diff --git a/.github/workflows/cibuild-setup-ubuntu.sh b/.github/workflows/cibuild-setup-ubuntu.sh index 568ecf3..2c0adb2 100755 --- a/.github/workflows/cibuild-setup-ubuntu.sh +++ b/.github/workflows/cibuild-setup-ubuntu.sh @@ -4,9 +4,10 @@ set -ex PACKAGES=( git make autoconf automake autopoint pkg-config libtool libtool-bin - gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev + gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass + asciidoctor ) COMPILER="${COMPILER:?}" diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml index 7da6060..2698389 100644 --- a/.github/workflows/cibuild.yml +++ b/.github/workflows/cibuild.yml @@ -2,9 +2,10 @@ name: Build test on: push: branches: - - 'master' + - 'main' - 'wip-luks2' - 'v2.3.x' + - 'v2.4.x' paths-ignore: - 'docs/**' diff --git a/.gitignore b/.gitignore index e75faa2..41715d1 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,8 @@ Makefile.in.in *.lo *.la *.o +*.so +*.8 **/*.dirstamp .deps/ .libs/ @@ -54,3 +56,6 @@ tests/luks1-images tests/tcrypt-images tests/unit-utils-io tests/vectors-test +tests/test-symbols-list.h +tests/all-symbols-test +tests/fuzz/LUKS2.pb* diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a12284f..3153145 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,113 +1,23 @@ stages: - test -.debian-prep: - before_script: - - sudo apt-get -y update --fix-missing - - > - sudo apt-get -y install -y -qq git gcc make - autoconf automake autopoint pkg-config libtool libtool-bin gettext - libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev - libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev - libpwquality-dev sharutils dmsetup jq xxd expect keyutils - netcat passwd openssh-client sshpass - - sudo apt-get -y build-dep cryptsetup - - sudo -E git clean -xdf - - ./autogen.sh - - ./configure --enable-libargon2 - -.dnf-openssl-backend: - before_script: - - > - sudo dnf -y -q install - autoconf automake device-mapper-devel gcc gettext-devel json-c-devel - libargon2-devel libblkid-devel libpwquality-devel libselinux-devel - libssh-devel libtool libuuid-devel make popt-devel - libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils - sshpass tar uuid-devel vim-common device-mapper expect gettext git jq - keyutils openssl-devel openssl - - sudo -E git clean -xdf - - ./autogen.sh - - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl - -# Merge request: Build and run only non-root tests -test-mergerq-job-debian-noroot: - extends: - - .debian-prep - tags: - - libvirt - - debian10 - stage: test - interruptible: true - rules: - - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" - when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - make -j - - make -j -C tests check-programs - - make check - -# For main branch commit, run all tests as root -test-main-commit-job-debian: - extends: - - .debian-prep - tags: - - libvirt - - debian10 - stage: test - interruptible: true - variables: - RUN_SSH_PLUGIN_TEST: "1" - rules: - - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" - when: never - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ - script: - - make -j - - make -j -C tests check-programs - - sudo -E make 
check - - sudo -E make clean - -test-main-commit-job-dnf: - extends: - - .dnf-openssl-backend - tags: - - libvirt - - fedora-rawhide - stage: test - interruptible: true - variables: - RUN_SSH_PLUGIN_TEST: "1" - rules: - - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" - when: never - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ - script: - - make -j - - make -j -C tests check-programs - - sudo -E make check - -test-mergerq-job-dnf: - extends: - - .dnf-openssl-backend - tags: - - libvirt - - fedora-rawhide - stage: test - interruptible: true - variables: - RUN_SSH_PLUGIN_TEST: "1" - rules: - - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" - when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - make -j - - make -j -C tests check-programs - - sudo -E make check +.dump_kernel_log: + after_script: + - sudo dmesg > /mnt/artifacts/dmesg.log + - sudo journalctl > /mnt/artifacts/journalctl.log + - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true' include: + - local: .gitlab/ci/debian.yml + - local: .gitlab/ci/fedora.yml + - local: .gitlab/ci/rhel.yml + - local: .gitlab/ci/centos.yml + - local: .gitlab/ci/annocheck.yml + - local: .gitlab/ci/csmock.yml - local: .gitlab/ci/gitlab-shared-docker.yml + - local: .gitlab/ci/compilation-various-disables.yml - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml - local: .gitlab/ci/compilation-clang.gitlab-ci.yml + - local: .gitlab/ci/alpinelinux.yml + - local: .gitlab/ci/ubuntu-32bit.yml + - local: .gitlab/ci/cifuzz.yml diff --git a/.gitlab/ci/alpinelinux.yml b/.gitlab/ci/alpinelinux.yml new file mode 100644 index 0000000..81bd6cb --- /dev/null +++ b/.gitlab/ci/alpinelinux.yml 
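Review bot: The coredump check in the new `.dump_kernel_log` template cannot fail a job, because it runs in `after_script` and GitLab does not let the exit status of `after_script` commands affect the job result. As written, `[ "$(ls -A /var/coredumps)" ] && exit 1 || true` only ends the after_script early, so a crash in the tested binaries that leaves a core file would still pass CI. Run the check as the last entry of each job's `script:` instead, for example `- '[ -z "$(ls -A /var/coredumps 2>/dev/null)" ]'`, and keep only the log collection in `after_script`. The same line is copied into `.alpinelinux-dependencies` in .gitlab/ci/alpinelinux.yml.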
@@ -0,0 +1,55 @@ +.alpinelinux-dependencies: + after_script: + - sudo dmesg > /mnt/artifacts/dmesg.log + - sudo cp /var/log/messages /mnt/artifacts/ + - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true' + before_script: + - > + sudo apk add + lvm2-dev openssl1.1-compat-dev popt-dev util-linux-dev json-c-dev + argon2-dev device-mapper which sharutils gettext gettext-dev automake + autoconf libtool build-base keyutils tar jq expect git asciidoctor + - ./autogen.sh + - ./configure --prefix=/usr --libdir=/lib --sbindir=/sbin --disable-static --enable-libargon2 --with-crypto_backend=openssl --disable-external-tokens --disable-ssh-token --enable-asciidoc + +test-main-commit-job-alpinelinux: + extends: + - .alpinelinux-dependencies + tags: + - libvirt + - alpinelinux + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "0" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-mergerq-job-alpinelinux: + extends: + - .alpinelinux-dependencies + tags: + - libvirt + - alpinelinux + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "0" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/annocheck.yml b/.gitlab/ci/annocheck.yml new file mode 100644 index 0000000..5b3a715 --- /dev/null +++ b/.gitlab/ci/annocheck.yml 
@@ -0,0 +1,19 @@ +test-main-commit-job-annocheck: + extends: + - .dump_kernel_log + tags: + - libvirt + - rhel9-annocheck + stage: test + interruptible: true + allow_failure: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - /opt/build-rpm-script.sh > /dev/null 2>&1 + - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9 + - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8 diff --git a/.gitlab/ci/centos.yml b/.gitlab/ci/centos.yml new file mode 100644 index 0000000..6f5559c --- /dev/null +++ b/.gitlab/ci/centos.yml 
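Review bot: `allow_failure: true` on test-main-commit-job-annocheck makes the binary-hardening check advisory only, so a build that loses a hardening property annocheck tests for still yields a green pipeline. The preceding step, `/opt/build-rpm-script.sh > /dev/null 2>&1`, also discards the whole build log, so a failing run cannot be diagnosed from the job output. Consider keeping the log, e.g. `- /opt/build-rpm-script.sh > /mnt/artifacts/build-rpm.log 2>&1`, and dropping `allow_failure` once the baseline is clean. test-commit-job-csmock in .gitlab/ci/csmock.yml has the same `allow_failure: true` on its static-analysis run.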
@@ -0,0 +1,59 @@ +.centos-openssl-backend: + extends: + - .dump_kernel_log + before_script: + - > + sudo dnf -y -q install + autoconf automake device-mapper-devel gcc gettext-devel json-c-devel + libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool + libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd + pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper + expect gettext git jq keyutils openssl-devel openssl gem + - sudo gem install asciidoctor + - sudo -E git clean -xdf + - ./autogen.sh + - ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc + +# non-FIPS jobs + +test-main-commit-centos-stream9: + extends: + - .centos-openssl-backend + tags: + - libvirt + - centos-stream9 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-mergerq-centos-stream9: + extends: + - .centos-openssl-backend + tags: + - libvirt + - centos-stream9 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/cibuild-setup-ubuntu.sh b/.gitlab/ci/cibuild-setup-ubuntu.sh index 74a7700..07b0990 100755 --- a/.gitlab/ci/cibuild-setup-ubuntu.sh +++ b/.gitlab/ci/cibuild-setup-ubuntu.sh 
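Review bot: `sudo gem install asciidoctor` in `.centos-openssl-backend` installs, as root, whatever version the gem source serves at run time, on the same runner that later executes `sudo -E make check`. That is an unpinned third-party dependency pulled on every pipeline. Pin it with `- sudo gem install asciidoctor -v <pinned-version>`, or bake the tool into the runner image so the job installs nothing from the network. The same line appears in `.rhel-openssl-backend` in .gitlab/ci/rhel.yml, where the preceding `yum install … > /dev/null 2>&1` also hides install errors.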
@@ -4,9 +4,10 @@ set -ex PACKAGES=( git make autoconf automake autopoint pkg-config libtool libtool-bin - gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev + gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass + asciidoctor ) COMPILER="${COMPILER:?}" @@ -42,7 +43,7 @@ apt-get -y build-dep cryptsetup echo "====================== VERSIONS ===================" if [[ $COMPILER == "clang" ]]; then - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --help + echo "Using scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}" fi ${COMPILER}-$COMPILER_VERSION -v diff --git a/.gitlab/ci/cifuzz.yml b/.gitlab/ci/cifuzz.yml new file mode 100644 index 0000000..063b912 --- /dev/null +++ b/.gitlab/ci/cifuzz.yml 
@@ -0,0 +1,46 @@ +cifuzz: + variables: + OSS_FUZZ_PROJECT_NAME: cryptsetup + CFL_PLATFORM: gitlab + CIFUZZ_DEBUG: "True" + FUZZ_SECONDS: 300 # 5 minutes per fuzzer + ARCHITECTURE: "x86_64" + DRY_RUN: "False" + LOW_DISK_SPACE: "True" + BAD_BUILD_CHECK: "True" + LANGUAGE: "c" + DOCKER_HOST: "tcp://docker:2375" + DOCKER_IN_DOCKER: "true" + DOCKER_DRIVER: overlay2 + DOCKER_TLS_CERTDIR: "" + image: + name: gcr.io/oss-fuzz-base/cifuzz-base + entrypoint: [""] + services: + - docker:dind + + stage: test + parallel: + matrix: + - SANITIZER: [address, undefined, memory] + rules: + # Default code change. + # - if: $CI_PIPELINE_SOURCE == "merge_request_event" + # variables: + # MODE: "code-change" + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $BUILD_AND_RUN_FUZZERS != null + before_script: + # Get gitlab's container id. + - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset` + script: + # Will build and run the fuzzers. + # We use a hack to override CI_JOB_ID, because otherwise a bad path is used + # in GitLab CI environment + - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py" + artifacts: + # Upload artifacts when a crash makes the job fail. + when: always + paths: + - artifacts/ diff --git a/.gitlab/ci/clang-Wall b/.gitlab/ci/clang-Wall index a907757..d09e154 100755 --- a/.gitlab/ci/clang-Wall +++ b/.gitlab/ci/clang-Wall @@ -15,8 +15,10 @@ CLANG="clang${COMPILER_VERSION:+-$COMPILER_VERSION}" #PEDANTIC="-pedantic -std=gnu99 -Wno-variadic-macros" #CONVERSION="-Wconversion" -EXTRA="-Wextra \ +EXTRA="\ + -Wextra \ -Wsign-compare \ + -Wcast-align -Werror-implicit-function-declaration \ -Wpointer-arith \ -Wwrite-strings \ @@ -27,7 +29,6 @@ EXTRA="-Wextra \ -Wold-style-definition \ -Wno-missing-field-initializers \ -Wno-unused-parameter \ - -Wno-attributes \ -Wno-long-long" exec $CLANG $PEDANTIC $CONVERSION \ 
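Review bot: The cifuzz job reaches its `docker:dind` service over plaintext, unauthenticated TCP, because `DOCKER_HOST: "tcp://docker:2375"` combined with `DOCKER_TLS_CERTDIR: ""` switches the daemon's TLS off. dind normally needs a privileged runner, so anything able to reach that port inside the job network controls a privileged Docker daemon. If the CIFuzz entrypoint supports it (not visible in this diff), prefer the TLS variant, `DOCKER_HOST: "tcp://docker:2376"` with `DOCKER_TLS_CERTDIR: "/certs"`. `gcr.io/oss-fuzz-base/cifuzz-base` and `docker:dind` are also referenced without a tag or digest, so the fuzzing toolchain can change between runs; pinning both (e.g. `docker:<pinned-version>-dind`) keeps results reproducible.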
@@ -43,13 +44,6 @@ exec $CLANG $PEDANTIC $CONVERSION \ -Wnested-externs \ -Wcomment \ -Winline \ - -Wcast-align \ -Wcast-qual \ -Wredundant-decls $EXTRA \ - "$@" 2>&1 | { - if [[ $USE_FILTER -eq 1 ]]; then - .gitlab/ci/warnings_filter.py - else - cat - fi -} + "$@" diff --git a/.gitlab/ci/compilation-clang.gitlab-ci.yml b/.gitlab/ci/compilation-clang.gitlab-ci.yml index 9b9bee5..6f5cd42 100644 --- a/.gitlab/ci/compilation-clang.gitlab-ci.yml +++ b/.gitlab/ci/compilation-clang.gitlab-ci.yml @@ -3,23 +3,25 @@ test-clang-compilation: - .gitlab-shared-clang script: - export CFLAGS="-Wall -Werror" - - ./configure --enable-pwquality --enable-libargon2 + - ./configure - make -j + - make -j check-programs -# Clang doesn't support json output, so we cannot use the warnings filter -# test-clang-Wall-script: -# extends: -# - .gitlab-shared-clang -# script: -# - export CFLAGS="-g -O0" -# - export CC=".gitlab/ci/clang-Wall" -# - ./configure --enable-pwquality --enable-libargon2 -# - make -j CFLAGS="-g -O0 -Werror" +test-clang-Wall-script: + extends: + - .gitlab-shared-clang + script: + - export CFLAGS="-g -O0" + - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall" + - ./configure + - make -j CFLAGS="-g -O0 -Werror" + - make -j CFLAGS="-g -O0 -Werror" check-programs test-scan-build: extends: - .gitlab-shared-clang script: - - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --enable-internal-sse-argon2 --enable-pwquality --enable-libargon2 + - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" - make clean - - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -maxloop 10 make -j + - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j + - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs diff --git a/.gitlab/ci/compilation-gcc.gitlab-ci.yml b/.gitlab/ci/compilation-gcc.gitlab-ci.yml index 775c00d..00fae36 100644 
--- a/.gitlab/ci/compilation-gcc.gitlab-ci.yml +++ b/.gitlab/ci/compilation-gcc.gitlab-ci.yml @@ -3,22 +3,25 @@ test-gcc-compilation: - .gitlab-shared-gcc script: - export CFLAGS="-Wall -Werror" - - ./configure --enable-pwquality --enable-libargon2 + - ./configure - make -j + - make -j check-programs test-gcc-Wall-script: extends: - .gitlab-shared-gcc script: - export CFLAGS="-g -O0" - - export CC=".gitlab/ci/gcc-Wall" - - USE_FILTER=0 ./configure --enable-pwquality --enable-libargon2 - - USE_FILTER=1 make -j CFLAGS="-g -O0 -fdiagnostics-format=json" + - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall" + - ./configure + - make -j CFLAGS="-g -O0 -Werror" + - make -j CFLAGS="-g -O0 -Werror" check-programs test-gcc-fanalyzer: extends: - .gitlab-shared-gcc script: - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" - - ./configure --enable-pwquality --enable-libargon2 + - ./configure - make -j + - make -j check-programs diff --git a/.gitlab/ci/compilation-various-disables.yml b/.gitlab/ci/compilation-various-disables.yml new file mode 100644 index 0000000..1414f9e --- /dev/null +++ b/.gitlab/ci/compilation-various-disables.yml @@ -0,0 +1,21 @@ +test-gcc-disable-compiles: + extends: + - .gitlab-shared-gcc + parallel: + matrix: + - DISABLE_FLAGS: [ + "--disable-keyring", + "--disable-external-tokens --disable-ssh-token", + "--disable-luks2-reencryption", + "--disable-cryptsetup --disable-veritysetup --disable-integritysetup", + "--disable-kernel_crypto", + "--disable-selinux", + "--disable-udev", + "--disable-internal-argon2", + "--disable-blkid" + ] + script: + - export CFLAGS="-Wall -Werror" + - ./configure $DISABLE_FLAGS + - make -j + - make -j check-programs diff --git a/.gitlab/ci/csmock.yml b/.gitlab/ci/csmock.yml new file mode 100644 index 0000000..72b53ed --- /dev/null +++ b/.gitlab/ci/csmock.yml 
@@ -0,0 +1,17 @@ +test-commit-job-csmock: + extends: + - .dump_kernel_log + tags: + - libvirt + - rhel7-csmock + stage: test + interruptible: true + allow_failure: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - /opt/csmock-run-script.sh diff --git a/.gitlab/ci/debian.yml b/.gitlab/ci/debian.yml new file mode 100644 index 0000000..fad9d97 --- /dev/null +++ b/.gitlab/ci/debian.yml 
@@ -0,0 +1,56 @@ +.debian-prep: + extends: + - .dump_kernel_log + before_script: + - > + [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] || + sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2 + gperf libcap-dev tpm2-tss-engine-dev libmount-dev swtpm-tools + - > + sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint + pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev + libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev + tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect + keyutils netcat passwd openssh-client sshpass asciidoctor + - sudo apt-get -y build-dep cryptsetup + - sudo -E git clean -xdf + - ./autogen.sh + - ./configure --enable-libargon2 --enable-asciidoc + +test-mergerq-job-debian: + extends: + - .debian-prep + tags: + - libvirt + - debian11 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-main-commit-job-debian: + extends: + - .debian-prep + tags: + - libvirt + - debian11 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/fedora.yml b/.gitlab/ci/fedora.yml new file mode 100644 index 0000000..7fd9c7e --- /dev/null +++ b/.gitlab/ci/fedora.yml 
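Review bot: The new `.debian-prep` no longer refreshes the package index. The definition removed from .gitlab-ci.yml began with `sudo apt-get -y update --fix-missing`, while this `before_script` goes straight to `apt-get -y install` and `apt-get -y build-dep cryptsetup`. On a long-lived VM image, a stale index leads either to fetch failures or to building against library versions that predate current security updates. Unless the `debian11` and `ubuntu-bionic-32bit` images refresh the index themselves (not visible here), keep `- sudo apt-get -y update --fix-missing` as the first entry. The jobs in .gitlab/ci/ubuntu-32bit.yml extend this template and inherit the change.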
@@ -0,0 +1,60 @@ +.dnf-openssl-backend: + extends: + - .dump_kernel_log + before_script: + - > + [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] || + sudo dnf -y -q install + swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel + libmount-devel swtpm-tools + - > + sudo dnf -y -q install + autoconf automake device-mapper-devel gcc gettext-devel json-c-devel + libargon2-devel libblkid-devel libpwquality-devel libselinux-devel + libssh-devel libtool libuuid-devel make popt-devel + libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils + sshpass tar uuid-devel vim-common device-mapper expect gettext git jq + keyutils openssl-devel openssl asciidoctor + - sudo -E git clean -xdf + - ./autogen.sh + - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl --enable-asciidoc + +test-main-commit-job-rawhide: + extends: + - .dnf-openssl-backend + tags: + - libvirt + - fedora-rawhide + stage: test + interruptible: true + allow_failure: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-mergerq-job-rawhide: + extends: + - .dnf-openssl-backend + tags: + - libvirt + - fedora-rawhide + stage: test + interruptible: true + allow_failure: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/gcc-Wall b/.gitlab/ci/gcc-Wall index f45c607..6669504 100755 --- a/.gitlab/ci/gcc-Wall +++ b/.gitlab/ci/gcc-Wall 
@@ -16,6 +16,8 @@ GCC="gcc${COMPILER_VERSION:+-$COMPILER_VERSION}" #CONVERSION="-Wconversion" # -Wpacked \ +# This does more than expected for gcc (mixed code with declarations) +# -Wdeclaration-after-statement \ EXTRA="-Wextra \ -Wsign-compare \ @@ -27,14 +29,14 @@ EXTRA="-Wextra \ -Wstrict-aliasing=3 \ -Winit-self \ -Wunsafe-loop-optimizations \ - -Wdeclaration-after-statement \ -Wold-style-definition \ -Wno-missing-field-initializers \ -Wno-unused-parameter \ - -Wno-attributes \ -Wno-long-long \ -Wmaybe-uninitialized \ - -Wvla" + -Wvla \ + -Wformat-overflow \ + -Wformat-truncation" exec $GCC $PEDANTIC $CONVERSION \ -Wall $Wuninitialized \ @@ -49,13 +51,7 @@ exec $GCC $PEDANTIC $CONVERSION \ -Wnested-externs \ -Wcomment \ -Winline \ - -Wcast-align \ + -Wcast-align=strict \ -Wcast-qual \ -Wredundant-decls $EXTRA \ - "$@" 2>&1 | { - if [[ $USE_FILTER -eq 1 ]]; then - .gitlab/ci/warnings_filter.py - else - cat - fi -} + "$@" diff --git a/.gitlab/ci/gitlab-shared-docker.yml b/.gitlab/ci/gitlab-shared-docker.yml index 2be9da9..1edacc8 100644 --- a/.gitlab/ci/gitlab-shared-docker.yml +++ b/.gitlab/ci/gitlab-shared-docker.yml @@ -5,7 +5,9 @@ stage: test interruptible: true rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ before_script: - .gitlab/ci/cibuild-setup-ubuntu.sh - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}" diff --git a/.gitlab/ci/rhel.yml b/.gitlab/ci/rhel.yml new file mode 100644 index 0000000..f71533c --- /dev/null +++ b/.gitlab/ci/rhel.yml 
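Review bot: The two flags added to `EXTRA` in the second hunk, `-Wformat-overflow` and `-Wformat-truncation`, are most likely no-ops. Without a level they mean level 1, which GCC already enables through `-Wformat`, and the wrapper passes `-Wall` on the `exec` line. To get additional checking of sprintf/snprintf buffer sizing, spell out the higher level: `-Wformat-overflow=2 \` and `-Wformat-truncation=2"`. Level 2 is noisier, so with `-Werror` in test-gcc-Wall-script some false positives may need triage. The `EXTRA` assignment begins outside this hunk.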
@@ -0,0 +1,106 @@ +.rhel-openssl-backend: + extends: + - .dump_kernel_log + before_script: + - > + sudo yum -y -q install + autoconf automake device-mapper-devel gcc gettext-devel json-c-devel + libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool + libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd + pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper + expect gettext git jq keyutils openssl-devel openssl gem > /dev/null 2>&1 + - sudo gem install asciidoctor + - sudo -E git clean -xdf + - ./autogen.sh + - ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc + +# non-FIPS jobs + +test-main-commit-rhel8: + extends: + - .rhel-openssl-backend + tags: + - libvirt + - rhel8 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-main-commit-rhel9: + extends: + - .rhel-openssl-backend + tags: + - libvirt + - rhel9 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +# FIPS jobs + +test-main-commit-rhel8-fips: + extends: + - .rhel-openssl-backend + tags: + - libvirt + - rhel8-fips + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || 
$CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - fips-mode-setup --check || exit 1 + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-main-commit-rhel9-fips: + extends: + - .rhel-openssl-backend + tags: + - libvirt + - rhel9-fips + stage: test + interruptible: true + allow_failure: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - fips-mode-setup --check || exit 1 + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/ubuntu-32bit.yml b/.gitlab/ci/ubuntu-32bit.yml new file mode 100644 index 0000000..f51c059 --- /dev/null +++ b/.gitlab/ci/ubuntu-32bit.yml @@ -0,0 +1,41 @@ +test-mergerq-job-ubuntu-32bit: + extends: + - .debian-prep + tags: + - libvirt + - ubuntu-bionic-32bit + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check + +test-main-commit-job-ubuntu-32bit: + extends: + - .debian-prep + tags: + - libvirt + - ubuntu-bionic-32bit + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $RUN_SYSTEMD_PLUGIN_TEST != null + when: never + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - make -j + - make -j -C tests check-programs + - sudo -E make check diff --git a/.gitlab/ci/warnings_filter.py b/.gitlab/ci/warnings_filter.py deleted file mode 100755 index f9d275d..0000000 --- a/.gitlab/ci/warnings_filter.py +++ /dev/null 
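Review bot: The FIPS jobs gate on `fips-mode-setup --check || exit 1`, but the diff does not show whether that command's exit status distinguishes "enabled" from "disabled" on both the rhel8-fips and rhel9-fips images. If it returns 0 in both states, the suite silently runs in non-FIPS mode and the job still reports FIPS coverage. Reading the kernel flag is unambiguous: `- '[ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]'` (the `|| exit 1` is redundant, since a failing script line already fails the job). Note also that test-main-commit-rhel9-fips sets `allow_failure: true`, so a FIPS-only regression on RHEL 9 does not block the pipeline.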
@@ -1,31 +0,0 @@ -#!/usr/bin/python3 - -import sys -import json -import linecache - -if __name__ == "__main__": - json_string = sys.stdin.read() - if json_string in [None, ""]: - sys.exit(0) - - parsed = json.loads(json_string) - #print(json.dumps(parsed, indent=4, sort_keys=True)) - - r = 0 - - for o in parsed: - kind = o["kind"] - - start = o["locations"][0]["caret"] - l = linecache.getline(start["file"], int(start["line"])) - - ignored = "json_object_object_foreach" in l - - print(f"{o['kind']} {'ignored' if ignored else 'FOUND'} in {start['file']}:{start['line']}:{start['column']} {o['message']}") - print(f"line contains:\n\t{l}", end="") - - if not ignored: - r = 1 - - sys.exit(r) diff --git a/.lgtm.yml b/.lgtm.yml new file mode 100644 index 0000000..64d9cc8 --- /dev/null +++ b/.lgtm.yml @@ -0,0 +1,11 @@ +queries: + - exclude: cpp/fixme-comment + - exclude: cpp/empty-block +# symver attribute detection cannot be used, disable it for lgtm +extraction: + cpp: + configure: + command: + - "./autogen.sh" + - "./configure --enable-external-tokens --enable-ssh-token" + - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h" diff --git a/FAQ b/FAQ.md similarity index 88% rename from FAQ rename to FAQ.md index 5ce8f07..74ad955 100644 --- a/FAQ +++ b/FAQ.md 
@@ -1,33 +1,33 @@ -Frequently Asked Questions Cryptsetup/LUKS +# Frequently Asked Questions Cryptsetup/LUKS -Sections -1. General Questions -2. Setup -3. Common Problems -4. Troubleshooting -5. Security Aspects -6. Backup and Data Recovery -7. Interoperability with other Disk Encryption Tools -8. Issues with Specific Versions of cryptsetup -9. The Initrd question -10. LUKS2 Questions -11. References and Further Reading -A. Contributors +# Sections +[1. General Questions](#1-general-questions) +[2. Setup](#2-setup) +[3. Common Problems](#3-common-problems) +[4. Troubleshooting](#4-troubleshooting) +[5. Security Aspects](#5-security-aspects) +[6. Backup and Data Recovery](#6-backup-and-data-recovery) +[7. Interoperability with other Disk Encryption Tools](#7-interoperability-with-other-disk-encryption-tools) +[8. Issues with Specific Versions of cryptsetup](#8-issues-with-specific-versions-of-cryptsetup) +[9. The Initrd question](#9-the-initrd-question) +[10. LUKS2 Questions](#10-luks2-questions) +[11. References and Further Reading](#11-references-and-further-reading) +[A. Contributors](#a-contributors) -1. General Questions +# 1. General Questions - * 1.1 What is this? + * **1.1 What is this?** This is the FAQ (Frequently Asked Questions) for cryptsetup. It covers Linux disk encryption with plain dm-crypt (one passphrase, no management, no metadata on disk) and LUKS (multiple user keys with one - master key, anti-forensic features, metadata block at start of device, + volume key, anti-forensic features, metadata block at start of device, ...). The latest version of this FAQ should usually be available at https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions - * 1.2 WARNINGS + * **1.2 WARNINGS** LUKS2 COMPATIBILITY: This FAQ was originally written for LUKS1, not LUKS2. Hence regarding LUKS2, some of the answers found here may not 
@@ -51,7 +51,7 @@ A. Contributors security model BEFORE you face such a disaster! In particular, make sure you have a current header backup before doing any potentially dangerous operations. The LUKS2 header should be a bit more resilient - as critical data starts later and is stored twice, but you can decidely + as critical data starts later and is stored twice, but you can decidedly still destroy it or a keyslot permanently by accident. DEBUG COMMANDS: While the --debug and --debug-json options should not @@ -69,8 +69,8 @@ A. Contributors doing encrypted backup. CLONING/IMAGING: If you clone or image a LUKS container, you make a copy - of the LUKS header and the master key will stay the same! That means - that if you distribute an image to several machines, the same master key + of the LUKS header and the volume key will stay the same! That means + that if you distribute an image to several machines, the same volume key will be used on all of them, regardless of whether you change the passphrases. Do NOT do this! If you do, a root-user on any of the machines with a mapped (decrypted) container or a passphrase on that 
@@ -98,12 +98,12 @@ A. Contributors checking for an existing LUKS header is shifted to the script. This is a more general form of the previous item. - LUKS PASSPHRASE IS NOT THE MASTER KEY: The LUKS passphrase is not used - in deriving the master key. It is used in decrypting a master key that + LUKS PASSPHRASE IS NOT THE VOLUME KEY: The LUKS passphrase is not used + in deriving the volume key. It is used in decrypting a volume key that is randomly selected on header creation. This means that if you create a new LUKS header on top of an old one with exactly the same parameters and exactly the same passphrase as the old one, it will still have a - different master key and your data will be permanently lost. + different volume key and your data will be permanently lost. PASSPHRASE CHARACTER SET: Some people have had difficulties with this when upgrading distributions. It is highly advisable to only use the 95 @@ -122,7 +122,7 @@ A. Contributors device in pre-boot, try entering the digits over the regular digit keys. - * 1.3 System specific warnings + * **1.3 System specific warnings** - The Ubuntu Natty uinstaller has a "won't fix" defect that may destroy LUKS containers. This is quite old an not relevant for most people. @@ -130,7 +130,7 @@ A. Contributors https://bugs.launchpad.net/ubuntu/+source/partman-crypto/+bug/420080 - * 1.4 My LUKS-device is broken! Help! + * **1.4 My LUKS-device is broken! Help!** First: Do not panic! In many cases the data is still recoverable. Do not do anything hasty! Steps: @@ -156,7 +156,7 @@ A. Contributors - Ask on the mailing-list if you need more help. - * 1.5 Who wrote this? + * **1.5 Who wrote this?** Current FAQ maintainer is Arno Wagner <arno@wagner.name>. If you want to send me encrypted email, my current PGP key is DSA key CB5D9718, 
@@ -181,7 +181,7 @@ A. Contributors problems. - * 1.6 Where is the project website? + * **1.6 Where is the project website?** There is the project website at https://gitlab.com/cryptsetup/cryptsetup/ Please do not post @@ -189,29 +189,30 @@ A. Contributors instead. - * 1.7 Is there a mailing-list? + * **1.7 Is there a mailing-list?** Instructions on how to subscribe to the mailing-list are on the project website. People are generally helpful and friendly on the list. The question of how to unsubscribe from the list does crop up sometimes. - For this you need your list management URL, which is sent to you - initially and once at the start of each month. Go to the URL mentioned - in the email and select "unsubscribe". This page also allows you to - request a password reminder. + For this you need your list management URL + https://subspace.kernel.org/lists.linux.dev.html. Go to the URL mentioned + in the email and select "unsubscribe". - Alternatively, you can send an Email to dm-crypt-request@saout.de with - just the word "help" in the subject or message body. Make sure to send - it from your list address. + Alternatively, you can send an empty Email to cryptsetup+help@lists.linux.dev. + Make sure to send it from your list address. The mailing list archive is here: - https://marc.info/?l=dm-crypt + https://lore.kernel.org/cryptsetup/ + + The legacy dm-crypt mailing list archive is here: + https://lore.kernel.org/dm-crypt/ - * 1.8 Unsubscribe from the mailing-list + * **1.8 Unsubscribe from the mailing-list** - Send mail to dm-crypt-unsubscribe@saout.de from the subscribed account. + Send mail to cryptsetup+unsubscribe@lists.linux.dev from the subscribed account. You will get an email with instructions. Basically, you just have to respond to it unmodified to get 
@@ -227,28 +228,28 @@ A. Contributors your email account and it had to be answered before the subscription went active. The confirmation emails from the listserver have subjects like these (with other numbers): - - Subject: confirm 9964cf10..... - - and are sent from dm-crypt-request@saout.de. You should check whether +``` + Subject: Confirm subscription to cryptsetup@lists.linux.dev +``` + and are sent from cryptsetup+help@lists.linux.dev. You should check whether you have anything like it in your sent email folder. If you find nothing and are sure you did not confirm, then you should look into a possible compromise of your email account. - * 1.9 What can I do if cryptsetup is running out of memory? + * **1.9 What can I do if cryptsetup is running out of memory?** Memory issues are generally related to the key derivation function. You may be able to tune usage with the options --pbkdf-memory or --pbkdf pbkdf2. - * 1.10 Can cryptsetup be run without root access? + * **1.10 Can cryptsetup be run without root access?** Elevated privileges are required to use cryptsetup and LUKS. Some operations require root access. There are a few features which will work without root access with the right switches but there are caveats. - * 1.11 What are the problems with running as non root? + * **1.11 What are the problems with running as non root?** The first issue is one of permissions to devices. Generally, root or a group such as disk has ownership of the storage devices. The non root user will 
@@ -261,9 +262,23 @@ A. Contributors Also, device mapper requires root access. cryptsetup uses device mapper to manage the decrypted container. -2. Setup + * **1.12 How can I report an issue in the cryptsetup project?** - * 2.1 LUKS Container Setup mini-HOWTO + Before reporting any issue, please be sure you are using the latest + upstream version and that you read the documentation (and this FAQ). + + If you think you have discovered an issue, please report it through + the project issue tracker [New issue](https://gitlab.com/cryptsetup/cryptsetup/issues). + For a possible security issue, please use the confidential checkbox. + + Please fill in all information requested in the report template + (specifically add debug output with all run environment data). + Do not trim the output; debug output does not include private data. + + +# 2. Setup + + * **2.1 LUKS Container Setup mini-HOWTO** This item tries to give you a very brief list of all the steps you should go through when creating a new LUKS encrypted container, i.e. @@ -284,20 +299,22 @@ A. Contributors container. To just quickly wipe file systems (old data may remain), use - +``` wipefs -a <target device> - +``` To wipe file system and data, use something like - +``` cat /dev/zero > <target device> - +``` This can take a while. To get a progress indicator, you can use the tool dd_rescue (->google) instead or use my stream meter "wcs" (source here: https://www.tansi.org/tools/index.html) in the following fashion: - +``` cat /dev/zero | wcs > <target device> - +``` Plain "dd" also gives you the progress on a SIGUSR1, see its man-page. + The GNU "dd" command supports the "status=progress" operand that gives you + the progress without having to send it any signal. Be very sure you have the right target, all data will be lost! 
@@ -310,13 +327,13 @@ A. Contributors 04) Create the LUKS container. LUKS1: - +``` cryptsetup luksFormat --type luks1 <target device> - +``` LUKS2: - +``` cryptsetup luksFormat --type luks2 <target device> - +``` Just follow the on-screen instructions. @@ -340,14 +357,14 @@ A. Contributors much lower than 100000, i.e. 100MB, but don't take my word for it. 05) Map the container. Here it will be mapped to /dev/mapper/c1: - +``` cryptsetup luksOpen <target device> c1 - +``` 06) (Optionally) wipe the container (make sure you have the right target!): - +``` cat /dev/zero > /dev/mapper/c1 - +``` This will take a while. Note that this creates a small information leak, as an attacker can determine whether a 512 byte block is zero if the attacker has access to the encrypted container multiple times. @@ -357,13 +374,13 @@ A. Contributors 07) Create a file system in the mapped container, for example an ext3 file system (any other file system is possible): - +``` mke2fs -j /dev/mapper/c1 - +``` 08) Mount your encrypted file system, here on /mnt: - +``` mount /dev/mapper/c1 /mnt - +``` 09) Make a LUKS header backup and plan for a container backup. See Section 6 for details. @@ -373,7 +390,7 @@ A. Contributors will compromise your security. - * 2.2 LUKS on partitions or raw disks? What about RAID? + * **2.2 LUKS on partitions or raw disks? What about RAID?** Also see Item 2.8. This is a complicated question, and made more so by the availability of @@ -455,7 +472,7 @@ A. Contributors CPU that does hardware AES as most do today. - * 2.3 How do I set up encrypted swap? + * **2.3 How do I set up encrypted swap?** As things that are confidential can end up in swap (keys, passphrases, etc. are usually protected against being swapped to disk, but other 
@@ -471,9 +488,9 @@ A. Contributors 01) Add the swap partition to /etc/crypttab. A line like the following should do it: - +``` swap /dev/<partition> /dev/urandom swap,noearly - +``` Warning: While Debian refuses to overwrite partitions with a filesystem or RAID signature on it, as your disk IDs may change (adding or removing disks, failure of disk during boot, etc.), you may want to take @@ -500,24 +517,24 @@ A. Contributors 02) Add the swap partition to /etc/fstab. A line like the following should do it: - +``` /dev/mapper/swap none swap sw 0 0 - +``` That is it. Reboot or start it manually to activate encrypted swap. Manual start would look like this: - +``` /etc/init.d/cryptdisks start swapon /dev/mapper/swap +``` - - * 2.4 What is the difference between "plain" and LUKS format? + * **2.4 What is the difference between "plain" and LUKS format?** First, unless you happen to understand the cryptographic background well, you should use LUKS. It does protect the user from a lot of common mistakes. Plain dm-crypt is for experts. Plain format is just that: It has no metadata on disk, reads all - parameters from the commandline (or the defaults), derives a master-key + parameters from the commandline (or the defaults), derives a volume-key from the passphrase and then uses that to de-/encrypt the sectors of the device, with a direct 1:1 mapping between encrypted and decrypted sectors. @@ -555,7 +572,7 @@ A. Contributors LUKS format uses a metadata header and 8 key-slot areas that are being placed at the beginning of the disk, see below under "What does the LUKS on-disk format looks like?". The passphrases are used to decrypt a - single master key that is stored in the anti-forensic stripes. LUKS2 + single volume key that is stored in the anti-forensic stripes. LUKS2 adds some more flexibility. Advantages are a higher usability, automatic configuration of 
@@ -572,7 +589,7 @@ A. Contributors use LUKS2. - * 2.5 Can I encrypt an existing, non-empty partition to use LUKS? + * **2.5 Can I encrypt an existing, non-empty partition to use LUKS?** There is no converter, and it is not really needed. The way to do this is to make a backup of the device in question, securely wipe the device @@ -585,23 +602,21 @@ A. Contributors in a filesystem. - * 2.6 How do I use LUKS with a loop-device? + * **2.6 How do I use LUKS with a loop-device?** This can be very handy for experiments. Setup is just the same as with any block device. If you want, for example, to use a 100MiB file as LUKS container, do something like this: - +``` head -c 100M /dev/zero > luksfile # create empty file losetup /dev/loop0 luksfile # map file to /dev/loop0 cryptsetup luksFormat --type luks2 /dev/loop0 # create LUKS2 container - +``` Afterwards just use /dev/loop0 as a you would use a LUKS partition. To unmap the file when done, use "losetup -d /dev/loop0". - * 2.7 When I add a new key-slot to LUKS, it asks for a passphrase - but then complains about there not being a key-slot with that - passphrase? + * **2.7 When I add a new key-slot to LUKS, it asks for a passphrase but then complains about there not being a key-slot with that passphrase?** That is as intended. You are asked a passphrase of an existing key-slot first, before you can enter the passphrase for the new key-slot. @@ -610,7 +625,7 @@ A. Contributors configured key-slots in order to be able to configure a new key-slot. - * 2.8 Encryption on top of RAID or the other way round? + * **2.8 Encryption on top of RAID or the other way round?** Also see Item 2.2. Unless you have special needs, place encryption between RAID and @@ -621,7 +636,7 @@ A. Contributors /dev/dm0 . This means that the typical layering looks like this: - +``` Filesystem <- top | Encryption (LUKS) 
@@ -631,19 +646,30 @@ A. Contributors Raw partitions (optional) | Raw disks <- bottom - +``` The big advantage of this is that you can manage the RAID container just like any other regular RAID container, it does not care that its content is encrypted. This strongly cuts down on complexity, something very valuable with storage encryption. + Try to avoid so-called fake RAID (RAID configured from BIOS but handled + by proprietary drivers). Note that some fake RAID firmware automatically + writes signature on disks if enabled. This causes corruption of LUKS + metadata. Be sure to switch the RAID option off in BIOS if you do not + use it. - * 2.9 How do I read a dm-crypt key from file? + Another data corruption can happen if you resize (enlarge) the underlying + device and some remnant metadata appear near the end of the resized device + (like a secondary copy of the GPT table). You can use wipefs command to + detect and wipe such signatures. + + + * **2.9 How do I read a dm-crypt key from file?** Use the --key-file option, like this: - +``` cryptsetup create --key-file keyfile e1 /dev/loop0 - +``` This will read the binary key from file, i.e. no hashing or transformation will be applied to the keyfile before its bits are used as key. Extra bits (beyond the length of the key) at the end are @@ -652,7 +678,7 @@ A. Contributors sections "NOTES ON PASSPHRASE PROCESSING..." for more detail. - * 2.10 How do I read a LUKS slot key from file? + * **2.10 How do I read a LUKS slot key from file?** What you really do here is to read a passphrase from file, just as you would with manual entry of a passphrase for a key-slot. You can add a 
@@ -663,32 +689,32 @@ A. Contributors To add a new passphrase to a free key slot from file, use something like this: - +``` cryptsetup luksAddKey /dev/loop0 keyfile - +``` To add a new passphrase to a specific key-slot, use something like this: - +``` cryptsetup luksAddKey --key-slot 7 /dev/loop0 keyfile - +``` To supply a key from file to any LUKS command, use the --key-file option, e.g. like this: - +``` cryptsetup luksOpen --key-file keyfile /dev/loop0 e1 +``` - - * 2.11 How do I read the LUKS master key from file? + * **2.11 How do I read the LUKS volume key from file?** The question you should ask yourself first is why you would want to do this. The only legitimate reason I can think of is if you want to have - two LUKS devices with the same master key. Even then, I think it would + two LUKS devices with the same volume key. Even then, I think it would be preferable to just use key-slots with the same passphrase, or to use plain dm-crypt instead. If you really have a good reason, please tell me. If I am convinced, I will add how to do this here. - * 2.12 What are the security requirements for a key read from file? + * **2.12 What are the security requirements for a key read from file?** A file-stored key or passphrase has the same security requirements as one entered interactively, however you can use random bytes and thereby @@ -696,13 +722,12 @@ A. Contributors like as key file, for example a plain text file with a human readable passphrase. To generate a file with random bytes, use something like this: - +``` head -c 256 /dev/random > keyfile +``` - - * 2.13 If I map a journaled file system using dm-crypt/LUKS, does - it still provide its usual transactional guarantees? + * **2.13 If I map a journaled file system using dm-crypt/LUKS, does it still provide its usual transactional guarantees?** Yes, it does, unless a very old kernel is used. The required flags come from the filesystem layer and are processed and passed onward by 
@@ -730,8 +755,7 @@ A. Contributors go away. - * 2.14 Can I use LUKS or cryptsetup with a more secure (external) - medium for key storage, e.g. TPM or a smartcard? + * **2.14 Can I use LUKS or cryptsetup with a more secure (external) medium for key storage, e.g. TPM or a smartcard?** Yes, see the answers on using a file-supplied key. You do have to write the glue-logic yourself though. Basically you can have cryptsetup read @@ -739,7 +763,7 @@ A. Contributors gets the key from the more secure key storage. - * 2.15 Can I resize a dm-crypt or LUKS container? + * **2.15 Can I resize a dm-crypt or LUKS container?** Yes, you can, as neither dm-crypt nor LUKS1 stores partition size and LUKS2 uses a generic "whole device" size as default. Note that LUKS2 @@ -761,20 +785,20 @@ A. Contributors container sizes larger than 2TiB. Use aes-xts-plain64 for that. - * 2.16 How do I Benchmark the Ciphers, Hashes and Modes? + * **2.16 How do I Benchmark the Ciphers, Hashes and Modes?** Since version 1.60 cryptsetup supports the "benchmark" command. Simply run as root: - +``` cryptsetup benchmark - +``` You can get more than the default benchmarks, see the man-page for the relevant parameters. Note that XTS mode takes two keys, hence the listed key sizes are double that for other modes and half of it is the cipher key, the other half is the XTS key. - * 2.17 How do I Verify I have an Authentic cryptsetup Source Package? + * **2.17 How do I Verify I have an Authentic cryptsetup Source Package?** Current maintainer is Milan Broz and he signs the release packages with his PGP key. The key he currently uses is the "RSA key ID D93E98FC", 
@@ -787,10 +811,10 @@ A. Contributors That said, as cryptsetup is under good version control and a malicious change should be noticed sooner or later, but it may take a while. Also, the attacker model makes compromising the sources in a non-obvious - way pretty hard. Sure, you could put the master-key somewhere on disk, + way pretty hard. Sure, you could put the volume-key somewhere on disk, but that is rather obvious as soon as somebody looks as there would be data in an empty LUKS container in a place it should not be. Doing this - in a more nefarious way, for example hiding the master-key in the salts, + in a more nefarious way, for example hiding the volume-key in the salts, would need a look at the sources to be discovered, but I think that somebody would find that sooner or later as well. @@ -798,7 +822,7 @@ A. Contributors as an FAQ can sustain. If in doubt, ask on the mailing list. - * 2.18 Is there a concern with 4k Sectors? + * **2.18 Is there a concern with 4k Sectors?** Not from dm-crypt itself. Encryption will be done in 512B blocks, but if the partition and filesystem are aligned correctly and the filesystem @@ -811,13 +835,13 @@ A. Contributors blocks internally (e.g. 128kB or even larger). - * 2.19 How can I wipe a device with crypto-grade randomness? + * **2.19 How can I wipe a device with crypto-grade randomness?** The conventional recommendation if you want to do more than just a zero-wipe is to use something like - +``` cat /dev/urandom > <target-device> - +``` That used to very slow and painful at 10-20MB/s on a fast computer, but newer kernels can give you > 200MB/s (depending on hardware). An alternative is using cryptsetup and a plain dm-crypt device with a 
@@ -825,32 +849,33 @@ A. Contributors defaults are quite enough. For device set-up, do the following: - +``` cryptsetup open --type plain -d /dev/urandom /dev/<device> target - +``` This maps the container as plain under /dev/mapper/target with a random password. For the actual wipe you have several options. Basically, you pipe zeroes into the opened container that then get encrypted. Simple wipe without progress-indicator: - +``` cat /dev/zero > /dev/mapper/to_be_wiped - +``` Progress-indicator by dd_rescue: - +``` dd_rescue -w /dev/zero /dev/mapper/to_be_wiped - +``` Progress-indicator by my "wcs" stream meter (available from https://www.tansi.org/tools/index.html ): - +``` cat /dev/zero | wcs > /dev/mapper/to_be_wiped - +``` Or use plain "dd", which gives you the progress when sent a SIGUSR1, see - the dd man page. + the dd man page. The GNU "dd" command supports the "status=progress" + operand that gives you the progress without having to send it any signal. Remove the mapping at the end and you are done. - * 2.20 How do I wipe only the LUKS header? + * **2.20 How do I wipe only the LUKS header?** This does _not_ describe an emergency wipe procedure, see Item 5.4 for that. This procedure here is intended to be used when the data should @@ -860,21 +885,21 @@ A. Contributors LUKS1: 01) Determine header size in 512 Byte sectors with luksDump: - +``` cryptsetup luksDump <device with LUKS container> -> ... Payload offset: <number> [of 512 byte sectors] ... - +``` 02) Take the result number, multiply by 512 zeros and write to the start of the device, e.g. using one of the following alternatives: - +``` dd bs=512 count=<number> if=/dev/zero of=<device> - - +``` +``` head -c <number * 512> /dev/zero > /dev/<device> - +``` LUKS2: (warning, untested! Remember that backup?) This assumes the 
@@ -882,25 +907,24 @@ A. Contributors segment. 01) Determine the data-segment offset using luksDump, same as above for LUKS1: - +``` cryptsetup luksDump <device with LUKS container> -> ... Data segments: 0: crypt offset: <number> [bytes] ... - +``` 02) Overwrite the stated number of bytes from the start of the device. Just to give yet another way to get a defined number of zeros: - +``` head -c <number> /dev/zero > /dev/<device> +``` + +# 3. Common Problems -3. Common Problems - - - * 3.1 My dm-crypt/LUKS mapping does not work! What general steps - are there to investigate the problem? + * **3.1 My dm-crypt/LUKS mapping does not work! What general steps are there to investigate the problem?** If you get a specific error message, investigate what it claims first. If not, you may want to check the following things. @@ -918,15 +942,14 @@ A. Contributors kernel. The output of "cat /proc/crypto" needs to list them. - * 3.2 My dm-crypt mapping suddenly stopped when upgrading cryptsetup. + * **3.2 My dm-crypt mapping suddenly stopped when upgrading cryptsetup.** The default cipher, hash or mode may have changed (the mode changed from 1.0.x to 1.1.x). See under "Issues With Specific Versions of cryptsetup". - * 3.3 When I call cryptsetup from cron/CGI, I get errors about - unknown features? + * **3.3 When I call cryptsetup from cron/CGI, I get errors about unknown features?** If you get errors about unknown parameters or the like that are not present when cryptsetup is called from the shell, make sure you have no @@ -937,7 +960,7 @@ A. Contributors non-shell mechanism to be sure the right version gets called. - * 3.4 Unlocking a LUKS device takes very long. Why? + * **3.4 Unlocking a LUKS device takes very long. Why?** The unlock time for a key-slot (see Section 5 for an explanation what iteration does) is calculated when setting a passphrase. By default it 
@@ -962,8 +985,7 @@ A. Contributors relevant. - * 3.5 "blkid" sees a LUKS UUID and an ext2/swap UUID on the same - device. What is wrong? + * **3.5 "blkid" sees a LUKS UUID and an ext2/swap UUID on the same device. What is wrong?** Some old versions of cryptsetup have a bug where the header does not get completely wiped during LUKS format and an older ext2/swap signature @@ -971,16 +993,25 @@ A. Contributors Fix: Wipe the unused header areas by doing a backup and restore of the header with cryptsetup 1.1.x or later: - +``` cryptsetup luksHeaderBackup --header-backup-file <file> <device> cryptsetup luksHeaderRestore --header-backup-file <file> <device> +``` + + * **3.6 I see a data corruption with the Intel QAT kernel driver; why?** + + Intel QAT crypto API drivers have severe bugs that are not fixed for years. + + If you see data corruption, please disable the QAT in the BIOS or avoid loading + kernel Intel QAT drivers (switch to software crypto implementation or AES-NI). + + For more info, see posts in dm-devel list https://lore.kernel.org/dm-devel/?q=intel+qat - -4. Troubleshooting +# 4. Troubleshooting - * 4.1 I get the error "LUKS keyslot x is invalid." What does that mean? + * **4.1 I get the error "LUKS keyslot x is invalid." What does that mean?** For LUKS1, this means that the given keyslot has an offset that points outside the valid keyslot area. Typically, the reason is a corrupted @@ -991,7 +1022,7 @@ A. Contributors trouble diagnosing and (if still possible) repairing this. - * 4.2 I cannot unlock my LUKS container! What could be the problem? + * **4.2 I cannot unlock my LUKS container! What could be the problem?** First, make sure you have a correct passphrase. Then make sure you have the correct key-map and correct keyboard. And then make sure you have 
@@ -1008,7 +1039,7 @@ A. Contributors that is intact. In order to find out whether a key-slot is damaged one has to look for - "non-random looking" data in it. There is a tool that automatizes this + "non-random looking" data in it. There is a tool that automates this for LUKS1 in the cryptsetup distribution from version 1.6.0 onwards. It is located in misc/keyslot_checker/. Instructions how to use and how to interpret results are in the README file. Note that this tool requires @@ -1021,7 +1052,7 @@ A. Contributors from cryptsetup >= 1.6.0 again to fix this. - * 4.3 Can a bad RAM module cause problems? + * **4.3 Can a bad RAM module cause problems?** LUKS and dm-crypt can give the RAM quite a workout, especially when combined with software RAID. In particular the combination RAID5 + @@ -1033,9 +1064,9 @@ A. Contributors Note: One thing you should always do on large data copying or movements is to run a verify, for example with the "-d" option of "tar" or by doing a set of MD5 checksums on the source or target with - +``` find . -type f -exec md5sum \{\} \; > checksum-file - +``` and then a "md5sum -c checksum-file" on the other side. If you get mismatches here, RAM is the primary suspect. A lesser suspect is an overclocked CPU. I have found countless hardware problems in verify @@ -1061,7 +1092,7 @@ A. Contributors and copied data to be suspect, unless you did a verify. - * 4.4 How do I test RAM? + * **4.4 How do I test RAM?** First you should know that overclocking often makes memory problems worse. So if you overclock (which I strongly recommend against in a 
@@ -1094,17 +1125,17 @@ A. Contributors settings to the most conservative ones available and try with that. - * 4.5 Is there a risk using debugging tools like strace? + * **4.5 Is there a risk using debugging tools like strace?** There most definitely is. A dump from strace and friends can contain all data entered, including the full passphrase. Example with strace and passphrase "test": - +``` > strace cryptsetup luksOpen /dev/sda10 c1 ... read(6, "test\n", 512) = 5 ... - +``` Depending on different factors and the tool used, the passphrase may also be encoded and not plainly visible. Hence it is never a good idea to give such a trace from a live container to anybody. Recreate the @@ -1117,10 +1148,10 @@ A. Contributors others. -5. Security Aspects +# 5. Security Aspects - * 5.1 How long is a secure passphrase? + * **5.1 How long is a secure passphrase?** This is just the short answer. For more info and explanation of some of the terms used in this item, read the rest of Section 5. The actual @@ -1142,9 +1173,9 @@ A. Contributors That said, it does not matter too much what scheme you use, but it does matter how much entropy your passphrase contains, because an attacker has to try on average - +``` 1/2 * 2^(bits of entropy in passphrase) - +``` different passphrases to guess correctly. Historically, estimations tended to use computing time estimates, but @@ -1161,7 +1192,7 @@ A. Contributors More references can be found at the end of this document. Note that these are estimates from the defender side, so assuming something is - easier than it actually is is fine. An attacker may still have + easier than it actually is fine. An attacker may still have significantly higher cost than estimated here. LUKS1 used SHA1 (since version 1.7.0 it uses SHA256) for hashing per 
@@ -1169,9 +1200,9 @@ A. Contributors a key-slot. I will assume a useful lifetime of the hardware of 2 years. (This is on the low side.) Disregarding downtime, the machine can then break - +``` N = 68*10^9 * 3600 * 24 * 365 * 2 ~ 4*10^18 - +``` passphrases for EUR/USD 23k. That is one 62 bit passphrase hashed once with SHA1 for EUR/USD 23k. This can be parallelized, it can be done faster than 2 years with several of these machines. @@ -1183,7 +1214,7 @@ A. Contributors For plain dm-crypt (no hash iteration) this is it. This gives (with SHA1, plain dm-crypt default is ripemd160 which seems to be slightly slower than SHA1): - +``` Passphrase entropy Cost to break 60 bit EUR/USD 6k 65 bit EUR/USD 200K @@ -1192,14 +1223,14 @@ A. Contributors 80 bit EUR/USD 6B 85 bit EUR/USD 200B ... ... - +``` For LUKS1, you have to take into account hash iteration in PBKDF2. For a current CPU, there are about 100k iterations (as can be queried with ''cryptsetup luksDump''. The table above then becomes: - +``` Passphrase entropy Cost to break 50 bit EUR/USD 600k 55 bit EUR/USD 20M @@ -1208,7 +1239,7 @@ A. Contributors 70 bit EUR/USD 600B 75 bit EUR/USD 20T ... ... - +``` Recommendation: @@ -1231,7 +1262,7 @@ A. Contributors random English sentence. - * 5.2 Is LUKS insecure? Everybody can see I have encrypted data! + * **5.2 Is LUKS insecure? Everybody can see I have encrypted data!** In practice it does not really matter. In most civilized countries you can just refuse to hand over the keys, no harm done. In some countries @@ -1269,7 +1300,7 @@ A. Contributors between "plain" and LUKS format?" - * 5.3 Should I initialize (overwrite) a new LUKS/dm-crypt partition? + * **5.3 Should I initialize (overwrite) a new LUKS/dm-crypt partition?** If you just create a filesystem on it, most of the old data will still be there. If the old data is sensitive, you should overwrite it before 
@@ -1278,26 +1309,26 @@ A. Contributors determine how much and where on the partition data was written. If you think this is a risk, you can prevent this by overwriting the encrypted device (here assumed to be named "e1") with zeros like this: - +``` dd_rescue -w /dev/zero /dev/mapper/e1 - +``` or alternatively with one of the following more standard commands: - +``` cat /dev/zero > /dev/mapper/e1 dd if=/dev/zero of=/dev/mapper/e1 +``` - - * 5.4 How do I securely erase a LUKS container? + * **5.4 How do I securely erase a LUKS container?** For LUKS, if you are in a desperate hurry, overwrite the LUKS header and key-slot area. For LUKS1 and LUKS2, just be generous and overwrite the first 100MB. A single overwrite with zeros should be enough. If you anticipate being in a desperate hurry, prepare the command beforehand. Example with /dev/sde1 as the LUKS partition and default parameters: - +``` head -c 100000000 /dev/zero > /dev/sde1; sync - +``` A LUKS header backup or full backup will still grant access to most or all data, so make sure that an attacker does not have access to backups or destroy them as well. @@ -1323,12 +1354,12 @@ A. Contributors Example for a random-overwrite erase of partition sde1 done with dd_rescue: - +``` dd_rescue -w /dev/urandom /dev/sde1 +``` - - * 5.5 How do I securely erase a backup of a LUKS partition or header? + * **5.5 How do I securely erase a backup of a LUKS partition or header?** That depends on the medium it is stored on. For HDD and SSD, use overwrite with random data. For an SSD, FLASH drive (USB stick) hybrid 
@@ -1353,12 +1384,12 @@ A. Contributors ashes to a fine powder. A blender and water also works nicely. - * 5.6 What about backup? Does it compromise security? + * **5.6 What about backup? Does it compromise security?** That depends. See item 6.7. - * 5.7 Why is all my data permanently gone if I overwrite the LUKS header? + * **5.7 Why is all my data permanently gone if I overwrite the LUKS header?** Overwriting the LUKS header in part or in full is the most common reason why access to LUKS containers is lost permanently. Overwriting can be @@ -1380,8 +1411,8 @@ A. Contributors If your header does not contain an intact key-slot salt, best go directly to the last stage ("Acceptance") and think about what to do now. There is one exception that I know of: If your LUKS1 container is - still open, then it may be possible to extract the master key from the - running system. See Item "How do I recover the master key from a mapped + still open, then it may be possible to extract the volume key from the + running system. See Item "How do I recover the volume key from a mapped LUKS1 container?" in Section "Backup and Data Recovery". For LUKS2, things are both better and worse. First, the salts are in a @@ -1391,7 +1422,7 @@ A. Contributors how much effort that needs. - * 5.8 What is a "salt"? + * **5.8 What is a "salt"?** A salt is a random key-grade value added to the passphrase before it is processed. It is not kept secret. The reason for using salts is as @@ -1417,7 +1448,7 @@ A. Contributors value (256 bit, e.g.) this is quite infeasible. - * 5.9 Is LUKS secure with a low-entropy (bad) passphrase? + * **5.9 Is LUKS secure with a low-entropy (bad) passphrase?** Short answer: yes. Do not use a low-entropy passphrase. 
@@ -1438,9 +1469,9 @@ A. Contributors Now, if n is the number of bits of entropy in your passphrase and t is the time it takes to process a passphrase in order to open the LUKS container, then an attacker has to spend at maximum - +``` attack_time_max = 2^n * t - +``` time for a successful attack and on average half that. There is no way getting around that relationship. However, there is one thing that does help, namely increasing t, the time it takes to use a passphrase, see @@ -1471,7 +1502,7 @@ A. Contributors passphrase material. - * 5.10 What is "iteration count" and why is decreasing it a bad idea? + * **5.10 What is "iteration count" and why is decreasing it a bad idea?** LUKS1: Iteration count is the number of PBKDF2 iterations a passphrase is put @@ -1537,7 +1568,7 @@ A. Contributors is the only main difference. - * 5.11 Some people say PBKDF2 is insecure? + * **5.11 Some people say PBKDF2 is insecure?** There is some discussion that a hash-function should have a "large memory" property, i.e. that it should require a lot of memory to be 
@@ -1561,24 +1592,24 @@ A. Contributors and massively reduces the advantages of GPUs and FPGAs. - * 5.12 What about iteration count with plain dm-crypt? + * **5.12 What about iteration count with plain dm-crypt?** Simple: There is none. There is also no salting. If you use plain dm-crypt, the only way to be secure is to use a high entropy passphrase. If in doubt, use LUKS instead. - * 5.13 Is LUKS with default parameters less secure on a slow CPU? + * **5.13 Is LUKS with default parameters less secure on a slow CPU?** Unfortunately, yes. However the only aspect affected is the protection - for low-entropy passphrase or master-key. All other security aspects + for low-entropy passphrase or volume-key. All other security aspects are independent of CPU speed. - The master key is less critical, as you really have to work at it to + The volume key is less critical, as you really have to work at it to give it low entropy. One possibility to mess this up is to supply the - master key yourself. If that key is low-entropy, then you get what you + volume key yourself. If that key is low-entropy, then you get what you deserve. The other known possibility to create a LUKS container with a - bad master key is to use /dev/urandom for key generation in an + bad volume key is to use /dev/urandom for key generation in an entropy-starved situation (e.g. automatic installation on an embedded device without network and other entropy sources or installation in a VM under certain circumstances). @@ -1597,7 +1628,7 @@ A. Contributors times at the expected values though at this CPU speed. - * 5.14 Why was the default aes-cbc-plain replaced with aes-cbc-essiv? + * **5.14 Why was the default aes-cbc-plain replaced with aes-cbc-essiv?** Note: This item applies both to plain dm-crypt and to LUKS 
@@ -1626,7 +1657,7 @@ A. Contributors
 and the watermarking attack fails. - * 5.15 Are there any problems with "plain" IV? What is "plain64"? + * **5.15 Are there any problems with "plain" IV? What is "plain64"?** First, "plain" and "plain64" are both not secure to use with CBC, see previous FAQ item. 
@@ -1642,7 +1673,7 @@ A. Contributors
 performance penalty compared to "plain". - * 5.16 What about XTS mode? + * **5.16 What about XTS mode?** XTS mode is potentially even more secure than cbc-essiv (but only if cbc-essiv is insecure in your scenario). It is a NIST standard and 
@@ -1650,19 +1681,19 @@ A. Contributors
 aes-xts-plain64 is the default for LUKS. If you want to use it with a cryptsetup before version 1.6.0 or with plain dm-crypt, you have to specify it manually as "aes-xts-plain", i.e. - +``` cryptsetup -c aes-xts-plain luksFormat <device> - +``` For volumes >2TiB and kernels >= 2.6.33 use "plain64" (see FAQ item on "plain" and "plain64"): - +``` cryptsetup -c aes-xts-plain64 luksFormat <device> - +``` There is a potential security issue with XTS mode and large blocks. LUKS and dm-crypt always use 512B blocks and the issue does not apply. - * 5.17 Is LUKS FIPS-140-2 certified? + * **5.17 Is LUKS FIPS-140-2 certified?** No. But that is more a problem of FIPS-140-2 than of LUKS. From a technical point-of-view, LUKS with the right parameters would be 
@@ -1673,11 +1704,11 @@ A. Contributors
 From the aspect of actual security, LUKS with default parameters should be as good as most things that are FIPS-140-2 certified, although you may want to make sure to use /dev/random (by specifying --use-random on - luksFormat) as randomness source for the master key to avoid being + luksFormat) as randomness source for the volume key to avoid being potentially insecure in an entropy-starved situation. - * 5.18 What about Plausible Deniability? + * **5.18 What about Plausible Deniability?** First let me attempt a definition for the case of encrypted filesystems: Plausible deniability is when you store data inside an encrypted 
@@ -1756,7 +1787,7 @@ A. Contributors
 can figure out how to do it yourself. - * 5.19 What about SSDs, Flash, Hybrid and SMR Drives? + * **5.19 What about SSDs, Flash, Hybrid and SMR Drives?** The problem is that you cannot reliably erase parts of these devices, mainly due to wear-leveling and possibly defect management and delayed 
@@ -1824,7 +1855,7 @@ A. Contributors
 does a targeted laptop theft to get at your data, you should be fine. - * 5.20 LUKS1 is broken! It uses SHA-1! + * **5.20 LUKS1 is broken! It uses SHA-1!** No, it is not. SHA-1 is (academically) broken for finding collisions, but not for using it in a key-derivation function. And that collision 
@@ -1833,11 +1864,11 @@ A. Contributors
 This basically means that if you already have a slot-key, and you have set the PBKDF2 iteration count to 1 (it is > 10'000 normally), you could - (maybe) derive a different passphrase that gives you the the same - slot-key. But if you have the slot-key, you can already unlock the - key-slot and get the master key, breaking everything. So basically, - this SHA-1 vulnerability allows you to open a LUKS1 container with high - effort when you already have it open. + (maybe) derive a different passphrase that gives you the same slot-key. + But if you have the slot-key, you can already unlock the key-slot and + get the volume key, breaking everything. So basically, this SHA-1 + vulnerability allows you to open a LUKS1 container with high effort when + you already have it open. The real problem here is people that do not understand crypto and claim things are broken just because some mechanism is used that has been 
@@ -1850,7 +1881,7 @@ A. Contributors
 where SHA-1 is completely phased out or disabled by a security policy. - * 5.21 Why is there no "Nuke-Option"? + * **5.21 Why is there no "Nuke-Option"?** A "Nuke-Option" or "Kill-switch" is a password that when entered upon unlocking instead wipes the header and all passwords. So when somebody 
@@ -1902,7 +1933,7 @@ A. Contributors
 me know. - * 5.22 Does cryptsetup open network connections to websites, etc. ? + * **5.22 Does cryptsetup open network connections to websites, etc. ?** This question seems not to make much sense at first glance, but here is an example form the real world: The TrueCrypt GUI has a "Donation" 
@@ -1922,10 +1953,35 @@ A. Contributors
 connection by the user and cryptsetup will stay true to that principle. -6. Backup and Data Recovery + * **5.23 What is cryptsetup CVE-2021-4122?** + + CVE-2021-4122 describes a possible attack against data confidentiality + through LUKS2 online reencryption extension crash recovery. + + An attacker can modify on-disk metadata to simulate decryption in + progress with crashed (unfinished) reencryption step and persistently + decrypt part of the LUKS device. + + This attack requires repeated physical access to the LUKS device but + no knowledge of user passphrases. + + The decryption step is performed after a valid user activates + the device with a correct passphrase and modified metadata. + There are no visible warnings for the user that such recovery happened + (except using the luksDump command). The attack can also be reversed + afterward (simulating crashed encryption from a plaintext) with + possible modification of revealed plaintext. + + The problem was fixed in cryptsetup version 2.4.3 and 2.3.7. + + For more info, please see the report here: + https://seclists.org/oss-sec/2022/q1/34 - * 6.1 Why do I need Backup? +# 6. Backup and Data Recovery + + + * **6.1 Why do I need Backup?** First, disks die. The rate for well-treated (!) disk is about 5% per year, which is high enough to worry about. There is some indication 
@@ -1944,40 +2000,40 @@ A. Contributors
 an update if you change passphrases. - * 6.2 How do I backup a LUKS header? + * **6.2 How do I backup a LUKS header?** While you could just copy the appropriate number of bytes from the start of the LUKS partition, the best way is to use command option "luksHeaderBackup" of cryptsetup. This protects also against errors when non-standard parameters have been used in LUKS partition creation. Example: - +``` cryptsetup luksHeaderBackup --header-backup-file <file> <device> - +``` To restore, use the inverse command, i.e. - +``` cryptsetup luksHeaderRestore --header-backup-file <file> <device> - +``` If you are unsure about a header to be restored, make a backup of the current one first! You can also test the header-file without restoring it by using the --header option for a detached header like this: - +``` cryptsetup --header <file> luksOpen <device> </dev/mapper/name> - +``` If that unlocks your key-slot, you are good. Do not forget to close the device again. Under some circumstances (damaged header), this fails. Then use the following steps in case it is LUKS1: - First determine the master-key size: - + First determine the volume (volume) key size: +``` cryptsetup luksDump <device> - +``` gives a line of the form - +``` MK bits: <bits> - +``` with bits equal to 256 for the old defaults and 512 for the new defaults. 256 bits equals a total header size of 1'052'672 Bytes and 512 bits one of 2MiB. (See also Item 6.12) If luksDump fails, assume 
@@ -1988,38 +2044,38 @@ A. Contributors
 Second, dump the header to file. There are many ways to do it, I prefer the following: - +``` head -c 1052672 <device> > header_backup.dmp - +``` or - +``` head -c 2M <device> > header_backup.dmp - +``` for a 2MiB header. Verify the size of the dump-file to be sure. To restore such a backup, you can try luksHeaderRestore or do a more basic - +``` cat header_backup.dmp > <device> +``` - - * 6.3 How do I test for a LUKS header? + * **6.3 How do I test for a LUKS header?** Use - +``` cryptsetup -v isLuks <device> - +``` on the device. Without the "-v" it just signals its result via exit-status. You can also use the more general test - +``` blkid -p <device> - +``` which will also detect other types and give some more info. Omit "-p" for old versions of blkid that do not support it. - * 6.4 How do I backup a LUKS or dm-crypt partition? + * **6.4 How do I backup a LUKS or dm-crypt partition?** There are two options, a sector-image and a plain file or filesystem backup of the contents of the partition. The sector image is already 
@@ -2031,10 +2087,10 @@ A. Contributors
 LUKS the LUKS header, the keys-slots and the data area. It can be done under Linux e.g. with dd_rescue (for a direct image copy) and with "cat" or "dd". Examples: - +``` cat /dev/sda10 > sda10.img dd_rescue /dev/sda10 sda10.img - +``` You can also use any other backup software that is capable of making a sector image of a partition. Note that compression is ineffective for encrypted data, hence it does not make sense to use it. 
@@ -2043,22 +2099,22 @@ A. Contributors
 and back it up as you would a normal filesystem. In this case the backup is not encrypted, unless your encryption method does that. For example you can encrypt a backup with "tar" as follows with GnuPG: - +``` tar cjf - <path> | gpg --cipher-algo AES -c - > backup.tbz2.gpg - +``` And verify the backup like this if you are at "path": - +``` cat backup.tbz2.gpg | gpg - | tar djf - - +``` Note: Always verify backups, especially encrypted ones! There is one problem with verifying like this: The kernel may still have some files cached and in fact verify them against RAM or may even verify RAM against RAM, which defeats the purpose of the exercise. The following command empties the kernel caches: - +``` echo 3 > /proc/sys/vm/drop_caches - +``` Run it after backup and before verify. In both cases GnuPG will ask you interactively for your symmetric key. 
@@ -2083,8 +2139,7 @@ A. Contributors
 mounted containers. Also see next item. - * 6.5 Do I need a backup of the full partition? Would the header - and key-slots not be enough? + * **6.5 Do I need a backup of the full partition? Would the header and key-slots not be enough?** Backup protects you against two things: Disk loss or corruption and user error. By far the most questions on the dm-crypt mailing list about how 
@@ -2098,23 +2153,23 @@ A. Contributors
 against this case. - * 6.6 What do I need to backup if I use "decrypt_derived"? + * **6.6 What do I need to backup if I use "decrypt_derived"?** This is a script in Debian, intended for mounting /tmp or swap with a - key derived from the master key of an already decrypted device. If you + key derived from the volume key of an already decrypted device. If you use this for an device with data that should be persistent, you need to - make sure you either do not lose access to that master key or have a + make sure you either do not lose access to that volume key or have a backup of the data. If you derive from a LUKS device, a header backup - of that device would cover backing up the master key. Keep in mind that + of that device would cover backing up the volume key. Keep in mind that this does not protect against disk loss. Note: If you recreate the LUKS header of the device you derive from - (using luksFormat), the master key changes even if you use the same + (using luksFormat), the volume key changes even if you use the same passphrase(s) and you will not be able to decrypt the derived device with the new LUKS header. - * 6.7 Does a backup compromise security? + * **6.7 Does a backup compromise security?** Depends on how you do it. However if you do not have one, you are going to eventually lose your encrypted data. 
@@ -2149,8 +2204,7 @@ A. Contributors
 control...) - * 6.8 What happens if I overwrite the start of a LUKS partition or - damage the LUKS header or key-slots? + * **6.8 What happens if I overwrite the start of a LUKS partition or damage the LUKS header or key-slots?** There are two critical components for decryption: The salt values in the key-slot descriptors of the header and the key-slots. For LUKS2 they 
@@ -2164,7 +2218,7 @@ A. Contributors
 locations of its 128kiB size is quite enough. - * 6.9 What happens if I (quick) format a LUKS partition? + * **6.9 What happens if I (quick) format a LUKS partition?** I have not tried the different ways to do this, but very likely you will have written a new boot-sector, which in turn overwrites the LUKS 
@@ -2174,7 +2228,7 @@ A. Contributors
 also damage the key-slots in part or in full. See also last item. - * 6.10 How do I recover the master key from a mapped LUKS1 container? + * **6.10 How do I recover the volume key from a mapped LUKS1 container?** Note: LUKS2 uses the kernel keyring to store keys and hence this procedure does not work unless you have explicitly disabled the use of 
@@ -2187,44 +2241,44 @@ A. Contributors
 WARNING: Things go wrong, do a full backup before trying this! - WARNING: This exposes the master key of the LUKS1 container. Note that - both ways to recreate a LUKS header with the old master key described - below will write the master key to disk. Unless you are sure you have + WARNING: This exposes the volume key of the LUKS1 container. Note that + both ways to recreate a LUKS header with the old volume key described + below will write the volume key to disk. Unless you are sure you have securely erased it afterwards, e.g. by writing it to an encrypted partition, RAM disk or by erasing the filesystem you wrote it to by a - complete overwrite, you should change the master key afterwards. - Changing the master key requires a full data backup, luksFormat and then + complete overwrite, you should change the volume key afterwards. + Changing the volume key requires a full data backup, luksFormat and then restore of the backup. Alternatively the tool cryptsetup-reencrypt from - the cryptsetup package can be used to change the master key (see its + the cryptsetup package can be used to change the volume key (see its man-page), but a full backup is still highly recommended. First, there is a script by Milan that automates the whole process, - except generating a new LUKS1 header with the old master key (it prints + except generating a new LUKS1 header with the old volume key (it prints the command for that though): - https://gitlab.com/cryptsetup/cryptsetup/blob/master/misc/luks-header-from-active + https://gitlab.com/cryptsetup/cryptsetup/blob/main/misc/luks-header-from-active You can also do this manually. Here is how: - - Get the master key from the device mapper. This is done by the + - Get the volume key from the device mapper. This is done by the following command. 
Substitute c5 for whatever you mapped to: - +``` # dmsetup table --target crypt --showkey /dev/mapper/c5 Result: 0 200704 crypt aes-cbc-essiv:sha256 a1704d9715f73a1bb4db581dcacadaf405e700d591e93e2eaade13ba653d0d09 0 7:0 4096 - +``` The result is actually one line, wrapped here for clarity. The long - hex string is the master key. + hex string is the volume key. - - Convert the master key to a binary file representation. You can do + - Convert the volume key to a binary file representation. You can do this manually, e.g. with hexedit. You can also use the tool "xxd" from vim like this: - - echo "a1704d9....53d0d09" | xxd -r -p > <master-key-file> - +``` + echo "a1704d9....53d0d09" | xxd -r -p > <volume-key-file> +``` - Do a luksFormat to create a new LUKS1 header. 
@@ -2232,26 +2286,26 @@ A. Contributors
 you can just set a new passphrase, see next sub-item. Unmap the device before you do that (luksClose). Then do - - cryptsetup luksFormat --master-key-file=<master-key-file> <luks device> - +``` + cryptsetup luksFormat --volume-key-file=<volume-key-file> <luks device> +``` Note that if the container was created with other than the default settings of the cryptsetup version you are using, you need to give additional parameters specifying the deviations. If in doubt, try the script by Milan. It does recover the other parameters as well. - Side note: This is the way the decrypt_derived script gets at the master - key. It just omits the conversion and hashes the master key string. + Side note: This is the way the decrypt_derived script gets at the volume + key. It just omits the conversion and hashes the volume key string. - If the header is intact and you just forgot the passphrase, just set a new passphrase like this: - - cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device> - +``` + cryptsetup luksAddKey --volume-key-file=<volume-key-file> <luks device> +``` You may want to disable the old one afterwards. - * 6.11 What does the on-disk structure of dm-crypt look like? + * **6.11 What does the on-disk structure of dm-crypt look like?** There is none. dm-crypt takes a block device and gives encrypted access to each of its blocks with a key derived from the passphrase given. If 
@@ -2263,7 +2317,7 @@ A. Contributors
 limited to the area you overwrote. - * 6.12 What does the on-disk structure of LUKS1 look like? + * **6.12 What does the on-disk structure of LUKS1 look like?** Note: For LUKS2, refer to the LUKS2 document referenced in Item 1.2 
@@ -2273,7 +2327,7 @@ A. Contributors
 Header and key-slot descriptors fill the first 592 bytes. The key-slot size depends on the creation parameters, namely on the number of - anti-forensic stripes, key material offset and master key size. + anti-forensic stripes, key material offset and volume key size. With the default parameters, each key-slot is a bit less than 128kiB in size. Due to sector alignment of the key-slot start, that means the key 
@@ -2305,7 +2359,7 @@ A. Contributors
 The spec counts key-slots from 1 to 8, but the cryptsetup tool counts from 0 to 7. The numbers here refer to the cryptsetup numbers. - +``` Refers to LUKS1 On-Disk Format Specification Version 1.2.3 LUKS1 header: 
@@ -2326,7 +2380,7 @@ offset length name data type description
 104 4 (512 bytes per sector) 0x006c 0x04 key-bytes uint32_t number of bytes in key 108 4 -0x0070 0x14 mk-digest byte[] master key checksum +0x0070 0x14 mk-digest byte[] volume key checksum 112 20 calculated with PBKDF2 0x0084 0x20 mk-digest-salt byte[] salt for PBKDF2 when 132 32 calculating mk-digest 
@@ -2366,10 +2420,10 @@ offset length name data type description
 40 4 (512 bytes/sector) 0x002c 0x04 stripes uint32_t number of anti-forensic 44 4 stripes +``` - - * 6.13 What is the smallest possible LUKS1 container? + * **6.13 What is the smallest possible LUKS1 container?** Note: From cryptsetup 1.3 onwards, alignment is set to 1MB. With modern Linux partitioning tools that also align to 1MB, this will result in 
@@ -2404,23 +2458,23 @@ offset length name data type description
 has to be considered insecure today. Example 1 - AES 128 bit with CBC: - +``` cryptsetup luksFormat -s 128 --align-payload=8 <device> - +``` This results in a data offset of 0x81000, i.e. 516KiB or 528384 bytes. Add one 512 byte sector and the smallest LUKS container size with these parameters is 516KiB + 512B or 528896 bytes. Example 2 - Blowfish 64 bit with CBC (WARNING: insecure): - +``` cryptsetup luksFormat -c blowfish -s 64 --align-payload=8 /dev/loop0 - +``` This results in a data offset of 0x41000, i.e. 260kiB or 266240 bytes, with a minimal LUKS1 container size of 260kiB + 512B or 266752 bytes. - * 6.14 I think this is overly complicated. Is there an alternative? + * **6.14 I think this is overly complicated. Is there an alternative?** Not really. Encryption comes at a price. You can use plain dm-crypt to simplify things a bit. It does not allow multiple passphrases, but on 
@@ -2428,15 +2482,15 @@ offset length name data type description
 part of a plain dm-crypt partition, exactly the overwritten parts are lost (rounded up to full sectors). - * 6.15 Can I clone a LUKS container? + * **6.15 Can I clone a LUKS container?** You can, but it breaks security, because the cloned container has the - same header and hence the same master key. Even if you change the - passphrase(s), the master key stays the same. That means whoever has + same header and hence the same volume key. Even if you change the + passphrase(s), the volume key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases. - While you can use cryptsetup-reencrypt to change the master key, + While you can use cryptsetup-reencrypt to change the volume key, this is probably more effort than to create separate LUKS containers in the first place. 
@@ -2449,14 +2503,39 @@ offset length name data type description
 Note that if you need to ship (e.g.) cloned LUKS containers with a default passphrase, that is fine as long as each container was - individually created (and hence has its own master key). In this case, + individually created (and hence has its own volume key). In this case, changing the default passphrase will make it secure again. - -7. Interoperability with other Disk Encryption Tools + * **6.16 How to convert the printed volume key to a raw one?** + A volume key printed via something like: +``` + cryptsetup --dump-volume-key luksDump /dev/<device> >volume-key +``` +(i.e. without using `--volume-key-file`), which gives something like: +``` +LUKS header information for /dev/<device> +Cipher name: aes +Cipher mode: xts-plain64 +Payload offset: 32768 +UUID: 6e914442-e8b5-4eb5-98c4-5bf0cf17ecad +MK bits: 512 +MK dump: e0 3f 15 c2 0f e5 80 ab 35 b4 10 03 ae 30 b9 5d + 4c 0d 28 9e 1b 0f e3 b0 50 57 ef d4 4d 53 a0 12 + b7 4e 43 a1 20 7e c5 02 1f f1 f5 08 04 3c f5 20 + a6 0b 23 f6 7b 53 55 aa 22 d8 aa 02 e0 2f d5 04 +``` +can be converted to the raw volume key for example via: +``` + sed -E -n '/^MK dump:\t/,/^[^\t]/{0,/^MK dump:\t/s/^MK dump://; /^([^\t].*)?$/q; s/\t+//p;};' volume-key | xxd -r -p +``` - * 7.1 What is this section about? + + +# 7. Interoperability with other Disk Encryption Tools + + + * **7.1 What is this section about?** Cryptsetup for plain dm-crypt can be used to access a number of on-disk formats created by tools like loop-aes patched into losetup. This 
@@ -2469,7 +2548,7 @@ offset length name data type description
 be interested, please email the FAQ maintainer. - * 7.2 loop-aes: General observations. + * **7.2 loop-aes: General observations.** One problem is that there are different versions of losetup around. loop-aes is a patch for losetup. Possible problems and deviations 
@@ -2494,44 +2573,44 @@ offset length name data type description
 that worked for somebody. - * 7.3 loop-aes patched into losetup on Debian 5.x, kernel 2.6.32 + * **7.3 loop-aes patched into losetup on Debian 5.x, kernel 2.6.32** In this case, the main problem seems to be that this variant of losetup takes the offset (-o option) in bytes, while cryptsetup takes it in sectors of 512 bytes each. Example: The losetup command - +``` losetup -e twofish -o 2560 /dev/loop0 /dev/sdb1 mount /dev/loop0 mount-point - +``` translates to - +``` cryptsetup create -c twofish -o 5 --skip 5 e1 /dev/sdb1 mount /dev/mapper/e1 mount-point +``` - - * 7.4 loop-aes with 160 bit key + * **7.4 loop-aes with 160 bit key** This seems to be sometimes used with twofish and blowfish and represents a 160 bit ripemed160 hash output padded to 196 bit key length. It seems the corresponding options for cryptsetup are - +``` --cipher twofish-cbc-null -s 192 -h ripemd160:20 +``` - - * 7.5 loop-aes v1 format OpenSUSE + * **7.5 loop-aes v1 format OpenSUSE** Apparently this is done by older OpenSUSE distros and stopped working from OpenSUSE 12.1 to 12.2. One user had success with the following: - +``` cryptsetup create <target> <device> -c aes -s 128 -h sha256 +``` - - * 7.6 Kernel encrypted loop device (cryptoloop) + * **7.6 Kernel encrypted loop device (cryptoloop)** There are a number of different losetup implementations for using encrypted loop devices so getting this to work may need a bit of 
@@ -2541,40 +2620,38 @@ offset length name data type description
 implementations are insecure and future support is uncertain. Example for a compatible mapping: - +``` losetup -e twofish -N /dev/loop0 /image.img - +``` translates to - +``` cryptsetup create image_plain /image.img -c twofish-cbc-plain -H plain - +``` with the mapping being done to /dev/mapper/image_plain instead of to /dev/loop0. More details: Cipher, mode and password hash (or no hash): - +``` -e cipher [-N] => -c cipher-cbc-plain -H plain [-s 256] -e cipher => -c cipher-cbc-plain -H ripemd160 [-s 256] - +``` Key size and offsets (losetup: bytes, cryptsetuop: sectors of 512 bytes): - +``` -k 128 => -s 128 -o 2560 => -o 5 -p 5 # 2560/512 = 5 - +``` There is no replacement for --pass-fd, it has to be emulated using keyfiles, see the cryptsetup man-page. -8. Issues with Specific Versions of cryptsetup +# 8. Issues with Specific Versions of cryptsetup - * 8.1 When using the create command for plain dm-crypt with - cryptsetup 1.1.x, the mapping is incompatible and my data is not - accessible anymore! + * **8.1 When using the create command for plain dm-crypt with cryptsetup 1.1.x, the mapping is incompatible and my data is not accessible anymore!** With cryptsetup 1.1.x, the distro maintainer can define different default encryption modes. You can check the compiled-in defaults using 
@@ -2584,14 +2661,14 @@ offset length name data type description
 If you are using a plain device and you need a compatible mode, just specify cipher, key size and hash algorithm explicitly. For compatibility with cryptsetup 1.0.x defaults, simple use the following: - +``` cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 <name> <dev> - +``` LUKS stores cipher and mode in the metadata on disk, avoiding this problem. - * 8.2 cryptsetup on SLED 10 has problems... + * **8.2 cryptsetup on SLED 10 has problems...** SLED 10 is missing an essential kernel patch for dm-crypt, which is broken in its kernel as a result. There may be a very old version of 
@@ -2599,7 +2676,7 @@ offset length name data type description
 anymore as well. My advice would be to drop SLED 10. - * 8.3 Gcrypt 1.6.x and later break Whirlpool + * **8.3 Gcrypt 1.6.x and later break Whirlpool** It is the other way round: In gcrypt 1.5.x, Whirlpool is broken and it was fixed in 1.6.0 and later. If you selected whirlpool as hash on 
@@ -2623,17 +2700,17 @@ offset length name data type description
 - Make sure you have cryptsetup 1.6.4 or later and check the gcrypt version: - +``` cryptsetup luksDump <your luks device> --debug | grep backend - +``` If gcrypt is at version 1.5.x or before: - Reencrypt the LUKS header with a different hash. (Requires entering all keyslot passphrases. If you do not have all, remove the ones you do not have before.): - +``` cryptsetup-reencrypt --keep-key --hash sha256 <your luks device> - +``` If gcrypt is at version 1.6.1 or later: - Patch the hash name in the LUKS header from "whirlpool" to 
@@ -2641,9 +2718,9 @@ offset length name data type description
 The detailed header layout is in Item 6.12 of this FAQ and in the LUKS on-disk format specification. One way to change the hash is with the following command: - +``` echo -n -e 'whirlpool_gcryptbug\0' | dd of=<luks device> bs=1 seek=72 conv=notrunc - +``` - You can now open the device again. It is highly advisable to change the hash now with cryptsetup-reencrypt as described above. While you can reencrypt to use the fixed whirlpool, that may not be a good idea 
@@ -2651,17 +2728,17 @@ offset length name data type description
 bug was discovered. -9. The Initrd question +# 9. The Initrd question - * 9.1 My initrd is broken with cryptsetup + * **9.1 My initrd is broken with cryptsetup** That is not nice! However the initrd is supplied by your distribution, not by the cryptsetup project and hence you should complain to them. We cannot really do anything about it. - * 9.2 CVE-2016-4484 says cryptsetup is broken! + * **9.2 CVE-2016-4484 says cryptsetup is broken!** Not really. It says the initrd in some Debian versions have a behavior that under some very special and unusual conditions may be considered 
@@ -2678,13 +2755,13 @@ offset length name data type description
 safe under these circumstances, then you have bigger problems than this somewhat expected behavior. - The CVE was exagerrated and should not be assigned to upstream + The CVE was exaggerated and should not be assigned to upstream cryptsetup in the first place (it is a distro specific initrd issue). It was driven more by a try to make a splash for self-aggrandizement, than by any actual security concerns. Ignore it. - * 9.3 How do I do my own initrd with cryptsetup? + * **9.3 How do I do my own initrd with cryptsetup?** Note: The instructions here apply to an initrd in initramfs format, not to an initrd in initrd format. The latter is a filesystem image, not a 
@@ -2700,9 +2777,9 @@ offset length name data type description
 A Linux initrd is in gzip'ed cpio format. To unpack it, use something like this: - - md tmp; cd tmp; cat ../initrd | gunzip | cpio -id - +``` + mkdir tmp; cd tmp; cat ../initrd | gunzip | cpio -id +``` After this, you have the full initrd content in tmp/ 02) Inspecting the init-script 
@@ -2715,10 +2792,10 @@ offset length name data type description
 in Debian the main init on the root partition is a binary, but the init in the initrd (and only that one is called by the kernel) is a script and starts like this: - +``` #!/bin/sh .... - +``` The "sh" used here is in tmp/bin/sh as just unpacked, and in Debian it currently is a busybox. 
@@ -2731,7 +2808,7 @@ offset length name data type description
 Here is a really minimal example. It does nothing but set up some things and then drop to an interactive shell. It is perfect to try out things that you want to go into the init-script. - +``` #!/bin/sh export PATH=/sbin:/bin [ -d /sys ] || mkdir /sys 
@@ -2741,7 +2818,7 @@ offset length name data type description
 mount -t proc -o nodev,noexec,nosuid proc /proc echo "initrd is running, starting BusyBox..." exec /bin/sh --login - +``` Here is an example that opens the first LUKS-partition it finds with the hard-coded password "test2" and then mounts it as root-filesystem. This 
@@ -2754,7 +2831,7 @@ offset length name data type description
 /dev/mapper/c1 /mnt/root". The second argument of switch_root is relative to the first argument, i.e. the init started with this command is really /mnt/sbin/init before switch_root runs. - +``` #!/bin/sh export PATH=/sbin:/bin [ -d /sys ] || mkdir /sys 
@@ -2796,7 +2873,7 @@ offset length name data type description
 done echo "FAIL finding root on LUKS, loading BusyBox..."; sleep 5 exec /bin/sh --login - +``` 04) What if I want a binary in the initrd, but libraries are missing? 
@@ -2820,19 +2897,19 @@ offset length name data type description
 the initrd is a kernel-parameter) and move to /boot. That is it. -10. LUKS2 Questions +# 10. LUKS2 Questions - * 10.1 Is the cryptography of LUKS2 different? + * **10.1 Is the cryptography of LUKS2 different?** Mostly not. The header has changed in its structure, but the - crytpgraphy is the same. The one exception is that PBKDF2 has been + cryptography is the same. The one exception is that PBKDF2 has been replaced by Argon2 to give better resilience against attacks by graphics cards and other hardware with lots of computing power but limited local memory per computing element. - * 10.2 What new features does LUKS2 have? + * **10.2 What new features does LUKS2 have?** There are quite a few. I recommend reading the man-page and the on-disk format specification, see Item 1.2. 
@@ -2845,13 +2922,13 @@ offset length name data type description
 - The LUKS2 header is less vulnerable to corruption and has a 2nd copy - * 10.3 Why does LUKS2 need so much memory? + * **10.3 Why does LUKS2 need so much memory?** LUKS2 uses Argon2 instead of PBKDF2. That causes the increase in memory. See next item. - * 10.4 Why use Argon2 in LUKS 2 instead of PBKDF2? + * **10.4 Why use Argon2 in LUKS 2 instead of PBKDF2?** LUKS tries to be secure with not-so-good passwords. Bad passwords need to be protected in some way against an attacker that just tries all possible 
@@ -2860,7 +2937,7 @@ offset length name data type description
 password stored in a database, but there are similarities. LUKS does not store passwords on disk. Instead, the passwords are used to - decrypt the master-key with it and that one is stored on disk in encrypted + decrypt the volume-key with it and that one is stored on disk in encrypted form. If you have a good password, with, say, more than 80 bits of entropy, you could just put the password through a single crypto-hash (to turn it into something that can be used as a key) and that would be secure. 
@@ -2895,7 +2972,7 @@ offset length name data type description low amount of memory used for Argon2 when creating the header. - * 10.5 LUKS2 is insecure! It uses less memory than the Argon2 RFC say! + * **10.5 LUKS2 is insecure! It uses less memory than the Argon2 RFC say!** Well, not really. The RFC recommends 6GiB of memory for use with disk encryption. That is a bit insane and something clearly went wrong in the @@ -2920,20 +2997,20 @@ offset length name data type description with any memory parameter. - * 10.6 How does re-encryption store data while it is running? + * **10.6 How does re-encryption store data while it is running?** All metadata necessary to perform a recovery of said segment (in case of crash) is stored in the LUKS2 metadata area. No matter if the LUKS2 reencryption was run in online or offline mode. - * 10.7 What do I do if re-encryption crashes? + * **10.7 What do I do if re-encryption crashes?** In case of a reencryption application crash, try to close the original device via following command first: - +``` cryptsetup close <my_crypt_device>. - +``` Cryptsetup assesses if it's safe to teardown the reencryption device stack or not. It will also cut off I/O (via dm-error mapping) to current hotzone segment (to make later recovery possible). If it can't be torn @@ -2943,8 +3020,7 @@ offset length name data type description could damage the data beyond repair. - * 10.8 Do I need to enter two passphrases to recover a crashed - re-encryption? + * **10.8 Do I need to enter two passphrases to recover a crashed re-encryption?** Cryptsetup (command line utility) expects the passphrases to be identical for the keyslot containing old volume key and for the keyslot containing 
@@ -2955,7 +3031,7 @@ offset length name data type description the "cryptsetup repair" command. - * 10.9 What is an unbound keyslot and what is it used for? + * **10.9 What is an unbound keyslot and what is it used for?** Quite simply, an 'unbound key' is an independent 'key' stored in a luks2 keyslot that cannot be used to unlock a LUKS2 data device. More specifically, @@ -2963,9 +3039,9 @@ offset length name data type description currently associated with any data/crypt segment (encrypted area) in the LUKS2 'Segments' section (displayed by luksDump). - This is a bit of a more general idea. It basically allows to use a keyslot - as a container for a key to be used in other things than decrypting a - data segment. + This is a bit of a more general idea. It basically allows one to use a + keyslot as a container for a key to be used in other things than decrypting + a data segment. As of April 2020, the following uses are defined: @@ -2983,7 +3059,7 @@ offset length name data type description (and bound to the respective crypt segment). - * 10.10 What about the size of the LUKS2 header? + * **10.10 What about the size of the LUKS2 header**? While the LUKS1 header has a fixed size that is determined by the cipher spec (see Item 6.12), LUKS2 is more variable. The default size is 16MB, @@ -2994,7 +3070,7 @@ offset length name data type description recreate the container with changed parameters and restore that backup. - * 10.11 Does LUKS2 store metadata anywhere except in the header? + * **10.11 Does LUKS2 store metadata anywhere except in the header?** It does not. But note that if you use the experimental integrity support, there will be an integrity header as well at the start of the data area 
@@ -3002,7 +3078,7 @@ offset length name data type description start of the device, nothing gets stored somewhere in the middle or at the end. - * 10.12 What is a LUKS2 Token? + * **10.12 What is a LUKS2 Token?** A LUKS2 token is an object that describes "how to get a passphrase or key" to unlock particular keyslot. A LUKS2 token is stored as json data @@ -3017,10 +3093,10 @@ offset length name data type description in the luks2 reference available as PDF on the project page. -11. References and Further Reading +# 11. References and Further Reading - * Purpose of this Section + * **Purpose of this Section** The purpose of this section is to collect references to all materials that do not fit the FAQ but are relevant in some fashion. This can be 
@@ -3037,43 +3113,43 @@ offset length name data type description At this time I would like to limit the references to things that are available on the web. - * Specifications + * **Specifications** - LUKS on-disk format spec: See Item 1.2 - * Other Documentation + * **Other Documentation** - Arch Linux on LUKS, LVM and full-disk encryption: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system - * Code Examples + * **Code Examples** - Some code examples are in the source package under docs/examples - LUKS AF Splitter in Ruby by John Lane: https://rubygems.org/gems/afsplitter - * Brute-forcing passphrases + * **Brute-forcing passphrases** - http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html - https://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes - * Tools + * **Tools** - * SSD and Flash Disk Related + * **SSD and Flash Disk Related** - * Disk Encryption + * **Disk Encryption** - * Attacks Against Disk Encryption + * **Attacks Against Disk Encryption** - * Risk Management as Relevant for Disk Encryption + * **Risk Management as Relevant for Disk Encryption** - * Cryptography + * **Cryptography** - * Secure Storage + * **Secure Storage** -A. Contributors +# A. Contributors In no particular order: - Arno Wagner diff --git a/Makefile.am b/Makefile.am index bba38ae..fb7cb18 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,5 @@ -EXTRA_DIST = README.md COPYING.LGPL FAQ docs misc autogen.sh -SUBDIRS = po tests +EXTRA_DIST = README.md COPYING.LGPL FAQ.md docs misc autogen.sh +SUBDIRS = po tests tests/fuzz CLEANFILES = DISTCLEAN_TARGETS = 
@@ -14,9 +14,15 @@ AM_CPPFLAGS = \ -DVERSION=\""$(VERSION)"\" \ -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\" AM_CFLAGS = -Wall +AM_CXXFLAGS = -Wall AM_LDFLAGS = -LDADD = $(LTLIBINTL) -lm +if ENABLE_FUZZ_TARGETS +AM_CFLAGS += -fsanitize=fuzzer-no-link +AM_CXXFLAGS += -fsanitize=fuzzer-no-link +endif + +LDADD = $(LTLIBINTL) tmpfilesddir = @DEFAULT_TMPFILESDIR@ @@ -27,6 +33,7 @@ sbin_PROGRAMS = man8_MANS = tmpfilesd_DATA = pkgconfig_DATA = +dist_noinst_DATA = include man/Makemodule.am @@ -46,7 +53,7 @@ ACLOCAL_AMFLAGS = -I m4 DISTCHECK_CONFIGURE_FLAGS = \ --with-tmpfilesdir=$$dc_install_base/usr/lib/tmpfiles.d \ --enable-internal-argon2 --enable-internal-sse-argon2 \ - --enable-external-tokens --enable-ssh-token + --enable-external-tokens --enable-ssh-token --enable-asciidoc distclean-local: -find . -name \*~ -o -name \*.orig -o -name \*.rej | xargs rm -f @@ -60,3 +67,11 @@ install-data-local: uninstall-local: rmdir $(DESTDIR)/${EXTERNAL_LUKS2_TOKENS_PATH} 2>/dev/null || : + +check-programs: libcryptsetup.la + $(MAKE) -C tests $@ + +if ENABLE_FUZZ_TARGETS +fuzz-targets: libcryptsetup.la libcrypto_backend.la + $(MAKE) -C tests/fuzz $@ +endif diff --git a/README.md b/README.md index 3c1d368..daec8f7 100644 --- a/README.md +++ b/README.md 
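Review bot: The `if ENABLE_FUZZ_TARGETS` block appends `-fsanitize=fuzzer-no-link` to the global `AM_CFLAGS` and `AM_CXXFLAGS` without a comment, so every object built from this Makefile that does not override its flags appears to get fuzzer instrumentation, not only the fuzz harnesses. I would document that such a tree is for fuzzing only, with a comment above the `if` such as `# Fuzzing build only: instruments the library and tools too; do not install or package the result.` Whether per-target flags in the included Makemodule files narrow this is not visible in the hunk.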
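Review bot: The new `check-programs` and `fuzz-targets` rules at the end of the file name commands rather than files, but they are not declared phony. A stray file with either name in the build directory that is newer than the listed libraries would let make treat the target as up to date and skip the recursive `$(MAKE)`. Adding `.PHONY: check-programs fuzz-targets` next to the rules avoids that; declaring `fuzz-targets` outside the `if ENABLE_FUZZ_TARGETS` conditional is harmless.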
@@ -2,106 +2,147 @@ What the ...? ============= -**Cryptsetup** is a utility used to conveniently set up disk encryption based -on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module. +**Cryptsetup** is an open-source utility used to conveniently set up disk encryption based +on the [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module. -These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**, -**TrueCrypt** (including **VeraCrypt** extension) and **BitLocker** formats. +These formats are supported: + * **plain** volumes, + * **LUKS** volumes, + * **loop-AES**, + * **TrueCrypt** (including **VeraCrypt** extension), + * **BitLocker**, and + * **FileVault2**. The project also includes a **veritysetup** utility used to conveniently setup -[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module -and **integritysetup** to setup -[DMIntegrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) block integrity kernel module. - +[dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) +block integrity checking kernel module and **integritysetup** to setup +[dm-integrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) +block integrity kernel module. LUKS Design ----------- -**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not -only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. -LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly. +**LUKS** is the standard for Linux disk encryption. By providing a standard on-disk format, +it does not only facilitate compatibility among distributions, but also provides secure management +of multiple user passwords. 
LUKS stores all necessary setup information in the partition header, +enabling to transport or migrate data seamlessly. -### Specifications +### Specification and documentation -Last version of the LUKS2 format specification is -[available here](https://gitlab.com/cryptsetup/LUKS2-docs). - -Last version of the LUKS1 format specification is -[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf). - -Why LUKS? ---------- - * compatibility via standardization, - * secure against low entropy attacks, - * support for multiple keys, - * effective passphrase revocation, - * free. - -[Project home page](https://gitlab.com/cryptsetup/cryptsetup/). ------------------ - -[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) --------------------------------- + * The latest version of the + [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs). + * The latest version of the + [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf). + * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/). + * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) Download -------- -All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/). +All release tarballs and release notes are hosted on +[kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/). 
-**The latest stable cryptsetup version is 2.4.3** - * [cryptsetup-2.4.3.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.xz) - * Signature [cryptsetup-2.4.3.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.sign) +**The latest stable cryptsetup release version is 2.6.1** + * [cryptsetup-2.6.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) + * Signature [cryptsetup-2.6.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) _(You need to decompress file first to check signature.)_ - * [Cryptsetup 2.4.3 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes). + * [Cryptsetup 2.6.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.1-ReleaseNotes). Previous versions - * [Version 2.3.7](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.xz) - - [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.sign) - - [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes). + * [Version 2.5.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz) - + [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign) - + [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes). * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) - [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) - [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes). 
-Source and API docs -------------------- -For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, -mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup). +Source and API documentation +---------------------------- +For development version code, please refer to +[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, +mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or +[GitHub](https://github.com/mbroz/cryptsetup). -For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page. +For libcryptsetup documentation see +[libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page. -The libcryptsetup API/ABI changes are tracked in [compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/). +The libcryptsetup API/ABI changes are tracked in +[compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/). -NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html). +NLS PO files are maintained by +[TranslationProject](https://translationproject.org/domain/cryptsetup.html). Required packages ----------------- -All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup. -For available compile options, check ``configure --help`` for more info. If you are using a git snapshot, you need to generate a configure script with ``autogen.sh`` script. +All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, +some packages are required for compilation. +Please always prefer distro specific build tools to manually configuring cryptsetup. 
Here is the list of packages needed for the compilation of project for particular distributions: - * For Fedora: `git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar`. Optionally `libargon2-devel libpwquality-devel`. To run the internal testsuite you also need to install `sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass`. - * For Debian and Ubuntu: `git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar`. Optionally `libargon2-0-dev libpwquality-dev`. To run the internal testsuite you also need to install `sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass` +**For Fedora**: +``` +git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel +libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar + +Optionally: libargon2-devel libpwquality-devel +``` +To run the internal testsuite (make check) you also need to install +``` +sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass +``` + +**For Debian and Ubuntu**: +``` +git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev +libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar + +Optionally: libargon2-0-dev libpwquality-dev +``` +To run the internal testsuite (make check) you also need to install +``` +sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass +``` Note that the list could change as the distributions evolve. +Compilation +----------- +The cryptsetup project uses **automake** and **autoconf** system to generate all needed files +for compilation. 
If you check it from the git snapshot, use **./autogen.sh && ./configure && make** +to compile the project. If you use downloaded released **tar.xz** archive, the configure script +is already pre-generated (no need to run **autoconf.sh**). +See **./configure --help** and use **--disable-[feature]** and **--enable-[feature]** options. + +For running the test suite that come with the project, type **make check**. +Note that most tests will need root user privileges and run many dangerous storage fail simulations. +Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug +kernel module to be available. + +For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html) +and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals. + Help! ----- - ### Documentation +Please read the following documentation before posting questions in the mailing list... +You will be able to ask better questions and better understand the answers. -Please read the following documentation before posting questions in the mailing list. You will be able to ask better questions and better understand the answers. - -* [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) -* LUKS Specifications +* [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions), +* [LUKS Specifications](#specification-and-documentation), and * manuals (aka man page, man pages, man-page) -The FAQ is online and in the source code for the project. The Specifications are referenced above in this document. The man pages are in source and should be available after installation using standard man commands. e.g. man cryptsetup +The FAQ is online and in the source code for the project. The Specifications are referenced above +in this document. 
The man pages are in source and should be available after installation using +standard man commands, e.g. **man cryptsetup**. ### Mailing List -For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, [dm-crypt@saout.de](mailto:dm-crypt@saout.de). To subscribe send an empty mail to [dm-crypt-subscribe@saout.de](mailto:dm-crypt-subscribe@saout.de). +For cryptsetup and LUKS related questions, please use the cryptsetup mailing list +[cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev), +hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html). +To subscribe send an empty mail to +[cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev). -You can also browse and/or search the mailing list archives using the following resources: +You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/). +News (NNTP), Atom feed and git access to public inbox is available through [lore.kernel.org](https://lore.kernel.org) service. -* [list archive](https://www.saout.de/pipermail/dm-crypt/) -* [web interface on lore.kernel.org](https://lore.kernel.org/dm-crypt/) -* [marc.info](https://marc.info/?l=dm-crypt). +The former dm-crypt [list archive](https://lore.kernel.org/dm-crypt/) is also available. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3bca49f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,10 @@ +# Reporting a Security Bug in cryptsetup project + +If you think you have discovered a security issue, please report it through +the project issue tracker [New issue](https://gitlab.com/cryptsetup/cryptsetup/issues) +as a confidential issue (select confidential checkbox). + +An alternative is to send PGP encrypted mail to the cryptsetup maintainer. +Current maintainer is [Milan Broz](mailto:gmazyland@gmail.com), use PGP key +with fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC. + 
diff --git a/autogen.sh b/autogen.sh index 1b77be6..c111f79 100755 --- a/autogen.sh +++ b/autogen.sh @@ -74,7 +74,7 @@ autopoint --force $AP_OPTS libtoolize --force --copy aclocal -I m4 $AL_OPTS autoheader $AH_OPTS -automake --add-missing --copy --gnu $AM_OPTS +automake --force-missing --add-missing --copy --gnu $AM_OPTS autoconf $AC_OPTS echo diff --git a/configure.ac b/configure.ac index a20a92e..ccf2112 100644 --- a/configure.ac +++ b/configure.ac @@ -1,9 +1,9 @@ AC_PREREQ([2.67]) -AC_INIT([cryptsetup],[2.4.3]) +AC_INIT([cryptsetup],[2.6.1]) dnl library version from <major>.<minor>.<release>[-<suffix>] LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-) -LIBCRYPTSETUP_VERSION_INFO=19:0:7 +LIBCRYPTSETUP_VERSION_INFO=21:0:9 AM_SILENT_RULES([yes]) AC_CONFIG_SRCDIR(src/cryptsetup.c) @@ -28,13 +28,13 @@ AC_USE_SYSTEM_EXTENSIONS AC_PROG_CC AM_PROG_CC_C_O AC_PROG_CPP +AC_PROG_CXX AC_PROG_INSTALL AC_PROG_MAKE_SET AC_PROG_MKDIR_P AC_ENABLE_STATIC(no) LT_INIT PKG_PROG_PKG_CONFIG -AM_ICONV dnl ========================================================================== dnl define PKG_CHECK_VAR for old pkg-config <= 0.28 
@@ -53,12 +53,33 @@ AS_VAR_COPY([$1], [pkg_cv_][$1]) AS_VAR_IF([$1], [""], [$5], [$4]) ]) ]) +dnl ========================================================================== +dnl AsciiDoc manual pages + +AC_ARG_ENABLE([asciidoc], + AS_HELP_STRING([--disable-asciidoc], [do not generate man pages from asciidoc]), + [], [enable_asciidoc=yes] +) + +AC_PATH_PROG([ASCIIDOCTOR], [asciidoctor]) +if test "x$enable_asciidoc" = xyes -a "x$ASCIIDOCTOR" = x; then + AC_MSG_ERROR([Building man pages requires asciidoctor installed.]) +fi +AM_CONDITIONAL([ENABLE_ASCIIDOC], [test "x$enable_asciidoc" = xyes]) + +have_manpages=no +AS_IF([test -f "$srcdir/man/cryptsetup-open.8"], [ + AC_MSG_NOTICE([re-use already generated man-pages.]) + have_manpages=yes] +) +AM_CONDITIONAL([HAVE_MANPAGES], [test "x$have_manpages" = xyes]) + dnl ========================================================================== AC_C_RESTRICT AC_HEADER_DIRENT -AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \ +AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h uchar.h sys/ioctl.h sys/mman.h \ sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h) AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])], [[ @@ -130,6 +151,7 @@ if test "x$enable_external_tokens" = "xyes"; then AC_SUBST(DL_LIBS, $LIBS) LIBS=$saved_LIBS fi +AM_CONDITIONAL(EXTERNAL_TOKENS, test "x$enable_external_tokens" = "xyes") AC_ARG_ENABLE([ssh-token], AS_HELP_STRING([--disable-ssh-token], [disable LUKS2 ssh-token]), 
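Review bot: The asciidoctor check in the new AsciiDoc block joins two conditions with `test ... -a ...`, which POSIX marks obsolescent and the Autoconf manual advises against because shells can parse it ambiguously. Two separate tests are safer: `if test "x$enable_asciidoc" = xyes && test "x$ASCIIDOCTOR" = x; then`. The error also fires before `have_manpages` is computed, so a tree that already carries generated `.8` pages still needs asciidoctor unless `--disable-asciidoc` is passed. If that is intended, a one-line `dnl` comment above the check saying so would save the next reader the question.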
@@ -193,6 +215,17 @@ if test "x$enable_pwquality" = "xyes"; then PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz" fi +dnl ========================================================================== +dnl fuzzers, it requires own static library compilation later +AC_ARG_ENABLE([fuzz-targets], + AS_HELP_STRING([--enable-fuzz-targets], [enable building fuzz targets])) +AM_CONDITIONAL(ENABLE_FUZZ_TARGETS, test "x$enable_fuzz_targets" = "xyes") + +if test "x$enable_fuzz_targets" = "xyes"; then + AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],, + AC_MSG_ERROR([Required compiler options not supported; use clang.]), [-Werror]) +fi + dnl ========================================================================== dnl passwdqc library (cryptsetup CLI only) AC_ARG_ENABLE([passwdqc], @@ -362,11 +395,6 @@ AC_ARG_ENABLE([veritysetup], [], [enable_veritysetup=yes]) AM_CONDITIONAL(VERITYSETUP, test "x$enable_veritysetup" = "xyes") -AC_ARG_ENABLE([cryptsetup-reencrypt], - AS_HELP_STRING([--disable-cryptsetup-reencrypt], [disable cryptsetup-reencrypt tool]), - [], [enable_cryptsetup_reencrypt=yes]) -AM_CONDITIONAL(REENCRYPT, test "x$enable_cryptsetup_reencrypt" = "xyes") - AC_ARG_ENABLE([integritysetup], AS_HELP_STRING([--disable-integritysetup], [disable integritysetup support]), [], [enable_integritysetup=yes]) @@ -419,7 +447,7 @@ if test "x$enable_ssh_token" = "xyes"; then AC_CHECK_DECLS([ssh_session_is_known_server], [], [], [#include <libssh/libssh.h>]) AC_CHECK_HEADER([argp.h], [], AC_MSG_ERROR([You need argp library.])) saved_LIBS=$LIBS - AC_SEARCH_LIBS([argp_usage],[argp]) + AC_SEARCH_LIBS([argp_parse],[argp]) AC_SUBST(ARGP_LIBS, $LIBS) LIBS=$saved_LIBS fi 
@@ -560,6 +588,23 @@ if test "x$enable_static_cryptsetup" = "xyes"; then PKG_CONFIG=$saved_PKG_CONFIG fi +dnl Check compiler support for symver function attribute +AC_MSG_CHECKING([for symver attribute support]) +saved_CFLAGS=$CFLAGS +CFLAGS="-O0 -Werror" +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + void _test_sym(void); + __attribute__((__symver__("sym@VERSION_4.2"))) void _test_sym(void) {} +]], +[[ _test_sym() ]] +)],[ + AC_DEFINE([HAVE_ATTRIBUTE_SYMVER], 1, [Define to 1 to use __attribute__((symver))]) + AC_MSG_RESULT([yes]) +], [ + AC_MSG_RESULT([no]) +]) +CFLAGS=$saved_CFLAGS + AC_MSG_CHECKING([for systemd tmpfiles config directory]) PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no]) AC_MSG_RESULT([$systemd_tmpfilesdir]) @@ -585,6 +630,22 @@ AC_SUBST([LIBSSH_LIBS]) AC_SUBST([LIBCRYPTSETUP_VERSION]) AC_SUBST([LIBCRYPTSETUP_VERSION_INFO]) +dnl Set Requires.private for libcryptsetup.pc +dnl pwquality is used only by tools +PKGMODULES="uuid devmapper json-c" +case $with_crypto_backend in + gcrypt) PKGMODULES+=" libgcrypt" ;; + openssl) PKGMODULES+=" openssl" ;; + nss) PKGMODULES+=" nss" ;; + nettle) PKGMODULES+=" nettle" ;; +esac +if test "x$enable_libargon2" = "xyes"; then + PKGMODULES+=" libargon2" +fi +if test "x$enable_blkid" = "xyes"; then + PKGMODULES+=" blkid" +fi +AC_SUBST([PKGMODULES]) dnl ========================================================================== AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random], [use /dev/random by default for key generation (otherwise use /dev/urandom)])) @@ -707,5 +768,6 @@ lib/libcryptsetup.pc po/Makefile.in scripts/cryptsetup.conf tests/Makefile +tests/fuzz/Makefile ]) AC_OUTPUT diff --git a/docs/ChangeLog.old b/docs/ChangeLog.old index 7a4027c..516ea17 100644 --- a/docs/ChangeLog.old +++ b/docs/ChangeLog.old 
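Review bot: The `PKGMODULES+=" ..."` assignments in the new Requires.private block use a bash extension, while configure runs under `/bin/sh`. Where that is dash or another strict POSIX shell, each `+=` line is taken as a command name and fails without stopping configure. `PKGMODULES` then keeps only `uuid devmapper json-c`, and per the block's own comment that value feeds `Requires.private` in `libcryptsetup.pc`, so static consumers would miss the crypto backend, libargon2 and blkid. Write the appends portably, e.g. `gcrypt) PKGMODULES="$PKGMODULES libgcrypt" ;;` for each `case` arm and `PKGMODULES="$PKGMODULES libargon2"` (likewise `blkid`) in the two `if` bodies.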
@@ -74,7 +74,7 @@ 2012-03-16 Milan Broz <gmazyland@gmail.com> * Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI. * Add repair command and crypt_repair() for known LUKS metadata problems repair. - * Allow to specify --align-payload only for luksFormat. + * Allow one to specify --align-payload only for luksFormat. 2012-03-16 Milan Broz <mbroz@redhat.com> * Unify password verification option. @@ -228,7 +228,7 @@ * Fix password callback call. * Fix default plain password entry from terminal in activate_by_passphrase. * Add --dump-master-key option for luksDump to allow volume key dump. - * Allow to activate by internally cached volume key + * Allow one to activate by internally cached volume key (format/activate without keyslots active - used for temporary devices). * Initialize volume key from active device in crypt_init_by_name() * Fix cryptsetup binary exitcodes. diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c index b0cdd56..3d08c34 100644 --- a/docs/examples/crypt_log_usage.c +++ b/docs/examples/crypt_log_usage.c @@ -1,7 +1,7 @@ /* * libcryptsetup API log example * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c index f99bfc7..d7779bd 100644 --- a/docs/examples/crypt_luks_usage.c +++ b/docs/examples/crypt_luks_usage.c @@ -1,7 +1,7 @@ /* * libcryptsetup API - using LUKS device example * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
diff --git a/docs/on-disk-format-luks2.pdf b/docs/on-disk-format-luks2.pdf index 3f09952..d89bcef 100644 Binary files a/docs/on-disk-format-luks2.pdf and b/docs/on-disk-format-luks2.pdf differ diff --git a/docs/v1.2.0-ReleaseNotes b/docs/v1.2.0-ReleaseNotes index f3061d9..77fbedf 100644 --- a/docs/v1.2.0-ReleaseNotes +++ b/docs/v1.2.0-ReleaseNotes @@ -85,7 +85,7 @@ Libcryptsetup API additions: * Fix optional password callback handling. - * Allow to activate by internally cached volume key immediately after + * Allow one to activate by internally cached volume key immediately after crypt_format() without active slot (for temporary devices with on-disk metadata) diff --git a/docs/v1.4.2-ReleaseNotes b/docs/v1.4.2-ReleaseNotes index 9dbeb46..a3c2912 100644 --- a/docs/v1.4.2-ReleaseNotes +++ b/docs/v1.4.2-ReleaseNotes @@ -24,7 +24,7 @@ Changes since version 1.4.1 * Fix header check to support old (cryptsetup 1.0.0) header alignment. (Regression in 1.4.0) -* Allow to specify --align-payload only for luksFormat. +* Allow one to specify --align-payload only for luksFormat. * Add --master-key-file option to luksOpen (open using volume key). diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes index f084e06..16792a5 100644 --- a/docs/v1.4.3-ReleaseNotes +++ b/docs/v1.4.3-ReleaseNotes @@ -32,7 +32,7 @@ Changes since version 1.4.2 Device-mapper now retry removal if device is busy. * Allow "private" activation (skip some udev global rules) flag. - Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE, + Cryptsetup library API now allows one to specify CRYPT_ACTIVATE_PRIVATE, which means that some udev rules are not processed. (Used for temporary devices, like internal keyslot mappings where it is not desirable to run any device scans.) diff --git a/docs/v1.6.0-ReleaseNotes b/docs/v1.6.0-ReleaseNotes index fe8770d..8ee64a0 100644 --- a/docs/v1.6.0-ReleaseNotes +++ b/docs/v1.6.0-ReleaseNotes 
@@ -4,7 +4,7 @@ Cryptsetup 1.6.0 Release Notes Changes since version 1.6.0-rc1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Change LUKS default cipher to to use XTS encryption mode, + * Change LUKS default cipher to use XTS encryption mode, aes-xts-plain64 (i.e. using AES128-XTS). XTS mode becomes standard in hard disk encryption. @@ -209,7 +209,7 @@ Important changes WARNING: these tests do not use dmcrypt, only crypto API. You have to benchmark the whole device stack and you can get completely - different results. But is is usable for basic comparison. + different results. But it is usable for basic comparison. (Note for example AES-NI decryption optimization effect in example above.) Features diff --git a/docs/v1.6.2-ReleaseNotes b/docs/v1.6.2-ReleaseNotes index 192f4a6..fba3990 100644 --- a/docs/v1.6.2-ReleaseNotes +++ b/docs/v1.6.2-ReleaseNotes @@ -8,7 +8,7 @@ Changes since version 1.6.1 * Fix cipher specification string parsing (found by gcc -fsanitize=address option). * Try to map TCRYPT system encryption through partition - (allows to activate mapping when other partition on the same device is mounted). + (allows one to activate mapping when other partition on the same device is mounted). * Print a warning if system encryption is used and device is a partition. (TCRYPT system encryption uses whole device argument.) diff --git a/docs/v1.6.4-ReleaseNotes b/docs/v1.6.4-ReleaseNotes index ebc71cb..010ba5f 100644 --- a/docs/v1.6.4-ReleaseNotes +++ b/docs/v1.6.4-ReleaseNotes @@ -25,7 +25,7 @@ Changes since version 1.6.3 Please refer to cryptsetup FAQ for detail how to fix this situation. -* Allow to use --disable-gcrypt-pbkdf2 during configuration +* Allow one to use --disable-gcrypt-pbkdf2 during configuration to force use internal PBKDF2 code. * Require gcrypt 1.6.1 for imported implementation of PBKDF2 diff --git a/docs/v1.6.5-ReleaseNotes b/docs/v1.6.5-ReleaseNotes index dc9f525..0f46964 100644 --- a/docs/v1.6.5-ReleaseNotes +++ b/docs/v1.6.5-ReleaseNotes 
@@ -38,7 +38,7 @@ Changes since version 1.6.4 The command "cryptsetup status" will print basic info, even if you do not provide detached header argument. -* Allow to specify ECB mode in cryptsetup benchmark. +* Allow one to specify ECB mode in cryptsetup benchmark. * Add some LUKS images for regression testing. Note that if image with Whirlpool fails, the most probable cause is that diff --git a/docs/v1.6.7-ReleaseNotes b/docs/v1.6.7-ReleaseNotes index edb73e5..bb7c671 100644 --- a/docs/v1.6.7-ReleaseNotes +++ b/docs/v1.6.7-ReleaseNotes @@ -35,14 +35,14 @@ Changes since version 1.6.6 * Support permanent device decryption for cryptsetup-reencrypt. To remove LUKS encryption from a device, you can now use --decrypt option. -* Allow to use --header option in all LUKS commands. +* Allow one to use --header option in all LUKS commands. The --header always takes precedence over positional device argument. * Allow luksSuspend without need to specify a detached header. * Detect if O_DIRECT is usable on a device allocation. There are some strange storage stack configurations which wrongly allows - to open devices with direct-io but fails on all IO operations later. + one to open devices with direct-io but fails on all IO operations later. Cryptsetup now tries to read the device first sector to ensure it can use direct-io. diff --git a/docs/v1.6.8-ReleaseNotes b/docs/v1.6.8-ReleaseNotes index 43b4f2c..8ae0da9 100644 --- a/docs/v1.6.8-ReleaseNotes +++ b/docs/v1.6.8-ReleaseNotes @@ -30,7 +30,7 @@ Changes since version 1.6.7 cryptsetup resize will try to resize underlying loop device as well. (It can be used to grow up file-backed device in one step.) -* Cryptsetup now allows to use empty password through stdin pipe. +* Cryptsetup now allows one to use empty password through stdin pipe. (Intended only for testing in scripts.) Cryptsetup API NOTE: diff --git a/docs/v1.7.4-ReleaseNotes b/docs/v1.7.4-ReleaseNotes index 73dbaa7..2b24754 100644 --- a/docs/v1.7.4-ReleaseNotes 
+++ b/docs/v1.7.4-ReleaseNotes @@ -3,7 +3,7 @@ Cryptsetup 1.7.4 Release Notes Changes since version 1.7.3 -* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper. +* Allow one to specify LUKS1 hash algorithm in Python luksFormat wrapper. * Use LUKS1 compiled-in defaults also in Python wrapper. diff --git a/docs/v2.0.0-ReleaseNotes b/docs/v2.0.0-ReleaseNotes index 779dcb0..401484d 100644 --- a/docs/v2.0.0-ReleaseNotes +++ b/docs/v2.0.0-ReleaseNotes @@ -89,7 +89,7 @@ Important features Integritysetup is intended to be used for settings that require non-cryptographic data integrity protection with no data encryption. - Fo setting integrity protected encrypted devices, see disk authenticated + For setting integrity protected encrypted devices, see disk authenticated encryption below. Note that after formatting the checksums need to be initialized; @@ -583,7 +583,7 @@ Unfinished things & TODO for next releases in kernel (more on this later). NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305) in kernel have too small 96-bit nonces that are problematic with - randomly generated IVs (the collison probability is not negligible). + randomly generated IVs (the collision probability is not negligible). For the GCM, nonce collision is a fatal problem. * Authenticated encryption do not set encryption for dm-integrity journal. diff --git a/docs/v2.0.2-ReleaseNotes b/docs/v2.0.2-ReleaseNotes index a85a248..bda57fd 100644 --- a/docs/v2.0.2-ReleaseNotes +++ b/docs/v2.0.2-ReleaseNotes @@ -30,7 +30,7 @@ Changes since version 2.0.1 * Add LUKS2 specific options for cryptsetup-reencrypt. Tokens and persistent flags are now transferred during reencryption; - change of PBKDF keyslot parameters is now supported and allows + change of PBKDF keyslot parameters is now supported and allows one to set precalculated values (no benchmarks). * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags 
diff --git a/docs/v2.0.3-ReleaseNotes b/docs/v2.0.3-ReleaseNotes index 030a1b4..d2b209b 100644 --- a/docs/v2.0.3-ReleaseNotes +++ b/docs/v2.0.3-ReleaseNotes @@ -28,7 +28,7 @@ Changes since version 2.0.2 * New API extensions for unbound keyslots (LUKS2 only) crypt_keyslot_get_key_size() and crypt_volume_key_get() - These functions allow to get key and key size for unbound keyslots. + These functions allow one to get key and key size for unbound keyslots. * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). diff --git a/docs/v2.1.0-ReleaseNotes b/docs/v2.1.0-ReleaseNotes index 36d2247..87222cb 100644 --- a/docs/v2.1.0-ReleaseNotes +++ b/docs/v2.1.0-ReleaseNotes @@ -170,21 +170,21 @@ These new calls are now exported, for details see libcryptsetup.h: * crypt_get_metadata_size * crypt_set_metadata_size - allows to set/get area sizes in LUKS header + allows one to set/get area sizes in LUKS header (according to specification). * crypt_get_default_type get default compiled-in LUKS type (version). * crypt_get_pbkdf_type_params - allows to get compiled-in PBKDF parameters. + allows one to get compiled-in PBKDF parameters. * crypt_keyslot_set_encryption * crypt_keyslot_get_encryption - allows to set/get per-keyslot encryption algorithm for LUKS2. + allows one to set/get per-keyslot encryption algorithm for LUKS2. * crypt_keyslot_get_pbkdf - allows to get PBKDF parameters per-keyslot. + allows one to get PBKDF parameters per-keyslot. and these new defines: * CRYPT_LOG_DEBUG_JSON (message type for JSON debug) diff --git a/docs/v2.3.0-ReleaseNotes b/docs/v2.3.0-ReleaseNotes index 2b582c3..a3eb3ec 100644 --- a/docs/v2.3.0-ReleaseNotes +++ b/docs/v2.3.0-ReleaseNotes 
@@ -9,7 +9,7 @@ native read-write access to BitLocker Full Disk Encryption devices. The BITLK implementation is based on publicly available information and it is an independent and opensource implementation that allows -to access this proprietary disk encryption. +one to access this proprietary disk encryption. Changes since version 2.2.2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/v2.3.2-ReleaseNotes b/docs/v2.3.2-ReleaseNotes index eb0d447..b8b8250 100644 --- a/docs/v2.3.2-ReleaseNotes +++ b/docs/v2.3.2-ReleaseNotes @@ -18,7 +18,7 @@ Changes since version 2.3.1 The slot number --key-slot (-S) option is mandatory here. An unbound keyslot store a key is that is not assigned to data - area on disk (LUKS2 allows to store arbitrary keys). + area on disk (LUKS2 allows one to store arbitrary keys). * Rephrase some error messages and remove redundant end-of-lines. diff --git a/docs/v2.3.4-ReleaseNotes b/docs/v2.3.4-ReleaseNotes index fb5a411..46c5f14 100644 --- a/docs/v2.3.4-ReleaseNotes +++ b/docs/v2.3.4-ReleaseNotes @@ -75,7 +75,7 @@ Changes since version 2.3.3 If users want to use blake2b/blake2s, the kernel algorithm name includes a dash (like "blake2s-256"). - Theses algorithms can now be used for integritysetup devices. + These algorithms can now be used for integritysetup devices. * Fix crypto backend to properly handle ECB mode. diff --git a/docs/v2.5.0-ReleaseNotes b/docs/v2.5.0-ReleaseNotes new file mode 100644 index 0000000..f5bdeec --- /dev/null +++ b/docs/v2.5.0-ReleaseNotes 
@@ -0,0 +1,291 @@
+Cryptsetup 2.5.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
+
+Changes since version 2.4.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Split manual pages into per-action pages and use AsciiDoc format.
+
+ Manual pages are now generated from AsciiDoc format, allowing easy
+ conditional modifications for per-action options.
+
+ Generation of man pages requires the asciidoctor tool installed.
+
+ Pre-generated man pages are also included in the distribution tarball.
+ You can use --disable-asciidoc configure option to skip man page
+ generation completely. In this case, pre-generated man pages will be
+ used for installation.
+
+ For cryptsetup, there is main man page (cryptsetup.8) that references
+ separate man pages for each command (for example, cryptsetup-open.8).
+ You can open such a man page by simply running "man cryptsetup open".
+ Also, man pages for action aliases are available (cryptsetup-luksOpen.8
+ is an alias for cryptsetup-open.8, etc.)
+
+LUKS volume reencryption changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Remove cryptsetup-reencrypt tool from the project and move reencryption
+ to already existing "cryptsetup reencrypt" command.
+
+ Cryptsetup reencrypt now handles both LUKS1 and LUKS2 reencryption,
+ encryption, and decryption.
+
+ If you need to emulate the old cryptsetup-reencrypt binary, use simple
+ wrappers script running "exec cryptsetup reencrypt $@".
+
+ All command line options should be compatible. An exception is the
+ reencryption of LUKS2 volumes with old LUKS1 reencryption code that was
+ replaced by native and more resilient LUKS2 reencryption.
+
+* LUKS2: implement --decryption option that allows LUKS removal. The
+ operation can run online or offline and supports the data shift option.
+
+ During the initialization, the LUKS2 header is exported to a file.
+ The first data segment is moved to the head of the data device in place
+ of the original header.
+
+ The feature internally introduces several new resilience modes
+ (combination of existing modes datashift and "checksum" or "journal").
+ Datashift resilience mode is applied for data moved towards the first
+ segment, and the first segment is then decrypted in place.
+
+ This decryption mode is not backward compatible with prior LUKS2
+ reencryption. Interrupted operations in progress cannot be resumed
+ using older cryptsetup releases.
+
+* Reencryption metadata options that are not compatible with recent code
+ (features implemented in more recent releases) are now only read, but
+ code will not activate or modify such metadata.
+ Reencryption metadata contains a version that is validated when
+ reencryption is resumed.
+ For more info, see the updated LUKS2 on-disk format specification.
+
+ Safe operation of reencryption is to always finish the operation with
+ only one version of the tools.
+
+* Fix decryption operation with --active-name option and restrict
+ it to be used only with LUKS2.
+
+* Do not refresh reencryption digest when not needed.
+ This should speed up the reencryption resume process.
+
+* Store proper resilience data in LUKS2 reencrypt initialization.
+ Resuming reencryption now does not require specification of resilience
+ type parameters if these are the same as during initialization.
+
+* Properly wipe the unused area after reencryption with datashift in
+ the forward direction.
+
+* Check datashift value against larger sector size.
+ For example, it could cause an issue if misaligned 4K sector appears
+ during decryption.
+
+* Do not allow sector size increase reencryption in offline mode.
+ The eventual logical block size increase on the dm-crypt device above
+ may lead to an unusable filesystem. Do not allow offline reencryption
+ when sector size increase is requested.
+
+ You can use --force-offline-reencrypt option to override this check
+ (and potentially destroy the data).
+
+* Do not allow dangerous sector size change during reencryption.
+ By changing the encryption sector size during reencryption, a user
+ may increase the effective logical block size for the dm-crypt active
+ device.
+
+ Do not allow encryption sector size to be increased over the value
+ provided by fs superblock in BLOCK_SIZE property.
+
+* Ask the user for confirmation before resuming reencryption.
+ The prompt is not shown in batch mode or when the user explicitly asks
+ for a reencryption resume via --resume-only.
+
+* Do not resume reencryption with conflicting parameters.
+ For example, if the operation was initialized as --encrypt, do not
+ allow resume with opposing parameter --decrypt and vice versa.
+ Also, the code now checks for conflicting resilience parameters
+ (datashift cannot be changed after initialization).
+
+* Add --force-offline-reencrypt option.
+ It can be used to enforce offline reencryption in batch mode when
+ the device is a regular file; therefore, cryptsetup cannot detect
+ properly active devices using it.
+ Also, it may be useful to override the active device auto-detection
+ for specific storage configurations (dangerous!).
+
+* Do not allow nested encryption in LUKS reencrypt.
+ Avoid accidental nested encryption via cryptsetup reencrypt --encrypt.
+
+* Fix --test-passphrase when the device is in reencryption.
+
+* Do not upload keys in keyring during offline reencryption.
+ Reencryption runs in userspace, so the kernel does not need the key.
+
+* Support all options allowed with luksFormat with encrypt action.
+
+* Add prompt if LUKS2 decryption is run with a detached header.
+
+* Add warning for reencryption of file image and mention
+ the possible use of --force-offline-reencrypt option.
+
+Other changes
+~~~~~~~~~~~~~
+
+* Add resize action to integritysetup.
+ This allows resizing of standalone integrity devices.
+
+* Support --device-size option (that allows unit specification) for plain
+ devices (existing --size option requires 512-byte sectors units).
+
+* Fix detection of encryption sector size if a detached header is used.
+
+* Remove obsolete dracut plugin reencryption example.
+
+* Fix possible keyslot area size overflow during conversion to LUKS2.
+ If keyslots are not sorted according to binary area offset, the area
+ size calculation was wrong and could overflow.
+
+* Hardening and fixes to LUKS2 validation functions:
+
+ * Log a visible error if convert fails due to validation check.
+
+ * Check for interval (keyslot and segment area) overflow.
+
+ * Check cipher availability before LUKS conversion to LUKS2.
+ Some historic incompatibilities are ignored for LUKS1 but do not
+ work for LUKS2.
+
+ * Add empty string check to LUKS2 metadata JSON validation.
+ Most of the LUKS2 fields cannot be empty.
+
+ * Fix JSON objects validation to check JSON object type properly.
+
+* TCRYPT: Properly apply retry count and continue if some PBKDF variant
+ is unavailable.
+
+* BITLK: Add a warning when activating a device with the wrong size
+ stored in metadata.
+
+* BITLK: Add BitLocker volume size to dump command.
+
+* BITLK: Fix possible UTF16 buffer overflow in volume key dump.
+
+* BITLK: Skip question if the batch mode is set for volume key dump.
+
+* BITLK: Check dm-zero availability in the kernel.
+ Bitlocker compatible mode uses dm-zero to mask metadata area.
+ The device cannot be activated if dm-zero is not available.
+
+* Fix error message for LUKS2-only cryptsetup commands to explicitly
+ state LUKS2 version is required.
+
+* Fix error message for incompatible dm-integrity metadata.
+ If the integritysetup tool is too old, kernel dm-integrity may use
+ a more recent version of dm-integrity metadata.
+
+* Properly deactivate the integrity device even if the LUKS2 header
+ is no longer available.
+ If LUKS2 is used with integrity protection, there is always
+ a dm-integrity device underneath that must be deactivated.
+
+* Allow use of --header option for cryptsetup close.
+ This can be used to check that the activated device has the same UUID.
+
+* Fix activation of LUKS2 device with integrity and detached header.
+ The kernel-parsed dm-integrity superblock is always located on the
+ data device, the incorrectly used detached header device here.
+
+* Add ZEROOUT IOCTL support for crypt_wipe API call.
+ For block devices, we can use optimized in-kernel BLKZEROOUT ioctl.
+
+* VERITY: set loopback sector size according to dm-verity block sizes.
+ Verity block size has the same limits, so we can optimize the loop
+ device to increase performance.
+
+* Other Documentation and man page improvements:
+
+ * Update LUKS2 on-disk format description.
+
+ * Add per-keyslot LUKS2 options to the man page.
+ Some options were missing for LUKS2 luksAddKey and luksChangeKey.
+
+ * Fix cryptsetup manpage to use PBKDF consistently.
+
+ * Add compile info to README. This information was lost when we removed
+ the default automake INSTALL file.
+
+ * Use volume key consistently in FAQ and man pages.
+
+ * Use markdown version of FAQ directly for installation.
+
+ * Clarify graceful reencryption interruption.
+ Currently, it can be interrupted by both SIGINT and SIGTERM signals.
+
+ * Add new mailing list info.
+
+ * Mention non-cryptographic xxhash64 hash for integrity protection.
+
+* veritysetup: dump device sizes.
+ Calculating device sizes for verity devices is a little bit tricky.
+ Data, hash, and FEC can share devices or be separate devices.
+ Now dump command prints used device sizes, but it requires that
+ the user specifies all values that are not stored in superblock
+ (like FEC device and FEC roots).
+
+* Fix check for argp_usage in configure if argp-standalone lib is used.
+
+* Add constant time memcmp and hexa print implementation and use it for
+ cryptographic keys handling.
+
+* Display progress when wiping the end of the resized device.
+
+* LUKS2 token: prefer token PIN query before passphrase in some cases.
+ When a user provides --token-type or specific --token-id, a token PIN
+ query is preferred to a passphrase query.
+
+* LUKS2 token: allow tokens to be replaced with --token-replace option
+ for cryptsetup token command.
+
+* LUKS2 token: do not continue operation when interrupted in PIN prompt.
+
+* Add --progress-json parameter to utilities.
+ Progress data can now be printed out in JSON format suitable for
+ machine processing.
+
+* Embedded Argon2 PBKDF: optimize and simplify thread exit.
+
+* Avoid using SHA1 in tests and fix new enforcements introduced in FIPS
+ provider for OpenSSL3 (like minimal parameters for PBKDF2).
+
+* Use custom UTF conversion and avoid linking to iconv as a dependency.
+
+* Reimplement BASE64 with simplified code instead of coreutils version.
+
+* Fix regression when warning messages were not displayed
+ if some kernel feature is not supported (2.4.2).
+
+* Add support for --key-slot option in luksResume action.
+
+Libcryptsetup API extensions and changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Properly define uint32_t constants in API.
+ This is not a real change, but it avoids strict compiler warnings.
+
+* crypt_resume_by_token_pin() - Resume crypt device using LUKS2 token.
+
+* crypt_get_label() - Get the label of the LUKS2 device.
+
+* crypt_get_subsystem() - Get the subsystem label of the LUKS2 device.
+
+* Make CRYPT_WIPE_ENCRYPTED_ZERO crypt_wipe() option obsolete.
+ It was never implemented (the idea was to speed up wipe), but with
+ the recent RNG performance changes, it makes no longer sense.
+
+* Add struct crypt_params_reencrypt changes related to decryption.
+
+* Improve crypt_reencrypt_status() return values.
+ Empty or any non-LUKS types now returns CRYPT_REENCRYPT_INVALID status.
+ For LUKS1 devices, it returns CRYPT_REENCRYPT_NONE.
diff --git a/docs/v2.6.0-ReleaseNotes b/docs/v2.6.0-ReleaseNotes
new file mode 100644
index 0000000..6303945
--- /dev/null
+++ b/docs/v2.6.0-ReleaseNotes
@@ -0,0 +1,236 @@
+Cryptsetup 2.6.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
+
+Changes since version 2.5.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Introduce support for handling macOS FileVault2 devices (FVAULT2).
+
+ Cryptsetup now supports the mapping of FileVault2 full-disk encryption
+ by Apple for the macOS operating system using a native Linux kernel.
+ You can open an existing USB FileVault portable device and (with
+ the hfsplus filesystem driver) access the native data read/write.
+
+ Cryptsetup supports only (legacy) FileVault2 based on Core Storage
+ and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
+ It does NOT support the new version of FileVault based on the APFS
+ filesystem used in recent macOS versions.
+
+ Header formatting and changes are not supported; cryptsetup never
+ changes the metadata on the device.
+
+ FVAULT2 extension requires kernel userspace crypto API and kernel
+ driver for HFS+ (hfsplus) filesystem (available on most systems today).
+
+ Example of using FileVault2 formatted USB device:
+
+ A typical encrypted device contains three partitions; the FileVault
+ encrypted partition is here sda2:
+
+ $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
+ NAME FSTYPE LABEL
+ sda
+ |-sda1 vfat EFI
+ |-sda2
+ `-sda3 hfsplus Boot OS X
+
+ Note: blkid does not recognize FileVault2 format yet.
+
+ To dump metadata information about the device, you can use
+ the fvault2Dump command:
+
+ $ cryptsetup fvault2Dump /dev/sda2
+ Header information for FVAULT2 device /dev/sda2.
+ Physical volume UUID: 6f353c05-daae-4e76-a0ee-6a9569a22d81
+ Family UUID: f82cceb0-a788-4815-945a-53d57fcd55a8
+ Logical volume offset: 67108864 [bytes]
+ Logical volume size: 3288334336 [bytes]
+ Cipher: aes
+ Cipher mode: xts-plain64
+ PBKDF2 iterations: 97962
+ PBKDF2 salt: 173a4ec7447662ec79ca7a47df6c2a01
+
+ To activate the device, use open --type fvault2 option:
+
+ $ cryptsetup open --type fvault2 /dev/sda2 test
+ Enter passphrase for /dev/sda2: ...
+
+ And check the status of the active device:
+
+ $ cryptsetup status test
+ /dev/mapper/test is active.
+ type: FVAULT2
+ cipher: aes-xts-plain64
+ keysize: 256 bits
+ key location: dm-crypt
+ device: /dev/sda2
+ sector size: 512
+ offset: 131072 sectors
+ size: 6422528 sectors
+ mode: read/write
+
+ Now, if the kernel contains hfsplus filesystem driver, you can mount
+ decrypted content:
+
+ $ mount /dev/mapper/test /mnt/test
+
+ For more info about implementation, please refer to the master thesis
+ by Pavel Tobias, which was the source for this extension.
+ https://is.muni.cz/th/p0aok/?lang=en
+
+* libcryptsetup: no longer use global memory locking through mlockall()
+
+ For many years, libcryptsetup locked all memory (including dependent
+ library address space) to prevent swapping sensitive content outside
+ of RAM.
+
+ This strategy no longer works as the locking of basic libraries exceeds
+ the memory locking limit if running as a non-root user.
+
+ Libcryptsetup now locks only memory ranges containing sensitive
+ material (keys) through crypt_safe_alloc() calls.
+
+ This change solves many reported mysterious problems of unexpected
+ failures. If the initial lock was still under the limit and succeeded,
+ some following memory allocation could fail later as it exceeded
+ the locking limit. If the initial locking fails, memory locking
+ was quietly ignored completely.
+
+ The whole crypt_memory_lock() API call is deprecated; it no longer
+ calls memlockall().
+
+* libcryptsetup: process priority is increased only for key derivation
+ (PBKDF) calls.
+
+ Increasing priority was tight to memory locking and works only if
+ running under superuser.
+ Only PBKDF calls and benchmarking now increase the process priority.
+
+* Add new LUKS keyslot context handling functions and API.
+
+ In practice, the luksAddKey action does two operations.
+ It unlocks the existing device volume key and stores the unlocked
+ volume key in a new keyslot.
+ Previously the options were limited to key files and passphrases.
+
+ Newly available methods (keyslot contexts) are passphrase, keyfile,
+ key (binary representation), and LUKS2 token.
+
+ To unlock a keyslot user may:
+ - provide existing passphrase via interactive prompt (default method)
+ - use --key-file option to provide a file with a valid passphrase
+ - provide volume key directly via --volume-key-file
+ - unlock keyslot via all available LUKS2 tokens by --token-only
+ - unlock keyslot via specific token with --token-id
+ - unlock keyslot via specific token type by --token-type
+
+ To provide the passphrase for a new keyslot, a user may:
+ - provide existing passphrase via interactive prompt (default method)
+ - use --new-keyfile to read the passphrase from the file
+ - use --new-token-id to select LUKS2 token to get passphrase
+ for new keyslot. The new keyslot is assigned to the selected token
+ id if the operation is successful.
+
+* The volume key may now be extracted using a passphrase, keyfile, or
+ token. For LUKS devices, it also returns the volume key after
+ a successful crypt_format call.
+
+* Fix --disable-luks2-reencryption configuration option.
+
+* cryptsetup: Print a better error message and warning if the format
+ produces an image without space available for data.
+
+ Activation now fails early with a more descriptive message.
+
+* Print error if anti-forensic LUKS2 hash setting is not available.
+ If the specified hash was not available, activation quietly failed.
+
+* Fix internal crypt segment compare routine if the user
+ specified cipher in kernel format (capi: prefix).
+
+* cryptsetup: Add token unassign action.
+
+ This action allows removing token binding on specific keyslot.
+
+* veritysetup: add support for --use-tasklets option.
+
+ This option sets try_verify_in_tasklet kernel dm-verity option
+ (available since Linux kernel 6.0) to allow some performance
+ improvement on specific systems.
+
+* Provide pkgconfig Require.private settings.
+
+ While we do not completely provide static build on udev systems,
+ it helps produce statically linked binaries in certain situations.
+
+* Always update automake library files if autogen.sh is run.
+
+ For several releases, we distributed older automake scripts by mistake.
+
+* reencryption: Fix user defined moved segment size in LUKS2 decryption.
+
+ The --hotzone-size argument was ignored in cases where the actual data
+ size was less than the original LUKS2 data offset.
+
+* Delegate FIPS mode detection to configured crypto backend.
+ System FIPS mode check no longer depends on /etc/system-fips file.
+
+* tests: externally provided systemd plugin is now optionally compiled
+ from systemd git and tested with cryptsetup
+
+* tests: initial integration to OSS-fuzz project with basic crypt_load()
+ test for LUKS2 and JSON mutated fuzzing.
+
+ For more info, see README in tests/fuzz directory.
+
+* Update documentation, including FAQ and man pages.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible with existing symbols.
+
+New symbols:
+ crypt_keyslot_context_init_by_passphrase
+ crypt_keyslot_context_init_by_keyfile
+ crypt_keyslot_context_init_by_token
+ crypt_keyslot_context_init_by_volume_key
+ crypt_keyslot_context_get_error
+ crypt_keyslot_context_set_pin
+ crypt_keyslot_context_get_type
+ crypt_keyslot_context_free
+ crypt_keyslot_add_by_keyslot_context
+ crypt_volume_key_get_by_keyslot_context
+
+New defines:
+ CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)
+
+Keyslot context types:
+ CRYPT_KC_TYPE_PASSPHRASE
+ CRYPT_KC_TYPE_KEYFILE
+ CRYPT_KC_TYPE_TOKEN
+ CRYPT_KC_TYPE_KEY
+
+ CRYPT_ACTIVATE_TASKLETS (dm-verity: use tasklets activation flag)
+
+WARNING!
+~~~~~~~~
+The next version of cryptsetup will change the encryption mode and key
+derivation option for the PLAIN format.
+
+This change will cause backward incompatibility.
+For this reason, the user will have to specify the exact parameters
+for cipher, key size, and key derivation parameters for plain format.
+
+The default encryption mode will be AES-XTS with 512bit key (AES-256).
+The CBC mode is no longer considered the best default, as it allows easy
+bit-flipped ciphertext modification attacks and performance problems.
+
+For the passphrase hashing in plain mode, the encryption key is directly
+derived through iterative hashing from a user-provided passphrase
+(except a keyfile that is not hashed).
+
+The default hash is RIPEMD160, which is no longer the best default
+option. The exact change will be yet discussed but should include
+the possibility of using a password-based key derivation function
+instead of iterative hashing.
diff --git a/docs/v2.6.1-ReleaseNotes b/docs/v2.6.1-ReleaseNotes
new file mode 100644
index 0000000..82012b9
--- /dev/null
+++ b/docs/v2.6.1-ReleaseNotes
@@ -0,0 +1,50 @@
+Cryptsetup 2.6.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.6.0 should upgrade to this version.
+
+Changes since version 2.6.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* bitlk: Fixes for BitLocker-compatible on-disk metadata parser
+ (found by new cryptsetup OSS-Fuzz fuzzers).
+ - Fix a possible memory leak if the metadata contains more than
+ one description field.
+ - Harden parsing of metadata entries for key and description entries.
+ - Fix broken metadata parsing that can cause a crash or out of memory.
+
+* Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
+ OpenSSL2 uses a signed integer for PBKDF2 iteration count.
+ As cryptsetup uses an unsigned value, this can lead to overflow and
+ a decrease in the actual iteration count.
+ This situation can happen only if the user specifies
+ --pbkdf-force-iterations option.
+ OpenSSL3 (and other supported crypto backends) are not affected.
+
+* Fix compilation for new ISO C standards (gcc with -std=c11 and higher).
+
+* fvault2: Fix compilation with very old uuid.h.
+
+* verity: Fix possible hash offset setting overflow.
+
+* bitlk: Fix use of startup BEK key on big-endian platforms.
+
+* Fix compilation with latest musl library.
+ Recent musl no longer implements lseek64() in some configurations.
+ Use lseek() as 64-bit offset is mandatory for cryptsetup.
+
+* Do not initiate encryption (reencryption command) when the header and
+ data devices are the same.
+ If data device reduction is not requsted, this leads to data corruption
+ since LUKS metadata was written over the data device.
+
+* Fix possible memory leak if crypt_load() fails.
+
+* Always use passphrases with a minimal 8 chars length for benchmarking.
+ Some enterprise distributions decided to set an unconditional check
+ for PBKDF2 password length when running in FIPS mode.
+ This questionable change led to unexpected failures during LUKS format + and keyslot operations, where short passwords were used for + benchmarking PBKDF2 speed. + PBKDF2 benchmark calculations should not be affected by this change. diff --git a/lib/Makemodule.am b/lib/Makemodule.am index 351dbbd..2e60a90 100644 --- a/lib/Makemodule.am +++ b/lib/Makemodule.am @@ -33,7 +33,6 @@ libcryptsetup_la_LIBADD = \ @JSON_C_LIBS@ \ @BLKID_LIBS@ \ @DL_LIBS@ \ - $(LTLIBICONV) \ $(LTLIBINTL) \ libcrypto_backend.la \ libutils_io.la @@ -54,8 +53,6 @@ libcryptsetup_la_SOURCES = \ lib/utils_loop.h \ lib/utils_devpath.c \ lib/utils_wipe.c \ - lib/utils_fips.c \ - lib/utils_fips.h \ lib/utils_device.c \ lib/utils_keyring.c \ lib/utils_keyring.h \ @@ -70,14 +67,14 @@ libcryptsetup_la_SOURCES = \ lib/volumekey.c \ lib/random.c \ lib/crypt_plain.c \ - lib/base64.h \ - lib/base64.c \ lib/integrity/integrity.h \ lib/integrity/integrity.c \ lib/loopaes/loopaes.h \ lib/loopaes/loopaes.c \ lib/tcrypt/tcrypt.h \ lib/tcrypt/tcrypt.c \ + lib/keyslot_context.h \ + lib/keyslot_context.c \ lib/luks1/af.h \ lib/luks1/af.c \ lib/luks1/keyencryption.c \ @@ -109,4 +106,6 @@ libcryptsetup_la_SOURCES = \ lib/utils_blkid.c \ lib/utils_blkid.h \ lib/bitlk/bitlk.h \ - lib/bitlk/bitlk.c + lib/bitlk/bitlk.c \ + lib/fvault2/fvault2.h \ + lib/fvault2/fvault2.c diff --git a/lib/base64.c b/lib/base64.c deleted file mode 100644 index aafb901..0000000 --- a/lib/base64.c +++ /dev/null 
@@ -1,605 +0,0 @@ -/* base64.c -- Encode binary data using printable characters. - Copyright (C) 1999-2001, 2004-2006, 2009-2019 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, see <https://www.gnu.org/licenses/>. */ - -/* Written by Simon Josefsson. Partially adapted from GNU MailUtils - * (mailbox/filter_trans.c, as of 2004-11-28). Improved by review - * from Paul Eggert, Bruno Haible, and Stepan Kasal. - * - * See also RFC 4648 <https://www.ietf.org/rfc/rfc4648.txt>. - * - * Be careful with error checking. Here is how you would typically - * use these functions: - * - * bool ok = base64_decode_alloc (in, inlen, &out, &outlen); - * if (!ok) - * FAIL: input was not valid base64 - * if (out == NULL) - * FAIL: memory allocation error - * OK: data in OUT/OUTLEN - * - * size_t outlen = base64_encode_alloc (in, inlen, &out); - * if (out == NULL && outlen == 0 && inlen != 0) - * FAIL: input too long - * if (out == NULL) - * FAIL: memory allocation error - * OK: data in OUT/OUTLEN. - * - */ - -#include <config.h> - -/* Get prototype. */ -#include "base64.h" - -/* Get malloc. */ -#include <stdlib.h> - -/* Get UCHAR_MAX. */ -#include <limits.h> - -#include <string.h> - -/* C89 compliant way to cast 'char' to 'unsigned char'. 
*/ -static unsigned char -to_uchar (char ch) -{ - return ch; -} - -static const char b64c[64] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; - -/* Base64 encode IN array of size INLEN into OUT array. OUT needs - to be of length >= BASE64_LENGTH(INLEN), and INLEN needs to be - a multiple of 3. */ -static void -base64_encode_fast (const char *restrict in, size_t inlen, char *restrict out) -{ - while (inlen) - { - *out++ = b64c[(to_uchar (in[0]) >> 2) & 0x3f]; - *out++ = b64c[((to_uchar (in[0]) << 4) + (to_uchar (in[1]) >> 4)) & 0x3f]; - *out++ = b64c[((to_uchar (in[1]) << 2) + (to_uchar (in[2]) >> 6)) & 0x3f]; - *out++ = b64c[to_uchar (in[2]) & 0x3f]; - - inlen -= 3; - in += 3; - } -} - -/* Base64 encode IN array of size INLEN into OUT array of size OUTLEN. - If OUTLEN is less than BASE64_LENGTH(INLEN), write as many bytes as - possible. If OUTLEN is larger than BASE64_LENGTH(INLEN), also zero - terminate the output buffer. */ -void -base64_encode (const char *restrict in, size_t inlen, - char *restrict out, size_t outlen) -{ - /* Note this outlen constraint can be enforced at compile time. - I.E. that the output buffer is exactly large enough to hold - the encoded inlen bytes. The inlen constraints (of corresponding - to outlen, and being a multiple of 3) can change at runtime - at the end of input. However the common case when reading - large inputs is to have both constraints satisfied, so we depend - on both in base_encode_fast(). */ - if (outlen % 4 == 0 && inlen == outlen / 4 * 3) - { - base64_encode_fast (in, inlen, out); - return; - } - - while (inlen && outlen) - { - *out++ = b64c[(to_uchar (in[0]) >> 2) & 0x3f]; - if (!--outlen) - break; - *out++ = b64c[((to_uchar (in[0]) << 4) - + (--inlen ? to_uchar (in[1]) >> 4 : 0)) - & 0x3f]; - if (!--outlen) - break; - *out++ = - (inlen - ? b64c[((to_uchar (in[1]) << 2) - + (--inlen ? to_uchar (in[2]) >> 6 : 0)) - & 0x3f] - : '='); - if (!--outlen) - break; - *out++ = inlen ? 
b64c[to_uchar (in[2]) & 0x3f] : '='; - if (!--outlen) - break; - if (inlen) - inlen--; - if (inlen) - in += 3; - } - - if (outlen) - *out = '\0'; -} - -/* Allocate a buffer and store zero terminated base64 encoded data - from array IN of size INLEN, returning BASE64_LENGTH(INLEN), i.e., - the length of the encoded data, excluding the terminating zero. On - return, the OUT variable will hold a pointer to newly allocated - memory that must be deallocated by the caller. If output string - length would overflow, 0 is returned and OUT is set to NULL. If - memory allocation failed, OUT is set to NULL, and the return value - indicates length of the requested memory block, i.e., - BASE64_LENGTH(inlen) + 1. */ -size_t -base64_encode_alloc (const char *in, size_t inlen, char **out) -{ - size_t outlen = 1 + BASE64_LENGTH (inlen); - - /* Check for overflow in outlen computation. - * - * If there is no overflow, outlen >= inlen. - * - * If the operation (inlen + 2) overflows then it yields at most +1, so - * outlen is 0. - * - * If the multiplication overflows, we lose at least half of the - * correct value, so the result is < ((inlen + 2) / 3) * 2, which is - * less than (inlen + 2) * 0.66667, which is less than inlen as soon as - * (inlen > 4). - */ - if (inlen > outlen) - { - *out = NULL; - return 0; - } - - *out = malloc (outlen); - if (!*out) - return outlen; - - base64_encode (in, inlen, *out, outlen); - - return outlen - 1; -} - -/* With this approach this file works independent of the charset used - (think EBCDIC). However, it does assume that the characters in the - Base64 alphabet (A-Za-z0-9+/) are encoded in 0..255. POSIX - 1003.1-2001 require that char and unsigned char are 8-bit - quantities, though, taking care of that problem. But this may be a - potential problem on non-POSIX C99 platforms. - - IBM C V6 for AIX mishandles "#define B64(x) ...'x'...", so use "_" - as the formal parameter rather than "x". */ -#define B64(_) \ - ((_) == 'A' ? 0 \ - : (_) == 'B' ? 
1 \ - : (_) == 'C' ? 2 \ - : (_) == 'D' ? 3 \ - : (_) == 'E' ? 4 \ - : (_) == 'F' ? 5 \ - : (_) == 'G' ? 6 \ - : (_) == 'H' ? 7 \ - : (_) == 'I' ? 8 \ - : (_) == 'J' ? 9 \ - : (_) == 'K' ? 10 \ - : (_) == 'L' ? 11 \ - : (_) == 'M' ? 12 \ - : (_) == 'N' ? 13 \ - : (_) == 'O' ? 14 \ - : (_) == 'P' ? 15 \ - : (_) == 'Q' ? 16 \ - : (_) == 'R' ? 17 \ - : (_) == 'S' ? 18 \ - : (_) == 'T' ? 19 \ - : (_) == 'U' ? 20 \ - : (_) == 'V' ? 21 \ - : (_) == 'W' ? 22 \ - : (_) == 'X' ? 23 \ - : (_) == 'Y' ? 24 \ - : (_) == 'Z' ? 25 \ - : (_) == 'a' ? 26 \ - : (_) == 'b' ? 27 \ - : (_) == 'c' ? 28 \ - : (_) == 'd' ? 29 \ - : (_) == 'e' ? 30 \ - : (_) == 'f' ? 31 \ - : (_) == 'g' ? 32 \ - : (_) == 'h' ? 33 \ - : (_) == 'i' ? 34 \ - : (_) == 'j' ? 35 \ - : (_) == 'k' ? 36 \ - : (_) == 'l' ? 37 \ - : (_) == 'm' ? 38 \ - : (_) == 'n' ? 39 \ - : (_) == 'o' ? 40 \ - : (_) == 'p' ? 41 \ - : (_) == 'q' ? 42 \ - : (_) == 'r' ? 43 \ - : (_) == 's' ? 44 \ - : (_) == 't' ? 45 \ - : (_) == 'u' ? 46 \ - : (_) == 'v' ? 47 \ - : (_) == 'w' ? 48 \ - : (_) == 'x' ? 49 \ - : (_) == 'y' ? 50 \ - : (_) == 'z' ? 51 \ - : (_) == '0' ? 52 \ - : (_) == '1' ? 53 \ - : (_) == '2' ? 54 \ - : (_) == '3' ? 55 \ - : (_) == '4' ? 56 \ - : (_) == '5' ? 57 \ - : (_) == '6' ? 58 \ - : (_) == '7' ? 59 \ - : (_) == '8' ? 60 \ - : (_) == '9' ? 61 \ - : (_) == '+' ? 62 \ - : (_) == '/' ? 
63 \ - : -1) - -static const signed char b64[0x100] = { - B64 (0), B64 (1), B64 (2), B64 (3), - B64 (4), B64 (5), B64 (6), B64 (7), - B64 (8), B64 (9), B64 (10), B64 (11), - B64 (12), B64 (13), B64 (14), B64 (15), - B64 (16), B64 (17), B64 (18), B64 (19), - B64 (20), B64 (21), B64 (22), B64 (23), - B64 (24), B64 (25), B64 (26), B64 (27), - B64 (28), B64 (29), B64 (30), B64 (31), - B64 (32), B64 (33), B64 (34), B64 (35), - B64 (36), B64 (37), B64 (38), B64 (39), - B64 (40), B64 (41), B64 (42), B64 (43), - B64 (44), B64 (45), B64 (46), B64 (47), - B64 (48), B64 (49), B64 (50), B64 (51), - B64 (52), B64 (53), B64 (54), B64 (55), - B64 (56), B64 (57), B64 (58), B64 (59), - B64 (60), B64 (61), B64 (62), B64 (63), - B64 (64), B64 (65), B64 (66), B64 (67), - B64 (68), B64 (69), B64 (70), B64 (71), - B64 (72), B64 (73), B64 (74), B64 (75), - B64 (76), B64 (77), B64 (78), B64 (79), - B64 (80), B64 (81), B64 (82), B64 (83), - B64 (84), B64 (85), B64 (86), B64 (87), - B64 (88), B64 (89), B64 (90), B64 (91), - B64 (92), B64 (93), B64 (94), B64 (95), - B64 (96), B64 (97), B64 (98), B64 (99), - B64 (100), B64 (101), B64 (102), B64 (103), - B64 (104), B64 (105), B64 (106), B64 (107), - B64 (108), B64 (109), B64 (110), B64 (111), - B64 (112), B64 (113), B64 (114), B64 (115), - B64 (116), B64 (117), B64 (118), B64 (119), - B64 (120), B64 (121), B64 (122), B64 (123), - B64 (124), B64 (125), B64 (126), B64 (127), - B64 (128), B64 (129), B64 (130), B64 (131), - B64 (132), B64 (133), B64 (134), B64 (135), - B64 (136), B64 (137), B64 (138), B64 (139), - B64 (140), B64 (141), B64 (142), B64 (143), - B64 (144), B64 (145), B64 (146), B64 (147), - B64 (148), B64 (149), B64 (150), B64 (151), - B64 (152), B64 (153), B64 (154), B64 (155), - B64 (156), B64 (157), B64 (158), B64 (159), - B64 (160), B64 (161), B64 (162), B64 (163), - B64 (164), B64 (165), B64 (166), B64 (167), - B64 (168), B64 (169), B64 (170), B64 (171), - B64 (172), B64 (173), B64 (174), B64 (175), - B64 (176), B64 (177), B64 
(178), B64 (179), - B64 (180), B64 (181), B64 (182), B64 (183), - B64 (184), B64 (185), B64 (186), B64 (187), - B64 (188), B64 (189), B64 (190), B64 (191), - B64 (192), B64 (193), B64 (194), B64 (195), - B64 (196), B64 (197), B64 (198), B64 (199), - B64 (200), B64 (201), B64 (202), B64 (203), - B64 (204), B64 (205), B64 (206), B64 (207), - B64 (208), B64 (209), B64 (210), B64 (211), - B64 (212), B64 (213), B64 (214), B64 (215), - B64 (216), B64 (217), B64 (218), B64 (219), - B64 (220), B64 (221), B64 (222), B64 (223), - B64 (224), B64 (225), B64 (226), B64 (227), - B64 (228), B64 (229), B64 (230), B64 (231), - B64 (232), B64 (233), B64 (234), B64 (235), - B64 (236), B64 (237), B64 (238), B64 (239), - B64 (240), B64 (241), B64 (242), B64 (243), - B64 (244), B64 (245), B64 (246), B64 (247), - B64 (248), B64 (249), B64 (250), B64 (251), - B64 (252), B64 (253), B64 (254), B64 (255) -}; - -#if UCHAR_MAX == 255 -# define uchar_in_range(c) true -#else -# define uchar_in_range(c) ((c) <= 255) -#endif - -/* Return true if CH is a character from the Base64 alphabet, and - false otherwise. Note that '=' is padding and not considered to be - part of the alphabet. */ -bool -isbase64 (char ch) -{ - return uchar_in_range (to_uchar (ch)) && 0 <= b64[to_uchar (ch)]; -} - -/* Initialize decode-context buffer, CTX. */ -void -base64_decode_ctx_init (struct base64_decode_context *ctx) -{ - ctx->i = 0; -} - -/* If CTX->i is 0 or 4, there are four or more bytes in [*IN..IN_END), and - none of those four is a newline, then return *IN. Otherwise, copy up to - 4 - CTX->i non-newline bytes from that range into CTX->buf, starting at - index CTX->i and setting CTX->i to reflect the number of bytes copied, - and return CTX->buf. In either case, advance *IN to point to the byte - after the last one processed, and set *N_NON_NEWLINE to the number of - verified non-newline bytes accessible through the returned pointer. 
*/ -static const char * -get_4 (struct base64_decode_context *ctx, - char const *restrict *in, char const *restrict in_end, - size_t *n_non_newline) -{ - if (ctx->i == 4) - ctx->i = 0; - - if (ctx->i == 0) - { - char const *t = *in; - if (4 <= in_end - *in && memchr (t, '\n', 4) == NULL) - { - /* This is the common case: no newline. */ - *in += 4; - *n_non_newline = 4; - return (const char *) t; - } - } - - { - /* Copy non-newline bytes into BUF. */ - char const *p = *in; - while (p < in_end) - { - char c = *p++; - if (c != '\n') - { - ctx->buf[ctx->i++] = c; - if (ctx->i == 4) - break; - } - } - - *in = p; - *n_non_newline = ctx->i; - return ctx->buf; - } -} - -#define return_false \ - do \ - { \ - *outp = out; \ - return false; \ - } \ - while (false) - -/* Decode up to four bytes of base64-encoded data, IN, of length INLEN - into the output buffer, *OUT, of size *OUTLEN bytes. Return true if - decoding is successful, false otherwise. If *OUTLEN is too small, - as many bytes as possible are written to *OUT. On return, advance - *OUT to point to the byte after the last one written, and decrement - *OUTLEN to reflect the number of bytes remaining in *OUT. 
*/ -static bool -decode_4 (char const *restrict in, size_t inlen, - char *restrict *outp, size_t *outleft) -{ - char *out = *outp; - if (inlen < 2) - return false; - - if (!isbase64 (in[0]) || !isbase64 (in[1])) - return false; - - if (*outleft) - { - *out++ = ((b64[to_uchar (in[0])] << 2) - | (b64[to_uchar (in[1])] >> 4)); - --*outleft; - } - - if (inlen == 2) - return_false; - - if (in[2] == '=') - { - if (inlen != 4) - return_false; - - if (in[3] != '=') - return_false; - } - else - { - if (!isbase64 (in[2])) - return_false; - - if (*outleft) - { - *out++ = (((b64[to_uchar (in[1])] << 4) & 0xf0) - | (b64[to_uchar (in[2])] >> 2)); - --*outleft; - } - - if (inlen == 3) - return_false; - - if (in[3] == '=') - { - if (inlen != 4) - return_false; - } - else - { - if (!isbase64 (in[3])) - return_false; - - if (*outleft) - { - *out++ = (((b64[to_uchar (in[2])] << 6) & 0xc0) - | b64[to_uchar (in[3])]); - --*outleft; - } - } - } - - *outp = out; - return true; -} - -/* Decode base64-encoded input array IN of length INLEN to output array - OUT that can hold *OUTLEN bytes. The input data may be interspersed - with newlines. Return true if decoding was successful, i.e. if the - input was valid base64 data, false otherwise. If *OUTLEN is too - small, as many bytes as possible will be written to OUT. On return, - *OUTLEN holds the length of decoded bytes in OUT. Note that as soon - as any non-alphabet, non-newline character is encountered, decoding - is stopped and false is returned. If INLEN is zero, then process - only whatever data is stored in CTX. - - Initially, CTX must have been initialized via base64_decode_ctx_init. - Subsequent calls to this function must reuse whatever state is recorded - in that buffer. It is necessary for when a quadruple of base64 input - bytes spans two input buffers. - - If CTX is NULL then newlines are treated as garbage and the input - buffer is processed as a unit. 
*/ - -bool -base64_decode_ctx (struct base64_decode_context *ctx, - const char *restrict in, size_t inlen, - char *restrict out, size_t *outlen) -{ - size_t outleft = *outlen; - bool ignore_newlines = ctx != NULL; - bool flush_ctx = false; - unsigned int ctx_i = 0; - - if (ignore_newlines) - { - ctx_i = ctx->i; - flush_ctx = inlen == 0; - } - - - while (true) - { - size_t outleft_save = outleft; - if (ctx_i == 0 && !flush_ctx) - { - while (true) - { - /* Save a copy of outleft, in case we need to re-parse this - block of four bytes. */ - outleft_save = outleft; - if (!decode_4 (in, inlen, &out, &outleft)) - break; - - in += 4; - inlen -= 4; - } - } - - if (inlen == 0 && !flush_ctx) - break; - - /* Handle the common case of 72-byte wrapped lines. - This also handles any other multiple-of-4-byte wrapping. */ - if (inlen && *in == '\n' && ignore_newlines) - { - ++in; - --inlen; - continue; - } - - /* Restore OUT and OUTLEFT. */ - out -= outleft_save - outleft; - outleft = outleft_save; - - { - char const *in_end = in + inlen; - char const *non_nl; - - if (ignore_newlines) - non_nl = get_4 (ctx, &in, in_end, &inlen); - else - non_nl = in; /* Might have nl in this case. */ - - /* If the input is empty or consists solely of newlines (0 non-newlines), - then we're done. Likewise if there are fewer than 4 bytes when not - flushing context and not treating newlines as garbage. */ - if (inlen == 0 || (inlen < 4 && !flush_ctx && ignore_newlines)) - { - inlen = 0; - break; - } - if (!decode_4 (non_nl, inlen, &out, &outleft)) - break; - - inlen = in_end - in; - } - } - - *outlen -= outleft; - - return inlen == 0; -} - -/* Allocate an output buffer in *OUT, and decode the base64 encoded - data stored in IN of size INLEN to the *OUT buffer. On return, the - size of the decoded data is stored in *OUTLEN. OUTLEN may be NULL, - if the caller is not interested in the decoded length. 
*OUT may be - NULL to indicate an out of memory error, in which case *OUTLEN - contains the size of the memory block needed. The function returns - true on successful decoding and memory allocation errors. (Use the - *OUT and *OUTLEN parameters to differentiate between successful - decoding and memory error.) The function returns false if the - input was invalid, in which case *OUT is NULL and *OUTLEN is - undefined. */ -bool -base64_decode_alloc_ctx (struct base64_decode_context *ctx, - const char *in, size_t inlen, char **out, - size_t *outlen) -{ - /* This may allocate a few bytes too many, depending on input, - but it's not worth the extra CPU time to compute the exact size. - The exact size is 3 * (inlen + (ctx ? ctx->i : 0)) / 4, minus 1 if the - input ends with "=" and minus another 1 if the input ends with "==". - Dividing before multiplying avoids the possibility of overflow. */ - size_t needlen = 3 * (inlen / 4) + 3; - - *out = malloc (needlen); - if (!*out) - return true; - - if (!base64_decode_ctx (ctx, in, inlen, *out, &needlen)) - { - free (*out); - *out = NULL; - return false; - } - - if (outlen) - *outlen = needlen; - - return true; -} diff --git a/lib/base64.h b/lib/base64.h deleted file mode 100644 index a0360dc..0000000 --- a/lib/base64.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* base64.h -- Encode binary data using printable characters. - Copyright (C) 2004-2006, 2009-2019 Free Software Foundation, Inc. - Written by Simon Josefsson. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, see <https://www.gnu.org/licenses/>. */ - -#ifndef BASE64_H -# define BASE64_H - -/* Get size_t. */ -# include <stddef.h> - -/* Get bool. */ -# include <stdbool.h> - -# ifdef __cplusplus -extern "C" { -# endif - -/* This uses that the expression (n+(k-1))/k means the smallest - integer >= n/k, i.e., the ceiling of n/k. 
*/ -# define BASE64_LENGTH(inlen) ((((inlen) + 2) / 3) * 4) - -struct base64_decode_context -{ - unsigned int i; - char buf[4]; -}; - -extern bool isbase64 (char ch) __attribute__ ((__const__)); - -extern void base64_encode (const char *restrict in, size_t inlen, - char *restrict out, size_t outlen); - -extern size_t base64_encode_alloc (const char *in, size_t inlen, char **out); - -extern void base64_decode_ctx_init (struct base64_decode_context *ctx); - -extern bool base64_decode_ctx (struct base64_decode_context *ctx, - const char *restrict in, size_t inlen, - char *restrict out, size_t *outlen); - -extern bool base64_decode_alloc_ctx (struct base64_decode_context *ctx, - const char *in, size_t inlen, - char **out, size_t *outlen); - -#define base64_decode(in, inlen, out, outlen) \ - base64_decode_ctx (NULL, in, inlen, out, outlen) - -#define base64_decode_alloc(in, inlen, out, outlen) \ - base64_decode_alloc_ctx (NULL, in, inlen, out, outlen) - -# ifdef __cplusplus -} -# endif - -#endif /* BASE64_H */ diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c index 965c769..de7bcea 100644 --- a/lib/bitlk/bitlk.c +++ b/lib/bitlk/bitlk.c @@ -1,9 +1,9 @@ /* * BITLK (BitLocker-compatible) volume handling * - * Copyright (C) 2019-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2019-2021 Milan Broz - * Copyright (C) 2019-2021 Vojtech Trefny + * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2019-2023 Milan Broz + * Copyright (C) 2019-2023 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -24,7 +24,6 @@ #include <string.h> #include <uuid/uuid.h> #include <time.h> -#include <iconv.h> #include <limits.h> #include "bitlk.h" 
@@ -234,86 +233,11 @@ static const char* get_bitlk_type_string(BITLKEncryptionType type) } } -/* TODO -- move to some utils file */ -static void hexprint(struct crypt_device *cd, const char *d, int n, const char *sep) -{ - int i; - for(i = 0; i < n; i++) - log_std(cd, "%02hhx%s", (const char)d[i], sep); -} - static uint64_t filetime_to_unixtime(uint64_t time) { return (time - EPOCH_AS_FILETIME) / HUNDREDS_OF_NANOSECONDS; } -static int convert_to_utf8(struct crypt_device *cd, uint8_t *input, size_t inlen, char **out) -{ - char *outbuf = NULL; - iconv_t ic; - size_t ic_inlen = inlen; - size_t ic_outlen = inlen; - char *ic_outbuf = NULL; - size_t r = 0; - - outbuf = malloc(inlen); - if (outbuf == NULL) - return -ENOMEM; - - memset(outbuf, 0, inlen); - ic_outbuf = outbuf; - - ic = iconv_open("UTF-8", "UTF-16LE"); - r = iconv(ic, (char **) &input, &ic_inlen, &ic_outbuf, &ic_outlen); - iconv_close(ic); - - if (r == 0) - *out = strdup(outbuf); - else { - *out = NULL; - log_dbg(cd, "Failed to convert volume description: %s", strerror(errno)); - r = 0; - } - - free(outbuf); - return r; -} - -static int passphrase_to_utf16(struct crypt_device *cd, char *input, size_t inlen, char **out) -{ - char *outbuf = NULL; - iconv_t ic; - size_t ic_inlen = inlen; - size_t ic_outlen = inlen * 2; - char *ic_outbuf = NULL; - size_t r = 0; - - if (inlen == 0) - return r; - - outbuf = crypt_safe_alloc(inlen * 2); - if (outbuf == NULL) - return -ENOMEM; - - memset(outbuf, 0, inlen * 2); - ic_outbuf = outbuf; - - ic = iconv_open("UTF-16LE", "UTF-8"); - r = iconv(ic, &input, &ic_inlen, &ic_outbuf, &ic_outlen); - iconv_close(ic); - - if (r == 0) { - *out = outbuf; - } else { - *out = NULL; - crypt_safe_free(outbuf); - log_dbg(cd, "Failed to convert passphrase: %s", strerror(errno)); - r = -errno; - } - - return r; -} - static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, int end, struct bitlk_vmk **vmk) { uint16_t key_entry_size = 0; 
@@ -324,19 +248,23 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in const char *key = NULL; struct volume_key *vk = NULL; bool supported = false; + int r = 0; /* only passphrase or recovery passphrase vmks are supported (can be used to activate) */ supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE || (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE || (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY; - while (end - start > 2) { + while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) { /* size of this entry */ memcpy(&key_entry_size, data + start, sizeof(key_entry_size)); key_entry_size = le16_to_cpu(key_entry_size); if (key_entry_size == 0) break; + if (key_entry_size > (end - start)) + return -EINVAL; + /* type and value of this entry */ memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type)); memcpy(&key_entry_value, 
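Review bot: The new bound in parse_vmk_entry's loop, `if (key_entry_size > (end - start)) return -EINVAL;`, rejects entries that overrun the buffer but still accepts a non-zero size smaller than the entry header, so a crafted entry can move the parser forward by less than the header it has just read and have the overlapping bytes interpreted as the next entry. Unless the format allows entries shorter than the header, adding the lower bound at the same place keeps every later branch working on a whole entry: `if (key_entry_size < BITLK_ENTRY_HEADER_LEN || key_entry_size > (end - start)) return -EINVAL;`. The same upper-bound-only check appears in the entry loop of BITLK_read_sb (`entry_size > (fve_entries_size - start)`) and in parse_external_key_entry. The loop tail that advances `start` is outside this hunk, so this assumes it advances by `key_entry_size`, as BITLK_read_sb does with `start += entry_size`.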
@@ -355,20 +283,24 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in } /* stretch key with salt, skip 4 B (encryption method of the stretch key) */ - if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) + if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) { + if ((end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4)) + return -EINVAL; memcpy((*vmk)->salt, data + start + BITLK_ENTRY_HEADER_LEN + 4, - sizeof((*vmk)->salt)); + BITLK_SALT_SIZE); /* AES-CCM encrypted key */ - else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) { + } else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) { + if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) + return -EINVAL; /* nonce */ memcpy((*vmk)->nonce, data + start + BITLK_ENTRY_HEADER_LEN, - sizeof((*vmk)->nonce)); + BITLK_NONCE_SIZE); /* MAC tag */ memcpy((*vmk)->mac_tag, data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE, - sizeof((*vmk)->mac_tag)); + BITLK_VMK_MAC_TAG_SIZE); /* AES-CCM encrypted key */ key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE); key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE; 
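Review bot: The stretch-key branch validates against the remaining buffer, `(end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4)`, while the encrypted-key branch next to it validates against `key_entry_size`, so the salt copy stays inside the buffer but can take bytes that lie beyond the entry's declared size. Comparing the entry size instead keeps the copy inside the entry, which the loop has already confirmed fits the buffer: `if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4)) return -EINVAL;`. The GUID branch of parse_external_key_entry and the volume-header branch of BITLK_read_sb use the same remaining-buffer comparison and would benefit from the same change.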
@@ -393,9 +325,16 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in } else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) { ; } else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) { - if (convert_to_utf8(cd, data + start + BITLK_ENTRY_HEADER_LEN, key_entry_size - BITLK_ENTRY_HEADER_LEN, &string) < 0) { - log_err(cd, _("Invalid string found when parsing Volume Master Key.")); + if (key_entry_size < BITLK_ENTRY_HEADER_LEN) + return -EINVAL; + string = malloc((key_entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1); + if (!string) + return -ENOMEM; + r = crypt_utf16_to_utf8(&string, CONST_CAST(char16_t *)(data + start + BITLK_ENTRY_HEADER_LEN), + key_entry_size - BITLK_ENTRY_HEADER_LEN); + if (r < 0 || !string) { free(string); + log_err(cd, _("Invalid string found when parsing Volume Master Key.")); return -EINVAL; } else if ((*vmk)->name != NULL) { if (supported) { @@ -475,6 +414,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) struct bitlk_fve_metadata fve = {}; struct bitlk_entry_vmk entry_vmk = {}; uint8_t *fve_entries = NULL; + size_t fve_entries_size = 0; uint32_t fve_metadata_size = 0; int fve_offset = 0; char guid_buf[UUID_STR_LEN] = {0}; @@ -483,9 +423,9 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) int i = 0; int r = 0; int start = 0; - int end = 0; size_t key_size = 0; const char *key = NULL; + char *description = NULL; struct bitlk_vmk *vmk = NULL; struct bitlk_vmk *vmk_p = params->vmks; @@ -499,8 +439,8 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) /* read and check the signature */ if (read_lseek_blockwise(devfd, device_block_size(cd, device), device_alignment(device), &sig, sizeof(sig), 0) != sizeof(sig)) { - log_err(cd, _("Failed to read BITLK signature from %s."), device_path(device)); - r = -EINVAL; + log_dbg(cd, "Failed to read BITLK signature from %s.", device_path(device)); + r = -EIO; goto out; } 
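Review bot: In the string branch of parse_vmk_entry, `CONST_CAST(char16_t *)(data + start + BITLK_ENTRY_HEADER_LEN)` reinterprets a byte offset derived from untrusted entry sizes as a `char16_t` pointer, and nothing in the hunk ensures that `start` is even or that `key_entry_size - BITLK_ENTRY_HEADER_LEN` is a whole number of UTF-16 units. crypt_utf16_to_utf8 is defined outside this diff view, so it should be confirmed whether it reads through the pointer unit-wise (a misaligned access on strict-alignment targets) and whether its third argument counts bytes or units. Rejecting odd lengths up front, `if ((key_entry_size - BITLK_ENTRY_HEADER_LEN) % 2) return -EINVAL;`, would settle the length question. The description branch of BITLK_read_sb uses the same cast.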
@@ -511,7 +451,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) params->togo = true; fve_offset = BITLK_HEADER_METADATA_OFFSET_TOGO; } else { - log_err(cd, _("Invalid or unknown signature for BITLK device.")); + log_dbg(cd, "Invalid or unknown signature for BITLK device."); r = -EINVAL; goto out; } @@ -581,8 +521,8 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) le16_to_cpu(fve.curr_state), le16_to_cpu(fve.next_state)); } + params->volume_size = le64_to_cpu(fve.volume_size); params->metadata_version = le16_to_cpu(fve.fve_version); - fve_metadata_size = le32_to_cpu(fve.metadata_size); switch (le16_to_cpu(fve.encryption)) { /* AES-CBC with Elephant difuser */ 
@@ -637,40 +577,56 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time)); + fve_metadata_size = le32_to_cpu(fve.metadata_size); + if (fve_metadata_size < (BITLK_FVE_METADATA_HEADER_LEN + sizeof(entry_size) + sizeof(entry_type)) || + fve_metadata_size > BITLK_FVE_METADATA_SIZE) { + r = -EINVAL; + goto out; + } + fve_entries_size = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN; + /* read and parse all FVE metadata entries */ - fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN); + fve_entries = malloc(fve_entries_size); if (!fve_entries) { r = -ENOMEM; goto out; } - memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)); + memset(fve_entries, 0, fve_entries_size); - log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".", - fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device), - params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN); + log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".", + fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN); if (read_lseek_blockwise(devfd, device_block_size(cd, device), - device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, - params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)) { + device_alignment(device), fve_entries, fve_entries_size, + params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) { log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device)); r = -EINVAL; goto out; } - end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN; - while (end - start > 2) { + while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) { + /* size of 
this entry */ memcpy(&entry_size, fve_entries + start, sizeof(entry_size)); entry_size = le16_to_cpu(entry_size); if (entry_size == 0) break; + if (entry_size > (fve_entries_size - start)) { + r = -EINVAL; + goto out; + } + /* type of this entry */ memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type)); entry_type = le16_to_cpu(entry_type); /* VMK */ if (entry_type == BITLK_ENTRY_TYPE_VMK) { + if (entry_size < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_vmk))) { + r = -EINVAL; + goto out; + } /* skip first four variables in the entry (entry size, type, value and version) */ memcpy(&entry_vmk, fve_entries + start + BITLK_ENTRY_HEADER_LEN, @@ -707,7 +663,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) vmk_p = vmk; vmk = vmk->next; /* FVEK */ - } else if (entry_type == BITLK_ENTRY_TYPE_FVEK) { + } else if (entry_type == BITLK_ENTRY_TYPE_FVEK && !params->fvek) { + if (entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) { + r = -EINVAL; + goto out; + } params->fvek = malloc(sizeof(struct bitlk_fvek)); if (!params->fvek) { r = -ENOMEM; @@ -715,11 +675,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) } memcpy(params->fvek->nonce, fve_entries + start + BITLK_ENTRY_HEADER_LEN, - sizeof(params->fvek->nonce)); + BITLK_NONCE_SIZE); /* MAC tag */ memcpy(params->fvek->mac_tag, fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE, - sizeof(params->fvek->mac_tag)); + BITLK_VMK_MAC_TAG_SIZE); /* AES-CCM encrypted key */ key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE); key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE; 
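Review bot: The new range check on `fve_metadata_size` and the per-entry size checks in this loop all leave through `r = -EINVAL; goto out;` without a message, so a rejected header cannot be told apart in the logs from the other -EINVAL exits of BITLK_read_sb. A debug line on rejection, for example `log_dbg(cd, "Invalid BITLK FVE metadata size %" PRIu32 ".", fve_metadata_size);` before the first `goto out`, would make corrupted or hostile metadata diagnosable without changing behaviour. The FVEK branch in the following hunk skips any further FVEK entry through `&& !params->fvek`; a short comment such as `/* only the first FVEK entry is used; later ones are ignored */` would record that intent.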
@@ -731,20 +691,35 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params) /* volume header info (location and size) */ } else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) { struct bitlk_entry_header_block entry_header; + if ((fve_entries_size - start) < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_header))) { + r = -EINVAL; + goto out; + } memcpy(&entry_header, fve_entries + start + BITLK_ENTRY_HEADER_LEN, sizeof(entry_header)); params->volume_header_offset = le64_to_cpu(entry_header.offset); params->volume_header_size = le64_to_cpu(entry_header.size); /* volume description (utf-16 string) */ - } else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) { - r = convert_to_utf8(cd, fve_entries + start + BITLK_ENTRY_HEADER_LEN, - entry_size - BITLK_ENTRY_HEADER_LEN, - &(params->description)); - if (r < 0) { - BITLK_bitlk_vmk_free(vmk); + } else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION && !params->description) { + if (entry_size < BITLK_ENTRY_HEADER_LEN) { + r = -EINVAL; goto out; } + description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1); + if (!description) { + r = -ENOMEM; + goto out; + } + r = crypt_utf16_to_utf8(&description, CONST_CAST(char16_t *)(fve_entries + start + BITLK_ENTRY_HEADER_LEN), + entry_size - BITLK_ENTRY_HEADER_LEN); + if (r < 0) { + free(description); + BITLK_bitlk_vmk_free(vmk); + log_err(cd, _("Failed to convert BITLK volume description")); + goto out; + } + params->description = description; } start += entry_size; 
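Review bot: A description that fails UTF-16 conversion now aborts BITLK_read_sb (`if (r < 0) { free(description); ... goto out; }`), whereas the removed convert_to_utf8 logged the failure at debug level, left the description NULL and returned 0. In the hunks shown the description is only printed by BITLK_dump, so a malformed label on otherwise valid metadata would make the whole metadata load fail; if that is intended it deserves a comment, otherwise log and continue with `params->description` left NULL. The success test also differs from parse_vmk_entry, which checks `r < 0 || !string` after the same call, so one of the two should be aligned with the other once the contract of crypt_utf16_to_utf8 is confirmed.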
@@ -767,6 +742,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta log_std(cd, "Version: \t%u\n", params->metadata_version); log_std(cd, "GUID: \t%s\n", params->guid); log_std(cd, "Sector size: \t%u [bytes]\n", params->sector_size); + log_std(cd, "Volume size: \t%" PRIu64 " [bytes]\n", params->volume_size); log_std(cd, "Created: \t%s", ctime((time_t *)&(params->creation_time))); log_std(cd, "Description: \t%s\n", params->description); log_std(cd, "Cipher name: \t%s\n", params->cipher); @@ -785,7 +761,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta log_std(cd, "\tGUID: \t%s\n", vmk_p->guid); log_std(cd, "\tProtection: \t%s\n", get_vmk_protection_string (vmk_p->protection)); log_std(cd, "\tSalt: \t"); - hexprint(cd, (const char *) vmk_p->salt, 16, ""); + crypt_log_hex(cd, (const char *) vmk_p->salt, 16, "", 0, NULL); log_std(cd, "\n"); vk_p = vmk_p->vk; @@ -835,13 +811,13 @@ static int get_recovery_key(struct crypt_device *cd, - each part is a number dividable by 11 */ if (passwordLen != BITLK_RECOVERY_KEY_LEN) { - if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') { - /* looks like a recovery key with an extra newline, possibly from a key file */ - passwordLen--; - log_dbg(cd, "Possible extra EOL stripped from the recovery key."); - } else - return 0; - } + if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') { + /* looks like a recovery key with an extra newline, possibly from a key file */ + passwordLen--; + log_dbg(cd, "Possible extra EOL stripped from the recovery key."); + } else + return 0; + } for (i = BITLK_RECOVERY_PART_LEN; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1) { if (password[i] != '-') 
@@ -884,13 +860,16 @@ static int parse_external_key_entry(struct crypt_device *cd, struct bitlk_guid guid; char guid_buf[UUID_STR_LEN] = {0}; - while (end - start > 2) { + while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) { /* size of this entry */ memcpy(&key_entry_size, data + start, sizeof(key_entry_size)); key_entry_size = le16_to_cpu(key_entry_size); if (key_entry_size == 0) break; + if (key_entry_size > (end - start)) + return -EINVAL; + /* type and value of this entry */ memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type)); memcpy(&key_entry_value, @@ -905,6 +884,8 @@ static int parse_external_key_entry(struct crypt_device *cd, } if (key_entry_value == BITLK_ENTRY_VALUE_KEY) { + if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + 4)) + return -EINVAL; key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4); key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4; *vk = crypt_alloc_volume_key(key_size, key); @@ -916,6 +897,8 @@ static int parse_external_key_entry(struct crypt_device *cd, ; /* GUID of the BitLocker device we are trying to open with this key */ else if (key_entry_value == BITLK_ENTRY_VALUE_GUID) { + if ((end - start) < (ssize_t)(BITLK_ENTRY_HEADER_LEN + sizeof(struct bitlk_guid))) + return -EINVAL; memcpy(&guid, data + start + BITLK_ENTRY_HEADER_LEN, sizeof(struct bitlk_guid)); guid_to_string(&guid, guid_buf); if (strcmp(guid_buf, params->guid) != 0) { @@ -949,7 +932,7 @@ static int get_startup_key(struct crypt_device *cd, uint16_t key_entry_type = 0; uint16_t key_entry_value = 0; - if (passwordLen < BITLK_BEK_FILE_HEADER_LEN) + if (passwordLen < (BITLK_BEK_FILE_HEADER_LEN + sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) return -EPERM; memcpy(&bek_header, password, BITLK_BEK_FILE_HEADER_LEN); 
@@ -961,13 +944,14 @@ static int get_startup_key(struct crypt_device *cd, else return -EPERM; - if (bek_header.metadata_version != 1) { - log_err(cd, _("Unsupported BEK metadata version %" PRIu32), bek_header.metadata_version); + if (le32_to_cpu(bek_header.metadata_version) != 1) { + log_err(cd, _("Unsupported BEK metadata version %" PRIu32), le32_to_cpu(bek_header.metadata_version)); return -ENOTSUP; } - if (bek_header.metadata_size != passwordLen) { - log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"), bek_header.metadata_size); + if (le32_to_cpu(bek_header.metadata_size) != passwordLen) { + log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"), + le32_to_cpu(bek_header.metadata_size)); return -EINVAL; } @@ -1008,7 +992,7 @@ static int bitlk_kdf(struct crypt_device *cd, struct bitlk_kdf_data kdf = {}; struct crypt_hash *hd = NULL; int len = 0; - char *utf16Password = NULL; + char16_t *utf16Password = NULL; int i = 0; int r = 0; @@ -1025,11 +1009,16 @@ static int bitlk_kdf(struct crypt_device *cd, if (!recovery) { /* passphrase: convert to UTF-16 first, then sha256(sha256(pw)) */ - r = passphrase_to_utf16(cd, CONST_CAST(char*)password, passwordLen, &utf16Password); + utf16Password = crypt_safe_alloc(sizeof(char16_t) * (passwordLen + 1)); + if (!utf16Password) { + r = -ENOMEM; + goto out; + } + r = crypt_utf8_to_utf16(&utf16Password, CONST_CAST(char*)password, passwordLen); if (r < 0) goto out; - crypt_hash_write(hd, utf16Password, passwordLen * 2); + crypt_hash_write(hd, (char*)utf16Password, passwordLen * 2); r = crypt_hash_final(hd, kdf.initial_sha256, len); if (r < 0) goto out; @@ -1258,7 +1247,7 @@ static int _activate(struct crypt_device *cd, uint64_t next_start = 0; uint64_t next_end = 0; uint64_t last_segment = 0; - uint32_t dmt_flags; + uint32_t dmt_flags = 0; r = _activate_check(cd, params); if (r) 
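Review bot: In bitlk_kdf the hash input length `passwordLen * 2` is computed from the UTF-8 byte count, not from the number of UTF-16 code units the conversion produced. For a passphrase containing multi-byte UTF-8 characters the converted string is shorter than `passwordLen` units, so `crypt_hash_write()` would also hash the unused tail of the new `crypt_safe_alloc()` buffer, whose content depends on that allocator (not visible here). The length expression is unchanged context apart from the cast, and `crypt_utf8_to_utf16()` is outside this page, so this needs confirming against its contract. If it holds, hash only the converted units, for example by counting them up to the terminator (assuming the helper writes one) and passing `units * sizeof(char16_t)`. The function body starts and ends outside the hunk.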
@@ -1269,6 +1258,11 @@ static int _activate(struct crypt_device *cd, if (r) return r; + if (dmd.size * SECTOR_SIZE != params->volume_size) + log_std(cd, _("WARNING: BitLocker volume size %" PRIu64 " does not match the underlying device size %" PRIu64 ""), + params->volume_size, + dmd.size * SECTOR_SIZE); + /* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */ for (i = 0; i < 3; i++) { segments[num_segments].offset = params->metadata_offset[i] / SECTOR_SIZE; @@ -1399,6 +1393,14 @@ static int _activate(struct crypt_device *cd, log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser.")); r = -ENOTSUP; } + if ((dmd.flags & CRYPT_ACTIVATE_IV_LARGE_SECTORS) && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED)) { + log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for large sector size.")); + r = -ENOTSUP; + } + if (dm_flags(cd, DM_ZERO, &dmt_flags) < 0) { + log_err(cd, _("Cannot activate device, kernel dm-zero module is missing.")); + r = -ENOTSUP; + } } out: dm_targets_free(cd, &dmd); diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h index ccf99a7..54d3dc7 100644 --- a/lib/bitlk/bitlk.h +++ b/lib/bitlk/bitlk.h @@ -1,9 +1,9 @@ /* * BITLK (BitLocker-compatible) header definition * - * Copyright (C) 2019-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2019-2021 Milan Broz - * Copyright (C) 2019-2021 Vojtech Trefny + * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2019-2023 Milan Broz + * Copyright (C) 2019-2023 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -99,6 +99,7 @@ struct bitlk_fvek { struct bitlk_metadata { uint16_t sector_size; + uint64_t volume_size; bool togo; bool state; BITLKEncryptionType type; diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c index 180d08a..c839b09 100644 --- a/lib/crypt_plain.c +++ b/lib/crypt_plain.c 
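Review bot: The new size-mismatch warning in _activate is emitted with `log_std()` and a format string that ends in an empty literal `""` with no newline, while every `log_std()` call visible in BITLK_dump terminates its line with an explicit `\n`. If `log_std()` does not append a newline itself, this message runs into the next line of output; ending the format with `"\n"` instead of `""` would match the other calls. A warning may also be better placed on the error channel than on standard output, where it mixes with output that scripts read. _activate starts and ends outside the hunk.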
@@ -2,8 +2,8 @@ * cryptsetup plain device helper functions * * Copyright (C) 2004 Jana Saout <jana@saout.de> - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/crypto_backend/Makemodule.am b/lib/crypto_backend/Makemodule.am index f33cd45..7507763 100644 --- a/lib/crypto_backend/Makemodule.am +++ b/lib/crypto_backend/Makemodule.am @@ -9,6 +9,8 @@ libcrypto_backend_la_SOURCES = \ lib/crypto_backend/crypto_storage.c \ lib/crypto_backend/pbkdf_check.c \ lib/crypto_backend/crc32.c \ + lib/crypto_backend/base64.c \ + lib/crypto_backend/utf8.c \ lib/crypto_backend/argon2_generic.c \ lib/crypto_backend/cipher_generic.c \ lib/crypto_backend/cipher_check.c diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c index db9a774..f128d84 100644 --- a/lib/crypto_backend/argon2/core.c +++ b/lib/crypto_backend/argon2/core.c @@ -279,7 +279,6 @@ static void *fill_segment_thr(void *thread_data) { argon2_thread_data *my_data = thread_data; fill_segment(my_data->instance_ptr, my_data->pos); - argon2_thread_exit(); return 0; } diff --git a/lib/crypto_backend/argon2/thread.c b/lib/crypto_backend/argon2/thread.c index 3ae2fb2..9fd15ed 100644 --- a/lib/crypto_backend/argon2/thread.c +++ b/lib/crypto_backend/argon2/thread.c @@ -46,12 +46,4 @@ int argon2_thread_join(argon2_thread_handle_t handle) { #endif } -void argon2_thread_exit(void) { -#if defined(_WIN32) - _endthreadex(0); -#else - pthread_exit(NULL); -#endif -} - #endif /* ARGON2_NO_THREADS */ diff --git a/lib/crypto_backend/argon2/thread.h b/lib/crypto_backend/argon2/thread.h index d4ca10c..478e260 100644 --- a/lib/crypto_backend/argon2/thread.h +++ b/lib/crypto_backend/argon2/thread.h 
@@ -58,10 +58,5 @@ int argon2_thread_create(argon2_thread_handle_t *handle, */ int argon2_thread_join(argon2_thread_handle_t handle); -/* Terminate the current thread. Must be run inside a thread created by - * argon2_thread_create. -*/ -void argon2_thread_exit(void); - #endif /* ARGON2_NO_THREADS */ #endif diff --git a/lib/crypto_backend/argon2_generic.c b/lib/crypto_backend/argon2_generic.c index d8a5b21..0ce67da 100644 --- a/lib/crypto_backend/argon2_generic.c +++ b/lib/crypto_backend/argon2_generic.c @@ -1,8 +1,8 @@ /* * Argon2 PBKDF2 library wrapper * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Milan Broz + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/base64.c b/lib/crypto_backend/base64.c new file mode 100644 index 0000000..42f70cb --- /dev/null +++ b/lib/crypto_backend/base64.c 
@@ -0,0 +1,276 @@ +/* + * Base64 "Not encryption" helpers, copied and adapted from systemd project. + * + * Copyright (C) 2010 Lennart Poettering + * + * cryptsetup related changes + * Copyright (C) 2021-2023 Milan Broz + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <errno.h> +#include <stdlib.h> +#include <limits.h> + +#include "crypto_backend.h" + +#define WHITESPACE " \t\n\r" + +/* https://tools.ietf.org/html/rfc4648#section-4 */ +static char base64char(int x) +{ + static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789+/"; + return table[x & 63]; +} + +static int unbase64char(char c) +{ + unsigned offset; + + if (c >= 'A' && c <= 'Z') + return c - 'A'; + + offset = 'Z' - 'A' + 1; + + if (c >= 'a' && c <= 'z') + return c - 'a' + offset; + + offset += 'z' - 'a' + 1; + + if (c >= '0' && c <= '9') + return c - '0' + offset; + + offset += '9' - '0' + 1; + + if (c == '+') + return offset; + + offset++; + + if (c == '/') + return offset; + + return -EINVAL; +} + +int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length) +{ + char *r, *z; + const uint8_t *x; + + assert(in || in_length == 0); + assert(out); + + /* three input bytes makes four output bytes, padding is added so we must 
round up */ + z = r = malloc(4 * (in_length + 2) / 3 + 1); + if (!r) + return -ENOMEM; + + for (x = (const uint8_t *)in; x < (const uint8_t*)in + (in_length / 3) * 3; x += 3) { + /* x[0] == XXXXXXXX; x[1] == YYYYYYYY; x[2] == ZZZZZZZZ */ + *(z++) = base64char(x[0] >> 2); /* 00XXXXXX */ + *(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */ + *(z++) = base64char((x[1] & 15) << 2 | x[2] >> 6); /* 00YYYYZZ */ + *(z++) = base64char(x[2] & 63); /* 00ZZZZZZ */ + } + + switch (in_length % 3) { + case 2: + *(z++) = base64char(x[0] >> 2); /* 00XXXXXX */ + *(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */ + *(z++) = base64char((x[1] & 15) << 2); /* 00YYYY00 */ + *(z++) = '='; + + break; + case 1: + *(z++) = base64char(x[0] >> 2); /* 00XXXXXX */ + *(z++) = base64char((x[0] & 3) << 4); /* 00XX0000 */ + *(z++) = '='; + *(z++) = '='; + + break; + } + + *z = 0; + *out = r; + if (out_length) + *out_length = z - r; + return 0; +} + +static int unbase64_next(const char **p, size_t *l) +{ + int ret; + + assert(p); + assert(l); + + /* Find the next non-whitespace character, and decode it. If we find padding, we return it as INT_MAX. We + * greedily skip all preceding and all following whitespace. 
*/ + + for (;;) { + if (*l == 0) + return -EPIPE; + + if (!strchr(WHITESPACE, **p)) + break; + + /* Skip leading whitespace */ + (*p)++, (*l)--; + } + + if (**p == '=') + ret = INT_MAX; /* return padding as INT_MAX */ + else { + ret = unbase64char(**p); + if (ret < 0) + return ret; + } + + for (;;) { + (*p)++, (*l)--; + + if (*l == 0) + break; + if (!strchr(WHITESPACE, **p)) + break; + + /* Skip following whitespace */ + } + + return ret; +} + +int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t in_length) +{ + uint8_t *buf = NULL; + const char *x; + uint8_t *z; + size_t len; + int r; + + assert(in || in_length == 0); + assert(out); + assert(out_length); + + if (in_length == (size_t) -1) + in_length = strlen(in); + + /* A group of four input bytes needs three output bytes, in case of padding we need to add two or three extra + * bytes. Note that this calculation is an upper boundary, as we ignore whitespace while decoding */ + len = (in_length / 4) * 3 + (in_length % 4 != 0 ? 
(in_length % 4) - 1 : 0); + + buf = malloc(len + 1); + if (!buf) + return -ENOMEM; + + for (x = in, z = buf;;) { + int a, b, c, d; /* a == 00XXXXXX; b == 00YYYYYY; c == 00ZZZZZZ; d == 00WWWWWW */ + + a = unbase64_next(&x, &in_length); + if (a == -EPIPE) /* End of string */ + break; + if (a < 0) { + r = a; + goto err; + } + if (a == INT_MAX) { /* Padding is not allowed at the beginning of a 4ch block */ + r = -EINVAL; + goto err; + } + + b = unbase64_next(&x, &in_length); + if (b < 0) { + r = b; + goto err; + } + if (b == INT_MAX) { /* Padding is not allowed at the second character of a 4ch block either */ + r = -EINVAL; + goto err; + } + + c = unbase64_next(&x, &in_length); + if (c < 0) { + r = c; + goto err; + } + + d = unbase64_next(&x, &in_length); + if (d < 0) { + r = d; + goto err; + } + + if (c == INT_MAX) { /* Padding at the third character */ + + if (d != INT_MAX) { /* If the third character is padding, the fourth must be too */ + r = -EINVAL; + goto err; + } + + /* b == 00YY0000 */ + if (b & 15) { + r = -EINVAL; + goto err; + } + + if (in_length > 0) { /* Trailing rubbish? */ + r = -ENAMETOOLONG; + goto err; + } + + *(z++) = (uint8_t) a << 2 | (uint8_t) (b >> 4); /* XXXXXXYY */ + break; + } + + if (d == INT_MAX) { + /* c == 00ZZZZ00 */ + if (c & 3) { + r = -EINVAL; + goto err; + } + + if (in_length > 0) { /* Trailing rubbish? */ + r = -ENAMETOOLONG; + goto err; + } + + *(z++) = (uint8_t) a << 2 | (uint8_t) b >> 4; /* XXXXXXYY */ + *(z++) = (uint8_t) b << 4 | (uint8_t) c >> 2; /* YYYYZZZZ */ + break; + } + + *(z++) = (uint8_t) a << 2 | (uint8_t) b >> 4; /* XXXXXXYY */ + *(z++) = (uint8_t) b << 4 | (uint8_t) c >> 2; /* YYYYZZZZ */ + *(z++) = (uint8_t) c << 6 | (uint8_t) d; /* ZZWWWWWW */ + } + + *z = 0; + + *out_length = (size_t) (z - buf); + *out = (char *)buf; + return 0; +err: + free(buf); + + /* Ignore other errors in crypt_backend */ + if (r != -ENOMEM) + r = -EINVAL; + + return r; +} 
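Review bot: In crypt_base64_encode the allocation size `4 * (in_length + 2) / 3 + 1` is computed in `size_t` with no upper bound on `in_length`, so a very large length wraps the multiplication and the encoding loop then writes past a short buffer. A guard before the `malloc` closes that: `if (in_length > SIZE_MAX / 4 - 2) return -EINVAL;`. Separately, `unbase64_next()` tests `strchr(WHITESPACE, **p)`, and `strchr` also matches the terminating NUL of the set, so zero bytes embedded in the input are skipped as if they were whitespace; testing `**p != '\0'` first would make the decoder reject them. Argument validation in both public functions relies on `assert()`, which disappears in `NDEBUG` builds.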
diff --git a/lib/crypto_backend/cipher_check.c b/lib/crypto_backend/cipher_check.c index 70515ee..98ec1a5 100644 --- a/lib/crypto_backend/cipher_check.c +++ b/lib/crypto_backend/cipher_check.c @@ -1,8 +1,8 @@ /* * Cipher performance check * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2021 Milan Broz + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/cipher_generic.c b/lib/crypto_backend/cipher_generic.c index 6c8e84c..b3a4407 100644 --- a/lib/crypto_backend/cipher_generic.c +++ b/lib/crypto_backend/cipher_generic.c @@ -1,8 +1,8 @@ /* * Linux kernel cipher generic utilities * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2021 Milan Broz + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/crc32.c b/lib/crypto_backend/crc32.c index 9d43623..9009b02 100644 --- a/lib/crypto_backend/crc32.c +++ b/lib/crypto_backend/crc32.c 
@@ -97,12 +97,71 @@ static const uint32_t crc32_tab[] = { 0x2d02ef8dL }; +static const uint32_t crc32c_tab[] = { + 0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L, 0xC79A971FL, + 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL, 0x8AD958CFL, 0x78B2DBCCL, + 0x6BE22838L, 0x9989AB3BL, 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, + 0x5E133C24L, 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL, + 0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L, 0x9A879FA0L, + 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L, 0x5D1D08BFL, 0xAF768BBCL, + 0xBC267848L, 0x4E4DFB4BL, 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, + 0x33ED7D2AL, 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L, + 0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L, 0x6DFE410EL, + 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL, 0x30E349B1L, 0xC288CAB2L, + 0xD1D83946L, 0x23B3BA45L, 0xF779DEAEL, 0x05125DADL, 0x1642AE59L, + 0xE4292D5AL, 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL, + 0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L, 0x417B1DBCL, + 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L, 0x86E18AA3L, 0x748A09A0L, + 0x67DAFA54L, 0x95B17957L, 0xCBA24573L, 0x39C9C670L, 0x2A993584L, + 0xD8F2B687L, 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L, + 0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L, 0x96BF4DCCL, + 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L, 0xDBFC821CL, 0x2997011FL, + 0x3AC7F2EBL, 0xC8AC71E8L, 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, + 0x0F36E6F7L, 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L, + 0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L, 0xEB1FCBADL, + 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L, 0x2C855CB2L, 0xDEEEDFB1L, + 0xCDBE2C45L, 0x3FD5AF46L, 0x7198540DL, 0x83F3D70EL, 0x90A324FAL, + 0x62C8A7F9L, 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L, + 0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L, 0x3CDB9BDDL, + 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L, 0x82F63B78L, 0x709DB87BL, + 0x63CD4B8FL, 0x91A6C88CL, 0x456CAC67L, 0xB7072F64L, 0xA457DC90L, + 0x563C5F93L, 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L, + 
0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL, 0x92A8FC17L, + 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L, 0x55326B08L, 0xA759E80BL, + 0xB4091BFFL, 0x466298FCL, 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, + 0x0B21572CL, 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L, + 0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L, 0x65D122B9L, + 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL, 0x2892ED69L, 0xDAF96E6AL, + 0xC9A99D9EL, 0x3BC21E9DL, 0xEF087A76L, 0x1D63F975L, 0x0E330A81L, + 0xFC588982L, 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL, + 0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L, 0x38CC2A06L, + 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L, 0xFF56BD19L, 0x0D3D3E1AL, + 0x1E6DCDEEL, 0xEC064EEDL, 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, + 0xD0DDD530L, 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL, + 0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL, 0x8ECEE914L, + 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L, 0xD3D3E1ABL, 0x21B862A8L, + 0x32E8915CL, 0xC083125FL, 0x144976B4L, 0xE622F5B7L, 0xF5720643L, + 0x07198540L, 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L, + 0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL, 0xE330A81AL, + 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL, 0x24AA3F05L, 0xD6C1BC06L, + 0xC5914FF2L, 0x37FACCF1L, 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, + 0x7AB90321L, 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL, + 0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L, 0x34F4F86AL, + 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL, 0x79B737BAL, 0x8BDCB4B9L, + 0x988C474DL, 0x6AE7C44EL, 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, + 0xAD7D5351L +}; + /* * This a generic crc32() function, it takes seed as an argument, * and does __not__ xor at the end. Then individual users can do * whatever they need. */ -uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len) +static uint32_t compute_crc32( + const uint32_t *crc32_tab, + uint32_t seed, + const unsigned char *buf, + size_t len) { uint32_t crc = seed; const unsigned char *p = buf; 
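Review bot: The new helper's first parameter is named `crc32_tab`, the same as the file-scope table defined above it, so inside `compute_crc32()` the parameter shadows the global. It works, but it trips `-Wshadow` and makes it easy to misread which table a lookup uses now that the file holds two; a neutral name such as `const uint32_t *tab` avoids that. The function body continues outside this hunk, so the lookup line that uses the name would need the same rename.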
@@ -112,3 +171,13 @@ uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len) return crc; } + +uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len) +{ + return compute_crc32(crc32_tab, seed, buf, len); +} + +uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len) +{ + return compute_crc32(crc32c_tab, seed, buf, len); +} diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h index 88cc2d5..88562e9 100644 --- a/lib/crypto_backend/crypto_backend.h +++ b/lib/crypto_backend/crypto_backend.h @@ -1,8 +1,8 @@ /* * crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -21,10 +21,17 @@ #ifndef _CRYPTO_BACKEND_H #define _CRYPTO_BACKEND_H +#include <assert.h> #include <stdint.h> #include <stdbool.h> #include <stddef.h> #include <string.h> +#ifdef HAVE_UCHAR_H +#include <uchar.h> +#else +#define char32_t uint32_t +#define char16_t uint16_t +#endif struct crypt_hash; struct crypt_hmac; @@ -34,7 +41,8 @@ struct crypt_storage; int crypt_backend_init(bool fips); void crypt_backend_destroy(void); -#define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */ +#define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */ +#define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */ uint32_t crypt_backend_flags(void); const char *crypt_backend_version(void); 
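Review bot: The fallback for a missing `<uchar.h>` in the include block of crypto_backend.h defines `char32_t` and `char16_t` as preprocessor macros, which rewrites those tokens in every file that includes this header, including any header pulled in after it. Typedefs give the same names with normal scoping: `typedef uint32_t char32_t;` and `typedef uint16_t char16_t;`. The `#ifdef HAVE_UCHAR_H` test also works only if the configure-generated header was included before this one, which is not visible here and deserves a one-line comment.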
@@ -82,6 +90,15 @@ int crypt_pbkdf_perf(const char *kdf, const char *hash, /* CRC32 */ uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len); +uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len); + +/* Base64 */ +int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length); +int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t in_length); + +/* UTF8/16 */ +int crypt_utf16_to_utf8(char **out, const char16_t *s, size_t length /* bytes! */); +int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length); /* Block ciphers */ int crypt_cipher_ivsize(const char *name, const char *mode); @@ -135,4 +152,10 @@ static inline void crypt_backend_memzero(void *s, size_t n) #endif } +/* Memcmp helper (memcmp in constant time) */ +int crypt_backend_memeq(const void *m1, const void *m2, size_t n); + +/* crypto backend running in FIPS mode */ +bool crypt_fips_mode(void); + #endif /* _CRYPTO_BACKEND_H */ diff --git a/lib/crypto_backend/crypto_backend_internal.h b/lib/crypto_backend/crypto_backend_internal.h index e2d6a6a..9b1cc69 100644 --- a/lib/crypto_backend/crypto_backend_internal.h +++ b/lib/crypto_backend/crypto_backend_internal.h @@ -1,8 +1,8 @@ /* * crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
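Review bot: The two UTF conversion prototypes do not say who owns `*out` or in which unit `length` is counted, apart from the inline `/* bytes! */` on one of them. The BITLK callers in this commit allocate the buffer themselves before passing its address, so the `char **out` signature reads like a callee-allocating API when it apparently is not. A comment above the declarations would prevent undersized buffers, for example `/* *out must point to a caller-allocated buffer; length is the input size in bytes */`, with the required output size added once the implementation (not on this page) has been checked.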
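Review bot: `crypt_backend_memeq()` is named like an equality predicate but, judging by the backends in this commit, follows the `memcmp` convention and returns 0 when the buffers match; the Nettle wrapper inverts `memeql_sec()` for exactly that reason. The header comment should state the contract so that a caller does not write `if (crypt_backend_memeq(a, b, n))` expecting a match: `/* Constant-time compare: returns 0 if equal, non-zero otherwise (no ordering) */`. An inverted test on a digest or tag comparison would accept mismatching data, so the declaration is the right place to spell this out.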
@@ -58,4 +58,18 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length, const char *iv, size_t iv_length, const char *tag, size_t tag_length); +/* Internal implementation for constant time memory comparison */ +static inline int crypt_internal_memeq(const void *m1, const void *m2, size_t n) +{ + const unsigned char *_m1 = (const unsigned char *) m1; + const unsigned char *_m2 = (const unsigned char *) m2; + unsigned char result = 0; + size_t i; + + for (i = 0; i < n; i++) + result |= _m1[i] ^ _m2[i]; + + return result; +} + #endif /* _CRYPTO_BACKEND_INTERNAL_H */ diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c index 4903266..3460717 100644 --- a/lib/crypto_backend/crypto_cipher_kernel.c +++ b/lib/crypto_backend/crypto_cipher_kernel.c @@ -1,8 +1,8 @@ /* * Linux kernel userspace API crypto backend implementation (skcipher) * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index 67f2606..e974aa8 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -1,8 +1,8 @@ /* * GCRYPT crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -22,7 +22,6 @@ #include <string.h> #include <stdio.h> #include <errno.h> -#include <assert.h> #include <gcrypt.h> #include "crypto_backend_internal.h" 
@@ -550,3 +549,25 @@ out: return -ENOTSUP; #endif } + +int crypt_backend_memeq(const void *m1, const void *m2, size_t n) +{ + return crypt_internal_memeq(m1, m2, n); +} + +#if !ENABLE_FIPS +bool crypt_fips_mode(void) { return false; } +#else +bool crypt_fips_mode(void) +{ + static bool fips_mode = false, fips_checked = false; + + if (fips_checked) + return fips_mode; + + fips_mode = gcry_fips_mode_active(); + fips_checked = true; + + return fips_mode; +} +#endif /* ENABLE FIPS */ diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c index ce84cfa..8493c0a 100644 --- a/lib/crypto_backend/crypto_kernel.c +++ b/lib/crypto_backend/crypto_kernel.c @@ -1,8 +1,8 @@ /* * Linux kernel userspace API crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -416,3 +416,13 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length, return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +int crypt_backend_memeq(const void *m1, const void *m2, size_t n) +{ + return crypt_internal_memeq(m1, m2, n); +} + +bool crypt_fips_mode(void) +{ + return false; +} diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c index c9b9f5f..086e4fc 100644 --- a/lib/crypto_backend/crypto_nettle.c +++ b/lib/crypto_backend/crypto_nettle.c 
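Review bot: `crypt_fips_mode()` caches its answer in two function-local statics on the first call and never queries `gcry_fips_mode_active()` again. If a caller can reach it before the backend is initialised, a stale `false` would be kept for the life of the process, and the statics are written without synchronisation by whichever thread calls first; neither case is ruled out by what the hunk shows. A comment stating the precondition, such as `/* call only after crypt_backend_init(); the result is cached */`, would document the assumption. The OpenSSL backend (hunk `@@ -809,3 +816,34 @@`) uses the same pattern.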
@@ -1,8 +1,8 @@ /* * Nettle crypto backend implementation * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2021 Milan Broz + * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -26,6 +26,7 @@ #include <nettle/sha3.h> #include <nettle/hmac.h> #include <nettle/pbkdf2.h> +#include <nettle/memops.h> #include "crypto_backend_internal.h" #if HAVE_NETTLE_VERSION_H @@ -446,3 +447,14 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length, return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +int crypt_backend_memeq(const void *m1, const void *m2, size_t n) +{ + /* The logic is inverse to memcmp... */ + return !memeql_sec(m1, m2, n); +} + +bool crypt_fips_mode(void) +{ + return false; +} diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c index a84d3d6..c154812 100644 --- a/lib/crypto_backend/crypto_nss.c +++ b/lib/crypto_backend/crypto_nss.c @@ -1,8 +1,8 @@ /* * NSS crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -395,3 +395,13 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length, return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +int crypt_backend_memeq(const void *m1, const void *m2, size_t n) +{ + return NSS_SecureMemcmp(m1, m2, n); +} + +bool crypt_fips_mode(void) +{ + return false; +} 
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c index 80a747c..607ec38 100644 --- a/lib/crypto_backend/crypto_openssl.c +++ b/lib/crypto_backend/crypto_openssl.c @@ -1,8 +1,8 @@ /* * OPENSSL crypto backend implementation * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2021 Milan Broz + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -30,6 +30,8 @@ #include <string.h> #include <errno.h> +#include <limits.h> +#include <openssl/crypto.h> #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/rand.h> @@ -230,7 +232,11 @@ void crypt_backend_destroy(void) uint32_t crypt_backend_flags(void) { +#if OPENSSL_VERSION_MAJOR >= 3 return 0; +#else + return CRYPT_BACKEND_PBKDF2_INT; +#endif } const char *crypt_backend_version(void) @@ -573,6 +579,10 @@ static int openssl_pbkdf2(const char *password, size_t password_length, if (!hash_id) return -EINVAL; + /* OpenSSL2 has iteration as signed int, avoid overflow */ + if (iterations > INT_MAX) + return -EINVAL; + r = PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt, (int)salt_length, iterations, hash_id, (int)key_length, (unsigned char*) key); #endif @@ -789,9 +799,6 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length __attribute__((un if (EVP_DecryptInit_ex(ctx, EVP_aes_256_ccm(), NULL, NULL, NULL) != 1) goto out; - //EVP_CIPHER_CTX_key_length(ctx) - //EVP_CIPHER_CTX_iv_length(ctx) - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_length, NULL) != 1) goto out; if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_length, CONST_CAST(void*)tag) != 1) 
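Review bot: The new `iterations > INT_MAX` guard in openssl_pbkdf2 covers one narrowing conversion, but the same `PKCS5_PBKDF2_HMAC()` call casts `password_length`, `salt_length` and `key_length` to `int` with no range check. A length above `INT_MAX` would be truncated or turn negative there; extending the guard keeps the call consistent: `if (iterations > INT_MAX || password_length > INT_MAX || salt_length > INT_MAX || key_length > INT_MAX) return -EINVAL;`. The added comment says "OpenSSL2", which presumably means the pre-3.0 API and could say so. The function starts and ends outside the hunk.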
@@ -809,3 +816,34 @@ out: return -ENOTSUP; #endif } + +int crypt_backend_memeq(const void *m1, const void *m2, size_t n) +{ + return CRYPTO_memcmp(m1, m2, n); +} + +#if !ENABLE_FIPS +bool crypt_fips_mode(void) { return false; } +#else +static bool openssl_fips_mode(void) +{ +#if OPENSSL_VERSION_MAJOR >= 3 + return EVP_default_properties_is_fips_enabled(NULL); +#else + return FIPS_mode(); +#endif +} + +bool crypt_fips_mode(void) +{ + static bool fips_mode = false, fips_checked = false; + + if (fips_checked) + return fips_mode; + + fips_mode = openssl_fips_mode(); + fips_checked = true; + + return fips_mode; +} +#endif /* ENABLE FIPS */ diff --git a/lib/crypto_backend/crypto_storage.c b/lib/crypto_backend/crypto_storage.c index 962ec2b..13479dd 100644 --- a/lib/crypto_backend/crypto_storage.c +++ b/lib/crypto_backend/crypto_storage.c @@ -2,7 +2,7 @@ * Generic wrapper for storage encryption modes and Initial Vectors * (reimplementation of some functions from Linux dm-crypt kernel) * - * Copyright (C) 2014-2021 Milan Broz + * Copyright (C) 2014-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -151,7 +151,8 @@ static int crypt_sector_iv_init(struct crypt_sector_iv *ctx, static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector) { - uint64_t val; + uint64_t val, *u64_iv; + uint32_t *u32_iv; switch (ctx->type) { case IV_NONE: 
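Review bot: `crypt_fips_mode()` in the `ENABLE_FIPS` branch memoises its answer in two plain function-local statics (`fips_mode`, `fips_checked`) with no synchronisation. Two threads making the first call concurrently both write them, which is a data race under C11 even though they would store the same value, and once set the cached result never reflects a later change to the library's FIPS properties. If sampling once per process is the intent, I would say so above the function, e.g. `/* FIPS state is read once and cached for the life of the process; not re-evaluated. */`, and note that the first call should happen before threads are started. The closing `#endif /* ENABLE FIPS */` should read `ENABLE_FIPS` to match the macro.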
@@ -161,19 +162,24 @@ static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector break; case IV_PLAIN: memset(ctx->iv, 0, ctx->iv_size); - *(uint32_t *)ctx->iv = cpu_to_le32(sector & 0xffffffff); + u32_iv = (void *)ctx->iv; + *u32_iv = cpu_to_le32(sector & 0xffffffff); break; case IV_PLAIN64: memset(ctx->iv, 0, ctx->iv_size); - *(uint64_t *)ctx->iv = cpu_to_le64(sector); + u64_iv = (void *)ctx->iv; + *u64_iv = cpu_to_le64(sector); break; case IV_PLAIN64BE: memset(ctx->iv, 0, ctx->iv_size); - *(uint64_t *)&ctx->iv[ctx->iv_size - sizeof(uint64_t)] = cpu_to_be64(sector); + /* iv_size is at least of size u64; usually it is 16 bytes */ + u64_iv = (void *)&ctx->iv[ctx->iv_size - sizeof(uint64_t)]; + *u64_iv = cpu_to_be64(sector); break; case IV_ESSIV: memset(ctx->iv, 0, ctx->iv_size); - *(uint64_t *)ctx->iv = cpu_to_le64(sector); + u64_iv = (void *)ctx->iv; + *u64_iv = cpu_to_le64(sector); return crypt_cipher_encrypt(ctx->cipher, ctx->iv, ctx->iv, ctx->iv_size, NULL, 0); break; @@ -184,7 +190,8 @@ static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector break; case IV_EBOIV: memset(ctx->iv, 0, ctx->iv_size); - *(uint64_t *)ctx->iv = cpu_to_le64(sector << ctx->shift); + u64_iv = (void *)ctx->iv; + *u64_iv = cpu_to_le64(sector << ctx->shift); return crypt_cipher_encrypt(ctx->cipher, ctx->iv, ctx->iv, ctx->iv_size, NULL, 0); break; diff --git a/lib/crypto_backend/pbkdf2_generic.c b/lib/crypto_backend/pbkdf2_generic.c index b18c7a7..9e87e19 100644 --- a/lib/crypto_backend/pbkdf2_generic.c +++ b/lib/crypto_backend/pbkdf2_generic.c 
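Review bot: Routing the cast through `(void *)` in `crypt_sector_iv_generate()` quiets the cast-alignment warning but leaves the store unchanged. `*u64_iv = ...` still requires `ctx->iv` (and, for `IV_PLAIN64BE`, `&ctx->iv[ctx->iv_size - sizeof(uint64_t)]`) to be aligned for `uint64_t`, and it still writes the byte buffer through an integer lvalue. How `ctx->iv` is allocated and where `iv_size` is validated are outside these hunks, so the assumption may hold today, but the compiler can no longer flag it if that changes. Copying from the existing `val` local needs neither assumption: `val = cpu_to_le64(sector); memcpy(ctx->iv, &val, sizeof(val));`, with a `uint32_t` temporary for `IV_PLAIN`. The same applies to the `IV_EBOIV` case in the following hunk, and the new comment on `IV_PLAIN64BE` would be stronger if it named where the minimum `iv_size` is enforced.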
@@ -4,8 +4,8 @@ * Copyright (C) 2004 Free Software Foundation * * cryptsetup related changes - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/pbkdf_check.c b/lib/crypto_backend/pbkdf_check.c index 28b42d0..53a2da9 100644 --- a/lib/crypto_backend/pbkdf_check.c +++ b/lib/crypto_backend/pbkdf_check.c @@ -1,7 +1,7 @@ /* * PBKDF performance check - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * Copyright (C) 2016-2020 Ondrej Mosnacek * * This file is free software; you can redistribute it and/or diff --git a/lib/crypto_backend/utf8.c b/lib/crypto_backend/utf8.c new file mode 100644 index 0000000..24e0d8d --- /dev/null +++ b/lib/crypto_backend/utf8.c 
@@ -0,0 +1,288 @@ +/* + * UTF8/16 helpers, copied and adapted from systemd project. + * + * Copyright (C) 2010 Lennart Poettering + * + * cryptsetup related changes + * Copyright (C) 2021-2023 Vojtech Trefny + + * Parts of the original systemd implementation are based on the GLIB utf8 + * validation functions. + * gutf8.c - Operations on UTF-8 strings. + * + * Copyright (C) 1999 Tom Tromey + * Copyright (C) 2000 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Library General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include <errno.h> +#include <endian.h> + +#include "crypto_backend.h" + +static inline bool utf16_is_surrogate(char16_t c) +{ + return c >= 0xd800U && c <= 0xdfffU; +} + +static inline bool utf16_is_trailing_surrogate(char16_t c) +{ + return c >= 0xdc00U && c <= 0xdfffU; +} + +static inline char32_t utf16_surrogate_pair_to_unichar(char16_t lead, char16_t trail) +{ + return ((((char32_t) lead - 0xd800U) << 10) + ((char32_t) trail - 0xdc00U) + 0x10000U); +} + +/** + * utf8_encode_unichar() - Encode single UCS-4 character as UTF-8 + * @out_utf8: output buffer of at least 4 bytes or NULL + * @g: UCS-4 character to encode + * + * This encodes a single UCS-4 character as UTF-8 and writes it into @out_utf8. + * The length of the character is returned. It is not zero-terminated! 
If the + * output buffer is NULL, only the length is returned. + * + * Returns: The length in bytes that the UTF-8 representation does or would + * occupy. + */ +static size_t utf8_encode_unichar(char *out_utf8, char32_t g) +{ + if (g < (1 << 7)) { + if (out_utf8) + out_utf8[0] = g & 0x7f; + return 1; + } else if (g < (1 << 11)) { + if (out_utf8) { + out_utf8[0] = 0xc0 | ((g >> 6) & 0x1f); + out_utf8[1] = 0x80 | (g & 0x3f); + } + return 2; + } else if (g < (1 << 16)) { + if (out_utf8) { + out_utf8[0] = 0xe0 | ((g >> 12) & 0x0f); + out_utf8[1] = 0x80 | ((g >> 6) & 0x3f); + out_utf8[2] = 0x80 | (g & 0x3f); + } + return 3; + } else if (g < (1 << 21)) { + if (out_utf8) { + out_utf8[0] = 0xf0 | ((g >> 18) & 0x07); + out_utf8[1] = 0x80 | ((g >> 12) & 0x3f); + out_utf8[2] = 0x80 | ((g >> 6) & 0x3f); + out_utf8[3] = 0x80 | (g & 0x3f); + } + return 4; + } + + return 0; +} + +/** + * crypt_utf16_to_utf8() + * @out: output buffer, should be 2 * @length + 1 long + * @s: string to convert + * @length: length of @s in bytes + * + * Converts a UTF16LE encoded string to a UTF8 encoded string. + * + * Returns: 0 on success, negative errno otherwise + */ +int crypt_utf16_to_utf8(char **out, const char16_t *s, size_t length /* bytes! */) +{ + const uint8_t *f; + char *t; + + assert(s); + assert(out); + assert(*out); + + /* Input length is in bytes, i.e. the shortest possible character takes 2 bytes. Each unicode character may + * take up to 4 bytes in UTF-8. Let's also account for a trailing NUL byte. 
*/ + if (length * 2 < length) + return -EOVERFLOW; /* overflow */ + + f = (const uint8_t*) s; + t = *out; + + while (f + 1 < (const uint8_t*) s + length) { + char16_t w1, w2; + + /* see RFC 2781 section 2.2 */ + + w1 = f[1] << 8 | f[0]; + f += 2; + + if (!utf16_is_surrogate(w1)) { + t += utf8_encode_unichar(t, w1); + continue; + } + + if (utf16_is_trailing_surrogate(w1)) + continue; /* spurious trailing surrogate, ignore */ + + if (f + 1 >= (const uint8_t*) s + length) + break; + + w2 = f[1] << 8 | f[0]; + f += 2; + + if (!utf16_is_trailing_surrogate(w2)) { + f -= 2; + continue; /* surrogate missing its trailing surrogate, ignore */ + } + + t += utf8_encode_unichar(t, utf16_surrogate_pair_to_unichar(w1, w2)); + } + + *t = 0; + return 0; +} + +/* count of characters used to encode one unicode char */ +static size_t utf8_encoded_expected_len(uint8_t c) +{ + if (c < 0x80) + return 1; + if ((c & 0xe0) == 0xc0) + return 2; + if ((c & 0xf0) == 0xe0) + return 3; + if ((c & 0xf8) == 0xf0) + return 4; + if ((c & 0xfc) == 0xf8) + return 5; + if ((c & 0xfe) == 0xfc) + return 6; + + return 0; +} + +/* decode one unicode char */ +static int utf8_encoded_to_unichar(const char *str, char32_t *ret_unichar) +{ + char32_t unichar; + size_t len, i; + + assert(str); + + len = utf8_encoded_expected_len(str[0]); + + switch (len) { + case 1: + *ret_unichar = (char32_t)str[0]; + return 0; + case 2: + unichar = str[0] & 0x1f; + break; + case 3: + unichar = (char32_t)str[0] & 0x0f; + break; + case 4: + unichar = (char32_t)str[0] & 0x07; + break; + case 5: + unichar = (char32_t)str[0] & 0x03; + break; + case 6: + unichar = (char32_t)str[0] & 0x01; + break; + default: + return -EINVAL; + } + + for (i = 1; i < len; i++) { + if (((char32_t)str[i] & 0xc0) != 0x80) + return -EINVAL; + + unichar <<= 6; + unichar |= (char32_t)str[i] & 0x3f; + } + + *ret_unichar = unichar; + + return 0; +} + +static size_t utf16_encode_unichar(char16_t *out, char32_t c) +{ + /* Note that this encodes as 
little-endian. */ + + switch (c) { + + case 0 ... 0xd7ffU: + case 0xe000U ... 0xffffU: + out[0] = htole16(c); + return 1; + + case 0x10000U ... 0x10ffffU: + c -= 0x10000U; + out[0] = htole16((c >> 10) + 0xd800U); + out[1] = htole16((c & 0x3ffU) + 0xdc00U); + return 2; + + default: /* A surrogate (invalid) */ + return 0; + } +} + +/** + * crypt_utf8_to_utf16() + * @out: output buffer, should be @length + 1 long + * @s: string to convert + * @length: length of @s in bytes + * + * Converts a UTF8 encoded string to a UTF16LE encoded string. + * + * Returns: 0 on success, negative errno otherwise + */ +int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length) +{ + char16_t *p; + size_t i; + int r; + + assert(s); + + p = *out; + + for (i = 0; i < length;) { + char32_t unichar; + size_t e; + + e = utf8_encoded_expected_len(s[i]); + if (e <= 1) /* Invalid and single byte characters are copied as they are */ + goto copy; + + if (i + e > length) /* sequence longer than input buffer, then copy as-is */ + goto copy; + + r = utf8_encoded_to_unichar(s + i, &unichar); + if (r < 0) /* sequence invalid, then copy as-is */ + goto copy; + + p += utf16_encode_unichar(p, unichar); + i += e; + continue; + + copy: + *(p++) = htole16(s[i++]); + } + + *p = 0; + return 0; +} diff --git a/lib/fvault2/fvault2.c b/lib/fvault2/fvault2.c new file mode 100644 index 0000000..0b0c9ce --- /dev/null +++ b/lib/fvault2/fvault2.c 
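Review bot: In `crypt_utf8_to_utf16()` the fallback path `*(p++) = htole16(s[i++]);` reads a plain `char`, so where `char` is signed any byte at or above 0x80 is sign-extended and stored as 0xFFxx rather than copied as it is, which is what the comment above says happens. Casting first fixes that: `*(p++) = htole16((uint8_t)s[i++]);`. Neither converter takes an output capacity, so the writes are bounded only by the caller following the `@out` notes. The note on `crypt_utf8_to_utf16()` should say that `@length + 1` counts `char16_t` elements rather than bytes, e.g. `@out: output buffer with room for @length + 1 char16_t elements`. The `length * 2 < length` test in `crypt_utf16_to_utf8()` guards a size computation this function never performs, so it reads as a leftover from an allocating version; an explicit capacity parameter would make the bound checkable if the callers (not shown) allow it.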
@@ -0,0 +1,1057 @@ +/* + * FVAULT2 (FileVault2-compatible) volume handling + * + * Copyright (C) 2021-2022 Pavel Tobias + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <errno.h> +#include <regex.h> +#include <stdio.h> +#include <uuid/uuid.h> + +#include "internal.h" +#include "fvault2.h" + +/* Core Storage signature/magic; "CS" big-endian */ +#define FVAULT2_CORE_STORAGE_MAGIC 0x4353 + +/* size of the physical volume header in bytes */ +#define FVAULT2_VOL_HEADER_SIZE 512 + +/* size of a single metadata block in bytes */ +#define FVAULT2_MD_BLOCK_SIZE 8192 + +/* maximal offset to read metadata block */ +#define FVAULT2_MAX_OFF 1024*1024*1024 + +/* encrypted metadata parsing progress flags (see _read_encrypted_metadata) */ +#define FVAULT2_ENC_MD_PARSED_0x0019 0b001 +#define FVAULT2_ENC_MD_PARSED_0x001A 0b010 +#define FVAULT2_ENC_MD_PARSED_0x0305 0b100 +#define FVAULT2_ENC_MD_PARSED_NONE 0b000 +#define FVAULT2_ENC_MD_PARSED_ALL 0b111 + +/* sizes of decoded PassphraseWrappedKEKStruct and KEKWrappedVolumeKeyStruct */ +#define FVAULT2_PWK_SIZE 284 +#define FVAULT2_KWVK_SIZE 256 + +/* size of an AES-128 key */ +#define FVAULT2_AES_KEY_SIZE 16 + +/* size of the volume key and the encrypted metadata decryption key */ +#define FVAULT2_XTS_KEY_SIZE (FVAULT2_AES_KEY_SIZE * 
2) + +/* size of an XTS tweak value */ +#define FVAULT2_XTS_TWEAK_SIZE 16 + +/* size of a binary representation of a UUID */ +#define FVAULT2_UUID_BIN_SIZE 16 + +struct crc32_checksum { + uint32_t value; + uint32_t seed; +} __attribute__((packed)); + +struct volume_header { + struct crc32_checksum checksum; + uint16_t version; + uint16_t block_type; + uint8_t unknown1[52]; + uint64_t ph_vol_size; + uint8_t unknown2[16]; + uint16_t magic; + uint32_t checksum_algo; + uint8_t unknown3[2]; + uint32_t block_size; + uint32_t metadata_size; + uint64_t disklbl_blkoff; + uint64_t other_md_blkoffs[3]; + uint8_t unknown4[32]; + uint32_t key_data_size; + uint32_t cipher; + uint8_t key_data[FVAULT2_AES_KEY_SIZE]; + uint8_t unknown5[112]; + uint8_t ph_vol_uuid[FVAULT2_UUID_BIN_SIZE]; + uint8_t unknown6[192]; +} __attribute__((packed)); + +struct volume_groups_descriptor { + uint8_t unknown1[8]; + uint64_t enc_md_blocks_n; + uint8_t unknown2[16]; + uint64_t enc_md_blkoff; +} __attribute__((packed)); + +struct metadata_block_header { + struct crc32_checksum checksum; + uint16_t version; + uint16_t block_type; + uint8_t unknown1[20]; + uint64_t block_num; + uint8_t unknown2[8]; + uint32_t block_size; + uint8_t unknown3[12]; +} __attribute__((packed)); + +struct metadata_block_0x0011 { + struct metadata_block_header header; + uint32_t md_size; + uint8_t unknown1[4]; + struct crc32_checksum checksum; + uint8_t unknown2[140]; + uint32_t vol_gr_des_off; +} __attribute__((packed)); + +struct metadata_block_0x0019 { + struct metadata_block_header header; + uint8_t unknown1[40]; + uint32_t xml_comp_size; + uint32_t xml_uncomp_size; + uint32_t xml_off; + uint32_t xml_size; +} __attribute__((packed)); + +struct metadata_block_0x001a { + struct metadata_block_header header; + uint8_t unknown1[64]; + uint32_t xml_off; + uint32_t xml_size; +} __attribute__((packed)); + +struct metadata_block_0x0305 { + struct metadata_block_header header; + uint32_t entries_n; + uint8_t unknown1[36]; + 
uint32_t log_vol_blkoff; +} __attribute__((packed)); + +struct passphrase_wrapped_kek { + uint32_t pbkdf2_salt_type; + uint32_t pbkdf2_salt_size; + uint8_t pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE]; + uint32_t wrapped_kek_type; + uint32_t wrapped_kek_size; + uint8_t wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE]; + uint8_t unknown1[112]; + uint32_t pbkdf2_iters; +} __attribute__((packed)); + +struct kek_wrapped_volume_key { + uint32_t wrapped_vk_type; + uint32_t wrapped_vk_size; + uint8_t wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE]; +} __attribute__((packed)); + +/** + * Test whether all bytes of a chunk of memory are equal to a constant value. + * @param[in] value the value all bytes should be equal to + * @param[in] data the tested chunk of memory + * @param[in] data_size byte-size of the chunk of memory + */ +static bool _filled_with( + uint8_t value, + const void *data, + size_t data_size) +{ + const uint8_t *data_bytes = data; + size_t i; + + for (i = 0; i < data_size; i++) + if (data_bytes[i] != value) + return false; + + return true; +} + +/** + * Assert the validity of the CRC checksum of a chunk of memory. + * @param[in] data a chunk of memory starting with a crc32_checksum struct + * @param[in] data_size the size of the chunk of memory in bytes + */ +static int _check_crc( + const void *data, + size_t data_size) +{ + const size_t crc_size = sizeof(struct crc32_checksum); + uint32_t seed; + uint32_t value; + + assert(data_size >= crc_size); + + value = le32_to_cpu(((const struct crc32_checksum *)data)->value); + seed = le32_to_cpu(((const struct crc32_checksum *)data)->seed); + if (seed != 0xffffffff) + return -EINVAL; + + if (crypt_crc32c(seed, (const uint8_t *)data + crc_size, + data_size - crc_size) != value) + return -EINVAL; + + return 0; +} + +/** + * Unwrap an AES-wrapped key. 
+ * @param[in] kek the KEK with which the key has been wrapped + * @param[in] kek_size the size of the KEK in bytes + * @param[in] key_wrapped the wrapped key + * @param[in] key_wrapped_size the size of the wrapped key in bytes + * @param[out] key_buf key an output buffer for the unwrapped key + * @param[in] key_buf_size the size of the output buffer in bytes + */ +static int _unwrap_key( + const void *kek, + size_t kek_size, + const void *key_wrapped, + size_t key_wrapped_size, + void *key_buf, + size_t key_buf_size) +{ + /* Algorithm and notation taken from NIST Special Publication 800-38F: + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf + + This implementation supports only 128-bit KEKs and wrapped keys. */ + + int r = 0; + struct crypt_cipher *cipher = NULL; + void *cipher_in = NULL; + void *cipher_out = NULL; + uint64_t a; + uint64_t r2; + uint64_t r3; + uint64_t t; + uint64_t r2_prev; + + assert(kek_size == 16 && key_wrapped_size == 24 && key_buf_size == 16); + + r = crypt_cipher_init(&cipher, "aes", "ecb", kek, kek_size); + if (r < 0) + goto out; + + cipher_in = malloc(16); + if (cipher_in == NULL) { + r = -ENOMEM; + goto out; + } + + cipher_out = malloc(16); + if (cipher_out == NULL) { + r = -ENOMEM; + goto out; + } + + /* CHAPTER 6.1, ALGORITHM 2: W^-1(C) */ + + /* initialize variables */ + a = ((const uint64_t *)key_wrapped)[0]; /* A = C_1 (see step 1c) */ + r2 = ((const uint64_t *)key_wrapped)[1]; /* R_1 = C_2 (see step 1d) */ + r3 = ((const uint64_t *)key_wrapped)[2]; /* R_2 = C_3 (see step 1d) */ + + /* calculate intermediate values for each t = s, ..., 1 (see step 2), + where s = 6 * (n - 1) (see step 1a) */ + for (t = 6 * (3 - 1); t > 0; t--) { + /* store current R2 for later assignment (see step 2c) */ + r2_prev = r2; + + /* prepare input for CIPH^{-1}_K (see steps 2a, 2b) */ + ((uint64_t *)cipher_in)[0] = a ^ cpu_to_be64(t); + ((uint64_t *)cipher_in)[1] = r3; + + /* A||R2 = CIPH^{-1}_K(...) 
(see steps 2a, 2b) */ + r = crypt_cipher_decrypt(cipher, cipher_in, cipher_out, 16, NULL, 0); + if (r < 0) + goto out; + a = ((uint64_t *)cipher_out)[0]; + r2 = ((uint64_t *)cipher_out)[1]; + + /* assign previous R2 (see step 2c) */ + r3 = r2_prev; + } + + /* note that A||R_1||R_2 holds the result S (see step 3) */ + + /* CHAPTER 6.2, ALGORITHM 4: KW-AD(C) */ + + /* check whether MSB_{64}(S) (= A) matches ICV1 (see step 3) */ + if (a != 0xA6A6A6A6A6A6A6A6) { + r = -EPERM; + goto out; + } + + /* return LSB_{128}(S) (= R_1||R_2) (see step 4) */ + ((uint64_t *)key_buf)[0] = r2; + ((uint64_t *)key_buf)[1] = r3; +out: + free(cipher_in); + free(cipher_out); + if (cipher != NULL) + crypt_cipher_destroy(cipher); + return r; +} + +/** + * Search XML plist data for a property and return its value. + * @param[in] xml a 0-terminated string containing the XML plist data + * @param[in] prop_key a 0-terminated string with the seeked property's key + * @param[in] prop_type a 0-terminated string with the seeked property's type + * @param[out] value a 0-terminated string with the found property's value + */ +static int _search_xml( + const char *xml, + const char *prop_key, + const char *prop_type, + char **value) +{ + int r = 0; + char *pattern = NULL; + bool regex_ready = false; + regex_t regex; + regmatch_t match[2]; + const char *value_start; + size_t value_len; + + if (asprintf(&pattern, "<key>%s</key><%s[^>]*>([^<]+)</%s>", + prop_key, prop_type, prop_type) < 0) { + r = -ENOMEM; + goto out; + } + + if (regcomp(®ex, pattern, REG_EXTENDED) != 0) { + r = -EINVAL; + goto out; + } + + regex_ready = true; + + if (regexec(®ex, xml, 2, match, 0) != 0) { + r = -EINVAL; + goto out; + } + + value_start = xml + match[1].rm_so; + value_len = match[1].rm_eo - match[1].rm_so; + + *value = calloc(value_len + 1, 1); + if (*value == NULL) { + r = -ENOMEM; + goto out; + } + + memcpy(*value, value_start, value_len); +out: + free(pattern); + if (regex_ready) + regfree(®ex); + return r; +} + +/** + 
* Extract relevant info from a metadata block of type 0x0019. + * @param[in] md_block the pre-read and decrypted metadata block + * @param[out] pbkdf2_iters number of PBKDF2 iterations + * @param[out] pbkdf2_salt PBKDF2 salt (intermt. key derivation from passphrase) + * @param[out] wrapped_kek KEK AES-wrapped with passphrase-derived key + * @param[out] wrapped_vk volume key AES-wrapped with KEK + */ +static int _parse_metadata_block_0x0019( + const struct metadata_block_0x0019 *md_block, + uint32_t *pbkdf2_iters, + uint8_t *pbkdf2_salt, + uint8_t *wrapped_kek, + uint8_t *wrapped_vk) +{ + int r = 0; + char *xml = NULL; + char *pwk_base64 = NULL; + char *kwvk_base64 = NULL; + struct passphrase_wrapped_kek *pwk = NULL; + struct kek_wrapped_volume_key *kwvk = NULL; + size_t decoded_size; + uint32_t xml_off = le32_to_cpu(md_block->xml_off); + uint32_t xml_size = le32_to_cpu(md_block->xml_size); + + if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE) + return -EINVAL; + + xml = strndup((const char *)md_block + xml_off, xml_size); + if (xml == NULL) + return -ENOMEM; + + r = _search_xml(xml, "PassphraseWrappedKEKStruct", "data", &pwk_base64); + if (r < 0) + goto out; + r = crypt_base64_decode((char **)&pwk, &decoded_size, pwk_base64, strlen(pwk_base64)); + if (r < 0) + goto out; + if (decoded_size != FVAULT2_PWK_SIZE) { + r = -EINVAL; + goto out; + } + + r = _search_xml(xml, "KEKWrappedVolumeKeyStruct", "data", &kwvk_base64); + if (r < 0) + goto out; + r = crypt_base64_decode((char **)&kwvk, &decoded_size, kwvk_base64, strlen(kwvk_base64)); + if (r < 0) + goto out; + if (decoded_size != FVAULT2_KWVK_SIZE) { + r = -EINVAL; + goto out; + } + + *pbkdf2_iters = le32_to_cpu(pwk->pbkdf2_iters); + memcpy(pbkdf2_salt, pwk->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE); + memcpy(wrapped_kek, pwk->wrapped_kek, FVAULT2_WRAPPED_KEY_SIZE); + memcpy(wrapped_vk, kwvk->wrapped_vk, FVAULT2_WRAPPED_KEY_SIZE); +out: + free(xml); + free(pwk_base64); + free(kwvk_base64); + free(pwk); + free(kwvk); + 
return r; +} + +/** + * Validate a UUID string and reformat it to match system defaults. + * @param[in] uuid_in the original UUID string + * @param[out] uuid_out the reformatted UUID string + */ +static int _reformat_uuid( + const char *uuid_in, + char *uuid_out) +{ + uint8_t uuid_bin[FVAULT2_UUID_LEN]; + int r; + + r = uuid_parse(uuid_in, uuid_bin); + if (r < 0) + return -EINVAL; + + uuid_unparse(uuid_bin, uuid_out); + return 0; +} + +/** + * Extract relevant info from a metadata block of type 0x001A. + * @param[in] md_block the pre-read and decrypted metadata block + * @param[out] log_vol_size encrypted logical volume size in bytes + * @param[out] family_uuid logical volume family UUID + */ +static int _parse_metadata_block_0x001a( + const struct metadata_block_0x001a *md_block, + uint64_t *log_vol_size, + char *family_uuid) +{ + int r = 0; + char *xml = NULL; + char *log_vol_size_str = NULL; + char *family_uuid_str = NULL; + uint32_t xml_off = le32_to_cpu(md_block->xml_off); + uint32_t xml_size = le32_to_cpu(md_block->xml_size); + + if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE) + return -EINVAL; + + xml = strndup((const char *)md_block + xml_off, xml_size); + if (xml == NULL) + return -ENOMEM; + + r = _search_xml(xml, "com.apple.corestorage.lv.size", "integer", &log_vol_size_str); + if (r < 0) + goto out; + *log_vol_size = strtoull(log_vol_size_str, NULL, 16); + if (*log_vol_size == 0 || *log_vol_size == ULLONG_MAX) { + r = -EINVAL; + goto out; + } + + r = _search_xml(xml, "com.apple.corestorage.lv.familyUUID", "string", &family_uuid_str); + if (r < 0) + goto out; + r = _reformat_uuid(family_uuid_str, family_uuid); + if (r < 0) + goto out; +out: + free(xml); + free(log_vol_size_str); + free(family_uuid_str); + return r; +} + +/** + * Extract relevant info from a metadata block of type 0x0305. 
+ * @param[in] md_block the pre-read and decrypted metadata block + * @param[out] log_vol_blkoff block-offset of the encrypted logical volume + */ +static int _parse_metadata_block_0x0305( + const struct metadata_block_0x0305 *md_block, + uint32_t *log_vol_blkoff) +{ + *log_vol_blkoff = le32_to_cpu(md_block->log_vol_blkoff); + return 0; +} + +/** + * Extract relevant info from the physical volume header. + * @param[in] devfd opened device file descriptor + * @param[in] cd crypt_device passed into FVAULT2_read_metadata + * @param[out] block_size used to compute byte-offsets from block-offsets + * @param[out] disklbl_blkoff block-offset of the disk label block + * @param[out] ph_vol_uuid physical volume UUID + * @param[out] enc_md_key AES-XTS key used to decrypt the encrypted metadata + */ +static int _read_volume_header( + int devfd, + struct crypt_device *cd, + uint64_t *block_size, + uint64_t *disklbl_blkoff, + char *ph_vol_uuid, + struct volume_key **enc_md_key) +{ + int r = 0; + struct device *dev = crypt_metadata_device(cd); + struct volume_header *vol_header = NULL; + + assert(sizeof(*vol_header) == FVAULT2_VOL_HEADER_SIZE); + + vol_header = malloc(FVAULT2_VOL_HEADER_SIZE); + if (vol_header == NULL) { + r = -ENOMEM; + goto out; + } + + log_dbg(cd, "Reading FVAULT2 volume header of size %u bytes.", FVAULT2_VOL_HEADER_SIZE); + if (read_blockwise(devfd, device_block_size(cd, dev), + device_alignment(dev), vol_header, + FVAULT2_VOL_HEADER_SIZE) != FVAULT2_VOL_HEADER_SIZE) { + log_err(cd, _("Could not read %u bytes of volume header."), FVAULT2_VOL_HEADER_SIZE); + r = -EIO; + goto out; + } + + r = _check_crc(vol_header, FVAULT2_VOL_HEADER_SIZE); + if (r < 0) { + log_dbg(cd, "CRC mismatch."); + goto out; + } + + if (le16_to_cpu(vol_header->version) != 1) { + log_err(cd, _("Unsupported FVAULT2 version %" PRIu16 "."), + le16_to_cpu(vol_header->version)); + r = -EINVAL; + goto out; + } + + if (be16_to_cpu(vol_header->magic) != FVAULT2_CORE_STORAGE_MAGIC) { + log_dbg(cd, 
"Invalid Core Storage magic bytes."); + r = -EINVAL; + goto out; + } + + if (le32_to_cpu(vol_header->key_data_size) != FVAULT2_AES_KEY_SIZE) { + log_dbg(cd, "Unsupported AES key size: %" PRIu32 " bytes.", + le32_to_cpu(vol_header->key_data_size)); + r = -EINVAL; + goto out; + } + + *enc_md_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL); + if (*enc_md_key == NULL) { + r = -ENOMEM; + goto out; + } + + *block_size = le32_to_cpu(vol_header->block_size); + *disklbl_blkoff = le64_to_cpu(vol_header->disklbl_blkoff); + uuid_unparse(vol_header->ph_vol_uuid, ph_vol_uuid); + memcpy((*enc_md_key)->key, vol_header->key_data, FVAULT2_AES_KEY_SIZE); + memcpy((*enc_md_key)->key + FVAULT2_AES_KEY_SIZE, + vol_header->ph_vol_uuid, FVAULT2_AES_KEY_SIZE); +out: + free(vol_header); + return r; +} + +/** + * Extract info from the disk label block and the volume groups descriptor. + * @param[in] devfd opened device file descriptor + * @param[in] cd crypt_device passed into FVAULT2_read_metadata + * @param[in] block_size used to compute byte-offsets from block-offsets + * @param[in] disklbl_blkoff block-offset of the disk label block + * @param[out] enc_md_blkoff block-offset of the encrypted metadata + * @param[out] enc_md_blocks_n total count of encrypted metadata blocks + */ +static int _read_disklabel( + int devfd, + struct crypt_device *cd, + uint64_t block_size, + uint64_t disklbl_blkoff, + uint64_t *enc_md_blkoff, + uint64_t *enc_md_blocks_n) +{ + int r = 0; + uint64_t off; + ssize_t size; + void *md_block = NULL; + struct metadata_block_0x0011 *md_block_11; + struct volume_groups_descriptor *vol_gr_des = NULL; + struct device *dev = crypt_metadata_device(cd); + + md_block = malloc(FVAULT2_MD_BLOCK_SIZE); + if (md_block == NULL) { + r = -ENOMEM; + goto out; + } + + if (uint64_mult_overflow(&off, disklbl_blkoff, block_size) || + off > FVAULT2_MAX_OFF) { + log_dbg(cd, "Device offset overflow."); + r = -EINVAL; + goto out; + } + size = FVAULT2_MD_BLOCK_SIZE; + log_dbg(cd, 
"Reading FVAULT2 disk label header of size %zu bytes.", size); + if (read_lseek_blockwise(devfd, device_block_size(cd, dev), + device_alignment(dev), md_block, size, off) != size) { + r = -EIO; + goto out; + } + + r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE); + if (r < 0) { + log_dbg(cd, "CRC mismatch."); + goto out; + } + + vol_gr_des = malloc(sizeof(*vol_gr_des)); + if (vol_gr_des == NULL) { + r = -ENOMEM; + goto out; + } + + md_block_11 = md_block; + off += le32_to_cpu(md_block_11->vol_gr_des_off); + if (off > FVAULT2_MAX_OFF) { + log_dbg(cd, "Device offset overflow."); + r = -EINVAL; + goto out; + } + size = sizeof(struct volume_groups_descriptor); + log_dbg(cd, "Reading FVAULT2 volume groups descriptor of size %zu bytes.", size); + if (read_lseek_blockwise(devfd, device_block_size(cd, dev), + device_alignment(dev), vol_gr_des, size, off) != size) { + r = -EIO; + goto out; + } + + *enc_md_blkoff = le64_to_cpu(vol_gr_des->enc_md_blkoff); + *enc_md_blocks_n = le64_to_cpu(vol_gr_des->enc_md_blocks_n); +out: + free(md_block); + free(vol_gr_des); + return r; +} + +/** + * Extract info from relevant encrypted metadata blocks. 
+ * @param[in] devfd opened device file descriptor + * @param[in] cd crypt_device passed into FVAULT2_read_metadata + * @param[in] block_size used to compute byte-offsets from block-offsets + * @param[in] start_blkoff block-offset of the start of the encrypted metadata + * @param[in] blocks_n total count of encrypted metadata blocks + * @param[in] key AES-XTS key for decryption + * @param[out] params decryption parameters struct to fill + */ +static int _read_encrypted_metadata( + int devfd, + struct crypt_device *cd, + uint64_t block_size, + uint64_t start_blkoff, + uint64_t blocks_n, + const struct volume_key *key, + struct fvault2_params *params) +{ + int r = 0; + int status = FVAULT2_ENC_MD_PARSED_NONE; + struct device *dev = crypt_metadata_device(cd); + struct crypt_cipher *cipher = NULL; + void *tweak; + void *md_block_enc = NULL; + void *md_block = NULL; + struct metadata_block_header *md_block_header; + uint32_t log_vol_blkoff; + uint64_t i, start_off; + off_t off; + unsigned int block_type; + + tweak = calloc(FVAULT2_XTS_TWEAK_SIZE, 1); + if (tweak == NULL) { + r = -ENOMEM; + goto out; + } + + md_block_enc = malloc(FVAULT2_MD_BLOCK_SIZE); + if (md_block_enc == NULL) { + r = -ENOMEM; + goto out; + } + + md_block = malloc(FVAULT2_MD_BLOCK_SIZE); + if (md_block == NULL) { + r = -ENOMEM; + goto out; + } + + r = crypt_cipher_init(&cipher, "aes", "xts", key->key, FVAULT2_XTS_KEY_SIZE); + if (r < 0) + goto out; + + if (uint64_mult_overflow(&start_off, start_blkoff, block_size) || + start_off > FVAULT2_MAX_OFF) { + log_dbg(cd, "Device offset overflow."); + r = -EINVAL; + goto out; + } + + log_dbg(cd, "Reading FVAULT2 encrypted metadata blocks."); + for (i = 0; i < blocks_n; i++) { + off = start_off + i * FVAULT2_MD_BLOCK_SIZE; + if (off > FVAULT2_MAX_OFF) { + log_dbg(cd, "Device offset overflow."); + r = -EINVAL; + goto out; + } + if (read_lseek_blockwise(devfd, device_block_size(cd, dev), + device_alignment(dev), md_block_enc, + FVAULT2_MD_BLOCK_SIZE, off) + != 
FVAULT2_MD_BLOCK_SIZE) { + r = -EIO; + goto out; + } + + if (_filled_with(0, md_block_enc, FVAULT2_MD_BLOCK_SIZE)) + break; + + *(uint64_t *)tweak = cpu_to_le64(i); + r = crypt_cipher_decrypt(cipher, md_block_enc, md_block, + FVAULT2_MD_BLOCK_SIZE, tweak, FVAULT2_XTS_TWEAK_SIZE); + if (r < 0) + goto out; + + r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE); + if (r < 0) { + log_dbg(cd, "CRC mismatch."); + goto out; + } + + md_block_header = md_block; + block_type = le16_to_cpu(md_block_header->block_type); + switch (block_type) { + case 0x0019: + log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0019.", i); + r = _parse_metadata_block_0x0019(md_block, + ¶ms->pbkdf2_iters, + (uint8_t *)params->pbkdf2_salt, + (uint8_t *)params->wrapped_kek, + (uint8_t *)params->wrapped_vk); + if (r < 0) + goto out; + status |= FVAULT2_ENC_MD_PARSED_0x0019; + break; + + case 0x001A: + log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x001A.", i); + r = _parse_metadata_block_0x001a(md_block, + ¶ms->log_vol_size, + params->family_uuid); + if (r < 0) + goto out; + status |= FVAULT2_ENC_MD_PARSED_0x001A; + break; + + case 0x0305: + log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0305.", i); + r = _parse_metadata_block_0x0305(md_block, + &log_vol_blkoff); + if (r < 0) + goto out; + if (uint64_mult_overflow(¶ms->log_vol_off, + log_vol_blkoff, block_size)) { + log_dbg(cd, "Device offset overflow."); + r = -EINVAL; + goto out; + } + status |= FVAULT2_ENC_MD_PARSED_0x0305; + break; + } + } + + if (status != FVAULT2_ENC_MD_PARSED_ALL) { + log_dbg(cd, "Necessary FVAULT2 metadata blocks not found."); + r = -EINVAL; + goto out; + } +out: + free(tweak); + free(md_block_enc); + free(md_block); + if (cipher != NULL) + crypt_cipher_destroy(cipher); + return r; +} + +/** + * Activate device. 
+ * @param[in] cd crypt_device struct passed into FVAULT2_activate_by_* + * @param[in] name name of the mapped device + * @param[in] vol_key the pre-derived AES-XTS volume key + * @param[in] params logical volume decryption parameters + * @param[in] flags flags assigned to the crypt_dm_active_device struct + */ +static int _activate( + struct crypt_device *cd, + const char *name, + struct volume_key *vol_key, + const struct fvault2_params *params, + uint32_t flags) +{ + int r = 0; + char *cipher = NULL; + struct crypt_dm_active_device dm_dev = { + .flags = flags, + .size = params->log_vol_size / SECTOR_SIZE + }; + + r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL, + crypt_get_data_offset(cd), &dm_dev.size, &dm_dev.flags); + if (r) + return r; + + if (asprintf(&cipher, "%s-%s", params->cipher, params->cipher_mode) < 0) + return -ENOMEM; + + r = dm_crypt_target_set(&dm_dev.segment, 0, dm_dev.size, + crypt_data_device(cd), vol_key, cipher, + crypt_get_iv_offset(cd), crypt_get_data_offset(cd), + crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd), + crypt_get_sector_size(cd)); + + if (!r) + r = dm_create_device(cd, name, CRYPT_FVAULT2, &dm_dev); + + dm_targets_free(cd, &dm_dev); + free(cipher); + return r; +} + +int FVAULT2_read_metadata( + struct crypt_device *cd, + struct fvault2_params *params) +{ + int r = 0; + int devfd; + uint64_t block_size; + uint64_t disklbl_blkoff; + uint64_t enc_md_blkoff; + uint64_t enc_md_blocks_n; + struct volume_key *enc_md_key = NULL; + struct device *device = crypt_metadata_device(cd); + + devfd = device_open(cd, device, O_RDONLY); + if (devfd < 0) { + log_err(cd, _("Cannot open device %s."), device_path(device)); + return -EIO; + } + + r = _read_volume_header(devfd, cd, &block_size, &disklbl_blkoff, + params->ph_vol_uuid, &enc_md_key); + if (r < 0) + goto out; + + r = _read_disklabel(devfd, cd, block_size, disklbl_blkoff, + &enc_md_blkoff, &enc_md_blocks_n); + if (r < 0) + goto out; + + r = 
_read_encrypted_metadata(devfd, cd, block_size, enc_md_blkoff, + enc_md_blocks_n, enc_md_key, params); + if (r < 0) + goto out; + + params->cipher = "aes"; + params->cipher_mode = "xts-plain64"; + params->key_size = FVAULT2_XTS_KEY_SIZE; +out: + crypt_free_volume_key(enc_md_key); + return r; +} + +int FVAULT2_get_volume_key( + struct crypt_device *cd, + const char *passphrase, + size_t passphrase_len, + const struct fvault2_params *params, + struct volume_key **vol_key) +{ + int r = 0; + uint8_t family_uuid_bin[FVAULT2_UUID_BIN_SIZE]; + struct volume_key *passphrase_key = NULL; + struct volume_key *kek = NULL; + struct crypt_hash *hash = NULL; + + *vol_key = NULL; + + if (uuid_parse(params->family_uuid, family_uuid_bin) < 0) { + log_dbg(cd, "Could not parse logical volume family UUID: %s.", + params->family_uuid); + r = -EINVAL; + goto out; + } + + passphrase_key = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL); + if (passphrase_key == NULL) { + r = -ENOMEM; + goto out; + } + + r = crypt_pbkdf("pbkdf2", "sha256", passphrase, passphrase_len, + params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, passphrase_key->key, + FVAULT2_AES_KEY_SIZE, params->pbkdf2_iters, 0, 0); + if (r < 0) + goto out; + + kek = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL); + if (kek == NULL) { + r = -ENOMEM; + goto out; + } + + r = _unwrap_key(passphrase_key->key, FVAULT2_AES_KEY_SIZE, params->wrapped_kek, + FVAULT2_WRAPPED_KEY_SIZE, kek->key, FVAULT2_AES_KEY_SIZE); + if (r < 0) + goto out; + + *vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL); + if (*vol_key == NULL) { + r = -ENOMEM; + goto out; + } + + r = _unwrap_key(kek->key, FVAULT2_AES_KEY_SIZE, params->wrapped_vk, + FVAULT2_WRAPPED_KEY_SIZE, (*vol_key)->key, FVAULT2_AES_KEY_SIZE); + if (r < 0) + goto out; + + r = crypt_hash_init(&hash, "sha256"); + if (r < 0) + goto out; + r = crypt_hash_write(hash, (*vol_key)->key, FVAULT2_AES_KEY_SIZE); + if (r < 0) + goto out; + r = crypt_hash_write(hash, (char *)family_uuid_bin, + 
FVAULT2_UUID_BIN_SIZE); + if (r < 0) + goto out; + r = crypt_hash_final(hash, (*vol_key)->key + FVAULT2_AES_KEY_SIZE, + FVAULT2_AES_KEY_SIZE); + if (r < 0) + goto out; +out: + crypt_free_volume_key(passphrase_key); + crypt_free_volume_key(kek); + if (r < 0) { + crypt_free_volume_key(*vol_key); + *vol_key = NULL; + } + if (hash != NULL) + crypt_hash_destroy(hash); + return r; +} + +int FVAULT2_dump( + struct crypt_device *cd, + struct device *device, + const struct fvault2_params *params) +{ + log_std(cd, "Header information for FVAULT2 device %s.\n", device_path(device)); + + log_std(cd, "Physical volume UUID: \t%s\n", params->ph_vol_uuid); + log_std(cd, "Family UUID: \t%s\n", params->family_uuid); + + log_std(cd, "Logical volume offset:\t%" PRIu64 " [bytes]\n", params->log_vol_off); + + log_std(cd, "Logical volume size: \t%" PRIu64 " [bytes]\n", + params->log_vol_size); + + log_std(cd, "Cipher: \t%s\n", params->cipher); + log_std(cd, "Cipher mode: \t%s\n", params->cipher_mode); + + log_std(cd, "PBKDF2 iterations: \t%" PRIu32 "\n", params->pbkdf2_iters); + + log_std(cd, "PBKDF2 salt: \t"); + crypt_log_hex(cd, params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, " ", 0, NULL); + log_std(cd, "\n"); + + return 0; +} + +int FVAULT2_activate_by_passphrase( + struct crypt_device *cd, + const char *name, + const char *passphrase, + size_t passphrase_len, + const struct fvault2_params *params, + uint32_t flags) +{ + int r; + struct volume_key *vol_key = NULL; + + r = FVAULT2_get_volume_key(cd, passphrase, passphrase_len, params, &vol_key); + if (r < 0) + return r; + + if (name) + r = _activate(cd, name, vol_key, params, flags); + + crypt_free_volume_key(vol_key); + return r; +} + +int FVAULT2_activate_by_volume_key( + struct crypt_device *cd, + const char *name, + const char *key, + size_t key_size, + const struct fvault2_params *params, + uint32_t flags) +{ + int r = 0; + struct volume_key *vol_key = NULL; + + if (key_size != FVAULT2_XTS_KEY_SIZE) + return -EINVAL; + + vol_key 
= crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, key); + if (vol_key == NULL) + return -ENOMEM; + + r = _activate(cd, name, vol_key, params, flags); + + crypt_free_volume_key(vol_key); + return r; +} diff --git a/lib/fvault2/fvault2.h b/lib/fvault2/fvault2.h new file mode 100644 index 0000000..ce50ee3 --- /dev/null +++ b/lib/fvault2/fvault2.h 
@@ -0,0 +1,80 @@ +/* + * FVAULT2 (FileVault2-compatible) volume handling + * + * Copyright (C) 2021-2022 Pavel Tobias + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef _CRYPTSETUP_FVAULT2_H +#define _CRYPTSETUP_FVAULT2_H + +#include <stddef.h> +#include <stdint.h> + +#define FVAULT2_WRAPPED_KEY_SIZE 24 +#define FVAULT2_PBKDF2_SALT_SIZE 16 +#define FVAULT2_UUID_LEN 37 + +struct crypt_device; +struct volume_key; + +struct fvault2_params { + const char *cipher; + const char *cipher_mode; + uint16_t key_size; + uint32_t pbkdf2_iters; + char pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE]; + char wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE]; + char wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE]; + char family_uuid[FVAULT2_UUID_LEN]; + char ph_vol_uuid[FVAULT2_UUID_LEN]; + uint64_t log_vol_off; + uint64_t log_vol_size; +}; + +int FVAULT2_read_metadata( + struct crypt_device *cd, + struct fvault2_params *params); + +int FVAULT2_get_volume_key( + struct crypt_device *cd, + const char *passphrase, + size_t passphrase_len, + const struct fvault2_params *params, + struct volume_key **vol_key); + +int FVAULT2_dump( + struct crypt_device *cd, + struct device *device, + const struct fvault2_params *params); + +int FVAULT2_activate_by_passphrase( + struct crypt_device *cd, + const char *name, + const char 
*passphrase, + size_t passphrase_len, + const struct fvault2_params *params, + uint32_t flags); + +int FVAULT2_activate_by_volume_key( + struct crypt_device *cd, + const char *name, + const char *key, + size_t key_size, + const struct fvault2_params *params, + uint32_t flags); + +#endif diff --git a/lib/integrity/integrity.c b/lib/integrity/integrity.c index 086b42f..aeadc82 100644 --- a/lib/integrity/integrity.c +++ b/lib/integrity/integrity.c @@ -1,7 +1,7 @@ /* * Integrity volume handling * - * Copyright (C) 2016-2021 Milan Broz + * Copyright (C) 2016-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -27,6 +27,17 @@ #include "integrity.h" #include "internal.h" +/* For LUKS2, integrity metadata are on DATA device even for detached header! */ +static struct device *INTEGRITY_metadata_device(struct crypt_device *cd) +{ + const char *type = crypt_get_type(cd); + + if (type && !strcmp(type, CRYPT_LUKS2)) + return crypt_data_device(cd); + + return crypt_metadata_device(cd); +} + static int INTEGRITY_read_superblock(struct crypt_device *cd, struct device *device, uint64_t offset, struct superblock *sb) 
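Review bot: `FVAULT2_dump()` takes a `struct device *device`, but this header forward-declares only `struct crypt_device` and `struct volume_key`. A translation unit that includes fvault2.h before any header declaring `struct device` would get a struct type scoped to the prototype, and a compiler warning about it. Add `struct device;` next to the other two forward declarations. As a smaller style point, `pbkdf2_salt`, `wrapped_kek` and `wrapped_vk` hold raw on-disk bytes but are declared as `char` arrays, which is why fvault2.c casts them to `uint8_t *`; declaring them `uint8_t` would remove those casts.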
@@ -38,11 +49,13 @@ static int INTEGRITY_read_superblock(struct crypt_device *cd, return -EINVAL; if (read_lseek_blockwise(devfd, device_block_size(cd, device), - device_alignment(device), sb, sizeof(*sb), offset) != sizeof(*sb) || - memcmp(sb->magic, SB_MAGIC, sizeof(sb->magic)) || - sb->version < SB_VERSION_1 || sb->version > SB_VERSION_5) { - log_std(cd, "No integrity superblock detected on %s.\n", - device_path(device)); + device_alignment(device), sb, sizeof(*sb), offset) != sizeof(*sb) || + memcmp(sb->magic, SB_MAGIC, sizeof(sb->magic))) { + log_dbg(cd, "No kernel dm-integrity metadata detected on %s.", device_path(device)); + r = -EINVAL; + } else if (sb->version < SB_VERSION_1 || sb->version > SB_VERSION_5) { + log_err(cd, _("Incompatible kernel dm-integrity metadata (version %u) detected on %s."), + sb->version, device_path(device)); r = -EINVAL; } else { sb->integrity_tag_size = le16toh(sb->integrity_tag_size); @@ -63,7 +76,7 @@ int INTEGRITY_read_sb(struct crypt_device *cd, struct superblock sb; int r; - r = INTEGRITY_read_superblock(cd, crypt_metadata_device(cd), 0, &sb); + r = INTEGRITY_read_superblock(cd, INTEGRITY_metadata_device(cd), 0, &sb); if (r) return r; @@ -120,7 +133,7 @@ int INTEGRITY_data_sectors(struct crypt_device *cd, return 0; } -int INTEGRITY_key_size(struct crypt_device *cd __attribute__((unused)), const char *integrity) +int INTEGRITY_key_size(const char *integrity) { if (!integrity) return 0; @@ -154,6 +167,9 @@ int INTEGRITY_hash_tag_size(const char *integrity) if (!strcmp(integrity, "crc32") || !strcmp(integrity, "crc32c")) return 4; + if (!strcmp(integrity, "xxhash64")) + return 8; + r = sscanf(integrity, "hmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash); if (r == 1) r = crypt_hash_size(hash); 
@@ -163,8 +179,7 @@ int INTEGRITY_hash_tag_size(const char *integrity) return r < 0 ? 0 : r; } -int INTEGRITY_tag_size(struct crypt_device *cd __attribute__((unused)), - const char *integrity, +int INTEGRITY_tag_size(const char *integrity, const char *cipher, const char *cipher_mode) { @@ -228,13 +243,13 @@ int INTEGRITY_create_dmd_device(struct crypt_device *cd, if (sb_flags & SB_FLAG_RECALCULATING) dmd->flags |= CRYPT_ACTIVATE_RECALCULATE; - r = INTEGRITY_data_sectors(cd, crypt_metadata_device(cd), + r = INTEGRITY_data_sectors(cd, INTEGRITY_metadata_device(cd), crypt_get_data_offset(cd) * SECTOR_SIZE, &dmd->size); if (r < 0) return r; return dm_integrity_target_set(cd, &dmd->segment, 0, dmd->size, - crypt_metadata_device(cd), crypt_data_device(cd), + INTEGRITY_metadata_device(cd), crypt_data_device(cd), crypt_get_integrity_tag_size(cd), crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk, journal_crypt_key, journal_mac_key, params); @@ -256,18 +271,8 @@ int INTEGRITY_activate_dmd_device(struct crypt_device *cd, log_dbg(cd, "Trying to activate INTEGRITY device on top of %s, using name %s, tag size %d, provided sectors %" PRIu64".", device_path(tgt->data_device), name, tgt->u.integrity.tag_size, dmd->size); - r = device_block_adjust(cd, tgt->data_device, DEV_EXCL, - tgt->u.integrity.offset, NULL, &dmd->flags); - if (r) - return r; + r = create_or_reload_device(cd, name, type, dmd); - if (tgt->u.integrity.meta_device) { - r = device_block_adjust(cd, tgt->u.integrity.meta_device, DEV_EXCL, 0, NULL, NULL); - if (r) - return r; - } - - r = dm_create_device(cd, name, type, dmd); if (r < 0 && (dm_flags(cd, DM_INTEGRITY, &dmi_flags) || !(dmi_flags & DM_INTEGRITY_SUPPORTED))) { log_err(cd, _("Kernel does not support dm-integrity mapping.")); return -ENOTSUP; 
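Review bot: In the `INTEGRITY_activate_dmd_device` hunk, the two explicit `device_block_adjust(..., DEV_EXCL, ...)` calls for `tgt->data_device` and `tgt->u.integrity.meta_device` are removed, and only `create_or_reload_device(cd, name, type, dmd)` remains. That helper is not visible here, so please confirm it still runs the exclusive-use and size checks on both devices, including the detached metadata device, whenever the call is not a reload. If it does, a comment at the call would record where the check went, e.g. `/* exclusive-open checks for data and meta devices are done in create_or_reload_device() */`. The function body continues outside the hunk.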
@@ -299,14 +304,33 @@ int INTEGRITY_activate(struct crypt_device *cd, struct volume_key *journal_mac_key, uint32_t flags, uint32_t sb_flags) { - struct crypt_dm_active_device dmd = {}; - int r = INTEGRITY_create_dmd_device(cd, params, vk, journal_crypt_key, - journal_mac_key, &dmd, flags, sb_flags); + struct crypt_dm_active_device dmdq = {}, dmd = {}; + int r; - if (r < 0) - return r; + if (flags & CRYPT_ACTIVATE_REFRESH) { + r = dm_query_device(cd, name, DM_ACTIVE_CRYPT_KEYSIZE | + DM_ACTIVE_CRYPT_KEY | + DM_ACTIVE_INTEGRITY_PARAMS | + DM_ACTIVE_JOURNAL_CRYPT_KEY | + DM_ACTIVE_JOURNAL_MAC_KEY, &dmdq); + if (r < 0) + return r; - r = INTEGRITY_activate_dmd_device(cd, name, CRYPT_INTEGRITY, &dmd, sb_flags); + r = INTEGRITY_create_dmd_device(cd, params, vk ?: dmdq.segment.u.integrity.vk, + journal_crypt_key ?: dmdq.segment.u.integrity.journal_crypt_key, + journal_mac_key ?: dmdq.segment.u.integrity.journal_integrity_key, + &dmd, flags, sb_flags); + + if (!r) + dmd.size = dmdq.size; + } else + r = INTEGRITY_create_dmd_device(cd, params, vk, journal_crypt_key, + journal_mac_key, &dmd, flags, sb_flags); + + if (!r) + r = INTEGRITY_activate_dmd_device(cd, name, CRYPT_INTEGRITY, &dmd, sb_flags); + + dm_targets_free(cd, &dmdq); dm_targets_free(cd, &dmd); return r; } @@ -338,7 +362,7 @@ int INTEGRITY_format(struct crypt_device *cd, if (params && params->integrity_key_size) vk = crypt_alloc_volume_key(params->integrity_key_size, NULL); - r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, crypt_metadata_device(cd), + r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, INTEGRITY_metadata_device(cd), crypt_data_device(cd), crypt_get_integrity_tag_size(cd), crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk, journal_crypt_key, journal_mac_key, params); diff --git a/lib/integrity/integrity.h b/lib/integrity/integrity.h index 08b18bf..2883ef8 100644 --- a/lib/integrity/integrity.h +++ b/lib/integrity/integrity.h 
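Review bot: The refresh branch in `INTEGRITY_activate` silently substitutes keys read back from the active mapping (`vk ?: dmdq.segment.u.integrity.vk` and the two journal keys) and overrides `dmd.size` with `dmdq.size`, but nothing in the function says so. A comment before `if (flags & CRYPT_ACTIVATE_REFRESH)` would make this reviewable, e.g. `/* On refresh keep the active device size and reuse its keys for any key the caller passed as NULL. */`. The `else` arm is unbraced while the `if` arm is braced, and `?:` with an omitted middle operand is a GNU extension; both are worth aligning with the file's conventions. The queried key material stays in `dmdq` until `dm_targets_free(cd, &dmdq)`, so it is worth confirming that this path wipes the keys it releases.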
@@ -1,7 +1,7 @@ /* * Integrity header definition * - * Copyright (C) 2016-2021 Milan Broz + * Copyright (C) 2016-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -66,9 +66,8 @@ int INTEGRITY_dump(struct crypt_device *cd, struct device *device, uint64_t offs int INTEGRITY_data_sectors(struct crypt_device *cd, struct device *device, uint64_t offset, uint64_t *data_sectors); -int INTEGRITY_key_size(struct crypt_device *cd, const char *integrity); -int INTEGRITY_tag_size(struct crypt_device *cd, - const char *integrity, +int INTEGRITY_key_size(const char *integrity); +int INTEGRITY_tag_size(const char *integrity, const char *cipher, const char *cipher_mode); int INTEGRITY_hash_tag_size(const char *integrity); diff --git a/lib/internal.h b/lib/internal.h index d19b96a..b5cb4e3 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -31,6 +31,7 @@ #include <unistd.h> #include <inttypes.h> #include <fcntl.h> +#include <assert.h> #include "nls.h" #include "bitops.h" @@ -38,7 +39,6 @@ #include "utils_crypt.h" #include "utils_loop.h" #include "utils_dm.h" -#include "utils_fips.h" #include "utils_keyring.h" #include "utils_io.h" #include "crypto_backend/crypto_backend.h" 
@@ -178,8 +178,7 @@ int init_crypto(struct crypt_device *ctx); int crypt_get_debug_level(void); -int crypt_memlock_inc(struct crypt_device *ctx); -int crypt_memlock_dec(struct crypt_device *ctx); +void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise); int crypt_metadata_locking_enabled(void); diff --git a/lib/keyslot_context.c b/lib/keyslot_context.c new file mode 100644 index 0000000..89bd433 --- /dev/null +++ b/lib/keyslot_context.c 
@@ -0,0 +1,488 @@ +/* + * LUKS - Linux Unified Key Setup, keyslot unlock helpers + * + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2023 Ondrej Kozina + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <errno.h> + +#include "luks1/luks.h" +#include "luks2/luks2.h" +#include "keyslot_context.h" + +static int get_luks2_key_by_passphrase(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + int segment, + struct volume_key **r_vk) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE); + assert(r_vk); + + r = LUKS2_keyslot_open(cd, keyslot, segment, kc->u.p.passphrase, kc->u.p.passphrase_size, r_vk); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_luks1_volume_key_by_passphrase(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE); + assert(r_vk); + + r = LUKS_open_key_with_hdr(keyslot, kc->u.p.passphrase, kc->u.p.passphrase_size, + crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_luks2_volume_key_by_passphrase(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + 
struct volume_key **r_vk) +{ + return get_luks2_key_by_passphrase(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk); +} + +static int get_passphrase_by_passphrase(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + const char **r_passphrase, + size_t *r_passphrase_size) +{ + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE); + assert(r_passphrase); + assert(r_passphrase_size); + + *r_passphrase = kc->u.p.passphrase; + *r_passphrase_size = kc->u.p.passphrase_size; + + return 0; +} + +static int get_passphrase_by_keyfile(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + const char **r_passphrase, + size_t *r_passphrase_size) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE); + assert(r_passphrase); + assert(r_passphrase_size); + + if (!kc->i_passphrase) { + r = crypt_keyfile_device_read(cd, kc->u.kf.keyfile, + &kc->i_passphrase, &kc->i_passphrase_size, + kc->u.kf.keyfile_offset, kc->u.kf.keyfile_size, 0); + if (r < 0) { + kc->error = r; + return r; + } + } + + *r_passphrase = kc->i_passphrase; + *r_passphrase_size = kc->i_passphrase_size; + + return 0; +} + +static int get_luks2_key_by_keyfile(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + int segment, + struct volume_key **r_vk) +{ + int r; + const char *passphrase; + size_t passphrase_size; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE); + assert(r_vk); + + r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size); + if (r) + return r; + + r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase, passphrase_size, r_vk); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_luks2_volume_key_by_keyfile(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk) +{ + return get_luks2_key_by_keyfile(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk); +} + +static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd, + struct 
crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk) +{ + int r; + const char *passphrase; + size_t passphrase_size; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE); + assert(r_vk); + + r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size); + if (r) + return r; + + r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size, + crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_key_by_key(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + int segment __attribute__((unused)), + struct volume_key **r_vk) +{ + assert(kc && kc->type == CRYPT_KC_TYPE_KEY); + assert(r_vk); + + if (!kc->u.k.volume_key) { + kc->error = -ENOENT; + return kc->error; + } + + *r_vk = crypt_alloc_volume_key(kc->u.k.volume_key_size, kc->u.k.volume_key); + if (!*r_vk) { + kc->error = -ENOMEM; + return kc->error; + } + + return 0; +} + +static int get_volume_key_by_key(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + struct volume_key **r_vk) +{ + return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk); +} + +static int get_luks2_key_by_token(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + int segment, + struct volume_key **r_vk) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN); + assert(r_vk); + + r = LUKS2_token_unlock_key(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, kc->u.t.type, + kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_luks2_volume_key_by_token(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + struct volume_key **r_vk) +{ + return get_luks2_key_by_token(cd, kc, -2 /* unused */, CRYPT_DEFAULT_SEGMENT, r_vk); +} + +static int 
get_passphrase_by_token(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + const char **r_passphrase, + size_t *r_passphrase_size) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN); + assert(r_passphrase); + assert(r_passphrase_size); + + if (!kc->i_passphrase) { + r = LUKS2_token_unlock_passphrase(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, + kc->u.t.type, kc->u.t.pin, kc->u.t.pin_size, + kc->u.t.usrptr, &kc->i_passphrase, &kc->i_passphrase_size); + if (r < 0) { + kc->error = r; + return r; + } + kc->u.t.id = r; + } + + *r_passphrase = kc->i_passphrase; + *r_passphrase_size = kc->i_passphrase_size; + + return kc->u.t.id; +} + +static void unlock_method_init_internal(struct crypt_keyslot_context *kc) +{ + assert(kc); + + kc->error = 0; + kc->i_passphrase = NULL; + kc->i_passphrase_size = 0; +} + +void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc, + const char *volume_key, + size_t volume_key_size) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_KEY; + kc->u.k.volume_key = volume_key; + kc->u.k.volume_key_size = volume_key_size; + kc->get_luks2_key = get_key_by_key; + kc->get_luks2_volume_key = get_volume_key_by_key; + kc->get_luks1_volume_key = get_volume_key_by_key; + kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */ + unlock_method_init_internal(kc); +} + +void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc, + const char *passphrase, + size_t passphrase_size) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_PASSPHRASE; + kc->u.p.passphrase = passphrase; + kc->u.p.passphrase_size = passphrase_size; + kc->get_luks2_key = get_luks2_key_by_passphrase; + kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase; + kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase; + kc->get_passphrase = get_passphrase_by_passphrase; + unlock_method_init_internal(kc); +} + +void crypt_keyslot_unlock_by_keyfile_init_internal(struct 
crypt_keyslot_context *kc, + const char *keyfile, + size_t keyfile_size, + uint64_t keyfile_offset) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_KEYFILE; + kc->u.kf.keyfile = keyfile; + kc->u.kf.keyfile_size = keyfile_size; + kc->u.kf.keyfile_offset = keyfile_offset; + kc->get_luks2_key = get_luks2_key_by_keyfile; + kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile; + kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile; + kc->get_passphrase = get_passphrase_by_keyfile; + unlock_method_init_internal(kc); +} + +void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc, + int token, + const char *type, + const char *pin, + size_t pin_size, + void *usrptr) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_TOKEN; + kc->u.t.id = token; + kc->u.t.type = type; + kc->u.t.pin = pin; + kc->u.t.pin_size = pin_size; + kc->u.t.usrptr = usrptr; + kc->get_luks2_key = get_luks2_key_by_token; + kc->get_luks2_volume_key = get_luks2_volume_key_by_token; + kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */ + kc->get_passphrase = get_passphrase_by_token; + unlock_method_init_internal(kc); +} + +void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc) +{ + if (!kc) + return; + + crypt_safe_free(kc->i_passphrase); + kc->i_passphrase = NULL; + kc->i_passphrase_size = 0; +} + +void crypt_keyslot_context_free(struct crypt_keyslot_context *kc) +{ + crypt_keyslot_context_destroy_internal(kc); + free(kc); +} + +int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd, + const char *passphrase, + size_t passphrase_size, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc || !passphrase) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_passphrase_init_internal(tmp, passphrase, passphrase_size); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd, + const char *keyfile, + 
size_t keyfile_size, + uint64_t keyfile_offset, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc || !keyfile) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_keyfile_init_internal(tmp, keyfile, keyfile_size, keyfile_offset); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_init_by_token(struct crypt_device *cd, + int token, + const char *type, + const char *pin, size_t pin_size, + void *usrptr, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN)) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_token_init_internal(tmp, token, type, pin, pin_size, usrptr); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd, + const char *volume_key, + size_t volume_key_size, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_key_init_internal(tmp, volume_key, volume_key_size); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc) +{ + return kc ? kc->error : -EINVAL; +} + +int crypt_keyslot_context_set_pin(struct crypt_device *cd, + const char *pin, size_t pin_size, + struct crypt_keyslot_context *kc) +{ + if (!kc || kc->type != CRYPT_KC_TYPE_TOKEN) + return -EINVAL; + + kc->u.t.pin = pin; + kc->u.t.pin_size = pin_size; + kc->error = 0; + + return 0; +} + +int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc) +{ + return kc ? 
kc->type : -EINVAL; +} + +const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc) +{ + assert(kc); + + switch (kc->type) { + case CRYPT_KC_TYPE_PASSPHRASE: + return "passphrase"; + case CRYPT_KC_TYPE_KEYFILE: + return "keyfile"; + case CRYPT_KC_TYPE_TOKEN: + return "token"; + case CRYPT_KC_TYPE_KEY: + return "key"; + default: + return "<unknown>"; + } +} diff --git a/lib/keyslot_context.h b/lib/keyslot_context.h new file mode 100644 index 0000000..7ca7428 --- /dev/null +++ b/lib/keyslot_context.h 
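Review bot: The `*_init_internal` helpers store the caller's `passphrase`, `keyfile`, `pin`, `type` and `volume_key` pointers verbatim, so a context from `crypt_keyslot_context_init_by_*()` is valid only while those buffers stay alive and unchanged. Nothing in this file states that contract. Callers usually wipe and free secrets right after use, so a context that outlives its buffers would read freed key material when a `get_*` callback runs. Either copy the data into context-owned memory released in `crypt_keyslot_context_destroy_internal()`, or document the contract on the public init functions, e.g. `/* The context borrows the caller's buffers; they must outlive the context. */`. Only `i_passphrase` is owned by the context and released with `crypt_safe_free()`.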
@@ -0,0 +1,111 @@ +/* + * LUKS - Linux Unified Key Setup, keyslot unlock helpers + * + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2023 Ondrej Kozina + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef KEYSLOT_CONTEXT_H +#define KEYSLOT_CONTEXT_H + +#include <stdbool.h> +#include <stdint.h> + +#include "internal.h" + +typedef int (*keyslot_context_get_key) ( + struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + int segment, + struct volume_key **r_vk); + +typedef int (*keyslot_context_get_volume_key) ( + struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk); + +typedef int (*keyslot_context_get_passphrase) ( + struct crypt_device *cd, + struct crypt_keyslot_context *kc, + const char **r_passphrase, + size_t *r_passphrase_size); + +/* crypt_keyslot_context */ +struct crypt_keyslot_context { + int type; + + union { + struct { + const char *passphrase; + size_t passphrase_size; + } p; + struct { + const char *keyfile; + uint64_t keyfile_offset; + size_t keyfile_size; + } kf; + struct { + int id; + const char *type; + const char *pin; + size_t pin_size; + void *usrptr; + } t; + struct { + const char *volume_key; + size_t volume_key_size; + } k; + } u; + + int error; + + 
char *i_passphrase; + size_t i_passphrase_size; + + keyslot_context_get_key get_luks2_key; + keyslot_context_get_volume_key get_luks1_volume_key; + keyslot_context_get_volume_key get_luks2_volume_key; + keyslot_context_get_passphrase get_passphrase; +}; + +void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method); + +void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc, + const char *volume_key, + size_t volume_key_size); + +void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc, + const char *passphrase, + size_t passphrase_size); + +void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc, + const char *keyfile, + size_t keyfile_size, + uint64_t keyfile_offset); + +void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc, + int token, + const char *type, + const char *pin, + size_t pin_size, + void *usrptr); + +const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc); + +#endif /* KEYSLOT_CONTEXT_H */ diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index 21428b5..e899829 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -46,6 +46,7 @@ extern "C" { */ struct crypt_device; /* crypt device handle */ +struct crypt_keyslot_context; /** * Initialize crypt device handle and check if the provided device exists. 
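Review bot: The prototype `crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method)` names its parameter `method`, while every other declaration in this header and the definition in keyslot_context.c use `kc`; rename it to `kc`. `<stdbool.h>` is included although no `bool` appears in this header, so the include can probably go unless something pulled in through "internal.h" depends on it. A one-line comment on `i_passphrase` would also help, e.g. `/* passphrase cached by get_passphrase(); owned by the context */`, since the pointers in the union are assigned directly from caller arguments in keyslot_context.c.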
@@ -271,9 +272,9 @@ struct crypt_pbkdf_type { }; /** Iteration time set by crypt_set_iteration_time(), for compatibility only. */ -#define CRYPT_PBKDF_ITER_TIME_SET (1 << 0) +#define CRYPT_PBKDF_ITER_TIME_SET (UINT32_C(1) << 0) /** Never run benchmarks, use pre-set value or defaults. */ -#define CRYPT_PBKDF_NO_BENCHMARK (1 << 1) +#define CRYPT_PBKDF_NO_BENCHMARK (UINT32_C(1) << 1) /** PBKDF2 according to RFC2898, LUKS1 legacy */ #define CRYPT_KDF_PBKDF2 "pbkdf2" @@ -344,6 +345,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m /** * Helper to lock/unlock memory to avoid swap sensitive data to disk. + * \b Deprecated, only for backward compatibility. Memory with keys are locked automatically. * * @param cd crypt device handle, can be @e NULL * @param lock 0 to unlock otherwise lock memory @@ -353,7 +355,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m * @note Only root can do this. * @note It locks/unlocks all process memory, not only crypt context. */ -int crypt_memory_lock(struct crypt_device *cd, int lock); +int crypt_memory_lock(struct crypt_device *cd, int lock) __attribute__((deprecated)); /** * Set global lock protection for on-disk metadata (file-based locking). @@ -427,6 +429,8 @@ int crypt_get_metadata_size(struct crypt_device *cd, #define CRYPT_INTEGRITY "INTEGRITY" /** BITLK (BitLocker-compatible mode) */ #define CRYPT_BITLK "BITLK" +/** FVAULT2 (FileVault2-compatible mode) */ +#define CRYPT_FVAULT2 "FVAULT2" /** LUKS any version */ #define CRYPT_LUKS NULL 
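Review bot: The deprecation text added above `crypt_memory_lock()` says only that memory with keys is locked automatically, which leaves open what happens to other sensitive buffers an application used to protect by calling this function. The existing note states that the call locks all process memory, so a caller that drops it may lose locking for its own passphrase buffers; whether the automatic locking covers anything beyond the library's key storage is not visible in this diff. I would extend the line to something like `\b Deprecated, only for backward compatibility. Memory holding keys is locked automatically by the library; buffers owned by the application are not covered.` once that is confirmed. That wording also fixes the grammar of `Memory with keys are locked`.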
@@ -513,13 +517,13 @@ struct crypt_params_verity { }; /** No on-disk header (only hashes) */ -#define CRYPT_VERITY_NO_HEADER (1 << 0) +#define CRYPT_VERITY_NO_HEADER (UINT32_C(1) << 0) /** Verity hash in userspace before activation */ -#define CRYPT_VERITY_CHECK_HASH (1 << 1) +#define CRYPT_VERITY_CHECK_HASH (UINT32_C(1) << 1) /** Create hash - format hash device */ -#define CRYPT_VERITY_CREATE_HASH (1 << 2) +#define CRYPT_VERITY_CREATE_HASH (UINT32_C(1) << 2) /** Root hash signature required for activation */ -#define CRYPT_VERITY_ROOT_HASH_SIGNATURE (1 << 3) +#define CRYPT_VERITY_ROOT_HASH_SIGNATURE (UINT32_C(1) << 3) /** * @@ -542,18 +546,18 @@ struct crypt_params_tcrypt { }; /** Include legacy modes when scanning for header */ -#define CRYPT_TCRYPT_LEGACY_MODES (1 << 0) +#define CRYPT_TCRYPT_LEGACY_MODES (UINT32_C(1) << 0) /** Try to load hidden header (describing hidden device) */ -#define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1) +#define CRYPT_TCRYPT_HIDDEN_HEADER (UINT32_C(1) << 1) /** Try to load backup header */ -#define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2) +#define CRYPT_TCRYPT_BACKUP_HEADER (UINT32_C(1) << 2) /** Device contains encrypted system (with boot loader) */ -#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3) +#define CRYPT_TCRYPT_SYSTEM_HEADER (UINT32_C(1) << 3) /** Include VeraCrypt modes when scanning for header, * all other TCRYPT flags applies as well. * VeraCrypt device is reported as TCRYPT type. */ -#define CRYPT_TCRYPT_VERA_MODES (1 << 4) +#define CRYPT_TCRYPT_VERA_MODES (UINT32_C(1) << 4) /** * 
@@ -662,11 +666,11 @@ void crypt_set_compatibility(struct crypt_device *cd, uint32_t flags); uint32_t crypt_get_compatibility(struct crypt_device *cd); /** dm-integrity device uses less effective (legacy) padding (old kernels) */ -#define CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING (1 << 0) +#define CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING (UINT32_C(1) << 0) /** dm-integrity device does not protect superblock with HMAC (old kernels) */ -#define CRYPT_COMPAT_LEGACY_INTEGRITY_HMAC (1 << 1) +#define CRYPT_COMPAT_LEGACY_INTEGRITY_HMAC (UINT32_C(1) << 1) /** dm-integrity allow recalculating of volumes with HMAC keys (old kernels) */ -#define CRYPT_COMPAT_LEGACY_INTEGRITY_RECALC (1 << 2) +#define CRYPT_COMPAT_LEGACY_INTEGRITY_RECALC (UINT32_C(1) << 2) /** * Convert to new type for already existing device. @@ -718,6 +722,24 @@ int crypt_set_label(struct crypt_device *cd, const char *label, const char *subsystem); +/** + * Get the label of an existing device. + * + * @param cd crypt device handle + * + * @return label, or @e NULL otherwise + */ +const char *crypt_get_label(struct crypt_device *cd); + +/** + * Get the subsystem of an existing device. + * + * @param cd crypt device handle + * + * @return subsystem, or @e NULL otherwise + */ +const char *crypt_get_subsystem(struct crypt_device *cd); + /** * Enable or disable loading of volume keys via kernel keyring. When set to * 'enabled' library loads key in kernel keyring first and pass the key @@ -749,7 +771,8 @@ int crypt_volume_key_keyring(struct crypt_device *cd, int enable); * @post In case LUKS header is read successfully but payload device is too small * error is returned and device type in context is set to @e NULL * - * @note Note that in current version load works only for LUKS and VERITY device type. + * @note Note that load works only for device types with on-disk metadata. + * @note Function does not print visible error message if metadata is not present. * */ int crypt_load(struct crypt_device *cd, 
@@ -881,6 +904,43 @@ int crypt_resume_by_volume_key(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size); +/** + * Resume crypt device using LUKS2 token. + * + * @param cd LUKS2 crypt device handle + * @param name name of device to resume + * @param type restrict type of token, if @e NULL all types are allowed + * @param pin passphrase (or PIN) to unlock token (may be binary data) + * @param pin_size size of @e pin + * @param usrptr provided identification in callback + * + * @return unlocked key slot number or negative errno otherwise. + * + * @note EPERM errno means token provided passphrase successfully, but + * passphrase did not unlock any keyslot associated with the token. + * + * @note ENOENT errno means no token (or subsequently assigned keyslot) was + * eligible to resume LUKS2 device. + * + * @note ENOANO errno means that token is PIN protected and was either missing + * (NULL) or wrong. + * + * @note Negative EAGAIN errno means token handler requires additional hardware + * not present in the system to unlock keyslot. + * + * @note with @param token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop + * to resume device using any available token. It may happen that various token handlers + * return different error codes. At the end loop returns error codes in the following + * order (from the most significant to the least) any negative errno except those + * listed below, non negative token id (success), -ENOANO, -EAGAIN, -EPERM, -ENOENT. + */ +int crypt_resume_by_token_pin(struct crypt_device *cd, + const char *name, + const char *type, + int token, + const char *pin, + size_t pin_size, + void *usrptr); /** @} */ /** 
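Review bot: The doc block for `crypt_resume_by_token_pin()` has no `@param token` entry although the prototype takes `int token` between `type` and `pin`, and the last note is written as `@note with @param token set to CRYPT_ANY_TOKEN`, which puts a parameter tag in the middle of a note. Add `@param token token to use for resume or CRYPT_ANY_TOKEN` next to the other parameters and start the note with `@note With @e token set to CRYPT_ANY_TOKEN`. The same note lists `non negative token id (success)` among the results of the loop while `@return` promises the unlocked key slot number; one of the two statements should be corrected so callers know what a non-negative value identifies.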
@@ -1005,13 +1065,13 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd, size_t passphrase_size); /** create keyslot with volume key not associated with current dm-crypt segment */ -#define CRYPT_VOLUME_KEY_NO_SEGMENT (1 << 0) +#define CRYPT_VOLUME_KEY_NO_SEGMENT (UINT32_C(1) << 0) /** create keyslot with new volume key and assign it to current dm-crypt segment */ -#define CRYPT_VOLUME_KEY_SET (1 << 1) +#define CRYPT_VOLUME_KEY_SET (UINT32_C(1) << 1) /** Assign key to first matching digest before creating new digest */ -#define CRYPT_VOLUME_KEY_DIGEST_REUSE (1 << 2) +#define CRYPT_VOLUME_KEY_DIGEST_REUSE (UINT32_C(1) << 2) /** * Add key slot using provided key. 
@@ -1050,6 +1110,187 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd, size_t passphrase_size, uint32_t flags); +/** + * @defgroup crypt-keyslot-context Crypt keyslot context + * @addtogroup crypt-keyslot-context + * @{ + */ + +/** + * Release crypt keyslot context and used memory. + * + * @param kc crypt keyslot context + */ +void crypt_keyslot_context_free(struct crypt_keyslot_context *kc); + +/** + * Initialize keyslot context via passphrase. + * + * @param cd crypt device handle initialized to LUKS device context + * @param passphrase passphrase for a keyslot + * @param passphrase_size size of passphrase + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_PASSPHRASE + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd, + const char *passphrase, + size_t passphrase_size, + struct crypt_keyslot_context **kc); + +/** + * Initialize keyslot context via key file path. + * + * @param cd crypt device handle initialized to LUKS device context + * + * @param keyfile key file with passphrase for a keyslot + * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited + * @param keyfile_offset number of bytes to skip at start of keyfile + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYFILE + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd, + const char *keyfile, + size_t keyfile_size, + uint64_t keyfile_offset, + struct crypt_keyslot_context **kc); + +/** + * Initialize keyslot context via LUKS2 token. 
+ * + * @param cd crypt device handle initialized to LUKS2 device context + * + * @param token token providing passphrase for a keyslot or CRYPT_ANY_TOKEN + * @param type restrict type of token, if @e NULL all types are allowed + * @param pin passphrase (or PIN) to unlock token (may be binary data) + * @param pin_size size of @e pin + * @param usrptr provided identification in callback + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_TOKEN + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_token(struct crypt_device *cd, + int token, + const char *type, + const char *pin, size_t pin_size, + void *usrptr, + struct crypt_keyslot_context **kc); + +/** + * Initialize keyslot context via key. + * + * @param cd crypt device handle initialized to LUKS device context + * + * @param volume_key provided volume key or @e NULL if used after crypt_format + * or with CRYPT_VOLUME_KEY_NO_SEGMENT flag + * @param volume_key_size size of volume_key + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd, + const char *volume_key, + size_t volume_key_size, + struct crypt_keyslot_context **kc); + +/** + * Get error code per keyslot context from last failed call. + * + * @note If @link crypt_keyslot_add_by_keyslot_context @endlink passed with + * no negative return code. The return value of this function is undefined. + * + * @param kc keyslot context involved in failed @link crypt_keyslot_add_by_keyslot_context @endlink + * + * @return Negative errno if keyslot context caused a failure, zero otherwise. + */ +int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc); + +/** + * Set new pin to token based keyslot context. 
+ * + * @note Use when @link crypt_keyslot_add_by_keyslot_context @endlink failed + * and token keyslot context returned -ENOANO error code via + * @link crypt_keyslot_context_get_error @endlink. + * + * @param cd crypt device handle initialized to LUKS2 device context + * @param pin passphrase (or PIN) to unlock token (may be binary data) + * @param pin_size size of @e pin + * @param kc LUKS2 keyslot context (only @link CRYPT_KC_TYPE_TOKEN @endlink is allowed) + * + * @return zero on success or negative errno otherwise + */ +int crypt_keyslot_context_set_pin(struct crypt_device *cd, + const char *pin, size_t pin_size, + struct crypt_keyslot_context *kc); + +/** + * @defgroup crypt-keyslot-context-types Crypt keyslot context + * @addtogroup crypt-keyslot-context-types + * @{ + */ +/** keyslot context initialized by passphrase (@link crypt_keyslot_context_init_by_passphrase @endlink) */ +#define CRYPT_KC_TYPE_PASSPHRASE INT16_C(1) +/** keyslot context initialized by keyfile (@link crypt_keyslot_context_init_by_keyfile @endlink) */ +#define CRYPT_KC_TYPE_KEYFILE INT16_C(2) +/** keyslot context initialized by token (@link crypt_keyslot_context_init_by_token @endlink) */ +#define CRYPT_KC_TYPE_TOKEN INT16_C(3) +/** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */ +#define CRYPT_KC_TYPE_KEY INT16_C(4) +/** @} */ + +/** + * Get type identifier for crypt keyslot context. + * + * @param kc keyslot context + * + * @return crypt keyslot context type id (see @link crypt-keyslot-context-types @endlink) or negative errno otherwise. + */ +int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc); +/** @} */ + +/** + * Add key slot by volume key provided by keyslot context (kc). New + * keyslot will be protected by passphrase provided by new keyslot context (new_kc). + * See @link crypt-keyslot-context @endlink for context initialization routines. 
+ * + * @pre @e cd contains initialized and formatted LUKS device context. + * + * @param cd crypt device handle + * @param keyslot_existing existing keyslot or CRYPT_ANY_SLOT to get volume key from. + * @param kc keyslot context providing volume key. + * @param keyslot_new new keyslot or CRYPT_ANY_SLOT (first free number is used). + * @param new_kc keyslot context providing passphrase for new keyslot. + * @param flags key flags to set + * + * @return allocated key slot number or negative errno otherwise. + * + * @note new_kc can not be @e CRYPT_KC_TYPE_KEY type keyslot context. + * + * @note For kc parameter with type @e CRYPT_KC_TYPE_KEY the keyslot_existing + * parameter is ignored. + * + * @note in case there is no active LUKS keyslot to get existing volume key from, one of following must apply: + * @li @e cd must be device handle used in crypt_format() by current process (it holds reference to generated volume key) + * @li kc must be of @e CRYPT_KC_TYPE_KEY type with valid volume key. + * + * @note With CRYPT_VOLUME_KEY_NO_SEGMENT flag raised and kc of type @e CRYPT_KC_TYPE_KEY with @e volume_key set to @e NULL + * the new volume_key will be generated and stored in new keyslot. The keyslot will become unbound (unusable to + * dm-crypt device activation). + * + * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption! + * By doing so you will most probably destroy your ciphertext data device. It's supposed + * to be used only in wrapped keys scheme for key refresh process where real (inner) volume + * key stays untouched. It may be involed on active @e keyslot which makes the (previously + * unbound) keyslot new regular keyslot. + */ +int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd, + int keyslot_existing, + struct crypt_keyslot_context *kc, + int keyslot_new, + struct crypt_keyslot_context *new_kc, + uint32_t flags); + /** * Destroy (and disable) key slot. * 
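Review bot: None of the `crypt_keyslot_context_init_by_*()` doc blocks says whether `passphrase`, `pin`, `keyfile` or `volume_key` is copied into the context or only referenced, so a caller cannot tell when it is safe to wipe or free those buffers. If the context keeps the caller's pointer (the `const char *` members of the internal struct added in this diff suggest so, but the implementation is not shown), each block needs a line such as `@note The buffer must stay valid and unmodified until crypt_keyslot_context_free() is called.` Separately, the `@warning` under `crypt_keyslot_add_by_keyslot_context()` has `involed` for `invoked`, and `@defgroup crypt-keyslot-context-types` reuses the title `Crypt keyslot context` of its parent group, which will produce two identically named groups in the generated docs.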
@@ -1073,59 +1314,61 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot); */ /** device is read only */ -#define CRYPT_ACTIVATE_READONLY (1 << 0) +#define CRYPT_ACTIVATE_READONLY (UINT32_C(1) << 0) /** only reported for device without uuid */ -#define CRYPT_ACTIVATE_NO_UUID (1 << 1) +#define CRYPT_ACTIVATE_NO_UUID (UINT32_C(1) << 1) /** activate even if cannot grant exclusive access (DANGEROUS) */ -#define CRYPT_ACTIVATE_SHARED (1 << 2) +#define CRYPT_ACTIVATE_SHARED (UINT32_C(1) << 2) /** enable discards aka TRIM */ -#define CRYPT_ACTIVATE_ALLOW_DISCARDS (1 << 3) +#define CRYPT_ACTIVATE_ALLOW_DISCARDS (UINT32_C(1) << 3) /** skip global udev rules in activation ("private device"), input only */ -#define CRYPT_ACTIVATE_PRIVATE (1 << 4) +#define CRYPT_ACTIVATE_PRIVATE (UINT32_C(1) << 4) /** corruption detected (verity), output only */ -#define CRYPT_ACTIVATE_CORRUPTED (1 << 5) +#define CRYPT_ACTIVATE_CORRUPTED (UINT32_C(1) << 5) /** use same_cpu_crypt option for dm-crypt */ -#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6) +#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (UINT32_C(1) << 6) /** use submit_from_crypt_cpus for dm-crypt */ -#define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (1 << 7) +#define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (UINT32_C(1) << 7) /** dm-verity: ignore_corruption flag - ignore corruption, log it only */ -#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (1 << 8) +#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (UINT32_C(1) << 8) /** dm-verity: restart_on_corruption flag - restart kernel on corruption */ -#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9) +#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (UINT32_C(1) << 9) /** dm-verity: ignore_zero_blocks - do not verify zero blocks */ -#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10) +#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (UINT32_C(1) << 10) /** key loaded in kernel keyring instead directly in dm-crypt */ -#define CRYPT_ACTIVATE_KEYRING_KEY (1 << 11) +#define CRYPT_ACTIVATE_KEYRING_KEY (UINT32_C(1) 
<< 11) /** dm-integrity: direct writes, do not use journal */ -#define CRYPT_ACTIVATE_NO_JOURNAL (1 << 12) +#define CRYPT_ACTIVATE_NO_JOURNAL (UINT32_C(1) << 12) /** dm-integrity: recovery mode - no journal, no integrity checks */ -#define CRYPT_ACTIVATE_RECOVERY (1 << 13) +#define CRYPT_ACTIVATE_RECOVERY (UINT32_C(1) << 13) /** ignore persistently stored flags */ -#define CRYPT_ACTIVATE_IGNORE_PERSISTENT (1 << 14) +#define CRYPT_ACTIVATE_IGNORE_PERSISTENT (UINT32_C(1) << 14) /** dm-verity: check_at_most_once - check data blocks only the first time */ -#define CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE (1 << 15) +#define CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE (UINT32_C(1) << 15) /** allow activation check including unbound keyslots (keyslots without segments) */ -#define CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY (1 << 16) +#define CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY (UINT32_C(1) << 16) /** dm-integrity: activate automatic recalculation */ -#define CRYPT_ACTIVATE_RECALCULATE (1 << 17) +#define CRYPT_ACTIVATE_RECALCULATE (UINT32_C(1) << 17) /** reactivate existing and update flags, input only */ -#define CRYPT_ACTIVATE_REFRESH (1 << 18) +#define CRYPT_ACTIVATE_REFRESH (UINT32_C(1) << 18) /** Use global lock to serialize memory hard KDF on activation (OOM workaround) */ -#define CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF (1 << 19) +#define CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF (UINT32_C(1) << 19) /** dm-integrity: direct writes, use bitmap to track dirty sectors */ -#define CRYPT_ACTIVATE_NO_JOURNAL_BITMAP (1 << 20) +#define CRYPT_ACTIVATE_NO_JOURNAL_BITMAP (UINT32_C(1) << 20) /** device is suspended (key should be wiped from memory), output only */ -#define CRYPT_ACTIVATE_SUSPENDED (1 << 21) +#define CRYPT_ACTIVATE_SUSPENDED (UINT32_C(1) << 21) /** use IV sector counted in sector_size instead of default 512 bytes sectors */ -#define CRYPT_ACTIVATE_IV_LARGE_SECTORS (1 << 22) +#define CRYPT_ACTIVATE_IV_LARGE_SECTORS (UINT32_C(1) << 22) /** dm-verity: panic_on_corruption flag - panic kernel 
on corruption */ -#define CRYPT_ACTIVATE_PANIC_ON_CORRUPTION (1 << 23) +#define CRYPT_ACTIVATE_PANIC_ON_CORRUPTION (UINT32_C(1) << 23) /** dm-crypt: bypass internal workqueue and process read requests synchronously. */ -#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24) +#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (UINT32_C(1) << 24) /** dm-crypt: bypass internal workqueue and process write requests synchronously. */ -#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25) +#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (UINT32_C(1) << 25) /** dm-integrity: reset automatic recalculation */ -#define CRYPT_ACTIVATE_RECALCULATE_RESET (1 << 26) +#define CRYPT_ACTIVATE_RECALCULATE_RESET (UINT32_C(1) << 26) +/** dm-verity: try to use tasklets */ +#define CRYPT_ACTIVATE_TASKLETS (UINT32_C(1) << 27) /** * Active device runtime attributes @@ -1174,11 +1417,11 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd, * LUKS2 header requirements */ /** Unfinished offline reencryption */ -#define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT (1 << 0) +#define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT (UINT32_C(1) << 0) /** Online reencryption in-progress */ -#define CRYPT_REQUIREMENT_ONLINE_REENCRYPT (1 << 1) +#define CRYPT_REQUIREMENT_ONLINE_REENCRYPT (UINT32_C(1) << 1) /** unknown requirement in header (output only) */ -#define CRYPT_REQUIREMENT_UNKNOWN (1 << 31) +#define CRYPT_REQUIREMENT_UNKNOWN (UINT32_C(1) << 31) /** * Persistent flags type 
@@ -1308,8 +1551,8 @@ int crypt_activate_by_keyfile(struct crypt_device *cd, * @note For VERITY the volume key means root hash required for activation. * Because kernel dm-verity is always read only, you have to provide * CRYPT_ACTIVATE_READONLY flag always. - * @note For TCRYPT the volume key should be always NULL and because master - * key from decrypted header is used instead. + * @note For TCRYPT the volume key should be always NULL + * the key from decrypted header is used instead. */ int crypt_activate_by_volume_key(struct crypt_device *cd, const char *name, @@ -1365,11 +1608,11 @@ int crypt_activate_by_keyring(struct crypt_device *cd, uint32_t flags); /** lazy deactivation - remove once last user releases it */ -#define CRYPT_DEACTIVATE_DEFERRED (1 << 0) +#define CRYPT_DEACTIVATE_DEFERRED (UINT32_C(1) << 0) /** force deactivation - if the device is busy, it is replaced by error device */ -#define CRYPT_DEACTIVATE_FORCE (1 << 1) +#define CRYPT_DEACTIVATE_FORCE (UINT32_C(1) << 1) /** if set, remove lazy deactivation */ -#define CRYPT_DEACTIVATE_DEFERRED_CANCEL (1 << 2) +#define CRYPT_DEACTIVATE_DEFERRED_CANCEL (UINT32_C(1) << 2) /** * Deactivate crypt device. This function tries to remove active device-mapper @@ -1415,6 +1658,9 @@ int crypt_deactivate(struct crypt_device *cd, const char *name); * @note For TCRYPT cipher chain is the volume key concatenated * for all ciphers in chain. * @note For VERITY the volume key means root hash used for activation. + * @note For LUKS devices, if passphrase is @e NULL and volume key is cached in + * device context it returns the volume key generated in preceding + * @link crypt_format @endlink call. */ int crypt_volume_key_get(struct crypt_device *cd, int keyslot, 
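Review bot: The reworded TCRYPT note in the doc block of `crypt_activate_by_volume_key()` lost its conjunction and now runs two clauses together: `the volume key should be always NULL` is followed directly by `the key from decrypted header is used instead.` Suggested text: `@note For TCRYPT the volume key should always be NULL; the key from the decrypted header is used instead.` The doc block starts outside the hunk, so the rest of it was not reviewed.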
@@ -1423,6 +1669,41 @@ int crypt_volume_key_get(struct crypt_device *cd, const char *passphrase, size_t passphrase_size); +/** + * Get volume key from crypt device by keyslot context. + * + * @param cd crypt device handle + * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT + * @param volume_key buffer for volume key + * @param volume_key_size on input, size of buffer @e volume_key, + * on output size of @e volume_key + * @param kc keyslot context used to unlock volume key + * + * @return unlocked key slot number or negative errno otherwise. + * + * @note See @link crypt-keyslot-context-types @endlink for info on keyslot + * context initialization. + * @note For TCRYPT cipher chain is the volume key concatenated + * for all ciphers in chain (kc may be NULL). + * @note For VERITY the volume key means root hash used for activation + * (kc may be NULL). + * @note For LUKS devices, if kc is @e NULL and volume key is cached in + * device context it returns the volume key generated in preceding + * @link crypt_format @endlink call. + * @note @link CRYPT_KC_TYPE_TOKEN @endlink keyslot context is usable only with LUKS2 devices. + * @note @link CRYPT_KC_TYPE_KEY @endlink keyslot context can not be used. + * @note To get LUKS2 unbound key, keyslot parameter must not be @e CRYPT_ANY_SLOT. + * @note EPERM errno means provided keyslot context could not unlock any (or selected) + * keyslot. + * @note ENOENT errno means no LUKS keyslot is available to retrieve volume key from + * and there's no cached volume key in device handle. + */ +int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd, + int keyslot, + char *volume_key, + size_t *volume_key_size, + struct crypt_keyslot_context *kc); + /** * Verify that provided volume key is valid for crypt device. * 
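Review bot: The first `@note` of `crypt_volume_key_get_by_keyslot_context()` points to `@link crypt-keyslot-context-types @endlink` for keyslot context initialization, but that group holds only the `CRYPT_KC_TYPE_*` constants; the init routines are in the `crypt-keyslot-context` group, which is what the doc block of `crypt_keyslot_add_by_keyslot_context()` links to. Change the line to `@note See @link crypt-keyslot-context @endlink for info on keyslot context initialization.` The block also does not remind the caller that `volume_key` receives raw key material; a note such as `@note The caller is responsible for wiping @e volume_key after use.` would be worth adding.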
@@ -1431,6 +1712,10 @@ int crypt_volume_key_get(struct crypt_device *cd, * @param volume_key_size size of @e volume_key * * @return @e 0 on success or negative errno value otherwise. + * + * @note Negative EPERM return value means that passed volume_key + * did not pass digest verification routine (not a valid volume + * key). */ int crypt_volume_key_verify(struct crypt_device *cd, const char *volume_key, @@ -1923,7 +2208,7 @@ int crypt_keyfile_read(struct crypt_device *cd, uint32_t flags); /** Read key only to the first end of line (\\n). */ -#define CRYPT_KEYFILE_STOP_EOL (1 << 0) +#define CRYPT_KEYFILE_STOP_EOL (UINT32_C(1) << 0) /** @} */ /** @@ -1937,7 +2222,7 @@ int crypt_keyfile_read(struct crypt_device *cd, typedef enum { CRYPT_WIPE_ZERO, /**< Fill with zeroes */ CRYPT_WIPE_RANDOM, /**< Use RNG to fill data */ - CRYPT_WIPE_ENCRYPTED_ZERO, /**< Add encryption and fill with zeroes as plaintext */ + CRYPT_WIPE_ENCRYPTED_ZERO, /**< Obsolete, same as CRYPT_WIPE_RANDOM */ CRYPT_WIPE_SPECIAL, /**< Compatibility only, do not use (Gutmann method) */ } crypt_wipe_pattern; @@ -1973,7 +2258,7 @@ int crypt_wipe(struct crypt_device *cd, ); /** Use direct-io */ -#define CRYPT_WIPE_NO_DIRECT_IO (1 << 0) +#define CRYPT_WIPE_NO_DIRECT_IO (UINT32_C(1) << 0) /** @} */ /** 
@@ -2390,15 +2675,16 @@ int crypt_activate_by_token_pin(struct crypt_device *cd, */ /** Initialize reencryption metadata but do not run reencryption yet. (in) */ -#define CRYPT_REENCRYPT_INITIALIZE_ONLY (1 << 0) -/** Move the first segment, used only with data shift. (in/out) */ -#define CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT (1 << 1) +#define CRYPT_REENCRYPT_INITIALIZE_ONLY (UINT32_C(1) << 0) +/** Move the first segment, used only with datashift resilience mode + * and subvariants. (in/out) */ +#define CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT (UINT32_C(1) << 1) /** Resume already initialized reencryption only. (in) */ -#define CRYPT_REENCRYPT_RESUME_ONLY (1 << 2) +#define CRYPT_REENCRYPT_RESUME_ONLY (UINT32_C(1) << 2) /** Run reencryption recovery only. (in) */ -#define CRYPT_REENCRYPT_RECOVERY (1 << 3) +#define CRYPT_REENCRYPT_RECOVERY (UINT32_C(1) << 3) /** Reencryption requires metadata protection. (in/out) */ -#define CRYPT_REENCRYPT_REPAIR_NEEDED (1 << 4) +#define CRYPT_REENCRYPT_REPAIR_NEEDED (UINT32_C(1) << 4) /** * Reencryption direction 
@@ -2423,10 +2709,15 @@ typedef enum { struct crypt_params_reencrypt { crypt_reencrypt_mode_info mode; /**< Reencryption mode, immutable after first init. */ crypt_reencrypt_direction_info direction; /**< Reencryption direction, immutable after first init. */ - const char *resilience; /**< Resilience mode: "none", "checksum", "journal" or "shift" (only "shift" is immutable after init) */ + const char *resilience; /**< Resilience mode: "none", "checksum", "journal", "datashift", + "datashift-checksum" or "datashift-journal". + "datashift" mode is immutable, "datashift-" subvariant can be only + changed to other "datashift-" subvariant */ const char *hash; /**< Used hash for "checksum" resilience type, ignored otherwise. */ - uint64_t data_shift; /**< Used in "shift" mode, must be non-zero, immutable after first init. */ - uint64_t max_hotzone_size; /**< Exact hotzone size for "none" mode. Maximum hotzone size for "checksum" and "journal" modes. */ + uint64_t data_shift; /**< Used in "datashift" mode (and subvariants), must be non-zero, + immutable after first init. */ + uint64_t max_hotzone_size; /**< Maximum hotzone size (may be lowered by library). For "datashift-" subvariants + it is used to set size of moved segment (decryption only). */ uint64_t device_size; /**< Reencrypt only initial part of the data device. */ const struct crypt_params_luks2 *luks2; /**< LUKS2 parameters for the final reencryption volume.*/ uint32_t flags; /**< Reencryption flags. */ diff --git a/lib/libcryptsetup.pc.in b/lib/libcryptsetup.pc.in index f3d3fb1..7836293 100644 --- a/lib/libcryptsetup.pc.in +++ b/lib/libcryptsetup.pc.in @@ -8,3 +8,4 @@ Description: cryptsetup library Version: @LIBCRYPTSETUP_VERSION@ Cflags: -I${includedir} Libs: -L${libdir} -lcryptsetup +Requires.private: @PKGMODULES@ diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym index f7c6940..d0f0d98 100644 --- a/lib/libcryptsetup.sym +++ b/lib/libcryptsetup.sym 
@@ -144,3 +144,24 @@ CRYPTSETUP_2.4 { crypt_token_external_disable; crypt_token_external_path; } CRYPTSETUP_2.0; + +CRYPTSETUP_2.5 { + global: + crypt_get_label; + crypt_get_subsystem; + crypt_resume_by_token_pin; +} CRYPTSETUP_2.4; + +CRYPTSETUP_2.6 { + global: + crypt_keyslot_context_free; + crypt_keyslot_context_init_by_passphrase; + crypt_keyslot_context_init_by_keyfile; + crypt_keyslot_context_init_by_token; + crypt_keyslot_context_init_by_volume_key; + crypt_keyslot_context_get_error; + crypt_keyslot_context_set_pin; + crypt_keyslot_context_get_type; + crypt_keyslot_add_by_keyslot_context; + crypt_volume_key_get_by_keyslot_context; +} CRYPTSETUP_2.5; diff --git a/lib/libcryptsetup_macros.h b/lib/libcryptsetup_macros.h index 5fd402c..55187ab 100644 --- a/lib/libcryptsetup_macros.h +++ b/lib/libcryptsetup_macros.h @@ -1,8 +1,8 @@ /* - * Definitions of common constant and generic macros fo libcryptsetup + * Definitions of common constant and generic macros of libcryptsetup * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,6 +25,9 @@ /* to silent gcc -Wcast-qual for const cast */ #define CONST_CAST(x) (x)(uintptr_t) +/* to silent clang -Wcast-align when working with byte arrays */ +#define VOIDP_CAST(x) (x)(void*) + #define UNUSED(x) (void)(x) #ifndef ARRAY_SIZE diff --git a/lib/libcryptsetup_symver.h b/lib/libcryptsetup_symver.h index 128ee81..a5aa8f9 100644 --- a/lib/libcryptsetup_symver.h +++ b/lib/libcryptsetup_symver.h 
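Review bot: The comment on the new `VOIDP_CAST` macro says only that it silences clang's `-Wcast-align`; it should also state that the macro does nothing to make the pointer aligned, so every use has to be justified by the layout of the data. Suggested wording: `/* silences clang -Wcast-align on byte-array pointers; the caller must guarantee the result is suitably aligned for the target type */`. The one use visible in this diff, in `_dm_check_versions()` in lib/libdevmapper.c, casts `(char *) target + target->next`, where the offset is a runtime value that the lines shown do not check.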
@@ -1,7 +1,7 @@ /* * Helpers for defining versioned symbols * - * Copyright (C) 2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2021-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -31,7 +31,7 @@ * It's supposed to be used only with symbols that are exported in at least * two versions simultaneously as follows: * - * - the latest version is marked with _NEW variant and oll other compatible + * - the latest version is marked with _NEW variant and all other compatible * symbols should be marked with _OLD variant * * Examples: @@ -67,16 +67,14 @@ * under CRYPT_SYMBOL_EXPORT_OLD(int, crypt_func_X, ...) macro */ -#ifdef __has_attribute -# if __has_attribute(symver) -# define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min) \ - __attribute__((__symver__(#_public_sym _ver_str #_maj "." #_min))) -# endif +#if HAVE_ATTRIBUTE_SYMVER +# define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min) \ + __attribute__((__symver__(#_public_sym _ver_str #_maj "." #_min))) #endif -#if !defined(_CRYPT_SYMVER) && defined(__GNUC__) +#if !defined(_CRYPT_SYMVER) && (defined(__GNUC__) || defined(__clang__)) # define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min) \ - asm(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min); + __asm__(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min); #endif #define _CRYPT_FUNC(_public_sym, _prefix_str, _maj, _min, _ret, ...) \ diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c index 9bc3d22..9c5fc0c 100644 --- a/lib/libdevmapper.c +++ b/lib/libdevmapper.c 
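Review bot: `#if HAVE_ATTRIBUTE_SYMVER` makes the choice of symbol-versioning mechanism depend on a configure-time macro, and nothing in this header ensures that the file defining it was included first. An undefined name in `#if` evaluates to 0, so a translation unit that includes this header without the configure-generated header would silently take the `__asm__(".symver ...")` fallback, and a build with `-Wundef` would warn. A comment above the test, `/* HAVE_ATTRIBUTE_SYMVER is set by configure; the generated config header must be included before this file */`, would record the dependency. Whether every includer already does so is not visible in this diff.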
@@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -31,7 +31,6 @@ #ifdef HAVE_SYS_SYSMACROS_H # include <sys/sysmacros.h> /* for major, minor */ #endif -#include <assert.h> #include "internal.h" #define DM_CRYPT_TARGET "crypt" @@ -47,6 +46,7 @@ static bool _dm_ioctl_checked = false; static bool _dm_crypt_checked = false; static bool _dm_verity_checked = false; static bool _dm_integrity_checked = false; +static bool _dm_zero_checked = false; static int _quiet_log = 0; static uint32_t _dm_flags = 0; @@ -204,6 +204,9 @@ static void _dm_set_verity_compat(struct crypt_device *cd, if (_dm_satisfies_version(1, 7, 0, verity_maj, verity_min, verity_patch)) _dm_flags |= DM_VERITY_PANIC_CORRUPTION_SUPPORTED; + if (_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch)) + _dm_flags |= DM_VERITY_TASKLETS_SUPPORTED; + _dm_verity_checked = true; } @@ -241,6 +244,20 @@ static void _dm_set_integrity_compat(struct crypt_device *cd, _dm_integrity_checked = true; } +static void _dm_set_zero_compat(struct crypt_device *cd, + unsigned zero_maj, + unsigned zero_min, + unsigned zero_patch) +{ + if (_dm_zero_checked || zero_maj == 0) + return; + + log_dbg(cd, "Detected dm-zero version %i.%i.%i.", + zero_maj, zero_min, zero_patch); + + _dm_zero_checked = true; +} + /* We use this for loading target module */ static void _dm_check_target(dm_target_type target_type) { 
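Review bot: In the new `_dm_set_zero_compat()` the `log_dbg()` call formats `zero_maj`, `zero_min` and `zero_patch` with `%i`, but all three parameters are declared `unsigned`; the conversion should be `%u`, i.e. `log_dbg(cd, "Detected dm-zero version %u.%u.%u.",`. If the sibling `_dm_set_*_compat()` functions use `%i` as well (their bodies are outside this hunk), the same change applies there. The function only logs and sets `_dm_zero_checked`, so a one-line comment explaining why it adds nothing to `_dm_flags` would help the next reader.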
@@ -278,11 +295,12 @@ static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_typ unsigned dm_maj, dm_min, dm_patch; int r = 0; - if ((target_type == DM_CRYPT && _dm_crypt_checked) || + if ((target_type == DM_CRYPT && _dm_crypt_checked) || (target_type == DM_VERITY && _dm_verity_checked) || (target_type == DM_INTEGRITY && _dm_integrity_checked) || - (target_type == DM_LINEAR) || (target_type == DM_ZERO) || - (_dm_crypt_checked && _dm_verity_checked && _dm_integrity_checked)) + (target_type == DM_ZERO && _dm_zero_checked) || + (target_type == DM_LINEAR) || + (_dm_crypt_checked && _dm_verity_checked && _dm_integrity_checked && _dm_zero_checked)) return 1; /* Shut up DM while checking */ @@ -331,8 +349,12 @@ static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_typ _dm_set_integrity_compat(cd, (unsigned)target->version[0], (unsigned)target->version[1], (unsigned)target->version[2]); + } else if (!strcmp(DM_ZERO_TARGET, target->name)) { + _dm_set_zero_compat(cd, (unsigned)target->version[0], + (unsigned)target->version[1], + (unsigned)target->version[2]); } - target = (struct dm_versions *)((char *) target + target->next); + target = VOIDP_CAST(struct dm_versions *)((char *) target + target->next); } while (last_target != target); r = 1; 
@@ -355,13 +377,14 @@ int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags) *flags = _dm_flags; if (target == DM_UNKNOWN && - _dm_crypt_checked && _dm_verity_checked && _dm_integrity_checked) + _dm_crypt_checked && _dm_verity_checked && _dm_integrity_checked && _dm_zero_checked) return 0; - if ((target == DM_CRYPT && _dm_crypt_checked) || + if ((target == DM_CRYPT && _dm_crypt_checked) || (target == DM_VERITY && _dm_verity_checked) || (target == DM_INTEGRITY && _dm_integrity_checked) || - (target == DM_LINEAR) || (target == DM_ZERO)) /* nothing to check */ + (target == DM_ZERO && _dm_zero_checked) || + (target == DM_LINEAR)) /* nothing to check */ return 0; return -ENODEV; @@ -444,14 +467,6 @@ char *dm_device_name(const char *path) return dm_device_path(NULL, major(st.st_rdev), minor(st.st_rdev)); } -static void hex_key(char *hexkey, size_t key_size, const char *key) -{ - unsigned i; - - for(i = 0; i < key_size; i++) - sprintf(&hexkey[i * 2], "%02x", (unsigned char)key[i]); -} - static size_t int_log10(uint64_t x) { uint64_t r = 0; 
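Review bot: `dm_flags()` now answers `-ENODEV` for `DM_ZERO` until `_dm_zero_checked` is set, where it used to return 0 unconditionally, and the trailing `/* nothing to check */` comment now covers only `DM_LINEAR`. `_dm_set_zero_compat()` sets that flag only when the target list names dm-zero with a non-zero major version, so callers get the new error whenever the target is not registered. That looks intentional, but it is a behaviour change for callers and deserves a comment at the condition, e.g. `/* DM_ZERO is usable only if the kernel listed the target */`. The same term was added to the early return in `_dm_check_versions()`, and the body of `dm_flags()` starts above this hunk.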
@@ -460,27 +475,22 @@ static size_t int_log10(uint64_t x) return r; } -#define CLEN 64 /* 2*MAX_CIPHER_LEN */ -#define CLENS "63" /* for sscanf length + '\0' */ -#define CAPIL 144 /* should be enough to fit whole capi string */ -#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */ - -static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size, +static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size, char *c_dm, int c_dm_size, char *i_dm, int i_dm_size) { int c_size = 0, i_size = 0, i; - char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN]; - char capi[CAPIL]; + char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1], + tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN]; if (!c_dm || !c_dm_size || !i_dm || !i_dm_size) return -EINVAL; - i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp); + i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp); if (i != 2) return -EINVAL; - i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv); + i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv); if (i == 1) { memset(iv, 0, sizeof(iv)); strncpy(iv, mode, sizeof(iv)-1); 
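Review bot: The `sscanf()` field widths and the destination arrays are now sized by two separate macros, `MAX_CAPI_ONE_LEN_STR` and `MAX_CAPI_ONE_LEN`, whose definitions are outside this hunk, so the requirement that the width be one less than the array size can no longer be checked by reading this file. The removed `CLEN 64` / `CLENS "63"` pair stated that relation in place. A comment on the declaration, such as `/* sscanf widths (MAX_CAPI_ONE_LEN_STR) must be MAX_CAPI_ONE_LEN - 1 to leave room for the NUL */`, would keep the bound visible, since a mismatch would let a long cipher string overrun `cipher`, `mode` or `tmp`. Separately, the function still reads `org_c` and writes `c_dm`, so the new name `cipher_dm2c` appears to describe the opposite direction, judging from the parameter names alone.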
@@ -527,75 +537,6 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size, return 0; } -static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm) -{ - char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN]; - char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1]; - size_t len; - int i; - - if (!c_dm) - return -EINVAL; - - /* legacy mode */ - if (strncmp(c_dm, "capi:", 4)) { - if (!(*org_c = strdup(c_dm))) - return -ENOMEM; - *org_i = NULL; - return 0; - } - - /* modes with capi: prefix */ - i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv); - if (i != 2) - return -EINVAL; - - len = strlen(tmp); - if (len < 2) - return -EINVAL; - - if (tmp[len-1] == ')') - tmp[len-1] = '\0'; - - if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) { - if (!(*org_i = strdup("aead"))) - return -ENOMEM; - } else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) { - if (!(*org_i = strdup(auth))) - return -ENOMEM; - } else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) { - if (!(*org_i = strdup(auth))) - return -ENOMEM; - } else { - if (i_dm) { - if (!(*org_i = strdup(i_dm))) - return -ENOMEM; - } else - *org_i = NULL; - memset(capi, 0, sizeof(capi)); - strncpy(capi, tmp, sizeof(capi)-1); - } - - i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher); - if (i == 2) - i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv); - else - i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv); - if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) { - free(*org_i); - *org_i = NULL; - return -EINVAL; - } - - if (!(*org_c = strdup(dmcrypt_tmp))) { - free(*org_i); - *org_i = NULL; - return -ENOMEM; - } - - return 0; -} - static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u) { size_t r = snprintf(buf, buf_size, " %s:%u", s, u); 
@@ -613,7 +554,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags) if (!tgt) return NULL; - r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size, + r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size, cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm)); if (r < 0) return NULL; @@ -655,24 +596,20 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags) null_cipher = 1; if (null_cipher) - hexkey = crypt_safe_alloc(2); + hexkey = crypt_bytes_to_hex(0, NULL); else if (flags & CRYPT_ACTIVATE_KEYRING_KEY) { keystr_len = strlen(tgt->u.crypt.vk->key_description) + int_log10(tgt->u.crypt.vk->keylength) + 10; hexkey = crypt_safe_alloc(keystr_len); - } else - hexkey = crypt_safe_alloc(tgt->u.crypt.vk->keylength * 2 + 1); - - if (!hexkey) - goto out; - - if (null_cipher) - strncpy(hexkey, "-", 2); - else if (flags & CRYPT_ACTIVATE_KEYRING_KEY) { + if (!hexkey) + goto out; r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key_description); if (r < 0 || r >= keystr_len) goto out; } else - hex_key(hexkey, tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key); + hexkey = crypt_bytes_to_hex(tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key); + + if (!hexkey) + goto out; max_size = strlen(hexkey) + strlen(cipher_dm) + strlen(device_block_path(tgt->data_device)) + @@ -725,6 +662,8 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags) num_options++; if (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) num_options++; + if (flags & CRYPT_ACTIVATE_TASKLETS) + num_options++; max_fec_size = (tgt->u.verity.fec_device ? strlen(device_block_path(tgt->u.verity.fec_device)) : 0) + 256; fec_features = crypt_safe_alloc(max_fec_size); 
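Review bot: The null-cipher branch now calls `crypt_bytes_to_hex(0, NULL)` and relies on it returning the string `-`, which the removed code wrote explicitly with `strncpy(hexkey, "-", 2)`; the helper is not defined in this hunk, so that contract is invisible here. The same assumption is made for an empty salt in `get_dm_verity_params()` and for a zero-length key in `dm_resume_and_reinstate_key()`. A comment at the call would record it, e.g. `/* zero length yields "-", the dm table notation for an empty key */`. Because the returned string holds the volume key in hex, the helper also needs to allocate from the same wiped allocator as `crypt_safe_alloc()`, which cannot be confirmed from this page.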
@@ -755,30 +694,26 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags) } else *verity_verify_args = '\0'; - if (num_options) { /* MAX length int32 + 18 + 22 + 20 + 19 + 19 */ - r = snprintf(features, sizeof(features), " %d%s%s%s%s%s", num_options, + if (num_options) { /* MAX length int32 + 18 + 22 + 20 + 19 + 19 + 22 */ + r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s", num_options, (flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "", (flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "", (flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? " panic_on_corruption" : "", (flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "", - (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : ""); + (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "", + (flags & CRYPT_ACTIVATE_TASKLETS) ? " try_verify_in_tasklet" : ""); if (r < 0 || (size_t)r >= sizeof(features)) goto out; } else *features = '\0'; - hexroot = crypt_safe_alloc(tgt->u.verity.root_hash_size * 2 + 1); + hexroot = crypt_bytes_to_hex(tgt->u.verity.root_hash_size, tgt->u.verity.root_hash); if (!hexroot) goto out; - hex_key(hexroot, tgt->u.verity.root_hash_size, tgt->u.verity.root_hash); - hexsalt = crypt_safe_alloc(vp->salt_size ? vp->salt_size * 2 + 1 : 2); + hexsalt = crypt_bytes_to_hex(vp->salt_size, vp->salt); if (!hexsalt) goto out; - if (vp->salt_size) - hex_key(hexsalt, vp->salt_size, vp->salt); - else - strncpy(hexsalt, "-", 2); max_size = strlen(hexroot) + strlen(hexsalt) + strlen(device_block_path(tgt->data_device)) + 
@@ -843,10 +778,9 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.vk) { - hexkey = crypt_safe_alloc(tgt->u.integrity.vk->keylength * 2 + 1); + hexkey = crypt_bytes_to_hex(tgt->u.integrity.vk->keylength, tgt->u.integrity.vk->key); if (!hexkey) goto out; - hex_key(hexkey, tgt->u.integrity.vk->keylength, tgt->u.integrity.vk->key); } else hexkey = NULL; @@ -861,11 +795,10 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.journal_integrity_key) { - hexkey = crypt_safe_alloc(tgt->u.integrity.journal_integrity_key->keylength * 2 + 1); + hexkey = crypt_bytes_to_hex( tgt->u.integrity.journal_integrity_key->keylength, + tgt->u.integrity.journal_integrity_key->key); if (!hexkey) goto out; - hex_key(hexkey, tgt->u.integrity.journal_integrity_key->keylength, - tgt->u.integrity.journal_integrity_key->key); } else hexkey = NULL; @@ -880,11 +813,10 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.journal_crypt_key) { - hexkey = crypt_safe_alloc(tgt->u.integrity.journal_crypt_key->keylength * 2 + 1); + hexkey = crypt_bytes_to_hex(tgt->u.integrity.journal_crypt_key->keylength, + tgt->u.integrity.journal_crypt_key->key); if (!hexkey) goto out; - hex_key(hexkey, tgt->u.integrity.journal_crypt_key->keylength, - tgt->u.integrity.journal_crypt_key->key); } else hexkey = NULL; @@ -980,7 +912,7 @@ out: return params_out; } -static char *get_dm_linear_params(const struct dm_target *tgt, uint32_t flags __attribute__((unused))) +static char *get_dm_linear_params(const struct dm_target *tgt) { char *params; int r; 
@@ -1001,7 +933,7 @@ static char *get_dm_linear_params(const struct dm_target *tgt, uint32_t flags __ return params; } -static char *get_dm_zero_params(const struct dm_target *tgt __attribute__((unused)), uint32_t flags __attribute__((unused))) +static char *get_dm_zero_params(void) { char *params = crypt_safe_alloc(1); if (!params) @@ -1263,8 +1195,7 @@ int lookup_dm_dev_by_uuid(struct crypt_device *cd, const char *uuid, const char return r; r_udev = r; - if (r_udev <= 0) - r = lookup_by_sysfs_uuid_field(dev_uuid + DM_BY_ID_PREFIX_LEN); + r = lookup_by_sysfs_uuid_field(dev_uuid + DM_BY_ID_PREFIX_LEN); return r == -ENOENT ? r_udev : r; } @@ -1328,9 +1259,9 @@ static int _create_dm_targets_params(struct crypt_dm_active_device *dmd) else if (tgt->type == DM_INTEGRITY) tgt->params = get_dm_integrity_params(tgt, dmd->flags); else if (tgt->type == DM_LINEAR) - tgt->params = get_dm_linear_params(tgt, dmd->flags); + tgt->params = get_dm_linear_params(tgt); else if (tgt->type == DM_ZERO) - tgt->params = get_dm_zero_params(tgt, dmd->flags); + tgt->params = get_dm_zero_params(); else { r = -ENOTSUP; goto err; @@ -1576,6 +1507,9 @@ static void _dm_target_free_query_path(struct crypt_device *cd, struct dm_target static void _dm_target_erase(struct crypt_device *cd, struct dm_target *tgt) { + if (tgt->direction == TARGET_EMPTY) + return; + if (tgt->direction == TARGET_QUERY) _dm_target_free_query_path(cd, tgt); 
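Review bot: `lookup_by_sysfs_uuid_field()` now runs even when the udev lookup already succeeded, and its result replaces `r_udev` unless it is `-ENOENT`, so a sysfs error or a zero result overrides a positive udev match. The reason for trusting sysfs over udev is not stated anywhere in the hunk. A comment before the call would make the precedence explicit, for example `/* sysfs is authoritative; fall back to the udev result only if sysfs has no entry */`. The start of `lookup_dm_dev_by_uuid()` lies outside the hunk, so what the preceding `return r;` already filters out is not visible.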
@@ -1667,16 +1601,94 @@ int dm_create_device(struct crypt_device *cd, const char *name, return -ENOTSUP; r = _dm_create_device(cd, name, type, dmd); - - if (r < 0 && dm_flags(cd, dmd->segment.type, &dmt_flags)) + if (!r || r == -EEXIST) goto out; - if (r && (dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR || dmd->segment.type == DM_ZERO) && + if (dm_flags(cd, dmd->segment.type, &dmt_flags)) + goto out; + + if ((dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR || dmd->segment.type == DM_ZERO) && check_retry(cd, &dmd->flags, dmt_flags)) { log_dbg(cd, "Retrying open without incompatible options."); r = _dm_create_device(cd, name, type, dmd); + if (!r || r == -EEXIST) + goto out; } + if (dmd->flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) && + !(dmt_flags & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED))) { + log_err(cd, _("Requested dm-crypt performance options are not supported.")); + r = -EINVAL; + } + + if (dmd->flags & (CRYPT_ACTIVATE_NO_READ_WORKQUEUE | CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) && + !(dmt_flags & DM_CRYPT_NO_WORKQUEUE_SUPPORTED)) { + log_err(cd, _("Requested dm-crypt performance options are not supported.")); + r = -EINVAL; + } + + if (dmd->flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION| + CRYPT_ACTIVATE_RESTART_ON_CORRUPTION| + CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS| + CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) && + !(dmt_flags & DM_VERITY_ON_CORRUPTION_SUPPORTED)) { + log_err(cd, _("Requested dm-verity data corruption handling options are not supported.")); + r = -EINVAL; + } + + if (dmd->flags & CRYPT_ACTIVATE_TASKLETS && + !(dmt_flags & DM_VERITY_TASKLETS_SUPPORTED)) { + log_err(cd, _("Requested dm-verity tasklets option is not supported.")); + r = -EINVAL; + } + + if (dmd->flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION && + !(dmt_flags & DM_VERITY_PANIC_CORRUPTION_SUPPORTED)) { + log_err(cd, _("Requested dm-verity data corruption handling options are not supported.")); + r = -EINVAL; + } + 
+ if (dmd->segment.type == DM_VERITY && + dmd->segment.u.verity.fec_device && !(dmt_flags & DM_VERITY_FEC_SUPPORTED)) { + log_err(cd, _("Requested dm-verity FEC options are not supported.")); + r = -EINVAL; + } + + if (dmd->segment.type == DM_CRYPT) { + if (dmd->segment.u.crypt.integrity && !(dmt_flags & DM_INTEGRITY_SUPPORTED)) { + log_err(cd, _("Requested data integrity options are not supported.")); + r = -EINVAL; + } + if (dmd->segment.u.crypt.sector_size != SECTOR_SIZE && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED)) { + log_err(cd, _("Requested sector_size option is not supported.")); + r = -EINVAL; + } + } + + if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) && + !(dmt_flags & DM_INTEGRITY_RECALC_SUPPORTED)) { + log_err(cd, _("Requested automatic recalculation of integrity tags is not supported.")); + r = -EINVAL; + } + + if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE_RESET) && + !(dmt_flags & DM_INTEGRITY_RESET_RECALC_SUPPORTED)) { + log_err(cd, _("Requested automatic recalculation of integrity tags is not supported.")); + r = -EINVAL; + } + + if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) && + !(dmt_flags & DM_INTEGRITY_DISCARDS_SUPPORTED)) { + log_err(cd, _("Discard/TRIM is not supported.")); + r = -EINVAL; + } + + if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP) && + !(dmt_flags & DM_INTEGRITY_BITMAP_SUPPORTED)) { + log_err(cd, _("Requested dm-integrity bitmap mode is not supported.")); + r = -EINVAL; + } +out: /* * Print warning if activating dm-crypt cipher_null device unless it's reencryption helper or * keyslot encryption helper device (LUKS1 cipher_null devices). 
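Review bot: Every capability check after the failed `_dm_create_device()` now assigns `r = -EINVAL`, so the error code from the creation path is discarded whenever a requested option is unsupported; the removed code printed these messages only when `r` was already `-EINVAL`. If that precedence is intended, say so above the first check, e.g. `/* creation failed: an unsupported requested option is reported as -EINVAL in place of the original error */`. The two dm-crypt performance checks and the two dm-verity corruption checks log identical strings, so one failed activation can print the same message twice. The function begins above this hunk and continues below it.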
@@ -1685,54 +1697,6 @@ int dm_create_device(struct crypt_device *cd, const char *name, crypt_is_cipher_null(dmd->segment.u.crypt.cipher)) log_dbg(cd, "Activated dm-crypt device with cipher_null. Device is not encrypted."); - if (r == -EINVAL && - dmd->flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) && - !(dmt_flags & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED))) - log_err(cd, _("Requested dm-crypt performance options are not supported.")); - - if (r == -EINVAL && - dmd->flags & (CRYPT_ACTIVATE_NO_READ_WORKQUEUE | CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) && - !(dmt_flags & DM_CRYPT_NO_WORKQUEUE_SUPPORTED)) - log_err(cd, _("Requested dm-crypt performance options are not supported.")); - - if (r == -EINVAL && dmd->flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION| - CRYPT_ACTIVATE_RESTART_ON_CORRUPTION| - CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS| - CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) && - !(dmt_flags & DM_VERITY_ON_CORRUPTION_SUPPORTED)) - log_err(cd, _("Requested dm-verity data corruption handling options are not supported.")); - - if (r == -EINVAL && dmd->flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION && - !(dmt_flags & DM_VERITY_PANIC_CORRUPTION_SUPPORTED)) - log_err(cd, _("Requested dm-verity data corruption handling options are not supported.")); - - if (r == -EINVAL && dmd->segment.type == DM_VERITY && - dmd->segment.u.verity.fec_device && !(dmt_flags & DM_VERITY_FEC_SUPPORTED)) - log_err(cd, _("Requested dm-verity FEC options are not supported.")); - - if (r == -EINVAL && dmd->segment.type == DM_CRYPT) { - if (dmd->segment.u.crypt.integrity && !(dmt_flags & DM_INTEGRITY_SUPPORTED)) - log_err(cd, _("Requested data integrity options are not supported.")); - if (dmd->segment.u.crypt.sector_size != SECTOR_SIZE && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED)) - log_err(cd, _("Requested sector_size option is not supported.")); - } - - if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) && - 
!(dmt_flags & DM_INTEGRITY_RECALC_SUPPORTED)) - log_err(cd, _("Requested automatic recalculation of integrity tags is not supported.")); - - if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE_RESET) && - !(dmt_flags & DM_INTEGRITY_RESET_RECALC_SUPPORTED)) - log_err(cd, _("Requested automatic recalculation of integrity tags is not supported.")); - - if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) && - !(dmt_flags & DM_INTEGRITY_DISCARDS_SUPPORTED)) - log_err(cd, _("Discard/TRIM is not supported.")); - - if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP) && - !(dmt_flags & DM_INTEGRITY_BITMAP_SUPPORTED)) - log_err(cd, _("Requested dm-integrity bitmap mode is not supported.")); -out: dm_exit_context(); return r; } @@ -2027,9 +1991,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags, /* cipher */ if (get_flags & DM_ACTIVE_CRYPT_CIPHER) { - r = cipher_dm2c(CONST_CAST(char**)&cipher, - CONST_CAST(char**)&integrity, - rcipher, rintegrity); + r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity); if (r < 0) goto err; } @@ -2262,6 +2224,8 @@ static int _dm_target_query_verity(struct crypt_device *cd, *act_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS; else if (!strcasecmp(arg, "check_at_most_once")) *act_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE; + else if (!strcasecmp(arg, "try_verify_in_tasklet")) + *act_flags |= CRYPT_ACTIVATE_TASKLETS; else if (!strcasecmp(arg, "use_fec_from_device")) { str = strsep(¶ms, " "); str2 = crypt_lookup_dev(str); 
@@ -2370,6 +2334,8 @@ static int _dm_target_query_integrity(struct crypt_device *cd, struct device *data_device = NULL, *meta_device = NULL; char *integrity = NULL, *journal_crypt = NULL, *journal_integrity = NULL; struct volume_key *vk = NULL; + struct volume_key *journal_integrity_key = NULL; + struct volume_key *journal_crypt_key = NULL; tgt->type = DM_INTEGRITY; tgt->direction = TARGET_QUERY; @@ -2499,6 +2465,28 @@ static int _dm_target_query_integrity(struct crypt_device *cd, goto err; } } + + if (str) { + len = crypt_hex_to_bytes(str, &str2, 1); + if (len < 0) { + r = len; + goto err; + } + + r = 0; + if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEY) { + journal_crypt_key = crypt_alloc_volume_key(len, str2); + if (!journal_crypt_key) + r = -ENOMEM; + } else if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE) { + journal_crypt_key = crypt_alloc_volume_key(len, NULL); + if (!journal_crypt_key) + r = -ENOMEM; + } + crypt_safe_free(str2); + if (r < 0) + goto err; + } } else if (!strncmp(arg, "journal_mac:", 12) && !journal_integrity) { str = &arg[12]; arg = strsep(&str, ":"); @@ -2509,6 +2497,28 @@ static int _dm_target_query_integrity(struct crypt_device *cd, goto err; } } + + if (str) { + len = crypt_hex_to_bytes(str, &str2, 1); + if (len < 0) { + r = len; + goto err; + } + + r = 0; + if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEY) { + journal_integrity_key = crypt_alloc_volume_key(len, str2); + if (!journal_integrity_key) + r = -ENOMEM; + } else if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEYSIZE) { + journal_integrity_key = crypt_alloc_volume_key(len, NULL); + if (!journal_integrity_key) + r = -ENOMEM; + } + crypt_safe_free(str2); + if (r < 0) + goto err; + } } else if (!strcmp(arg, "recalculate")) { *act_flags |= CRYPT_ACTIVATE_RECALCULATE; } else if (!strcmp(arg, "reset_recalculate")) { 
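Review bot: In the added `journal_crypt:` block, `crypt_hex_to_bytes(str, &str2, 1)` decodes the journal key into memory whenever a key string is present, including when `get_flags` requests neither `DM_ACTIVE_JOURNAL_CRYPT_KEY` nor `DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE`. Guarding the block with the flags keeps key bytes out of process memory when the caller did not ask for them: `if (str && (get_flags & (DM_ACTIVE_JOURNAL_CRYPT_KEY | DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE))) {`. The `journal_mac:` block added in the next hunk has the same shape and would take the matching `DM_ACTIVE_JOURNAL_MAC_*` guard. The trade-off is that a malformed hex string is then rejected only when a key or size is requested. Both blocks sit inside `_dm_target_query_integrity()`, which starts and ends outside these hunks.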
@@ -2544,6 +2554,10 @@ static int _dm_target_query_integrity(struct crypt_device *cd, tgt->u.integrity.journal_integrity = journal_integrity; if (vk) tgt->u.integrity.vk = vk; + if (journal_integrity_key) + tgt->u.integrity.journal_integrity_key = journal_integrity_key; + if (journal_crypt_key) + tgt->u.integrity.journal_crypt_key = journal_crypt_key; return 0; err: device_free(cd, data_device); @@ -2552,6 +2566,8 @@ err: free(journal_crypt); free(journal_integrity); crypt_free_volume_key(vk); + crypt_free_volume_key(journal_integrity_key); + crypt_free_volume_key(journal_crypt_key); return r; } @@ -2595,7 +2611,7 @@ err: return r; } -static int _dm_target_query_error(struct crypt_device *cd __attribute__((unused)), struct dm_target *tgt) +static int _dm_target_query_error(struct dm_target *tgt) { tgt->type = DM_ERROR; tgt->direction = TARGET_QUERY; @@ -2603,7 +2619,7 @@ static int _dm_target_query_error(struct crypt_device *cd __attribute__((unused) return 0; } -static int _dm_target_query_zero(struct crypt_device *cd __attribute__((unused)), struct dm_target *tgt) +static int _dm_target_query_zero(struct dm_target *tgt) { tgt->type = DM_ZERO; tgt->direction = TARGET_QUERY; @@ -2631,9 +2647,9 @@ static int dm_target_query(struct crypt_device *cd, struct dm_target *tgt, const else if (!strcmp(target_type, DM_LINEAR_TARGET)) r = _dm_target_query_linear(cd, tgt, get_flags, params); else if (!strcmp(target_type, DM_ERROR_TARGET)) - r = _dm_target_query_error(cd, tgt); + r = _dm_target_query_error(tgt); else if (!strcmp(target_type, DM_ZERO_TARGET)) - r = _dm_target_query_zero(cd, tgt); + r = _dm_target_query_zero(tgt); if (!r) { tgt->offset = *start; @@ -2681,7 +2697,7 @@ static int _dm_query_device(struct crypt_device *cd, const char *name, goto out; } - /* Never allow to return empty key */ + /* Never allow one to return empty key */ if ((get_flags & DM_ACTIVE_CRYPT_KEY) && dmi.suspended) { log_dbg(cd, "Cannot read volume key while suspended."); r = -EINVAL; 
@@ -2763,7 +2779,8 @@ int dm_query_device(struct crypt_device *cd, const char *name, return r; } -static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps, char **names, size_t names_offset, size_t names_length) +static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps, + char **names, size_t names_offset, size_t names_length) { #if HAVE_DECL_DM_DEVICE_GET_NAME struct crypt_dm_active_device dmd; @@ -2809,7 +2826,8 @@ static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_ #endif } -int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, char **names, size_t names_length) +int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, + char **names, size_t names_length) { struct dm_task *dmt; struct dm_info dmi; @@ -2948,7 +2966,7 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, { uint32_t dmt_flags; int msg_size; - char *msg = NULL; + char *msg = NULL, *key = NULL; int r = -ENOTSUP; if (dm_init_context(cd, DM_CRYPT) || dm_flags(cd, DM_CRYPT, &dmt_flags)) @@ -2970,14 +2988,21 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, goto out; } - strcpy(msg, "key set "); - if (!vk->keylength) - snprintf(msg + 8, msg_size - 8, "-"); - else if (vk->key_description) - snprintf(msg + 8, msg_size - 8, ":%zu:logon:%s", vk->keylength, vk->key_description); - else - hex_key(&msg[8], vk->keylength, vk->key); + if (vk->key_description) { + r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, vk->key_description); + } else { + key = crypt_bytes_to_hex(vk->keylength, vk->key); + if (!key) { + r = -ENOMEM; + goto out; + } + r = snprintf(msg, msg_size, "key set %s", key); + } + if (r < 0 || r >= msg_size) { + r = -EINVAL; + goto out; + } if (!_dm_message(name, msg) || _dm_resume_device(name, 0)) { r = -EINVAL; 
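Review bot: A zero-length key that carries a `key_description` now produces `key set :0:logon:<description>`, because `vk->key_description` is tested first and the removed `if (!vk->keylength)` branch that sent `key set -` is gone. If that combination can reach `dm_resume_and_reinstate_key()`, the earlier behaviour is kept by testing `if (vk->key_description && vk->keylength) {` and leaving the zero-length case to `crypt_bytes_to_hex()`, assuming that helper returns `-` for zero length. The computation of `msg_size` is above the hunk, so whether it still covers the longest message cannot be checked here.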
@@ -2986,6 +3011,7 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, r = 0; out: crypt_safe_free(msg); + crypt_safe_free(key); dm_exit_context(); return r; } diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c index e281fc8..224d3d0 100644 --- a/lib/loopaes/loopaes.c +++ b/lib/loopaes/loopaes.c @@ -1,8 +1,8 @@ /* * loop-AES compatible volume handling * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2021 Milan Broz + * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/loopaes/loopaes.h b/lib/loopaes/loopaes.h index ec16851..a921694 100644 --- a/lib/loopaes/loopaes.h +++ b/lib/loopaes/loopaes.h @@ -1,8 +1,8 @@ /* * loop-AES compatible volume handling * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2021 Milan Broz + * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/luks1/af.c b/lib/luks1/af.c index 3aa319d..76afeac 100644 --- a/lib/luks1/af.c +++ b/lib/luks1/af.c @@ -2,7 +2,7 @@ * AFsplitter - Anti forensic information splitter * * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. * * AFsplitter diffuses information over a large stripe of data, * therefore supporting secure data destruction. @@ -131,7 +131,7 @@ out: return r; } -int AF_merge(struct crypt_device *ctx __attribute__((unused)), const char *src, char *dst, +int AF_merge(const char *src, char *dst, size_t blocksize, unsigned int blocknumbers, const char *hash) { unsigned int i; 
@@ -142,7 +142,7 @@ int AF_merge(struct crypt_device *ctx __attribute__((unused)), const char *src, if (!bufblock) return -ENOMEM; - for(i = 0; i < blocknumbers - 1; i++) { + for (i = 0; i < blocknumbers - 1; i++) { XORblock(src + blocksize * i, bufblock, bufblock, blocksize); r = diffuse(bufblock, bufblock, blocksize, hash); if (r < 0) diff --git a/lib/luks1/af.h b/lib/luks1/af.h index f82a42f..8a2bceb 100644 --- a/lib/luks1/af.h +++ b/lib/luks1/af.h @@ -2,7 +2,7 @@ * AFsplitter - Anti forensic information splitter * * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. * * AFsplitter diffuses information over a large stripe of data, * therefore supporting secure data destruction. @@ -44,7 +44,7 @@ struct volume_key; int AF_split(struct crypt_device *ctx, const char *src, char *dst, size_t blocksize, unsigned int blocknumbers, const char *hash); -int AF_merge(struct crypt_device *ctx, const char *src, char *dst, size_t blocksize, +int AF_merge(const char *src, char *dst, size_t blocksize, unsigned int blocknumbers, const char *hash); size_t AF_split_sectors(size_t blocksize, unsigned int blocknumbers); diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c index e7a3836..c1c8201 100644 --- a/lib/luks1/keyencryption.c +++ b/lib/luks1/keyencryption.c @@ -2,8 +2,8 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c index 244b0d5..fe49a00 100644 --- a/lib/luks1/keymanage.c 
+++ b/lib/luks1/keymanage.c @@ -2,8 +2,8 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2013-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2013-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -28,8 +28,8 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> -#include <assert.h> #include <uuid/uuid.h> +#include <limits.h> #include "luks.h" #include "af.h" @@ -232,11 +232,12 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx) hdr_size = LUKS_device_sectors(&hdr) << SECTOR_SHIFT; buffer_size = size_round_up(hdr_size, crypt_getpagesize()); - buffer = crypt_safe_alloc(buffer_size); + buffer = malloc(buffer_size); if (!buffer || hdr_size < LUKS_ALIGN_KEYSLOTS || hdr_size > buffer_size) { r = -ENOMEM; goto out; } + memset(buffer, 0, buffer_size); log_dbg(ctx, "Storing backup of header (%zu bytes) and keyslot area (%zu bytes).", sizeof(hdr), hdr_size - LUKS_ALIGN_KEYSLOTS); @@ -280,7 +281,8 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx) r = 0; out: crypt_safe_memzero(&hdr, sizeof(hdr)); - crypt_safe_free(buffer); + crypt_safe_memzero(buffer, buffer_size); + free(buffer); return r; } @@ -308,7 +310,7 @@ int LUKS_hdr_restore( goto out; } - buffer = crypt_safe_alloc(buffer_size); + buffer = malloc(buffer_size); if (!buffer) { r = -ENOMEM; goto out; @@ -379,7 +381,8 @@ int LUKS_hdr_restore( r = LUKS_read_phdr(hdr, 1, 0, ctx); out: device_sync(ctx, device); - crypt_safe_free(buffer); + crypt_safe_memzero(buffer, buffer_size); + free(buffer); return r; } 
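Review bot: The `out:` path in `LUKS_hdr_backup()` now calls `crypt_safe_memzero(buffer, buffer_size)` even when `malloc()` returned NULL, since the `!buffer` test jumps straight to `out`; `LUKS_hdr_restore()` has the same cleanup and a `goto out` that precedes its allocation. Unless `crypt_safe_memzero()` accepts a NULL pointer (its definition is not on this page), the wipe should be guarded: `if (buffer) crypt_safe_memzero(buffer, buffer_size);`. The move from `crypt_safe_alloc()` to `malloc()` also drops whatever protection that allocator gives the header and keyslot copy while it is in use, keeping only the wipe before `free()`. A short comment at the `malloc()` call stating why ordinary heap memory is acceptable for this buffer would help the next reader.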
@@ -399,7 +402,7 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx) /* * cryptsetup 1.0 did not align keyslots to 4k, cannot repair this one * Also we cannot trust possibly broken keyslots metadata here through LUKS_keyslots_offset(). - * Expect first keyslot is aligned, if not, then manual repair is neccessary. + * Expect first keyslot is aligned, if not, then manual repair is necessary. */ if (phdr->keyblock[0].keyMaterialOffset < (LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE)) { log_err(ctx, _("Non standard keyslots alignment, manual repair required.")); @@ -817,7 +820,7 @@ int LUKS_generate_phdr(struct luks_phdr *header, return r; } - /* Compute master key digest */ + /* Compute volume key digest */ pbkdf = crypt_get_pbkdf(ctx); r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, vk->keylength); if (r < 0) @@ -922,11 +925,15 @@ int LUKS_set_key(unsigned int keyIndex, hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE, derived_key->key, hdr->keyBytes, hdr->keyblock[keyIndex].passwordIterations, 0, 0); - if (r < 0) + if (r < 0) { + if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) && + hdr->keyblock[keyIndex].passwordIterations > INT_MAX) + log_err(ctx, _("PBKDF2 iteration value overflow.")); goto out; + } /* - * AF splitting, the masterkey stored in vk->key is split to AfKey + * AF splitting, the volume key stored in vk->key is split to AfKey */ assert(vk->keylength == hdr->keyBytes); AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE; @@ -982,7 +989,7 @@ int LUKS_verify_volume_key(const struct luks_phdr *hdr, hdr->mkDigestIterations, 0, 0) < 0) return -EINVAL; - if (memcmp(checkHashBuf, hdr->mkDigest, LUKS_DIGESTSIZE)) + if (crypt_backend_memeq(checkHashBuf, hdr->mkDigest, LUKS_DIGESTSIZE)) return -EPERM; return 0; 
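Review bot: `crypt_backend_memeq()` is used here with `memcmp()` polarity, where a non-zero result means the digests differ and yields `-EPERM`, while the name reads like a predicate that is true on equality. An inverted reading in a later edit would accept any volume key, so the convention should be written at the call: `/* returns 0 when equal, like memcmp(); presumably constant-time */`. The helper's definition is outside this hunk, and `LUKS_verify_volume_key()` begins above it.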
@@ -1044,7 +1051,7 @@ static int LUKS_open_key(unsigned int keyIndex, if (r < 0) goto out; - r = AF_merge(ctx, AfKey, (*vk)->key, (*vk)->keylength, hdr->keyblock[keyIndex].stripes, hdr->hashSpec); + r = AF_merge(AfKey, (*vk)->key, (*vk)->keylength, hdr->keyblock[keyIndex].stripes, hdr->hashSpec); if (r < 0) goto out; @@ -1227,6 +1234,10 @@ int LUKS_wipe_header_areas(struct luks_phdr *hdr, uint64_t offset, length; size_t wipe_block; + r = LUKS_check_device_size(ctx, hdr, 1); + if (r) + return r; + /* Wipe complete header, keyslots and padding areas with zeroes. */ offset = 0; length = (uint64_t)hdr->payloadOffset * SECTOR_SIZE; diff --git a/lib/luks1/luks.h b/lib/luks1/luks.h index 2b5132a..9c3f386 100644 --- a/lib/luks1/luks.h +++ b/lib/luks1/luks.h @@ -2,7 +2,7 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h index f86fb50..dfccf02 100644 --- a/lib/luks2/luks2.h +++ b/lib/luks2/luks2.h @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
@@ -62,8 +62,16 @@ /* 1 GiB */ #define LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH 0x40000000 +/* supported reencryption requirement versions */ +#define LUKS2_REENCRYPT_REQ_VERSION UINT8_C(2) +#define LUKS2_DECRYPT_DATASHIFT_REQ_VERSION UINT8_C(3) + +/* see reencrypt_assembly_verification_data() in luks2_reencrypt_digest.c */ +/* LUKS2_REENCRYPT_MAX_VERSION UINT8_C(207) */ + struct device; struct luks2_reencrypt; +struct reenc_protection; struct crypt_lock_handle; struct crypt_dm_active_device; struct luks_phdr; /* LUKS1 for conversion */ @@ -113,6 +121,7 @@ struct luks2_hdr { uint8_t salt2[LUKS2_SALT_L]; char uuid[LUKS2_UUID_L]; void *jobj; + void *jobj_rollback; }; struct luks2_keyslot_params { @@ -159,6 +168,7 @@ int LUKS2_hdr_version_unlocked(struct crypt_device *cd, int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair); int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr); int LUKS2_hdr_write_force(struct crypt_device *cd, struct luks2_hdr *hdr); +int LUKS2_hdr_rollback(struct crypt_device *cd, struct luks2_hdr *hdr); int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr); int LUKS2_hdr_dump_json(struct crypt_device *cd, struct luks2_hdr *hdr, const char **json); @@ -217,9 +227,7 @@ int LUKS2_keyslot_wipe(struct crypt_device *cd, int keyslot, int wipe_area_only); -crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd, - struct luks2_hdr *hdr, - int keyslot); +crypt_keyslot_priority LUKS2_keyslot_priority_get(struct luks2_hdr *hdr, int keyslot); int LUKS2_keyslot_priority_set(struct crypt_device *cd, struct luks2_hdr *hdr, @@ -235,8 +243,7 @@ int LUKS2_keyslot_swap(struct crypt_device *cd, /* * Generic LUKS2 token */ -int LUKS2_token_json_get(struct crypt_device *cd, - struct luks2_hdr *hdr, +int LUKS2_token_json_get(struct luks2_hdr *hdr, int token, const char **json); 
@@ -247,8 +254,7 @@ int LUKS2_token_assign(struct crypt_device *cd, int assign, int commit); -int LUKS2_token_is_assigned(struct crypt_device *cd, - struct luks2_hdr *hdr, +int LUKS2_token_is_assigned(struct luks2_hdr *hdr, int keyslot, int token); @@ -279,14 +285,33 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, uint32_t flags, void *usrptr); -int LUKS2_token_keyring_get(struct crypt_device *cd, +int LUKS2_token_unlock_key(struct crypt_device *cd, struct luks2_hdr *hdr, + int token, + const char *type, + const char *pin, + size_t pin_size, + int segment, + void *usrptr, + struct volume_key **vk); + +int LUKS2_token_keyring_get(struct luks2_hdr *hdr, int token, struct crypt_token_params_luks2_keyring *keyring_params); int LUKS2_token_keyring_json(char *buffer, size_t buffer_size, const struct crypt_token_params_luks2_keyring *keyring_params); +int LUKS2_token_unlock_passphrase(struct crypt_device *cd, + struct luks2_hdr *hdr, + int token, + const char *type, + const char *pin, + size_t pin_size, + void *usrptr, + char **passphrase, + size_t *passphrase_size); + void crypt_token_unload_external_all(struct crypt_device *cd); /* @@ -372,7 +397,7 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd, uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr); int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic); -int LUKS2_get_sector_size(struct luks2_hdr *hdr); +uint32_t LUKS2_get_sector_size(struct luks2_hdr *hdr); const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment); const char *LUKS2_get_integrity(struct luks2_hdr *hdr, int segment); int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr, 
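Review bot: The new prototype LUKS2_token_unlock_passphrase() hands a secret back through `char **passphrase` and `size_t *passphrase_size`, but the declaration does not say who owns that buffer or how it must be released. For a passphrase this matters, because the caller needs to know whether a plain `free()` is enough or a wiping release routine is required. A short comment above the prototype should state that on success the caller owns `*passphrase`, name the release function to use, and say what the outputs contain on failure. The same applies to the `struct volume_key **vk` output of LUKS2_token_unlock_key() in this hunk.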
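Review bot: Changing LUKS2_get_sector_size() from `int` to `uint32_t` removes the possibility of reporting a failure as a negative value. Any caller that still tests the result with `< 0` (callers are not visible here) would now compile to a check that never fires. The prototype should carry a comment stating what is returned when the segment has no usable sector size, e.g. `/* returns sector size in bytes, <fallback value> if the segment is missing */`, and the call sites should be checked for leftover sign tests. The same type change is made to json_segment_get_sector_size() in luks2_internal.h.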
@@ -400,8 +425,11 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3 */ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs); int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs, bool commit); +int LUKS2_config_set_requirement_version(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id, uint8_t req_version, bool commit); -int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version); +int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version); + +bool LUKS2_reencrypt_requirement_candidate(struct luks2_hdr *hdr); int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet); @@ -410,7 +438,7 @@ int LUKS2_key_description_by_segment(struct crypt_device *cd, int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk, int keyslot); int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd, - struct luks2_hdr *hdr, struct volume_key *vk, int digest); + struct volume_key *vk, int digest); int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, @@ -427,7 +455,6 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd, int keyslot_new, const char *passphrase, size_t passphrase_size, - uint32_t flags, struct volume_key **vks); void LUKS2_reencrypt_free(struct crypt_device *cd, @@ -459,4 +486,12 @@ int LUKS2_reencrypt_digest_verify(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks); +int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd, + struct luks2_hdr *hdr, + const struct reenc_protection *rp, + int reencrypt_keyslot, + uint64_t *r_length); + +void LUKS2_reencrypt_protection_erase(struct reenc_protection *rp); + #endif diff --git a/lib/luks2/luks2_digest.c b/lib/luks2/luks2_digest.c index 85c30e7..933b059 100644 
--- a/lib/luks2/luks2_digest.c +++ b/lib/luks2/luks2_digest.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, digest handling * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -111,7 +111,6 @@ int LUKS2_digest_by_keyslot(struct luks2_hdr *hdr, int keyslot) } int LUKS2_digest_verify_by_digest(struct crypt_device *cd, - struct luks2_hdr *hdr __attribute__((unused)), int digest, const struct volume_key *vk) { @@ -144,7 +143,7 @@ int LUKS2_digest_verify(struct crypt_device *cd, log_dbg(cd, "Verifying key from keyslot %d, digest %d.", keyslot, digest); - return LUKS2_digest_verify_by_digest(cd, hdr, digest, vk); + return LUKS2_digest_verify_by_digest(cd, digest, vk); } int LUKS2_digest_dump(struct crypt_device *cd, int digest) @@ -164,7 +163,7 @@ int LUKS2_digest_any_matching(struct crypt_device *cd, int digest; for (digest = 0; digest < LUKS2_DIGEST_MAX; digest++) - if (LUKS2_digest_verify_by_digest(cd, hdr, digest, vk) == digest) + if (LUKS2_digest_verify_by_digest(cd, digest, vk) == digest) return digest; return -ENOENT; @@ -175,7 +174,7 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd, int segment, const struct volume_key *vk) { - return LUKS2_digest_verify_by_digest(cd, hdr, LUKS2_digest_by_segment(hdr, segment), vk); + return LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, segment), vk); } /* FIXME: segment can have more digests */ 
@@ -259,8 +258,7 @@ int LUKS2_digest_assign(struct crypt_device *cd, struct luks2_hdr *hdr, return commit ? LUKS2_hdr_write(cd, hdr) : 0; } -static int assign_all_segments(struct crypt_device *cd __attribute__((unused)), - struct luks2_hdr *hdr, int digest, int assign) +static int assign_all_segments(struct luks2_hdr *hdr, int digest, int assign) { json_object *jobj1, *jobj_digest, *jobj_digest_segments; @@ -336,7 +334,7 @@ int LUKS2_digest_segment_assign(struct crypt_device *cd, struct luks2_hdr *hdr, json_object_object_foreach(jobj_digests, key, val) { UNUSED(val); if (segment == CRYPT_ANY_SEGMENT) - r = assign_all_segments(cd, hdr, atoi(key), assign); + r = assign_all_segments(hdr, atoi(key), assign); else r = assign_one_segment(cd, hdr, segment, atoi(key), assign); if (r < 0) @@ -344,7 +342,7 @@ int LUKS2_digest_segment_assign(struct crypt_device *cd, struct luks2_hdr *hdr, } } else { if (segment == CRYPT_ANY_SEGMENT) - r = assign_all_segments(cd, hdr, digest, assign); + r = assign_all_segments(hdr, digest, assign); else r = assign_one_segment(cd, hdr, segment, digest, assign); } @@ -443,7 +441,7 @@ int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd, } int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd, - struct luks2_hdr *hdr __attribute__((unused)), struct volume_key *vk, int digest) + struct volume_key *vk, int digest) { char *desc = get_key_description_by_digest(cd, digest); int r; diff --git a/lib/luks2/luks2_digest_pbkdf2.c b/lib/luks2/luks2_digest_pbkdf2.c index 03c6f49..1009cfb 100644 --- a/lib/luks2/luks2_digest_pbkdf2.c +++ b/lib/luks2/luks2_digest_pbkdf2.c 
@@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible) * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -33,10 +33,10 @@ static int PBKDF2_digest_verify(struct crypt_device *cd, char checkHashBuf[64]; json_object *jobj_digest, *jobj1; const char *hashSpec; - char *mkDigest = NULL, mkDigestSalt[LUKS_SALTSIZE]; + char *mkDigest = NULL, *mkDigestSalt = NULL; unsigned int mkDigestIterations; size_t len; - int r; + int r = -EINVAL; /* This can be done only for internally linked digests */ jobj_digest = LUKS2_get_digest_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), digest); 
@@ -53,25 +53,23 @@ static int PBKDF2_digest_verify(struct crypt_device *cd, if (!json_object_object_get_ex(jobj_digest, "salt", &jobj1)) return -EINVAL; - len = sizeof(mkDigestSalt); - if (!base64_decode(json_object_get_string(jobj1), - json_object_get_string_len(jobj1), mkDigestSalt, &len)) - return -EINVAL; + r = crypt_base64_decode(&mkDigestSalt, &len, json_object_get_string(jobj1), + json_object_get_string_len(jobj1)); + if (r < 0) + goto out; if (len != LUKS_SALTSIZE) - return -EINVAL; + goto out; if (!json_object_object_get_ex(jobj_digest, "digest", &jobj1)) - return -EINVAL; - len = 0; - if (!base64_decode_alloc(json_object_get_string(jobj1), - json_object_get_string_len(jobj1), &mkDigest, &len)) - return -EINVAL; + goto out; + r = crypt_base64_decode(&mkDigest, &len, json_object_get_string(jobj1), + json_object_get_string_len(jobj1)); + if (r < 0) + goto out; if (len < LUKS_DIGESTSIZE || len > sizeof(checkHashBuf) || - (len != LUKS_DIGESTSIZE && len != (size_t)crypt_hash_size(hashSpec))) { - free(mkDigest); - return -EINVAL; - } + (len != LUKS_DIGESTSIZE && len != (size_t)crypt_hash_size(hashSpec))) + goto out; r = -EPERM; if (crypt_pbkdf(CRYPT_KDF_PBKDF2, hashSpec, volume_key, volume_key_len, @@ -80,11 +78,12 @@ static int PBKDF2_digest_verify(struct crypt_device *cd, mkDigestIterations, 0, 0) < 0) { r = -EINVAL; } else { - if (memcmp(checkHashBuf, mkDigest, len) == 0) + if (crypt_backend_memeq(checkHashBuf, mkDigest, len) == 0) r = 0; } - +out: free(mkDigest); + free(mkDigestSalt); return r; } 
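Review bot: In PBKDF2_digest_verify the length checks that follow each `crypt_base64_decode()` call now leave through `goto out` without setting an error code, where the removed lines returned `-EINVAL`. At that point `r` holds the result of the successful decode, so if the helper returns 0 on success (its definition is not in this hunk) a salt of the wrong size, a missing "digest" field or a digest of unexpected length makes the function return 0, which is the same value as a matching digest. The initial `r = -EINVAL` from the previous hunk is overwritten by the first decode and does not help here. Restoring the error after each successful decode fixes all three exits, e.g. `if (r < 0) goto out; r = -EINVAL;` at both decode sites, ahead of the existing `r = -EPERM;`.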
@@ -154,18 +153,18 @@ static int PBKDF2_digest_store(struct crypt_device *cd, json_object_object_add(jobj_digest, "hash", json_object_new_string(pbkdf.hash)); json_object_object_add(jobj_digest, "iterations", json_object_new_int(pbkdf.iterations)); - base64_encode_alloc(salt, LUKS_SALTSIZE, &base64_str); - if (!base64_str) { + r = crypt_base64_encode(&base64_str, NULL, salt, LUKS_SALTSIZE); + if (r < 0) { json_object_put(jobj_digest); - return -ENOMEM; + return r; } json_object_object_add(jobj_digest, "salt", json_object_new_string(base64_str)); free(base64_str); - base64_encode_alloc(digest_raw, hmac_size, &base64_str); - if (!base64_str) { + r = crypt_base64_encode(&base64_str, NULL, digest_raw, hmac_size); + if (r < 0) { json_object_put(jobj_digest); - return -ENOMEM; + return r; } json_object_object_add(jobj_digest, "digest", json_object_new_string(base64_str)); free(base64_str); diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c index 1e432c8..e995959 100644 --- a/lib/luks2/luks2_disk_metadata.c +++ b/lib/luks2/luks2_disk_metadata.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,8 +19,6 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <assert.h> - #include "luks2_internal.h" /* 
@@ -707,7 +705,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, memcpy(&hdr_disk2, &hdr_disk1, LUKS2_HDR_BIN_LEN); r = crypt_random_get(cd, (char*)hdr_disk2.salt, sizeof(hdr_disk2.salt), CRYPT_RND_SALT); if (r) - log_dbg(cd, "Cannot generate master salt."); + log_dbg(cd, "Cannot generate header salt."); else { hdr_from_disk(&hdr_disk1, &hdr_disk2, hdr, 0); r = hdr_write_disk(cd, device, hdr, json_area1, 1); @@ -728,7 +726,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, memcpy(&hdr_disk1, &hdr_disk2, LUKS2_HDR_BIN_LEN); r = crypt_random_get(cd, (char*)hdr_disk1.salt, sizeof(hdr_disk1.salt), CRYPT_RND_SALT); if (r) - log_dbg(cd, "Cannot generate master salt."); + log_dbg(cd, "Cannot generate header salt."); else { hdr_from_disk(&hdr_disk2, &hdr_disk1, hdr, 1); r = hdr_write_disk(cd, device, hdr, json_area2, 0); diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h index de9ba05..b564a48 100644 --- a/lib/luks2/luks2_internal.h +++ b/lib/luks2/luks2_internal.h @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -27,7 +27,6 @@ #include <json-c/json.h> #include "internal.h" -#include "base64.h" #include "luks2.h" /* override useless forward slash escape when supported by json-c */ 
@@ -73,9 +72,11 @@ void JSON_DBG(struct crypt_device *cd, json_object *jobj, const char *desc); */ /* validation helper */ -json_bool validate_json_uint32(json_object *jobj); +bool validate_json_uint32(json_object *jobj); json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name, const char *section, const char *key, json_type type); +json_object *json_contains_string(struct crypt_device *cd, json_object *jobj, + const char *name, const char *section, const char *key); int LUKS2_hdr_validate(struct crypt_device *cd, json_object *hdr_jobj, uint64_t json_size); int LUKS2_check_json_size(struct crypt_device *cd, const struct luks2_hdr *hdr); @@ -116,14 +117,13 @@ typedef int (*keyslot_store_func)(struct crypt_device *cd, int keyslot, typedef int (*keyslot_wipe_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_dump_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_validate_func) (struct crypt_device *cd, json_object *jobj_keyslot); -typedef void(*keyslot_repair_func) (struct crypt_device *cd, json_object *jobj_keyslot); +typedef void(*keyslot_repair_func) (json_object *jobj_keyslot); /* see LUKS2_luks2_to_luks1 */ int placeholder_keyslot_alloc(struct crypt_device *cd, int keyslot, uint64_t area_offset, - uint64_t area_length, - size_t volume_key_len); + uint64_t area_length); /* validate all keyslot implementations in hdr json */ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj); 
@@ -140,11 +140,28 @@ typedef struct { keyslot_repair_func repair; } keyslot_handler; -/* can not fit prototype alloc function */ -int reenc_keyslot_alloc(struct crypt_device *cd, - struct luks2_hdr *hdr, - int keyslot, - const struct crypt_params_reencrypt *params); +struct reenc_protection { + enum { REENC_PROTECTION_NOT_SET = 0, + REENC_PROTECTION_NONE, + REENC_PROTECTION_CHECKSUM, + REENC_PROTECTION_JOURNAL, + REENC_PROTECTION_DATASHIFT } type; + + union { + struct { + char hash[LUKS2_CHECKSUM_ALG_L]; + struct crypt_hash *ch; + size_t hash_size; + /* buffer for checksums */ + void *checksums; + size_t checksums_len; + size_t block_size; + } csum; + struct { + uint64_t data_shift; + } ds; + } p; +}; /** * LUKS2 digest handlers (EXPERIMENTAL) @@ -172,6 +189,8 @@ void keyring_dump(struct crypt_device *cd, const char *json); int keyring_validate(struct crypt_device *cd, const char *json); +void keyring_buffer_free(void *buffer, size_t buffer_size); + struct crypt_token_handler_v2 { const char *name; crypt_token_open_func open; 
@@ -237,10 +256,31 @@ int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd, int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd, struct luks2_hdr *hdr, int keyslot, - const struct crypt_params_reencrypt *params); + const struct crypt_params_reencrypt *params, + size_t alignment); + +int LUKS2_keyslot_reencrypt_update_needed(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment); + +int LUKS2_keyslot_reencrypt_update(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment, + struct volume_key *vks); + +int LUKS2_keyslot_reencrypt_load(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + struct reenc_protection *rp, + bool primary); int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd, struct luks2_hdr *hdr, + uint8_t version, struct volume_key *vks); int LUKS2_keyslot_dump(struct crypt_device *cd, @@ -254,7 +294,7 @@ const char *json_segment_type(json_object *jobj_segment); uint64_t json_segment_get_iv_offset(json_object *jobj_segment); uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise); const char *json_segment_get_cipher(json_object *jobj_segment); -int json_segment_get_sector_size(json_object *jobj_segment); +uint32_t json_segment_get_sector_size(json_object *jobj_segment); bool json_segment_is_backup(json_object *jobj_segment); json_object *json_segments_get_segment(json_object *jobj_segments, int segment); unsigned json_segments_count(json_object *jobj_segments); @@ -318,7 +358,6 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise); * Generic LUKS2 digest */ int LUKS2_digest_verify_by_digest(struct crypt_device *cd, - struct luks2_hdr *hdr, int digest, const struct volume_key *vk); 
@@ -344,8 +383,6 @@ int LUKS2_reload(struct crypt_device *cd, int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment); int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type); -int LUKS2_set_keyslots_size(struct crypt_device *cd, - struct luks2_hdr *hdr, - uint64_t data_offset); +int LUKS2_set_keyslots_size(struct luks2_hdr *hdr, uint64_t data_offset); #endif diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c index 350ebf4..4456358 100644 --- a/lib/luks2/luks2_json_format.c +++ b/lib/luks2/luks2_json_format.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS2 header format code * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,7 +21,6 @@ #include "luks2_internal.h" #include <uuid/uuid.h> -#include <assert.h> struct area { uint64_t offset; @@ -363,6 +362,10 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd, wipe_block = 4096; } + r = device_check_size(cd, crypt_metadata_device(cd), length, 1); + if (r) + return r; + log_dbg(cd, "Wiping LUKS areas (0x%06" PRIx64 " - 0x%06" PRIx64") with zeroes.", offset, length + offset); @@ -383,9 +386,7 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd, offset, length, wipe_block, NULL, NULL); } -int LUKS2_set_keyslots_size(struct crypt_device *cd __attribute__((unused)), - struct luks2_hdr *hdr, - uint64_t data_offset) +int LUKS2_set_keyslots_size(struct luks2_hdr *hdr, uint64_t data_offset) { json_object *jobj_config; uint64_t keyslots_size; diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c index c5e658b..4771f04 100644 --- a/lib/luks2/luks2_json_metadata.c +++ b/lib/luks2/luks2_json_metadata.c 
@@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz - * Copyright (C) 2015-2021 Ondrej Kozina + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -22,7 +22,6 @@ #include "luks2_internal.h" #include "../integrity/integrity.h" -#include <assert.h> #include <ctype.h> #include <uuid/uuid.h> @@ -40,9 +39,8 @@ void hexprint_base64(struct crypt_device *cd, json_object *jobj, size_t buf_len; unsigned int i; - if (!base64_decode_alloc(json_object_get_string(jobj), - json_object_get_string_len(jobj), - &buf, &buf_len)) + if (crypt_base64_decode(&buf, &buf_len, json_object_get_string(jobj), + json_object_get_string_len(jobj))) return; for (i = 0; i < buf_len; i++) { @@ -209,7 +207,7 @@ int LUKS2_get_default_segment(struct luks2_hdr *hdr) if (s >= 0) return s; - if (LUKS2_segments_count(hdr) == 1) + if (LUKS2_segments_count(hdr) >= 1) return 0; return -EINVAL; @@ -225,7 +223,7 @@ uint32_t crypt_jobj_get_uint32(json_object *jobj) } /* jobj has to be json_type_string and numbered */ -static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value) +static bool json_str_to_uint64(json_object *jobj, uint64_t *value) { char *endptr; unsigned long long tmp; @@ -234,11 +232,11 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value) tmp = strtoull(json_object_get_string(jobj), &endptr, 10); if (*endptr || errno) { *value = 0; - return 0; + return false; } *value = tmp; - return 1; + return true; } uint64_t crypt_jobj_get_uint64(json_object *jobj) 
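Review bot: json_str_to_uint64() still reports success for an empty string. `strtoull()` performs no conversion in that case, leaves `endptr` at the start of the input and is not required to set `errno`, so the `*endptr || errno` test passes and `*value` becomes 0. The new json_contains_string() helper rejects empty strings for the fields that use it, but crypt_jobj_get_uint64(), visible just after this hunk, has no such guard in view. Keeping the input pointer in a local and testing `if (endptr == s || *endptr || errno)` would make the helper safe on its own. The function starts outside the hunk.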
@@ -266,16 +264,16 @@ json_object *crypt_jobj_new_uint64(uint64_t value) /* * Validate helpers */ -static json_bool numbered(struct crypt_device *cd, const char *name, const char *key) +static bool numbered(struct crypt_device *cd, const char *name, const char *key) { int i; for (i = 0; key[i]; i++) if (!isdigit(key[i])) { log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key); - return 0; + return false; } - return 1; + return true; } json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name, @@ -293,18 +291,31 @@ json_object *json_contains(struct crypt_device *cd, json_object *jobj, const cha return sobj; } -json_bool validate_json_uint32(json_object *jobj) +json_object *json_contains_string(struct crypt_device *cd, json_object *jobj, + const char *name, const char *section, const char *key) +{ + json_object *sobj = json_contains(cd, jobj, name, section, key, json_type_string); + + if (!sobj) + return NULL; + + if (strlen(json_object_get_string(sobj)) < 1) + return NULL; + + return sobj; +} + +bool validate_json_uint32(json_object *jobj) { int64_t tmp; errno = 0; tmp = json_object_get_int64(jobj); - return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1; + return (errno || tmp < 0 || tmp > UINT32_MAX) ? false : true; } -static json_bool validate_keyslots_array(struct crypt_device *cd, - json_object *jarr, json_object *jobj_keys) +static bool validate_keyslots_array(struct crypt_device *cd, json_object *jarr, json_object *jobj_keys) { json_object *jobj; int i = 0, length = (int) json_object_array_length(jarr); 
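Review bot: numbered() passes `key[i]`, a plain `char`, to `isdigit()`, which is undefined for negative values other than EOF on platforms where `char` is signed. The keys come from the header JSON object, so bytes above 0x7f can reach this call, and the argument should be converted first: `if (!isdigit((unsigned char)key[i])) {`. Separately, an empty key never enters the loop and is reported as numbered. If that is not intended, `if (!key[0]) return false;` before the loop closes it.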
@@ -313,21 +324,20 @@ static json_bool validate_keyslots_array(struct crypt_device *cd, jobj = json_object_array_get_idx(jarr, i); if (!json_object_is_type(jobj, json_type_string)) { log_dbg(cd, "Illegal value type in keyslots array at index %d.", i); - return 0; + return false; } if (!json_contains(cd, jobj_keys, "", "Keyslots section", json_object_get_string(jobj), json_type_object)) - return 0; + return false; i++; } - return 1; + return true; } -static json_bool validate_segments_array(struct crypt_device *cd, - json_object *jarr, json_object *jobj_segments) +static bool validate_segments_array(struct crypt_device *cd, json_object *jarr, json_object *jobj_segments) { json_object *jobj; int i = 0, length = (int) json_object_array_length(jarr); @@ -336,20 +346,20 @@ static json_bool validate_segments_array(struct crypt_device *cd, jobj = json_object_array_get_idx(jarr, i); if (!json_object_is_type(jobj, json_type_string)) { log_dbg(cd, "Illegal value type in segments array at index %d.", i); - return 0; + return false; } if (!json_contains(cd, jobj_segments, "", "Segments section", json_object_get_string(jobj), json_type_object)) - return 0; + return false; i++; } - return 1; + return true; } -static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests) +static bool segment_has_digest(const char *segment_name, json_object *jobj_digests) { json_object *jobj_segments; 
@@ -357,58 +367,70 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_ UNUSED(key); json_object_object_get_ex(val, "segments", &jobj_segments); if (LUKS2_array_jobj(jobj_segments, segment_name)) - return 1; + return true; } - return 0; + return false; } -static json_bool validate_intervals(struct crypt_device *cd, - int length, const struct interval *ix, - uint64_t metadata_size, uint64_t keyslots_area_end) + +static bool validate_intervals(struct crypt_device *cd, + int length, const struct interval *ix, + uint64_t metadata_size, uint64_t keyslots_area_end) { int j, i = 0; while (i < length) { + /* Offset cannot be inside primary or secondary JSON area */ if (ix[i].offset < 2 * metadata_size) { log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset); - return 0; + return false; } if (!ix[i].length) { log_dbg(cd, "Area length must be greater than zero."); - return 0; + return false; + } + + if (ix[i].offset > (UINT64_MAX - ix[i].length)) { + log_dbg(cd, "Interval offset+length overflow."); + return false; } if ((ix[i].offset + ix[i].length) > keyslots_area_end) { log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").", ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end); - return 0; + return false; } for (j = 0; j < length; j++) { if (i == j) continue; + + if (ix[j].offset > (UINT64_MAX - ix[j].length)) { + log_dbg(cd, "Interval offset+length overflow."); + return false; + } + if ((ix[i].offset >= ix[j].offset) && (ix[i].offset < (ix[j].offset + ix[j].length))) { log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].", ix[i].offset, ix[i].offset + ix[i].length, ix[j].offset, ix[j].offset + ix[j].length); - return 0; + return false; } } i++; } - return 1; + return true; } -static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj __attribute__((unused)), - json_object *hdr_keyslot, const char *key) +static int 
LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_keyslot, const char *key) { json_object *jobj_key_size; - if (!json_contains(cd, hdr_keyslot, key, "Keyslot", "type", json_type_string)) + if (!json_contains_string(cd, hdr_keyslot, key, "Keyslot", "type")) return 1; if (!(jobj_key_size = json_contains(cd, hdr_keyslot, key, "Keyslot", "key_size", json_type_int))) return 1; @@ -432,7 +454,7 @@ int LUKS2_token_validate(struct crypt_device *cd, if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) return 1; - if (!json_contains(cd, jobj_token, key, "Token", "type", json_type_string)) + if (!json_contains_string(cd, jobj_token, key, "Token", "type")) return 1; jarr = json_contains(cd, jobj_token, key, "Token", "keyslots", json_type_array); @@ -481,15 +503,13 @@ static int hdr_validate_keyslots(struct crypt_device *cd, json_object *hdr_jobj) { json_object *jobj; - if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj)) { - log_dbg(cd, "Missing keyslots section."); + if (!(jobj = json_contains(cd, hdr_jobj, "", "JSON area", "keyslots", json_type_object))) return 1; - } json_object_object_foreach(jobj, key, val) { if (!numbered(cd, "Keyslot", key)) return 1; - if (LUKS2_keyslot_validate(cd, hdr_jobj, val, key)) + if (LUKS2_keyslot_validate(cd, val, key)) return 1; } @@ -500,10 +520,8 @@ static int hdr_validate_tokens(struct crypt_device *cd, json_object *hdr_jobj) { json_object *jobj; - if (!json_object_object_get_ex(hdr_jobj, "tokens", &jobj)) { - log_dbg(cd, "Missing tokens section."); + if (!(jobj = json_contains(cd, hdr_jobj, "", "JSON area", "tokens", json_type_object))) return 1; - } json_object_object_foreach(jobj, key, val) { if (!numbered(cd, "Token", key)) 
@@ -515,25 +533,26 @@ static int hdr_validate_tokens(struct crypt_device *cd, json_object *hdr_jobj) return 0; } -static int hdr_validate_crypt_segment(struct crypt_device *cd, - json_object *jobj, const char *key, json_object *jobj_digests, - uint64_t offset __attribute__((unused)), uint64_t size) +static int hdr_validate_crypt_segment(struct crypt_device *cd, json_object *jobj, + const char *key, json_object *jobj_digests, + uint64_t size) { + int r; json_object *jobj_ivoffset, *jobj_sector_size, *jobj_integrity; uint32_t sector_size; uint64_t ivoffset; - if (!(jobj_ivoffset = json_contains(cd, jobj, key, "Segment", "iv_tweak", json_type_string)) || - !json_contains(cd, jobj, key, "Segment", "encryption", json_type_string) || + if (!(jobj_ivoffset = json_contains_string(cd, jobj, key, "Segment", "iv_tweak")) || + !json_contains_string(cd, jobj, key, "Segment", "encryption") || !(jobj_sector_size = json_contains(cd, jobj, key, "Segment", "sector_size", json_type_int))) return 1; /* integrity */ if (json_object_object_get_ex(jobj, "integrity", &jobj_integrity)) { if (!json_contains(cd, jobj, key, "Segment", "integrity", json_type_object) || - !json_contains(cd, jobj_integrity, key, "Segment integrity", "type", json_type_string) || - !json_contains(cd, jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) || - !json_contains(cd, jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string)) + !json_contains_string(cd, jobj_integrity, key, "Segment integrity", "type") || + !json_contains_string(cd, jobj_integrity, key, "Segment integrity", "journal_encryption") || + !json_contains_string(cd, jobj_integrity, key, "Segment integrity", "journal_integrity")) return 1; } 
@@ -561,7 +580,12 @@ static int hdr_validate_crypt_segment(struct crypt_device *cd, return 1; } - return !segment_has_digest(key, jobj_digests); + r = segment_has_digest(key, jobj_digests); + + if (!r) + log_dbg(cd, "Crypt segment %s not assigned to key digest.", key); + + return !r; } static bool validate_segment_intervals(struct crypt_device *cd, @@ -578,6 +602,12 @@ static bool validate_segment_intervals(struct crypt_device *cd, for (j = 0; j < length; j++) { if (i == j) continue; + + if (ix[j].length != UINT64_MAX && ix[j].offset > (UINT64_MAX - ix[j].length)) { + log_dbg(cd, "Interval offset+length overflow."); + return false; + } + if ((ix[i].offset >= ix[j].offset) && (ix[j].length == UINT64_MAX || (ix[i].offset < (ix[j].offset + ix[j].length)))) { log_dbg(cd, "Overlapping segments [%" PRIu64 ",%" PRIu64 "]%s and [%" PRIu64 ",%" PRIu64 "]%s.", ix[i].offset, ix[i].offset + ix[i].length, ix[i].length == UINT64_MAX ? "(dynamic)" : "", @@ -671,10 +701,8 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) int i, r, count, first_backup = -1; struct interval *intervals = NULL; - if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) { - log_dbg(cd, "Missing segments section."); + if (!(jobj_segments = json_contains(cd, hdr_jobj, "", "JSON area", "segments", json_type_object))) return 1; - } count = json_object_object_length(jobj_segments); if (count < 1) { 
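Review bot: The offset+length overflow check added in validate_segment_intervals sits after `if (i == j) continue;` in the inner loop, so it is only evaluated for an interval when a different interval exists; with a single interval it never runs, and with many it is repeated for every pair. Testing the current outer element once, before the inner loop, covers every interval exactly once: `if (ix[i].length != UINT64_MAX && ix[i].offset > (UINT64_MAX - ix[i].length))`. The overlap message that follows still evaluates `ix[i].offset + ix[i].length` for dynamic intervals (length UINT64_MAX), which wraps in the log output. Both loop headers start outside the hunk, so the exact placement needs checking against the full function.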
@@ -691,20 +719,27 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) return 1; /* those fields are mandatory for all segment types */ - if (!(jobj_type = json_contains(cd, val, key, "Segment", "type", json_type_string)) || - !(jobj_offset = json_contains(cd, val, key, "Segment", "offset", json_type_string)) || - !(jobj_size = json_contains(cd, val, key, "Segment", "size", json_type_string))) + if (!(jobj_type = json_contains_string(cd, val, key, "Segment", "type")) || + !(jobj_offset = json_contains_string(cd, val, key, "Segment", "offset")) || + !(jobj_size = json_contains_string(cd, val, key, "Segment", "size"))) return 1; - if (!numbered(cd, "offset", json_object_get_string(jobj_offset)) || - !json_str_to_uint64(jobj_offset, &offset)) + if (!numbered(cd, "offset", json_object_get_string(jobj_offset))) return 1; + if (!json_str_to_uint64(jobj_offset, &offset)) { + log_dbg(cd, "Illegal segment offset value."); + return 1; + } + /* size "dynamic" means whole device starting at 'offset' */ if (strcmp(json_object_get_string(jobj_size), "dynamic")) { - if (!numbered(cd, "size", json_object_get_string(jobj_size)) || - !json_str_to_uint64(jobj_size, &size) || !size) + if (!numbered(cd, "size", json_object_get_string(jobj_size))) return 1; + if (!json_str_to_uint64(jobj_size, &size) || !size) { + log_dbg(cd, "Illegal segment size value."); + return 1; + } } else size = 0; @@ -740,7 +775,7 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) /* crypt */ if (!strcmp(json_object_get_string(jobj_type), "crypt") && - hdr_validate_crypt_segment(cd, val, key, jobj_digests, offset, size)) + hdr_validate_crypt_segment(cd, val, key, jobj_digests, size)) return 1; } 
@@ -847,9 +882,9 @@ static int hdr_validate_areas(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_foreach(jobj_keyslots, key, val) { if (!(jobj_area = json_contains(cd, val, key, "Keyslot", "area", json_type_object)) || - !json_contains(cd, jobj_area, key, "Keyslot area", "type", json_type_string) || - !(jobj_offset = json_contains(cd, jobj_area, key, "Keyslot", "offset", json_type_string)) || - !(jobj_length = json_contains(cd, jobj_area, key, "Keyslot", "size", json_type_string)) || + !json_contains_string(cd, jobj_area, key, "Keyslot area", "type") || + !(jobj_offset = json_contains_string(cd, jobj_area, key, "Keyslot", "offset")) || + !(jobj_length = json_contains_string(cd, jobj_area, key, "Keyslot", "size")) || !numbered(cd, "offset", json_object_get_string(jobj_offset)) || !numbered(cd, "size", json_object_get_string(jobj_length))) { free(intervals); @@ -859,6 +894,7 @@ static int hdr_validate_areas(struct crypt_device *cd, json_object *hdr_jobj) /* rule out values > UINT64_MAX */ if (!json_str_to_uint64(jobj_offset, &intervals[i].offset) || !json_str_to_uint64(jobj_length, &intervals[i].length)) { + log_dbg(cd, "Illegal keyslot area values."); free(intervals); return 1; } 
@@ -882,24 +918,22 @@ static int hdr_validate_digests(struct crypt_device *cd, json_object *hdr_jobj) { json_object *jarr_keys, *jarr_segs, *jobj, *jobj_keyslots, *jobj_segments; - if (!json_object_object_get_ex(hdr_jobj, "digests", &jobj)) { - log_dbg(cd, "Missing digests section."); + if (!(jobj = json_contains(cd, hdr_jobj, "", "JSON area", "digests", json_type_object))) return 1; - } /* keyslots are not yet validated, but we need to know digest doesn't reference missing keyslot */ - if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + if (!(jobj_keyslots = json_contains(cd, hdr_jobj, "", "JSON area", "keyslots", json_type_object))) return 1; /* segments are not yet validated, but we need to know digest doesn't reference missing segment */ - if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) + if (!(jobj_segments = json_contains(cd, hdr_jobj, "", "JSON area", "segments", json_type_object))) return 1; json_object_object_foreach(jobj, key, val) { if (!numbered(cd, "Digest", key)) return 1; - if (!json_contains(cd, val, key, "Digest", "type", json_type_string) || + if (!json_contains_string(cd, val, key, "Digest", "type") || !(jarr_keys = json_contains(cd, val, key, "Digest", "keyslots", json_type_array)) || !(jarr_segs = json_contains(cd, val, key, "Digest", "segments", json_type_array))) return 1; 
@@ -920,22 +954,26 @@ static int hdr_validate_config(struct crypt_device *cd, json_object *hdr_jobj) int i; uint64_t keyslots_size, metadata_size, segment_offset; - if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) { - log_dbg(cd, "Missing config section."); + if (!(jobj_config = json_contains(cd, hdr_jobj, "", "JSON area", "config", json_type_object))) + return 1; + + if (!(jobj = json_contains_string(cd, jobj_config, "section", "Config", "json_size"))) + return 1; + if (!json_str_to_uint64(jobj, &metadata_size)) { + log_dbg(cd, "Illegal config json_size value."); return 1; } - if (!(jobj = json_contains(cd, jobj_config, "section", "Config", "json_size", json_type_string)) || - !json_str_to_uint64(jobj, &metadata_size)) - return 1; - /* single metadata instance is assembled from json area size plus * binary header size */ metadata_size += LUKS2_HDR_BIN_LEN; - if (!(jobj = json_contains(cd, jobj_config, "section", "Config", "keyslots_size", json_type_string)) || - !json_str_to_uint64(jobj, &keyslots_size)) + if (!(jobj = json_contains_string(cd, jobj_config, "section", "Config", "keyslots_size"))) return 1; + if(!json_str_to_uint64(jobj, &keyslots_size)) { + log_dbg(cd, "Illegal config keyslot_size value."); + return 1; + } if (LUKS2_check_metadata_area_size(metadata_size)) { log_dbg(cd, "Unsupported LUKS2 header size (%" PRIu64 ").", metadata_size); 
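Review bot: The new debug message in hdr_validate_config reads "Illegal config keyslot_size value." while the field being parsed is `keyslots_size`, so a search of the debug log for the JSON field name will miss it. The line above also uses `if(!json_str_to_uint64(...))` without the space that every other `if (` in this file has. Suggested: `if (!json_str_to_uint64(jobj, &keyslots_size)) {` and `log_dbg(cd, "Illegal config keyslots_size value.");`.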
@@ -974,15 +1012,39 @@ static int hdr_validate_config(struct crypt_device *cd, json_object *hdr_jobj) return 0; } +static bool reencrypt_candidate_flag(const char *flag) +{ + const char *ptr; + + assert(flag); + + if (!strcmp(flag, "online-reencrypt")) + return true; + + if (strncmp(flag, "online-reencrypt-v", 18)) + return false; + + ptr = flag + 18; + if (!*ptr) + return false; + + while (*ptr) { + if (!isdigit(*ptr)) + return false; + ptr++; + } + + return true; +} + static int hdr_validate_requirements(struct crypt_device *cd, json_object *hdr_jobj) { int i; json_object *jobj_config, *jobj, *jobj1; + unsigned online_reencrypt_flag = 0; - if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) { - log_dbg(cd, "Missing config section."); + if (!(jobj_config = json_contains(cd, hdr_jobj, "", "JSON area", "config", json_type_object))) return 1; - } /* Requirements object is optional */ if (json_object_object_get_ex(jobj_config, "requirements", &jobj)) { @@ -995,12 +1057,22 @@ static int hdr_validate_requirements(struct crypt_device *cd, json_object *hdr_j return 1; /* All array members must be strings */ - for (i = 0; i < (int) json_object_array_length(jobj1); i++) + for (i = 0; i < (int) json_object_array_length(jobj1); i++) { if (!json_object_is_type(json_object_array_get_idx(jobj1, i), json_type_string)) return 1; + + if (reencrypt_candidate_flag(json_object_get_string(json_object_array_get_idx(jobj1, i)))) + online_reencrypt_flag++; + + } } } + if (online_reencrypt_flag > 1) { + log_dbg(cd, "Multiple online reencryption requirement flags detected."); + return 1; + } + return 0; } 
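Review bot: In reencrypt_candidate_flag, `isdigit(*ptr)` is called with a plain `char`; on platforms where `char` is signed, a byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. The flag strings come from the "requirements" array of the on-disk JSON header, so the bytes are not under the library's control. The usual fix is `if (!isdigit((unsigned char)*ptr))`. The literal 18 in `strncmp(flag, "online-reencrypt-v", 18)` and `flag + 18` would also be easier to keep in sync as `sizeof("online-reencrypt-v") - 1`.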
@@ -1037,6 +1109,33 @@ int LUKS2_hdr_validate(struct crypt_device *cd, json_object *hdr_jobj, uint64_t return 0; } +static bool hdr_json_free(json_object **jobj) +{ + assert(jobj); + + if (json_object_put(*jobj)) + *jobj = NULL; + + return (*jobj == NULL); +} + +static int hdr_update_copy_for_rollback(struct crypt_device *cd, struct luks2_hdr *hdr) +{ + json_object **jobj_copy; + + assert(hdr); + assert(hdr->jobj); + + jobj_copy = (json_object **)&hdr->jobj_rollback; + + if (!hdr_json_free(jobj_copy)) { + log_dbg(cd, "LUKS2 rollback metadata copy still in use"); + return -EINVAL; + } + + return json_object_copy(hdr->jobj, jobj_copy) ? -ENOMEM : 0; +} + /* FIXME: should we expose do_recovery parameter explicitly? */ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair) { @@ -1068,6 +1167,9 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair) } else device_read_unlock(cd, crypt_metadata_device(cd)); + if (!r && (r = hdr_update_copy_for_rollback(cd, hdr))) + log_dbg(cd, "Failed to update rollback LUKS2 metadata."); + return r; } 
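Review bot: hdr_json_free reports failure after it has already dropped a reference: when `json_object_put(*jobj)` returns 0 for a non-NULL object, the count has been decremented but `*jobj` still holds the pointer. hdr_update_copy_for_rollback then returns -EINVAL and keeps `hdr->jobj_rollback`, and it runs again after the next read or write, so each retry releases one more reference that the header no longer owns. Whether anything else ever holds a reference to the rollback copy is not visible here; if nothing does, the "still in use" branch is dead code and a comment should say so, otherwise the pointer should be cleared once the reference has been given up. If `json_object_copy` fails after the old copy was freed, `jobj_rollback` also stays NULL, which LUKS2_hdr_rollback later only guards with an assert.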
@@ -1080,18 +1182,50 @@ static int hdr_cleanup_and_validate(struct crypt_device *cd, struct luks2_hdr *h int LUKS2_hdr_write_force(struct crypt_device *cd, struct luks2_hdr *hdr) { + int r; + if (hdr_cleanup_and_validate(cd, hdr)) return -EINVAL; - return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), false); + r = LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), false); + + if (!r && (r = hdr_update_copy_for_rollback(cd, hdr))) + log_dbg(cd, "Failed to update rollback LUKS2 metadata."); + + return r; } int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr) { + int r; + if (hdr_cleanup_and_validate(cd, hdr)) return -EINVAL; - return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), true); + r = LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), true); + + if (!r && (r = hdr_update_copy_for_rollback(cd, hdr))) + log_dbg(cd, "Failed to update rollback LUKS2 metadata."); + + return r; +} + +int LUKS2_hdr_rollback(struct crypt_device *cd, struct luks2_hdr *hdr) +{ + json_object **jobj_copy; + + assert(hdr->jobj_rollback); + + log_dbg(cd, "Rolling back in-memory LUKS2 json metadata."); + + jobj_copy = (json_object **)&hdr->jobj; + + if (!hdr_json_free(jobj_copy)) { + log_dbg(cd, "LUKS2 header still in use"); + return -EINVAL; + } + + return json_object_copy(hdr->jobj_rollback, jobj_copy) ? -ENOMEM : 0; } int LUKS2_hdr_uuid(struct crypt_device *cd, struct luks2_hdr *hdr, const char *uuid) 
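Review bot: LUKS2_hdr_rollback frees `hdr->jobj` before it copies the rollback metadata, so a failed `json_object_copy` returns -ENOMEM with `hdr->jobj` left NULL, and the next user of the header dereferences a NULL pointer while handling an error. Copying into a temporary first and swapping only on success keeps the header usable on every failure path. The function also asserts `hdr->jobj_rollback` without first asserting `hdr`. LUKS2_hdr_write and LUKS2_hdr_write_force have a related ambiguity worth a comment: they return an error when the disk write succeeded but refreshing the rollback copy failed, so a caller cannot tell whether the on-disk header changed.

```c
int LUKS2_hdr_rollback(struct crypt_device *cd, struct luks2_hdr *hdr)
{
	json_object *jobj_new = NULL;

	assert(hdr);
	assert(hdr->jobj_rollback);

	log_dbg(cd, "Rolling back in-memory LUKS2 json metadata.");

	/* copy first, so a failed copy leaves hdr->jobj untouched */
	if (json_object_copy(hdr->jobj_rollback, &jobj_new))
		return -ENOMEM;

	if (!hdr_json_free((json_object **)&hdr->jobj)) {
		log_dbg(cd, "LUKS2 header still in use");
		json_object_put(jobj_new);
		return -EINVAL;
	}

	hdr->jobj = jobj_new;
	return 0;
}
```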
@@ -1128,10 +1262,19 @@ int LUKS2_hdr_labels(struct crypt_device *cd, struct luks2_hdr *hdr, void LUKS2_hdr_free(struct crypt_device *cd, struct luks2_hdr *hdr) { - if (json_object_put(hdr->jobj)) - hdr->jobj = NULL; - else if (hdr->jobj) + json_object **jobj; + + assert(hdr); + + jobj = (json_object **)&hdr->jobj; + + if (!hdr_json_free(jobj)) log_dbg(cd, "LUKS2 header still in use"); + + jobj = (json_object **)&hdr->jobj_rollback; + + if (!hdr_json_free(jobj)) + log_dbg(cd, "LUKS2 rollback metadata copy still in use"); } static uint64_t LUKS2_keyslots_size_jobj(json_object *jobj) @@ -1173,7 +1316,7 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr, hdr_size = LUKS2_hdr_and_areas_size(hdr); buffer_size = size_round_up(hdr_size, crypt_getpagesize()); - buffer = crypt_safe_alloc(buffer_size); + buffer = malloc(buffer_size); if (!buffer) return -ENOMEM; @@ -1184,23 +1327,22 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr, if (r) { log_err(cd, _("Failed to acquire read lock on device %s."), device_path(crypt_metadata_device(cd))); - crypt_safe_free(buffer); - return r; + goto out; } devfd = device_open_locked(cd, device, O_RDONLY); if (devfd < 0) { device_read_unlock(cd, device); log_err(cd, _("Device %s is not a valid LUKS device."), device_path(device)); - crypt_safe_free(buffer); - return devfd == -1 ? -EINVAL : devfd; + r = (devfd == -1) ? -EINVAL : devfd; + goto out; } if (read_lseek_blockwise(devfd, device_block_size(cd, device), device_alignment(device), buffer, hdr_size, 0) < hdr_size) { device_read_unlock(cd, device); - crypt_safe_free(buffer); - return -EIO; + r = -EIO; + goto out; } device_read_unlock(cd, device); 
@@ -1211,8 +1353,8 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr, log_err(cd, _("Requested header backup file %s already exists."), backup_file); else log_err(cd, _("Cannot create header backup file %s."), backup_file); - crypt_safe_free(buffer); - return -EINVAL; + r = -EINVAL; + goto out; } ret = write_buffer(fd, buffer, buffer_size); close(fd); @@ -1221,8 +1363,9 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr, r = -EIO; } else r = 0; - - crypt_safe_free(buffer); +out: + crypt_safe_memzero(buffer, buffer_size); + free(buffer); return r; } @@ -1233,8 +1376,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, int r, fd, devfd = -1, diff_uuid = 0; ssize_t ret, buffer_size = 0; char *buffer = NULL, msg[1024]; - struct luks2_hdr hdr_file; - struct luks2_hdr tmp_hdr = {}; + struct luks2_hdr hdr_file = {}, tmp_hdr = {}; uint32_t reqs = 0; r = device_alloc(cd, &backup_device, backup_file); @@ -1267,7 +1409,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, } buffer_size = LUKS2_hdr_and_areas_size(&hdr_file); - buffer = crypt_safe_alloc(buffer_size); + buffer = malloc(buffer_size); if (!buffer) { r = -ENOMEM; goto out; @@ -1367,10 +1509,9 @@ out: LUKS2_hdr_free(cd, &tmp_hdr); crypt_safe_memzero(&hdr_file, sizeof(hdr_file)); crypt_safe_memzero(&tmp_hdr, sizeof(tmp_hdr)); - crypt_safe_free(buffer); - + crypt_safe_memzero(buffer, buffer_size); + free(buffer); device_sync(cd, device); - return r; } @@ -1463,7 +1604,7 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3 /* LUKS2 library requirements */ struct requirement_flag { uint32_t flag; - uint32_t version; + uint8_t version; const char *description; }; 
@@ -1472,6 +1613,7 @@ static const struct requirement_flag unknown_requirement_flag = { CRYPT_REQUIREM static const struct requirement_flag requirements_flags[] = { { CRYPT_REQUIREMENT_OFFLINE_REENCRYPT,1, "offline-reencrypt" }, { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 2, "online-reencrypt-v2" }, + { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 3, "online-reencrypt-v3" }, { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1, "online-reencrypt" }, { 0, 0, NULL } }; 
@@ -1487,23 +1629,58 @@ static const struct requirement_flag *get_requirement_by_name(const char *requir return &unknown_requirement_flag; } -int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version) +static json_object *mandatory_requirements_jobj(struct luks2_hdr *hdr) { - json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj; + json_object *jobj_config, *jobj_requirements, *jobj_mandatory; + + assert(hdr); + + if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) + return NULL; + + if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements)) + return NULL; + + if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory)) + return NULL; + + return jobj_mandatory; +} + +bool LUKS2_reencrypt_requirement_candidate(struct luks2_hdr *hdr) +{ + json_object *jobj_mandatory; + int i, len; + + assert(hdr); + + jobj_mandatory = mandatory_requirements_jobj(hdr); + if (!jobj_mandatory) + return false; + + len = (int) json_object_array_length(jobj_mandatory); + if (len <= 0) + return false; + + for (i = 0; i < len; i++) { + if (reencrypt_candidate_flag(json_object_get_string(json_object_array_get_idx(jobj_mandatory, i)))) + return true; + } + + return false; +} + +int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version) +{ + json_object *jobj_mandatory, *jobj; int i, len; const struct requirement_flag *req; - assert(hdr && version); - if (!hdr || !version) - return -EINVAL; + assert(hdr); + assert(version); - if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) - return -EINVAL; - - if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements)) - return -ENOENT; - - if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory)) + jobj_mandatory = mandatory_requirements_jobj(hdr); + if (!jobj_mandatory) return -ENOENT; len = (int) json_object_array_length(jobj_mandatory); 
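Review bot: mandatory_requirements_jobj returns whatever is stored under "mandatory" without checking its type, and LUKS2_reencrypt_requirement_candidate passes it to `json_object_array_length` and hands `json_object_get_string` of each element to reencrypt_candidate_flag, which asserts a non-NULL argument. The only type checks visible on this page are in hdr_validate_requirements, so if the helper can run on metadata that has not passed that validation, a non-array value or a null element ends in an abort or a NULL dereference. A guard in the helper, `if (!json_object_is_type(jobj_mandatory, json_type_array)) return NULL;`, plus skipping elements that are not `json_type_string`, would make it safe on its own. Separately, LUKS2_config_get_reencrypt_version now validates `hdr` and `version` with assert only, which disappears under NDEBUG, and a missing "config" object now yields -ENOENT where it used to yield -EINVAL.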
@@ -1519,7 +1696,7 @@ int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version) /* check current library is aware of the requirement */ req = get_requirement_by_name(json_object_get_string(jobj)); - if (req->flag == (uint32_t)CRYPT_REQUIREMENT_UNKNOWN) + if (req->flag == CRYPT_REQUIREMENT_UNKNOWN) continue; *version = req->version; @@ -1532,26 +1709,19 @@ int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version) static const struct requirement_flag *stored_requirement_name_by_id(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id) { - json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj; + json_object *jobj_mandatory, *jobj; int i, len; const struct requirement_flag *req; assert(hdr); - if (!hdr) - return NULL; - if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) - return NULL; - - if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements)) - return NULL; - - if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory)) + jobj_mandatory = mandatory_requirements_jobj(hdr); + if (!jobj_mandatory) return NULL; len = (int) json_object_array_length(jobj_mandatory); if (len <= 0) - return 0; + return NULL; for (i = 0; i < len; i++) { jobj = json_object_array_get_idx(jobj_mandatory, i); 
@@ -1568,23 +1738,17 @@ static const struct requirement_flag *stored_requirement_name_by_id(struct crypt */ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs) { - json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj; + json_object *jobj_mandatory, *jobj; int i, len; const struct requirement_flag *req; assert(hdr); - if (!hdr || !reqs) - return -EINVAL; + assert(reqs); *reqs = 0; - if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) - return 0; - - if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements)) - return 0; - - if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory)) + jobj_mandatory = mandatory_requirements_jobj(hdr); + if (!jobj_mandatory) return 0; len = (int) json_object_array_length(jobj_mandatory); 
@@ -1674,6 +1838,94 @@ err: return r; } +static json_object *LUKS2_get_mandatory_requirements_filtered_jobj(struct luks2_hdr *hdr, + uint32_t filter_req_ids) +{ + int i, len; + const struct requirement_flag *req; + json_object *jobj_mandatory, *jobj_mandatory_filtered, *jobj; + + jobj_mandatory_filtered = json_object_new_array(); + if (!jobj_mandatory_filtered) + return NULL; + + jobj_mandatory = mandatory_requirements_jobj(hdr); + if (!jobj_mandatory) + return jobj_mandatory_filtered; + + len = (int) json_object_array_length(jobj_mandatory); + + for (i = 0; i < len; i++) { + jobj = json_object_array_get_idx(jobj_mandatory, i); + req = get_requirement_by_name(json_object_get_string(jobj)); + if (req->flag == CRYPT_REQUIREMENT_UNKNOWN || req->flag & filter_req_ids) + continue; + json_object_array_add(jobj_mandatory_filtered, + json_object_new_string(req->description)); + } + + return jobj_mandatory_filtered; +} + +/* + * The function looks for specific version of requirement id. + * If it can't be fulfilled function fails. + */ +int LUKS2_config_set_requirement_version(struct crypt_device *cd, + struct luks2_hdr *hdr, + uint32_t req_id, + uint8_t req_version, + bool commit) +{ + json_object *jobj_config, *jobj_requirements, *jobj_mandatory; + const struct requirement_flag *req; + int r = -EINVAL; + + if (!hdr || req_id == CRYPT_REQUIREMENT_UNKNOWN) + return -EINVAL; + + req = requirements_flags; + + while (req->description) { + /* we have a match */ + if (req->flag == req_id && req->version == req_version) + break; + req++; + } + + if (!req->description) + return -EINVAL; + + /* + * Creates copy of mandatory requirements set without specific requirement + * (no matter the version) we want to set. 
+ */ + jobj_mandatory = LUKS2_get_mandatory_requirements_filtered_jobj(hdr, req_id); + if (!jobj_mandatory) + return -ENOMEM; + + json_object_array_add(jobj_mandatory, json_object_new_string(req->description)); + + if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) + goto err; + + if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements)) { + jobj_requirements = json_object_new_object(); + if (!jobj_requirements) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_config, "requirements", jobj_requirements); + } + + json_object_object_add(jobj_requirements, "mandatory", jobj_mandatory); + + return commit ? LUKS2_hdr_write(cd, hdr) : 0; +err: + json_object_put(jobj_mandatory); + return r; +} + /* * Header dump */ @@ -1742,7 +1994,8 @@ static void hdr_dump_keyslots(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_get_ex(hdr_jobj, "keyslots", &keyslots_jobj); for (j = 0; j < LUKS2_KEYSLOTS_MAX; j++) { - (void) snprintf(slot, sizeof(slot), "%i", j); + if (snprintf(slot, sizeof(slot), "%i", j) < 0) + slot[0] = '\0'; json_object_object_get_ex(keyslots_jobj, slot, &val); if (!val) continue; @@ -1784,7 +2037,8 @@ static void hdr_dump_tokens(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_get_ex(hdr_jobj, "tokens", &tokens_jobj); for (j = 0; j < LUKS2_TOKENS_MAX; j++) { - (void) snprintf(token, sizeof(token), "%i", j); + if (snprintf(token, sizeof(token), "%i", j) < 0) + token[0] = '\0'; json_object_object_get_ex(tokens_jobj, token, &val); if (!val) continue; @@ -1814,7 +2068,8 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments); for (i = 0; i < LUKS2_SEGMENT_MAX; i++) { - (void) snprintf(segment, sizeof(segment), "%i", i); + if (snprintf(segment, sizeof(segment), "%i", i) < 0) + segment[0] = '\0'; if (!json_object_object_get_ex(jobj_segments, segment, &jobj_segment)) continue; 
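Review bot: LUKS2_get_mandatory_requirements_filtered_jobj skips every stored name that get_requirement_by_name maps to CRYPT_REQUIREMENT_UNKNOWN, so LUKS2_config_set_requirement_version rewrites "mandatory" without any requirement this library build does not recognise. Mandatory requirements exist to make implementations that lack a feature refuse the device, so dropping unknown ones on write removes that guard unless callers have already rejected such headers; that is not visible in this hunk. If it is guaranteed, say so above the loop, e.g. `/* unknown requirements cannot occur here: headers carrying them are rejected before any write */`; otherwise keep the original entry rather than discarding it. The results of `json_object_new_string` and `json_object_array_add` are also unchecked in both new functions, so an allocation failure can leave the requested flag out of the array without an error being returned.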
@@ -1869,7 +2124,8 @@ static void hdr_dump_digests(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_get_ex(hdr_jobj, "digests", &jobj1); for (i = 0; i < LUKS2_DIGEST_MAX; i++) { - (void) snprintf(key, sizeof(key), "%i", i); + if (snprintf(key, sizeof(key), "%i", i) < 0) + key[0] = '\0'; json_object_object_get_ex(jobj1, key, &val); if (!val) continue; @@ -1927,21 +2183,25 @@ int LUKS2_hdr_dump_json(struct crypt_device *cd, struct luks2_hdr *hdr, const ch int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic) { - int sector_size; - json_object *jobj_segments, *jobj_size; + int i, len, sector_size; + json_object *jobj_segments, *jobj_segment, *jobj_size; uint64_t tmp = 0; if (!size || !json_object_object_get_ex(hdr->jobj, "segments", &jobj_segments)) return -EINVAL; - json_object_object_foreach(jobj_segments, key, val) { - UNUSED(key); - if (json_segment_is_backup(val)) - continue; + len = json_object_object_length(jobj_segments); - json_object_object_get_ex(val, "size", &jobj_size); + for (i = 0; i < len; i++) { + if (!(jobj_segment = json_segments_get_segment(jobj_segments, i))) + return -EINVAL; + + if (json_segment_is_backup(jobj_segment)) + break; + + json_object_object_get_ex(jobj_segment, "size", &jobj_size); if (!strcmp(json_object_get_string(jobj_size), "dynamic")) { - sector_size = json_segment_get_sector_size(val); + sector_size = json_segment_get_sector_size(jobj_segment); /* last dynamic segment must have at least one sector in size */ if (tmp) *size = tmp + (sector_size > 0 ? sector_size : SECTOR_SIZE); 
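Review bot: The rewritten loop in LUKS2_get_data_size stops at the first backup segment (`break` where the old code had `continue`) and returns -EINVAL when index `i` is missing, which assumes segment keys are contiguous from 0 and that no regular segment is numbered after a backup segment; neither assumption is stated. If validation guarantees this, a comment above the loop such as `/* regular segments are numbered 0..n-1, backup segments follow */` would record it. The result of `json_object_object_get_ex(jobj_segment, "size", &jobj_size)` is still passed to `strcmp` unchecked, so the function also relies on "size" having been validated as a string beforehand. The function body continues outside the hunk.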
@@ -2148,15 +2408,9 @@ int LUKS2_get_volume_key_size(struct luks2_hdr *hdr, int segment) return -1; } -int LUKS2_get_sector_size(struct luks2_hdr *hdr) +uint32_t LUKS2_get_sector_size(struct luks2_hdr *hdr) { - json_object *jobj_segment; - - jobj_segment = LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT); - if (!jobj_segment) - return SECTOR_SIZE; - - return json_segment_get_sector_size(jobj_segment) ?: SECTOR_SIZE; + return json_segment_get_sector_size(LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT)); } int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd, @@ -2433,7 +2687,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr tgt = &dmd->segment; /* TODO: We have LUKS2 dependencies now */ - if (hdr && single_segment(dmd) && tgt->type == DM_CRYPT && crypt_get_integrity_tag_size(cd)) + if (single_segment(dmd) && tgt->type == DM_CRYPT && tgt->u.crypt.tag_size) namei = device_dm_name(tgt->data_device); r = dm_device_deps(cd, name, deps_uuid_prefix, deps, ARRAY_SIZE(deps)); diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c index 2e2487c..5cf4b83 100644 --- a/lib/luks2/luks2_keyslot.c +++ b/lib/luks2/luks2_keyslot.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, keyslot handling * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -34,7 +34,7 @@ static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = { }; static const keyslot_handler -*LUKS2_keyslot_handler_type(struct crypt_device *cd __attribute__((unused)), const char *type) +*LUKS2_keyslot_handler_type(const char *type) { int i; 
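Review bot: LUKS2_get_sector_size no longer applies the SECTOR_SIZE fallback itself and passes the result of `LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT)` straight through, so a missing default segment or a zero "sector_size" is only safe if json_segment_get_sector_size accepts NULL and supplies the default. That helper is not part of this hunk, and the unchanged context in LUKS2_get_data_size still guards its result with `sector_size > 0 ? sector_size : SECTOR_SIZE`, which suggests the contract differs between callers. With the return type now `uint32_t`, a zero or error value would reach callers that presumably use it as a divisor or alignment. Once the helper's behaviour is confirmed, a one-line comment on this function stating that it never returns 0 would pin the contract.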
@@ -64,7 +64,7 @@ static const keyslot_handler if (!json_object_object_get_ex(jobj1, "type", &jobj2)) return NULL; - return LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj2)); + return LUKS2_keyslot_handler_type(json_object_get_string(jobj2)); } int LUKS2_keyslot_find_empty(struct crypt_device *cd, struct luks2_hdr *hdr, size_t keylength) @@ -605,38 +605,6 @@ int LUKS2_keyslot_open(struct crypt_device *cd, return r; } -int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd, - struct luks2_hdr *hdr, - int keyslot, - const struct crypt_params_reencrypt *params) -{ - const keyslot_handler *h; - int r; - - if (keyslot == CRYPT_ANY_SLOT) - return -EINVAL; - - h = LUKS2_keyslot_handler_type(cd, "reencrypt"); - if (!h) - return -EINVAL; - - r = reenc_keyslot_alloc(cd, hdr, keyslot, params); - if (r < 0) - return r; - - r = LUKS2_keyslot_priority_set(cd, hdr, keyslot, CRYPT_SLOT_PRIORITY_IGNORE, 0); - if (r < 0) - return r; - - r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot)); - if (r) { - log_dbg(cd, "Keyslot validation failed."); - return r; - } - - return 0; -} - int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd, struct luks2_hdr *hdr, int keyslot, @@ -675,7 +643,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd, if (!LUKS2_get_keyslot_jobj(hdr, keyslot)) { /* Try to allocate default and empty keyslot type */ - h = LUKS2_keyslot_handler_type(cd, "luks2"); + h = LUKS2_keyslot_handler_type("luks2"); if (!h) return -EINVAL; @@ -781,8 +749,7 @@ int LUKS2_keyslot_dump(struct crypt_device *cd, int keyslot) return h->dump(cd, keyslot); } -crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd __attribute__((unused)), - struct luks2_hdr *hdr, int keyslot) +crypt_keyslot_priority LUKS2_keyslot_priority_get(struct luks2_hdr *hdr, int keyslot) { json_object *jobj_keyslot, *jobj_priority; 
@@ -816,8 +783,7 @@ int LUKS2_keyslot_priority_set(struct crypt_device *cd, struct luks2_hdr *hdr, int placeholder_keyslot_alloc(struct crypt_device *cd, int keyslot, uint64_t area_offset, - uint64_t area_length, - size_t volume_key_len __attribute__((unused))) + uint64_t area_length) { struct luks2_hdr *hdr; json_object *jobj_keyslots, *jobj_keyslot, *jobj_area; @@ -898,7 +864,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj) json_object_object_foreach(jobj_keyslots, slot, val) { keyslot = atoi(slot); json_object_object_get_ex(val, "type", &jobj_type); - h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type)); + h = LUKS2_keyslot_handler_type(json_object_get_string(jobj_type)); if (!h) continue; if (h->validate && h->validate(cd, val)) { @@ -920,7 +886,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj) return -EINVAL; } - if (!(reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count) { + if (reencrypt_count && !LUKS2_reencrypt_requirement_candidate(&dummy)) { log_dbg(cd, "Missing reencryption requirement flag."); return -EINVAL; } @@ -945,9 +911,9 @@ void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots) !json_object_is_type(jobj_type, json_type_string)) continue; - h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type)); + h = LUKS2_keyslot_handler_type(json_object_get_string(jobj_type)); if (h && h->repair) - h->repair(cd, val); + h->repair(val); } } diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c index 38d1071..491dcad 100644 --- a/lib/luks2/luks2_keyslot_luks2.c +++ b/lib/luks2/luks2_keyslot_luks2.c 
@@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#include <limits.h> #include "luks2_internal.h" /* FIXME: move keyslot encryption to crypto backend */ @@ -31,6 +32,7 @@ /* Serialize memory-hard keyslot access: optional workaround for parallel processing */ #define MIN_MEMORY_FOR_SERIALIZE_LOCK_KB 32*1024 /* 32MB */ +/* coverity[ -taint_source : arg-0 ] */ static int luks2_encrypt_to_storage(char *src, size_t srcLength, const char *cipher, const char *cipher_mode, struct volume_key *vk, unsigned int sector, @@ -142,10 +144,11 @@ static int luks2_decrypt_from_storage(char *dst, size_t dstLength, } static int luks2_keyslot_get_pbkdf_params(json_object *jobj_keyslot, - struct crypt_pbkdf_type *pbkdf, char *salt) + struct crypt_pbkdf_type *pbkdf, char **salt) { json_object *jobj_kdf, *jobj1, *jobj2; size_t salt_len; + int r; if (!jobj_keyslot || !pbkdf) return -EINVAL; @@ -181,13 +184,16 @@ static int luks2_keyslot_get_pbkdf_params(json_object *jobj_keyslot, if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj2)) return -EINVAL; - salt_len = LUKS_SALTSIZE; - if (!base64_decode(json_object_get_string(jobj2), - json_object_get_string_len(jobj2), - salt, &salt_len)) - return -EINVAL; - if (salt_len != LUKS_SALTSIZE) + + r = crypt_base64_decode(salt, &salt_len, json_object_get_string(jobj2), + json_object_get_string_len(jobj2)); + if (r < 0) + return r; + + if (salt_len != LUKS_SALTSIZE) { + free(*salt); return -EINVAL; + } return 0; } 
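Review bot: In luks2_keyslot_get_pbkdf_params the wrong-length branch calls `free(*salt)` but leaves the caller's pointer set, so `*salt` dangles after the -EINVAL return. Both callers visible on this page return immediately on error, so nothing frees it twice today, but luks2_keyslot_get_key has an `out:` label that calls `free(salt)`, and a later change to `goto out` would turn this into a double free. Adding `*salt = NULL;` right after the `free(*salt);` closes that off. The header comment could also note that on success the caller owns `*salt` and must free it, since the parameter changed from a caller-provided buffer to an allocated one.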
@@ -198,7 +204,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, const char *volume_key, size_t volume_key_len) { struct volume_key *derived_key; - char salt[LUKS_SALTSIZE], cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; + char *salt = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; char *AfKey = NULL; const char *af_hash = NULL; size_t AFEKSize, keyslot_key_len; @@ -236,15 +242,18 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, return -EINVAL; af_hash = json_object_get_string(jobj2); - if (luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, salt)) - return -EINVAL; + r = luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, &salt); + if (r < 0) + return r; /* * Allocate derived key storage. */ derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL); - if (!derived_key) + if (!derived_key) { + free(salt); return -ENOMEM; + } /* * Calculate keyslot content, split and store it to keyslot area. */ @@ -254,7 +263,11 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, derived_key->key, derived_key->keylength, pbkdf.iterations, pbkdf.max_memory_kb, pbkdf.parallel_threads); + free(salt); if (r < 0) { + if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) && + pbkdf.iterations > INT_MAX) + log_err(cd, _("PBKDF2 iteration value overflow.")); crypt_free_volume_key(derived_key); return r; } @@ -267,7 +280,11 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, return -ENOMEM; } - r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash); + r = crypt_hash_size(af_hash); + if (r < 0) + log_err(cd, _("Hash algorithm %s is not available."), af_hash); + else + r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash); if (r == 0) { log_dbg(cd, "Updating keyslot area [0x%04" PRIx64 "].", area_offset); 
@@ -289,12 +306,12 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, const char *password, size_t passwordLen, char *volume_key, size_t volume_key_len) { - struct volume_key *derived_key; + struct volume_key *derived_key = NULL; struct crypt_pbkdf_type pbkdf; - char *AfKey; + char *AfKey = NULL; size_t AFEKSize; const char *af_hash = NULL; - char salt[LUKS_SALTSIZE], cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; + char *salt = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; json_object *jobj2, *jobj_af, *jobj_area; uint64_t area_offset; size_t keyslot_key_len; @@ -305,9 +322,6 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) return -EINVAL; - if (luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, salt)) - return -EINVAL; - if (!json_object_object_get_ex(jobj_af, "hash", &jobj2)) return -EINVAL; af_hash = json_object_get_string(jobj2); @@ -326,12 +340,18 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, return -EINVAL; keyslot_key_len = json_object_get_int(jobj2); + r = luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, &salt); + if (r < 0) + return r; + /* * Allocate derived key storage space. */ derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL); - if (!derived_key) - return -ENOMEM; + if (!derived_key) { + r = -ENOMEM; + goto out; + } AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE; AfKey = crypt_safe_alloc(AFEKSize); 
@@ -368,10 +388,15 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd); } - if (r == 0) - r = AF_merge(cd, AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_hash); - + if (r == 0) { + r = crypt_hash_size(af_hash); + if (r < 0) + log_err(cd, _("Hash algorithm %s is not available."), af_hash); + else + r = AF_merge(AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_hash); + } out: + free(salt); crypt_free_volume_key(derived_key); crypt_safe_free(AfKey); @@ -432,9 +457,9 @@ static int luks2_keyslot_update_json(struct crypt_device *cd, r = crypt_random_get(cd, salt, LUKS_SALTSIZE, CRYPT_RND_SALT); if (r < 0) return r; - base64_encode_alloc(salt, LUKS_SALTSIZE, &salt_base64); - if (!salt_base64) - return -ENOMEM; + r = crypt_base64_encode(&salt_base64, NULL, salt, LUKS_SALTSIZE); + if (r < 0) + return r; json_object_object_add(jobj_kdf, "salt", json_object_new_string(salt_base64)); free(salt_base64); 
@@ -662,50 +687,56 @@ static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_key if (!jobj_keyslot) return -EINVAL; - if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) || - !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || - !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) + if (!(jobj_kdf = json_contains(cd, jobj_keyslot, "", "keyslot", "kdf", json_type_object)) || + !(jobj_af = json_contains(cd, jobj_keyslot, "", "keyslot", "af", json_type_object)) || + !(jobj_area = json_contains(cd, jobj_keyslot, "", "keyslot", "area", json_type_object))) return -EINVAL; count = json_object_object_length(jobj_kdf); - jobj1 = json_contains(cd, jobj_kdf, "", "kdf section", "type", json_type_string); + jobj1 = json_contains_string(cd, jobj_kdf, "", "kdf section", "type"); if (!jobj1) return -EINVAL; type = json_object_get_string(jobj1); if (!strcmp(type, CRYPT_KDF_PBKDF2)) { if (count != 4 || /* type, salt, hash, iterations only */ - !json_contains(cd, jobj_kdf, "kdf type", type, "hash", json_type_string) || + !json_contains_string(cd, jobj_kdf, "kdf type", type, "hash") || !json_contains(cd, jobj_kdf, "kdf type", type, "iterations", json_type_int) || - !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_type_string)) + !json_contains_string(cd, jobj_kdf, "kdf type", type, "salt")) return -EINVAL; } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_ARGON2ID)) { if (count != 5 || /* type, salt, time, memory, cpus only */ !json_contains(cd, jobj_kdf, "kdf type", type, "time", json_type_int) || !json_contains(cd, jobj_kdf, "kdf type", type, "memory", json_type_int) || !json_contains(cd, jobj_kdf, "kdf type", type, "cpus", json_type_int) || - !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_type_string)) + !json_contains_string(cd, jobj_kdf, "kdf type", type, "salt")) return -EINVAL; } - if (!json_object_object_get_ex(jobj_af, "type", &jobj1)) + jobj1 = json_contains_string(cd, jobj_af, "", 
"af section", "type"); + if (!jobj1) return -EINVAL; - if (!strcmp(json_object_get_string(jobj1), "luks1")) { - if (!json_contains(cd, jobj_af, "", "luks1 af", "hash", json_type_string) || + type = json_object_get_string(jobj1); + + if (!strcmp(type, "luks1")) { + if (!json_contains_string(cd, jobj_af, "", "luks1 af", "hash") || !json_contains(cd, jobj_af, "", "luks1 af", "stripes", json_type_int)) return -EINVAL; } else return -EINVAL; // FIXME check numbered - if (!json_object_object_get_ex(jobj_area, "type", &jobj1)) + jobj1 = json_contains_string(cd, jobj_area, "", "area section", "type"); + if (!jobj1) return -EINVAL; - if (!strcmp(json_object_get_string(jobj1), "raw")) { - if (!json_contains(cd, jobj_area, "area", "raw type", "encryption", json_type_string) || + type = json_object_get_string(jobj1); + + if (!strcmp(type, "raw")) { + if (!json_contains_string(cd, jobj_area, "area", "raw type", "encryption") || !json_contains(cd, jobj_area, "area", "raw type", "key_size", json_type_int) || - !json_contains(cd, jobj_area, "area", "raw type", "offset", json_type_string) || - !json_contains(cd, jobj_area, "area", "raw type", "size", json_type_string)) + !json_contains_string(cd, jobj_area, "area", "raw type", "offset") || + !json_contains_string(cd, jobj_area, "area", "raw type", "size")) return -EINVAL; } else return -EINVAL; @@ -740,7 +771,7 @@ static int luks2_keyslot_update(struct crypt_device *cd, return r; } -static void luks2_keyslot_repair(struct crypt_device *cd __attribute__((unused)), json_object *jobj_keyslot) +static void luks2_keyslot_repair(json_object *jobj_keyslot) { const char *type; json_object *jobj_kdf, *jobj_type; diff --git a/lib/luks2/luks2_keyslot_reenc.c b/lib/luks2/luks2_keyslot_reenc.c index afacaa7..4291d0c 100644 --- a/lib/luks2/luks2_keyslot_reenc.c +++ b/lib/luks2/luks2_keyslot_reenc.c 
@@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler * - * Copyright (C) 2016-2021, Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021, Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
@@ -31,10 +31,77 @@ static int reenc_keyslot_open(struct crypt_device *cd __attribute__((unused)), return -ENOENT; } -int reenc_keyslot_alloc(struct crypt_device *cd, +static json_object *reencrypt_keyslot_area_jobj(struct crypt_device *cd, + const struct crypt_params_reencrypt *params, + size_t alignment, + uint64_t area_offset, + uint64_t area_length) +{ + json_object *jobj_area = json_object_new_object(); + + if (!jobj_area || !params || !params->resilience) + return NULL; + + json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); + json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); + json_object_object_add(jobj_area, "type", json_object_new_string(params->resilience)); + + if (!strcmp(params->resilience, "checksum")) { + log_dbg(cd, "Setting reencrypt keyslot for checksum protection."); + json_object_object_add(jobj_area, "hash", json_object_new_string(params->hash)); + json_object_object_add(jobj_area, "sector_size", json_object_new_int64(alignment)); + } else if (!strcmp(params->resilience, "journal")) { + log_dbg(cd, "Setting reencrypt keyslot for journal protection."); + } else if (!strcmp(params->resilience, "none")) { + log_dbg(cd, "Setting reencrypt keyslot for none protection."); + } else if (!strcmp(params->resilience, "datashift")) { + log_dbg(cd, "Setting reencrypt keyslot for datashift protection."); + json_object_object_add(jobj_area, "shift_size", + crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT)); + } else if (!strcmp(params->resilience, "datashift-checksum")) { + log_dbg(cd, "Setting reencrypt keyslot for datashift and checksum protection."); + json_object_object_add(jobj_area, "hash", json_object_new_string(params->hash)); + json_object_object_add(jobj_area, "sector_size", json_object_new_int64(alignment)); + json_object_object_add(jobj_area, "shift_size", + crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT)); + } else if (!strcmp(params->resilience, "datashift-journal")) { 
+ log_dbg(cd, "Setting reencrypt keyslot for datashift and journal protection."); + json_object_object_add(jobj_area, "shift_size", + crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT)); + } else { + json_object_put(jobj_area); + return NULL; + } + + return jobj_area; +} + +static json_object *reencrypt_keyslot_area_jobj_update_block_size(struct crypt_device *cd, + json_object *jobj_area, size_t alignment) +{ + json_object *jobj_type, *jobj_area_new = NULL; + + if (!jobj_area || + !json_object_object_get_ex(jobj_area, "type", &jobj_type) || + (strcmp(json_object_get_string(jobj_type), "checksum") && + strcmp(json_object_get_string(jobj_type), "datashift-checksum"))) + return NULL; + + if (json_object_copy(jobj_area, &jobj_area_new)) + return NULL; + + log_dbg(cd, "Updating reencrypt resilience checksum block size."); + + json_object_object_add(jobj_area_new, "sector_size", json_object_new_int64(alignment)); + + return jobj_area_new; +} + +static int reenc_keyslot_alloc(struct crypt_device *cd, struct luks2_hdr *hdr, int keyslot, - const struct crypt_params_reencrypt *params) + const struct crypt_params_reencrypt *params, + size_t alignment) { int r; json_object *jobj_keyslots, *jobj_keyslot, *jobj_area; 
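Review bot: reencrypt_keyslot_area_jobj() allocates `jobj_area` before it checks `params`, so the early `return NULL` for a missing `params` or `params->resilience` leaks the newly created object. The "checksum" and "datashift-checksum" branches also pass `params->hash` to json_object_new_string() without a NULL check, while reenc_keyslot_update_needed() later in this commit does reject a NULL hash; whether callers guarantee a hash here is not visible in the diff. Validating the arguments first and allocating afterwards removes both problems.

```c
/* reencrypt_keyslot_area_jobj(): replaces the initialised declaration and the first check */
	json_object *jobj_area;
	bool with_checksum;

	if (!params || !params->resilience)
		return NULL;

	/* checksum based modes store params->hash in the area object */
	with_checksum = !strcmp(params->resilience, "checksum") ||
			!strcmp(params->resilience, "datashift-checksum");
	if (with_checksum && !params->hash)
		return NULL;

	jobj_area = json_object_new_object();
	if (!jobj_area)
		return NULL;

	/* … unchanged: offset/size/type fields and the per-mode branches … */
```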
@@ -42,50 +109,41 @@ int reenc_keyslot_alloc(struct crypt_device *cd, log_dbg(cd, "Allocating reencrypt keyslot %d.", keyslot); + if (!params || !params->resilience || params->direction > CRYPT_REENCRYPT_BACKWARD) + return -EINVAL; + if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX) return -ENOMEM; if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots)) return -EINVAL; - /* encryption doesn't require area (we shift data and backup will be available) */ - if (!params->data_shift) { - r = LUKS2_find_area_max_gap(cd, hdr, &area_offset, &area_length); - if (r < 0) - return r; - } else { /* we can't have keyslot w/o area...bug? */ + /* only plain datashift resilience mode does not require additional storage */ + if (!strcmp(params->resilience, "datashift")) r = LUKS2_find_area_gap(cd, hdr, 1, &area_offset, &area_length); - if (r < 0) - return r; - } + else + r = LUKS2_find_area_max_gap(cd, hdr, &area_offset, &area_length); + if (r < 0) + return r; + + jobj_area = reencrypt_keyslot_area_jobj(cd, params, alignment, area_offset, area_length); + if (!jobj_area) + return -EINVAL; jobj_keyslot = json_object_new_object(); - if (!jobj_keyslot) + if (!jobj_keyslot) { + json_object_put(jobj_area); return -ENOMEM; - - jobj_area = json_object_new_object(); - - if (params->data_shift) { - json_object_object_add(jobj_area, "type", json_object_new_string("datashift")); - json_object_object_add(jobj_area, "shift_size", crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT)); - } else - /* except data shift protection, initial setting is irrelevant. 
Type can be changed during reencryption */ - json_object_object_add(jobj_area, "type", json_object_new_string("none")); - - json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); - json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); + } + json_object_object_add(jobj_keyslot, "area", jobj_area); json_object_object_add(jobj_keyslot, "type", json_object_new_string("reencrypt")); json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(1)); /* useless but mandatory */ json_object_object_add(jobj_keyslot, "mode", json_object_new_string(crypt_reencrypt_mode_to_str(params->mode))); if (params->direction == CRYPT_REENCRYPT_FORWARD) json_object_object_add(jobj_keyslot, "direction", json_object_new_string("forward")); - else if (params->direction == CRYPT_REENCRYPT_BACKWARD) - json_object_object_add(jobj_keyslot, "direction", json_object_new_string("backward")); else - return -EINVAL; - - json_object_object_add(jobj_keyslot, "area", jobj_area); + json_object_object_add(jobj_keyslot, "direction", json_object_new_string("backward")); json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); if (LUKS2_check_json_size(cd, hdr)) { @@ -230,7 +288,8 @@ static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot) static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot) { - json_object *jobj_mode, *jobj_area, *jobj_type, *jobj_shift_size, *jobj_hash, *jobj_sector_size, *jobj_direction, *jobj_key_size; + json_object *jobj_mode, *jobj_area, *jobj_type, *jobj_shift_size, *jobj_hash, + *jobj_sector_size, *jobj_direction, *jobj_key_size; const char *mode, *type, *direction; uint32_t sector_size; uint64_t shift_size; 
@@ -238,10 +297,10 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key /* mode (string: encrypt,reencrypt,decrypt) * direction (string:) * area { - * type: (string: datashift, journal, checksum, none) - * hash: (string: checksum only) - * sector_size (uint32: checksum only) - * shift_size (uint64: datashift only) + * type: (string: datashift, journal, checksum, none, datashift-journal, datashift-checksum) + * hash: (string: checksum and datashift-checksum types) + * sector_size (uint32: checksum and datashift-checksum types) + * shift_size (uint64: all datashift based types) * } */ @@ -251,8 +310,8 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key return -EINVAL; jobj_key_size = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "key_size", json_type_int); - jobj_mode = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "mode", json_type_string); - jobj_direction = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "direction", json_type_string); + jobj_mode = json_contains_string(cd, jobj_keyslot, "", "reencrypt keyslot", "mode"); + jobj_direction = json_contains_string(cd, jobj_keyslot, "", "reencrypt keyslot", "direction"); if (!jobj_mode || !jobj_direction || !jobj_key_size) return -EINVAL; 
@@ -277,20 +336,26 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key return -EINVAL; } - if (!strcmp(type, "checksum")) { - jobj_hash = json_contains(cd, jobj_area, "type:checksum", "Keyslot area", "hash", json_type_string); - jobj_sector_size = json_contains(cd, jobj_area, "type:checksum", "Keyslot area", "sector_size", json_type_int); + if (!strcmp(type, "checksum") || !strcmp(type, "datashift-checksum")) { + jobj_hash = json_contains_string(cd, jobj_area, "type:checksum", + "Keyslot area", "hash"); + jobj_sector_size = json_contains(cd, jobj_area, "type:checksum", + "Keyslot area", "sector_size", json_type_int); if (!jobj_hash || !jobj_sector_size) return -EINVAL; if (!validate_json_uint32(jobj_sector_size)) return -EINVAL; sector_size = crypt_jobj_get_uint32(jobj_sector_size); if (sector_size < SECTOR_SIZE || NOTPOW2(sector_size)) { - log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", sector_size); + log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", + sector_size); return -EINVAL; } - } else if (!strcmp(type, "datashift")) { - if (!(jobj_shift_size = json_contains(cd, jobj_area, "type:datashift", "Keyslot area", "shift_size", json_type_string))) + } else if (!strcmp(type, "datashift") || + !strcmp(type, "datashift-checksum") || + !strcmp(type, "datashift-journal")) { + if (!(jobj_shift_size = json_contains_string(cd, jobj_area, "type:datashift", + "Keyslot area", "shift_size"))) return -EINVAL; shift_size = crypt_jobj_get_uint64(jobj_shift_size); @@ -298,7 +363,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key return -EINVAL; if (MISALIGNED_512(shift_size)) { - log_dbg(cd, "Shift size field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE); + log_dbg(cd, "Shift size field has to be aligned to 512 bytes."); return -EINVAL; } } 
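Review bot: The `shift_size` validation is unreachable for the new "datashift-checksum" type, because that string already matches the first condition (`checksum` or `datashift-checksum`) and the `else if` that lists it again is never evaluated for it. A keyslot area of that type therefore passes reenc_keyslot_validate() without the presence and 512-byte alignment checks on `shift_size`, although reenc_keyslot_load_resilience_primary() in this commit reads that field from the same on-disk metadata. Making the second test independent fixes it: close the first block with `}` and start the second with a plain `if (!strcmp(type, "datashift") ||` instead of `} else if (!strcmp(type, "datashift") ||`. The function starts and ends outside this hunk.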
@@ -306,6 +371,377 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key return 0; } +static int reenc_keyslot_update_needed(struct crypt_device *cd, + json_object *jobj_keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment) +{ + const char *type; + json_object *jobj_area, *jobj_type, *jobj; + + if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) || + !json_object_object_get_ex(jobj_area, "type", &jobj_type) || + !(type = json_object_get_string(jobj_type))) + return -EINVAL; + + /* + * If no resilience mode change is requested and effective + * resilience mode is 'checksum' then check alignment matches + * stored checksum block size. + */ + if (!params || !params->resilience) { + if (!strcmp(json_object_get_string(jobj_type), "checksum") || + !strcmp(json_object_get_string(jobj_type), "datashift-checksum")) + return (json_object_object_get_ex(jobj_area, "sector_size", &jobj) || + alignment != crypt_jobj_get_uint32(jobj)); + return 0; + } + + if (strcmp(params->resilience, type)) + return 1; + + if (!strcmp(type, "checksum") || + !strcmp(type, "datashift-checksum")) { + if (!params->hash) + return -EINVAL; + if (!json_object_object_get_ex(jobj_area, "hash", &jobj) || + strcmp(json_object_get_string(jobj), params->hash) || + !json_object_object_get_ex(jobj_area, "sector_size", &jobj) || + crypt_jobj_get_uint32(jobj) != alignment) + return 1; + } + + if (!strncmp(type, "datashift", 9)) { + if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj)) + return -EINVAL; + if ((params->data_shift << SECTOR_SHIFT) != crypt_jobj_get_uint64(jobj)) + return 1; + } + + /* nothing to compare with 'none' and 'journal' */ + return 0; +} + +static int load_checksum_protection(struct crypt_device *cd, + json_object *jobj_area, + uint64_t area_length, + struct reenc_protection *rp) +{ + int r; + json_object *jobj_hash, *jobj_block_size; + + if (!jobj_area || !rp || + !json_object_object_get_ex(jobj_area, "hash", 
&jobj_hash) || + !json_object_object_get_ex(jobj_area, "sector_size", &jobj_block_size)) + return -EINVAL; + + r = snprintf(rp->p.csum.hash, sizeof(rp->p.csum.hash), "%s", json_object_get_string(jobj_hash)); + if (r < 0 || (size_t)r >= sizeof(rp->p.csum.hash)) + return -EINVAL; + + if (crypt_hash_init(&rp->p.csum.ch, rp->p.csum.hash)) { + log_err(cd, _("Hash algorithm %s is not available."), rp->p.csum.hash); + return -EINVAL; + } + + r = crypt_hash_size(rp->p.csum.hash); + if (r <= 0) { + crypt_hash_destroy(rp->p.csum.ch); + rp->p.csum.ch = NULL; + log_dbg(cd, "Invalid hash size"); + return -EINVAL; + } + + rp->p.csum.hash_size = r; + rp->p.csum.block_size = crypt_jobj_get_uint32(jobj_block_size); + rp->p.csum.checksums_len = area_length; + + rp->type = REENC_PROTECTION_CHECKSUM; + return 0; +} + +static int reenc_keyslot_load_resilience_primary(struct crypt_device *cd, + const char *type, + json_object *jobj_area, + uint64_t area_length, + struct reenc_protection *rp) +{ + json_object *jobj; + + if (!strcmp(type, "checksum")) { + log_dbg(cd, "Initializing checksum resilience mode."); + return load_checksum_protection(cd, jobj_area, area_length, rp); + } else if (!strcmp(type, "journal")) { + log_dbg(cd, "Initializing journal resilience mode."); + rp->type = REENC_PROTECTION_JOURNAL; + } else if (!strcmp(type, "none")) { + log_dbg(cd, "Initializing none resilience mode."); + rp->type = REENC_PROTECTION_NONE; + } else if (!strcmp(type, "datashift") || + !strcmp(type, "datashift-checksum") || + !strcmp(type, "datashift-journal")) { + log_dbg(cd, "Initializing datashift resilience mode."); + if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj)) + return -EINVAL; + rp->type = REENC_PROTECTION_DATASHIFT; + rp->p.ds.data_shift = crypt_jobj_get_uint64(jobj); + } else + return -EINVAL; + + return 0; +} + +static int reenc_keyslot_load_resilience_secondary(struct crypt_device *cd, + const char *type, + json_object *jobj_area, + uint64_t area_length, + struct 
reenc_protection *rp) +{ + if (!strcmp(type, "datashift-checksum")) { + log_dbg(cd, "Initializing checksum resilience mode."); + return load_checksum_protection(cd, jobj_area, area_length, rp); + } else if (!strcmp(type, "datashift-journal")) { + log_dbg(cd, "Initializing journal resilience mode."); + rp->type = REENC_PROTECTION_JOURNAL; + } else + rp->type = REENC_PROTECTION_NOT_SET; + + return 0; +} + +static int reenc_keyslot_load_resilience(struct crypt_device *cd, + json_object *jobj_keyslot, + struct reenc_protection *rp, + bool primary) +{ + const char *type; + int r; + json_object *jobj_area, *jobj_type; + uint64_t dummy, area_length; + + if (!rp || !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) || + !json_object_object_get_ex(jobj_area, "type", &jobj_type)) + return -EINVAL; + + r = LUKS2_keyslot_jobj_area(jobj_keyslot, &dummy, &area_length); + if (r < 0) + return r; + + type = json_object_get_string(jobj_type); + if (!type) + return -EINVAL; + + if (primary) + return reenc_keyslot_load_resilience_primary(cd, type, jobj_area, area_length, rp); + else + return reenc_keyslot_load_resilience_secondary(cd, type, jobj_area, area_length, rp); +} + +static bool reenc_keyslot_update_is_valid(struct crypt_device *cd, + json_object *jobj_area, + const struct crypt_params_reencrypt *params) +{ + const char *type; + json_object *jobj_type, *jobj; + + if (!json_object_object_get_ex(jobj_area, "type", &jobj_type) || + !(type = json_object_get_string(jobj_type))) + return false; + + /* do not allow switch to/away from datashift resilience type */ + if ((strcmp(params->resilience, "datashift") && !strcmp(type, "datashift")) || + (!strcmp(params->resilience, "datashift") && strcmp(type, "datashift"))) + return false; + + /* do not allow switch to/away from datashift- resilience subvariants */ + if ((strncmp(params->resilience, "datashift-", 10) && + !strncmp(type, "datashift-", 10)) || + (!strncmp(params->resilience, "datashift-", 10) && + strncmp(type, 
"datashift-", 10))) + return false; + + /* datashift value is also immutable */ + if (!strncmp(type, "datashift", 9)) { + if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj)) + return false; + return (params->data_shift << SECTOR_SHIFT) == crypt_jobj_get_uint64(jobj); + } + + return true; +} + +static int reenc_keyslot_update(struct crypt_device *cd, + json_object *jobj_keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment) +{ + int r; + json_object *jobj_area, *jobj_area_new; + uint64_t area_offset, area_length; + + if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) + return -EINVAL; + + r = LUKS2_keyslot_jobj_area(jobj_keyslot, &area_offset, &area_length); + if (r < 0) + return r; + + if (!params || !params->resilience) + jobj_area_new = reencrypt_keyslot_area_jobj_update_block_size(cd, jobj_area, alignment); + else { + if (!reenc_keyslot_update_is_valid(cd, jobj_area, params)) { + log_err(cd, _("Invalid reencryption resilience mode change requested.")); + return -EINVAL; + } + + jobj_area_new = reencrypt_keyslot_area_jobj(cd, params, alignment, + area_offset, area_length); + } + + if (!jobj_area_new) + return -EINVAL; + + /* increase refcount for validation purposes */ + json_object_get(jobj_area); + + json_object_object_add(jobj_keyslot, "area", jobj_area_new); + + r = reenc_keyslot_validate(cd, jobj_keyslot); + if (r) { + /* replace invalid object with previous valid one */ + json_object_object_add(jobj_keyslot, "area", jobj_area); + return -EINVAL; + } + + /* previous area object is no longer needed */ + json_object_put(jobj_area); + + return 0; +} + +int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment) +{ + int r; + + if (keyslot == CRYPT_ANY_SLOT) + return -EINVAL; + + r = reenc_keyslot_alloc(cd, hdr, keyslot, params, alignment); + if (r < 0) + return r; + + r = LUKS2_keyslot_priority_set(cd, hdr, 
keyslot, CRYPT_SLOT_PRIORITY_IGNORE, 0); + if (r < 0) + return r; + + r = reenc_keyslot_validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot)); + if (r) { + log_dbg(cd, "Keyslot validation failed."); + return r; + } + + return 0; +} + +int LUKS2_keyslot_reencrypt_update_needed(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment) +{ + int r; + json_object *jobj_type, *jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); + + if (!jobj_keyslot || + !json_object_object_get_ex(jobj_keyslot, "type", &jobj_type) || + strcmp(json_object_get_string(jobj_type), "reencrypt")) + return -EINVAL; + + r = reenc_keyslot_update_needed(cd, jobj_keyslot, params, alignment); + if (!r) + log_dbg(cd, "No update of reencrypt keyslot needed."); + + return r; +} + +int LUKS2_keyslot_reencrypt_update(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + const struct crypt_params_reencrypt *params, + size_t alignment, + struct volume_key *vks) +{ + int r; + uint8_t version; + uint64_t max_size, moved_segment_size; + json_object *jobj_type, *jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); + struct reenc_protection check_rp = {}; + + if (!jobj_keyslot || + !json_object_object_get_ex(jobj_keyslot, "type", &jobj_type) || + strcmp(json_object_get_string(jobj_type), "reencrypt")) + return -EINVAL; + + if (LUKS2_config_get_reencrypt_version(hdr, &version)) + return -EINVAL; + + /* verify existing reencryption metadata before updating */ + r = LUKS2_reencrypt_digest_verify(cd, hdr, vks); + if (r < 0) + return r; + + r = reenc_keyslot_update(cd, jobj_keyslot, params, alignment); + if (r < 0) + return r; + + r = reenc_keyslot_load_resilience(cd, jobj_keyslot, &check_rp, false); + if (r < 0) + return r; + + if (check_rp.type != REENC_PROTECTION_NOT_SET) { + r = LUKS2_reencrypt_max_hotzone_size(cd, hdr, &check_rp, keyslot, &max_size); + LUKS2_reencrypt_protection_erase(&check_rp); + if (r < 0) + return r; + 
moved_segment_size = json_segment_get_size(LUKS2_get_segment_by_flag(hdr, "backup-moved-segment"), 0); + if (!moved_segment_size) + return -EINVAL; + if (moved_segment_size > max_size) { + log_err(cd, _("Can not update resilience type. " + "New type only provides %" PRIu64 " bytes, " + "required space is: %" PRIu64 " bytes."), + max_size, moved_segment_size); + return -EINVAL; + } + } + + r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, version, vks); + if (r < 0) + log_err(cd, _("Failed to refresh reencryption verification digest.")); + + return r ?: LUKS2_hdr_write(cd, hdr); +} + +int LUKS2_keyslot_reencrypt_load(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + struct reenc_protection *rp, + bool primary) +{ + json_object *jobj_type, *jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); + + if (!jobj_keyslot || + !json_object_object_get_ex(jobj_keyslot, "type", &jobj_type) || + strcmp(json_object_get_string(jobj_type), "reencrypt")) + return -EINVAL; + + return reenc_keyslot_load_resilience(cd, jobj_keyslot, rp, primary); +} + const keyslot_handler reenc_keyslot = { .name = "reencrypt", .open = reenc_keyslot_open, diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c index 84fd44f..6d3fa1e 100644 --- a/lib/luks2/luks2_luks1_convert.c +++ b/lib/luks2/luks2_luks1_convert.c @@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code * - * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021 Ondrej Kozina - * Copyright (C) 2015-2021 Milan Broz + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Ondrej Kozina + * Copyright (C) 2015-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
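Review bot: In reenc_keyslot_update_needed(), the no-params branch for the checksum types returns `json_object_object_get_ex(jobj_area, "sector_size", &jobj) || alignment != crypt_jobj_get_uint32(jobj)`, which looks inverted. When `sector_size` is present the lookup succeeds and an update is reported as needed without comparing anything; when it is absent, `jobj` is passed to crypt_jobj_get_uint32() without having been set by a successful lookup. The parallel check further down in the same function negates the lookup, and this one should match it: `return (!json_object_object_get_ex(jobj_area, "sector_size", &jobj) || alignment != crypt_jobj_get_uint32(jobj));`. Separately, LUKS2_keyslot_reencrypt_update() changes the in-memory keyslot before the hotzone and moved-segment checks, so an error return after reenc_keyslot_update() appears to leave the modified area object in `hdr` unless the caller reloads the header; a comment on the function stating that expectation would help.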
@@ -24,12 +24,38 @@ #include "../luks1/luks.h" #include "../luks1/af.h" +/* This differs from LUKS_check_cipher() that it does not check dm-crypt fallback. */ int LUKS2_check_cipher(struct crypt_device *cd, size_t keylength, const char *cipher, const char *cipher_mode) { - return LUKS_check_cipher(cd, keylength, cipher, cipher_mode); + int r; + struct crypt_storage *s; + char buf[SECTOR_SIZE], *empty_key; + + log_dbg(cd, "Checking if cipher %s-%s is usable (storage wrapper).", cipher, cipher_mode); + + empty_key = crypt_safe_alloc(keylength); + if (!empty_key) + return -ENOMEM; + + /* No need to get KEY quality random but it must avoid known weak keys. */ + r = crypt_random_get(cd, empty_key, keylength, CRYPT_RND_NORMAL); + if (r < 0) + goto out; + + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, empty_key, keylength, false); + if (r < 0) + goto out; + + memset(buf, 0, sizeof(buf)); + r = crypt_storage_decrypt(s, 0, sizeof(buf), buf); + crypt_storage_destroy(s); +out: + crypt_safe_free(empty_key); + crypt_safe_memzero(buf, sizeof(buf)); + return r; } static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struct json_object **keyslot_object) @@ -37,7 +63,8 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc char *base64_str, cipher[LUKS_CIPHERNAME_L+LUKS_CIPHERMODE_L]; size_t base64_len; struct json_object *keyslot_obj, *field, *jobj_kdf, *jobj_af, *jobj_area; - uint64_t offset, area_size, offs_a, offs_b, length; + uint64_t offset, area_size, length; + int r; keyslot_obj = json_object_new_object(); json_object_object_add(keyslot_obj, "type", json_object_new_string("luks2")); 
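Review bot: `empty_key` in LUKS2_check_cipher() is no longer empty: it is filled by crypt_random_get() specifically to avoid known weak keys, so a name such as `probe_key` would match the comment above that call. The new header comment would read more clearly as `/* Unlike LUKS_check_cipher(), this does not try the dm-crypt fallback; it only probes the storage wrapper. */`. `keylength` is passed to crypt_safe_alloc() unchecked, and if that allocator returns NULL for a zero size (not visible here), a zero key length would be reported as -ENOMEM rather than -EINVAL.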
@@ -49,13 +76,11 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc json_object_object_add(jobj_kdf, "hash", json_object_new_string(hdr_v1->hashSpec)); json_object_object_add(jobj_kdf, "iterations", json_object_new_int64(hdr_v1->keyblock[keyslot].passwordIterations)); /* salt field */ - base64_len = base64_encode_alloc(hdr_v1->keyblock[keyslot].passwordSalt, LUKS_SALTSIZE, &base64_str); - if (!base64_str) { + r = crypt_base64_encode(&base64_str, &base64_len, hdr_v1->keyblock[keyslot].passwordSalt, LUKS_SALTSIZE); + if (r < 0) { json_object_put(keyslot_obj); json_object_put(jobj_kdf); - if (!base64_len) - return -EINVAL; - return -ENOMEM; + return r; } field = json_object_new_string_len(base64_str, base64_len); free(base64_str); @@ -67,7 +92,7 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc json_object_object_add(jobj_af, "type", json_object_new_string("luks1")); json_object_object_add(jobj_af, "hash", json_object_new_string(hdr_v1->hashSpec)); /* stripes field ignored, fixed to LUKS_STRIPES (4000) */ - json_object_object_add(jobj_af, "stripes", json_object_new_int(4000)); + json_object_object_add(jobj_af, "stripes", json_object_new_int(LUKS_STRIPES)); json_object_object_add(keyslot_obj, "af", jobj_af); /* Area */ 
@@ -76,20 +101,22 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc /* encryption algorithm field */ if (*hdr_v1->cipherMode != '\0') { - (void) snprintf(cipher, sizeof(cipher), "%s-%s", hdr_v1->cipherName, hdr_v1->cipherMode); + if (snprintf(cipher, sizeof(cipher), "%s-%s", hdr_v1->cipherName, hdr_v1->cipherMode) < 0) { + json_object_put(keyslot_obj); + json_object_put(jobj_area); + return -EINVAL; + } json_object_object_add(jobj_area, "encryption", json_object_new_string(cipher)); } else json_object_object_add(jobj_area, "encryption", json_object_new_string(hdr_v1->cipherName)); /* area */ - if (LUKS_keyslot_area(hdr_v1, 0, &offs_a, &length) || - LUKS_keyslot_area(hdr_v1, 1, &offs_b, &length) || - LUKS_keyslot_area(hdr_v1, keyslot, &offset, &length)) { + if (LUKS_keyslot_area(hdr_v1, keyslot, &offset, &length)) { json_object_put(keyslot_obj); json_object_put(jobj_area); return -EINVAL; } - area_size = offs_b - offs_a; + area_size = size_round_up(length, 4096); json_object_object_add(jobj_area, "key_size", json_object_new_int(hdr_v1->keyBytes)); json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset)); json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_size)); @@ -170,7 +197,10 @@ static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object /* cipher field */ if (*hdr_v1->cipherMode != '\0') { - (void) snprintf(cipher, sizeof(cipher), "%s-%s", hdr_v1->cipherName, hdr_v1->cipherMode); + if (snprintf(cipher, sizeof(cipher), "%s-%s", hdr_v1->cipherName, hdr_v1->cipherMode) < 0) { + json_object_put(segment_obj); + return -EINVAL; + } c = cipher; } else c = hdr_v1->cipherName; 
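Review bot: The new snprintf() check in json_luks1_keyslot() only tests for a negative return, so a truncated `cipher` string would still be written into the "encryption" field. `cipherName` and `cipherMode` come from the LUKS1 header being converted, and load_checksum_protection() added by this same commit already uses the stricter form. I would use it here too: `r = snprintf(cipher, sizeof(cipher), "%s-%s", hdr_v1->cipherName, hdr_v1->cipherMode);` followed by `if (r < 0 || (size_t)r >= sizeof(cipher)) {`. The same applies to the identical snprintf() in json_luks1_segment() in the next hunk. Whether the two header fields are guaranteed to be NUL-terminated and short enough to fit is decided outside this diff.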
@@ -216,8 +246,8 @@ static int json_luks1_segments(const struct luks_phdr *hdr_v1, struct json_objec static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object **digest_object) { - char keyslot_str[2], *base64_str; - int ks; + char keyslot_str[16], *base64_str; + int r, ks; size_t base64_len; struct json_object *digest_obj, *array, *field; @@ -244,7 +274,12 @@ static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object for (ks = 0; ks < LUKS_NUMKEYS; ks++) { if (hdr_v1->keyblock[ks].active != LUKS_KEY_ENABLED) continue; - (void) snprintf(keyslot_str, sizeof(keyslot_str), "%d", ks); + if (snprintf(keyslot_str, sizeof(keyslot_str), "%d", ks) < 0) { + json_object_put(field); + json_object_put(array); + json_object_put(digest_obj); + return -EINVAL; + } field = json_object_new_string(keyslot_str); if (!field || json_object_array_add(array, field) < 0) { @@ -284,12 +319,10 @@ static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object json_object_object_add(digest_obj, "hash", field); /* salt field */ - base64_len = base64_encode_alloc(hdr_v1->mkDigestSalt, LUKS_SALTSIZE, &base64_str); - if (!base64_str) { + r = crypt_base64_encode(&base64_str, &base64_len, hdr_v1->mkDigestSalt, LUKS_SALTSIZE); + if (r < 0) { json_object_put(digest_obj); - if (!base64_len) - return -EINVAL; - return -ENOMEM; + return r; } field = json_object_new_string_len(base64_str, base64_len); @@ -301,12 +334,10 @@ static int json_luks1_digest(const struct luks_phdr *hdr_v1, struct json_object json_object_object_add(digest_obj, "salt", field); /* digest field */ - base64_len = base64_encode_alloc(hdr_v1->mkDigest, LUKS_DIGESTSIZE, &base64_str); - if (!base64_str) { + r = crypt_base64_encode(&base64_str, &base64_len, hdr_v1->mkDigest, LUKS_DIGESTSIZE); + if (r < 0) { json_object_put(digest_obj); - if (!base64_len) - return -EINVAL; - return -ENOMEM; + return r; } field = json_object_new_string_len(base64_str, base64_len); 
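Review bot: The snprintf error branch added to the keyslot loop in json_luks1_digest calls `json_object_put(field)` before `field` has been assigned in that iteration, so it releases whatever object the variable last pointed to. On any iteration after the first, that is the string already handed to `array` by `json_object_array_add()` just below, and it is released again through `json_object_put(array)`. What `field` holds on the first iteration is set outside the hunk. The branch should release only `array` and `digest_obj`, so drop the `json_object_put(field);` line.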
@@ -424,7 +455,6 @@ static void move_keyslot_offset(json_object *jobj, int offset_add) } } -/* FIXME: return specific error code for partial write error (aka keyslots are gone) */ static int move_keyslot_areas(struct crypt_device *cd, off_t offset_from, off_t offset_to, size_t buf_size) { @@ -535,6 +565,12 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct return -EINVAL; } + if (LUKS2_check_cipher(cd, hdr1->keyBytes, hdr1->cipherName, hdr1->cipherMode)) { + log_err(cd, _("Unable to use cipher specification %s-%s for LUKS2."), + hdr1->cipherName, hdr1->cipherMode); + return -EINVAL; + } + if (luksmeta_header_present(cd, luks1_size)) return -EINVAL; @@ -558,7 +594,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct move_keyslot_offset(jobj, luks1_shift); - // fill hdr2 + /* Create and fill LUKS2 hdr */ memset(hdr2, 0, sizeof(*hdr2)); hdr2->hdr_size = LUKS2_HDR_16K_LEN; hdr2->seqid = 1; @@ -580,6 +616,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct /* check future LUKS2 metadata before moving keyslots area */ if (LUKS2_hdr_validate(cd, hdr2->jobj, hdr2->hdr_size - LUKS2_HDR_BIN_LEN)) { + log_err(cd, _("Cannot convert to LUKS2 format - invalid metadata.")); r = -EINVAL; goto out; } @@ -590,7 +627,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct goto out; } - // move keyslots 4k -> 32k offset + /* move keyslots 4k -> 32k offset */ buf_offset = 2 * LUKS2_HDR_16K_LEN; buf_size = luks1_size - LUKS_ALIGN_KEYSLOTS; @@ -606,7 +643,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct goto out; } - // Write JSON hdr2 + /* Write new LUKS2 JSON */ r = LUKS2_hdr_write(cd, hdr2); out: LUKS2_hdr_free(cd, hdr2); 
@@ -651,8 +688,6 @@ static int keyslot_LUKS1_compatible(struct crypt_device *cd, struct luks2_hdr *h strcmp(json_object_get_string(jobj), hash)) return 0; - /* FIXME: should this go to validation code instead (aka invalid luks2 header if assigned to segment 0)? */ - /* FIXME: check all keyslots are assigned to segment id 0, and segments count == 1 */ ks_cipher = LUKS2_get_keyslot_cipher(hdr, keyslot, &ks_key_size); data_cipher = LUKS2_get_cipher(hdr, CRYPT_DEFAULT_SEGMENT); if (!ks_cipher || !data_cipher || key_size != ks_key_size || strcmp(ks_cipher, data_cipher)) { @@ -676,14 +711,14 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct { size_t buf_size, buf_offset; char cipher[LUKS_CIPHERNAME_L], cipher_mode[LUKS_CIPHERMODE_L]; - char digest[LUKS_DIGESTSIZE], digest_salt[LUKS_SALTSIZE]; + char *digest, *digest_salt; const char *hash; size_t len; json_object *jobj_keyslot, *jobj_digest, *jobj_segment, *jobj_kdf, *jobj_area, *jobj1, *jobj2; uint32_t key_size; int i, r, last_active = 0; uint64_t offset, area_length; - char buf[256], luksMagic[] = LUKS_MAGIC; + char *buf, luksMagic[] = LUKS_MAGIC; jobj_digest = LUKS2_get_digest_jobj(hdr2, 0); if (!jobj_digest) @@ -718,6 +753,11 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct return -EINVAL; } + if (json_segments_count(LUKS2_get_segments_jobj(hdr2)) != 1) { + log_err(cd, _("Cannot convert to LUKS1 format - device uses more segments.")); + return -EINVAL; + } + r = LUKS2_tokens_count(hdr2); if (r < 0) return r; @@ -773,7 +813,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct * inactive keyslots. Otherwise we would allocate all * inactive luks1 keyslots over same binary keyslot area. */ - if (placeholder_keyslot_alloc(cd, i, offset, area_length, key_size)) + if (placeholder_keyslot_alloc(cd, i, offset, area_length)) return -EINVAL; } 
@@ -800,14 +840,16 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj1)) continue; - len = sizeof(buf); - memset(buf, 0, len); - if (!base64_decode(json_object_get_string(jobj1), - json_object_get_string_len(jobj1), buf, &len)) + + if (crypt_base64_decode(&buf, &len, json_object_get_string(jobj1), + json_object_get_string_len(jobj1))) continue; - if (len > 0 && len != LUKS_SALTSIZE) + if (len > 0 && len != LUKS_SALTSIZE) { + free(buf); continue; + } memcpy(hdr1->keyblock[i].passwordSalt, buf, LUKS_SALTSIZE); + free(buf); } if (!jobj_keyslot) { 
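Review bot: With `buf` now a heap buffer sized by crypt_base64_decode(), the guard `if (len > 0 && len != LUKS_SALTSIZE)` still lets `len == 0` through to `memcpy(hdr1->keyblock[i].passwordSalt, buf, LUKS_SALTSIZE)`, which would read past the decoded data. The removed code tolerated that case only because it copied from a zeroed 256-byte stack array. Unless crypt_base64_decode() (defined outside this hunk) can never succeed with a zero length, the test should be `if (len != LUKS_SALTSIZE) { free(buf); continue; }`. The salt string is taken from the LUKS2 JSON keyslot object, so it is worth confirming that earlier header validation already rejects an empty value.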
@@ -843,31 +885,36 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct if (!json_object_object_get_ex(jobj_digest, "digest", &jobj1)) return -EINVAL; - len = sizeof(digest); - if (!base64_decode(json_object_get_string(jobj1), - json_object_get_string_len(jobj1), digest, &len)) - return -EINVAL; + r = crypt_base64_decode(&digest, &len, json_object_get_string(jobj1), + json_object_get_string_len(jobj1)); + if (r < 0) + return r; /* We can store full digest here, not only sha1 length */ - if (len < LUKS_DIGESTSIZE) + if (len < LUKS_DIGESTSIZE) { + free(digest); return -EINVAL; + } memcpy(hdr1->mkDigest, digest, LUKS_DIGESTSIZE); + free(digest); if (!json_object_object_get_ex(jobj_digest, "salt", &jobj1)) return -EINVAL; - len = sizeof(digest_salt); - if (!base64_decode(json_object_get_string(jobj1), - json_object_get_string_len(jobj1), digest_salt, &len)) - return -EINVAL; - if (len != LUKS_SALTSIZE) + r = crypt_base64_decode(&digest_salt, &len, json_object_get_string(jobj1), + json_object_get_string_len(jobj1)); + if (r < 0) + return r; + if (len != LUKS_SALTSIZE) { + free(digest_salt); return -EINVAL; + } memcpy(hdr1->mkDigestSalt, digest_salt, LUKS_SALTSIZE); + free(digest_salt); if (!json_object_object_get_ex(jobj_segment, "offset", &jobj1)) return -EINVAL; offset = crypt_jobj_get_uint64(jobj1) / SECTOR_SIZE; if (offset > UINT32_MAX) return -EINVAL; - /* FIXME: LUKS1 requires offset == 0 || offset >= luks1_hdr_size */ hdr1->payloadOffset = offset; strncpy(hdr1->uuid, hdr2->uuid, UUID_STRING_L); /* max 36 chars */ @@ -881,7 +928,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct if (r) return r > 0 ? -EBUSY : r; - // move keyslots 32k -> 4k offset + /* move keyslots 32k -> 4k offset */ buf_offset = 2 * LUKS2_HDR_16K_LEN; buf_size = LUKS2_keyslots_size(hdr2); r = move_keyslot_areas(cd, buf_offset, 8 * SECTOR_SIZE, buf_size); 
@@ -893,6 +940,6 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct crypt_wipe_device(cd, crypt_metadata_device(cd), CRYPT_WIPE_ZERO, 0, 8 * SECTOR_SIZE, 8 * SECTOR_SIZE, NULL, NULL); - // Write LUKS1 hdr + /* Write new LUKS1 hdr */ return LUKS_write_phdr(hdr1, cd); } diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c index 24be66c..b0dcd6d 100644 --- a/lib/luks2/luks2_reencrypt.c +++ b/lib/luks2/luks2_reencrypt.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption helpers * - * Copyright (C) 2015-2021, Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2021, Ondrej Kozina + * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -22,35 +22,11 @@ #include "luks2_internal.h" #include "utils_device_locking.h" -struct reenc_protection { - enum { REENC_PROTECTION_NONE = 0, /* none should be 0 always */ - REENC_PROTECTION_CHECKSUM, - REENC_PROTECTION_JOURNAL, - REENC_PROTECTION_DATASHIFT } type; - - union { - struct { - } none; - struct { - char hash[LUKS2_CHECKSUM_ALG_L]; // or include luks.h - struct crypt_hash *ch; - size_t hash_size; - /* buffer for checksums */ - void *checksums; - size_t checksums_len; - } csum; - struct { - } ds; - } p; -}; - struct luks2_reencrypt { /* reencryption window attributes */ uint64_t offset; uint64_t progress; uint64_t length; - uint64_t data_shift; - size_t alignment; uint64_t device_size; bool online; bool fixed_length; @@ -64,6 +40,7 @@ struct luks2_reencrypt { /* reencryption window persistence attributes */ struct reenc_protection rp; + struct reenc_protection rp_moved_segment; int reenc_keyslot; 
@@ -92,44 +69,9 @@ struct luks2_reencrypt { struct crypt_lock_handle *reenc_lock; }; #if USE_LUKS2_REENCRYPTION -static int reencrypt_keyslot_update(struct crypt_device *cd, - const struct luks2_reencrypt *rh) +static uint64_t data_shift_value(struct reenc_protection *rp) { - int r; - json_object *jobj_keyslot, *jobj_area, *jobj_area_type; - struct luks2_hdr *hdr; - - if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2))) - return -EINVAL; - - jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, rh->reenc_keyslot); - if (!jobj_keyslot) - return -EINVAL; - - json_object_object_get_ex(jobj_keyslot, "area", &jobj_area); - json_object_object_get_ex(jobj_area, "type", &jobj_area_type); - - if (rh->rp.type == REENC_PROTECTION_CHECKSUM) { - log_dbg(cd, "Updating reencrypt keyslot for checksum protection."); - json_object_object_add(jobj_area, "type", json_object_new_string("checksum")); - json_object_object_add(jobj_area, "hash", json_object_new_string(rh->rp.p.csum.hash)); - json_object_object_add(jobj_area, "sector_size", json_object_new_int64(rh->alignment)); - } else if (rh->rp.type == REENC_PROTECTION_NONE) { - log_dbg(cd, "Updating reencrypt keyslot for none protection."); - json_object_object_add(jobj_area, "type", json_object_new_string("none")); - json_object_object_del(jobj_area, "hash"); - } else if (rh->rp.type == REENC_PROTECTION_JOURNAL) { - log_dbg(cd, "Updating reencrypt keyslot for journal protection."); - json_object_object_add(jobj_area, "type", json_object_new_string("journal")); - json_object_object_del(jobj_area, "hash"); - } else - log_dbg(cd, "No update of reencrypt keyslot needed."); - - r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, rh->vks); - if (r < 0) - log_err(cd, "Failed to refresh reencryption verification digest."); - - return r; + return rp->type == REENC_PROTECTION_DATASHIFT ? rp->p.ds.data_shift : 0; } static json_object *reencrypt_segment(struct luks2_hdr *hdr, unsigned new) 
@@ -147,6 +89,30 @@ static json_object *reencrypt_segment_old(struct luks2_hdr *hdr) return reencrypt_segment(hdr, 0); } +static json_object *reencrypt_segments_old(struct luks2_hdr *hdr) +{ + json_object *jobj_segments, *jobj = NULL; + + if (json_object_copy(reencrypt_segment_old(hdr), &jobj)) + return NULL; + + json_segment_remove_flag(jobj, "backup-previous"); + + jobj_segments = json_object_new_object(); + if (!jobj_segments) { + json_object_put(jobj); + return NULL; + } + + if (json_object_object_add_by_uint(jobj_segments, 0, jobj)) { + json_object_put(jobj); + json_object_put(jobj_segments); + return NULL; + } + + return jobj_segments; +} + static const char *reencrypt_segment_cipher_new(struct luks2_hdr *hdr) { return json_segment_get_cipher(reencrypt_segment(hdr, 1)); @@ -157,12 +123,12 @@ static const char *reencrypt_segment_cipher_old(struct luks2_hdr *hdr) return json_segment_get_cipher(reencrypt_segment(hdr, 0)); } -static int reencrypt_get_sector_size_new(struct luks2_hdr *hdr) +static uint32_t reencrypt_get_sector_size_new(struct luks2_hdr *hdr) { return json_segment_get_sector_size(reencrypt_segment(hdr, 1)); } -static int reencrypt_get_sector_size_old(struct luks2_hdr *hdr) +static uint32_t reencrypt_get_sector_size_old(struct luks2_hdr *hdr) { return json_segment_get_sector_size(reencrypt_segment(hdr, 0)); } 
@@ -255,29 +221,6 @@ static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr) return json_object_get_string(jobj_hash); } #if USE_LUKS2_REENCRYPTION -static uint32_t reencrypt_alignment(struct luks2_hdr *hdr) -{ - json_object *jobj_keyslot, *jobj_area, *jobj_type, *jobj_hash, *jobj_sector_size; - int ks = LUKS2_find_keyslot(hdr, "reencrypt"); - - if (ks < 0) - return 0; - - jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, ks); - - json_object_object_get_ex(jobj_keyslot, "area", &jobj_area); - if (!json_object_object_get_ex(jobj_area, "type", &jobj_type)) - return 0; - if (strcmp(json_object_get_string(jobj_type), "checksum")) - return 0; - if (!json_object_object_get_ex(jobj_area, "hash", &jobj_hash)) - return 0; - if (!json_object_object_get_ex(jobj_area, "sector_size", &jobj_sector_size)) - return 0; - - return crypt_jobj_get_uint32(jobj_sector_size); -} - static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh, uint64_t data_offset) { int reenc_seg, i = 0; @@ -568,7 +511,8 @@ static json_object *reencrypt_make_hot_segments_forward(struct crypt_device *cd, if (tmp < device_size) { fixed_length = device_size - tmp; - jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, data_offset + rh->data_shift, rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); + jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, data_offset + data_shift_value(&rh->rp), + rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); if (!jobj_old_seg) goto err; json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg); 
@@ -580,6 +524,119 @@ err: return NULL; } +static json_object *reencrypt_make_hot_segments_decrypt_shift(struct crypt_device *cd, + struct luks2_hdr *hdr, struct luks2_reencrypt *rh, + uint64_t device_size, uint64_t data_offset) +{ + json_object *jobj_segs_hot, *jobj_reenc_seg, *jobj_old_seg, *jobj_new_seg; + uint64_t fixed_length, tmp = rh->offset + rh->length, linear_length = rh->progress; + unsigned int sg = 0; + + jobj_segs_hot = json_object_new_object(); + if (!jobj_segs_hot) + return NULL; + + if (rh->offset) { + jobj_new_seg = LUKS2_get_segment_jobj(hdr, 0); + if (!jobj_new_seg) + goto err; + json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg)); + + if (linear_length) { + jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, + data_offset, + json_segment_get_size(jobj_new_seg, 0), + 0, + &linear_length); + if (!jobj_new_seg) + goto err; + json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_new_seg); + } + } + + jobj_reenc_seg = reencrypt_make_segment_reencrypt(cd, hdr, rh, data_offset, + rh->offset, + rh->offset, + &rh->length); + if (!jobj_reenc_seg) + goto err; + + json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg); + + if (!rh->offset && (jobj_new_seg = LUKS2_get_segment_jobj(hdr, 1)) && + !json_segment_is_backup(jobj_new_seg)) + json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg)); + else if (tmp < device_size) { + fixed_length = device_size - tmp; + jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, + data_offset + data_shift_value(&rh->rp), + rh->offset + rh->length, + rh->fixed_length ? 
&fixed_length : NULL); + if (!jobj_old_seg) + goto err; + json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg); + } + + return jobj_segs_hot; +err: + json_object_put(jobj_segs_hot); + return NULL; +} + +static json_object *_dec_create_segments_shift_after(struct crypt_device *cd, + struct luks2_hdr *hdr, + struct luks2_reencrypt *rh, + uint64_t data_offset) +{ + int reenc_seg, i = 0; + json_object *jobj_copy, *jobj_seg_old, *jobj_seg_new, + *jobj_segs_post = json_object_new_object(); + unsigned segs; + uint64_t tmp; + + if (!rh->jobj_segs_hot || !jobj_segs_post) + goto err; + + segs = json_segments_count(rh->jobj_segs_hot); + if (segs == 0) + return jobj_segs_post; + + reenc_seg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot); + if (reenc_seg < 0) + goto err; + + if (reenc_seg == 0) { + jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, NULL); + if (!jobj_seg_new) + goto err; + json_object_object_add_by_uint(jobj_segs_post, 0, jobj_seg_new); + + return jobj_segs_post; + } + + jobj_copy = json_segments_get_segment(rh->jobj_segs_hot, 0); + if (!jobj_copy) + goto err; + json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy)); + + jobj_seg_old = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1); + + tmp = rh->length + rh->progress; + jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset, + json_segment_get_size(rh->jobj_segment_moved, 0), + data_shift_value(&rh->rp), + jobj_seg_old ? &tmp : NULL); + json_object_object_add_by_uint(jobj_segs_post, i++, jobj_seg_new); + + if (jobj_seg_old) + json_object_object_add_by_uint(jobj_segs_post, i, json_object_get(jobj_seg_old)); + + return jobj_segs_post; +err: + json_object_put(jobj_segs_post); + return NULL; +} + static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh, 
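Review bot: In `_dec_create_segments_shift_after` the second `reencrypt_make_segment_new()` result goes straight into `json_object_object_add_by_uint(jobj_segs_post, i++, jobj_seg_new)` without a NULL check, although the `reenc_seg == 0` branch of the same function does check it. On failure the post-reencryption segment map would be built without its new segment instead of taking the `err` path. Add `if (!jobj_seg_new) goto err;` before the add. The return value of `json_object_object_add_by_uint()` is also ignored throughout both new functions, whereas `reencrypt_segments_old()` added earlier in this commit checks it and releases the objects.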
@@ -610,7 +667,8 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd if (tmp < device_size) { fixed_length = device_size - tmp; - jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset + rh->length, rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); + jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset + rh->length, + rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); if (!jobj_new_seg) goto err; json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_new_seg); @@ -631,9 +689,13 @@ static int reencrypt_make_hot_segments(struct crypt_device *cd, rh->jobj_segs_hot = NULL; if (rh->mode == CRYPT_REENCRYPT_ENCRYPT && rh->direction == CRYPT_REENCRYPT_BACKWARD && - rh->data_shift && rh->jobj_segment_moved) { + rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->jobj_segment_moved) { log_dbg(cd, "Calculating hot segments for encryption with data move."); rh->jobj_segs_hot = reencrypt_make_hot_segments_encrypt_shift(hdr, rh, data_offset); + } else if (rh->mode == CRYPT_REENCRYPT_DECRYPT && rh->direction == CRYPT_REENCRYPT_FORWARD && + rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->jobj_segment_moved) { + log_dbg(cd, "Calculating hot segments for decryption with data move."); + rh->jobj_segs_hot = reencrypt_make_hot_segments_decrypt_shift(cd, hdr, rh, device_size, data_offset); } else if (rh->direction == CRYPT_REENCRYPT_FORWARD) { log_dbg(cd, "Calculating hot segments (forward direction)."); rh->jobj_segs_hot = reencrypt_make_hot_segments_forward(cd, hdr, rh, device_size, data_offset); 
@@ -653,9 +715,13 @@ static int reencrypt_make_post_segments(struct crypt_device *cd, rh->jobj_segs_post = NULL; if (rh->mode == CRYPT_REENCRYPT_ENCRYPT && rh->direction == CRYPT_REENCRYPT_BACKWARD && - rh->data_shift && rh->jobj_segment_moved) { + rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->jobj_segment_moved) { log_dbg(cd, "Calculating post segments for encryption with data move."); rh->jobj_segs_post = _enc_create_segments_shift_after(rh, data_offset); + } else if (rh->mode == CRYPT_REENCRYPT_DECRYPT && rh->direction == CRYPT_REENCRYPT_FORWARD && + rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->jobj_segment_moved) { + log_dbg(cd, "Calculating post segments for decryption with data move."); + rh->jobj_segs_post = _dec_create_segments_shift_after(cd, hdr, rh, data_offset); } else if (rh->direction == CRYPT_REENCRYPT_FORWARD) { log_dbg(cd, "Calculating post segments (forward direction)."); rh->jobj_segs_post = reencrypt_make_post_segments_forward(cd, hdr, rh, data_offset); 
@@ -728,22 +794,30 @@ static crypt_reencrypt_direction_info reencrypt_direction(struct luks2_hdr *hdr) typedef enum { REENC_OK = 0, REENC_ERR, REENC_ROLLBACK, REENC_FATAL } reenc_status_t; +void LUKS2_reencrypt_protection_erase(struct reenc_protection *rp) +{ + if (!rp || rp->type != REENC_PROTECTION_CHECKSUM) + return; + + if (rp->p.csum.ch) { + crypt_hash_destroy(rp->p.csum.ch); + rp->p.csum.ch = NULL; + } + + if (rp->p.csum.checksums) { + crypt_safe_memzero(rp->p.csum.checksums, rp->p.csum.checksums_len); + free(rp->p.csum.checksums); + rp->p.csum.checksums = NULL; + } +} + void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh) { if (!rh) return; - if (rh->rp.type == REENC_PROTECTION_CHECKSUM) { - if (rh->rp.p.csum.ch) { - crypt_hash_destroy(rh->rp.p.csum.ch); - rh->rp.p.csum.ch = NULL; - } - if (rh->rp.p.csum.checksums) { - memset(rh->rp.p.csum.checksums, 0, rh->rp.p.csum.checksums_len); - free(rh->rp.p.csum.checksums); - rh->rp.p.csum.checksums = NULL; - } - } + LUKS2_reencrypt_protection_erase(&rh->rp); + LUKS2_reencrypt_protection_erase(&rh->rp_moved_segment); json_object_put(rh->jobj_segs_hot); rh->jobj_segs_hot = NULL; 
@@ -772,19 +846,62 @@ void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh) crypt_unlock_internal(cd, rh->reenc_lock); free(rh); } + +int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd, + struct luks2_hdr *hdr, + const struct reenc_protection *rp, + int reencrypt_keyslot, + uint64_t *r_length) +{ +#if USE_LUKS2_REENCRYPTION + int r; + uint64_t dummy, area_length; + + assert(hdr); + assert(rp); + assert(r_length); + + if (rp->type <= REENC_PROTECTION_NONE) { + *r_length = LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH; + return 0; + } + + if (rp->type == REENC_PROTECTION_DATASHIFT) { + *r_length = rp->p.ds.data_shift; + return 0; + } + + r = LUKS2_keyslot_area(hdr, reencrypt_keyslot, &dummy, &area_length); + if (r < 0) + return -EINVAL; + + if (rp->type == REENC_PROTECTION_JOURNAL) { + *r_length = area_length; + return 0; + } + + if (rp->type == REENC_PROTECTION_CHECKSUM) { + *r_length = (area_length / rp->p.csum.hash_size) * rp->p.csum.block_size; + return 0; + } + + return -EINVAL; +#else + return -ENOTSUP; +#endif +} #if USE_LUKS2_REENCRYPTION static size_t reencrypt_get_alignment(struct crypt_device *cd, struct luks2_hdr *hdr) { - int ss; - size_t alignment = device_block_size(cd, crypt_data_device(cd)); + size_t ss, alignment = device_block_size(cd, crypt_data_device(cd)); ss = reencrypt_get_sector_size_old(hdr); - if (ss > 0 && (size_t)ss > alignment) + if (ss > alignment) alignment = ss; ss = reencrypt_get_sector_size_new(hdr); - if (ss > 0 && (size_t)ss > alignment) - alignment = (size_t)ss; + if (ss > alignment) + alignment = ss; return alignment; } 
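Review bot: `LUKS2_reencrypt_max_hotzone_size` evaluates `(area_length / rp->p.csum.hash_size) * rp->p.csum.block_size` without checking that `hash_size` is non-zero, and the same expression is used in `reencrypt_length` in a later hunk. Where these fields are filled in is not visible here, so if the loader does not guarantee them, add `if (!rp->p.csum.hash_size || !rp->p.csum.block_size) return -EINVAL;` before the division. The `assert(hdr)`, `assert(rp)` and `assert(r_length)` checks vanish in NDEBUG builds, so an exported function should not depend on them alone to reject NULL arguments.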
@@ -819,7 +936,8 @@ static void _load_backup_segments(struct luks2_hdr *hdr, rh->jobj_segment_moved = NULL; } -static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *jobj_segments, uint64_t *reencrypt_length, uint64_t data_shift, uint64_t *offset) +static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *jobj_segments, + uint64_t *reencrypt_length, uint64_t data_shift, uint64_t *offset) { uint64_t tmp, linear_length = 0; int sg, segs = json_segments_count(jobj_segments); @@ -852,6 +970,23 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j return -EINVAL; } +static int reencrypt_offset_forward_moved(struct luks2_hdr *hdr, + json_object *jobj_segments, + uint64_t data_shift, + uint64_t *offset) +{ + int last_crypt = LUKS2_last_segment_by_type(hdr, "crypt"); + + /* if last crypt segment exists and it's first one, just return offset = 0 */ + if (last_crypt <= 0) { + *offset = 0; + return 0; + } + + *offset = LUKS2_segment_offset(hdr, last_crypt, 0) - data_shift; + return 0; +} + static int _offset_forward(json_object *jobj_segments, uint64_t *offset) { int segs = json_segments_count(jobj_segments); @@ -896,7 +1031,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr, uint64_t *reencrypt_length, uint64_t *offset) { - int sg; + int r, sg; json_object *jobj_segments; uint64_t data_shift = reencrypt_data_shift(hdr); 
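Review bot: `reencrypt_offset_forward_moved` computes `*offset = LUKS2_segment_offset(hdr, last_crypt, 0) - data_shift` in unsigned arithmetic with no check that the segment offset is at least `data_shift`. Both values are read from the header, and the caller added to reencrypt_offset clamps `*offset > device_size` to `device_size`, so a wrapped result would be silently accepted rather than rejected. Compare the two first and return `-EINVAL` when the offset is smaller than the shift, unless header validation outside this hunk already guarantees the ordering. The `rh->progress = rh->offset - json_segment_get_size(rh->jobj_segment_moved, 0)` assignment added to reencrypt_context_init has the same shape. The `jobj_segments` parameter of the new function is unused.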
@@ -911,9 +1046,16 @@ static int reencrypt_offset(struct luks2_hdr *hdr, return 0; } - if (di == CRYPT_REENCRYPT_FORWARD) + if (di == CRYPT_REENCRYPT_FORWARD) { + if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_DECRYPT && + LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0) { + r = reencrypt_offset_forward_moved(hdr, jobj_segments, data_shift, offset); + if (!r && *offset > device_size) + *offset = device_size; + return r; + } return _offset_forward(jobj_segments, offset); - else if (di == CRYPT_REENCRYPT_BACKWARD) { + } else if (di == CRYPT_REENCRYPT_BACKWARD) { if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_ENCRYPT && LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0) return reencrypt_offset_backward_moved(hdr, jobj_segments, reencrypt_length, data_shift, offset); @@ -924,20 +1066,20 @@ static int reencrypt_offset(struct luks2_hdr *hdr, } static uint64_t reencrypt_length(struct crypt_device *cd, - struct luks2_hdr *hdr, - struct luks2_reencrypt *rh, + struct reenc_protection *rp, uint64_t keyslot_area_length, - uint64_t length_max) + uint64_t length_max, + size_t alignment) { unsigned long dummy, optimal_alignment; uint64_t length, soft_mem_limit; - if (rh->rp.type == REENC_PROTECTION_NONE) + if (rp->type == REENC_PROTECTION_NONE) length = length_max ?: LUKS2_DEFAULT_NONE_REENCRYPTION_LENGTH; - else if (rh->rp.type == REENC_PROTECTION_CHECKSUM) - length = (keyslot_area_length / rh->rp.p.csum.hash_size) * rh->alignment; - else if (rh->rp.type == REENC_PROTECTION_DATASHIFT) - return reencrypt_data_shift(hdr); + else if (rp->type == REENC_PROTECTION_CHECKSUM) + length = (keyslot_area_length / rp->p.csum.hash_size) * rp->p.csum.block_size; + else if (rp->type == REENC_PROTECTION_DATASHIFT) + return rp->p.ds.data_shift; else length = keyslot_area_length; 
@@ -954,7 +1096,7 @@ static uint64_t reencrypt_length(struct crypt_device *cd, if (length_max && length > length_max) length = length_max; - length -= (length % rh->alignment); + length -= (length % alignment); /* Emits error later */ if (!length) @@ -963,7 +1105,7 @@ static uint64_t reencrypt_length(struct crypt_device *cd, device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length); /* we have to stick with encryption sector size alignment */ - if (optimal_alignment % rh->alignment) + if (optimal_alignment % alignment) return length; /* align to opt-io size only if remaining size allows it */ @@ -973,9 +1115,15 @@ static uint64_t reencrypt_length(struct crypt_device *cd, return length; } -static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh, uint64_t device_size, const struct crypt_params_reencrypt *params) +static int reencrypt_context_init(struct crypt_device *cd, + struct luks2_hdr *hdr, + struct luks2_reencrypt *rh, + uint64_t device_size, + uint64_t max_hotzone_size, + uint64_t fixed_device_size) { int r; + size_t alignment; uint64_t dummy, area_length; rh->reenc_keyslot = LUKS2_find_keyslot(hdr, "reencrypt"); 
@@ -986,76 +1134,38 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr rh->mode = reencrypt_mode(hdr); - rh->alignment = reencrypt_get_alignment(cd, hdr); - if (!rh->alignment) - return -EINVAL; - - log_dbg(cd, "Hotzone size: %" PRIu64 ", device size: %" PRIu64 ", alignment: %zu.", - params->max_hotzone_size << SECTOR_SHIFT, - params->device_size << SECTOR_SHIFT, rh->alignment); - - if ((params->max_hotzone_size << SECTOR_SHIFT) % rh->alignment) { - log_err(cd, _("Hotzone size must be multiple of calculated zone alignment (%zu bytes)."), rh->alignment); - return -EINVAL; - } - - if ((params->device_size << SECTOR_SHIFT) % rh->alignment) { - log_err(cd, _("Device size must be multiple of calculated zone alignment (%zu bytes)."), rh->alignment); - return -EINVAL; - } - rh->direction = reencrypt_direction(hdr); - if (!strcmp(params->resilience, "datashift")) { - log_dbg(cd, "Initializing reencryption context with data_shift resilience."); - rh->rp.type = REENC_PROTECTION_DATASHIFT; - rh->data_shift = reencrypt_data_shift(hdr); - } else if (!strcmp(params->resilience, "journal")) { - log_dbg(cd, "Initializing reencryption context with journal resilience."); - rh->rp.type = REENC_PROTECTION_JOURNAL; - } else if (!strcmp(params->resilience, "checksum")) { - log_dbg(cd, "Initializing reencryption context with checksum resilience."); - rh->rp.type = REENC_PROTECTION_CHECKSUM; + r = LUKS2_keyslot_reencrypt_load(cd, hdr, rh->reenc_keyslot, &rh->rp, true); + if (r < 0) + return r; - r = snprintf(rh->rp.p.csum.hash, - sizeof(rh->rp.p.csum.hash), "%s", params->hash); - if (r < 0 || (size_t)r >= sizeof(rh->rp.p.csum.hash)) { - log_dbg(cd, "Invalid hash parameter"); - return -EINVAL; - } + if (rh->rp.type == REENC_PROTECTION_CHECKSUM) + alignment = rh->rp.p.csum.block_size; + else + alignment = reencrypt_get_alignment(cd, hdr); - if (crypt_hash_init(&rh->rp.p.csum.ch, params->hash)) { - log_err(cd, _("Hash algorithm %s not supported."), 
params->hash); - return -EINVAL; - } + if (!alignment) + return -EINVAL; - r = crypt_hash_size(params->hash); - if (r < 1) { - log_dbg(cd, "Invalid hash size"); - return -EINVAL; - } - rh->rp.p.csum.hash_size = r; - - rh->rp.p.csum.checksums_len = area_length; - if (posix_memalign(&rh->rp.p.csum.checksums, device_alignment(crypt_metadata_device(cd)), - rh->rp.p.csum.checksums_len)) - return -ENOMEM; - } else if (!strcmp(params->resilience, "none")) { - log_dbg(cd, "Initializing reencryption context with none resilience."); - rh->rp.type = REENC_PROTECTION_NONE; - } else { - log_err(cd, _("Unsupported resilience mode %s"), params->resilience); + if ((max_hotzone_size << SECTOR_SHIFT) % alignment) { + log_err(cd, _("Hotzone size must be multiple of calculated zone alignment (%zu bytes)."), alignment); return -EINVAL; } - if (params->device_size) { + if ((fixed_device_size << SECTOR_SHIFT) % alignment) { + log_err(cd, _("Device size must be multiple of calculated zone alignment (%zu bytes)."), alignment); + return -EINVAL; + } + + if (fixed_device_size) { log_dbg(cd, "Switching reencryption to fixed size mode."); - device_size = params->device_size << SECTOR_SHIFT; + device_size = fixed_device_size << SECTOR_SHIFT; rh->fixed_length = true; } else rh->fixed_length = false; - rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT); + rh->length = reencrypt_length(cd, &rh->rp, area_length, max_hotzone_size << SECTOR_SHIFT, alignment); if (!rh->length) { log_dbg(cd, "Invalid reencryption length."); return -EINVAL; 
@@ -1071,21 +1181,34 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr if (rh->length > device_size - rh->offset) rh->length = device_size - rh->offset; - log_dbg(cd, "reencrypt-direction: %s", rh->direction == CRYPT_REENCRYPT_FORWARD ? "forward" : "backward"); - _load_backup_segments(hdr, rh); + r = LUKS2_keyslot_reencrypt_load(cd, hdr, rh->reenc_keyslot, &rh->rp_moved_segment, false); + if (r < 0) + return r; + + if (rh->rp_moved_segment.type == REENC_PROTECTION_NOT_SET) + log_dbg(cd, "No moved segment resilience configured."); + if (rh->direction == CRYPT_REENCRYPT_BACKWARD) rh->progress = device_size - rh->offset - rh->length; - else + else if (rh->jobj_segment_moved && rh->direction == CRYPT_REENCRYPT_FORWARD) { + if (rh->offset == json_segment_get_offset(LUKS2_get_segment_by_flag(hdr, "backup-moved-segment"), false)) + rh->progress = device_size - json_segment_get_size(LUKS2_get_segment_by_flag(hdr, "backup-moved-segment"), false); + else + rh->progress = rh->offset - json_segment_get_size(rh->jobj_segment_moved, 0); + } else rh->progress = rh->offset; + log_dbg(cd, "reencrypt-direction: %s", rh->direction == CRYPT_REENCRYPT_FORWARD ? "forward" : "backward"); log_dbg(cd, "backup-previous digest id: %d", rh->digest_old); log_dbg(cd, "backup-final digest id: %d", rh->digest_new); log_dbg(cd, "reencrypt length: %" PRIu64, rh->length); log_dbg(cd, "reencrypt offset: %" PRIu64, rh->offset); - log_dbg(cd, "reencrypt shift: %s%" PRIu64, (rh->data_shift && rh->direction == CRYPT_REENCRYPT_BACKWARD ? "-" : ""), rh->data_shift); - log_dbg(cd, "reencrypt alignment: %zu", rh->alignment); + log_dbg(cd, "reencrypt shift: %s%" PRIu64, + (rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->direction == CRYPT_REENCRYPT_BACKWARD ? "-" : ""), + data_shift_value(&rh->rp)); + log_dbg(cd, "reencrypt alignment: %zu", alignment); log_dbg(cd, "reencrypt progress: %" PRIu64, rh->progress); rh->device_size = device_size; 
@@ -1095,42 +1218,27 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr static size_t reencrypt_buffer_length(struct luks2_reencrypt *rh) { - if (rh->data_shift) - return rh->data_shift; + if (rh->rp.type == REENC_PROTECTION_DATASHIFT) + return data_shift_value(&rh->rp); return rh->length; } static int reencrypt_load_clean(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t device_size, - struct luks2_reencrypt **rh, - const struct crypt_params_reencrypt *params) + uint64_t max_hotzone_size, + uint64_t fixed_device_size, + struct luks2_reencrypt **rh) { int r; - const struct crypt_params_reencrypt hdr_reenc_params = { - .resilience = reencrypt_resilience_type(hdr), - .hash = reencrypt_resilience_hash(hdr), - .device_size = params ? params->device_size : 0 - }; struct luks2_reencrypt *tmp = crypt_zalloc(sizeof (*tmp)); if (!tmp) return -ENOMEM; - r = -EINVAL; - if (!hdr_reenc_params.resilience) - goto err; + log_dbg(cd, "Loading stored reencryption context."); - /* skip context update if data shift is detected in header */ - if (!strcmp(hdr_reenc_params.resilience, "datashift")) - params = NULL; - - log_dbg(cd, "Initializing reencryption context (%s).", params ? "update" : "load"); - - if (!params || !params->resilience) - params = &hdr_reenc_params; - - r = reencrypt_context_init(cd, hdr, tmp, device_size, params); + r = reencrypt_context_init(cd, hdr, tmp, device_size, max_hotzone_size, fixed_device_size); if (r) goto err; 
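Review bot: The two new parameters of reencrypt_load_clean, `max_hotzone_size` and `fixed_device_size`, give no indication of their unit, although reencrypt_context_init shifts both left by SECTOR_SHIFT while the neighbouring `device_size` is used as a byte count. A one-line comment above the function would stop a caller from passing bytes by mistake, for example `/* max_hotzone_size and fixed_device_size are in sectors (SECTOR_SHIFT units); device_size is in bytes */`. The function body continues past the end of the hunk.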
@@ -1205,17 +1313,18 @@ static int reencrypt_load_crashed(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t device_size, struct luks2_reencrypt **rh) { bool dynamic; - uint64_t minimal_size; + uint64_t required_device_size; int r, reenc_seg; - struct crypt_params_reencrypt params = {}; - if (LUKS2_get_data_size(hdr, &minimal_size, &dynamic)) + if (LUKS2_get_data_size(hdr, &required_device_size, &dynamic)) return -EINVAL; - if (!dynamic) - params.device_size = minimal_size >> SECTOR_SHIFT; + if (dynamic) + required_device_size = 0; + else + required_device_size >>= SECTOR_SHIFT; - r = reencrypt_load_clean(cd, hdr, device_size, rh, ¶ms); + r = reencrypt_load_clean(cd, hdr, device_size, 0, required_device_size, rh); if (!r) { reenc_seg = json_segments_segment_in_reencrypt(LUKS2_get_segments_jobj(hdr)); @@ -1225,15 +1334,6 @@ static int reencrypt_load_crashed(struct crypt_device *cd, (*rh)->length = LUKS2_segment_size(hdr, reenc_seg, 0); } - if (!r && ((*rh)->rp.type == REENC_PROTECTION_CHECKSUM)) { - /* we have to override calculated alignment with value stored in mda */ - (*rh)->alignment = reencrypt_alignment(hdr); - if (!(*rh)->alignment) { - log_dbg(cd, "Failed to get read resilience sector_size from metadata."); - r = -EINVAL; - } - } - if (!r) r = reencrypt_make_segments_crashed(cd, hdr, *rh); 
@@ -1329,32 +1429,48 @@ static int modify_offset(uint64_t *offset, uint64_t data_shift, crypt_reencrypt_ return r; } -static int reencrypt_update_flag(struct crypt_device *cd, int enable, bool commit) +static int reencrypt_update_flag(struct crypt_device *cd, uint8_t version, + bool enable, bool commit) { uint32_t reqs; struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (enable) { + log_dbg(cd, "Going to store reencryption requirement flag (version: %u).", version); + return LUKS2_config_set_requirement_version(cd, hdr, CRYPT_REQUIREMENT_ONLINE_REENCRYPT, version, commit); + } + if (LUKS2_config_get_requirements(cd, hdr, &reqs)) return -EINVAL; - /* nothing to do */ - if (enable && (reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT)) - return -EINVAL; + reqs &= ~CRYPT_REQUIREMENT_ONLINE_REENCRYPT; - /* nothing to do */ - if (!enable && !(reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT)) - return -EINVAL; - - if (enable) - reqs |= CRYPT_REQUIREMENT_ONLINE_REENCRYPT; - else - reqs &= ~CRYPT_REQUIREMENT_ONLINE_REENCRYPT; - - log_dbg(cd, "Going to %s reencryption requirement flag.", enable ? "store" : "wipe"); + log_dbg(cd, "Going to wipe reencryption requirement flag."); return LUKS2_config_set_requirements(cd, hdr, reqs, commit); } +static int reencrypt_hotzone_protect_ready(struct crypt_device *cd, + struct reenc_protection *rp) +{ + assert(rp); + + if (rp->type == REENC_PROTECTION_NOT_SET) + return -EINVAL; + + if (rp->type != REENC_PROTECTION_CHECKSUM) + return 0; + + if (!rp->p.csum.checksums) { + log_dbg(cd, "Allocating buffer for storing resilience checksums."); + if (posix_memalign(&rp->p.csum.checksums, device_alignment(crypt_metadata_device(cd)), + rp->p.csum.checksums_len)) + return -ENOMEM; + } + + return 0; +} + static int reencrypt_recover_segment(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh, 
@@ -1363,18 +1479,33 @@ static int reencrypt_recover_segment(struct crypt_device *cd, struct volume_key *vk_old, *vk_new; size_t count, s; ssize_t read, w; - unsigned resilience; + struct reenc_protection *rp; + int devfd, r, new_sector_size, old_sector_size, rseg; uint64_t area_offset, area_length, area_length_read, crash_iv_offset, data_offset = crypt_get_data_offset(cd) << SECTOR_SHIFT; - int devfd, r, new_sector_size, old_sector_size, rseg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot); char *checksum_tmp = NULL, *data_buffer = NULL; struct crypt_storage_wrapper *cw1 = NULL, *cw2 = NULL; - resilience = rh->rp.type; + assert(hdr); + assert(rh); + assert(vks); + + rseg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot); + if (rh->offset == 0 && rh->rp_moved_segment.type > REENC_PROTECTION_NOT_SET) { + log_dbg(cd, "Recovery using moved segment protection."); + rp = &rh->rp_moved_segment; + } else + rp = &rh->rp; if (rseg < 0 || rh->length < 512) return -EINVAL; + r = reencrypt_hotzone_protect_ready(cd, rp); + if (r) { + log_err(cd, _("Failed to initialize hotzone protection.")); + return -EINVAL; + } + vk_new = crypt_volume_key_by_id(vks, rh->digest_new); if (!vk_new && rh->mode != CRYPT_REENCRYPT_DECRYPT) return -EINVAL; @@ -1388,7 +1519,8 @@ static int reencrypt_recover_segment(struct crypt_device *cd, else crash_iv_offset = json_segment_get_iv_offset(json_segments_get_segment(rh->jobj_segs_hot, rseg)); - log_dbg(cd, "crash_offset: %" PRIu64 ", crash_length: %" PRIu64 ", crash_iv_offset: %" PRIu64, data_offset + rh->offset, rh->length, crash_iv_offset); + log_dbg(cd, "crash_offset: %" PRIu64 ", crash_length: %" PRIu64 ", crash_iv_offset: %" PRIu64, + data_offset + rh->offset, rh->length, crash_iv_offset); r = crypt_storage_wrapper_init(cd, &cw2, crypt_data_device(cd), data_offset + rh->offset, crash_iv_offset, new_sector_size, 
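Review bot: The new reencrypt_hotzone_protect_ready() call in reencrypt_recover_segment turns every failure into -EINVAL, so the -ENOMEM that helper returns when posix_memalign() fails is reported as invalid input. Returning the helper's own code keeps the two cases distinguishable: `return r;`. The added assert() calls on hdr, rh and vks vanish in NDEBUG builds, so they document the contract rather than enforce it. The function continues outside the hunk.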
@@ -1408,7 +1540,7 @@ static int reencrypt_recover_segment(struct crypt_device *cd, goto out; } - switch (resilience) { + switch (rp->type) { case REENC_PROTECTION_CHECKSUM: log_dbg(cd, "Checksums based recovery."); @@ -1420,15 +1552,15 @@ static int reencrypt_recover_segment(struct crypt_device *cd, goto out; } - count = rh->length / rh->alignment; - area_length_read = count * rh->rp.p.csum.hash_size; + count = rh->length / rp->p.csum.block_size; + area_length_read = count * rp->p.csum.hash_size; if (area_length_read > area_length) { log_dbg(cd, "Internal error in calculated area_length."); r = -EINVAL; goto out; } - checksum_tmp = malloc(rh->rp.p.csum.hash_size); + checksum_tmp = malloc(rp->p.csum.hash_size); if (!checksum_tmp) { r = -ENOMEM; goto out; @@ -1441,7 +1573,7 @@ static int reencrypt_recover_segment(struct crypt_device *cd, /* read old data checksums */ read = read_lseek_blockwise(devfd, device_block_size(cd, crypt_metadata_device(cd)), - device_alignment(crypt_metadata_device(cd)), rh->rp.p.csum.checksums, area_length_read, area_offset); + device_alignment(crypt_metadata_device(cd)), rp->p.csum.checksums, area_length_read, area_offset); if (read < 0 || (size_t)read != area_length_read) { log_err(cd, _("Failed to read checksums for current hotzone.")); r = -EINVAL; 
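Review bot: `count = rh->length / rp->p.csum.block_size` in the checksum branch divides by a value this function never checks, and rp appears to be filled from reencrypt keyslot metadata by LUKS2_keyslot_reencrypt_load() outside these hunks. Unless that loader already rejects zero, add `if (!rp->p.csum.block_size) { r = -EINVAL; goto out; }` before the division. The read in the following hunk writes `area_length_read` bytes into `rp->p.csum.checksums`, which reencrypt_hotzone_protect_ready() allocates with `checksums_len`, yet the bound is tested only against `area_length`. Comparing against `rp->p.csum.checksums_len` as well would tie the check to the buffer that is actually written.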
@@ -1456,25 +1588,25 @@ static int reencrypt_recover_segment(struct crypt_device *cd, } for (s = 0; s < count; s++) { - if (crypt_hash_write(rh->rp.p.csum.ch, data_buffer + (s * rh->alignment), rh->alignment)) { + if (crypt_hash_write(rp->p.csum.ch, data_buffer + (s * rp->p.csum.block_size), rp->p.csum.block_size)) { log_dbg(cd, "Failed to write hash."); r = EINVAL; goto out; } - if (crypt_hash_final(rh->rp.p.csum.ch, checksum_tmp, rh->rp.p.csum.hash_size)) { + if (crypt_hash_final(rp->p.csum.ch, checksum_tmp, rp->p.csum.hash_size)) { log_dbg(cd, "Failed to finalize hash."); r = EINVAL; goto out; } - if (!memcmp(checksum_tmp, (char *)rh->rp.p.csum.checksums + (s * rh->rp.p.csum.hash_size), rh->rp.p.csum.hash_size)) { - log_dbg(cd, "Sector %zu (size %zu, offset %zu) needs recovery", s, rh->alignment, s * rh->alignment); - if (crypt_storage_wrapper_decrypt(cw1, s * rh->alignment, data_buffer + (s * rh->alignment), rh->alignment)) { + if (!memcmp(checksum_tmp, (char *)rp->p.csum.checksums + (s * rp->p.csum.hash_size), rp->p.csum.hash_size)) { + log_dbg(cd, "Sector %zu (size %zu, offset %zu) needs recovery", s, rp->p.csum.block_size, s * rp->p.csum.block_size); + if (crypt_storage_wrapper_decrypt(cw1, s * rp->p.csum.block_size, data_buffer + (s * rp->p.csum.block_size), rp->p.csum.block_size)) { log_err(cd, _("Failed to decrypt sector %zu."), s); r = -EINVAL; goto out; } - w = crypt_storage_wrapper_encrypt_write(cw2, s * rh->alignment, data_buffer + (s * rh->alignment), rh->alignment); - if (w < 0 || (size_t)w != rh->alignment) { + w = crypt_storage_wrapper_encrypt_write(cw2, s * rp->p.csum.block_size, data_buffer + (s * rp->p.csum.block_size), rp->p.csum.block_size); + if (w < 0 || (size_t)w != rp->p.csum.block_size) { log_err(cd, _("Failed to recover sector %zu."), s); r = -EINVAL; goto out; 
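Review bot: Both hash failure paths in the recovery loop set `r = EINVAL`, a positive value, while every other error in this function uses a negative errno, so a caller testing `r < 0` would treat a failed crypt_hash_write() or crypt_hash_final() as success. These are context lines the change leaves untouched, and they should read `r = -EINVAL;`. The loop sits inside reencrypt_recover_segment, which begins and ends outside the hunk.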
@@ -1526,12 +1658,20 @@ static int reencrypt_recover_segment(struct crypt_device *cd, if (rseg == 0) { r = crypt_storage_wrapper_init(cd, &cw1, crypt_data_device(cd), - json_segment_get_offset(rh->jobj_segment_moved, 0), 0, 0, - reencrypt_segment_cipher_old(hdr), NULL, 0); - } else + json_segment_get_offset(rh->jobj_segment_moved, 0), 0, + reencrypt_get_sector_size_old(hdr), + reencrypt_segment_cipher_old(hdr), vk_old, 0); + } else { + if (rh->direction == CRYPT_REENCRYPT_FORWARD) + data_offset = data_offset + rh->offset + data_shift_value(rp); + else + data_offset = data_offset + rh->offset - data_shift_value(rp); r = crypt_storage_wrapper_init(cd, &cw1, crypt_data_device(cd), - data_offset + rh->offset - rh->data_shift, 0, 0, - reencrypt_segment_cipher_old(hdr), NULL, 0); + data_offset, + crash_iv_offset, + reencrypt_get_sector_size_old(hdr), + reencrypt_segment_cipher_old(hdr), vk_old, 0); + } if (r) { log_err(cd, _("Failed to initialize old segment storage wrapper.")); goto out; @@ -1571,9 +1711,9 @@ out: return r; } -static int reencrypt_add_moved_segment(struct luks2_hdr *hdr, struct luks2_reencrypt *rh) +static int reencrypt_add_moved_segment(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh) { - int s = LUKS2_segment_first_unused_id(hdr); + int digest = rh->digest_old, s = LUKS2_segment_first_unused_id(hdr); if (!rh->jobj_segment_moved) return 0; @@ -1586,6 +1726,9 @@ static int reencrypt_add_moved_segment(struct luks2_hdr *hdr, struct luks2_reenc return -EINVAL; } + if (!strcmp(json_segment_type(rh->jobj_segment_moved), "crypt")) + return LUKS2_digest_segment_assign(cd, hdr, s, digest, 1, 0); + return 0; } @@ -1655,7 +1798,7 @@ static int reencrypt_assign_segments_simple(struct crypt_device *cd, return r; } - r = reencrypt_add_moved_segment(hdr, rh); + r = reencrypt_add_moved_segment(cd, hdr, rh); if (r) { log_dbg(cd, "Failed to assign reencryption moved backup segment."); return r; 
@@ -1745,7 +1888,9 @@ static int reencrypt_assign_segments(struct crypt_device *cd, return commit ? LUKS2_hdr_write(cd, hdr) : 0; } -static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t dev_size, uint64_t data_shift, bool move_first_segment, crypt_reencrypt_direction_info di) +static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_hdr *hdr, + uint64_t dev_size, uint64_t data_shift, bool move_first_segment, + crypt_reencrypt_direction_info di) { int r; uint64_t first_segment_offset, first_segment_length, 
@@ -1812,6 +1957,68 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_ return r ?: LUKS2_segments_set(cd, hdr, jobj_segments, 0); } +static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd, + struct luks2_hdr *hdr, + uint64_t dev_size, + uint64_t moved_segment_length, + crypt_reencrypt_direction_info di) +{ + int r; + uint64_t first_segment_offset, first_segment_length, + second_segment_offset, second_segment_length, + data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT; + json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments; + + if (di == CRYPT_REENCRYPT_BACKWARD) + return -ENOTSUP; + + /* + * future data_device layout: + * [encrypted first segment (max data shift size)][gap (data shift size)][second encrypted data segment] + */ + first_segment_offset = 0; + first_segment_length = moved_segment_length; + if (dev_size > moved_segment_length) { + second_segment_offset = data_offset + first_segment_length; + second_segment_length = 0; + } + + jobj_segments = json_object_new_object(); + if (!jobj_segments) + return -ENOMEM; + + r = -EINVAL; + jobj_segment_first = json_segment_create_crypt(first_segment_offset, + crypt_get_iv_offset(cd), &first_segment_length, + crypt_get_cipher_spec(cd), crypt_get_sector_size(cd), 0); + + if (!jobj_segment_first) { + log_dbg(cd, "Failed generate 1st segment."); + return r; + } + + if (dev_size > moved_segment_length) { + jobj_segment_second = json_segment_create_crypt(second_segment_offset, + crypt_get_iv_offset(cd) + (first_segment_length >> SECTOR_SHIFT), + second_segment_length ? 
&second_segment_length : NULL, + crypt_get_cipher_spec(cd), + crypt_get_sector_size(cd), 0); + if (!jobj_segment_second) { + json_object_put(jobj_segment_first); + log_dbg(cd, "Failed generate 2nd segment."); + return r; + } + } + + json_object_object_add(jobj_segments, "0", jobj_segment_first); + if (jobj_segment_second) + json_object_object_add(jobj_segments, "1", jobj_segment_second); + + r = LUKS2_segments_set(cd, hdr, jobj_segments, 0); + + return r ?: LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0); +} + static int reencrypt_make_targets(struct crypt_device *cd, struct luks2_hdr *hdr, struct device *hz_device, @@ -2164,16 +2371,18 @@ static int reencrypt_refresh_overlay_devices(struct crypt_device *cd, return REENC_OK; } -static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data_shift) +static int reencrypt_move_data(struct crypt_device *cd, + int devfd, + uint64_t data_shift, + crypt_reencrypt_mode_info mode) { void *buffer; int r; ssize_t ret; - uint64_t buffer_len, offset; + uint64_t buffer_len, offset, + read_offset = (mode == CRYPT_REENCRYPT_ENCRYPT ? 0 : data_shift); struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2); - log_dbg(cd, "Going to move data from head of data device."); - offset = json_segment_get_offset(LUKS2_get_segment_jobj(hdr, 0), 0); buffer_len = json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0); if (!buffer_len || buffer_len > data_shift) 
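Review bot: reencrypt_set_decrypt_shift_segments leaks `jobj_segments` on both early returns, because the `!jobj_segment_first` and `!jobj_segment_second` branches return after json_object_new_object() has succeeded without releasing it. Add `json_object_put(jobj_segments);` before each `return r;`. In addition, `second_segment_length` is set to 0 and never changed, so the argument `second_segment_length ? &second_segment_length : NULL` is always NULL and can be written that way.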
@@ -2185,25 +2394,30 @@ static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data ret = read_lseek_blockwise(devfd, device_block_size(cd, crypt_data_device(cd)), device_alignment(crypt_data_device(cd)), - buffer, buffer_len, 0); + buffer, buffer_len, read_offset); if (ret < 0 || (uint64_t)ret != buffer_len) { + log_dbg(cd, "Failed to read data at offset %" PRIu64 " (size: %zu)", + read_offset, buffer_len); r = -EIO; goto out; } - log_dbg(cd, "Going to write %" PRIu64 " bytes at offset %" PRIu64, buffer_len, offset); + log_dbg(cd, "Going to write %" PRIu64 " bytes read at offset %" PRIu64 " to new offset %" PRIu64, + buffer_len, read_offset, offset); ret = write_lseek_blockwise(devfd, device_block_size(cd, crypt_data_device(cd)), device_alignment(crypt_data_device(cd)), buffer, buffer_len, offset); if (ret < 0 || (uint64_t)ret != buffer_len) { + log_dbg(cd, "Failed to write data at offset %" PRIu64 " (size: %zu)", + offset, buffer_len); r = -EIO; goto out; } r = 0; out: - memset(buffer, 0, buffer_len); + crypt_safe_memzero(buffer, buffer_len); free(buffer); return r; } @@ -2216,9 +2430,10 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, const struct crypt_params_reencrypt *params) { int r, segment, moved_segment = -1, digest_old = -1, digest_new = -1; - json_object *jobj_segment_new = NULL, *jobj_segment_old = NULL, *jobj_segment_bcp = NULL; + json_object *jobj_tmp, *jobj_segment_new = NULL, *jobj_segment_old = NULL, *jobj_segment_bcp = NULL; uint32_t sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE; - uint64_t segment_offset, tmp, data_shift = params->data_shift << SECTOR_SHIFT; + uint64_t segment_offset, tmp, data_shift = params->data_shift << SECTOR_SHIFT, + device_size = params->device_size << SECTOR_SHIFT; if (params->mode != CRYPT_REENCRYPT_DECRYPT) { digest_new = LUKS2_digest_by_keyslot(hdr, keyslot_new); 
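Review bot: The two added failure messages in reencrypt_move_data print `buffer_len` with `%zu`, but the preceding hunk declares it as `uint64_t`, which is a format mismatch on targets where size_t is 32 bits wide. Use the same macro as the offset next to it, for example `"Failed to read data at offset %" PRIu64 " (size: %" PRIu64 ")"`, and the same for the write message. The function starts outside this hunk.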
@@ -2236,20 +2451,42 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, if (segment < 0) return -EINVAL; - if (params->mode == CRYPT_REENCRYPT_ENCRYPT && - (params->flags & CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT)) { - json_object_copy(LUKS2_get_segment_jobj(hdr, 0), &jobj_segment_bcp); + if (params->flags & CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT) { + if (json_object_copy(LUKS2_get_segment_jobj(hdr, 0), &jobj_segment_bcp)) { + r = -EINVAL; + goto err; + } r = LUKS2_segment_set_flag(jobj_segment_bcp, "backup-moved-segment"); if (r) goto err; moved_segment = segment++; json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), moved_segment, jobj_segment_bcp); + if (!strcmp(json_segment_type(jobj_segment_bcp), "crypt")) + LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0); } /* FIXME: Add detection for case (digest old == digest new && old segment == new segment) */ - if (digest_old >= 0) - json_object_copy(LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT), &jobj_segment_old); - else if (params->mode == CRYPT_REENCRYPT_ENCRYPT) { + if (digest_old >= 0) { + if (params->flags & CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT) { + jobj_tmp = LUKS2_get_segment_jobj(hdr, 0); + if (!jobj_tmp) { + r = -EINVAL; + goto err; + } + + jobj_segment_old = json_segment_create_crypt(data_offset, + json_segment_get_iv_offset(jobj_tmp), + device_size ? &device_size : NULL, + json_segment_get_cipher(jobj_tmp), + json_segment_get_sector_size(jobj_tmp), + 0); + } else { + if (json_object_copy(LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT), &jobj_segment_old)) { + r = -EINVAL; + goto err; + } + } + } else if (params->mode == CRYPT_REENCRYPT_ENCRYPT) { r = LUKS2_get_data_size(hdr, &tmp, NULL); if (r) goto err; 
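Review bot: The added `LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0);` in the MOVE_FIRST_SEGMENT branch discards its return value, whereas reencrypt_add_moved_segment returns the result of the same call. A failed assignment would go unnoticed here; `r = LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0);` followed by `if (r) goto err;` would surface it. At that point jobj_segment_bcp has already been added to the header's segments object and the err label is outside the hunk, so confirm the error path does not release it a second time. The result of json_segment_create_crypt() for jobj_segment_old is also not checked within the hunk.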
@@ -2309,7 +2546,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, /* FIXME: also check occupied space by keyslot in shrunk area */ if (params->direction == CRYPT_REENCRYPT_FORWARD && data_shift && crypt_metadata_device(cd) == crypt_data_device(cd) && - LUKS2_set_keyslots_size(cd, hdr, json_segment_get_offset(reencrypt_segment_new(hdr), 0))) { + LUKS2_set_keyslots_size(hdr, json_segment_get_offset(reencrypt_segment_new(hdr), 0))) { log_err(cd, _("Failed to set new keyslots area size.")); r = -EINVAL; goto err; 
@@ -2322,44 +2559,363 @@ err: return r; } -static int reencrypt_verify_and_upload_keys(struct crypt_device *cd, struct luks2_hdr *hdr, int digest_old, int digest_new, struct volume_key *vks) +static int reencrypt_verify_single_key(struct crypt_device *cd, int digest, struct volume_key *vks) { - int r; struct volume_key *vk; - if (digest_new >= 0) { - vk = crypt_volume_key_by_id(vks, digest_new); - if (!vk) - return -ENOENT; - else { - if (LUKS2_digest_verify_by_digest(cd, hdr, digest_new, vk) != digest_new) - return -EINVAL; + vk = crypt_volume_key_by_id(vks, digest); + if (!vk) + return -ENOENT; - if (crypt_use_keyring_for_vk(cd) && !crypt_is_cipher_null(reencrypt_segment_cipher_new(hdr)) && - (r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)))) - return r; - } - } + if (LUKS2_digest_verify_by_digest(cd, digest, vk) != digest) + return -EINVAL; - if (digest_old >= 0 && digest_old != digest_new) { - vk = crypt_volume_key_by_id(vks, digest_old); - if (!vk) { - r = -ENOENT; - goto err; - } else { - if (LUKS2_digest_verify_by_digest(cd, hdr, digest_old, vk) != digest_old) { - r = -EINVAL; - goto err; - } - if (crypt_use_keyring_for_vk(cd) && !crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr)) && - (r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)))) - goto err; - } + return 0; +} + +static int reencrypt_verify_keys(struct crypt_device *cd, + int digest_old, + int digest_new, + struct volume_key *vks) +{ + int r; + + if (digest_new >= 0 && (r = reencrypt_verify_single_key(cd, digest_new, vks))) + return r; + + if (digest_old >= 0 && (r = reencrypt_verify_single_key(cd, digest_old, vks))) + return r; + + return 0; +} + +static int reencrypt_upload_single_key(struct crypt_device *cd, + struct luks2_hdr *hdr, + int digest, + struct volume_key *vks) +{ + struct volume_key *vk; + + vk = crypt_volume_key_by_id(vks, digest); + if (!vk) + return -EINVAL; + + return 
LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, digest); +} + +static int reencrypt_upload_keys(struct crypt_device *cd, + struct luks2_hdr *hdr, + int digest_old, + int digest_new, + struct volume_key *vks) +{ + int r; + + if (!crypt_use_keyring_for_vk(cd)) + return 0; + + if (digest_new >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_new(hdr)) && + (r = reencrypt_upload_single_key(cd, hdr, digest_new, vks))) + return r; + + if (digest_old >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr)) && + (r = reencrypt_upload_single_key(cd, hdr, digest_old, vks))) { + crypt_drop_keyring_key(cd, vks); + return r; } return 0; -err: - crypt_drop_keyring_key(cd, vks); +} + +static int reencrypt_verify_and_upload_keys(struct crypt_device *cd, + struct luks2_hdr *hdr, + int digest_old, + int digest_new, + struct volume_key *vks) +{ + int r; + + r = reencrypt_verify_keys(cd, digest_old, digest_new, vks); + if (r) + return r; + + r = reencrypt_upload_keys(cd, hdr, digest_old, digest_new, vks); + if (r) + return r; + + return 0; +} + +static int reencrypt_verify_checksum_params(struct crypt_device *cd, + const struct crypt_params_reencrypt *params) +{ + size_t len; + struct crypt_hash *ch; + + assert(params); + + if (!params->hash) + return -EINVAL; + + len = strlen(params->hash); + if (!len || len > (LUKS2_CHECKSUM_ALG_L - 1)) + return -EINVAL; + + if (crypt_hash_size(params->hash) <= 0) + return -EINVAL; + + if (crypt_hash_init(&ch, params->hash)) { + log_err(cd, _("Hash algorithm %s is not available."), params->hash); + return -EINVAL; + } + /* We just check for alg availability */ + crypt_hash_destroy(ch); + + return 0; +} + +static int reencrypt_verify_datashift_params(struct crypt_device *cd, + const struct crypt_params_reencrypt *params, + uint32_t sector_size) +{ + assert(params); + + if (!params->data_shift) + return -EINVAL; + if (MISALIGNED(params->data_shift, sector_size >> SECTOR_SHIFT)) { + log_err(cd, _("Data shift value is not aligned to 
encryption sector size (%" PRIu32 " bytes)."), + sector_size); + return -EINVAL; + } + + return 0; +} + +static int reencrypt_verify_resilience_params(struct crypt_device *cd, + const struct crypt_params_reencrypt *params, + uint32_t sector_size, bool move_first_segment) +{ + /* no change requested */ + if (!params || !params->resilience) + return 0; + + if (!strcmp(params->resilience, "journal")) + return (params->data_shift || move_first_segment) ? -EINVAL : 0; + else if (!strcmp(params->resilience, "none")) + return (params->data_shift || move_first_segment) ? -EINVAL : 0; + else if (!strcmp(params->resilience, "datashift")) + return reencrypt_verify_datashift_params(cd, params, sector_size); + else if (!strcmp(params->resilience, "checksum")) { + if (params->data_shift || move_first_segment) + return -EINVAL; + return reencrypt_verify_checksum_params(cd, params); + } else if (!strcmp(params->resilience, "datashift-checksum")) { + if (!move_first_segment || + reencrypt_verify_datashift_params(cd, params, sector_size)) + return -EINVAL; + return reencrypt_verify_checksum_params(cd, params); + } else if (!strcmp(params->resilience, "datashift-journal")) { + if (!move_first_segment) + return -EINVAL; + return reencrypt_verify_datashift_params(cd, params, sector_size); + } + + log_err(cd, _("Unsupported resilience mode %s"), params->resilience); + return -EINVAL; +} + +static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd, + const char *name, + struct luks2_hdr *hdr, + int reencrypt_keyslot, + uint32_t sector_size, + uint64_t data_size, + uint64_t data_offset, + const char *passphrase, + size_t passphrase_size, + int keyslot_old, + const struct crypt_params_reencrypt *params, + struct volume_key **vks) +{ + bool clear_table = false; + int r, devfd = -1; + uint64_t data_shift, max_moved_segment_length, moved_segment_length; + struct reenc_protection check_rp = {}; + struct crypt_dm_active_device dmd_target, dmd_source = { + .uuid = 
crypt_get_uuid(cd), + .flags = CRYPT_ACTIVATE_SHARED /* turn off exclusive open checks */ + }; + json_object *jobj_segments_old; + + assert(hdr); + assert(params); + assert(params->resilience); + assert(params->data_shift); + assert(vks); + + if (!data_offset) + return -EINVAL; + + if (params->max_hotzone_size > params->data_shift) { + log_err(cd, _("Moved segment size can not be greater than data shift value.")); + return -EINVAL; + } + + log_dbg(cd, "Initializing decryption with datashift."); + + data_shift = params->data_shift << SECTOR_SHIFT; + + /* + * In offline mode we must perform data move with exclusively opened data + * device in order to exclude LUKS2 decryption process and filesystem mount. + */ + if (name) + devfd = device_open(cd, crypt_data_device(cd), O_RDWR); + else + devfd = device_open_excl(cd, crypt_data_device(cd), O_RDWR); + if (devfd < 0) + return -EINVAL; + + /* in-memory only */ + moved_segment_length = params->max_hotzone_size << SECTOR_SHIFT; + if (!moved_segment_length) + moved_segment_length = data_shift < LUKS2_DEFAULT_NONE_REENCRYPTION_LENGTH ? 
+ data_shift : LUKS2_DEFAULT_NONE_REENCRYPTION_LENGTH; + + if (moved_segment_length > data_size) + moved_segment_length = data_size; + + r = reencrypt_set_decrypt_shift_segments(cd, hdr, data_size, + moved_segment_length, + params->direction); + if (r) + goto out; + + r = reencrypt_make_backup_segments(cd, hdr, CRYPT_ANY_SLOT, NULL, data_offset, params); + if (r) { + log_dbg(cd, "Failed to create reencryption backup device segments."); + goto out; + } + + r = reencrypt_verify_resilience_params(cd, params, sector_size, true); + if (r < 0) { + log_err(cd, _("Invalid reencryption resilience parameters.")); + goto out; + } + + r = LUKS2_keyslot_reencrypt_allocate(cd, hdr, reencrypt_keyslot, + params, reencrypt_get_alignment(cd, hdr)); + if (r < 0) + goto out; + + r = LUKS2_keyslot_reencrypt_load(cd, hdr, reencrypt_keyslot, &check_rp, false); + if (r < 0) + goto out; + + r = LUKS2_reencrypt_max_hotzone_size(cd, hdr, &check_rp, + reencrypt_keyslot, + &max_moved_segment_length); + if (r < 0) + goto out; + + LUKS2_reencrypt_protection_erase(&check_rp); + + if (moved_segment_length > max_moved_segment_length) { + log_err(cd, _("Moved segment too large. 
Requested size %" PRIu64 ", available space for: %" PRIu64 "."), + moved_segment_length, max_moved_segment_length); + r = -EINVAL; + goto out; + } + + r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, CRYPT_ANY_SLOT, + passphrase, passphrase_size, vks); + if (r < 0) + goto out; + + r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, LUKS2_DECRYPT_DATASHIFT_REQ_VERSION, *vks); + if (r < 0) + goto out; + + if (name) { + r = reencrypt_verify_and_upload_keys(cd, hdr, + LUKS2_reencrypt_digest_old(hdr), + LUKS2_reencrypt_digest_new(hdr), + *vks); + if (r) + goto out; + + r = dm_query_device(cd, name, DM_ACTIVE_UUID | DM_ACTIVE_DEVICE | + DM_ACTIVE_CRYPT_KEYSIZE | DM_ACTIVE_CRYPT_KEY | + DM_ACTIVE_CRYPT_CIPHER, &dmd_target); + if (r < 0) + goto out; + + jobj_segments_old = reencrypt_segments_old(hdr); + if (!jobj_segments_old) { + r = -EINVAL; + goto out; + } + r = LUKS2_assembly_multisegment_dmd(cd, hdr, *vks, jobj_segments_old, &dmd_source); + if (!r) { + r = crypt_compare_dm_devices(cd, &dmd_source, &dmd_target); + if (r) + log_err(cd, _("Mismatching parameters on device %s."), name); + } + json_object_put(jobj_segments_old); + + dm_targets_free(cd, &dmd_source); + dm_targets_free(cd, &dmd_target); + free(CONST_CAST(void*)dmd_target.uuid); + + if (r) + goto out; + + dmd_source.size = dmd_target.size; + r = LUKS2_assembly_multisegment_dmd(cd, hdr, *vks, LUKS2_get_segments_jobj(hdr), &dmd_source); + if (!r) { + r = dm_reload_device(cd, name, &dmd_source, dmd_target.flags, 0); + if (r) + log_err(cd, _("Failed to reload device %s."), name); + else + clear_table = true; + } + + dm_targets_free(cd, &dmd_source); + + if (r) + goto out; + } + + if (name) { + r = dm_suspend_device(cd, name, DM_SUSPEND_SKIP_LOCKFS); + if (r) { + log_err(cd, _("Failed to suspend device %s."), name); + goto out; + } + } + + if (reencrypt_move_data(cd, devfd, data_shift, params->mode)) { + r = -EIO; + goto out; + } + + /* This must be first and only write in LUKS2 metadata during _reencrypt_init 
*/ + r = reencrypt_update_flag(cd, LUKS2_DECRYPT_DATASHIFT_REQ_VERSION, true, true); + if (r) { + log_dbg(cd, "Failed to set online-reencryption requirement."); + r = -EINVAL; + } else + r = reencrypt_keyslot; +out: + if (r < 0 && clear_table && dm_clear_device(cd, name)) + log_err(cd, _("Failed to clear table.")); + else if (clear_table && dm_resume_device(cd, name, DM_SUSPEND_SKIP_LOCKFS)) + log_err(cd, _("Failed to resume device %s."), name); + + device_release_excl(cd, crypt_data_device(cd)); + if (r < 0 && LUKS2_hdr_rollback(cd, hdr) < 0) + log_dbg(cd, "Failed to rollback LUKS2 metadata after failure."); + return r; } @@ -2378,15 +2934,18 @@ static int reencrypt_init(struct crypt_device *cd, { bool move_first_segment; char _cipher[128]; - uint32_t sector_size; + uint32_t check_sector_size, new_sector_size, old_sector_size; int r, reencrypt_keyslot, devfd = -1; - uint64_t data_offset, dev_size = 0; + uint64_t data_offset, data_size = 0; struct crypt_dm_active_device dmd_target, dmd_source = { .uuid = crypt_get_uuid(cd), .flags = CRYPT_ACTIVATE_SHARED /* turn off exclusive open checks */ }; - if (!params || params->mode > CRYPT_REENCRYPT_DECRYPT) + assert(cd); + assert(hdr); + + if (!params || !params->resilience || params->mode > CRYPT_REENCRYPT_DECRYPT) return -EINVAL; if (params->mode != CRYPT_REENCRYPT_DECRYPT && 
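Review bot: In reencrypt_decrypt_with_datashift_init, the `if (!jobj_segments_old)` branch jumps to out after dm_query_device() has filled `dmd_target`, skipping the `dm_targets_free(cd, &dmd_target)` and uuid free that the normal path performs. The query requested DM_ACTIVE_CRYPT_KEY, so the memory left allocated presumably includes the active volume key. Release it before the jump with `dm_targets_free(cd, &dmd_target); free(CONST_CAST(void*)dmd_target.uuid);`. Separately, reencrypt_verify_resilience_params() runs only after the segment and backup-segment changes, and calling it first would reject bad parameters before any in-memory header state is modified.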
@@ -2398,13 +2957,17 @@ static int reencrypt_init(struct crypt_device *cd, move_first_segment = (params->flags & CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT); + old_sector_size = LUKS2_get_sector_size(hdr); + /* implicit sector size 512 for decryption */ - sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE; - if (sector_size < SECTOR_SIZE || sector_size > MAX_SECTOR_SIZE || - NOTPOW2(sector_size)) { + new_sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE; + if (new_sector_size < SECTOR_SIZE || new_sector_size > MAX_SECTOR_SIZE || + NOTPOW2(new_sector_size)) { log_err(cd, _("Unsupported encryption sector size.")); return -EINVAL; } + /* check the larger encryption sector size only */ + check_sector_size = new_sector_size > old_sector_size ? new_sector_size : old_sector_size; if (!cipher_mode || *cipher_mode == '\0') r = snprintf(_cipher, sizeof(_cipher), "%s", cipher); @@ -2413,11 +2976,6 @@ static int reencrypt_init(struct crypt_device *cd, if (r < 0 || (size_t)r >= sizeof(_cipher)) return -EINVAL; - if (MISALIGNED(params->data_shift, sector_size >> SECTOR_SHIFT)) { - log_err(cd, _("Data shift is not aligned to requested encryption sector size (%" PRIu32 " bytes)."), sector_size); - return -EINVAL; - } - data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT; r = device_check_access(cd, crypt_data_device(cd), DEV_OK); 
@@ -2428,14 +2986,22 @@ static int reencrypt_init(struct crypt_device *cd, if (r) return r; - r = device_size(crypt_data_device(cd), &dev_size); + r = device_size(crypt_data_device(cd), &data_size); if (r) return r; - dev_size -= data_offset; + data_size -= data_offset; - if (MISALIGNED(dev_size, sector_size)) { - log_err(cd, _("Data device is not aligned to requested encryption sector size (%" PRIu32 " bytes)."), sector_size); + if (params->device_size) { + if ((params->device_size << SECTOR_SHIFT) > data_size) { + log_err(cd, _("Reduced data size is larger than real device size.")); + return -EINVAL; + } else + data_size = params->device_size << SECTOR_SHIFT; + } + + if (MISALIGNED(data_size, check_sector_size)) { + log_err(cd, _("Data device is not aligned to encryption sector size (%" PRIu32 " bytes)."), check_sector_size); return -EINVAL; } 
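Review bot: The new bound check `(params->device_size << SECTOR_SHIFT) > data_size` can wrap when `device_size` is very large (assuming it is a 64-bit sector count), so an oversized request may pass the comparison and then set `data_size` to the wrapped value. Comparing in sectors avoids the shift: `if (params->device_size > (data_size >> SECTOR_SHIFT)) {`. The context line `data_size -= data_offset;` just above also subtracts without first checking `data_size >= data_offset`, which would underflow on a device shorter than the data offset. The `params->data_shift << SECTOR_SHIFT` comparison and arguments in the following hunk (`@@ -2445,51 +3011,73 @@`) carry the same wrap risk. The body of reencrypt_init starts and ends outside this hunk.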
@@ -2445,51 +3011,73 @@ static int reencrypt_init(struct crypt_device *cd, return -EINVAL; } + if (params->mode == CRYPT_REENCRYPT_DECRYPT && (params->data_shift > 0) && move_first_segment) + return reencrypt_decrypt_with_datashift_init(cd, name, hdr, + reencrypt_keyslot, + check_sector_size, + data_size, + data_offset, + passphrase, + passphrase_size, + keyslot_old, + params, + vks); + + /* * We must perform data move with exclusive open data device * to exclude another cryptsetup process to colide with * encryption initialization (or mount) */ if (move_first_segment) { - if (dev_size < (params->data_shift << SECTOR_SHIFT)) { + if (data_size < (params->data_shift << SECTOR_SHIFT)) { log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd))); return -EINVAL; } if (params->data_shift < LUKS2_get_data_offset(hdr)) { - log_err(cd, _("Data shift (%" PRIu64 " sectors) is less than future data offset (%" PRIu64 " sectors)."), params->data_shift, LUKS2_get_data_offset(hdr)); + log_err(cd, _("Data shift (%" PRIu64 " sectors) is less than future data offset (%" PRIu64 " sectors)."), + params->data_shift, LUKS2_get_data_offset(hdr)); return -EINVAL; } devfd = device_open_excl(cd, crypt_data_device(cd), O_RDWR); if (devfd < 0) { if (devfd == -EBUSY) - log_err(cd,_("Failed to open %s in exclusive mode (already mapped or mounted)."), device_path(crypt_data_device(cd))); + log_err(cd,_("Failed to open %s in exclusive mode (already mapped or mounted)."), + device_path(crypt_data_device(cd))); return -EINVAL; } } if (params->mode == CRYPT_REENCRYPT_ENCRYPT) { /* in-memory only */ - r = reencrypt_set_encrypt_segments(cd, hdr, dev_size, params->data_shift << SECTOR_SHIFT, move_first_segment, params->direction); + r = reencrypt_set_encrypt_segments(cd, hdr, data_size, + params->data_shift << SECTOR_SHIFT, + move_first_segment, + params->direction); if (r) goto out; } - r = LUKS2_keyslot_reencrypt_allocate(cd, hdr, reencrypt_keyslot, - params); - if (r < 0) - goto 
out; - r = reencrypt_make_backup_segments(cd, hdr, keyslot_new, _cipher, data_offset, params); if (r) { log_dbg(cd, "Failed to create reencryption backup device segments."); goto out; } + r = reencrypt_verify_resilience_params(cd, params, check_sector_size, move_first_segment); + if (r < 0) + goto out; + + r = LUKS2_keyslot_reencrypt_allocate(cd, hdr, reencrypt_keyslot, params, + reencrypt_get_alignment(cd, hdr)); + if (r < 0) + goto out; + r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, vks); if (r < 0) goto out; - r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, *vks); + r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, LUKS2_REENCRYPT_REQ_VERSION, *vks); if (r < 0) goto out; @@ -2519,13 +3107,13 @@ static int reencrypt_init(struct crypt_device *cd, goto out; } - if (move_first_segment && reencrypt_move_data(cd, devfd, params->data_shift << SECTOR_SHIFT)) { + if (move_first_segment && reencrypt_move_data(cd, devfd, params->data_shift << SECTOR_SHIFT, params->mode)) { r = -EIO; goto out; } /* This must be first and only write in LUKS2 metadata during _reencrypt_init */ - r = reencrypt_update_flag(cd, 1, true); + r = reencrypt_update_flag(cd, LUKS2_REENCRYPT_REQ_VERSION, true, true); if (r) { log_dbg(cd, "Failed to set online-reencryption requirement."); r = -EINVAL; 
@@ -2533,42 +3121,46 @@ static int reencrypt_init(struct crypt_device *cd, r = reencrypt_keyslot; out: device_release_excl(cd, crypt_data_device(cd)); - if (r < 0) - crypt_load(cd, CRYPT_LUKS2, NULL); + if (r < 0 && LUKS2_hdr_rollback(cd, hdr) < 0) + log_dbg(cd, "Failed to rollback LUKS2 metadata after failure."); return r; } static int reencrypt_hotzone_protect_final(struct crypt_device *cd, - struct luks2_hdr *hdr, struct luks2_reencrypt *rh, + struct luks2_hdr *hdr, int reencrypt_keyslot, + const struct reenc_protection *rp, const void *buffer, size_t buffer_len) { const void *pbuffer; size_t data_offset, len; int r; - if (rh->rp.type == REENC_PROTECTION_NONE) + assert(hdr); + assert(rp); + + if (rp->type == REENC_PROTECTION_NONE) return 0; - if (rh->rp.type == REENC_PROTECTION_CHECKSUM) { + if (rp->type == REENC_PROTECTION_CHECKSUM) { log_dbg(cd, "Checksums hotzone resilience."); - for (data_offset = 0, len = 0; data_offset < buffer_len; data_offset += rh->alignment, len += rh->rp.p.csum.hash_size) { - if (crypt_hash_write(rh->rp.p.csum.ch, (const char *)buffer + data_offset, rh->alignment)) { + for (data_offset = 0, len = 0; data_offset < buffer_len; data_offset += rp->p.csum.block_size, len += rp->p.csum.hash_size) { + if (crypt_hash_write(rp->p.csum.ch, (const char *)buffer + data_offset, rp->p.csum.block_size)) { log_dbg(cd, "Failed to hash sector at offset %zu.", data_offset); return -EINVAL; } - if (crypt_hash_final(rh->rp.p.csum.ch, (char *)rh->rp.p.csum.checksums + len, rh->rp.p.csum.hash_size)) { + if (crypt_hash_final(rp->p.csum.ch, (char *)rp->p.csum.checksums + len, rp->p.csum.hash_size)) { log_dbg(cd, "Failed to finalize hash."); return -EINVAL; } } - pbuffer = rh->rp.p.csum.checksums; - } else if (rh->rp.type == REENC_PROTECTION_JOURNAL) { + pbuffer = rp->p.csum.checksums; + } else if (rp->type == REENC_PROTECTION_JOURNAL) { log_dbg(cd, "Journal hotzone resilience."); len = buffer_len; pbuffer = buffer; - } else if (rh->rp.type == 
REENC_PROTECTION_DATASHIFT) { + } else if (rp->type == REENC_PROTECTION_DATASHIFT) { log_dbg(cd, "Data shift hotzone resilience."); return LUKS2_hdr_write(cd, hdr); } else @@ -2576,7 +3168,7 @@ static int reencrypt_hotzone_protect_final(struct crypt_device *cd, log_dbg(cd, "Going to store %zu bytes in reencrypt keyslot.", len); - r = LUKS2_keyslot_reencrypt_store(cd, hdr, rh->reenc_keyslot, pbuffer, len); + r = LUKS2_keyslot_reencrypt_store(cd, hdr, reencrypt_keyslot, pbuffer, len); return r > 0 ? 0 : r; } @@ -2588,15 +3180,15 @@ static int reencrypt_context_update(struct crypt_device *cd, return -EINVAL; if (rh->direction == CRYPT_REENCRYPT_BACKWARD) { - if (rh->data_shift && rh->mode == CRYPT_REENCRYPT_ENCRYPT) { + if (rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->mode == CRYPT_REENCRYPT_ENCRYPT) { if (rh->offset) - rh->offset -= rh->data_shift; - if (rh->offset && (rh->offset < rh->data_shift)) { + rh->offset -= data_shift_value(&rh->rp); + if (rh->offset && (rh->offset < data_shift_value(&rh->rp))) { rh->length = rh->offset; - rh->offset = rh->data_shift; + rh->offset = data_shift_value(&rh->rp); } if (!rh->offset) - rh->length = rh->data_shift; + rh->length = data_shift_value(&rh->rp); } else { if (rh->offset < rh->length) rh->length = rh->offset; @@ -2604,8 +3196,15 @@ static int reencrypt_context_update(struct crypt_device *cd, } } else if (rh->direction == CRYPT_REENCRYPT_FORWARD) { rh->offset += (uint64_t)rh->read; + if (rh->device_size == rh->offset && + rh->jobj_segment_moved && + rh->mode == CRYPT_REENCRYPT_DECRYPT && + rh->rp.type == REENC_PROTECTION_DATASHIFT) { + rh->offset = 0; + rh->length = json_segment_get_size(rh->jobj_segment_moved, 0); + } /* it fails in-case of device_size < rh->offset later */ - if (rh->device_size - rh->offset < rh->length) + else if (rh->device_size - rh->offset < rh->length) rh->length = rh->device_size - rh->offset; } else return -EINVAL; 
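Review bot: In the checksum branch of reencrypt_hotzone_protect_final() the loop reads `rp->p.csum.block_size` bytes at `buffer + data_offset` on every pass and advances `len` by `hash_size`. Nothing in the hunk checks that `block_size` is non-zero, that `buffer_len` is a multiple of it, or that `len` stays inside the checksums buffer. A short final chunk would therefore be hashed past the end of `buffer`, and a zero block size would never terminate. If these invariants are enforced where the protection is set up (not visible here), an explicit guard before the loop would still make the dependency visible, for example `if (!rp->p.csum.block_size || buffer_len % rp->p.csum.block_size) return -EINVAL;`. The function continues past the end of this hunk.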
@@ -2622,7 +3221,8 @@ static int reencrypt_context_update(struct crypt_device *cd, static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t device_size, - const struct crypt_params_reencrypt *params, + uint64_t max_hotzone_size, + uint64_t required_device_size, struct volume_key *vks, struct luks2_reencrypt **rh) { @@ -2641,7 +3241,7 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr, return r; if (ri == CRYPT_REENCRYPT_CLEAN) - r = reencrypt_load_clean(cd, hdr, device_size, &tmp, params); + r = reencrypt_load_clean(cd, hdr, device_size, max_hotzone_size, required_device_size, &tmp); else if (ri == CRYPT_REENCRYPT_CRASH) r = reencrypt_load_crashed(cd, hdr, device_size, &tmp); else 
@@ -2772,27 +3372,44 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd, struct volume_key **vks, const struct crypt_params_reencrypt *params) { - int r, old_ss, new_ss; + int r, reencrypt_slot; struct luks2_hdr *hdr; struct crypt_lock_handle *reencrypt_lock; struct luks2_reencrypt *rh; const struct volume_key *vk; + size_t alignment; + uint32_t old_sector_size, new_sector_size, sector_size; struct crypt_dm_active_device dmd_target, dmd_source = { .uuid = crypt_get_uuid(cd), .flags = CRYPT_ACTIVATE_SHARED /* turn off exclusive open checks */ }; - uint64_t minimal_size, device_size, mapping_size = 0, required_size = 0; + uint64_t minimal_size, device_size, mapping_size = 0, required_size = 0, + max_hotzone_size = 0; bool dynamic; - struct crypt_params_reencrypt rparams = {}; uint32_t flags = 0; - if (params) { - rparams = *params; - required_size = params->device_size; - } + assert(cd); + + hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (!hdr) + return -EINVAL; log_dbg(cd, "Loading LUKS2 reencryption context."); + old_sector_size = reencrypt_get_sector_size_old(hdr); + new_sector_size = reencrypt_get_sector_size_new(hdr); + sector_size = new_sector_size > old_sector_size ? new_sector_size : old_sector_size; + + r = reencrypt_verify_resilience_params(cd, params, sector_size, + LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0); + if (r < 0) + return r; + + if (params) { + required_size = params->device_size; + max_hotzone_size = params->max_hotzone_size; + } + rh = crypt_get_luks2_reencrypt(cd); if (rh) { LUKS2_reencrypt_free(cd, rh); 
@@ -2800,16 +3417,22 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd, rh = NULL; } - hdr = crypt_get_hdr(cd, CRYPT_LUKS2); - r = reencrypt_lock_and_verify(cd, hdr, &reencrypt_lock); if (r) return r; + reencrypt_slot = LUKS2_find_keyslot(hdr, "reencrypt"); + if (reencrypt_slot < 0) { + r = -EINVAL; + goto err; + } + /* From now on we hold reencryption lock */ - if (LUKS2_get_data_size(hdr, &minimal_size, &dynamic)) - return -EINVAL; + if (LUKS2_get_data_size(hdr, &minimal_size, &dynamic)) { + r = -EINVAL; + goto err; + } /* some configurations provides fixed device size */ r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, false, dynamic); @@ -2820,22 +3443,20 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd, minimal_size >>= SECTOR_SHIFT; - old_ss = reencrypt_get_sector_size_old(hdr); - new_ss = reencrypt_get_sector_size_new(hdr); - - r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks); + r = reencrypt_verify_keys(cd, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks); if (r == -ENOENT) { log_dbg(cd, "Keys are not ready. Unlocking all volume keys."); r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, vks); - if (r < 0) - goto err; - r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks); } if (r < 0) goto err; if (name) { + r = reencrypt_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks); + if (r < 0) + goto err; + r = dm_query_device(cd, name, DM_ACTIVE_UUID | DM_ACTIVE_DEVICE | DM_ACTIVE_CRYPT_KEYSIZE | DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_CRYPT_CIPHER, &dmd_target); 
@@ -2847,7 +3468,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd, * By default reencryption code aims to retain flags from existing dm device. * The keyring activation flag can not be inherited if original cipher is null. * - * In this case override the flag based on decision made in reencrypt_verify_and_upload_keys + * In this case override the flag based on decision made in reencrypt_upload_keys * above. The code checks if new VK is eligible for keyring. */ vk = crypt_volume_key_by_id(*vks, LUKS2_reencrypt_digest_new(hdr)); @@ -2885,15 +3506,22 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd, if ((minimal_size && (required_size < minimal_size)) || (required_size > (device_size >> SECTOR_SHIFT)) || (!dynamic && (required_size != minimal_size)) || - (old_ss > 0 && MISALIGNED(required_size, old_ss >> SECTOR_SHIFT)) || - (new_ss > 0 && MISALIGNED(required_size, new_ss >> SECTOR_SHIFT))) { + (old_sector_size > 0 && MISALIGNED(required_size, old_sector_size >> SECTOR_SHIFT)) || + (new_sector_size > 0 && MISALIGNED(required_size, new_sector_size >> SECTOR_SHIFT))) { log_err(cd, _("Illegal device size requested in reencryption parameters.")); goto err; } - rparams.device_size = required_size; } - r = reencrypt_load(cd, hdr, device_size, &rparams, *vks, &rh); + alignment = reencrypt_get_alignment(cd, hdr); + + r = LUKS2_keyslot_reencrypt_update_needed(cd, hdr, reencrypt_slot, params, alignment); + if (r > 0) /* metadata update needed */ + r = LUKS2_keyslot_reencrypt_update(cd, hdr, reencrypt_slot, params, alignment, *vks); + if (r < 0) + goto err; + + r = reencrypt_load(cd, hdr, device_size, max_hotzone_size, required_size, *vks, &rh); if (r < 0 || !rh) goto err; 
@@ -2976,7 +3604,7 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd, if (ri == CRYPT_REENCRYPT_CRASH) { r = LUKS2_reencrypt_locked_recovery_by_passphrase(cd, keyslot_old, keyslot_new, - passphrase, passphrase_size, 0, NULL); + passphrase, passphrase_size, NULL); if (r < 0) log_err(cd, _("LUKS2 reencryption recovery failed.")); } else { @@ -3000,6 +3628,8 @@ static int reencrypt_repair_by_passphrase( struct crypt_lock_handle *reencrypt_lock; struct luks2_reencrypt *rh; crypt_reencrypt_info ri; + uint8_t requirement_version; + const char *resilience; struct volume_key *vks = NULL; log_dbg(cd, "Loading LUKS2 reencryption context for metadata repair."); @@ -3044,22 +3674,31 @@ static int reencrypt_repair_by_passphrase( goto out; } + resilience = reencrypt_resilience_type(hdr); + if (!resilience) { + r = -EINVAL; + goto out; + } + + if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_DECRYPT && + !strncmp(resilience, "datashift-", 10) && + LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0) + requirement_version = LUKS2_DECRYPT_DATASHIFT_REQ_VERSION; + else + requirement_version = LUKS2_REENCRYPT_REQ_VERSION; + r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, &vks); if (r < 0) goto out; - r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, vks); + r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, requirement_version, vks); crypt_free_volume_key(vks); vks = NULL; if (r < 0) goto out; - /* removes online-reencrypt flag v1 */ - if ((r = reencrypt_update_flag(cd, 0, false))) - goto out; - - /* adds online-reencrypt flag v2 and commits metadata */ - r = reencrypt_update_flag(cd, 1, true); + /* replaces old online-reencrypt flag with updated version and commits metadata */ + r = reencrypt_update_flag(cd, requirement_version, true, true); out: LUKS2_reencrypt_unlock(cd, reencrypt_lock); crypt_free_volume_key(vks); 
@@ -3097,8 +3736,10 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd, if (r < 0) return r; r = LUKS2_check_cipher(cd, r, cipher, cipher_mode); - if (r < 0) + if (r < 0) { + log_err(cd, _("Unable to use cipher specification %s-%s for LUKS2."), cipher, cipher_mode); return r; + } } r = LUKS2_device_write_lock(cd, hdr, crypt_metadata_device(cd)); @@ -3201,6 +3842,12 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd, bool online) { int r; + struct reenc_protection *rp; + + assert(hdr); + assert(rh); + + rp = &rh->rp; /* in memory only */ r = reencrypt_make_segments(cd, hdr, rh, device_size); @@ -3213,18 +3860,10 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd, return REENC_ERR; } - if (online) { - r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size, rh->flags); - /* Teardown overlay devices with dm-error. None bio shall pass! */ - if (r != REENC_OK) - return r; - } - log_dbg(cd, "Reencrypting chunk starting at offset: %" PRIu64 ", size :%" PRIu64 ".", rh->offset, rh->length); log_dbg(cd, "data_offset: %" PRIu64, crypt_get_data_offset(cd) << SECTOR_SHIFT); - if (!rh->offset && rh->mode == CRYPT_REENCRYPT_ENCRYPT && rh->data_shift && - rh->jobj_segment_moved) { + if (!rh->offset && rp->type == REENC_PROTECTION_DATASHIFT && rh->jobj_segment_moved) { crypt_storage_wrapper_destroy(rh->cw1); log_dbg(cd, "Reinitializing old segment storage wrapper for moved segment."); r = crypt_storage_wrapper_init(cd, &rh->cw1, crypt_data_device(cd), 
@@ -3238,6 +3877,24 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd, log_err(cd, _("Failed to initialize old segment storage wrapper.")); return REENC_ROLLBACK; } + + if (rh->rp_moved_segment.type != REENC_PROTECTION_NOT_SET) { + log_dbg(cd, "Switching to moved segment resilience type."); + rp = &rh->rp_moved_segment; + } + } + + r = reencrypt_hotzone_protect_ready(cd, rp); + if (r) { + log_err(cd, _("Failed to initialize hotzone protection.")); + return REENC_ROLLBACK; + } + + if (online) { + r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size, rh->flags); + /* Teardown overlay devices with dm-error. None bio shall pass! */ + if (r != REENC_OK) + return r; } rh->read = crypt_storage_wrapper_read(rh->cw1, rh->offset, rh->reenc_buffer, rh->length); @@ -3248,7 +3905,7 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd, } /* metadata commit point */ - r = reencrypt_hotzone_protect_final(cd, hdr, rh, rh->reenc_buffer, rh->read); + r = reencrypt_hotzone_protect_final(cd, hdr, rh->reenc_keyslot, rp, rh->reenc_buffer, rh->read); if (r < 0) { /* severity normal */ log_err(cd, _("Failed to write reencryption resilience metadata.")); @@ -3267,13 +3924,13 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd, return REENC_FATAL; } - if (rh->rp.type != REENC_PROTECTION_NONE && crypt_storage_wrapper_datasync(rh->cw2)) { + if (rp->type != REENC_PROTECTION_NONE && crypt_storage_wrapper_datasync(rh->cw2)) { log_err(cd, _("Failed to sync data.")); return REENC_FATAL; } /* metadata commit safe point */ - r = reencrypt_assign_segments(cd, hdr, rh, 0, rh->rp.type != REENC_PROTECTION_NONE); + r = reencrypt_assign_segments(cd, hdr, rh, 0, rp->type != REENC_PROTECTION_NONE); if (r) { /* severity fatal */ log_err(cd, _("Failed to update metadata after current reencryption hotzone completed.")); 
@@ -3318,12 +3975,15 @@ static int reencrypt_erase_backup_segments(struct crypt_device *cd, return 0; } -static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_reencrypt *rh) +static int reencrypt_wipe_unused_device_area(struct crypt_device *cd, struct luks2_reencrypt *rh) { + uint64_t offset, length, dev_size; int r = 0; - uint64_t offset, length; - if (rh->jobj_segment_moved) { + assert(cd); + assert(rh); + + if (rh->jobj_segment_moved && rh->mode == CRYPT_REENCRYPT_ENCRYPT) { offset = json_segment_get_offset(rh->jobj_segment_moved, 0); length = json_segment_get_size(rh->jobj_segment_moved, 0); log_dbg(cd, "Wiping %" PRIu64 " bytes of backup segment data at offset %" PRIu64, @@ -3332,6 +3992,25 @@ static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_re offset, length, 1024 * 1024, NULL, NULL); } + if (r < 0) + return r; + + if (rh->rp.type == REENC_PROTECTION_DATASHIFT && rh->direction == CRYPT_REENCRYPT_FORWARD) { + r = device_size(crypt_data_device(cd), &dev_size); + if (r < 0) + return r; + + if (dev_size < data_shift_value(&rh->rp)) + return -EINVAL; + + offset = dev_size - data_shift_value(&rh->rp); + length = data_shift_value(&rh->rp); + log_dbg(cd, "Wiping %" PRIu64 " bytes of data at offset %" PRIu64, + length, offset); + r = crypt_wipe_device(cd, crypt_data_device(cd), CRYPT_WIPE_RANDOM, + offset, length, 1024 * 1024, NULL, NULL); + } + return r; } 
@@ -3365,9 +4044,9 @@ static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, } if (finished) { - if (reencrypt_wipe_moved_segment(cd, rh)) - log_err(cd, _("Failed to wipe backup segment data.")); - if (reencrypt_get_data_offset_new(hdr) && LUKS2_set_keyslots_size(cd, hdr, reencrypt_get_data_offset_new(hdr))) + if (reencrypt_wipe_unused_device_area(cd, rh)) + log_err(cd, _("Failed to wipe unused data device area.")); + if (reencrypt_get_data_offset_new(hdr) && LUKS2_set_keyslots_size(hdr, reencrypt_get_data_offset_new(hdr))) log_dbg(cd, "Failed to set new keyslots area size."); if (rh->digest_old >= 0 && rh->digest_new != rh->digest_old) for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) @@ -3377,7 +4056,7 @@ static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, if (reencrypt_erase_backup_segments(cd, hdr)) log_dbg(cd, "Failed to erase backup segments"); - if (reencrypt_update_flag(cd, 0, false)) + if (reencrypt_update_flag(cd, 0, false, false)) log_dbg(cd, "Failed to disable reencryption requirement flag."); /* metadata commit point also removing reencryption flag on-disk */ @@ -3476,14 +4155,8 @@ int crypt_reencrypt_run( rs = REENC_OK; - /* update reencrypt keyslot protection parameters in memory only */ - if (!quit && (rh->device_size > rh->progress)) { - r = reencrypt_keyslot_update(cd, rh); - if (r < 0) { - log_dbg(cd, "Keyslot update failed."); - return reencrypt_teardown(cd, hdr, rh, REENC_ERR, quit, progress, usrptr); - } - } + if (progress && progress(rh->device_size, rh->progress, usrptr)) + quit = true; while (!quit && (rh->device_size > rh->progress)) { rs = reencrypt_step(cd, hdr, rh, rh->device_size, rh->online); 
@@ -3528,7 +4201,7 @@ static int reencrypt_recovery(struct crypt_device *cd, int r; struct luks2_reencrypt *rh = NULL; - r = reencrypt_load(cd, hdr, device_size, NULL, vks, &rh); + r = reencrypt_load(cd, hdr, device_size, 0, 0, vks, &rh); if (r < 0) { log_err(cd, _("Failed to load LUKS2 reencryption context.")); return r; @@ -3618,7 +4291,6 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd, int keyslot_new, const char *passphrase, size_t passphrase_size, - uint32_t flags __attribute__((unused)), struct volume_key **vks) { uint64_t minimal_size, device_size; @@ -3641,7 +4313,7 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd, vk = _vks; while (vk) { - r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)); + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk)); if (r < 0) goto out; vk = crypt_volume_key_next(vk); @@ -3667,7 +4339,10 @@ crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr, { crypt_reencrypt_info ri; int digest; - uint32_t version; + uint8_t version; + + if (params) + memset(params, 0, sizeof(*params)); ri = LUKS2_reencrypt_status(hdr); if (ri == CRYPT_REENCRYPT_NONE || ri == CRYPT_REENCRYPT_INVALID || !params) diff --git a/lib/luks2/luks2_reencrypt_digest.c b/lib/luks2/luks2_reencrypt_digest.c index 7ee277c..bc86f54 100644 --- a/lib/luks2/luks2_reencrypt_digest.c +++ b/lib/luks2/luks2_reencrypt_digest.c @@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption digest helpers * - * Copyright (C) 2022, Red Hat, Inc. All rights reserved. - * Copyright (C) 2022, Ondrej Kozina - * Copyright (C) 2022, Milan Broz + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2023 Ondrej Kozina + * Copyright (C) 2022-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
@@ -21,7 +21,6 @@ */ #include "luks2_internal.h" -#include <assert.h> #define MAX_STR 64 @@ -231,8 +230,22 @@ static size_t reenc_keyslot_serialize(struct luks2_hdr *hdr, uint8_t *buffer) { JU32, jobj_area, "sector_size" }, {} }; + struct jtype j_datashift_checksum[] = { + { JSTR, jobj_keyslot, "mode" }, + { JSTR, jobj_keyslot, "direction" }, + { JSTR, jobj_area, "type" }, + { JU64, jobj_area, "offset" }, + { JU64, jobj_area, "size" }, + { JSTR, jobj_area, "hash" }, + { JU32, jobj_area, "sector_size" }, + { JU64, jobj_area, "shift_size" }, + {} + }; - if (!strcmp(area_type, "datashift")) + if (!strcmp(area_type, "datashift-checksum")) + return srs(j_datashift_checksum, buffer); + else if (!strcmp(area_type, "datashift") || + !strcmp(area_type, "datashift-journal")) return srs(j_datashift, buffer); else if (!strcmp(area_type, "checksum")) return srs(j_checksum, buffer); @@ -251,6 +264,7 @@ static size_t blob_serialize(void *blob, size_t length, uint8_t *buffer) static int reencrypt_assembly_verification_data(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks, + uint8_t version, struct volume_key **verification_data) { uint8_t *ptr; 
@@ -258,21 +272,30 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd, struct volume_key *data = NULL, *vk_old = NULL, *vk_new = NULL; size_t keyslot_data_len, segments_data_len, data_len = 2; + /* + * This works up to (including) version v207. + */ + assert(version < (UINT8_MAX - 0x2F)); + /* Keys - calculate length */ digest_new = LUKS2_reencrypt_digest_new(hdr); digest_old = LUKS2_reencrypt_digest_old(hdr); if (digest_old >= 0) { vk_old = crypt_volume_key_by_id(vks, digest_old); - if (!vk_old) + if (!vk_old) { + log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_old); return -EINVAL; + } data_len += blob_serialize(vk_old->key, vk_old->keylength, NULL); } if (digest_new >= 0 && digest_old != digest_new) { vk_new = crypt_volume_key_by_id(vks, digest_new); - if (!vk_new) + if (!vk_new) { + log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_new); return -EINVAL; + } data_len += blob_serialize(vk_new->key, vk_new->keylength, NULL); } @@ -295,9 +318,8 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd, ptr = (uint8_t*)data->key; - /* v2 */ *ptr++ = 0x76; - *ptr++ = 0x32; + *ptr++ = 0x30 + version; if (vk_old) ptr += blob_serialize(vk_old->key, vk_old->keylength, ptr); @@ -325,6 +347,7 @@ bad: int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd, struct luks2_hdr *hdr, + uint8_t version, struct volume_key *vks) { int digest_reencrypt, keyslot_reencrypt, r; @@ -334,7 +357,7 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd, if (keyslot_reencrypt < 0) return keyslot_reencrypt; - r = reencrypt_assembly_verification_data(cd, hdr, vks, &data); + r = reencrypt_assembly_verification_data(cd, hdr, vks, version, &data); if (r < 0) return r; 
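Review bot: `assert(version < (UINT8_MAX - 0x2F))` is the only guard before `*ptr++ = 0x30 + version;` in reencrypt_assembly_verification_data(). In the LUKS2_reencrypt_digest_verify() hunk (`@@ -358,12 +381,18 @@`) the version is obtained from `LUKS2_config_get_reencrypt_version(hdr, &version)`, i.e. from header metadata. With NDEBUG the assert disappears and the byte silently wraps; without it, an out-of-range value aborts the process instead of failing verification. Unless that getter already bounds the value (not visible here), an explicit `if (version >= (UINT8_MAX - 0x2F)) return -EINVAL;` would be safer. The `assert(token >= 0 && ...)` context lines in the token_is_blocked() and token_block() hunks of luks2_token.c are likewise the only bound on a token id parsed with `atoi(slot)` before the 32-bit shift.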
@@ -358,12 +381,18 @@ int LUKS2_reencrypt_digest_verify(struct crypt_device *cd, { int r, keyslot_reencrypt; struct volume_key *data; + uint8_t version; + + log_dbg(cd, "Verifying reencryption metadata."); keyslot_reencrypt = LUKS2_find_keyslot(hdr, "reencrypt"); if (keyslot_reencrypt < 0) return keyslot_reencrypt; - r = reencrypt_assembly_verification_data(cd, hdr, vks, &data); + if (LUKS2_config_get_reencrypt_version(hdr, &version)) + return -EINVAL; + + r = reencrypt_assembly_verification_data(cd, hdr, vks, version, &data); if (r < 0) return r; diff --git a/lib/luks2/luks2_segment.c b/lib/luks2/luks2_segment.c index 46a524d..63e7c14 100644 --- a/lib/luks2/luks2_segment.c +++ b/lib/luks2/luks2_segment.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, internal segment handling * - * Copyright (C) 2018-2021, Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2021, Ondrej Kozina + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -103,15 +103,17 @@ const char *json_segment_get_cipher(json_object *jobj_segment) return json_object_get_string(jobj); } -int json_segment_get_sector_size(json_object *jobj_segment) +uint32_t json_segment_get_sector_size(json_object *jobj_segment) { json_object *jobj; + int i; if (!jobj_segment || !json_object_object_get_ex(jobj_segment, "sector_size", &jobj)) - return -1; + return SECTOR_SIZE; - return json_object_get_int(jobj); + i = json_object_get_int(jobj); + return i < 0 ? SECTOR_SIZE : i; } static json_object *json_segment_get_flags(json_object *jobj_segment) 
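Review bot: json_segment_get_sector_size() now maps both a missing `sector_size` and a negative value to `SECTOR_SIZE`, so callers can no longer tell malformed metadata from a genuine 512-byte segment. Zero and values above `MAX_SECTOR_SIZE` are still returned unchanged. A comment on the function should state that range and power-of-two validation happens elsewhere, e.g. `/* returns SECTOR_SIZE when unset or negative; the value is otherwise not validated here */`. Callers that previously tested the result against `-1` or `> 0` should be checked against the new return type; none of them are visible in this hunk.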
@@ -344,19 +346,11 @@ int LUKS2_segment_by_type(struct luks2_hdr *hdr, const char *type) int LUKS2_segment_first_unused_id(struct luks2_hdr *hdr) { json_object *jobj_segments; - int id, last_id = -1; if (!json_object_object_get_ex(hdr->jobj, "segments", &jobj_segments)) return -EINVAL; - json_object_object_foreach(jobj_segments, slot, val) { - UNUSED(val); - id = atoi(slot); - if (id > last_id) - last_id = id; - } - - return last_id + 1; + return json_object_object_length(jobj_segments); } int LUKS2_segment_set_flag(json_object *jobj_segment, const char *flag) diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index 88d8441..5f65918 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, token handling * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Milan Broz + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,7 +21,6 @@ #include <ctype.h> #include <dlfcn.h> -#include <assert.h> #include "luks2_internal.h" @@ -38,6 +37,7 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = { .u = { .v1 = { .name = LUKS2_TOKEN_KEYRING, .open = keyring_open, + .buffer_free = keyring_buffer_free, .validate = keyring_validate, .dump = keyring_dump } } @@ -423,7 +423,8 @@ static const char *token_json_to_string(json_object *jobj_token) JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); } -static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int segment, crypt_keyslot_priority minimal_priority) +static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int segment, + crypt_keyslot_priority minimal_priority, bool requires_keyslot) { crypt_keyslot_priority keyslot_priority; json_object *jobj_array; 
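Review bot: Returning `json_object_object_length(jobj_segments)` from LUKS2_segment_first_unused_id() is only correct when the segment keys form the contiguous range 0..n-1. With a gap (say keys "0" and "2") the count is 2, an id that is already in use, whereas the removed loop returned the highest id plus one. If header validation guarantees contiguous keys (not visible in this hunk), the function should say so, e.g. `/* segment ids are validated to be contiguous from 0, so the count is the first free id */`.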
@@ -440,13 +441,19 @@ static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int s /* no assigned keyslot returns -ENOENT even for CRYPT_ANY_SEGMENT */ len = json_object_array_length(jobj_array); - if (len <= 0) + if (len < 0) + return -ENOENT; + + if (!requires_keyslot) + return 0; + + if (!len) return -ENOENT; for (i = 0; i < len; i++) { keyslot = atoi(json_object_get_string(json_object_array_get_idx(jobj_array, i))); - keyslot_priority = LUKS2_keyslot_priority_get(NULL, hdr, keyslot); + keyslot_priority = LUKS2_keyslot_priority_get(hdr, keyslot); if (keyslot_priority == CRYPT_SLOT_PRIORITY_INVALID) return -EINVAL; @@ -471,7 +478,7 @@ static int translate_errno(struct crypt_device *cd, int ret_val, const char *typ return ret_val; } -static int LUKS2_token_open(struct crypt_device *cd, +static int token_open(struct crypt_device *cd, struct luks2_hdr *hdr, int token, json_object *jobj_token, @@ -482,7 +489,8 @@ static int LUKS2_token_open(struct crypt_device *cd, size_t pin_size, char **buffer, size_t *buffer_len, - void *usrptr) + void *usrptr, + bool requires_keyslot) { const struct crypt_token_handler_v2 *h; json_object *jobj_type; @@ -499,10 +507,11 @@ static int LUKS2_token_open(struct crypt_device *cd, return -ENOENT; } - r = token_is_usable(hdr, jobj_token, segment, priority); + r = token_is_usable(hdr, jobj_token, segment, priority, requires_keyslot); if (r < 0) { if (r == -ENOENT) - log_dbg(cd, "Token %d unusable for segment %d with desired keyslot priority %d.", token, segment, priority); + log_dbg(cd, "Token %d unusable for segment %d with desired keyslot priority %d.", + token, segment, priority); return r; } 
@@ -589,12 +598,13 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd, for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots) && r < 0; i++) { jobj = json_object_array_get_idx(jobj_token_keyslots, i); num = atoi(json_object_get_string(jobj)); - keyslot_priority = LUKS2_keyslot_priority_get(NULL, hdr, num); + keyslot_priority = LUKS2_keyslot_priority_get(hdr, num); if (keyslot_priority == CRYPT_SLOT_PRIORITY_INVALID) return -EINVAL; if (keyslot_priority < priority) continue; - log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", num, token, json_object_get_string(jobj_type)); + log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", + num, token, json_object_get_string(jobj_type)); r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, vk); /* short circuit on fatal error */ if (r < 0 && r != -EPERM && r != -ENOENT) @@ -615,7 +625,7 @@ static bool token_is_blocked(int token, uint32_t *block_list) /* it is safe now, but have assert in case LUKS2_TOKENS_MAX grows */ assert(token >= 0 && (size_t)token < BITFIELD_SIZE(block_list)); - return (*block_list & (1 << token)); + return (*block_list & (UINT32_C(1) << token)); } static void token_block(int token, uint32_t *block_list) @@ -623,7 +633,7 @@ static void token_block(int token, uint32_t *block_list) /* it is safe now, but have assert in case LUKS2_TOKENS_MAX grows */ assert(token >= 0 && (size_t)token < BITFIELD_SIZE(block_list)); - *block_list |= (1 << token); + *block_list |= (UINT32_C(1) << token); } static int token_open_priority(struct crypt_device *cd, 
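Review bot: In token_is_blocked, and likewise in token_block in the following hunk, the only guard on the shift count is the `assert`, so if the project's assert can be compiled out the shift by `token` is unchecked. Whether it can is not visible here. The caller token_open_priority obtains `token` from `atoi(slot)`, presumably a key of the header's tokens object, so the bound otherwise depends on metadata validation done elsewhere. A runtime check keeps the shift defined in every build: `if (token < 0 || (size_t)token >= BITFIELD_SIZE(block_list)) return true;` in token_is_blocked, and an early `return;` under the same condition in token_block.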
@@ -650,7 +660,7 @@ static int token_open_priority(struct crypt_device *cd, token = atoi(slot); if (token_is_blocked(token, block_list)) continue; - r = LUKS2_token_open(cd, hdr, token, val, type, segment, priority, pin, pin_size, &buffer, &buffer_size, usrptr); + r = token_open(cd, hdr, token, val, type, segment, priority, pin, pin_size, &buffer, &buffer_size, usrptr, true); if (!r) { r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, priority, buffer, buffer_size, vk); @@ -669,7 +679,8 @@ static int token_open_priority(struct crypt_device *cd, return *stored_retval; } -static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type, int segment, const char *pin, size_t pin_size, void *usrptr, struct volume_key **vk) +static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type, int segment, + const char *pin, size_t pin_size, void *usrptr, struct volume_key **vk) { json_object *jobj_tokens; int r, retval = -ENOENT; 
@@ -681,11 +692,64 @@ static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const if (!type) usrptr = NULL; - r = token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_PREFER, pin, pin_size, usrptr, &retval, &blocked, vk); + r = token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_PREFER, + pin, pin_size, usrptr, &retval, &blocked, vk); if (break_loop_retval(r)) return r; - return token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_NORMAL, pin, pin_size, usrptr, &retval, &blocked, vk); + return token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_NORMAL, + pin, pin_size, usrptr, &retval, &blocked, vk); +} + +int LUKS2_token_unlock_key(struct crypt_device *cd, + struct luks2_hdr *hdr, + int token, + const char *type, + const char *pin, + size_t pin_size, + int segment, + void *usrptr, + struct volume_key **vk) +{ + char *buffer; + size_t buffer_size; + json_object *jobj_token; + int r = -ENOENT; + + assert(vk); + + if (segment == CRYPT_DEFAULT_SEGMENT) + segment = LUKS2_get_default_segment(hdr); + + if (segment < 0 && segment != CRYPT_ANY_SEGMENT) + return -EINVAL; + + if (token >= 0 && token < LUKS2_TOKENS_MAX) { + if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) { + r = token_open(cd, hdr, token, jobj_token, type, segment, CRYPT_SLOT_PRIORITY_IGNORE, + pin, pin_size, &buffer, &buffer_size, usrptr, true); + if (!r) { + r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, CRYPT_SLOT_PRIORITY_IGNORE, + buffer, buffer_size, vk); + LUKS2_token_buffer_free(cd, token, buffer, buffer_size); + } + } + } else if (token == CRYPT_ANY_TOKEN) + /* + * return priorities (ordered form least to most significant): + * ENOENT - unusable for activation (no token handler, invalid token metadata, not assigned to volume segment, etc) + * EPERM - usable but token provided passphrase did not unlock any assigned keyslot + * EAGAIN - usable but not ready (token HW is 
missing) + * ENOANO - ready, but token pin is wrong or missing + * + * success (>= 0) or any other negative errno short-circuits token activation loop + * immediately + */ + r = token_open_any(cd, hdr, type, segment, pin, pin_size, usrptr, vk); + else + r = -EINVAL; + + return r; } int LUKS2_token_open_and_activate(struct crypt_device *cd, 
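Review bot: LUKS2_token_unlock_key is a new non-static entry point without a header comment, and its contract is not obvious from the signature. `segment` accepts CRYPT_DEFAULT_SEGMENT and CRYPT_ANY_SEGMENT, `vk` must be non-NULL (enforced only by `assert(vk)`), and on success `*vk` appears to be handed to the caller. A short comment stating those points, and that the negative errno values follow the priority list in the CRYPT_ANY_TOKEN branch, would help callers. Separately, `buffer` and `buffer_size` are read only after token_open returns 0; initialising them (`char *buffer = NULL;` and `size_t buffer_size = 0;`) makes that reliance on token_open's out-parameters explicit.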
@@ -699,44 +763,15 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, void *usrptr) { bool use_keyring; - char *buffer; - size_t buffer_size; - json_object *jobj_token; - int keyslot, segment, r = -ENOENT; + int keyslot, r, segment; struct volume_key *vk = NULL; if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) segment = CRYPT_ANY_SEGMENT; - else { - segment = LUKS2_get_default_segment(hdr); - if (segment < 0) - return -EINVAL; - } - - if (token >= 0 && token < LUKS2_TOKENS_MAX) { - if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) { - r = LUKS2_token_open(cd, hdr, token, jobj_token, type, segment, CRYPT_SLOT_PRIORITY_IGNORE, pin, pin_size, &buffer, &buffer_size, usrptr); - if (!r) { - r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, CRYPT_SLOT_PRIORITY_IGNORE, - buffer, buffer_size, &vk); - LUKS2_token_buffer_free(cd, token, buffer, buffer_size); - } - } - } else if (token == CRYPT_ANY_TOKEN) - /* - * return priorities (ordered form least to most significant): - * ENOENT - unusable for activation (no token handler, invalid token metadata, not assigned to volume segment, etc) - * EPERM - usable but token provided passphrase did not not unlock any assigned keyslot - * EAGAIN - usable but not ready (token HW is missing) - * ENOANO - ready, but token pin is wrong or missing - * - * success (>= 0) or any other negative errno short-circuits token activation loop - * immediately - */ - r = token_open_any(cd, hdr, type, segment, pin, pin_size, usrptr, &vk); else - return -EINVAL; + segment = CRYPT_DEFAULT_SEGMENT; + r = LUKS2_token_unlock_key(cd, hdr, token, type, pin, pin_size, segment, usrptr, &vk); if (r < 0) return r; @@ -779,8 +814,7 @@ void LUKS2_token_dump(struct crypt_device *cd, int token) } } -int LUKS2_token_json_get(struct crypt_device *cd __attribute__((unused)), struct luks2_hdr *hdr, - int token, const char **json) +int LUKS2_token_json_get(struct luks2_hdr *hdr, int token, const char **json) { json_object *jobj_token; 
@@ -854,6 +888,10 @@ int LUKS2_token_assign(struct crypt_device *cd, struct luks2_hdr *hdr, json_object *jobj_tokens; int r = 0; + if ((keyslot < 0 && keyslot != CRYPT_ANY_SLOT) || keyslot >= LUKS2_KEYSLOTS_MAX || + (token < 0 && token != CRYPT_ANY_TOKEN) || token >= LUKS2_TOKENS_MAX) + return -EINVAL; + if (token == CRYPT_ANY_TOKEN) { json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens); @@ -895,8 +933,7 @@ static int token_is_assigned(struct luks2_hdr *hdr, int keyslot, int token) return -ENOENT; } -int LUKS2_token_is_assigned(struct crypt_device *cd __attribute__((unused)), struct luks2_hdr *hdr, - int keyslot, int token) +int LUKS2_token_is_assigned(struct luks2_hdr *hdr, int keyslot, int token) { if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX || token < 0 || token >= LUKS2_TOKENS_MAX) return -EINVAL; 
@@ -937,3 +974,70 @@ int LUKS2_token_assignment_copy(struct crypt_device *cd, return commit ? LUKS2_hdr_write(cd, hdr) : 0; } + +int LUKS2_token_unlock_passphrase(struct crypt_device *cd, + struct luks2_hdr *hdr, + int token, + const char *type, + const char *pin, + size_t pin_size, + void *usrptr, + char **passphrase, + size_t *passphrase_size) +{ + char *buffer; + size_t buffer_size; + json_object *jobj_token, *jobj_tokens; + int r = -ENOENT, retval = -ENOENT; + + if (!hdr) + return -EINVAL; + + if (token >= 0 && token < LUKS2_TOKENS_MAX) { + if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) + r = token_open(cd, hdr, token, jobj_token, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, + pin, pin_size, &buffer, &buffer_size, usrptr, false); + } else if (token == CRYPT_ANY_TOKEN) { + json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens); + + if (!type) + usrptr = NULL; + + json_object_object_foreach(jobj_tokens, slot, val) { + token = atoi(slot); + r = token_open(cd, hdr, token, val, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, + pin, pin_size, &buffer, &buffer_size, usrptr, false); + + /* + * return priorities (ordered form least to most significant): + * ENOENT - unusable for activation (no token handler, invalid token metadata, etc) + * EAGAIN - usable but not ready (token HW is missing) + * ENOANO - ready, but token pin is wrong or missing + * + * success (>= 0) or any other negative errno short-circuits token activation loop + * immediately + */ + if (break_loop_retval(r)) + goto out; + + update_return_errno(r, &retval); + } + r = retval; + } else + r = -EINVAL; +out: + if (!r) { + *passphrase = crypt_safe_alloc(buffer_size); + if (*passphrase) { + memcpy(*passphrase, buffer, buffer_size); + *passphrase_size = buffer_size; + } else + r = -ENOMEM; + LUKS2_token_buffer_free(cd, token, buffer, buffer_size); + } + + if (!r) + return token; + + return r; +} 
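Review bot: LUKS2_token_unlock_passphrase checks `hdr` for NULL but writes through `passphrase` and `passphrase_size` at `out:` without any check, so the guard at the top should cover them as well: `if (!hdr || !passphrase || !passphrase_size) return -EINVAL;`. In the CRYPT_ANY_TOKEN branch the result of `json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens)` is ignored before `jobj_tokens` is iterated. LUKS2_segment_first_unused_id in this same commit returns -EINVAL when the equivalent lookup fails, and doing the same here would not depend on earlier header validation.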
diff --git a/lib/luks2/luks2_token_keyring.c b/lib/luks2/luks2_token_keyring.c index aa25861..ad18798 100644 --- a/lib/luks2/luks2_token_keyring.c +++ b/lib/luks2/luks2_token_keyring.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, kernel keyring token * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,8 +19,6 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <assert.h> - #include "luks2_internal.h" int keyring_open(struct crypt_device *cd, @@ -124,7 +122,7 @@ int LUKS2_token_keyring_json(char *buffer, size_t buffer_size, return 0; } -int LUKS2_token_keyring_get(struct crypt_device *cd __attribute__((unused)), struct luks2_hdr *hdr, +int LUKS2_token_keyring_get(struct luks2_hdr *hdr, int token, struct crypt_token_params_luks2_keyring *keyring_params) { json_object *jobj_token, *jobj; @@ -139,3 +137,8 @@ int LUKS2_token_keyring_get(struct crypt_device *cd __attribute__((unused)), str return token; } + +void keyring_buffer_free(void *buffer, size_t buffer_len __attribute__((unused))) +{ + crypt_safe_free(buffer); +} diff --git a/lib/random.c b/lib/random.c index dc371ff..0dfcff9 100644 --- a/lib/random.c +++ b/lib/random.c @@ -1,7 +1,7 @@ /* * cryptsetup kernel RNG access functions * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,7 +21,6 @@ #include <stdlib.h> #include <string.h> #include <errno.h> -#include <assert.h> #include <sys/select.h> #include "libcryptsetup.h" 
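Review bot: keyring_buffer_free releases the buffer with `crypt_safe_free`, which is only correct if keyring_open produced it with the matching crypt_safe_* allocator. The body of keyring_open is outside this hunk, so that pairing cannot be confirmed here. A one-line comment on the new function would pin the contract, e.g. `/* buffer comes from keyring_open() and holds the token-provided passphrase; release it with crypt_safe_free() only */`. The `.buffer_free = keyring_buffer_free` entry added to the handler table in luks2_token.c rests on the same assumption.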
@@ -42,8 +41,7 @@ static int random_fd = -1; #define RANDOM_DEVICE_TIMEOUT 5 /* URANDOM_DEVICE access */ -static int _get_urandom(struct crypt_device *ctx __attribute__((unused)), - char *buf, size_t len) +static int _get_urandom(char *buf, size_t len) { int r; size_t old_len = len; @@ -51,7 +49,7 @@ static int _get_urandom(struct crypt_device *ctx __attribute__((unused)), assert(urandom_fd != -1); - while(len) { + while (len) { r = read(urandom_fd, buf, len); if (r == -1 && errno != EINTR) return -EINVAL; @@ -172,19 +170,20 @@ err: return -ENOSYS; } +/* coverity[ -taint_source : arg-1 ] */ int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality) { int status, rng_type; switch(quality) { case CRYPT_RND_NORMAL: - status = _get_urandom(ctx, buf, len); + status = _get_urandom(buf, len); break; case CRYPT_RND_SALT: if (crypt_fips_mode()) status = crypt_backend_rng(buf, len, quality, 1); else - status = _get_urandom(ctx, buf, len); + status = _get_urandom(buf, len); break; case CRYPT_RND_KEY: if (crypt_fips_mode()) { @@ -195,7 +194,7 @@ int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int qualit crypt_random_default_key_rng(); switch (rng_type) { case CRYPT_RNG_URANDOM: - status = _get_urandom(ctx, buf, len); + status = _get_urandom(buf, len); break; case CRYPT_RNG_RANDOM: status = _get_random(ctx, buf, len); diff --git a/lib/setup.c b/lib/setup.c index 6eaa89f..1c9d47d 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
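Review bot: The added `/* coverity[ -taint_source : arg-1 ] */` above crypt_random_get suppresses an analyser finding without recording why. The function serves the CRYPT_RND_SALT and CRYPT_RND_KEY requests, so the reason should be written down next to it. Put the rationale on a separate comment line above the annotation, for example `/* buf is filled from the kernel or backend RNG, not from caller-controlled input */`, adjusted to whatever the actual reasoning was. The function body continues past this hunk.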
@@ -36,8 +36,10 @@ #include "tcrypt/tcrypt.h" #include "integrity/integrity.h" #include "bitlk/bitlk.h" +#include "fvault2/fvault2.h" #include "utils_device_locking.h" #include "internal.h" +#include "keyslot_context.h" #define CRYPT_CD_UNRESTRICTED (1 << 0) #define CRYPT_CD_QUIET (1 << 1) @@ -112,6 +114,9 @@ struct crypt_device { struct bitlk_metadata params; char *cipher_spec; } bitlk; + struct { /* used in CRYPT_FVAULT2 */ + struct fvault2_params params; + } fvault2; struct { /* used if initialized without header by name */ char *active_name; /* buffers, must refresh from kernel on every query */ @@ -323,6 +328,11 @@ static int isBITLK(const char *type) return (type && !strcmp(CRYPT_BITLK, type)); } +static int isFVAULT2(const char *type) +{ + return (type && !strcmp(CRYPT_FVAULT2, type)); +} + static int _onlyLUKS(struct crypt_device *cd, uint32_t cdflags) { int r = 0; @@ -386,15 +396,12 @@ int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask) static void crypt_set_null_type(struct crypt_device *cd) { - if (!cd->type) - return; - free(cd->type); cd->type = NULL; - cd->u.none.active_name = NULL; cd->data_offset = 0; cd->metadata_size = 0; cd->keyslots_size = 0; + crypt_safe_memzero(&cd->u, sizeof(cd->u)); } static void crypt_reset_null_type(struct crypt_device *cd) @@ -482,7 +489,7 @@ static int crypt_uuid_type_cmp(struct crypt_device *cd, const char *type) size_t len; int r; - /* Must user header-on-disk if we know type here */ + /* Must use header-on-disk if we know the type here */ if (cd->type || !cd->u.none.active_name) return -EINVAL; 
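Review bot: crypt_set_null_type now wipes the whole `cd->u` union with `crypt_safe_memzero` and no longer returns early when `cd->type` is NULL, so any heap pointer still stored in the union at that point is dropped without being freed. That includes `cd->u.none.active_name` for an untyped context, which the old early return left in place. crypt_free_type releases the members before calling this function, but the direct call after a failed _crypt_load_luks in _init_by_name_crypt does not visibly do so. A comment such as `/* callers must have released all cd->u members; this only wipes and resets */` would make the ownership rule explicit.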
@@ -691,6 +698,49 @@ int crypt_init_data_device(struct crypt_device **cd, const char *device, const c return r; } +static void crypt_free_type(struct crypt_device *cd, const char *force_type) +{ + const char *type = force_type ?: cd->type; + + if (isPLAIN(type)) { + free(CONST_CAST(void*)cd->u.plain.hdr.hash); + free(cd->u.plain.cipher); + free(cd->u.plain.cipher_spec); + } else if (isLUKS2(type)) { + LUKS2_reencrypt_free(cd, cd->u.luks2.rh); + LUKS2_hdr_free(cd, &cd->u.luks2.hdr); + free(cd->u.luks2.keyslot_cipher); + } else if (isLUKS1(type)) { + free(cd->u.luks1.cipher_spec); + } else if (isLOOPAES(type)) { + free(CONST_CAST(void*)cd->u.loopaes.hdr.hash); + free(cd->u.loopaes.cipher); + free(cd->u.loopaes.cipher_spec); + } else if (isVERITY(type)) { + free(CONST_CAST(void*)cd->u.verity.hdr.hash_name); + free(CONST_CAST(void*)cd->u.verity.hdr.data_device); + free(CONST_CAST(void*)cd->u.verity.hdr.hash_device); + free(CONST_CAST(void*)cd->u.verity.hdr.fec_device); + free(CONST_CAST(void*)cd->u.verity.hdr.salt); + free(CONST_CAST(void*)cd->u.verity.root_hash); + free(cd->u.verity.uuid); + device_free(cd, cd->u.verity.fec_device); + } else if (isINTEGRITY(type)) { + free(CONST_CAST(void*)cd->u.integrity.params.integrity); + free(CONST_CAST(void*)cd->u.integrity.params.journal_integrity); + free(CONST_CAST(void*)cd->u.integrity.params.journal_crypt); + crypt_free_volume_key(cd->u.integrity.journal_crypt_key); + crypt_free_volume_key(cd->u.integrity.journal_mac_key); + } else if (isBITLK(type)) { + free(cd->u.bitlk.cipher_spec); + BITLK_bitlk_metadata_free(&cd->u.bitlk.params); + } else if (!type) { + free(cd->u.none.active_name); + cd->u.none.active_name = NULL; + } + + crypt_set_null_type(cd); +} /* internal only */ struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd) 
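Review bot: crypt_free_type has no branch for CRYPT_TCRYPT or CRYPT_FVAULT2, yet _crypt_load_tcrypt and _crypt_load_fvault2 in this commit call it with those forced types on failure. For them the function falls through every `else if` and only reaches crypt_set_null_type, so the union is wiped but nothing is freed. That is correct only if `u.tcrypt` and `u.fvault2.params` own no heap memory, which their definitions (outside this page) would have to confirm. Either add explicit branches or note it at the end of the chain, e.g. `/* TCRYPT and FVAULT2 hold no allocations; wiping cd->u below is sufficient */`.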
@@ -743,16 +793,22 @@ out: return r; } -static void _luks2_reload(struct crypt_device *cd) +static void _luks2_rollback(struct crypt_device *cd) { if (!cd || !isLUKS2(cd->type)) return; - (void) _crypt_load_luks2(cd, 1, 0); + if (LUKS2_hdr_rollback(cd, &cd->u.luks2.hdr)) { + log_err(cd, _("Failed to rollback LUKS2 metadata in memory.")); + return; + } + + free(cd->u.luks2.keyslot_cipher); + cd->u.luks2.keyslot_cipher = NULL; } static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, - int require_header, int repair) + bool quiet, bool repair) { char *cipher_spec; struct luks_phdr hdr = {}; @@ -784,7 +840,7 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, return r; } - r = LUKS_read_phdr(&hdr, require_header, repair, cd); + r = LUKS_read_phdr(&hdr, !quiet, repair, cd); if (r) goto out; @@ -829,6 +885,8 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, r = _crypt_load_luks2(cd, cd->type != NULL, repair); if (!r) device_set_block_size(crypt_data_device(cd), LUKS2_get_sector_size(&cd->u.luks2.hdr)); + else if (!quiet) + log_err(cd, _("Device %s is not a valid LUKS device."), mdata_device_path(cd)); } else { if (version > 2) log_err(cd, _("Unsupported LUKS version %d."), version); @@ -862,18 +920,20 @@ static int _crypt_load_tcrypt(struct crypt_device *cd, struct crypt_params_tcryp cd->u.tcrypt.params.veracrypt_pim = 0; if (r < 0) - return r; + goto out; if (!cd->type && !(cd->type = strdup(CRYPT_TCRYPT))) - return -ENOMEM; - + r = -ENOMEM; +out: + if (r < 0) + crypt_free_type(cd, CRYPT_TCRYPT); return r; } static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verity *params) { int r; - size_t sb_offset = 0; + uint64_t sb_offset = 0; r = init_crypto(cd); if (r < 0) 
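Review bot: Renaming the third parameter of _crypt_load_luks from `require_header` to `quiet` inverts its meaning (`LUKS_read_phdr(&hdr, !quiet, repair, cd)`). The call in crypt_load changes from `1` to `true`, so crypt_load now passes 0 to LUKS_read_phdr where it used to pass 1. crypt_repair (`1` to `false`) and _init_by_name_crypt (`0` to `true`) keep their old effective value, which makes the crypt_load flip look deliberate but easy to miss. If that argument of LUKS_read_phdr does more than select log verbosity (its body is not on this page), crypt_load's header checking changes with it. A parameter comment such as `/* quiet: do not log an error when the device has no valid LUKS header */` would document the intent.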
@@ -887,14 +947,11 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit r = VERITY_read_sb(cd, sb_offset, &cd->u.verity.uuid, &cd->u.verity.hdr); if (r < 0) - return r; + goto out; if (!cd->type && !(cd->type = strdup(CRYPT_VERITY))) { - free(CONST_CAST(void*)cd->u.verity.hdr.hash_name); - free(CONST_CAST(void*)cd->u.verity.hdr.salt); - free(cd->u.verity.uuid); - crypt_safe_memzero(&cd->u.verity.hdr, sizeof(cd->u.verity.hdr)); - return -ENOMEM; + r = -ENOMEM; + goto out; } if (params) @@ -902,21 +959,25 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit /* Hash availability checked in sb load */ cd->u.verity.root_hash_size = crypt_hash_size(cd->u.verity.hdr.hash_name); - if (cd->u.verity.root_hash_size > 4096) - return -EINVAL; + if (cd->u.verity.root_hash_size > 4096) { + r = -EINVAL; + goto out; + } if (params && params->data_device && (r = crypt_set_data_device(cd, params->data_device)) < 0) - return r; + goto out; if (params && params->fec_device) { r = device_alloc(cd, &cd->u.verity.fec_device, params->fec_device); if (r < 0) - return r; + goto out; cd->u.verity.hdr.fec_area_offset = params->fec_area_offset; cd->u.verity.hdr.fec_roots = params->fec_roots; } - +out: + if (r < 0) + crypt_free_type(cd, CRYPT_VERITY); return r; } 
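Review bot: The new `out:` path in _crypt_load_verity calls `crypt_free_type(cd, CRYPT_VERITY)` even when VERITY_read_sb failed, and crypt_free_type then passes every `cd->u.verity.*` pointer to free(). That is safe only if the union was zeroed before this function ran or VERITY_read_sb leaves those fields NULL on error, and neither is visible in the hunk. The same cleanup also runs when `cd->type` was already set on entry, so a failed reload resets a previously valid context to the null type. Once confirmed, a comment at `out:` should state both, e.g. `/* cd->u is zeroed for untyped contexts, so freeing by forced type is safe; a failed load always resets the context */`. The function starts before this hunk.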
@@ -931,49 +992,52 @@ static int _crypt_load_integrity(struct crypt_device *cd, r = INTEGRITY_read_sb(cd, &cd->u.integrity.params, &cd->u.integrity.sb_flags); if (r < 0) - return r; + goto out; // FIXME: add checks for fields in integrity sb vs params + r = -ENOMEM; if (params) { cd->u.integrity.params.journal_watermark = params->journal_watermark; cd->u.integrity.params.journal_commit_time = params->journal_commit_time; cd->u.integrity.params.buffer_sectors = params->buffer_sectors; - // FIXME: check ENOMEM - if (params->integrity) - cd->u.integrity.params.integrity = strdup(params->integrity); + if (params->integrity && + !(cd->u.integrity.params.integrity = strdup(params->integrity))) + goto out; cd->u.integrity.params.integrity_key_size = params->integrity_key_size; - if (params->journal_integrity) - cd->u.integrity.params.journal_integrity = strdup(params->journal_integrity); - if (params->journal_crypt) - cd->u.integrity.params.journal_crypt = strdup(params->journal_crypt); + if (params->journal_integrity && + !(cd->u.integrity.params.journal_integrity = strdup(params->journal_integrity))) + goto out; + if (params->journal_crypt && + !(cd->u.integrity.params.journal_crypt = strdup(params->journal_crypt))) + goto out; if (params->journal_crypt_key) { cd->u.integrity.journal_crypt_key = crypt_alloc_volume_key(params->journal_crypt_key_size, params->journal_crypt_key); if (!cd->u.integrity.journal_crypt_key) - return -ENOMEM; + goto out; } if (params->journal_integrity_key) { cd->u.integrity.journal_mac_key = crypt_alloc_volume_key(params->journal_integrity_key_size, params->journal_integrity_key); if (!cd->u.integrity.journal_mac_key) - return -ENOMEM; + goto out; } } - if (!cd->type && !(cd->type = strdup(CRYPT_INTEGRITY))) { - free(CONST_CAST(void*)cd->u.integrity.params.integrity); - return -ENOMEM; - } - - return 0; + if (!cd->type && !(cd->type = strdup(CRYPT_INTEGRITY))) + goto out; + r = 0; +out: + if (r < 0) + crypt_free_type(cd, CRYPT_INTEGRITY); + 
return r; } -static int _crypt_load_bitlk(struct crypt_device *cd, - struct bitlk_metadata *params __attribute__((unused))) +static int _crypt_load_bitlk(struct crypt_device *cd) { int r; @@ -983,20 +1047,45 @@ static int _crypt_load_bitlk(struct crypt_device *cd, r = BITLK_read_sb(cd, &cd->u.bitlk.params); if (r < 0) - return r; + goto out; if (asprintf(&cd->u.bitlk.cipher_spec, "%s-%s", cd->u.bitlk.params.cipher, cd->u.bitlk.params.cipher_mode) < 0) { cd->u.bitlk.cipher_spec = NULL; - return -ENOMEM; + r = -ENOMEM; + goto out; } - if (!cd->type && !(cd->type = strdup(CRYPT_BITLK))) - return -ENOMEM; + if (!cd->type && !(cd->type = strdup(CRYPT_BITLK))) { + r = -ENOMEM; + goto out; + } device_set_block_size(crypt_data_device(cd), cd->u.bitlk.params.sector_size); +out: + if (r < 0) + crypt_free_type(cd, CRYPT_BITLK); + return r; +} - return 0; +static int _crypt_load_fvault2(struct crypt_device *cd) +{ + int r; + + r = init_crypto(cd); + if (r < 0) + return r; + + r = FVAULT2_read_metadata(cd, &cd->u.fvault2.params); + if (r < 0) + goto out; + + if (!cd->type && !(cd->type = strdup(CRYPT_FVAULT2))) + r = -ENOMEM; +out: + if (r < 0) + crypt_free_type(cd, CRYPT_FVAULT2); + return r; } int crypt_load(struct crypt_device *cd, @@ -1025,7 +1114,7 @@ int crypt_load(struct crypt_device *cd, return -EINVAL; } - r = _crypt_load_luks(cd, requested_type, 1, 0); + r = _crypt_load_luks(cd, requested_type, true, false); } else if (isVERITY(requested_type)) { if (cd->type && !isVERITY(cd->type)) { log_dbg(cd, "Context is already initialized to type %s", cd->type); 
@@ -1049,7 +1138,13 @@ int crypt_load(struct crypt_device *cd, log_dbg(cd, "Context is already initialized to type %s", cd->type); return -EINVAL; } - r = _crypt_load_bitlk(cd, params); + r = _crypt_load_bitlk(cd); + } else if (isFVAULT2(requested_type)) { + if (cd->type && !isFVAULT2(cd->type)) { + log_dbg(cd, "Context is already initialized to type %s", cd->type); + return -EINVAL; + } + r = _crypt_load_fvault2(cd); } else return -EINVAL; 
@@ -1109,52 +1204,11 @@ static const char *LUKS_UUID(struct crypt_device *cd) return NULL; } -static void crypt_free_type(struct crypt_device *cd) -{ - if (isPLAIN(cd->type)) { - free(CONST_CAST(void*)cd->u.plain.hdr.hash); - free(cd->u.plain.cipher); - free(cd->u.plain.cipher_spec); - } else if (isLUKS2(cd->type)) { - LUKS2_reencrypt_free(cd, cd->u.luks2.rh); - LUKS2_hdr_free(cd, &cd->u.luks2.hdr); - free(cd->u.luks2.keyslot_cipher); - } else if (isLUKS1(cd->type)) { - free(cd->u.luks1.cipher_spec); - } else if (isLOOPAES(cd->type)) { - free(CONST_CAST(void*)cd->u.loopaes.hdr.hash); - free(cd->u.loopaes.cipher); - free(cd->u.loopaes.cipher_spec); - } else if (isVERITY(cd->type)) { - free(CONST_CAST(void*)cd->u.verity.hdr.hash_name); - free(CONST_CAST(void*)cd->u.verity.hdr.data_device); - free(CONST_CAST(void*)cd->u.verity.hdr.hash_device); - free(CONST_CAST(void*)cd->u.verity.hdr.fec_device); - free(CONST_CAST(void*)cd->u.verity.hdr.salt); - free(CONST_CAST(void*)cd->u.verity.root_hash); - free(cd->u.verity.uuid); - device_free(cd, cd->u.verity.fec_device); - } else if (isINTEGRITY(cd->type)) { - free(CONST_CAST(void*)cd->u.integrity.params.integrity); - free(CONST_CAST(void*)cd->u.integrity.params.journal_integrity); - free(CONST_CAST(void*)cd->u.integrity.params.journal_crypt); - crypt_free_volume_key(cd->u.integrity.journal_crypt_key); - crypt_free_volume_key(cd->u.integrity.journal_mac_key); - } else if (isBITLK(cd->type)) { - free(cd->u.bitlk.cipher_spec); - BITLK_bitlk_metadata_free(&cd->u.bitlk.params); - } else if (!cd->type) { - free(cd->u.none.active_name); - cd->u.none.active_name = NULL; - } - - crypt_set_null_type(cd); -} - static int _init_by_name_crypt(struct crypt_device *cd, const char *name) { bool found = false; - char **dep, *cipher_spec = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = {}; + char **dep, *cipher_spec = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; + char 
deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = {}; const char *dev, *namei; int key_nums, r; struct crypt_dm_active_device dmd, dmdi = {}, dmdep = {}; @@ -1269,7 +1323,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) cd->u.loopaes.key_size = tgt->u.crypt.vk->keylength / key_nums; } else if (isLUKS1(cd->type) || isLUKS2(cd->type)) { if (crypt_metadata_device(cd)) { - r = _crypt_load_luks(cd, cd->type, 0, 0); + r = _crypt_load_luks(cd, cd->type, true, false); if (r < 0) { log_dbg(cd, "LUKS device header does not match active device."); crypt_set_null_type(cd); @@ -1283,7 +1337,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) if (r < 0) { log_dbg(cd, "LUKS device header uuid: %s mismatches DM returned uuid %s", LUKS_UUID(cd), dmd.uuid); - crypt_free_type(cd); + crypt_free_type(cd, NULL); r = 0; goto out; } @@ -1296,12 +1350,19 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) r = TCRYPT_init_by_name(cd, name, dmd.uuid, tgt, &cd->device, &cd->u.tcrypt.params, &cd->u.tcrypt.hdr); } else if (isBITLK(cd->type)) { - r = _crypt_load_bitlk(cd, NULL); + r = _crypt_load_bitlk(cd); if (r < 0) { log_dbg(cd, "BITLK device header not available."); crypt_set_null_type(cd); r = 0; } + } else if (isFVAULT2(cd->type)) { + r = _crypt_load_fvault2(cd); + if (r < 0) { + log_dbg(cd, "FVAULT2 device header not available."); + crypt_set_null_type(cd); + r = 0; + } } out: dm_targets_free(cd, &dmd); @@ -1472,6 +1533,8 @@ int crypt_init_by_name_and_header(struct crypt_device **cd, (*cd)->type = strdup(CRYPT_INTEGRITY); else if (!strncmp(CRYPT_BITLK, dmd.uuid, sizeof(CRYPT_BITLK)-1)) (*cd)->type = strdup(CRYPT_BITLK); + else if (!strncmp(CRYPT_FVAULT2, dmd.uuid, sizeof(CRYPT_FVAULT2)-1)) + (*cd)->type = strdup(CRYPT_FVAULT2); else log_dbg(NULL, "Unknown UUID set, some parameters are not set."); } else 
@@ -1681,9 +1744,6 @@ static int _crypt_format_luks1(struct crypt_device *cd, if (r < 0) return r; - if (!device_size(crypt_data_device(cd), &dev_size) && - dev_size < (crypt_get_data_offset(cd) * SECTOR_SIZE)) - log_std(cd, _("WARNING: Data offset is outside of currently available data device.\n")); if (asprintf(&cd->u.luks1.cipher_spec, "%s-%s", cipher, cipher_mode) < 0) { cd->u.luks1.cipher_spec = NULL; @@ -1699,10 +1759,17 @@ static int _crypt_format_luks1(struct crypt_device *cd, } r = LUKS_write_phdr(&cd->u.luks1.hdr, cd); - if (r) + if (r) { free(cd->u.luks1.cipher_spec); + return r; + } - return r; + if (!device_size(crypt_data_device(cd), &dev_size) && + dev_size <= (crypt_get_data_offset(cd) * SECTOR_SIZE)) + log_std(cd, _("Device %s is too small for activation, there is no remaining space for data.\n"), + device_path(crypt_data_device(cd))); + + return 0; } static int _crypt_format_luks2(struct crypt_device *cd, @@ -1742,6 +1809,16 @@ static int _crypt_format_luks2(struct crypt_device *cd, if (params && params->sector_size) sector_size_autodetect = false; + if (params && params->data_device) { + if (!cd->metadata_device) + cd->metadata_device = cd->device; + else + device_free(cd, cd->device); + cd->device = NULL; + if (device_alloc(cd, &cd->device, params->data_device) < 0) + return -ENOMEM; + } + if (sector_size_autodetect) { sector_size = device_optimal_encryption_sector_size(cd, crypt_data_device(cd)); log_dbg(cd, "Auto-detected optimal encryption sector size for device %s is %d bytes.", 
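Review bot: In _crypt_format_luks1, the new block on LUKS_write_phdr failure frees `cd->u.luks1.cipher_spec` and returns but leaves the stale pointer in place. Any later cleanup that frees the LUKS1 members (crypt_free_type does `free(cd->u.luks1.cipher_spec)`) would free it a second time unless the caller wipes the union first, which this hunk does not show. Clearing it is cheap: add `cd->u.luks1.cipher_spec = NULL;` after the free. The relocated size check now reports a too-small device with `log_std` and still returns 0; if formatting such a device is meant to succeed, a short comment saying so would avoid it being read as a missed error path.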
@@ -1775,13 +1852,13 @@ static int _crypt_format_luks2(struct crypt_device *cd, params->integrity_params->journal_integrity) return -ENOTSUP; } - if (!INTEGRITY_tag_size(cd, integrity, cipher, cipher_mode)) { + if (!INTEGRITY_tag_size(integrity, cipher, cipher_mode)) { if (!strcmp(integrity, "none")) integrity = NULL; else return -EINVAL; } - integrity_key_size = INTEGRITY_key_size(cd, integrity); + integrity_key_size = INTEGRITY_key_size(integrity); if ((integrity_key_size < 0) || (integrity_key_size >= (int)volume_key_size)) { log_err(cd, _("Volume key is too small for encryption with integrity extensions.")); return -EINVAL; @@ -1812,16 +1889,6 @@ static int _crypt_format_luks2(struct crypt_device *cd, if (r < 0) return r; - if (params && params->data_device) { - if (!cd->metadata_device) - cd->metadata_device = cd->device; - else - device_free(cd, cd->device); - cd->device = NULL; - if (device_alloc(cd, &cd->device, params->data_device) < 0) - return -ENOMEM; - } - if (params && cd->metadata_device) { /* For detached header the alignment is used directly as data offset */ if (!cd->data_offset) @@ -1860,7 +1927,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, } if ((!integrity || integrity_key_size) && !crypt_cipher_wrapped_key(cipher, cipher_mode) && - !INTEGRITY_tag_size(cd, NULL, cipher, cipher_mode)) { + !INTEGRITY_tag_size(NULL, cipher, cipher_mode)) { r = LUKS_check_cipher(cd, volume_key_size - integrity_key_size, cipher, cipher_mode); if (r < 0) @@ -1878,9 +1945,6 @@ static int _crypt_format_luks2(struct crypt_device *cd, if (r < 0) goto out; - if (dev_size < (crypt_get_data_offset(cd) * SECTOR_SIZE)) - log_std(cd, _("WARNING: Data offset is outside of currently available data device.\n")); - if (cd->metadata_size && (cd->metadata_size != LUKS2_metadata_size(&cd->u.luks2.hdr))) log_std(cd, _("WARNING: LUKS2 metadata size changed to %" PRIu64 " bytes.\n"), LUKS2_metadata_size(&cd->u.luks2.hdr)); 
@@ -1961,10 +2025,18 @@ static int _crypt_format_luks2(struct crypt_device *cd, } out: - if (r) + if (r) { LUKS2_hdr_free(cd, &cd->u.luks2.hdr); + return r; + } - return r; + /* Device size can be larger now if it is a file container */ + if (!device_size(crypt_data_device(cd), &dev_size) && + dev_size <= (crypt_get_data_offset(cd) * SECTOR_SIZE)) + log_std(cd, _("Device %s is too small for activation, there is no remaining space for data.\n"), + device_path(crypt_data_device(cd))); + + return 0; } static int _crypt_format_loopaes(struct crypt_device *cd, @@ -2154,7 +2226,7 @@ static int _crypt_format_verity(struct crypt_device *cd, if (!(cd->u.verity.uuid = strdup(uuid))) r = -ENOMEM; } else - r = VERITY_UUID_generate(cd, &cd->u.verity.uuid); + r = VERITY_UUID_generate(&cd->u.verity.uuid); if (!r) r = VERITY_write_sb(cd, cd->u.verity.hdr.hash_area_offset, @@ -2378,7 +2450,7 @@ int crypt_repair(struct crypt_device *cd, return -EINVAL; /* Load with repair */ - r = _crypt_load_luks(cd, requested_type, 1, 1); + r = _crypt_load_luks(cd, requested_type, false, true); if (r < 0) return r; @@ -2391,7 +2463,8 @@ int crypt_repair(struct crypt_device *cd, } /* compare volume keys */ -static int _compare_volume_keys(struct volume_key *svk, unsigned skeyring_only, struct volume_key *tvk, unsigned tkeyring_only) +static int _compare_volume_keys(struct volume_key *svk, unsigned skeyring_only, + struct volume_key *tvk, unsigned tkeyring_only) { if (!svk && !tvk) return 0; @@ -2402,7 +2475,7 @@ static int _compare_volume_keys(struct volume_key *svk, unsigned skeyring_only, return 1; if (!skeyring_only && !tkeyring_only) - return memcmp(svk->key, tvk->key, svk->keylength); + return crypt_backend_memeq(svk->key, tvk->key, svk->keylength); if (svk->key_description && tvk->key_description) return strcmp(svk->key_description, tvk->key_description); 
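Review bot: The switch to `crypt_backend_memeq` in _compare_volume_keys keeps the memcmp-style contract only if that helper returns 0 when the buffers match, because _compare_crypt_devices treats a non-zero result as "keys do not match". The name reads like a boolean equality test, so the convention should be stated at the call. Suggested comment: `/* presumably constant-time; must return 0 on match like memcmp() */`, to be confirmed against the helper's definition, which is not on this page. The comparison still covers `svk->keylength` bytes of both keys; whether the two lengths are checked for equality first is in lines between the hunks that are not shown.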
@@ -2435,7 +2508,7 @@ static int _compare_device_types(struct crypt_device *cd, log_dbg(cd, "Unexpected uuid prefix %s in target device.", tgt->uuid); return -EINVAL; } - } else { + } else if (!isINTEGRITY(cd->type)) { log_dbg(cd, "Unsupported device type %s for reload.", cd->type ?: "<empty>"); return -ENOTSUP; } @@ -2447,6 +2520,9 @@ static int _compare_crypt_devices(struct crypt_device *cd, const struct dm_target *src, const struct dm_target *tgt) { + char *src_cipher = NULL, *src_integrity = NULL; + int r = -EINVAL; + /* for crypt devices keys are mandatory */ if (!src->u.crypt.vk || !tgt->u.crypt.vk) return -EINVAL; @@ -2454,21 +2530,30 @@ static int _compare_crypt_devices(struct crypt_device *cd, /* CIPHER checks */ if (!src->u.crypt.cipher || !tgt->u.crypt.cipher) return -EINVAL; - if (strcmp(src->u.crypt.cipher, tgt->u.crypt.cipher)) { - log_dbg(cd, "Cipher specs do not match."); + + /* + * dm_query_target converts capi cipher specification to dm-crypt format. + * We need to do same for cipher specification requested in source + * device. + */ + if (crypt_capi_to_cipher(&src_cipher, &src_integrity, src->u.crypt.cipher, src->u.crypt.integrity)) return -EINVAL; + + if (strcmp(src_cipher, tgt->u.crypt.cipher)) { + log_dbg(cd, "Cipher specs do not match."); + goto out; } if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher)) log_dbg(cd, "Existing device uses cipher null. Skipping key comparison."); else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) { log_dbg(cd, "Keys in context and target device do not match."); - return -EINVAL; + goto out; } - if (crypt_strcmp(src->u.crypt.integrity, tgt->u.crypt.integrity)) { + if (crypt_strcmp(src_integrity, tgt->u.crypt.integrity)) { log_dbg(cd, "Integrity parameters do not match."); - return -EINVAL; + goto out; } if (src->u.crypt.offset != tgt->u.crypt.offset || 
@@ -2476,15 +2561,19 @@ static int _compare_crypt_devices(struct crypt_device *cd, src->u.crypt.iv_offset != tgt->u.crypt.iv_offset || src->u.crypt.tag_size != tgt->u.crypt.tag_size) { log_dbg(cd, "Integer parameters do not match."); - return -EINVAL; + goto out; } - if (device_is_identical(src->data_device, tgt->data_device) <= 0) { + if (device_is_identical(src->data_device, tgt->data_device) <= 0) log_dbg(cd, "Data devices do not match."); - return -EINVAL; - } + else + r = 0; - return 0; +out: + free(src_cipher); + free(src_integrity); + + return r; } static int _compare_integrity_devices(struct crypt_device *cd, @@ -2524,15 +2613,6 @@ static int _compare_integrity_devices(struct crypt_device *cd, return -EINVAL; } - /* unsupported underneath dm-crypt with auth. encryption */ - if (src->u.integrity.meta_device || tgt->u.integrity.meta_device) - return -ENOTSUP; - - if (src->size != tgt->size) { - log_dbg(cd, "Device size parameters do not match."); - return -EINVAL; - } - if (device_is_identical(src->data_device, tgt->data_device) <= 0) { log_dbg(cd, "Data devices do not match."); return -EINVAL; @@ -2605,13 +2685,16 @@ static int _reload_device(struct crypt_device *cd, const char *name, r = dm_query_device(cd, name, DM_ACTIVE_DEVICE | DM_ACTIVE_CRYPT_CIPHER | DM_ACTIVE_UUID | DM_ACTIVE_CRYPT_KEYSIZE | - DM_ACTIVE_CRYPT_KEY, &tdmd); + DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_INTEGRITY_PARAMS | + DM_ACTIVE_JOURNAL_CRYPT_KEY | DM_ACTIVE_JOURNAL_MAC_KEY, &tdmd); if (r < 0) { log_err(cd, _("Device %s is not active."), name); return -EINVAL; } - if (!single_segment(&tdmd) || tgt->type != DM_CRYPT || tgt->u.crypt.tag_size) { + if (!single_segment(&tdmd) || + (tgt->type != DM_CRYPT && tgt->type != DM_INTEGRITY) || + (tgt->type == DM_CRYPT && tgt->u.crypt.tag_size)) { r = -ENOTSUP; log_err(cd, _("Unsupported parameters on device %s."), name); goto out; 
@@ -2631,11 +2714,11 @@ static int _reload_device(struct crypt_device *cd, const char *name, else sdmd->flags &= ~CRYPT_ACTIVATE_READONLY; - if (sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) { + if (tgt->type == DM_CRYPT && sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) { r = crypt_volume_key_set_description(tgt->u.crypt.vk, src->u.crypt.vk->key_description); if (r) goto out; - } else { + } else if (tgt->type == DM_CRYPT) { crypt_free_volume_key(tgt->u.crypt.vk); tgt->u.crypt.vk = crypt_alloc_volume_key(src->u.crypt.vk->keylength, src->u.crypt.vk->key); if (!tgt->u.crypt.vk) { @@ -2644,8 +2727,15 @@ static int _reload_device(struct crypt_device *cd, const char *name, } } - r = device_block_adjust(cd, src->data_device, DEV_OK, - src->u.crypt.offset, &sdmd->size, NULL); + if (tgt->type == DM_CRYPT) + r = device_block_adjust(cd, src->data_device, DEV_OK, + src->u.crypt.offset, &sdmd->size, NULL); + else if (tgt->type == DM_INTEGRITY) + r = device_block_adjust(cd, src->data_device, DEV_OK, + src->u.integrity.offset, &sdmd->size, NULL); + else + r = -EINVAL; + if (r) goto out; @@ -2709,6 +2799,10 @@ static int _reload_device_with_integrity(struct crypt_device *cd, goto out; } + /* unsupported underneath dm-crypt with auth. encryption */ + if (sdmdi->segment.u.integrity.meta_device || tdmdi.segment.u.integrity.meta_device) + return -ENOTSUP; + src = &sdmd->segment; srci = &sdmdi->segment; @@ -2830,6 +2924,9 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) { struct crypt_dm_active_device dmdq, dmd = {}; struct dm_target *tgt = &dmdq.segment; + struct crypt_params_integrity params = {}; + uint32_t supported_flags = 0; + uint64_t old_size; int r; /* 
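Review bot: The new `meta_device` check in `_reload_device_with_integrity` leaves with `return -ENOTSUP;`, while the error path directly above it in the same hunk ends in `goto out;`. By that point `tdmdi` has evidently been filled by a query, since its `segment.u.integrity.meta_device` is read here, so a bare return skips whatever `out:` releases; the label itself is outside the hunk. I would give the `if` a braced body holding `r = -ENOTSUP;` and `goto out;`.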
@@ -2848,12 +2945,14 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) log_dbg(cd, "Resizing device %s to %" PRIu64 " sectors.", name, new_size); - r = dm_query_device(cd, name, DM_ACTIVE_CRYPT_KEYSIZE | DM_ACTIVE_CRYPT_KEY, &dmdq); + r = dm_query_device(cd, name, DM_ACTIVE_CRYPT_KEYSIZE | DM_ACTIVE_CRYPT_KEY | + DM_ACTIVE_INTEGRITY_PARAMS | DM_ACTIVE_JOURNAL_CRYPT_KEY | + DM_ACTIVE_JOURNAL_MAC_KEY, &dmdq); if (r < 0) { log_err(cd, _("Device %s is not active."), name); return -EINVAL; } - if (!single_segment(&dmdq) || tgt->type != DM_CRYPT) { + if (!single_segment(&dmdq) || (tgt->type != DM_CRYPT && tgt->type != DM_INTEGRITY)) { log_dbg(cd, "Unsupported device table detected in %s.", name); r = -EINVAL; goto out; 
@@ -2885,12 +2984,55 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) log_err(cd, _("Cannot resize loop device.")); } + + /* + * Integrity device metadata are maintained by the kernel. We need to + * reload the device (with the same parameters) and let the kernel + * calculate the maximum size of integrity device and store it in the + * superblock. + */ + if (!new_size && tgt->type == DM_INTEGRITY) { + r = INTEGRITY_data_sectors(cd, crypt_metadata_device(cd), + crypt_get_data_offset(cd) * SECTOR_SIZE, &old_size); + if (r < 0) + return r; + + dmd.size = dmdq.size; + dmd.flags = dmdq.flags | CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_PRIVATE; + + r = crypt_get_integrity_info(cd, ¶ms); + if (r) + goto out; + + r = dm_integrity_target_set(cd, &dmd.segment, 0, dmdq.segment.size, + crypt_metadata_device(cd), crypt_data_device(cd), + crypt_get_integrity_tag_size(cd), crypt_get_data_offset(cd), + crypt_get_sector_size(cd), tgt->u.integrity.vk, tgt->u.integrity.journal_crypt_key, + tgt->u.integrity.journal_integrity_key, ¶ms); + if (r) + goto out; + r = _reload_device(cd, name, &dmd); + if (r) + goto out; + + r = INTEGRITY_data_sectors(cd, crypt_metadata_device(cd), + crypt_get_data_offset(cd) * SECTOR_SIZE, &new_size); + if (r < 0) + return r; + log_dbg(cd, "Maximum integrity device size from kernel %" PRIu64, new_size); + + if (old_size == new_size && new_size == dmdq.size && + !dm_flags(cd, tgt->type, &supported_flags) && + !(supported_flags & DM_INTEGRITY_RESIZE_SUPPORTED)) + log_std(cd, _("WARNING: Maximum size already set or kernel doesn't support resize.\n")); + } + r = device_block_adjust(cd, crypt_data_device(cd), DEV_OK, - crypt_get_data_offset(cd), &new_size, &dmdq.flags); + crypt_get_data_offset(cd), &new_size, &dmdq.flags); if (r) goto out; - if (MISALIGNED(new_size, tgt->u.crypt.sector_size >> SECTOR_SHIFT)) { + if (MISALIGNED(new_size, (tgt->type == DM_CRYPT ? 
tgt->u.crypt.sector_size : tgt->u.integrity.sector_size) >> SECTOR_SHIFT)) { log_err(cd, _("Device size is not aligned to requested sector size.")); r = -EINVAL; goto out; @@ -2905,13 +3047,28 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) dmd.uuid = crypt_get_uuid(cd); dmd.size = new_size; dmd.flags = dmdq.flags | CRYPT_ACTIVATE_REFRESH; - r = dm_crypt_target_set(&dmd.segment, 0, new_size, crypt_data_device(cd), - tgt->u.crypt.vk, crypt_get_cipher_spec(cd), - crypt_get_iv_offset(cd), crypt_get_data_offset(cd), - crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd), - crypt_get_sector_size(cd)); - if (r < 0) - goto out; + + if (tgt->type == DM_CRYPT) { + r = dm_crypt_target_set(&dmd.segment, 0, new_size, crypt_data_device(cd), + tgt->u.crypt.vk, crypt_get_cipher_spec(cd), + crypt_get_iv_offset(cd), crypt_get_data_offset(cd), + crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd), + crypt_get_sector_size(cd)); + if (r < 0) + goto out; + } else if (tgt->type == DM_INTEGRITY) { + r = crypt_get_integrity_info(cd, ¶ms); + if (r) + goto out; + + r = dm_integrity_target_set(cd, &dmd.segment, 0, new_size, + crypt_metadata_device(cd), crypt_data_device(cd), + crypt_get_integrity_tag_size(cd), crypt_get_data_offset(cd), + crypt_get_sector_size(cd), tgt->u.integrity.vk, tgt->u.integrity.journal_crypt_key, + tgt->u.integrity.journal_integrity_key, ¶ms); + if (r) + goto out; + } if (new_size == dmdq.size) { log_dbg(cd, "Device has already requested size %" PRIu64 @@ -2924,6 +3081,11 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) r = LUKS2_unmet_requirements(cd, &cd->u.luks2.hdr, 0, 0); if (!r) r = _reload_device(cd, name, &dmd); + + if (r && tgt->type == DM_INTEGRITY && + !dm_flags(cd, tgt->type, &supported_flags) && + !(supported_flags & DM_INTEGRITY_RESIZE_SUPPORTED)) + log_err(cd, _("Resize failed, the kernel doesn't support it.")); } out: dm_targets_free(cd, &dmd); 
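Review bot: Both `INTEGRITY_data_sectors()` failure paths in the new `DM_INTEGRITY` block of crypt_resize use `return r;`, whereas every other failure in that block uses `goto out;`. `dmdq` was filled earlier by `dm_query_device()` with `DM_ACTIVE_CRYPT_KEY`, `DM_ACTIVE_JOURNAL_CRYPT_KEY` and `DM_ACTIVE_JOURNAL_MAC_KEY`, and by the second call `dmd.segment` has been set up as well, so returning directly skips the `dm_targets_free()` cleanup at `out:` and can leave key material allocated. Replace both with `if (r < 0) goto out;`. Only the first line of the `out:` block is visible in this diff.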
@@ -2976,6 +3138,22 @@ int crypt_set_label(struct crypt_device *cd, const char *label, const char *subs return LUKS2_hdr_labels(cd, &cd->u.luks2.hdr, label, subsystem, 1); } +const char *crypt_get_label(struct crypt_device *cd) +{ + if (_onlyLUKS2(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0)) + return NULL; + + return cd->u.luks2.hdr.label; +} + +const char *crypt_get_subsystem(struct crypt_device *cd) +{ + if (_onlyLUKS2(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0)) + return NULL; + + return cd->u.luks2.hdr.subsystem; +} + int crypt_header_backup(struct crypt_device *cd, const char *requested_type, const char *backup_file) @@ -2989,7 +3167,7 @@ int crypt_header_backup(struct crypt_device *cd, return -EINVAL; /* Load with repair */ - r = _crypt_load_luks(cd, requested_type, 1, 0); + r = _crypt_load_luks(cd, requested_type, false, false); if (r < 0) return r; @@ -3048,14 +3226,14 @@ int crypt_header_restore(struct crypt_device *cd, } else if (isLUKS2(cd->type) && (!requested_type || isLUKS2(requested_type))) { r = LUKS2_hdr_restore(cd, &cd->u.luks2.hdr, backup_file); if (r) - _luks2_reload(cd); + (void) _crypt_load_luks2(cd, 1, 0); } else if (isLUKS1(cd->type) && (!requested_type || isLUKS1(requested_type))) r = LUKS_hdr_restore(backup_file, &cd->u.luks1.hdr, cd); else r = -EINVAL; if (!r) - r = _crypt_load_luks(cd, version == 1 ? CRYPT_LUKS1 : CRYPT_LUKS2, 1, 1); + r = _crypt_load_luks(cd, version == 1 ? CRYPT_LUKS1 : CRYPT_LUKS2, false, true); return r; } @@ -3064,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd) { int r; - if (!cd || !isLUKS(cd->type)) + if (!cd || (cd->type && !isLUKS(cd->type))) return -EINVAL; r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd)); 
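Review bot: crypt_get_label() and crypt_get_subsystem() hand back `cd->u.luks2.hdr.label` and `cd->u.luks2.hdr.subsystem` directly, and nothing in the hunk documents who owns that memory. A short comment above each, for example `/* Returned string is owned by cd; do not free, and do not use after crypt_free(). */`, would keep callers from freeing it or holding it past the context's lifetime. Whether a header reload also invalidates the pointer depends on how the header struct stores these fields, which is not visible here.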
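Review bot: The context comment `/* Load with repair */` above the call in crypt_header_backup does not match its arguments: this hunk passes `false, false`, while crypt_repair passes `false, true` under the same comment. Judging by those two call sites the last argument is the repair switch, so the comment here should read something like `/* Load without repair */`. The parameter names of _crypt_load_luks are outside this diff, so confirm against its definition.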
@@ -3081,12 +3259,12 @@ void crypt_free(struct crypt_device *cd) if (!cd) return; - log_dbg(cd, "Releasing crypt device %s context.", mdata_device_path(cd)); + log_dbg(cd, "Releasing crypt device %s context.", mdata_device_path(cd) ?: "empty"); dm_backend_exit(cd); crypt_free_volume_key(cd->volume_key); - crypt_free_type(cd); + crypt_free_type(cd, NULL); device_free(cd, cd->device); device_free(cd, cd->metadata_device); @@ -3200,8 +3378,7 @@ static int resume_by_volume_key(struct crypt_device *cd, digest = LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); if (digest < 0) return -EINVAL; - r = LUKS2_volume_key_load_in_keyring_by_digest(cd, - &cd->u.luks2.hdr, vk, digest); + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, digest); if (r < 0) return r; } @@ -3307,7 +3484,8 @@ int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd, r = LUKS_open_key_with_hdr(keyslot, passphrase_read, passphrase_size_read, &cd->u.luks1.hdr, &vk, cd); else - r = LUKS2_keyslot_open(cd, keyslot, CRYPT_DEFAULT_SEGMENT, passphrase_read, passphrase_size_read, &vk); + r = LUKS2_keyslot_open(cd, keyslot, CRYPT_DEFAULT_SEGMENT, + passphrase_read, passphrase_size_read, &vk); crypt_safe_free(passphrase_read); if (r < 0) 
@@ -3387,6 +3565,41 @@ int crypt_resume_by_volume_key(struct crypt_device *cd, return r; } +int crypt_resume_by_token_pin(struct crypt_device *cd, const char *name, + const char *type, int token, const char *pin, size_t pin_size, + void *usrptr) +{ + struct volume_key *vk = NULL; + int r, keyslot; + + if (!name) + return -EINVAL; + + log_dbg(cd, "Resuming volume %s by token (%s type) %d.", + name, type ?: "any", token); + + if ((r = _onlyLUKS2(cd, CRYPT_CD_QUIET, 0))) + return r; + + r = dm_status_suspended(cd, name); + if (r < 0) + return r; + + if (!r) { + log_err(cd, _("Volume %s is not suspended."), name); + return -EINVAL; + } + + r = LUKS2_token_unlock_key(cd, &cd->u.luks2.hdr, token, type, + pin, pin_size, CRYPT_DEFAULT_SEGMENT, usrptr, &vk); + keyslot = r; + if (r >= 0) + r = resume_by_volume_key(cd, vk, name); + + crypt_free_volume_key(vk); + return r < 0 ? r : keyslot; +} + /* * Keyslot manipulation */ 
@@ -3397,82 +3610,21 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd, const char *new_passphrase, size_t new_passphrase_size) { - int digest, r, active_slots; - struct luks2_keyslot_params params; - struct volume_key *vk = NULL; - - log_dbg(cd, "Adding new keyslot, existing passphrase %sprovided," - "new passphrase %sprovided.", - passphrase ? "" : "not ", new_passphrase ? "" : "not "); - - if ((r = onlyLUKS(cd))) - return r; + int r; + struct crypt_keyslot_context kc, new_kc; if (!passphrase || !new_passphrase) return -EINVAL; - r = keyslot_verify_or_find_empty(cd, &keyslot); - if (r) - return r; + crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); + crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, new_passphrase, new_passphrase_size); - if (isLUKS1(cd->type)) - active_slots = LUKS_keyslot_active_count(&cd->u.luks1.hdr); - else - active_slots = LUKS2_keyslot_active_count(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); - if (active_slots == 0) { - /* No slots used, try to use pre-generated key in header */ - if (cd->volume_key) { - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); - r = vk ? 
0 : -ENOMEM; - } else { - log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.")); - return -EINVAL; - } - } else if (active_slots < 0) - return -EINVAL; - else { - /* Passphrase provided, use it to unlock existing keyslot */ - if (isLUKS1(cd->type)) - r = LUKS_open_key_with_hdr(CRYPT_ANY_SLOT, passphrase, - passphrase_size, &cd->u.luks1.hdr, &vk, cd); - else - r = LUKS2_keyslot_open(cd, CRYPT_ANY_SLOT, CRYPT_DEFAULT_SEGMENT, passphrase, - passphrase_size, &vk); - } + r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0); - if (r < 0) - goto out; + crypt_keyslot_context_destroy_internal(&kc); + crypt_keyslot_context_destroy_internal(&new_kc); - if (isLUKS1(cd->type)) - r = LUKS_set_key(keyslot, CONST_CAST(char*)new_passphrase, - new_passphrase_size, &cd->u.luks1.hdr, vk, cd); - else { - r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); - digest = r; - - if (r >= 0) - r = LUKS2_keyslot_params_default(cd, &cd->u.luks2.hdr, ¶ms); - - if (r >= 0) - r = LUKS2_digest_assign(cd, &cd->u.luks2.hdr, keyslot, digest, 1, 0); - - if (r >= 0) - r = LUKS2_keyslot_store(cd, &cd->u.luks2.hdr, keyslot, - CONST_CAST(char*)new_passphrase, - new_passphrase_size, vk, ¶ms); - } - - if (r < 0) - goto out; - - r = 0; -out: - crypt_free_volume_key(vk); - if (r < 0) { - _luks2_reload(cd); - return r; - } - return keyslot; + return r; } int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, @@ -3586,7 +3738,7 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, out: crypt_free_volume_key(vk); if (r < 0) { - _luks2_reload(cd); + _luks2_rollback(cd); return r; } return keyslot_new; 
@@ -3601,87 +3753,21 @@ int crypt_keyslot_add_by_keyfile_device_offset(struct crypt_device *cd, size_t new_keyfile_size, uint64_t new_keyfile_offset) { - int digest, r, active_slots; - size_t passwordLen, new_passwordLen; - struct luks2_keyslot_params params; - char *password = NULL, *new_password = NULL; - struct volume_key *vk = NULL; + int r; + struct crypt_keyslot_context kc, new_kc; if (!keyfile || !new_keyfile) return -EINVAL; - log_dbg(cd, "Adding new keyslot, existing keyfile %s, new keyfile %s.", - keyfile, new_keyfile); + crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset); + crypt_keyslot_unlock_by_keyfile_init_internal(&new_kc, new_keyfile, new_keyfile_size, new_keyfile_offset); - if ((r = onlyLUKS(cd))) - return r; + r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0); - r = keyslot_verify_or_find_empty(cd, &keyslot); - if (r) - return r; + crypt_keyslot_context_destroy_internal(&kc); + crypt_keyslot_context_destroy_internal(&new_kc); - if (isLUKS1(cd->type)) - active_slots = LUKS_keyslot_active_count(&cd->u.luks1.hdr); - else - active_slots = LUKS2_keyslot_active_count(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); - if (active_slots == 0) { - /* No slots used, try to use pre-generated key in header */ - if (cd->volume_key) { - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); - r = vk ? 
0 : -ENOMEM; - } else { - log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.")); - return -EINVAL; - } - } else { - r = crypt_keyfile_device_read(cd, keyfile, - &password, &passwordLen, - keyfile_offset, keyfile_size, 0); - if (r < 0) - goto out; - - if (isLUKS1(cd->type)) - r = LUKS_open_key_with_hdr(CRYPT_ANY_SLOT, password, passwordLen, - &cd->u.luks1.hdr, &vk, cd); - else - r = LUKS2_keyslot_open(cd, CRYPT_ANY_SLOT, CRYPT_DEFAULT_SEGMENT, password, passwordLen, &vk); - } - - if (r < 0) - goto out; - - r = crypt_keyfile_device_read(cd, new_keyfile, - &new_password, &new_passwordLen, - new_keyfile_offset, new_keyfile_size, 0); - if (r < 0) - goto out; - - if (isLUKS1(cd->type)) - r = LUKS_set_key(keyslot, new_password, new_passwordLen, - &cd->u.luks1.hdr, vk, cd); - else { - r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); - digest = r; - - if (r >= 0) - r = LUKS2_keyslot_params_default(cd, &cd->u.luks2.hdr, ¶ms); - - if (r >= 0) - r = LUKS2_digest_assign(cd, &cd->u.luks2.hdr, keyslot, digest, 1, 0); - - if (r >= 0) - r = LUKS2_keyslot_store(cd, &cd->u.luks2.hdr, keyslot, - new_password, new_passwordLen, vk, ¶ms); - } -out: - crypt_safe_free(password); - crypt_safe_free(new_password); - crypt_free_volume_key(vk); - if (r < 0) { - _luks2_reload(cd); - return r; - } - return keyslot; + return r; } int crypt_keyslot_add_by_keyfile(struct crypt_device *cd, 
@@ -3717,43 +3803,21 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd, const char *passphrase, size_t passphrase_size) { - struct volume_key *vk = NULL; int r; + struct crypt_keyslot_context kc, new_kc; if (!passphrase) return -EINVAL; - log_dbg(cd, "Adding new keyslot %d using volume key.", keyslot); + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, passphrase, passphrase_size); - if ((r = onlyLUKS(cd))) - return r; + r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0); - if (isLUKS2(cd->type)) - return crypt_keyslot_add_by_key(cd, keyslot, - volume_key, volume_key_size, passphrase, - passphrase_size, 0); + crypt_keyslot_context_destroy_internal(&kc); + crypt_keyslot_context_destroy_internal(&new_kc); - r = keyslot_verify_or_find_empty(cd, &keyslot); - if (r < 0) - return r; - - if (volume_key) - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - else if (cd->volume_key) - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); - - if (!vk) - return -ENOMEM; - - r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); - if (r < 0) - log_err(cd, _("Volume key does not match the volume.")); - else - r = LUKS_set_key(keyslot, passphrase, passphrase_size, - &cd->u.luks1.hdr, vk, cd); - - crypt_free_volume_key(vk); - return (r < 0) ? r : keyslot; + return r; } int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot) @@ -3901,7 +3965,7 @@ int create_or_reload_device(struct crypt_device *cd, const char *name, return -EINVAL; tgt = &dmd->segment; - if (tgt->type != DM_CRYPT) + if (tgt->type != DM_CRYPT && tgt->type != DM_INTEGRITY) return -EINVAL; /* drop CRYPT_ACTIVATE_REFRESH flag if any device is inactive */ 
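Review bot: crypt_keyslot_add_by_volume_key no longer shows what happens when `volume_key` is NULL. The removed code fell back to `cd->volume_key` explicitly; the new code passes the pointer straight into `crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size)` and relies on crypt_keyslot_add_by_keyslot_context for the rest, which is outside the hunk. A comment such as `/* volume_key may be NULL: the key stored in cd is then used by crypt_keyslot_add_by_keyslot_context() */` would record the contract, provided that is indeed what the callee does.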
@@ -3912,12 +3976,27 @@ int create_or_reload_device(struct crypt_device *cd, const char *name, if (dmd->flags & CRYPT_ACTIVATE_REFRESH) r = _reload_device(cd, name, dmd); else { - device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL; + if (tgt->type == DM_CRYPT) { + device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL; - r = device_block_adjust(cd, tgt->data_device, device_check, + r = device_block_adjust(cd, tgt->data_device, device_check, tgt->u.crypt.offset, &dmd->size, &dmd->flags); - if (!r) { - tgt->size = dmd->size; + if (!r) { + tgt->size = dmd->size; + r = dm_create_device(cd, name, type, dmd); + } + } else if (tgt->type == DM_INTEGRITY) { + r = device_block_adjust(cd, tgt->data_device, DEV_EXCL, + tgt->u.integrity.offset, NULL, &dmd->flags); + if (r) + return r; + + if (tgt->u.integrity.meta_device) { + r = device_block_adjust(cd, tgt->u.integrity.meta_device, DEV_EXCL, 0, NULL, NULL); + if (r) + return r; + } + r = dm_create_device(cd, name, type, dmd); } } @@ -3955,10 +4034,6 @@ out: return r; } -/* See fixmes in _open_and_activate_luks2 */ -int update_reencryption_flag(struct crypt_device *cd, int enable, bool commit); - -/* TODO: This function should 1:1 with pre-reencryption code */ static int _open_and_activate(struct crypt_device *cd, int keyslot, const char *name, @@ -4009,7 +4084,7 @@ static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct struct volume_key *vk = vks; while (vk) { - r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk)); + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk)); if (r < 0) return r; vk = crypt_volume_key_next(vk); 
@@ -4100,7 +4175,7 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd, if (ri == CRYPT_REENCRYPT_CRASH) { r = LUKS2_reencrypt_locked_recovery_by_passphrase(cd, keyslot, - keyslot, passphrase, passphrase_size, flags, &vks); + keyslot, passphrase, passphrase_size, &vks); if (r < 0) { log_err(cd, _("LUKS2 reencryption recovery failed.")); goto out; @@ -4269,6 +4344,10 @@ static int _activate_by_passphrase(struct crypt_device *cd, r = BITLK_activate_by_passphrase(cd, name, passphrase, passphrase_size, &cd->u.bitlk.params, flags); keyslot = 0; + } else if (isFVAULT2(cd->type)) { + r = FVAULT2_activate_by_passphrase(cd, name, passphrase, passphrase_size, + &cd->u.fvault2.params, flags); + keyslot = 0; } else { log_err(cd, _("Device type is not properly initialized.")); r = -EINVAL; @@ -4499,7 +4578,8 @@ int crypt_activate_by_volume_key(struct crypt_device *cd, if (!crypt_use_keyring_for_vk(cd)) use_keyring = false; else - use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || (flags & CRYPT_ACTIVATE_KEYRING_KEY); + use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || + (flags & CRYPT_ACTIVATE_KEYRING_KEY); if (!r && use_keyring) { r = LUKS2_key_description_by_segment(cd, @@ -4565,7 +4645,10 @@ int crypt_activate_by_signed_key(struct crypt_device *cd, return -EINVAL; } - log_dbg(cd, "%s volume %s by %skey.", name ? "Activating" : "Checking", name ?: "", signature ? "signed " : ""); + if (name) + log_dbg(cd, "Activating volume %s by %skey.", name, signature ? "signed " : ""); + else + log_dbg(cd, "Checking volume by key."); if (cd->u.verity.hdr.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE && !signature) { log_err(cd, _("Root hash signature required.")); 
@@ -4783,10 +4866,34 @@ int crypt_volume_key_get(struct crypt_device *cd, const char *passphrase, size_t passphrase_size) { - struct volume_key *vk = NULL; - int key_len, r = -EINVAL; + int r; + struct crypt_keyslot_context kc; - if (!cd || !volume_key || !volume_key_size || (!isTCRYPT(cd->type) && !isVERITY(cd->type) && !passphrase)) + if (!passphrase) + return crypt_volume_key_get_by_keyslot_context(cd, keyslot, volume_key, volume_key_size, NULL); + + crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); + + r = crypt_volume_key_get_by_keyslot_context(cd, keyslot, volume_key, volume_key_size, &kc); + + crypt_keyslot_context_destroy_internal(&kc); + + return r; +} + +int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd, + int keyslot, + char *volume_key, + size_t *volume_key_size, + struct crypt_keyslot_context *kc) +{ + size_t passphrase_size; + int key_len, r; + const char *passphrase = NULL; + struct volume_key *vk = NULL; + + if (!cd || !volume_key || !volume_key_size || + (!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type))) return -EINVAL; if (isLUKS2(cd->type) && keyslot != CRYPT_ANY_SLOT) 
@@ -4802,20 +4909,39 @@ int crypt_volume_key_get(struct crypt_device *cd, return -ENOMEM; } - if (isPLAIN(cd->type) && cd->u.plain.hdr.hash) { - r = process_key(cd, cd->u.plain.hdr.hash, key_len, - passphrase, passphrase_size, &vk); + if (kc && (!kc->get_passphrase || kc->type == CRYPT_KC_TYPE_KEY)) + return -EINVAL; + + if (kc) { + r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size); + if (r < 0) + return r; + } + + r = -EINVAL; + + if (isLUKS2(cd->type)) { + if (kc && !kc->get_luks2_key) + log_err(cd, _("Cannot retrieve volume key for LUKS2 device.")); + else if (!kc) + r = -ENOENT; + else + r = kc->get_luks2_key(cd, kc, keyslot, + keyslot == CRYPT_ANY_SLOT ? CRYPT_DEFAULT_SEGMENT : CRYPT_ANY_SEGMENT, + &vk); + } else if (isLUKS1(cd->type)) { + if (kc && !kc->get_luks1_volume_key) + log_err(cd, _("Cannot retrieve volume key for LUKS1 device.")); + else if (!kc) + r = -ENOENT; + else + r = kc->get_luks1_volume_key(cd, kc, keyslot, &vk); + } else if (isPLAIN(cd->type)) { + if (passphrase && cd->u.plain.hdr.hash) + r = process_key(cd, cd->u.plain.hdr.hash, key_len, + passphrase, passphrase_size, &vk); if (r < 0) log_err(cd, _("Cannot retrieve volume key for plain device.")); - } else if (isLUKS1(cd->type)) { - r = LUKS_open_key_with_hdr(keyslot, passphrase, - passphrase_size, &cd->u.luks1.hdr, &vk, cd); - } else if (isLUKS2(cd->type)) { - r = LUKS2_keyslot_open(cd, keyslot, - keyslot == CRYPT_ANY_SLOT ? CRYPT_DEFAULT_SEGMENT : CRYPT_ANY_SEGMENT, - passphrase, passphrase_size, &vk); - } else if (isTCRYPT(cd->type)) { - r = TCRYPT_get_volume_key(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params, &vk); } else if (isVERITY(cd->type)) { /* volume_key == root hash */ if (cd->u.verity.root_hash) { 
@@ -4824,11 +4950,26 @@ int crypt_volume_key_get(struct crypt_device *cd, r = 0; } else log_err(cd, _("Cannot retrieve root hash for verity device.")); + } else if (isTCRYPT(cd->type)) { + r = TCRYPT_get_volume_key(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params, &vk); } else if (isBITLK(cd->type)) { - r = BITLK_get_volume_key(cd, passphrase, passphrase_size, &cd->u.bitlk.params, &vk); + if (passphrase) + r = BITLK_get_volume_key(cd, passphrase, passphrase_size, &cd->u.bitlk.params, &vk); + if (r < 0) + log_err(cd, _("Cannot retrieve volume key for BITLK device.")); + } else if (isFVAULT2(cd->type)) { + if (passphrase) + r = FVAULT2_get_volume_key(cd, passphrase, passphrase_size, &cd->u.fvault2.params, &vk); + if (r < 0) + log_err(cd, _("Cannot retrieve volume key for FVAULT2 device.")); } else log_err(cd, _("This operation is not supported for %s crypt device."), cd->type ?: "(none)"); + if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) { + vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); + r = vk ? 0 : -ENOMEM; + } + if (r >= 0 && vk) { memcpy(volume_key, vk->key, vk->keylength); *volume_key_size = vk->keylength; @@ -4859,10 +5000,6 @@ int crypt_volume_key_verify(struct crypt_device *cd, else r = -EINVAL; - - if (r == -EPERM) - log_err(cd, _("Volume key does not match the volume.")); - crypt_free_volume_key(vk); return r >= 0 ? 0 : r; @@ -4894,7 +5031,7 @@ int crypt_get_rng_type(struct crypt_device *cd) int crypt_memory_lock(struct crypt_device *cd, int lock) { - return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd); + return 0; } void crypt_set_compatibility(struct crypt_device *cd, uint32_t flags) 
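Review bot: The new `-ENOENT` fallback copies `cd->volume_key` into `vk`, but the only size check against the caller's buffer earlier in the function compares `key_len`, not `vk->keylength`. For a LUKS2 device with a specific `keyslot`, `key_len` is presumably taken from that keyslot, which need not equal `cd->volume_key->keylength`, so the `memcpy(volume_key, vk->key, vk->keylength)` below could write past `*volume_key_size`. A guard before the copy closes this: `if (r >= 0 && vk && vk->keylength > *volume_key_size) r = -ENOMEM;`. The code that computes `key_len` and the code after the memcpy are outside this hunk.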
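Review bot: crypt_memory_lock() now returns 0 without using `cd` or `lock`, and the hunk adds no comment saying so. A caller that relied on this call to keep key material out of swap still gets a success code, so the function should state that it is a retained no-op, e.g. `/* Deprecated: kept for API compatibility, does nothing; memory locking is no longer controlled here. */`. If the project builds with unused-parameter warnings, the two parameters will also need the project's usual unused annotation. Where locking is done instead is not visible in this diff.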
@@ -4941,13 +5078,6 @@ crypt_status_info crypt_status(struct crypt_device *cd, const char *name) return CRYPT_INACTIVE; } -static void hexprint(struct crypt_device *cd, const char *d, int n, const char *sep) -{ - int i; - for(i = 0; i < n; i++) - log_std(cd, "%02hhx%s", (const char)d[i], sep); -} - static int _luks_dump(struct crypt_device *cd) { int i; @@ -4960,12 +5090,12 @@ static int _luks_dump(struct crypt_device *cd) log_std(cd, "Payload offset:\t%" PRIu32 "\n", cd->u.luks1.hdr.payloadOffset); log_std(cd, "MK bits: \t%" PRIu32 "\n", cd->u.luks1.hdr.keyBytes * 8); log_std(cd, "MK digest: \t"); - hexprint(cd, cd->u.luks1.hdr.mkDigest, LUKS_DIGESTSIZE, " "); + crypt_log_hex(cd, cd->u.luks1.hdr.mkDigest, LUKS_DIGESTSIZE, " ", 0, NULL); log_std(cd, "\n"); log_std(cd, "MK salt: \t"); - hexprint(cd, cd->u.luks1.hdr.mkDigestSalt, LUKS_SALTSIZE/2, " "); + crypt_log_hex(cd, cd->u.luks1.hdr.mkDigestSalt, LUKS_SALTSIZE/2, " ", 0, NULL); log_std(cd, "\n \t"); - hexprint(cd, cd->u.luks1.hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " "); + crypt_log_hex(cd, cd->u.luks1.hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " ", 0, NULL); log_std(cd, "\n"); log_std(cd, "MK iterations: \t%" PRIu32 "\n", cd->u.luks1.hdr.mkDigestIterations); log_std(cd, "UUID: \t%s\n\n", cd->u.luks1.hdr.uuid); @@ -4975,11 +5105,11 @@ static int _luks_dump(struct crypt_device *cd) log_std(cd, "\tIterations: \t%" PRIu32 "\n", cd->u.luks1.hdr.keyblock[i].passwordIterations); log_std(cd, "\tSalt: \t"); - hexprint(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt, - LUKS_SALTSIZE/2, " "); + crypt_log_hex(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt, + LUKS_SALTSIZE/2, " ", 0, NULL); log_std(cd, "\n\t \t"); - hexprint(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt + - LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " "); + crypt_log_hex(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt + + LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " ", 0, NULL); log_std(cd, "\n"); log_std(cd, "\tKey material offset:\t%" PRIu32 "\n", 
@@ -4993,29 +5123,6 @@ static int _luks_dump(struct crypt_device *cd) return 0; } -static int _verity_dump(struct crypt_device *cd) -{ - log_std(cd, "VERITY header information for %s\n", mdata_device_path(cd)); - log_std(cd, "UUID: \t%s\n", cd->u.verity.uuid ?: ""); - log_std(cd, "Hash type: \t%u\n", cd->u.verity.hdr.hash_type); - log_std(cd, "Data blocks: \t%" PRIu64 "\n", cd->u.verity.hdr.data_size); - log_std(cd, "Data block size: \t%u\n", cd->u.verity.hdr.data_block_size); - log_std(cd, "Hash block size: \t%u\n", cd->u.verity.hdr.hash_block_size); - log_std(cd, "Hash algorithm: \t%s\n", cd->u.verity.hdr.hash_name); - log_std(cd, "Salt: \t"); - if (cd->u.verity.hdr.salt_size) - hexprint(cd, cd->u.verity.hdr.salt, cd->u.verity.hdr.salt_size, ""); - else - log_std(cd, "-"); - log_std(cd, "\n"); - if (cd->u.verity.root_hash) { - log_std(cd, "Root hash: \t"); - hexprint(cd, cd->u.verity.root_hash, cd->u.verity.root_hash_size, ""); - log_std(cd, "\n"); - } - return 0; -} - int crypt_dump(struct crypt_device *cd) { if (!cd) @@ -5025,13 +5132,17 @@ int crypt_dump(struct crypt_device *cd) else if (isLUKS2(cd->type)) return LUKS2_hdr_dump(cd, &cd->u.luks2.hdr); else if (isVERITY(cd->type)) - return _verity_dump(cd); + return VERITY_dump(cd, &cd->u.verity.hdr, + cd->u.verity.root_hash, cd->u.verity.root_hash_size, + cd->u.verity.fec_device); else if (isTCRYPT(cd->type)) return TCRYPT_dump(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params); else if (isINTEGRITY(cd->type)) return INTEGRITY_dump(cd, crypt_data_device(cd), 0); else if (isBITLK(cd->type)) return BITLK_dump(cd, crypt_data_device(cd), &cd->u.bitlk.params); + else if (isFVAULT2(cd->type)) + return FVAULT2_dump(cd, crypt_data_device(cd), &cd->u.fvault2.params); log_err(cd, _("Dump operation is not supported for this device type.")); return -EINVAL; 
@@ -5096,6 +5207,9 @@ const char *crypt_get_cipher(struct crypt_device *cd) if (isBITLK(cd->type)) return cd->u.bitlk.params.cipher; + if (isFVAULT2(cd->type)) + return cd->u.fvault2.params.cipher; + if (!cd->type && !_init_by_name_crypt_none(cd)) return cd->u.none.cipher; @@ -5129,6 +5243,9 @@ const char *crypt_get_cipher_mode(struct crypt_device *cd) if (isBITLK(cd->type)) return cd->u.bitlk.params.cipher_mode; + if (isFVAULT2(cd->type)) + return cd->u.fvault2.params.cipher_mode; + if (!cd->type && !_init_by_name_crypt_none(cd)) return cd->u.none.cipher_mode; @@ -5153,13 +5270,15 @@ const char *crypt_get_integrity(struct crypt_device *cd) /* INTERNAL only */ int crypt_get_integrity_key_size(struct crypt_device *cd) { + int key_size = 0; + if (isINTEGRITY(cd->type)) - return INTEGRITY_key_size(cd, crypt_get_integrity(cd)); + key_size = INTEGRITY_key_size(crypt_get_integrity(cd)); if (isLUKS2(cd->type)) - return INTEGRITY_key_size(cd, crypt_get_integrity(cd)); + key_size = INTEGRITY_key_size(crypt_get_integrity(cd)); - return 0; + return key_size > 0 ? key_size : 0; } /* INTERNAL only */ @@ -5169,7 +5288,7 @@ int crypt_get_integrity_tag_size(struct crypt_device *cd) return cd->u.integrity.params.tag_size; if (isLUKS2(cd->type)) - return INTEGRITY_tag_size(cd, crypt_get_integrity(cd), + return INTEGRITY_tag_size(crypt_get_integrity(cd), crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); return 0; @@ -5209,6 +5328,9 @@ const char *crypt_get_uuid(struct crypt_device *cd) if (isBITLK(cd->type)) return cd->u.bitlk.params.guid; + if (isFVAULT2(cd->type)) + return cd->u.fvault2.params.family_uuid; + return NULL; } @@ -5272,6 +5394,9 @@ int crypt_get_volume_key_size(struct crypt_device *cd) if (isBITLK(cd->type)) return cd->u.bitlk.params.key_size / 8; + if (isFVAULT2(cd->type)) + return cd->u.fvault2.params.key_size; + if (!cd->type && !_init_by_name_crypt_none(cd)) return cd->u.none.key_size; 
@@ -5456,6 +5581,9 @@ uint64_t crypt_get_data_offset(struct crypt_device *cd) if (isBITLK(cd->type)) return cd->u.bitlk.params.volume_header_size / SECTOR_SIZE; + if (isFVAULT2(cd->type)) + return cd->u.fvault2.params.log_vol_off / SECTOR_SIZE; + return cd->data_offset; } @@ -5523,7 +5651,7 @@ crypt_keyslot_priority crypt_keyslot_get_priority(struct crypt_device *cd, int k return CRYPT_SLOT_PRIORITY_INVALID; if (isLUKS2(cd->type)) - return LUKS2_keyslot_priority_get(cd, &cd->u.luks2.hdr, keyslot); + return LUKS2_keyslot_priority_get(&cd->u.luks2.hdr, keyslot); return CRYPT_SLOT_PRIORITY_NORMAL; } @@ -5615,7 +5743,7 @@ int crypt_get_integrity_info(struct crypt_device *cd, ip->integrity = LUKS2_get_integrity(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); ip->integrity_key_size = crypt_get_integrity_key_size(cd); - ip->tag_size = INTEGRITY_tag_size(cd, ip->integrity, crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); + ip->tag_size = INTEGRITY_tag_size(ip->integrity, crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); ip->journal_integrity = NULL; ip->journal_integrity_key_size = 0; @@ -5655,13 +5783,13 @@ int crypt_convert(struct crypt_device *cd, if (r < 0) { /* in-memory header may be invalid after failed conversion */ - _luks2_reload(cd); + _luks2_rollback(cd); if (r == -EBUSY) log_err(cd, _("Cannot convert device %s which is still in use."), mdata_device_path(cd)); return r; } - crypt_free_type(cd); + crypt_free_type(cd, NULL); return crypt_load(cd, type, params); } @@ -5732,7 +5860,8 @@ int crypt_activate_by_token_pin(struct crypt_device *cd, const char *name, if (r < 0) return r; - return LUKS2_token_open_and_activate(cd, &cd->u.luks2.hdr, token, name, type, pin, pin_size, flags, usrptr); + return LUKS2_token_open_and_activate(cd, &cd->u.luks2.hdr, token, name, type, + pin, pin_size, flags, usrptr); } int crypt_activate_by_token(struct crypt_device *cd, 
@@ -5753,7 +5882,7 @@ int crypt_token_json_get(struct crypt_device *cd, int token, const char **json) if ((r = _onlyLUKS2(cd, CRYPT_CD_UNRESTRICTED, 0))) return r; - return LUKS2_token_json_get(cd, &cd->u.luks2.hdr, token, json) ?: token; + return LUKS2_token_json_get(&cd->u.luks2.hdr, token, json) ?: token; } int crypt_token_json_set(struct crypt_device *cd, int token, const char *json) @@ -5819,7 +5948,7 @@ int crypt_token_luks2_keyring_get(struct crypt_device *cd, return -EINVAL; } - return LUKS2_token_keyring_get(cd, &cd->u.luks2.hdr, token, params); + return LUKS2_token_keyring_get(&cd->u.luks2.hdr, token, params); } int crypt_token_luks2_keyring_set(struct crypt_device *cd, @@ -5829,7 +5958,7 @@ int crypt_token_luks2_keyring_set(struct crypt_device *cd, int r; char json[4096]; - if (!params) + if (!params || !params->key_description) return -EINVAL; log_dbg(cd, "Creating new LUKS2 keyring token (%d).", token); @@ -5871,7 +6000,7 @@ int crypt_token_is_assigned(struct crypt_device *cd, int token, int keyslot) if ((r = _onlyLUKS2(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0))) return r; - return LUKS2_token_is_assigned(cd, &cd->u.luks2.hdr, keyslot, token); + return LUKS2_token_is_assigned(&cd->u.luks2.hdr, keyslot, token); } /* Internal only */ 
@@ -5938,28 +6067,18 @@ static int update_volume_key_segment_digest(struct crypt_device *cd, struct luks } static int verify_and_update_segment_digest(struct crypt_device *cd, - struct luks2_hdr *hdr, int keyslot, - const char *volume_key, size_t volume_key_size, - const char *password, size_t password_size) + struct luks2_hdr *hdr, int keyslot, struct crypt_keyslot_context *kc) { int digest, r; struct volume_key *vk = NULL; - if (keyslot < 0 || (volume_key && !volume_key_size)) - return -EINVAL; + assert(kc); + assert(kc->get_luks2_key); + assert(keyslot >= 0); - if (volume_key) - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - else { - r = LUKS2_keyslot_open(cd, keyslot, CRYPT_ANY_SEGMENT, password, password_size, &vk); - if (r != keyslot) { - r = -EINVAL; - goto out; - } - } - - if (!vk) - return -ENOMEM; + r = kc->get_luks2_key(cd, kc, keyslot, CRYPT_ANY_SEGMENT, &vk); + if (r < 0) + return r; /* check volume_key (param) digest matches keyslot digest */ r = LUKS2_digest_verify(cd, hdr, vk, keyslot); 
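Review bot: The three `assert()` calls at the top of verify_and_update_segment_digest replace the former `-EINVAL` return, so a context without a `get_luks2_key` callback aborts the calling process in a debug build and is called through a NULL pointer when NDEBUG is defined. The function is reached from crypt_keyslot_add_by_keyslot_context (the `@@ -5991` hunk), which tests only `!kc` before the call; whether every context type sets `get_luks2_key` is not visible here. For library code reachable from the public API I would keep a runtime check, `if (!kc || !kc->get_luks2_key || keyslot < 0) return -EINVAL;`. The function body continues past this hunk.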
@@ -5979,9 +6098,150 @@ static int verify_and_update_segment_digest(struct crypt_device *cd, log_err(cd, _("Failed to assign keyslot %u as the new volume key."), keyslot); out: crypt_free_volume_key(vk); + return r < 0 ? r : keyslot; } +static int luks2_keyslot_add_by_verified_volume_key(struct crypt_device *cd, + int keyslot_new, + const char *new_passphrase, + size_t new_passphrase_size, + struct volume_key *vk) +{ + int r; + struct luks2_keyslot_params params; + + assert(cd); + assert(keyslot_new >= 0); + assert(new_passphrase); + assert(vk); + assert(crypt_volume_key_get_id(vk) >= 0); + + r = LUKS2_keyslot_params_default(cd, &cd->u.luks2.hdr, ¶ms); + if (r < 0) { + log_err(cd, _("Failed to initialize default LUKS2 keyslot parameters.")); + return r; + } + + r = LUKS2_digest_assign(cd, &cd->u.luks2.hdr, keyslot_new, crypt_volume_key_get_id(vk), 1, 0); + if (r < 0) { + log_err(cd, _("Failed to assign keyslot %d to digest."), keyslot_new); + return r; + } + + r = LUKS2_keyslot_store(cd, &cd->u.luks2.hdr, keyslot_new, + CONST_CAST(char*)new_passphrase, + new_passphrase_size, vk, ¶ms); + + return r < 0 ? 
r : keyslot_new; +} + +static int luks2_keyslot_add_by_volume_key(struct crypt_device *cd, + int keyslot_new, + const char *new_passphrase, + size_t new_passphrase_size, + struct volume_key *vk) +{ + int r; + + assert(cd); + assert(keyslot_new >= 0); + assert(new_passphrase); + assert(vk); + + r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); + if (r >= 0) + crypt_volume_key_set_id(vk, r); + + if (r < 0) { + log_err(cd, _("Volume key does not match the volume.")); + return r; + } + + return luks2_keyslot_add_by_verified_volume_key(cd, keyslot_new, new_passphrase, new_passphrase_size, vk); +} + +static int luks1_keyslot_add_by_volume_key(struct crypt_device *cd, + int keyslot_new, + const char *new_passphrase, + size_t new_passphrase_size, + struct volume_key *vk) +{ + int r; + + assert(cd); + assert(keyslot_new >= 0); + assert(new_passphrase); + assert(vk); + + r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); + if (r < 0) { + log_err(cd, _("Volume key does not match the volume.")); + return r; + } + + r = LUKS_set_key(keyslot_new, CONST_CAST(char*)new_passphrase, + new_passphrase_size, &cd->u.luks1.hdr, vk, cd); + + return r < 0 ? r : keyslot_new; +} + +static int keyslot_add_by_key(struct crypt_device *cd, + bool is_luks1, + int keyslot_new, + const char *new_passphrase, + size_t new_passphrase_size, + struct volume_key *vk, + uint32_t flags) +{ + int r, digest; + + assert(cd); + assert(keyslot_new >= 0); + assert(new_passphrase); + assert(vk); + + if (!flags) + return is_luks1 ? 
luks1_keyslot_add_by_volume_key(cd, keyslot_new, new_passphrase, new_passphrase_size, vk) : + luks2_keyslot_add_by_volume_key(cd, keyslot_new, new_passphrase, new_passphrase_size, vk); + + if (is_luks1) + return -EINVAL; + + digest = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); + if (digest >= 0) /* if key matches volume key digest tear down new vk flag */ + flags &= ~CRYPT_VOLUME_KEY_SET; + else { + /* if key matches any existing digest, do not create new digest */ + if ((flags & CRYPT_VOLUME_KEY_DIGEST_REUSE)) + digest = LUKS2_digest_any_matching(cd, &cd->u.luks2.hdr, vk); + + /* no segment flag or new vk flag requires new key digest */ + if (flags & (CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_SET)) { + if (digest < 0 || !(flags & CRYPT_VOLUME_KEY_DIGEST_REUSE)) + digest = LUKS2_digest_create(cd, "pbkdf2", &cd->u.luks2.hdr, vk); + } + } + + r = digest; + if (r < 0) { + log_err(cd, _("Volume key does not match the volume.")); + return r; + } + + crypt_volume_key_set_id(vk, digest); + + if (flags & CRYPT_VOLUME_KEY_SET) { + r = update_volume_key_segment_digest(cd, &cd->u.luks2.hdr, digest, 0); + if (r < 0) + log_err(cd, _("Failed to assign keyslot %u as the new volume key."), keyslot_new); + } + + if (r >= 0) + r = luks2_keyslot_add_by_verified_volume_key(cd, keyslot_new, new_passphrase, new_passphrase_size, vk); + + return r < 0 ? r : keyslot_new; +} int crypt_keyslot_add_by_key(struct crypt_device *cd, int keyslot, 
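Review bot: In luks2_keyslot_add_by_volume_key the result of LUKS2_digest_verify_by_segment is tested twice in a row (`if (r >= 0)` and then `if (r < 0)`); handling the error first and then calling `crypt_volume_key_set_id(vk, r);` unconditionally reads more directly. luks2_keyslot_add_by_verified_volume_key also depends on the key already carrying a digest id (it asserts `crypt_volume_key_get_id(vk) >= 0`), and nothing above the function says so. A one-line comment such as `/* vk must already have its digest id set via crypt_volume_key_set_id() */` would document that contract for the next caller.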
@@ -5991,92 +6251,133 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd, size_t passphrase_size, uint32_t flags) { - int digest, r; - struct luks2_keyslot_params params; - struct volume_key *vk = NULL; + int r; + struct crypt_keyslot_context kc, new_kc; if (!passphrase || ((flags & CRYPT_VOLUME_KEY_NO_SEGMENT) && (flags & CRYPT_VOLUME_KEY_SET))) return -EINVAL; - log_dbg(cd, "Adding new keyslot %d with volume key %sassigned to a crypt segment.", - keyslot, flags & CRYPT_VOLUME_KEY_NO_SEGMENT ? "un" : ""); - - if ((r = onlyLUKS2(cd))) + if ((r = onlyLUKS(cd)) < 0) return r; - /* new volume key assignment */ - if ((flags & CRYPT_VOLUME_KEY_SET) && crypt_keyslot_status(cd, keyslot) > CRYPT_SLOT_INACTIVE) - return verify_and_update_segment_digest(cd, &cd->u.luks2.hdr, - keyslot, volume_key, volume_key_size, passphrase, passphrase_size); + if ((flags & CRYPT_VOLUME_KEY_SET) && crypt_keyslot_status(cd, keyslot) > CRYPT_SLOT_INACTIVE && + isLUKS2(cd->type)) { + if (volume_key) + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + else + crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); - r = keyslot_verify_or_find_empty(cd, &keyslot); + r = verify_and_update_segment_digest(cd, &cd->u.luks2.hdr, keyslot, &kc); + + crypt_keyslot_context_destroy_internal(&kc); + + return r; + } + + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, passphrase, passphrase_size); + + r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, flags); + + crypt_keyslot_context_destroy_internal(&kc); + crypt_keyslot_context_destroy_internal(&new_kc); + + return r; +} + +int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd, + int keyslot_existing, + struct crypt_keyslot_context *kc, + int keyslot_new, + struct crypt_keyslot_context *new_kc, + uint32_t flags) +{ + bool is_luks1; + int active_slots, r; + const 
char *new_passphrase; + size_t new_passphrase_size; + struct volume_key *vk = NULL; + + if (!kc || ((flags & CRYPT_VOLUME_KEY_NO_SEGMENT) && + (flags & CRYPT_VOLUME_KEY_SET))) + return -EINVAL; + + r = flags ? onlyLUKS2(cd) : onlyLUKS(cd); + if (r) + return r; + + if ((flags & CRYPT_VOLUME_KEY_SET) && crypt_keyslot_status(cd, keyslot_existing) > CRYPT_SLOT_INACTIVE) + return verify_and_update_segment_digest(cd, &cd->u.luks2.hdr, keyslot_existing, kc); + + if (!new_kc || !new_kc->get_passphrase) + return -EINVAL; + + log_dbg(cd, "Adding new keyslot %d by %s%s, volume key provided by %s (%d).", + keyslot_new, keyslot_context_type_string(new_kc), + (flags & CRYPT_VOLUME_KEY_NO_SEGMENT) ? " unassigned to a crypt segment" : "", + keyslot_context_type_string(kc), keyslot_existing); + + r = keyslot_verify_or_find_empty(cd, &keyslot_new); if (r < 0) return r; - if (volume_key) - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - else if (flags & CRYPT_VOLUME_KEY_NO_SEGMENT) - vk = crypt_generate_volume_key(cd, volume_key_size); - else if (cd->volume_key) - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); + is_luks1 = isLUKS1(cd->type); + if (is_luks1) + active_slots = LUKS_keyslot_active_count(&cd->u.luks1.hdr); + else + active_slots = LUKS2_keyslot_active_count(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); + + if (active_slots < 0) + return -EINVAL; + + if (active_slots == 0 && kc->type != CRYPT_KC_TYPE_KEY) + r = -ENOENT; + else if (is_luks1 && kc->get_luks1_volume_key) + r = kc->get_luks1_volume_key(cd, kc, keyslot_existing, &vk); + else if (!is_luks1 && kc->get_luks2_volume_key) + r = kc->get_luks2_volume_key(cd, kc, keyslot_existing, &vk); else return -EINVAL; - if (!vk) - return -ENOMEM; - - /* if key matches volume key digest tear down new vk flag */ - digest = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); - if (digest >= 0) - flags &= ~CRYPT_VOLUME_KEY_SET; - - /* if key matches any existing 
digest, do not create new digest */ - if (digest < 0 && (flags & CRYPT_VOLUME_KEY_DIGEST_REUSE)) - digest = LUKS2_digest_any_matching(cd, &cd->u.luks2.hdr, vk); - - /* no segment flag or new vk flag requires new key digest */ - if (flags & (CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_SET)) { - if (digest < 0 || !(flags & CRYPT_VOLUME_KEY_DIGEST_REUSE)) - digest = LUKS2_digest_create(cd, "pbkdf2", &cd->u.luks2.hdr, vk); + if (r == -ENOENT) { + if ((flags & CRYPT_VOLUME_KEY_NO_SEGMENT) && kc->type == CRYPT_KC_TYPE_KEY) { + if (!(vk = crypt_generate_volume_key(cd, kc->u.k.volume_key_size))) + return -ENOMEM; + r = 0; + } else if (cd->volume_key) { + if (!(vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key))) + return -ENOMEM; + r = 0; + } else if (active_slots == 0) { + log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.")); + r = -EINVAL; + } } - r = digest; - if (r < 0) { - log_err(cd, _("Volume key does not match the volume.")); - goto out; - } + if (r < 0) + return r; - r = LUKS2_keyslot_params_default(cd, &cd->u.luks2.hdr, ¶ms); - if (r < 0) { - log_err(cd, _("Failed to initialize default LUKS2 keyslot parameters.")); - goto out; - } + r = new_kc->get_passphrase(cd, new_kc, &new_passphrase, &new_passphrase_size); + /* If new keyslot context is token just assign it to new keyslot */ + if (r >= 0 && new_kc->type == CRYPT_KC_TYPE_TOKEN && !is_luks1) + r = LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot_new, new_kc->u.t.id, 1, 0); + if (r >= 0) + r = keyslot_add_by_key(cd, is_luks1, keyslot_new, new_passphrase, new_passphrase_size, vk, flags); - r = LUKS2_digest_assign(cd, &cd->u.luks2.hdr, keyslot, digest, 1, 0); - if (r < 0) { - log_err(cd, _("Failed to assign keyslot %d to digest."), keyslot); - goto out; - } - - r = LUKS2_keyslot_store(cd, &cd->u.luks2.hdr, keyslot, - passphrase, passphrase_size, vk, ¶ms); - - if (r >= 0 && (flags & CRYPT_VOLUME_KEY_SET)) - r = update_volume_key_segment_digest(cd, 
&cd->u.luks2.hdr, digest, 1); -out: crypt_free_volume_key(vk); + if (r < 0) { - _luks2_reload(cd); + _luks2_rollback(cd); return r; } - return keyslot; + + return keyslot_new; } /* * Keyring handling */ - int crypt_use_keyring_for_vk(struct crypt_device *cd) { uint32_t dmc_flags; @@ -6202,8 +6503,7 @@ int crypt_activate_by_keyring(struct crypt_device *cd, r = _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags); - crypt_safe_memzero(passphrase, passphrase_size); - free(passphrase); + crypt_safe_free(passphrase); return r; } @@ -6240,7 +6540,13 @@ void crypt_serialize_unlock(struct crypt_device *cd) crypt_reencrypt_info crypt_reencrypt_status(struct crypt_device *cd, struct crypt_params_reencrypt *params) { - if (!cd || !isLUKS2(cd->type)) + if (params) + memset(params, 0, sizeof(*params)); + + if (!cd || !isLUKS(cd->type)) + return CRYPT_REENCRYPT_INVALID; + + if (isLUKS1(cd->type)) return CRYPT_REENCRYPT_NONE; if (_onlyLUKS2(cd, CRYPT_CD_QUIET, CRYPT_REQUIREMENT_ONLINE_REENCRYPT)) diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c index 4be73f2..60e4966 100644 --- a/lib/tcrypt/tcrypt.c +++ b/lib/tcrypt/tcrypt.c @@ -1,8 +1,8 @@ /* * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -23,7 +23,6 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> -#include <assert.h> #include "libcryptsetup.h" #include "tcrypt.h" 
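Review bot: `crypt_safe_free(passphrase)` in crypt_activate_by_keyring is presumably only correct when the buffer came from the matching safe allocator, and the allocation is outside this hunk, so it should be confirmed against the keyring read helper. If the buffer can come from plain `malloc()`, the previous `crypt_safe_memzero()` and `free()` pair has to stay. A short comment at the call, e.g. `/* passphrase was allocated with crypt_safe_alloc() */`, would record the assumption. The function body starts outside the hunk.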
@@ -264,8 +263,8 @@ static int TCRYPT_hdr_from_disk(struct crypt_device *cd, */ static void TCRYPT_swab_le(char *buf) { - uint32_t *l = (uint32_t*)&buf[0]; - uint32_t *r = (uint32_t*)&buf[4]; + uint32_t *l = VOIDP_CAST(uint32_t*)&buf[0]; + uint32_t *r = VOIDP_CAST(uint32_t*)&buf[4]; *l = swab32(*l); *r = swab32(*r); } @@ -588,7 +587,6 @@ static int TCRYPT_init_hdr(struct crypt_device *cd, (tcrypt_kdf[i].veracrypt_pim_mult * params->veracrypt_pim); } else iterations = tcrypt_kdf[i].iterations; - /* Derive header key */ log_dbg(cd, "TCRYPT: trying KDF: %s-%s-%d%s.", tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations, @@ -601,6 +599,8 @@ static int TCRYPT_init_hdr(struct crypt_device *cd, if (r < 0) { log_verbose(cd, _("PBKDF2 hash algorithm %s not available, skipping."), tcrypt_kdf[i].hash); + skipped++; + r = -EPERM; continue; } @@ -609,16 +609,18 @@ static int TCRYPT_init_hdr(struct crypt_device *cd, if (r == -ENOENT) { skipped++; r = -EPERM; + continue; } if (r != -EPERM) break; } - if ((r < 0 && r != -EPERM && skipped && skipped == i) || r == -ENOTSUP) { + if ((r < 0 && skipped && skipped == i) || r == -ENOTSUP) { log_err(cd, _("Required kernel crypto interface not available.")); #ifdef ENABLE_AF_ALG log_err(cd, _("Ensure you have algif_skcipher kernel module loaded.")); #endif + r = -ENOTSUP; } if (r < 0) goto out; @@ -827,7 +829,10 @@ int TCRYPT_activate(struct crypt_device *cd, strncpy(dm_name, name, sizeof(dm_name)-1); dmd.flags = flags; } else { - snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1); + if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1) < 0) { + r = -EINVAL; + break; + } dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE; } 
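Review bot: The new `snprintf(...) < 0` test in TCRYPT_activate catches only an output error, not truncation, so a `name` too long for `dm_name` still produces a silently shortened device name. The same applies to the `dm_dev_name` call in the following `@@ -835` hunk. crypt_capi_to_cipher in this commit already uses the fuller form, so I would match it with a local `int n`: `n = snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);` followed by `if (n < 0 || (size_t)n >= sizeof(dm_name)) { r = -EINVAL; break; }`. The function body starts and ends outside the hunk.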
@@ -835,8 +840,10 @@ int TCRYPT_activate(struct crypt_device *cd, vk->key, hdr->d.keys); if (algs->chain_count != i) { - snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d", - dm_get_dir(), name, i); + if (snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d", dm_get_dir(), name, i) < 0) { + r = -EINVAL; + break; + } r = device_alloc(cd, &device, dm_dev_name); if (r) break; diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h index 4b4dafd..b95d74d 100644 --- a/lib/tcrypt/tcrypt.h +++ b/lib/tcrypt/tcrypt.h @@ -1,8 +1,8 @@ /* * TCRYPT (TrueCrypt-compatible) header definition * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils.c b/lib/utils.c index 68789f7..bfcf60d 100644 --- a/lib/utils.c +++ b/lib/utils.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
@@ -59,43 +59,33 @@ uint64_t crypt_getphysmemory_kb(void) return phys_memory_kb; } -/* MEMLOCK */ -#define DEFAULT_PROCESS_PRIORITY -18 - -static int _priority; -static int _memlock_count = 0; - -// return 1 if memory is locked -int crypt_memlock_inc(struct crypt_device *ctx) +void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise) { - if (!_memlock_count++) { - log_dbg(ctx, "Locking memory."); - if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) { - log_dbg(ctx, "Cannot lock memory with mlockall."); - _memlock_count--; - return 0; - } - errno = 0; - if (((_priority = getpriority(PRIO_PROCESS, 0)) == -1) && errno) - log_err(ctx, _("Cannot get process priority.")); + int _priority, new_priority; + + if (raise) { + _priority = getpriority(PRIO_PROCESS, 0); + if (_priority < 0) + _priority = 0; + if (priority) + *priority = _priority; + + /* + * Do not bother checking CAP_SYS_NICE as device activation + * requires CAP_SYSADMIN later anyway. + */ + if (getuid() || geteuid()) + new_priority = 0; else - if (setpriority(PRIO_PROCESS, 0, DEFAULT_PROCESS_PRIORITY)) - log_dbg(ctx, "setpriority %d failed: %s", - DEFAULT_PROCESS_PRIORITY, strerror(errno)); - } - return _memlock_count ? 1 : 0; -} + new_priority = -18; -int crypt_memlock_dec(struct crypt_device *ctx) -{ - if (_memlock_count && (!--_memlock_count)) { - log_dbg(ctx, "Unlocking memory."); - if (munlockall() == -1) - log_err(ctx, _("Cannot unlock memory.")); + if (setpriority(PRIO_PROCESS, 0, new_priority)) + log_dbg(cd, "Cannot raise process priority."); + } else { + _priority = priority ? *priority : 0; if (setpriority(PRIO_PROCESS, 0, _priority)) - log_dbg(ctx, "setpriority %d failed: %s", _priority, strerror(errno)); + log_dbg(cd, "Cannot reset process priority."); } - return _memlock_count ? 1 : 0; } /* Keyfile processing */ 
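Review bot: In the `raise` branch of crypt_process_priority any negative return from `getpriority()` is treated as a failure and replaced by 0, but negative values are legitimate nice levels, so a process started at a negative nice value is put back to 0 afterwards instead of its original priority. The removed code told the two cases apart through errno, and the same works here: `errno = 0; _priority = getpriority(PRIO_PROCESS, 0);` then `if (_priority == -1 && errno) _priority = 0;`. The `setpriority()` failures are also logged without `strerror(errno)` now, which makes the debug line less useful than before.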
@@ -112,9 +102,9 @@ static int keyfile_seek(int fd, uint64_t bytes) char tmp[BUFSIZ]; size_t next_read; ssize_t bytes_r; - off64_t r; + off_t r; - r = lseek64(fd, bytes, SEEK_CUR); + r = lseek(fd, bytes, SEEK_CUR); if (r > 0) return 0; if (r < 0 && errno != ESPIPE) @@ -179,7 +169,7 @@ int crypt_keyfile_device_read(struct crypt_device *cd, const char *keyfile, key_size = DEFAULT_KEYFILE_SIZE_MAXKB * 1024 + 1; unlimited_read = 1; /* use 4k for buffer (page divisor but avoid huge pages) */ - buflen = 4096 - sizeof(size_t); // sizeof(struct safe_allocation); + buflen = 4096 - 16; /* sizeof(struct safe_allocation); */ } else buflen = key_size; diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c index 7a9736d..728e4df 100644 --- a/lib/utils_benchmark.c +++ b/lib/utils_benchmark.c @@ -1,8 +1,8 @@ /* * libcryptsetup - cryptsetup library, cipher benchmark * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -47,6 +47,7 @@ int crypt_benchmark(struct crypt_device *cd, r = -ENOMEM; if (posix_memalign(&buffer, crypt_getpagesize(), buffer_size)) goto out; + memset(buffer, 0, buffer_size); r = crypt_cipher_ivsize(cipher, cipher_mode); if (r >= 0 && iv_size != (size_t)r) { @@ -98,7 +99,7 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, int (*progress)(uint32_t time_ms, void *usrptr), void *usrptr) { - int r; + int r, priority; const char *kdf_opt; if (!pbkdf || (!password && password_size)) 
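Review bot: `lseek()` in keyfile_seek now receives the `uint64_t bytes` offset as a plain `off_t`, which is 64 bits wide only when the build enables large-file support; the build flags are not visible in this diff. If 32-bit targets are supported, confirm that `_FILE_OFFSET_BITS=64` (or the autoconf equivalent) is in effect, otherwise a large keyfile offset would be truncated and different key material read. A comment next to the declaration, e.g. `/* off_t is 64-bit, build requires large-file support */`, would record the dependency. The function body continues outside the hunk.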
@@ -112,10 +113,12 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, log_dbg(cd, "Running %s(%s) benchmark.", pbkdf->type, kdf_opt); + crypt_process_priority(cd, &priority, true); r = crypt_pbkdf_perf(pbkdf->type, pbkdf->hash, password, password_size, salt, salt_size, volume_key_size, pbkdf->time_ms, pbkdf->max_memory_kb, pbkdf->parallel_threads, &pbkdf->iterations, &pbkdf->max_memory_kb, progress, usrptr); + crypt_process_priority(cd, &priority, false); if (!r) log_dbg(cd, "Benchmark returns %s(%s) %u iterations, %u memory, %u threads (for %zu-bits key).", @@ -184,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */ pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */ - r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "bar", 3, + r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16, volume_key_size, &benchmark_callback, &u); pbkdf->time_ms = ms_tmp; if (r < 0) { @@ -204,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, return 0; } - r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, + r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "0123456789abcdef0123456789abcdef", 32, volume_key_size, &benchmark_callback, &u); if (r < 0) diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c index 562b136..5a848a1 100644 --- a/lib/utils_blkid.c +++ b/lib/utils_blkid.c @@ -1,7 +1,7 @@ /* * blkid probe utilities * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,6 +19,7 @@ */ #include <errno.h> +#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <string.h> 
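Review bot: The salt literal in the first crypt_benchmark_pbkdf call of crypt_benchmark_pbkdf_internal is `"01234567890abcdef"`, which is 17 characters long, while the length argument is 16, so the trailing `f` is never used. That is harmless for a benchmark, but it looks like a typo for `"0123456789abcdef"`, the pattern the second call repeats for its 32-byte salt. The enclosing function starts and ends outside the hunk.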
@@ -72,14 +73,20 @@ void blk_set_chains_for_full_print(struct blkid_handle *h) blk_set_chains_for_wipes(h); } +void blk_set_chains_for_superblocks(struct blkid_handle *h) +{ +#ifdef HAVE_BLKID + blkid_probe_enable_superblocks(h->pr, 1); + blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE); +#endif +} + void blk_set_chains_for_fast_detection(struct blkid_handle *h) { #ifdef HAVE_BLKID blkid_probe_enable_partitions(h->pr, 1); blkid_probe_set_partitions_flags(h->pr, 0); - - blkid_probe_enable_superblocks(h->pr, 1); - blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE); + blk_set_chains_for_superblocks(h); #endif } @@ -135,16 +142,34 @@ int blk_init_by_fd(struct blkid_handle **h, int fd) return r; } -int blk_superblocks_filter_luks(struct blkid_handle *h) -{ - int r = -ENOTSUP; #ifdef HAVE_BLKID +static int blk_superblocks_luks(struct blkid_handle *h, bool enable) +{ char luks[] = "crypto_LUKS"; char *luks_filter[] = { luks, NULL }; - r = blkid_probe_filter_superblocks_type(h->pr, BLKID_FLTR_NOTIN, luks_filter); + return blkid_probe_filter_superblocks_type(h->pr, + enable ? BLKID_FLTR_ONLYIN : BLKID_FLTR_NOTIN, + luks_filter); +} +#endif + +int blk_superblocks_filter_luks(struct blkid_handle *h) +{ + int r = -ENOTSUP; +#ifdef HAVE_BLKID + r = blk_superblocks_luks(h, false); +#endif + return r; +} + +int blk_superblocks_only_luks(struct blkid_handle *h) +{ + int r = -ENOTSUP; +#ifdef HAVE_BLKID + r = blk_superblocks_luks(h, true); #endif return r; } 
@@ -308,16 +333,15 @@ int blk_supported(void) return r; } -off_t blk_get_offset(struct blkid_handle *h) +unsigned blk_get_block_size(struct blkid_handle *h) { - off_t offset_value = -1; + unsigned block_size = 0; #ifdef HAVE_BLKID - const char *offset; - if (blk_is_superblock(h)) { - if (!blkid_probe_lookup_value(h->pr, "SBMAGIC_OFFSET", &offset, NULL)) - offset_value = strtoll(offset, NULL, 10); - } else if (blk_is_partition(h) && !blkid_probe_lookup_value(h->pr, "PTMAGIC_OFFSET", &offset, NULL)) - offset_value = strtoll(offset, NULL, 10); + const char *data; + if (!blk_is_superblock(h) || !blkid_probe_has_value(h->pr, "BLOCK_SIZE") || + blkid_probe_lookup_value(h->pr, "BLOCK_SIZE", &data, NULL) || + sscanf(data, "%u", &block_size) != 1) + block_size = 0; #endif - return offset_value; + return block_size; } diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h index 5b61873..3ee1434 100644 --- a/lib/utils_blkid.h +++ b/lib/utils_blkid.h @@ -1,7 +1,7 @@ /* * blkid probe utilities * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -41,9 +41,12 @@ void blk_set_chains_for_wipes(struct blkid_handle *h); void blk_set_chains_for_full_print(struct blkid_handle *h); +void blk_set_chains_for_superblocks(struct blkid_handle *h); + void blk_set_chains_for_fast_detection(struct blkid_handle *h); int blk_superblocks_filter_luks(struct blkid_handle *h); +int blk_superblocks_only_luks(struct blkid_handle *h); blk_probe_status blk_safeprobe(struct blkid_handle *h); @@ -61,6 +64,6 @@ int blk_do_wipe(struct blkid_handle *h); int blk_supported(void); -off_t blk_get_offset(struct blkid_handle *h); +unsigned blk_get_block_size(struct blkid_handle *h); #endif diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c index 93565e6..0b7dc37 100644 --- a/lib/utils_crypt.c +++ b/lib/utils_crypt.c 
@@ -2,8 +2,8 @@ * utils_crypt - cipher utilities for cryptsetup * * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -31,6 +31,8 @@ #include "libcryptsetup.h" #include "utils_crypt.h" +#define MAX_CAPI_LEN_STR "143" /* for sscanf of crypto API string + 16 + \0 */ + int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, char *cipher_mode) { 
@@ -152,10 +154,50 @@ int crypt_parse_pbkdf(const char *s, const char **pbkdf) return 0; } +/* + * Thanks Mikulas Patocka for these two char converting functions. + * + * This function is used to load cryptographic keys, so it is coded in such a + * way that there are no conditions or memory accesses that depend on data. + * + * Explanation of the logic: + * (ch - '9' - 1) is negative if ch <= '9' + * ('0' - 1 - ch) is negative if ch >= '0' + * we "and" these two values, so the result is negative if ch is in the range + * '0' ... '9' + * we are only interested in the sign, so we do a shift ">> 8"; note that right + * shift of a negative value is implementation-defined, so we cast the + * value to (unsigned) before the shift --- we have 0xffffff if ch is in + * the range '0' ... '9', 0 otherwise + * we "and" this value with (ch - '0' + 1) --- we have a value 1 ... 10 if ch is + * in the range '0' ... '9', 0 otherwise + * we add this value to -1 --- we have a value 0 ... 9 if ch is in the range '0' + * ... '9', -1 otherwise + * the next line is similar to the previous one, but we need to decode both + * uppercase and lowercase letters, so we use (ch & 0xdf), which converts + * lowercase to uppercase + */ +static int hex_to_bin(unsigned char ch) +{ + unsigned char cu = ch & 0xdf; + return -1 + + ((ch - '0' + 1) & (unsigned)((ch - '9' - 1) & ('0' - 1 - ch)) >> 8) + + ((cu - 'A' + 11) & (unsigned)((cu - 'F' - 1) & ('A' - 1 - cu)) >> 8); +} + +static char hex2asc(unsigned char c) +{ + return c + '0' + ((unsigned)(9 - c) >> 4 & 0x27); +} + ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc) { - char buf[3] = "xx\0", *endp, *bytes; + char *bytes; size_t i, len; + int bl, bh; + + if (!hex || !result) + return -EINVAL; len = strlen(hex); if (len % 2) 
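Review bot: `hex2asc()` has no comment although it relies on the same branch-free technique that hex_to_bin explains at length, and it silently assumes its argument is in 0..15. I would add above it something like `/* c must be 0..15; for c > 9 the shifted (9 - c) is non-zero and adds 0x27 ('a' - '0' - 10), without a data-dependent branch */`. The body of crypt_hex_to_bytes continues outside the hunk.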
@@ -167,20 +209,139 @@ ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc) return -ENOMEM; for (i = 0; i < len; i++) { - memcpy(buf, &hex[i * 2], 2); - bytes[i] = strtoul(buf, &endp, 16); - if (endp != &buf[2]) { + bh = hex_to_bin(hex[i * 2]); + bl = hex_to_bin(hex[i * 2 + 1]); + if (bh == -1 || bl == -1) { safe_alloc ? crypt_safe_free(bytes) : free(bytes); return -EINVAL; } + bytes[i] = (bh << 4) | bl; } *result = bytes; return i; } +char *crypt_bytes_to_hex(size_t size, const char *bytes) +{ + unsigned i; + char *hex; + + if (size && !bytes) + return NULL; + + /* Alloc adds trailing \0 */ + if (size == 0) + hex = crypt_safe_alloc(2); + else + hex = crypt_safe_alloc(size * 2 + 1); + if (!hex) + return NULL; + + if (size == 0) + hex[0] = '-'; + else for (i = 0; i < size; i++) { + hex[i * 2] = hex2asc((const unsigned char)bytes[i] >> 4); + hex[i * 2 + 1] = hex2asc((const unsigned char)bytes[i] & 0xf); + } + + return hex; +} + +void crypt_log_hex(struct crypt_device *cd, + const char *bytes, size_t size, + const char *sep, int numwrap, const char *wrapsep) +{ + unsigned i; + + for (i = 0; i < size; i++) { + if (wrapsep && numwrap && i && !(i % numwrap)) + crypt_logf(cd, CRYPT_LOG_NORMAL, wrapsep); + crypt_logf(cd, CRYPT_LOG_NORMAL, "%c%c%s", + hex2asc((const unsigned char)bytes[i] >> 4), + hex2asc((const unsigned char)bytes[i] & 0xf), sep); + } +} + bool crypt_is_cipher_null(const char *cipher_spec) { if (!cipher_spec) return false; return (strstr(cipher_spec, "cipher_null") || !strcmp(cipher_spec, "null")); } + +int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm) +{ + char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN], + auth[MAX_CAPI_ONE_LEN], tmp[MAX_CAPI_LEN], dmcrypt_tmp[MAX_CAPI_LEN*2], + capi[MAX_CAPI_LEN+1]; + size_t len; + int i; + + if (!c_dm) + return -EINVAL; + + /* legacy mode */ + if (strncmp(c_dm, "capi:", 4)) { + if (!(*org_c = strdup(c_dm))) + return -ENOMEM; + if 
(i_dm) { + if (!(*org_i = strdup(i_dm))) { + free(*org_c); + *org_c = NULL; + return -ENOMEM; + } + } else + *org_i = NULL; + return 0; + } + + /* modes with capi: prefix */ + i = sscanf(c_dm, "capi:%" MAX_CAPI_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", tmp, iv); + if (i != 2) + return -EINVAL; + + len = strlen(tmp); + if (len < 2) + return -EINVAL; + + if (tmp[len-1] == ')') + tmp[len-1] = '\0'; + + if (sscanf(tmp, "rfc4309(%" MAX_CAPI_LEN_STR "s", capi) == 1) { + if (!(*org_i = strdup("aead"))) + return -ENOMEM; + } else if (sscanf(tmp, "rfc7539(%" MAX_CAPI_LEN_STR "[^,],%" MAX_CAPI_ONE_LEN_STR "s", capi, auth) == 2) { + if (!(*org_i = strdup(auth))) + return -ENOMEM; + } else if (sscanf(tmp, "authenc(%" MAX_CAPI_ONE_LEN_STR "[^,],%" MAX_CAPI_LEN_STR "s", auth, capi) == 2) { + if (!(*org_i = strdup(auth))) + return -ENOMEM; + } else { + if (i_dm) { + if (!(*org_i = strdup(i_dm))) + return -ENOMEM; + } else + *org_i = NULL; + memset(capi, 0, sizeof(capi)); + strncpy(capi, tmp, sizeof(capi)-1); + } + + i = sscanf(capi, "%" MAX_CAPI_ONE_LEN_STR "[^(](%" MAX_CAPI_ONE_LEN_STR "[^)])", mode, cipher); + if (i == 2) + i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv); + else + i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv); + if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) { + free(*org_i); + *org_i = NULL; + return -EINVAL; + } + + if (!(*org_c = strdup(dmcrypt_tmp))) { + free(*org_i); + *org_i = NULL; + return -ENOMEM; + } + + return 0; +} diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h index e7af57c..92e0705 100644 --- a/lib/utils_crypt.h +++ b/lib/utils_crypt.h 
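Review bot: In `crypt_log_hex`, `crypt_logf(cd, CRYPT_LOG_NORMAL, wrapsep);` passes a caller-supplied string as the format argument, so any `%` in `wrapsep` would be read as a conversion; `crypt_logf(cd, CRYPT_LOG_NORMAL, "%s", wrapsep);` avoids that. In the same hunk `crypt_bytes_to_hex` computes `size * 2 + 1` with no overflow check, and both new functions count with `unsigned i` against a `size_t size`. A guard such as `if (size > (SIZE_MAX - 1) / 2) return NULL;` and a `size_t` counter would close that. `crypt_capi_to_cipher` also compares only four characters in `strncmp(c_dm, "capi:", 4)`, so the colon is never checked there; the length was presumably meant to be 5.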
@@ -2,8 +2,8 @@ * utils_crypt - cipher utilities for cryptsetup * * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,9 +25,14 @@ #include <stdbool.h> -#define MAX_CIPHER_LEN 32 -#define MAX_CIPHER_LEN_STR "31" -#define MAX_KEYFILES 32 +struct crypt_device; + +#define MAX_CIPHER_LEN 32 +#define MAX_CIPHER_LEN_STR "31" +#define MAX_KEYFILES 32 +#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN +#define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */ +#define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, char *cipher_mode); @@ -37,7 +42,13 @@ int crypt_parse_integrity_mode(const char *s, char *integrity, int crypt_parse_pbkdf(const char *s, const char **pbkdf); ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc); +char *crypt_bytes_to_hex(size_t size, const char *bytes); +void crypt_log_hex(struct crypt_device *cd, + const char *bytes, size_t size, + const char *sep, int numwrap, const char *wrapsep); bool crypt_is_cipher_null(const char *cipher_spec); +int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm); + #endif /* _UTILS_CRYPT_H */ diff --git a/lib/utils_device.c b/lib/utils_device.c index 8bb8599..d80ea62 100644 --- a/lib/utils_device.c +++ b/lib/utils_device.c 
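Review bot: `#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN` expands without parentheses, so it works as an array size but an expression such as `n / MAX_CAPI_ONE_LEN` or `n % MAX_CAPI_ONE_LEN` would not group as intended. `#define MAX_CAPI_ONE_LEN (2 * MAX_CIPHER_LEN)` is the safer form. The comment on `MAX_CAPI_ONE_LEN_STR` could also say outright that "63" must equal `MAX_CAPI_ONE_LEN - 1`, since the sscanf widths in `crypt_capi_to_cipher` depend on it.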
@@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,7 +21,6 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <assert.h> #include <string.h> #include <stdlib.h> #include <errno.h> @@ -351,7 +350,7 @@ int device_open_excl(struct crypt_device *cd, struct device *device, int flags) else { /* open(2) with O_EXCL (w/o O_CREAT) on regular file is undefined behaviour according to man page */ /* coverity[toctou] */ - device->dev_fd_excl = open(path, O_RDONLY | O_EXCL); + device->dev_fd_excl = open(path, O_RDONLY | O_EXCL); /* lgtm[cpp/toctou-race-condition] */ if (device->dev_fd_excl < 0) return errno == EBUSY ? -EBUSY : device->dev_fd_excl; if (fstat(device->dev_fd_excl, &st) || !S_ISBLK(st.st_mode)) { @@ -623,7 +622,10 @@ size_t device_optimal_encryption_sector_size(struct crypt_device *cd, struct dev phys_block_size = device_block_phys_size_fd(fd); close(fd); - if (device->block_size >= phys_block_size || phys_block_size <= SECTOR_SIZE || phys_block_size > MAX_SECTOR_SIZE || MISALIGNED(phys_block_size, device->block_size)) + if (device->block_size >= phys_block_size || + phys_block_size <= SECTOR_SIZE || + phys_block_size > MAX_SECTOR_SIZE || + MISALIGNED(phys_block_size, device->block_size)) return device->block_size; return phys_block_size; diff --git a/lib/utils_device_locking.c b/lib/utils_device_locking.c index 6505ccc..e18ea77 100644 --- a/lib/utils_device_locking.c +++ b/lib/utils_device_locking.c 
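Review bot: The new `/* lgtm[cpp/toctou-race-condition] */` marker on the `open(path, O_RDONLY | O_EXCL)` line silences the analyzer without recording why the finding is acceptable. The context lines show the reason, since the following `fstat(device->dev_fd_excl, &st)` checks `S_ISBLK` on the opened descriptor rather than on the path, and a comment such as `/* file type is re-validated by fstat() on the fd below */` would record it. The same marker is added to the two `unlink(res)` calls in `release_lock_handle` (lib/utils_device_locking.c, later in this diff). There both the `stat(res, &buf_b)` check and the unlink go through the path, so the comment should state what keeps the file from being replaced in between, presumably the held lock, which needs confirming. `device_open_excl` starts and ends outside the hunk.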
@@ -1,8 +1,8 @@ /* * Metadata on-disk locking for processes serialization * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -32,7 +32,6 @@ # include <sys/sysmacros.h> /* for major, minor */ #endif #include <libgen.h> -#include <assert.h> #include "internal.h" #include "utils_device_locking.h" @@ -106,7 +105,7 @@ static int open_lock_dir(struct crypt_device *cd, const char *dir, const char *b lockdfd = openat(dirfd, base, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC); if (lockdfd < 0) { if (errno == ENOENT) { - log_dbg(cd, _("Locking directory %s/%s will be created with default compiled-in permissions."), dir, base); + log_dbg(cd, "Locking directory %s/%s will be created with default compiled-in permissions.", dir, base); /* success or failure w/ errno == EEXIST either way just try to open the 'base' directory again */ if (mkdirat(dirfd, base, DEFAULT_LUKS2_LOCK_DIR_PERMS) && errno != EEXIST) @@ -229,7 +228,7 @@ static void release_lock_handle(struct crypt_device *cd, struct crypt_lock_handl !stat(res, &buf_b) && /* does path file still exist? */ same_inode(buf_a, buf_b)) { /* is it same id as the one referenced by fd? */ /* coverity[toctou] */ - if (unlink(res)) /* yes? unlink the file */ + if (unlink(res)) /* yes? unlink the file. lgtm[cpp/toctou-race-condition] */ log_dbg(cd, "Failed to unlink resource file: %s", res); } 
@@ -240,7 +239,7 @@ static void release_lock_handle(struct crypt_device *cd, struct crypt_lock_handl !stat(res, &buf_b) && /* does path file still exist? */ same_inode(buf_a, buf_b)) { /* is it same id as the one referenced by fd? */ /* coverity[toctou] */ - if (unlink(res)) /* yes? unlink the file */ + if (unlink(res)) /* yes? unlink the file. lgtm[cpp/toctou-race-condition] */ log_dbg(cd, "Failed to unlink resource file: %s", res); } diff --git a/lib/utils_device_locking.h b/lib/utils_device_locking.h index d3b55a0..b73f15d 100644 --- a/lib/utils_device_locking.h +++ b/lib/utils_device_locking.h @@ -1,8 +1,8 @@ /* * Metadata on-disk locking for processes serialization * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_devpath.c b/lib/utils_devpath.c index 7371881..dc5a5bb 100644 --- a/lib/utils_devpath.c +++ b/lib/utils_devpath.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_dm.h b/lib/utils_dm.h index 57e5eca..79212a2 100644 --- a/lib/utils_dm.h +++ b/lib/utils_dm.h 
@@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -70,13 +70,15 @@ static inline uint32_t act2dmflags(uint32_t act_flags) #define DM_BITLK_ELEPHANT_SUPPORTED (1 << 21) /* Elephant diffuser for BITLK supported */ #define DM_VERITY_SIGNATURE_SUPPORTED (1 << 22) /* Verity option root_hash_sig_key_desc supported */ #define DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */ +#define DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/ #define DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption */ #define DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt suppot for bypassing workqueues */ #define DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */ #define DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */ +#define DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */ typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_ZERO, DM_UNKNOWN } dm_target_type; -enum tdirection { TARGET_SET = 1, TARGET_QUERY }; +enum tdirection { TARGET_EMPTY = 0, TARGET_SET, TARGET_QUERY }; int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags); 
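Review bot: `DM_INTEGRITY_RESIZE_SUPPORTED` reuses bit 23 of `DM_INTEGRITY_DISCARDS_SUPPORTED`, and the only hint is the trailing comment, so a later renumbering of one define would silently split the two. Writing the alias explicitly, `#define DM_INTEGRITY_RESIZE_SUPPORTED DM_INTEGRITY_DISCARDS_SUPPORTED`, keeps them tied together. With the new `(1 << 28)` the list is also getting close to bit 31, where `1 << 31` overflows a signed int; switching the shifts to `1U <<` before the next additions would avoid that.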
@@ -94,6 +96,12 @@ int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags); #define DM_ACTIVE_INTEGRITY_PARAMS (1 << 9) +#define DM_ACTIVE_JOURNAL_CRYPT_KEY (1 << 10) +#define DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE (1 << 11) + +#define DM_ACTIVE_JOURNAL_MAC_KEY (1 << 12) +#define DM_ACTIVE_JOURNAL_MAC_KEYSIZE (1 << 13) + struct dm_target { dm_target_type type; enum tdirection direction; diff --git a/lib/utils_fips.c b/lib/utils_fips.c deleted file mode 100644 index 640ff0e..0000000 --- a/lib/utils_fips.c +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - * FIPS mode utilities - * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#include <unistd.h> -#include <fcntl.h> -#include <errno.h> -#include "utils_fips.h" - -#if !ENABLE_FIPS -bool crypt_fips_mode(void) { return false; } -#else -static bool fips_checked = false; -static bool fips_mode = false; - -static bool kernel_fips_mode(void) -{ - int fd; - char buf[1] = ""; - - if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) { - while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); - close(fd); - } - - return (buf[0] == '1'); -} - -bool crypt_fips_mode(void) -{ - if (fips_checked) - return fips_mode; - - fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK); - fips_checked = true; - - return fips_mode; -} -#endif /* ENABLE_FIPS */ diff --git a/lib/utils_fips.h b/lib/utils_fips.h deleted file mode 100644 index 13cfc9f..0000000 --- a/lib/utils_fips.h +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * FIPS mode utilities - * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#ifndef _UTILS_FIPS_H -#define _UTILS_FIPS_H - -#include <stdbool.h> - -bool crypt_fips_mode(void); - -#endif /* _UTILS_FIPS_H */ diff --git a/lib/utils_io.c b/lib/utils_io.c index 882f4b5..a5bc501 100644 --- a/lib/utils_io.c +++ b/lib/utils_io.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -29,6 +29,7 @@ #include "utils_io.h" +/* coverity[ -taint_source : arg-1 ] */ static ssize_t _read_buffer(int fd, void *buf, size_t length, volatile int *quit) { size_t read_size = 0; diff --git a/lib/utils_io.h b/lib/utils_io.h index 7251b16..f8b3f00 100644 --- a/lib/utils_io.h +++ b/lib/utils_io.h 
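Review bot: The added `/* coverity[ -taint_source : arg-1 ] */` above `_read_buffer` changes how the analyzer treats the buffer this helper fills, but the comment gives no reason. Since the function reads from a file descriptor, the annotation appears to switch off taint tracking for everything read through it, so callers that parse on-disk data would lose that coverage. A sentence naming the false positives that motivated it, and where the data is validated instead, would make the suppression reviewable. `_read_buffer` continues outside the hunk.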
@@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_keyring.c b/lib/utils_keyring.c index e8e337b..a0c4db1 100644 --- a/lib/utils_keyring.c +++ b/lib/utils_keyring.c @@ -1,8 +1,8 @@ /* * kernel keyring utilities * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -163,7 +163,7 @@ int keyring_get_passphrase(const char *key_desc, ret = keyctl_read(kid, NULL, 0); if (ret > 0) { len = ret; - buf = malloc(len); + buf = crypt_safe_alloc(len); if (!buf) return -ENOMEM; @@ -173,9 +173,7 @@ int keyring_get_passphrase(const char *key_desc, if (ret < 0) { err = errno; - if (buf) - crypt_safe_memzero(buf, len); - free(buf); + crypt_safe_free(buf); return -err; } diff --git a/lib/utils_keyring.h b/lib/utils_keyring.h index 10818e0..0248862 100644 --- a/lib/utils_keyring.h +++ b/lib/utils_keyring.h @@ -1,8 +1,8 @@ /* * kernel keyring syscall wrappers * - * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_loop.c b/lib/utils_loop.c index 9d4d94c..9b31603 100644 
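Review bot: With `buf = crypt_safe_alloc(len)` in `keyring_get_passphrase`, the buffer pointer is no longer the start of a malloc block, so every release path has to use `crypt_safe_free`. The error path in the second hunk does, but the function continues outside both hunks, and if `buf` is handed back to the caller then each caller must be switched from `free()` as well. A line in the function's header comment, e.g. `/* returned passphrase must be released with crypt_safe_free() */`, would make that contract explicit.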
--- a/lib/utils_loop.c +++ b/lib/utils_loop.c @@ -1,8 +1,8 @@ /* * loopback block device utilities * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -67,7 +67,7 @@ struct loop_config { static char *crypt_loop_get_device_old(void) { - char dev[20]; + char dev[64]; int i, loop_fd; struct loop_info64 lo64 = {0}; diff --git a/lib/utils_loop.h b/lib/utils_loop.h index b3f87bd..c1f6356 100644 --- a/lib/utils_loop.h +++ b/lib/utils_loop.h @@ -1,8 +1,8 @@ /* * loopback block device utilities * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c index 72e3482..4d7e18d 100644 --- a/lib/utils_pbkdf.c +++ b/lib/utils_pbkdf.c @@ -1,8 +1,8 @@ /* * utils_pbkdf - PBKDF settings for libcryptsetup * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_safe_memory.c b/lib/utils_safe_memory.c index 6137006..b161369 100644 --- a/lib/utils_safe_memory.c +++ b/lib/utils_safe_memory.c 
@@ -1,8 +1,8 @@ /* * utils_safe_memory - safe memory helpers * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -20,13 +20,17 @@ */ #include <stdlib.h> +#include <stdbool.h> #include <string.h> +#include <sys/mman.h> #include "libcryptsetup.h" struct safe_allocation { - size_t size; - char data[0]; + size_t size; + bool locked; + char data[0] __attribute__((aligned(8))); }; +#define OVERHEAD offsetof(struct safe_allocation, data) /* * Replacement for memset(s, 0, n) on stack that can be optimized out @@ -34,6 +38,9 @@ struct safe_allocation { */ void crypt_safe_memzero(void *data, size_t size) { + if (!data) + return; + #ifdef HAVE_EXPLICIT_BZERO explicit_bzero(data, size); #else @@ -49,15 +56,19 @@ void *crypt_safe_alloc(size_t size) { struct safe_allocation *alloc; - if (!size || size > (SIZE_MAX - offsetof(struct safe_allocation, data))) + if (!size || size > (SIZE_MAX - OVERHEAD)) return NULL; - alloc = malloc(size + offsetof(struct safe_allocation, data)); + alloc = malloc(size + OVERHEAD); if (!alloc) return NULL; + crypt_safe_memzero(alloc, size + OVERHEAD); alloc->size = size; - crypt_safe_memzero(&alloc->data, size); + + /* Ignore failure if it is over limit. */ + if (!mlock(alloc, size + OVERHEAD)) + alloc->locked = true; /* coverity[leaked_storage] */ return &alloc->data; 
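Review bot: `mlock(alloc, size + OVERHEAD)` in `crypt_safe_alloc` and the matching `munlock(alloc, alloc->size + OVERHEAD)` added to `crypt_safe_free` in the next hunk operate on whole pages, and page locks do not nest. Two small safe allocations that malloc places on the same page therefore share one lock, and freeing the first unlocks the page while the second may still hold key material. The failure path is also wider than its comment says: `/* Ignore failure if it is over limit. */` ignores every `mlock` error, not only the resource-limit case. If page-aligned allocation is not wanted here, a comment such as `/* best effort: mlock is page-granular and does not nest, a later munlock may unlock neighbouring allocations */` would at least document the limit.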
@@ -67,15 +78,21 @@ void crypt_safe_free(void *data) { struct safe_allocation *alloc; volatile size_t *s; + void *p; if (!data) return; - alloc = (struct safe_allocation *) - ((char *)data - offsetof(struct safe_allocation, data)); + p = (char *)data - OVERHEAD; + alloc = (struct safe_allocation *)p; crypt_safe_memzero(data, alloc->size); + if (alloc->locked) { + munlock(alloc, alloc->size + OVERHEAD); + alloc->locked = false; + } + s = (volatile size_t *)&alloc->size; *s = 0x55aa55aa; free(alloc); @@ -85,13 +102,14 @@ void *crypt_safe_realloc(void *data, size_t size) { struct safe_allocation *alloc; void *new_data; + void *p; new_data = crypt_safe_alloc(size); if (new_data && data) { - alloc = (struct safe_allocation *) - ((char *)data - offsetof(struct safe_allocation, data)); + p = (char *)data - OVERHEAD; + alloc = (struct safe_allocation *)p; if (size > alloc->size) size = alloc->size; diff --git a/lib/utils_storage_wrappers.c b/lib/utils_storage_wrappers.c index 80d275b..6ff5afa 100644 --- a/lib/utils_storage_wrappers.c +++ b/lib/utils_storage_wrappers.c @@ -2,7 +2,7 @@ * Generic wrapper for storage functions * (experimental only) * - * Copyright (C) 2018-2021, Ondrej Kozina + * Copyright (C) 2018-2023 Ondrej Kozina * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils_storage_wrappers.h b/lib/utils_storage_wrappers.h index ec55ec2..f7781e8 100644 --- a/lib/utils_storage_wrappers.h +++ b/lib/utils_storage_wrappers.h @@ -2,7 +2,7 @@ * Generic wrapper for storage functions * (experimental only) * - * Copyright (C) 2018-2021, Ondrej Kozina + * Copyright (C) 2018-2023 Ondrej Kozina * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c index b148a8a..1df46c1 100644 --- a/lib/utils_wipe.c +++ b/lib/utils_wipe.c 
@@ -2,8 +2,8 @@ * utils_wipe - wipe a device * * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -22,8 +22,36 @@ #include <stdlib.h> #include <errno.h> +#include <sys/ioctl.h> +#include <sys/stat.h> +#include <linux/fs.h> #include "internal.h" +/* block device zeroout ioctls, introduced in Linux kernel 3.7 */ +#ifndef BLKZEROOUT +#define BLKZEROOUT _IO(0x12,127) +#endif + +static int wipe_zeroout(struct crypt_device *cd, int devfd, + uint64_t offset, uint64_t length) +{ + static bool zeroout_available = true; + uint64_t range[2] = { offset, length }; + int r; + + if (!zeroout_available) + return -ENOTSUP; + + r = ioctl(devfd, BLKZEROOUT, &range); + if (r < 0) { + log_dbg(cd, "BLKZEROOUT ioctl not available (error %i), disabling.", r); + zeroout_available = false; + return -ENOTSUP; + } + + return 0; +} + /* * Wipe using Peter Gutmann method described in * https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html @@ -93,7 +121,8 @@ static int crypt_wipe_special(struct crypt_device *cd, int fd, size_t bsize, static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pattern, char *sf, size_t device_block_size, size_t alignment, - size_t wipe_block_size, uint64_t offset, bool *need_block_init) + size_t wipe_block_size, uint64_t offset, bool *need_block_init, + bool blockdev) { int r; 
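Review bot: In `wipe_zeroout` the debug message prints `r`, which is always -1 after a failed `ioctl`, so the real cause is lost; `log_dbg(cd, "BLKZEROOUT ioctl not available (error %i), disabling.", errno);` would report it. Any failure, including one specific to this device or range, also clears the function-static `zeroout_available` for the rest of the process and for every other device, and the flag is written without synchronisation. Disabling permanently only for errors that mean the ioctl is unsupported (such as `ENOTTY` or `EOPNOTSUPP`), and falling back for the current call otherwise, would be more precise.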
@@ -106,12 +135,8 @@ static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pat memset(sf, 0, wipe_block_size); *need_block_init = false; r = 0; - } else if (pattern == CRYPT_WIPE_RANDOM) { - r = crypt_random_get(cd, sf, wipe_block_size, - CRYPT_RND_NORMAL) ? -EIO : 0; - *need_block_init = true; - } else if (pattern == CRYPT_WIPE_ENCRYPTED_ZERO) { - // FIXME + } else if (pattern == CRYPT_WIPE_RANDOM || + pattern == CRYPT_WIPE_ENCRYPTED_ZERO) { r = crypt_random_get(cd, sf, wipe_block_size, CRYPT_RND_NORMAL) ? -EIO : 0; *need_block_init = true; @@ -122,6 +147,16 @@ static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pat return r; } + if (blockdev && pattern == CRYPT_WIPE_ZERO && + !wipe_zeroout(cd, devfd, offset, wipe_block_size)) { + /* zeroout ioctl does not move offset */ + if (lseek(devfd, offset + wipe_block_size, SEEK_SET) < 0) { + log_err(cd, _("Cannot seek to device offset.")); + return -EINVAL; + } + return 0; + } + if (write_blockwise(devfd, device_block_size, alignment, sf, wipe_block_size) == (ssize_t)wipe_block_size) return 0; @@ -139,6 +174,7 @@ int crypt_wipe_device(struct crypt_device *cd, void *usrptr) { int r, devfd; + struct stat st; size_t bsize, alignment; char *sf = NULL; uint64_t dev_size; @@ -163,6 +199,11 @@ int crypt_wipe_device(struct crypt_device *cd, if (devfd < 0) return errno ? -errno : -EINVAL; + if (fstat(devfd, &st) < 0) { + r = -EINVAL; + goto out; + } + if (length) dev_size = offset + length; else { @@ -180,7 +221,7 @@ int crypt_wipe_device(struct crypt_device *cd, if (r) goto out; - if (lseek64(devfd, offset, SEEK_SET) < 0) { + if (lseek(devfd, offset, SEEK_SET) < 0) { log_err(cd, _("Cannot seek to device offset.")); r = -EINVAL; goto out; 
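Review bot: Folding `CRYPT_WIPE_ENCRYPTED_ZERO` into the `CRYPT_WIPE_RANDOM` branch drops the `// FIXME` that marked the pattern as not separately implemented, so the code now reads as if the two patterns were meant to be identical. A comment on the merged condition, e.g. `/* ENCRYPTED_ZERO is not implemented separately; random data is written instead */`, would keep that visible. The new zeroout path would also benefit from a comment saying that `BLKZEROOUT` is attempted per `wipe_block_size` chunk and that any failure falls through to `write_blockwise`. `wipe_block` and `crypt_wipe_device` start and end outside these hunks.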
@@ -200,10 +241,8 @@ int crypt_wipe_device(struct crypt_device *cd, if ((offset + wipe_block_size) > dev_size) wipe_block_size = dev_size - offset; - //log_dbg("Wipe %012" PRIu64 "-%012" PRIu64 " bytes", offset, offset + wipe_block_size); - r = wipe_block(cd, devfd, pattern, sf, bsize, alignment, - wipe_block_size, offset, &need_block_init); + wipe_block_size, offset, &need_block_init, S_ISBLK(st.st_mode)); if (r) { log_err(cd,_("Device wipe error, offset %" PRIu64 "."), offset); break; @@ -239,6 +278,10 @@ int crypt_wipe(struct crypt_device *cd, if (!cd) return -EINVAL; + r = init_crypto(cd); + if (r < 0) + return r; + if (!dev_path) device = crypt_data_device(cd); else { @@ -249,6 +292,8 @@ int crypt_wipe(struct crypt_device *cd, if (flags & CRYPT_WIPE_NO_DIRECT_IO) device_disable_direct_io(device); } + if (!device) + return -EINVAL; if (!wipe_block_size) wipe_block_size = 1024*1024; diff --git a/lib/verity/rs.h b/lib/verity/rs.h index d44a230..7638924 100644 --- a/lib/verity/rs.h +++ b/lib/verity/rs.h @@ -3,7 +3,7 @@ * * Copyright (C) 2004 Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/rs_decode_char.c b/lib/verity/rs_decode_char.c index c6c9aa9..4473202 100644 --- a/lib/verity/rs_decode_char.c +++ b/lib/verity/rs_decode_char.c @@ -3,7 +3,7 @@ * * Copyright (C) 2002, Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/rs_encode_char.c b/lib/verity/rs_encode_char.c index cab6ae2..55b502a 100644 --- a/lib/verity/rs_encode_char.c 
+++ b/lib/verity/rs_encode_char.c @@ -3,7 +3,7 @@ * * Copyright (C) 2002, Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/verity.c b/lib/verity/verity.c index d1771b8..0d7a8f5 100644 --- a/lib/verity/verity.c +++ b/lib/verity/verity.c @@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -87,8 +87,7 @@ int VERITY_read_sb(struct crypt_device *cd, return -EIO; if (memcmp(sb.signature, VERITY_SIGNATURE, sizeof(sb.signature))) { - log_err(cd, _("Device %s is not a valid VERITY device."), - device_path(device)); + log_dbg(cd, "No VERITY signature detected."); return -EINVAL; } @@ -112,6 +111,10 @@ int VERITY_read_sb(struct crypt_device *cd, } params->data_size = le64_to_cpu(sb.data_blocks); + /* Update block size to be used for loop devices */ + device_set_block_size(crypt_metadata_device(cd), params->hash_block_size); + device_set_block_size(crypt_data_device(cd), params->data_block_size); + params->hash_name = strndup((const char*)sb.algorithm, sizeof(sb.algorithm)); if (!params->hash_name) return -ENOMEM; @@ -236,7 +239,7 @@ uint64_t VERITY_hash_offset_block(struct crypt_params_verity *params) return hash_offset / params->hash_block_size; } -int VERITY_UUID_generate(struct crypt_device *cd __attribute__((unused)), char **uuid_string) +int VERITY_UUID_generate(char **uuid_string) { uuid_t uuid; 
@@ -351,3 +354,63 @@ out: dm_targets_free(cd, &dmd); return r; } + +int VERITY_dump(struct crypt_device *cd, + struct crypt_params_verity *verity_hdr, + const char *root_hash, + unsigned int root_hash_size, + struct device *fec_device) +{ + uint64_t hash_blocks, verity_blocks, fec_blocks = 0, rs_blocks = 0; + bool fec_on_hash_device = false; + + hash_blocks = VERITY_hash_blocks(cd, verity_hdr); + verity_blocks = VERITY_hash_offset_block(verity_hdr) + hash_blocks; + + if (fec_device && verity_hdr->fec_roots) { + fec_blocks = VERITY_FEC_blocks(cd, fec_device, verity_hdr); + rs_blocks = VERITY_FEC_RS_blocks(fec_blocks, verity_hdr->fec_roots); + fec_on_hash_device = device_is_identical(crypt_metadata_device(cd), fec_device) > 0; + /* + * No way to access fec_area_offset directly. + * Assume FEC area starts directly after hash blocks. + */ + if (fec_on_hash_device) + verity_blocks += rs_blocks; + } + + log_std(cd, "VERITY header information for %s\n", device_path(crypt_metadata_device(cd))); + log_std(cd, "UUID: \t%s\n", crypt_get_uuid(cd) ?: ""); + log_std(cd, "Hash type: \t%u\n", verity_hdr->hash_type); + log_std(cd, "Data blocks: \t%" PRIu64 "\n", verity_hdr->data_size); + log_std(cd, "Data block size: \t%u\n", verity_hdr->data_block_size); + log_std(cd, "Hash blocks: \t%" PRIu64 "\n", hash_blocks); + log_std(cd, "Hash block size: \t%u\n", verity_hdr->hash_block_size); + log_std(cd, "Hash algorithm: \t%s\n", verity_hdr->hash_name); + if (fec_device && fec_blocks) { + log_std(cd, "FEC RS roots: \t%" PRIu32 "\n", verity_hdr->fec_roots); + log_std(cd, "FEC blocks: \t%" PRIu64 "\n", rs_blocks); + } + + log_std(cd, "Salt: \t"); + if (verity_hdr->salt_size) + crypt_log_hex(cd, verity_hdr->salt, verity_hdr->salt_size, "", 0, NULL); + else + log_std(cd, "-"); + log_std(cd, "\n"); + + if (root_hash) { + log_std(cd, "Root hash: \t"); + crypt_log_hex(cd, root_hash, root_hash_size, "", 0, NULL); + log_std(cd, "\n"); + } + + /* As dump can take only hash device, we have no idea 
about offsets here. */ + if (verity_hdr->hash_area_offset == 0) + log_std(cd, "Hash device size: \t%" PRIu64 " [bytes]\n", verity_blocks * verity_hdr->hash_block_size); + + if (fec_device && verity_hdr->fec_area_offset == 0 && fec_blocks && !fec_on_hash_device) + log_std(cd, "FEC device size: \t%" PRIu64 " [bytes]\n", rs_blocks * verity_hdr->data_block_size); + + return 0; +} diff --git a/lib/verity/verity.h b/lib/verity/verity.h index 2269649..afc411e 100644 --- a/lib/verity/verity.h +++ b/lib/verity/verity.h @@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -74,7 +74,14 @@ uint64_t VERITY_hash_blocks(struct crypt_device *cd, struct crypt_params_verity uint64_t VERITY_FEC_blocks(struct crypt_device *cd, struct device *fec_device, struct crypt_params_verity *params); +uint64_t VERITY_FEC_RS_blocks(uint64_t blocks, uint32_t roots); -int VERITY_UUID_generate(struct crypt_device *cd, char **uuid_string); +int VERITY_UUID_generate(char **uuid_string); + +int VERITY_dump(struct crypt_device *cd, + struct crypt_params_verity *verity_hdr, + const char *root_hash, + unsigned int root_hash_size, + struct device *fec_device); #endif diff --git a/lib/verity/verity_fec.c b/lib/verity/verity_fec.c index 8ffbca0..2dbf59e 100644 --- a/lib/verity/verity_fec.c +++ b/lib/verity/verity_fec.c @@ -2,7 +2,7 @@ * dm-verity Forward Error Correction (FEC) support * * Copyright (C) 2015 Google, Inc. All rights reserved. - * Copyright (C) 2017-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
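Review bot: The two size lines at the end of VERITY_dump multiply a block count by a block size in uint64_t with no overflow check, so a header carrying an implausibly large `data_size` could print a wrapped "Hash device size" or "FEC device size" instead of failing. The counts come from VERITY_hash_blocks() and VERITY_FEC_blocks(), whose bounds are not visible in this hunk, so this may already be excluded upstream. If it is not, a guard such as `if (verity_blocks > UINT64_MAX / verity_hdr->hash_block_size) return -EINVAL;` before the print would make the dump refuse rather than mislead (hash_block_size is already used as a divisor in VERITY_hash_offset_block, so it is assumed non-zero here). Separately, `verity_hdr->hash_name` is passed to `%s` without the `?: ""` fallback that the UUID line uses.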
@@ -202,6 +202,22 @@ out: return r; } +static int VERITY_FEC_validate(struct crypt_device *cd, struct crypt_params_verity *params) +{ + if (params->data_block_size != params->hash_block_size) { + log_err(cd, _("Block sizes must match for FEC.")); + return -EINVAL; + } + + if (params->fec_roots > FEC_RSM - FEC_MIN_RSN || + params->fec_roots < FEC_RSM - FEC_MAX_RSN) { + log_err(cd, _("Invalid number of parity bytes.")); + return -EINVAL; + } + + return 0; +} + int VERITY_FEC_process(struct crypt_device *cd, struct crypt_params_verity *params, struct device *fec_device, int check_fec, @@ -224,16 +240,9 @@ int VERITY_FEC_process(struct crypt_device *cd, }; /* validate parameters */ - if (params->data_block_size != params->hash_block_size) { - log_err(cd, _("Block sizes must match for FEC.")); - return -EINVAL; - } - - if (params->fec_roots > FEC_RSM - FEC_MIN_RSN || - params->fec_roots < FEC_RSM - FEC_MAX_RSN) { - log_err(cd, _("Invalid number of parity bytes.")); - return -EINVAL; - } + r = VERITY_FEC_validate(cd, params); + if (r < 0) + return r; if (!inputs[0].count) { log_err(cd, _("Invalid FEC segment length.")); @@ -281,12 +290,16 @@ out: return r; } +/* All blocks that are covered by FEC */ uint64_t VERITY_FEC_blocks(struct crypt_device *cd, struct device *fec_device, struct crypt_params_verity *params) { uint64_t blocks = 0; + if (!fec_device || VERITY_FEC_validate(cd, params) < 0) + return 0; + /* * FEC covers this data: * | protected data | hash area | padding (optional foreign metadata) | @@ -315,3 +328,9 @@ uint64_t VERITY_FEC_blocks(struct crypt_device *cd, return blocks; } + +/* Blocks needed to store FEC data, blocks must be validated/calculated by VERITY_FEC_blocks() */ +uint64_t VERITY_FEC_RS_blocks(uint64_t blocks, uint32_t roots) +{ + return FEC_div_round_up(blocks, FEC_RSM - roots) * roots; +} diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c index 36d5bdb..f33b737 100644 --- a/lib/verity/verity_hash.c +++ b/lib/verity/verity_hash.c 
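Review bot: VERITY_FEC_RS_blocks() divides by `FEC_RSM - roots` without checking `roots`, so `roots == FEC_RSM` gives a zero divisor (assuming FEC_div_round_up is a plain division) and any larger value wraps the unsigned subtraction. The comment asks callers to validate `blocks` through VERITY_FEC_blocks(), but that function only returns 0 when VERITY_FEC_validate() fails. VERITY_dump in lib/verity/verity.c then still calls VERITY_FEC_RS_blocks() with the unvalidated `fec_roots`. An early `if (!blocks || roots >= FEC_RSM) return 0;` at the top of the function would make it safe regardless of the caller.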
@@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -214,7 +214,7 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr, r = -EIO; goto out; } - if (memcmp(read_digest, calculated_digest, digest_size)) { + if (crypt_backend_memeq(read_digest, calculated_digest, digest_size)) { log_err(cd, _("Verification failed at position %" PRIu64 "."), ftello(rd) - data_block_size); r = -EPERM; @@ -380,7 +380,7 @@ out: log_err(cd, _("Verification of data area failed.")); else { log_dbg(cd, "Verification of data area succeeded."); - r = memcmp(root_hash, calculated_digest, digest_size) ? -EFAULT : 0; + r = crypt_backend_memeq(root_hash, calculated_digest, digest_size) ? -EFAULT : 0; if (r) log_err(cd, _("Verification of root hash failed.")); else diff --git a/lib/volumekey.c b/lib/volumekey.c index fafaec6..00791ac 100644 --- a/lib/volumekey.c +++ b/lib/volumekey.c @@ -2,7 +2,7 @@ * cryptsetup volume key implementation * * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 0000000..bd753b3 --- /dev/null +++ b/m4/ax_check_compile_flag.m4 
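Review bot: Both call sites keep memcmp()'s polarity, where a non-zero result from `crypt_backend_memeq()` means mismatch, while the helper's name reads as "true when equal". A mismatch leads to -EPERM in create_or_verify and to -EFAULT in the root-hash check of the second hunk. The helper's definition is not part of this chunk, so I would confirm that it returns 0 on match; an inverted convention would make verification accept mismatched digests. A short comment at the first use, e.g. `/* constant-time compare; returns 0 when the digests match, like memcmp() */`, would keep a later reader from flipping the test. create_or_verify continues outside the hunk.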
@@ -0,0 +1,53 @@
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the current language's compiler
+# or gives an error. (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# INPUT gives an alternative input source to AC_COMPILE_IFELSE.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+ AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
diff --git a/man/Makemodule.am b/man/Makemodule.am
index f441961..41e21da 100644
--- a/man/Makemodule.am
+++ b/man/Makemodule.am
@@ -1,20 +1,145 @@ -EXTRA_DIST += man/cryptsetup.8 man/integritysetup.8 man/veritysetup.8 man/cryptsetup-reencrypt.8 +ADOCFILES_COMMON = \ + man/common_options.adoc \ + man/common_footer.adoc -man8_MANS += man/cryptsetup.8 +ADOCFILES = $(ADOCFILES_COMMON) \ + man/cryptsetup.8.adoc \ + man/cryptsetup-open.8.adoc \ + man/cryptsetup-close.8.adoc \ + man/cryptsetup-reencrypt.8.adoc \ + man/cryptsetup-status.8.adoc \ + man/cryptsetup-resize.8.adoc \ + man/cryptsetup-refresh.8.adoc \ + man/cryptsetup-luksFormat.8.adoc \ + man/cryptsetup-luksSuspend.8.adoc \ + man/cryptsetup-luksResume.8.adoc \ + man/cryptsetup-luksAddKey.8.adoc \ + man/cryptsetup-luksRemoveKey.8.adoc \ + man/cryptsetup-luksConvertKey.8.adoc \ + man/cryptsetup-luksKillSlot.8.adoc \ + man/cryptsetup-luksChangeKey.8.adoc \ + man/cryptsetup-erase.8.adoc \ + man/cryptsetup-luksUUID.8.adoc \ + man/cryptsetup-isLuks.8.adoc \ + man/cryptsetup-luksDump.8.adoc \ + man/cryptsetup-luksHeaderBackup.8.adoc \ + man/cryptsetup-luksHeaderRestore.8.adoc \ + man/cryptsetup-token.8.adoc \ + man/cryptsetup-convert.8.adoc \ + man/cryptsetup-config.8.adoc \ + man/cryptsetup-tcryptDump.8.adoc \ + man/cryptsetup-bitlkDump.8.adoc \ + man/cryptsetup-fvault2Dump.8.adoc \ + man/cryptsetup-repair.8.adoc \ + man/cryptsetup-benchmark.8.adoc \ + man/cryptsetup-ssh.8.adoc \ + man/veritysetup.8.adoc \ + man/integritysetup.8.adoc +dist_noinst_DATA += $(ADOCFILES) + +CRYPTSETUP_MANPAGES = \ + man/cryptsetup.8 \ + man/cryptsetup-open.8 \ + man/cryptsetup-close.8 \ + man/cryptsetup-reencrypt.8 \ + man/cryptsetup-status.8 \ + man/cryptsetup-resize.8 \ + man/cryptsetup-refresh.8 \ + man/cryptsetup-luksFormat.8 \ + man/cryptsetup-luksSuspend.8 \ + man/cryptsetup-luksResume.8 \ + man/cryptsetup-luksAddKey.8 \ + man/cryptsetup-luksRemoveKey.8 \ + man/cryptsetup-luksConvertKey.8 \ + man/cryptsetup-luksKillSlot.8 \ + man/cryptsetup-luksChangeKey.8 \ + man/cryptsetup-erase.8 \ + man/cryptsetup-luksUUID.8 \ + man/cryptsetup-isLuks.8 \ + 
man/cryptsetup-luksDump.8 \ + man/cryptsetup-luksHeaderBackup.8 \ + man/cryptsetup-luksHeaderRestore.8 \ + man/cryptsetup-token.8 \ + man/cryptsetup-convert.8 \ + man/cryptsetup-config.8 \ + man/cryptsetup-tcryptDump.8 \ + man/cryptsetup-bitlkDump.8 \ + man/cryptsetup-fvault2Dump.8 \ + man/cryptsetup-repair.8 \ + man/cryptsetup-benchmark.8 + +CRYPTSETUP_MANLINKS = \ + man/cryptsetup-create.8 \ + man/cryptsetup-plainOpen.8 \ + man/cryptsetup-luksOpen.8 \ + man/cryptsetup-loopaesOpen.8 \ + man/cryptsetup-tcryptOpen.8 \ + man/cryptsetup-bitlkOpen.8 \ + man/cryptsetup-fvault2Open.8 \ + man/cryptsetup-luksErase.8 + +VERITYSETUP_MANPAGES = man/veritysetup.8 +INTEGRITYSETUP_MANPAGES = man/integritysetup.8 +SSHPLUGIN_MANPAGES = man/cryptsetup-ssh.8 + +MANPAGES_ALL = \ + $(CRYPTSETUP_MANPAGES) \ + $(CRYPTSETUP_MANLINKS) \ + $(VERITYSETUP_MANPAGES) \ + $(INTEGRITYSETUP_MANPAGES) \ + $(SSHPLUGIN_MANPAGES) + +MANPAGES = +MANLINKS = + +if CRYPTSETUP +MANPAGES += $(CRYPTSETUP_MANPAGES) +MANLINKS += $(CRYPTSETUP_MANLINKS) +endif if VERITYSETUP -man8_MANS += man/veritysetup.8 +MANPAGES += $(VERITYSETUP_MANPAGES) endif - -if REENCRYPT -man8_MANS += man/cryptsetup-reencrypt.8 -endif - if INTEGRITYSETUP -man8_MANS += man/integritysetup.8 +MANPAGES += $(INTEGRITYSETUP_MANPAGES) +endif +if SSHPLUGIN_TOKEN +MANPAGES += $(SSHPLUGIN_MANPAGES) endif -if SSHPLUGIN_TOKEN -EXTRA_DIST += man/cryptsetup-ssh.8 -man8_MANS += man/cryptsetup-ssh.8 +if ENABLE_ASCIIDOC +EXTRA_DIST += $(MANPAGES_ALL) +man8_MANS += $(MANPAGES) $(MANLINKS) + +$(MANPAGES): $(ADOCFILES_COMMON) + +SUFFIXES = .8.adoc .8 +.8.adoc.8: + $(AM_V_GEN) $(ASCIIDOCTOR) -b manpage \ + -a 'release-version=$(VERSION)' \ + --base-dir=$(abs_srcdir) \ + --destination-dir $(abs_builddir)/man $< + +$(MANLINKS): $(MANPAGES) +gen-man: $(man8_MANS) + +gen-man-dist: + @list=`find -name *.adoc -not -path "*/man/common_*" | sed -e 's/\.adoc//g'`; \ + missing=`for p in $$list; do test -f $$p || echo $$p; done`; \ + if test -n "$$missing"; then \ + 
$(MAKE) $(AM_MAKEFLAGS) $$missing; \
+ fi;
+
+# !ENABLE_ASCIIDOC
+else
+
+if HAVE_MANPAGES
+EXTRA_DIST += $(MANPAGES_ALL)
+man8_MANS += $(MANPAGES) $(MANLINKS)
 endif
+
+gen-man:
+gen-man-dist:
+endif
+
+dist-hook: gen-man-dist
diff --git a/man/common_footer.adoc b/man/common_footer.adoc
new file mode 100644
index 0000000..21302eb
--- /dev/null
+++ b/man/common_footer.adoc
@@ -0,0 +1,17 @@
+
+== REPORTING BUGS
+
+Report bugs at mailto:cryptsetup@lists.linux.dev[*cryptsetup mailing list*]
+or in https://gitlab.com/cryptsetup/cryptsetup/-/issues/new[*Issues project section*].
+
+Please attach output of the failed command with --debug option added.
+
+== SEE ALSO
+
+https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[*Cryptsetup FAQ*]
+
+*cryptsetup*(8), *integritysetup*(8) and *veritysetup*(8)
+
+== CRYPTSETUP
+
+Part of https://gitlab.com/cryptsetup/cryptsetup/[*cryptsetup project*].
diff --git a/man/common_options.adoc b/man/common_options.adoc
new file mode 100644
index 0000000..56a6e29
--- /dev/null
+++ b/man/common_options.adoc
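Review bot: In the `gen-man-dist` recipe the `find` pattern `*.adoc` is unquoted and no start directory is given, so the shell expands the glob whenever an .adoc file sits in the current directory, and otherwise the search walks the whole tree rather than man/. Every name it returns is then handed to `$(MAKE)` as a target during `dist-hook`, so a stray .adoc file elsewhere in the tree becomes a build goal. Quoting the pattern and naming the directory, as in `find man -name '*.adoc' -not -path "*/man/common_*"`, keeps the list to the manpage sources, assuming they all live under man/ as ADOCFILES suggests. The `sed` expression is also safer anchored as `'s/\.adoc$$//'`, so that only the suffix is stripped.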
@@ -0,0 +1,1195 @@ +== OPTIONS + +ifdef::ACTION_REENCRYPT[] +*--block-size* _value_ *(LUKS1 only)*:: +Use re-encryption block size of _value_ in MiB. ++ +Values can be between 1 and 64 MiB. +endif::[] + +ifdef::ACTION_REENCRYPT[] +*--use-directio (LUKS1 only)*:: +Use direct-io (O_DIRECT) for all read/write data operations related +to block device undergoing reencryption. ++ +Useful if direct-io operations perform better than normal buffered +operations (e.g. in virtual environments). +endif::[] + +ifdef::ACTION_REENCRYPT[] +*--use-fsync (LUKS1 only)*:: +Use fsync call after every written block. This applies for reencryption +log files as well. +endif::[] + +ifdef::ACTION_REENCRYPT[] +*--write-log (LUKS1 only)*:: +Update log file after every block write. This can slow down reencryption +but will minimize data loss in the case of system crash. +endif::[] + +ifdef::ACTION_ISLUKS[] +*--verbose, -v*:: +Print more information on command execution. +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSKILLSLOT,ACTION_ISLUKS,ACTION_LUKSDUMP,ACTION_LUKSUUID,ACTION_CONVERT,ACTION_REPAIR,ACTION_REENCRYPT[] +*--type <device-type>*:: +ifndef::ACTION_REENCRYPT[] +Specifies required device type, for more info read _BASIC ACTIONS_ section in *cryptsetup*(8). +endif::[] +ifdef::ACTION_REENCRYPT[] +Specifies required (encryption mode) or expected (other modes) LUKS format. Accepts only _luks1_ or _luks2_. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_TCRYPTDUMP,ACTION_BENCHMARK,ACTION_REENCRYPT[] +*--hash, -h* _<hash-spec>_:: +ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[] +Specifies the passphrase hash. Applies to _plain_ and _loopaes_ device types only. ++ +For _tcrypt_ device type, it restricts checked PBKDF2 variants when looking for header. 
+endif::[] +ifdef::ACTION_LUKSFORMAT[] +Specifies the hash used in the LUKS key setup scheme and volume key +digest. +endif::[] +ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_TCRYPTDUMP[] +The specified hash is used for PBKDF2 and AF splitter. +endif::[] +ifdef::ACTION_REENCRYPT[] +*LUKS1:* +Specifies the hash used in the LUKS1 key setup scheme and volume key digest. ++ +*NOTE*: if this parameter is not specified, default hash algorithm is always used +for new LUKS1 device header. ++ +*LUKS2:* Ignored unless new keyslot pbkdf algorithm is set to PBKDF2 (see --pbkdf). +endif::[] ++ +ifdef::ACTION_LUKSFORMAT[] +The hash algorithm must provide at least 160 bits of output. +Do not use a non-crypto hash like *xxhash* as this breaks security. +Use _cryptsetup --help_ to show the defaults. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT,ACTION_TCRYPTDUMP,ACTION_BENCHMARK[] +*--cipher, -c* _<cipher-spec>_:: +ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[] +Set the cipher specification string for _plain_ device type. ++ +For _tcrypt_ device type it restricts checked cipher chains when looking for header. +endif::[] +ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_TCRYPTDUMP[] +Set the cipher specification string. +endif::[] +ifdef::ACTION_REENCRYPT[] +*LUKS2*: +Set the cipher specification string for data segment only. ++ +*LUKS1*: +Set the cipher specification string for data segment and keyslots. ++ +*NOTE*: In encrypt mode, if cipher specification is omitted the default cipher is applied. +In reencrypt mode, if no new cipher specification is requested, the existing cipher will remain +in use. Unless the existing cipher was "cipher_null". In that case default cipher would +be applied as in encrypt mode. +endif::[] +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[] ++ +_cryptsetup --help_ shows the compiled-in defaults. ++ +If a hash is part of the cipher specification, then it is used as part +of the IV generation. 
For example, ESSIV needs a hash function, while +"plain64" does not and hence none is specified. ++ +For XTS mode you can optionally set a key size of 512 bits with the -s +option. Key size for XTS mode is twice that for other modes for the same +security level. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_REPAIR,ACTION_TCRYPTDUMP,ACTION_REENCRYPT[] +*--verify-passphrase, -y*:: +When interactively asking for a passphrase, ask for it twice and +complain if both inputs do not match. +ifdef::ACTION_OPEN[] +Advised when creating a _plain_ type mapping for the first time. +endif::[] +Ignored on input from file or stdin. +endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_TCRYPTDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[] +*--key-file, -d* _name_:: +Read the passphrase from file. ++ +If the name given is "-", then the passphrase will be read from stdin. +In this case, reading will not stop at newline characters. ++ +ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY[] +The passphrase supplied via --key-file is always the passphrase for existing +keyslot requested by the command. ++ +If you want to set a new passphrase via key file, you have to use a +positional argument or parameter --new-keyfile. ++ +endif::[] +ifdef::ACTION_OPEN[] +*NOTE:* With _plain_ device type, the passphrase obtained via --key-file option is +passed directly in dm-crypt. Unlike the interactive mode (stdin) +where digest (--hash option) of the passphrase is passed in dm-crypt instead. ++ +endif::[] +ifndef::ACTION_REENCRYPT[] +See section _NOTES ON PASSPHRASE PROCESSING_ in *cryptsetup*(8) for more information. 
+endif::[] +ifdef::ACTION_REENCRYPT[] +*WARNING:* --key-file option can be used only if there is only one active keyslot, +or alternatively, also if --key-slot option is specified (then all other keyslots +will be disabled in new LUKS device). ++ +If this option is not used, cryptsetup will ask for all active keyslot +passphrases. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[] +*--keyfile-offset* _value_:: +Skip _value_ bytes at the beginning of the key file. +endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[] +*--keyfile-size, -l* _value_:: +Read a maximum of _value_ bytes from the key file. The default is to +read the whole file up to the compiled-in maximum that can be queried +with --help. Supplying more data than the compiled-in maximum aborts +the operation. ++ +This option is useful to cut trailing newlines, for example. If +--keyfile-offset is also given, the size count starts after the offset. +endif::[] + +ifdef::ACTION_LUKSADDKEY[] +*--new-keyfile* _name_:: +Read the passphrase for a new keyslot from file. ++ +If the name given is "-", then the passphrase will be read from stdin. +In this case, reading will not stop at newline characters. ++ +This is alternative method to positional argument when adding new +passphrase via kefile. +endif::[] + +ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY[] +*--new-keyfile-offset* _value_:: +Skip _value_ bytes at the start when adding a new passphrase from key +file. 
+endif::[] + +ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY[] +*--new-keyfile-size* _value_:: +Read a maximum of _value_ bytes when adding a new passphrase from key +file. The default is to read the whole file up to +the compiled-in maximum length that can be queried with --help. +Supplying more than the compiled in maximum aborts the operation. When +--new-keyfile-offset is also given, reading starts after the offset. +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_BITLKDUMP,ACTION_REENCRYPT[] +*--volume-key-file, --master-key-file (OBSOLETE alias)*:: +ifndef::ACTION_REENCRYPT[] +Use a volume key stored in a file. +endif::[] +ifdef::ACTION_FORMAT[] ++ +This allows creating a LUKS header with this specific +volume key. If the volume key was taken from an existing LUKS header and +all other parameters are the same, then the new header decrypts the data +encrypted with the header the volume key was taken from. + +endif::[] +ifdef::ACTION_LUKSDUMP,ACTION_BITLKDUMP[] +The volume key is stored in a file instead of being printed out to standard output. + +endif::[] +ifdef::ACTION_LUKSADDKEY[] +This allows adding a new keyslot without having to know passphrase to existing one. +It may be also used when no keyslot is active. ++ +endif::[] +ifdef::ACTION_OPEN[] +This allows one to open _luks_ and _bitlk_ device types without giving a passphrase. + +endif::[] +ifdef::ACTION_REENCRYPT[] +Use (set) new volume key stored in a file. + +endif::[] +ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_REENCRYPT[] +*WARNING:* If you create your own volume key, you need to make sure to +do it right. Otherwise, you can end up with a low-entropy or otherwise +partially predictable volume key which will compromise security. +endif::[] +endif::[] + +ifdef::ACTION_LUKSDUMP[] +*--dump-json-metadata*:: +For _luksDump_ (LUKS2 only) this option prints content of LUKS2 header +JSON metadata area. 
+endif::[] + +ifdef::ACTION_LUKSDUMP,ACTION_TCRYPTDUMP,ACTION_BITLKDUMP[] +*--dump-volume-key, --dump-master-key (OBSOLETE alias)*:: +Print the volume key in the displayed information. Use with care, +as the volume key can be used to bypass +the passphrases, see also option --volume-key-file. +endif::[] + +ifdef::ACTION_TOKEN[] +*--json-file*:: +Read token JSON from a file or write token to it. --json-file=- reads JSON from +standard input or writes it to standard output respectively. +endif::[] + +ifdef::ACTION_TOKEN[] +*--token-replace*:: +Replace an existing token when adding or importing a token with the +--token-id option. +endif::[] + +ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[] +*--use-random*:: +*--use-urandom*:: +ifdef::ACTION_REENCRYPT[] +Define which kernel random number generator will be used to create the volume key. +endif::[] +ifndef::ACTION_REENCRYPT[] +For _luksFormat_ these options define which kernel random number +generator will be used to create the volume key (which is a long-term +key). ++ +See *NOTES ON RANDOM NUMBER GENERATORS* in *cryptsetup*(8) for more +information. Use _cryptsetup --help_ to show the compiled-in default random +number generator. ++ +*WARNING:* In a low-entropy situation (e.g. in an embedded system) and older +kernels, both selections are problematic. Using /dev/urandom can lead to weak keys. +Using /dev/random can block a long time, potentially forever, if not +enough entropy can be harvested by the kernel. +endif::[] +endif::[] + +ifdef::ACTION_REENCRYPT[] +*--keep-key*:: +*LUKS2*: +Do not change effective volume key and change other parameters provided +it is requested. ++ +*LUKS1*: +Reencrypt only the LUKS1 header and keyslots. Skips data in-place reencryption. 
+endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_CONFIG,ACTION_TOKEN,ACTION_REPAIR,ACTION_REENCRYPT[] +*--key-slot, -S <0-N>*:: +ifdef::ACTION_LUKSADDKEY[] +When used together with parameter --new-key-slot this option allows you to specify which +key slot is selected for unlocking volume key. ++ +*NOTE:* This option is ignored if existing volume key gets unlocked +via LUKS2 token (--token-id, --token-type or --token-only parameters) or +when volume key is provided directly via --volume-key-file parameter. ++ +*NOTE:* To maintain backward compatibility, without --new-key-slot parameter, +this option allows you to specify which key slot is selected for the new key. +endif::[] +ifndef::ACTION_OPEN,ACTION_LUKSADDKEY[] +For LUKS operations that add key material, this option allows you to +specify which key slot is selected for the new key. +endif::[] +ifdef::ACTION_OPEN[] +This option selects a specific key-slot to +compare the passphrase against. If the given passphrase would only +match a different key-slot, the operation fails. +endif::[] ++ +ifdef::ACTION_REENCRYPT[] +For reencryption mode it selects specific keyslot (and passphrase) that can be used to unlock new volume key. +If used all other keyslots get removed after reencryption operation is finished. ++ +endif::[] +The maximum number of key slots depends on the LUKS version. LUKS1 can have up +to 8 key slots. LUKS2 can have up to 32 key slots based on key slot area +size and key size, but a valid key slot ID can always be between 0 and +31 for LUKS2. +endif::[] + +ifdef::ACTION_LUKSADDKEY[] +*--new-key-slot <0-N>*:: +This option allows you to specify which key slot is selected for +the new key. ++ +*NOTE:* When used this option affects --key-slot option. ++ +The maximum number of key slots depends on the LUKS version. LUKS1 can have up +to 8 key slots. 
LUKS2 can have up to 32 key slots based on key slot area +size and key size, but a valid key slot ID can always be between 0 and +31 for LUKS2. +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT,ACTION_BENCHMARK,ACTION_LUKSADDKEY[] +*--key-size, -s* _bits_:: +ifndef::ACTION_LUKSADDKEY[] +Sets key size in _bits_. The argument has to be a multiple of 8. The +possible key-sizes are limited by the cipher and mode used. ++ +See /proc/crypto for more information. Note that key-size in +/proc/crypto is stated in bytes. ++ +endif::[] +ifdef::ACTION_LUKSADDKEY[] +Provide volume key size in _bits_. The argument has to be a multiple of 8. ++ +This option is required when parameter --volume-key-file is used to provide +current volume key. Also, it is used when new unbound keyslot is created by +specifying --unbound parameter. +endif::[] +ifdef::ACTION_OPEN[] +This option can be used for _plain_ device type only. +endif::[] +ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_LUKSADDKEY[] +This option can be used for _open --type plain_ or _luksFormat_. All +other LUKS actions will use the key-size specified in the LUKS header. +Use _cryptsetup --help_ to show the compiled-in defaults. +endif::[] +ifdef::ACTION_REENCRYPT[] +*LUKS1*: +If you are increasing key size, there must be enough space in the LUKS header +for enlarged keyslots (data offset must be large enough) or reencryption +cannot be performed. ++ +If there is not enough space for keyslots with new key size, +you can destructively shrink device with --reduce-device-size option. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_RESIZE[] +*--size, -b <number of 512 byte sectors>*:: +Set the size of the device in sectors of 512 bytes. +ifdef::ACTION_OPEN[] +Usable only with _plain_ device type. +endif::[] +endif::[] + +ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[] +*--offset, -o <number of 512 byte sectors>*:: +Start offset in the backend device in 512-byte sectors. 
+ifdef::ACTION_OPEN[]
+This option is only relevant with plain or loopaes device types.
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+This option is only relevant for the encrypt mode.
+endif::[]
++
+ifndef::ACTION_OPEN[]
+The --offset option sets the data offset (payload) of data
+device and must be aligned to 4096-byte sectors (must be multiple of
+8). This option cannot be combined with --align-payload option.
+endif::[]
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--skip, -p <number of 512 byte sectors>*::
+Start offset used in IV calculation in 512-byte sectors (how many
+sectors of the encrypted data to skip at the beginning). This option
+is only relevant with plain or loopaes device types.
++
+Hence, if --offset _n_, and --skip _s_, sector _n_ (the first sector of
+the encrypted device) will get a sector number of _s_ for the IV
+calculation.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_REENCRYPT,ACTION_RESIZE[]
+*--device-size* _size[units]_::
+ifndef::ACTION_RESIZE[]
+Instead of real device size, use specified value.
+endif::[]
+ifdef::ACTION_RESIZE[]
+Sets new size of the device. If unset real device size is used.
+endif::[]
+ifdef::ACTION_OPEN[]
+Usable only with _plain_ device type.
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+It means that only specified area (from the start of the device
+to the specified size) will be reencrypted.
++
+*WARNING:* This is destructive operation. Data beyond --device-size limit may
+be lost after operation gets finished.
+endif::[]
++
+If no unit suffix is specified, the size is in bytes.
++
+Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)
+for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--readonly, -r*::
+set up a read-only mapping.
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--shared*::
+Creates an additional mapping for one common ciphertext device.
+Arbitrary mappings are supported. This option is only relevant for the
+_plain_ device type. Use --offset, --size and --skip to specify
+the mapped area.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
+*--pbkdf <PBKDF spec>*::
+Set Password-Based Key Derivation Function (PBKDF) algorithm for LUKS
+keyslot. The PBKDF can be: _pbkdf2_ (for PBKDF2 according to RFC2898),
+_argon2i_ for Argon2i or _argon2id_ for Argon2id (see
+https://www.cryptolux.org/index.php/Argon2[Argon2] for more info).
++
+For LUKS1, only PBKDF2 is accepted (no need to use this option). The
+default PBKDF for LUKS2 is set during compilation time and is available
+in _cryptsetup --help_ output.
++
+A PBKDF is used for increasing dictionary and brute-force attack cost
+for keyslot passwords. The parameters can be time, memory and parallel
+cost.
++
+For PBKDF2, only time cost (number of iterations) applies. For
+Argon2i/id, there is also memory cost (memory required during the
+process of key derivation) and parallel cost (number of threads that run
+in parallel during the key derivation.
++
+Note that increasing memory cost also increases time, so the final
+parameter values are measured by a benchmark. The benchmark tries to
+find iteration time (_--iter-time_) with required memory cost
+_--pbkdf-memory_. If it is not possible, the memory cost is decreased as
+well. The parallel cost _--pbkdf-parallel_ is constant and is checked
+against available CPU cores.
++
+You can see all PBKDF parameters for particular LUKS2 keyslot with
+*cryptsetup-luksDump*(8) command.
++
+*NOTE:* If you do not want to use benchmark and want to specify all
+parameters directly, use _--pbkdf-force-iterations_ with
+_--pbkdf-memory_ and _--pbkdf-parallel_. This will override the values
+without benchmarking. Note it can cause extremely long unlocking time.
+Use only in specific cases, for example, if you know that the formatted
+device will be used on some small embedded system.
++
+*MINIMAL AND MAXIMAL PBKDF COSTS:* For *PBKDF2*, the minimum iteration
+count is 1000 and maximum is 4294967295 (maximum for 32bit unsigned
+integer). Memory and parallel costs are unused for PBKDF2. For *Argon2i*
+and *Argon2id*, minimum iteration count (CPU cost) is 4 and maximum is
+4294967295 (maximum for 32bit unsigned integer). Minimum memory cost is
+32 KiB and maximum is 4 GiB. (Limited by addressable memory on some CPU
+platforms.) If the memory cost parameter is benchmarked (not specified
+by a parameter) it is always in range from 64 MiB to 1 GiB. The parallel
+cost minimum is 1 and maximum 4 (if enough CPUs cores are available,
+otherwise it is decreased).
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
+*--iter-time, -i <number of milliseconds>*::
+ifndef::ACTION_REENCRYPT[]
+The number of milliseconds to spend with PBKDF passphrase processing.
+Specifying 0 as parameter selects the compiled-in default.
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+The number of milliseconds to spend with PBKDF passphrase processing for the
+new LUKS header.
+endif::[]
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
+*--pbkdf-memory <number>*::
+Set the memory cost for PBKDF (for Argon2i/id the number represents
+kilobytes). Note that it is maximal value, PBKDF benchmark or
+available physical memory can decrease it. This option is not
+available for PBKDF2.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
+*--pbkdf-parallel <number>*::
+Set the parallel cost for PBKDF (number of threads, up to 4). Note
+that it is maximal value, it is decreased automatically if CPU online
+count is lower. This option is not available for PBKDF2.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
+*--pbkdf-force-iterations <num>*::
+Avoid PBKDF benchmark and set time cost (iterations) directly. It can
+be used for LUKS/LUKS2 device only. See _--pbkdf_ option for more
+info.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--progress-frequency* _seconds_::
+ifndef::ACTION_REENCRYPT[]
+Print separate line every _seconds_ with wipe progress.
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+Print separate line every _seconds_ with reencryption progress.
+endif::[]
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--progress-json*::
+Prints progress data in JSON format suitable mostly for machine
+processing. It prints separate line every half second (or based on
+_--progress-frequency_ value). The JSON output looks as follows during
+progress (except it's compact single line):
++
+....
+{
+ "device":"/dev/sda" // backing device or file
+ "device_bytes":"8192", // bytes of I/O so far
+ "device_size":"44040192", // total bytes of I/O to go
+ "speed":"126877696", // calculated speed in bytes per second (based on progress so far)
+ "eta_ms":"2520012" // estimated time to finish an operation in milliseconds
+ "time_ms":"5561235" // total time spent in IO operation in milliseconds
+}
+....
++
+Note on numbers in JSON output: Due to JSON parsers limitations all
+numbers are represented in a string format due to need of full 64bit
+unsigned integers.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TCRYPTDUMP,ACTION_BITLKDUMP[]
+*--timeout, -t <number of seconds>*::
+The number of seconds to wait before timeout on passphrase input via
+terminal. It is relevant every time a passphrase is asked.
+It has no effect if used in conjunction with --key-file.
++
+This option is useful when the system should not stall if the user
+does not input a passphrase, e.g. during boot. The default is a value
+of 0 seconds, which means to wait forever.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_REENCRYPT[]
+*--tries, -T*::
+How often the input of the passphrase shall be retried. The default is 3 tries.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--align-payload <number of 512 byte sectors>*::
+Align payload at a boundary of _value_ 512-byte sectors.
++
+If not specified, cryptsetup tries to use the topology info provided by
+the kernel for the underlying device to get the optimal alignment. If
+not available (or the calculated value is a multiple of the default)
+data is by default aligned to a 1MiB boundary (i.e. 2048 512-byte
+sectors).
++
+For a detached LUKS header, this option specifies the offset on the data
+device. See also the --header option.
++
+*WARNING:* This option is DEPRECATED and has often unexpected impact to
+the data offset and keyslot area size (for LUKS2) due to the complex
+rounding. For fixed data device offset use _--offset_ option instead.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSUUID,ACTION_REENCRYPT[]
+*--uuid <UUID>*::
+ifndef::ACTION_REENCRYPT[]
+Use the provided _UUID_ for the _luksFormat_ command instead of
+generating a new one. Changes the existing _UUID_ when used with the
+_luksUUID_ command.
++
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+When used in encryption mode use the provided _UUID_ for the new LUKS header
+instead of generating a new one.
++
+*LUKS1 (only in decryption mode)*:
+To find out what _UUID_ to pass look for temporary files LUKS-_UUID_.[|log|org|new]
+of the interrupted decryption process.
++
+endif::[]
+The _UUID_ must be provided in the standard UUID format, e.g.
+12345678-1234-1234-1234-123456789abc.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_REFRESH[]
+*--allow-discards*::
+Allow the use of discard (TRIM) requests for the device. This is also not
+supported for LUKS2 devices with data integrity protection.
++
+*WARNING:* This command can have a negative security impact because it
+can make filesystem-level operations visible on the physical device. For
+example, information leaking filesystem type, used space, etc. may be
+extractable from the physical device if the discarded blocks can be
+located later. If in doubt, do not use it.
++
+A kernel version of 3.1 or later is needed. For earlier kernels, this
+option is ignored.
+endif::[]
+
+ifdef::ACTION_REFRESH,ACTION_OPEN[]
+*--perf-same_cpu_crypt*::
+Perform encryption using the same cpu that IO was submitted on. The
+default is to use an unbound workqueue so that encryption work is
+automatically balanced between available CPUs.
++
+*NOTE:* This option is available only for low-level dm-crypt performance
+tuning, use only if you need a change to default dm-crypt behaviour.
+Needs kernel 4.0 or later.
+endif::[]
+
+ifdef::ACTION_REFRESH,ACTION_OPEN[]
+*--perf-submit_from_crypt_cpus*::
+Disable offloading writes to a separate thread after encryption. There
+are some situations where offloading write bios from the encryption
+threads to a single thread degrades performance significantly. The
+default is to offload write bios to the same thread.
++
+*NOTE:* This option is available only for low-level dm-crypt performance
+tuning, use only if you need a change to default dm-crypt behaviour.
+Needs kernel 4.0 or later.
+endif::[]
+
+ifdef::ACTION_REFRESH,ACTION_OPEN[]
+*--perf-no_read_workqueue, --perf-no_write_workqueue*::
+Bypass dm-crypt internal workqueue and process read or write requests
+synchronously.
++
+*NOTE:* These options are available only for low-level dm-crypt
+performance tuning, use only if you need a change to default dm-crypt
+behaviour. Needs kernel 5.9 or later.
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--test-passphrase*::
+Do not activate the device, just verify passphrase. The device mapping name is
+not mandatory if this option is used.
+endif::[]
+
+ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP[]
+*--header <device or file storing the LUKS header>*::
+ifndef::ACTION_OPEN[]
+Use a detached (separated) metadata device or file where the LUKS
+header is stored. This option allows one to store ciphertext and LUKS
+header on different devices.
++
+endif::[]
+ifdef::ACTION_OPEN[]
+Specify detached (separated) metadata device or file where the header is stored.
++
+*WARNING:* There is no check whether the ciphertext device specified
+actually belongs to the header given. In fact, you can specify an
+arbitrary device as the ciphertext device with the --header option.
+Use with care.
+endif::[]
+ifndef::ACTION_REENCRYPT[]
+ifdef::ACTION_LUKSFORMAT[]
+With a file name as the argument to --header, the file
+will be automatically created if it does not exist. See the cryptsetup
+FAQ for header size calculation.
++
+The --align-payload option is taken as absolute sector alignment on ciphertext
+device and can be zero.
+endif::[]
+ifndef::ACTION_LUKSFORMAT,ACTION_OPEN[]
+For commands that change the LUKS header (e.g. _luksAddKey_),
+specify the device or file with the LUKS header directly as the LUKS
+device.
+endif::[]
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+If used with --encrypt/--new option, the header file will be created (or overwritten).
+Use with care.
++
+*LUKS2*:
+For decryption mode the option may be used to export original LUKS2 header
+to a detached file. The passed future file must not exist at the time
+of initializing the decryption operation. This frees space in head of data
+device so that data can be moved at original LUKS2 header location. Later on
+decryption operation continues as if the ordinary detached header was passed.
++
+*WARNING:* Never put exported header file in a filesystem on top of device
+you are about to decrypt! It would cause a deadlock.
+endif::[]
+endif::[]
+
+ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[]
+*--header-backup-file <file>*::
+Specify file with header backup file.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--force-offline-reencrypt (LUKS2 only)*::
+Bypass active device auto-detection and enforce offline reencryption.
++
+This option is useful especially for reencryption of LUKS2 images put in
+files (auto-detection is not reliable in this scenario).
++
+It may also help in case active device auto-detection on particular
+data device does not work or report errors.
++
+*WARNING:* Use with extreme caution! This may destroy data if the device
+is activated and/or actively used.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
+*--force-password*::
+Do not use password quality checking for new LUKS passwords.
++
+This option is ignored if cryptsetup is built without password
+quality checking support.
++
+For more info about password quality check, see the manual page for
+*pwquality.conf(5)* and *passwdqc.conf(5)*.
+endif::[]
+
+ifdef::ACTION_CLOSE[]
+*--deferred*::
+Defers device removal in _close_ command until the last user closes
+it.
+endif::[]
+
+ifdef::ACTION_CLOSE[]
+*--cancel-deferred*::
+Removes a previously configured deferred device removal in _close_
+command.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[]
+*--disable-external-tokens*::
+Disable loading of plugins for external LUKS2 tokens.
+endif::[]
+
+ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP,ACTION_TCRYPTDUMP[]
+*--disable-locks*::
+Disable lock protection for metadata on disk. This option is valid
+only for LUKS2 and ignored for other formats.
++
+ifdef::ACTION_REENCRYPT[]
+*NOTE:* With locking disabled LUKS2 images in files can be fully (re)encrypted
+offline without need for super user privileges provided used block ciphers are
+available in crypto backend.
++
+endif::[]
+*WARNING:* Do not use this option unless you run cryptsetup in a
+restricted environment where locking is impossible to perform (where
+/run directory cannot be used).
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_REFRESH,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_REENCRYPT[]
+*--disable-keyring*::
+Do not load volume key in kernel keyring and store it directly in the
+dm-crypt target instead. This option is supported only for the LUKS2 type.
+endif::[]
+
+ifdef::ACTION_TOKEN[]
+*--key-description <text>*::
+Set key description in keyring for use with _token_ command.
+endif::[]
+
+ifdef::ACTION_CONFIG[]
+*--priority <normal|prefer|ignore>*::
+Set a priority for LUKS2 keyslot. The _prefer_ priority marked slots
+are tried before _normal_ priority. The _ignored_ priority means, that
+slot is never used, if not explicitly requested by _--key-slot_
+option.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY[]
+*--token-id*::
+ifndef::ACTION_TOKEN,ACTION_LUKSADDKEY[]
+Specify what token to use and allow token PIN prompt to take precedence over interative
+keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN)
+will be checked before proceeding further with passphrase prompt.
+endif::[]
+ifdef::ACTION_LUKSADDKEY[]
+Specify what token to use when unlocking existing keyslot to get volume key.
+endif::[]
+ifdef::ACTION_TOKEN[]
+Specify token number. If omitted, first unused token id is used when adding or importing
+new token.
+endif::[]
+endif::[]
+
+ifdef::ACTION_LUKSADDKEY[]
+*--new-token-id*::
+Specify what token to use to get the passphrase for a new keyslot.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+*--token-only*::
+ifndef::ACTION_LUKSADDKEY[]
+Do not proceed further with action if token based keyslot unlock failed. Without the
+option, action asks for passphrase to proceed further.
++
+It allows LUKS2 tokens protected by PIN to take precedence over interactive keyslot
+passphrase prompt.
+endif::[]
+ifdef::ACTION_LUKSADDKEY[]
+Use only LUKS2 tokens to unlock existing volume key.
++
+*NOTE*: To create a new keyslot using passphrase provided by a token use --new-token-id parameter.
+endif::[]
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+*--token-type* _type_::
+ifndef::ACTION_LUKSADDKEY[]
+Restrict tokens eligible for operation to specific token _type_.
+Mostly useful when no --token-id is specified.
++
+It allows LUKS2 _type_ tokens protected by PIN to take precedence over interactive keyslot
+passphrase prompt.
+endif::[]
+ifdef::ACTION_LUKSADDKEY[]
+Specify what token type (all _type_ tokens) to use when unlocking existing keyslot to get volume key.
+endif::[]
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+ifndef::ACTION_REENCRYPT[]
+*--sector-size* _bytes_::
+endif::[]
+ifndef::ACTION_REENCRYPT[]
+ifdef::ACTION_OPEN[]
+Set encryption sector size for use with _plain_ device type. It must be power of two
+and in range 512 - 4096 bytes. The default mode is 512 bytes.
++
+Note that if sector size is higher than underlying device hardware
+sector, using this option can increase risk on incomplete sector writes during a
+power fail.
+endif::[]
+ifdef::ACTION_LUKSFORMAT[]
+Set sector size for use with disk encryption. It must be power of two
+and in range 512 - 4096 bytes. This option is available only with LUKS2
+format.
++
+For LUKS2 devices it's established based on parameters provided by
+underlying data device. For native 4K block devices it's 4096 bytes.
+For 4K/512e (4K physical sector size with 512 bytes emulation) it's
+4096 bytes. For drives reporting only 512 bytes block size it remains
+512 bytes. If data device is regular file put in filesystem it's 4096
+bytes.
++
+Note that if sector size is higher than underlying device hardware
+sector and there is not integrity protection that uses data journal,
+using this option can increase risk on incomplete sector writes during a
+power fail.
++
+If used together with _--integrity_ option and dm-integrity journal, the
+atomicity of writes is guaranteed in all cases (but it cost write
+performance - data has to be written twice).
+endif::[]
++
+Increasing sector size from 512 bytes to 4096 bytes can provide better
+performance on most of the modern storage devices and also with some hw
+encryption accelerators.
+endif::[]
+ifdef::ACTION_REENCRYPT[]
+*--sector-size* _bytes_ *(LUKS2 only)*::
+Reencrypt device with new encryption sector size enforced.
++
+*WARNING:* Increasing encryption sector size may break hosted filesystem. Do not
+run reencryption with --force-offline-reencrypt if unsure what block size
+was filesystem formatted with.
+endif::[]
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--iv-large-sectors*::
+Count Initialization Vector (IV) in larger sector size (if set)
+instead of 512 bytes sectors. This option can be used only with _plain_
+device type.
++
+*NOTE:* This option does not have any performance or security impact,
+use it only for accessing incompatible existing disk images from other
+systems that require this option.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_REFRESH[]
+*--persistent*::
+If used with LUKS2 devices and activation commands like _open_ or
+_refresh_, the specified activation flags are persistently written
+into metadata and used next time automatically even for normal
+activation. (No need to use cryptab or other system configuration
+files.)
++
+If you need to remove a persistent flag, use _--persistent_ without the
+flag you want to remove (e.g. to disable persistently stored discard
+flag, use _--persistent_ without _--allow-discards_).
++
+Only _--allow-discards_, _--perf-same_cpu_crypt_,
+_--perf-submit_from_crypt_cpus_, _--perf-no_read_workqueue_,
+_--perf-no_write_workqueue_ and _--integrity-no-journal_ can be stored
+persistently.
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--refresh*::
+Refreshes an active device with new set of parameters. See
+*cryptsetup-refresh*(8) for more details.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_CONFIG,ACTION_REENCRYPT[]
+*--label <LABEL> --subsystem <SUBSYSTEM>*::
+Set label and subsystem description for LUKS2 device.
+The label and subsystem are optional fields and can be later used
+in udev scripts for triggering user actions once the device marked
+by these labels is detected.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--integrity <integrity algorithm>*::
+Specify integrity algorithm to be used for authenticated disk
+encryption in LUKS2.
++
+*WARNING: This extension is EXPERIMENTAL* and requires dm-integrity
+kernel target (available since kernel version 4.12). For native AEAD
+modes, also enable "User-space interface for AEAD cipher algorithms" in
+"Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config
+option).
++
+For more info, see _AUTHENTICATED DISK ENCRYPTION_ section in *cryptsetup*(8).
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--integrity-legacy-padding*::
+Use inefficient legacy padding.
++
+*WARNING*: Do not use this option until you need compatibility with specific
+old kernel.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--luks2-metadata-size <size>*::
+This option can be used to enlarge the LUKS2 metadata (JSON) area. The
+size includes 4096 bytes for binary metadata (usable JSON area is
+smaller of the binary area). According to LUKS2 specification, only
+these values are valid: 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096
+kB The <size> can be specified with unit suffix (for example 128k).
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--luks2-keyslots-size <size>*::
+This option can be used to set specific size of the LUKS2 binary
+keyslot area (key material is encrypted there). The value must be
+aligned to multiple of 4096 bytes with maximum size 128MB. The <size>
+can be specified with unit suffix (for example 128k).
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
+*--keyslot-cipher <cipher-spec>*::
+This option can be used to set specific cipher encryption for the
+LUKS2 keyslot area.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
+*--keyslot-key-size <bits>*::
+This option can be used to set specific key size for the LUKS2 keyslot
+area.
+endif::[]
+
+ifdef::ACTION_REFRESH[]
+*--integrity-no-journal*::
+Activate device with integrity protection without using data journal
+(direct write of data and integrity tags). Note that without journal
+power fail can cause non-atomic write and data corruption. Use only if
+journalling is performed on a different storage layer.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--integrity-no-wipe*::
+Skip wiping of device authentication (integrity) tags. If you skip
+this step, sectors will report invalid integrity tag until an
+application write to the sector.
++
+*NOTE:* Even some writes to the device can fail if the write is not
+aligned to page size and page-cache initiates read of a sector with
+invalid integrity tag.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_TOKEN[]
+*--unbound*::
+ifdef::ACTION_LUKSADDKEY[]
+Creates new LUKS2 unbound keyslot.
+endif::[]
+ifdef::ACTION_LUKSDUMP[]
+Dumps existing LUKS2 unbound keyslot.
+endif::[]
+ifdef::ACTION_OPEN[]
+Allowed only together with --test-passphrase parameter, it allows one to test
+passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase
+can be tested only when specific keyslot is selected via --key-slot parameter.
+endif::[]
+ifdef::ACTION_TOKEN[]
+Creates new LUKS2 keyring token assigned to no keyslot. Usable only with _add_ action.
+endif::[]
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
+*--tcrypt-hidden*::
+*--tcrypt-system*::
+*--tcrypt-backup*::
+Specify which TrueCrypt on-disk
+header will be used to open the device. See _TCRYPT_ section in
+*cryptsetup*(8) for more info.
+endif::[]
+
+ifdef::ACTION_TCRYPTDUMP,ACTION_OPEN[]
+*--veracrypt*::
+This option is ignored as VeraCrypt compatible mode is supported by
+default.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
+*--disable-veracrypt*::
+This option can be used to disable VeraCrypt compatible mode (only
+TrueCrypt devices are recognized). Only for TCRYPT extension. See
+_TCRYPT_ section in *cryptsetup*(8) for more info.
+endif::[]
+
+ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
+*--veracrypt-pim*::
+*--veracrypt-query-pim*::
+Use a custom Personal Iteration Multiplier (PIM) for
+VeraCrypt device. See _TCRYPT_ section in *cryptsetup*(8) for more info.
+endif::[]
+
+ifdef::ACTION_OPEN[]
+*--serialize-memory-hard-pbkdf*::
+Use a global lock to serialize unlocking of keyslots using memory-hard
+PBKDF.
++
+*NOTE:* This is (ugly) workaround for a specific situation when multiple
+devices are activated in parallel and system instead of reporting out of
+memory starts unconditionally stop processes using out-of-memory killer.
++
+*DO NOT USE* this switch until you are implementing boot environment
+with parallel devices activation!
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--encrypt, --new, -N*::
+Initialize (and run) device in-place encryption mode.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--decrypt*::
+Initialize (and run) device decryption mode.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--init-only (LUKS2 only)*::
+Initialize reencryption (any mode) operation in LUKS2 metadata only
+and exit. If any reencrypt operation is already initialized in
+metadata, the command with --init-only parameter fails.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--resume-only (LUKS2 only)*::
+Resume reencryption (any mode) operation already described in LUKS2
+metadata. If no reencrypt operation is initialized, the command with
+--resume-only parameter fails. Useful for resuming reencrypt operation
+without accidentally triggering new reencryption operation.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--resilience* _mode_ *(LUKS2 only)*::
+Reencryption resilience _mode_ can be one of _checksum_, _journal_ or
+_none_.
++
+_checksum_: default mode, where individual checksums of ciphertext
+hotzone sectors are stored, so the recovery process can detect which
+sectors were already reencrypted. It requires that the device sector
+write is atomic.
++
+_journal_: the hotzone is journaled in the binary area (so the data are
+written twice).
++
+_none_: performance mode. There is no protection and the only way it's
+safe to interrupt the reencryption is similar to old offline
+reencryption utility.
++
+Resilience modes can be changed unless _datashift_ mode is used for
+operation initialization (encryption with --reduce-device-size option)
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--resilience-hash* _hash_ *(LUKS2 only)*::
+The _hash_ algorithm used with "--resilience checksum" only. The default
+hash is sha256. With other resilience modes, the hash parameter is
+ignored.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--hotzone-size* _size_ *(LUKS2 only)*::
+This option can be used to set an upper limit on the size of
+reencryption area (hotzone). The _size_ can be specified with unit
+suffix (for example 50M). Note that actual hotzone size may be less
+than specified <size> due to other limitations (free space in keyslots
+area or available memory).
++
+With decryption mode for devices with LUKS2 header placed in head of data
+device, the option specifies how large is the first data segment moved
+from original data offset pointer.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--reduce-device-size* _size_::
+This means that last _size_ sectors on the original device will be lost,
+data will be effectively shifted by specified number of sectors.
++
+It could be useful if you added some space to underlying partition or
+logical volume (so last _size_ sectors contains no data).
++
+For units suffix see --device-size parameter description.
++
+*WARNING:* This is a destructive operation and cannot be reverted. Use
+with extreme care - accidentally overwritten filesystems are usually
+unrecoverable.
++
+*LUKS2*:
+Initialize LUKS2 reencryption with data device size reduction
+(currently only encryption mode is supported).
++
+Recommended minimal size is twice the default LUKS2 header size
+(--reduce-device-size 32M) for encryption mode.
++
+*LUKS1*:
+Enlarge data offset to specified value by shrinking device size.
++
+You cannot shrink device more than by 64 MiB (131072 sectors).
+endif::[]
+
+ifdef::COMMON_OPTIONS[]
+*--batch-mode, -q*::
+Suppresses all confirmation questions. Use with care!
++
+If the --verify-passphrase option is not specified, this option also
+switches off the passphrase verification.
+endif::[]
+
+ifdef::COMMON_OPTIONS[]
+*--debug or --debug-json*::
+Run in debug mode with full diagnostic logs. Debug output lines are
+always prefixed by *#*.
++
+If --debug-json is used, additional LUKS2 JSON data structures are printed.
+endif::[]
+
+ifdef::COMMON_OPTIONS[]
+*--version, -V*::
+Show the program version.
+endif::[]
+
+ifdef::COMMON_OPTIONS[]
+*--usage*::
+Show short option help.
+endif::[]
+
+ifdef::COMMON_OPTIONS[]
+*--help, -?*::
+Show help text and default parameters.
+endif::[]
diff --git a/man/cryptsetup-benchmark.8.adoc b/man/cryptsetup-benchmark.8.adoc
new file mode 100644
index 0000000..caaacba
--- /dev/null
+++ b/man/cryptsetup-benchmark.8.adoc
@@ -0,0 +1,41 @@
+= cryptsetup-benchmark(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_BENCHMARK:
+
+== Name
+
+cryptsetup-benchmark - benchmarks ciphers and KDF
+
+== SYNOPSIS
+
+*cryptsetup _benchmark_ [<options>]*
+
+== DESCRIPTION
+
+Benchmarks ciphers and KDF (key derivation function). Without
+parameters, it tries to measure few common configurations.
+
+To benchmark other ciphers or modes, you need to specify *--cipher* and
+*--key-size* options.
+
+To benchmark PBKDF you need to specify *--pbkdf* or *--hash* with optional
+cost parameters *--iter-time*, *--pbkdf-memory* or *--pbkdf-parallel*.
+
+*NOTE:* This benchmark uses memory only and is only informative. You
+cannot directly predict real storage encryption speed from it.
+
+For testing block ciphers, this benchmark requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38). If you
+are configuring kernel yourself, enable "User-space interface for
+symmetric key cipher algorithms" in "Cryptographic API" section
+(CRYPTO_USER_API_SKCIPHER .config option).
+
+*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time,
+--pbkdf-memory, --pbkdf-parallel].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-bitlkDump.8.adoc b/man/cryptsetup-bitlkDump.8.adoc
new file mode 100644
index 0000000..6dc273f
--- /dev/null
+++ b/man/cryptsetup-bitlkDump.8.adoc
@@ -0,0 +1,34 @@
+= cryptsetup-bitlkDump(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_BITLKDUMP:
+
+== Name
+
+cryptsetup-bitlkDump - dump the header information of a BITLK (BitLocker compatible) device
+
+== SYNOPSIS
+
+*cryptsetup _bitlkDump_ [<options>] <device>*
+
+== DESCRIPTION
+
+Dump the header information of a BITLK (BitLocker compatible) device.
+
+If the --dump-volume-key option is used, the BITLK device volume key
+is dumped instead of header information. You have to provide password
+or keyfile to dump volume key.
+
+Beware that the volume key can be used to decrypt the data stored in
+the container without a passphrase.
+This means that if the volume key is compromised, the whole device has
+to be erased to prevent further access. Use this option carefully.
+
+*<options>* can be [--dump-volume-key, --volume-key-file, --key-file,
+--keyfile-offset, --keyfile-size, --timeout].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-close.8.adoc b/man/cryptsetup-close.8.adoc
new file mode 100644
index 0000000..28813d3
--- /dev/null
+++ b/man/cryptsetup-close.8.adoc
@@ -0,0 +1,30 @@
+= cryptsetup-close(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_CLOSE:
+
+== Name
+
+cryptsetup-close - removes the existing mapping <name> (and the associated key)
+
+== SYNOPSIS
+
+*cryptsetup _close_ [<options>] <name>*
+
+== DESCRIPTION
+
+Removes the existing mapping <name> and wipes the key from kernel
+memory.
+
+For backward compatibility, there are *close* command aliases: *remove*,
+*plainClose*, *luksClose*, *loopaesClose*, *tcryptClose*, *bitlkClose*
+(all behave exactly the same, device type is determined automatically
+from the active device).
+
+*<options>* can be [--deferred, --cancel-deferred, --header, --disable-locks].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-config.8.adoc b/man/cryptsetup-config.8.adoc
new file mode 100644
index 0000000..c664242
--- /dev/null
+++ b/man/cryptsetup-config.8.adoc
@@ -0,0 +1,30 @@
+= cryptsetup-config(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_CONFIG:
+
+== Name
+
+cryptsetup-config - set permanent configuration options (store to LUKS header)
+
+== SYNOPSIS
+
+*cryptsetup _config_ <options> <device>*
+
+== DESCRIPTION
+
+Set permanent configuration options (store to LUKS header). The _config_
+command is supported only for LUKS2.
+
+The permanent options can be _--priority_ to set priority (normal,
+prefer, ignore) for keyslot (specified by _--key-slot_) or _--label_ and
+_--subsystem_.
+
+*<options>* can be [--priority, --label, --subsystem, --key-slot,
+--header, --disable-locks].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-convert.8.adoc b/man/cryptsetup-convert.8.adoc
new file mode 100644
index 0000000..dbb4c23
--- /dev/null
+++ b/man/cryptsetup-convert.8.adoc
@@ -0,0 +1,37 @@
+= cryptsetup-convert(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_CONVERT:
+
+== Name
+
+cryptsetup-convert - converts the device between LUKS1 and LUKS2 format
+
+== SYNOPSIS
+
+*cryptsetup _convert_ --type <format> [<options>] <device>*
+
+== DESCRIPTION
+
+Converts the device between LUKS1 and LUKS2 format (if possible). The
+conversion will not be performed if there is an additional LUKS2 feature
+or LUKS1 has unsupported header size.
+
+Conversion (both directions) must be performed on inactive device. There
+must not be active dm-crypt mapping established for LUKS header
+requested for conversion.
+
+The *--type* option is mandatory with the following accepted values: _luks1_ or
+_luks2_.
+
+*WARNING:* The _convert_ action can destroy the LUKS header in the case
+of a crash during conversion or if a media error occurs. Always create a
+header backup before performing this operation!
+
+*<options>* can be [--header, --type, --disable-locks].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-erase.8.adoc b/man/cryptsetup-erase.8.adoc
new file mode 100644
index 0000000..97a13aa
--- /dev/null
+++ b/man/cryptsetup-erase.8.adoc
@@ -0,0 +1,28 @@ += cryptsetup-erase(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_ERASE: + +== Name + +cryptsetup-erase, cryptsetup-luksErase - erase all keyslots + +== SYNOPSIS + +*cryptsetup _erase_ [<options>] <device>* + +*cryptsetup _luksErase_ [<options>] <device>* + +== DESCRIPTION + +Erase all keyslots and make the LUKS container permanently inaccessible. +You do not need to provide any password for this operation. + +*WARNING:* This operation is irreversible. + +*<options>* can be [--header, --disable-locks]. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-fvault2Dump.8.adoc b/man/cryptsetup-fvault2Dump.8.adoc new file mode 100644 index 0000000..0831899 --- /dev/null +++ b/man/cryptsetup-fvault2Dump.8.adoc @@ -0,0 +1,34 @@ += cryptsetup-fvault2Dump(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_BITLKDUMP: + +== Name + +cryptsetup-fvault2Dump - dump the header information of a FVAULT2 (FileVault2 compatible) device + +== SYNOPSIS + +*cryptsetup _fvault2Dump_ [<options>] <device>* + +== DESCRIPTION + +Dump the header information of a FVAULT2 (FileVault2 compatible) device. + +If the --dump-volume-key option is used, the FVAULT2 device volume key +is dumped instead of header information. You have to provide password +or keyfile to dump volume key. + +Beware that the volume key can be used to decrypt the data stored in +the container without a passphrase. +This means that if the volume key is compromised, the whole device has +to be erased to prevent further access. Use this option carefully. + +*<options>* can be [--dump-volume-key, --volume-key-file, --key-file, +--keyfile-offset, --keyfile-size, --timeout]. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] 
diff --git a/man/cryptsetup-isLuks.8.adoc b/man/cryptsetup-isLuks.8.adoc
new file mode 100644
index 0000000..aac559c
--- /dev/null
+++ b/man/cryptsetup-isLuks.8.adoc
@@ -0,0 +1,29 @@
+= cryptsetup-isLuks(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_ISLUKS:
+
+== Name
+
+cryptsetup-isLuks - check if a device is a LUKS device
+
+== SYNOPSIS
+
+*cryptsetup _isLuks_ [<options>] <device>*
+
+== DESCRIPTION
+
+Returns true, if <device> is a LUKS device, false otherwise.
+
+Use option -v to get human-readable feedback.
+'Command successful.' means the device is a LUKS device.
+
+By specifying --type you may query for specific LUKS version.
+
+*<options>* can be [--header, --type, --disable-locks].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksAddKey.8.adoc b/man/cryptsetup-luksAddKey.8.adoc
new file mode 100644
index 0000000..9686a1d
--- /dev/null
+++ b/man/cryptsetup-luksAddKey.8.adoc
@@ -0,0 +1,71 @@
+= cryptsetup-luksAddKey(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSADDKEY:
+
+== Name
+
+cryptsetup-luksAddKey - add a new passphrase
+
+== SYNOPSIS
+
+*cryptsetup _luksAddKey_ [<options>] <device> [<key file with new key>]*
+
+== DESCRIPTION
+
+Adds a keyslot protected by a new passphrase. An existing passphrase
+must be supplied interactively, via --key-file or LUKS2 token (plugin).
+Alternatively to existing passphrase user may pass directly volume key
+(via --volume-key-file). The new passphrase to be added can be specified
+interactively, read from the file given as the positional argument (also
+via --new-keyfile parameter) or via LUKS2 token.
+
+*NOTE:* with --unbound option the action creates new unbound LUKS2
+keyslot. The keyslot cannot be used for device activation. If you don't
+pass new key via --volume-key-file option, new random key is generated.
+Existing passphrase for any active keyslot is not required.
+
+*NOTE:* some parameters are effective only if used with LUKS2 format
+that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
+algorithm is always the same for all keyslots.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
+--new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot,
+--new-key-slot, --volume-key-file, --force-password, --hash, --header,
+--disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations,
+--pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher,
+--keyslot-key-size, --key-size, --timeout, --token-id, --token-type,
+--token-only, --new-token-id, --verify-passphrase].
+
+include::man/common_options.adoc[]
+
+== EXAMPLES
+
+*NOTE*: When not specified otherwise interactive passphrase prompt is always default method.
+
+Add new keyslot using interactive passphrase prompt for both existing and new passphrase:
+
+*cryptsetup luksAddKey /dev/device*
+
+Add new keyslot using LUKS2 tokens to unlock existing keyslot with interactive passphrase prompt for new passphrase:
+
+*cryptsetup luksAddKey --token-only /dev/device*
+
+Add new keyslot using LUKS2 systemd-tpm2 tokens to unlock existing keyslot with interactive passphrase prompt for new passphrase (systemd-tpm2 token plugin must be available):
+
+*cryptsetup luksAddKey --token-type systemd-tpm2 /dev/device*
+
+Add new keyslot using interactive passphrase prompt for existing keyslot, reading new passphrase from key_file:
+
+*cryptsetup luksAddKey --new-keyfile key_file /dev/device* or
+*cryptsetup luksAddKey /dev/device key_file*
+
+Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist
+and respective token plugin must be available):
+
+*cryptsetup luksAddKey --volume-key-file volume_key_file --new-token-id 5 /dev/device*
+
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksChangeKey.8.adoc b/man/cryptsetup-luksChangeKey.8.adoc
new file mode 100644
index 0000000..7dd5f3b
--- /dev/null
+++ b/man/cryptsetup-luksChangeKey.8.adoc
@@ -0,0 +1,46 @@
+= cryptsetup-luksChangeKey(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSCHANGEKEY:
+
+== Name
+
+cryptsetup-luksChangeKey - change an existing passphrase
+
+== SYNOPSIS
+
+*cryptsetup _luksChangeKey_ [<options>] <device> [<new key file>]*
+
+== DESCRIPTION
+
+Changes an existing passphrase. The passphrase to be changed must be
+supplied interactively or via --key-file. The new passphrase can be
+supplied interactively or in a file given as the positional argument.
+
+If a key-slot is specified (via --key-slot), the passphrase for that
+key-slot must be given and the new passphrase will overwrite the
+specified key-slot. If no key-slot is specified and there is still a
+free key-slot, then the new passphrase will be put into a free key-slot
+before the key-slot containing the old passphrase is purged. If there is
+no free key-slot, then the key-slot with the old passphrase is
+overwritten directly.
+
+*WARNING:* If a key-slot is overwritten, a media failure during this
+operation can cause the overwrite to fail after the old passphrase has
+been wiped and make the LUKS container inaccessible.
+
+*NOTE:* some parameters are effective only if used with LUKS2 format
+that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
+algorithm is always the same for all keyslots.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
+--new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations,
+--pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot,
+--force-password, --hash, --header, --disable-locks, --type,
+--keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksConvertKey.8.adoc b/man/cryptsetup-luksConvertKey.8.adoc
new file mode 100644
index 0000000..c626542
--- /dev/null
+++ b/man/cryptsetup-luksConvertKey.8.adoc
@@ -0,0 +1,41 @@
+= cryptsetup-luksConvertKey(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSCONVERTKEY:
+
+== Name
+
+cryptsetup-luksConvertKey - converts an existing LUKS2 keyslot to new PBKDF parameters
+
+== SYNOPSIS
+
+*cryptsetup _luksConvertKey_ [<options>] <device>*
+
+== DESCRIPTION
+
+Converts an existing LUKS2 keyslot to new PBKDF parameters. The
+passphrase for keyslot to be converted must be supplied interactively or
+via --key-file. If no --pbkdf parameters are specified LUKS2 default
+PBKDF values will apply.
+
+If a keyslot is specified (via --key-slot), the passphrase for that
+keyslot must be given. If no keyslot is specified and there is still a
+free keyslot, then the new parameters will be put into a free keyslot
+before the keyslot containing the old parameters is purged. If there is
+no free keyslot, then the keyslot with the old parameters is overwritten
+directly.
+
+*WARNING:* If a keyslot is overwritten, a media failure during this
+operation can cause the overwrite to fail after the old parameters have
+been wiped and make the LUKS container inaccessible.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
+--key-slot, --hash, --header, --disable-locks, --iter-time, --pbkdf,
+--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel,
+--keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksDump.8.adoc b/man/cryptsetup-luksDump.8.adoc
new file mode 100644
index 0000000..f9f3910
--- /dev/null
+++ b/man/cryptsetup-luksDump.8.adoc
@@ -0,0 +1,50 @@
+= cryptsetup-luksDump(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSDUMP:
+
+== Name
+
+cryptsetup-luksDump - dump the header information of a LUKS device
+
+== SYNOPSIS
+
+*cryptsetup _luksDump_ [<options>] <device>*
+
+== DESCRIPTION
+
+Dump the header information of a LUKS device.
+
+If the --dump-volume-key option is used, the LUKS device volume key is
+dumped instead of the keyslot info. Together with the --volume-key-file
+option, volume key is dumped to a file instead of standard output.
+Beware that the volume key cannot be changed without reencryption and
+can be used to decrypt the data stored in the LUKS container without a
+passphrase and even without the LUKS header. This means that if the
+volume key is compromised, the whole device has to be erased or
+reencrypted to prevent further access. Use this option carefully.
+
+To dump the volume key, a passphrase has to be supplied, either
+interactively or via --key-file.
+
+To dump unbound key (LUKS2 format only), --unbound parameter, specific
+--key-slot id and proper passphrase has to be supplied, either
+interactively or via --key-file. Optional --volume-key-file parameter
+enables unbound keyslot dump to a file.
+
+To dump LUKS2 JSON metadata (without basic header information like UUID)
+use --dump-json-metadata option.
+
+*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
+--keyfile-offset, --keyfile-size, --header, --disable-locks,
+--volume-key-file, --type, --unbound, --key-slot, --timeout].
+
+*WARNING:* If --dump-volume-key is used with --key-file and the argument
+to --key-file is '-', no validation question will be asked and no
+warning given.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksFormat.8.adoc b/man/cryptsetup-luksFormat.8.adoc
new file mode 100644
index 0000000..be241f8
--- /dev/null
+++ b/man/cryptsetup-luksFormat.8.adoc
@@ -0,0 +1,51 @@
+= cryptsetup-luksFormat(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSFORMAT:
+
+== Name
+
+cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphrase
+
+== SYNOPSIS
+
+*cryptsetup _luksFormat_ [<options>] <device> [<key file>]*
+
+== DESCRIPTION
+
+Initializes a LUKS partition and sets the initial passphrase (for
+key-slot 0), either via prompting or via <key file>. Note that if the
+second argument is present, then the passphrase is taken from the file
+given there, without the need to use the --key-file option. Also note
+that for both forms of reading the passphrase from a file you can give
+'-' as file name, which results in the passphrase being read from stdin
+and the safety-question being skipped.
+
+You cannot call luksFormat on a device or filesystem that is mapped or
+in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The
+device or filesystem has to be un-mounted in order to call luksFormat.
+
+To use specific version of LUKS format, use _--type luks1_ or _type luks2_.
+
+*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size,
+--key-slot, --key-file (takes precedence over optional second argument),
+--keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid,
+--volume-key-file, --iter-time, --header, --pbkdf-force-iterations,
+--force-password, --disable-locks, --timeout, --type, --offset,
+--align-payload (deprecated)].
+
+For LUKS2, additional *<options>* can be [--integrity,
+--integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf,
+--pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring,
+--luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher,
+--keyslot-key-size, --integrity-legacy-padding].
+ +*WARNING:* Doing a luksFormat on an existing LUKS container will make +all data in the old container permanently irretrievable unless you have a +header backup. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksHeaderBackup.8.adoc b/man/cryptsetup-luksHeaderBackup.8.adoc new file mode 100644 index 0000000..1f57f25 --- /dev/null +++ b/man/cryptsetup-luksHeaderBackup.8.adoc @@ -0,0 +1,35 @@ += cryptsetup-luksHeaderBackup(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_LUKSHEADERBACKUP: + +== Name + +cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keyslot area + +== SYNOPSIS + +*cryptsetup _luksHeaderBackup_ --header-backup-file <file> [<options>] <device>* + +== DESCRIPTION + +Stores a binary backup of the LUKS header and keyslot area. + +*NOTE:* Using '-' as filename writes the header backup to a file named +'-'. + +*<options>* can be [--header, --header-backup-file, --disable-locks]. + +*WARNING:* This backup file and a passphrase valid at the time of backup +allows decryption of the LUKS data area, even if the passphrase was +later changed or removed from the LUKS device. Also note that with a +header backup you lose the ability to securely wipe the LUKS device by +just overwriting the header and key-slots. You either need to securely +erase all header backups in addition or overwrite the encrypted data +area as well. The second option is less secure, as some sectors can +survive, e.g., due to defect management. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksHeaderRestore.8.adoc b/man/cryptsetup-luksHeaderRestore.8.adoc new file mode 100644 index 0000000..e7fa8aa --- /dev/null +++ b/man/cryptsetup-luksHeaderRestore.8.adoc 
@@ -0,0 +1,34 @@ += cryptsetup-luksHeaderRestore(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_LUKSHEADERRESTORE: + +== Name + +cryptsetup-luksHeaderRestore - restore a binary backup of the LUKS header and keyslot area + +== SYNOPSIS + +*cryptsetup _luksHeaderRestore_ --header-backup-file <file> [<options>] <device>* + +== DESCRIPTION + +Restores a binary backup of the LUKS header and keyslot area from the +specified file. + +*NOTE:* Using '-' as filename reads the header backup from a file named '-'. + +*<options>* can be [--header, --header-backup-file, --disable-locks]. + +*WARNING:* Header and keyslots will be replaced, only the passphrases +from the backup will work afterward. + +This command requires that the volume key size and data offset of the +LUKS header already on the device and of the header backup match. +Alternatively, if there is no LUKS header on the device, the backup will +also be written to it. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksKillSlot.8.adoc b/man/cryptsetup-luksKillSlot.8.adoc new file mode 100644 index 0000000..4575387 --- /dev/null +++ b/man/cryptsetup-luksKillSlot.8.adoc 
@@ -0,0 +1,40 @@
+= cryptsetup-luksKillSlot(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSKILLSLOT:
+
+== Name
+
+cryptsetup-luksKillSlot - wipe a key-slot from the LUKS device
+
+== SYNOPSIS
+
+*cryptsetup _luksKillSlot_ [<options>] <device> <key slot number>*
+
+== DESCRIPTION
+
+Wipe the key-slot number <key slot> from the LUKS device. Except running
+in batch-mode (-q) a remaining passphrase must be supplied, either
+interactively or via --key-file. This command can remove the last
+remaining key-slot, but requires an interactive confirmation when doing
+so. Removing the last passphrase makes a LUKS container permanently
+inaccessible.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
+--header, --disable-locks, --type, --verify-passphrase, --timeout].
+
+*WARNING:* If you read the passphrase from stdin (without further
+argument or with '-' as an argument to --key-file), batch-mode (-q) will
+be implicitly switched on and no warning will be given when you remove
+the last remaining passphrase from a LUKS container. Removing the last
+passphrase makes the LUKS container permanently inaccessible.
+
+*NOTE:* If there is no passphrase provided (on stdin or through
+--key-file argument) and batch-mode (-q) is active, the key-slot is
+removed without any other warning.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksRemoveKey.8.adoc b/man/cryptsetup-luksRemoveKey.8.adoc
new file mode 100644
index 0000000..b414f18
--- /dev/null
+++ b/man/cryptsetup-luksRemoveKey.8.adoc
@@ -0,0 +1,33 @@
+= cryptsetup-luksRemoveKey(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSREMOVEKEY:
+
+== Name
+
+cryptsetup-luksRemoveKey - remove the supplied passphrase from the LUKS device
+
+== SYNOPSIS
+
+*cryptsetup _luksRemoveKey_ [<options>] <device> [<key file with passphrase to be removed>]*
+
+== DESCRIPTION
+
+Removes the supplied passphrase from the LUKS device. The passphrase to
+be removed can be specified interactively, as the positional argument or
+via --key-file.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
+--header, --disable-locks, --type, --timeout, --verify-passphrase].
+
+*WARNING:* If you read the passphrase from stdin (without further
+argument or with '-' as an argument to --key-file), batch-mode (-q) will
+be implicitly switched on and no warning will be given when you remove
+the last remaining passphrase from a LUKS container. Removing the last
+passphrase makes the LUKS container permanently inaccessible.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksResume.8.adoc b/man/cryptsetup-luksResume.8.adoc
new file mode 100644
index 0000000..9d81cbc
--- /dev/null
+++ b/man/cryptsetup-luksResume.8.adoc
@@ -0,0 +1,29 @@
+= cryptsetup-luksResume(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSRESUME:
+
+== Name
+
+cryptsetup-luksResume - resume a suspended device and reinstate the key
+
+== SYNOPSIS
+
+*cryptsetup _luksResume_ [<options>] <name>*
+
+== DESCRIPTION
+
+Resumes a suspended device and reinstates the encryption key. Prompts
+interactively for a passphrase if no token is usable (LUKS2 only) or
+--key-file is not given.
+
+*<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
+--key-slot, --header, --disable-keyring, --disable-locks, --token-id,
+--token-only, --token-type, --disable-external-tokens, --type, --tries,
+--timeout, --verify-passphrase].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksSuspend.8.adoc b/man/cryptsetup-luksSuspend.8.adoc
new file mode 100644
index 0000000..ed20681
--- /dev/null
+++ b/man/cryptsetup-luksSuspend.8.adoc
@@ -0,0 +1,33 @@
+= cryptsetup-luksSuspend(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_LUKSSUSPEND:
+
+== Name
+
+cryptsetup-luksSuspend - suspends an active device and wipes the key
+
+== SYNOPSIS
+
+*cryptsetup _luksSuspend_ [<options>] <name>*
+
+== DESCRIPTION
+
+Suspends an active device (all IO operations will block and accesses to
+the device will wait indefinitely) and wipes the encryption key from
+kernel memory. Needs kernel 2.6.19 or later.
+
+After this operation, you have to use _luksResume_ to reinstate the
+encryption key and unblock the device or _close_ to remove the mapped
+device.
+
+*<options>* can be [--header, --disable-locks].
+
+*WARNING:* Never suspend the device on which the cryptsetup binary
+resides.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksUUID.8.adoc b/man/cryptsetup-luksUUID.8.adoc new file mode 100644 index 0000000..8ffe9ff --- /dev/null +++ b/man/cryptsetup-luksUUID.8.adoc @@ -0,0 +1,25 @@ += cryptsetup-luksUUID(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_LUKSUUID: + +== Name + +cryptsetup-luksUUID - print or set the UUID of a LUKS device + +== SYNOPSIS + +*cryptsetup _luksUUID_ [<options>] <device>* + +== DESCRIPTION + +Print the UUID of a LUKS device. + +Set new UUID if _--uuid_ option is specified. + +*<options>* can be [--header, --uuid, --type, --disable-locks]. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-open.8.adoc b/man/cryptsetup-open.8.adoc new file mode 100644 index 0000000..5e8e7a6 --- /dev/null +++ b/man/cryptsetup-open.8.adoc 
@@ -0,0 +1,165 @@ += cryptsetup-open(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_OPEN: + +== Name + +cryptsetup-open, cryptsetup-create, cryptsetup-plainOpen, cryptsetup-luksOpen, cryptsetup-loopaesOpen, cryptsetup-tcryptOpen, cryptsetup-bitlkOpen, cryptsetup-fvault2Open - open an encrypted device and create a mapping with a specified name + +== SYNOPSIS + +*cryptsetup _open_ --type <device_type> [<options>] <device> <name>* + +== DESCRIPTION +Opens (creates a mapping with) <name> backed by device <device>. + +Device type can be _plain_, _luks_ (default), _luks1_, _luks2_, +_loopaes_ or _tcrypt_. + +For backward compatibility there are *open* command aliases: + +*create* (argument-order <name> <device>): open --type plain + +*plainOpen*: open --type plain + +*luksOpen*: open --type luks + +*loopaesOpen*: open --type loopaes + +*tcryptOpen*: open --type tcrypt + +*bitlkOpen*: open --type bitlk + +*<options>* are type specific and are described below for individual +device types. For *create*, the order of the <name> and <device> options +is inverted for historical reasons, all other aliases use the standard +*<device> <name>* order. + +=== PLAIN +*open --type plain <device> <name>* + +plainOpen <device> <name> (*old syntax*) + +create <name> <device> (*OBSOLETE syntax*) + +Opens (creates a mapping with) <name> backed by device <device>. + +*<options>* can be [--hash, --cipher, --verify-passphrase, --sector-size, +--key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, +--skip, --device-size, --size, --readonly, --shared, --allow-discards, +--refresh, --timeout, --verify-passphrase, --iv-large-sectors]. + +Example: 'cryptsetup open --type plain /dev/sda10 e1' maps the raw +encrypted device /dev/sda10 to the mapped (decrypted) device +/dev/mapper/e1, which can then be mounted, fsck-ed or have a filesystem +created on it. 
+ +=== LUKS +*open <device> <name>* + +open --type <luks1|luks2> <device> <name> (*explicit version request*) + +luksOpen <device> <name> (*old syntax*) + +Opens the LUKS device <device> and sets up a mapping <name> after +successful verification of the supplied passphrase. + +First, the passphrase is searched in LUKS2 tokens unprotected by PIN. +If such token does not exist (or fails to unlock keyslot) and +also the passphrase is not supplied via --key-file, the command +prompts for passphrase interactively. + +If there is valid LUKS2 token but it requires PIN to unlock assigned keyslot, +it is not used unless one of following options is added: --token-only, +--token-type where type matches desired PIN protected token or --token-id with id +matching PIN protected token. + +*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, +--readonly, --test-passphrase, --allow-discards, --header, --key-slot, +--volume-key-file, --token-id, --token-only, --token-type, +--disable-external-tokens, --disable-keyring, --disable-locks, --type, +--refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout, +--verify-passphrase, --persistent]. + +=== loopAES +*open --type loopaes <device> <name> --key-file <keyfile>* + +loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*) + +Opens the loop-AES <device> and sets up a mapping <name>. + +If the key file is encrypted with GnuPG, then you have to use +--key-file=- and decrypt it before use, e.g., like this: + +gpg --decrypt <keyfile> | cryptsetup loopaesOpen --key-file=- <device> +<name> + +*WARNING:* The loop-AES extension cannot use the direct input of the key +file on the real terminal because the keys are separated by end-of-line and +only part of the multi-key file would be read. + +If you need it in script, just use the pipe redirection: + +echo $keyfile | cryptsetup loopaesOpen --key-file=- <device> <name> + +Use *--keyfile-size* to specify the proper key length if needed. 
+ +Use *--offset* to specify device offset. Note that the units need to be +specified in number of 512 byte sectors. + +Use *--skip* to specify the IV offset. If the original device used an +offset and but did not use it in IV sector calculations, you have to +explicitly use *--skip 0* in addition to the offset parameter. + +Use *--hash* to override the default hash function for passphrase +hashing (otherwise it is detected according to key size). + +*<options>* can be [--cipher, --key-file, --keyfile-size, --keyfile-offset, +--key-size, --offset, --skip, --hash, --readonly, --allow-discards, --refresh]. + +=== TrueCrypt and VeraCrypt +*open --type tcrypt <device> <name>* + +tcryptOpen <device> <name> (*old syntax*) + +Opens the TCRYPT (TrueCrypt and VeraCrypt compatible) <device> and sets +up a mapping <name>. + +*<options>* can be [--key-file, --tcrypt-hidden, --tcrypt-system, +--tcrypt-backup, --readonly, --test-passphrase, --allow-discards, +--veracrypt (ignored), --disable-veracrypt, --veracrypt-pim, +--veracrypt-query-pim, --header, +--cipher, --hash, --tries, --timeout, --verify-passphrase]. + +The keyfile parameter allows a combination of file content with the +passphrase and can be repeated. Note that using keyfiles is compatible +with TCRYPT and is different from LUKS keyfile logic. + +If *--cipher* or *--hash* options are used, only cipher chains or PBKDF2 +variants with the specified hash algorithms are checked. This could +speed up unlocking the device (but also it reveals some information +about the container). + +If you use *--header* in combination with hidden or system options, the +header file must contain specific headers on the same positions as the +original encrypted container. + +*WARNING:* Option *--allow-discards* cannot be combined with option +*--tcrypt-hidden*. For normal mapping, it can cause the *destruction of +hidden volume* (hidden volume appears as unused space for outer volume +so this space can be discarded). 
+ +=== BitLocker +*open --type bitlk <device> <name>* + +bitlkOpen <device> <name> (*old syntax*) + +Opens the BITLK (a BitLocker compatible) <device> and sets up a mapping +<name>. + +*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, +--readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, +--timeout, --verify-passphrase]. + +=== FileVault2 +*open --type fvault2 <device> <name>* + +fvault2Open <device> <name> (*old syntax*) + +Opens the FVAULT2 (a FileVault2 compatible) <device> and sets up a mapping +<name>. + +*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, +--readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, +--timeout, --verify-passphrase]. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8 deleted file mode 100644 index 333ed58..0000000 --- a/man/cryptsetup-reencrypt.8 +++ /dev/null 
@@ -1,295 +0,0 @@ -.TH CRYPTSETUP-REENCRYPT "8" "January 2021" "cryptsetup-reencrypt" "Maintenance Commands" -.SH NAME -cryptsetup-reencrypt - tool for offline LUKS device re-encryption -.SH SYNOPSIS -.B cryptsetup-reencrypt <options> <device> -.SH DESCRIPTION -.PP -Cryptsetup-reencrypt can be used to change reencryption parameters -which otherwise require full on-disk data change (re-encryption). - -You can regenerate \fBvolume key\fR (the real key used in on-disk encryption -unclocked by passphrase), \fBcipher\fR, \fBcipher mode\fR. - -Cryptsetup-reencrypt reencrypts data on LUKS device in-place. During -reencryption process the LUKS device is marked unavailable. - -\fINOTE\fR: If you're looking for LUKS2 online reencryption manual please read cryptsetup(8) -man page instead (see reencrypt action). This page is for legacy offline reencryption -utility only. - -\fIWARNING\fR: The cryptsetup-reencrypt program is not resistant to hardware -or kernel failures during reencryption (you can lose your data in this case). - -\fIALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.\fR -.br -The reencryption can be temporarily suspended (by TERM signal or by -using ctrl+c) but you need to retain temporary files named LUKS-<uuid>.[log|org|new]. -LUKS device is unavailable until reencryption is finished though. - -Current working directory must be writable and temporary -files created during reencryption must be present. - -For more info about LUKS see cryptsetup(8). 
-.PP -.SH OPTIONS -.TP -To start (or continue) re-encryption for <device> use: -.PP -\fIcryptsetup-reencrypt\fR <device> - -\fB<options>\fR can be [\-\-batch-mode, \-\-block-size, \-\-cipher | \-\-keep-key, -\-\-debug, \-\-device-size, \-\-hash, \-\-header, \-\-iter-time | \-\-pbkdf\-force\-iterations, -\-\-key-file, \-\-key-size, \-\-key-slot, \-\-keyfile-offset, \-\-keyfile-size, -\-\-master\-key\-file, \-\-tries, \-\-pbkdf, \-\-pbkdf\-memory, \-\-pbkdf\-parallel, -\-\-progress-frequency, \-\-use-directio, \-\-use-random | \-\-use-urandom, \-\-use-fsync, -\-\-uuid, \-\-verbose, \-\-write-log] - -To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR in combination -with \fI\-\-reduce-device-size\fR or with \fI\-\-header\fR option for detached header. - -To remove encryption from device, use \fI\-\-decrypt\fR. - -For detailed description of encryption and key file options see \fIcryptsetup(8)\fR -man page. -.TP -.B "\-\-batch-mode, \-q" -Suppresses all warnings and reencryption progress output. -.TP -.B "\-\-block-size, \-B \fIvalue\fR" -Use re-encryption block size of <value> in MiB. - -Values can be between 1 and 64 MiB. -.TP -.B "\-\-cipher, \-c" \fI<cipher-spec>\fR -Set the cipher specification string. -.TP -.B "\-\-debug" -Run in debug mode with full diagnostic logs. Debug output -lines are always prefixed by '#'. -.TP -.B "\-\-decrypt" -Remove encryption (decrypt already encrypted device and remove LUKS header). - -\fBWARNING:\fR This is destructive operation and cannot be reverted. -.TP -.B "\-\-device-size \fIsize[units]\fR" -Instead of real device size, use specified value. - -It means that only specified area (from the start of the device -to the specified size) will be reencrypted. - -If no unit suffix is specified, the size is in bytes. - -Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB) -for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale). - -\fBWARNING:\fR This is destructive operation. 
-.TP -.B "\-\-hash, \-h \fI<hash-spec>\fR" -Specifies the hash used in the LUKS1 key setup scheme and volume key digest. - -\fBNOTE:\fR if this parameter is not specified, default hash algorithm is always used -for new LUKS1 device header. - -\fBNOTE:\fR with LUKS2 format this option is only relevant when new keyslot pbkdf algorithm -is set to PBKDF2 (see \fI\-\-pbkdf\fR). -.TP -.B "\-\-header\fR \fI<LUKS header file>\fR" -Use a detached (separated) metadata device or file where the -LUKS header is stored. This option allows one to store ciphertext -and LUKS header on different devices. - -\fBWARNING:\fR There is no check whether the ciphertext device specified -actually belongs to the header given. -If used with \fI\-\-new\fR option, the header file will created (or overwritten). -Use with care. -.TP -.B "\-\-iter-time, \-i \fI<milliseconds>\fR" -The number of milliseconds to spend with PBKDF2 passphrase processing for the -new LUKS header. -.TP -.B "\-\-keep-key" -Do not change encryption key, just reencrypt the LUKS header and keyslots. - -This option can be combined only with \fI\-\-hash\fR, \fI\-\-iter-time\fR, -\fI\-\-pbkdf\-force\-iterations\fR, \fI\-\-pbkdf\fR (LUKS2 only), -\fI\-\-pbkdf\-memory\fR (Argon2i/id and LUKS2 only) and \fI\-\-pbkdf\-parallel\fR -(Argon2i/id and LUKS2 only) options. -.TP -.B "\-\-key-file, \-d \fIname\fR" -Read the passphrase from file. - -\fBWARNING:\fR \-\-key-file option can be used only if there is only one active keyslot, -or alternatively, also if \-\-key-slot option is specified (then all other keyslots -will be disabled in new LUKS device). - -If this option is not used, cryptsetup-reencrypt will ask for all active keyslot -passphrases. -.TP -.B "\-\-key-size, \-s \fI<bits>\fR" -Set key size in bits. The argument has to be a multiple of 8. - -The possible key-sizes are limited by the cipher and mode used. 
- -If you are increasing key size, there must be enough space in the LUKS header -for enlarged keyslots (data offset must be large enough) or reencryption -cannot be performed. - -If there is not enough space for keyslots with new key size, -you can destructively shrink device with \-\-reduce-device-size option. -.TP -.B "\-\-key-slot, \-S <0-MAX>" -Specify which key slot is used. For LUKS1, max keyslot number is 7. For LUKS2, it's 31. - -\fBWARNING:\fR All other keyslots will be disabled if this option is used. -.TP -.B "\-\-keyfile-offset \fIvalue\fR" -Skip \fIvalue\fR bytes at the beginning of the key file. -.TP -.B "\-\-keyfile-size, \-l" -Read a maximum of \fIvalue\fR bytes from the key file. -Default is to read the whole file up to the compiled-in -maximum. -.TP -.B "\-\-master\-key\-file" -Use new volume (master) key stored in a file. -.TP -.B "\-\-new, \-N" -Create new header (encrypt not yet encrypted device). - -This option must be used together with \-\-reduce-device-size. - -\fBWARNING:\fR This is destructive operation and cannot be reverted. -.TP -.B "\-\-pbkdf" -Set Password-Based Key Derivation Function (PBKDF) algorithm for LUKS keyslot. -The PBKDF can be: \fIpbkdf2\fR, \fIargon2i\fR for Argon2i or \fIargon2id\fR for Argon2id. - -For LUKS1, only \fIpbkdf2\fR is accepted (no need to use this option). -.TP -.B "\-\-pbkdf\-force\-iterations <num>" -Avoid PBKDF benchmark and set time cost (iterations) directly. -.TP -.B "\-\-pbkdf\-memory <number>" -Set the memory cost for PBKDF (for Argon2i/id the number represents kilobytes). -Note that it is maximal value, PBKDF benchmark or available physical memory -can decrease it. -This option is not available for PBKDF2. -.TP -.B "\-\-pbkdf\-parallel <number>" -Set the parallel cost for PBKDF (number of threads, up to 4). -Note that it is maximal value, it is decreased automatically if -CPU online count is lower. -This option is not available for PBKDF2. 
-.TP -.B "\-\-progress-frequency <seconds>" -Print separate line every <seconds> with reencryption progress. -.TP -.B "\-\-reduce-device-size \fIsize[units]\fR" -Enlarge data offset to specified value by shrinking device size. - -This means that last sectors on the original device will be lost, -ciphertext data will be effectively shifted by specified -number of sectors. - -It can be useful if you e.g. added some space to underlying -partition (so last sectors contains no data). - -For units suffix see \-\-device-size parameter description. - -You cannot shrink device more than by 64 MiB (131072 sectors). - -\fBWARNING:\fR This is destructive operation and cannot be reverted. -Use with extreme care - shrunk filesystems are usually unrecoverable. -.TP -.B "\-\-tries, \-T" -Number of retries for invalid passphrase entry. -.TP -.B "\-\-type <type>" -Use only while encrypting not yet encrypted device (see \-\-new). - -Specify LUKS version when performing in-place encryption. If the parameter -is omitted default value (LUKS1) is used. Type may be one of: \fBluks\fR (default), -\fBluks1\fR or \fBluks2\fR. -.TP -.B "\-\-use-directio" -Use direct-io (O_DIRECT) for all read/write data operations related -to block device undergoing reencryption. - -Useful if direct-io operations perform better than normal buffered -operations (e.g. in virtual environments). -.TP -.B "\-\-use-fsync" -Use fsync call after every written block. This applies for reencryption -log files as well. -.TP -.B "\-\-use-random" -.TP -.B "\-\-use-urandom" -Define which kernel random number generator will be used to create the volume key. -.TP -.B "\-\-uuid" \fI<uuid>\fR -Use only while resuming an interrupted decryption process (see \-\-decrypt). - -To find out what \fI<uuid>\fR to pass look for temporary files LUKS-<uuid>.[|log|org|new] -of the interrupted decryption process. -.TP -.B "\-\-verbose, \-v" -Print more information on command execution. -.TP -.B "\-\-version" -Show the program version. 
-.TP -.B "\-\-write-log" -Update log file after every block write. This can slow down reencryption -but will minimize data loss in the case of system crash. - -.SH RETURN CODES -Cryptsetup-reencrypt returns 0 on success and a non-zero value on error. - -Error codes are: 1 wrong parameters, 2 no permission, -3 out of memory, 4 wrong device specified, 5 device already exists -or device is busy. -.SH EXAMPLES -.TP -Reencrypt /dev/sdb1 (change volume key) -cryptsetup-reencrypt /dev/sdb1 -.TP -Reencrypt and also change cipher and cipher mode -cryptsetup-reencrypt /dev/sdb1 \-c aes-xts-plain64 -.TP -Add LUKS encryption to not yet encrypted device - -First, be sure you have space added to disk. - -Or alternatively shrink filesystem in advance. -.br -Here we need 4096 512-bytes sectors (enough for 2x128 bit key). - -fdisk \-u /dev/sdb # move sdb1 partition end + 4096 sectors -(or use resize2fs or tool for your filesystem and shrink it) - -cryptsetup-reencrypt /dev/sdb1 \-\-new \-\-reduce-device-size 4096S -.TP -Remove LUKS encryption completely - -cryptsetup-reencrypt /dev/sdb1 \-\-decrypt - -.SH REPORTING BUGS -Report bugs, including ones in the documentation, on -the cryptsetup mailing list at <dm-crypt@saout.de> -or in the 'Issues' section on LUKS website. -Please attach the output of the failed command with the -\-\-debug option added. -.SH AUTHORS -Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>. -.SH COPYRIGHT -Copyright \(co 2012-2021 Milan Broz -.br -Copyright \(co 2012-2021 Red Hat, Inc. - -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -.SH SEE ALSO -The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR diff --git a/man/cryptsetup-reencrypt.8.adoc b/man/cryptsetup-reencrypt.8.adoc new file mode 100644 index 0000000..154a469 --- /dev/null +++ b/man/cryptsetup-reencrypt.8.adoc 
@@ -0,0 +1,175 @@
+= cryptsetup-reencrypt(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_REENCRYPT:
+
+== Name
+
+cryptsetup-reencrypt - reencrypt LUKS encrypted volumes in-place
+
+== SYNOPSIS
+
+*cryptsetup _reencrypt_ [<options>] <device> or --active-name <name> [<new_name>]*
+
+== DESCRIPTION
+
+Run LUKS device reencryption.
+
+There are 3 basic modes of operation:
+
+* device reencryption (_reencrypt_)
+* device encryption (_reencrypt_ --encrypt/--new/-N)
+* device decryption (_reencrypt_ --decrypt)
+
+<device> or --active-name <name> (LUKS2 only) is mandatory parameter.
+
+Cryptsetup _reencrypt_ action can be used to change reencryption parameters
+which otherwise require full on-disk data change (re-encryption). The
+_reencrypt_ action reencrypts data on LUKS device in-place.
+
+You can regenerate *volume key* (the real key used in on-disk encryption
+unclocked by passphrase), *cipher*, *cipher mode* or *encryption sector size*
+(LUKS2 only).
+
+Reencryption process may be safely interrupted by a user via SIGINT
+signal (ctrl+c). Same applies to SIGTERM signal (i.e. issued by systemd
+during system shutdown).
+
+For in-place encryption mode, the _reencrypt_ action additionally takes all
+options available for _luksFormat_ action for respective LUKS version (see
+cryptsetup-luksFormat man page for more details). See *cryptsetup-luksFormat*(8).
+
+*NOTE* that for encrypt and decrypt mode, the whole device must be
+treated as unencrypted -- there are no quarantees of confidentiality as
+part of the device contains plaintext.
+
+*ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS ACTION ON LUKS DEVICE.*
+
+*<options>* can be [--batch-mode,
+--block-size,
+--cipher,
+--debug,
+--debug-json,
+--decrypt,
+--device-size,
+--disable-locks,
+--encrypt,
+--force-offline-reencrypt,
+--hash,
+--header,
+--hotzone-size,
+--iter-time,
+--init-only,
+--keep-key,
+--key-file,
+--key-size,
+--key-slot,
+--keyfile-offset,
+--keyfile-size,
+--tries,
+--timeout,
+--pbkdf,
+--pbkdf-force-iterations,
+--pbkdf-memory,
+--pbkdf-parallel,
+--progress-frequency,
+--progress-json,
+--reduce-device-size,
+--resilience,
+--resilience-hash,
+--resume-only,
+--sector-size,
+--use-directio,
+--use-random,
+--use-urandom,
+--use-fsync,
+--uuid,
+--verbose,
+--volume-key-file,
+--write-log].
+
+== LUKS2 REENCRYPTION
+
+With <device> parameter cryptsetup looks up active <device> dm mapping.
+If no active mapping is detected, it starts offline LUKS2 reencryption
+otherwise online reencryption takes place.
+
+To resume already initialized or interrupted reencryption, just run the
+cryptsetup _reencrypt_ command again to continue the reencryption
+operation. Reencryption may be resumed with different --resilience or
+--hotzone-size unless implicit datashift resilience mode is used: either
+encrypt mode with --reduce-device-size option or decrypt mode with
+original LUKS2 header exported in --header file.
+
+If the reencryption process was interrupted abruptly (reencryption
+process crash, system crash, poweroff) it may require recovery. The
+recovery is currently run automatically on next activation (action
+_open_) when needed or explicitly by user (action _repair_).
+
+Optional parameter <new_name> takes effect only with encrypt option
+and it activates device <new_name> immediately after encryption
+initialization gets finished. That's useful when device needs to be
+ready as soon as possible and mounted (used) before full data area
+encryption is completed.
+
+== LUKS1 REENCRYPTION
+
+Current working directory must be writable and temporary files created during
+reencryption must be present. During reencryption process the LUKS1 device is
+marked unavailable and must be offline (no dm-crypt mapping or mounted
+filesystem).
+
+*WARNING*: The LUKS1 reencryption code is not resistant to hardware
+or kernel failures during reencryption (you can lose your data in this case).
+
+include::man/common_options.adoc[]
+
+== EXAMPLES
+
+*NOTE*: You may drop *--type luks2* option as long as LUKS2 format is
+default.
+
+=== LUKS2 ENCRYPTION EXAMPLES
+
+Encrypt LUKS2 device (in-place). Make sure last 32 MiB on _/dev/plaintext_
+is unused (e.g.: does not contain filesystem data):
+
+*cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/plaintext_device*
+
+Encrypt LUKS2 device (in-place) with detached header put in a file:
+
+*cryptsetup reencrypt --encrypt --type luks2 --header my_luks2_header /dev/plaintext_device*
+
+Initialize LUKS2 in-place encryption operation only and activate the device (not yet encrypted):
+
+*cryptsetup reencrypt --encrypt --type luks2 --init-only --reduce-device-size 32m /dev/plaintext_device my_future_luks_device*
+
+Resume online encryption on device initialized in example above:
+
+*cryptsetup reencrypt --resume-only /dev/plaintext_device* or
+*cryptsetup reencrypt --active-name my_future_luks_device*
+
+=== LUKS2 REENCRYPTION EXAMPLES
+
+Reencrypt LUKS2 device (refresh volume key only):
+
+*cryptsetup reencrypt /dev/encrypted_device*
+
+=== LUKS2 DECRYPTION EXAMPLES
+
+Decrypt LUKS2 device with header put in head of data device (header file does not exist):
+
+*cryptsetup reencrypt --decrypt --header /export/header/to/file /dev/encrypted_device*
+
+Decrypt LUKS2 device with detached header (header file exists):
+
+*cryptsetup reencrypt --decrypt --header detached-luks2-header /dev/encrypted_device*
+
+Resume interrupted LUKS2 decryption:
+
+*cryptsetup reencrypt --resume-only --header luks2-hdr-file /dev/encrypted_device*
+
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-refresh.8.adoc b/man/cryptsetup-refresh.8.adoc
new file mode 100644
index 0000000..b79a80a
--- /dev/null
+++ b/man/cryptsetup-refresh.8.adoc
@@ -0,0 +1,53 @@
+= cryptsetup-refresh(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_REFRESH:
+
+== Name
+
+cryptsetup-refresh - refresh parameters of an active mapping
+
+== SYNOPSIS
+
+*cryptsetup _refresh_ [<options>] <name>*
+
+== DESCRIPTION
+
+Refreshes parameters of active mapping <name>.
+
+Updates parameters of active device <name> without the need to deactivate
+the device (and umount filesystem). Currently, it supports parameters
+refresh on following devices: LUKS1, LUKS2 (including authenticated
+encryption), plain crypt and loop-AES.
+
+Mandatory parameters are identical to those of an open action for
+the respective device type.
+
+You may change following parameters on all devices
+--perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
+--perf-no_read_workqueue, --perf-no_write_workqueue and
+--allow-discards.
+
+Refreshing the device without any optional parameter will refresh the device
+with default setting (respective to device type).
+
+*LUKS2 only:*
+
+The --integrity-no-journal parameter affects only LUKS2 devices with
+the underlying dm-integrity device.
+
+Adding option --persistent stores any combination of device parameters
+above in LUKS2 metadata (only after successful refresh operation).
+
+The --disable-keyring parameter refreshes a device with volume key passed in
+dm-crypt driver.
+
+*<options>* can be [--allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
+--perf-no_read_workqueue, --perf-no_write_workqueue, --header, --disable-keyring,
+--disable-locks, --persistent, --integrity-no-journal].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-repair.8.adoc b/man/cryptsetup-repair.8.adoc
new file mode 100644
index 0000000..22ad9cb
--- /dev/null
+++ b/man/cryptsetup-repair.8.adoc
@@ -0,0 +1,43 @@
+= cryptsetup-repair(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_REPAIR:
+
+== Name
+
+cryptsetup-repair - repair the device metadata
+
+== SYNOPSIS
+
+*cryptsetup _repair_ [<options>] <device>*
+
+== DESCRIPTION
+
+Tries to repair the device metadata if possible. Currently supported
+only for LUKS device type.
+
+This command is useful to fix some known benign LUKS metadata header
+corruptions. Only basic corruptions of unused keyslot are fixable. This
+command will only change the LUKS header, not any key-slot data. You may
+enforce LUKS version by adding --type option.
+
+It also repairs (upgrades) LUKS2 reencryption metadata by adding
+a metadata digest that protects it against malicious changes.
+
+If LUKS2 reencryption was interrupted in the middle of writing
+reencryption segment the repair command can be used to perform
+reencryption recovery so that reencryption can continue later.
+Repairing reencryption requires verification of reencryption
+keyslot so passphrase or keyfile is needed.
+
+*<options>* can be [--timeout, --verify-passphrase, --disable-locks,
+--type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
+
+*WARNING:* Always create a binary backup of the original header before
+calling this command.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-resize.8.adoc b/man/cryptsetup-resize.8.adoc
new file mode 100644
index 0000000..4cff482
--- /dev/null
+++ b/man/cryptsetup-resize.8.adoc
@@ -0,0 +1,42 @@
+= cryptsetup-resize(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_RESIZE:
+
+== Name
+
+cryptsetup-resize - resize an active mapping
+
+== SYNOPSIS
+
+*cryptsetup _resize_ [<options>] <name>*
+
+== DESCRIPTION
+
+Resizes an active mapping <name>.
+
+If --size (in 512-bytes sectors) or --device-size are not specified, the
+size is computed from the underlying device. For LUKS it is the size of
+the underlying device without the area reserved for LUKS header (see
+data payload offset in *luksDump* command). For plain crypt device, the
+whole device size is used.
+
+Note that this does not change the raw device geometry, it just changes
+how many sectors of the raw device are represented in the mapped device.
+
+If cryptsetup detected volume key for active device loaded in kernel
+keyring service, resize action would first try to retrieve the key using
+a token. Only if it failed, it'd ask for a passphrase to unlock a
+keyslot (LUKS) or to derive a volume key again (plain mode). The kernel
+keyring is used by default for LUKS2 devices.
+
+*<options>* can be [--size, --device-size, --token-id, --token-only,
+--token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
+--timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
+--verify-passphrase, --timeout].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-ssh.8 b/man/cryptsetup-ssh.8
deleted file mode 100644
index 3599ce9..0000000
--- a/man/cryptsetup-ssh.8
+++ /dev/null
@@ -1,84 +0,0 @@ -.TH CRYPTSETUP-SSH "8" "June 2021" "cryptsetup-ssh" "Maintenance Commands" -.SH NAME -cryptsetup-ssh \- manage LUKS2 SSH token -.SH SYNOPSIS -.B cryptsetup-ssh -\fI\,<options> <action> <action args>\/\fR -.SH DESCRIPTION -Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected -to an SSH server. - -This plugin currently allows only adding a token to an existing key slot, see \fBcryptsetup(8)\fP -for instruction on how to remove, import or export the token. - -.SS Add operation -.PP -\fIadd\fR <options> <device> -.IP -Adds the SSH token to \fB<device>\fR. - -Specified SSH server must contain a key file on the specified path with a -passphrase for an existing key slot on the device. -Provided credentials will be used by cryptsetup to get the password when -opening the device using the token. - -\-\-ssh\-server, \-\-ssh\-user, \-\-ssh\-keypath and -\-ssh\-path -are required for this operation. - -.TP -\fB\-\-key\-slot\fR=\fI\,NUM\/\fR -Keyslot to assign the token to. If not specified, the token will be assigned to the first key slot -matching provided passphrase. -.TP -\fB\-\-ssh\-keypath\fR=\fI\,STRING\/\fR -Path to the SSH key for connecting to the remote server. -.TP -\fB\-\-ssh\-path\fR=\fI\,STRING\/\fR -Path to the key file on the remote server. -.TP -\fB\-\-ssh\-server\fR=\fI\,STRING\/\fR -IP address/URL of the remote server for this token. -.TP -\fB\-\-ssh\-user\fR=\fI\,STRING\/\fR -Username used for the remote server. -.IP - -.SH OPTIONS -.TP -\fB\-\-debug\fR -Show debug messages -.TP -\fB\-\-debug\-json\fR -Show debug messages including JSON metadata -.TP -\fB\-v\fR, \fB\-\-verbose\fR -Shows more detailed error messages -.TP -\-?, \fB\-\-help\fR -Show help -.TP -\fB\-V\fR, \fB\-\-version\fR -Print program version -.PP - -.SH NOTES -The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext. 
- -.SH REPORTING BUGS -Report bugs, including ones in the documentation, on -the cryptsetup mailing list at <dm-crypt@saout.de> -or in the 'Issues' section on LUKS website. -Please attach the output of the failed command with the -\-\-debug option added. - -.SH COPYRIGHT -Copyright \(co 2016-2021 Red Hat, Inc. -.br -Copyright \(co 2016-2021 Milan Broz -.br -Copyright \(co 2021 Vojtech Trefny - -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -.SH SEE ALSO -The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR diff --git a/man/cryptsetup-ssh.8.adoc b/man/cryptsetup-ssh.8.adoc new file mode 100644 index 0000000..f71f856 --- /dev/null +++ b/man/cryptsetup-ssh.8.adoc 
@@ -0,0 +1,80 @@
+= cryptsetup-ssh(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup-ssh {release-version}
+:man-linkstyle: pass:[blue R < >]
+
+== NAME
+
+cryptsetup-ssh - manage LUKS2 SSH token
+
+== SYNOPSIS
+
+*cryptsetup-ssh <action> [<options>] <action args>*
+
+== DESCRIPTION
+
+Experimental cryptsetup plugin for unlocking LUKS2 devices with token
+connected to an SSH server.
+
+This plugin currently allows only adding a token to an existing key
+slot. See *cryptsetup(8)* for instructions on how to remove, import or
+export the token.
+
+=== Add operation
+
+*add <options> <device>*
+
+Adds the SSH token to *<device>*.
+
+The specified SSH server must contain a key file on the specified path with
+a passphrase for an existing key slot on the device. Provided
+credentials will be used by cryptsetup to get the password when opening
+the device using the token.
+
+Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are
+required for this operation.
+
+== OPTIONS
+
+**--key-slot**=_NUM_::
+Keyslot to assign the token to. If not specified, the token will be
+assigned to the first key slot matching provided passphrase.
+
+**--ssh-keypath**=_STRING_::
+Path to the SSH key for connecting to the remote server.
+
+**--ssh-path**=_STRING_::
+Path to the key file on the remote server.
+
+**--ssh-server**=_STRING_::
+IP address/URL of the remote server for this token.
+
+**--ssh-user**=_STRING_::
+Username used for the remote server.
+
+*--debug*::
+Show debug messages
+
+*--debug-json*::
+Show debug messages including JSON metadata
+
+*--verbose, -v*::
+Shows more detailed error messages
+
+*--help, -?*::
+Show help
+
+*--version, -V*::
+Print program version
+
+== NOTES
+
+The information provided when adding the token (SSH server address, user
+and paths) will be stored in the LUKS2 header in plaintext.
+
+== AUTHORS
+
+The cryptsetup-ssh tool is written by Vojtech Trefny.
+
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-status.8.adoc b/man/cryptsetup-status.8.adoc
new file mode 100644
index 0000000..1152f55
--- /dev/null
+++ b/man/cryptsetup-status.8.adoc
@@ -0,0 +1,24 @@
+= cryptsetup-status(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_STATUS:
+
+== Name
+
+cryptsetup-status - report the status for a mapping
+
+== SYNOPSIS
+
+*cryptsetup _status_ [<options>] <name>*
+
+== DESCRIPTION
+
+Reports the status for the mapping <name>.
+
+*<options>* can be [--header, --disable-locks].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-tcryptDump.8.adoc b/man/cryptsetup-tcryptDump.8.adoc
new file mode 100644
index 0000000..51d5041
--- /dev/null
+++ b/man/cryptsetup-tcryptDump.8.adoc
@@ -0,0 +1,37 @@
+= cryptsetup-tcryptDump(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_TCRYPTDUMP:
+
+== Name
+
+cryptsetup-tcryptDump - dump the header information of a TCRYPT (TrueCrypt or VeraCrypt compatible) device
+
+== SYNOPSIS
+
+*cryptsetup _tcryptDump_ [<options>] <device>*
+
+== DESCRIPTION
+
+Dump the header information of a TCRYPT (TrueCrypt or VeraCrypt compatible) device.
+
+If the --dump-volume-key option is used, the TCRYPT device volume key is
+dumped instead of TCRYPT header info. Beware that the volume key (or
+concatenated volume keys if cipher chain is used) can be used to decrypt
+the data stored in the TCRYPT container without a passphrase. This means
+that if the volume key is compromised, the whole device has to be erased
+to prevent further access. Use this option carefully.
+
+*<options>* can be [--dump-volume-key, --key-file, --tcrypt-hidden,
+--tcrypt-system, --tcrypt-backup, --veracrypt (ignored), --disable-veracrypt,
+--veracrypt-pim, --veracrypt-query-pim, --cipher, --hash, --header,
+--verify-passphrase, --timeout].
+
+The keyfile parameter allows a combination of file content with the
+passphrase and can be repeated.
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc
new file mode 100644
index 0000000..7a3a069
--- /dev/null
+++ b/man/cryptsetup-token.8.adoc
@@ -0,0 +1,55 @@
+= cryptsetup-token(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+:COMMON_OPTIONS:
+:ACTION_TOKEN:
+
+== Name
+
+cryptsetup-token - manage LUKS2 tokens
+
+== SYNOPSIS
+
+*cryptsetup _token_ <add|remove|import|export|unassign> [<options>] <device>*
+
+== DESCRIPTION
+
+Action _add_ creates a new keyring token to enable auto-activation of the
+device. For the auto-activation, the passphrase must be stored in
+keyring with the specified description. Usually, the passphrase should
+be stored in _user_ or _user-session_ keyring. The _token_ command is
+supported only for LUKS2.
+
+For adding new keyring token, option --key-description is mandatory.
+Also, new token is assigned to key slot specified with --key-slot option
+or to all active key slots in the case --key-slot option is omitted.
+
+To remove existing token, specify the token ID which should be removed
+with --token-id option.
+
+*WARNING:* The action _token remove_ removes any token type, not just
+_keyring_ type from token slot specified by --token-id option.
+
+Action _import_ can store arbitrary valid token json in LUKS2 header. It
+may be passed via standard input or via file passed in --json-file
+option. If you specify --key-slot then successfully imported token is
+also assigned to the key slot.
+
+Action _export_ writes requested token JSON to a file passed with
+--json-file or to standard output.
+
+Action _unassign_ removes token binding to specified keyslot. Both token
+and keyslot must be specified by --token-id and --key-slot parameters.
+
+If --token-id is used with action _add_ or action _import_ and a token
+with that ID already exists, option --token-replace can be used to
+replace the existing token.
+
+*<options>* can be [--header, --token-id, --key-slot, --key-description,
+--disable-external-tokens, --disable-locks, --disable-keyring,
+--json-file, --token-replace, --unbound].
+
+include::man/common_options.adoc[]
+include::man/common_footer.adoc[]
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
deleted file mode 100644
index f3b82ef..0000000
--- a/man/cryptsetup.8
+++ /dev/null
@@ -1,1836 +0,0 @@ -.TH CRYPTSETUP "8" "January 2021" "cryptsetup" "Maintenance Commands" -.SH NAME -cryptsetup - manage plain dm-crypt and LUKS encrypted volumes -.SH SYNOPSIS -.B cryptsetup <options> <action> <action args> -.SH DESCRIPTION -.PP -cryptsetup is used to conveniently setup dm-crypt managed -device-mapper mappings. These include plain dm-crypt volumes and -LUKS volumes. The difference is that LUKS uses a metadata header -and can hence offer more features than plain dm-crypt. On the other -hand, the header is visible and vulnerable to damage. - -In addition, cryptsetup provides limited support for the use of -loop-AES volumes, TrueCrypt, VeraCrypt and BitLocker compatible volumes. - -.SH PLAIN DM-CRYPT OR LUKS? -.PP -Unless you understand the cryptographic background well, use LUKS. -With plain dm-crypt there are a number of possible user errors -that massively decrease security. While LUKS cannot fix them -all, it can lessen the impact for many of them. -.SH WARNINGS -.PP -A lot of good information on the risks of using encrypted storage, -on handling problems and on security aspects can be found in the -\fICryptsetup FAQ\fR. Read it. Nonetheless, some risks deserve -to be mentioned here. - -\fBBackup:\fR Storage media die. Encryption has no influence on that. -Backup is mandatory for encrypted data as well, if the data has any -worth. See the Cryptsetup FAQ for advice on how to do a backup of an -encrypted volume. - -\fBCharacter encoding:\fR If you enter a -passphrase with special symbols, the passphrase can change -depending on character encoding. Keyboard settings can also change, -which can make blind input hard or impossible. For -example, switching from some ASCII 8-bit variant to UTF-8 -can lead to a different binary encoding and hence different -passphrase seen by cryptsetup, even if what you see on -the terminal is exactly the same. 
It is therefore highly -recommended to select passphrase characters only from 7-bit -ASCII, as the encoding for 7-bit ASCII stays the same for -all ASCII variants and UTF-8. - -\fBLUKS header:\fR If the header of a LUKS volume gets damaged, -all data is permanently lost unless you have a header-backup. -If a key-slot is damaged, it can only be restored from a header-backup -or if another active key-slot with known passphrase is undamaged. -Damaging the LUKS header is something people manage to do with -surprising frequency. This risk is the result of a trade-off -between security and safety, as LUKS is designed for fast and -secure wiping by just overwriting header and key-slot area. - -\fBPreviously used partitions:\fR If a partition was previously used, -it is a very good idea to wipe filesystem signatures, data, etc. before -creating a LUKS or plain dm-crypt container on it. -For a quick removal of filesystem signatures, use "wipefs". Take care -though that this may not remove everything. In particular, MD RAID -signatures at the end of a device may survive. It also does not -remove data. For a full wipe, overwrite the whole partition before -container creation. If you do not know how to do that, the -cryptsetup FAQ describes several options. - -.SH BASIC ACTIONS -The following are valid actions for all supported device types. - -\fIopen\fR <device> <name> \-\-type <device_type> -.IP -Opens (creates a mapping with) <name> backed by device <device>. - -Device type can be \fIplain\fR, \fIluks\fR (default), \fIluks1\fR, \fIluks2\fR, -\fIloopaes\fR or \fItcrypt\fR. 
- -For backward compatibility there are \fBopen\fR command aliases: - -\fBcreate\fR (argument-order <name> <device>): open \-\-type plain -.br -\fBplainOpen\fR: open \-\-type plain -.br -\fBluksOpen\fR: open \-\-type luks -.br -\fBloopaesOpen\fR: open \-\-type loopaes -.br -\fBtcryptOpen\fR: open \-\-type tcrypt -.br -\fBbitlkOpen\fR: open \-\-type bitlk - -\fB<options>\fR are type specific and are described below -for individual device types. For \fBcreate\fR, the order of the <name> -and <device> options is inverted for historical reasons, all other -aliases use the standard \fB<device> <name>\fR order. -.PP -\fIclose\fR <name> -.IP -Removes the existing mapping <name> and wipes the key from kernel memory. - -For backward compatibility there are \fBclose\fR command aliases: -\fBremove\fR, \fBplainClose\fR, \fBluksClose\fR, \fBloopaesClose\fR, -\fBtcryptClose\fR (all behaves exactly the same, device type is -determined automatically from active device). - -\fB<options>\fR can be [\-\-deferred] or [\-\-cancel\-deferred] - -.PP -\fIstatus\fR <name> -.IP -Reports the status for the mapping <name>. -.PP -\fIresize\fR <name> -.IP -Resizes an active mapping <name>. - -If \-\-size (in 512-bytes sectors) or \-\-device\-size are not specified, -the size is computed from the underlying device. For LUKS it is the size -of the underlying device without the area reserved for LUKS header -(see data payload offset in \fBluksDump\fR command). -For plain crypt device, the whole device size is used. - -Note that this does not change the raw device geometry, it just -changes how many sectors of the raw device are represented -in the mapped device. - -If cryptsetup detected volume key for active device loaded in kernel keyring -service, resize action would first try to retrieve -the key using a token and only if it failed it'd ask for a passphrase -to unlock a keyslot (LUKS) or to derive a volume key again (plain mode). -The kernel keyring is used by default for LUKS2 devices. 
- -With LUKS2 device additional \fB<options>\fR can be [\-\-token\-id, \-\-token\-only, -\-\-token-type, \-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, -\-\-timeout, \-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring]. - -.PP -\fIrefresh\fR <name> -.IP -Refreshes parameters of active mapping <name>. - -Updates parameters of active device <name> without need to deactivate the device -(and umount filesystem). Currently it supports parameters refresh on following -devices: LUKS1, LUKS2 (including authenticated encryption), plain crypt -and loopaes. - -Mandatory parameters are identical to those of an open action for respective -device type. - -You may change following parameters on all devices \-\-perf\-same_cpu_crypt, -\-\-perf\-submit_from_crypt_cpus, \-\-perf-no_read_workqueue, \-\-perf-no_write_workqueue -and \-\-allow\-discards. - -Refreshing device without any optional parameter will refresh the device -with default setting (respective to device type). - -\fBLUKS2 only:\fR - -\-\-integrity\-no\-journal parameter affects only LUKS2 devices with -underlying dm-integrity device. - -Adding option \-\-persistent stores any combination of device parameters -above in LUKS2 metadata (only after successful refresh operation). - -\-\-disable\-keyring parameter refreshes a device with volume key passed -in dm-crypt driver. - -.PP -\fIreencrypt\fR <device> or --active-name <name> [<new_name>] -.IP -Run resilient reencryption (LUKS2 device only). - -There are 3 basic modes of operation: - -\(bu device reencryption (\fIreencrypt\fR) - -\(bu device encryption (\fIreencrypt\fR \-\-encrypt) - -\(bu device decryption (\fIreencrypt\fR \-\-decrypt) - -<device> or --active-name <name> is mandatory parameter. - -With <device> parameter cryptsetup looks up active <device> dm mapping. -If no active mapping is detected, it starts offline reencryption otherwise online -reencryption takes place. 
- -Reencryption process may be safely interrupted by a user via SIGTERM signal (ctrl+c). - -To resume already initialized or interrupted reencryption, just run the cryptsetup -\fIreencrypt\fR command again to continue the reencryption operation. -Reencryption may be resumed with different \-\-resilience or \-\-hotzone\-size unless -implicit datashift resilience mode is used (reencrypt \-\-encrypt with \-\-reduce-device-size -option). - -If the reencryption process was interrupted abruptly (reencryption process crash, system crash, poweroff) -it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR) -when needed. - -Optional parameter <new_name> takes effect only with \-\-encrypt option and it activates device <new_name> -immediately after encryption initialization gets finished. That's useful when device needs to be ready -as soon as possible and mounted (used) before full data area encryption is completed. - -Action supports following additional \fB<options>\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size, -\-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only, -\-\-reduce\-device\-size, \-\-master\-key\-file, \-\-key\-size]. - -.SH PLAIN MODE -Plain dm-crypt encrypts the device sector-by-sector with a -single, non-salted hash of the passphrase. No checks -are performed, no metadata is used. There is no formatting operation. -When the raw device is mapped (opened), the usual device operations -can be used on the mapped device, including filesystem creation. -Mapped devices usually reside in /dev/mapper/<name>. - -The following are valid plain device type actions: - -\fIopen\fR \-\-type plain <device> <name> -.br -\fIcreate\fR <name> <device> (\fBOBSOLETE syntax\fR) -.IP -Opens (creates a mapping with) <name> backed by device <device>. 
- -\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, -\-\-sector\-size, \-\-key-file, \-\-keyfile-offset, \-\-key-size, -\-\-offset, \-\-skip, \-\-size, \-\-readonly, \-\-shared, \-\-allow\-discards, -\-\-refresh] - -Example: 'cryptsetup open \-\-type plain /dev/sda10 e1' maps the raw -encrypted device /dev/sda10 to the mapped (decrypted) device -/dev/mapper/e1, which can then be mounted, fsck-ed or have a -filesystem created on it. -.SH LUKS EXTENSION -LUKS, the Linux Unified Key Setup, is a standard for disk encryption. -It adds a standardized header at the start of the device, -a key-slot area directly behind the header and the bulk -data area behind that. The whole set is called a 'LUKS container'. -The device that a LUKS container resides on is called a 'LUKS device'. -For most purposes, both terms can be used interchangeably. But -note that when the LUKS header is at a nonzero offset -in a device, then the device is not a LUKS device anymore, but -has a LUKS container stored in it at an offset. - -LUKS can manage multiple passphrases that can be individually revoked -or changed and that can be securely scrubbed from persistent -media due to the use of anti-forensic stripes. Passphrases -are protected against brute-force and dictionary -attacks by PBKDF2, which implements hash iteration and salting -in one function. - -LUKS2 is a new version of header format that allows additional -extensions like different PBKDF algorithm or authenticated encryption. -You can format device with LUKS2 header if you specify -\fI\-\-type luks2\fR in \fIluksFormat\fR command. -For activation, the format is already recognized automatically. - -Each passphrase, also called a -.B key -in this document, is associated with one of 8 key-slots. -Key operations that do not specify a slot affect the first slot -that matches the supplied passphrase or the first empty slot if -a new passphrase is added. 
- -The \fB<device>\fR parameter can also be specified by a LUKS UUID in the -format UUID=<uuid>. Translation to real device name uses symlinks -in /dev/disk/by-uuid directory. - -To specify a detached header, the \fB\-\-header\fR parameter can be used -in all LUKS commands and always takes precedence over the positional -\fB<device>\fR parameter. - -The following are valid LUKS actions: - -\fIluksFormat\fR <device> [<key file>] -.IP -Initializes a LUKS partition and sets the initial passphrase -(for key-slot 0), -either via prompting or via <key file>. Note that -if the second argument is present, then the passphrase -is taken from the file given there, without the need -to use the \-\-key-file option. Also note that for both forms -of reading the passphrase from a file you can -give '-' as file name, which results in the passphrase being read -from stdin and the safety-question being skipped. - -You cannot call luksFormat on a device or filesystem that is mapped or in use, -e.g. mounted filesysem, used in LVM, active RAID member etc. -The device or filesystem has to be un-mounted in order to call luksFormat. - -To use LUKS2, specify \fI\-\-type luks2\fR. - -\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify\-passphrase, -\-\-key\-size, \-\-key\-slot, -\-\-key\-file (takes precedence over optional second argument), -\-\-keyfile\-offset, \-\-keyfile\-size, \-\-use\-random | \-\-use\-urandom, -\-\-uuid, \-\-master\-key\-file, \-\-iter\-time, \-\-header, -\-\-pbkdf\-force\-iterations, -\-\-force\-password, \-\-disable-locks]. - -For LUKS2, additional \fB<options>\fR can be -[\-\-integrity, \-\-integrity\-no\-wipe, \-\-sector\-size, -\-\-label, \-\-subsystem, -\-\-pbkdf, \-\-pbkdf\-memory, \-\-pbkdf\-parallel, -\-\-disable\-locks, \-\-disable\-keyring, -\-\-luks2\-metadata\-size, \-\-luks2\-keyslots\-size, -\-\-keyslot\-cipher, \-\-keyslot\-key\-size]. 
- -\fBWARNING:\fR Doing a luksFormat on an existing LUKS container will -make all data the old container permanently irretrievable unless -you have a header backup. -.PP -\fIopen\fR \-\-type luks <device> <name> -.br -\fIluksOpen\fR <device> <name> (\fBold syntax\fR) -.IP -Opens the LUKS device <device> and sets up a mapping <name> after -successful verification of the supplied passphrase. - -First, the passphrase is searched in LUKS tokens. If it's not -found in any token and also the passphrase is not supplied via \-\-key-file, -the command prompts for it interactively. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, -\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, -\-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, -\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. -.PP -\fIluksSuspend\fR <name> -.IP -Suspends an active device (all IO operations will block -and accesses to the device will wait indefinitely) -and wipes the encryption -key from kernel memory. Needs kernel 2.6.19 or later. - -After this operation you have to use \fIluksResume\fR to reinstate -the encryption key and unblock the device or \fIclose\fR to remove -the mapped device. - -\fBWARNING:\fR never suspend the device on which the cryptsetup binary resides. - -\fB<options>\fR can be [\-\-header, \-\-disable\-locks]. -.PP -\fIluksResume\fR <name> -.IP -Resumes a suspended device and reinstates the encryption key. -Prompts interactively for a passphrase if \-\-key-file is not given. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header, -\-\-disable\-keyring, \-\-disable\-locks, \-\-type] -.PP -\fIluksAddKey\fR <device> [<key file with new key>] -.IP -Adds a new passphrase. An existing passphrase must be supplied -interactively or via \-\-key-file. 
-The new passphrase to be added can be specified interactively -or read from the file given as positional argument. - -\fBNOTE:\fR with \-\-unbound option the action creates new unbound -LUKS2 keyslot. The keyslot cannot be used for device activation. -If you don't pass new key via \-\-master\-key\-file option, -new random key is generated. Existing passphrase for any active keyslot -is not required. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-new\-keyfile\-offset, -\-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file, -\-\-force\-password, \-\-header, \-\-disable\-locks, -\-\-iter-time, \-\-pbkdf, \-\-pbkdf\-force\-iterations, -\-\-unbound, \-\-type, \-\-keyslot\-cipher, \-\-keyslot\-key\-size]. -.PP -\fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>] -.IP -Removes the supplied passphrase from the LUKS device. The -passphrase to be removed can be specified interactively, -as the positional argument or via \-\-key-file. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type] - -\fBWARNING:\fR If you read the passphrase from stdin -(without further argument or with '-' as an argument -to \-\-key\-file), batch-mode (\-q) will be implicitly -switched on and no warning will be given when you remove the -last remaining passphrase from a LUKS container. Removing -the last passphrase makes the LUKS container permanently -inaccessible. -.PP -\fIluksChangeKey\fR <device> [<new key file>] -.IP -Changes an existing passphrase. The passphrase -to be changed must be supplied interactively or via \-\-key\-file. -The new passphrase can be supplied interactively or in -a file given as positional argument. - -If a key-slot is specified (via \-\-key-slot), the passphrase -for that key-slot must be given and the new passphrase -will overwrite the specified key-slot. 
If no key-slot -is specified and there is still a free key-slot, then -the new passphrase will be put into a free key-slot before the -key-slot containing the old passphrase is purged. If there is -no free key-slot, then the key-slot with the old passphrase is -overwritten directly. - -\fBWARNING:\fR If a key-slot is overwritten, a media failure -during this operation can cause the overwrite to fail after -the old passphrase has been wiped and make the LUKS container -inaccessible. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-new\-keyfile\-offset, -\-\-iter-time, \-\-pbkdf, \-\-pbkdf\-force\-iterations, -\-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header, -\-\-disable\-locks, \-\-type, \-\-keyslot\-cipher, \-\-keyslot\-key\-size]. -.PP -.PP -\fIluksConvertKey\fR <device> -.IP -Converts an existing LUKS2 keyslot to new pbkdf parameters. The -passphrase for keyslot to be converted must be supplied interactively -or via \-\-key\-file. If no \-\-pbkdf parameters are specified LUKS2 -default pbkdf values will apply. - -If a keyslot is specified (via \-\-key\-slot), the passphrase for that -keyslot must be given. If no keyslot is specified and there is still -a free keyslot, then the new parameters will be put into a free -keyslot before the keyslot containing the old parameters is -purged. If there is no free keyslot, then the keyslot with the old -parameters is overwritten directly. - -\fBWARNING:\fR If a keyslot is overwritten, a media failure during -this operation can cause the overwrite to fail after the old -parameters have been wiped and make the LUKS container inaccessible. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-key\-slot, \-\-header, \-\-disable\-locks, -\-\-iter-time, \-\-pbkdf, \-\-pbkdf\-force\-iterations, -\-\-pbkdf\-memory, \-\-pbkdf\-parallel, -\-\-keyslot\-cipher, \-\-keyslot\-key\-size]. 
-.PP -\fIluksKillSlot\fR <device> <key slot number> -.IP -Wipe the key-slot number <key slot> from the LUKS device. Except running -in batch-mode (\-q) a remaining passphrase must be supplied, -either interactively or via \-\-key-file. -This command can remove the last remaining key-slot, but requires -an interactive confirmation when doing so. Removing the last -passphrase makes a LUKS container permanently inaccessible. - -\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, -\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type]. - -\fBWARNING:\fR If you read the passphrase from stdin -(without further argument or with '-' as an argument -to \-\-key-file), batch-mode (\-q) will be implicitly -switched on and no warning will be given when you remove the -last remaining passphrase from a LUKS container. Removing -the last passphrase makes the LUKS container permanently -inaccessible. - -\fBNOTE:\fR If there is no passphrase provided (on stdin or through -\-\-key-file argument) and batch-mode (\-q) is active, the -key-slot is removed without any other warning. - -.PP -\fIerase\fR <device> -.br -\fIluksErase\fR <device> -.IP -Erase all keyslots and make the LUKS container permanently inaccessible. -You do not need to provide any password for this operation. - -\fBWARNING:\fR This operation is irreversible. -.PP -\fIluksUUID\fR <device> -.IP -Print the UUID of a LUKS device. -.br -Set new UUID if \fI\-\-uuid\fR option is specified. -.PP -\fIisLuks\fR <device> -.IP -Returns true, if <device> is a LUKS device, false otherwise. -Use option \-v to get human-readable feedback. 'Command successful.' -means the device is a LUKS device. - -By specifying \-\-type you may query for specific LUKS version. -.PP -\fIluksDump\fR <device> -.IP -Dump the header information of a LUKS device. - -If the \-\-dump\-master\-key option is used, the LUKS device master key is -dumped instead of the keyslot info. 
Together with \-\-master\-key\-file option, -master key is dumped to a file instead of standard output. Beware that the -master key cannot be changed without reencryption and can be used to decrypt -the data stored in the LUKS container without a passphrase and even without the -LUKS header. This means that if the master key is compromised, the whole device -has to be erased or reencrypted to prevent further access. Use this option carefully. - -To dump the master key, a passphrase has to be supplied, -either interactively or via \-\-key\-file. - -To dump unbound key (LUKS2 format only), \-\-unbound parameter, specific \-\-key-slot -id and proper passphrase has to be supplied, either interactively or via \-\-key\-file. -Optional \-\-master\-key\-file parameter enables unbound keyslot dump to a file. - -To dump LUKS2 JSON metadata (without basic heade information like UUID) use -\-\-dump\-json\-metadata option. - -\fB<options>\fR can be [\-\-dump\-master\-key, \-\-dump\-json\-metadata, \-\-key\-file, -\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks, -\-\-master\-key\-file, \-\-type, \-\-unbound, \-\-key-slot]. - -\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file -and the argument to \-\-key\-file is '-', no validation question -will be asked and no warning given. -.PP -\fIluksHeaderBackup\fR <device> \-\-header\-backup\-file <file> -.IP -Stores a binary backup of the LUKS header and keyslot area. -.br -Note: Using '-' as filename writes the header backup to a file named '-'. - -\fBWARNING:\fR This backup file and a passphrase valid -at the time of backup allows decryption of the -LUKS data area, even if the passphrase was later changed or -removed from the LUKS device. Also note that with a header -backup you lose the ability to securely wipe the LUKS -device by just overwriting the header and key-slots. You -either need to securely erase all header backups in -addition or overwrite the encrypted data area as well. 
-The second option is less secure, as some sectors -can survive, e.g. due to defect management. -.PP -\fIluksHeaderRestore\fR <device> \-\-header\-backup\-file <file> -.IP -Restores a binary backup of the LUKS header and keyslot area -from the specified file. -.br -Note: Using '-' as filename reads the header backup from a file named '-'. - -\fBWARNING:\fR Header and keyslots will be replaced, only -the passphrases from the backup will work afterward. - -This command requires that the master key size and data offset -of the LUKS header already on the device and of the header backup -match. Alternatively, if there is no LUKS header on the device, -the backup will also be written to it. -.PP -\fItoken\fR <add|remove|import|export> <device> -.IP -Action \fIadd\fR creates new keyring token to enable auto-activation of the device. -For the auto-activation, the passphrase must be stored in keyring with the specified -description. Usually, the passphrase should be stored in \fIuser\fR or -\fIuser-session\fR keyring. -The \fItoken\fR command is supported only for LUKS2. - -For adding new keyring token, option \-\-key\-description is mandatory. -Also, new token is assigned to key slot specified with \-\-key\-slot option or to all -active key slots in the case \-\-key\-slot option is omitted. - -To remove existing token, specify the token ID which should be removed with -\-\-token\-id option. - -\fBWARNING:\fR The action \fItoken remove\fR removes any token type, not just \fIkeyring\fR -type from token slot specified by \-\-token\-id option. - -Action \fIimport\fR can store arbitrary valid token json in LUKS2 header. It may be passed via -standard input or via file passed in \-\-json\-file option. If you specify \-\-key\-slot then -successfully imported token is also assigned to the key slot. - -Action \fIexport\fR writes requested token json to a file passed with \-\-json\-file or -to standard output. 
- -\fB<options>\fR can be [\-\-header, \-\-token\-id, \-\-key\-slot, \-\-key\-description, -\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file]. -.PP -\fIconvert\fR <device> \-\-type <format> -.IP -Converts the device between LUKS1 and LUKS2 format (if possible). -The conversion will not be performed if there is an additional LUKS2 feature or LUKS1 has -unsupported header size. - -Conversion (both directions) must be performed on inactive device. There must not be active -dm-crypt mapping established for LUKS header requested for conversion. - -\fB\-\-type\fR option is mandatory with following accepted values: \fIluks1\fR or \fIluks2\fR. - -\fBWARNING:\fR The \fIconvert\fR action can destroy the LUKS header in the case of a crash -during conversion or if a media error occurs. -Always create a header backup before performing this operation! - -\fB<options>\fR can be [\-\-header, \-\-type]. -.PP -\fIconfig\fR <device> -.IP -Set permanent configuration options (store to LUKS header). -The \fIconfig\fR command is supported only for LUKS2. - -The permanent options can be \fI\-\-priority\fR to set priority (normal, prefer, ignore) -for keyslot (specified by \fI\-\-key\-slot\fR) or \fI\-\-label\fR and \fI\-\-subsystem\fR. - -\fB<options>\fR can be [\-\-priority, \-\-label, \-\-subsystem, \-\-key\-slot, \-\-header]. - -.SH loop-AES EXTENSION -cryptsetup supports mapping loop-AES encrypted partition using -a compatibility mode. -.PP -\fIopen\fR \-\-type loopaes <device> <name> \-\-key\-file <keyfile> -.br -\fIloopaesOpen\fR <device> <name> \-\-key\-file <keyfile> (\fBold syntax\fR) -.IP -Opens the loop-AES <device> and sets up a mapping <name>. - -If the key file is encrypted with GnuPG, then you have to use -\-\-key\-file=\- and decrypt it before use, e.g. 
like this: -.br -gpg \-\-decrypt <keyfile> | cryptsetup loopaesOpen \-\-key\-file=\- -<device> <name> - -\fBWARNING:\fR The loop-AES extension cannot use the direct input of key file -on real terminal because the keys are separated by end-of-line and only part -of the multi-key file would be read. -.br -If you need it in script, just use the pipe redirection: -.br -echo $keyfile | cryptsetup loopaesOpen \-\-key\-file=\- <device> <name> - -Use \fB\-\-keyfile\-size\fR to specify the proper key length if needed. - -Use \fB\-\-offset\fR to specify device offset. Note that the units -need to be specified in number of 512 byte sectors. - -Use \fB\-\-skip\fR to specify the IV offset. If the original device -used an offset and but did not use it in IV sector calculations, -you have to explicitly use \fB\-\-skip 0\fR in addition to the offset -parameter. - -Use \fB\-\-hash\fR to override the default hash function for -passphrase hashing (otherwise it is detected according to key -size). - -\fB<options>\fR can be [\-\-key\-file, \-\-key\-size, \-\-offset, \-\-skip, -\-\-hash, \-\-readonly, \-\-allow\-discards, \-\-refresh]. -.PP -See also section 7 of the FAQ and \fBhttp://loop-aes.sourceforge.net\fR -for more information regarding loop-AES. -.SH TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION -cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt -encrypted partition using a native Linux kernel API. -Header formatting and TCRYPT header change is not supported, cryptsetup -never changes TCRYPT header on-device. - -TCRYPT extension requires kernel userspace -crypto API to be available (introduced in Linux kernel 2.6.38). -If you are configuring kernel yourself, enable -"User-space interface for symmetric key cipher algorithms" in -"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option). - -Because TCRYPT header is encrypted, you have to always provide valid -passphrase and keyfiles. 
- -Cryptsetup should recognize all header variants, except legacy cipher chains -using LRW encryption mode with 64 bits encryption block (namely Blowfish -in LRW mode is not recognized, this is limitation of kernel crypto API). - -VeraCrypt is just extension of TrueCrypt header with increased -iteration count so unlocking can take quite a lot of time (in comparison -with TCRYPT device). - -To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM) -value, use either the \fB\-\-veracrypt\-pim=<PIM>\fR option to directly specify -the PIM on the command- line or use \fB\-\-veracrypt\-query\-pim\fR to be -prompted for the PIM. - -The PIM value affects the number of iterations applied during key derivation. Please refer to -\fBhttps://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html\fR -for more detailed information. - -If you need to disable VeraCrypt device support, use \fB\-\-disable\-veracrypt\fR option. - -\fBNOTE:\fR Activation with \fBtcryptOpen\fR is supported only for cipher chains -using LRW or XTS encryption modes. - -The \fBtcryptDump\fR command should work for all recognized TCRYPT devices -and doesn't require superuser privilege. - -To map system device (device with boot loader where the whole encrypted -system resides) use \fB\-\-tcrypt\-system\fR option. -You can use partition device as the parameter (parameter must be real partition -device, not an image in a file), then only this partition is mapped. - -If you have the whole TCRYPT device as a file image and you want to map multiple -partition encrypted with system encryption, please create loopback mapping -with partitions first (\fBlosetup \-P\fR, see \fPlosetup(8)\fR man page for more info), -and use loop partition as the device parameter. - -If you use the whole base device as a parameter, one device for the whole system -encryption is mapped. 
This mode is available only for backward compatibility -with older cryptsetup versions which mapped TCRYPT system encryption -using the whole device. - -To use hidden header (and map hidden device, if available), -use \fB\-\-tcrypt\-hidden\fR option. - -To explicitly use backup (secondary) header, use \fB\-\-tcrypt\-backup\fR -option. - -\fBNOTE:\fR There is no protection for a hidden volume if -the outer volume is mounted. The reason is that if there -were any protection, it would require some metadata describing -what to protect in the outer volume and the hidden volume would -become detectable. - -.PP -\fIopen\fR \-\-type tcrypt <device> <name> -.br -\fItcryptOpen\fR <device> <name> (\fBold syntax\fR) -.IP -Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up -a mapping <name>. - -\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden, -\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase, -\-\-allow-discards, \-\-disable\-veracrypt, \-\-veracrypt\-pim, \-\-veracrypt\-query\-pim, -\-\-header, \-\-cipher, \-\-hash]. - -The keyfile parameter allows a combination of file content with the -passphrase and can be repeated. Note that using keyfiles is compatible -with TCRYPT and is different from LUKS keyfile logic. - -If \fB\-\-\cipher\fR or \fB\-\-hash\fR options are used, only cipher chains or -PBKDF2 variants with the specified hash algorithms are checked. This could speed -up unlocking the device (but also it reveals some information about the container). - -If you use \fB\-\-header\fR in combination with hidden or system options, -the header file must contain specific headers on the same positions as the original -encrypted container. - -\fBWARNING:\fR Option \fB\-\-allow\-discards\fR cannot be combined with -option \fB\-\-tcrypt\-hidden\fR. For normal mapping, it can cause -the \fBdestruction of hidden volume\fR (hidden volume appears as unused space -for outer volume so this space can be discarded). 
-
-.PP
-\fItcryptDump\fR <device>
-.IP
-Dump the header information of a TCRYPT device.
-
-If the \-\-dump\-master\-key option is used, the TCRYPT device master key
-is dumped instead of TCRYPT header info. Beware that the master key
-(or concatenated master keys if cipher chain is used)
-can be used to decrypt the data stored in the TCRYPT container without
-a passphrase.
-This means that if the master key is compromised, the whole device has
-to be erased to prevent further access. Use this option carefully.
-
-\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
-\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-cipher, \-\-hash].
-
-The keyfile parameter allows a combination of file content with the
-passphrase and can be repeated.
-.PP
-See also \fBhttps://en.wikipedia.org/wiki/TrueCrypt\fR for more information regarding
-TrueCrypt.
-
-Please note that cryptsetup does not use TrueCrypt code, please report
-all problems related to this compatibility extension to the cryptsetup project.
-
-.SH BITLK (Windows BitLocker-compatible) EXTENSION (EXPERIMENTAL)
-cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted partition
-using a native Linux kernel API.
-Header formatting and BITLK header changes are not supported, cryptsetup
-never changes BITLK header on-device.
-
-\fBWARNING:\fR This extension is EXPERIMENTAL.
-
-BITLK extension requires kernel userspace crypto API to be available
-(for details see TCRYPT section).
-
-Cryptsetup should recognize all BITLK header variants, except legacy
-header used in Windows Vista systems and partially decrypted BitLocker devices.
-Activation of legacy devices encrypted in CBC mode requires at least
-Linux kernel version 5.3 and for devices using Elephant diffuser kernel 5.6.
-
-The \fBbitlkDump\fR command should work for all recognized BITLK devices
-and doesn't require superuser privilege.
-
-For unlocking with the \fBopen\fR a password or a recovery passphrase or
-a startup key must be provided.
-
-Additionally unlocking using master key is
-supported. You must provide BitLocker Full Volume Encryption Key (FVEK)
-using the \-\-master\-key\-file option. The key must be decrypted and
-without the header (only 128/256/512 bits of key data depending on used
-cipher and mode).
-
-Other unlocking methods (TPM, SmartCard) are not supported.
-
-.PP
-\fIopen\fR \-\-type bitlk <device> <name>
-.br
-\fIbitlkOpen\fR <device> <name> (\fBold syntax\fR)
-.IP
-Opens the BITLK (a BitLocker-compatible) <device> and sets up
-a mapping <name>.
-
-\fB<options>\fR can be [\-\-key\-file, \-\-readonly, \-\-test\-passphrase,
-\-\-allow\-discards \-\-master\-key\-file].
-
-.PP
-\fIbitlkDump\fR <device>
-.IP
-Dump the header information of a BITLK device.
-
-\fB<options>\fR can be [\-\-dump\-master\-key \-\-master\-key\-file].
-
-.PP
-Please note that cryptsetup does not use any Windows BitLocker code, please report
-all problems related to this compatibility extension to the cryptsetup project.
-
-.SH MISCELLANEOUS
-.PP
-\fIrepair\fR <device>
-.IP
-Tries to repair the device metadata if possible. Currently supported only
-for LUKS device type.
-
-This command is useful to fix some known benign LUKS metadata
-header corruptions. Only basic corruptions of unused keyslot
-are fixable. This command will only change the LUKS header, not
-any key-slot data. You may enforce LUKS version by adding \-\-type
-option.
-
-It also repairs (upgrades) LUKS2 reencryption metadata by adding
-metadata digest that protects it against malicious changes.
-
-If LUKS2 reencryption was interrupted in the middle of writting
-reencryption segment the repair command can be used to perform
-reencryption recovery so that reencryption can continue later.
-
-\fBWARNING:\fR Always create a binary backup of the original
-header before calling this command.
-.PP
-\fIbenchmark\fR <options>
-.IP
-Benchmarks ciphers and KDF (key derivation function).
-Without parameters, it tries to measure few common configurations.
-
-To benchmark other ciphers or modes, you need to specify \fB\-\-cipher\fR
-and \fB\-\-key\-size\fR options or \fB\-\-hash\fR for KDF test.
-
-\fBNOTE:\fR This benchmark is using memory only and is only informative.
-You cannot directly predict real storage encryption speed from it.
-
-For testing block ciphers, this benchmark requires kernel userspace
-crypto API to be available (introduced in Linux kernel 2.6.38).
-If you are configuring kernel yourself, enable
-"User-space interface for symmetric key cipher algorithms" in
-"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
-
-\fB<options>\fR can be [\-\-cipher, \-\-key\-size, \-\-hash].
-.SH OPTIONS
-.TP
-.B "\-\-verbose, \-v"
-Print more information on command execution.
-.TP
-.B "\-\-debug or \-\-debug\-json"
-Run in debug mode with full diagnostic logs. Debug output
-lines are always prefixed by '#'.
-If \-\-debug\-json is used, additional LUKS2 JSON data structures are printed.
-.TP
-.B "\-\-type <device-type>
-Specifies required device type, for more info read \fIBASIC ACTIONS\fR section.
-.TP
-.B "\-\-hash, \-h \fI<hash\-spec>\fR"
-Specifies the passphrase hash for \fIopen\fR (for plain and
-loopaes device types).
-
-Specifies the hash used in the LUKS key setup scheme and volume key digest
-for \fIluksFormat\fR. The specified hash is used as hash-parameter
-for PBKDF2 and for the AF splitter.
-
-The specified hash name is passed to the compiled-in crypto backend.
-Different backends may support different hashes.
-For \fIluksFormat\fR, the hash
-algorithm must provide at least 160 bits of output, which
-excludes, e.g., MD5. Do not use a non-crypto hash like
-\fB"crc32"\fR as this breaks security.
-
-Values compatible with old version of cryptsetup are
-\fB"ripemd160"\fR for \fIopen \-\-type plain\fR and
-\fB"sha1"\fR for \fIluksFormat\fR.
-
-Use \fIcryptsetup \-\-help\fR to show the defaults.
-.TP
-.B "\-\-cipher, \-c \fI<cipher\-spec>\fR"
-Set the cipher specification string.
-
-\fIcryptsetup \-\-help\fR shows the compiled-in defaults.
-The current default in the distributed sources is
-"aes-cbc-essiv:sha256" for plain dm-crypt and
-"aes-xts-plain64" for LUKS.
-
-If a hash is part of the cipher specification, then it is
-used as part of the IV generation. For example, ESSIV
-needs a hash function, while "plain64" does not and
-hence none is specified.
-
-For XTS mode you can optionally set a key size of
-512 bits with the \-s option. Key size for XTS
-mode is twice that for other modes for the same
-security level.
-
-XTS mode requires kernel 2.6.24 or later and plain64 requires
-kernel 2.6.33 or later. More information can be found in the FAQ.
-.TP
-.B "\-\-verify-passphrase, \-y"
-When interactively asking for a passphrase, ask for it twice
-and complain if both inputs do not match. Advised when creating
-a regular mapping for the first time, or when running
-\fIluksFormat\fR. Ignored on input from file or stdin.
-.TP
-.B "\-\-key-file, \-d \fIname\fR"
-Read the passphrase from file.
-
-If the name given is "-", then the passphrase will be read from stdin.
-In this case, reading will not stop at newline characters.
-
-With LUKS, passphrases supplied via \-\-key\-file are always
-the existing passphrases requested by a command, except in
-the case of \fIluksFormat\fR where \-\-key\-file is equivalent
-to the positional key file argument.
-
-If you want to set a new passphrase via key file, you have to
-use a positional argument to \fIluksAddKey\fR.
-
-See section \fBNOTES ON PASSPHRASE PROCESSING\fR for more information.
-.TP
-.B "\-\-keyfile\-offset \fIvalue\fR"
-Skip \fIvalue\fR bytes at the beginning of the key file.
-Works with all commands that accept key files.
-.TP
-.B "\-\-keyfile\-size, \-l \fIvalue\fR"
-Read a maximum of \fIvalue\fR bytes from the key file.
-The default is to read the whole file up to the compiled-in
-maximum that can be queried with \-\-help. Supplying more
-data than the compiled-in maximum aborts the operation.
-
-This option is useful
-to cut trailing newlines, for example. If \-\-keyfile\-offset
-is also given, the size count starts after the offset.
-Works with all commands that accept key files.
-.TP
-.B "\-\-new\-keyfile\-offset \fIvalue\fR"
-Skip \fIvalue\fR bytes at the start when
-adding a new passphrase from key file with
-\fIluksAddKey\fR.
-.TP
-.B "\-\-new\-keyfile\-size \fIvalue\fR"
-Read a maximum of \fIvalue\fR bytes when adding
-a new passphrase from key file with \fIluksAddKey\fR.
-The default is to read the whole file up to the compiled-in
-maximum length that can be queried with \-\-help.
-Supplying more than the compiled in maximum aborts the
-operation.
-When \-\-new\-keyfile\-offset is also given, reading starts
-after the offset.
-.TP
-.B "\-\-master\-key\-file"
-Use a master key stored in a file.
-
-For \fIluksFormat\fR this
-allows creating a LUKS header with this specific
-master key. If the master key was taken from an existing
-LUKS header and all other parameters are the same,
-then the new header decrypts the data encrypted with the
-header the master key was taken from.
-
-Action \fIluksDump\fR together with \-\-dump\-master\-key
-option: The volume (master) key is stored in a file instead of
-being printed out to standard output.
-
-\fBWARNING:\fR If you create your own master key, you
-need to make sure to do it right. Otherwise, you can end
-up with a low-entropy or otherwise partially predictable
-master key which will compromise security.
-
-For \fIluksAddKey\fR this allows adding a new passphrase
-without having to know an existing one.
-
-For \fIopen\fR this allows one to open the LUKS device
-without giving a passphrase.
-.TP
-.B "\-\-dump\-json\-metadata"
-For \fIluksDump\fR (LUKS2 only) this option prints content
-of LUKS2 header JSON metadata area.
-.TP
-.B "\-\-dump\-master\-key"
-For \fIluksDump\fR this option includes the master key in the displayed
-information. Use with care, as the master key can be used to
-bypass the passphrases, see also option \-\-master\-key\-file.
-.TP
-.B "\-\-json\-file"
-Read token json from a file or write token to it. See \fItoken\fR action for more
-information. \-\-json\-file=- reads json from standard input or writes it to
-standard output respectively.
-.TP
-.B "\-\-use\-random"
-.TP
-.B "\-\-use\-urandom"
-For \fIluksFormat\fR these options define which kernel random number
-generator will be used to create the master key (which is a
-long-term key).
-
-See \fBNOTES ON RANDOM NUMBER GENERATORS\fR for more
-information. Use \fIcryptsetup \-\-help\fR
-to show the compiled-in default random number generator.
-
-\fBWARNING:\fR In a low-entropy situation (e.g. in an
-embedded system), both selections are problematic.
-Using /dev/urandom can lead to weak keys.
-Using /dev/random can block a long time, potentially
-forever, if not enough entropy can be harvested by
-the kernel.
-.TP
-.B "\-\-key\-slot, \-S <0\-N>"
-For LUKS operations that add key material, this options allows you
-to specify which key slot is selected for the new key.
-This option can be used for \fIluksFormat\fR,
-and \fIluksAddKey\fR.
-.br
-In addition, for \fIopen\fR, this option selects a
-specific key-slot to compare the passphrase against.
-If the given passphrase would only match a different key-slot,
-the operation fails.
-
-Maximum number of key slots depends on LUKS version. LUKS1 can have
-up to 8 key slots. LUKS2 can have up to 32 key slots based on key slot
-area size and key size, but a valid key slot ID can always be between 0
-and 31 for LUKS2.
-.TP
-.B "\-\-key\-size, \-s <bits>"
-Sets key size in bits. The argument has to be a multiple of
-8. The possible key-sizes are limited by the cipher and
-mode used.
-
-See /proc/crypto for more information. Note that key-size
-in /proc/crypto is stated in bytes.
-
-This option can be used for \fIopen \-\-type plain\fR or \fIluksFormat\fR.
-All other LUKS actions will use the key-size specified in the LUKS header.
-Use \fIcryptsetup \-\-help\fR to show the compiled-in defaults.
-.TP
-.B "\-\-size, \-b <number of 512 byte sectors>"
-Set the size of the device in sectors of 512 bytes.
-This option is only relevant for the \fIopen\fR and \fIresize\fR
-actions.
-.TP
-.B "\-\-offset, \-o <number of 512 byte sectors>"
-Start offset in the backend device in 512-byte sectors.
-This option is only relevant for the \fIopen\fR action with plain
-or loopaes device types or for LUKS devices in \fIluksFormat\fR.
-
-For LUKS, the \-\-offset option sets the data offset (payload) of data
-device and must be be aligned to 4096-byte sectors (must be multiple of 8).
-This option cannot be combined with \-\-align\-payload option.
-.TP
-.B "\-\-skip, \-p <number of 512 byte sectors>"
-Start offset used in IV calculation in 512-byte sectors
-(how many sectors of the encrypted data to skip at the beginning).
-This option is only relevant for the \fIopen\fR action with plain
-or loopaes device types.
-
-Hence, if \-\-offset \fIn\fR, and \-\-skip \fIs\fR, sector \fIn\fR
-(the first sector of the encrypted device) will get a sector number
-of \fIs\fR for the IV calculation.
-.TP
-.B "\-\-device\-size \fIsize[units]\fR"
-Instead of real device size, use specified value.
-
-With \fIreencrypt\fR action it means that only specified area
-(from the start of the device to the specified size) will be
-reencrypted.
-
-With \fIresize\fR action it sets new size of the device.
-
-If no unit suffix is specified, the size is in bytes.
-
-Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)
-for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
-
-\fBWARNING:\fR This is destructive operation when used with reencrypt command.
-.TP
-.B "\-\-readonly, \-r"
-set up a read-only mapping.
-.TP
-.B "\-\-shared"
-Creates an additional mapping for one common
-ciphertext device. Arbitrary mappings are supported.
-This option is only relevant for the
-\fIopen \-\-type plain\fR action. Use \-\-offset, \-\-size and \-\-skip to
-specify the mapped area.
-.TP
-.B "\-\-pbkdf <PBKDF spec>"
-Set Password-Based Key Derivation Function (PBKDF) algorithm for LUKS keyslot.
-The PBKDF can be: \fIpbkdf2\fR (for PBKDF2 according to RFC2898),
-\fIargon2i\fR for Argon2i or \fIargon2id\fR for Argon2id
-(see https://www.cryptolux.org/index.php/Argon2 for more info).
-
-For LUKS1, only PBKDF2 is accepted (no need to use this option).
-The default PBKDF2 for LUKS2 is set during compilation time
-and is available in \fIcryptsetup \-\-help\fR output.
-
-A PBKDF is used for increasing dictionary and brute-force attack cost
-for keyslot passwords. The parameters can be time, memory and parallel cost.
-
-For PBKDF2, only time cost (number of iterations) applies.
-For Argon2i/id, there is also memory cost (memory required during
-the process of key derivation) and parallel cost (number of threads
-that run in parallel during the key derivation.
-
-Note that increasing memory cost also increases time, so the final
-parameter values are measured by a benchmark. The benchmark
-tries to find iteration time (\fI\-\-iter\-time\fR) with required
-memory cost \fI\-\-pbkdf\-memory\fR. If it is not possible,
-the memory cost is decreased as well.
-The parallel cost \fI\-\-pbkdf\-parallel\fR is constant and is checked
-against available CPU cores.
-
-You can see all PBKDF parameters for particular LUKS2 keyslot with
-\fIluksDump\fR command.
-
-\fBNOTE:\fR If you do not want to use benchmark and want to specify
-all parameters directly, use \fI\-\-pbkdf\-force\-iterations\fR with
-\fI\-\-pbkdf\-memory\fR and \fI\-\-pbkdf\-parallel\fR.
-This will override the values without benchmarking.
-Note it can cause extremely long unlocking time. Use only in specific
-cases, for example, if you know that the formatted device will
-be used on some small embedded system.
-
-\fBMINIMAL AND MAXIMAL PBKDF COSTS:\fR
-For \fBPBKDF2\fR, the minimum iteration count is 1000 and
-maximum is 4294967295 (maximum for 32bit unsigned integer).
-Memory and parallel costs are unused for PBKDF2.
-For \fBArgon2i\fR and \fBArgon2id\fR, minimum iteration count (CPU cost) is 4 and
-maximum is 4294967295 (maximum for 32bit unsigned integer).
-Minimum memory cost is 32 KiB and maximum is 4 GiB. (Limited by addresable
-memory on some CPU platforms.)
-If the memory cost parameter is benchmarked (not specified by a parameter)
-it is always in range from 64 MiB to 1 GiB.
-The parallel cost minimum is 1 and maximum 4 (if enough CPUs cores are available,
-otherwise it is decreased).
-.TP
-.B "\-\-iter\-time, \-i <number of milliseconds>"
-The number of milliseconds to spend with PBKDF passphrase processing.
-This option is only relevant for LUKS operations that set or change
-passphrases, such as \fIluksFormat\fR or \fIluksAddKey\fR.
-Specifying 0 as parameter selects the compiled-in default.
-.TP
-.B "\-\-pbkdf\-memory <number>"
-Set the memory cost for PBKDF (for Argon2i/id the number represents kilobytes).
-Note that it is maximal value, PBKDF benchmark or available physical memory
-can decrease it.
-This option is not available for PBKDF2.
-.TP
-.B "\-\-pbkdf\-parallel <number>"
-Set the parallel cost for PBKDF (number of threads, up to 4).
-Note that it is maximal value, it is decreased automatically if
-CPU online count is lower.
-This option is not available for PBKDF2.
-.TP
-.B "\-\-pbkdf\-force\-iterations <num>"
-Avoid PBKDF benchmark and set time cost (iterations) directly.
-It can be used for LUKS/LUKS2 device only.
-See \fI\-\-pbkdf\fR option for more info.
-.TP
-.B "\-\-batch\-mode, \-q"
-Suppresses all confirmation questions. Use with care!
-
-If the \-y option is not specified, this option also switches off
-the passphrase verification for \fIluksFormat\fR.
-.TP
-.B "\-\-progress-frequency <seconds>"
-Print separate line every <seconds> with wipe progress.
-.TP
-.B "\-\-timeout, \-t <number of seconds>"
-The number of seconds to wait before timeout on passphrase input
-via terminal. It is relevant every time a passphrase is asked,
-for example for \fIopen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
-It has no effect if used in conjunction with \-\-key-file.
-.br
-This option is useful when the system
-should not stall if the user does not input a passphrase,
-e.g. during boot. The default is a value of 0 seconds,
-which means to wait forever.
-.TP
-.B "\-\-tries, \-T"
-How often the input of the passphrase shall be retried.
-This option is relevant
-every time a passphrase is asked, for example for
-\fIopen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
-The default is 3 tries.
-.TP
-.B "\-\-align\-payload <number of 512 byte sectors>"
-Align payload at a boundary of \fIvalue\fR 512-byte sectors.
-This option is relevant for \fIluksFormat\fR.
-
-If not specified, cryptsetup tries to use the topology info
-provided by the kernel for the underlying device to get the optimal alignment.
-If not available (or the calculated value is a multiple of the default)
-data is by default aligned to a 1MiB boundary (i.e. 2048 512-byte sectors).
-
-For a detached LUKS header, this option specifies the offset on the
-data device. See also the \-\-header option.
-
-\fBWARNING:\fR This option is DEPRECATED and has often unexpected impact
-to the data offset and keyslot area size (for LUKS2) due to the complex rounding.
-For fixed data device offset use \fI\-\-offset\fR option instead.
-
-.TP
-.B "\-\-uuid=\fIUUID\fR"
-Use the provided \fIUUID\fR for the \fIluksFormat\fR command
-instead of generating a new one. Changes the existing UUID when
-used with the \fIluksUUID\fR command.
-
-The UUID must be provided in the standard UUID format,
-e.g. 12345678-1234-1234-1234-123456789abc.
-.TP
-.B "\-\-allow\-discards\fR"
-Allow the use of discard (TRIM) requests for the device.
-This option is only relevant for \fIopen\fR action.
-This is also not supported for LUKS2 devices with data integrity protection.
-
-\fBWARNING:\fR This command can have a negative security impact
-because it can make filesystem-level operations visible on
-the physical device. For example, information leaking
-filesystem type, used space, etc. may be extractable from
-the physical device if the discarded blocks can be located
-later. If in doubt, do not use it.
-
-A kernel version of 3.1 or later is needed. For earlier kernels,
-this option is ignored.
-.TP
-.B "\-\-perf\-same_cpu_crypt\fR"
-Perform encryption using the same cpu that IO was submitted on.
-The default is to use an unbound workqueue so that encryption work
-is automatically balanced between available CPUs.
-This option is only relevant for \fIopen\fR action.
-
-\fBNOTE:\fR This option is available only for low-level dm-crypt
-performance tuning, use only if you need a change to default dm-crypt
-behaviour. Needs kernel 4.0 or later.
-.TP
-.B "\-\-perf\-submit_from_crypt_cpus\fR"
-Disable offloading writes to a separate thread after encryption.
-There are some situations where offloading write bios from the
-encryption threads to a single thread degrades performance
-significantly. The default is to offload write bios to the same
-thread.
-This option is only relevant for \fIopen\fR action.
-
-\fBNOTE:\fR This option is available only for low-level dm-crypt
-performance tuning, use only if you need a change to default dm-crypt
-behaviour.
Needs kernel 4.0 or later.
-.TP
-.B "\-\-perf\-no_read_workqueue, \-\-perf\-no_write_workqueue\fR"
-Bypass dm-crypt internal workqueue and process read or write requests
-synchronously.
-This option is only relevant for \fIopen\fR action.
-
-\fBNOTE:\fR These options are available only for low-level dm-crypt
-performance tuning, use only if you need a change to default dm-crypt
-behaviour. Needs kernel 5.9 or later.
-.TP
-.B "\-\-test\-passphrase\fR"
-Do not activate the device, just verify passphrase.
-This option is only relevant for \fIopen\fR action (the device
-mapping name is not mandatory if this option is used).
-.TP
-.B "\-\-header\fR <device or file storing the LUKS header>"
-Use a detached (separated) metadata device or file where the
-LUKS header is stored. This option allows one to store ciphertext
-and LUKS header on different devices.
-
-This option is only relevant for LUKS devices and can be
-used with the \fIluksFormat\fR, \fIopen\fR, \fIluksSuspend\fR,
-\fIluksResume\fR, \fIstatus\fR and \fIresize\fR commands.
-
-For \fIluksFormat\fR with a file name as the argument to \-\-header,
-the file will be automatically created if it does not exist.
-See the cryptsetup FAQ for header size calculation.
-
-For other commands that change the LUKS header (e.g. \fIluksAddKey\fR),
-specify the device or file with the LUKS header directly as the
-LUKS device.
-
-If used with \fIluksFormat\fR, the \-\-align\-payload option is taken
-as absolute sector alignment on ciphertext device and can be zero.
-
-\fBWARNING:\fR There is no check whether the ciphertext device specified
-actually belongs to the header given. In fact, you can specify an
-arbitrary device as the ciphertext device for \fIopen\fR
-with the \-\-header option. Use with care.
-.TP
-.B "\-\-header\-backup\-file <file>"
-Specify file with header backup for \fIluksHeaderBackup\fR or
-\fIluksHeaderRestore\fR actions.
-.TP
-.B "\-\-force\-password"
-Do not use password quality checking for new LUKS passwords.
-
-This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
-\fIluksChangeKey\fR and is ignored if cryptsetup is built without
-password quality checking support.
-
-For more info about password quality check, see the manual page
-for \fBpwquality.conf(5)\fR and \fBpasswdqc.conf(5)\fR.
-.TP
-.B "\-\-deferred"
-Defers device removal in \fIclose\fR command until the last user closes it.
-.TP
-.B "\-\-cancel\-deferred"
-Removes a previously configured deferred device removal in \fIclose\fR command.
-.TP
-.B "\-\-disable\-external\-tokens"
-Disable loading of plugins for external LUKS2 tokens.
-.TP
-.B "\-\-disable\-locks"
-Disable lock protection for metadata on disk.
-This option is valid only for LUKS2 and ignored for other formats.
-
-\fBWARNING:\fR Do not use this option unless you run cryptsetup in
-a restricted environment where locking is impossible to perform
-(where /run directory cannot be used).
-.TP
-.B "\-\-disable\-keyring"
-Do not load volume key in kernel keyring and store it directly
-in the dm-crypt target instead.
-This option is supported only for the LUKS2 format.
-.TP
-.B "\-\-key\-description <text>"
-Set key description in keyring for use with \fItoken\fR command.
-.TP
-.B "\-\-priority <normal|prefer|ignore>"
-Set a priority for LUKS2 keyslot.
-The \fIprefer\fR priority marked slots are tried before \fInormal\fR priority.
-The \fIignored\fR priority means, that slot is never used, if not explicitly
-requested by \fI\-\-key\-slot\fR option.
-.TP
-.B "\-\-token\-id"
-Specify what token to use in actions \fItoken\fR, \fIopen\fR or \fIresize\fR.
-If omitted, all available tokens will be checked before proceeding further with
-passphrase prompt.
-.TP
-.B "\-\-token\-only"
-Do not proceed further with action (any of \fItoken\fR, \fIopen\fR or
-\fIresize\fR) if token activation failed.
Without the option, -action asks for passphrase to proceed further. -.TP -.B "\-\-token\-type" -Restrict tokens eligible for operation to specific token type (name). Mostly -useful when no \-\-token\-id is specified. -.TP -.B "\-\-sector\-size <bytes>" -Set sector size for use with disk encryption. It must be power of two -and in range 512 - 4096 bytes. This option is available only in the LUKS2 -or plain modes. - -The default for plain mode is 512 bytes. For LUKS2 devices it's established -during luksFormat operation based on parameters provided by underlying data device. -For native 4K block devices it's 4096 bytes. For 4K/512e (4K physical sector size -with 512 bytes emulation) it's 4096 bytes. For drives reporting only 512 bytes -block size it remains 512 bytes. If data device is regular file put in filesystem -it's 4096 bytes. - -Note that if sector size is higher than underlying device hardware sector -and there is not integrity protection that uses data journal, using -this option can increase risk on incomplete sector writes during a power fail. - -If used together with \fI\-\-integrity\fR option and dm-integrity journal, -the atomicity of writes is guaranteed in all cases (but it cost write -performance - data has to be written twice). - -Increasing sector size from 512 bytes to 4096 bytes can provide better -performance on most of the modern storage devices and also with some -hw encryption accelerators. -.TP -.B "\-\-iv-large-sectors" -Count Initialization Vector (IV) in larger sector size (if set) instead -of 512 bytes sectors. This option can be used only for \fIopen\fR command -and \fIplain\fR encryption type. - -\fBNOTE:\fR This option does not have any performance or security impact, -use it only for accessing incompatible existing disk images from other systems -that require this option. 
-.TP
-.B "\-\-persistent"
-If used with LUKS2 devices and activation commands like \fIopen\fR or \fIrefresh\fR,
-the specified activation flags are persistently written into metadata
-and used next time automatically even for normal activation.
-(No need to use cryptab or other system configuration files.)
-
-If you need to remove a persistent flag, use \fI\-\-persistent\fR without
-the flag you want to remove (e.g. to disable persistently stored discard flag,
-use \fI\-\-persistent\fR without \fI\-\-allow-discards\fR).
-
-Only \fI\-\-allow-discards\fR, \fI\-\-perf\-same_cpu_crypt\fR,
-\fI\-\-perf\-submit_from_crypt_cpus\fR, \fI\-\-perf\-no_read_workqueue\fR,
-\fI\-\-perf\-no_write_workqueue\fR and \fI\-\-integrity\-no\-journal\fR
-can be stored persistently.
-.TP
-.B "\-\-refresh"
-Refreshes an active device with new set of parameters. See action \fIrefresh\fR description
-for more details.
-.TP
-.B "\-\-label <LABEL>"
-.B "\-\-subsystem <SUBSYSTEM>"
-Set label and subsystem description for LUKS2 device, can be used
-in \fIconfig\fR and \fIformat\fR actions.
-The label and subsystem are optional fields and can be later used in udev scripts
-for triggering user actions once device marked by these labels is detected.
-.TP
-.B "\-\-integrity <integrity algorithm>"
-Specify integrity algorithm to be used for authenticated disk encryption in LUKS2.
-
-\fBWARNING: This extension is EXPERIMENTAL\fR and requires dm-integrity
-kernel target (available since kernel version 4.12).
-For native AEAD modes, also enable "User-space interface for AEAD cipher algorithms"
-in "Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config option).
-
-For more info, see \fIAUTHENTICATED DISK ENCRYPTION\fR section.
-.TP
-.B "\-\-luks2\-metadata\-size <size>"
-This option can be used to enlarge the LUKS2 metadata (JSON) area.
-The size includes 4096 bytes for binary metadata (usable JSON area is smaller
-of the binary area).
-According to LUKS2 specification, only these values are valid:
-16, 32, 64, 128, 256, 512, 1024, 2048 and 4096 kB
-The <size> can be specified with unit suffix (for example 128k).
-.TP
-.B "\-\-luks2\-keyslots\-size <size>"
-This option can be used to set specific size of the LUKS2 binary keyslot area
-(key material is encrypted there). The value must be aligned to multiple
-of 4096 bytes with maximum size 128MB.
-The <size> can be specified with unit suffix (for example 128k).
-.TP
-.B "\-\-keyslot\-cipher <cipher\-spec>"
-This option can be used to set specific cipher encryption for the LUKS2 keyslot area.
-.TP
-.B "\-\-keyslot\-key\-size <bits>"
-This option can be used to set specific key size for the LUKS2 keyslot area.
-.TP
-.B "\-\-integrity\-no\-journal"
-Activate device with integrity protection without using data journal (direct
-write of data and integrity tags).
-Note that without journal power fail can cause non-atomic write and data corruption.
-Use only if journalling is performed on a different storage layer.
-.TP
-.B "\-\-integrity\-no\-wipe"
-Skip wiping of device authentication (integrity) tags. If you skip this
-step, sectors will report invalid integrity tag until an application write
-to the sector.
-
-\fBNOTE:\fR Even some writes to the device can fail if the write is not
-aligned to page size and page-cache initiates read of a sector with invalid
-integrity tag.
-.TP
-.B "\-\-unbound"
-
-Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
-\fIluksDump\fR actions for more details.
-
-.TP
-.B "\-\-tcrypt\-hidden"
-.B "\-\-tcrypt\-system"
-.B "\-\-tcrypt\-backup"
-Specify which TrueCrypt on-disk header will be used to open the device.
-See \fITCRYPT\fR section for more info.
-.TP
-.B "\-\-veracrypt"
-This option is ignored as VeraCrypt compatible mode is supported by default.
-.TP
-.B "\-\-disable\-veracrypt"
-This option can be used to disable VeraCrypt compatible mode (only TrueCrypt devices
-are recognized).
Only for TCRYPT extension. See \fITCRYPT\fR section for more info.
-.TP
-.B "\-\-veracrypt\-pim"
-.B "\-\-veracrypt\-query\-pim"
-Use a custom Personal Iteration Multiplier (PIM) for VeraCrypt device.
-See \fITCRYPT\fR section for more info.
-.TP
-.B "\-\-serialize\-memory\-hard\-pbkdf"
-Use a global lock to serialize unlocking of keyslots using memory-hard PBKDF.
-
-\fBNOTE:\fR This is (ugly) workaround for a specific situation when multiple
-devices are activated in parallel and system instead of reporting out of memory
-starts unconditionally stop processes using out-of-memory killer.
-
-\fBDO NOT USE\fR this switch until you are implementing boot environment
-with parallel devices activation!
-.TP
-.B "\-\-encrypt"
-Initialize (and run) device encryption (\fIreencrypt\fR action parameter)
-.TP
-.B "\-\-decrypt"
-Initialize (and run) device decryption (\fIreencrypt\fR action parameter)
-.TP
-.B "\-\-init\-only"
-Initialize reencryption (any variant) operation in LUKS2 metadata only and exit. If any
-reencrypt operation is already initialized in metadata, the command with \-\-init\-only
-parameter fails.
-.TP
-.B "\-\-resume\-only"
-Resume reencryption (any variant) operation already described in LUKS2 metadata. If no
-reencrypt operation is initialized, the command with \-\-resume\-only
-parameter fails. Useful for resuming reencrypt operation without accidentally triggering
-new reencryption operation.
-.TP
-.B "\-\-resilience <mode>"
-Reencryption resilience mode can be one of \fIchecksum\fR, \fIjournal\fR or \fInone\fR.
-
-\fIchecksum\fR: default mode, where individual checksums of ciphertext hotzone sectors are stored,
-so the recovery process can detect which sectors were already reencrypted.
-It requires that the device sector write is atomic.
-
-\fIjournal\fR: the hotzone is journaled in the binary area (so the data are written twice).
-
-\fInone\fR: performance mode.
There is no protection and the only way it's safe to interrupt -the reencryption is similar to old offline reencryption utility. (ctrl+c). - -The option is ignored if reencryption with datashift mode is in progress. -.TP -.B "\-\-resilience-hash <hash>" -The hash algorithm used with "\-\-resilience checksum" only. -The default hash is sha256. With other resilience modes, the hash parameter is ignored. -.TP -.B "\-\-hotzone-size <size>" -This option can be used to set an upper limit on the size of reencryption area (hotzone). -The <size> can be specified with unit suffix (for example 50M). Note that actual hotzone -size may be less than specified <size> due to other limitations (free space in keyslots area or -available memory). -.TP -.B "\-\-reduce\-device\-size <size>" -Initialize LUKS2 reencryption with data device size reduction -(currently only \-\-encrypt variant is supported). - -Last <size> sectors of <device> will be used to properly initialize device reencryption. -That means any data at last <size> sectors will be lost. - -It could be useful if you added some space to underlying partition or logical volume -(so last <size> sectors contains no data). - -Recommended minimal size is twice the default LUKS2 header size (\-\-reduce\-device\-size 32M) -for \-\-encrypt use case. Be sure to have enough (at least \-\-reduce\-device\-size value - of free space at the end of <device>). - -WARNING: This is a destructive operation and cannot be reverted. -Use with extreme care - accidentally overwritten filesystems are usually unrecoverable. -.TP -.B "\-\-version" -Show the program version. -.TP -.B "\-\-usage" -Show short option help. -.TP -.B "\-\-help, \-?" -Show help text and default parameters. -.SH EXAMPLE -.TP -Example 1: Create LUKS 2 container on block device /dev/sdX. -sudo cryptsetup --type luks2 luksFormat /dev/sdX -.TP -Example 2: Add an additional passphrase to key slot 5. 
-sudo cryptsetup luksAddKey --key-slot 5 /dev/sdX -.TP -Example 3: Create LUKS header backup and save it to file. -sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file /var/tmp/NameOfBackupFile -.TP -Example 4: Open LUKS container on /dev/sdX and map it to sdX_crypt. -sudo cryptsetup open /dev/sdX sdX_crypt -.TP -.B WARNING: The command in example 5 will erase all key slots. -Your cannot use your luks container afterwards anymore unless you have a backup to restore. -.TP -Example 5: Erase all key slots on /dev/sdX. -sudo cryptsetup erase /dev/sdX -.TP -Example 6: Restore LUKS header from backup file. -sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file /var/tmp/NameOfBackupFile -.SH RETURN CODES -Cryptsetup returns 0 on success and a non-zero value on error. - -Error codes are: 1 wrong parameters, 2 no permission (bad passphrase), -3 out of memory, 4 wrong device specified, 5 device already exists -or device is busy. -.SH NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE -Note that no iterated hashing or salting is done in plain mode. -If hashing is done, it is a single direct hash. This means that -low-entropy passphrases are easy to attack in plain mode. - -\fBFrom a terminal\fR: The passphrase is read until the -first newline, i.e. '\\n'. -The input without the newline character is processed with -the default hash or the hash specified with \-\-hash. -The hash result will be truncated to the key size -of the used cipher, or the size specified with \-s. - -\fBFrom stdin\fR: Reading will continue until a newline (or until -the maximum input size is reached), with the trailing newline -stripped. The maximum input size is defined by the same -compiled-in default as for the maximum key file size and can -be overwritten using \-\-keyfile-size option. - -The data read will be hashed with the default hash -or the hash specified with \-\-hash. -The hash result will be truncated to the key size -of the used cipher, or the size specified with \-s. 
- -Note that if \-\-key-file=- is used for reading the key -from stdin, trailing newlines are not stripped from the input. - -If "plain" is used as argument to \-\-hash, the input -data will not be hashed. Instead, it will be zero padded (if -shorter than the key size) or truncated (if longer than the -key size) and used directly as the binary key. This is useful for -directly specifying a binary key. -No warning will be given if the amount of data read from stdin is -less than the key size. - -\fBFrom a key file\fR: It will be truncated to the -key size of the used cipher or the size given by \-s -and directly used as a binary key. - -\fBWARNING\fR: The \-\-hash argument is being ignored. -The \-\-hash option is usable only for stdin input in plain mode. - -If the key file is shorter than the key, cryptsetup -will quit with an error. -The maximum input size is defined by the same -compiled-in default as for the maximum key file size and can -be overwritten using \-\-keyfile-size option. - - -.SH NOTES ON PASSPHRASE PROCESSING FOR LUKS -LUKS uses PBKDF2 to protect against dictionary attacks -and to give some protection to low-entropy passphrases -(see RFC 2898 and the cryptsetup FAQ). - -\fBFrom a terminal\fR: The passphrase is read until the -first newline and then processed by PBKDF2 without -the newline character. - -\fBFrom stdin\fR: -LUKS will read passphrases from stdin up to the -first newline character or the compiled-in -maximum key file length. If \-\-keyfile\-size is -given, it is ignored. - -\fBFrom key file\fR: -The complete keyfile is read up to the compiled-in -maximum size. Newline characters do not terminate the -input. The \-\-keyfile\-size option can be used to limit -what is read. - -\fBPassphrase processing\fR: -Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), -the user may specify how much the time the passphrase processing -should consume. 
The time is used to determine the iteration count -for PBKDF2 and higher times will offer better protection for -low-entropy passphrases, but open will take longer to -complete. For passphrases that have entropy higher than the -used key length, higher iteration times will not increase security. - -The default setting of one or two seconds is sufficient for most -practical cases. The only exception is a low-entropy -passphrase used on a device with a slow CPU, as this will -result in a low iteration count. On a slow device, it may -be advisable to increase the iteration time using the -\-\-iter\-time option in order to obtain a higher -iteration count. This does slow down all later luksOpen -operations accordingly. -.SH INCOHERENT BEHAVIOR FOR INVALID PASSPHRASES/KEYS -LUKS checks for a valid passphrase when an encrypted partition -is unlocked. The behavior of plain dm-crypt is different. -It will always decrypt with the passphrase given. If the -given passphrase is wrong, the device mapped by plain -dm-crypt will essentially still contain encrypted data and -will be unreadable. -.SH NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES -The available combinations of ciphers, modes, hashes and key sizes -depend on kernel support. See /proc/crypto for a list of available -options. You might need to load additional kernel crypto modules -in order to get more options. - -For the \-\-hash option, if the crypto backend is libgcrypt, -then all algorithms supported by the gcrypt library are available. -For other crypto backends, some algorithms may be missing. -.SH NOTES ON PASSPHRASES -Mathematics can't be bribed. Make sure you keep your passphrases safe. -There are a few nice tricks for constructing a fallback, when suddenly -out of the blue, your brain refuses to cooperate. -These fallbacks need LUKS, as it's only possible with LUKS -to have multiple passphrases. 
Still, if your attacker model does -not prevent it, storing your passphrase in a sealed envelope somewhere -may be a good idea as well. -.SH NOTES ON RANDOM NUMBER GENERATORS -Random Number Generators (RNG) used in cryptsetup are always the -kernel RNGs without any modifications or additions to data stream -produced. - -There are two types of randomness cryptsetup/LUKS needs. One type -(which always uses /dev/urandom) is used for salts, the AF splitter -and for wiping deleted keyslots. - -The second type is used for the volume (master) key. You can switch -between using /dev/random and /dev/urandom here, see -\fP\-\-use\-random\fR and \fP\-\-use\-urandom\fR -options. Using /dev/random on a system without enough entropy sources -can cause \fPluksFormat\fR to block until the requested amount of -random data is gathered. In a low-entropy situation (embedded system), -this can take a very long time and potentially forever. At the same -time, using /dev/urandom in a low-entropy situation will -produce low-quality keys. This is a serious problem, but solving -it is out of scope for a mere man-page. -See \fPurandom(4)\fR for more information. -.SH AUTHENTICATED DISK ENCRYPTION (EXPERIMENTAL) -Since Linux kernel version 4.12 dm-crypt supports authenticated -disk encryption. - -Normal disk encryption modes are length-preserving (plaintext sector -is of the same size as a ciphertext sector) and can provide only -confidentiality protection, but not cryptographically sound -data integrity protection. - -Authenticated modes require additional space per-sector for -authentication tag and use Authenticated Encryption with Additional -Data (AEAD) algorithms. - -If you configure LUKS2 device with data integrity protection, -there will be an underlying dm-integrity device, which provides -additional per-sector metadata space and also provide data -journal protection to ensure atomicity of data and metadata update. 
-Because there must be additional space for metadata and journal, -the available space for the device will be smaller than for -length-preserving modes. - -The dm-crypt device then resides on top of such a dm-integrity device. -All activation and deactivation of this device stack is performed -by cryptsetup, there is no difference in using \fIluksOpen\fR -for integrity protected devices. -If you want to format LUKS2 device with data integrity protection, -use \fI\-\-integrity\fR option. - -Since dm-integrity doesn't support discards (TRIM), dm-crypt device on top of it -inherits this, so integrity protection mode doesn't support discards either. - -Some integrity modes requires two independent keys (key for encryption -and for authentication). Both these keys are stored in one LUKS keyslot. - -\fBWARNING:\fR All support for authenticated modes is experimental -and there are only some modes available for now. Note that there -are a very few authenticated encryption algorithms that are suitable -for disk encryption. You also cannot use CRC32 or any other non-cryptographic -checksums (other than the special integrity mode "none"). If for some reason -you want to have integrity control without using authentication mode, then you -should separately configure dm-integrity independently of LUKS2. - -.SH NOTES ON LOOPBACK DEVICE USE -Cryptsetup is usually used directly on a block device (disk -partition or LVM volume). However, if the device argument is a -file, cryptsetup tries to allocate a loopback device -and map it into this file. This mode requires Linux kernel 2.6.25 -or more recent which supports the loop autoclear flag (loop device is -cleared on the last close automatically). Of course, you can -always map a file to a loop-device manually. See the -cryptsetup FAQ for an example. - -When device mapping is active, you can see the loop backing file in -the status command output. Also see losetup(8). 
-.SH LUKS2 header locking
-.PP
-The LUKS2 on-disk metadata is updated in several steps and
-to achieve proper atomic update, there is a locking mechanism.
-For an image in file, code uses \fIflock(2)\fR system call.
-For a block device, lock is performed over a special file stored
-in a locking directory (by default \fI/run/lock/cryptsetup\fR).
-The locking directory should be created with the proper security
-context by the distribution during the boot-up phase.
-Only LUKS2 uses locks, other formats do not use this mechanism.
-.SH DEPRECATED ACTIONS
-.PP
-The \fIreload\fR action is no longer supported.
-Please use \fIdmsetup(8)\fR if you need to
-directly manipulate with the device mapping table.
-.PP
-The \fIluksDelKey\fR was replaced with \fIluksKillSlot\fR.
-.PP
-.SH REPORTING BUGS
-Report bugs, including ones in the documentation, on
-the cryptsetup mailing list at <dm-crypt@saout.de>
-or in the 'Issues' section on LUKS website.
-Please attach the output of the failed command with the
-\-\-debug option added.
-.SH AUTHORS
-cryptsetup originally written by Jana Saout <jana@saout.de>
-.br
-The LUKS extensions and original man page were written by
-Clemens Fruhwirth <clemens@endorphin.org>.
-.br
-Man page extensions by Milan Broz <gmazyland@gmail.com>.
-.br
-Man page rewrite and extension by Arno Wagner <arno@wagner.name>.
-.SH COPYRIGHT
-Copyright \(co 2004 Jana Saout
-.br
-Copyright \(co 2004-2006 Clemens Fruhwirth
-.br
-Copyright \(co 2012-2014 Arno Wagner
-.br
-Copyright \(co 2009-2021 Red Hat, Inc.
-.br
-Copyright \(co 2009-2021 Milan Broz
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-.SH SEE ALSO
-The LUKS website at \fBhttps://gitlab.com/cryptsetup/cryptsetup/\fR
-
-The cryptsetup FAQ, contained in the distribution package and
-online at
-\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions\fR
-
-The cryptsetup mailing list and list archive, see FAQ entry 1.6.
-
-The LUKS version 1 on-disk format specification available at
-\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/Specification\fR and
-LUKS version 2 at \fBhttps://gitlab.com/cryptsetup/LUKS2-docs\fR.
diff --git a/man/cryptsetup.8.adoc b/man/cryptsetup.8.adoc
new file mode 100644
index 0000000..ddd3a12
--- /dev/null
+++ b/man/cryptsetup.8.adoc
@@ -0,0 +1,729 @@
+= cryptsetup(8)
+:doctype: manpage
+:manmanual: Maintenance Commands
+:mansource: cryptsetup {release-version}
+:man-linkstyle: pass:[blue R < >]
+
+== Name
+
+cryptsetup - manage plain dm-crypt, LUKS, and other encrypted volumes
+
+== SYNOPSIS
+
+*cryptsetup <action> [<options>] <action args>*
+
+== DESCRIPTION
+
+cryptsetup is used to conveniently setup dm-crypt managed device-mapper
+mappings. These include plain dm-crypt volumes and LUKS volumes. The
+difference is that LUKS uses a metadata header and can hence offer more
+features than plain dm-crypt. On the other hand, the header is visible
+and vulnerable to damage.
+
+In addition, cryptsetup provides limited support for the use of loop-AES
+volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes.
+
+For more information about specific cryptsetup action see
+*cryptsetup-<action>*(8), where *<action>* is the name of the
+cryptsetup action.
+
+== BASIC ACTIONS
+
+The following are valid actions for all supported device types.
+
+=== OPEN
+*open <device> <name> --type <device_type>*
+
+Opens (creates a mapping with) <name> backed by device <device>.
+
+See *cryptsetup-open*(8).
+
+=== CLOSE
+*close <name>*
+
+Removes the existing mapping <name> and wipes the key from kernel memory.
+
+See *cryptsetup-close*(8).
+
+=== STATUS
+*status <name>*
+
+Reports the status for the mapping <name>.
+
+See *cryptsetup-status*(8).
+
+=== RESIZE
+*resize <name>*
+
+Resizes an active mapping <name>.
+
+See *cryptsetup-resize*(8).
+
+=== REFRESH
+*refresh <name>*
+
+Refreshes parameters of active mapping <name>.
+
+See *cryptsetup-refresh*(8).
+
+=== REENCRYPT
+*reencrypt <device> or --active-name <name> [<new_name>]*
+
+Run LUKS device reencryption.
+
+See *cryptsetup-reencrypt*(8).
+
+== PLAIN MODE
+
+Plain dm-crypt encrypts the device sector-by-sector with a single,
+non-salted hash of the passphrase. No checks are performed, no metadata
+is used. There is no formatting operation.
When the raw device is mapped +(opened), the usual device operations can be used on the mapped device, +including filesystem creation. Mapped devices usually reside in +/dev/mapper/<name>. + +The following are valid plain device type actions: + +=== OPEN +*open --type plain <device> <name>* + +create <name> <device> (*OBSOLETE syntax*) + +Opens (creates a mapping with) <name> backed by device <device>. + +See *cryptsetup-open*(8). + +== LUKS EXTENSION + +LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It +adds a standardized header at the start of the device, a key-slot area +directly behind the header and the bulk data area behind that. The whole +set is called a 'LUKS container'. The device that a LUKS container +resides on is called a 'LUKS device'. For most purposes, both terms can +be used interchangeably. But note that when the LUKS header is at a +nonzero offset in a device, then the device is not a LUKS device +anymore, but has a LUKS container stored in it at an offset. + +LUKS can manage multiple passphrases that can be individually revoked or +changed and that can be securely scrubbed from persistent media due to +the use of anti-forensic stripes. Passphrases are protected against +brute-force and dictionary attacks by Password-Based Key Derivation +Function (PBKDF). + +LUKS2 is a new version of header format that allows additional +extensions like different PBKDF algorithm or authenticated encryption. +You can format device with LUKS2 header if you specify *--type luks2* in +*luksFormat* command. For activation, the format is already recognized +automatically. + +Each passphrase, also called a *key* in this document, is associated +with one of 8 key-slots. Key operations that do not specify a slot +affect the first slot that matches the supplied passphrase or the first +empty slot if a new passphrase is added. + +The *<device>* parameter can also be specified by a LUKS UUID in the +format UUID=<uuid>. 
Translation to real device name uses symlinks in +/dev/disk/by-uuid directory. + +To specify a detached header, the *--header* parameter can be used in +all LUKS commands and always takes precedence over the positional +*<device>* parameter. + +The following are valid LUKS actions: + +=== FORMAT +*luksFormat <device> [<key file>]* + +Initializes a LUKS partition and sets the initial passphrase (for key-slot 0). + +See *cryptsetup-luksFormat*(8). + +=== OPEN +*open --type luks <device> <name>* + +luksOpen <device> <name> (*old syntax*) + +Opens the LUKS device <device> and sets up a mapping <name> after +successful verification of the supplied passphrase. + +See *cryptsetup-open*(8). + +=== SUSPEND +*luksSuspend <name>* + +Suspends an active device (all IO operations will block and accesses to +the device will wait indefinitely) and wipes the encryption key from +kernel memory. + +See *cryptsetup-luksSuspend*(8). + +=== RESUME +*luksResume <name>* + +Resumes a suspended device and reinstates the encryption key. + +See *cryptsetup-luksResume*(8). + +=== ADD KEY +*luksAddKey <device> [<key file with new key>]* + +Adds a new passphrase using an existing passphrase. + +See *cryptsetup-luksAddKey*(8). + +=== REMOVE KEY +*luksRemoveKey <device> [<key file with passphrase to be removed>]* + +Removes the supplied passphrase from the LUKS device. + +See *cryptsetup-luksRemoveKey*(8). + +=== CHANGE KEY +*luksChangeKey <device> [<new key file>]* + +Changes an existing passphrase. + +See *cryptsetup-luksChangeKey*(8). + +=== CONVERT KEY +*luksConvertKey <device>* + +Converts an existing LUKS2 keyslot to new PBKDF parameters. + +See *cryptsetup-luksConvertKey*(8). + +=== KILL SLOT +*luksKillSlot <device> <key slot number>* + +Wipe the key-slot number <key slot> from the LUKS device. + +See *cryptsetup-luksKillSlot*(8). + +=== ERASE +*erase <device>* + +luksErase <device> (*old syntax*) + +Erase all keyslots and make the LUKS container permanently inaccessible. 
+ +See *cryptsetup-erase*(8). + +=== UUID +*luksUUID <device>* + +Print or set the UUID of a LUKS device. + +See *cryptsetup-luksUUID*(8). + +=== IS LUKS +*isLuks <device>* + +Returns true, if <device> is a LUKS device, false otherwise. + +See *cryptsetup-isLuks*(8). + +=== DUMP +*luksDump <device>* + +Dump the header information of a LUKS device. + +See *cryptsetup-luksDump*(8). + +=== HEADER BACKUP +*luksHeaderBackup <device> --header-backup-file <file>* + +Stores a binary backup of the LUKS header and keyslot area. + +See *cryptsetup-luksHeaderBackup*(8). + +=== HEADER RESTORE +*luksHeaderRestore <device> --header-backup-file <file>* + +Restores a binary backup of the LUKS header and keyslot area from the +specified file. + +See *cryptsetup-luksHeaderRestore*(8). + +=== TOKEN +*token <add|remove|import|export> <device>* + +Manipulate token objects used for obtaining passphrases. + +See *cryptsetup-token*(8). + +=== CONVERT +*convert <device> --type <format>* + +Converts the device between LUKS1 and LUKS2 format (if possible). + +See *cryptsetup-convert*(8). + +=== CONFIG +*config <device>* + +Set permanent configuration options (store to LUKS header). + +See *cryptsetup-config*(8). + +== loop-AES EXTENSION + +cryptsetup supports mapping loop-AES encrypted partition using a +compatibility mode. + +=== OPEN +*open --type loopaes <device> <name> --key-file <keyfile>* + +loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*) + +Opens the loop-AES <device> and sets up a mapping <name>. + +See *cryptsetup-open*(8). + +See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES] +for more information regarding loop-AES. + +== TCRYPT (TrueCrypt and VeraCrypt compatible) EXTENSION + +cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt encrypted +partition using a native Linux kernel API. Header formatting and TCRYPT +header change is not supported, cryptsetup never changes TCRYPT header +on-device. 
+ +TCRYPT extension requires kernel userspace crypto API to be available +(introduced in Linux kernel 2.6.38). If you are configuring kernel +yourself, enable "User-space interface for symmetric key cipher +algorithms" in "Cryptographic API" section +(CRYPTO_USER_API_SKCIPHER .config option). + +Because TCRYPT header is encrypted, you have to always provide valid +passphrase and keyfiles. + +Cryptsetup should recognize all header variants, except legacy cipher +chains using LRW encryption mode with 64 bits encryption block (namely +Blowfish in LRW mode is not recognized, this is limitation of kernel +crypto API). + +VeraCrypt is extension of TrueCrypt header with increased iteration +count so unlocking can take quite a lot of time. + +To open a VeraCrypt device with a custom Personal Iteration Multiplier +(PIM) value, use either the *--veracrypt-pim=<PIM>* option to directly +specify the PIM on the command- line or use *--veracrypt-query-pim* to +be prompted for the PIM. + +The PIM value affects the number of iterations applied during key +derivation. Please refer to +https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html[PIM] +for more detailed information. + +If you need to disable VeraCrypt device support, use +*--disable-veracrypt* option. + +*NOTE:* Activation with *tcryptOpen* is supported only for cipher chains +using LRW or XTS encryption modes. + +The *tcryptDump* command should work for all recognized TCRYPT devices +and doesn't require superuser privilege. + +To map system device (device with boot loader where the whole encrypted +system resides) use *--tcrypt-system* option. You can use partition +device as the parameter (parameter must be real partition device, not an +image in a file), then only this partition is mapped. 
+ +If you have the whole TCRYPT device as a file image and you want to map +multiple partition encrypted with system encryption, please create +loopback mapping with partitions first (*losetup -P*, see *losetup(8)* +man page for more info), and use loop partition as the device parameter. + +If you use the whole base device as a parameter, one device for the +whole system encryption is mapped. This mode is available only for +backward compatibility with older cryptsetup versions which mapped +TCRYPT system encryption using the whole device. + +To use hidden header (and map hidden device, if available), use +*--tcrypt-hidden* option. + +To explicitly use backup (secondary) header, use *--tcrypt-backup* +option. + +*NOTE:* There is no protection for a hidden volume if the outer volume +is mounted. The reason is that if there were any protection, it would +require some metadata describing what to protect in the outer volume and +the hidden volume would become detectable. + +=== OPEN +*open --type tcrypt <device> <name>* + +tcryptOpen_ <device> <name> (*old syntax*) + +Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping +<name>. + +See *cryptsetup-open*(8). + +=== DUMP +*tcryptDump <device>* + +Dump the header information of a TCRYPT device. + +See *cryptsetup-tcryptDump*(8). + +See also https://en.wikipedia.org/wiki/TrueCrypt[*TrueCrypt*] and +https://en.wikipedia.org/wiki/VeraCrypt[*VeraCrypt*] pages for more information. + +Please note that cryptsetup does not use TrueCrypt or VeraCrypt code, please +report all problems related to this compatibility extension to the cryptsetup +project. + +== BITLK (Windows BitLocker compatible) EXTENSION + +cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted +partition using a native Linux kernel API. Header formatting and BITLK +header changes are not supported, cryptsetup never changes BITLK header +on-device. 
+ +BITLK extension requires kernel userspace crypto API to be available +(for details see TCRYPT section). + +Cryptsetup should recognize all BITLK header variants, except legacy +header used in Windows Vista systems and partially decrypted BitLocker +devices. Activation of legacy devices encrypted in CBC mode requires at +least Linux kernel version 5.3 and for devices using Elephant diffuser +kernel 5.6. + +The *bitlkDump* command should work for all recognized BITLK devices and +doesn't require superuser privilege. + +For unlocking with the *open* a password or a recovery passphrase or a +startup key must be provided. + +Additionally unlocking using volume key is supported. You must provide +BitLocker Full Volume Encryption Key (FVEK) using the --volume-key-file +option. The key must be decrypted and without the header (only +128/256/512 bits of key data depending on used cipher and mode). + +Other unlocking methods (TPM, SmartCard) are not supported. + +=== OPEN +*open --type bitlk <device> <name>* + +bitlkOpen <device> <name> (*old syntax*) + +Opens the BITLK (a BitLocker-compatible) <device> and sets up a mapping +<name>. + +See *cryptsetup-open*(8). + +=== DUMP +*bitlkDump <device>* + +Dump the header information of a BITLK device. + +See *cryptsetup-bitlkDump*(8). + +Please note that cryptsetup does not use any Windows BitLocker code, +please report all problems related to this compatibility extension to +the cryptsetup project. + +== FVAULT2 (Apple macOS FileVault2 compatible) EXTENSION + +cryptsetup supports the mapping of FileVault2 (FileVault2 full-disk +encryption) by Apple for the macOS operating system using a native Linux +kernel API. + +*NOTE:* cryptsetup supports only FileVault2 based on Core Storage and HFS+ +filesystem (introduced in MacOS X 10.7 Lion). +It does NOT support the new version of FileVault based on the APFS +filesystem used in recent macOS versions. 
+ +Header formatting and FVAULT2 header changes are not supported; +cryptsetup never changes the FVAULT2 header on-device. + +FVAULT2 extension requires kernel userspace crypto API to be available +(for details, see TCRYPT section) and kernel driver for HFS+ (hfsplus) +filesystem. + +Cryptsetup should recognize the basic configuration for portable drives. + +The *fvault2Dump* command should work for all recognized FVAULT2 devices +and doesn't require superuser privilege. + +For unlocking with the *open*, a password must be provided. +Other unlocking methods are not supported. + +=== OPEN +*open --type fvault2 <device> <name>* + +fvault2Open <device> <name> (*old syntax*) + +Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second +partition on the device) and sets up a mapping <name>. + +See *cryptsetup-open*(8). + +=== DUMP +*fvault2Dump <device>* + +Dump the header information of an FVAULT2 device. + +See *cryptsetup-fvault2Dump*(8). + +Note that cryptsetup does not use any macOS code or proprietary +specifications. Please report all problems related to this compatibility +extension to the cryptsetup project. + +== MISCELLANEOUS ACTIONS + +=== REPAIR +*repair <device>* + +Tries to repair the device metadata if possible. Currently supported +only for LUKS device type. + +See *cryptsetup-repair*(8). + +=== BENCHMARK +*benchmark <options>* + +Benchmarks ciphers and KDF (key derivation function). + +See *cryptsetup-benchmark*(8). + +== PLAIN DM-CRYPT OR LUKS? + +Unless you understand the cryptographic background well, use LUKS. With +plain dm-crypt there are a number of possible user errors that massively +decrease security. While LUKS cannot fix them all, it can lessen the +impact for many of them. + +== WARNINGS + +A lot of good information on the risks of using encrypted storage, on +handling problems and on security aspects can be found in the +Cryptsetup FAQ. Read it. Nonetheless, some risks deserve to be +mentioned here. 
+ +*Backup:* Storage media die. Encryption has no influence on that. Backup +is mandatory for encrypted data as well, if the data has any worth. See +the Cryptsetup FAQ for advice on how to do a backup of an encrypted +volume. + +*Character encoding:* If you enter a passphrase with special symbols, +the passphrase can change depending on character encoding. Keyboard +settings can also change, which can make blind input hard or impossible. +For example, switching from some ASCII 8-bit variant to UTF-8 can lead +to a different binary encoding and hence different passphrase seen by +cryptsetup, even if what you see on the terminal is exactly the same. It +is therefore highly recommended to select passphrase characters only +from 7-bit ASCII, as the encoding for 7-bit ASCII stays the same for all +ASCII variants and UTF-8. + +*LUKS header:* If the header of a LUKS volume gets damaged, all data is +permanently lost unless you have a header-backup. If a key-slot is +damaged, it can only be restored from a header-backup or if another +active key-slot with known passphrase is undamaged. Damaging the LUKS +header is something people manage to do with surprising frequency. This +risk is the result of a trade-off between security and safety, as LUKS +is designed for fast and secure wiping by just overwriting header and +key-slot area. + +*Previously used partitions:* If a partition was previously used, it is +a very good idea to wipe filesystem signatures, data, etc. before +creating a LUKS or plain dm-crypt container on it. For a quick removal +of filesystem signatures, use *wipefs*(8). Take care though that this may +not remove everything. In particular, MD RAID signatures at the end of a +device may survive. It also does not remove data. For a full wipe, +overwrite the whole partition before container creation. If you do not +know how to do that, the cryptsetup FAQ describes several options. 
+ +== EXAMPLES + +Example 1: Create LUKS 2 container on block device /dev/sdX.:: + sudo cryptsetup --type luks2 luksFormat /dev/sdX +Example 2: Add an additional passphrase to key slot 5.:: + sudo cryptsetup luksAddKey --key-slot 5 /dev/sdX +Example 3: Create LUKS header backup and save it to file.:: + sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file + /var/tmp/NameOfBackupFile +Example 4: Open LUKS container on /dev/sdX and map it to sdX_crypt.:: + sudo cryptsetup open /dev/sdX sdX_crypt +*WARNING: The command in example 5 will erase all key slots.*:: + Your cannot use your LUKS container afterward anymore unless you have + a backup to restore. +Example 5: Erase all key slots on /dev/sdX.:: + sudo cryptsetup erase /dev/sdX +Example 6: Restore LUKS header from backup file.:: + sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file + /var/tmp/NameOfBackupFile + +== RETURN CODES + +Cryptsetup returns *0* on success and a non-zero value on error. + +Error codes are: *1* wrong parameters, *2* no permission (bad passphrase), +*3* out of memory, *4* wrong device specified, *5* device already exists +or device is busy. + +== NOTES + +=== Passphrase processing for PLAIN mode + +Note that no iterated hashing or salting is done in plain mode. If +hashing is done, it is a single direct hash. This means that low-entropy +passphrases are easy to attack in plain mode. + +*From a terminal*: The passphrase is read until the first newline, i.e. +'\n'. The input without the newline character is processed with the +default hash or the hash specified with --hash. The hash result will be +truncated to the key size of the used cipher, or the size specified with +-s. + +*From stdin*: Reading will continue until a newline (or until the +maximum input size is reached), with the trailing newline stripped. The +maximum input size is defined by the same compiled-in default as for the +maximum key file size and can be overwritten using --keyfile-size +option. 
+ +The data read will be hashed with the default hash or the hash specified +with --hash. The hash result will be truncated to the key size of the +used cipher, or the size specified with -s. + +Note that if --key-file=- is used for reading the key from stdin, +trailing newlines are not stripped from the input. + +If "plain" is used as argument to --hash, the input data will not be +hashed. Instead, it will be zero padded (if shorter than the key size) +or truncated (if longer than the key size) and used directly as the +binary key. This is useful for directly specifying a binary key. No +warning will be given if the amount of data read from stdin is less than +the key size. + +*From a key file*: It will be truncated to the key size of the used +cipher or the size given by -s and directly used as a binary key. + +*WARNING*: The --hash argument is being ignored. The --hash option is +usable only for stdin input in plain mode. + +If the key file is shorter than the key, cryptsetup will quit with an +error. The maximum input size is defined by the same compiled-in default +as for the maximum key file size and can be overwritten using +--keyfile-size option. + +=== Passphrase processing for LUKS + +LUKS uses PBKDF to protect against dictionary attacks and to give some +protection to low-entropy passphrases (see cryptsetup FAQ). + +*From a terminal*: The passphrase is read until the first newline and +then processed by PBKDF2 without the newline character. + +*From stdin*: LUKS will read passphrases from stdin up to the first +newline character or the compiled-in maximum key file length. If +--keyfile-size is given, it is ignored. + +*From key file*: The complete keyfile is read up to the compiled-in +maximum size. Newline characters do not terminate the input. The +--keyfile-size option can be used to limit what is read. 
+ +*Passphrase processing*: Whenever a passphrase is added to a LUKS header +(luksAddKey, luksFormat), the user may specify how much the time the +passphrase processing should consume. The time is used to determine the +iteration count for PBKDF2 and higher times will offer better protection +for low-entropy passphrases, but open will take longer to complete. For +passphrases that have entropy higher than the used key length, higher +iteration times will not increase security. + +The default setting of one or two seconds is sufficient for most +practical cases. The only exception is a low-entropy passphrase used on +a device with a slow CPU, as this will result in a low iteration count. +On a slow device, it may be advisable to increase the iteration time +using the --iter-time option in order to obtain a higher iteration +count. This does slow down all later luksOpen operations accordingly. + +=== Incoherent behavior for invalid passphrases/keys + +LUKS checks for a valid passphrase when an encrypted partition is +unlocked. The behavior of plain dm-crypt is different. It will always +decrypt with the passphrase given. If the given passphrase is wrong, the +device mapped by plain dm-crypt will essentially still contain encrypted +data and will be unreadable. + +=== Supported ciphers, modes, hashes and key sizes + +The available combinations of ciphers, modes, hashes and key sizes +depend on kernel support. See /proc/crypto for a list of available +options. You might need to load additional kernel crypto modules in +order to get more options. + +For the --hash option, if the crypto backend is libgcrypt, then all +algorithms supported by the gcrypt library are available. For other +crypto backends, some algorithms may be missing. + +=== Notes on passphrases + +Mathematics can't be bribed. Make sure you keep your passphrases safe. +There are a few nice tricks for constructing a fallback, when suddenly +out of the blue, your brain refuses to cooperate. 
These fallbacks need +LUKS, as it's only possible with LUKS to have multiple passphrases. +Still, if your attacker model does not prevent it, storing your +passphrase in a sealed envelope somewhere may be a good idea as well. + +=== Notes on Random Number Generators + +Random Number Generators (RNG) used in cryptsetup are always the kernel +RNGs without any modifications or additions to data stream produced. + +There are two types of randomness cryptsetup/LUKS needs. One type (which +always uses /dev/urandom) is used for salts, the AF splitter and for +wiping deleted keyslots. + +The second type is used for the volume key. You can switch between using +/dev/random and /dev/urandom here, see *--use-random* and +*--use-urandom* options. Using /dev/random on a system without enough +entropy sources can cause *luksFormat* to block until the requested +amount of random data is gathered. In a low-entropy situation (embedded +system), this can take a very long time and potentially forever. At the +same time, using /dev/urandom in a low-entropy situation will produce +low-quality keys. This is a serious problem, but solving it is out of +scope for a mere man-page. See *urandom(4)* for more information. + +=== Authenticated disk encryption (EXPERIMENTAL) + +Since Linux kernel version 4.12 dm-crypt supports authenticated disk +encryption. + +Normal disk encryption modes are length-preserving (plaintext sector is +of the same size as a ciphertext sector) and can provide only +confidentiality protection, but not cryptographically sound data +integrity protection. + +Authenticated modes require additional space per-sector for +authentication tag and use Authenticated Encryption with Additional Data +(AEAD) algorithms. + +If you configure LUKS2 device with data integrity protection, there will +be an underlying dm-integrity device, which provides additional +per-sector metadata space and also provide data journal protection to +ensure atomicity of data and metadata update. 
Because there must be +additional space for metadata and journal, the available space for the +device will be smaller than for length-preserving modes. + +The dm-crypt device then resides on top of such a dm-integrity device. +All activation and deactivation of this device stack is performed by +cryptsetup, there is no difference in using *luksOpen* for integrity +protected devices. If you want to format LUKS2 device with data +integrity protection, use *--integrity* option. + +Since dm-integrity doesn't support discards (TRIM), dm-crypt device on +top of it inherits this, so integrity protection mode doesn't support +discards either. + +Some integrity modes requires two independent keys (key for encryption +and for authentication). Both these keys are stored in one LUKS keyslot. + +*WARNING:* All support for authenticated modes is experimental and there +are only some modes available for now. Note that there are a very few +authenticated encryption algorithms that are suitable for disk +encryption. You also cannot use CRC32 or any other non-cryptographic +checksums (other than the special integrity mode "none"). If for some +reason you want to have integrity control without using authentication +mode, then you should separately configure dm-integrity independently of +LUKS2. + +=== Notes on loopback device use + +Cryptsetup is usually used directly on a block device (disk partition or +LVM volume). However, if the device argument is a file, cryptsetup tries +to allocate a loopback device and map it into this file. This mode +requires Linux kernel 2.6.25 or more recent which supports the loop +autoclear flag (loop device is cleared on the last close automatically). +Of course, you can always map a file to a loop-device manually. See the +cryptsetup FAQ for an example. + +When device mapping is active, you can see the loop backing file in the +status command output. Also see losetup(8). 
+ +=== LUKS2 header locking + +The LUKS2 on-disk metadata is updated in several steps and to achieve +proper atomic update, there is a locking mechanism. For an image in +file, code uses *flock(2)* system call. For a block device, lock is +performed over a special file stored in a locking directory (by default +*/run/cryptsetup*). The locking directory should be created with the +proper security context by the distribution during the boot-up phase. +Only LUKS2 uses locks, other formats do not use this mechanism. + +=== LUKS on-disk format specification + +For LUKS on-disk metadata specification see +https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification[*LUKS1*] and +https://gitlab.com/cryptsetup/LUKS2-docs[*LUKS2*]. + +== AUTHORS + +Cryptsetup is originally written by mailto:jana@saout.de[Jana Saout]. + +The LUKS extensions and original man page were written by +mailto:clemens@endorphin.org[Clemens Fruhwirth]. + +Man page extensions by mailto:gmazyland@gmail.com[Milan Broz]. + +Man page rewrite and extension by mailto:arno@wagner.name[Arno Wagner]. + +include::man/common_footer.adoc[] diff --git a/man/integritysetup.8 b/man/integritysetup.8 deleted file mode 100644 index efe8f4d..0000000 --- a/man/integritysetup.8 +++ /dev/null 
@@ -1,270 +0,0 @@
-.TH INTEGRITYSETUP "8" "January 2021" "integritysetup" "Maintenance Commands"
-.SH NAME
-integritysetup - manage dm-integrity (block level integrity) volumes
-.SH SYNOPSIS
-.B integritysetup <options> <action> <action args>
-.SH DESCRIPTION
-.PP
-Integritysetup is used to configure dm-integrity managed device-mapper mappings.
-
-Device-mapper integrity target provides read-write transparent integrity
-checking of block devices. The dm-integrity target emulates additional data
-integrity field per-sector. You can use this additional field directly
-with integritysetup utility, or indirectly (for authenticated encryption)
-through cryptsetup.
-
-Integritysetup supports these operations:
-.PP
-\fIformat\fR <device>
-.IP
-Formats <device> (calculates space and dm-integrity superblock and wipes the device).
-
-\fB<options>\fR can be [\-\-data\-device, \-\-batch\-mode, \-\-no\-wipe, \-\-journal\-size,
-\-\-interleave\-sectors, \-\-tag\-size, \-\-integrity, \-\-integrity\-key\-size,
-\-\-integrity\-key\-file, \-\-sector\-size, \-\-progress-frequency]
-
-.PP
-\fIopen\fR <device> <name>
-.br
-\fIcreate\fR <name> <device> (\fBOBSOLETE syntax\fR)
-.IP
-Open a mapping with <name> backed by device <device>.
-
-\fB<options>\fR can be [\-\-data\-device, \-\-batch\-mode, \-\-journal\-watermark,
-\-\-journal\-commit\-time, \-\-buffer\-sectors, \-\-integrity, \-\-integrity\-key\-size,
-\-\-integrity\-key\-file, \-\-integrity\-no\-journal, \-\-integrity\-recalculate,
-\-\-integrity\-recalculate-reset,\-\-integrity\-recovery\-mode, \-\-allow\-discards]
-
-.PP
-\fIclose\fR <name>
-.IP
-Removes existing mapping <name>.
-
-For backward compatibility, there is \fBremove\fR command alias
-for the \fBclose\fR command.
-
-\fB<options>\fR can be [\-\-deferred] or [\-\-cancel\-deferred]
-
-.PP
-\fIstatus\fR <name>
-.IP
-Reports status for the active integrity mapping <name>.
-.PP
-\fIdump\fR <device>
-.IP
-Reports parameters from on-disk stored superblock.
-
-.SH OPTIONS
-.TP
-.B "\-\-verbose, \-v"
-Print more information on command execution.
-.TP
-.B "\-\-debug"
-Run in debug mode with full diagnostic logs. Debug output
-lines are always prefixed by '#'.
-.TP
-.B "\-\-version"
-Show the program version.
-.TP
-.B "\-\-batch\-mode"
-Do not ask for confirmation.
-.TP
-.B "\-\-progress-frequency <seconds>"
-Print separate line every <seconds> with wipe progress.
-.TP
-.B "\-\-no\-wipe"
-Do not wipe the device after format. A device that is not initially wiped will contain invalid checksums.
-.TP
-.B "\-\-journal\-size, \-j BYTES"
-Size of the journal.
-.TP
-.B "\-\-interleave\-sectors SECTORS"
-The number of interleaved sectors.
-.TP
-.B "\-\-integrity\-recalculate"
-Automatically recalculate integrity tags in kernel on activation.
-The device can be used during automatic integrity recalculation but becomes fully
-integrity protected only after the background operation is finished.
-This option is available since the Linux kernel version 4.19.
-.TP
-.B "\-\-integrity\-recalculate\-reset"
-Restart recalculation from the beginning of the device.
-It can be used to change the integrity checksum function.
-Note it does not change the tag length.
-This option is available since the Linux kernel version 5.13.
-.TP
-.B "\-\-journal\-watermark PERCENT"
-Journal watermark in percents. When the size of the journal exceeds this watermark,
-the journal flush will be started.
-.TP
-.B "\-\-journal\-commit\-time MS"
-Commit time in milliseconds. When this time passes (and no explicit flush operation was issued),
-the journal is written.
-.TP
-.B "\-\-tag\-size, \-t BYTES"
-Size of the integrity tag per-sector (here the integrity function will store authentication tag).
-
-\fBNOTE:\fR The size can be smaller that output size of the hash function, in that case only
-part of the hash will be stored.
-.TP
-.B "\-\-data\-device"
-Specify a separate data device that contains existing data. The <device> then will contain
-calculated integrity tags and journal for this data device.
-.TP
-.B "\-\-sector\-size, \-s BYTES"
-Sector size (power of two: 512, 1024, 2048, 4096).
-.TP
-.B "\-\-buffer\-sectors SECTORS"
-The number of sectors in one buffer.
-
-The tag area is accessed using buffers, the large buffer size means that the I/O size will
-be larger, but there could be less I/Os issued.
-.TP
-.B "\-\-integrity, \-I ALGORITHM"
-Use internal integrity calculation (standalone mode).
-The integrity algorithm can be CRC (crc32c/crc32) or hash function (sha1, sha256).
-
-For HMAC (hmac-sha256) you have also to specify an integrity key and its size.
-.TP
-.B "\-\-integrity\-key\-size BYTES"
-The size of the data integrity key. Maximum is 4096 bytes.
-.TP
-.B "\-\-integrity\-key\-file FILE"
-The file with the integrity key.
-.TP
-.B "\-\-integrity\-no\-journal, \-D"
-Disable journal for integrity device.
-.TP
-.B "\-\-integrity\-bitmap\-mode. \-B"
-Use alternate bitmap mode (available since Linux kernel 5.2) where dm-integrity uses bitmap
-instead of a journal. If a bit in the bitmap is 1, the corresponding region's data and integrity tags
-are not synchronized - if the machine crashes, the unsynchronized regions will be recalculated.
-The bitmap mode is faster than the journal mode, because we don't have to write the data
-twice, but it is also less reliable, because if data corruption happens
-when the machine crashes, it may not be detected.
-.TP
-.B "\-\-bitmap\-sectors\-per\-bit SECTORS"
-Number of 512-byte sectors per bitmap bit, the value must be power of two.
-.TP
-.B "\-\-bitmap\-flush\-time MS"
-Bitmap flush time in milliseconds.
-.TP
-
-\fBWARNING:\fR
-In case of a crash, it is possible that the data and integrity tag doesn't match
-if the journal is disabled.
-.TP
-.B "\-\-integrity\-recovery\-mode. \-R"
-Recovery mode (no journal, no tag checking).
-.TP
-
-\fBNOTE:\fR The following options are intended for testing purposes only.
-Using journal encryption does not make sense without encryption the data,
-these options are internally used in authenticated disk encryption with \fBcryptsetup(8)\fR.
-.TP
-.B "\-\-journal\-integrity ALGORITHM"
-Integrity algorithm for journal area.
-See \-\-integrity option for detailed specification.
-.TP
-.B "\-\-journal\-integrity\-key\-size BYTES"
-The size of the journal integrity key. Maximum is 4096 bytes.
-.TP
-.B "\-\-journal\-integrity\-key\-file FILE"
-The file with the integrity key.
-.TP
-.B "\-\-journal\-crypt ALGORITHM"
-Encryption algorithm for journal data area.
-You can use a block cipher here such as cbc-aes or
-a stream cipher, for example, chacha20 or ctr-aes.
-.TP
-.B "\-\-journal\-crypt\-key\-size BYTES"
-The size of the journal encryption key. Maximum is 4096 bytes.
-.TP
-.B "\-\-journal\-crypt\-key\-file FILE"
-The file with the journal encryption key.
-.TP
-.B "\-\-allow\-discards\fR"
-Allow the use of discard (TRIM) requests for the device.
-This option is available since the Linux kernel version 5.7.
-.TP
-.B "\-\-deferred"
-Defers device removal in \fIclose\fR command until the last user closes it.
-.TP
-.B "\-\-cancel\-deferred"
-Removes a previously configured deferred device removal in \fIclose\fR command.
-.TP
-The dm-integrity target is available since Linux kernel version 4.12.
-.TP
-\fBNOTE:\fR
-Format and activation of an integrity device always require superuser
-privilege because the superblock is calculated and handled in dm-integrity kernel target.
-
-.SH LEGACY COMPATIBILITY OPTIONS
-.TP
-\fBWARNING:\fR
-Do not use these options until you need compatibility with specific old kernel.
-.TP
-.B "\-\-integrity\-legacy\-padding"
-Use inefficient legacy padding.
-.TP
-.B "\-\-integrity\-legacy\-hmac"
-Use old flawed HMAC calclation (also does not protect superblock).
-.TP
-.B "\-\-integrity\-legacy\-recalculate"
-Allow insecure recalculating of volumes with HMAC keys (recalcualtion offset in superblock
-is not protected).
-
-.SH RETURN CODES
-Integritysetup returns 0 on success and a non-zero value on error.
-
-Error codes are:
- 1 wrong parameters
- 2 no permission
- 3 out of memory
- 4 wrong device specified
- 5 device already exists, or device is busy.
-
-.SH EXAMPLES
-Format the device with default standalone mode (CRC32C):
-
-.B "integritysetup format <device>"
-
-Open the device with default parameters:
-
-.B "integritysetup open <device> test"
-
-Format the device in standalone mode for use with HMAC(SHA256):
-
-.B "integritysetup format <device> \-\-tag\-size 32 \-\-integrity hmac\-sha256 \
-\-\-integrity\-key\-file <keyfile> \-\-integrity\-key\-size <key_bytes>"
-
-Open (activate) the device with HMAC(SHA256) and HMAC key in file:
-
-.B "integritysetup open <device> test \-\-integrity hmac\-sha256 \
-\-\-integrity\-key\-file <keyfile> \-\-integrity\-key\-size <key_bytes>"
-
-Dump dm-integrity superblock information:
-
-.B "integritysetup dump <device>"
-
-.SH REPORTING BUGS
-Report bugs, including ones in the documentation, on
-the cryptsetup mailing list at <dm-crypt@saout.de>
-or in the 'Issues' section on LUKS website.
-Please attach the output of the failed command with the
-\-\-debug option added.
-.SH AUTHORS
-The integritysetup tool is written by Milan Broz <gmazyland@gmail.com>
-and is part of the cryptsetup project.
-.SH COPYRIGHT
-Copyright \(co 2016-2021 Red Hat, Inc.
-.br
-Copyright \(co 2016-2021 Milan Broz
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-.SH SEE ALSO
-The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR
-
-The integrity on-disk format specification available at
-\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity\fR
diff --git a/man/integritysetup.8.adoc b/man/integritysetup.8.adoc
new file mode 100644
index 0000000..2aec1a6
--- /dev/null
+++ b/man/integritysetup.8.adoc
@@ -0,0 +1,334 @@ += integritysetup(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: integritysetup {release-version} +:man-linkstyle: pass:[blue R < >] + +== NAME + +integritysetup - manage dm-integrity (block level integrity) volumes + +== SYNOPSIS + +*integritysetup <action> [<options>] <action args>* + +== DESCRIPTION + +Integritysetup is used to configure dm-integrity managed device-mapper +mappings. + +Device-mapper integrity target provides read-write transparent integrity +checking of block devices. The dm-integrity target emulates an additional +data integrity field per-sector. You can use this additional field +directly with integritysetup utility, or indirectly (for authenticated +encryption) through cryptsetup. + +== BASIC ACTIONS + +Integritysetup supports these operations: + +=== FORMAT +*format <device>* + +Formats <device> (calculates space and dm-integrity superblock and wipes +the device). + +*<options>* can be [--data-device, --batch-mode, --no-wipe, +--journal-size, --interleave-sectors, --tag-size, --integrity, +--integrity-key-size, --integrity-key-file, --sector-size, +--progress-frequency, --progress-json]. + +=== OPEN +*open <device> <name>* + +create <name> <device> (*OBSOLETE syntax*) + +Open a mapping with <name> backed by device <device>. + +*<options>* can be [--data-device, --batch-mode, --journal-watermark, +--journal-commit-time, --buffer-sectors, --integrity, +--integrity-key-size, --integrity-key-file, --integrity-no-journal, +--integrity-recalculate, +--integrity-recalculate-reset,--integrity-recovery-mode, +--allow-discards]. + +=== CLOSE +*close <name>* + +remove <name> (*OBSOLETE syntax*) + +Removes existing mapping <name>. + +*<options>* can be [--deferred] or [--cancel-deferred] + +=== STATUS +*status <name>* + +Reports status for the active integrity mapping <name>. + +=== DUMP +*dump <device>* + +Reports parameters from on-disk stored superblock. 
+ +=== RESIZE +*resize <name>* + +Resizes an active mapping <name>. + +If --size (in 512-bytes sectors) or --device-size are not specified, the +size is computed from the underlying device. After resize, the +*recalculating* flag is set. If --wipe flag is set and the size of the +device is increased, the newly added section will be wiped. + +Increasing the size of integrity volumes is available since the Linux +kernel version 5.7, shrinking should work on older kernels too. + +*<options>* can be [--size, --device-size, --wipe]. + +== OPTIONS +*--progress-frequency <seconds>*:: +Print separate line every <seconds> with wipe progress. + +*--progress-json*:: +Prints wipe progress data in json format suitable mostly for machine +processing. It prints separate line every half second (or based on +--progress-frequency value). The JSON output looks as follows during +wipe progress (except it's compact single line): ++ +.... +{ + "device":"/dev/sda" // backing device or file + "device_bytes":"8192", // bytes wiped so far + "device_size":"44040192", // total bytes to wipe + "speed":"126877696", // calculated speed in bytes per second (based on progress so far) + "eta_ms":"2520012" // estimated time to finish wipe in milliseconds + "time_ms":"5561235" // total time spent wiping device in milliseconds +} +.... ++ +Note on numbers in JSON output: Due to JSON parsers limitations all +numbers are represented in a string format due to need of full 64bit +unsigned integers. + +*--no-wipe*:: +Do not wipe the device after format. A device that is not initially +wiped will contain invalid checksums. + +*--wipe*:: +Wipe the newly allocated area after resize to bigger size. If this +flag is not set, checksums will be calculated for the data previously +stored in the newly allocated area. + +*--journal-size, -j BYTES*:: +Size of the journal. + +*--interleave-sectors SECTORS*:: +The number of interleaved sectors. 
+ +*--integrity-recalculate*:: +Automatically recalculate integrity tags in kernel on activation. The +device can be used during automatic integrity recalculation but +becomes fully integrity protected only after the background operation +is finished. This option is available since the Linux kernel version +4.19. + +*--integrity-recalculate-reset*:: +Restart recalculation from the beginning of the device. It can be used +to change the integrity checksum function. Note it does not change the +tag length. This option is available since the Linux kernel version +5.13. + +*--journal-watermark PERCENT*:: +Journal watermark in percents. When the size of the journal exceeds +this watermark, the journal flush will be started. + +*--journal-commit-time MS*:: +Commit time in milliseconds. When this time passes (and no explicit +flush operation was issued), the journal is written. + +*--tag-size, -t BYTES*:: +Size of the integrity tag per-sector (here the integrity function will +store authentication tag). ++ +*NOTE:* The size can be smaller that output size of the hash function, +in that case only part of the hash will be stored. + +*--data-device <data_device>*:: +Specify a separate data device that contains existing data. The +<device> then will contain calculated integrity tags and journal for +data on <data_device>. ++ +*NOTE:* To not wipe the data device after initial format, also specify +--no-wipe option and activate with --integrity-recalculate to +automatically recalculate integrity tags. + +*--sector-size, -s BYTES*:: +Sector size (power of two: 512, 1024, 2048, 4096). + +*--buffer-sectors SECTORS*:: +The number of sectors in one buffer. ++ +The tag area is accessed using buffers, the large buffer size means that +the I/O size will be larger, but there could be less I/Os issued. + +*--integrity, -I ALGORITHM*:: +Use internal integrity calculation (standalone mode). 
The integrity +algorithm can be CRC (crc32c/crc32), non-cryptographic hash function +(xxhash64) or hash function (sha1, sha256). ++ +For HMAC (hmac-sha256) you have also to specify an integrity key and its +size. + +*--integrity-key-size BYTES*:: +The size of the data integrity key. Maximum is 4096 bytes. + +*--integrity-key-file FILE*:: +The file with the integrity key. + +*--integrity-no-journal, -D*:: +Disable journal for integrity device. + +*--integrity-bitmap-mode. -B*:: +Use alternate bitmap mode (available since Linux kernel 5.2) where +dm-integrity uses bitmap instead of a journal. If a bit in the bitmap +is 1, the corresponding region's data and integrity tags are not +synchronized - if the machine crashes, the unsynchronized regions will +be recalculated. The bitmap mode is faster than the journal mode, +because we don't have to write the data twice, but it is also less +reliable, because if data corruption happens when the machine crashes, +it may not be detected. + +*--bitmap-sectors-per-bit SECTORS*:: +Number of 512-byte sectors per bitmap bit, the value must be power of +two. + +*--bitmap-flush-time MS*:: +Bitmap flush time in milliseconds. ++ +*WARNING:*:: +In case of a crash, it is possible that the data and integrity tag +doesn't match if the journal is disabled. + +*--integrity-recovery-mode. -R*:: +Recovery mode (no journal, no tag checking). + +*NOTE:* The following options are intended for testing purposes only.: +Using journal encryption does not make sense without encryption the +data, these options are internally used in authenticated disk +encryption with *cryptsetup(8)*. + +*--journal-integrity ALGORITHM*:: +Integrity algorithm for journal area. See --integrity option for +detailed specification. + +*--journal-integrity-key-size BYTES*:: +The size of the journal integrity key. Maximum is 4096 bytes. + +*--journal-integrity-key-file FILE*:: +The file with the integrity key. 
+ +*--journal-crypt ALGORITHM*:: +Encryption algorithm for journal data area. You can use a block cipher +here such as cbc-aes or a stream cipher, for example, chacha20 or +ctr-aes. + +*--journal-crypt-key-size BYTES*:: +The size of the journal encryption key. Maximum is 4096 bytes. + +*--journal-crypt-key-file FILE*:: +The file with the journal encryption key. + +*--allow-discards*:: +Allow the use of discard (TRIM) requests for the device. This option +is available since the Linux kernel version 5.7. + +*--deferred*:: +Defers device removal in *close* command until the last user closes +it. + +*--cancel-deferred*:: +Removes a previously configured deferred device removal in *close* +command. + +*--verbose, -v*:: +Print more information on command execution. + +*--debug*:: +Run in debug mode with full diagnostic logs. Debug output lines are +always prefixed by *#*. + +*--version, -V*:: +Show the program version. + +*--batch-mode, -q*:: +Do not ask for confirmation. + +*--usage*:: +Show short option help. + +*--help, -?*:: +Show help text and default parameters. + +== LEGACY COMPATIBILITY OPTIONS + +*WARNING:*:: +Do not use these options until you need compatibility with specific +old kernel. + +*--integrity-legacy-padding*:: +Use inefficient legacy padding. + +*--integrity-legacy-hmac*:: +Use old flawed HMAC calculation (also does not protect superblock). + +*--integrity-legacy-recalculate*:: +Allow insecure recalculating of volumes with HMAC keys (recalculation +offset in superblock is not protected). + +== RETURN CODES + +Integritysetup returns *0* on success and a non-zero value on error. + +Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, +*4* wrong device specified, *5* device already exists or device is busy. + +== NOTES +The dm-integrity target is available since Linux kernel version 4.12. 
+ +Format and activation of an integrity device always require superuser +privilege because the superblock is calculated and handled in +dm-integrity kernel target. + +== EXAMPLES + +Format the device with default standalone mode (CRC32C): + +*integritysetup format <device>* + +Open the device with default parameters: + +*integritysetup open <device> test* + +Format the device in standalone mode for use with HMAC(SHA256): + +*integritysetup format <device> --tag-size 32 --integrity hmac-sha256 +--integrity-key-file <keyfile> --integrity-key-size <key_bytes>* + +Open (activate) the device with HMAC(SHA256) and HMAC key in file: + +*integritysetup open <device> test --integrity hmac-sha256 +--integrity-key-file <keyfile> --integrity-key-size <key_bytes>* + +Dump dm-integrity superblock information: + +*integritysetup dump <device>* + +== DM-INTEGRITY ON-DISK FORMAT + +The on-disk format specification available at +https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[*DMIntegrity*] page. + +== AUTHORS + +The integritysetup tool is written by mailto:gmazyland@gmail.com[Milan Broz]. + +include::man/common_footer.adoc[] diff --git a/man/veritysetup.8 b/man/veritysetup.8 deleted file mode 100644 index 0013b96..0000000 --- a/man/veritysetup.8 +++ /dev/null 
@@ -1,278 +0,0 @@ -.TH VERITYSETUP "8" "January 2021" "veritysetup" "Maintenance Commands" -.SH NAME -veritysetup - manage dm-verity (block level verification) volumes -.SH SYNOPSIS -.B veritysetup <options> <action> <action args> -.SH DESCRIPTION -.PP -Veritysetup is used to configure dm-verity managed device-mapper mappings. - -Device-mapper verity target provides read-only transparent integrity -checking of block devices using kernel crypto API. - -The dm-verity devices are always read-only. - -Veritysetup supports these operations: -.PP -\fIformat\fR <data_device> <hash_device> -.IP -Calculates and permanently stores hash verification data for data_device. -Hash area can be located on the same device after data if specified -by \-\-hash\-offset option. - -Note you need to provide root hash string for device verification -or activation. Root hash must be trusted. - -The data or hash device argument can be block device or file image. -If hash device path doesn't exist, it will be created as file. - -\fB<options>\fR can be [\-\-hash, \-\-no-superblock, \-\-format, -\-\-data-block-size, \-\-hash-block-size, \-\-data-blocks, \-\-hash-offset, -\-\-salt, \-\-uuid, \-\-root-hash-file] - -If option \-\-root-hash-file is used, the root hash is stored in hex-encoded text -format in <path>. -.PP -\fIopen\fR <data_device> <name> <hash_device> <root_hash> -.br -\fIopen\fR <data_device> <name> <hash_device> \-\-root-hash-file <path> -.br -\fIcreate\fR <name> <data_device> <hash_device> <root_hash> (\fBOBSOLETE syntax\fR) -.IP -Creates a mapping with <name> backed by device <data_device> and using -<hash_device> for in-kernel verification. - -The <root_hash> is a hexadecimal string. 
- -\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock, -\-\-ignore-corruption or \-\-restart-on-corruption, \-\-panic-on-corruption, -\-\-ignore-zero-blocks, \-\-check-at-most-once, \-\-root-hash-signature, -\-\-root-hash-file] - -If option \-\-root-hash-file is used, the root hash is read from <path> instead -of from the command line parameter. Expects hex-encoded text, without terminating -newline. - -If option \-\-no-superblock is used, you have to use as the same options -as in initial format operation. -.PP -\fIverify\fR <data_device> <hash_device> <root_hash> -.br -\fIverify\fR <data_device> <hash_device> \-\-root-hash-file <path> -.IP -Verifies data on data_device with use of hash blocks stored on hash_device. - -This command performs userspace verification, no kernel device is created. - -The <root_hash> is a hexadecimal string. - -If option \-\-root-hash-file is used, the root hash is read from <path> instead -of from the command line parameter. Expects hex-encoded text, without terminating -newline. - -\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock, \-\-root-hash-file] - -If option \-\-no-superblock is used, you have to use as the same options -as in initial format operation. -.PP -\fIclose\fR <name> -.IP -Removes existing mapping <name>. - -For backward compatibility there is \fBremove\fR command alias -for \fBclose\fR command. - -\fB<options>\fR can be [\-\-deferred] or [\-\-cancel\-deferred] - -.PP -\fIstatus\fR <name> -.IP -Reports status for the active verity mapping <name>. -.PP -\fIdump\fR <hash_device> -.IP -Reports parameters of verity device from on-disk stored superblock. - -\fB<options>\fR can be [\-\-hash-offset] -.SH OPTIONS -.TP -.B "\-\-verbose, \-v" -Print more information on command execution. -.TP -.B "\-\-debug" -Run in debug mode with full diagnostic logs. Debug output -lines are always prefixed by '#'. -.TP -.B "\-\-no-superblock" -Create or use dm-verity without permanent on-disk superblock. 
-.TP -.B "\-\-format=number" -Specifies the hash version type. -Format type 0 is original Chrome OS version. Format type 1 is current version. -.TP -.B "\-\-data-block-size=bytes" -Used block size for the data device. -(Note kernel supports only page-size as maximum here.) -.TP -.B "\-\-hash-block-size=bytes" -Used block size for the hash device. -(Note kernel supports only page-size as maximum here.) -.TP -.B "\-\-data-blocks=blocks" -Size of data device used in verification. -If not specified, the whole device is used. -.TP -.B "\-\-hash-offset=bytes" -Offset of hash area/superblock on hash_device. -Value must be aligned to disk sector offset. -.TP -.B "\-\-salt=hex string" -Salt used for format or verification. -Format is a hexadecimal string. -.TP -.B "\-\-uuid=UUID" -Use the provided UUID for format command instead of generating new one. - -The UUID must be provided in standard UUID format, -e.g. 12345678-1234-1234-1234-123456789abc. -.TP -.B "\-\-ignore-corruption", "\-\-restart-on-corruption", "\-\-panic-on-corruption" -Defines what to do if data integrity problem is detected (data corruption). - -Without these options kernel fails the IO operation with I/O error. -With \-\-ignore-corruption option the corruption is only logged. -With \-\-restart-on-corruption or \-\-panic-on-corruption the kernel -is restarted (panicked) immediately. -(You have to provide way how to avoid restart loops.) - -\fBWARNING:\fR Use these options only for very specific cases. -These options are available since Linux kernel version 4.1. -.TP -.B "\-\-ignore-zero-blocks" -Instruct kernel to not verify blocks that are expected to contain zeroes -and always directly return zeroes instead. - -\fBWARNING:\fR Use this option only in very specific cases. -This option is available since Linux kernel version 4.5. -.TP -.B "\-\-check-at-most-once" -Instruct kernel to verify blocks only the first time they are read -from the data device, rather than every time. 
- -\fBWARNING:\fR It provides a reduced level of security because only -offline tampering of the data device's content will be detected, -not online tampering. -This option is available since Linux kernel version 4.17. -.TP -.B "\-\-hash=hash" -Hash algorithm for dm-verity. For default see \-\-help option. -.TP -.B "\-\-version" -Show the program version. -.TP -.B "\-\-fec-device=fec_device" -Use forward error correction (FEC) to recover from corruption if hash verification fails. -Use encoding data from the specified device. - -The fec device argument can be block device or file image. -For format, if fec device path doesn't exist, it will be created as file. - -Block sizes for data and hash devices must match. -Also, if the verity data_device is encrypted the fec_device should be too. - -FEC calculation covers data, hash area, and optional foreign metadata stored on the same -device with the hash tree (additional space after hash area). -Size of this optional additional area protected by FEC is calculated from image sizes, -so you must be sure that you use the same images for activation. - -If the hash device is in a separate image, metadata covers the whole rest of the image after the hash area. - -If hash and FEC device is in the image, metadata ends on the FEC area offset. - -.TP -.B "\-\-fec-offset=bytes" -This is the offset, in bytes, from the start of the FEC device to the beginning of the encoding data. -.TP -.B "\-\-fec-roots=num" -Number of generator roots. This equals to the number of parity bytes in the encoding data. -In RS(M, N) encoding, the number of roots is M-N. M is 255 and M-N is between 2 and 24 (including). -.TP -.B "\-\-root-hash-file=FILE" -Path to file with stored root hash in hex-encoded text. -.TP -.B "\-\-root-hash-signature=FILE" -Path to roothash signature file used to verify the root hash (in kernel). -This feature requires Linux kernel version 5.4 or more recent. 
-.TP -.B "\-\-deferred" -Defers device removal in \fIclose\fR command until the last user closes it. -.TP -.B "\-\-cancel\-deferred" -Removes a previously configured deferred device removal in \fIclose\fR command. -.TP -.SH RETURN CODES -Veritysetup returns 0 on success and a non-zero value on error. - -Error codes are: - 1 wrong parameters - 2 no permission - 3 out of memory - 4 wrong device specified - 5 device already exists or device is busy. - -.SH EXAMPLES -.B "veritysetup \-\-data-blocks=256 format <data_device> <hash_device>" - -Calculates and stores verification data on hash_device for the first 256 blocks (of block-size). -If hash_device does not exist, it is created (as file image). - -.B "veritysetup format --root-hash-file <path> <data_device> <hash_device>" - -Calculates and stores verification data on hash_device for the whole data_device, and store the -root hash as hex-encoded text in <path>. - -.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 format <device> <device>" - -Verification data (hashes) is stored on the same device as data (starting at hash-offset). -Hash-offset must be greater than number of blocks in data-area. - -.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 create test-device <device> <device> <root_hash>" - -Activates the verity device named test-device. Options \-\-data-blocks and \-\-hash-offset are the same -as in the format command. The <root_hash> was calculated in format command. - -.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 verify <data_device> <hash_device> <root_hash>" - -Verifies device without activation (in userspace). - -.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 --root-hash-file <path> verify <data_device> <hash_device>" - -Verifies device without activation (in userspace). Root hash passed via a file rather than inline. 
- -.B "veritysetup \-\-fec-device=<fec_device> \-\-fec-roots=10 format <data_device> <hash_device>" - -Calculates and stores verification and encoding data for data_device. - -.SH REPORTING BUGS -Report bugs, including ones in the documentation, on -the cryptsetup mailing list at <dm-crypt@saout.de> -or in the 'Issues' section on LUKS website. -Please attach the output of the failed command with the -\-\-debug option added. -.SH AUTHORS -The first implementation of veritysetup was written by Chrome OS authors. - -This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com> -and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>. -.SH COPYRIGHT -Copyright \(co 2012-2021 Red Hat, Inc. -.br -Copyright \(co 2012-2021 Milan Broz - -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -.SH SEE ALSO -The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR - -The verity on-disk format specification available at -\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity\fR diff --git a/man/veritysetup.8.adoc b/man/veritysetup.8.adoc new file mode 100644 index 0000000..36d1501 --- /dev/null +++ b/man/veritysetup.8.adoc 
@@ -0,0 +1,311 @@ += veritysetup(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: veritysetup {release-version} +:man-linkstyle: pass:[blue R < >] + +== NAME + +veritysetup - manage dm-verity (block level verification) volumes + +== SYNOPSIS + +*veritysetup <action> [<options>] <action args>* + +== DESCRIPTION + +Veritysetup is used to configure dm-verity managed device-mapper +mappings. + +Device-mapper verity target provides read-only transparent integrity +checking of block devices using kernel crypto API. + +The dm-verity devices are always read-only. + +== BASIC ACTIONS + +Veritysetup supports these operations: + +=== FORMAT +*format <data_device> <hash_device>* + +Calculates and permanently stores hash verification data for +data_device. Hash area can be located on the same device after data if +specified by --hash-offset option. + +Note you need to provide root hash string for device verification or +activation. Root hash must be trusted. + +The data or hash device argument can be block device or file image. If +hash device path doesn't exist, it will be created as file. + +*<options>* can be [--hash, --no-superblock, --format, +--data-block-size, --hash-block-size, --data-blocks, --hash-offset, +--salt, --uuid, --root-hash-file]. + +If option --root-hash-file is used, the root hash is stored in +hex-encoded text format in <path>. + +=== OPEN +*open <data_device> <name> <hash_device> <root_hash>* + +*open <data_device> <name> <hash_device> --root-hash-file <path>* + +create <name> <data_device> <hash_device> <root_hash> (*OBSOLETE syntax*) + +Creates a mapping with <name> backed by device <data_device> and using +<hash_device> for in-kernel verification. + +The <root_hash> is a hexadecimal string. + +*<options>* can be [--hash-offset, --no-superblock, --ignore-corruption +or --restart-on-corruption, --panic-on-corruption, --ignore-zero-blocks, +--check-at-most-once, --root-hash-signature, --root-hash-file, --use-tasklets]. 
+ +If option --root-hash-file is used, the root hash is read from <path> +instead of from the command line parameter. Expects hex-encoded text, +without terminating newline. + +If option --no-superblock is used, you have to use as the same options +as in initial format operation. + +=== VERIFY +*verify <data_device> <hash_device> <root_hash>* + +*verify <data_device> <hash_device> --root-hash-file <path>* + +Verifies data on data_device with use of hash blocks stored on +hash_device. + +This command performs userspace verification, no kernel device is +created. + +The <root_hash> is a hexadecimal string. + +If option --root-hash-file is used, the root hash is read from <path> +instead of from the command line parameter. Expects hex-encoded text, +without terminating newline. + +*<options>* can be [--hash-offset, --no-superblock, --root-hash-file]. + +If option --no-superblock is used, you have to use as the same options +as in initial format operation. + +=== CLOSE +*close <name>* + +remove <name> (*OBSOLETE syntax*) + +Removes existing mapping <name>. + +*<options>* can be [--deferred] or [--cancel-deferred]. + +=== STATUS +*status <name>* + +Reports status for the active verity mapping <name>. + +=== DUMP +*dump <hash_device>* + +Reports parameters of verity device from on-disk stored superblock. + +*<options>* can be [--hash-offset]. + +== OPTIONS + +*--no-superblock*:: +Create or use dm-verity without permanent on-disk superblock. + +*--format=number*:: +Specifies the hash version type. Format type 0 is original Chrome OS +version. Format type 1 is current version. + +*--data-block-size=bytes*:: +Used block size for the data device. (Note kernel supports only +page-size as maximum here.) + +*--hash-block-size=bytes*:: +Used block size for the hash device. (Note kernel supports only +page-size as maximum here.) + +*--data-blocks=blocks*:: +Size of data device used in verification. If not specified, the whole +device is used. 
+ +*--hash-offset=bytes*:: +Offset of hash area/superblock on hash_device. Value must be aligned +to disk sector offset. + +*--salt=hex string*:: +Salt used for format or verification. Format is a hexadecimal string. + +*--uuid=UUID*:: +Use the provided UUID for format command instead of generating new +one. ++ +The UUID must be provided in standard UUID format, e.g. +12345678-1234-1234-1234-123456789abc. +*--ignore-corruption , --restart-on-corruption , +--panic-on-corruption*:: +Defines what to do if data integrity problem is detected (data +corruption). ++ +Without these options kernel fails the IO operation with I/O error. With +--ignore-corruption option the corruption is only logged. With +--restart-on-corruption or --panic-on-corruption the kernel is restarted +(panicked) immediately. (You have to provide way how to avoid restart +loops.) ++ +*WARNING:* Use these options only for very specific cases. These options +are available since Linux kernel version 4.1. + +*--ignore-zero-blocks*:: +Instruct kernel to not verify blocks that are expected to contain +zeroes and always directly return zeroes instead. ++ +*WARNING:* Use this option only in very specific cases. This option is +available since Linux kernel version 4.5. + +*--check-at-most-once*:: +Instruct kernel to verify blocks only the first time they are read +from the data device, rather than every time. ++ +*WARNING:* It provides a reduced level of security because only offline +tampering of the data device's content will be detected, not online +tampering. This option is available since Linux kernel version 4.17. + +*--hash=hash*:: +Hash algorithm for dm-verity. For default see --help option. + +*--fec-device=fec_device*:: +Use forward error correction (FEC) to recover from corruption if hash +verification fails. Use encoding data from the specified device. ++ +The fec device argument can be block device or file image. For format, +if fec device path doesn't exist, it will be created as file. 
++ +Block sizes for data and hash devices must match. Also, if the verity +data_device is encrypted the fec_device should be too. ++ +FEC calculation covers data, hash area, and optional foreign metadata +stored on the same device with the hash tree (additional space after +hash area). Size of this optional additional area protected by FEC is +calculated from image sizes, so you must be sure that you use the same +images for activation. ++ +If the hash device is in a separate image, metadata covers the whole +rest of the image after the hash area. ++ +If hash and FEC device is in the image, metadata ends on the FEC area +offset. + +*--fec-offset=bytes*:: +This is the offset, in bytes, from the start of the FEC device to the +beginning of the encoding data. + +*--fec-roots=num*:: +Number of generator roots. This equals to the number of parity bytes +in the encoding data. In RS(M, N) encoding, the number of roots is +M-N. M is 255 and M-N is between 2 and 24 (including). + +*--root-hash-file=FILE*:: +Path to file with stored root hash in hex-encoded text. + +*--root-hash-signature=FILE*:: +Path to root hash signature file used to verify the root hash (in +kernel). This feature requires Linux kernel version 5.4 or more +recent. + +*--use-tasklets*:: +Try to use kernel tasklets in dm-verity driver for performance reasons. +This option is available since Linux kernel version 6.0. + +*--deferred*:: +Defers device removal in *close* command until the last user closes +it. + +*--cancel-deferred*:: +Removes a previously configured deferred device removal in *close* +command. + +*--verbose, -v*:: +Print more information on command execution. + +*--debug*:: +Run in debug mode with full diagnostic logs. Debug output lines are +always prefixed by *#*. + +*--version, -V*:: +Show the program version. + +*--batch-mode, -q*:: +Do not ask for confirmation. + +*--usage*:: +Show short option help. + +*--help, -?*:: +Show help text and default parameters. 
+ +== RETURN CODES + +Veritysetup returns *0* on success and a non-zero value on error. + +Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, +*4* wrong device specified, *5* device already exists or device is busy. + +== EXAMPLES + +*veritysetup --data-blocks=256 format <data_device> <hash_device>* + +Calculates and stores verification data on hash_device for the first 256 +blocks (of block-size). If hash_device does not exist, it is created (as +file image). + +*veritysetup format --root-hash-file <path> <data_device> <hash_device>* + +Calculates and stores verification data on hash_device for the whole +data_device, and store the root hash as hex-encoded text in <path>. + +*veritysetup --data-blocks=256 --hash-offset=1052672 format <device> +<device>* + +Verification data (hashes) is stored on the same device as data +(starting at hash-offset). Hash-offset must be greater than number of +blocks in data-area. + +*veritysetup --data-blocks=256 --hash-offset=1052672 create test-device +<device> <device> <root_hash>* + +Activates the verity device named test-device. Options --data-blocks and +--hash-offset are the same as in the format command. The <root_hash> was +calculated in format command. + +*veritysetup --data-blocks=256 --hash-offset=1052672 verify +<data_device> <hash_device> <root_hash>* + +Verifies device without activation (in userspace). + +*veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file +<path> verify <data_device> <hash_device>* + +Verifies device without activation (in userspace). Root hash passed via +a file rather than inline. + +*veritysetup --fec-device=<fec_device> --fec-roots=10 format +<data_device> <hash_device>* + +Calculates and stores verification and encoding data for data_device. + +== DM-VERITY ON-DISK SPECIFICATION + +The on-disk format specification is available at +https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity[*DMVerity*] page. 
+ +== AUTHORS + +The first implementation of veritysetup was written by Chrome OS +authors. + +This version is based on verification code written by +mailto:mpatocka@redhat.com[Mikulas Patocka] and rewritten for libcryptsetup +by mailto:gmazyland@gmail.com[Milan Broz]. + +include::man/common_footer.adoc[] diff --git a/misc/dracut_90reencrypt/README b/misc/dracut_90reencrypt/README deleted file mode 100644 index 0672949..0000000 --- a/misc/dracut_90reencrypt/README +++ /dev/null 
@@ -1,40 +0,0 @@ -Example of simple dracut module for reencryption of system -LUKS drive on-the-fly. - -Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then -build special initramfs "with dracut -a reencrypt -o crypt". -Reencrypt module doesn't work (has a conflict) with crypt module as -of now. After successful reencryption reboot using original initramfs. - -Dracut then recognize argument rd.luks.reencrypt=name:size, -e.g. rd.luks.reencrypt=sda2:52G means only 52G of device -will be reencrypted (default is whole device). -(Name is kernel name of device.) - -If there's more than single active keyslot in the target luks device -you're required to select one keyslot explicitly for reencryption via -rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that -if you use this option, all other keyslots will get deactivated in the -process. - -Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile -can be used to read password for specific keyslot from device containing -filesystem with a keyfile (file with a password). If you omit reencrypt_key -argument, reencryption would work only in case a LUKS container has -exactly one keyslot activated. - -Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not -mandatory. - -Note that reencryption context is stored in ramdisk, any -fail can mean complete lost of data! - -Copyright (C) 2012 Milan Broz <gmazyland@gmail.com> - -This copyrighted material is made available to anyone wishing to use, -modify, copy, or redistribute it subject to the terms and conditions -of the GNU General Public License v.2. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software Foundation, -Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. diff --git a/misc/dracut_90reencrypt/check.old b/misc/dracut_90reencrypt/check.old deleted file mode 100755 index 53010b3..0000000 
--- a/misc/dracut_90reencrypt/check.old +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -which cryptsetup-reencrypt >/dev/null 2>&1 || exit 1 - -exit 0 diff --git a/misc/dracut_90reencrypt/install.old b/misc/dracut_90reencrypt/install.old deleted file mode 100755 index 6e0523b..0000000 --- a/misc/dracut_90reencrypt/install.old +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -inst cryptsetup-reencrypt - -inst_hook cmdline 30 "$moddir/parse-reencrypt.sh" -inst "$moddir"/reencrypt.sh /sbin/reencrypt diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh deleted file mode 100755 index fcd7c92..0000000 --- a/misc/dracut_90reencrypt/module-setup.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash - -check() { - [ -x /sbin/cryptsetup-reencrypt ] || return 1 - return 255 -} - -depends() { - echo dm rootfs-block -} - -installkernel() { - # requires hostonly='' override so that loop module is pulled in initramfs - # even if not loaded in actual kernel. dracut bug? - hostonly='' instmods dm_crypt =crypto loop -} - -install() { - if dracut_module_included crypt; then - derror "'reencrypt' can't be installed together with 'crypt'." - derror "Add '-o crypt' option to install reencrypt module." - return 1 - fi - - dracut_install cryptsetup-reencrypt - - # moddir variable is assigned in dracut general shell lib - # shellcheck disable=SC2154 - inst_hook cmdline 30 "$moddir/parse-reencrypt.sh" - inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt - inst_simple "$moddir"/reencrypt-verbose.sh /sbin/cryptsetup-reencrypt-verbose -} diff --git a/misc/dracut_90reencrypt/parse-reencrypt.sh b/misc/dracut_90reencrypt/parse-reencrypt.sh deleted file mode 100755 index 5fec191..0000000 --- a/misc/dracut_90reencrypt/parse-reencrypt.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/sh - -REENC=$(getargs rd.luks.reencrypt=) -# shellcheck disable=SC2086 -REENC_DEV=$(echo $REENC | sed 's/:.*//') -# shellcheck disable=SC2086 -REENC_SIZE=$(echo $REENC | sed -n 's/.*://p') - -REENC_KEY=$(getargs rd.luks.reencrypt_key=) -if [ -z "$REENC_KEY" ] ; then - REENC_KEY=none -fi - -REENC_SLOT=$(getargs rd.luks.reencrypt_keyslot=) -if [ -z "$REENC_SLOT" ] ; then - REENC_SLOT=any -fi - -# shellcheck disable=SC2086 -# shellcheck disable=SC1004 -# shellcheck disable=SC2016 -if [ -n "$REENC_DEV" ] ; then -{ - printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n' - printf 'ACTION!="add|change", GOTO="reenc_end"\n' - printf 'KERNEL=="%s", ' $REENC_DEV - printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \ - --unique --onetime --settled --name crypt-reencrypt-%%k \ - /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE" - - printf 'ENV{ID_FS_UUID}=="*%s*", ' $REENC_DEV - printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \ - --unique --onetime --settled --name crypt-reencrypt-%%k \ - /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE" - printf 'LABEL="reenc_end"\n' -} > /etc/udev/rules.d/69-reencryption.rules - initqueue --unique --finished --name crypt-reencrypt-finished-${REENC_DEV} [ -e /tmp/reencrypted ] -fi diff --git a/misc/dracut_90reencrypt/reencrypt-verbose.sh b/misc/dracut_90reencrypt/reencrypt-verbose.sh deleted file mode 100755 index 109ce6e..0000000 --- a/misc/dracut_90reencrypt/reencrypt-verbose.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -# Route stdout to stderr in initrd. Otherwise output is invisible -# unless we run in debug mode. -# shellcheck disable=SC2068 -/sbin/cryptsetup-reencrypt $@ 1>&2 diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh deleted file mode 100755 index db09e64..0000000 --- a/misc/dracut_90reencrypt/reencrypt.sh +++ /dev/null 
@@ -1,84 +0,0 @@ -#!/bin/sh -# -# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]] -# - -[ -d /sys/module/dm_crypt ] || modprobe dm_crypt - -[ -d /sys/module/loop ] || modprobe loop - -[ -f /tmp/reencrypted ] && exit 0 - -. /lib/dracut-lib.sh - -# if device name is /dev/dm-X, convert to /dev/mapper/name -if [ "${1##/dev/dm-}" != "$1" ]; then - device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" -else - device="$1" -fi - -PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32" -if [ "$3" != "any" ]; then - PARAMS="$PARAMS -S $3" -fi - -if [ -n "$4" ]; then - PARAMS="$PARAMS --device-size $4" -fi - -reenc_readkey() { - keypath="${1#*:}" - keydev="${1%%:*}" - - mntp="/tmp/reencrypted-mount-tmp" - mkdir "$mntp" - mount -r "$keydev" "$mntp" && cat "$mntp/$keypath" - umount "$mntp" - rm -r "$mntp" -} - -# shellcheck disable=SC2086 -# shellcheck disable=SC2164 -reenc_run() { - cwd=$(pwd) - _prompt="LUKS password for REENCRYPTING $device" - cd /tmp - udevadm settle - if [ "$1" = "none" ] ; then - if [ "$2" != "any" ]; then - _prompt="$_prompt, using keyslot $2" - fi - /bin/plymouth ask-for-password \ - --prompt "$_prompt" \ - --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS" - else - info "REENCRYPT using key $1" - reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS - fi - _ret=$? - cd $cwd -} - -info "REENCRYPT $device requested" -# flock against other interactive activities -# shellcheck disable=SC2086 -{ flock -s 9; - reenc_run $2 $3 -} 9>/.console_lock - -if [ $_ret -eq 0 ]; then - # do not ask again - # shellcheck disable=SC2188 - >> /tmp/reencrypted - warn "Reencryption of device $device has finished successfully. Use previous" - warn "initramfs image (without reencrypt module) to boot the system. When" - warn "you leave the emergency shell, the system will reboot." 
- - emergency_shell -n "(reboot)" - [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot - [ -x /sbin/shutdown ] && /sbin/shutdown -r now -fi - -# panic the kernel otherwise -exit 1 diff --git a/misc/fedora/cryptsetup.spec b/misc/fedora/cryptsetup.spec index 0f651a3..d635d45 100644 --- a/misc/fedora/cryptsetup.spec +++ b/misc/fedora/cryptsetup.spec @@ -2,7 +2,7 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.4.0 +Version: 2.5.0 Release: 1%{?dist} License: GPLv2+ and LGPLv2+ URL: https://gitlab.com/cryptsetup/cryptsetup @@ -11,11 +11,14 @@ BuildRequires: openssl-devel, popt-devel, device-mapper-devel BuildRequires: libuuid-devel, gcc, json-c-devel, libargon2-devel BuildRequires: libpwquality-devel, libblkid-devel BuildRequires: make libssh-devel +BuildRequires: asciidoctor Requires: cryptsetup-libs = %{version}-%{release} Requires: libpwquality >= 1.2.0 +Obsoletes: %{name}-reencrypt <= %{version} +Provides: %{name}-reencrypt = %{version} %global upstream_version %{version_no_tilde} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-%{upstream_version}.tar.xz %description The cryptsetup package contains a utility for setting up 
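Review bot: The `Source0` line now points at the v2.5 directory on kernel.org, yet neither this hunk nor the `%prep` context in the following hunk, which runs only `%autosetup`, shows a detached signature being listed or checked, so the build appears to accept whatever archive the download yields. I would list the upstream signature and the signing keyring as extra sources and run the Fedora `%{gpgverify}` macro ahead of `%autosetup`, as sketched below with placeholders for the two values the page does not give. kernel.org signatures normally cover the uncompressed tar, so the data argument may need a decompression step; confirm against the published signature file. The spec lines between the hunks are not visible here, so check the full file for an existing verification step first.

```spec
# placeholders: substitute the real upstream signature URL and keyring file
Source1:        <UPSTREAM_SIGNATURE_URL>
Source2:        <UPSTREAM_KEYRING_FILE>
BuildRequires:  gnupg2

# … unchanged: package metadata, descriptions …

%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -n cryptsetup-%{upstream_version} -p 1
```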
@@ -59,20 +62,15 @@ Requires: cryptsetup-libs = %{version}-%{release} The integritysetup package contains a utility for setting up disk integrity protection using dm-integrity kernel module. -%package reencrypt -Summary: A utility for offline reencryption of LUKS encrypted disks -Requires: cryptsetup-libs = %{version}-%{release} - -%description reencrypt -This package contains cryptsetup-reencrypt utility which -can be used for offline reencryption of disk in situ. - %prep %autosetup -n cryptsetup-%{upstream_version} -p 1 %build +# force regeneration of manual pages from AsciiDoc +rm -f man/*.8 + ./autogen.sh -%configure --enable-fips --enable-pwquality --enable-libargon2 +%configure --enable-fips --enable-pwquality --enable-libargon2 --enable-asciidoc %make_build %install @@ -86,8 +84,9 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la %files %license COPYING -%doc AUTHORS FAQ docs/*ReleaseNotes +%doc AUTHORS FAQ.md docs/*ReleaseNotes %{_mandir}/man8/cryptsetup.8.gz +%{_mandir}/man8/cryptsetup-*.8.gz %{_sbindir}/cryptsetup %files -n veritysetup @@ -100,11 +99,6 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la %{_mandir}/man8/integritysetup.8.gz %{_sbindir}/integritysetup -%files reencrypt -%license COPYING -%{_mandir}/man8/cryptsetup-reencrypt.8.gz -%{_sbindir}/cryptsetup-reencrypt - %files devel %doc docs/examples/* %{_includedir}/libcryptsetup.h diff --git a/misc/keyslot_checker/chk_luks_keyslots.c b/misc/keyslot_checker/chk_luks_keyslots.c index d05aad8..308b002 100644 --- a/misc/keyslot_checker/chk_luks_keyslots.c +++ b/misc/keyslot_checker/chk_luks_keyslots.c @@ -45,7 +45,7 @@ const char *help = "\n" "This tool checks all keyslots of a LUKS device for \n" "low entropy sections. If any are found, they are reported. \n" -"This allows to find areas damaged by things like filesystem \n" +"This allows one to find areas damaged by things like filesystem \n" "creation or RAID superblocks. \n" "\n" "Options: \n" 
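Review bot: The added `rm -f man/*.8` sits in `%build`, whereas changes to the unpacked source tree conventionally go in `%prep`, which keeps `%build` limited to the configure and compile steps. I would move the comment and the command to directly after `%autosetup -n cryptsetup-%{upstream_version} -p 1`. With the shipped man pages deleted and `--enable-asciidoc` now passed to `%configure`, a missing or failing asciidoctor should stop the build rather than produce a package without manuals. The `%files` man-page entries in the next hunk look like they would catch that, but this is inferred from the hunk context only.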
diff --git a/po/LINGUAS b/po/LINGUAS index fa53b7b..1ad138e 100644 --- a/po/LINGUAS +++ b/po/LINGUAS @@ -7,9 +7,11 @@ fr id it ja +ka nl pl pt_BR +ro ru sr sv diff --git a/po/Makevars b/po/Makevars index 8940c0a..93d6bbc 100644 --- a/po/Makevars +++ b/po/Makevars @@ -37,7 +37,7 @@ COPYRIGHT_HOLDER = # It can be your email address, or a mailing list address where translators # can write to without being subscribed, or the URL of a web page through # which the translators can contact you. -MSGID_BUGS_ADDRESS = dm-crypt@saout.de +MSGID_BUGS_ADDRESS = cryptsetup@lists.linux.dev # This is the list of locale categories, beyond LC_MESSAGES, for which the # message catalogs shall be used. It is usually empty. diff --git a/po/POTFILES.in b/po/POTFILES.in index 2d42503..ed9ebfe 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -6,7 +6,6 @@ lib/volumekey.c lib/crypt_plain.c lib/utils_crypt.c lib/utils_loop.c -lib/utils_fips.c lib/utils_device.c lib/utils_devpath.c lib/utils_pbkdf.c @@ -23,6 +22,7 @@ lib/luks1/keymanage.c lib/loopaes/loopaes.c lib/tcrypt/tcrypt.c lib/bitlk/bitlk.c +lib/fvault2/fvault2.c lib/verity/verity.c lib/verity/verity_hash.c lib/verity/verity_fec.c @@ -44,10 +44,12 @@ lib/luks2/luks2_token_keyring.c src/cryptsetup.c src/veritysetup.c src/integritysetup.c -src/cryptsetup_reencrypt.c src/utils_tools.c +src/utils_progress.c src/utils_password.c -src/utils_luks2.c +src/utils_luks.c +src/utils_reencrypt.c +src/utils_reencrypt_luks1.c src/utils_blockdev.c src/utils_args.c tokens/ssh/cryptsetup-ssh.c diff --git a/po/cryptsetup.pot b/po/cryptsetup.pot index 650aca6..8c1423d 100644 --- a/po/cryptsetup.pot +++ b/po/cryptsetup.pot 
@@ -5,9 +5,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-16 16:52+0100\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
@@ -16,649 +16,690 @@ msgstr "" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "" -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "" -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "" -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "" -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "" -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "" -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "" + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." msgstr "" -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "" -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "" -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." 
msgstr "" -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "" -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "" -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "" -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random " "events.\n" msgstr "" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "" -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "" -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "" -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "" -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "" -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "" -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "" -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "" -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" 
msgstr "" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "" -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "" -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "" -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "" -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "" -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "" -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "" -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "" -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "" -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "" + +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "" + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." 
msgstr "" -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "" -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "" -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "" -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "" -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "" -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "" -#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "" -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "" -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "" -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." 
msgstr "" -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "" -#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "" +"Device %s is too small for activation, there is no remaining space for " +"data.\n" +msgstr "" + +#: lib/setup.c:1840 msgid "" "WARNING: The device activation will fail, dm-crypt is missing support for " "requested encryption sector size.\n" msgstr "" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "" -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "" -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "" -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "" -#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "" -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." 
msgstr "" -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "" -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "" -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "" -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "" -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "" -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "" -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "" -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "" -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "" -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "" -#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "" "WARNING: Requested tag size %d bytes differs from %s size output (%d " "bytes).\n" msgstr "" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "" -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "" -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "" -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." 
msgstr "" -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "" -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "" -#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "" -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "" -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "" -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "" -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "" + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "" -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "" -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." 
msgstr "" -#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." msgstr "" -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "" -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "" -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "" -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "" -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "" -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "" - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "" -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "" -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "" -#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "" -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." 
msgstr "" -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "" -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "" -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "" -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "" -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "" -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "" -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." msgstr "" -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "" -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "" -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "" -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "" -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "" -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "" -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "" -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." 
+msgstr "" + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "" + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "" -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "" -#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "" + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "" + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "" -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "" -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "" -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "" -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "" -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "" -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "" -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "" + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "" -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "" -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "" -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "" - -#: lib/utils.c:94 -msgid "Cannot unlock memory." 
-msgstr "" - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "" -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "" -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "" -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "" -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "" -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "" -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "" -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "" -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "" -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "" -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "" -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "" -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "" -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "" -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." 
msgstr "" -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "" -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "" -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "" "Attaching loopback device failed (loop device with autoclear flag is " "required)." msgstr "" -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "" -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "" 
@@ -713,44 +754,38 @@ msgstr "" msgid "Only PBKDF2 is supported in FIPS mode." msgstr "" -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:175 msgid "PBKDF benchmark disabled but iterations not set." msgstr "" -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:194 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "" -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:214 msgid "Not compatible PBKDF options." msgstr "" -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "" "Locking aborted. The locking path %s/%s is unusable (not a directory or " "missing)." msgstr "" -#: lib/utils_device_locking.c:109 -#, c-format -msgid "" -"Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "" - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "" "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "" -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "" -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." msgstr "" @@ -770,9 +805,9 @@ msgstr "" msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "" -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "" 
@@ -785,23 +820,24 @@ msgstr "" msgid "Failed to access temporary keystore device." msgstr "" -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "" -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "" -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "" 
@@ -817,195 +853,188 @@ msgstr "" msgid "LUKS keyslot %u is invalid." msgstr "" -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "" - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "" -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "" -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." 
msgstr "" -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "" -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "" "does not contain LUKS header. Replacing header can destroy data on that " "device." msgstr "" -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "" "already contains LUKS header. Replacing header will destroy existing " "keyslots." msgstr "" -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" msgstr "" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "" -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "" -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "" -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "" -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "" -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "" -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "" -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." 
msgstr "" -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "" -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "" -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "" -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "" -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "" -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "" -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "" -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "" -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "" -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "" "Data offset for LUKS header must be either 0 or higher than header size." msgstr "" -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "" -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "" -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." 
msgstr "" -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "" -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "" + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "" -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "" -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "" 
@@ -1026,223 +1055,245 @@ msgstr "" msgid "Kernel does not support loop-AES compatible mapping." msgstr "" -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "" -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "" -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "" -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "" -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "" -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "" -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "" -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "" -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "" -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "" -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "" "Unexpected metadata entry type '%u' found when parsing supported Volume " "Master Key." msgstr "" -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "" -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "" "Unexpected string ('%s') found when parsing supported Volume Master Key." 
msgstr "" -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "" "Unexpected metadata entry value '%u' found when parsing supported Volume " "Master Key." msgstr "" -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "" - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "" - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "" -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "" -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "" -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "" -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "" -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "" -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "" -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "" + +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "" -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:905 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "" + +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." 
msgstr "" -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." msgstr "" -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "" -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "" -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "" -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "" -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "" -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1262 +#, c-format +msgid "" +"WARNING: BitLocker volume size %<PRIu64> does not match the underlying " +"device size %<PRIu64>" +msgstr "" + +#: lib/bitlk/bitlk.c:1389 msgid "" "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "" -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1393 msgid "" "Cannot activate device, kernel dm-crypt is missing support for BITLK " "Elephant diffuser." msgstr "" -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1397 +msgid "" +"Cannot activate device, kernel dm-crypt is missing support for large sector " +"size." +msgstr "" + +#: lib/bitlk/bitlk.c:1401 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "" + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." 
+msgstr "" + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "" + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "" -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "" - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "" -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "" -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "" -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "" -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "" -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "" -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "" -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "" -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "" -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "" 
@@ -1316,1157 +1367,1293 @@ msgstr "" msgid "Failed to write parity for RS block %<PRIu64>." msgstr "" -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "" -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "" -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "" -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "" -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "" + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 msgid "Kernel does not support dm-integrity mapping." msgstr "" -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "" -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "" "Kernel refuses to activate insecure recalculate option (see legacy " "activation options to override)." msgstr "" -#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 +#: lib/luks2/luks2_json_metadata.c:1482 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "" -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "" "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." 
msgstr "" -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." msgstr "" -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:229 msgid "Requested data offset is too small." msgstr "" -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:274 #, c-format msgid "" "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 " "keyslot count is very limited.\n" msgstr "" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 +#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1405 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1446 msgid "Data offset differ on device and backup, restore failed." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1452 msgid "" "Binary header with keyslot areas size differ on device and backup, restore " "failed." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1459 #, c-format msgid "Device %s %s%s%s%s" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1460 msgid "" "does not contain LUKS2 header. Replacing header can destroy data on that " "device." 
msgstr "" -#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1461 msgid "" "already contains LUKS2 header. Replacing header will destroy existing " "keyslots." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1463 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" "Replacing header with backup may corrupt the data on that device!" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1465 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" "Replacing header with backup may corrupt data." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1562 #, c-format msgid "Ignored unknown flag %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 msgid "Failed to set dm-crypt segment." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 msgid "Failed to set dm-linear segment." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2615 msgid "Unsupported device integrity configuration." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2701 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 #, c-format msgid "Failed to replace suspended device %s with dm-error target." 
msgstr "" -#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2792 msgid "Failed to read LUKS2 requirements." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2799 msgid "Unmet LUKS2 requirements detected." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2807 msgid "" "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2809 msgid "" "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "" -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 msgid "Not enough available memory to open a keyslot." msgstr "" -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 msgid "Keyslot open failed." msgstr "" -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "" -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "" + +#: lib/luks2/luks2_keyslot_luks2.c:510 msgid "No space for new keyslot." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "" + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "" +"Can not update resilience type. New type only provides %<PRIu64> bytes, " +"required space is: %<PRIu64> bytes." 
+msgstr "" + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "" + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "" + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "" + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "" "Cannot convert to LUKS1 format - default segment encryption sector size is " "not 512 bytes." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "" "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." 
+msgstr "" + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "" "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still " "active." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "" -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +msgid "Failed to initialize hotzone protection." 
+msgstr "" + +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "" "Source and target device sizes don't match. Source %<PRIu64>, target: " "%<PRIu64>." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format msgid "" -"Data shift is not aligned to requested encryption sector size (%<PRIu32> " -"bytes)." +"Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." 
msgstr "" -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#, c-format +msgid "Unsupported resilience mode %s" +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2760 +msgid "Moved segment size can not be greater than data shift value." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2824 #, c-format msgid "" -"Data device is not aligned to requested encryption sector size (%<PRIu32> " -"bytes)." +"Moved segment too large. Requested size %<PRIu64>, available space for: " +"%<PRIu64>." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2911 +msgid "Failed to clear table." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2997 +msgid "Reduced data size is larger than real device size." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3004 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "" "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> " "sectors)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." 
msgstr "" -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." 
msgstr "" -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." +#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "" "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> " "sectors long." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." 
msgstr "" -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." msgstr "" -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "" -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" +msgid "Enter token PIN: " msgstr "" -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" +msgid "Enter token %d PIN: " msgstr "" -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "" -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "" "WARNING: The --hash parameter is being ignored in plain mode with keyfile " "specified.\n" msgstr "" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "" "WARNING: The --keyfile-size option is being ignored, the read size is the " "same as the encryption key size.\n" msgstr "" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "" "Detected device signature(s) on %s. Proceeding further may damage existing " "data." 
msgstr "" -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "" -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "" -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "" -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "" -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." msgstr "" -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "" -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "" -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "" "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "" -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" "This dump should be always stored encrypted on safe place." msgstr "" -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" "This dump should be stored encrypted in a safe place." 
msgstr "" -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "" + +#: src/cryptsetup.c:747 +msgid "" +"Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "" + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "" "Resize of active device requires volume key in keyring but --disable-keyring " "option is set." msgstr "" -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "" -#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "" "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit " "key (requested %u ms time)\n" msgstr "" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "" -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. 
-#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the " +"reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as " +"genuine." msgstr "" -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "" + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "" + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "" -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will " "contain invalid checksum).\n" msgstr "" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "" -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." 
msgstr "" -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "" -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "" -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "" -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "" -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "" -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "" -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "" -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "" +"LUKS file container %s is too small for activation, there is no remaining " +"space for data." +msgstr "" + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "" "Cannot determine volume key size for LUKS without keyslots, please use --key-" "size option." 
msgstr "" -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "" -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "" -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "" "This is the last keyslot. Device will become unusable after purging this key." msgstr "" -#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "" -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "" -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "" + +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "" -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "" -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "" -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "" -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "" -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." 
msgstr "" -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "" -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." msgstr "" -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "" -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "" -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "" -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "" -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "" -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "" -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" "Device will become unusable after this operation." msgstr "" -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "" -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." 
msgstr "" -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "" -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "" -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "" -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "" -#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "" -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "" -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "" -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgid "Token %d is not assigned to keyslot %d." msgstr "" -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" +msgid "Failed to unassign token %d from keyslot %d." msgstr "" -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." 
-msgstr "" - -#: src/cryptsetup.c:2799 -#, c-format +#: src/cryptsetup.c:2983 msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" +"Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only " +"for TCRYPT device." msgstr "" -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "" - -#: src/cryptsetup.c:2886 +#: src/cryptsetup.c:2986 msgid "" -"Encryption without detached header (--header) is not possible without data " -"device size reduction (--reduce-device-size)." +"Option --veracrypt or --disable-veracrypt is supported only for TCRYPT " +"device type." msgstr "" -#: src/cryptsetup.c:2891 +#: src/cryptsetup.c:2989 msgid "" -"Requested data offset must be less than or equal to half of --reduce-device-" -"size parameter." +"Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "" -#: src/cryptsetup.c:2900 -#, c-format +#: src/cryptsetup.c:2993 msgid "" -"Adjusting --reduce-device-size value to twice the --offset %<PRIu64> " -"(sectors).\n" +"Option --veracrypt-query-pim is supported only for VeraCrypt compatible " +"devices." msgstr "" -#: src/cryptsetup.c:2923 -#, c-format +#: src/cryptsetup.c:2995 msgid "" -"Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +"The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "" -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "" - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "" - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." 
+#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." msgstr "" #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." +msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "" -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." msgstr "" -#: src/cryptsetup.c:3055 +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "" + +#: src/cryptsetup.c:3016 msgid "" -"LUKS2 decryption is supported with detached header device only (with data " -"offset set to 0)." +"Option --offset with open action is only supported for plain and loopaes " +"devices." msgstr "" -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "" -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 +#: src/cryptsetup.c:3023 msgid "" -"Key file can be used only with --key-slot or with exactly one key slot " -"active." +"Sector size option with open action is supported only for plain devices." msgstr "" -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "" - -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "" - -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "" - -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "" - -#: src/cryptsetup.c:3437 +#: src/cryptsetup.c:3027 msgid "" -"Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt " -"tool for LUKS1." 
+"Large IV sectors option is supported only for opening plain type device with " +"sector size larger than 512 bytes." msgstr "" -#: src/cryptsetup.c:3449 +#: src/cryptsetup.c:3032 msgid "" -"Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt " -"utility." +"Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and " +"FVAULT2 devices." msgstr "" -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." msgstr "" -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." msgstr "" -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." +#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." msgstr "" -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "" +"Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "" + +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "" + +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "" + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3091 +msgid "" +"Option --integrity-no-wipe can be used only for format action with integrity " +"extension." +msgstr "" + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." 
+msgstr "" + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "" + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "" + +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "" + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "" + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "" + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "" + +#: src/cryptsetup.c:3156 msgid "<device> [--type <type>] [<name>]" msgstr "" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as <name>" msgstr "" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3159 msgid "show device status" msgstr "" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "[--cipher <cipher>]" msgstr "" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "" -#: src/cryptsetup.c:3503 
src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "<device>" msgstr "" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid "<device> [<new key file>]" msgstr "" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid "<device> [<key file>]" msgstr "" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "" -#: src/cryptsetup.c:3512 +#: 
src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "<device> <key slot>" msgstr "" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "wipes key with number <key slot> from LUKS device" msgstr "" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3173 msgid "tests <device> for LUKS partition header" msgstr "" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "" + +#: src/cryptsetup.c:3178 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "<add|remove|import|export> <device>" msgstr "" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" msgstr "" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old <action> syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, " 
+"fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, " -"bitlkClose\n" +"bitlkClose, fvault2Close\n" msgstr "" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2476,34 +2663,34 @@ msgid "" "<key file> optional key file for the new key for luksAddKey action\n" msgstr "" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" "Default compiled-in metadata format is %s (for luksFormat action).\n" msgstr "" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" "LUKS2 external token plugin support is %s.\n" msgstr "" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2515,7 +2702,7 @@ msgid "" "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n" msgstr "" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" 
@@ -2525,227 +2712,99 @@ msgid "" "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" msgstr "" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3250 msgid "" "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "" -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "" -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "" -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "" -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "" -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." 
msgstr "" -#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "" -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "" -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "" - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "" -"Options --cancel-deferred and --deferred cannot be used at the same time." -msgstr "" - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "" - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." 
-msgstr "" - -#: src/cryptsetup.c:3882 -msgid "" -"Option --integrity-no-wipe can be used only for format action with integrity " -"extension." -msgstr "" - -#: src/cryptsetup.c:3889 -msgid "" -"Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK " -"devices." -msgstr "" - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "" -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "" -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "" - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "" - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "" - -#: src/cryptsetup.c:3927 -msgid "" -"Option --offset with open action is only supported for plain and loopaes " -"devices." -msgstr "" - -#: src/cryptsetup.c:3933 -msgid "" -"Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only " -"for TCRYPT device." -msgstr "" - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "" - -#: src/cryptsetup.c:3943 -msgid "" -"Option --veracrypt or --disable-veracrypt is supported only for TCRYPT " -"device type." -msgstr "" - -#: src/cryptsetup.c:3948 -msgid "" -"Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "" - -#: src/cryptsetup.c:3954 -msgid "" -"Option --veracrypt-query-pim is supported only for VeraCrypt compatible " -"devices." -msgstr "" - -#: src/cryptsetup.c:3958 -msgid "" -"The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "" - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." 
-msgstr "" - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3557 msgid "" "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/" "argon2id." msgstr "" -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "" -#: src/cryptsetup.c:3983 -msgid "" -"Sector size option with open action is supported only for plain devices." -msgstr "" - -#: src/cryptsetup.c:3990 -msgid "" -"Large IV sectors option is supported only for opening plain type device with " -"sector size larger than 512 bytes." -msgstr "" - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "" - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "" - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "" - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "" - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "" -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "" - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "" - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "" - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "" 
@@ -2773,67 +2832,72 @@ msgstr "" msgid "Cannot write to root hash file %s." msgstr "" -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "" + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "" -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "" -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "" -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "" -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "" -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "" -#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid "<data_device> <hash_device>" msgstr "" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "<hash_device>" msgstr "" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" 
@@ -2843,7 +2907,7 @@ msgid "" "<root_hash> hash of the root node on <hash_device>\n" msgstr "" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" @@ -2852,32 +2916,51 @@ msgid "" "Hash format: %u\n" msgstr "" -#: src/veritysetup.c:646 +#: src/veritysetup.c:658 msgid "" "Option --ignore-corruption and --restart-on-corruption cannot be used " "together." msgstr "" -#: src/veritysetup.c:651 +#: src/veritysetup.c:663 msgid "" "Option --panic-on-corruption and --restart-on-corruption cannot be used " "together." msgstr "" -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --" +"integrity-recalculate)." +msgstr "" + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "" +"Setting recalculate flag is not supported, you may consider using --wipe " +"instead." +msgstr "" + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "" + +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2885,7 +2968,7 @@ msgid "" "<integrity_device> is the device containing data with integrity tags\n" msgstr "" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2894,253 +2977,49 @@ msgid "" "\tMaximum keyfile size: %dkB\n" msgstr "" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "" -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "" "Journal integrity algorithm must be specified if journal integrity key is " "used." msgstr "" -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "" "Both journal encryption key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "" "Journal encryption algorithm must be specified if journal encryption key is " "used." msgstr "" -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "" -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "" -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "" -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "" - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "" - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "" - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "" - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "" - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." 
-msgstr "" - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "" - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "" - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "" - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "" - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "" - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "" - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "" - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "" - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "" -"This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "" - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "" - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "" - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "" - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." 
-msgstr "" - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1414 -msgid "" -"No decryption in progress, provided UUID can be used only to resume " -"suspended decryption process." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1614 -msgid "" -"Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "" - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr "" - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1712 -msgid "" -"Option --new must be used together with --reduce-device-size or --header." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1716 -msgid "" -"Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-" -"iterations." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." 
-msgstr "" - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "" - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "" - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3148,7 +3027,7 @@ msgid "" msgstr "" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3156,145 +3035,175 @@ msgid "" "Are you sure? (Type 'yes' in capital letters): " msgstr "" -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "" -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "" -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "" -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "" -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "" -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "" -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "" -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "" -#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "" -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "" -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "" -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." 
msgstr "" -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "" "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "" -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "" -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "" -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "" -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "" -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "" -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "" -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "" -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "" -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. 
+#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "" 
@@ -3306,123 +3215,507 @@ msgid "" " %s" msgstr "" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "" -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "" -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "" -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "" -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "" -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "" -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "" -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "" -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "" + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "" -#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "" -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." msgstr "" -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "" -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." msgstr "" -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." 
msgstr "" -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "" + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or " +"not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode " +"(dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "" +"Requested --resilience option cannot be applied to current reencryption " +"operation." +msgstr "" + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "" + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "" + +#: src/utils_reencrypt.c:215 +msgid "" +"Device is in reencryption using datashift resilience. Requested --resilience " +"option cannot be applied." +msgstr "" + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "" + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "" +"Device %s is already in LUKS2 reencryption. Do you wish to resume previously " +"initialised operation?" +msgstr "" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." 
+msgstr "" + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "" + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "" +"Encryption without detached header (--header) is not possible without data " +"device size reduction (--reduce-device-size)." +msgstr "" + +#: src/utils_reencrypt.c:525 +msgid "" +"Requested data offset must be less than or equal to half of --reduce-device-" +"size parameter." +msgstr "" + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "" +"Adjusting --reduce-device-size value to twice the --offset %<PRIu64> " +"(sectors).\n" +msgstr "" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "" + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "" + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "" + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "" + +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "" + +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "" + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "" + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "" +"Header file %s does not exist. Do you want to initialize LUKS2 decryption of " +"device %s and export LUKS2 header to file %s?" +msgstr "" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." 
+msgstr "" + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "" + +#: src/utils_reencrypt.c:873 +msgid "" +"LUKS2 decryption is supported with detached header device only (with data " +"offset set to 0)." +msgstr "" + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "" +"Key file can be used only with --key-slot or with exactly one key slot " +"active." +msgstr "" + +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "" + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "" + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "" + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option " +"(dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." 
+msgstr "" + +#: src/utils_reencrypt.c:1453 +msgid "LUKS2 decryption requires --header option." +msgstr "" + +#: src/utils_reencrypt.c:1501 +msgid "Command requires device as argument." +msgstr "" + +#: src/utils_reencrypt.c:1514 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "" + +#: src/utils_reencrypt.c:1520 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1526 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "" + +#: src/utils_reencrypt.c:1532 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1538 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1545 +msgid "Device reencryption not in progress." +msgstr "" + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "" + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "" + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "" + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." 
+msgstr "" + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "" + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "" + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "" + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "" + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "" + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "" + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "" + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "" + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "" + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "" + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:1230 +msgid "" +"No decryption in progress, provided UUID can be used only to resume " +"suspended decryption process." +msgstr "" + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." 
+msgstr "" + +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "" + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr "" + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "" -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "" -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "" - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "" -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "" -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "" -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "" -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "" 
@@ -3432,16 +3725,16 @@ msgstr "" msgid "Invalid size specification in parameter --%s." msgstr "" -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token " "connected to an SSH server\vThis plugin currently allows only adding a token " 
@@ -3456,112 +3749,112 @@ msgid "" "user and paths) will be stored in the LUKS2 header in plaintext." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "" "Keyslot to assign the token to. If not specified, token will be assigned to " "the first keyslot matching provided passphrase." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "" @@ -3569,6 +3862,10 @@ msgstr "" msgid "Cannot init sftp session: " msgstr "" +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "" + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "" diff --git a/po/cs.po b/po/cs.po index 2c69a11..ed39d10 100644 --- a/po/cs.po +++ b/po/cs.po 
@@ -3,7 +3,7 @@ # This file is distributed under the same license as the cryptsetup package. # Milan Broz <mbroz@redhat.com>, 2010. # Petr Pisar <petr.pisar@atlas.cz>, 2010, 2011, 2012, 2013, 2014, 2015, 2016. -# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020, 2021. +# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020, 2021, 2022, 2023. # # See `LUKS On-Disk Format Specification' document to clarify some terms. # @@ -11,7 +11,7 @@ # (SSH) credentials → přihlašovací údaje # data offset → počátek dat # deffered remove → odložené odebrání -# detached header → oddědelená hlavička +# detached header → oddělená hlavička # digest → otisk # hash → haš # key slot → pozice klíče @@ -29,10 +29,10 @@ # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-13 14:47+01:00\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-02 18:11+01:00\n" "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n" "Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n" "Language: cs\n" 
@@ -42,67 +42,71 @@ msgstr "" "X-Bugs: Report translation errors to the Language-Team address.\n" "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Nelze inicializovat device-mapper, nespuštěno superuživatelem." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Požadovaný příznak odložení není podporován." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID pro zařízení %s bylo zkráceno." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Neznámý druh cíle DM." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Požadované výkonnostní volby dm-cryptu nejsou podporovány." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Požadované volby, jak zacházet s poškozením dat dm-verity, nejsou podporovány." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Požadovaná volba taskletu dm-cryptu není podporována." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." msgstr "Požadované FEC volby dm-cryptu nejsou podporovány." 
-#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Požadované volby integrity dat nejsou podporovány." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Požadované volby sector_size není podporována." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Požadovaný automatický přepočet značek integrity není podporován." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Zahazování (TRIM) není podporováno." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Požadovaný režim bitmapy integrity DM není podporován." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Dotaz na část dm-%s selhal." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -111,578 +115,615 @@ msgstr ""
 "Aby bylo možné nasbírat náhodné události, žádáme uživatele, aby pohyboval\n"
 "myší nebo psal text do jiného okna.\n"
-#: lib/random.c:79
+#: lib/random.c:77
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Vytváří se klíč (%d %% hotovo).\n"
-#: lib/random.c:165
+#: lib/random.c:163
 msgid "Running in FIPS mode."
 msgstr "Režim FIPS zapnut."
-#: lib/random.c:171
+#: lib/random.c:169
 msgid "Fatal error during RNG initialisation."
 msgstr "Fatální chyba během přípravy generátoru náhodných čísel."
-#: lib/random.c:208
+#: lib/random.c:207
 msgid "Unknown RNG quality requested."
 msgstr "Požadována neznámá kvalita generátoru náhodných čísel."
-#: lib/random.c:213
+#: lib/random.c:212
 msgid "Error reading from RNG."
 msgstr "Chyba při čtení z generátoru náhodných čísel."
-#: lib/setup.c:226
+#: lib/setup.c:231
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Implementaci šifrovacího generátoru náhodných čísel nelze inicializovat."
-#: lib/setup.c:232
+#: lib/setup.c:237
 msgid "Cannot initialize crypto backend."
 msgstr "Implementaci šifrování nelze inicializovat."
-#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119
+#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hašovací algoritmus %s není podporován."
-#: lib/setup.c:266 lib/loopaes/loopaes.c:90
+#: lib/setup.c:271 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Chyba zpracování klíče (za použití haše %s)."
-#: lib/setup.c:332 lib/setup.c:359
+#: lib/setup.c:342 lib/setup.c:369
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?"
-#: lib/setup.c:338 lib/setup.c:3142
+#: lib/setup.c:348 lib/setup.c:3320
 msgid "This operation is supported only for LUKS device."
 msgstr "Tato operace je podporována jen u zařízení LUKS."
-#: lib/setup.c:365
+#: lib/setup.c:375
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Tato operace je podporována jen u zařízení LUKS2."
-#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440
+#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010
 msgid "All key slots full."
 msgstr "Všechny pozice klíčů jsou obsazeny."
-#: lib/setup.c:431
+#: lib/setup.c:438
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d."
-#: lib/setup.c:437
+#: lib/setup.c:444
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou."
-#: lib/setup.c:522 lib/setup.c:2900
+#: lib/setup.c:529 lib/setup.c:3042
 msgid "Device size is not aligned to device logical block size."
 msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru zařízení."
-#: lib/setup.c:620
+#: lib/setup.c:627
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Nalezena hlavička, ale zařízení %s je příliš malé."
-#: lib/setup.c:661 lib/setup.c:2845
+#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287
+#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184
 msgid "This operation is not supported for this device type."
 msgstr "Tato operace není na zařízení tohoto typu podporována."
-#: lib/setup.c:666
+#: lib/setup.c:673
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Zakázaná operace spolu s probíhajícím přešifrování."
-#: lib/setup.c:834 lib/luks1/keymanage.c:527
+#: lib/setup.c:802
+msgid "Failed to rollback LUKS2 metadata in memory."
+msgstr "Nahrání původních metadat LUKS2 do paměti selhalo."
+
+#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527
+#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
+#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
+#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
+#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465
+#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77
+#, c-format
+msgid "Device %s is not a valid LUKS device."
+msgstr "Zařízení %s není platným zařízením LUKS."
+
+#: lib/setup.c:892 lib/luks1/keymanage.c:530
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nepodporovaná verze LUKS %d."
-#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695
-#: lib/setup.c:2853 lib/setup.c:4643
+#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785
+#: lib/setup.c:2952 lib/setup.c:4764
 #, c-format
 msgid "Device %s is not active."
 msgstr "Zařízení %s není aktivní."
-#: lib/setup.c:1447
+#: lib/setup.c:1508
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo."
-#: lib/setup.c:1527
+#: lib/setup.c:1590
 msgid "Invalid plain crypt parameters."
 msgstr "Neplatné parametry plain šifry."
-#: lib/setup.c:1532 lib/setup.c:1982
+#: lib/setup.c:1595 lib/setup.c:2054
 msgid "Invalid key size."
 msgstr "Neplatná velikost klíče."
-#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190
+#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID není na šifře tohoto typu podporováno."
-#: lib/setup.c:1542 lib/setup.c:1992
+#: lib/setup.c:1605 lib/setup.c:2064
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Zařízení s oddělenými metadaty není na šifře tohoto typu podporováno."
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401
-#: src/cryptsetup.c:1358 src/cryptsetup.c:3723
+#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966
+#: src/cryptsetup.c:1387 src/cryptsetup.c:3383
 msgid "Unsupported encryption sector size."
 msgstr "Nepodporovaná velikost šifrovaného sektoru."
-#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894
+#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036
 msgid "Device size is not aligned to requested sector size."
 msgstr "Velikost zařízení není zarovnaná na požadovanou velikost sektoru."
-#: lib/setup.c:1612 lib/setup.c:1732
+#: lib/setup.c:1675 lib/setup.c:1799
 msgid "Can't format LUKS without device."
 msgstr "LUKS nelze bez zařízení naformátovat."
-#: lib/setup.c:1618 lib/setup.c:1738
+#: lib/setup.c:1681 lib/setup.c:1805
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Požadované zarovnání dat není slučitelné s polohou dat."
-#: lib/setup.c:1686 lib/setup.c:1882
-msgid "WARNING: Data offset is outside of currently available data device.\n"
-msgstr "POZOR: Poloha dat je mimo nyní dostupné zařízení s daty.\n"
-
-#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202
+#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Ze zařízení %s nelze odstranit hlavičku."
-#: lib/setup.c:1763
+#: lib/setup.c:1769 lib/setup.c:2036
+#, c-format
+msgid "Device %s is too small for activation, there is no remaining space for data.\n"
+msgstr "Zařízení %s je na aktivaci příliš malé. Nezbývá žádné místo pro data.\n"
+
+#: lib/setup.c:1840
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "POZOR: Aktivace zařízení selže, dm-crypt nepodporuje požadovanou velikost šifrovaného sektoru.\n"
-#: lib/setup.c:1786
+#: lib/setup.c:1863
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Klíč svazku je příliš malý na šifrovaní s rozšířeními pro integritu."
-#: lib/setup.c:1856
+#: lib/setup.c:1923
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Šifra %s-%s (velikost klíče %zd bitů) není dostupná."
-#: lib/setup.c:1885
+#: lib/setup.c:1949
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Metadata LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
-#: lib/setup.c:1889
+#: lib/setup.c:1953
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Oblast s pozicemi klíčů pro LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
-#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255
-#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488
+#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
 #, c-format
 msgid "Device %s is too small."
 msgstr "Zařízení %s je příliš malé."
-#: lib/setup.c:1926 lib/setup.c:1952
+#: lib/setup.c:1990 lib/setup.c:2016
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Zařízení %s, které se používá, nelze formátovat."
-#: lib/setup.c:1929 lib/setup.c:1955
+#: lib/setup.c:1993 lib/setup.c:2019
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Zařízení %s nelze formátovat, povolení zamítnuto."
 # FIXME "format integrity" is nonsense
-#: lib/setup.c:1941 lib/setup.c:2262
+#: lib/setup.c:2005 lib/setup.c:2334
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Zařízení %s není možné formátovat integritu."
-#: lib/setup.c:1959
+#: lib/setup.c:2023
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Zařízení %s nelze formátovat."
-#: lib/setup.c:1977
+#: lib/setup.c:2049
 msgid "Can't format LOOPAES without device."
 msgstr "LOOPAES nelze bez zařízení naformátovat."
-#: lib/setup.c:2022
+#: lib/setup.c:2094
 msgid "Can't format VERITY without device."
 msgstr "VERITY nelze bez zařízení naformátovat."
-#: lib/setup.c:2033 lib/verity/verity.c:102
+#: lib/setup.c:2105 lib/verity/verity.c:101
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nepodporovaný druh VERITY haše %d."
-#: lib/setup.c:2039 lib/verity/verity.c:110
+#: lib/setup.c:2111 lib/verity/verity.c:109
 msgid "Unsupported VERITY block size."
 msgstr "Nepodporovaná velikost bloku VERITY."
-#: lib/setup.c:2044 lib/verity/verity.c:74
+#: lib/setup.c:2116 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Nepodporovaná poloha haše VERITY."
-#: lib/setup.c:2049
+#: lib/setup.c:2121
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nepodporovaná poloha VERITY FEC."
-#: lib/setup.c:2073
+#: lib/setup.c:2145
 msgid "Data area overlaps with hash area."
 msgstr "Oblast dat se překrývá s oblastí haše."
-#: lib/setup.c:2098
+#: lib/setup.c:2170
 msgid "Hash area overlaps with FEC area."
 msgstr "Oblast FEC se překrývá s oblastí haše."
-#: lib/setup.c:2105
+#: lib/setup.c:2177
 msgid "Data area overlaps with FEC area."
 msgstr "Oblast dat se překrývá s oblastí FEC."
-#: lib/setup.c:2241
+#: lib/setup.c:2313
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "POZOR: Požadovaná velikost značky %d bajtů se liší od výstupu velikosti %s (%d bajtů).\n"
-#: lib/setup.c:2320
+#: lib/setup.c:2392
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Požadován neznámý typ šifrovaného zařízení %s."
-#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701
+#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nepodporované parametry na zařízení %s."
-#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503
-#: lib/luks2/luks2_reencrypt.c:2847
+#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862
+#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Neodpovídající parametry an za zařízení %s."
-#: lib/setup.c:2728
+#: lib/setup.c:2822
 msgid "Crypt devices mismatch."
 msgstr "Zařízení dmcryptu si neodpovídají."
-#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143
-#: lib/luks2/luks2_reencrypt.c:3255
+#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361
+#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Zařízení %s nebylo možné znovu zavést."
-#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114
-#: lib/luks2/luks2_reencrypt.c:2121
+#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332
+#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Zařízení %s nebylo možné pozastavit."
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128
-#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259
+#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346
+#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
+#: lib/luks2/luks2_reencrypt.c:4036
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Zařízení %s nebylo možné probudit."
-#: lib/setup.c:2803
+#: lib/setup.c:2897
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Nepřekonatelná chyba při zavádění zařízení %s (nad zařízením %s)."
-#: lib/setup.c:2806 lib/setup.c:2808
+#: lib/setup.c:2900 lib/setup.c:2902
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Zařízení %s nebylo možné přepnout do dm-error."
-#: lib/setup.c:2885
+#: lib/setup.c:2984
 msgid "Cannot resize loop device."
 msgstr "Nelze změnit velikost zařízení zpětné smyčky."
-#: lib/setup.c:2958
+#: lib/setup.c:3027
+msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
+msgstr ""
+"POZOR: Maximální velikost je již nastavena nebo změna velikosti není jádrem\n"
+"podporována.\n"
+
+#: lib/setup.c:3088
+msgid "Resize failed, the kernel doesn't support it."
+msgstr "Změna velikosti selhala, jádro ji nepodporuje."
+
+#: lib/setup.c:3120
 msgid "Do you really want to change UUID of device?"
 msgstr "Opravdu chcete změnit UUID zařízení?"
-#: lib/setup.c:3034
+#: lib/setup.c:3212
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Soubor se zálohou hlavičky neobsahuje kompatibilní hlavičku LUKS."
-#: lib/setup.c:3150
+#: lib/setup.c:3328
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Svazek %s není aktivní."
-#: lib/setup.c:3161
+#: lib/setup.c:3339
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Svazek %s je již uspán."
-#: lib/setup.c:3174
+#: lib/setup.c:3352
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Uspání není na zařízení %s podporováno."
-#: lib/setup.c:3176
+#: lib/setup.c:3354
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Chyba při uspávání zařízení %s."
-#: lib/setup.c:3212
+#: lib/setup.c:3389
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Probuzení není na zařízení %s podporováno."
-#: lib/setup.c:3214
+#: lib/setup.c:3391
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Chyba při probouzení zařízení %s."
-#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366
+#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589
+#: src/cryptsetup.c:2479
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Svazek %s není uspán."
-#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436
-#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008
+#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561
+#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228
+#: src/cryptsetup.c:2011
 msgid "Volume key does not match the volume."
 msgstr "Heslo svazku neodpovídá svazku."
-#: lib/setup.c:3428 lib/setup.c:3633
-msgid "Cannot add key slot, all slots disabled and no volume key provided."
-msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut."
-
-#: lib/setup.c:3585
+#: lib/setup.c:3737
 msgid "Failed to swap new key slot."
 msgstr "Záměna novou pozicí klíče se nezdařila."
-#: lib/setup.c:3771
+#: lib/setup.c:3835
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Pozice klíče %d je neplatná."
-#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041
-#: src/cryptsetup.c:2632 src/cryptsetup.c:2689
+#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208
+#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Pozice klíče %d není aktivní."
-#: lib/setup.c:3796
+#: lib/setup.c:3860
 msgid "Device header overlaps with data area."
 msgstr "Hlavička zařízení se překrývá s datovou oblastí."
-#: lib/setup.c:4089
+#: lib/setup.c:4165
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Přešifrování již probíhá. Zařízení nelze aktivovat."
-#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287
-#: lib/luks2/luks2_reencrypt.c:2946
+#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703
+#: lib/luks2/luks2_reencrypt.c:3590
 msgid "Failed to get reencryption lock."
 msgstr "Získání zámku pro přešifrování selhalo."
-#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965
+#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Obnova přešifrování LUKS2 selhalo."
-#: lib/setup.c:4235 lib/setup.c:4500
+#: lib/setup.c:4352 lib/setup.c:4618
 msgid "Device type is not properly initialized."
 msgstr "Typ zařízení není řádně inicializován."
-#: lib/setup.c:4283
+#: lib/setup.c:4400
 #, c-format
 msgid "Device %s already exists."
 msgstr "Zařízení %s již existuje."
-#: lib/setup.c:4290
+#: lib/setup.c:4407
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Zařízení %s nelze použít. Název není platný nebo zařízení se stále používá."
-#: lib/setup.c:4410
+#: lib/setup.c:4527
 msgid "Incorrect volume key specified for plain device."
 msgstr "Byl zadán neplatný klíč svazku."
-#: lib/setup.c:4526
+#: lib/setup.c:4644
 msgid "Incorrect root hash specified for verity device."
 msgstr "K zařízení VERITY byl zadán neplatný kořenový haš."
-#: lib/setup.c:4533
+#: lib/setup.c:4654
 msgid "Root hash signature required."
 msgstr "Je potřeba podpis kořenového otisku."
-#: lib/setup.c:4542
+#: lib/setup.c:4663
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Jaderná klíčenka chybí: je potřeba pro předání podpisu do jádra."
-#: lib/setup.c:4559 lib/setup.c:6084
+#: lib/setup.c:4680 lib/setup.c:6423
 msgid "Failed to load key in kernel keyring."
 msgstr "Klíč se nepodařilo přidat do jaderné klíčenky."
-#: lib/setup.c:4615
+#: lib/setup.c:4736
 #, c-format
 msgid "Could not cancel deferred remove from device %s."
 msgstr "Odložené odebrání zařízení %s nebylo možné zrušit."
-#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340
-#: src/cryptsetup.c:2785
+#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756
+#: src/utils_reencrypt.c:116
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Zařízení %s se stále používá."
-#: lib/setup.c:4647
+#: lib/setup.c:4768
 #, c-format
 msgid "Invalid device %s."
 msgstr "Neplatné zařízení %s."
-#: lib/setup.c:4763
+#: lib/setup.c:4908
 msgid "Volume key buffer too small."
 msgstr "Vyhrazená paměť pro klíč svazku je příliš malá."
-#: lib/setup.c:4771
+#: lib/setup.c:4925
+msgid "Cannot retrieve volume key for LUKS2 device."
+msgstr "Nelze získat klíč svazku pro zařízení LUKS2."
+
+#: lib/setup.c:4934
+msgid "Cannot retrieve volume key for LUKS1 device."
+msgstr "Nelze získat klíč svazku pro zařízení LUKS1."
+
+#: lib/setup.c:4944
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nelze získat klíč svazku pro otevřené zařízení."
-#: lib/setup.c:4788
+#: lib/setup.c:4952
 msgid "Cannot retrieve root hash for verity device."
 msgstr "K zařízení VERITY nelze získat kořenový otisk."
-#: lib/setup.c:4792
+#: lib/setup.c:4959
+msgid "Cannot retrieve volume key for BITLK device."
+msgstr "Nelze získat klíč svazku pro zařízení BITLK."
+
+#: lib/setup.c:4964
+msgid "Cannot retrieve volume key for FVAULT2 device."
+msgstr "Nelze získat klíč svazku pro zařízení FVAULT2."
+
+#: lib/setup.c:4966
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Na šifrovaném zařízení %s není tato operace podporována."
-#: lib/setup.c:4998 lib/setup.c:5009
+#: lib/setup.c:5147 lib/setup.c:5158
 msgid "Dump operation is not supported for this device type."
 msgstr "Operace výpisu není na zařízení tohoto typu podporována."
-#: lib/setup.c:5337
+#: lib/setup.c:5500
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Počátek dat není násobkem %u bajtů."
-#: lib/setup.c:5622
+#: lib/setup.c:5788
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Zařízení %s, které se stále používá, nelze konvertovat."
-#: lib/setup.c:5941
+#: lib/setup.c:6098 lib/setup.c:6237
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Přiřazení pozice klíče %u jakožto nového klíče svazku se nezdařilo."
-#: lib/setup.c:6014
+#: lib/setup.c:6122
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Inicializace parametrů výchozí pozice klíče LUKS2 selhala."
-#: lib/setup.c:6020
+#: lib/setup.c:6128
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Přiřazení pozice klíče %d k otisku se nezdařilo."
-#: lib/setup.c:6151
+#: lib/setup.c:6353
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut."
+
+#: lib/setup.c:6490
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Jaderná klíčenka není jádrem podporována."
-#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062
+#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Čtení hesla z klíčenky selhalo (chyba %d)."
-#: lib/setup.c:6185
+#: lib/setup.c:6523
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Získání zámku pro tvrdý přístup do globální paměti selhalo."
-#: lib/utils.c:80
-msgid "Cannot get process priority."
-msgstr "Nelze zjistit prioritu procesu."
-
-#: lib/utils.c:94
-msgid "Cannot unlock memory."
-msgstr "Paměť nelze odemknout."
-
-#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502
+#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
 msgid "Failed to open key file."
 msgstr "Soubor s klíčem se nepodařilo otevřít."
-#: lib/utils.c:173
+#: lib/utils.c:163
 msgid "Cannot read keyfile from a terminal."
 msgstr "Soubor s klíčem nelze z terminálu přečíst."
-#: lib/utils.c:189
+#: lib/utils.c:179
 msgid "Failed to stat key file."
 msgstr "O souboru s klíčem nebylo možné zjistit údaje."
-#: lib/utils.c:197 lib/utils.c:218
+#: lib/utils.c:187 lib/utils.c:208
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nelze se přesunout na požadované místo v souboru s klíčem."
-#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219
-#: src/utils_password.c:231
+#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225
+#: src/utils_password.c:237
 msgid "Out of memory while reading passphrase."
 msgstr "Při čtení hesla došla paměť."
-#: lib/utils.c:247
+#: lib/utils.c:237
 msgid "Error reading passphrase."
 msgstr "Chyba při čtení hesla."
-#: lib/utils.c:264
+#: lib/utils.c:254
 msgid "Nothing to read on input."
 msgstr "Na vstupu není nic k přečtení."
-#: lib/utils.c:271
+#: lib/utils.c:261
 msgid "Maximum keyfile size exceeded."
 msgstr "Maximální délka souboru s klíčem překročena."
-#: lib/utils.c:276
+#: lib/utils.c:266
 msgid "Cannot read requested amount of data."
 msgstr "Požadované množství dat nelze načíst."
-#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut."
-#: lib/utils_device.c:218
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Zařízení %s není kompatibilní."
-#: lib/utils_device.c:562
+#: lib/utils_device.c:561
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "U zařízení s daty se ignoruje chybná optimální velikost I/O (%u bajtů)."
 # TODO: Pluralize
-#: lib/utils_device.c:720
+#: lib/utils_device.c:722
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Zařízení %s je příliš malé. Je třeba alespoň %<PRIu64> bajtů."
-#: lib/utils_device.c:801
+#: lib/utils_device.c:803
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Zařízení %s nelze použít, protože se již používá (již namapováno nebo připojeno)."
-#: lib/utils_device.c:805
+#: lib/utils_device.c:807
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Zařízení %s nelze použít, povolení zamítnuto."
-#: lib/utils_device.c:808
+#: lib/utils_device.c:810
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "O zařízení %s nelze získat údaje."
-#: lib/utils_device.c:831
+#: lib/utils_device.c:833
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Zařízení typu loopback nelze použít, nespuštěno superuživatelem."
-#: lib/utils_device.c:842
+#: lib/utils_device.c:844
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Připojení zařízení zpětné smyčky selhalo (požadováno zařízení s příznakem autoclear)."
-#: lib/utils_device.c:890
+#: lib/utils_device.c:892
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Požadovaná poloha je za hranicí skutečné velikosti zařízení %s."
-#: lib/utils_device.c:898
+#: lib/utils_device.c:900
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Zařízení %s má nulovou velikost."
@@ -736,40 +777,35 @@ msgstr "Požadovaný počet souběžných vláken PBKDF nemůže být nula."
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "V režimu FIPS je podporován jen PBKDF2."
-#: lib/utils_benchmark.c:172
+#: lib/utils_benchmark.c:175
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "Porovnání výkonu PBKDF je zakázáno, ale počet iterací není nastaven."
-#: lib/utils_benchmark.c:191
+#: lib/utils_benchmark.c:194
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Neslučitelné volby PBKDF2 (při použití hašovacího algoritmu %s)."
-#: lib/utils_benchmark.c:211
+#: lib/utils_benchmark.c:214
 msgid "Not compatible PBKDF options."
 msgstr "Neslučitelné volby PBKDF."
-#: lib/utils_device_locking.c:102
+#: lib/utils_device_locking.c:101
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (není adresářem nebo neexistuje)."
-#: lib/utils_device_locking.c:109
-#, c-format
-msgid "Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr "Zamykací adresář %s/%s bude vytvořen s výchozími zakompilovanými právy."
-
-#: lib/utils_device_locking.c:119
+#: lib/utils_device_locking.c:118
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (%s není adresářem)."
-#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922
-#: src/cryptsetup_reencrypt.c:1010
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
 msgid "Cannot seek to device offset."
 msgstr "Nelze se přesunout na požadované místo v zařízení."
-#: lib/utils_wipe.c:208
+#: lib/utils_wipe.c:247
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Chyba při čištění zařízení na pozici %<PRIu64>."
@@ -791,9 +827,9 @@ msgstr "V režimu XTS musí být velikost klíče 256 nebo 512 bitů."
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Zápis šifry by měl být ve tvaru [šifra]-[režim]-[iv]."
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125
-#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
+#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Na zařízení %s nelze zapsat, povolení zamítnuto."
@@ -806,23 +842,24 @@ msgstr "Otevření dočasného zařízení s úložištěm klíče selhalo."
 msgid "Failed to access temporary keystore device."
 msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal."
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
-#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
+#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192
 msgid "IO error while encrypting keyslot."
 msgstr "Chyba vstupu/výstupu při šifrování pozice klíče."
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677
-#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320
-#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349
-#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263
-#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279
-#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
+#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679
+#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
+#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
+#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
+#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
+#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
+#: src/utils_reencrypt_luks1.c:133
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Zařízení %s nelze otevřít."
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
 msgid "IO error while decrypting keyslot."
 msgstr "Chyba vstupu/výstupu při dešifrování pozice klíče."
@@ -838,65 +875,54 @@ msgstr "Zařízení %s je příliš malé. (LUKS1 vyžaduje alespoň %<PRIu64> b
 msgid "LUKS keyslot %u is invalid."
 msgstr "Pozice %u klíče LUKS není platná."
-#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524
-#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557
-#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798
-#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030
-#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532
-#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423
-#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373
-#, c-format
-msgid "Device %s is not a valid LUKS device."
-msgstr "Zařízení %s není platným zařízením LUKS."
-
-#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124
+#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Požadovaný soubor se zálohou hlavičky %s již existuje."
-#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126
+#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Soubor se zálohou hlavičky %s nelze vytvořit."
-#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133
+#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Nelze zapsat soubor %s se zálohou hlavičky."
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185
+#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS."
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590
-#: lib/luks2/luks2_json_metadata.c:1206
+#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593
+#: lib/luks2/luks2_json_metadata.c:1420
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nelze otevřít soubor se zálohou hlavičky %s."
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214
+#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Soubor se zálohou hlavičky %s nelze načíst."
-#: lib/luks1/keymanage.c:337
+#: lib/luks1/keymanage.c:339
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Počátek dat nebo velikost klíče se liší mezi zařízením a zálohou, obnova se nezdařila."
-#: lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:347
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Zařízení %s %s%s"
-#: lib/luks1/keymanage.c:346
+#: lib/luks1/keymanage.c:348
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na daném zařízení."
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:349
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči."
-#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248
+#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -904,127 +930,131 @@ msgstr ""
 "\n"
 "POZOR: hlavička ve skutečném zařízení má jiné UUID než záloha!"
-#: lib/luks1/keymanage.c:395
+#: lib/luks1/keymanage.c:398
 msgid "Non standard key size, manual repair required."
 msgstr "Nestandardní velikost klíče, je třeba ruční opravy."
-#: lib/luks1/keymanage.c:405
+#: lib/luks1/keymanage.c:408
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Nestandardní zarovnání pozice klíče, je třeba ruční opravy."
-#: lib/luks1/keymanage.c:414
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr "Režim šifry opraven (%s → %s)."
-#: lib/luks1/keymanage.c:425
+#: lib/luks1/keymanage.c:428
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Haš šifry opraven na malý písmena (%s)."
-#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533
-#: lib/luks1/keymanage.c:789
+#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:792
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Požadovaný haš LUKSu %s není podporován."
-#: lib/luks1/keymanage.c:441
+#: lib/luks1/keymanage.c:444
 msgid "Repairing keyslots."
 msgstr "Opravují se pozice klíčů."
-#: lib/luks1/keymanage.c:460
+#: lib/luks1/keymanage.c:463
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Pozice klíče %i: poloha opravena (%u → %u)."
-#: lib/luks1/keymanage.c:468
+#: lib/luks1/keymanage.c:471
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Pozice klíče %i: proklad opraven (%u → %u)."
-#: lib/luks1/keymanage.c:477
+#: lib/luks1/keymanage.c:480
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Pozice klíče %i: chybná značka oddílu."
-#: lib/luks1/keymanage.c:482
+#: lib/luks1/keymanage.c:485
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Pozice klíče %i: sůl vymazána."
-#: lib/luks1/keymanage.c:499
+#: lib/luks1/keymanage.c:502
 msgid "Writing LUKS header to disk."
 msgstr "Hlavička LUKS se zapisuje na disk."
-#: lib/luks1/keymanage.c:504
+#: lib/luks1/keymanage.c:507
 msgid "Repair failed."
 msgstr "Oprava selhala."
-#: lib/luks1/keymanage.c:559
+#: lib/luks1/keymanage.c:562
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr "Režim LUKS šifry %s není platný."
-#: lib/luks1/keymanage.c:564
+#: lib/luks1/keymanage.c:567
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS haš %s není platný."
-#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243
+#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281
 msgid "No known problems detected for LUKS header."
 msgstr "V hlavičce LUKS nenalezen žádný známý problém."
-#: lib/luks1/keymanage.c:699
+#: lib/luks1/keymanage.c:702
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Chyba při aktualizaci hlavičky LUKS na zařízení %s."
-#: lib/luks1/keymanage.c:707
+#: lib/luks1/keymanage.c:710
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Chyba při opakovaném čtení hlavičky LUKS po aktualizaci zařízení %s."
 # TODO: Pluralize
-#: lib/luks1/keymanage.c:783
+#: lib/luks1/keymanage.c:786
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Poloha dat u hlavičky LUKS musí být buď 0 nebo více než velikost hlavičky."
-#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863
-#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015
-#: src/cryptsetup.c:2904
+#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866
+#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
+#: src/utils_reencrypt.c:539
 msgid "Wrong LUKS UUID format provided."
 msgstr "Poskytnut UUID LUKSu ve špatném tvaru."
-#: lib/luks1/keymanage.c:816
+#: lib/luks1/keymanage.c:819
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo."
-#: lib/luks1/keymanage.c:842
+#: lib/luks1/keymanage.c:845
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Hlavičku LUKS nelze vytvořit: výpočet otisku hlavičky (haš %s) selhal."
-#: lib/luks1/keymanage.c:886
+#: lib/luks1/keymanage.c:889
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Pozice klíče %d je aktivní, nejprve ji uvolněte."
-#: lib/luks1/keymanage.c:892
+#: lib/luks1/keymanage.c:895
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Pozice klíče %d obsahuje příliš málo útržků. Manipulace s hlavičkou?"
-#: lib/luks1/keymanage.c:1033
+#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270
+msgid "PBKDF2 iteration value overflow."
+msgstr "Čítač opakování PBKDF2 přetekl."
+
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Pozici s klíčem nezle otevřít (za použití haše %s)."
-#: lib/luks1/keymanage.c:1111
+#: lib/luks1/keymanage.c:1118
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d."
-#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744
+#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Zařízení %s není možné smazat."
@@ -1045,216 +1075,235 @@ msgstr "Zjištěn nekompatibilní soubor s klíčem loop-AES."
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s loop-AES."
-#: lib/tcrypt/tcrypt.c:509
+#: lib/tcrypt/tcrypt.c:508
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Chyba při čtení souboru s klíčem %s"
-#: lib/tcrypt/tcrypt.c:559
+#: lib/tcrypt/tcrypt.c:558
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr "Překročena maximální délka hesla TCRYPT (%zu)."
-#: lib/tcrypt/tcrypt.c:602
+#: lib/tcrypt/tcrypt.c:600
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Hašovací algoritmus PBKDF2 %s není podporován, přeskakuje se."
-#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110
+#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
 msgid "Required kernel crypto interface not available."
 msgstr "Požadované kryptografické rozhraní jádra není dostupné."
-#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112
+#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Ujistěte se, že jaderný modul algif_skcipher je zaveden."
-#: lib/tcrypt/tcrypt.c:760
+#: lib/tcrypt/tcrypt.c:762
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivace nad sektory o velikosti %d není podporována."
-#: lib/tcrypt/tcrypt.c:766
+#: lib/tcrypt/tcrypt.c:768
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Jádro nepodporuje aktivaci v tomto zastaralém režimu TCRYPT."
-#: lib/tcrypt/tcrypt.c:797
+#: lib/tcrypt/tcrypt.c:799
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Aktivuje se systémové šifrování TCRYPT pro oddíl %s."
-#: lib/tcrypt/tcrypt.c:875
+#: lib/tcrypt/tcrypt.c:882
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT."
-#: lib/tcrypt/tcrypt.c:1088
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována."
-#: lib/bitlk/bitlk.c:350
+#: lib/bitlk/bitlk.c:278
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Při rozboru podporovaného hlavního klíče svazku byla nalezena položka nečekaného typu „%u“."
-#: lib/bitlk/bitlk.c:397
+#: lib/bitlk/bitlk.c:337
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Při rozboru hlavního svazku klíče byl nalezen neplatný řetězec."
-#: lib/bitlk/bitlk.c:402
+#: lib/bitlk/bitlk.c:341
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Při rozboru hlavního klíče svazku byl nalezen nečekaný řetězec („%s“)."
-#: lib/bitlk/bitlk.c:419
+#: lib/bitlk/bitlk.c:358
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Při rozboru hlavního klíče svazku byl nalezen záznam metadat s nečekanou hodnotou „%u“."
-#: lib/bitlk/bitlk.c:502
-#, c-format
-msgid "Failed to read BITLK signature from %s."
-msgstr "Z %s nebylo možné načíst vzorec BITLK."
-
-#: lib/bitlk/bitlk.c:514
-msgid "Invalid or unknown signature for BITLK device."
-msgstr "Neplatná nebo neznámá značka zařízení BITLK."
-
-#: lib/bitlk/bitlk.c:520
+#: lib/bitlk/bitlk.c:460
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK verze 1 není v současnosti podporován."
-#: lib/bitlk/bitlk.c:526
+#: lib/bitlk/bitlk.c:466
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Neplatná nebo neznámá značka zavaděče zařízení BITLK."
-#: lib/bitlk/bitlk.c:538
+#: lib/bitlk/bitlk.c:478
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Nepodporovaná velikost sektoru %<PRIu16>."
-#: lib/bitlk/bitlk.c:546
+#: lib/bitlk/bitlk.c:486
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Z %s nebylo možné načíst hlavičku BITLK."
-#: lib/bitlk/bitlk.c:571
+#: lib/bitlk/bitlk.c:511
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Z %s nebylo možné přečíst metadata BITLK FVE."
-#: lib/bitlk/bitlk.c:622
+#: lib/bitlk/bitlk.c:562
 msgid "Unknown or unsupported encryption type."
 msgstr "Neznámý nebo nepodporovaný druh šifrování."
-#: lib/bitlk/bitlk.c:655
+#: lib/bitlk/bitlk.c:602
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Z %s nebylo možné načíst položky metadat BITLK."
-#: lib/bitlk/bitlk.c:897
+#: lib/bitlk/bitlk.c:719
+msgid "Failed to convert BITLK volume description"
+msgstr "Převod popisu svazku BITLK se nezdařil"
+
+#: lib/bitlk/bitlk.c:882
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Při rozboru externího klíče byla v metadatech nalezena položka nečekaného typu „%u“."
-#: lib/bitlk/bitlk.c:912
+#: lib/bitlk/bitlk.c:905
+#, c-format
+msgid "BEK file GUID '%s' does not match GUID of the volume."
+msgstr "GUID „%s“ souboru BEK neodpovídá GUID svazku."
+
+#: lib/bitlk/bitlk.c:909
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Při rozboru externího klíče byla v metadatech nalezena položka s nečekanou hodnotou „%u“."
-#: lib/bitlk/bitlk.c:950
+#: lib/bitlk/bitlk.c:948
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Nepodporovaná metadata BEK verze %<PRIu32>."
-#: lib/bitlk/bitlk.c:955
+#: lib/bitlk/bitlk.c:953
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Nečekaná velikost metadat BEK %<PRIu32> neodpovídá délce souboru BEK"
-#: lib/bitlk/bitlk.c:980
+#: lib/bitlk/bitlk.c:979
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Při rozboru startovacího klíče byla v metadatech nalezena nečekaná položka."
-#: lib/bitlk/bitlk.c:1071
+#: lib/bitlk/bitlk.c:1075
 msgid "This operation is not supported."
 msgstr "Tato operace není podporována."
-#: lib/bitlk/bitlk.c:1079
+#: lib/bitlk/bitlk.c:1083
 msgid "Unexpected key data size."
 msgstr "Nečekaná velikost údajů o klíči."
-#: lib/bitlk/bitlk.c:1205
+#: lib/bitlk/bitlk.c:1209
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Toto zařízení BITLK je v nepodporovaném stavu a nelze jej aktivovat."
-#: lib/bitlk/bitlk.c:1210
+#: lib/bitlk/bitlk.c:1214
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Zařízení BITLK s typem „%s“ nelze aktivovat."
-#: lib/bitlk/bitlk.c:1217
+#: lib/bitlk/bitlk.c:1221
 msgid "Activation of partially decrypted BITLK device is not supported."
 msgstr "Aktivace částečně dešifrovaného zařízení BITLK není podporována."
-#: lib/bitlk/bitlk.c:1380
+#: lib/bitlk/bitlk.c:1262
+#, c-format
+msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
+msgstr "POZOR: Velikost svazku BitLockeru %<PRIu64> neodpovídá velikosti zařízení ve zpod %<PRIu64>"
+
+#: lib/bitlk/bitlk.c:1389
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu inicializačního vektoru BITLK."
-#: lib/bitlk/bitlk.c:1384
+#: lib/bitlk/bitlk.c:1393
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu difuzéru Elephant BITLK."
-#: lib/verity/verity.c:68 lib/verity/verity.c:179
+#: lib/bitlk/bitlk.c:1397
+msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
+msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu velikostí velkých sektorů."
+
+#: lib/bitlk/bitlk.c:1401
+msgid "Cannot activate device, kernel dm-zero module is missing."
+msgstr "Zařízení nelze aktivovat. Chybí jaderný modul dm-zero."
+
+# FIXME: Pluralize
+#: lib/fvault2/fvault2.c:542
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr "Z hlavičky svazku nebylo možné přečíst %u bajtů."
+
+#: lib/fvault2/fvault2.c:554
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr "Nepodporovaná verze FVAULT2 %<PRIu16>."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:182
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Zařízení VERITY %s nepoužívá hlavičku uvnitř disku."
-#: lib/verity/verity.c:90
-#, c-format
-msgid "Device %s is not a valid VERITY device."
-msgstr "Zařízení %s není platným zařízením VERITY."
-
-#: lib/verity/verity.c:97
+#: lib/verity/verity.c:96
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Nepodporovaná verze VERITY %d."
-#: lib/verity/verity.c:128
+#: lib/verity/verity.c:131
 msgid "VERITY header corrupted."
 msgstr "Hlavička VERITY je poškozena."
-#: lib/verity/verity.c:173
+#: lib/verity/verity.c:176
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Na zařízení %s poskytnuto UUID VERITY ve špatném tvaru."
-#: lib/verity/verity.c:217
+#: lib/verity/verity.c:220
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Chyba při aktualizaci hlavičky VERITY na zařízení %s."
-#: lib/verity/verity.c:275
+#: lib/verity/verity.c:278
 msgid "Root hash signature verification is not supported."
 msgstr "Ověření podpisu kořenového otisku není podporováno."
-#: lib/verity/verity.c:287
+#: lib/verity/verity.c:290
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Chyby v zařízení FEC nelze opravit."
 # TODO: Pluralize
-#: lib/verity/verity.c:289
+#: lib/verity/verity.c:292
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Nalezeno %u opravitelných chyb v zařízení FEC."
-#: lib/verity/verity.c:332
+#: lib/verity/verity.c:335
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Jádro nepodporuje mapování dm-verity."
-#: lib/verity/verity.c:336
+#: lib/verity/verity.c:339
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Jádro nepodporuje volbu pro podpis dm-verity."
-#: lib/verity/verity.c:347
+#: lib/verity/verity.c:350
 msgid "Verity device detected corruption after activation."
 msgstr "Po aktivaci zjistilo zařízení VERITY poškození."
@@ -1326,48 +1375,53 @@ msgstr "Oprava parity bloku RS %<PRIu64> selhala."
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Zápis parity bloku RS %<PRIu64> selhal."
-#: lib/verity/verity_fec.c:228
+#: lib/verity/verity_fec.c:208
 msgid "Block sizes must match for FEC."
 msgstr "Velikosti bloků musí odpovídat FEC."
-#: lib/verity/verity_fec.c:234
+#: lib/verity/verity_fec.c:214
 msgid "Invalid number of parity bytes."
 msgstr "Chybný počet paritních bajtů."
-#: lib/verity/verity_fec.c:239
+#: lib/verity/verity_fec.c:248
 msgid "Invalid FEC segment length."
 msgstr "Neplatná délka části FEC."
-#: lib/verity/verity_fec.c:303
+#: lib/verity/verity_fec.c:316
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Velikost zařízení %s se nepodařilo určit."
-#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Neslučitelná metadata jaderného dm-integrity (verze %u) byla nalezena na %s."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jádro nepodporuje mapování dm-integrity."
 # Fixed metadata means fix_padding attribute of dm-integrity target
 # documented as "use a smaller padding".
-#: lib/integrity/integrity.c:278
+#: lib/integrity/integrity.c:283
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Jádro nepodporuje drobné zarovnání metadat dm-integrity."
-#: lib/integrity/integrity.c:287
+#: lib/integrity/integrity.c:292
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Jádro odmítá aktivovat volbu nebezpečného přepočtu (pro přebití vizte zastaralé volby aktivace)"
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973
-#: lib/luks2/luks2_json_metadata.c:1268
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Získání zámku pro zápis do zařízení %s selhalo."
-#: lib/luks2/luks2_disk_metadata.c:402
+#: lib/luks2/luks2_disk_metadata.c:400
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Zjištěn pokus o současnou aktualizaci metadat LUKS2. Operace se ruší."
-#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1375,50 +1429,50 @@ msgstr ""
 "Zařízení obsahuje nejednoznačný vzorec. LUKS2 nelze automaticky obnovit.\n"
 "Prosím, spusťte obnovu příkazem „cryptsetup repair“."
-#: lib/luks2/luks2_json_format.c:230
+#: lib/luks2/luks2_json_format.c:229
 msgid "Requested data offset is too small."
 msgstr "Požadovaná poloha dat je příliš nízká."
 # TODO: Pluralize
-#: lib/luks2/luks2_json_format.c:275
+#: lib/luks2/luks2_json_format.c:274
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "POZOR: oblast s pozicemi klíčů (%<PRIu64> bajtů) je příliš malá, dostupný počet pozic klíčů LUKS2 je značně omezen.\n"
-#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098
-#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92
-#: lib/luks2/luks2_keyslot_luks2.c:114
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
+#: lib/luks2/luks2_keyslot_luks2.c:116
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Získání zámku pro čtení ze zařízení %s selhalo."
-#: lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks2/luks2_json_metadata.c:1405
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "V záloze %s byly zjištěny zakázané požadavky na LUKS2."
-#: lib/luks2/luks2_json_metadata.c:1232
+#: lib/luks2/luks2_json_metadata.c:1446
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Počátek dat se liší mezi zařízením a zálohou, obnova se nezdařila."
-#: lib/luks2/luks2_json_metadata.c:1238
+#: lib/luks2/luks2_json_metadata.c:1452
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Velikost binární hlavičky s oblastí pro pozice klíčů se liší mezi zařízením a zálohou, obnova se nezdařila."
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1459
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Zařízení %s %s%s%s%s"
-#: lib/luks2/luks2_json_metadata.c:1246
+#: lib/luks2/luks2_json_metadata.c:1460
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "neobsahuje hlavičku LUKS2. Nahrazení hlavičky může zničit data na daném zařízení."
-#: lib/luks2/luks2_json_metadata.c:1247
+#: lib/luks2/luks2_json_metadata.c:1461
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS2. Nahrazení hlavičky zničí existující pozice s klíči."
-#: lib/luks2/luks2_json_metadata.c:1249
+#: lib/luks2/luks2_json_metadata.c:1463
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1428,7 +1482,7 @@ msgstr ""
 "POZOR: Ve skutečné hlavičce zařízení byly objeveny neznámé požadavky na LUKS2!\n"
 "Nahrazení hlavičky zálohou může zničit data na zařízení!"
-#: lib/luks2/luks2_json_metadata.c:1251
+#: lib/luks2/luks2_json_metadata.c:1465
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1438,409 +1492,472 @@ msgstr ""
 "POZOR: Na zařízení bylo objeveno nedokončené offline přešifrování!\n"
 "Nahrazení hlavičky zálohou může zničit data."
-#: lib/luks2/luks2_json_metadata.c:1349
+#: lib/luks2/luks2_json_metadata.c:1562
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Neznámý příznak %s ignorován."
-#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Chybí klíč pro dm-crypt část %u."
-#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
 msgid "Failed to set dm-crypt segment."
 msgstr "Nastavení části dm-crypt selhalo."
-#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
 msgid "Failed to set dm-linear segment."
 msgstr "Nastavení části dm-linear selhalo."
-#: lib/luks2/luks2_json_metadata.c:2199
+#: lib/luks2/luks2_json_metadata.c:2615
 msgid "Unsupported device integrity configuration."
 msgstr "Nepodporovaná konfigurace integrity zařízení."
-#: lib/luks2/luks2_json_metadata.c:2285
+#: lib/luks2/luks2_json_metadata.c:2701
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Probíhá přešifrování. Zařízení nelze deaktivovat."
-#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Výměna pozastaveného zařízení %s za cíl dm-error selhala."
-#: lib/luks2/luks2_json_metadata.c:2376
+#: lib/luks2/luks2_json_metadata.c:2792
 msgid "Failed to read LUKS2 requirements."
 msgstr "Čtení požadavků na LUKS2 selhalo."
-#: lib/luks2/luks2_json_metadata.c:2383
+#: lib/luks2/luks2_json_metadata.c:2799
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Zjištěny nesplněné požadavky na LUKS2."
-#: lib/luks2/luks2_json_metadata.c:2391
+#: lib/luks2/luks2_json_metadata.c:2807
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operace se neslučuje se zařízením označeným pro zastaralé přešifrování. Operace se ruší."
-#: lib/luks2/luks2_json_metadata.c:2393
+#: lib/luks2/luks2_json_metadata.c:2809
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operace se neslučuje se zařízením označeným pro přešifrování LUKS2. Operace se ruší."
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nedostatek paměti pro otevření pozice s klíčem."
-#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
 msgid "Keyslot open failed."
 msgstr "Otevření pozice s klíčem selhalo."
-#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Šifru %s-%s nelze použít pro pozici s klíčem."
-#: lib/luks2/luks2_keyslot_luks2.c:485
+#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "Hašovací algoritmus %s není dostupný."
+
+#: lib/luks2/luks2_keyslot_luks2.c:510
 msgid "No space for new keyslot."
 msgstr "Pro novou pozicí klíče není místo."
-#: lib/luks2/luks2_luks1_convert.c:482
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "Požadována neplatná změna režimu odolnosti při přešifrování."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Druh odolnosti nelze zaktualizovat. Nový druh poskytuje pouze %<PRIu64> bajtů, požadovaná velikost je %<PRIu64> bajtů."
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Ověřovací otisk přešifrování se nepodařilo obnovit."
+
+#: lib/luks2/luks2_luks1_convert.c:512
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Nelze zjistit stav zařízení s UUID: %s."
-#: lib/luks2/luks2_luks1_convert.c:508
+#: lib/luks2/luks2_luks1_convert.c:538
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Hlavičky s dodatečnými metadaty LUKSMETA nelze převést."
-#: lib/luks2/luks2_luks1_convert.c:548
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "LUKS2 neumožňuje použít šifru zadanou jako %s-%s."
+
+#: lib/luks2/luks2_luks1_convert.c:584
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Oblast s pozicemi klíčů nelze přesunout. Nedostatek místa."
-#: lib/luks2/luks2_luks1_convert.c:599
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Nelze převést do formátu LUKS2 – neplatná metadata."
+
+#: lib/luks2/luks2_luks1_convert.c:636
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Oblast s pozicemi klíčů nelze přesunout. Oblast s pozicemi klíčů LUKS2 je příliš malá."
-#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
 msgid "Unable to move keyslot area."
 msgstr "Oblast s pozicemi klíčů nelze přesunout."
-#: lib/luks2/luks2_luks1_convert.c:697
+#: lib/luks2/luks2_luks1_convert.c:732
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nelze převést do formátu LUKS1 – výchozí velikost sektoru šifrování části není 512 bajtů."
-#: lib/luks2/luks2_luks1_convert.c:705
+#: lib/luks2/luks2_luks1_convert.c:740
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nelze převést do formátu LUKS1 – otisky v pozicích s klíči nejsou slučitelné s LUKS1."
-#: lib/luks2/luks2_luks1_convert.c:717
+#: lib/luks2/luks2_luks1_convert.c:752
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nelze převést do formátu LUKS1 – zařízení používá šifru se zabaleným klíčem %s."
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Nelze převést do formátu LUKS1 – zařízení používá více částí."
+
 # TODO: Pluralize
-#: lib/luks2/luks2_luks1_convert.c:725
+#: lib/luks2/luks2_luks1_convert.c:765
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nelze převést do formátu LUKS1 – hlavička LUKS2 obsahuje %u token(ů)."
-#: lib/luks2/luks2_luks1_convert.c:739
+#: lib/luks2/luks2_luks1_convert.c:779
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u je v nesprávném stavu."
-#: lib/luks2/luks2_luks1_convert.c:744
+#: lib/luks2/luks2_luks1_convert.c:784
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u (nad maximem pozic) je stále aktivní."
-#: lib/luks2/luks2_luks1_convert.c:749
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u není slučitelná s LUKS1." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Velikost horké zóny musí být násobek vypočteného zarovnání zóny (%zu bajtů)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Velikost zařízení musí být násobek vypočteného zarovnání zóny (%zu bajtů)." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Nepodporovaný režim odolnosti %s" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "Obálku pro starou část úložiště se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "Obálku pro novou část úložiště se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +msgid "Failed to initialize hotzone protection." +msgstr "Ochranu horké zóny se nepodařilo inicializovat." + +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "Kontrolní součty pro aktuální horkou zónu se nepodařilo přečíst." 
-#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "Čtení oblasti s horkou zónou počínaje na %<PRIu64> selhalo." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Sektor %zu nebylo možné rozšifrovat." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "Sektor %zu nebylo možné obnovit." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "Velikosti zdrojového a cílového zařízení se neshodují. Zdroj %<PRIu64>, cíl %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Aktivace zařízení horké zóny %s selhala." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Aktivace překryvného zařízení %s se skutečnou tabulkou původu selhala." -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Zavedení nového mapování pro zařízení %s selhalo." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "Zásobník zařízení k přešifrování se nepodařilo obnovit." -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "Nastavení velikosti nové oblasti s pozicemi klíčů selhalo." 
-#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Posun dat není zarovnán s požadovanou velikostí šifrovaného sektoru (%<PRIu32> bajtů)." +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Hodnota posunu dat není zarovnána s velikostí šifrovaného sektoru (%<PRIu32> bajtů)." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Zařízení s daty není zarovnáno na požadovanou velikost šifrovaného sektoru (%<PRIu32> bajtů)." +msgid "Unsupported resilience mode %s" +msgstr "Nepodporovaný režim odolnosti %s" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2760 +msgid "Moved segment size can not be greater than data shift value." +msgstr "Velikost přesunované oblasti nemůže být větší než hodnota posunu dat." + +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." +msgstr "Neplatné parametry režimu odolnosti při přešifrování." + +#: lib/luks2/luks2_reencrypt.c:2824 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "Přesunovaná oblast je příliš velká. Požadovaná velikost %<PRIu64>, dostupné místo %<PRIu64>." + +#: lib/luks2/luks2_reencrypt.c:2911 +msgid "Failed to clear table." +msgstr "Vyprázdnění tabulky selhalo." + +#: lib/luks2/luks2_reencrypt.c:2997 +msgid "Reduced data size is larger than real device size." +msgstr "Zmenšená velikost dat je větší než velikost skutečného zařízení" + +#: lib/luks2/luks2_reencrypt.c:3004 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Zařízení s daty není zarovnáno na velikost šifrovaného sektoru (%<PRIu32> bajtů)." 
+ +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "Posun dat (%<PRIu64> sektorů) je menší než budoucí poloha dat (%<PRIu64> sektorů)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Zařízení %s nebylo možné otevřít ve výlučném režimu (již namapováno nebo připojeno)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "Zařízení není označeno pro přešifrování LUKS2." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "Načtení kontextu přešifrování LUKS2 selhalo." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." msgstr "Stavu přešifrování se nepodařilo zjistit." -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "Zařízení se nepřešifrovává." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "Proces přešifrování již běží." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "Získání zámku pro přešifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "V přešifrování nelze pokračovat. 
Spusťte nejprve obnovu přešifrování." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "Aktivní velikost zařízení a velikost požadovaná k přešifrování si neodpovídají." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "V parametrech přešifrování je požadována zakázaná velikost zařízení." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Probíhá přešifrování. Obnovu nelze provést." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "V metadatech je přešifrování LUKS2 již inicializováno." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Inicializace přešifrování LUKS2 v metadatech selhala." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Nastavení segmentů zařízení pro další horkou zónu přešifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "Metadata pro odolnost při přešifrování se nepodařilo zapsat." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "Rozšifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Zápis oblasti s horkou zónou počínaje na %<PRIu64> selhal." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "Synchronizace dat selhala." 
-#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Po dokončení přešifrování aktuální horké zóny se nepodařilo aktualizovat metadata." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "Zápis metadat LUKS2 selhal." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Vyčištění dat záložní části selhalo." +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." +msgstr "Vyčištění oblasti zařízení s nepoužívanými daty selhalo." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Vypnutí příznaku požadavku na přešifrování selhalo." +#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Odstranění nepoužívané (nepřiřazené) pozice s klíčem %d selhalo." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "Odstranění pozice s klíčem přešifrování selhalo." + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." msgstr "Nepřekonatelná chyba při přešifrování bloku na pozici %<PRIu64> dlouhého %<PRIu64> sektorů." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "Přešifrování za běhu selhalo." -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "Zařízení neprobouzejte, dokud jej ručně nenahradíte chybovým cílem." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." 
msgstr "V přešifrování nelze pokračovat. Přešifrování se nachází v nečekaném stavu." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "Chybějící nebo neplatný kontext přešifrování." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "Zásobník zařízení k přešifrování se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." msgstr "Kontext přešifrování se nepodařilo aktualizovat." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Se vstupem mimo terminál nelze ověřit heslo." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "Metadata o přešifrování jsou neplatná." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Parametry pro šifrování pozice s klíčem lze nastavit jen u zařízení LUKS2." -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "Zadejte PIN k tokenu:" +msgid "Enter token PIN: " +msgstr "Zadejte PIN k tokenu: " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "Zadejte PIN k tokenu %d:" +msgid "Enter token %d PIN: " +msgstr "Zadejte PIN k tokenu %d: " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." 
msgstr "Nelze najít žádný známý vzorek se specifikaci šifry." -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "POZOR: Jedná-li se o režim plain a je-li určen soubor s klíčem, parametr --hash se ignoruje.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "POZOR: Přepínač --keyfile-size se ignoruje, velikost pro čtení je stejná jako velikosti šifrovacího klíče.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Na %s byla nalezen vzorec zařízení. Pokračování může poškodit existující data." -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "Operace zrušena.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "Je vyžadován přepínač --key-file." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "Zadejte PIM VeraCryptu: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Neplatná hodnota VIM: chyba rozboru" -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Neplatná hodnota PIM: 0" -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." 
msgstr "Neplatná hodnota PIM: mimo rozsah" -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "S tímto heslem není rozpoznatelná žádná hlavička zařízení." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Zařízení %s není platným zařízením BITLK." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Nelze určit velikost BITLK klíče svazku. Prosím, použijte přepínač --key-size." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1850,7 +1967,7 @@ msgstr "" "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n" "Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1860,89 +1977,115 @@ msgstr "" "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n" "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "Zařízení %s není platným zařízením FVAULT2." + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "Nelze určit velikost klíče svazku pro FVAULT2. Prosím, použijte přepínač --key-size." + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Zařízení %s je stále aktivní a naplánováno pro odložené odstranění.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Změna velikosti aktivního zařízení vyžaduje klíč svazku v klíčence. Byl však použit přepínač --disable-keyring." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "Hodnocení výkonu přerušeno." 
-#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s –\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iterací za sekundu pro %zubitový klíč\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s –\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iterací, %5u paměti, %1u souběžných vláken (procesorů) pro %zubitový klíč (požadován čas %u ms)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "Výsledek hodnocení výkonu není spolehlivý." # ???: are aproximated? -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Testy jsou počítány jen z práce s pamětí (žádné I/O úložiště).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*sAlgoritmus | Klíč | Šifrování | Dešifrování\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Šifra %s (s %ibitovým klíčem) není dostupná." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algoritmus | Klíč | Šifrování | Dešifrování\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "–" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" 
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Zdá se, že zařízení nevyžaduje obnovu přešifrování.\n" -"Přejete si přesto pokračovat?" +"Objevena nechráněná metadata o přešifrování LUKS2. Prosím, ověřte, že operace\n" +"přešifrování je žádoucí (vizte výstup luksDump) a pokračujte (zvýšení verze\n" +"metadat) pouze, když poznáte, že operace je chtěná." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Zadejte heslo pro ochránění metadat o přešifrování a pro zvýšení jejich verze: " + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Opravdu pokračovat s obnovou přešifrování LUKS2?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Zadejte heslo pro ověření otisku metadat o přešifrování: " + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "Zadejte heslo pro obnovení přešifrování: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "Opravdu se pokusit opravit hlavičku zařízení LUKS?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Výmaz přerušen." + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1951,115 +2094,130 @@ msgstr "" "Lze přerušit pomocí Ctrl+C (zbytek nesmazaného zařízení bude obsahovat\n" "neplatné součty).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Dočasné zařízení %s nelze deaktivovat." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "Volby integrity lze použít jen při formátu LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Nepodporované volby velikosti metadat LUKS2." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Soubor s hlavičkou neexistuje. Chcete jej vytvořit?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Soubor s hlavičkou %s nelze vytvořit." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Nelze najít žádný známý vzorek se specifikací integrity." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "%s nelze použít pro hlavičku uvnitř disku." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Toto nevratně přepíše data na %s." 
-#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Nastavení parametrů PBKDF selhalo." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Zmenšená poloha dat je dovolena jen u oddělené hlavičky LUKS." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "Souborový kontejner LUKS %s je na aktivaci příliš malý. Nezbývá žádné místo pro data." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Bez pozic pro klíče nelze určit velikost LUKS klíče svazku. Prosím, použijte přepínač --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Zařízení aktivováno, ale příznaky nelze učinit trvalými." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Ke smazání vybrán klíč na pozici %d." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "" "Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n" "zařízení použít." 
-#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Zadejte jakékoliv jiné heslo: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Operace zrušena, pozice klíče NEBYLA vymazána.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Zadejte heslo, které se má smazat: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Zařízení %s není platným zařízením LUKS2." + +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Zadejte nové heslo pro pozici klíče: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "POZOR: Parametr --key-slot se použije pro číslo nové pozice klíče.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Zadejte jakékoliv existující heslo: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Zadejte heslo, které má být změněno: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Zadejte nové heslo: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "Zadejte heslo pro pozici klíče, který má být převeden: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." msgstr "U operace isLuks je podporován pouze jeden argument se zařízením." 
-#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Pozice klíče %d neobsahuje nepřiřazený klíč." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2067,40 +2225,40 @@ msgstr "" "Výpis hlavičky s nepřiřazeným klíčem je citlivý údaj.\n" "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "%s není název aktivního zařízení %s." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s není název aktivního zařízení LUKS nebo mu chybí hlavička." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "Je vyžadován přepínač --header-backup-file." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s není zařízení spravované nástrojem cryptsetup." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Reaktivace není na zařízení typu %s podporována" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Nerozpoznaná metadata druhu zařízení %s." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "Příkaz vyžaduje jako argumenty zařízení a mapovaný název." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2109,339 +2267,356 @@ msgstr "" "Tento úkon smaže všechny pozice s klíči na zařízení %s.\n" "Po jeho dokončení zařízení bude nepoužitelné." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Operace zrušena, pozice s klíči NEBYLY smazány.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Neplatný druh formátu LUKS. Podporován je pouze LUKS1 a LUKS2." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Zařízení je již druhu %s." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Tato operace převede formát %s na %s.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Operace zrušena, zařízení NEBYLO převedeno.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "Chybí přepínač --priority, --label nebo --subsystem." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Token %d je neplatný." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Token %d se používá." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Přidání tokenu %d klíčenky LUKS2 selhalo." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Přiřazení tokenu %d do pozice s klíčem %d selhalo." -#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." 
msgstr "Token %d se nepoužívá." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Import tokenu ze souboru selhal." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Získání tokenu %d za účelem exportu selhalo." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Automaticky nalezené aktivní zařízení DM „%s“ pro datové zařízení %s.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "Token %d není přiřazen pozici s klíčem %d." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "Zařízení %s není blokovým zařízením.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Zrušení přiřazení tokenu %d k pozici s klíčem %d selhalo." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Držitele zařízení %s nebylo možné automaticky nalézt." +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT." 
-#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Nelze rozhodnout, jestli zařízení %s je nebo není aktivováno.\n" -"Jste si jisti, že si přejete pokračovat v přešifrování v režimu offline?\n" -"To může vést k poškození dat, bylo-li zařízení ve skutečnosti aktivováno.\n" -"Pro přešifrování za běhu použijte parametr --active-name.\n" +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Přepínače --veracrypt a --disable-veracrypt jsou podporovány jen u typu zařízení TCRYPT." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Šifrování je podporováno jen s formátem LUKS2." +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Přepínač --veracrypt-pim je podporován jen u zařízení kompatibilním s VeraCrypt." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Přešifrování bez oddělené hlavičky (--header) není možné bez zmenšení velikosti datového zařízení (--reduce-device-size)." +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Přepínač --veracrypt-query-pim je podporován jen u zařízení kompatibilním s VeraCrypt." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." 
-msgstr "Požadovaný počátek dat musí být menší nebo roven polovině parametru --reduce-device-size" +#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Přepínače --veracrypt-pim a --veracrypt-query-pim se vzájemně vylučují." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Upravuje se hodnota --reduce-device-size na dvojnásobek --offset %<PRIu64> (v sektorech).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Na %s zjištěno zařízeno LUKS. Přejete si toto zařízení LUKS znovu zašifrovat?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Dočasný soubor s hlavičkou %s již existuje. Operace se ruší." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Dočasný soubor s hlavičkou %s nelze vytvořit." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "Velikost metadat LUKS2 je větší než hodnota posunu dat." +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Přepínač --persistent není dovolen současně s --test-passphrase." #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Umístění nové hlavičky na začátek zařízení %s selhalo." +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Přepínače --refresh a --test-passphrase se vzájemně vylučují." -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." 
+msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain." -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "Dešifrování LUKS2 je podporováno jen u zařízení s oddělenou hlavičkou (počátek dat na 0)." +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Nedostatek pozic s klíči pro přešifrování." +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Při otevírání je přepínač --offset podporován jen u zařízení plain a loopaes." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards." -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Zadejte heslo pro pozici klíče %d: " +#: src/cryptsetup.c:3023 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "Otevírání s přepínačem velikosti sektoru je podporován jen u zařízení plain." -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Zadejte heslo pro pozici klíče %u: " +# FIXME: "Large IV sectors" should read "IV large sectors". 
+#: src/cryptsetup.c:3027 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Volba inicializačního vektoru s velkými sektory je podporována jen při otevírání zařízení typu plain s velikostí sektoru větší než 512 bajtů." -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Přepíná se algoritmus šifrování dat na %s.\n" +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS, TCRYPT, BITLK a FVAULT2." -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Příkaz vyžaduje jako argument zařízení." +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." +msgstr "Přepínače --device-size a --size nelze kombinovat." -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "Nyní je podporován pouze formát LUKS2. Pro LUKS1, prosím, použijte nástroj cryptsetup-reencrypt." +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Přepínač --unbound je dovolen jen při otevírání zařízení LUKS." -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Zastaralé offline přešifrování již probíhá. Použijte nástroj cryptsetup-reencrypt." +#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "Přepínač --unbound není dovolen současně s --test-passphrase." -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Přešifrování zařízení s profilem integrity není podporováno." 
+#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Přepínače --cancel-deferred a --deferred se vzájemně vylučují." -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "Přešifrování LUKS2 je již inicializováno. Operace se ruší." +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Přepínače --reduce-device-size a --data-size nelze kombinovat." -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "Zařízení LUKS2 se nepřešifrovává." +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Přepínač --active-name lze použít jen u zařízení LUKS2." -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Přepínače --active-name a --force-offline-reencrypt nelze kombinovat." + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "Je nutné určit pozici s klíčem." + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Přepínače --align-payload a --offset nelze kombinovat." + +#: src/cryptsetup.c:3091 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "Přepínač --integrity-no-wipe smí být použit jen při formátování s rozšířením integrity." + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." +msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random." + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "Přepínač --unbound vyžaduje velikost klíče." + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "Neplatná operace tokenu." 
+ +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "Parametr --key-description je při přidávání tokenu povinný." + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Akce vyžaduje určitý token. Použijte parametr --token-id." + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "Přepínač --unbound lze použít pouze s akcí přidání." + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Přepínače --key-slot a --unbound nelze kombinovat." + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "Akce vyžaduje určitou pozici klíče. Použijte parametr --key-slot." + +#: src/cryptsetup.c:3156 msgid "<device> [--type <type>] [<name>]" msgstr "<zařízení> [--type <druh>] [<název>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as <name>" msgstr "otevře zařízení jako <název>" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<název>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "zavře zařízení (odstraní mapování)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "změní velikost aktivního zařízení" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3159 msgid 
"show device status" msgstr "zobrazí stav zařízení" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "[--cipher <cipher>]" msgstr "[--cipher <šifra>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "zhodnotí výkon šifry" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "<device>" msgstr "<zařízení>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "pokusí se opravit metadata uložená na disku" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "přešifruje zařízení LUKS2" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "smaže všechny pozice s klíči (odstraní šifrovací klíč)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "převede formát LUKS do/z formátu LUKS2" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "nastaví trvalé volby konfigurace pro LUKS2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid "<device> [<new key file>]" msgstr "<zařízení> [<soubor_s_novým_klíčem>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "naformátuje zařízení 
LUKS" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "do zařízení LUKS přidá klíč" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid "<device> [<key file>]" msgstr "<zařízení> [<soubor_s_klíčem>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "změní zadaný klíč nebo soubor s klíčem u zařízení LUKS" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "převede klíč do nových parametrů PBKDF" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "<device> <key slot>" msgstr "<zařízení> <pozice_klíče>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "wipes key with number <key slot> from LUKS device" msgstr "smaže klíč s číslem <pozice_klíče> ze zařízení LUKS" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "zobrazí UUID zařízení LUKS" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3173 msgid "tests <device> for LUKS partition header" msgstr "otestuje <zařízení> na hlavičku oddílu LUKS" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "vypíše údaje o oddílu LUKS" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "vypíše údaje o oddílu TCRYPT" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "vypíše údaje o zařízení BITLK" +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "vypíše údaje o zařízení FVAULT2" + # TODO: not consistent with previous line -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3178 msgid 
"Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)" # TODO: not consistent with previous line -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "Probudí uspané zařízení LUKS" # TODO: not consistent with previous line -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "Zálohuje hlavičku zařízení LUKS a jeho pozice s klíči" # TODO: not consistent with previous line -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "Obnoví hlavičku zařízení LUKS a jeho pozice s klíči" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "<add|remove|import|export> <device>" msgstr "<add|remove|import|export> <zařízení>" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "Zachází s tokeny LUKS2" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" 
@@ -2449,19 +2624,19 @@ msgstr "" "\n" "<akce> je jedna z:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old <action> syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "Rovněž lze použít aliasy se starým zápisem <akce>:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2476,7 +2651,7 @@ msgstr "" "<pozice_klíče> je číslo pozice klíče LUKS, který se má upravit\n" "<soubor_s_klíčem> je volitelný soubor s novým klíčem pro akci luksAddKey\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" @@ -2485,7 +2660,7 @@ msgstr "" "\n" "Výchozí zakompilovaný formát metadat (pro akci luksFormat) je %s.\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" 
@@ -2494,21 +2669,21 @@ msgstr "" "\n" "Podpora pro zásuvný modul externího tokenu LUKS2 je %s.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "zakompilována" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Cesta k zásuvnému modulu externího tokenu LUKS2: %s.\n" # Support is %s -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "vypnuta" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2525,7 +2700,7 @@ msgstr "" "Výchozí PBKDF pro LUKS2: %s\n" "\tDoba iterací: %d, nutná paměť: %d kB, souběžná vlákna: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" 
@@ -2540,207 +2715,96 @@ msgstr "" "\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n" "\tLUKS: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3250 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: V režimu XTS (dva vnitřní klíče) bude výchozí velikost klíče zdvojnásobena.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: vyžaduje %s jako argumenty" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Pozice klíče není platná." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "Velikost zařízení musí být násobkem 512bajtových sektorů." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "Zadána neplatná maximální velikost horké zóny při přešifrování." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "Velikost klíče musí být násobkem 8 bitů." -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "Maximální velikost zmenšení zařízení je 1 GiB." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Velikost zmenšení musí být násobkem 512bajtových sektorů." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Přepínač --priority smí mít pouze argument ignore, normal a prefer." 
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "Zobrazí tuto nápovědu" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Zobrazí stručný návod na použití" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "Vypíše verzi balíku" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "Přepínače nápovědy:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[PŘEPÍNAČ…] <akce> <přepínače_akce>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Chybí argument <akce>." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "Neznámá akce." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Přepínače --refresh a --test-passphrase se vzájemně vylučují." - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." 
-msgstr "Přepínače --cancel-deferred a --deferred se vzájemně vylučují." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Přepínač --persistent není dovolen současně s --test-passphrase." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Přepínač --integrity-no-wipe smí být použit jen při formátování s rozšířením integrity." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS, TCRYPT a BITLK." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "Je dovolen pouze jeden argument přepínače --key-file." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Přepínače --align-payload a --offset nelze kombinovat." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." 
-msgstr "Při otevírání je přepínač --offset podporován jen u zařízení plain a loopaes." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Přepínače --veracrypt a --disable-veracrypt jsou podporovány jen u typu zařízení TCRYPT." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Přepínač --veracrypt-pim je podporován jen u zařízení kompatibilním s VeraCrypt." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Přepínač --veracrypt-query-pim je podporován jen u zařízení kompatibilním s VeraCrypt." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Přepínače --veracrypt-pim a --veracrypt-query-pim se vzájemně vylučují." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Je nutné určit pozici s klíčem." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3557 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Funkce pro odvození klíče na základě hesla (PBKDF) smí být pouze pbkdf2 nebo argon2i/argon2id." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." 
msgstr "Vynucené iterace PBKDF nelze kombinovat s volnou doby iterací." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Otevírání s přepínačem velikosti sektoru je podporován jen u zařízení plain." - -# FIXME: "Large IV sectors" should read "IV large sectors". -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Volba inicializačního vektoru s velkými sektory je podporována jen při otevírání zařízení typu plain s velikostí sektoru větší než 512 bajtů." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "Přepínač --unbound vyžaduje velikost klíče." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "Dešifrování LUKS2 vyžaduje přepínač --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Přepínače --reduce-device-size a --data-size nelze kombinovat." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Přepínače --device-size a --size nelze kombinovat." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Přepínače --keyslot-cipher a --keyslot-key-size musí být použity spolu." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Žádný úkon nebude proveden. Zavoláno s přepínačem --test-args.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "Neplatná operace tokenu." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "Parametr --key-description je při přidávání tokenu povinný." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." 
-msgstr "Akce vyžaduje určitý token. Použijte parametr --token-id." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "Zamykání metadata nelze vypnout." 
@@ -2768,67 +2832,72 @@ msgstr "Nelze vytvořit soubor %s s kořenovým hašem určený k zápisu."
 msgid "Cannot write to root hash file %s."
 msgstr "Do souboru %s s kořenovým hašem nelze zapsat."
 
-#: src/veritysetup.c:210 src/veritysetup.c:227
+#: src/veritysetup.c:198 src/veritysetup.c:476
+#, c-format
+msgid "Device %s is not a valid VERITY device."
+msgstr "Zařízení %s není platným zařízením VERITY."
+
+#: src/veritysetup.c:215 src/veritysetup.c:232
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Soubor %s s kořenovým hašem nelze vytvořit."
 
-#: src/veritysetup.c:215
+#: src/veritysetup.c:220
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Neplatný soubor %s s kořenovým hašem."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:241
 msgid "Invalid root hash string specified."
 msgstr "Zadán neplatný řetězec s kořenovým hašem."
 
-#: src/veritysetup.c:244
+#: src/veritysetup.c:249
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Neplatné soubor s podpisem %s."
 
-#: src/veritysetup.c:251
+#: src/veritysetup.c:256
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Soubor s podpisem %s nelze číst."
 
-#: src/veritysetup.c:274 src/veritysetup.c:288
+#: src/veritysetup.c:279 src/veritysetup.c:293
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Příkaz vyžaduje argument <kořenový_haš> nebo přepínač --root-hash-file."
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:489
 msgid "<data_device> <hash_device>"
 msgstr "<zařízení_dat> <zařízení_hašů>"
 
-#: src/veritysetup.c:478 src/integritysetup.c:445
+#: src/veritysetup.c:489 src/integritysetup.c:534
 msgid "format device"
 msgstr "naformátuje zařízení"
 
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<zařízení_dat> <zařízení_hašů> [<kořenový_haš>]"
 
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "verify device"
 msgstr "ověří zařízení"
 
-#: src/veritysetup.c:480
+#: src/veritysetup.c:491
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<zařízení_dat> <název> <zařízení_hašů> [<kořenový_haš>]"
 
-#: src/veritysetup.c:482 src/integritysetup.c:448
+#: src/veritysetup.c:493 src/integritysetup.c:537
 msgid "show active device status"
 msgstr "zobrazí stav aktivního zařízení"
 
-#: src/veritysetup.c:483
+#: src/veritysetup.c:494
 msgid "<hash_device>"
 msgstr "<zařízení_hašů>"
 
-#: src/veritysetup.c:483 src/integritysetup.c:449
+#: src/veritysetup.c:494 src/integritysetup.c:538
 msgid "show on-disk information"
 msgstr "zobrazí údaje z disku"
 
-#: src/veritysetup.c:502
+#: src/veritysetup.c:513
 #, c-format
 msgid ""
 "\n"
@@ -2843,7 +2912,7 @@ msgstr ""
 "<zařízení_hašů> je zařízení obsahující ověřovací data\n"
 "<kořenový_haš> haš kořenového uzlu na <zařízení_hašů>\n"
 
-#: src/veritysetup.c:509
+#: src/veritysetup.c:520
 #, c-format
 msgid ""
 "\n"
@@ -2854,28 +2923,47 @@ msgstr ""
 "Výchozí zakompilované parametry dm-verity:\n"
 "\tHaš: %s, Datový blok (bajty): %u, Blok hašů (bajty): %u, Velikost soli: %u, Formát haše: %u\n"
 
-#: src/veritysetup.c:646
+#: src/veritysetup.c:658
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Přepínače --ignore-corruption a --restart-on-corruption nelze použít najednou."
 
-#: src/veritysetup.c:651
+#: src/veritysetup.c:663
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Přepínač --panic-on-corruption a --restart-on-corruption nelze použít najednou."
 
-#: src/integritysetup.c:201
+#: src/integritysetup.c:177
+#, c-format
+msgid ""
+"This will overwrite data on %s and %s irrevocably.\n"
+"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
+msgstr ""
+"Toto nevratně přepíše data na %s a %s.\n"
+"Pro zachování datového zařízení použije přepínač --no-wipe (a pak jej\n"
+"aktivujte pomocí --integrity-recalculate)."
+
+#: src/integritysetup.c:212
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formátováno s velikostí značky %u, vnitřní integrita %s.\n"
 
-#: src/integritysetup.c:445 src/integritysetup.c:449
+#: src/integritysetup.c:289
+msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
+msgstr "Nastavení příznaku přepočtu není podporováno, místo toho zvažte použití --wipe."
+
+#: src/integritysetup.c:364 src/integritysetup.c:521
+#, c-format
+msgid "Device %s is not a valid INTEGRITY device."
+msgstr "Zařízení %s není platným zařízením INTEGRITY."
+
+#: src/integritysetup.c:534 src/integritysetup.c:538
 msgid "<integrity_device>"
 msgstr "<zařízení_s_daty_integrity>"
 
-#: src/integritysetup.c:446
+#: src/integritysetup.c:535
 msgid "<integrity_device> <name>"
 msgstr "<zařízení_s_daty_integrity> <název>"
 
-#: src/integritysetup.c:468
+#: src/integritysetup.c:558
 #, c-format
 msgid ""
 "\n"
@@ -2886,7 +2974,7 @@ msgstr ""
 "<název> je zařízení, které bude vytvořeno pod %s\n"
 "<zařízení_s_daty_integrity> je zařízení obsahující data se značkami integrity\n"
 
-#: src/integritysetup.c:473
+#: src/integritysetup.c:563
 #, c-format
 msgid ""
 "\n"
@@ -2900,241 +2988,44 @@ msgstr ""
 "\tMaximální velikost souboru s klíčem: %d kB\n"
 
 # TODO: Pluralize
-#: src/integritysetup.c:530
+#: src/integritysetup.c:620
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Neplatná velikost --%s. Maximální je %u bajtů."
 
-#: src/integritysetup.c:628
+#: src/integritysetup.c:720
 msgid "Both key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem a velikostí klíče."
 
-#: src/integritysetup.c:632
+#: src/integritysetup.c:724
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:635
+#: src/integritysetup.c:727
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Je-li použit klíč integrity žurnálu, musí být zadán algoritmus integrity žurnálu."
 
-#: src/integritysetup.c:639
+#: src/integritysetup.c:731
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s šifrovacím klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:642
+#: src/integritysetup.c:734
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Je-li použit šifrovací klíč žurnálu, musí být zadán algoritmus šifrování žurnálu."
 
-#: src/integritysetup.c:646
+#: src/integritysetup.c:738
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Přepínače režimu bitmapy a obnovení se vzájemně vylučují."
 
-#: src/integritysetup.c:653
+#: src/integritysetup.c:745
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Přepínače žurnálu nelze použití spolu s režimem bitmapy."
 
-#: src/integritysetup.c:658
+#: src/integritysetup.c:750
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Přepínače bitmapy lze použít jen při režimu bitmapy."
 
-#: src/cryptsetup_reencrypt.c:149
-msgid "Reencryption already in-progress."
-msgstr "Přešifrování již probíhá."
-
-#: src/cryptsetup_reencrypt.c:185
-#, c-format
-msgid "Cannot exclusively open %s, device in use."
-msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá."
-
-#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120
-msgid "Allocation of aligned memory failed."
-msgstr "Alokace zarovnané paměti se nezdařila."
-
-#: src/cryptsetup_reencrypt.c:206
-#, c-format
-msgid "Cannot read device %s."
-msgstr "Ze zařízení %s nelze číst."
-
-#: src/cryptsetup_reencrypt.c:217
-#, c-format
-msgid "Marking LUKS1 device %s unusable."
-msgstr "LUKS1 zařízení %s se označuje za nepoužitelné."
-
-#: src/cryptsetup_reencrypt.c:221
-#, c-format
-msgid "Setting LUKS2 offline reencrypt flag on device %s."
-msgstr "Na zařízení %s se nastavuje příznak offline přešifrování."
-
-#: src/cryptsetup_reencrypt.c:238
-#, c-format
-msgid "Cannot write device %s."
-msgstr "Zařízení %s není možné zapsat."
-
-#: src/cryptsetup_reencrypt.c:286
-msgid "Cannot write reencryption log file."
-msgstr "Nelze zapsat soubor s protokolem přešifrování."
-
-#: src/cryptsetup_reencrypt.c:342
-msgid "Cannot read reencryption log file."
-msgstr "Soubor s protokolem přešifrování nelze načíst."
-
-#: src/cryptsetup_reencrypt.c:353
-msgid "Wrong log format."
-msgstr "Chybný formát protokolu."
-
-#: src/cryptsetup_reencrypt.c:380
-#, c-format
-msgid "Log file %s exists, resuming reencryption.\n"
-msgstr "Soubor s protokolem %s existuje, pokračuje se v přerušeném přešifrování.\n"
-
-#: src/cryptsetup_reencrypt.c:429
-msgid "Activating temporary device using old LUKS header."
-msgstr "Aktivuje se dočasné zařízení za pomoci staré hlavičky LUKS."
-
-#: src/cryptsetup_reencrypt.c:439
-msgid "Activating temporary device using new LUKS header."
-msgstr "Aktivuje se dočasné zařízení za pomoci nové hlavičky LUKS."
-
-#: src/cryptsetup_reencrypt.c:449
-msgid "Activation of temporary devices failed."
-msgstr "Aktivace dočasných zařízení selhala."
-
-#: src/cryptsetup_reencrypt.c:536
-msgid "Failed to set data offset."
-msgstr "Nastavení polohy dat selhalo."
-
-#: src/cryptsetup_reencrypt.c:542
-msgid "Failed to set metadata size."
-msgstr "Nastavení velikosti metadat selhalo."
-
-#: src/cryptsetup_reencrypt.c:550
-#, c-format
-msgid "New LUKS header for device %s created."
-msgstr "Byla vytvořena nová hlavička LUKS zařízení %s."
-
-#: src/cryptsetup_reencrypt.c:610
-#, c-format
-msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
-msgstr "Tato verze cryptsetup-reencrypt neumí zacházet s novým vnitřním druhem tokenů %s."
-
-#: src/cryptsetup_reencrypt.c:632
-msgid "Failed to read activation flags from backup header."
-msgstr "Přečtení příznaků pro aktivaci ze záložní hlavičky selhalo."
-
-#: src/cryptsetup_reencrypt.c:636
-msgid "Failed to write activation flags to new header."
-msgstr "Zápis příznaků pro aktivaci do nové hlavičky selhal."
-
-#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644
-msgid "Failed to read requirements from backup header."
-msgstr "Čtení požadavků ze záložní hlavičky selhalo."
-
-#: src/cryptsetup_reencrypt.c:682
-#, c-format
-msgid "%s header backup of device %s created."
-msgstr "Záloha hlavičky %s zařízení %s byla vytvořena."
-
-#: src/cryptsetup_reencrypt.c:745
-msgid "Creation of LUKS backup headers failed."
-msgstr "Záložní hlavičky LUKS se nepodařilo vytvořit."
-
-#: src/cryptsetup_reencrypt.c:878
-#, c-format
-msgid "Cannot restore %s header on device %s."
-msgstr "Hlavičku %s na zařízení %s nelze obnovit."
-
-#: src/cryptsetup_reencrypt.c:880
-#, c-format
-msgid "%s header on device %s restored."
-msgstr "Hlavička %s na zařízení %s byla obnovena."
-
-#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098
-msgid "Cannot open temporary LUKS device."
-msgstr "Nelze otevřít dočasné zařízení LUKS."
-
-#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108
-msgid "Cannot get device size."
-msgstr "Velikost zařízení nelze zjistit."
-
-#: src/cryptsetup_reencrypt.c:1143
-msgid "IO error during reencryption."
-msgstr "Chyba vstupu/výstupu během přešifrování."
-
-#: src/cryptsetup_reencrypt.c:1174
-msgid "Provided UUID is invalid."
-msgstr "Poskytnuté UUID není platné."
-
-#: src/cryptsetup_reencrypt.c:1408
-msgid "Cannot open reencryption log file."
-msgstr "Nelze otevřít soubor s protokolem přešifrování."
-
-#: src/cryptsetup_reencrypt.c:1414
-msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
-msgstr "Žádné dešifrování není rozpracované. Poskytnuté UUID lze použít jen k dokončení pozastaveného procesu dešifrování."
-
-#: src/cryptsetup_reencrypt.c:1489
-#, c-format
-msgid "Changed pbkdf parameters in keyslot %i."
-msgstr "Parametry PBKDF pro pozici klíče %i změněny."
-
-#: src/cryptsetup_reencrypt.c:1614
-msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
-msgstr "Velikost bloku při přešifrování může nabývat hodnot pouze mezi 1 a 64 MiB."
-
-#: src/cryptsetup_reencrypt.c:1628
-msgid "Maximum device reduce size is 64 MiB."
-msgstr "Maximální velikost zmenšení zařízení je 64 MiB."
-
-#: src/cryptsetup_reencrypt.c:1669
-msgid "[OPTION...] <device>"
-msgstr "[PŘEPÍNAČ…] <zařízení>"
-
-#: src/cryptsetup_reencrypt.c:1677
-#, c-format
-msgid "Reencryption will change: %s%s%s%s%s%s."
-msgstr "Přešifrování změní: %s%s%s%s%s%s."
-
-#: src/cryptsetup_reencrypt.c:1678
-msgid "volume key"
-msgstr "klíč svazku"
-
-#: src/cryptsetup_reencrypt.c:1680
-msgid "set hash to "
-msgstr "nastaví haš na "
-
-#: src/cryptsetup_reencrypt.c:1681
-msgid ", set cipher to "
-msgstr ", nastaví šifru na "
-
-#: src/cryptsetup_reencrypt.c:1685
-msgid "Argument required."
-msgstr "Vyžadován argument."
-
-#: src/cryptsetup_reencrypt.c:1712
-msgid "Option --new must be used together with --reduce-device-size or --header."
-msgstr "Přepínač --new musí být použit spolu s --reduce-device-size nebo --header."
-
-#: src/cryptsetup_reencrypt.c:1716
-msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
-msgstr "Přepínač --keep-key lze použít jen s přepínači --hash, --iter-time nebo --pbkdf-force-iterations."
-
-#: src/cryptsetup_reencrypt.c:1720
-msgid "Option --new cannot be used together with --decrypt."
-msgstr "Přepínač --new nelze být použit spolu s --decrypt."
-
-#: src/cryptsetup_reencrypt.c:1726
-msgid "Option --decrypt is incompatible with specified parameters."
-msgstr "Přepínač --decrypt se neslučuje se zadanými parametry."
-
-#: src/cryptsetup_reencrypt.c:1730
-msgid "Option --uuid is allowed only together with --decrypt."
-msgstr "Přepínač --uuid lze použít jen spolu s přepínačem --decrypt."
-
-#: src/cryptsetup_reencrypt.c:1734
-msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
-msgstr "Neplatný druh LUKS. Použijte jeden z: „luks“, „luks1“ nebo „luks2“"
-
-#: src/utils_tools.c:119
+#: src/utils_tools.c:118
 msgid ""
 "\n"
 "WARNING!\n"
@@ -3145,7 +3036,7 @@ msgstr ""
 "======\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:121
+#: src/utils_tools.c:120
 #, c-format
 msgid ""
 "%s\n"
@@ -3156,149 +3047,176 @@ msgstr ""
 "\n"
 "Jste si jisti? (Napište „yes“ velkými písmeny): "
 
-#: src/utils_tools.c:127
+#: src/utils_tools.c:126
 msgid "Error reading response from terminal."
 msgstr "Chyba při čtení odpovědi z terminálu."
 
-#: src/utils_tools.c:159
+#: src/utils_tools.c:158
 msgid "Command successful."
 msgstr "Příkaz úspěšně vykonán."
 
-#: src/utils_tools.c:167
+#: src/utils_tools.c:166
 msgid "wrong or missing parameters"
 msgstr "špatné nebo chybějící parametry"
 
-#: src/utils_tools.c:169
+#: src/utils_tools.c:168
 msgid "no permission or bad passphrase"
 msgstr "žádné oprávnění nebo chybné heslo"
 
-#: src/utils_tools.c:171
+#: src/utils_tools.c:170
 msgid "out of memory"
 msgstr "nedostatek paměti"
 
-#: src/utils_tools.c:173
+#: src/utils_tools.c:172
 msgid "wrong device or file specified"
 msgstr "zadáno špatné zařízení nebo soubor"
 
-#: src/utils_tools.c:175
+#: src/utils_tools.c:174
 msgid "device already exists or device is busy"
 msgstr "zařízení již existuje nebo zařízení je zaneprázdněno"
 
-#: src/utils_tools.c:177
+#: src/utils_tools.c:176
 msgid "unknown error"
 msgstr "neznámá chyba"
 
-#: src/utils_tools.c:179
+#: src/utils_tools.c:178
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "Příkaz selhal s kódem %i (%s)."
 
-#: src/utils_tools.c:257
+#: src/utils_tools.c:256
 #, c-format
 msgid "Key slot %i created."
 msgstr "Pozice klíče %i vytvořena."
 
-#: src/utils_tools.c:259
+#: src/utils_tools.c:258
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Pozice klíče %i odemknuta."
 
-#: src/utils_tools.c:261
+#: src/utils_tools.c:260
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Pozice klíče %i odemknuta."
 
-#: src/utils_tools.c:270
+#: src/utils_tools.c:269
 #, c-format
 msgid "Token %i created."
 msgstr "Token %i vytvořen."
 
-#: src/utils_tools.c:272
+#: src/utils_tools.c:271
 #, c-format
 msgid "Token %i removed."
 msgstr "Token %i se odstraněn."
 
-#: src/utils_tools.c:282
+#: src/utils_tools.c:281
 msgid "No token could be unlocked with this PIN."
 msgstr "Tímto PIN nebylo možné odemknou žádný token."
 
-#: src/utils_tools.c:284
+#: src/utils_tools.c:283
 #, c-format
 msgid "Token %i requires PIN."
 msgstr "Token %i vyžaduje PIN."
 
-#: src/utils_tools.c:286
+#: src/utils_tools.c:285
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr "Token (druh %s) vyžaduje PIN."
 
-#: src/utils_tools.c:289
+#: src/utils_tools.c:288
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token %i nedokáže odemknout přiřazené pozice s klíči (chybné heslo pozice)."
 
-#: src/utils_tools.c:291
+#: src/utils_tools.c:290
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token (druh %s) nedokáže odemknout přiřazené pozice s klíči (chybné heslo pozice)."
 
-#: src/utils_tools.c:294
+#: src/utils_tools.c:293
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr "Token %i vyžaduje dodatečné chybějící zdroje."
 
-#: src/utils_tools.c:296
+#: src/utils_tools.c:295
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr "Token (druh %s) vyžaduje dodatečné chybějící zdroje."
 
-#: src/utils_tools.c:299
+#: src/utils_tools.c:298
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr "Žádný token (druhu %s) není dostupný."
 
-#: src/utils_tools.c:301
+#: src/utils_tools.c:300
 msgid "No usable token is available."
 msgstr "Není dostupný žádný použitelný token."
 
-#: src/utils_tools.c:463
-msgid ""
-"\n"
-"Wipe interrupted."
-msgstr ""
-"\n"
-"Výmaz přerušen."
-
-#: src/utils_tools.c:492
-msgid ""
-"\n"
-"Reencryption interrupted."
-msgstr ""
-"\n"
-"Přešifrování přerušeno."
-
-#: src/utils_tools.c:511
+#: src/utils_tools.c:393
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Soubor s klíčem %s nelze číst."
 
 # FIXME: Pluralize
-#: src/utils_tools.c:516
+#: src/utils_tools.c:398
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Ze souboru s klíčem %2$s nelze přečíst %1$d bajtů."
 
-#: src/utils_tools.c:541
+#: src/utils_tools.c:423
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Soubor s klíčem %s nelze otevřít pro zápis."
 
-#: src/utils_tools.c:548
+#: src/utils_tools.c:430
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Do souboru s klíčem %s nelze zapsat."
 
-#: src/utils_password.c:41 src/utils_password.c:74
+#: src/utils_progress.c:74
+#, c-format
+msgid "%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64> m %02<PRIu64> s"
+
+#: src/utils_progress.c:76
+#, c-format
+msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64> h %02<PRIu64> m %02<PRIu64> s"
+
+# TODO: Pluralize
+#: src/utils_progress.c:78
+#, c-format
+msgid "%02<PRIu64> days"
+msgstr "%02<PRIu64> dnů"
+
+#: src/utils_progress.c:105 src/utils_progress.c:138
+#, c-format
+msgid "%4<PRIu64> %s written"
+msgstr "zapsáno %4<PRIu64> %s"
+
+#: src/utils_progress.c:109 src/utils_progress.c:142
+#, c-format
+msgid "speed %5.1f %s/s"
+msgstr "rychlost %5.1f %s/s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. 'eol' is always new-line or empty.
+#. See above.
+#.
+#: src/utils_progress.c:118
+#, c-format
+msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
+msgstr "Průběh: %5.1f %%, zbývá %s, %s, %s%s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. See above
+#.
+#: src/utils_progress.c:150
+#, c-format
+msgid "Finished, time %s, %s, %s\n"
+msgstr "Dokončeno, čas %s, %s, %s\n"
+
+#: src/utils_password.c:41 src/utils_password.c:72
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr "Odolnost hesla nelze prověřit: %s"
@@ -3312,59 +3230,63 @@ msgstr ""
 "Kontrola odolnosti hesla selhala:\n"
 " %s"
 
-#: src/utils_password.c:81
+#: src/utils_password.c:79
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Kontrola odolnosti hesla selhala: Špatné heslo (%s)"
 
-#: src/utils_password.c:224 src/utils_password.c:238
+#: src/utils_password.c:230 src/utils_password.c:244
 msgid "Error reading passphrase from terminal."
 msgstr "Chyba při čtení hesla z terminálu."
 
-#: src/utils_password.c:236
+#: src/utils_password.c:242
 msgid "Verify passphrase: "
 msgstr "Ověřte heslo: "
 
-#: src/utils_password.c:243
+#: src/utils_password.c:249
 msgid "Passphrases do not match."
 msgstr "Hesla se neshodují."
 
-#: src/utils_password.c:280
+#: src/utils_password.c:287
 msgid "Cannot use offset with terminal input."
 msgstr "Ve vstupu z terminálu nelze měnit polohu."
 
-#: src/utils_password.c:283
+#: src/utils_password.c:291
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Zadejte heslo: "
 
-#: src/utils_password.c:286
+#: src/utils_password.c:294
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Zadejte heslo pro %s: "
 
-#: src/utils_password.c:317
+#: src/utils_password.c:328
 msgid "No key available with this passphrase."
 msgstr "S tímto heslem není dostupný žádný klíč."
 
-#: src/utils_password.c:319
+#: src/utils_password.c:330
 msgid "No usable keyslot is available."
 msgstr "Nejsou dostupné žádné použitelné pozice s klíči."
 
-#: src/utils_luks2.c:47
+#: src/utils_luks.c:67
+msgid "Can't do passphrase verification on non-tty inputs."
+msgstr "Se vstupem mimo terminál nelze ověřit heslo."
+
+#: src/utils_luks.c:182
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Soubor %s se nepodařilo otevřít pouze pro čtení."
 
-#: src/utils_luks2.c:60
+#: src/utils_luks.c:195
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Poskytněte JSON s platným tokenem LUKS2:\n"
 
-#: src/utils_luks2.c:67
+#: src/utils_luks.c:202
 msgid "Failed to read JSON file."
 msgstr "Soubor s dokumentem JSON se nepodařilo přečíst."
 
-#: src/utils_luks2.c:72
+#: src/utils_luks.c:207
 msgid ""
 "\n"
 "Read interrupted."
@@ -3372,12 +3294,12 @@ msgstr ""
 "\n"
 "Čtení přerušeno."
 
-#: src/utils_luks2.c:113
+#: src/utils_luks.c:248
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Otevření souboru %s pro zápis selhalo."
 
-#: src/utils_luks2.c:122
+#: src/utils_luks.c:257
 msgid ""
 "\n"
 "Write interrupted."
@@ -3385,54 +3307,425 @@ msgstr ""
 "\n"
 "Zápis přerušen."
 
-#: src/utils_luks2.c:126
+#: src/utils_luks.c:261
 msgid "Failed to write JSON file."
 msgstr "Zapsaní souboru s dokumentem JSON selhalo."
 
-#: src/utils_blockdev.c:192
+#: src/utils_reencrypt.c:120
+#, c-format
+msgid "Auto-detected active dm device '%s' for data device %s.\n"
+msgstr "Automaticky nalezené aktivní zařízení DM „%s“ pro datové zařízení %s.\n"
+
+#: src/utils_reencrypt.c:124
+#, c-format
+msgid "Failed to auto-detect device %s holders."
+msgstr "Držitele zařízení %s nebylo možné automaticky nalézt."
+
+#: src/utils_reencrypt.c:130
+#, c-format
+msgid "Device %s is not a block device.\n"
+msgstr "Zařízení %s není blokovým zařízením.\n"
+
+#: src/utils_reencrypt.c:132
+#, c-format
+msgid ""
+"Unable to decide if device %s is activated or not.\n"
+"Are you sure you want to proceed with reencryption in offline mode?\n"
+"It may lead to data corruption if the device is actually activated.\n"
+"To run reencryption in online mode, use --active-name parameter instead.\n"
+msgstr ""
+"Nelze rozhodnout, jestli zařízení %s je nebo není aktivováno.\n"
+"Jste si jisti, že si přejete pokračovat v přešifrování v režimu offline?\n"
+"To může vést k poškození dat, bylo-li zařízení ve skutečnosti aktivováno.\n"
+"Pro přešifrování za běhu použijte parametr --active-name.\n"
+
+#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#, c-format
+msgid ""
+"Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
+msgstr ""
+"Zařízení %s není blokovým zařízením. Nelze určit, jestli je\n"
+"aktivní, nebo ne. Pro obejití kontroly a spuštění v režimu offline\n"
+"(nebezpečné!) použijte --force-offline-reencrypt."
+
+#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
+#: src/utils_reencrypt.c:231
+msgid "Requested --resilience option cannot be applied to current reencryption operation."
+msgstr "Na současnou operaci přešifrování nelze použít požadovaný přepínač --resilience."
+
+#: src/utils_reencrypt.c:203
+msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
+msgstr "Zařízení není ve stavu přešifrování LUKS2. Neslučitelný přepínač --encrypt."
+
+#: src/utils_reencrypt.c:208
+msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
+msgstr "Zařízení není ve stavu dešifrování LUKS2. Neslučitelný přepínač --decrypt."
+
+#: src/utils_reencrypt.c:215
+msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
+msgstr "Zařízení je ve stavu přešifrování pomocí odolnosti posunu dat. Požadovaný přepínač --resilience nelze použít."
+
+#: src/utils_reencrypt.c:293
+msgid "Device requires reencryption recovery. Run repair first."
+msgstr "Zařízení vyžaduje obnovu přešifrování. Spusťte nejprve opravu."
+
+#: src/utils_reencrypt.c:307
+#, c-format
+msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
+msgstr "Zařízení %s je již ve stavu přešifrování LUKS2. Přejete si dokončit dříve zahájenou operaci?"
+
+#: src/utils_reencrypt.c:353
+msgid "Legacy LUKS2 reencryption is no longer supported."
+msgstr "Zastaralé přešifrování LUKS2 již není podporováno."
+
+#: src/utils_reencrypt.c:418
+msgid "Reencryption of device with integrity profile is not supported."
+msgstr "Přešifrování zařízení s profilem integrity není podporováno."
+
+#: src/utils_reencrypt.c:449
+#, c-format
+msgid ""
+"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
+"(block size: %<PRIu32> bytes) detected on device %s."
+msgstr ""
+"Požadovaný --sector-size %<PRIu32> není slučitelný se superblokem %s\n"
+"(velikost bloku %<PRIu32> bajtů) nalezeném na zařízení %s."
+
+#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391
+msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
+msgstr "Přešifrování bez oddělené hlavičky (--header) není možné bez zmenšení velikosti datového zařízení (--reduce-device-size)."
+
+#: src/utils_reencrypt.c:525
+msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
+msgstr "Požadovaný počátek dat musí být menší nebo roven polovině parametru --reduce-device-size"
+
+#: src/utils_reencrypt.c:535
+#, c-format
+msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
+msgstr "Upravuje se hodnota --reduce-device-size na dvojnásobek --offset %<PRIu64> (v sektorech).\n"
+
+#: src/utils_reencrypt.c:565
+#, c-format
+msgid "Temporary header file %s already exists. Aborting."
+msgstr "Dočasný soubor s hlavičkou %s již existuje. Operace se ruší."
+
+#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574
+#, c-format
+msgid "Cannot create temporary header file %s."
+msgstr "Dočasný soubor s hlavičkou %s nelze vytvořit."
+
+#: src/utils_reencrypt.c:599
+msgid "LUKS2 metadata size is larger than data shift value."
+msgstr "Velikost metadat LUKS2 je větší než hodnota posunu dat."
+
+#: src/utils_reencrypt.c:636
+#, c-format
+msgid "Failed to place new header at head of device %s."
+msgstr "Umístění nové hlavičky na začátek zařízení %s selhalo."
+
+#: src/utils_reencrypt.c:646
+#, c-format
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu.\n"
+
+#: src/utils_reencrypt.c:682
+#, c-format
+msgid "Active device %s is not LUKS2."
+msgstr "Aktivní zařízení %s není LUKS2."
+
+#: src/utils_reencrypt.c:710
+msgid "Restoring original LUKS2 header."
+msgstr "Obnovuje se původní hlavička LUKS2."
+
+#: src/utils_reencrypt.c:718
+msgid "Original LUKS2 header restore failed."
+msgstr "Obnovení původní hlavičky LUKS2 selhalo."
+
+#: src/utils_reencrypt.c:744
+#, c-format
+msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
+msgstr "Soubor s hlavičkou %s neexistuje. Přejete si zahájit dešifrování LUKS2 zařízení %s a export hlavičku LUKS2 do souboru %s?"
+
+#: src/utils_reencrypt.c:792
+msgid "Failed to add read/write permissions to exported header file."
+msgstr "Přidání práv na čtení/zápis souboru s hlavičkou selhalo."
+
+#: src/utils_reencrypt.c:845
+#, c-format
+msgid "Reencryption initialization failed. Header backup is available in %s."
+msgstr "Inicializace přešifrování selhala. Záloha hlavičky je dostupná v %s."
+
+#: src/utils_reencrypt.c:873
+msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
+msgstr "Dešifrování LUKS2 je podporováno jen u zařízení s oddělenou hlavičkou (počátek dat na 0)."
+
+#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017
+msgid "Not enough free keyslots for reencryption."
+msgstr "Nedostatek pozic s klíči pro přešifrování."
+
+#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče."
+
+#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147
+#: src/utils_reencrypt_luks1.c:1158
+#, c-format
+msgid "Enter passphrase for key slot %d: "
+msgstr "Zadejte heslo pro pozici klíče %d: "
+
+#: src/utils_reencrypt.c:1059
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Zadejte heslo pro pozici klíče %u: "
+
+#: src/utils_reencrypt.c:1111
+#, c-format
+msgid "Switching data encryption cipher to %s.\n"
+msgstr "Přepíná se algoritmus šifrování dat na %s.\n"
+
+#: src/utils_reencrypt.c:1165
+msgid "No data segment parameters changed. Reencryption aborted."
+msgstr "Žádné parametry oblasti s daty nebyly změněny. Přešifrování zrušeno."
+
+#: src/utils_reencrypt.c:1267
+msgid ""
+"Encryption sector size increase on offline device is not supported.\n"
+"Activate the device first or use --force-offline-reencrypt option (dangerous!)."
+msgstr ""
+"Zvětšení velikosti šifrovaného sektoru na zařízení v režimu offline není\n"
+"podporováno. Nejprve zařízení aktivujte, nebo použijte přepínač\n"
+"--force-offline-reencrypt (nebezpečné!)."
+
+#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726
+#: src/utils_reencrypt_luks1.c:798
+msgid ""
+"\n"
+"Reencryption interrupted."
+msgstr ""
+"\n"
+"Přešifrování přerušeno."
+
+#: src/utils_reencrypt.c:1312
+msgid "Resuming LUKS reencryption in forced offline mode.\n"
+msgstr "Dokončuje se přešifrování LUKS ve vynuceném režimu offline.\n"
+
+#: src/utils_reencrypt.c:1329
+#, c-format
+msgid "Device %s contains broken LUKS metadata. Aborting operation."
+msgstr "Zařízení %s obsahuje porušená metadata LUKS. Operace se ruší."
+
+#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367
+#, c-format
+msgid "Device %s is already LUKS device. Aborting operation."
+msgstr "Zařízení %s je již zařízením LUKS. Operace se ruší."
+
+#: src/utils_reencrypt.c:1373
+#, c-format
+msgid "Device %s is already in LUKS reencryption. Aborting operation."
+msgstr "Zařízení %s je již ve stavu přešifrování LUKS. Operace se ruší."
+
+#: src/utils_reencrypt.c:1453
+msgid "LUKS2 decryption requires --header option."
+msgstr "Dešifrování LUKS2 vyžaduje přepínač --header."
+
+#: src/utils_reencrypt.c:1501
+msgid "Command requires device as argument."
+msgstr "Příkaz vyžaduje jako argument zařízení."
+
+#: src/utils_reencrypt.c:1514
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS1."
+msgstr "Neslučitelné verze. Zařízení %s je LUKS1."
+
+#: src/utils_reencrypt.c:1520
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
+msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS1."
+
+#: src/utils_reencrypt.c:1526
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS2."
+msgstr "Neslučitelné verze. Zařízení %s je LUKS2."
+
+#: src/utils_reencrypt.c:1532
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
+msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS2."
+
+#: src/utils_reencrypt.c:1538
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr "Přešifrování LUKS2 je již inicializováno. Operace se ruší."
+
+#: src/utils_reencrypt.c:1545
+msgid "Device reencryption not in progress."
+msgstr "Neprobíhá žádné přešifrování zařízení."
+
+#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#, c-format
+msgid "Cannot exclusively open %s, device in use."
+msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá."
+
+#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+msgid "Allocation of aligned memory failed."
+msgstr "Alokace zarovnané paměti se nezdařila."
+
+#: src/utils_reencrypt_luks1.c:150
+#, c-format
+msgid "Cannot read device %s."
+msgstr "Ze zařízení %s nelze číst."
+
+#: src/utils_reencrypt_luks1.c:161
+#, c-format
+msgid "Marking LUKS1 device %s unusable."
+msgstr "LUKS1 zařízení %s se označuje za nepoužitelné."
+
+#: src/utils_reencrypt_luks1.c:177
+#, c-format
+msgid "Cannot write device %s."
+msgstr "Zařízení %s není možné zapsat."
+
+#: src/utils_reencrypt_luks1.c:226
+msgid "Cannot write reencryption log file."
+msgstr "Nelze zapsat soubor s protokolem přešifrování."
+
+#: src/utils_reencrypt_luks1.c:282
+msgid "Cannot read reencryption log file."
+msgstr "Soubor s protokolem přešifrování nelze načíst."
+
+#: src/utils_reencrypt_luks1.c:293
+msgid "Wrong log format."
+msgstr "Chybný formát protokolu."
+ +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Soubor s protokolem %s existuje, pokračuje se v přerušeném přešifrování.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Aktivuje se dočasné zařízení za pomoci staré hlavičky LUKS." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Aktivuje se dočasné zařízení za pomoci nové hlavičky LUKS." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Aktivace dočasných zařízení selhala." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Nastavení polohy dat selhalo." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Nastavení velikosti metadat selhalo." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Byla vytvořena nová hlavička LUKS zařízení %s." + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Záloha hlavičky %s zařízení %s byla vytvořena." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Záložní hlavičky LUKS se nepodařilo vytvořit." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Hlavičku %s na zařízení %s nelze obnovit." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Hlavička %s na zařízení %s byla obnovena." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Nelze otevřít dočasné zařízení LUKS." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Velikost zařízení nelze zjistit." 
+ +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "Chyba vstupu/výstupu během přešifrování." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Poskytnuté UUID není platné." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "Nelze otevřít soubor s protokolem přešifrování." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Žádné dešifrování není rozpracované. Poskytnuté UUID lze použít jen k dokončení pozastaveného procesu dešifrování." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "Přešifrování změní: %s%s%s%s%s%s." + +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "klíč svazku" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "nastaví haš na " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", nastaví šifru na " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "POZOR: Zařízení %s již obsahuje vzorec oddílu „%s“.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "POZOR: Zařízení %s již obsahuje vzorec superbloku „%s“.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Sondu vzorců zařízení se nepodařilo inicializovat." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "O zařízení %s nebylo možné zjistit údaje." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Zařízení %s se používá. 
K formátování nelze přikročit." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Soubor %s nebylo možné otevřít pro čtení i zápis." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Existující vzorec oddílu „%s“ na zařízení %s bude vymazán." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Existující vzorec superbloku „%s“ na zařízení %s bude vymazán." -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Odstranění vzorce ze zařízení selhalo." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Otestování zařízení %s na vzorce selhalo." @@ -3442,16 +3735,16 @@ msgstr "Otestování zařízení %s na vzorce selhalo." msgid "Invalid size specification in parameter --%s." msgstr "Zadána neplatná velikost v parametru --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Přepínač --%s není dovolen s akcí %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Zapsaní dokumentu JSON pro token SSH selhalo." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3467,110 +3760,110 @@ msgstr "" "\n" "Poznámka: Údaje poskytnuté při přidávání tokenu (adresa SSH serveru, uživatel a cesta) budou uloženy do hlavičky LUKS2 v nešifrované podobě." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<akce> <zařízení>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Přepínače pro akci „add“:" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "IP adresa / URL vzdáleného serveru pro tento token" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Uživatelské jméno ke vzdálenému serveru" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Cesta k souboru s klíčem na vzdáleném serveru" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Cesta ke klíči SSH pro připojení ke vzdálenému serveru" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Pozice klíče, ke které se má přiřadit token. Nebude-li určeno, token bude přiřazen k první pozici odpovídající poskytnutému heslu." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Obecné přepínače:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Zobrazuje podrobnější chybové hlášky" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Zobrazuje ladicí hlášky" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Zobrazuje ladicí hlášky včetně metadat JSON" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Otevření a import soukromého klíče selhalo:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Import soukromého klíče selhal (chráněný heslem?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "Heslo pro %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Rozbor argumentů selhal.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Je třeba zadat akci\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat zařízení.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat SSH server.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat uživatele SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat SSH cestu.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat cestu ke klíči SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Otevření %s pomocí zadaných přihlašovacích údajů selhalo.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "V současnosti je tímto modulem podporována pouze akce „add“.\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr 
"Relaci SFTP nelze sestavit: " @@ -3578,6 +3871,10 @@ msgstr "Relaci SFTP nelze sestavit: " msgid "Cannot init sftp session: " msgstr "Relaci SFTP nelze inicializovat: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Relaci SFTP nelze otevřít: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Údaje o SFTP souboru nelze získat: " 
@@ -3606,6 +3903,96 @@ msgstr "Na stroji není povolena autentizace veřejným klíčem.\n" msgid "Public key authentication error: " msgstr "Chyba při autentizaci veřejným klíčem: " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "POZOR: Poloha dat je mimo nyní dostupné zařízení s daty.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Nelze zjistit prioritu procesu." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Paměť nelze odemknout." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Zamykací adresář %s/%s bude vytvořen s výchozími zakompilovanými právy." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Z %s nebylo možné načíst vzorec BITLK." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Neplatná nebo neznámá značka zařízení BITLK." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Vyčištění dat záložní části selhalo." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Vypnutí příznaku požadavku na přešifrování selhalo." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Šifrování je podporováno jen s formátem LUKS2." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Na %s zjištěno zařízeno LUKS. Přejete si toto zařízení LUKS znovu zašifrovat?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Nyní je podporován pouze formát LUKS2. Pro LUKS1, prosím, použijte nástroj cryptsetup-reencrypt." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Zastaralé offline přešifrování již probíhá. Použijte nástroj cryptsetup-reencrypt." + +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "Zařízení LUKS2 se nepřešifrovává." + +#~ msgid "Reencryption already in-progress." 
+#~ msgstr "Přešifrování již probíhá." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Na zařízení %s se nastavuje příznak offline přešifrování." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Tato verze cryptsetup-reencrypt neumí zacházet s novým vnitřním druhem tokenů %s." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Přečtení příznaků pro aktivaci ze záložní hlavičky selhalo." + +#~ msgid "Failed to write activation flags to new header." +#~ msgstr "Zápis příznaků pro aktivaci do nové hlavičky selhal." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Parametry PBKDF pro pozici klíče %i změněny." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Velikost bloku při přešifrování může nabývat hodnot pouze mezi 1 a 64 MiB." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Maximální velikost zmenšení zařízení je 64 MiB." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[PŘEPÍNAČ…] <zařízení>" + +#~ msgid "Argument required." +#~ msgstr "Vyžadován argument." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Přepínač --new musí být použit spolu s --reduce-device-size nebo --header." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Přepínač --keep-key lze použít jen s přepínači --hash, --iter-time nebo --pbkdf-force-iterations." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Přepínač --new nelze být použit spolu s --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "Přepínač --decrypt se neslučuje se zadanými parametry." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Přepínač --uuid lze použít jen spolu s přepínačem --decrypt." 
+ +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Neplatný druh LUKS. Použijte jeden z: „luks“, „luks1“ nebo „luks2“" + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Zařízení %s se používá. K formátování nelze přikročit." + #~ msgid "No free token slot." #~ msgstr "Žádná volná pozice s tokenem" @@ -3932,9 +4319,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Sector size option is not supported for this command." #~ msgstr "Tento příkaz nepodporuje volbu velikosti sektoru." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "Přepínač --unbound lze použít pouze s akcemi luksAddKey nebo luksDump." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "Přepínač --refresh lze použít pouze s úkonem otevření." @@ -4115,9 +4499,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Read new volume (master) key from file" #~ msgstr "Nový (hlavní) klíč svazku načte ze souboru" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Doba opakování PBKDF2 pro LUKS (v ms)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "K zařízením se bude přistupovat pomocí přímého I/O" @@ -4157,9 +4538,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Parameter --refresh is only allowed with open or refresh commands." #~ msgstr "Přepínač --refresh je dovolen jen při příkazu otevření nebo reaktivace." -#~ msgid "Cipher %s is not available." -#~ msgstr "Šifra %s není dostupná." - #~ msgid "Unsupported encryption sector size.\n" #~ msgstr "Nepodporovaná velikost šifrovaného sektoru.\n" 
@@ -4169,9 +4547,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Online reencryption in progress. Aborting." #~ msgstr "Probíhá přešifrování za běhu. Operace se ruší." -#~ msgid "No LUKS2 reencryption in progress." -#~ msgstr "Neprobíhá žádné přešifrování LUKS2." - #~ msgid "Interrupted by a signal." #~ msgstr "Přerušeno signálem." @@ -4235,9 +4610,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Error: Calculated reencryption offset %<PRIu64> is beyond device size %<PRIu64>." #~ msgstr "Chyba: Vypočtená pozice pro přešifrování %<PRIu64> je větší než velikost zařízení %<PRIu64>." -#~ msgid "Device is not in clean reencryption state." -#~ msgstr "Zařízení není v čistém stavu přešifrování." - #~ msgid "Failed to calculate new segments." #~ msgstr "Výpočet nových částí selhal." @@ -4346,9 +4718,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n" #~ msgstr "POZOR: zařízení %s je oddíl. U systémového šifrování TCRYPT je obvykle třeba použít cestu k celému blokovému zařízení.\n" -#~ msgid "Kernel doesn't support plain64 IV.\n" -#~ msgstr "Jádro nepodporuje inicializační vektor plain64.\n" - #~ msgid "Enter LUKS passphrase: " #~ msgstr "Zadejte heslo LUKS: " diff --git a/po/de.po b/po/de.po index 4d0ef30..b3b84fb 100644 --- a/po/de.po +++ b/po/de.po 
@@ -1,85 +1,89 @@ # German translation for the cryptsetup package. # Copyright (C) 2010 Free Software Foundation, Inc. # This file is distributed under the same license as the cryptsetup package. -# Roland Illig <roland.illig@gmx.de>, 2010-2021. +# Roland Illig <roland.illig@gmx.de>, 2010-2023. # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-13 21:05+0100\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-02 22:57+0100\n" "Last-Translator: Roland Illig <roland.illig@gmx.de>\n" "Language-Team: German <translation-team-de@lists.sourceforge.net>\n" "Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Bugs: Report translation errors to the Language-Team address.\n" -"X-Generator: Poedit 3.0\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Bugs: Report translation errors to the Language-Team address.\n" +"X-Generator: Poedit 3.2.2\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden, da das Programm nicht mit Root-Rechten läuft." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden. Ist das Kernelmodul »dm_mod« geladen?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Verlangter »deferred«-Schalter wird nicht unterstützt." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID für Gerät »%s« wurde verkürzt." 
-#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Unbekannte Art des dm-Ziels." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Die verlangten dm-crypt-Performance-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Die verlangten dm-verity-Datenbeschädigungs-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Die verlangte dm-verity-Tasklet-Option wird nicht unterstützt." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." msgstr "Die verlangten dm-verity-FEC-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Die verlangten Datenintegritäts-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Die verlangte sector_size-Option wird nicht unterstützt." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Die verlangte automatische Berechnung der Integritätsangaben wird nicht unterstützt." 
-#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "»Discard/TRIM« wird nicht unterstützt." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Der verlangte Bitmap-Modus für dm-Integrität wird nicht unterstützt." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Fehler beim Abfragen des »dm-%s«-Segments." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -87,576 +91,611 @@ msgstr "" "Das System hat keine Entropie mehr, um den Laufwerksschlüssel zu generieren.\n" "Bitte bewegen Sie die Maus oder tippen Sie etwas Text in ein anderes Fenster, um einige zufällige Ereignisse zu sammeln.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Schlüssel wird generiert (%d %% erledigt).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Laufe im FIPS-Modus." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Fataler Fehler während der Initialisierung des Zufallszahlengenerators." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Unbekannte Qualität des Zufallszahlengenerators verlangt." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Fehler beim Einlesen vom Zufallszahlengenerator." -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Fehler beim Initialisieren des Krypto-Zufallszahlengenerator-Backends." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Fehler beim Initialisieren des Krypto-Backends." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Hash-Algorithmus »%s« wird nicht unterstützt." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?" 
-#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt." -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Diese Operation wird nur für LUKS2-Geräte unterstützt." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Alle Schlüsselfächer sind voll." -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %d." -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet." -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "Header gefunden, aber Gerät »%s« ist zu klein." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Diese Operation wird für diese Geräteart nicht unterstützt." -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "Ungültige Operation, während die Wiederverschlüsselung läuft." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Fehler beim Rückabwickeln der LUKS2-Metadaten im Speicher." 
+ +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät." + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Nicht unterstützte LUKS-Version %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "Gerät »%s« ist nicht aktiv." -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Zugrundeliegendes Gerät für das Kryptogerät »%s« ist verschwunden." -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "Ungültige Parameter für Plain-Verschlüsselung." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "Ungültige Schlüsselgröße." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "UUID wird für diese Verschlüsselungsart nicht unterstützt." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "Gerät für separierte Metadaten wird für diese Verschlüsselungsart nicht unterstützt." 
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "Gerätegröße ist nicht an verlangter Sektorgröße ausgerichtet." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "Ohne Gerät kann LUKS nicht formatiert werden." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." msgstr "Die angeforderte Datenausrichtung ist nicht mit dem Datenoffset kompatibel." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "WARNING: Der Datenoffset ist außerhalb des derzeit verfügbaren Datengeräts.\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "Fehler beim Auslöschen des Headers auf Gerät »%s«." 
-#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Gerät %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden.\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "WARNUNG: Die Geräteaktivierung wird fehlschlagen, dm-crypt fehlt die Unterstützung für die angeforderte Verschlüsselungsgröße.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Laufwerksschlüssel ist zu klein für die Verschlüsselung mit Integritätserweiterungen." -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Verschlüsselung »%s-%s« (Schlüsselgröße %zd Bits) ist nicht verfügbar." -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "Warnung: Größe der LUKS2-Metadaten wurde auf %<PRIu64> geändert.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "Warnung: Größe des LUKS2-Schlüsselfachbereichs wurde auf %<PRIu64> Bytes geändert.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Gerät »%s« ist zu klein." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "Gerät »%s« kann nicht formatiert werden, da es gerade benutzt wird." 
-#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Gerät »%s« kann nicht formatiert werden, Zugriff verweigert." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "Fehler beim Formatieren der Integrität auf Gerät »%s«." -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "Gerät »%s« kann nicht formatiert werden." -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "Ohne Gerät kann LOOPAES nicht formatiert werden." -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "Ohne Gerät kann VERITY nicht formatiert werden." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Nicht unterstützte VERITY-Hash-Art %d." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Nicht unterstützte VERITY-Blockgröße." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Nicht unterstützter VERITY-Hash-Offset." -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "Nicht unterstützter VERITY-FEC-Offset." -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "Datenbereich und Hashbereich überlappen sich." -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "Hashbereich und FEC-Bereich überlappen sich." -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "Datenbereich und FEC-Bereich überlappen sich." 
-#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "WARNUNG: Angeforderte Taggröße mit %d Bytes unterscheidet sich von der Ausgabe der Größe %s (%d Bytes).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Unbekannte Art des Verschlüsselungsgeräts »%s« verlangt." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "Nicht unterstützte Parameter für Gerät %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Parameter für Gerät %s sind durcheinander." -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Verschlüsselungsgeräte passen nicht zusammen." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Gerät »%s« konnte nicht neugeladen werden." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Gerät »%s« konnte nicht stillgelegt werden." 
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Gerät »%s« konnte nicht fortgesetzt werden." -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Schwerwiegender Fehler beim Neuladen von Gerät »%s« (über Gerät »%s«)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Gerät »%s« konnte nicht auf dm-error umgeschaltet werden." -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "Fehler beim Ändern der Größe des Loopback-Geräts." -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "WARNUNG: Die maximale Größe ist bereits eingestellt oder der Kernel unterstützt die Größenänderung nicht.\n" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Fehler bei Größenänderung, der Kernel unterstützt sie nicht." + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "Wollen Sie wirklich die UUID des Geräts ändern?" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "Header-Backupdatei enthält keinen kompatiblen LUKS-Header." -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "Laufwerk »%s« ist nicht aktiv." -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "Laufwerk »%s« ist bereits im Ruhezustand." 
-#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand." -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden." -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden." -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Laufwerk »%s« ist nicht im Ruhezustand." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde." - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden." -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "Schlüsselfach %d ist ungültig." 
-#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "Schlüsselfach %d ist nicht aktiv." -#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "Geräteheader und Datenbereich überlappen sich." -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." msgstr "Wiederverschlüsselung läuft bereits. Das Gerät kann nicht aktiviert werden." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Fehler beim Zugriff auf die Sperre zur Wiederverschlüsselung." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "Geräteart ist nicht richtig initialisiert." -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "Das Gerät »%s« existiert bereits." -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Gerät »%s« kann nicht verwendet werden, da es gerade benutzt wird oder der Name ungültig ist." -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben." -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." 
msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben." -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "Signatur des Stammhashes erforderlich." -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Der Kernel-Schlüsselbund fehlt. Wird benötigt, um die Signatur zum Kernel zu übergeben." -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund." -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Fehler beim Abbrechen des verzögerten Löschens von Gerät »%s«." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Gerät »%s« wird gerade benutzt." -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "Ungültiges Gerät »%s«." -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "Laufwerks-Schlüsselpuffer zu klein." -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS2-Gerät." + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS1-Gerät." + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "Root-Hash für Verity-Gerät kann nicht ermittelt werden." 
-#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für BITLK-Gerät." + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für FVAULT2-Gerät." + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt." -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Datenoffset ist kein Vielfaches von %u Bytes." -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Gerät »%s« kann nicht konvertiert werden, da es gerade benutzt wird." -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Schlüsselfach %u konnte nicht dem Laufwerksschlüssel zugeordnet werden." -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Fehler beim Initialisieren der LUKS2-Schlüsselfach-Parameter." -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Schlüsselfach %d konnte nicht dem Digest zugeordnet werden." -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde." + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt." 
-#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund (Fehler %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Globale Speicherzugriffsserialisierungssperre konnte nicht angefordert werden." -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "Fehler beim Ermitteln der Prozesspriorität." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Fehler beim Entsperren des Speichers." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Fehler beim Öffnen der Schlüsseldatei." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Fehler beim Einlesen der Schlüsseldatei »%s« vom Terminal." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Fehler beim Öffnen der Schlüsseldatei." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Fehler beim Zugriff auf die Schlüsseldatei." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "Zu wenig Speicher zum Einlesen der Passphrase." -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Fehler beim Einlesen der Passphrase." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Nichts zu lesen in der Eingabe." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Größenbegrenzung für die Schlüsseldatei überschritten." 
-#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "Die gewünschte Menge an Daten kann nicht eingelesen werden." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "Gerät »%s« existiert nicht oder Zugriff verweigert." -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "Gerät »%s« ist nicht kompatibel." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Merkwürdige Optimale-Datenübertragungs-Größe für Datengerät (%u Bytes) wird ignoriert." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "Gerät »%s« ist zu klein. Mindestens %<PRIu64> Bytes erforderlich." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Gerät »%s« kann nicht benutzt werden, da es bereits anderweitig benutzt wird." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Gerät »%s« kann nicht verwendet werden, Zugriff verweigert." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "Fehler beim Abrufen der Infos über Gerät »%s«." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Das Loopback-Gerät kann nicht benutzt werden, da das Programm nicht mit Root-Rechten läuft." 
-#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Anklemmen des Loopback-Geräts fehlgeschlagen (das Loopback-Gerät benötigt den »autoclear«-Schalter)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Der angeforderte Offset ist jenseits der wirklichen Größe des Geräts »%s«." -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Gerät »%s« hat die Größe 0." 
@@ -710,40 +749,35 @@ msgstr "Die Anzahl der verlangten parallelen Threads für PBKDF darf nicht 0 sei msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Im FIPS-Modus wird ausschließlich PBKDF2 unterstützt." -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:175 msgid "PBKDF benchmark disabled but iterations not set." msgstr "PBKDF-Benchmark deaktiviert, aber Anzahl der Iterationen nicht angegeben." -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:194 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Inkompatible PBKDF2-Optionen (mit Hash-Algorithmus »%s«)." -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:214 msgid "Not compatible PBKDF options." msgstr "Inkompatible PBKDF2-Optionen." -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (kein Verzeichnis oder existiert nicht)." -#: lib/utils_device_locking.c:109 -#, c-format -msgid "Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "Das Verzeichnis %s/%s, das die Dateisperren enthält, wird mit den vorgegebenen, fest einprogrammierten Berechtigungen erzeugt." - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (%s ist kein Verzeichnis)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Fehler beim Springen zum Gerät-Offset." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." 
msgstr "Fehler beim gründlichen Löschen des Geräts, an Offset %<PRIu64>." @@ -766,9 +800,9 @@ msgstr "Schlüsselgröße im XTS-Modus muss entweder 256 oder 512 Bits sein." msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "Verschlüsselungsverfahren sollte im Format [Verfahren]-[Modus]-[IV] sein." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Fehler beim Schreiben auf Gerät »%s«, Zugriff verweigert." 
@@ -781,23 +815,24 @@ msgstr "Fehler beim Öffnen des temporären Schlüsselspeichergeräts." msgid "Failed to access temporary keystore device." msgstr "Fehler beim Zugriff auf das temporäre Schlüsselspeichergerät." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "E/A-Fehler beim Verschlüsseln des Schlüsselfachs." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Fehler beim Öffnen des Geräts »%s«." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "E/A-Fehler beim Entschlüsseln des Schlüsselfachs." 
@@ -813,65 +848,54 @@ msgstr "Gerät »%s« ist zu klein. (LUKS1 benötigt mindestens %<PRIu64> Bytes. msgid "LUKS keyslot %u is invalid." msgstr "LUKS-Schlüsselfach %u ist ungültig." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "Angeforderte Header-Backupdatei »%s« existiert bereits." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "Fehler beim Anlegen der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "Fehler beim Speichern der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "Backupdatei enthält keinen gültigen LUKS-Header." 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "Fehler beim Öffnen der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "Fehler beim Einlesen der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "Unterschiedlicher Offset oder Schlüsselgröße zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Gerät »%s« %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "enthält keinen LUKS-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "enthält bereits einen LUKS-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" 
@@ -879,128 +903,132 @@ msgstr "" "\n" "WARNUNG: Der Header des echten Geräts hat eine andere UUID als das Backup!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Ungewöhnliche Schlüsselgröße, manuelles Reparieren erforderlich." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Ungewöhnliche Ausrichtung der Schlüsselfächer, manuelles Reparieren erforderlich." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Verschlüsselungsmodus repariert (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Chiffre-Hash in Kleinbuchstaben umgewandelt (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Verlangter LUKS-Hash »%s« wird nicht unterstützt." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Schlüsselfächer werden repariert." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Schlüsselfach %i: Offset repariert (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Schlüsselfach %i: Streifen repariert (%u -> %u)." # XXX -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Schlüsselfach %i: schwindlerische Partitions-Signatur." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Schlüsselfach %i: Salt gelöscht." 
-#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "LUKS-Header wird auf den Datenträger geschrieben." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Fehler beim Reparieren." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "LUKS-Verschlüsselungsmodus %s ist ungültig." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "LUKS-Hash %s ist ungültig." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "Keine bekannten Probleme im LUKS-Header erkannt." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Fehler beim Aktualisieren des LUKS-Headers auf Gerät »%s«." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Fehler beim Neueinlesen des LUKS-Headers nach dem Aktualisieren auf Gerät »%s«." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Daten-Offset für LUKS-Header muss entweder 0 sein oder mehr als die Headergröße." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "Falsches LUKS-UUID-Format angegeben." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." 
msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Einlesen des zufälligen Salts." # XXX -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Hashen des Headers (mit Hash-Algorithmus »%s«)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "Schlüsselfach %d aktiv, löschen Sie es erst." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Material für Schlüsselfach %d enthält zu wenige Streifen. Manipulation des Headers?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Überlauf im Iterationswert von PBKDF2." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Schlüsselfach kann nicht geöffnet werden (mit Hash-Algorithmus »%s«)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie ein Schlüsselfach zwischen 0 und %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Gerät »%s« kann nicht ausgelöscht werden." 
@@ -1021,215 +1049,233 @@ msgstr "Inkompatible Loop-AES-Schlüsseldatei erkannt." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Kernel unterstützt Loop-AES-kompatibles Mapping nicht." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Maximale Länge der TCRYPT-Passphrase (%zu) überschritten." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Der Hash-Algorithmus »%s« für PBKDF2 wird nicht unterstützt, überspringe diesen Teil." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "Die benötigte Crypto-Kernel-Schnittstelle ist nicht verfügbar." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Stellen Sie sicher, dass das Kernelmodul »algif_skcipher« geladen ist." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Aktivierung wird für die Sektorengröße %d nicht unterstützt." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Der Kernel unterstützt die Aktivierung für diesen TCRYPT-Legacymodus nicht." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "TCRYPT-Systemverschlüsselung für Partition »%s« wird aktiviert." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." 
msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht." -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des unterstützten Volume Master Keys gefunden." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "Ungültige Zeichenkette beim Parsen des Volume Master Key gefunden." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Unerwartete Zeichenkette »%s« beim Parsen des Volume Master Key gefunden." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Unerwarteter Metadaten-Eintrag %u beim Einlesen des unterstützten Volume Master Key gefunden." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Fehler beim Lesen der BITLK-Signatur von »%s«." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Ungültige oder unbekannte Signatur für BITLK-Gerät." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "BITLK Version 1 wird derzeit nicht unterstützt." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Ungültige oder unbekannte Bootsignatur für BITLK-Gerät." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "Nicht unterstützte Sektorengröße %<PRIu16>." 
-#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Fehler beim Lesen des BITLK-Headers von »%s«." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Fehler beim Schreiben der BITLK-FVE-Metadaten von »%s«." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Unbekannte oder nicht unterstützte Verschlüsselungsart." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Fehler beim Lesen der BITLK-Metadaten von »%s«." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "Fehler beim Konvertieren der BITLK-Volumenbeschreibung" + +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des externen Schlüssels gefunden." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:905 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "Die GUID der BEK-Datei »%s« stimmt nicht mit der GUID des Laufwerks überein." + +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Unerwarteter Metadaten-Eintrag »%u« beim Einlesen des externen Schlüssels gefunden." 
-#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Nicht unterstützte BEK-Metadatenversion %<PRIu32>" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Unerwartete BEK-Metadatengröße %<PRIu32> stimmt nicht mit BEK-Dateilänge überein" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Einlesen des Startschlüssels gefunden." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "Diese Operation wird nicht unterstützt." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "Unerwartete Größe des Datenschlüssels." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Dieses BITLK-Gerät ist in einem nicht unterstützten Zustand und kann daher nicht aktiviert werden." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "BITLK-Geräte der Art »%s« können nicht aktiviert werden." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Aktivieren eines teilweise entschlüsselten BITLK-Geräts wird nicht unterstützt." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1262 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "WARNUNG: BitLocker-Datenträgergröße %<PRIu64> stimmt nicht mit der zugrunde liegenden Gerätegröße %<PRIu64> überein" + +#: lib/bitlk/bitlk.c:1389 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." 
msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für BITLK-IV." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1393 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Gerät kann nicht aktiviert werden, da dem Kernelmodul dm-crypt die Unterstützung für BITLK-Elephant-Verschleierer fehlt." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1397 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für große Sektoren." + +#: lib/bitlk/bitlk.c:1401 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Gerät kann nicht aktiviert werden, das Kernelmodul dm-crypt existiert nicht." + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "Fehler beim Einlesen von %u Bytes aus dem Laufwerks-Kopfbereich." + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "Nicht unterstützte VFAULT2-Version %<PRIu16>." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Verity-Gerät »%s« benutzt keinen Header auf dem Datenträger." -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Gerät »%s« ist kein gültiges VERITY-Gerät." - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Nicht unterstützte VERITY-Version %d." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "VERITY-Header verfälscht." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "Falsches VERITY-UUID-Format über Gerät »%s« angegeben." 
-#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Fehler beim Aktualisieren des VERITY-Headers auf Gerät »%s«." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Verifikation der Stammhash-Signatur wird nicht unterstützt." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Fehler können mit einem FEC-Gerät nicht repariert werden." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "%u reparierbare Fehler mit FEC-Gerät gefunden." -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "Kernel unterstützt dm-verity-Zuordnung nicht." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "Kernel unterstützt Signatur-Option für dm-verity nicht." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "Verity-Gerät hat eine Verfälschung nach der Aktivierung festgestellt." 
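Review bot: The msgstr for "Unexpected metadata entry found when parsing startup key." (the lib/bitlk/bitlk.c:979 entry) contains `%u`, although the msgid has no conversion and carries no `c-format` flag, so a run of `msgfmt --check-format` would presumably not catch it. If the caller passes the translated string to a printf-style logger, which the neighbouring `c-format` entries suggest but this hunk does not show, the German catalogue would make it read an argument that was never passed. I would drop the placeholder: `msgstr "Unerwarteter Metadaten-Eintrag beim Einlesen des Startschlüssels gefunden."`. In the same hunk, the added entry for lib/bitlk/bitlk.c:1401 reports a missing dm-zero module as dm-crypt, and the lib/fvault2/fvault2.c:554 entry spells FVAULT2 as VFAULT2; both point an operator at the wrong component when an activation fails.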
@@ -1301,46 +1347,51 @@ msgstr "Fehler beim Reparieren der Parität für RS-Block %<PRIu64>." msgid "Failed to write parity for RS block %<PRIu64>." msgstr "Fehler beim Schreiben der Parität für RS-Block %<PRIu64>." -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "Blockgrößen müssen für FEC zusammen passen." -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "Ungültige Anzahl von Paritätsbytes." -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "Ungültige FEC-Segmentlänge." -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "Fehler beim Ermitteln der Größe von Gerät »%s«." -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "Inkompatible Metadaten des Kernelmoduls dm-integrity (Version %u) auf %s entdeckt." + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 msgid "Kernel does not support dm-integrity mapping." msgstr "Kernel unterstützt dm-integrity-Zuordnung nicht." -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "Kernel unterstützt feste Ausrichtung der Metadaten für dm-integrity nicht." -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Der Kernel weigert sich, die unsichere Neuberechnungs-Option zu aktivieren. Um dies zu übersteuern, können Sie die veralteten Aktivierungsoptionen nutzen." 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 +#: lib/luks2/luks2_json_metadata.c:1482 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Fehler beim exklusiven Schreibzugriff auf Gerät »%s«." -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "Es wurde ein Versuch erkannt, die LUKS2-Metadaten nebenläufig zu ändern. Die Operation wird abgebrochen." -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." 
@@ -1348,49 +1399,49 @@ msgstr "" "Gerät enthält mehrdeutige Signaturen, LUKS2 kann nicht automatisch wiederhergestellt werden.\n" "Bitte führen Sie \"cryptsetup repair\" zur Wiederherstellung aus." -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:229 msgid "Requested data offset is too small." msgstr "Verlangter Daten-Offset ist zu klein." -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:274 #, c-format msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "WARNING: Der Schlüsselfach-Bereich (%<PRIu64> Bytes) ist sehr klein, die LUKS2-Schlüsselfachanzahl ist sehr begrenzt.\n" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 +#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Fehler beim Zugriff auf die Lesesperre für das Gerät »%s«." -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1405 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Verbotene LUKS2-Anforderungen in Backup »%s« entdeckt." -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1446 msgid "Data offset differ on device and backup, restore failed." msgstr "Unterschiedliche Datenoffsets auf Gerät und Backup. Wiederherstellung fehlgeschlagen." -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1452 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Unterschiedliche Größe der Binärheader mit Schlüsselfach-Bereichen zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen." 
-#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1459 #, c-format msgid "Device %s %s%s%s%s" msgstr "Gerät »%s« %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1460 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "enthält keinen LUKS2-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören." -#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1461 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "enthält bereits einen LUKS2-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören." -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1463 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1400,7 +1451,7 @@ msgstr "" "WARNUNG: Unbekannte LUKS2-Anforderungen im echten Geräteheader entdeckt!\n" "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen!" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1465 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" 
@@ -1410,408 +1461,471 @@ msgstr "" "WARNUNG: Unvollendete Offline-Wiederverschlüsselung auf dem Gerät entdeckt!\n" "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen." -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1562 #, c-format msgid "Ignored unknown flag %s." msgstr "Unbekannter Schalter »%s« wird ignoriert." -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Fehlender Schlüssel für dm-crypt-Segment %u" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 msgid "Failed to set dm-crypt segment." msgstr "Fehler beim Festlegen des »dm-crypt«-Segments." -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 msgid "Failed to set dm-linear segment." msgstr "Fehler beim Festlegen des »dm-linear«-Segments." -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2615 msgid "Unsupported device integrity configuration." msgstr "Nicht unterstützte Konfiguration für Geräteintegrität." -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2701 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Wiederverschlüsselung läuft gerade. Das Gerät kann nicht deaktiviert werden." -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Das stillgelegte Gerät »%s« mit dm-error-Ziel konnte nicht in den Fehlerzustand gesetzt werden." 
-#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2792 msgid "Failed to read LUKS2 requirements." msgstr "Fehler beim Lesen der LUKS2-Anforderungen." -#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2799 msgid "Unmet LUKS2 requirements detected." msgstr "Unerfüllte LUKS2-Anforderungen entdeckt." -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2807 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für Altlasten-Wiederverschlüsselung markiert ist. Wird abgebrochen." -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2809 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für LUKS2-Wiederverschlüsselung markiert ist. Wird abgebrochen." -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 msgid "Not enough available memory to open a keyslot." msgstr "Nicht genügend Speicher, um ein Schlüsselfach zu öffnen." -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 msgid "Keyslot open failed." msgstr "Fehler beim Öffnen des Schlüsselfachs." -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Der Algorithmus %s-%s kann nicht für Schlüsselfach-Verschlüsselung verwendet werden." -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#, c-format +msgid "Hash algorithm %s is not available." 
+msgstr "Der Hash-Algorithmus »%s« ist nicht verfügbar." + +#: lib/luks2/luks2_keyslot_luks2.c:510 msgid "No space for new keyslot." msgstr "Nicht genug Speicherplatz für neues Schlüsselfach." -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "Ungültige Änderung des Modus für die robuste Wiederverschlüsselung angefordert." + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes." +msgstr "Die Art der Robustheit kann nicht geändert werden. Die neue Art bietet nur %<PRIu64> Bytes, der erforderliche Platz ist jedoch %<PRIu64> Bytes." + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "Fehler beim Auffrischen des Zusammenfassungswerts der Prüfung der Wiederverschlüsselung." + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Fehler beim Prüfen des Zustands von Gerät mit der UUID %s." -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Fehler beim Konvertieren des Headers mit zusätzlichen LUKSMETA-Metadaten." -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "Die Chiffrierspezifikation %s-%s kann für LUKS2 nicht verwendet werden." + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Nicht genug Speicherplatz." -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." 
+msgstr "Fehler beim Konvertieren ins LUKS2-Format: ungültige Metadaten." + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Bereich für die LUKS2-Schlüsselfächer ist zu klein." -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs." -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Fehler beim Konvertieren in LUKS1-Format: Standardgröße für Verschlüsselungssektoren ist nicht 512 Bytes." -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach-Digeste sind nicht zu LUKS1 kompatibel." -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Fehler beim Konvertieren in LUKS1-Format: Gerät verwendet eingepacktes Verschlüsselungsverfahren %s." -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "Fehler beim Konvertieren ins LUKS1-Format: Gerät verwendet mehr Segmente." + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Fehler beim Konvertieren in LUKS1-Format: LUKS2-Header enthält %u Token." -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." 
msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist in ungültigem Zustand." -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u (über Maximalfach) ist noch aktiv." -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist nicht zu LUKS1 kompatibel." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Die Größe der Hotzone muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Gerätegröße muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Nicht unterstützter Modus »%s« für Widerstandsfähigkeit" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher alter Segmente." 
-#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher neuer Segmente." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +msgid "Failed to initialize hotzone protection." +msgstr "Fehler beim Initialisieren des Hotzone-Schutzes." + +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "Fehler beim Lesen der Prüfsummen für die aktuelle Hotzone." -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "Fehler beim Lesen des Hotzone-Bereichs, der bei %<PRIu64> beginnt." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Fehler beim Entschlüsseln von Sektor %zu." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "Fehler beim Wiederherstellen von Sektor %zu." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "Die Größe der Quell- und Zielgeräte stimmt nicht überein. Quelle %<PRIu64>, Ziel: %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Fehler beim Aktivieren des Hotzone-Geräts »%s«." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." 
msgstr "Fehler beim Aktivieren des Überlagerungsgeräts »%s« mit der tatsächlichen Ursprungstabelle." -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Fehler beim Laden der neuen Zuordnung für Gerät »%s«." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "Fehler beim Auffrischen des Gerätestapels für Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "Fehler beim Festlegen der neuen Bereichsgröße für Schlüsselfächer." -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." msgstr "Datenverschiebung ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (%<PRIu32> Bytes) ausgerichtet." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." +msgid "Unsupported resilience mode %s" +msgstr "Nicht unterstützter Modus »%s« für Widerstandsfähigkeit" + +#: lib/luks2/luks2_reencrypt.c:2760 +msgid "Moved segment size can not be greater than data shift value." +msgstr "Die Größe des verschobenen Segments kann nicht größer als der Wert der Datenverschiebung sein." + +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." +msgstr "Ungültige Parameter für die robuste Wiederverschlüsselung." + +#: lib/luks2/luks2_reencrypt.c:2824 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "Das verschobene Segment ist zu groß. 
Angeforderte Größe %<PRIu64>, verfügbarer Platz %<PRIu64>." + +#: lib/luks2/luks2_reencrypt.c:2911 +msgid "Failed to clear table." +msgstr "Fehler beim Leeren der Tabelle." + +#: lib/luks2/luks2_reencrypt.c:2997 +msgid "Reduced data size is larger than real device size." +msgstr "Die reduzierte Datengröße ist größer als die tatsächliche Gerätegröße." + +#: lib/luks2/luks2_reencrypt.c:3004 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." msgstr "Datengerät ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (%<PRIu32> Bytes) ausgerichtet." -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "Datenverschiebung (%<PRIu64> Sektoren) ist weniger als der zukünftige Datenoffset (%<PRIu64> Sektoren)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Fehler beim exklusiven Öffnen von »%s« (wird bereits anderweitig benutzt)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "Das Gerät ist nicht für LUKS2-Wiederverschlüsselung markiert." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "Fehler beim Laden des LUKS2-Wiederverschlüsselungs-Kontextes." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." msgstr "Fehler beim Einlesen des Wiederverschlüsselungs-Zustands." 
-#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "Das Gerät befindet sich nicht in der Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "Der Wiederverschlüsselungs-Vorgang läuft bereits." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "Fehler beim Zugriff auf die Schreibsperre für die Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Führen Sie zuerst die Wiederverschlüsselungs-Wiederherstellung durch." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "Aktive Gerätegröße und angeforderte Wiederverschlüsselungsgröße passen nicht zusammen." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "Ungültige Gerätegröße wurde in den Wiederverschlüsselungsparametern angefordert." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Wiederverschlüsselung läuft bereits. Wiederherstellung ist nicht möglich." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "LUKS2-Wiederverschlüsselung ist in den Metadaten bereits initialisiert." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." 
msgstr "LUKS2-Wiederverschlüsselung konnte in den Metadaten nicht initialisiert werden." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Fehler beim Festlegen der Gerätesegmente für die nächste Wiederverschlüsselungs-Hotzone." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "Fehler beim Schreiben der Metadaten für robuste Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "Fehler beim Entschlüsseln." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Fehler beim Schreiben des Hotzone-Bereichs, der bei %<PRIu64> beginnt." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "Fehler beim Synchronisieren von Daten." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Fehler beim Aktualisieren der Metadaten, nachdem die aktuelle Wiederverschlüsselungs-Hotzone beendet wurde." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "Fehler beim Schreiben der LUKS2-Metadaten." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Fehler beim gründlichen Löschen der Backupsegmentdaten." +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." +msgstr "Fehler beim gründlichen Löschen des ungenutzten Bereichs auf dem Gerät." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Fehler beim Deaktivieren der Wiederverschlüsselungsanforderung." 
+#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Fehler beim Entfernen des ungenutzten (ungebundenen) Schlüsselfachs %d." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "Fehler beim Entfernen des Schlüsselfachs zur Wiederverschlüsselung." + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." msgstr "Schwerwiegender Fehler beim Wiederverschlüsseln des Blocks bei %<PRIu64>, %<PRIu64> Sektoren lang." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "Fehler bei Online-Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "Das Gerät nicht fortsetzen, außer es wird manuell durch das Fehlerziel ersetzt." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Unerwarteter Zustand der Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "Fehlender oder ungültiger Wiederverschlüsselungs-Kontext." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "Fehler beim Initialisieren des Gerätestapels für Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." msgstr "Fehler beim Aktualisieren des Wiederverschlüsselungskontexts." 
-#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "Die Metadaten für die Wiederverschlüsselung sind ungültig." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Verschlüsselungsparameter für Schlüsselfach wird nur für LUKS2-Geräte unterstützt." -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "Geben Sie die PIN des Tokens ein:" +msgid "Enter token PIN: " +msgstr "Geben Sie die PIN des Tokens ein: " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "Geben Sie die PIN des Tokens %d ein:" +msgid "Enter token %d PIN: " +msgstr "Geben Sie die PIN des Tokens %d ein: " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Kein bekanntes Verschlüsselungsmuster entdeckt." 
-#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "WARNUNG: Der Parameter --hash wird im Plain-Modus ignoriert, wenn eine Schlüsseldatei angegeben ist.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "WARNUNG: Die Option --keyfile-size wird ignoriert, da die Lesegröße die gleiche ist wie die Verschlüsselungsschlüsselgröße ist.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Gerätesignaturen auf »%s« erkannt. Wenn Sie fortfahren, könnte das bestehende Daten beschädigen." -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "Vorgang abgebrochen.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "Die Option »--key-file« muss angegeben werden." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "VeraCrypt-PIM eingeben: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Ungültiger PIM-Wert: Formatfehler." -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Ungültiger PIM-Wert: 0." -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." 
msgstr "Ungültiger PIM-Wert: außerhalb des gültigen Bereichs." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "Kein Geräte-Header mit dieser Passphrase gefunden." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Gerät »%s« ist kein gültiges BITLK-Gerät." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Die Größe des Laufwerksschlüssels für BITLK kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1823,7 +1937,7 @@ msgstr "" "daher ausschließlich an einem sicheren Ort und verschlüsselt\n" "aufbewahrt werden." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1835,56 +1949,65 @@ msgstr "" "daher ausschließlich an einem sicheren Ort und verschlüsselt\n" "aufbewahrt werden." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "Gerät »%s« ist kein gültiges FVAULT2-Gerät." + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "Die Größe des Laufwerksschlüssels für FVAULT2 kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«." + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Gerät »%s« ist noch aktiv und zum verzögerten Entfernen eingeplant.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Um die Größe von aktiven Geräten zu öndern, muss der Laufwerksschlüssel im Schlüsselbund sein, aber die Option --disable-keyring wurde angegeben." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "Benchmark unterbrochen." 
-#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s (nicht zutreffend)\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u Iterationen pro Sekunde für %zu-Bit-Schlüssel\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s (nicht zutreffend)\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u Iterationen, %5u Speicher, %1u parallele Threads (CPUs) für %zu-Bit-Schlüssel (Zieldauer %u Millisekunden)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "Das Ergebnis des Benchmarks ist nicht zuverlässig." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Die Tests sind nur annähernd genau, da sie nicht auf den Datenträger zugreifen.\n" # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption". # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators. #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." 
msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfügbar." 
@@ -1892,35 +2015,51 @@ msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfü # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption". # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators. #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "N/A" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Es scheint, dass das Gerät keine Wiederherstellung der Wiederverschlüsselung braucht.\n" -"Trotzdem fortsetzen?" +"Ungeschützte LUKS2-Metadaten für die Wiederverschlüsselung entdeckt. Bitte überprüfen Sie, ob die Wiederverschlüsselungsoperation erwünscht ist (siehe luksDump-Ausgabe)\n" +"und fahren Sie nur fort (Upgrade der Metadaten), wenn Sie den Vorgang als echt anerkennen." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Geben Sie die Passphrase für den Schutz und das Aktualisieren der Metadaten für die Wiederverschlüsselung ein: " + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" 
msgstr "Wirklich mit der Wiederherstellung der LUKS2-Wiederverschlüsselung fortfahren?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Geben Sie die Passphrase für das Prüfen der Metadaten für die Wiederverschlüsselung ein: " + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "Geben Sie die Passphrase für die Wiederherstellung der Wiederverschlüsselung ein: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "Wirklich versuchen, den LUKS-Geräteheader wiederherzustellen?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Gründlich löschen unterbrochen." + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1929,113 +2068,128 @@ msgstr "" "Sie können diesen Vorgang mit Strg+C unterbrechen (der nicht gesäuberte Bereich des Geräts wird dann ungültige Prüfsummen haben).\n" # upstream: it is boring that I have to translate the newline at the end of each of these messages. Translating strings without newlines is much easier and faster. Since it is redundant anyway (all calls to log_err have a trailing newline), this newline should be written implicitly. -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Fehler beim Deaktivieren des temporären Geräts »%s«." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "Die Integritätsoption kann nur für das LUKS2-Format verwendet werden." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Nicht unterstützte Optionen für Größe der LUKS-Metadaten." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Die Headerdatei existiert nicht, soll sie angelegt werden?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Fehler beim Anlegen der Headerdatei »%s«." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Kein bekanntes Integritätsspezifikationsmuster entdeckt." 
-#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Das Gerät »%s« kann nicht als Datenträger-Header benutzt werden." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Hiermit werden die Daten auf »%s« unwiderruflich überschrieben." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Fehler beim Festlegen der PBKDF-Parameter." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Verringerter Datenoffset ist nur für separaten LUKS-Header erlaubt." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "LUKS-Datei-Container %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Die Größe des Laufwerksschlüssels erfordert Schlüsselfächer, bitte nutzen Sie dazu die Option »--key-size«." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Gerät aktiviert, aber die Schalter können nicht dauerhaft gespeichert werden." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Schlüsselfach %d zum Löschen ausgewählt." 
-#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Dies ist das letzte Schlüsselfach. Wenn Sie diesen Schlüssel löschen, wird das Gerät unbrauchbar." -#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Geben Sie irgendeine verbleibende Passphrase ein: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Vorgang abgebrochen, das Schlüsselfach wurde NICHT gesäubert.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Geben Sie die zu löschende Passphrase ein: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Gerät »%s« ist kein gültiges LUKS2-Gerät." 
+ +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Geben Sie die neue Passphrase für das Schlüsselfach ein: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "WARNUNG: Der Parameter --key-slot wird für die neue Nummer des Schlüsselfachs verwendet.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Geben Sie irgendeine bestehende Passphrase ein: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Geben Sie die zu ändernde Passphrase ein: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Geben Sie die neue Passphrase ein: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "Geben Sie die Passphrase für das umzuwandelnde Schlüsselfach ein: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." msgstr "Die Operation »isLuks« unterstützt nur genau ein Geräte-Argument." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Schlüsselfach %d enthält keinen unverbundenen Schlüssel." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." 
@@ -2044,40 +2198,40 @@ msgstr "" "Dieser Dump sollte daher ausschließlich an einem sicheren Ort und\n" "verschlüsselt aufbewahrt werden." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "%s ist kein aktives %s-Gerät." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s ist kein aktives LUKS-Gerät, oder der Header fehlt." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "Option »--header-backup-file« muss angegeben werden." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s ist kein von cryptsetup verwaltetes Gerät." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Die Geräteart »%s« kann nicht aufgefrischt werden" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Unbekannte Art »%s« des Metadaten-Geräts." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "Dieser Befehl benötigt den Gerätenamen und den zugeordneten Namen als Argumente." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2086,335 +2240,351 @@ msgstr "" "Diese Operation wird alle Schlüsselfächer auf Gerät »%s« löschen.\n" "Dadurch wird das Gerät unbrauchbar." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Vorgang abgebrochen, die Schlüsselfächer wurden NICHT gesäubert.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Invalid LUKS type, only luks1 and luks2 are supported." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Das Gerät hat bereits den Typ »%s«." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Diese Operation wird für »%s« ins Format »%s« umwandeln.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Vorgang abgebrochen, das Gerät wurde NICHT konvertiert.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "Die Option --priority, --label oder --subsystem fehlt." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Token %d ist ungültig." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Token %d ist in Benutzung." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Fehler beim Hinzufügen des LUKS2-Schlüsselring-Tokens %d." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Token %d kann nicht dem Schlüsselfach %d zugeordnet werden." 
-#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "Token %d wird gerade nicht verwendet." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Token konnte nicht aus der Datei importiert werden." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Auf Token %d kann nicht für den Export zugegriffen werden." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Automatisch erkanntes aktives dm-Gerät »%s« für Datengerät »%s«.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "Token %d ist nicht dem Schlüsselfach %d zugeordnet." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "Gerät »%s« ist kein Blockgerät.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Token %d kann nicht vom Schlüsselfach %d losgelöst werden." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Fehler bei der automatischen Erkennung von Gerät »%s«." +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt." 
-#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Es ist unklar, ob das Gerät »%s« aktiviert ist oder nicht.\n" -"Möchten Sie wirklich mit der Wiederverschlüsselung im Offline-Modus fortfahren?\n" -"Es kann zu Datenverlust kommen, wenn das Gerät gerade aktiviert ist.\n" -"Um die Wiederverschlüsselung im Online-Modus durchzuführen, verwenden Sie stattdessen den Parameter --active-name.\n" +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Die Optionen --veracrypt und --disable-veracrypt werden nur für TCRYPT-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Verschlüsselung wird nur für das LUKS2-Format unterstützt." +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Die Option --veracrypt-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Verschlüsselung ohne separaten Kopfbereich (--header) ist nur möglich, wenn die Größe des Hauptgeräts reduziert wird (--reduce-device-size)." +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Die Option --veracrypt-query-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." 
-msgstr "Der angeforderte Datenoffset darf maximal die Hälfte des Parameters --reduce-device-size betragen." +#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Die Optionen --veracrypt-pim und --veracrypt-query-pim schließen sich gegenseitig aus." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Der Wert von --reduce-device-size wird auf das Doppelte von --offset %<PRIu64> (in Sektoren) angepasst.\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "LUKS-Gerät auf »%s« erkannt. Möchten Sie dieses LUKS-Gerät erneut verschlüsseln?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Temporäre Headerdatei »%s« existiert bereits. Wird abgebrochen." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Fehler beim Anlegen der temporären Headerdatei »%s«." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "Die Größe der LUKS2-Metadaten ist größer als der Wert der Datenverschiebung." +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Die Option --persistent ist nicht mit --test-passphrase kombinierbar." #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Der neue Header konnte nicht am Kopf des Geräts %s platziert werden." +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Die Optionen --refresh und --test-passphrase schließen sich gegenseitig aus." 
-#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." +msgstr "Die Option --shared ist nur beim beim »open«-Befehl eines Plain-Gerätes erlaubt." -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "LUKS2-Entschlüsselung wird nur mit losgelöstem Headergerät unterstützt (mit Datenoffset auf 0 gesetzt)." +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Nicht genügend freie Schlüsselfächer für Wiederverschlüsselung." +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Die Option --offset mit der Aktion Öffnen wird nur für einfache und loopaes-Geräte unterstützt." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden." -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Geben Sie die Passphrase für Schlüsselfach %d ein: " +#: src/cryptsetup.c:3023 +msgid "Sector size option with open action is supported only for plain devices." 
+msgstr "Die Option \"Sektorgröße\" mit der Aktion \"Öffnen\" wird nur für einfache Geräte unterstützt." -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: " +#: src/cryptsetup.c:3027 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Die Option für große IV-Sektoren wird nur unterstützt, wenn das geöffnete Gerät Sektoren größer als 512 Bytes hat." -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Der Verschlüsselungsalgorithmus wird auf %s geändert.\n" +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS-, TCRYPT-, BITLK- und FVAULT2-Geräten erlaubt." -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Dieser Befehl benötigt den Gerätenamen als Argument." +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." +msgstr "Die Optionen --device-size und --size können nicht kombiniert werden." -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "Derzeit wird nur das LUKS2-Format unterstützt. Bitte verwenden Sie das Werkzeug cryptsetup-reencrypt für LUKS1." +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Die Option »--unbound« ist nur beim »open«-Befehl eines LUKS-Gerätes erlaubt." -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Veraltete Offline-Wiederverschlüsselung wird gerade durchgeführt. Verwenden Sie das Hilfsprogramm cryptsetup-reencrypt." 
+#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "Die Option »--unbound« kann nur in Kombination mit »--test-passphrase« verwendet werden." -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Wiederverschlüsselung von Geräten mit Integritätsprofil wird nicht unterstützt." +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Die Optionen --cancel-deferred und --deferred können nicht kombiniert werden." -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "Die LUKS2-Wiederverschlüsselung wurde bereits begonnen. Die Operation wird abgebrochen." +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Die Optionen --reduce-device-size und --data-size können nicht kombiniert werden." -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "LUKS2-Gerät wird derzeit nicht wiederverschlüsselt." +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Die Option »--active-name« ist nur auf LUKS2-Geräte anwendbar." -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Die Optionen »--active-name« und »--force-offline-reencrypt« können nicht kombiniert werden." + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "Das Schlüsselfach muss angegeben werden." + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Die Optionen --align-payload und --offset können nicht kombiniert werden." 
+ +#: src/cryptsetup.c:3091 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "Die Option --integrity-no-wipe ist nur für die »format«-Aktion mit Integritätserweiterung erlaubt." + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." +msgstr "Nur eine der Optionen --use-[u]random ist erlaubt." + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "Die Option »--unbound« erfordert die Schlüsselgröße." + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "Ungültige Token-Aktion." + +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "Der Parameter --key-description ist Pflicht für die Aktion »token add«." + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Die Aktion erfordert ein bestimmtes Token. Verwenden Sie den Parameter --token-id." + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "Die Option »--unbound« kann nur zusammen mit der Aktion zum Hinzufügen eines Tokens verwendet werden." + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Die Optionen --key-slot und --unbound können nicht kombiniert werden." + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "Die Aktion erfordert ein bestimmtes Schlüsselfach. Verwenden Sie den Parameter --key-slot." 
+ +#: src/cryptsetup.c:3156 msgid "<device> [--type <type>] [<name>]" msgstr "<Gerät> [--type <Art>] [<Name>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as <name>" msgstr "Gerät als <Name> öffnen" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<Name>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "Gerät schließen (Zuordnung entfernen)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "Größe des aktiven Geräts ändern" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3159 msgid "show device status" msgstr "Gerätestatus anzeigen" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "[--cipher <cipher>]" msgstr "[--cipher <Algorithmus>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "Verschlüsselungsalgorithmus benchmarken" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: 
src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "<device>" msgstr "<Gerät>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "Versuchen, die Metadaten auf dem Datenträger zu reparieren" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "LUKS2-Gerät wiederverschlüsseln" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "Alle Schlüsselfächer löschen (Verschlüsselungsschlüssel entfernen)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "Zwischen den Formaten LUKS und LUKS2 umwandeln" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "Permanente Konfigurationsoptionen für LUKS2 festlegen" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid "<device> [<new key file>]" msgstr "<Gerät> [<neue Schlüsseldatei>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "Ein LUKS-Gerät formatieren" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "Schlüssel zu LUKS-Gerät hinzufügen" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid "<device> [<key file>]" msgstr "<Gerät> [<Schlüsseldatei>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "Entfernt bereitgestellten Schlüssel oder Schlüsseldatei vom LUKS-Gerät" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "Ändert den angegebenen Schlüssel oder die Schlüsseldatei des LUKS-Geräts" -#: src/cryptsetup.c:3512 +#: 
src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "Wandelt einen Schlüssel in neue PBKDF-Parameter um" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "<device> <key slot>" msgstr "<Gerät> <Schlüsselfach>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "wipes key with number <key slot> from LUKS device" msgstr "Löscht Schlüssel mit Nummer <Schlüsselfach> vom LUKS-Gerät" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "UUID des LUKS-Geräts ausgeben" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3173 msgid "tests <device> for LUKS partition header" msgstr "Testet <Gerät> auf Header einer LUKS-Partition" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "LUKS-Partitionsinformationen ausgeben" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "TCRYPT-Geräteinformationen ausgeben" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "BITLK-Geräteinformationen ausgeben" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "VFAULT2-Geräteinformationen ausgeben" + +#: src/cryptsetup.c:3178 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "LUKS-Gerät in Ruhezustand versetzen und alle Schlüssel auslöschen (alle IOs werden eingefroren)" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "LUKS-Gerät aus dem Ruhezustand aufwecken" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "Header und Schlüsselfächer eines LUKS-Geräts sichern" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "Header und Schlüsselfächer eines LUKS-Geräts wiederherstellen" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid 
"<add|remove|import|export> <device>" msgstr "<add|remove|import|export> <Gerät>" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "LUKS2-Token manipulieren" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" @@ -2422,19 +2592,19 @@ msgstr "" "\n" "<Aktion> ist eine von:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old <action> syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "Sie können auch die alten <Aktion>-Aliase benutzen:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2449,7 +2619,7 @@ msgstr "" "<Schlüsselfach> ist die Nummer des zu verändernden LUKS-Schlüsselfachs\n" "<Schlüsseldatei> optionale Schlüsseldatei für den neuen Schlüssel der »luksAddKey«-Aktion\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" @@ -2458,7 +2628,7 @@ msgstr "" "\n" "Vorgegebenes festeingebautes Metadatenformat ist %s (für luksFormat-Aktion).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" 
@@ -2467,20 +2637,20 @@ msgstr "" "\n" "Die Unterstützung des externen Token-Plugins LUKS2 ist %s.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "integriert" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Pfad des Plugins für externe LUKS2-Token: %s.\n" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "deaktiviert" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2497,7 +2667,7 @@ msgstr "" "Vorgabe-PBKDF für LUKS2: %s\n" "\tIterationszeit: %d, benötigter Speicher: %d kB, parallele Threads: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" 
@@ -2512,206 +2682,96 @@ msgstr "" "\tplain: %s, Schlüssel: %d Bits, Passphrase-Hashen: %s\n" "\tLUKS: %s, Schlüssel: %d Bits, LUKS-Header-Hashen: %s, Zufallszahlengenerator: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3250 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Standard-Schlüsselgröße mit XTS-Modus (zwei interne Schlüssel) wird verdoppelt.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: Benötigt %s als Argumente" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Schlüsselfach ist ungültig." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "Die Gerätegröße muss ein Vielfaches von 512-Byte-Sektoren sein." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "Ungültige Angabe der Maximalgröße für die Wiederverschlüsselungs-Hotzone." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "Schlüsselgröße muss ein Vielfaches von 8 Bit sein" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "Die maximale Verkleinerungsgröße ist 1 GiB." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Die verkleinerte Größe muss ein Vielfaches von 512-Byte-Sektoren sein." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." 
msgstr "Die Option --priority kann nur »ignore/normal/prefer« sein." -#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "Diese Hilfe anzeigen" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Kurze Aufrufsyntax anzeigen" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "Paketversion ausgeben" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "Hilfe-Optionen:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[OPTION...] <Aktion> <aktionsabhängig>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Argument <Aktion> fehlt." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "Unbekannte Aktion." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Die Optionen --refresh und --test-passphrase schließen sich gegenseitig aus." 
- -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." -msgstr "Die Optionen --cancel-deferred und --deferred können nicht kombiniert werden." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Die Option --shared ist nur beim beim »open«-Befehl eines Plain-Gerätes erlaubt." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Die Option --persistent ist nicht mit --test-passphrase kombinierbar." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Die Option --integrity-no-wipe ist nur für die »format«-Aktion mit Integritätserweiterung erlaubt." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS, TCRYPT- und BITLK-Geräten erlaubt." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Die Option --key-file wirkt stärker als das angegebene Schlüsseldatei-Argument." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "Die Option --key-file ist nur einmal erlaubt." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Nur eine der Optionen --use-[u]random ist erlaubt." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Die Optionen --align-payload und --offset können nicht kombiniert werden." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." 
-msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." -msgstr "Die Option --offset mit der Aktion Öffnen wird nur für einfache und loopaes-Geräte unterstützt." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Die Optionen --veracrypt und --disable-veracrypt werden nur für TCRYPT-kompatible Geräte unterstützt." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Die Option --veracrypt-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Die Option --veracrypt-query-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Die Optionen --veracrypt-pim und --veracrypt-query-pim schließen sich gegenseitig aus." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Das Schlüsselfach muss angegeben werden." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3557 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." 
msgstr "Passwortbasierte Schlüsselableitungsfunktion (PBKDF) kann nur »pbkdf2« oder »argon2i/argon2id« sein." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Bei PBKDF darf nur entweder die Anzahl der Durchläufe oder die Zeitbegrenzung angegeben werden." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Die Option \"Sektorgröße\" mit der Aktion \"Öffnen\" wird nur für einfache Geräte unterstützt." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Die Option für große IV-Sektoren wird nur unterstützt, wenn das geöffnete Gerät Sektoren größer als 512 Bytes hat." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "Die Option »--unbound« erfordert die Schlüsselgröße." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "LUKS2-Entschlüsselung erfordert die Option --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Die Optionen --reduce-device-size und --data-size können nicht kombiniert werden." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Die Optionen --device-size und --size können nicht kombiniert werden." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Die Optionen --keyslot-cipher und --keyslot-keysize können nur zusammen benutzt werden." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Es wird keine Aktion ausgeführt. Aufgerufen mit der Option --test-args.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." 
-msgstr "Ungültige Token-Aktion." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "Der Parameter --key-description ist Pflicht für die Aktion »token add«." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "Die Aktion erfordert ein bestimmtes Token. Verwenden Sie den Parameter --token-id." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "Fehler beim Deaktivieren der Metadaten-Dateisperre." 
@@ -2739,67 +2799,72 @@ msgstr "Fehler beim Schreiben des Wurzel-Hash-Abbilds »%s«." msgid "Cannot write to root hash file %s." msgstr "Fehler beim Schreiben der Wurzel-Hashdatei »%s«." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "Gerät »%s« ist kein gültiges VERITY-Gerät." + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "Fehler beim Anlegen der Wurzel-Hashdatei »%s«." -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "Ungültige Root-Hash-Datei »%s«." -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "Ungültiger Root-Hash-String angegeben." -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "Ungültige Signaturdatei »%s«." -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "Fehler beim Einlesen der Signaturdatei »%s«." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "Der Befehl erfordert die Option <root_hash> oder --root-hash-file als Argument." 
-#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid "<data_device> <hash_device>" msgstr "<Datengerät> <Hash-Gerät>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "Gerät formatieren" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<Daten-Gerät> <Hash-Gerät> [<Wurzel_Hash>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "Gerät verifizieren" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<Datengerät> <Name> <Hash-Gerät> [<Wurzel-Hash>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "Status der aktiven Geräte anzeigen" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "<hash_device>" msgstr "<Hash-Gerät>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "Auf dem Datenträger gespeicherte Informationen anzeigen" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2814,7 +2879,7 @@ msgstr "" "<Hash-Gerät> ist das Gerät, das die Verifikationsdaten enthält\n" "<Root-Hash> ist der Hash des Rootknotens auf <Hash-Gerät>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" 
@@ -2825,28 +2890,46 @@ msgstr "" "Einkompilierte Vorgabewerte für dm-verity:\n" "\tHash: %s, Datenblock (Bytes): %u, Hashblock (Bytes): %u, Salt-Größe: %u, Hashformat: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:658 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Die Optionen --ignore-corruption und --restart-on-corruption können nicht zusammen benutzt werden." -#: src/veritysetup.c:651 +#: src/veritysetup.c:663 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Die Optionen --panic-on-corruption und --restart-on-corruption können nicht zusammen benutzt werden." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Dadurch werden Daten auf %s und %s unwiderruflich überschrieben.\n" +"Um Daten auf dem Gerät zu bewahren, verwenden Sie die Option »--no-wipe« (und aktivieren Sie sie dann mit »--integrity-recalculate«)." + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formatiert mit Etikettgröße %u und interner Integrität %s.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "Das Setzen der Option »recalculate« wird nicht unterstützt, Sie können stattdessen »--wipe« erwägen." + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "Gerät »%s« ist kein gültiges INTEGRITY-Gerät." 
+ +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<Integritätsgerät>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<Integritätsgerät> <Name>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2857,7 +2940,7 @@ msgstr "" "<Name> ist das Gerät, das unter »%s« angelegt werden soll\n" "<Integritätsgerät> ist das Gerät, das die Daten mit Integritätsangaben enthält\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2870,241 +2953,44 @@ msgstr "" "\tPrüfalgorithmus: %s\n" "\tMaximalgröße der Schlüsseldatei: %d kB\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Ungültige Größe für --%s. Maximum ist %u Bytes." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen angegeben werden." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen für die Journalintegrität angegeben werden." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Wenn ein Integritätsschlüssel für das Journal verwendet wird, muss auch der Integritätsalgorithmus angegeben werden." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Sowohl der Verschlüsselungsschlüssel als auch die Schlüsselgröße müssen für die Journalverschlüsselung angegeben werden." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Wenn ein Verschlüsselungsschlüssel für das Journal verwendet wird, muss auch der Verschlüsselungsalgorithmus angegeben werden." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Die Modi Wiederherstellung und Bitmap schließen sich gegenseitig aus." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "Die Journal-Optionen können nicht im Bitmap-Modus verwendet werden." 
-#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "Die Bitmapoptionen können nur im Bitmapmodus verwendet werden." -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Wiederverschlüsselung läuft bereits." - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird." - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "Belegen des ausgerichteten Speichers fehlgeschlagen." - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "Fehler beim Lesen von Gerät »%s«." - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "LUKS1-Gerät »%s« wird als unbenutzbar markiert." - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "LUKS2-Offline-Wiederverschlüsselungs-Kennzeichen wird auf Gerät »%s« festgelegt." - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "Fehler beim Schreiben auf Gerät »%s«." - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "Fehler beim Speichern der Wiederverschlüsselungs-Logdatei." - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "Fehler beim Einlesen der Wiederverschlüsselungs-Logdatei." - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Falsches Protokollformat." - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "Logdatei »%s« existiert, Wiederverschlüsselung wird fortgesetzt.\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." 
-msgstr "Temporäres Gerät mit dem alten LUKS-Header wird aktiviert." - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "Temporäres Gerät mit dem neuen LUKS-Header wird aktiviert." - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "Fehler beim Aktivieren der temporären Geräte." - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "Fehler beim Festlegen des Daten-Offsets." - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "Fehler beim Festlegen der Metadatengröße." - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "Neuer LUKS-Header für Gerät »%s« angelegt." - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Diese Version von cryptsetup-reencrypt kann internen Tokentyp %s nicht verarbeiten." - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "Fehler beim Lesen der Aktivierungsschalter aus dem Backup-Header." - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "Fehler beim Schreiben der Aktivierungsschalter in den neuen Header." - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "Fehler beim Lesen der Anforderungen aus dem Backup-Header." - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "%s-Backup-Header von Gerät »%s« angelegt." - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "Fehler beim Anlegen des LUKS-Backup-Headers." - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." 
-msgstr "Fehler beim Wiederherstellen des %s-Headers auf Gerät »%s«." - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "%s-Header auf Gerät »%s« wiederhergestellt." - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "Fehler beim Öffnen des temporären LUKS-Geräts." - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "Fehler beim Ermitteln der Gerätegröße." - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "E/A-Fehler während der Wiederverschlüsselung." - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "Die angegebene UUID ist ungültig." - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "Fehler beim Öffnen der Wiederverschlüsselungs-Logdatei." - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "Derzeit ist keine Entschlüsselung im Gange, die angegebene UUID kann nur benutzt werden, um einen unterbrochenen Entschlüsselungsvorgang fortzusetzen." - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "PBKDF-Parameter in Schlüsselfach %i wurden geändert." - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Für die Wiederverschlüsselungs-Blockgröße sind nur Werte zwischen 1 MiB und 64 MiB erlaubt." - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "Die maximale Verkleinerungsgröße ist 64 MiB." - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[OPTION...] <Gerät>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." 
-msgstr "Wiederverschlüsselung ändert: %s%s%s%s%s%s." - -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "Laufwerksschlüssel" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr ", Hash auf " - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", Verschlüsselung auf " - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Argument muss angegeben werden." - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "Die Option »--new« muss zusammen mit »--reduce-device-size« oder »--header« benutzt werden." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "Die Option »--keep-new« kann nur zusammen mit »--hash«, »--iter-time« oder »--pbkdf-force-iterations« benutzt werden." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "Die Option »--new« kann nicht zusammen mit »--decrypt« benutzt werden." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "Die Option --decrypt verträgt sich nicht mit den angegebenen Parametern." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "Die Option »--uuid« kann nur zusammen mit »--decrypt« benutzt werden." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Ungültiger LUKS-Typ. Verwenden Sie einen von diesen: luks, luks1, luks2." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3115,7 +3001,7 @@ msgstr "" "========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3126,148 +3012,174 @@ msgstr "" "\n" "Sind Sie sicher? (Tippen Sie 'yes' in Großbuchstaben): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Fehler beim Lesen der Antwort vom Terminal." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Befehl erfolgreich." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "Falsche oder fehlende Parameter" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "Kein Zugriff, oder falsche Passphrase" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "Nicht genug Speicher" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "Falsches Gerät oder falsche Datei angegeben" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "Das Gerät existiert bereits oder wird bereits benutzt" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "Unbekannter Fehler" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "Fehler %i beim Ausführen des Befehls »%s«." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Schlüsselfach %i erstellt." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Schlüsselfach %i entsperrt." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Schlüsselfach %i entfernt." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Token %i erstellt." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Token %i entfernt." 
-#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "Mit dieser PIN konnte kein Token entsperrt werden." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Token %i benötigt eine PIN." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Token (Art %s) benötigt eine PIN." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Token %i kann zugewiesenes Schlüsselfach nicht freischalten (falsche Schlüsselfach-Passphrase)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Token (Art %s) kann zugewiesenes Schlüsselfach nicht freischalten (falsche Schlüsselfach-Passphrase)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Token %i erfordert zusätzliche fehlende Ressource." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Token (Art %s) erfordert zusätzliche fehlende Ressource." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Es ist kein verwendbares Token (Art %s) vorhanden." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Es ist kein verwendbares Token verfügbar." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Gründlich löschen unterbrochen." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Wiederverschlüsselung unterbrochen." - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." 
msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«." -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Fehler beim Einlesen von %d Bytes aus der Schlüsseldatei »%s«." -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Fehler beim Schreiben der Schlüsseldatei »%s«." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Fehler beim Schreiben der Schlüsseldatei »%s«." -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> Tage" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> %s geschrieben" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "Geschwindigkeit %5.1f %s/s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Fortschritt: %5.1f%%, ETA %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Fertiggestellt, Zeit %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Fehler beim Prüfen der Passwortqualität: %s" 
@@ -3281,59 +3193,63 @@ msgstr "" "Passwort-Qualitätsüberprüfung fehlgeschlagen:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Passwort-Qualitätsüberprüfung fehlgeschlagen: Falsche Passphrase (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "Fehler beim Lesen der Passphrase vom Terminal." -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "Passphrase bestätigen: " -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "Passphrasen stimmen nicht überein." -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "Offset kann nicht zusammen mit Terminaleingabe benutzt werden." -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "Passphrase eingeben: " -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "Geben Sie die Passphrase für »%s« ein: " -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "Kein Schlüssel mit dieser Passphrase verfügbar." -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "Es ist kein nutzbares Schlüsselfach verfügbar." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Datei %s konnte nicht im Nur-Lese-Modus geöffnet werden." 
-#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Geben Sie gültiges LUKS2-Token-JSON an:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "JSON-Datei konnte nicht gelesen werden." -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3341,12 +3257,12 @@ msgstr "" "\n" "Lesen unterbrochen." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Datei %s konnte nicht im Schreibmodus geöffnet werden." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3354,54 +3270,423 @@ msgstr "" "\n" "Schreiben unterbrochen." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "JSON-Datei konnte nicht geschrieben werden." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Automatisch erkanntes aktives dm-Gerät »%s« für Datengerät »%s«.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Fehler bei der automatischen Erkennung von Gerät »%s«." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Gerät »%s« ist kein Blockgerät.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Es ist unklar, ob das Gerät »%s« aktiviert ist oder nicht.\n" +"Möchten Sie wirklich mit der Wiederverschlüsselung im Offline-Modus fortfahren?\n" +"Es kann zu Datenverlust kommen, wenn das Gerät gerade aktiviert ist.\n" +"Um die Wiederverschlüsselung im Online-Modus durchzuführen, verwenden Sie stattdessen den Parameter --active-name.\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Gerät %s ist kein Blockgerät. Kann nicht automatisch erkennen, ob es aktiv ist oder nicht.\n" +"Verwenden Sie --force-offline-reencrypt, um die Prüfung zu umgehen und im Offline-Modus zu laufen (gefährlich!)." 
+ +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Die angeforderte Option »--resilience« kann nicht auf den aktuellen Wiederverschlüsselungsvorgang angewendet werden." + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Das Gerät ist nicht der LUKS2-Verschlüsselung. Die Option »--encrypt« ist widersprüchlich." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Das Gerät ist nicht der LUKS2-Entschlüsselung. Die Option »--encrypt« ist widersprüchlich." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Das Gerät befindet sich in der Wiederverschlüsselung mit Datashift-Resilienz. Die angeforderte Option --resilience kann nicht angewendet werden." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Das Gerät erfordert die Wiederherstellung der Wiederverschlüsselung. Führen Sie zuerst die Reparatur aus." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Gerät %s befindet sich bereits in der LUKS2-Neuverschlüsselung. Möchten Sie den zuvor begonnenen Vorgang fortsetzen?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Die veraltete LUKS2-Wiederverschlüsselung wird nicht mehr unterstützt." + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Wiederverschlüsselung von Geräten mit Integritätsprofil wird nicht unterstützt." 
+ +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" +"Angeforderte --sector-size %<PRIu32> ist nicht kompatibel mit dem %s-Superblock\n" +"(Blockgröße: %<PRIu32>Bytes), der auf dem Gerät %s erkannt wurde." + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Verschlüsselung ohne separaten Kopfbereich (--header) ist nur möglich, wenn die Größe des Hauptgeräts reduziert wird (--reduce-device-size)." + +#: src/utils_reencrypt.c:525 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Der angeforderte Datenoffset darf maximal die Hälfte des Parameters --reduce-device-size betragen." + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Der Wert von --reduce-device-size wird auf das Doppelte von --offset %<PRIu64> (in Sektoren) angepasst.\n" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Temporäre Headerdatei »%s« existiert bereits. Wird abgebrochen." + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Fehler beim Anlegen der temporären Headerdatei »%s«." + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "Die Größe der LUKS2-Metadaten ist größer als der Wert der Datenverschiebung." + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Der neue Header konnte nicht am Kopf des Geräts %s platziert werden." 
+ +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung.\n" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Das aktive Gerät »%s« ist kein LUKS2-Gerät." + +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "Wiederherstellung des ursprünglichen LUKS2-Headers." + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "Fehler beim Wiederherstellen des ursprünglichen LUKS2-Headers." + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Die Header-Datei %s existiert nicht. Möchten Sie die LUKS2-Entschlüsselung von Gerät %s initialisieren und LUKS2-Header in Datei %s exportieren?" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Fehler beim Hinzufügen der Lese-/Schreibberechtigung für die exportierte Header-Datei." + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Fehler beim Initialisieren der Wiederverschlüsselung. Eine Sicherungskopie des Headers befindet sich in %s." + +#: src/utils_reencrypt.c:873 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "LUKS2-Entschlüsselung wird nur mit losgelöstem Headergerät unterstützt (mit Datenoffset auf 0 gesetzt)." + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "Nicht genügend freie Schlüsselfächer für Wiederverschlüsselung." + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." 
+msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden." + +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Geben Sie die Passphrase für Schlüsselfach %d ein: " + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: " + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Der Verschlüsselungsalgorithmus wird auf %s geändert.\n" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Keine Datensegmentparameter geändert. Wiederverschlüsselung abgebrochen." + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Die Zunahme der Größe des Verschlüsselungssektors auf einem Offline-Gerät wird nicht unterstützt.\n" +"Aktivieren Sie das Gerät zuerst oder verwenden Sie die Option »--force-offline-reencrypt« (gefährlich!)." + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Wiederverschlüsselung unterbrochen." + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "LUKS-Wiederverschlüsselung wird im erzwungenen Offline-Modus fortgesetzt.\n" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Das Gerät %s enthält fehlerhafte LUKS-Metadaten. Vorgang wird abgebrochen." + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." 
+msgstr "Gerät %s ist bereits ein LUKS-Gerät. Vorgang wird abgebrochen." + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "Gerät %s befindet sich bereits in der LUKS-Wiederverschlüsselung. Vorgang wird abgebrochen." + +#: src/utils_reencrypt.c:1453 +msgid "LUKS2 decryption requires --header option." +msgstr "LUKS2-Entschlüsselung erfordert die Option »--header«." + +#: src/utils_reencrypt.c:1501 +msgid "Command requires device as argument." +msgstr "Dieser Befehl benötigt den Gerätenamen als Argument." + +#: src/utils_reencrypt.c:1514 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS1." + +#: src/utils_reencrypt.c:1520 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in der LUKS1-Wiederverschlüsselung." + +#: src/utils_reencrypt.c:1526 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS2." + +#: src/utils_reencrypt.c:1532 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in LUKS2-Wiederverschlüsselung." + +#: src/utils_reencrypt.c:1538 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "Die LUKS2-Wiederverschlüsselung wurde bereits begonnen. Die Operation wird abgebrochen." + +#: src/utils_reencrypt.c:1545 +msgid "Device reencryption not in progress." +msgstr "Derzeit läuft keine Wiederverschlüsselung." + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." 
+msgstr "Belegen des ausgerichteten Speichers fehlgeschlagen." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Fehler beim Lesen von Gerät »%s«." + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "LUKS1-Gerät »%s« wird als unbenutzbar markiert." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Fehler beim Schreiben auf Gerät »%s«." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Fehler beim Speichern der Wiederverschlüsselungs-Logdatei." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Fehler beim Einlesen der Wiederverschlüsselungs-Logdatei." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Falsches Protokollformat." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Logdatei »%s« existiert, Wiederverschlüsselung wird fortgesetzt.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Temporäres Gerät mit dem alten LUKS-Header wird aktiviert." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Temporäres Gerät mit dem neuen LUKS-Header wird aktiviert." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Fehler beim Aktivieren der temporären Geräte." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Fehler beim Festlegen des Daten-Offsets." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Fehler beim Festlegen der Metadatengröße." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Neuer LUKS-Header für Gerät »%s« angelegt." 
+ +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "%s-Backup-Header von Gerät »%s« angelegt." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Fehler beim Anlegen des LUKS-Backup-Headers." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Fehler beim Wiederherstellen des %s-Headers auf Gerät »%s«." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "%s-Header auf Gerät »%s« wiederhergestellt." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Fehler beim Öffnen des temporären LUKS-Geräts." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Fehler beim Ermitteln der Gerätegröße." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "E/A-Fehler während der Wiederverschlüsselung." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Die angegebene UUID ist ungültig." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "Fehler beim Öffnen der Wiederverschlüsselungs-Logdatei." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Derzeit ist keine Entschlüsselung im Gange, die angegebene UUID kann nur benutzt werden, um einen unterbrochenen Entschlüsselungsvorgang fortzusetzen." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "Wiederverschlüsselung ändert: %s%s%s%s%s%s." 
+ +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "Laufwerksschlüssel" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr ", Hash auf " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", Verschlüsselung auf " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Partitionssignatur.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Superblock-Signatur.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Fehler beim Initialisieren der Gerätesignatursonden." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Gerät %s konnte nicht gefunden werden." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Gerät %s wird gerade benutzt. Das Formatieren ist gerade nicht möglich." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Datei %s konnte nicht im Lese-/Schreibmodus geöffnet werden." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Die bestehende »%s«-Partitionssignatur auf Gerät %s wird gelöscht." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Die bestehende »%s«-Superblocksignatur auf Gerät %s wird gelöscht." -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." 
msgstr "Fehler beim Löschen der Gerätesignatur." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Gerät %s konnte nicht auf eine Signatur geprüft werden." @@ -3411,16 +3696,16 @@ msgstr "Gerät %s konnte nicht auf eine Signatur geprüft werden." msgid "Invalid size specification in parameter --%s." msgstr "Ungültige Größenangabe in Parameter --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Die Option --%s ist nicht mit der Aktion %s kombinierbar." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Fehler beim Schreiben des SSH-Tokens im JSON-Format." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3437,110 +3722,110 @@ msgstr "" "\n" "Hinweis: Die beim Hinzufügen des Tokens angegebenen Informationen (SSH-Server-Adresse, Benutzer und Pfade) werden im LUKS2-Header im Klartext gespeichert." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<Aktion> <Gerät>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Optionen für die Aktion \"add\" (Hinzufügen):" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "IP-Adresse/URL des entfernten Servers für dieses Token" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Benutzername, der für den entfernten Server verwendet wird" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Pfad zur Schlüsseldatei auf dem entfernten Server" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Pfad zum SSH-Schlüssel für die Verbindung zum entfernten Server" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Schlüsselfach, dem das Token zugewiesen werden soll. Wenn nicht angegeben, wird das Token dem ersten Schlüsselfach zugewiesen, das zur angegebenen Passphrase passt." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Allgemeine Optionen:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Zeigt detailliertere Fehlermeldungen an" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Zeigt Debugging-Meldungen an" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Debugging-Meldungen anzeigen, inclusive JSON-Metadaten" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Öffnen und Importieren des privaten Schlüssels fehlgeschlagen:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Der Import des privaten Schlüssels (passwortgeschützt?) ist fehlgeschlagen.\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "Passwort von %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Das Parsen der Argumente ist fehlgeschlagen.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Es muss eine Aktion angegeben werden\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein Gerät angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Server angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Benutzer angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Pfad angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Schlüsselpfad angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Öffnen von %s mit den angegebenen Anmeldeinformationen fehlgeschlagen.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Nur die Aktion \"add\" (Hinzufügen) wird derzeit von diesem 
Plugin unterstützt.\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "Kann keine sftp-Sitzung erstellen: " @@ -3548,6 +3833,10 @@ msgstr "Kann keine sftp-Sitzung erstellen: " msgid "Cannot init sftp session: " msgstr "Kann sftp-Sitzung nicht starten: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Kann sftp-Sitzung nicht eröffnen: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Kann Eigenschaften der sftp-Datei nicht ermitteln: " 
@@ -3576,6 +3865,96 @@ msgstr "Authentifizierung mit öffentlichem Schlüssel ist auf dem Host nicht er msgid "Public key authentication error: " msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "WARNING: Der Datenoffset ist außerhalb des derzeit verfügbaren Datengeräts.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Fehler beim Ermitteln der Prozesspriorität." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Fehler beim Entsperren des Speichers." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Das Verzeichnis %s/%s, das die Dateisperren enthält, wird mit den vorgegebenen, fest einprogrammierten Berechtigungen erzeugt." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Fehler beim Lesen der BITLK-Signatur von »%s«." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Ungültige oder unbekannte Signatur für BITLK-Gerät." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Fehler beim gründlichen Löschen der Backupsegmentdaten." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Fehler beim Deaktivieren der Wiederverschlüsselungsanforderung." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Verschlüsselung wird nur für das LUKS2-Format unterstützt." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "LUKS-Gerät auf »%s« erkannt. Möchten Sie dieses LUKS-Gerät erneut verschlüsseln?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Derzeit wird nur das LUKS2-Format unterstützt. Bitte verwenden Sie das Werkzeug cryptsetup-reencrypt für LUKS1." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." 
+#~ msgstr "Veraltete Offline-Wiederverschlüsselung wird gerade durchgeführt. Verwenden Sie das Hilfsprogramm cryptsetup-reencrypt." + +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "LUKS2-Gerät wird derzeit nicht wiederverschlüsselt." + +#~ msgid "Reencryption already in-progress." +#~ msgstr "Wiederverschlüsselung läuft bereits." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "LUKS2-Offline-Wiederverschlüsselungs-Kennzeichen wird auf Gerät »%s« festgelegt." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Diese Version von cryptsetup-reencrypt kann internen Tokentyp %s nicht verarbeiten." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Fehler beim Lesen der Aktivierungsschalter aus dem Backup-Header." + +#~ msgid "Failed to write activation flags to new header." +#~ msgstr "Fehler beim Schreiben der Aktivierungsschalter in den neuen Header." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "PBKDF-Parameter in Schlüsselfach %i wurden geändert." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Für die Wiederverschlüsselungs-Blockgröße sind nur Werte zwischen 1 MiB und 64 MiB erlaubt." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Die maximale Verkleinerungsgröße ist 64 MiB." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[OPTION...] <Gerät>" + +#~ msgid "Argument required." +#~ msgstr "Argument muss angegeben werden." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Die Option »--new« muss zusammen mit »--reduce-device-size« oder »--header« benutzt werden." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Die Option »--keep-new« kann nur zusammen mit »--hash«, »--iter-time« oder »--pbkdf-force-iterations« benutzt werden." 
+ +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Die Option »--new« kann nicht zusammen mit »--decrypt« benutzt werden." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "Die Option --decrypt verträgt sich nicht mit den angegebenen Parametern." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Die Option »--uuid« kann nur zusammen mit »--decrypt« benutzt werden." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Ungültiger LUKS-Typ. Verwenden Sie einen von diesen: luks, luks1, luks2." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Gerät %s wird gerade benutzt. Das Formatieren ist gerade nicht möglich." + #~ msgid "No free token slot." #~ msgstr "Kein freies Fach für Token." @@ -3904,9 +4283,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Sector size option is not supported for this command." #~ msgstr "Die Option Sektorgröße wird für diesen Befehl nicht unterstützt." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "Die Option »--unbound« kann nur zusammen mit den Aktionen »luksAddKey« und »luksDump« benutzt werden." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "Die Option --refresh kann nur zusammen mit der Aktion »open« benutzt werden." @@ -4087,9 +4463,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Read new volume (master) key from file" #~ msgstr "Laufwerks-(Master-)Schlüssel aus Datei lesen" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "PBKDF2 Iterationszeit for LUKS (in ms)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Beim Zugriff auf die Geräte direct-io benutzen" 
@@ -4129,9 +4502,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Parameter --refresh is only allowed with open or refresh commands." #~ msgstr "Die Option --refresh ist nur beim »open«- oder »refresh«-Befehl erlaubt." -#~ msgid "Cipher %s is not available." -#~ msgstr "Verschlüsselung »%s« ist nicht verfügbar." - #~ msgid "Unsupported encryption sector size.\n" #~ msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung.\n" @@ -4141,9 +4511,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Online reencryption in progress. Aborting." #~ msgstr "Online-Wiederverschlüsselung läuft gerade. Wird abgebrochen." -#~ msgid "No LUKS2 reencryption in progress." -#~ msgstr "Derzeit läuft keine LUKS2-Wiederverschlüsselung." - #~ msgid "Interrupted by a signal." #~ msgstr "Durch ein Signal unterbrochen." @@ -4207,9 +4574,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Error: Calculated reencryption offset %<PRIu64> is beyond device size %<PRIu64>." #~ msgstr "Fehler: Der berechnete Offset für die Wiederverschlüsselung %<PRIu64> liegt jenseits der Gerätegröße %<PRIu64>." -#~ msgid "Device is not in clean reencryption state." -#~ msgstr "Das Gerät ist nicht in einem sauberen Wiederverschlüsselungszustand." - #~ msgid "Failed to calculate new segments." #~ msgstr "Fehler beim Berechnen der neuen Segmente." diff --git a/po/fr.po b/po/fr.po index 6a4f907..7517b8a 100644 --- a/po/fr.po +++ b/po/fr.po 
@@ -1,16 +1,16 @@ # Messages français pour cryptsetup. -# Copyright (C) 2021 Free Software Foundation, Inc. +# Copyright (C) 2023 Free Software Foundation, Inc. # This file is put in the public domain. # # Solveig <perso@solveig.org>, 2009. # Nicolas Provost <nprovost@quadriv.com>, 2011. -# Frédéric Marchal <fmarchal@perso.be>, 2021. +# Frédéric Marchal <fmarchal@perso.be>, 2023. msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-13 11:00+0100\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-02 15:51+0100\n" "Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n" "Language-Team: French <traduc@traduc.org>\n" "Language: fr\n" 
@@ -20,67 +20,71 @@ msgstr "" "X-Bugs: Report translation errors to the Language-Team address.\n" "Plural-Forms: nplurals=2; plural=(n >= 2);\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Exécution comme un utilisateur non-root." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Le module noyau dm_mod est-il chargé ?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Le fanion différé demandé n'est pas supporté." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "Le DM-UUID du périphérique %s a été tronqué." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Type de cible dm inconnu." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Les options de performance dm-crypt demandées ne sont pas supportées." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Les options demandées de gestion de corruption des données dm-verity ne sont pas supportées." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "L'option dm-verity tasklets demandée n'est pas supportée." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." 
msgstr "Les options dm-verity FEC demandées ne sont pas supportées." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Les options d'intégrité de données demandées ne sont pas supportées." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "L'option sector_size demandée n'est pas supportée." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Le recalcule automatique des balises de sécurité demandés n'est pas supporté." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM n'est pas supporté." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Le mode de carte de bits d'intégrité dm demandé n'est pas supporté." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Échec lors de l'interrogation du segment dm-%s." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -88,576 +92,611 @@ msgstr "" "Le système a manqué d'entropie lors de la génération de la clef de volume.\n" "Veuillez remuer la souris ou taper du texte dans une autre fenêtre pour générer des événements aléatoires.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Génération de la clef (%d%% effectués).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Fonctionne en mode FIPS." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Erreur fatale d'initialisation RNG." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "La qualité du générateur aléatoire RNG demandé est inconnue." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Erreur en lecture du générateur aléatoire RNG " -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Impossible d'initialiser le moteur aléatoire RNG pour le chiffrement." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Impossible d'initialiser le moteur de chiffrement." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "L'algorithme de hachage %s n'est pas supporté." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Erreur de traitement de clé (valeur hachage %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?" 
-#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "Cette opération n'est possible que pour les périphériques LUKS." -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Cette opération n'est possible que pour les périphériques LUKS2." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Tous les emplacements de clés sont utilisés." -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0 et %d." -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc logique du périphérique." -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "En-tête détecté mais le périphérique %s est trop petit." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Cette opération n'est pas supportée pour ce type de périphérique." -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "Opération illégale avec une re-chiffrement en cours." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." 
+msgstr "Échec lors du retour en arrière des métadonnées LUKS2 en mémoire." + +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "%s n'est pas un périphérique LUKS valide." + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "La version %d de LUKS n'est pas supportée." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "Le périphérique %s n'est pas activé." -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Le périphérique sous-jacent pour le périphérique chiffré %s a disparu." -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "Paramètres de chiffrement non valides." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "La taille de la clé n'est pas valide." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "le UUID n'est pas supporté avec ce type de chiffrement." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "Un périphérique avec des métadonnées détachées n'est pas supporté avec ce type de chiffrement." 
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Taille de secteur de chiffrement non supportée." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "La taille du périphérique n'est pas alignée avec la taille de secteur demandée." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "Impossible de formater en LUKS sans périphérique." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." msgstr "L'alignement de données demandé n'est pas compatible avec le décalage des données." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "AVERTISSEMENT: L'offset des données est en dehors du périphérique de données actuellement disponible.\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "Impossible d'effacer l'en-tête du périphérique %s." 
-#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Le périphérique %s est trop petit pour l'activation, il ne reste pas d'espace pour les données.\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "AVERTISSEMENT: L'activation du périphérique va échouer, dm-crypt ne supporte pas la taille de secteur de chiffrement demandée.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "La clé de volume est trop petite pour chiffrer avec les extensions d'intégrité." -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Le chiffrement %s-%s (clé de %zd bits) n'est pas disponible." -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "ATTENTION: La taille des métadonnées LUKS2 est devenue %<PRIu64> octets.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "ATTENTION: La taille de la zone des emplacements de clés LUKS2 est devenue %<PRIu64> octets.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Le périphérique %s est trop petit." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "Impossible de formater le périphérique %s qui est en cours d'utilisation." 
-#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Impossible de formater le périphérique %s. Permission refusée." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "Impossible de formater l'intégrité du périphérique %s." -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "Impossible de formater le périphérique %s" -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "Impossible de formater LOOPAES sans périphérique." -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "Impossible de formater VERITY sans périphérique." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Type de hachage VERITY %d non supporté." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Taille de bloc VERITY non supportée." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Décalage de hachage VERITY non supporté." -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "Décalage VERITY FEC non supporté." -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "La zone de données recouvre la zone de hachage." -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "La zone de hachage recouvre la zone FEC." -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "La zone de données recouvre la zone FEC." 
-#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "ATTENTION : La taille %d demandée pour l'étiquette est différente de la taille de sortie de %s (%d octets).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Type de chiffrement de périphérique demandé (%s) inconnu." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "Paramètres non supportés sur le périphérique %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Paramètres non concordants sur le périphérique %s." -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Désaccord entre les périphériques crypt." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Impossible de recharger le périphérique %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Impossible de suspendre le périphérique %s." 
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Impossible de redémarrer le périphérique %s." -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Erreur fatale en rechargeant le périphérique %s (au dessus du périphérique %s)" -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Impossible de basculer le périphérique %s en dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "Impossible de redimensionner le périphérique loopback." -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "ATTENTION: La taille maximale est déjà définie ou le noyau ne supporte pas le redimensionnement.\n" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Le redimensionnement a échoué, le noyau ne le supporte pas." + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "Voulez vous réellement changer l'UUID du périphérique ?" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "Le fichier de sauvegarde de l'en-tête ne contient pas d'en-tête compatible LUKS." -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "Le volume %s n'est pas actif." -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "Le volume %s est déjà suspendu." 
-#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." msgstr "Le périphérique %s ne supporte pas la suspension." -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "Erreur lors de la suspension du périphérique %s." -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "Le périphérique %s ne supporte pas la remise en service." -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "Erreur lors de la remise en service du périphérique %s." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Le volume %s n'est pas suspendu." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Ceci n'est pas la clé du volume." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume." - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "Nouvel emplacement de clé impossible à échanger." -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "L'emplacement de clé %d n'est pas valide." 
-#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "L'emplacement de clé %d n'est pas actif." -#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "L'en-tête du périphérique recouvre la zone de données." -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." msgstr "Re-chiffrement en cours. Impossible d'activer le périphérique." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Impossible d'obtenir le verrou de re-chiffrement." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "La récupération du rechiffrement LUKS2 a échoué." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "Type de périphérique improprement initialisé." -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "Le périphérique %s existe déjà." -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Impossible d'utiliser le périphérique %s, le nom est invalide ou est toujours utilisé." -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "Clé de volume incorrecte pour le périphérique en clair." -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." 
msgstr "Hachage racine incorrect spécifié pour le périphérique verity." -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "Signature de hachage racine requise." -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Le porte-clé du noyau est manquant : il est requis pour passer une signature au noyau." -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "Impossible de charger la clé dans le porte-clé du noyau." -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Impossible d'annuler la suppression différée du périphérique %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Le périphérique %s est toujours occupé." -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "Le périphérique %s n'est pas valide." -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "Le tampon de la clé du volume est trop petit." -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS2." + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS1." + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain »." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." 
msgstr "Impossible de récupérer le hachage racine pour le périphérique verity." -#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Impossible de récupérer la clé du volume pour le périphérique BITLK." + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Impossible de récupérer la clé du volume pour le périphérique FVAULT2." + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique." -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Le décalage des données n'est pas un multiple de %u octets." -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Impossible de convertir le périphérique %s qui est toujours en cours d'utilisation." -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Échec de l'affectation de l'emplacement de clé %u pour la nouvelle clé de volume." -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Échec de l'initialisation des paramètres par défaut des emplacement de clé LUKS2." -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Échec de l'affectation de l'emplacement de clé %d aux résumé." -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." 
+msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume." + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé (erreur %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Erreur lors de l'acquisition du verrou global de sérialisation des accès strictes à la mémoire" -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "Impossible d'obtenir la priorité du processus." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Impossible de déverrouiller la mémoire." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Impossible d'ouvrir le fichier de clef." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Impossible de lire le fichier de clé depuis un terminal." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Impossible d'exécuter « stat » sur le fichier de clef." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Impossible de sauter au décalage demandé dans le fichier de clé." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "Plus assez de mémoire lors de la lecture de la phrase secrète." 
-#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Erreur de lecture de la phrase secrète." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Rien à lire en entrée." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Taille max. de fichier de clé dépassée." -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "Impossible de lire la quantité de données demandée." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "Le périphérique %s n'existe pas ou l'accès y est interdit." -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "Le périphérique %s n'est pas compatible." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "La mauvaise taille de optimal-io est ignorée pour le périphérique de données (%u octets)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "Le périphérique %s est trop petit. Il a besoin d'au moins %<PRIu64> octets." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Impossible d'utiliser le périphérique %s actuellement utilisé (déjà mappé ou monté)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Impossible d'utiliser le périphérique %s, permission refusée." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." 
msgstr "Impossible d'obtenir des informations au sujet du périphérique %s." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Impossible d'utiliser un périphérique loopback. Fonctionne comme un utilisateur non-root." -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Impossible d'associer le périphérique loopback (le drapeau « autoclear » est requis)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Le décalage demandé est au delà de la taille réelle du périphérique %s." -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Le périphérique %s a une taille nulle." 
@@ -711,40 +750,35 @@ msgstr "Le nombre de threads parallèles PBKDF demandé ne peut pas être zéro. msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Seul PBKDF2 est supporté en mode FIPS." -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:175 msgid "PBKDF benchmark disabled but iterations not set." msgstr "L'étalon PBKDF est désactivé mais les itérations ne sont pas définies." -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:194 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Options PBKDF2 incompatibles (en utilisant l'algorithme de hachage %s)." -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:214 msgid "Not compatible PBKDF options." msgstr "Options PBKDF incompatibles." -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (pas un répertoire ou est manquant)." -#: lib/utils_device_locking.c:109 -#, c-format -msgid "Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "Le répertoire de verrouillage %s/%s sera créé avec les permissions par défaut fournies durant la compilation." - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (%s n'est pas un répertoire)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Impossible de se déplacer au décalage du périphérique." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." 
msgstr "Erreur durant l'effacement total, offset %<PRIu64>" @@ -767,9 +801,9 @@ msgstr "La taille de la clé en mode XTS doit être un multiple de 256 ou 512 bi msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "La spécification du chiffrement devrait être au format [chiffrement]-[mode]-[iv]." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Impossible d'écrire sur le périphérique %s. Permission refusée." 
@@ -782,23 +816,24 @@ msgstr "Échec lors de l'ouverture du périphérique de stockage temporaire de c msgid "Failed to access temporary keystore device." msgstr "Impossible d'accéder au périphérique de stockage temporaire de clés." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "Erreur E/S pendant le chiffrement de l'emplacement de clé." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Impossible d'ouvrir le périphérique %s." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "Erreur E/S pendant le déchiffrement de l'emplacement de clé." 
@@ -814,65 +849,54 @@ msgstr "Le périphérique %s est trop petit (LUKS1 a besoin d'au moins %<PRIu64> msgid "LUKS keyslot %u is invalid." msgstr "L'emplacement de clé LUKS %u n'est pas valide." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "%s n'est pas un périphérique LUKS valide." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "Le fichier de sauvegarde d'en-tête demandé %s existe déjà." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "Impossible de créer le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "Impossible d'écrire le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "Le fichier de sauvegarde ne contient pas d'en-tête LUKS valide." 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "Impossible d'ouvrir le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "Impossible de lire le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "Le décalage des données (« offset ») ou la taille de la clé ne sont pas identiques dans le périphérique et la sauvegarde. La restauration a échouée." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Périphérique %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "ne contient pas d'en-tête LUKS. Remplacer l'en-tête peut détruire les données de ce périphérique." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "contient déjà un en-tête LUKS. Remplacer l'en-tête détruira les emplacements de clés actuels." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" 
@@ -880,126 +904,130 @@ msgstr "" "\n" "ATTENTION : l'en-tête du périphérique a un UUID différent de celui de la sauvegarde !" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Taille de clé non standard. Réparation manuelle requise." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Alignement non standard des emplacements de clé. Réparation manuelle requise." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Mode de chiffrement réparé (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Valeur hachée du chiffrement réparée vers des minuscules (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "L'algorithme de hachage LUKS demandé (%s) n'est pas supporté." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Réparation des emplacements de clé." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Emplacement de clé %i : décalage réparé (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Emplacement de clé %i : bandes réparées (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Emplacement de clé %i : signature de partition contrefaite." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." 
msgstr "Emplacement de clé %i : aléa effacé." -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Écriture de l'en-tête LUKS sur le disque." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Échec de la réparation." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Le mode de chiffrement LUKS %s n'est pas valide." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "La valeur hachée LUKS %s n'est pas valide." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "Aucun problème connu détecté pour l'en-tête LUKS." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Erreur lors de la mise à jour de l'en-tête LUKS sur le périphérique %s." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Erreur lors de la relecture de l'en-tête LUKS après la mise à jour sur le périphérique %s." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "L'offset des données d'un en-tête LUKS doit être soit 0 ou soit plus grand que la taille de l'en-tête." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "Mauvais format fourni pour le UUID LUKS." 
-#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "Impossible de créer un en-tête LUKS : échec lors de la lecture de l'aléa." -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Impossible de créer un en-tête LUKS : le résumé (« digest ») de l'en-tête a échoué (en utilisant l'algorithme de hachage %s)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "L'emplacement de clé %d est activé, effacez le d'abord." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Le matériel de l'emplacement de clé %d a trop peu de bandes. L'en-tête a-t-il été modifié ?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Débordement de la valeur d'itération de PBKDF2." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Impossible d'ouvrir l'emplacement de clé (en utilisant le hachage %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "L'emplacement de clé %d n'est pas valide, merci de sélectionner un emplacement entre 0 et %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Impossible d'effacer de façon sécurisée le périphérique %s." 
@@ -1020,215 +1048,233 @@ msgstr "Fichier de clé incompatible pour boucle « loop-AES »."
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type boucle « loop-AES »."
 
-#: lib/tcrypt/tcrypt.c:509
+#: lib/tcrypt/tcrypt.c:508
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Erreur lors de la lecture du fichier de clé %s."
 
-#: lib/tcrypt/tcrypt.c:559
+#: lib/tcrypt/tcrypt.c:558
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr "Longueur maximum de la phrase secrète TCRYPT (%zu) dépassée."
 
-#: lib/tcrypt/tcrypt.c:602
+#: lib/tcrypt/tcrypt.c:600
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "L'algorithme de hachage PBKDF2 %s n'est pas supporté, ignoré."
 
-#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110
+#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
 msgid "Required kernel crypto interface not available."
 msgstr "L'interface du noyau requise pour le chiffrement n'est pas disponible."
 
-#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112
+#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Vérifiez que le module du noyau algif_skcipher est chargé."
 
-#: lib/tcrypt/tcrypt.c:760
+#: lib/tcrypt/tcrypt.c:762
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "L'activation n'est pas supportée pour des secteurs de taille %d."
 
-#: lib/tcrypt/tcrypt.c:766
+#: lib/tcrypt/tcrypt.c:768
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Le noyau ne supporte pas l'activation pour ce mode TCRYPT historique."
 
-#: lib/tcrypt/tcrypt.c:797
+#: lib/tcrypt/tcrypt.c:799
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Activation du chiffrement du système TCRYPT sur la partition %s."
 
-#: lib/tcrypt/tcrypt.c:875
+#: lib/tcrypt/tcrypt.c:882
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1088
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT."
 
-#: lib/bitlk/bitlk.c:350
+#: lib/bitlk/bitlk.c:278
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:397
+#: lib/bitlk/bitlk.c:337
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Chaîne texte invalide rencontrée en analysant la Clé Maître du Volume."
 
-#: lib/bitlk/bitlk.c:402
+#: lib/bitlk/bitlk.c:341
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Chaîne texte (« %s ») inattendue rencontrée en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:419
+#: lib/bitlk/bitlk.c:358
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:502
-#, c-format
-msgid "Failed to read BITLK signature from %s."
-msgstr "Impossible de lire la signature BITLK depuis %s."
-
-#: lib/bitlk/bitlk.c:514
-msgid "Invalid or unknown signature for BITLK device."
-msgstr "Signature invalide ou inconnue pour le périphérique BITLK."
-
-#: lib/bitlk/bitlk.c:520
+#: lib/bitlk/bitlk.c:460
 msgid "BITLK version 1 is currently not supported."
 msgstr "La version 1 de BITLK n'est actuellement pas supportée."
 
-#: lib/bitlk/bitlk.c:526
+#: lib/bitlk/bitlk.c:466
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Signature d'amorce invalide ou inconnue pour le périphérique BITLK."
-#: lib/bitlk/bitlk.c:538
+#: lib/bitlk/bitlk.c:478
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Taille de secteur %<PRIu16> non supportée."
 
-#: lib/bitlk/bitlk.c:546
+#: lib/bitlk/bitlk.c:486
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Impossible de lire l'en-tête BITLK depuis %s."
 
-#: lib/bitlk/bitlk.c:571
+#: lib/bitlk/bitlk.c:511
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Impossible de lire les méta-données BITLK FVE depuis %s."
 
-#: lib/bitlk/bitlk.c:622
+#: lib/bitlk/bitlk.c:562
 msgid "Unknown or unsupported encryption type."
 msgstr "Type de chiffrement inconnu ou non supporté."
 
-#: lib/bitlk/bitlk.c:655
+#: lib/bitlk/bitlk.c:602
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Impossible de lire les entrées des méta-données de BITLK depuis %s."
 
-#: lib/bitlk/bitlk.c:897
+#: lib/bitlk/bitlk.c:719
+msgid "Failed to convert BITLK volume description"
+msgstr "Échec lors de la conversion de la description du volume BITLK"
+
+#: lib/bitlk/bitlk.c:882
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la clé externe."
 
-#: lib/bitlk/bitlk.c:912
+#: lib/bitlk/bitlk.c:905
+#, c-format
+msgid "BEK file GUID '%s' does not match GUID of the volume."
+msgstr "Le GUID du fichier BEK « %s » ne correspond pas au GUID du volume."
+
+#: lib/bitlk/bitlk.c:909
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la clé externe."
-#: lib/bitlk/bitlk.c:950
+#: lib/bitlk/bitlk.c:948
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Métadonnées BEK version %<PRIu32> non supportées"
 
-#: lib/bitlk/bitlk.c:955
+#: lib/bitlk/bitlk.c:953
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "La taille inattendue des métadonnées BEK %<PRIu32> ne correspond pas à la longueur du fichier BEK"
 
-#: lib/bitlk/bitlk.c:980
+#: lib/bitlk/bitlk.c:979
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Une entrée de méta-donnée inattendue a été trouvée en analysant la clé de démarrage."
 
-#: lib/bitlk/bitlk.c:1071
+#: lib/bitlk/bitlk.c:1075
 msgid "This operation is not supported."
 msgstr "Cette opération n'est pas supportée."
 
-#: lib/bitlk/bitlk.c:1079
+#: lib/bitlk/bitlk.c:1083
 msgid "Unexpected key data size."
 msgstr "Taille inattendue pour les données de la clé."
 
-#: lib/bitlk/bitlk.c:1205
+#: lib/bitlk/bitlk.c:1209
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Ce périphérique BITLK est dans un état non supporté et ne peut pas être activé."
 
-#: lib/bitlk/bitlk.c:1210
+#: lib/bitlk/bitlk.c:1214
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Les périphériques BITLK avec le type « %s » ne peuvent pas être activés."
 
-#: lib/bitlk/bitlk.c:1217
+#: lib/bitlk/bitlk.c:1221
 msgid "Activation of partially decrypted BITLK device is not supported."
 msgstr "L'activation d'un périphérique BITLK partiellement déchiffré n'est pas supporté."
 
-#: lib/bitlk/bitlk.c:1380
+#: lib/bitlk/bitlk.c:1262
+#, c-format
+msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
+msgstr "AVERTISSEMENT: La taille %<PRIu64> du volume BitLocker ne correspond pas à la taille %<PRIu64> du périphérique sous-jacent"
+
+#: lib/bitlk/bitlk.c:1389
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas BITLK IV."
 
-#: lib/bitlk/bitlk.c:1384
+#: lib/bitlk/bitlk.c:1393
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas le diffuseur BITLK Elephant."
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:179
+#: lib/bitlk/bitlk.c:1397
+msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
+msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas une grande taille de secteur."
+
+#: lib/bitlk/bitlk.c:1401
+msgid "Cannot activate device, kernel dm-zero module is missing."
+msgstr "Impossible d'activer le périphérique car le module dm-zero est manquant dans le noyau."
+
+#: lib/fvault2/fvault2.c:542
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr "Échec à la lecture de %u octets dans l'en-tête du volume."
+
+#: lib/fvault2/fvault2.c:554
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr "Version FVAULT2 %<PRIu16> non supportée."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:182
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Le périphérique verity %s n'utilise pas l'en-tête sur le disque."
 
-#: lib/verity/verity.c:90
-#, c-format
-msgid "Device %s is not a valid VERITY device."
-msgstr "Le périphérique %s n'est pas un périphérique VERITY valable."
-
-#: lib/verity/verity.c:97
+#: lib/verity/verity.c:96
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "La version VERITY %d n'est pas supportée."
 
-#: lib/verity/verity.c:128
+#: lib/verity/verity.c:131
 msgid "VERITY header corrupted."
 msgstr "En-tête VERITY corrompu."
 
-#: lib/verity/verity.c:173
+#: lib/verity/verity.c:176
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Mauvais format d'UUID VERITY fourni sur le périphérique %s."
-#: lib/verity/verity.c:217
+#: lib/verity/verity.c:220
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Erreur lors de la mise à jour de l'en-tête verity sur le périphérique %s."
 
-#: lib/verity/verity.c:275
+#: lib/verity/verity.c:278
 msgid "Root hash signature verification is not supported."
 msgstr "La vérification de la signature du hachage racine n'est pas supportée."
 
-#: lib/verity/verity.c:287
+#: lib/verity/verity.c:290
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Les erreurs ne savent pas être réparées avec un périphérique FEC."
 
-#: lib/verity/verity.c:289
+#: lib/verity/verity.c:292
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "%u erreurs réparables ont été trouvées avec le périphérique FEC."
 
-#: lib/verity/verity.c:332
+#: lib/verity/verity.c:335
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-verity."
 
-#: lib/verity/verity.c:336
+#: lib/verity/verity.c:339
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Le noyau ne supporte pas les options de signature dm-verity."
 
-#: lib/verity/verity.c:347
+#: lib/verity/verity.c:350
 msgid "Verity device detected corruption after activation."
 msgstr "Le périphérique verity a détecté une corruption après l'activation."
@@ -1300,46 +1346,51 @@ msgstr "Échec de la réparation de la parité du bloc %<PRIu64>."
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Échec de l'écriture de la parité du bloc RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:228
+#: lib/verity/verity_fec.c:208
 msgid "Block sizes must match for FEC."
 msgstr "Les tailles des blocs doivent concorder pour FEC."
 
-#: lib/verity/verity_fec.c:234
+#: lib/verity/verity_fec.c:214
 msgid "Invalid number of parity bytes."
 msgstr "Nombre d'octets de parité invalide."
 
-#: lib/verity/verity_fec.c:239
+#: lib/verity/verity_fec.c:248
 msgid "Invalid FEC segment length."
 msgstr "Longueur de segment FEC invalide."
 
-#: lib/verity/verity_fec.c:303
+#: lib/verity/verity_fec.c:316
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Impossible de déterminer la taille du périphérique %s."
 
-#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Métadonnées dm-integrity du noyau incompatible (version %u) détectée sur %s."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-integrity."
 
-#: lib/integrity/integrity.c:278
+#: lib/integrity/integrity.c:283
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Le noyau ne supporte pas les alignements de méta-données fixés de dm-integrity."
 
-#: lib/integrity/integrity.c:287
+#: lib/integrity/integrity.c:292
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Le noyau refuse d'activer l'option de recalcul non sûre (voyez les options d'activation historique pour outrepasser)."
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973
-#: lib/luks2/luks2_json_metadata.c:1268
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Impossible d'acquérir un verrou en écriture sur le périphérique %s."
 
-#: lib/luks2/luks2_disk_metadata.c:402
+#: lib/luks2/luks2_disk_metadata.c:400
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Tentative détectée de mettre à jour les métadonnées LUKS2 de manière concurrent. L'opération est abandonnée."
 
-#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1347,49 +1398,49 @@ msgstr ""
 "Le périphérique contient une signature ambigüe, impossible de récupérer automatiquement LUKS2.\n"
 "Veuillez exécuter « cryptsetup repair » pour la récupération."
 
-#: lib/luks2/luks2_json_format.c:230
+#: lib/luks2/luks2_json_format.c:229
 msgid "Requested data offset is too small."
 msgstr "Le décalage de données demandé est trop petit."
 
-#: lib/luks2/luks2_json_format.c:275
+#: lib/luks2/luks2_json_format.c:274
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ATTENTION: la zone des emplacements de clés (%<PRIu64> octets) est très petite, le nombre d'emplacements de clés LUKS2 est très limité.\n"
 
-#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098
-#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92
-#: lib/luks2/luks2_keyslot_luks2.c:114
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
+#: lib/luks2/luks2_keyslot_luks2.c:116
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Impossible d'acquérir le verrou de lecture sur le périphérique %s."
 
-#: lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks2/luks2_json_metadata.c:1405
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Des exigences LUKS2 interdites ont été détectées dans la sauvegarde %s."
 
-#: lib/luks2/luks2_json_metadata.c:1232
+#: lib/luks2/luks2_json_metadata.c:1446
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Les décalages des données ne sont pas identiques sur le périphérique et la sauvegarde, la restauration a échoué."
 
-#: lib/luks2/luks2_json_metadata.c:1238
+#: lib/luks2/luks2_json_metadata.c:1452
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Les en-têtes binaires avec des tailles de zones d'emplacements de clés sont différents sur le périphérique et la sauvegarde, la restauration a échouée."
 
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1459
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Périphérique %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1246
+#: lib/luks2/luks2_json_metadata.c:1460
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "ne contient pas d'en-tête LUKS2. Remplacer l'en-tête peut détruire les données de ce périphérique."
 
-#: lib/luks2/luks2_json_metadata.c:1247
+#: lib/luks2/luks2_json_metadata.c:1461
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "contient déjà un en-tête LUKS2. Remplacer l'en-tête détruira les emplacements de clés actuels."
 
-#: lib/luks2/luks2_json_metadata.c:1249
+#: lib/luks2/luks2_json_metadata.c:1463
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1399,7 +1450,7 @@ msgstr ""
 "ATTENTION: des exigences LUKS2 inconnues ont été détectées sur l'en-tête du périphérique réel !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données sur ce périphérique !"
 
-#: lib/luks2/luks2_json_metadata.c:1251
+#: lib/luks2/luks2_json_metadata.c:1465
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1409,409 +1460,472 @@ msgstr ""
 "ATTENTION: Un rechiffrement hors-ligne non terminé a été détecté sur le périphérique !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données."
 
-#: lib/luks2/luks2_json_metadata.c:1349
+#: lib/luks2/luks2_json_metadata.c:1562
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Fanion inconnu %s ignoré."
 
-#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Clé manquante pour le segment %u de dm-crypt"
 
-#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
 msgid "Failed to set dm-crypt segment."
 msgstr "Impossible de définir le segment dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
 msgid "Failed to set dm-linear segment."
 msgstr "Impossible de définir le segment dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2199
+#: lib/luks2/luks2_json_metadata.c:2615
 msgid "Unsupported device integrity configuration."
 msgstr "Configuration d'intégrité du périphérique non supportée."
 
-#: lib/luks2/luks2_json_metadata.c:2285
+#: lib/luks2/luks2_json_metadata.c:2701
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Re-chiffrement en cours. Le périphérique ne peut être désactivé."
 
-#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Échec du remplacement du périphérique suspendu %s avec la cible dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2376
+#: lib/luks2/luks2_json_metadata.c:2792
 msgid "Failed to read LUKS2 requirements."
 msgstr "Échec lors de la lecture des exigences LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2383
+#: lib/luks2/luks2_json_metadata.c:2799
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Des exigences LUKS2 non rencontrées ont été détectées."
 
-#: lib/luks2/luks2_json_metadata.c:2391
+#: lib/luks2/luks2_json_metadata.c:2807
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement historique. Abandon."
 
-#: lib/luks2/luks2_json_metadata.c:2393
+#: lib/luks2/luks2_json_metadata.c:2809
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement LUKS2. Abandon."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
 msgid "Not enough available memory to open a keyslot."
 msgstr "Pas assez de mémoire disponible pour ouvrir l'emplacement de clé."
 
-#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
 msgid "Keyslot open failed."
 msgstr "Échec de l'ouverture de l'emplacement de clé."
 
-#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Impossible d'utiliser le chiffrement %s-%s pour le chiffrement de l'emplacement de clé"
 
-#: lib/luks2/luks2_keyslot_luks2.c:485
+#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "L'algorithme de hachage %s n'est pas disponible."
+
+#: lib/luks2/luks2_keyslot_luks2.c:510
 msgid "No space for new keyslot."
 msgstr "Plus d'espace pour le nouvel emplacement de clé."
 
-#: lib/luks2/luks2_luks1_convert.c:482
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "Requête de changement du mode de résilience du rechiffrement invalide."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Impossible de mettre à jour le type de résilience. Le nouveau type ne fourni que %<PRIu64> octets alors que l'espace requis est %<PRIu64> octets."
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Impossible de rafraîchir le résumé de la vérification de rechiffrement."
+
+#: lib/luks2/luks2_luks1_convert.c:512
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Ne peut vérifier le statut du périphérique avec le uuid : %s."
 
-#: lib/luks2/luks2_luks1_convert.c:508
+#: lib/luks2/luks2_luks1_convert.c:538
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Impossible de convertir un en-tête avec des métadonnées LUKSMETA supplémentaires."
 
-#: lib/luks2/luks2_luks1_convert.c:548
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "Impossible d'utiliser la spécification de chiffrement %s-%s pour LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:584
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Impossible de déplacer la zone des emplacements de clés. Pas assez d'espace."
 
-#: lib/luks2/luks2_luks1_convert.c:599
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Impossible de convertir au format LUKS2 – métadonnées invalides."
+
+#: lib/luks2/luks2_luks1_convert.c:636
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Impossible de déplacer la zone des emplacements de clés. Les emplacements de clés LULS2 sont trop petits."
 
-#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
 msgid "Unable to move keyslot area."
 msgstr "Impossible de déplacer la zone des emplacements de clés."
 
-#: lib/luks2/luks2_luks1_convert.c:697
+#: lib/luks2/luks2_luks1_convert.c:732
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Impossible de convertir au format LUKS1 – la taille du secteur de chiffrement du segment par défaut n'est pas 512 octets."
 
-#: lib/luks2/luks2_luks1_convert.c:705
+#: lib/luks2/luks2_luks1_convert.c:740
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – les résumés des emplacements de clés ne sont pas compatibles avec LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:717
+#: lib/luks2/luks2_luks1_convert.c:752
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise des clés de chiffrement %s emballées."
 
-#: lib/luks2/luks2_luks1_convert.c:725
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise plus de segments."
+
+#: lib/luks2/luks2_luks1_convert.c:765
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Impossible de convertir au format LUKS1 – l'en-tête LUKS2 contient %u jeton(s)."
 
-#: lib/luks2/luks2_luks1_convert.c:739
+#: lib/luks2/luks2_luks1_convert.c:779
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u est dans un état invalide."
-#: lib/luks2/luks2_luks1_convert.c:744
+#: lib/luks2/luks2_luks1_convert.c:784
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement %u (sur les emplacements maximum) est toujours actif."
 
-#: lib/luks2/luks2_luks1_convert.c:749
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u n'est pas compatible avec LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:993
+#: lib/luks2/luks2_reencrypt.c:1152
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "La taille de la zone chaude doit être un multiple de l'alignement de zone calculé (%zu octets)."
 
-#: lib/luks2/luks2_reencrypt.c:998
+#: lib/luks2/luks2_reencrypt.c:1157
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "La taille du périphérique doit être un multiple de l'alignement de zone calculé (%zu octets)."
 
-#: lib/luks2/luks2_reencrypt.c:1042
-#, c-format
-msgid "Unsupported resilience mode %s"
-msgstr "Mode de résilience %s non supporté"
-
-#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414
-#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531
-#: lib/luks2/luks2_reencrypt.c:3140
+#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
+#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
+#: lib/luks2/luks2_reencrypt.c:3877
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Impossible d'initialiser l'encapsulation pour le stockage de l'ancien segment."
 
-#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392
+#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Impossible d'initialiser l'encapsulation pour le stockage du nouveau segment."
 
-#: lib/luks2/luks2_reencrypt.c:1441
+#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+msgid "Failed to initialize hotzone protection."
+msgstr "Impossible d'initialiser la protection des zones chaudes."
+
+#: lib/luks2/luks2_reencrypt.c:1578
 msgid "Failed to read checksums for current hotzone."
 msgstr "Impossible de lire les sommes de contrôle pour la zone chaude actuelle."
 
-#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148
+#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Échec de la lecture de la zone chaude démarrant à %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1467
+#: lib/luks2/luks2_reencrypt.c:1604
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Échec lors du déchiffrement du secteur %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1473
+#: lib/luks2/luks2_reencrypt.c:1610
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Échec lors de la récupération du secteur %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1956
+#: lib/luks2/luks2_reencrypt.c:2174
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Les tailles des périphériques source et cible ne correspondent pas. Source %<PRIu64>, cible: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:2272
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Échec de l'activation du périphérique de zone chaude %s."
 
-#: lib/luks2/luks2_reencrypt.c:2071
+#: lib/luks2/luks2_reencrypt.c:2289
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Impossible d'activer le périphérique de surcouche %s avec la table d'origine actuelle."
 
-#: lib/luks2/luks2_reencrypt.c:2078
+#: lib/luks2/luks2_reencrypt.c:2296
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Impossible de charger la nouvelle cartographie du périphérique %s."
 
-#: lib/luks2/luks2_reencrypt.c:2149
+#: lib/luks2/luks2_reencrypt.c:2367
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Impossible de rafraîchir la pile des périphériques de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2309
+#: lib/luks2/luks2_reencrypt.c:2550
 msgid "Failed to set new keyslots area size."
 msgstr "Impossible de définir la taille de la nouvelle zone des emplacements de clés."
 
-#: lib/luks2/luks2_reencrypt.c:2413
+#: lib/luks2/luks2_reencrypt.c:2686
 #, c-format
-msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Le décalage de données n'est pas aligné sur la taille de secteur de chiffrement demandée (%<PRIu32> octets)."
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "La valeur de décalage de données n'est pas alignée sur la taille de secteur de chiffrement (%<PRIu32> octets)."
 
-#: lib/luks2/luks2_reencrypt.c:2434
+#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
 #, c-format
-msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Le périphérique de données n'est pas aligné sur la taille de secteur de chiffrement demandée (%<PRIu32> octets)."
+msgid "Unsupported resilience mode %s"
+msgstr "Mode de résilience %s non supporté"
 
-#: lib/luks2/luks2_reencrypt.c:2455
+#: lib/luks2/luks2_reencrypt.c:2760
+msgid "Moved segment size can not be greater than data shift value."
+msgstr "La taille du secteur déplacé ne peut pas être plus grande que la valeur de décalage des données."
+
+#: lib/luks2/luks2_reencrypt.c:2802
+msgid "Invalid reencryption resilience parameters."
+msgstr "Paramètres de rechiffrement de la résilience invalides."
+
+#: lib/luks2/luks2_reencrypt.c:2824
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr "Le segment déplacé est trop grand. La taille demandée est %<PRIu64>, l'espace disponible est %<PRIu64>"
+
+#: lib/luks2/luks2_reencrypt.c:2911
+msgid "Failed to clear table."
+msgstr "Erreur lors de la suppression de la table."
+
+#: lib/luks2/luks2_reencrypt.c:2997
+msgid "Reduced data size is larger than real device size."
+msgstr "La taille des données réduites est plus grande que la taille réelle du périphérique."
+
+#: lib/luks2/luks2_reencrypt.c:3004
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Le périphérique de données n'est pas aligné sur la taille de secteur de chiffrement (%<PRIu32> octets)."
+
+#: lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Le décalage de données (%<PRIu64> secteurs) est plus petit que le décalage de données future (%<PRIu64> secteurs)."
 
-#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889
-#: lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
+#: lib/luks2/luks2_reencrypt.c:3554
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Erreur lors de l'ouverture de %s en mode exclusif (déjà mappé ou monté)."
 
-#: lib/luks2/luks2_reencrypt.c:2629
+#: lib/luks2/luks2_reencrypt.c:3234
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Le périphérique n'est pas marqué pour le rechiffrement LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415
+#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Échec du chargement du contexte de rechiffrement LUKS2"
 
-#: lib/luks2/luks2_reencrypt.c:2715
+#: lib/luks2/luks2_reencrypt.c:3331
 msgid "Failed to get reencryption state."
 msgstr "Impossible d'obtenir l'état de rechiffrement."
-#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "Le périphérique n'est pas en rechiffrement." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "Le rechiffrement est déjà en cours." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "Impossible d'acquérir le verrou de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Impossible de réaliser le rechiffrement. Exécutez d'abord la récupération du rechiffrement." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "La taille du périphérique actif et la taille de rechiffrement demandée ne correspondent pas." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "Taille de périphérique illégale demandée dans les paramètres de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Rechiffrement en cours. La récupération ne peut pas être réalisée." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Rechiffrement LUKS2 déjà initialisé dans les métadonnées." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Échec de l'initialisation du rechiffrement LUKS2 dans les métadonnées." 
-#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Impossible de définir les segments du périphérique pour le rechiffrement suivant de la zone chaude." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "Échec lors de l'écriture des métadonnées de la résilience du rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "Échec du déchiffrement." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Échec de l'écriture de la zone chaude démarrant à %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "Erreur lors de la synchronisation des données." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Échec de la mise à jour des métadonnées après la fin du rechiffrement de la zone chaude courante." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "Échec lors de l'écriture des métadonnées LUKS2" -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Échec lors de l'effacement des données du segment de sauvegarde." +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." +msgstr "Impossible d'effacer la zone du périphérique contenant les données inutilisées." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Impossible de désactiver le fanion de demande de rechiffrement." 
+#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Erreur lors de la suppression de l'emplacement de clé inutilisé (unbound) %d." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "Erreur lors de la suppression de l'emplacement de clé de re-chiffrement." + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." msgstr "Erreur fatale en rechiffrant le morceau commençant à %<PRIu64> d'une longueur de %<PRIu64> secteurs." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "Échec du rechiffrement en-ligne." # Frédéric: Je n'ai pas la moindre idée de ce que le développeur a voulu écrire. Qu'est-ce que "error target" dans ce contexte ? -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "Ne pas redémarrer le périphérique à moins qu'il ait été remplacé manuellement par la cible en erreur." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Impossible de réaliser le rechiffrement. Statut de rechiffrement inattendu." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "Contexte de rechiffrement manquant ou invalide." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "Impossible d'initialiser la pile du périphérique de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." 
msgstr "Échec de la mise à jour du contexte de rechiffrement." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Impossible de vérifier une phrase secrète non saisie sur une console." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "Les méta-données de rechiffrement sont invalides." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Les paramètres de chiffrement des emplacement de clés peuvent uniquement être définis pour un périphérique LUKS2." -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "Entrez le code PIN du jeton :" +msgid "Enter token PIN: " +msgstr "Entrez le code PIN du jeton : " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "Entrez le code PIN du jeton %d :" +msgid "Enter token %d PIN: " +msgstr "Entrez le code PIN du jeton %d : " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté." 
-#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "ATTENTION: Le paramètre --hash est ignoré en mode non chiffré quand le fichier de clé est spécifié.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "ATTENTION: L'option --keyfile-size est ignorée. La taille de lecture est la même que la taille de la clé de chiffrement.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Signature(s) de périphérique détectée(s) sur %s. Continuer risque d'endommager les données existantes." -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "Opération interrompue.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "L'option --key-file est requise." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "Entrez le PIN VeraCrypt : " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Valeur PIN invalide : erreur d'analyse" -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Valeur PIN invalide: 0" -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." 
msgstr "Valeur PIN invalide: hors des limites." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "Aucun en-tête détecté avec cette phrase secrète sur le périphérique." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Le périphérique %s n'est pas un périphérique BITLK valide." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Impossible de déterminer la taille de la clé de volume pour BITLK, veuillez utiliser l'option --key-size." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1821,7 +1935,7 @@ msgstr "" "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n" "Ce contenu devrait toujours être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1831,88 +1945,114 @@ msgstr "" "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n" "Ce contenu devrait être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "Le périphérique %s n'est pas un périphérique FVAULT2 valide." + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "Impossible de déterminer la taille de la clé de volume pour FVAULT2, veuillez utiliser l'option --key-size." + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Le périphérique %s est toujours actif et prévu pour une suppression différée.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Le redimensionnement d'un périphérique actif requiert que la clé du volume soit dans le porte-clé mais l'option --disable-keyring est définie." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "Test de performance interrompu." 
-#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s N/A\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u itérations par seconde pour une clé de %zu bits\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s N/A\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u itérations, %5u mémoire, %1u threads parallèles (CPUs) pour une clé de %zu bits (temps de %u ms demandé)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "Le résultat de l'évaluation de performance n'est pas fiable." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Tests approximatifs en utilisant uniquement la mémoire (pas de stockage E/S).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithme | Clé | Chiffrement | Déchiffrement\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Le chiffrement %s (avec une clé de %i bits) n'est pas disponible." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. 
-#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithme | Clé | Chiffrement | Déchiffrement\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "N/D" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Le périphérique seems ne requière pas de récupération de rechiffrement.\n" -"Voulez-vous quand-même continuer ?" +"Des métadonnées de rechiffrement LUKS2 non protégées ont été détectées. Veuillez vérifier si l'opération de rechiffrement est\n" +"désirable (consultez la sortie de luksDump) et continuez (mise à niveau des métadonnées) uniquement si vous constatez que\n" +"l'opération est légitime." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Entrez la phrase secrète pour protéger et mettre à niveau les métadonnées de rechiffrement : " + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Réellement procéder à la récupération du rechiffrement LUKS2 ?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Entrez la phrase secrète pour vérifier le résumé des métadonnées du rechiffrement : " + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "Entrez la phrase secrète pour la récupération du rechiffrement : " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "Réellement essayer de réparer l'en-tête du périphérique LUKS ?" 
-#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Effacement interrompu." + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1920,113 +2060,128 @@ msgstr "" "Effacement du périphérique pour initialiser les sommes de contrôle d'intégrité.\n" "Vous pouvez interrompre ceci en appuyant sur CTRL+c (le reste du périphérique effacé contiendra toujours des sommes de contrôle invalides).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Impossible de désactiver le périphérique temporaire %s." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "L'option d'intégrité peut uniquement être utilisée avec le format LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Options de taille des métadonnées LUKS2 non supportées." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Le fichier d'en-tête n'existe pas, voulez-vous le créer ?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Impossible de créer le fichier d'en-tête %s." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Aucun motif connu de spécification d'intégrité n'a été détecté." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Ne peut utiliser %s comme en-tête sur disque." 
-#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Cette action écrasera définitivement les données sur %s." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Impossible de définir les paramètres pbkdf." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Décalage réduit de données est uniquement permis dans un en-tête LUKS détaché." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "Le container %s du fichier LUKS est trop petit pour l'activation, il ne reste pas d'espace pour les données." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Impossible de déterminer la taille de la clé de volume pour LUKS sans emplacement de clé, veuillez utiliser l'option --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Le périphérique a été activé mais les fanions ne peuvent pas être rendus permanents." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Emplacement de clé %d sélectionné pour suppression." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. 
Device will become unusable after purging this key." msgstr "Ceci est le dernier emplacement de clé. Le périphérique sera inutilisable après la suppression de cette clé." -#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Entrez toute phrase secrète restante : " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Opération interrompue, l'emplacement de clé n'a PAS été effacé.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Entrez la phrase secrète à effacer : " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "%s n'est pas un périphérique LUKS2 valide." + +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Entrez une nouvelle phrase secrète pour l'emplacement de clé : " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "ATTENTION: Le paramètre --key-slot est utilisé pour le nouveau numéro de l'emplacement de clé.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Entrez une phrase secrète existante : " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Entrez la phrase secrète à changer : " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Entrez la nouvelle phrase secrète : " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " 
msgstr "Entrez la phrase secrète pour l'emplacement de clé à convertir: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." msgstr "L'opération isLuks supporte seulement un périphérique en argument." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "L'emplacement de clé %d ne contient pas de clé non liée." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." 
@@ -2034,40 +2189,40 @@ msgstr "" "Le contenu de l'en-tête avec une clé non liée est une information sensible.\n" "Ce contenu devrait être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "%s n'est pas un nom de périphérique %s actif." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s n'est pas un nom de périphérique LUKS actif ou l'en-tête est manquant." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "L'option --header-backup-file est requise." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s n'est pas un périphérique géré par cryptsetup." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Le rafraîchissement n'est pas supporté pour un périphérique de type %s" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Type de métadonnée du périphérique %s non reconnu." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "La commande exige un périphérique et un nom de correspondance comme arguments." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2076,335 +2231,351 @@ msgstr "" "Cette opération va supprimer tous les emplacements de clés du périphérique %s.\n" "Le périphérique sera inutilisable après cette opération." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Opération interrompue, les emplacements de clés n'ont PAS été effacés.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Type LUKS invalide, seuls luks1 et luks2 sont supportés." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Le périphérique est déjà du type %s." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Cette opération va convertir %s au format %s.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Opération interrompue, le périphérique n'a PAS été converti.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "L'option --priority, --label ou --subsystem est manquante." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Le jeton %d est invalide." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Le jeton %d est utilisé." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Échec lors de l'ajout du jeton %d au porte-clé luks2." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." 
msgstr "Échec lors de l'affectation du jeton %d à l'emplacement de clé %d." -#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "Le jeton %d n'est pas utilisé." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Impossible d'importer le jeton depuis le fichier." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Impossible d'obtenir le jeton %d pour l'export." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Périphérique dm actif auto-détecté « %s » pour le périphérique de données %s.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "Le jeton %d n'est pas assigné à l'emplacement de clé %d." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "Le périphérique %s n'est pas un périphérique blocs.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Impossible de dissocier le jeton %d de l'emplacement de clé %d." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Échec de l'auto-détection des containers du périphérique %s." +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT." 
-#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Impossible de décider si le périphérique %s est actif ou non.\n" -"Êtes-vous sûr de vouloir procéder au rechiffrement en mode hors-ligne ?\n" -"Les données pourraient être corrompues si le périphérique est réellement activé.\n" -"Pour exécuter le rechiffrement en mode en ligne, utilisez le paramètre --active-name.\n" +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "L'option --veracrypt ou --disable-veracrypt est uniquement supportée pour un périphérique de type TCRYPT." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Le chiffrement est uniquement supporté avec le format LUKS2." +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "L'option --veracrypt-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Le chiffrement sans en-tête détaché (--header) n'est pas possible sans une réduction de la taille du périphérique de données (--reduce-device-size)" +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "L'option --veracrypt-query-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." 
-msgstr "Le décalage de données demandé doit être inférieur ou égal à la moitié du paramètre --reduce-device-size." +#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Les options --veracrypt-pim et --veracrypt-query-pim sont mutuellement exclusives." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Ajustement de la valeur de --reduce-device-size à deux fois --offset %<PRIu64> (secteurs).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Périphérique LUKS détecté sur %s. Voulez-vous chiffrer à nouveau ce périphérique LUKS ?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Le fichier temporaire d'en-tête %s existe déjà. Abandon." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Impossible de créer le fichier temporaire d'en-tête %s." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "La taille des métadonnées LUKS2 est plus grande que la valeur de décalage des données." +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "L'option --persistent n'est pas permise avec --test-passphrase." #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Impossible de placer le nouvel en-tête au début du périphérique %s." +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Les options --refresh et --test-passphrase sont mutuellement exclusives." 
-#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." +msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire." -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "Le déchiffrement LUKS2 est uniquement supporté avec un périphérique à l'en-tête détaché (avec l'offset de données défini à 0)." +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Pas assez d'emplacements de clés libres pour le rechiffrement." +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "L'option --offset avec l'action d'ouverture est supportée uniquement pour des périphériques ordinaires et loopaes." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards." 
-#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326
-#: src/cryptsetup_reencrypt.c:1337
-#, c-format
-msgid "Enter passphrase for key slot %d: "
-msgstr "Entrez la phrase secrète pour l'emplacement de clé %d : "
+#: src/cryptsetup.c:3023
+msgid "Sector size option with open action is supported only for plain devices."
+msgstr "L'option de taille de secteur avec l'action d'ouverture est uniquement supportée pour des périphérique ordinaires."
-#: src/cryptsetup.c:3233
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : "
+#: src/cryptsetup.c:3027
+msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
+msgstr "L'option des secteurs IV (vecteur d'initialisation) de grande taille est supportée uniquement à l'ouverture de périphériques de type simple avec une taille de secteur supérieure à 512 octets."
-#: src/cryptsetup.c:3278
-#, c-format
-msgid "Switching data encryption cipher to %s.\n"
-msgstr "Basculement de l'algorithme de chiffrement de données vers %s.\n"
+#: src/cryptsetup.c:3032
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS, TCRYPT, BITLK et FVAULT2."
-#: src/cryptsetup.c:3415
-msgid "Command requires device as argument."
-msgstr "La commande exige un périphérique comme argument."
+#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+msgid "Options --device-size and --size cannot be combined."
+msgstr "Les options --device-size et --size ne peuvent pas être combinées."
-#: src/cryptsetup.c:3437
-msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
-msgstr "Seul le format LUKS2 est actuellement supporté. Veuillez utiliser l'outil cryptsetup-reencrypt pour LUKS1."
+#: src/cryptsetup.c:3038
+msgid "Option --unbound is allowed only for open of luks device."
+msgstr "L'option --unbound est permise uniquement pour ouvrir un périphérique luks."
-#: src/cryptsetup.c:3449
-msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
-msgstr "Un rechiffrement hors-ligne historique est déjà en cours. Utilisez l'utilitaire cryptsetup-reencrypt."
+#: src/cryptsetup.c:3041
+msgid "Option --unbound cannot be used without --test-passphrase."
+msgstr "L'option --unbound ne peut pas être utilisée sans --test-passphrase."
-#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155
-msgid "Reencryption of device with integrity profile is not supported."
-msgstr "Le rechiffrement d'un périphérique avec un profil d'intégrité n'est pas supporté."
+#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr "Les options --cancel-deferred et --deferred ne peuvent pas être utilisées en même temps."
-#: src/cryptsetup.c:3467
-msgid "LUKS2 reencryption already initialized. Aborting operation."
-msgstr "Rechiffrement LUKS2 déjà initialisé. Abandon de l'opération."
+#: src/cryptsetup.c:3066
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr "Les options --reduce-device-size et --data-size ne peuvent pas être combinées."
-#: src/cryptsetup.c:3471
-msgid "LUKS2 device is not in reencryption."
-msgstr "Le périphérique LUKS2 n'est pas en rechiffrement."
+#: src/cryptsetup.c:3069
+msgid "Option --active-name can be set only for LUKS2 device."
+msgstr "L'option --active-name peut uniquement être définie pour un périphérique LUKS2."
-#: src/cryptsetup.c:3498
+#: src/cryptsetup.c:3072
+msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
+msgstr "Les options --active-name et --force-offline-reencrypt ne peuvent pas être combinées."
+
+#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+msgid "Keyslot specification is required."
+msgstr "Une spécification d'emplacement de clé est requise."
+
+#: src/cryptsetup.c:3088
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "Les options --align-payload et --offset ne peuvent pas être combinées."
+
+#: src/cryptsetup.c:3091
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
+msgstr "L'option --integrity-no-wipe peut uniquement être utilisée pour une action de formatage avec l'extension d'intégrité."
+
+#: src/cryptsetup.c:3094
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Seule une des deux possibilités --use-[u]random est autorisée."
+
+#: src/cryptsetup.c:3102
+msgid "Key size is required with --unbound option."
+msgstr "La taille de clé est requise avec l'option --unbound."
+
+#: src/cryptsetup.c:3122
+msgid "Invalid token action."
+msgstr "L'action de jeton est invalide."
+
+#: src/cryptsetup.c:3125
+msgid "--key-description parameter is mandatory for token add action."
+msgstr "Le paramètre --key-description est requis pour l'action d'ajout d'un jeton."
+
+#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --token-id."
+
+#: src/cryptsetup.c:3133
+msgid "Option --unbound is valid only with token add action."
+msgstr "L'option --unbound est uniquement valable avec l'action d'ajout d'un jeton."
+
+#: src/cryptsetup.c:3135
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "Les options --key-slot et --unbound ne peuvent pas être combinées."
+
+#: src/cryptsetup.c:3140
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --key-slot."
+
+#: src/cryptsetup.c:3156
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<périphérique> [--type <type>] [<nom>]"
-#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446
+#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
 msgid "open device as <name>"
 msgstr "ouvrir le périphérique comme <nom>"
-#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501
-#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447
-#: src/integritysetup.c:448
+#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
+#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
+#: src/integritysetup.c:537 src/integritysetup.c:539
 msgid "<name>"
 msgstr "<nom>"
-#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447
+#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
 msgid "close device (remove mapping)"
 msgstr "fermeture du périphérique (supprime le « mapping »)"
-#: src/cryptsetup.c:3500
+#: src/cryptsetup.c:3158 src/integritysetup.c:539
 msgid "resize active device"
 msgstr "redimensionner le périphérique actif"
-#: src/cryptsetup.c:3501
+#: src/cryptsetup.c:3159
 msgid "show device status"
 msgstr "afficher le statut du périphérique"
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <chiffrement>]"
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "benchmark cipher"
 msgstr "chiffrement pour test de performance"
-#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
-#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517
-#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520
-#: src/cryptsetup.c:3521 src/cryptsetup.c:3522
+#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
+#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
+#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
+#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
+#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
 msgid "<device>"
 msgstr "<périphérique>"
-#: src/cryptsetup.c:3503
+#: src/cryptsetup.c:3161
 msgid "try to repair on-disk metadata"
 msgstr "essayer de réparer les métadonnées sur le disque"
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3162
 msgid "reencrypt LUKS2 device"
 msgstr "rechiffrer le périphérique LUKS2"
-#: src/cryptsetup.c:3505
+#: src/cryptsetup.c:3163
 msgid "erase all keyslots (remove encryption key)"
 msgstr "supprimer tous les emplacements de clés (supprime la clé de chiffrement)"
-#: src/cryptsetup.c:3506
+#: src/cryptsetup.c:3164
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertir LUKS depuis/vers le format LUKS2"
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3165
 msgid "set permanent configuration options for LUKS2"
 msgstr "définir les options de configuration permanentes pour LUKS2"
-#: src/cryptsetup.c:3508 src/cryptsetup.c:3509
+#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
 msgid "<device> [<new key file>]"
 msgstr "<périphérique> [<fichier de la nouvelle clé>]"
-#: src/cryptsetup.c:3508
+#: src/cryptsetup.c:3166
 msgid "formats a LUKS device"
 msgstr "formater un périphérique LUKS"
-#: src/cryptsetup.c:3509
+#: src/cryptsetup.c:3167
 msgid "add key to LUKS device"
 msgstr "ajouter une clé au périphérique LUKS"
-#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512
+#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
 msgid "<device> [<key file>]"
 msgstr "<périphérique> [<fichier de clé>]"
-#: src/cryptsetup.c:3510
+#: src/cryptsetup.c:3168
 msgid "removes supplied key or key file from LUKS device"
 msgstr "retire du périphérique LUKS la clé ou le fichier de clé fourni"
-#: src/cryptsetup.c:3511
+#: src/cryptsetup.c:3169
 msgid "changes supplied key or key file of LUKS device"
 msgstr "modifie la clé ou le fichier de clé fourni pour le périphérique LUKS"
-#: src/cryptsetup.c:3512
+#: src/cryptsetup.c:3170
 msgid "converts a key to new pbkdf parameters"
 msgstr "converti une clé vers les nouveaux paramètres pbkdf"
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "<device> <key slot>"
 msgstr "<périphérique> <emplacement de clé>"
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "efface de façon sécurisée la clé avec le numéro <emplacement de clé> du périphérique LUKS"
-#: src/cryptsetup.c:3514
+#: src/cryptsetup.c:3172
 msgid "print UUID of LUKS device"
 msgstr "afficher l'UUID du périphérique LUKS"
-#: src/cryptsetup.c:3515
+#: src/cryptsetup.c:3173
 msgid "tests <device> for LUKS partition header"
 msgstr "teste si <périphérique> a un en-tête de partition LUKS"
-#: src/cryptsetup.c:3516
+#: src/cryptsetup.c:3174
 msgid "dump LUKS partition information"
 msgstr "affiche les informations LUKS de la partition"
-#: src/cryptsetup.c:3517
+#: src/cryptsetup.c:3175
 msgid "dump TCRYPT device information"
 msgstr "affiche les informations du périphérique TCRYPT"
-#: src/cryptsetup.c:3518
+#: src/cryptsetup.c:3176
 msgid "dump BITLK device information"
 msgstr "affiche les informations du périphérique BITLK"
-#: src/cryptsetup.c:3519
+#: src/cryptsetup.c:3177
+msgid "dump FVAULT2 device information"
+msgstr "affiche les informations du périphérique FVAULT2"
+
+#: src/cryptsetup.c:3178
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspendre le périphérique LUKS et effacer de façon sécurisée la clé (toutes les entrées/sorties sont suspendues)"
-#: src/cryptsetup.c:3520
+#: src/cryptsetup.c:3179
 msgid "Resume suspended LUKS device"
 msgstr "Remettre en service le périphérique LUKS suspendu"
-#: src/cryptsetup.c:3521
+#: src/cryptsetup.c:3180
 msgid "Backup LUKS device header and keyslots"
 msgstr "Sauvegarder l'en-tête et les emplacements de clés du périphérique LUKS"
-#: src/cryptsetup.c:3522
+#: src/cryptsetup.c:3181
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurer l'en-tête et les emplacements de clés du périphérique LUKS"
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <périphérique>"
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipuler les jetons LUKS2"
-#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464
+#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2412,19 +2583,19 @@ msgstr ""
 "\n"
 "<action> est l'une de :\n"
-#: src/cryptsetup.c:3549
+#: src/cryptsetup.c:3207
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 msgstr ""
 "\n"
 "Vous pouvez aussi utiliser les alias de l'ancienne syntaxe <action> :\n"
-"\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
-#: src/cryptsetup.c:3553
+#: src/cryptsetup.c:3211
 #, c-format
 msgid ""
 "\n"
@@ -2439,7 +2610,7 @@ msgstr ""
 "<emplacement> est le numéro de l'emplacement de clé LUKS à modifier\n"
 "<fichier de clé> est un fichier optionnel contenant la nouvelle clé pour l'action luksAddKey\n"
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3218
 #, c-format
 msgid ""
 "\n"
@@ -2448,7 +2619,7 @@ msgstr ""
 "\n"
 "Le format de métadonnées compilé par défaut est %s (pour l'action luksFormat).\n"
-#: src/cryptsetup.c:3565 src/cryptsetup.c:3568
+#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
 #, c-format
 msgid ""
 "\n"
@@ -2457,20 +2628,20 @@ msgstr ""
 "\n"
 "Le support du greffon de jeton externe LUKS2 est %s.\n"
-#: src/cryptsetup.c:3565
+#: src/cryptsetup.c:3223
 msgid "compiled-in"
 msgstr "intégré dans la compilation"
-#: src/cryptsetup.c:3566
+#: src/cryptsetup.c:3224
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Chemin du greffon de jeton externe LUKS2 : %s.\n"
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3226
 msgid "disabled"
 msgstr "désactivé"
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3230
 #, c-format
 msgid ""
 "\n"
@@ -2487,7 +2658,7 @@ msgstr ""
 "PBKDF par défaut pour LUKS2 : %s\n"
 "\tTemps d'itération: %d, Mémoire requise: %d ko, Threads parallèles: %d\n"
-#: src/cryptsetup.c:3583
+#: src/cryptsetup.c:3241
 #, c-format
 msgid ""
 "\n"
@@ -2502,206 +2673,96 @@ msgstr ""
 "\tplain: %s, Clé: %d bits, Hachage mot de passe: %s\n"
 "\tLUKS: %s, Clé: %d bits, Hachage en-tête LUKS: %s, RNG: %s\n"
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3250
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: La taille de clé par défaut en mode XTS (deux clés internes) sera doublée.\n"
-#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620
+#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s : exige %s comme arguments."
-#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379
-#: src/cryptsetup_reencrypt.c:1704
+#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
 msgid "Key slot is invalid."
 msgstr "Emplacement de clé non valide."
-#: src/cryptsetup.c:3675
+#: src/cryptsetup.c:3335
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "La taille du périphérique doit être un multiple d'un secteur de 512 octets."
-#: src/cryptsetup.c:3680
+#: src/cryptsetup.c:3340
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "La spécification de la taille maximale de la zone chaude de rechiffrement est invalide."
-#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
 msgid "Key size must be a multiple of 8 bits"
 msgstr "La taille de la clé doit être un multiple de 8 bits"
-#: src/cryptsetup.c:3711
+#: src/cryptsetup.c:3371
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "La taille maximum réduite pour le périphérique est 1 GiB."
-#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631
+#: src/cryptsetup.c:3374
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "La taille réduite doit être un multiple d'un secteur de 512 octets."
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3391
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "L'option --priority peut uniquement être ignore/normal/prefer."
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543
-#: src/cryptsetup_reencrypt.c:1641
+#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
 msgid "Show this help message"
 msgstr "Afficher ce message d'aide"
-#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544
-#: src/cryptsetup_reencrypt.c:1642
+#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
 msgid "Display brief usage"
 msgstr "Afficher, en résumé, la syntaxe d'invocation"
-#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
 msgid "Print package version"
 msgstr "Afficher la version du paquet"
-#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
 msgid "Help options:"
 msgstr "Options d'aide :"
-#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573
+#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTION...] <action> <paramètres de l'action>"
-#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584
+#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
 msgid "Argument <action> missing."
 msgstr "Il manque l'argument <action>."
-#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615
+#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
 msgid "Unknown action."
 msgstr "Action inconnue."
-#: src/cryptsetup.c:3861
-msgid "Options --refresh and --test-passphrase are mutually exclusive."
-msgstr "Les options --refresh et --test-passphrase sont mutuellement exclusives."
-
-#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663
-msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
-msgstr "Les options --cancel-deferred et --deferred ne peuvent pas être utilisées en même temps."
-
-#: src/cryptsetup.c:3872
-msgid "Option --shared is allowed only for open of plain device."
-msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire."
-
-#: src/cryptsetup.c:3877
-msgid "Option --persistent is not allowed with --test-passphrase."
-msgstr "L'option --persistent n'est pas permise avec --test-passphrase."
-
-#: src/cryptsetup.c:3882
-msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
-msgstr "L'option --integrity-no-wipe peut uniquement être utilisée pour une action de formatage avec l'extension d'intégrité."
-
-#: src/cryptsetup.c:3889
-msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices."
-msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS, TCRYPT et BITLK."
-
-#: src/cryptsetup.c:3901
+#: src/cryptsetup.c:3546
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "L'option --key-file est prioritaire par rapport à un fichier de clé spécifié en argument."
-#: src/cryptsetup.c:3907
+#: src/cryptsetup.c:3552
 msgid "Only one --key-file argument is allowed."
 msgstr "Un seul argument --key-file est autorisé."
-#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689
-#: src/cryptsetup_reencrypt.c:1708
-msgid "Only one of --use-[u]random options is allowed."
-msgstr "Seule une des deux possibilités --use-[u]random est autorisée."
-
-#: src/cryptsetup.c:3915
-msgid "Options --align-payload and --offset cannot be combined."
-msgstr "Les options --align-payload et --offset ne peuvent pas être combinées."
-
-#: src/cryptsetup.c:3921
-msgid "Option --skip is supported only for open of plain and loopaes devices."
-msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes."
-
-#: src/cryptsetup.c:3927
-msgid "Option --offset with open action is only supported for plain and loopaes devices."
-msgstr "L'option --offset avec l'action d'ouverture est supportée uniquement pour des périphériques ordinaires et loopaes."
-
-#: src/cryptsetup.c:3933
-msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
-msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT."
-
-#: src/cryptsetup.c:3938
-msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
-msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards."
-
-#: src/cryptsetup.c:3943
-msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
-msgstr "L'option --veracrypt ou --disable-veracrypt est uniquement supportée pour un périphérique de type TCRYPT."
-
-#: src/cryptsetup.c:3948
-msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
-msgstr "L'option --veracrypt-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt."
-
-#: src/cryptsetup.c:3954
-msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
-msgstr "L'option --veracrypt-query-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt."
-
-#: src/cryptsetup.c:3958
-msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
-msgstr "Les options --veracrypt-pim et --veracrypt-query-pim sont mutuellement exclusives."
-
-#: src/cryptsetup.c:3966 src/cryptsetup.c:4002
-msgid "Keyslot specification is required."
-msgstr "Une spécification d'emplacement de clé est requise."
-
-#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694
+#: src/cryptsetup.c:3557
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "La fonction de dérivation d'une clé basée sur un mot de passe (PBKDF = Password-Based Key Derivation Function) peut uniquement être pbkdf2 ou argon2i/argon2id."
-#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699
+#: src/cryptsetup.c:3562
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Les itérations forcées de PBKDF ne peuvent pas être combinées avec l'option de temps d'itération."
-#: src/cryptsetup.c:3983
-msgid "Sector size option with open action is supported only for plain devices."
-msgstr "L'option de taille de secteur avec l'action d'ouverture est uniquement supportée pour des périphérique ordinaires."
-
-#: src/cryptsetup.c:3990
-msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
-msgstr "L'option des secteurs IV (vecteur d'initialisation) de grande taille est supportée uniquement à l'ouverture de périphériques de type simple avec une taille de secteur supérieure à 512 octets."
-
-#: src/cryptsetup.c:3996
-msgid "Key size is required with --unbound option."
-msgstr "La taille de clé est requise avec l'option --unbound."
-
-#: src/cryptsetup.c:4012
-msgid "LUKS2 decryption requires option --header."
-msgstr "Le déchiffrement LUKS2 requiert l'option --header."
-
-#: src/cryptsetup.c:4016
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "Les options --reduce-device-size et --data-size ne peuvent pas être combinées."
-
-#: src/cryptsetup.c:4020
-msgid "Options --device-size and --size cannot be combined."
-msgstr "Les options --device-size et --size ne peuvent pas être combinées."
-
-#: src/cryptsetup.c:4024
+#: src/cryptsetup.c:3573
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Les options --keyslot-cipher et --keyslot-key-size doivent être utilisées ensembles."
-#: src/cryptsetup.c:4028
+#: src/cryptsetup.c:3581
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Aucune action réalisée. Invoqué avec l'option --test-args.\n"
-#: src/cryptsetup.c:4040
-msgid "Invalid token action."
-msgstr "L'action de jeton est invalide."
-
-#: src/cryptsetup.c:4045
-msgid "--key-description parameter is mandatory for token add action."
-msgstr "Le paramètre --key-description est requis pour l'action d'ajout d'un jeton."
-
-#: src/cryptsetup.c:4051
-msgid "Action requires specific token. Use --token-id parameter."
-msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --token-id."
-
-#: src/cryptsetup.c:4062
+#: src/cryptsetup.c:3594
 msgid "Cannot disable metadata locking."
 msgstr "Impossible de désactiver le verrouillage des métadonnées."
@@ -2729,67 +2790,72 @@ msgstr "Impossible de créer le fichier de hachage racine %s en écriture."
 msgid "Cannot write to root hash file %s."
 msgstr "Impossible d'écrire dans le fichier de hachage racine %s."
-#: src/veritysetup.c:210 src/veritysetup.c:227
+#: src/veritysetup.c:198 src/veritysetup.c:476
+#, c-format
+msgid "Device %s is not a valid VERITY device."
+msgstr "Le périphérique %s n'est pas un périphérique VERITY valable."
+
+#: src/veritysetup.c:215 src/veritysetup.c:232
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Impossible de lire le fichier de hachage racine %s."
-#: src/veritysetup.c:215
+#: src/veritysetup.c:220
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Fichier de hachage racine %s invalide."
-#: src/veritysetup.c:236
+#: src/veritysetup.c:241
 msgid "Invalid root hash string specified."
 msgstr "Chaîne de hachage racine invalide."
-#: src/veritysetup.c:244
+#: src/veritysetup.c:249
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Fichier de signature %s invalide."
-#: src/veritysetup.c:251
+#: src/veritysetup.c:256
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Impossible de lire le fichier de signature %s."
-#: src/veritysetup.c:274 src/veritysetup.c:288
+#: src/veritysetup.c:279 src/veritysetup.c:293
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "La commande exige <hachage_racine> ou l'option --root-hash-file comme argument."
-#: src/veritysetup.c:478
+#: src/veritysetup.c:489
 msgid "<data_device> <hash_device>"
 msgstr "<périph_données> <périph_hachage>"
-#: src/veritysetup.c:478 src/integritysetup.c:445
+#: src/veritysetup.c:489 src/integritysetup.c:534
 msgid "format device"
 msgstr "formater le périphérique"
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<périph_données> <périph_hachage> [<hachage_racine>]"
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "verify device"
 msgstr "vérifier le périphérique"
-#: src/veritysetup.c:480
+#: src/veritysetup.c:491
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<périph_données> <nom> <périph_hachage> [<hachage_racine>]"
-#: src/veritysetup.c:482 src/integritysetup.c:448
+#: src/veritysetup.c:493 src/integritysetup.c:537
 msgid "show active device status"
 msgstr "afficher le statut du périphérique actif"
-#: src/veritysetup.c:483
+#: src/veritysetup.c:494
 msgid "<hash_device>"
 msgstr "<périph_hachage>"
-#: src/veritysetup.c:483 src/integritysetup.c:449
+#: src/veritysetup.c:494 src/integritysetup.c:538
 msgid "show on-disk information"
 msgstr "afficher les informations sur le disque"
-#: src/veritysetup.c:502
+#: src/veritysetup.c:513
 #, c-format
 msgid ""
 "\n"
@@ -2804,7 +2870,7 @@ msgstr ""
 "<périph_hachage> est le périphérique contenant les données de vérification\n"
 "<hachage_racine> hachage du nœud racine sur <périph_hachage>\n"
-#: src/veritysetup.c:509
+#: src/veritysetup.c:520
 #, c-format
 msgid ""
 "\n"
@@ -2815,28 +2881,46 @@ msgstr ""
 "Paramètres compilés par défaut dans dm-verity :\n"
 "\tHachage: %s, Bloc données (octets): %u, Bloc hachage (octets): %u, Taille aléa: %u, Format hachage: %u\n"
-#: src/veritysetup.c:646
+#: src/veritysetup.c:658
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Les options --ignore-corruption et --restart-on-corruption ne peuvent être utilisées ensembles."
-#: src/veritysetup.c:651
+#: src/veritysetup.c:663
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Les options --panic-on-corruption et --restart-on-corruption ne peuvent être utilisées ensembles."
-#: src/integritysetup.c:201
+#: src/integritysetup.c:177
+#, c-format
+msgid ""
+"This will overwrite data on %s and %s irrevocably.\n"
+"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
+msgstr ""
+"Ceci écrasera les données sur %s et %s de manière irrévocable.\n"
+"Pour préserver le périphérique de données, utilisez l'option --no-wipe (et ensuite activez-le avec --integrity-recalculate)."
+
+#: src/integritysetup.c:212
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formaté avec une taille de balise de %u, intégrité interne %s.\n"
-#: src/integritysetup.c:445 src/integritysetup.c:449
+#: src/integritysetup.c:289
+msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
+msgstr "Définir le fanion pour le recalcul n'est pas supporté, envisagez plutôt d'utiliser --wipe."
+
+#: src/integritysetup.c:364 src/integritysetup.c:521
+#, c-format
+msgid "Device %s is not a valid INTEGRITY device."
+msgstr "Le périphérique %s n'est pas un périphérique INTEGRITY valable."
+
+#: src/integritysetup.c:534 src/integritysetup.c:538
 msgid "<integrity_device>"
 msgstr "<périph_intégrité>"
-#: src/integritysetup.c:446
+#: src/integritysetup.c:535
 msgid "<integrity_device> <name>"
 msgstr "<périph_intégrigé> <nom>"
-#: src/integritysetup.c:468
+#: src/integritysetup.c:558
 #, c-format
 msgid ""
 "\n"
@@ -2847,7 +2931,7 @@ msgstr ""
 "<nom> est le périphérique à créer sous %s\n"
 "<périph_intégrité> est le périphérique contenant les données avec les balises d'intégrité\n"
-#: src/integritysetup.c:473
+#: src/integritysetup.c:563
 #, c-format
 msgid ""
 "\n"
@@ -2860,241 +2944,44 @@ msgstr "" "\tAlgorithme de somme de contrôle : %s\n" "\tTaille maximale du fichier de clé : %dko\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "La taille --%s n'est pas valide. Le maximum est %u octets." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Les options du fichier de clé et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Les options du fichier de clé de l'intégrité du journal et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "L'algorithme d'intégrité du journal doit être spécifié si la clé d'intégrité du journal est utilisée." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Les options du fichier de clé de chiffrement du journal et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "L'algorithme de chiffrement du journal doit être spécifié si la clé de chiffrement du journal est utilisée." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Les options de mode récupération et champ de bits sont mutuellement exclusives." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." 
msgstr "Les options de journal ne peuvent pas être utilisées en mode champ de bits." -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "Les options de champ de bits peuvent uniquement être utilisées en mode champ de bits." -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Re-chiffrement déjà en cours." - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé." - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "La réservation de la mémoire alignée a échoué." - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "Impossible de lire le périphérique %s." - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "Marque le périphérique LUKS1 %s comme inutilisable." - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "Activation du fanion de re-chiffrement hors-ligne de LUKS2 sur le périphérique %s." - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "Impossible d'écrire le périphérique %s." - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "Impossible d'écrire le journal de re-chiffrement." - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "Impossible de lire le journal de re-chiffrement." - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Format de journal incorrect." - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "Fichier journal %s existe. 
Reprise du re-chiffrement.\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "Activation du périphérique temporaire en utilisant l'ancien en-tête LUKS." - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "Activation du périphérique temporaire un utilisant le nouvel en-tête LUKS." - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "Échec de l'activation des périphériques temporaires." - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "Impossible de définir les offsets des données." - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "Impossible de définir la taille des métadonnées." - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "Nouvel en-tête LUKS créé pour le périphérique %s." - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Cette version de cryptsetup-reencrypt ne gère pas le nouveau type de jeton interne %s." - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "Échec lors de la lecture des fanions d'activation depuis l'en-tête de sauvegarde." - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "Échec lors de l'écriture des fanions d'activation dans le nouvel en-tête." - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "Échec lors de la lecture des exigences de l'en-tête de sauvegarde." - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "Sauvegarde de l'en-tête %s du périphérique %s créée." 
- -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "La création de la sauvegarde des en-têtes LUKS a échoué." - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "Impossible de rétablir l'en-tête %s sur le périphérique %s." - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "En-tête %s rétabli sur le périphérique %s." - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "Impossible d'ouvrir le périphérique LUKS temporaire." - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "Impossible d'obtenir la taille du périphérique." - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "Erreur E/S pendant le re-chiffrement." - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "Le UUID fourni est invalide." - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "Impossible d'ouvrir le journal de re-chiffrement." - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "Pas de déchiffrement en cours. Le UUID fourni ne peut être utilisé que pour reprendre un déchiffrement suspendu." - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "Les paramètres pbkdf ont été changés dans l'emplacement de clé %i." - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Seules les valeurs entre 1 MiB et 64 MiB sont permises pour la taille des blocs de re-chiffrement." - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." 
-msgstr "La taille maximum réduite pour le périphérique est 64 MiB." - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[OPTION...] <périph>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "Le re-chiffrement va changer : %s%s%s%s%s%s." - -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "clé de volume" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "change hachage en " - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", change chiffrement en " - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Argument requis." - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "L'option --new doit être utilisée avec --reduce-device-size ou --header." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "L'option --keep-key ne peut être utilisée que avec --hash, --iter-time ou --pbkdf-force-iterations²." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "L'option --new ne peut pas être utilisée avec --decrypt." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "L'option --decrypt est incompatible avec les paramètres spécifiés." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "L'option --uuid ne peut être utilisée qu'avec --decrypt." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Type luks invalide. Utilisez « luks », « luks1 » ou « luks2 »." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" 
@@ -3105,7 +2992,7 @@ msgstr "" "===========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3116,148 +3003,174 @@ msgstr "" "\n" "Êtes-vous sûr ? (Typez « yes » en majuscules) : " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Erreur de lecture de la réponse depuis le terminal." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Commande réussie." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "paramètres erronés ou manquants" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "Aucune permission ou mauvais mot de passe" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "mémoire épuisée" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "mauvais périphérique ou fichier spécifié" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "le périphérique existe déjà ou est utilisé" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "erreur inconnue" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "La commande a échoué avec le code %i (%s)." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Emplacement de clef %i créé." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Emplacement de clé %i déverrouillé." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Emplacement de clé %i supprimé." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Jeton %i créé." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Jeton %i supprimé." 
-#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "Aucun jeton n'a pu être déverrouillé avec ce code PIN." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Jeton %i requiert un code PIN." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Le jeton (type %s) exige un code PIN." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Le jeton %i ne sait pas déverrouiller le/les emplacement(s) de clé assigné(s) (mauvaise phrase secrète pour l'emplacement de clé)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Le jeton (type %s) ne sait pas déverrouiller le/les emplacement(s) de clé assigné(s) (mauvaise phrase secrète pour l'emplacement de clé)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Le jeton %i a besoin d'une ressource supplémentaire qui est manquante." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Le jeton (type %s) a besoin d'une ressource supplémentaire qui est manquante." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Aucun jeton (type %s) utilisable est disponible." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Aucun jeton utilisable est disponible." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Effacement interrompu." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Rechiffrement interrompu." 
- -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "Impossible de lire le fichier de clé %s." -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Échec à la lecture de %d octets du fichier de clé %s." -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Impossible d'ouvrir le fichier de clé %s en écriture." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Impossible d'écrire dans le fichier de clé %s." -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> jours" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> %s écrits" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "vitesse %5.1f %s/s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Progression : %5.1f%%, Fin prévue %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Terminé, temps %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Ne peut vérifier la qualité du mot de passe : %s" 
@@ -3271,59 +3184,63 @@ msgstr "" "Échec de la vérification de la qualité du mot de passe :\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Échec de la vérification de la qualité du mot de passe : Mauvais mot de passe (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "Erreur de lecture de la phrase secrète depuis la console." -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "Vérifiez la phrase secrète : " -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "Les phrases secrètes ne sont pas identiques." -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "Le décalage n'est pas possible si l'entrée provient de la console." -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "Saisissez la phrase secrète : " -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "Saisissez la phrase secrète pour %s : " -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "Aucune clé disponible avec cette phrase secrète." -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "Aucun emplacement de clé utilisable est disponible." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Impossible de vérifier une phrase secrète non saisie sur une console." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Impossible d'ouvrir le fichier %s en lecture seule." 
-#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Fournissez le jeton LUKS valide au format JSON:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "Impossible de lire le fichier JSON." -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3331,12 +3248,12 @@ msgstr "" "\n" "Lecture interrompue." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Impossible d'ouvrir le fichier %s en écriture seule." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3344,54 +3261,423 @@ msgstr "" "\n" "Écriture interrompue." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Erreur lors de l'écriture du fichier JSON." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Périphérique dm actif auto-détecté « %s » pour le périphérique de données %s.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Échec de l'auto-détection des containers du périphérique %s." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Le périphérique %s n'est pas un périphérique blocs.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Impossible de décider si le périphérique %s est actif ou non.\n" +"Êtes-vous sûr de vouloir procéder au rechiffrement en mode hors-ligne ?\n" +"Les données pourraient être corrompues si le périphérique est réellement activé.\n" +"Pour exécuter le rechiffrement en mode en ligne, utilisez le paramètre --active-name.\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Le périphérique %s n'est pas un périphérique bloc. Impossible de détecter s'il est actif ou non.\n" +"Utilisez --force-offline-reencrypt pour passer outre la vérification et exécuter en mode hors-ligne (dangereux !)." 
+ +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "L'option --resilience demandée ne peut pas être appliquée à l'opération de rechiffrement courante." + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Le périphérique n'est pas en cour de chiffrement LUKS2. Option --encrypt conflictuelle." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Le périphérique n'est pas en cours de déchiffrement LUKS2. Option --decrypt conflictuelle." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Le périphérique est en cours de rechiffrement en utilisant la résilience datashift. L'option --resilience demandée ne peut pas être appliquée." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Le périphérique requiert une récupération de rechiffrement. Exécuter d'abord une réparation." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS2. Voulez-vous redémarrer l'opération précédemment initialisée ?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Le rechiffrement LUKS2 historique n'est plus supporté." + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Le rechiffrement d'un périphérique avec un profil d'intégrité n'est pas supporté." 
+ +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" +"La taille de secteur demandée avec --sector-size %<PRIu32> est incompatible avec le superbloc %s\n" +"(taille de bloc : %<PRIu32> octets) détecté sur le périphérique %s." + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Le chiffrement sans en-tête détaché (--header) n'est pas possible sans une réduction de la taille du périphérique de données (--reduce-device-size)" + +#: src/utils_reencrypt.c:525 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Le décalage de données demandé doit être inférieur ou égal à la moitié du paramètre --reduce-device-size." + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Ajustement de la valeur de --reduce-device-size à deux fois --offset %<PRIu64> (secteurs).\n" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Le fichier temporaire d'en-tête %s existe déjà. Abandon." + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Impossible de créer le fichier temporaire d'en-tête %s." + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "La taille des métadonnées LUKS2 est plus grande que la valeur de décalage des données." + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Impossible de placer le nouvel en-tête au début du périphérique %s." 
+ +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne.\n" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Le périphérique actif %s n'est pas LUKS2." + +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "Restauration de l'en-tête LUKS2 original." + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "Échec de la restauration de l'en-tête LUKS2 original." + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Le fichier d'en-tête %s n'existe pas. Voulez-vous initialiser le déchiffrement LUKS2 du périphérique %s et exporter l'en-tête LUKS2 dans le fichier %s ?" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Échec de l'ajout des permissions lecture/écriture pour exporter le fichier d'en-tête." + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "L'initialisation du rechiffrement a échoué. La sauvegarde de l'en-tête est disponible dans %s." + +#: src/utils_reencrypt.c:873 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "Le déchiffrement LUKS2 est uniquement supporté avec un périphérique à l'en-tête détaché (avec l'offset de données défini à 0)." + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "Pas assez d'emplacements de clés libres pour le rechiffrement." + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." 
+msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif." + +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Entrez la phrase secrète pour l'emplacement de clé %d : " + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : " + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Basculement de l'algorithme de chiffrement de données vers %s.\n" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Aucun paramètre de segment de donnée changé. Rechiffrement abandonné." + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"L'augmentation de la taille du secteur de chiffrement n'est pas supportée sur un périphérique hors-ligne.\n" +"Activez d'abord le périphérique ou utilisez l'option --force-offline-reencrypt (dangereux !)." + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Rechiffrement interrompu." + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Redémarrage du rechiffrement LUKS en mode hors-ligne forcé.\n" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Le périphérique %s contient des métadonnées LUKS endommagées. L'opération est abandonnée." + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." 
+msgstr "Le périphérique %s est déjà un périphérique LUKS. L'opération est abandonnée." + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS. L'opération est abandonnée." + +#: src/utils_reencrypt.c:1453 +msgid "LUKS2 decryption requires --header option." +msgstr "Le déchiffrement LUKS2 requiert l'option --header." + +#: src/utils_reencrypt.c:1501 +msgid "Command requires device as argument." +msgstr "La commande exige un périphérique comme argument." + +#: src/utils_reencrypt.c:1514 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Versions conflictuelles. Le périphérique %s est LUKS1." + +#: src/utils_reencrypt.c:1520 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS1." + +#: src/utils_reencrypt.c:1526 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Versions conflictuelle. Le périphérique %s est LUKS2" + +#: src/utils_reencrypt.c:1532 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS2." + +#: src/utils_reencrypt.c:1538 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "Rechiffrement LUKS2 déjà initialisé. Abandon de l'opération." + +#: src/utils_reencrypt.c:1545 +msgid "Device reencryption not in progress." +msgstr "Le rechiffrement du périphérique n'est pas en cours." + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." 
+msgstr "La réservation de la mémoire alignée a échoué." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Impossible de lire le périphérique %s." + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "Marque le périphérique LUKS1 %s comme inutilisable." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Impossible d'écrire le périphérique %s." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Impossible d'écrire le journal de re-chiffrement." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Impossible de lire le journal de re-chiffrement." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Format de journal incorrect." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Fichier journal %s existe. Reprise du re-chiffrement.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Activation du périphérique temporaire en utilisant l'ancien en-tête LUKS." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Activation du périphérique temporaire un utilisant le nouvel en-tête LUKS." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Échec de l'activation des périphériques temporaires." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Impossible de définir les offsets des données." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Impossible de définir la taille des métadonnées." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Nouvel en-tête LUKS créé pour le périphérique %s." 
+ +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Sauvegarde de l'en-tête %s du périphérique %s créée." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "La création de la sauvegarde des en-têtes LUKS a échoué." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Impossible de rétablir l'en-tête %s sur le périphérique %s." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "En-tête %s rétabli sur le périphérique %s." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Impossible d'ouvrir le périphérique LUKS temporaire." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Impossible d'obtenir la taille du périphérique." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "Erreur E/S pendant le re-chiffrement." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Le UUID fourni est invalide." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "Impossible d'ouvrir le journal de re-chiffrement." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Pas de déchiffrement en cours. Le UUID fourni ne peut être utilisé que pour reprendre un déchiffrement suspendu." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "Le re-chiffrement va changer : %s%s%s%s%s%s." 
+ +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "clé de volume" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "change hachage en " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", change chiffrement en " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour une partition « %s ».\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour un superblock « %s ».\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Impossible d'initialiser les sondes de la signature du périphérique." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Impossible d'exécuter « stat » sur le périphérique %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Le périphérique %s est utilisé. Impossible de continuer avec l'opération de formatage." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Impossible d'ouvrir le fichier %s en mode lecture/écriture." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "La signature de partition « %s » existante sur le périphérique %s sera effacée." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." 
msgstr "La signature de superbloc « %s » existante sur le périphérique %s sera effacée." -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Impossible d'effacer la signature du périphérique." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Impossible de sonder le périphérique %s pour une signature." @@ -3401,16 +3687,16 @@ msgstr "Impossible de sonder le périphérique %s pour une signature." msgid "Invalid size specification in parameter --%s." msgstr "La spécification de taille est invalide dans le paramètre --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "L'option --%s n'est pas permise avec l'action %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Erreur lors de l'écriture du json du jeton ssh." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3426,110 +3712,110 @@ msgstr "" "\n" "Note : L'information fournie en ajoutant le jeton (adresse du serveur SSH, utilisateur et chemins) sont stockés dans l'en-tête LUKS2 sous forme de texte clair." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<action> <périphérique>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Options pour l'action « add » :" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "Adresse IP/URL du serveur distant pour ce jeton" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Nom d'utilisateur utilisé pour le serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Chemin vers le fichier de clé sur le serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Chemin vers la clé SSH pour se connecter au serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Emplacement de clé à assigner au jeton. Si non spécifié, le jeton sera assigné au premier emplacement de clé correspondant à la phrase secrète fournie." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Options génériques :" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Afficher des messages d'erreur plus détaillés" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Afficher les messages de débogage" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Montrer les messages de débogage incluant les métadonnées JSON" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Impossible d'ouvrir et d'importer la clé privée :\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Impossible d'importer la clé privée (protégée par mot de passe ?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "mot de passe de %s@%s : " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Échec lors de l'analyse des arguments.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Une action doit être spécifiée\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Le périphérique doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Le serveur SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "L'utilisateur SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Le chemin SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Le chemin de la clé SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Échec de l'ouverture de %s en utilisant les identifiants fournis.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Seule l'action « add » est actuellement supportée par ce greffon.\n" -#: 
tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "Impossible de créer la session sftp : " @@ -3537,6 +3823,10 @@ msgstr "Impossible de créer la session sftp : " msgid "Cannot init sftp session: " msgstr "Impossible d'initialiser la session sftp : " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Impossible d'ouvrir la session sftp : " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Impossible d'exécuter stat sur le fichier sftp : " 
@@ -3565,6 +3855,96 @@ msgstr "La méthode d'authentification par clé publique n'est pas permise sur l msgid "Public key authentication error: " msgstr "Erreur durant l'authentification par clé publique : " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "AVERTISSEMENT: L'offset des données est en dehors du périphérique de données actuellement disponible.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Impossible d'obtenir la priorité du processus." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Impossible de déverrouiller la mémoire." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Le répertoire de verrouillage %s/%s sera créé avec les permissions par défaut fournies durant la compilation." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Impossible de lire la signature BITLK depuis %s." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Signature invalide ou inconnue pour le périphérique BITLK." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Échec lors de l'effacement des données du segment de sauvegarde." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Impossible de désactiver le fanion de demande de rechiffrement." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Le chiffrement est uniquement supporté avec le format LUKS2." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Périphérique LUKS détecté sur %s. Voulez-vous chiffrer à nouveau ce périphérique LUKS ?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Seul le format LUKS2 est actuellement supporté. Veuillez utiliser l'outil cryptsetup-reencrypt pour LUKS1." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." 
+#~ msgstr "Un rechiffrement hors-ligne historique est déjà en cours. Utilisez l'utilitaire cryptsetup-reencrypt."
+
+#~ msgid "LUKS2 device is not in reencryption."
+#~ msgstr "Le périphérique LUKS2 n'est pas en rechiffrement."
+
+#~ msgid "Reencryption already in-progress."
+#~ msgstr "Re-chiffrement déjà en cours."
+
+#~ msgid "Setting LUKS2 offline reencrypt flag on device %s."
+#~ msgstr "Activation du fanion de re-chiffrement hors-ligne de LUKS2 sur le périphérique %s."
+
+#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
+#~ msgstr "Cette version de cryptsetup-reencrypt ne gère pas le nouveau type de jeton interne %s."
+
+#~ msgid "Failed to read activation flags from backup header."
+#~ msgstr "Échec lors de la lecture des fanions d'activation depuis l'en-tête de sauvegarde."
+
+#~ msgid "Failed to write activation flags to new header."
+#~ msgstr "Échec lors de l'écriture des fanions d'activation dans le nouvel en-tête."
+
+#~ msgid "Changed pbkdf parameters in keyslot %i."
+#~ msgstr "Les paramètres pbkdf ont été changés dans l'emplacement de clé %i."
+
+#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+#~ msgstr "Seules les valeurs entre 1 MiB et 64 MiB sont permises pour la taille des blocs de re-chiffrement."
+
+#~ msgid "Maximum device reduce size is 64 MiB."
+#~ msgstr "La taille maximum réduite pour le périphérique est 64 MiB."
+
+#~ msgid "[OPTION...] <device>"
+#~ msgstr "[OPTION...] <périph>"
+
+#~ msgid "Argument required."
+#~ msgstr "Argument requis."
+
+#~ msgid "Option --new must be used together with --reduce-device-size or --header."
+#~ msgstr "L'option --new doit être utilisée avec --reduce-device-size ou --header."
+
+#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
+#~ msgstr "L'option --keep-key ne peut être utilisée que avec --hash, --iter-time ou --pbkdf-force-iterations²."
+ +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "L'option --new ne peut pas être utilisée avec --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "L'option --decrypt est incompatible avec les paramètres spécifiés." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "L'option --uuid ne peut être utilisée qu'avec --decrypt." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Type luks invalide. Utilisez « luks », « luks1 » ou « luks2 »." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Le périphérique %s est utilisé. Impossible de continuer avec l'opération de formatage." + #~ msgid "No free token slot." #~ msgstr "Aucun emplacement de jeton libre" @@ -3890,9 +4270,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Sector size option is not supported for this command." #~ msgstr "L'option de taille de secteur n'est pas supportée pour cette commande." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "L'option --unbound peut uniquement être utilisée avec les actions luksAddKey et luksDump." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "L'option --refresh peut uniquement être utilisée avec l'action open." @@ -4073,9 +4450,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Read new volume (master) key from file" #~ msgstr "Lire la nouvelle clé (maîtresse) du volume depuis un fichier" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Temps d'itération de PBKDF2 pour LUKS (en ms)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Utiliser direct-io pour accéder aux périphériques" 
@@ -4115,9 +4489,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Parameter --refresh is only allowed with open or refresh commands." #~ msgstr "Le paramètre --refresh est permis uniquement avec les commandes open ou refresh." -#~ msgid "Cipher %s is not available." -#~ msgstr "Le chiffrement %s n'est pas disponible." - #~ msgid "Unsupported encryption sector size.\n" #~ msgstr "Taille de secteur de chiffrement non supportée.\n" @@ -4127,9 +4498,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Online reencryption in progress. Aborting." #~ msgstr "Un rechiffrement en-ligne est en cours. Interruption." -#~ msgid "No LUKS2 reencryption in progress." -#~ msgstr "Pas de rechiffrement LUKS2 en cours." - #~ msgid "Interrupted by a signal." #~ msgstr "Interrompu par un signal." @@ -4193,9 +4561,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Error: Calculated reencryption offset %<PRIu64> is beyond device size %<PRIu64>." #~ msgstr "Erreur: Le décalage de rechiffrement calculé %<PRIu64> est au delà de la taille du périphérique %<PRIu64>" -#~ msgid "Device is not in clean reencryption state." -#~ msgstr "Le périphérique n'est pas dans un état de rechiffrement propre." - #~ msgid "Failed to calculate new segments." #~ msgstr "Échec lors du calcul des nouveaux segments." @@ -4304,9 +4669,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n" #~ msgstr "ATTENTION : le périphérique %s est une partition. Pour le chiffrement de système TCRYPT, vous avez généralement besoin du chemin d'un périphérique bloc entier.\n" -#~ msgid "Kernel doesn't support plain64 IV.\n" -#~ msgstr "Le noyau ne supporte pas plain64 IV.\n" - #~ msgid "Enter LUKS passphrase: " #~ msgstr "Saisissez la phrase secrète LUKS : " diff --git a/po/ja.po b/po/ja.po index 6509598..db3799e 100644 
--- a/po/ja.po
+++ b/po/ja.po
@@ -1,14 +1,14 @@
 # Japanese messages for cryptsetup.
 # Copyright (C) 2019, 2020 Free Software Foundation, Inc.
 # This file is put in the public domain, to the extent permitted under applicable law.
-# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019, 2020, 2021
+# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019, 2020, 2021, 2022, 2023
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.4.2-rc0\n"
-"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2021-11-11 19:08+0100\n"
-"PO-Revision-Date: 2021-11-13 11:23+0900\n"
+"Project-Id-Version: cryptsetup 2.6.1-rc0\n"
+"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
+"POT-Creation-Date: 2023-02-01 15:58+0100\n"
+"PO-Revision-Date: 2023-02-02 20:52+0900\n"
 "Last-Translator: Hiroshi Takekawa <sian@big.or.jp>\n"
 "Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
 "Language: ja\n"
@@ -17,67 +17,71 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "device-mapper を初期化できません、non-root で実行します。" -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "device-mapper を初期化できません。dm_mod モジュールはロードされてますか?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "指定された延期フラグはサポートされていません。" -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "デバイス %s の DM-UUID は短縮されています。" -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "不明な dm target タイプです。" -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "指定された dm-crypt パフォーマンスオプションはサポートされていません。" -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "指定された dm-verity のデータ破壊時の対応についてのオプションはサポートされていません。" -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "指定された dm-verity のタスクレットオプションはサポートされていません。" + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." msgstr "指定された dm-verity の誤り訂正(FEC)オプションはサポートされていません。" -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." 
msgstr "指定されたデータの無改ざん確認のオプションはサポートされていません。" -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "指定された sector_size オプションはサポートされていません。" -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "指定された改ざん確認タグの自動再計算はサポートされていません。" -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM はサポートしていません。" -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "要求された dm-integrity のビットマップモードはサポートされていません。" -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "dm-%s のクエリーに失敗しました。" -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -85,576 +89,611 @@ msgstr "" "ボリュームキーを生成するためのエントロピー(この文脈では乱数の乱れ度合)が足りません。\n" "マウスを動かしたり、他のウィンドウで文字を入力したりしてみてください。\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "キー生成中 (%d%% 完了)。\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "FIPS モードで実行中。" -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "RNG(乱数生成器)初期化中に重大なエラーが発生しました。" -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "不明な RNG(乱数生成器) の質(quality)が要求されました。" -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "RNG(乱数生成器)から読み込み中にエラー。" -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "暗号向けRNG(乱数生成器)バックエンドの初期化ができません。" -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "暗号バックエンドの初期化ができません。" -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "ハッシュアルゴリズム %s がサポートされていません。" -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "鍵の処理でエラー (ハッシュ %s を使用)。" -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "デバイスタイプがわかりません。互換性のないデバイスのアクティベーションをしようとしていませんか?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "この操作は LUKS デバイスでしかサポートされていません。" -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "この操作は LUKS2 デバイスでしかサポートされていません。" -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." 
msgstr "キースロットがいっぱいです。" -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "キースロット %d は不正です。0 から %d の間を選んでください。" -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "キースロット %d は使われています。別の番号を選んでください。" -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "デバイスサイズが論理ブロックサイズのアライメントに合いません。" -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "ヘッダが検出されましたがデバイス %s が小さすぎます。" -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "この操作はこのデバイスタイプではサポートされていません。" -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "オフラインでの再暗号化中です。中止します。" -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "メモリ上の LUKS2 メタデータのロールバックに失敗しました。" + +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "デバイス %s は有効な LUKS デバイスではありません。" + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." 
msgstr "LUKS バージョン %d はサポートされていません。" -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "デバイス %s はアクティブではありません。" -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "暗号化されたデバイス %s の元になるデバイスが消滅しました。" -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "不正な plain crypt のパラメータ。" -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "不正なキーサイズ。" -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "UUID はこの暗号タイプではサポートされていません。" -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "分離したメタデータデバイスはこの暗号タイプではサポートされていません。" -#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "サポートされていない暗号化セクタサイズです。" -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。" -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "デバイスなしには LUKS 形式にフォーマットできません。" -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." 
msgstr "要求されたデータアライメントとデータオフセットが合いません。" -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "警告: データオフセットが現在利用可能なデータの外にあります。\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "デバイス %s のヘッダを消し去れません。" -#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "デバイス %s はアクティベートするのに小さすぎます。データ用のスペースがありません。\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "警告: デバイスアクティベーションが失敗しました。dm-crypt が要求された暗号セクタサイズをサポートしていません。\n" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "ボリュームキーは改ざん耐性拡張のため暗号には鍵長が小さすぎます。" -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "暗号 %s-%s (キーサイズ %zd ビット) は利用できません。" -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "警告: LUKS2 メタデータサイズが %<PRIu64> バイトに変更されました。\n" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "警告: LUKS2 キースロット領域サイズが %<PRIu64> バイトに変更されました。\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." 
msgstr "デバイス %s のサイズが小さすぎます。" -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "デバイス %s は使用中のためフォーマットできません。" -#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "デバイス %s は権限がないためフォーマットできません。" -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "デバイス %s を改ざん耐性がつくようフォーマットできません。" -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "デバイス %s をフォーマットできません。" -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "LOOPAES としてフォーマットするにはデバイスが必要です。" -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "VERITY としてフォーマットするにはデバイスが必要です。" -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "VERITY ハッシュタイプ %d はサポートしていません。" -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "サポートしていない VERITY ブロックサイズです。" -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "サポートしていない VERITY ハッシュオフセットです。" -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "サポートしていない VERITY FEC オフセットです。" -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "データ領域がハッシュ領域と重なっています。" -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "ハッシュ領域が FEC 領域と重なっています。" -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." 
msgstr "データ領域が FEC 領域と重なっています。" -#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "警告: 指定されたタグのサイズ %d バイトが %s の出力サイズと異なります (%d バイト)。\n" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "不明な暗号デバイスタイプ %s が指定されました。" -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "デバイス %s のパラメータはサポートしていません。" -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "デバイス %s のパラメータがミスマッチしています。" -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Crypt デバイスが一致しません。" -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "デバイス %s のリロードに失敗しました。" -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." 
msgstr "デバイス %s のサスペンドに失敗しました。" -#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "デバイス %s のリジュームに失敗しました。" -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "デバイス %s のリロード中に致命的なエラー(デバイス %s の上で)。" -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "デバイス %s を dm-error にスイッチできません。" -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "ループデバイスはリサイズできません。" -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "警告: 最大サイズが既に設定済かカーネルがリサイズをサポートしていません。\n" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "リサイズに失敗しました。カーネルがサポートしていません。" + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "デバイスの UUID を本当に変更してもいいですか?" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "ヘッダのバックアップファイルの中味が LUKS ヘッダと互換性がありません。" -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "ボリューム %s はアクティブではありません。" -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "ボリューム %s は既に停止されています。" -#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." msgstr "デバイス %s の停止はサポートされていません。" -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." 
msgstr "デバイス %s 停止中にエラー。" -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "デバイス %s は再開をサポートしていません。" -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "デバイス %s の再開中にエラー。" -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "ボリューム %s は停止されていません。" -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "ボリュームキーがボリュームに合いません。" -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。" - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "新しいキースロットを交換できませんでした。" -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "キースロット %d は不正です。" -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "キースロット %d は非アクティブです。" -#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "デバイスヘッダがデータ領域に重なっています。" -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." 
msgstr "既に再暗号化中です。デバイスをアクティベートできません。" -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "再暗号化ロックを取得できません。" -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "LUKS2 の再暗号化は既に初期化されました。" -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "デバイスタイプが正しく初期化されていません。" -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "デバイス %s は既に存在します。" -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "デバイス %s を使えません。名前が不正か使用中です。" -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "正しくないボリュームキーがプレーンデバイスに指定されました。" -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." msgstr "正しくないルートハッシュが verity デバイスに指定されました。" -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "ルートハッシュ署名が必要です。" -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "署名をカーネルに渡すのに必要なカーネルキーリングをカーネルがサポートしていません。" -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "キーをカーネルキーリングにロードできません。" -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." 
msgstr "デバイス %s からの遅延削除をキャンセルできませんでした。" -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "デバイス %s は使用中です。" -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "デバイス %s は不正です。" -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "ボリュームキーのバッファが小さすぎます。" -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "LUKS2 デバイス向けのボリュームキーが取得できません。" + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "LUKS1 デバイス向けのボリュームキーが取得できません。" + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "プレーンデバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "verity デバイスのルートハッシュが読み出せません。" -#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "BITLK デバイス向けのボリュームキーが取得できません。" + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "FVAULT2 デバイス向けのボリュームキーが取得できません。" + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "この操作は %s 暗号化デバイスではサポートされていません。" -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "このデバイスタイプはダンプ操作をサポートしていません。" -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "データオフセットが %u バイトの倍数である必要があります。" -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." 
msgstr "使用中のデバイス %s を変換できません。" -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "新しいボリュームキー向けのキースロット %u を確保できません。" -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "デフォルト LUKS2 キースロットパラメータを初期化できません。" -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "ダイジェストするためのキースロット %d が確保できません。" -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。" + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "カーネルがカーネルキーリングをサポートしていません。" -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "キーリングからパスフレーズが読み出せません (エラー %d)。" -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "グローバル memory-hard アクセス直列化ロックが取れません。" -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "プロセス優先度を取得できません。" - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "メモリをアンロックできません。" - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "キーファイルがオープンできません。" -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "ターミナルからキーファイルを読みこめません。" -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "キーファイルを stat() できません。" -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." 
msgstr "指定されたキーファイルオフセットにシークできません。" -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "パスフレーズ読み込み中にメモリが不足しました。" -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "パスフレーズの読み込みでエラー。" -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "読もうとしたら入力が空です。" -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "キーファイルが最大サイズを超えています。" -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "指定されたサイズのデータを読み込めません。" -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "デバイス %s は存在しないかアクセスが拒否されました。" -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "デバイス %s は互換性がありません。" -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "データデバイスのおかしな(bogus) optimal-io サイズ (%u バイト) は無視します。" -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "デバイス %s が小さすぎます。少なくとも %<PRIu64> バイト必要です。" -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "デバイス %s は使用中で使えません (既にマップされているかマウントされています)。" -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "デバイス %s が使えません、拒否されました。" -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." 
msgstr "デバイス %s についての情報が取得できません。" -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "ループバックデバイスが使えません、非 root ユーザで実行していませんか。" -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "ループデバイスのアタッチできません (autoclear 付きのループデバイスが必要です)。" -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "指定されたオフセットはデバイス %s の実際のサイズを超えています。" -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "デバイス %s のサイズが 0 です。" 
@@ -708,40 +747,35 @@ msgstr "要求された PBKDF 並列スレッド数は 0 ではいけません
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "FIPS モードでは PBKDF2 しかサポートしていません。"
 
-#: lib/utils_benchmark.c:172
+#: lib/utils_benchmark.c:175
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "PBKDF ベンチマークが無効ですが繰り返し回数が設定されていません。"
 
-#: lib/utils_benchmark.c:191
+#: lib/utils_benchmark.c:194
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "PBKDF2 と互換性のないオプションです (ハッシュアルゴリズム %s)。"
 
-#: lib/utils_benchmark.c:211
+#: lib/utils_benchmark.c:214
 msgid "Not compatible PBKDF options."
 msgstr "互換性のない PBKDF オプションです。"
 
-#: lib/utils_device_locking.c:102
+#: lib/utils_device_locking.c:101
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (ディレクトリでないか存在していません)。"
 
-#: lib/utils_device_locking.c:109
-#, c-format
-msgid "Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr "ロックディレクトリ %s/%s がコンパイル時に指定されたパーミッションで作成されます。"
-
-#: lib/utils_device_locking.c:119
+#: lib/utils_device_locking.c:118
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (%s はディレクトリではありません)。"
 
-#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922
-#: src/cryptsetup_reencrypt.c:1010
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
 msgid "Cannot seek to device offset."
 msgstr "デバイスオフセットまで seek できません。"
 
-#: lib/utils_wipe.c:208
+#: lib/utils_wipe.c:247
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "デバイスのワイプでエラー, オフセット %<PRIu64>."
@@ -763,9 +797,9 @@ msgstr "XTS モードのキーサイズは 256 か 512 ビットでなければ
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "暗号の指定は [暗号]-[モード]-[初期ベクタ] という形式であるべきです。"
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125
-#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
+#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "デバイス %s に書き込めません。パーミッションがありません。"
@@ -778,23 +812,24 @@ msgstr "一時的なキーストアデバイスを開けません。"
 msgid "Failed to access temporary keystore device."
 msgstr "一時的なキーストアデバイスにアクセスできません。"
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
-#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
+#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192
 msgid "IO error while encrypting keyslot."
 msgstr "キースロットを暗号化中にI/Oエラーが発生しました。"
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677
-#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320
-#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349
-#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263
-#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279
-#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
+#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679
+#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
+#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
+#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
+#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
+#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
+#: src/utils_reencrypt_luks1.c:133
 #, c-format
 msgid "Cannot open device %s."
 msgstr "デバイス %s を開けません。"
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
 msgid "IO error while decrypting keyslot."
 msgstr "キースロットを復号化中にI/Oエラーが発生しました。"
 
@@ -810,65 +845,54 @@ msgstr "デバイス %s が小さすぎます。(LUKS1 は最低でも %<PRIu64> msgid "LUKS keyslot %u is invalid." msgstr "LUKS キースロット %u は不正です。" -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "デバイス %s は有効な LUKS デバイスではありません。" - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "要求されたヘッダバックアップファイル %s は既に存在しています。" -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "ヘッダバックアップファイル %s が作成できません。" -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "ヘッダバックアップファイル %s に書き込めません。" -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "バックアップファイルが有効な LUKS ヘッダを含んでいません。" -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." 
msgstr "ヘッダバックアップファイル %s をオープンできません。" -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "ヘッダバックアップファイル %s を読めません。" -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "データオフセットかキーサイズがデバイスとバックアップで異なるのでリストアできません。" -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "デバイス %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "LUKS ヘッダが含まれていません。ヘッダを置き換えるとデバイスのデータを破壊する恐れがあります。" -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "LUKS ヘッダを既に含んでいます。ヘッダを置き換えると既にあるキースロットを破壊します。" -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" 
@@ -876,126 +900,130 @@ msgstr "" "\n" "警告: 実デバイスのヘッダはバックアップとUUIDが異なります!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "標準的でないキーサイズなので、手動の修復が必要です。" -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "標準的でないキースロットアライメントなので、手動の修復が必要です。" -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "暗号モードを修復しました (%s -> %s)。" -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "暗号ハッシュを小文字に修復しました (%s)。" -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "要求された LUKS ハッシュ %s はサポートしていません。" -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "キースロットを修復中です。" -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "キースロット %i: オフセットを修復 (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "キースロット %i: のストライプを修復 (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "キースロット %i: パーティションの印(signature)がおかしいです。" -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "キースロット %i: ソルトを消しました。" -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "LUKS ヘッダを書きこんでいます。" -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." 
msgstr "修復に失敗しました。" -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "LUKS 暗号モード %s は不正です。" -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "LUKS ハッシュ %s は不正です。" -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "LUKS ヘッダに既知の不具合は検出されませんでした。" -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "デバイス %s の LUKS ヘッダを更新中にエラーが発生しました。" -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "デバイス %s の LUKS ヘッダを更新後の再読み込み中にエラーが発生しました。" -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "LUKS ヘッダのデータへのオフセットは 0 かヘッダサイズより大きくなければいけません。" -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "LUKS UUID の形式が間違っています。" -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "LUKS ヘッダを作成できません: ランダムなソルトを読み込めません。" -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "LUKS ヘッダを作成できません: ヘッダのハッシュが求められません (ハッシュには %s を使用)。" -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." 
msgstr "キースロット %d が使用中なので、パージしてください。" -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "キースロット %d のストライプが少なすぎます。ヘッダを細工でもしましたか?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "PBKDF2 イテレーション回数がオーバーフローしました。" + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "キースロットをオープンできません (ハッシュ %s を使用)。" -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "キースロット %d は不正です。0 から %d の間を選んでください。" -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "デバイス %s をワイプできません。" 
@@ -1016,215 +1044,233 @@ msgstr "互換性のない loop-AES キーファイルが検出されました msgid "Kernel does not support loop-AES compatible mapping." msgstr "カーネルが loop-AES 互換マッピングをサポートしていません。" -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "キーファイル %s を読み込み中にエラー。" -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "TCRYPT パスフレーズの最大長 (%zu) を超えました。" -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "PBKDF2 ハッシュアルゴリズム %s が利用できないのでスキップします。" -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "必要なカーネル crypto インターフェースが使用できません。" -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "algif_skcipher カーネルモジュールをロードしてください。" -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "アクティベーションは %d セクタサイズではサポートしていません。" -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "カーネルが TCRYPT レガシーモードのアクティベーションをサポートしていません。" -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "TCRYPT システム暗号をパーティション %s に対してアクティベーションしました。" -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "カーネルが TCRYPT 互換のマッピングをサポートしていません。" -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." 
msgstr "この機能は TCRYPT ヘッダの読み込みなしではサポートしません。" -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "ボリュームマスターキーを解釈中に不正な文字列が見つかりました。" -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "ボリュームマスターキーを解釈中に予期しない文字列 ('%s') が見つかりました。" -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "%s から BITLK シグネチャを読み込めませんでした。" - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "BITLK デバイスのシグネチャが不正また不明です。" - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "BITLK version 1 はサポートされていません。" -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "BITLK デバイスのブートシグネチャが不正また不明です。" -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "サポートされていないセクタサイズ %<PRIu16> です。" -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "%s から BITLK ヘッダを読み出すのに失敗しました。" -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "%s から BITLK FVE メタデータを読み込めませんでした。" -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." 
msgstr "不明かサポートされていない暗号化タイプです。" -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "%s から BITLK メタデータエントリを読み込めませんでした。" -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "BITLKボリュームの description を変換できません。" + +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "外部キーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:905 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "BEK ファイル GUID '%s' がボリュームの GUID と一致しません。" + +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "外部キーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "サポートされていない BEK メタデータバージョン %<PRIu32> です。" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "予期しない BEK メタデータサイズ %<PRIu32> は BEK ファイルサイズと合いません" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." msgstr "スタートアップキーを解釈中に予期しないメタデータエントリが見つかりました。" -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "この操作はサポートされていません。" -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "予期しないキーデータサイズです。" -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "この BITLK デバイスはサポートされてない状態にあるためアクティベートできません。" -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." 
msgstr "タイプ '%s' の BITLK デバイスはアクティベートできません。" -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "部分的に復号された BITLK デバイスのアクティベーションはサポートされていません。" -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1262 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "警告: BitLocker ボリュームサイズ %<PRIu64> がデバイスサイズ %<PRIu64> と一致しません" + +#: lib/bitlk/bitlk.c:1389 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "カーネルの dm-crypt が BITLK IV をサポートしていないためデバイスをアクティベートできません。" -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1393 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "カーネルの dm-crypt が BITLK Elephant diffuser をサポートしていないためデバイスをアクティベートできません。" -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1397 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "カーネルの dm-crypt がラージセクタサイズをサポートしていないためデバイスをアクティベートできません。" + +#: lib/bitlk/bitlk.c:1401 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "カーネルの dm-zero モジュールがないためデバイスをアクティベートできません。" + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "ボリュームヘッダの %u バイトを読みこめませんでした。" + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "FVAULT2 のバージョン %<PRIu16> はサポートされていません。" + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Verity デバイス %s はディスク上のヘッダを使いません。" -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "デバイス %s が有効な VERITY デバイスではありません。" - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." 
msgstr "VERITY バージョン %d はサポートされていません。" -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "VERITY ヘッダが壊れています。" -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "デバイス %s の VERITY UUID フォーマットが間違っています。" -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "デバイス %s の verity ヘッダを更新中にエラー。" -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "ルートハッシュ署名の検証はサポートしていません。" -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "FEC デバイスのエラーが修復できません。" -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "FEC デバイスに %u 個の修復可能なエラーが見つかりました。" -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "カーネルが dm-verity マッピングをサポートしていません。" -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "カーネルが dm-verity 署名オプションをサポートしていません。" -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "アクティベーションされた Verity デバイスが破損が見つかりました。" 
@@ -1296,46 +1342,51 @@ msgstr "ブロック %<PRIu64> のパリティが修復できませんでした msgid "Failed to write parity for RS block %<PRIu64>." msgstr "Reed-Solomon ブロック %<PRIu64> のパリティの書き込みに失敗しました。" -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "ブロックサイズが FEC と合っていません。" -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "パリティのバイト数が不正です。" -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "FEC セグメント長が不正です。" -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "デバイス %s のサイズが不明です。" -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "互換性のないカーネルの dm-integrity のメタデータ (バージョン %u) が %s に検出されました。" + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 msgid "Kernel does not support dm-integrity mapping." msgstr "カーネルが dm-integrity マッピングをサポートしていません。" -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "カーネルが dm-integrity 固定メタデータアラインメントをサポートしていません。" -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "カーネルが安全でない再計算オプションを拒否しました (レガジーアクティベーションオプションでオーバーライドできます)。" -#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 +#: lib/luks2/luks2_json_metadata.c:1482 #, c-format msgid "Failed to acquire write lock on device %s." 
msgstr "デバイス %s の書き込みのためのロックを取得できませんでした。" -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "LUKS2 メタデータの更新の並列実行をしそうになりました。実行を中止します。" -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." 
@@ -1343,49 +1394,49 @@ msgstr "" "デバイスのシグネチャが曖昧なので、LUKS2 の自動修復ができません。.\n" "修復するには \"cryptsetup repair\" を実行してください。" -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:229 msgid "Requested data offset is too small." msgstr "要求されたデータオフセットが小さすぎます。" -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:274 #, c-format msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "警告: キースロット領域 (%<PRIu64> バイト) がとても小さいため、利用可能な LUKS2 キースロット数が制限されます。\n" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 +#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "デバイス %s の読み込みのためのロックを取得できませんでした。" -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1405 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "禁止された LUKS2 要求がバックアップ %s に検出されました。" -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1446 msgid "Data offset differ on device and backup, restore failed." msgstr "データオフセットがデバイスとバックアップと異なるため修復できません。" -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1452 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "キースロット領域のあるバイナリヘッダのサイズがデバイスとバックアップで異なるため修復できません。" -#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1459 #, c-format msgid "Device %s %s%s%s%s" msgstr "デバイス %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1460 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." 
msgstr "LUKS2 ヘッダが含まれていません。ヘッダを置き換えるとデータを破壊しかねません。" -#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1461 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "既に LUKS2 ヘッダがあります。ヘッダを置き換えると既にあるキースロットを破壊します。" -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1463 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1395,7 +1446,7 @@ msgstr "" "警告: 不明な LUKS2 への要求がリアルデバイスヘッダにあります!\n" "ヘッダをバックアップで置き換えるとデータを破壊する恐れがあります!" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1465 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" 
@@ -1405,408 +1456,471 @@ msgstr "" "警告: オフラインの再暗号化が終了していません!\n" "ヘッダを置き換えるとデータを破壊しかねません。" -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1562 #, c-format msgid "Ignored unknown flag %s." msgstr "不明なフラグ %s を無視しました。" -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "dm-crypt セグメント %u にキーがありません" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 msgid "Failed to set dm-crypt segment." msgstr "dm-crypt セグメントの設定に失敗しました。" -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 msgid "Failed to set dm-linear segment." msgstr "dm-linear セグメントの設定に失敗しました。" -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2615 msgid "Unsupported device integrity configuration." msgstr "サポートしていないデバイス整合性設定です。" -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2701 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "再暗号化が実行中なのでデバイスのデアクティベートできません。. Cannot deactivate device." -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "サスペンドされたデバイス %s を dm-error ターゲットで置き換えられません。" -#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2792 msgid "Failed to read LUKS2 requirements." msgstr "LUKS2 の必要条件を読み込めませんでした。" -#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2799 msgid "Unmet LUKS2 requirements detected." 
msgstr "満たせない LUKS2 の必要条件があります。" -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2807 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "操作がレガシー再暗号化とマークされたデバイスと互換性がありません。中止します。" -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2809 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "操作が LUKS2 再暗号化とマークされたデバイスと互換性がありません。中止します。" -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 msgid "Not enough available memory to open a keyslot." msgstr "キースロットをオープンするのにメモリが足りません。" -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 msgid "Keyslot open failed." msgstr "キースロットのオープンに失敗しました。" -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "キースロットの暗号化に %s- %s 暗号は使えません。" -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "ハッシュアルゴリズム %s が利用できません。" + +#: lib/luks2/luks2_keyslot_luks2.c:510 msgid "No space for new keyslot." msgstr "新しいキースロット用の領域がありません。" -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "不正な再暗号化耐性モード変更を要求されました。" + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes." 
+msgstr "耐性タイプを更新できません。新しいタイプは %<PRIu64> バイトしかありませんが、%<PRIu64> バイト必要です。" + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "再暗号化検証ダイジェストのリフレッシュに失敗しました。" + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "UUID が %s のデバイスの状態が確認できません。" -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "LUKSMETA メタデータ付きのヘッダは変換できません。" -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "暗号スペック %s-%s は LUKS2 に使えません。" + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." msgstr "領域が足りないのでキースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "LUKS2 形式に変換できません - メタデータが不正です。" + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "LUKS2 キースロット領域が足りないのでキースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "キースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "LUKS1 形式に変換できません - デフォルトの暗号セクタサイズが 512 バイトではありません。" -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." 
msgstr "LUKS1 形式に変換できません - キースロットのハッシュ関数が LUKS1 互換ではありません。" -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "LUKS1 形式に変換できません - ラップされたキーの暗号に %s が使われています。" -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "LUKS1 形式に変換できません - デバイスが多くのセグメントを使っています。" + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "LUKS1 形式に変換できません - LUKS2 ヘッダ %u 個のトークンを含んでいます。" -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "LUKS1 形式に変換できません - キースロット %u が不正な状態です。" -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "LUKS1 形式に変換できません - スロット %u が(最大個数を超過して)有効です。" -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "LUKS1 形式に変換できません - キースロット %u が LUKS1 と互換ではありません。" -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "ホットゾーンサイズは計算されたゾーンアライメントの倍数である必要がありす (%zu バイト)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." 
msgstr "デバイスサイズが計算ゾーンアライメント (%zu バイト) に合っていません。" -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "弾性(resilience)モード %s はサポートしていません" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "古いセグメントのストレージラッパの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "新しいセグメントのストレージラッパの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +msgid "Failed to initialize hotzone protection." +msgstr "ホットゾーン保護の初期化に失敗しました。" + +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "現在のホットゾーンのチェックサムを読み込めません。" -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "%<PRIu64> から始めるホットゾーンエリアを読み込めません。" -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "セクタ %zu を復号できません。" -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "セクタ %zu を復元できません。" -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "ソースとターゲットデバイスのサイズが一致しません。ソース %<PRIu64>, ターゲット: %<PRIu64>." 
-#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "ホットゾーンデバイス %s がアクティベートできません。" -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "実際の origin table があるオーバーレイデバイス %s をアクティベートできません。" -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "デバイス %s の新しいマッピングをロードできません。" -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "再暗号化デバイススタックのリフレッシュに失敗しました。" -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "新しいキースロットエリアサイズを設定できません。" -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "データシフトが要求された暗号化セクタサイズにアラインされていません(%<PRIu32> bytes)。" +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "データシフト値が要求された暗号化セクタサイズにアラインされていません(%<PRIu32> バイト)。" -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "データデバイスが要求された暗号化セクタサイズにアラインされていません(%<PRIu32> bytes)." +msgid "Unsupported resilience mode %s" +msgstr "耐性(resilience)モード %s はサポートしていません" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2760 +msgid "Moved segment size can not be greater than data shift value." +msgstr "移動されるセグメントサイズはデータシフト値より大きくできません。" + +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." 
+msgstr "不正な再暗号化耐性パラメータを要求されました。" + +#: lib/luks2/luks2_reencrypt.c:2824 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "移動されるセグメントが大きすぎます。要求されているサイズは %<PRIu64> ですが、使えるサイズは %<PRIu64> です。" + +#: lib/luks2/luks2_reencrypt.c:2911 +msgid "Failed to clear table." +msgstr "テーブルをクリアできません。" + +#: lib/luks2/luks2_reencrypt.c:2997 +msgid "Reduced data size is larger than real device size." +msgstr "小さくしたデータサイズが実際のデバイスサイズより大きいです。" + +#: lib/luks2/luks2_reencrypt.c:3004 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "データデバイスが暗号化セクタサイズにアラインされていません(%<PRIu32> バイト)." + +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "データシフト (%<PRIu64> セクタ) が今後のデータオフセットより少ないです (%<PRIu64> セクタ)。" -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "デバイス %s を排他モードでオープンでません (既にマップされているかマウントされています)。" -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "デバイスは LUKS2 再暗号化向けにマークされていません。" -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "LUKS2 再暗号化コンテキストをロードできません。" -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." msgstr "再暗号化状態を取得できません。" -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." 
msgstr "デバイス %s は再暗号化中ではありません。" -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "既に再暗号化中です。" -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "再暗号化ロックを取得できません。" -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "再暗号化を開始できません。再暗号化のリカバリを先にしてください。" -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "実際のデバイスサイズと要求された再暗号化サイズが一致しません。" -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "再暗号化のパラメータとして不正なデバイスサイズが要求されました。" -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "既に再暗号化中です。復元を実行できません。" -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "メタデータの LUKS2 の再暗号化は既に初期化されました。" -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "メタデータの LUKS2 再暗号化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "デバイスセグメントの次の再暗号化ホットゾーンの設定に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "再暗号化した耐性用メタデータを書き込めません。" -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." 
msgstr "復号に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "%<PRIu64> から始まるホットゾーンエリアに書き込めません。" -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "データを sync できません。" -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "現在のホットゾーンの再暗号化完了後にメタデータが更新できません。" -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "LUKS2 メタデータが書き込めません。" -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "バックアップセグメントデータを消せません。" +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." +msgstr "未使用データデバイス領域を消せません。" -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "再暗号化の要求(requirement)フラグを禁止できません。" +#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "未使用のキースロット %d を削除できませんでした。" -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "再暗号化キースロットが削除できません。" + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." msgstr "%<PRIu64> から %<PRIu64> セクタのチャンクの再暗号化中に致命的なエラー。" -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "オンライン再暗号化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "手動でエラーターゲットに置き換えた場合以外はデバイスのレジュームをしないでください。" -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. 
Unexpected reencryption status." msgstr "再暗号化を開始できません。予期しない再暗号化状態です。" -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "ないか不正な再暗号化コンテキストです。" -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "再暗号化デバイススタックの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." msgstr "再暗号化コンテキストが更新できません。" -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "tty 入力以外ではパスフレーズ認証できません。" +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "再暗号化メタデータが不正です。" -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "キースロットの暗号化パラメータは LUKS2 デバイスでしか設定できません。" -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "トークンPINを入力してください:" +msgid "Enter token PIN: " +msgstr "トークンPINを入力してください: " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "トークン %d PINを入力してください:" +msgid "Enter token %d PIN: " +msgstr "トークン %d PINを入力してください: " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." 
msgstr "未知の暗号スペックです。" -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "警告: --hash パラメータは plain モードでキーファイルが指定されていると無視されます。\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "警告: --keyfile-size オプションは無視されて、読み込みサイズは暗号鍵のサイズと同じになります。\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "%s にデバイス署名が検出されました。既にあるデータを破壊しかねません。" -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "中止されました。\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "オプション --key-file が必要です。" -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "VeraCrypt PIM を入力してください: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "不正な PIM: 解釈できません。" -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "不正 PIM の値で 0 です。" -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." msgstr "不正な PIM の値: 範囲外です。" -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." 
msgstr "このパスフレーズではデバイスヘッダが検出されませんでした。" -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "デバイス %s は有効な BITLK デバイスではありません。" -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "BITLK のボリュームキーサイズが決定できないので、--key-size を使ってください。" -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1816,7 +1930,7 @@ msgstr "" "暗号化されたパーティションにパスフレーズなしでアクセス可能にます。\n" "このダンプは暗号化された安全な所に保存してください。" -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1826,88 +1940,113 @@ msgstr "" "暗号化されたパーティションにパスフレーズなしでアクセス可能になります。\n" "このダンプは暗号化された安全な所に保存してください。" -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "デバイス %s は有効な FVAULT2 デバイスではありません。" + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "FVAULT2 のボリュームキーサイズが決定できないので、--key-size を使ってください。" + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "デバイス %s はまたアクティブで後から削除される予定になっています。.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "アクティブなデバイスをリサイズするにはボリュームキーがキーリングに必要ですが、--disable-keyring が指定されています。" -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "ベンチマークが中止されました。" -#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s 計測値なし\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u 回/秒 (%zu ビットの鍵)\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s 計測値なし\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u 回, %5u KB使用, %1u スレッド (%zu のビットの鍵) (%u ms 計測)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "ベンチマークの結果は信頼できません。" -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# テストはストレージI/Oがなくメモリ上のもののため目安です。\n" #. 
TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithm | キー | 暗号化 | 復号化\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "暗号 %s (キーサイズ %i ビット) は利用できません。" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithm | キー | 暗号化 | 復号化\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "計測値なし" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"デバイスは再暗号化のリカバリを必要としていなそうです。\n" -"本当にやりますか?" +"保護されていない LUKS2 再暗号化メタデータが検出されました。再暗号化操作が望ましいものか確認してください。(luksDump の出力を見てください)\n" +"そのうえで、この操作が問題ないと確認できたら継続(メタデータのアップグレード)してください。" -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "再暗号化メタデータの保護とアップグレードのためのパスフレーズを入力してください: " + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "本当に LUKS2 再暗号化リカバリを行いますか?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "再暗号化メタデータダイジェストを検証するためのパスフレーズを入力してください: " + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "再暗号化のリカバリのためのパスフレーズを入力してください: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" 
msgstr "本当に LUKS デバイスヘッダの復元を試みていいですか?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"ワイプが中断されました。" + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1915,113 +2054,128 @@ msgstr ""
 "整合性チェックサムの初期化のためにデバイスのデータを消去しています。\n"
 "CTRL+c で中止できます (初期化されなかったデバイスのチェックサムは正しくなくなります)。\n"
 
-#: src/cryptsetup.c:1299 src/integritysetup.c:112
+#: src/cryptsetup.c:1341 src/integritysetup.c:116
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "一時的デバイス %s を非アクティブにできません。"
 
-#: src/cryptsetup.c:1363
+#: src/cryptsetup.c:1392
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "整合性オプションは LUKS2 形式でしか使えません。"
 
-#: src/cryptsetup.c:1368 src/cryptsetup.c:1428
+#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "サポートされていない LUKS2 メタデータのサイズオプションです。"
 
-#: src/cryptsetup.c:1377
+#: src/cryptsetup.c:1406
 msgid "Header file does not exist, do you want to create it?"
 msgstr "ヘッダファイルがありません。作成しますか?"
 
-#: src/cryptsetup.c:1385
+#: src/cryptsetup.c:1414
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "ヘッダファイル %s を作成できません。"
 
-#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146
-#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238
-#: src/integritysetup.c:248
+#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
+#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
+#: src/integritysetup.c:333
 msgid "No known integrity specification pattern detected."
 msgstr "サポートしている整合性確認方式が検出されませんでした。"
 
-#: src/cryptsetup.c:1421
+#: src/cryptsetup.c:1450
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "%s を on-disk ヘッダとして使えません。"
 
-#: src/cryptsetup.c:1445 src/integritysetup.c:170
+#: src/cryptsetup.c:1474 src/integritysetup.c:181
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "%s のデータを上書きします。戻せません。"
 
-#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879
-#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530
+#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
+#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
 msgid "Failed to set pbkdf parameters."
 msgstr "pbkdf パラメータを設定できません。"
 
-#: src/cryptsetup.c:1563
+#: src/cryptsetup.c:1593
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "分離された LUKS ヘッダでのみ少ないデータオフセットが使えます。"
 
-#: src/cryptsetup.c:1574 src/cryptsetup.c:1885
+#: src/cryptsetup.c:1600
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr "LUKS ファイルコンテナ %s がアクティベートするには小さすぎます。データ用の領域に空きがありません。"
+
+#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "キースロットのない LUKS のボリュームキーサイズが決定できないので、--key-size を使ってください。"
 
-#: src/cryptsetup.c:1619
+#: src/cryptsetup.c:1658
 msgid "Device activated but cannot make flags persistent."
 msgstr "デバイスはアクティベートされましたが、フラグを恒常的なものにできません。"
 
-#: src/cryptsetup.c:1698 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "キースロット %d は削除対象として選択されました。"
 
-#: src/cryptsetup.c:1710 src/cryptsetup.c:1770
+#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "これは最後のキースロットです。このキーがなくなるとデバイスは使用不能になります。"
 
-#: src/cryptsetup.c:1711
+#: src/cryptsetup.c:1750
 msgid "Enter any remaining passphrase: "
 msgstr "残っているパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1712 src/cryptsetup.c:1772
+#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "操作は中止されました。キースロットは消去されていません。\n"
 
-#: src/cryptsetup.c:1748
+#: src/cryptsetup.c:1787
 msgid "Enter passphrase to be deleted: "
 msgstr "削除するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
+#: src/cryptsetup.c:2948
+#, c-format
+msgid "Device %s is not a valid LUKS2 device."
+msgstr "デバイス %s は有効な LUKS2 デバイスではありません。"
+
+#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
 msgid "Enter new passphrase for key slot: "
 msgstr "キースロットの新しいパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup.c:1968
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr "警告: --key-slot パラメータは新しいキースロット番号に使われます。\n"
+
+#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "有効なパスフレーズをどれか入力してください: "
 
-#: src/cryptsetup.c:1985
+#: src/cryptsetup.c:2152
 msgid "Enter passphrase to be changed: "
 msgstr "変更するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314
+#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
 msgid "Enter new passphrase: "
 msgstr "新しいキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2051
+#: src/cryptsetup.c:2218
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "変換されるキースロットのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2075
+#: src/cryptsetup.c:2242
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "isLuks は一つのデバイス引数しかサポートしていません。"
 
-#: src/cryptsetup.c:2190
+#: src/cryptsetup.c:2350
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "キースロット %d は unbound キーを含んでいません。"
 
-#: src/cryptsetup.c:2195
+#: src/cryptsetup.c:2355
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2029,40 +2183,40 @@ msgstr ""
 "unbound キーを使ったヘッダダンプは取り扱いに注意すべき情報です。\n"
 "このダンプは暗号化された安全な所に保存してください。"
 
-#: src/cryptsetup.c:2286 src/cryptsetup.c:2314
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s はアクティブな %s デバイスではありません。"
 
-#: src/cryptsetup.c:2309
+#: src/cryptsetup.c:2465
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s はアクティブな LUKS デバイス名ではないか、ヘッダがありません。"
 
-#: src/cryptsetup.c:2347 src/cryptsetup.c:2366
+#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
 msgid "Option --header-backup-file is required."
 msgstr "オプション --header-backup-file が必要です。"
 
-#: src/cryptsetup.c:2397
+#: src/cryptsetup.c:2577
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s は cryptsetup で管理されているデバイスではありません。"
 
-#: src/cryptsetup.c:2408
+#: src/cryptsetup.c:2588
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "リフレッシュはデバイスタイプ %s ではサポートされていません。"
 
-#: src/cryptsetup.c:2454
+#: src/cryptsetup.c:2638
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "%s は認識できないメタデータデータタイプです。"
 
-#: src/cryptsetup.c:2456
+#: src/cryptsetup.c:2640
 msgid "Command requires device and mapped name as arguments."
 msgstr "コマンドはデバイスとマップされた名前を引数として必要とします。"
 
-#: src/cryptsetup.c:2477
+#: src/cryptsetup.c:2661
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2071,335 +2225,351 @@ msgstr ""
 "この処理はデバイス %s の全てのキースロットを消去します。\n"
 "デバイスのデータは使用できなくなります。"
 
-#: src/cryptsetup.c:2484
+#: src/cryptsetup.c:2668
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "処理は中止されました。キースロットは消去されません。\n"
 
-#: src/cryptsetup.c:2523
+#: src/cryptsetup.c:2707
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "不正な LUKS タイプです。luks1 と luks2 しかサポートしていません。"
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2723
 #, c-format
 msgid "Device is already %s type."
 msgstr "デバイスは既にタイプ %s です。"
 
-#: src/cryptsetup.c:2546
+#: src/cryptsetup.c:2730
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "この処理は %s から %s フォーマットに変換します。\n"
 
-#: src/cryptsetup.c:2549
+#: src/cryptsetup.c:2733
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "処理は中止されました。デバイスは変換されませんでした。\n"
 
-#: src/cryptsetup.c:2589
+#: src/cryptsetup.c:2773
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "オプション --priority, --label か --subsystem がありません。"
 
-#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680
+#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
 #, c-format
 msgid "Token %d is invalid."
 msgstr "トークン %d は不正です。"
 
-#: src/cryptsetup.c:2626 src/cryptsetup.c:2683
+#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
 #, c-format
 msgid "Token %d in use."
 msgstr "トークン %d は使用中です。"
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2822
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "luks2-キーリングトークン %d を追加できませんでした。"
 
-#: src/cryptsetup.c:2646 src/cryptsetup.c:2709
+#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "トークン %d をキースロット %d に割りあてられませんでした。"
 
-#: src/cryptsetup.c:2663
+#: src/cryptsetup.c:2850
 #, c-format
 msgid "Token %d is not in use."
 msgstr "トークン %d は使われていません。"
 
-#: src/cryptsetup.c:2700
+#: src/cryptsetup.c:2887
 msgid "Failed to import token from file."
 msgstr "ファイルからトークンをインポートできません。"
 
-#: src/cryptsetup.c:2725
+#: src/cryptsetup.c:2912
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "トークン %d をエクスポートのために取得できませんでした。"
 
-#: src/cryptsetup.c:2789
+#: src/cryptsetup.c:2925
 #, c-format
-msgid "Auto-detected active dm device '%s' for data device %s.\n"
-msgstr "データデバイス %2s のアクティブな dm デバイス '%1s'を自動検出しました。\n"
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "トークン %d をキースロット %d に割りあてられませんでした。"
 
-#: src/cryptsetup.c:2793
+#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
 #, c-format
-msgid "Device %s is not a block device.\n"
-msgstr "デバイス %s は有効なブロックデバイスではありません。\n"
+msgid "Failed to unassign token %d from keyslot %d."
+msgstr "トークン %d をキースロット %d の割り当てから解除できませんでした。"
 
-#: src/cryptsetup.c:2795
-#, c-format
-msgid "Failed to auto-detect device %s holders."
-msgstr "デバイス %s のホルダ(holders)を自動検出できません。"
+#: src/cryptsetup.c:2983
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
+msgstr "--tcrypt-hidden と --tcrypt-system と --tcrypt-backup は TCRYPT デバイスしか使えません。"
 
-#: src/cryptsetup.c:2799
-#, c-format
-msgid ""
-"Unable to decide if device %s is activated or not.\n"
-"Are you sure you want to proceed with reencryption in offline mode?\n"
-"It may lead to data corruption if the device is actually activated.\n"
-"To run reencryption in online mode, use --active-name parameter instead.\n"
-msgstr ""
-"デバイス %s がアクティベートされているかどうか判断できません。\n"
-"オフラインでの再暗号化を進めていいですか?\n"
-"アクティベートされていたらデータが破壊されるかもしれません。\n"
-"再暗号化をオンラインで行う場合は --active-name を代わりに使ってください。\n"
+#: src/cryptsetup.c:2986
+msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
+msgstr "--veracrypt や --disable-veracrypt は TCRYPT デバイスでしか使えません。"
 
-#: src/cryptsetup.c:2881
-msgid "Encryption is supported only for LUKS2 format."
-msgstr "暗号化は LUKS2 形式でしか使えません。"
+#: src/cryptsetup.c:2989
+msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
+msgstr "--veracrypt-pim は VeraCrypt 互換デバイスにしか使えません。"
 
-#: src/cryptsetup.c:2886
-msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
-msgstr "データデバイスサイズの縮小(--reduce-device-size)なしに分離ヘッダ(--header)による暗号化はできません。"
+#: src/cryptsetup.c:2993
+msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
+msgstr "--veracrypt-query-pim は VeraCrypt 互換デバイスにしか使えません。"
 
-#: src/cryptsetup.c:2891
-msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
-msgstr "要求されたデータオフセットは --reduce-device-size パラメータの半分以下である必要があります。"
+#: src/cryptsetup.c:2995
+msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
+msgstr "--veracrypt-pim と --veracrypt-query-pim はどちらかしか使えません。"
 
-#: src/cryptsetup.c:2900
-#, c-format
-msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
-msgstr "--reduce-device-size の値を --offset %<PRIu64> (セクタ) の倍にします。\n"
-
-#: src/cryptsetup.c:2923
-#, c-format
-msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
-msgstr "LUKS デバイスが %s に検出されました。もう一度 LUKS デバイスを暗号化したいのですか?"
-
-#: src/cryptsetup.c:2941
-#, c-format
-msgid "Temporary header file %s already exists. Aborting."
-msgstr "テンポラリヘッダファイル %s は既に存在しているので、中止します。"
-
-#: src/cryptsetup.c:2943 src/cryptsetup.c:2950
-#, c-format
-msgid "Cannot create temporary header file %s."
-msgstr "テンポラリヘッダファイル %s を作成できません。"
-
-#: src/cryptsetup.c:2975
-msgid "LUKS2 metadata size is larger than data shift value."
-msgstr "LUKS2 メタデータサイズがデータシフト値より大きいです。"
+#: src/cryptsetup.c:3004
+msgid "Option --persistent is not allowed with --test-passphrase."
+msgstr "--persistent は --test-passphrase と一緒には使えません。"
 
 #: src/cryptsetup.c:3007
-#, c-format
-msgid "Failed to place new header at head of device %s."
-msgstr "デバイス %s の先頭に新しいヘッダを置けません。"
+msgid "Options --refresh and --test-passphrase are mutually exclusive."
+msgstr "--refresh と --test-passphrase は同時には使えません。"
 
-#: src/cryptsetup.c:3018
-#, c-format
-msgid "%s/%s is now active and ready for online encryption.\n"
-msgstr "%s/%s がアクティブでオンライン暗号化可能です。\n"
+#: src/cryptsetup.c:3010
+msgid "Option --shared is allowed only for open of plain device."
+msgstr "--shared は plain デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3055
-msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
-msgstr "LUKS2 復号は分離(detached)ヘッダデバイスしかサポートしていません(データへのオフセットが0)。"
+#: src/cryptsetup.c:3013
+msgid "Option --skip is supported only for open of plain and loopaes devices."
+msgstr "--skip は plain か loopaes デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3189 src/cryptsetup.c:3195
-msgid "Not enough free keyslots for reencryption."
-msgstr "再暗号化に必要な空きキースロットがありません。"
+#: src/cryptsetup.c:3016
+msgid "Option --offset with open action is only supported for plain and loopaes devices."
+msgstr "--offset は plain か loopaes デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。"
+#: src/cryptsetup.c:3019
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
+msgstr "--tcrypt-hidden は --allow-discards と一緒に使えません。"
 
-#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326
-#: src/cryptsetup_reencrypt.c:1337
-#, c-format
-msgid "Enter passphrase for key slot %d: "
-msgstr "キースロット %d のパスフレーズを入力してください: "
+#: src/cryptsetup.c:3023
+msgid "Sector size option with open action is supported only for plain devices."
+msgstr "オープン時のセクタサイズオプションは plain デバイスでしかサポートされていません。"
 
-#: src/cryptsetup.c:3233
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "キースロット %u のパスフレーズを入力してください: "
+#: src/cryptsetup.c:3027
+msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
+msgstr "大きな IV セクタオプションは plain タイプでセクタサイズが 512 バイトより大きいものをオープンする時しかサポートしていません。"
 
-#: src/cryptsetup.c:3278
-#, c-format
-msgid "Switching data encryption cipher to %s.\n"
-msgstr "データの暗号化用の暗号アルゴリズムを %s にします。\n"
+#: src/cryptsetup.c:3032
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "--test-passphrase は LUKS か TCRYPT か BITLK か FVAULT2 デバイスの open にしか使えません。."
 
-#: src/cryptsetup.c:3415
-msgid "Command requires device as argument."
-msgstr "コマンドはデバイスを引数として必要とします。"
+#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+msgid "Options --device-size and --size cannot be combined."
+msgstr "--device-size と --size は一緒に使えません。"
 
-#: src/cryptsetup.c:3437
-msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
-msgstr "現在 LUKS2 形式しかサポートされていません。LUKS1 には cryptsetup-reencrypt を使ってください。"
+#: src/cryptsetup.c:3038
+msgid "Option --unbound is allowed only for open of luks device."
+msgstr "オプション --unbound は luks デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3449
-msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
-msgstr "古いオフライン再暗号化が実行中です。cryptsetup-reencrypt を使ってください。"
+#: src/cryptsetup.c:3041
+msgid "Option --unbound cannot be used without --test-passphrase."
+msgstr "オプション --unbound は --test-passphrase がないと使えません。"
 
-#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155
-msgid "Reencryption of device with integrity profile is not supported."
-msgstr "整合性プロファイルつきのデバイスの再暗号化はサポートされていません。"
+#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr "オプション --cancel-deferred と --deferred は同時に使えません。"
 
-#: src/cryptsetup.c:3467
-msgid "LUKS2 reencryption already initialized. Aborting operation."
-msgstr "LUKS2 再暗号化が既に初期化済なので操作を中止します。"
+#: src/cryptsetup.c:3066
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr "オプション --reduce-device-size と --data-size は一緒に使えません。"
 
-#: src/cryptsetup.c:3471
-msgid "LUKS2 device is not in reencryption."
-msgstr "LUKS2 デバイスは再暗号化中ではありません。"
+#: src/cryptsetup.c:3069
+msgid "Option --active-name can be set only for LUKS2 device."
+msgstr "オプション --active-nameは LUKS2 デバイスでしか設定できません。"
 
-#: src/cryptsetup.c:3498
+#: src/cryptsetup.c:3072
+msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
+msgstr "オプション --active-name と --force-offline-reencrypt は一緒に使えません。"
+
+#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+msgid "Keyslot specification is required."
+msgstr "キースロットの指定が必要です。"
+
+#: src/cryptsetup.c:3088
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "--align-payload と --offset は一緒に使えません。"
+
+#: src/cryptsetup.c:3091
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
+msgstr "--integrity-no-wipe は format で integrity extension 付きの時しか使えません。"
+
+#: src/cryptsetup.c:3094
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "--use-[u]random は一つしか使えません。"
+
+#: src/cryptsetup.c:3102
+msgid "Key size is required with --unbound option."
+msgstr "--unbound にはキーサイズが必要です。"
+
+#: src/cryptsetup.c:3122
+msgid "Invalid token action."
+msgstr "不正なトークンアクションです。"
+
+#: src/cryptsetup.c:3125
+msgid "--key-description parameter is mandatory for token add action."
+msgstr "--key-description はトークン追加には必須です。"
+
+#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr "トークンを必要としています。--token-id を使用してください。"
+
+#: src/cryptsetup.c:3133
+msgid "Option --unbound is valid only with token add action."
+msgstr "オプション --unbound はトークンの追加にしか使えません。"
+
+#: src/cryptsetup.c:3135
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "--key-slot と --unbound は一緒に使えません。"
+
+#: src/cryptsetup.c:3140
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "特定のキースロットを必要としています。--key-slot を使用してください。"
+
+#: src/cryptsetup.c:3156
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<デバイス> [--type <タイプ>] [<名前>]"
 
-#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446
+#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
 msgid "open device as <name>"
 msgstr "デバイスを <名前> としてオープン"
 
-#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501
-#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447
-#: src/integritysetup.c:448
+#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
+#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
+#: src/integritysetup.c:537 src/integritysetup.c:539
 msgid "<name>"
 msgstr "<名前>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447
+#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
 msgid "close device (remove mapping)"
 msgstr "デバイスをクローズします (マッピングを削除します)"
 
-#: src/cryptsetup.c:3500
+#: src/cryptsetup.c:3158 src/integritysetup.c:539
 msgid "resize active device"
 msgstr "アクティブデバイスをリサイズ"
 
-#: src/cryptsetup.c:3501
+#: src/cryptsetup.c:3159
 msgid "show device status"
 msgstr "デバイスステータスを表示"
 
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <暗号>]"
 
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "benchmark cipher"
 msgstr "暗号ベンチマーク"
 
-#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
-#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517
-#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520
-#: src/cryptsetup.c:3521 src/cryptsetup.c:3522
+#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
+#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
+#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
+#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
+#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
 msgid "<device>"
 msgstr "<デバイス>"
 
-#: src/cryptsetup.c:3503
+#: src/cryptsetup.c:3161
 msgid "try to repair on-disk metadata"
 msgstr "on-disk メタデータを修復しようとしています"
 
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3162
 msgid "reencrypt LUKS2 device"
 msgstr "LUKS2 デバイスを再暗号化"
 
-#: src/cryptsetup.c:3505
+#: src/cryptsetup.c:3163
 msgid "erase all keyslots (remove encryption key)"
 msgstr "全てのキースロットを消去します (暗号鍵も削除します)"
 
-#: src/cryptsetup.c:3506
+#: src/cryptsetup.c:3164
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "LUKS2 から LUKS もしくは LUKS から LUKS2 形式に変換します"
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3165
 msgid "set permanent configuration options for LUKS2"
 msgstr "LUKS2 の permanent configuration オプションを設定します"
 
-#: src/cryptsetup.c:3508 src/cryptsetup.c:3509
+#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
 msgid "<device> [<new key file>]"
 msgstr "<デバイス> [<新しいキーファイル>]"
 
-#: src/cryptsetup.c:3508
+#: src/cryptsetup.c:3166
 msgid "formats a LUKS device"
 msgstr "LUKS デバイスをフォーマットします"
 
-#: src/cryptsetup.c:3509
+#: src/cryptsetup.c:3167
 msgid "add key to LUKS device"
 msgstr "LUKS デバイスにキーを追加します"
 
-#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512
+#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
 msgid "<device> [<key file>]"
 msgstr "<デバイス> [<キーファイル>]"
 
-#: src/cryptsetup.c:3510
+#: src/cryptsetup.c:3168
 msgid "removes supplied key or key file from LUKS device"
 msgstr "与えられたキーかキーファイルを LUKS デバイスから削除します。"
 
-#: src/cryptsetup.c:3511
+#: src/cryptsetup.c:3169
 msgid "changes supplied key or key file of LUKS device"
 msgstr "与えられた LUKS デバイスのキーかキーファイルを変更します"
 
-#: src/cryptsetup.c:3512
+#: src/cryptsetup.c:3170
 msgid "converts a key to new pbkdf parameters"
 msgstr "キーを新しい pbkdf パラメータに変換します"
 
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "<device> <key slot>"
 msgstr "<デバイス> <キースロット>"
 
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "<キースロット>のキーを LUKS デバイスから削除します"
 
-#: src/cryptsetup.c:3514
+#: src/cryptsetup.c:3172
 msgid "print UUID of LUKS device"
 msgstr "LUKS デバイスの UUID を表示"
 
-#: src/cryptsetup.c:3515
+#: src/cryptsetup.c:3173
 msgid "tests <device> for LUKS partition header"
 msgstr "<デバイス> の LUKS パーティションヘッダをテストします"
 
-#: src/cryptsetup.c:3516
+#: src/cryptsetup.c:3174
 msgid "dump LUKS partition information"
 msgstr "LUKS パーティション情報をダンプします"
 
-#: src/cryptsetup.c:3517
+#: src/cryptsetup.c:3175
 msgid "dump TCRYPT device information"
 msgstr "TCRYPT デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3518
+#: src/cryptsetup.c:3176
 msgid "dump BITLK device information"
 msgstr "BITLK デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3519
+#: src/cryptsetup.c:3177
+msgid "dump FVAULT2 device information"
+msgstr "FVAULT2 デバイス情報をダンプします"
+
+#: src/cryptsetup.c:3178
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "LUKS デバイスを停止してキーを削除します (全てのI/Oは停止します)"
 
-#: src/cryptsetup.c:3520
+#: src/cryptsetup.c:3179
 msgid "Resume suspended LUKS device"
 msgstr "停止していた LUKS デバイスを再開します"
 
-#: src/cryptsetup.c:3521
+#: src/cryptsetup.c:3180
 msgid "Backup LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをバックアップします"
 
-#: src/cryptsetup.c:3522
+#: src/cryptsetup.c:3181
 msgid "Restore LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをリストアします"
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <デバイス>"
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "Manipulate LUKS2 tokens"
 msgstr "LUKS2 トークンを操作します"
 
-#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464
+#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2407,19 +2577,19 @@ msgstr ""
 "\n"
 "<action> は以下のうちの一つです:\n"
 
-#: src/cryptsetup.c:3549
+#: src/cryptsetup.c:3207
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 msgstr ""
 "\n"
 "古い <アクション> という形式も使えます:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3553
+#: src/cryptsetup.c:3211
 #, c-format
 msgid ""
 "\n"
@@ -2434,7 +2604,7 @@ msgstr ""
 "<キースロット> は変更する LUKS キースロット番号\n"
 "<キーファイル> は luskAddKey でオプションで与えられる新しいキーのキーファイル\n"
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3218
 #, c-format
 msgid ""
 "\n"
@@ -2443,7 +2613,7 @@ msgstr ""
 "\n"
 "デフォルトのコンパイル時に決められたメタデータ形式は %s です(luksFormat で使われます)。\n"
 
-#: src/cryptsetup.c:3565 src/cryptsetup.c:3568
+#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
 #, c-format
 msgid ""
 "\n"
@@ -2452,20 +2622,20 @@ msgstr ""
 "\n"
 "LUKS2 外部トークンプラグインサポート: %s\n"
 
-#: src/cryptsetup.c:3565
+#: src/cryptsetup.c:3223
 msgid "compiled-in"
 msgstr "本体に内蔵"
 
-#: src/cryptsetup.c:3566
+#: src/cryptsetup.c:3224
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "LUKS2 外部トークンプラグインパス: %s.\n"
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3226
 msgid "disabled"
 msgstr "利用不可"
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3230
 #, c-format
 msgid ""
 "\n"
@@ -2482,7 +2652,7 @@ msgstr ""
 "デフォルト LUKS2 向け PBKDF: %s\n"
 "\t繰り返す時間: %d, 使うメモリ: %dkB, 並列スレッド: %d\n"
 
-#: src/cryptsetup.c:3583
+#: src/cryptsetup.c:3241
 #, c-format
 msgid ""
 "\n"
@@ -2497,206 +2667,96 @@ msgstr ""
 "\tplain: %s, キー: %d ビット, パスワードハッシュ: %s\n"
 "\tLUKS: %s, キー: %d ビット, LUKS ヘッダハッシュ: %s, 乱数生成: %s\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3250
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: XTS モードのデフォルトキーサイズは (2つの内部キーがあるため) 倍になります。\n"
 
-#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620
+#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: は %s を引数で与える必要があります"
 
-#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379
-#: src/cryptsetup_reencrypt.c:1704
+#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
 msgid "Key slot is invalid."
 msgstr "キースロットは不正です。"
 
-#: src/cryptsetup.c:3675
+#: src/cryptsetup.c:3335
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "デバイスサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3680
+#: src/cryptsetup.c:3340
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "再暗号化ホットゾーン最大サイズの指定が不正です。"
 
-#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
 msgid "Key size must be a multiple of 8 bits"
 msgstr "キーサイズは 8bit の倍数でなければなりません"
 
-#: src/cryptsetup.c:3711
+#: src/cryptsetup.c:3371
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "デバイスを減らせる最大値は 1 GiB です。"
 
-#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631
+#: src/cryptsetup.c:3374
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "減らすサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3391
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "--priority の引数は ignore/normal/prefer のいずれかのみです。"
 
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543
-#: src/cryptsetup_reencrypt.c:1641
+#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
 msgid "Show this help message"
 msgstr "このヘルプを表示します"
 
-#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544
-#: src/cryptsetup_reencrypt.c:1642
+#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
 msgid "Display brief usage"
 msgstr "コンパクトな使用法表示をします"
 
-#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
 msgid "Print package version"
 msgstr "パッケージのバージョンを表示"
 
-#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
 msgid "Help options:"
 msgstr "ヘルプオプション:"
 
-#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573
+#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[オプション...] <アクション> <アクション特有>"
 
-#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584
+#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
 msgid "Argument <action> missing."
 msgstr "<アクション> がありません。"
 
-#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615
+#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
 msgid "Unknown action."
 msgstr "未知のアクションです。"
 
-#: src/cryptsetup.c:3861
-msgid "Options --refresh and --test-passphrase are mutually exclusive."
-msgstr "--refresh と --test-passphrase は同時には使えません。"
-
-#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663
-msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
-msgstr "オプション --cancel-deferred と --deferred は同時に使えません。"
-
-#: src/cryptsetup.c:3872
-msgid "Option --shared is allowed only for open of plain device."
-msgstr "--shared は plain デバイスの open にしか使えません。"
-
-#: src/cryptsetup.c:3877
-msgid "Option --persistent is not allowed with --test-passphrase."
-msgstr "--persistent は --test-passphrase と一緒には使えません。"
-
-#: src/cryptsetup.c:3882
-msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
-msgstr "--integrity-no-wipe は format で integrity extension 付きの時しか使えません。"
-
-#: src/cryptsetup.c:3889
-msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices."
-msgstr "--test-passphrase は LUKS か TCRYPT か BITLK デバイスの open にしか使えません。."
-
-#: src/cryptsetup.c:3901
+#: src/cryptsetup.c:3546
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "--key-file は他で指定されたキーファイルを上書きします。"
 
-#: src/cryptsetup.c:3907
+#: src/cryptsetup.c:3552
 msgid "Only one --key-file argument is allowed."
 msgstr "--key-file は一つしか使えません。"
 
-#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689
-#: src/cryptsetup_reencrypt.c:1708
-msgid "Only one of --use-[u]random options is allowed."
-msgstr "--use-[u]random は一つしか使えません。"
-
-#: src/cryptsetup.c:3915
-msgid "Options --align-payload and --offset cannot be combined."
-msgstr "--align-payload と --offset は一緒に使えません。"
-
-#: src/cryptsetup.c:3921
-msgid "Option --skip is supported only for open of plain and loopaes devices."
-msgstr "--skip は plain か loopaes デバイスの open にしか使えません。"
-
-#: src/cryptsetup.c:3927
-msgid "Option --offset with open action is only supported for plain and loopaes devices."
-msgstr "--offset は plain か loopaes デバイスの open にしか使えません。"
-
-#: src/cryptsetup.c:3933
-msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
-msgstr "--tcrypt-hidden と --tcrypt-system と --tcrypt-backup は TCRYPT デバイスしか使えません。"
-
-#: src/cryptsetup.c:3938
-msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
-msgstr "--tcrypt-hidden は --allow-discards と一緒に使えません。"
-
-#: src/cryptsetup.c:3943
-msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
-msgstr "--veracrypt や --disable-veracrypt は TCRYPT デバイスでしか使えません。"
-
-#: src/cryptsetup.c:3948
-msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
-msgstr "--veracrypt-pim は VeraCrypt 互換デバイスにしか使えません。"
-
-#: src/cryptsetup.c:3954
-msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
-msgstr "--veracrypt-query-pim は VeraCrypt 互換デバイスにしか使えません。"
-
-#: src/cryptsetup.c:3958
-msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
-msgstr "--veracrypt-pim と --veracrypt-query-pim はどちらかしか使えません。"
-
-#: src/cryptsetup.c:3966 src/cryptsetup.c:4002
-msgid "Keyslot specification is required."
-msgstr "キースロットの指定が必要です。"
-
-#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694
+#: src/cryptsetup.c:3557
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "パスワードからキーを作る関数 (PBKDF) は pbkdf2 argon2i argon2id のいずれかのみです。"
 
-#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699
+#: src/cryptsetup.c:3562
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "PBKDF の繰り返し回数の強制と繰り返し時間指定オプションは共存できません。"
 
-#: src/cryptsetup.c:3983
-msgid "Sector size option with open action is supported only for plain devices."
-msgstr "オープン時のセクタサイズオプションは plain デバイスでしかサポートされていません。"
-
-#: src/cryptsetup.c:3990
-msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
-msgstr "大きな IV セクタオプションは plain タイプでセクタサイズが 512 バイトより大きいものをオープンする時しかサポートしていません。"
-
-#: src/cryptsetup.c:3996
-msgid "Key size is required with --unbound option."
-msgstr "--unbound にはキーサイズが必要です。"
-
-#: src/cryptsetup.c:4012
-msgid "LUKS2 decryption requires option --header."
-msgstr "LUKS2 復号には --header が必要です。"
-
-#: src/cryptsetup.c:4016
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "--reduce-device-size と --data-size は一緒に使えません。"
-
-#: src/cryptsetup.c:4020
-msgid "Options --device-size and --size cannot be combined."
-msgstr "--device-size と --size は一緒に使えません。"
-
-#: src/cryptsetup.c:4024
+#: src/cryptsetup.c:3573
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "--keyslot-cipher と --keyslot-key-size は同時に使う必要があります。"
 
-#: src/cryptsetup.c:4028
+#: src/cryptsetup.c:3581
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "--test-args オプションつきだったため、何もしません。\n"
 
-#: src/cryptsetup.c:4040
-msgid "Invalid token action."
-msgstr "不正なトークンアクションです。"
-
-#: src/cryptsetup.c:4045
-msgid "--key-description parameter is mandatory for token add action."
-msgstr "--key-description はトークン追加には必須です。"
-
-#: src/cryptsetup.c:4051
-msgid "Action requires specific token. Use --token-id parameter."
-msgstr "トークンを必要としています。--token-id を使用してください。"
-
-#: src/cryptsetup.c:4062
+#: src/cryptsetup.c:3594
 msgid "Cannot disable metadata locking."
 msgstr "メタデータロックを禁止できません。"
 
@@ -2724,67 +2784,72 @@ msgstr "ルートハッシュファイル %s を書けるように作成でき msgid "Cannot write to root hash file %s." msgstr "ルートハッシュファイル %s に書き込めません。" -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "デバイス %s が有効な VERITY デバイスではありません。" + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "ルートハッシュファイル %s を読み込めません。" -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "不正なルートハッシュファイル %s です。" -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "不正なルートハッシュ文字列が指定されました。" -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "署名ファイル %s が不正です。" -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "署名ファイル %s を読み込めませんでした。" -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires <root_hash> or --root-hash-file option as argument." 
msgstr "コマンドは <root_hash> か --root-hash-file オプションを引数として必要とします。" -#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid "<data_device> <hash_device>" msgstr "<データデバイス> <ハッシュデバイス>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "デバイスをフォーマット" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<データデバイス> <ハッシュデバイス> [<ルートハッシュ>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "デバイスを検証" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<データデバイス> <名前> <ハッシュデバイス> [<ルートハッシュ>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "アクティブデバイスのステータスを表示" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "<hash_device>" msgstr "<ハッシュデバイス>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "ディスク上の情報を表示" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2799,7 +2864,7 @@ msgstr "" "<ハッシュデバイス> は検証用データが入るデバイス\n" "<ルートハッシュ> は <ハッシュデバイス> のルートノードのハッシュ\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" 
@@ -2810,28 +2875,46 @@ msgstr "" "コンパイル時に決めた dm-verity のデフォルトパラメータ:\n" "\tハッシュ: %s, データブロック (バイト): %u, ハッシュブロック (バイト): %u, ソルトサイズ: %u, ハッシュフォーマット: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:658 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "--ignore-corruption と --restart-on-corruption は同時に使えません。" -#: src/veritysetup.c:651 +#: src/veritysetup.c:663 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "--panic-on-corruption と --restart-on-corruption は同時に使えません。" -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"%s と %s のデータを復元不能な形で上書きします。\n" +"データデバイスを保持するにはオプション --no-wipe を使ってください (その後、--integrity-recalculate を付けてアクティベートしてください)。" + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "タグサイズ %u、内部整合性は %s でフォーマットされました。\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "再計算フラグの設定はサポートされていません。代わりに --wipe を使うことを検討してください。" + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "デバイス %s が有効な INTEGRITY デバイスではありません。" + +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<整合性デバイス>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<整合性デバイス> <名前>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2842,7 +2925,7 @@ msgstr "" "<名前> は %s に作られるデバイス\n" "<整合性デバイス> は整合性タグを格納するデバイス\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2855,241 +2938,44 @@ msgstr "" "\tチェックサムアルゴリズム: %s\n" " 最大キーファイルサイズ: %dkB\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "不正な --%s サイズです。最大は %u バイトです。" -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "ジャーナル整合性キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "ジャーナル整合性キーを使う場合はアルゴリズムの指定が必要です。" -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "ジャーナル暗号キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "ジャーナル暗号キーを使う場合はアルゴリズムの指定が必要です。" -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "リカバリと bitmap モードオプションは同時には使えません。" -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "ジャーナルオプションは bitmap モードでは使えません。" -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "bitmap オプションは bitmap モードでしか使えません。" -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "既に再暗号化中です。" - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "デバイスが使用中のため %s を排他的にオープンできません。" - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." 
-msgstr "アライメントつきメモリの確保ができませんでした。" - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "デバイス %s を読めません。" - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "LUKS1 デバイス %s を使用不可としてマークします。" - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "LUKS2 offline reencrypt フラグをデバイス %s に設定します。" - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "デバイス %s に書き込めません。" - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "再暗号化ログファイルに書きこめません。" - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "再暗号化ログファイルを読み込めません。" - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "誤ったログフォーマットです。" - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "ログファイル %s が既にあるので再暗号化を再開します。\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "古い LUKS ヘッダを使っているテンポラリデバイスを有効にします。" - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "新しい LUKS ヘッダを使っているテンポラリデバイスを有効にします。" - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "テンポラリデバイスの有効化に失敗しました。" - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "データオフセットの設定に失敗しました。" - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "メタデータサイズの設定に失敗しました。" - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "デバイス %s の新しい LUKS ヘッダを作成しました。" - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." 
-msgstr "このバージョンの cryptsetup-reencrypt は新しい内部トークンタイプ %s を扱えません。" - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "アクティベーションフラグをバックアップヘッダから読み込めません。" - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "アクティベーションフラグを新しいヘッダに書き込めません。" - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "バックアップヘッダから要求(requirements)を読み込めません。" - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "%s ヘッダバックアップデバイス %s が作成されました。" - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "LUKS バックアップヘッダが作成できません。" - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "デバイス %2s の %1s ヘッダが復元できません。" - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "デバイス %2s の %1s ヘッダを復元しました。" - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "テンポラリ LUKS デバイスをオープンできません。" - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "デバイスサイズを取得できません。" - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "再暗号化中に I/O エラーが発生しました。" - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "与えられた UUID が不正です。" - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "再暗号化ログファイルを開けません。" - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "復号を実行中ではありません。与えられた UUID は中止された復号を再開するためだけに使えます。" - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." 
-msgstr "キースロット %i の pbkdf パラメータを変更しました。" - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "再暗号化のブロックサイズは 1 MiB から 64 MiB までの値しか使えません。" - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "デバイスを減らせる最大値は 64 MiB です。" - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[オプション...] <デバイス>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "再暗号化で以下が変わります: %s%s%s%s%s%s." - -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "ボリュームキー" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "ハッシュ" - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr "暗号(cipher)" - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "引数が必要です。" - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "--new は --reduce-device-size か --header と一緒に使う必要があります" - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "--keep-key は --hash か --iter-time か --pbkdf-force-iterations と使う必要があります。" - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "--new は --decrypt と一緒に使えません。" - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "--decrypt は指定されたパラメータと互換性がありません。" - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "--uuid は --decrypt と一緒にしか使えません。" - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "不正な luks タイプです。'luks', 'luks1', 'luks2' のいずれかを使ってください。" - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" 
@@ -3100,7 +2986,7 @@ msgstr "" "========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3111,148 +2997,174 @@ msgstr "" "\n" "よろしいですか? ('yes' を大文字で入力してください): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "端末から応答を読み込み中にエラー。" -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "コマンド成功。" -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "パラメータが間違っているか指定されていません" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "権限がないかパスフレーズが間違っています" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "メモリ不足" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "間違ったデバイスかファイルが指定されました" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "デバイスが既にあるかビジーです" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "不明なエラー" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "コマンド失敗:コード %i (%s)" -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "キースロット %i が作成されました。" -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "キースロット %i がアンロックされました。" -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "キースロット %i が削除されました。" -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "トークン %i が作成されました。" -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "トークン %i が削除されました。" -#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "この PIN でアンロックできるトークンがありません。" -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." 
msgstr "トークン %i は PIN が必要です。" -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "トークン (タイプ %s) は PIN が必要です。" -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "トークン %i では割り当てられたキースロットをアンロックできません (間違ったキースロットパスフレーズ)。" -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "トークン (タイプ %s) では割り当てられたキースロットをアンロックできません (間違ったキースロットパスフレーズ)。" -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "トークン %i は追加のリソースが必要です。" -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "トークン (タイプ %s) は追加のリソースが必要です。" -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "使用可能なトークン (タイプ %s) がありません。" -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "使用可能なトークンがありません。" -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"ワイプが中断されました。" - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"再暗号化が中断されました。" - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "キーファイル %s を読みこめませんでした。" -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "%d バイトをキーファイル %s から読みこめませんでした。" -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "キーファイル %s を書き込み用にオープンできません。" -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." 
msgstr "キーファイル %s に書き込めません。" -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>分%02<PRIu64>秒" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>時間%02<PRIu64>分%02<PRIu64>秒" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> 日" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> %s 書き込み済" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "速度 %5.1f %s/s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "進捗: %5.1f%%, 残り時間 %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "終了。所要時間 %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "パスワードの質を確認できません: %s" 
@@ -3266,59 +3178,63 @@ msgstr "" "パスワードの質の確認に失敗:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "パスワードの質が確認できません: 質の悪いパスフレーズ (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "端末からパスフレーズを読み込めません。" -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "同じパスフレーズを入力してください: " -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "パスフレーズが一致しません。" -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "端末からの入力でオフセットは使用できません。" -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "パスフレーズを入力してください: " -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "%s のパスフレーズを入力してください: " -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "このパスフレーズで使用可能なキーはありません。" -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "使用可能なキースロットがありません。" -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "tty 入力以外ではパスフレーズ認証できません。" + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "ファイル %s を読み込み専用モードでオープンできません。" -#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "妥当な LUKS2 トークンを JSON で与えてください:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "JSON ファイルを読み込めません。" -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." 
@@ -3326,12 +3242,12 @@ msgstr "" "\n" "読み込みが中断されました。" -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "ファイル %s を書き込みモードでオープンできません。" -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3339,54 +3255,423 @@ msgstr "" "\n" "書き込みが中断されました。" -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "JSON ファイルに書き込めません。" -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "データデバイス %2s のアクティブな dm デバイス '%1s'を自動検出しました。\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "デバイス %s のホルダ(holders)を自動検出できません。" + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "デバイス %s は有効なブロックデバイスではありません。\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"デバイス %s がアクティベートされているかどうか判断できません。\n" +"オフラインでの再暗号化を進めていいですか?\n" +"アクティベートされていたらデータが破壊されるかもしれません。\n" +"再暗号化をオンラインで行う場合は --active-name を代わりに使ってください。\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"デバイス %s はブロックデバイスではありません。アクティブであろうとなかろうと自動検出できません。\n" +"このチェックをバイパスしてオフラインモードで動作するには --force-offline-reencrypt を使ってください。(ただし危険です!)。" + +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "要求された --resilience オプションは現在の再暗号化処理に適用できません。" + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." 
+msgstr "デバイスは LUKS2 暗号化状態にありません。オプション --encrypt と競合します。" + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "デバイスは LUKS2 復号状態にありません。オプション --decrypt と競合します。" + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "デバイスはデータシフト耐性を使った再暗号化状態にあります。--resilience オプションは適用できません。" + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "デバイスは再暗号化リカバリが必要です。先に修復してください。" + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "デバイス %s は既に LUKS2 再暗号化状態にあります。以前に初期化された処理に復帰しますか?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "古い LUKS2 再暗号化はサポートされなくなりました。" + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "整合性プロファイルつきのデバイスの再暗号化はサポートされていません。" + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" +"要求された --sector-size %<PRIu32> は %s superblock\n" +"(ブロックサイズ: %<PRIu32> バイト、デバイス %s)と互換性がありません。" + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "データデバイスサイズの縮小(--reduce-device-size)なしに分離ヘッダ(--header)による暗号化はできません。" + +#: src/utils_reencrypt.c:525 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." 
+msgstr "要求されたデータオフセットは --reduce-device-size パラメータの半分以下である必要があります。" + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "--reduce-device-size の値を --offset %<PRIu64> (セクタ) の倍にします。\n" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "テンポラリヘッダファイル %s は既に存在しているので、中止します。" + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "テンポラリヘッダファイル %s を作成できません。" + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "LUKS2 メタデータサイズがデータシフト値より大きいです。" + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "デバイス %s の先頭に新しいヘッダを置けません。" + +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s がアクティブでオンライン暗号化可能です。\n" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "アクティブなデバイス %s は LUKS2 ではありません。" + +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "オリジナルの LUKS2 ヘッダを復元しています。" + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "オリジナルの LUKS ヘッダの復元に失敗しました。" + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "ヘッダファイル %s が存在しません。デバイス %s の復号化をして LUKS2 ヘッダをファイル %s に出力しますか?" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." +msgstr "エクスポートされたヘッダファイルに読み書き権限を付与できません。" + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." 
+msgstr "再暗号化の初期化に失敗しました。ヘッダのバックアップは %s にあります。" + +#: src/utils_reencrypt.c:873 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "LUKS2 復号は分離(detached)ヘッダデバイスしかサポートしていません(データへのオフセットが0)。" + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "再暗号化に必要な空きキースロットがありません。" + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。" + +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "キースロット %d のパスフレーズを入力してください: " + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "キースロット %u のパスフレーズを入力してください: " + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "データの暗号化用の暗号アルゴリズムを %s にします。\n" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "データセグメントのパラメータが変わっていません。再暗号化を中止します。" + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"オフラインデバイスの暗号化セクタサイズの増加はサポートしていません。\n" +"まずデバイスをアクティベートするか、--force-offline-reencrypt オプションを使ってください (ただし危険です!)。" + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"再暗号化が中断されました。" + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "LUKS 再暗号化を強制オフラインモードで再開します。\n" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." 
+msgstr "デバイス %s は壊れた LUKS メタデータを含んでいます。処理を中止します。" + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "デバイス %s は既に LUKS デバイスです。処理を中止します。" + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "デバイス %s は既に LUKS 再暗号化状態にあります。処理を中止します。" + +#: src/utils_reencrypt.c:1453 +msgid "LUKS2 decryption requires --header option." +msgstr "LUKS2 復号には --header オプションが必要です。" + +#: src/utils_reencrypt.c:1501 +msgid "Command requires device as argument." +msgstr "コマンドはデバイスを引数として必要とします。" + +#: src/utils_reencrypt.c:1514 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "バージョンが衝突しています。デバイス %s は LUKS1 です。" + +#: src/utils_reencrypt.c:1520 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "バージョンが衝突しています。デバイス %s は LUKS1 再暗号化状態にあります。" + +#: src/utils_reencrypt.c:1526 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "バージョンが衝突しています。デバイス %s は LUKS2 です。" + +#: src/utils_reencrypt.c:1532 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "バージョンが衝突しています。デバイス %s は LUKS2 再暗号化状態にあります。" + +#: src/utils_reencrypt.c:1538 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "LUKS2 再暗号化が既に初期化済なので操作を中止します。" + +#: src/utils_reencrypt.c:1545 +msgid "Device reencryption not in progress." +msgstr "再暗号化処理を実行中ではありません。" + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "デバイスが使用中のため %s を排他的にオープンできません。" + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "アライメントつきメモリの確保ができませんでした。" + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." 
+msgstr "デバイス %s を読めません。" + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "LUKS1 デバイス %s を使用不可としてマークします。" + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "デバイス %s に書き込めません。" + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "再暗号化ログファイルに書きこめません。" + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "再暗号化ログファイルを読み込めません。" + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "誤ったログフォーマットです。" + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "ログファイル %s が既にあるので再暗号化を再開します。\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "古い LUKS ヘッダを使っているテンポラリデバイスを有効にします。" + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "新しい LUKS ヘッダを使っているテンポラリデバイスを有効にします。" + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "テンポラリデバイスの有効化に失敗しました。" + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "データオフセットの設定に失敗しました。" + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "メタデータサイズの設定に失敗しました。" + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "デバイス %s の新しい LUKS ヘッダを作成しました。" + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "%s ヘッダバックアップデバイス %s が作成されました。" + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "LUKS バックアップヘッダが作成できません。" + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "デバイス %2s の %1s ヘッダが復元できません。" + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." 
+msgstr "デバイス %2s の %1s ヘッダを復元しました。" + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "テンポラリ LUKS デバイスをオープンできません。" + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "デバイスサイズを取得できません。" + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "再暗号化中に I/O エラーが発生しました。" + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "与えられた UUID が不正です。" + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "再暗号化ログファイルを開けません。" + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "復号を実行中ではありません。与えられた UUID は中止された復号を再開するためだけに使えます。" + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "再暗号化で以下が変わります: %s%s%s%s%s%s." + +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "ボリュームキー" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "ハッシュ" + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr "暗号(cipher)" + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "警告: デバイス %s が既に '%s' パーティションシグネチャを含んでいます。\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "警告: デバイス %s が既に '%s' のスーパーブロックシグネチャを含んでいます。\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "デバイスシグネチャ検出の初期化に失敗しました。" -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." 
msgstr "デバイス %s の stat() に失敗しました。" -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "デバイス %s は使用中です。フォーマットを続けられません。" - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "ファイル %s を読み書き可能なモードでオープンできません。" -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "今ある '%s' パーティションシグネチャはデバイス %s から消されます。" -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "今ある '%s' スーパーブロックシグネチャはデバイス %s から消されます。" -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "デバイスシグネチャを消せません。" -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "デバイス %s のシグネチャが検出できません。" @@ -3396,16 +3681,16 @@ msgstr "デバイス %s のシグネチャが検出できません。" msgid "Invalid size specification in parameter --%s." msgstr "--%s のサイズの指定が不正です。" -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "オプション --%s は %s アクションと一緒には使えません。" -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "ssh token json ファイルに書き込めません。" -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3421,110 +3706,110 @@ msgstr "" "\n" "Note: トークンを追加する時に与えられる情報 (SSH server address, user and paths) は LUKS2 ヘッダに平文で保存されます。" -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<アクション> <デバイス>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "'add' アクションのオプション:" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "このトークンのリモートサーバのIPアドレス/URL" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "リモートサーバで使うユーザ名" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "リモートサーバのキーファイルのパス" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "リモートサーバに接続するための SSH キーへのパス" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." 
msgstr "トークンが割り当てられるキースロット。指定されなければトークンは与えられたパスフレーズがマッチする最初のキースロットに割り当てられます。" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "一般オプション:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "より詳細なエラーメッセージを表示します" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "デバッグメッセージを表示します" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "JSON メタデータを含むデバッグメッセージを表示する" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "秘密鍵を開いてインポートできませんでした:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "秘密鍵のインポートに失敗しました(パスワードで保護されているのでは?)。\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "%s@%s のパスワード: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "引数の解釈に失敗しました。\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "アクションの指定が必要です\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "'%s' アクションにはデバイスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH サーバの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH ユーザの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH パスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH キーパスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "与えられた credential ではファイル %s をオープンできません。\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "今のところ、このプラグインでは 'add' アクションしかサポートされていません。\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "sftp セッションが作成できません: " 
@@ -3532,6 +3817,10 @@ msgstr "sftp セッションが作成できません: " msgid "Cannot init sftp session: " msgstr "sftp セッションが初期化できません: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "sftp セッションをオープンできません: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "sftp ファイルの stat できません: " diff --git a/po/ka.po b/po/ka.po new file mode 100644 index 0000000..189e176 --- /dev/null +++ b/po/ka.po 
@@ -0,0 +1,3756 @@
+# Georgian translation for cryptsetup.
+# Copyright (C) 2022 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Temuri Doghonadze <temuri.doghonadze@gmail.com>, 2022.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2.6.0-rc1\n"
+"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
+"POT-Creation-Date: 2022-11-20 12:38+0100\n"
+"PO-Revision-Date: 2022-12-28 18:51+0100\n"
+"Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n"
+"Language-Team: Georgian <(nothing)>\n"
+"Language: ka\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Poedit 3.2.2\n"
+
+#: lib/libdevmapper.c:419
+msgid "Cannot initialize device-mapper, running as non-root user."
+msgstr ""
+
+#: lib/libdevmapper.c:422
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
+msgstr ""
+
+#: lib/libdevmapper.c:1102
+msgid "Requested deferred flag is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1171
+#, c-format
+msgid "DM-UUID for device %s was truncated."
+msgstr ""
+
+#: lib/libdevmapper.c:1501
+msgid "Unknown dm target type."
+msgstr "უცნობი dm სამიზნის ტიპი."
+
+#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724
+#: lib/libdevmapper.c:1727
+msgid "Requested dm-crypt performance options are not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647
+msgid "Requested dm-verity data corruption handling options are not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1641
+msgid "Requested dm-verity tasklets option is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1653
+msgid "Requested dm-verity FEC options are not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1659
+msgid "Requested data integrity options are not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1663
+msgid "Requested sector_size option is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676
+msgid "Requested automatic recalculation of integrity tags is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733
+#: lib/luks2/luks2_json_metadata.c:2620
+msgid "Discard/TRIM is not supported."
+msgstr "Discard/TRIM მხარდაუჭერელია."
+
+#: lib/libdevmapper.c:1688
+msgid "Requested dm-integrity bitmap mode is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:2724
+#, c-format
+msgid "Failed to query dm-%s segment."
+msgstr ""
+
+#: lib/random.c:73
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+
+#: lib/random.c:77
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "გასაღების გენერაცია (%d%% მზადაა).\n"
+
+#: lib/random.c:163
+msgid "Running in FIPS mode."
+msgstr "FIPS რეჟიმში მუშაობა."
+
+#: lib/random.c:169
+msgid "Fatal error during RNG initialisation."
+msgstr "ფატალური შეცდომა RNG-ის ინიციალიზაციისას."
+
+#: lib/random.c:207
+msgid "Unknown RNG quality requested."
+msgstr "RNG-ის მოთხოვნილი ხარისხი უცნობია."
+
+#: lib/random.c:212
+msgid "Error reading from RNG."
+msgstr "RNG-დან წაკითხვის შეცდომა."
+
+#: lib/setup.c:231
+msgid "Cannot initialize crypto RNG backend."
+msgstr "კრიპტოს RNG უკანაბოლოს ინიციალიზაციის შეცდომა."
+
+#: lib/setup.c:237
+msgid "Cannot initialize crypto backend."
+msgstr "კრიპტო უკანაბოლოს ინიციალიზაციის შეცდომა."
+
+#: lib/setup.c:268 lib/setup.c:2139 lib/verity/verity.c:122
+#, c-format
+msgid "Hash algorithm %s not supported."
+msgstr ""
+
+#: lib/setup.c:271 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s)."
+msgstr "გასაღების დამუშავების შეცდომა (გამოყენებული ჰეში %s)."
+
+#: lib/setup.c:342 lib/setup.c:369
+msgid "Cannot determine device type. 
Incompatible activation of device?"
+msgstr ""
+
+#: lib/setup.c:348 lib/setup.c:3308
+msgid "This operation is supported only for LUKS device."
+msgstr ""
+
+#: lib/setup.c:375
+msgid "This operation is supported only for LUKS2 device."
+msgstr ""
+
+#: lib/setup.c:430 lib/luks2/luks2_reencrypt.c:3010
+msgid "All key slots full."
+msgstr "გასაღების ყველა სლოტი სავსეა."
+
+#: lib/setup.c:441
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d."
+msgstr ""
+
+#: lib/setup.c:447
+#, c-format
+msgid "Key slot %d is full, please select another one."
+msgstr ""
+
+#: lib/setup.c:532 lib/setup.c:3030
+msgid "Device size is not aligned to device logical block size."
+msgstr ""
+
+#: lib/setup.c:630
+#, c-format
+msgid "Header detected but device %s is too small."
+msgstr ""
+
+#: lib/setup.c:671 lib/setup.c:2930 lib/setup.c:4275
+#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184
+msgid "This operation is not supported for this device type."
+msgstr ""
+
+#: lib/setup.c:676
+msgid "Illegal operation with reencryption in-progress."
+msgstr ""
+
+#: lib/setup.c:762
+msgid "Failed to rollback LUKS2 metadata in memory."
+msgstr ""
+
+#: lib/setup.c:849 lib/luks1/keymanage.c:247 lib/luks1/keymanage.c:525
+#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
+#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
+#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
+#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1433
+#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77
+#, c-format
+msgid "Device %s is not a valid LUKS device."
+msgstr ""
+
+#: lib/setup.c:852 lib/luks1/keymanage.c:528
+#, c-format
+msgid "Unsupported LUKS version %d."
+msgstr "LUKS-ის მხარდაუჭერელი ვერსია %d."
+
+#: lib/setup.c:1479 lib/setup.c:2679 lib/setup.c:2761 lib/setup.c:2773
+#: lib/setup.c:2940 lib/setup.c:4752
+#, c-format
+msgid "Device %s is not active."
+msgstr "მოწყობილობა %s აქტიური არაა."
+
+#: lib/setup.c:1496
+#, c-format
+msgid "Underlying device for crypt device %s disappeared."
+msgstr "ქვეშმყოფი მოწყობილობა დაშიფრული მოწყობილობისთვის %s სადღაც აორთქლდა."
+
+#: lib/setup.c:1578
+msgid "Invalid plain crypt parameters."
+msgstr "უბრალოდ შიფრაციის არასწორი პარამეტრები."
+
+#: lib/setup.c:1583 lib/setup.c:2042
+msgid "Invalid key size."
+msgstr "გასაღების არასწორი ზომა."
+
+#: lib/setup.c:1588 lib/setup.c:2047 lib/setup.c:2250
+msgid "UUID is not supported for this crypt type."
+msgstr ""
+
+#: lib/setup.c:1593 lib/setup.c:2052
+msgid "Detached metadata device is not supported for this crypt type."
+msgstr ""
+
+#: lib/setup.c:1603 lib/setup.c:1819 lib/luks2/luks2_reencrypt.c:2966
+#: src/cryptsetup.c:1387 src/cryptsetup.c:3383
+msgid "Unsupported encryption sector size."
+msgstr ""
+
+#: lib/setup.c:1611 lib/setup.c:1947 lib/setup.c:3024
+msgid "Device size is not aligned to requested sector size."
+msgstr ""
+
+#: lib/setup.c:1663 lib/setup.c:1787
+msgid "Can't format LUKS without device."
+msgstr ""
+
+#: lib/setup.c:1669 lib/setup.c:1793
+msgid "Requested data alignment is not compatible with data offset."
+msgstr ""
+
+#: lib/setup.c:1744 lib/setup.c:1964 lib/setup.c:1985 lib/setup.c:2262
+#, c-format
+msgid "Cannot wipe header on device %s."
+msgstr ""
+
+#: lib/setup.c:1757 lib/setup.c:2024
+#, c-format
+msgid "Device %s is too small for activation, there is no remaining space for data.\n"
+msgstr ""
+
+#: lib/setup.c:1828
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr ""
+
+#: lib/setup.c:1851
+msgid "Volume key is too small for encryption with integrity extensions."
+msgstr ""
+
+#: lib/setup.c:1911
+#, c-format
+msgid "Cipher %s-%s (key size %zd bits) is not available."
+msgstr ""
+
+#: lib/setup.c:1937
+#, c-format
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr ""
+
+#: lib/setup.c:1941
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr ""
+
+#: lib/setup.c:1967 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
+#, c-format
+msgid "Device %s is too small."
+msgstr "მოწყობილობა ძალიან პატარაა %s."
+
+#: lib/setup.c:1978 lib/setup.c:2004
+#, c-format
+msgid "Cannot format device %s in use."
+msgstr ""
+
+#: lib/setup.c:1981 lib/setup.c:2007
+#, c-format
+msgid "Cannot format device %s, permission denied."
+msgstr ""
+
+#: lib/setup.c:1993 lib/setup.c:2322
+#, c-format
+msgid "Cannot format integrity for device %s."
+msgstr ""
+
+#: lib/setup.c:2011
+#, c-format
+msgid "Cannot format device %s."
+msgstr "მოწყობილობის ფორმატირების (%s) შეცდომა."
+
+#: lib/setup.c:2037
+msgid "Can't format LOOPAES without device."
+msgstr ""
+
+#: lib/setup.c:2082
+msgid "Can't format VERITY without device."
+msgstr ""
+
+#: lib/setup.c:2093 lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY hash type %d."
+msgstr ""
+
+#: lib/setup.c:2099 lib/verity/verity.c:109
+msgid "Unsupported VERITY block size."
+msgstr ""
+
+#: lib/setup.c:2104 lib/verity/verity.c:74
+msgid "Unsupported VERITY hash offset."
+msgstr ""
+
+#: lib/setup.c:2109
+msgid "Unsupported VERITY FEC offset."
+msgstr ""
+
+#: lib/setup.c:2133
+msgid "Data area overlaps with hash area."
+msgstr ""
+
+#: lib/setup.c:2158
+msgid "Hash area overlaps with FEC area."
+msgstr ""
+
+#: lib/setup.c:2165
+msgid "Data area overlaps with FEC area."
+msgstr ""
+
+#: lib/setup.c:2301
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr ""
+
+#: lib/setup.c:2380
+#, c-format
+msgid "Unknown crypt device type %s requested."
+msgstr ""
+
+#: lib/setup.c:2687 lib/setup.c:2766 lib/setup.c:2779
+#, c-format
+msgid "Unsupported parameters on device %s."
+msgstr ""
+
+#: lib/setup.c:2693 lib/setup.c:2786 lib/luks2/luks2_reencrypt.c:2862
+#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
+#, c-format
+msgid "Mismatching parameters on device %s."
+msgstr ""
+
+#: lib/setup.c:2810
+msgid "Crypt devices mismatch."
+msgstr ""
+
+#: lib/setup.c:2847 lib/setup.c:2852 lib/luks2/luks2_reencrypt.c:2361
+#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
+#, c-format
+msgid "Failed to reload device %s."
+msgstr ""
+
+#: lib/setup.c:2858 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2332
+#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
+#, c-format
+msgid "Failed to suspend device %s."
+msgstr ""
+
+#: lib/setup.c:2870 lib/luks2/luks2_reencrypt.c:2346
+#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
+#: lib/luks2/luks2_reencrypt.c:4036
+#, c-format
+msgid "Failed to resume device %s."
+msgstr ""
+
+#: lib/setup.c:2885
+#, c-format
+msgid "Fatal error while reloading device %s (on top of device %s)."
+msgstr ""
+
+#: lib/setup.c:2888 lib/setup.c:2890
+#, c-format
+msgid "Failed to switch device %s to dm-error."
+msgstr ""
+
+#: lib/setup.c:2972
+msgid "Cannot resize loop device."
+msgstr "Loop მოწყობილობის ზომის შეცვლა შეუძლებელია."
+
+#: lib/setup.c:3015
+msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
+msgstr ""
+
+#: lib/setup.c:3076
+msgid "Resize failed, the kernel doesn't support it."
+msgstr ""
+
+#: lib/setup.c:3108
+msgid "Do you really want to change UUID of device?"
+msgstr ""
+
+#: lib/setup.c:3200
+msgid "Header backup file does not contain compatible LUKS header."
+msgstr ""
+
+#: lib/setup.c:3316
+#, c-format
+msgid "Volume %s is not active."
+msgstr "ტომი %s აქტიური არაა."
+
+#: lib/setup.c:3327
+#, c-format
+msgid "Volume %s is already suspended."
+msgstr ""
+
+#: lib/setup.c:3340
+#, c-format
+msgid "Suspend is not supported for device %s."
+msgstr ""
+
+#: lib/setup.c:3342
+#, c-format
+msgid "Error during suspending device %s."
+msgstr ""
+
+#: lib/setup.c:3377
+#, c-format
+msgid "Resume is not supported for device %s."
+msgstr ""
+
+#: lib/setup.c:3379
+#, c-format
+msgid "Error during resuming device %s."
+msgstr ""
+
+#: lib/setup.c:3413 lib/setup.c:3461 lib/setup.c:3532 lib/setup.c:3577
+#: src/cryptsetup.c:2479
+#, c-format
+msgid "Volume %s is not suspended."
+msgstr ""
+
+#: lib/setup.c:3547 lib/setup.c:4528 lib/setup.c:4541 lib/setup.c:4549
+#: lib/setup.c:4562 lib/setup.c:6145 lib/setup.c:6167 lib/setup.c:6216
+#: src/cryptsetup.c:2011
+msgid "Volume key does not match the volume."
+msgstr "ტომის გასაღები ტომს არ ემთხვევა."
+
+#: lib/setup.c:3725
+msgid "Failed to swap new key slot."
+msgstr ""
+
+#: lib/setup.c:3823
+#, c-format
+msgid "Key slot %d is invalid."
+msgstr "გასაღების სლოტი %d არასწორია."
+
+#: lib/setup.c:3829 src/cryptsetup.c:1740 src/cryptsetup.c:2208
+#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
+#, c-format
+msgid "Keyslot %d is not active."
+msgstr "გასაღების სლოტი %d აქტიური არაა."
+
+#: lib/setup.c:3848
+msgid "Device header overlaps with data area."
+msgstr ""
+
+#: lib/setup.c:4153
+msgid "Reencryption in-progress. Cannot activate device."
+msgstr ""
+
+#: lib/setup.c:4155 lib/luks2/luks2_json_metadata.c:2703
+#: lib/luks2/luks2_reencrypt.c:3590
+msgid "Failed to get reencryption lock."
+msgstr ""
+
+#: lib/setup.c:4168 lib/luks2/luks2_reencrypt.c:3609
+msgid "LUKS2 reencryption recovery failed."
+msgstr ""
+
+#: lib/setup.c:4340 lib/setup.c:4606
+msgid "Device type is not properly initialized."
+msgstr ""
+
+#: lib/setup.c:4388
+#, c-format
+msgid "Device %s already exists."
+msgstr "მოწყობლობა %s უკვე არსებობს."
+
+#: lib/setup.c:4395
+#, c-format
+msgid "Cannot use device %s, name is invalid or still in use."
+msgstr ""
+
+#: lib/setup.c:4515
+msgid "Incorrect volume key specified for plain device."
+msgstr ""
+
+#: lib/setup.c:4632
+msgid "Incorrect root hash specified for verity device."
+msgstr ""
+
+#: lib/setup.c:4642
+msgid "Root hash signature required."
+msgstr ""
+
+#: lib/setup.c:4651
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr ""
+
+#: lib/setup.c:4668 lib/setup.c:6411
+msgid "Failed to load key in kernel keyring."
+msgstr ""
+
+#: lib/setup.c:4724
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr ""
+
+#: lib/setup.c:4731 lib/setup.c:4747 lib/luks2/luks2_json_metadata.c:2756
+#: src/utils_reencrypt.c:116
+#, c-format
+msgid "Device %s is still in use."
+msgstr "მოწყობილობა %s ჯერ კიდევ გამოიყენება."
+
+#: lib/setup.c:4756
+#, c-format
+msgid "Invalid device %s."
+msgstr "არასწორი მოწყობილობა '%s'."
+
+#: lib/setup.c:4896
+msgid "Volume key buffer too small."
+msgstr "ტომის გასაღების ბუფერი ძალიან პატარაა."
+
+#: lib/setup.c:4913
+msgid "Cannot retrieve volume key for LUKS2 device."
+msgstr ""
+
+#: lib/setup.c:4922
+msgid "Cannot retrieve volume key for LUKS1 device."
+msgstr ""
+
+#: lib/setup.c:4932
+msgid "Cannot retrieve volume key for plain device."
+msgstr "უბრალო მოწყობილობისთვის ტომის გასაღების მიღების შეცდომა."
+
+#: lib/setup.c:4940
+msgid "Cannot retrieve root hash for verity device."
+msgstr ""
+
+#: lib/setup.c:4947
+msgid "Cannot retrieve volume key for BITLK device."
+msgstr ""
+
+#: lib/setup.c:4952
+msgid "Cannot retrieve volume key for FVAULT2 device."
+msgstr ""
+
+#: lib/setup.c:4954
+#, c-format
+msgid "This operation is not supported for %s crypt device."
+msgstr ""
+
+#: lib/setup.c:5135 lib/setup.c:5146
+msgid "Dump operation is not supported for this device type."
+msgstr ""
+
+#: lib/setup.c:5488
+#, c-format
+msgid "Data offset is not multiple of %u bytes."
+msgstr ""
+
+#: lib/setup.c:5776
+#, c-format
+msgid "Cannot convert device %s which is still in use."
+msgstr ""
+
+#: lib/setup.c:6086 lib/setup.c:6225
+#, c-format
+msgid "Failed to assign keyslot %u as the new volume key."
+msgstr ""
+
+#: lib/setup.c:6110
+msgid "Failed to initialize default LUKS2 keyslot parameters."
+msgstr ""
+
+#: lib/setup.c:6116
+#, c-format
+msgid "Failed to assign keyslot %d to digest."
+msgstr ""
+
+#: lib/setup.c:6341
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr ""
+
+#: lib/setup.c:6478
+msgid "Kernel keyring is not supported by the kernel."
+msgstr ""
+
+#: lib/setup.c:6488 lib/luks2/luks2_reencrypt.c:3807
+#, c-format
+msgid "Failed to read passphrase from keyring (error %d)."
+msgstr ""
+
+#: lib/setup.c:6512
+msgid "Failed to acquire global memory-hard access serialization lock."
+msgstr ""
+
+#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
+msgid "Failed to open key file."
+msgstr "გასაღების ფაილის გახსნის შეცდომა."
+
+#: lib/utils.c:163
+msgid "Cannot read keyfile from a terminal."
+msgstr ""
+
+#: lib/utils.c:179
+msgid "Failed to stat key file."
+msgstr "გასაღების ფაილის აღმოჩენის შეცდომა."
+
+#: lib/utils.c:187 lib/utils.c:208
+msgid "Cannot seek to requested keyfile offset."
+msgstr ""
+
+#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:227
+#: src/utils_password.c:239
+msgid "Out of memory while reading passphrase."
+msgstr "არასაკმარისი მეხსიერება საკვანძო ფრაზის წაკითხვისას."
+
+#: lib/utils.c:237
+msgid "Error reading passphrase."
+msgstr "საკვანძო ფრაზის წაკითხვის შეცდომა."
+
+#: lib/utils.c:254
+msgid "Nothing to read on input."
+msgstr ""
+
+#: lib/utils.c:261
+msgid "Maximum keyfile size exceeded."
+msgstr ""
+
+#: lib/utils.c:266
+msgid "Cannot read requested amount of data."
+msgstr ""
+
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1408
+#, c-format
+msgid "Device %s does not exist or access denied."
+msgstr ""
+
+#: lib/utils_device.c:217
+#, c-format
+msgid "Device %s is not compatible."
+msgstr ""
+
+#: lib/utils_device.c:561
+#, c-format
+msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
+msgstr ""
+
+#: lib/utils_device.c:722
+#, c-format
+msgid "Device %s is too small. Need at least %<PRIu64> bytes."
+msgstr ""
+
+#: lib/utils_device.c:803
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted)."
+msgstr ""
+
+#: lib/utils_device.c:807
+#, c-format
+msgid "Cannot use device %s, permission denied."
+msgstr ""
+
+#: lib/utils_device.c:810
+#, c-format
+msgid "Cannot get info about device %s."
+msgstr ""
+
+#: lib/utils_device.c:833
+msgid "Cannot use a loopback device, running as non-root user."
+msgstr ""
+
+#: lib/utils_device.c:844
+msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
+msgstr ""
+
+#: lib/utils_device.c:892
+#, c-format
+msgid "Requested offset is beyond real size of device %s."
+msgstr ""
+
+#: lib/utils_device.c:900
+#, c-format
+msgid "Device %s has zero size."
+msgstr ""
+
+#: lib/utils_pbkdf.c:100
+msgid "Requested PBKDF target time cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:106
+#, c-format
+msgid "Unknown PBKDF type %s."
+msgstr ""
+
+#: lib/utils_pbkdf.c:111
+#, c-format
+msgid "Requested hash %s is not supported."
+msgstr ""
+
+#: lib/utils_pbkdf.c:122
+msgid "Requested PBKDF type is not supported for LUKS1."
+msgstr ""
+
+#: lib/utils_pbkdf.c:128
+msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
+msgstr ""
+
+#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#, c-format
+msgid "Forced iteration count is too low for %s (minimum is %u)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:148
+#, c-format
+msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:155
+#, c-format
+msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:160
+msgid "Requested maximum PBKDF memory cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:164
+msgid "Requested PBKDF parallel threads cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:184
+msgid "Only PBKDF2 is supported in FIPS mode."
+msgstr ""
+
+#: lib/utils_benchmark.c:174
+msgid "PBKDF benchmark disabled but iterations not set."
+msgstr ""
+
+#: lib/utils_benchmark.c:193
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
+msgstr ""
+
+#: lib/utils_benchmark.c:213
+msgid "Not compatible PBKDF options."
+msgstr ""
+
+#: lib/utils_device_locking.c:101
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
+msgstr ""
+
+#: lib/utils_device_locking.c:118
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
+msgstr ""
+
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
+msgid "Cannot seek to device offset."
+msgstr ""
+
+#: lib/utils_wipe.c:247
+#, c-format
+msgid "Device wipe error, offset %<PRIu64>."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:39
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info)."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:44
+msgid "Key size in XTS mode must be 256 or 512 bits."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:46
+msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
+#: lib/luks1/keymanage.c:675 lib/luks1/keymanage.c:1126
+#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
+#, c-format
+msgid "Cannot write to device %s, permission denied."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:120
+msgid "Failed to open temporary keystore device."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:127
+msgid "Failed to access temporary keystore device."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:61
+#: lib/luks2/luks2_keyslot_luks2.c:79 lib/luks2/luks2_keyslot_reenc.c:192
+msgid "IO error while encrypting keyslot."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
+#: lib/luks1/keymanage.c:628 lib/luks1/keymanage.c:678 lib/tcrypt/tcrypt.c:679
+#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
+#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
+#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
+#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
+#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
+#: src/utils_reencrypt_luks1.c:133
+#, c-format
+msgid "Cannot open device %s."
+msgstr "მოწყობილობის გახსნის შეცდომა: '%s'."
+
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:138
+msgid "IO error while decrypting keyslot."
+msgstr ""
+
+#: lib/luks1/keymanage.c:129
+#, c-format
+msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
+msgstr ""
+
+#: lib/luks1/keymanage.c:150 lib/luks1/keymanage.c:158
+#: lib/luks1/keymanage.c:170 lib/luks1/keymanage.c:181
+#: lib/luks1/keymanage.c:193
+#, c-format
+msgid "LUKS keyslot %u is invalid."
+msgstr ""
+
+#: lib/luks1/keymanage.c:265 lib/luks2/luks2_json_metadata.c:1353
+#, c-format
+msgid "Requested header backup file %s already exists."
+msgstr ""
+
+#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1355
+#, c-format
+msgid "Cannot create header backup file %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:274 lib/luks2/luks2_json_metadata.c:1362
+#, c-format
+msgid "Cannot write header backup file %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1399
+msgid "Backup file does not contain valid LUKS header."
+msgstr ""
+
+#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:591
+#: lib/luks2/luks2_json_metadata.c:1420
+#, c-format
+msgid "Cannot open header backup file %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1428
+#, c-format
+msgid "Cannot read header backup file %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:337
+msgid "Data offset or key size differs on device and backup, restore failed."
+msgstr ""
+
+#: lib/luks1/keymanage.c:345
+#, c-format
+msgid "Device %s %s%s"
+msgstr "მოწყობილობა %s %s%s"
+
+#: lib/luks1/keymanage.c:346
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr ""
+
+#: lib/luks1/keymanage.c:347
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr ""
+
+#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1462
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+
+#: lib/luks1/keymanage.c:396
+msgid "Non standard key size, manual repair required."
+msgstr ""
+
+#: lib/luks1/keymanage.c:406
+msgid "Non standard keyslots alignment, manual repair required."
+msgstr ""
+
+#: lib/luks1/keymanage.c:415
+#, c-format
+msgid "Cipher mode repaired (%s -> %s)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:426
+#, c-format
+msgid "Cipher hash repaired to lowercase (%s)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:534
+#: lib/luks1/keymanage.c:790
+#, c-format
+msgid "Requested LUKS hash %s is not supported."
+msgstr ""
+
+#: lib/luks1/keymanage.c:442
+msgid "Repairing keyslots."
+msgstr ""
+
+#: lib/luks1/keymanage.c:461
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:469
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:478
+#, c-format
+msgid "Keyslot %i: bogus partition signature."
+msgstr ""
+
+#: lib/luks1/keymanage.c:483
+#, c-format
+msgid "Keyslot %i: salt wiped."
+msgstr ""
+
+#: lib/luks1/keymanage.c:500
+msgid "Writing LUKS header to disk."
+msgstr ""
+
+#: lib/luks1/keymanage.c:505
+msgid "Repair failed."
+msgstr "შეკეთების შეცდომა."
+
+#: lib/luks1/keymanage.c:560
+#, c-format
+msgid "LUKS cipher mode %s is invalid."
+msgstr ""
+
+#: lib/luks1/keymanage.c:565
+#, c-format
+msgid "LUKS hash %s is invalid."
+msgstr ""
+
+#: lib/luks1/keymanage.c:572 src/cryptsetup.c:1281
+msgid "No known problems detected for LUKS header."
+msgstr ""
+
+#: lib/luks1/keymanage.c:700
+#, c-format
+msgid "Error during update of LUKS header on device %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:708
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s."
+msgstr ""
+
+#: lib/luks1/keymanage.c:784
+msgid "Data offset for LUKS header must be either 0 or higher than header size."
+msgstr ""
+
+#: lib/luks1/keymanage.c:795 lib/luks1/keymanage.c:864
+#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
+#: src/utils_reencrypt.c:514
+msgid "Wrong LUKS UUID format provided."
+msgstr ""
+
+#: lib/luks1/keymanage.c:817
+msgid "Cannot create LUKS header: reading random salt failed."
+msgstr ""
+
+#: lib/luks1/keymanage.c:843
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:887
+#, c-format
+msgid "Key slot %d active, purge first."
+msgstr ""
+
+#: lib/luks1/keymanage.c:893
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?"
+msgstr ""
+
+#: lib/luks1/keymanage.c:1034
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:1112
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
+msgstr ""
+
+#: lib/luks1/keymanage.c:1130 lib/luks2/luks2_keyslot.c:718
+#, c-format
+msgid "Cannot wipe device %s."
+msgstr ""
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile."
+msgstr ""
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr ""
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected."
+msgstr ""
+
+#: lib/loopaes/loopaes.c:245
+msgid "Kernel does not support loop-AES compatible mapping."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:508
+#, c-format
+msgid "Error reading keyfile %s."
+msgstr "გასაღების ფაილის %s წაკითხვის შეცდომა."
+
+#: lib/tcrypt/tcrypt.c:558
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:600
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
+msgid "Required kernel crypto interface not available."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
+msgid "Ensure you have algif_skcipher kernel module loaded."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:762
+#, c-format
+msgid "Activation is not supported for %d sector size."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:768
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:799
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:882
+msgid "Kernel does not support TCRYPT compatible mapping."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:1095
+msgid "This function is not supported without TCRYPT header load."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:275
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:328
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:349
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:451
+msgid "BITLK version 1 is currently not supported."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:457
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:469
+#, c-format
+msgid "Unsupported sector size %<PRIu16>."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:502
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:554
+msgid "Unknown or unsupported encryption type."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:587
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:681
+msgid "Failed to convert BITLK volume description"
+msgstr ""
+
+#: lib/bitlk/bitlk.c:841
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing external key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:860
+#, c-format
+msgid "BEK file GUID '%s' does not match GUID of the volume."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:864
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing external key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:903
+#, c-format
+msgid "Unsupported BEK metadata version %<PRIu32>"
+msgstr ""
+
+#: lib/bitlk/bitlk.c:908
+#, c-format
+msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
+msgstr ""
+
+#: lib/bitlk/bitlk.c:933
+msgid "Unexpected metadata entry found when parsing startup key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1029
+msgid "This operation is not supported."
+msgstr "ეს ოპერაცია მხარდაუჭერელია."
+
+#: lib/bitlk/bitlk.c:1037
+msgid "Unexpected key data size."
+msgstr "გასაღების მონაცემების მოულოდნელი ზომა."
+
+#: lib/bitlk/bitlk.c:1163
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1168
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1175
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1216
+#, c-format
+msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1343
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1347
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1351
+msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1355
+msgid "Cannot activate device, kernel dm-zero module is missing."
+msgstr ""
+
+#: lib/fvault2/fvault2.c:542
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr ""
+
+#: lib/fvault2/fvault2.c:554
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr ""
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#, c-format
+msgid "Verity device %s does not use on-disk header."
+msgstr ""
+
+#: lib/verity/verity.c:96
+#, c-format
+msgid "Unsupported VERITY version %d."
+msgstr ""
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted."
+msgstr "VERITY თავსართი დაზიანებულია."
+
+#: lib/verity/verity.c:176
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s."
+msgstr ""
+
+#: lib/verity/verity.c:220
+#, c-format
+msgid "Error during update of verity header on device %s."
+msgstr ""
+
+#: lib/verity/verity.c:278
+msgid "Root hash signature verification is not supported."
+msgstr ""
+
+#: lib/verity/verity.c:290
+msgid "Errors cannot be repaired with FEC device."
+msgstr ""
+
+#: lib/verity/verity.c:292
+#, c-format
+msgid "Found %u repairable errors with FEC device."
+msgstr ""
+
+#: lib/verity/verity.c:335
+msgid "Kernel does not support dm-verity mapping."
+msgstr ""
+
+#: lib/verity/verity.c:339
+msgid "Kernel does not support dm-verity signature option."
+msgstr ""
+
+#: lib/verity/verity.c:350
+msgid "Verity device detected corruption after activation."
+msgstr ""
+
+#: lib/verity/verity_hash.c:66
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>."
+msgstr ""
+
+#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:311
+msgid "Device offset overflow."
+msgstr "მოწყობილობის წანაცვლების გადავსება."
+
+#: lib/verity/verity_hash.c:218
+#, c-format
+msgid "Verification failed at position %<PRIu64>."
+msgstr "გადამოწმების შეცდომა მდებარეობაზე %<PRIu64>."
+
+#: lib/verity/verity_hash.c:307
+msgid "Hash area overflow."
+msgstr "ჰეშის ფართის გადავსება."
+
+#: lib/verity/verity_hash.c:380
+msgid "Verification of data area failed."
+msgstr "მონაცემების რეგიონის გადამოწმების შეცდომა."
+
+#: lib/verity/verity_hash.c:385
+msgid "Verification of root hash failed."
+msgstr ""
+
+#: lib/verity/verity_hash.c:391
+msgid "Input/output error while creating hash area."
+msgstr ""
+
+#: lib/verity/verity_hash.c:393
+msgid "Creation of hash area failed."
+msgstr ""
+
+#: lib/verity/verity_hash.c:428
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
+msgstr ""
+
+#: lib/verity/verity_fec.c:131
+msgid "Failed to allocate RS context."
+msgstr ""
+
+#: lib/verity/verity_fec.c:149
+msgid "Failed to allocate buffer."
+msgstr "ბუფერის გამოყოფის შეცდომა."
+
+#: lib/verity/verity_fec.c:159
+#, c-format
+msgid "Failed to read RS block %<PRIu64> byte %d."
+msgstr ""
+
+#: lib/verity/verity_fec.c:172
+#, c-format
+msgid "Failed to read parity for RS block %<PRIu64>."
+msgstr ""
+
+#: lib/verity/verity_fec.c:180
+#, c-format
+msgid "Failed to repair parity for block %<PRIu64>."
+msgstr ""
+
+#: lib/verity/verity_fec.c:192
+#, c-format
+msgid "Failed to write parity for RS block %<PRIu64>."
+msgstr ""
+
+#: lib/verity/verity_fec.c:208
+msgid "Block sizes must match for FEC."
+msgstr ""
+
+#: lib/verity/verity_fec.c:214
+msgid "Invalid number of parity bytes."
+msgstr ""
+
+#: lib/verity/verity_fec.c:248
+msgid "Invalid FEC segment length."
+msgstr ""
+
+#: lib/verity/verity_fec.c:316
+#, c-format
+msgid "Failed to determine size for device %s."
+msgstr ""
+
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr ""
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+msgid "Kernel does not support dm-integrity mapping."
+msgstr ""
+
+#: lib/integrity/integrity.c:283
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr ""
+
+#: lib/integrity/integrity.c:292
+msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
+#, c-format
+msgid "Failed to acquire write lock on device %s."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:400
+msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+msgid ""
+"Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
+"Please run \"cryptsetup repair\" for recovery."
+msgstr ""
+
+#: lib/luks2/luks2_json_format.c:229
+msgid "Requested data offset is too small."
+msgstr ""
+
+#: lib/luks2/luks2_json_format.c:274
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:93
+#: lib/luks2/luks2_keyslot_luks2.c:115
+#, c-format
+msgid "Failed to acquire read lock on device %s."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1405
+#, c-format
+msgid "Forbidden LUKS2 requirements detected in backup %s."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1446
+msgid "Data offset differ on device and backup, restore failed."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1452
+msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1459
+#, c-format
+msgid "Device %s %s%s%s%s"
+msgstr "მოწყობილობა %s %s%s%s%s"
+
+#: lib/luks2/luks2_json_metadata.c:1460
+msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1461
+msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1463
+msgid ""
+"\n"
+"WARNING: unknown LUKS2 requirements detected in real device header!\n"
+"Replacing header with backup may corrupt the data on that device!"
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1465
+msgid ""
+"\n"
+"WARNING: Unfinished offline reencryption detected on the device!\n"
+"Replacing header with backup may corrupt data."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1562
+#, c-format
+msgid "Ignored unknown flag %s."
+msgstr "უცნობი ალამი იგნორირებულია %s."
+
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
+#, c-format
+msgid "Missing key for dm-crypt segment %u"
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
+msgid "Failed to set dm-crypt segment."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
+msgid "Failed to set dm-linear segment."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2615
+msgid "Unsupported device integrity configuration."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2701
+msgid "Reencryption in-progress. Cannot deactivate device."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
+#, c-format
+msgid "Failed to replace suspended device %s with dm-error target."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2792
+msgid "Failed to read LUKS2 requirements."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2799
+msgid "Unmet LUKS2 requirements detected."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2807
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2809
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+msgid "Not enough available memory to open a keyslot."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+msgid "Keyslot open failed."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_luks2.c:54 lib/luks2/luks2_keyslot_luks2.c:109
+#, c-format
+msgid "Cannot use %s-%s cipher for keyslot encryption."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_luks2.c:281 lib/luks2/luks2_keyslot_luks2.c:390
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_luks2.c:506
+msgid "No space for new keyslot."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:512
+#, c-format
+msgid "Cannot check status of device with uuid: %s."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:538
+msgid "Unable to convert header with LUKSMETA additional metadata."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:584
+msgid "Unable to move keyslot area. Not enough space."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:636
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+msgid "Unable to move keyslot area."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:732
+msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:740
+msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:752
+#, c-format
+msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:765
+#, c-format
+msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:779
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:784
+#, c-format
+msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:789
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1152
+#, c-format
+msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1157
+#, c-format
+msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
+#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
+#: lib/luks2/luks2_reencrypt.c:3877
+msgid "Failed to initialize old segment storage wrapper."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
+msgid "Failed to initialize new segment storage wrapper."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+msgid "Failed to initialize hotzone protection."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1578
+msgid "Failed to read checksums for current hotzone."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
+#, c-format
+msgid "Failed to read hotzone area starting at %<PRIu64>."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1604
+#, c-format
+msgid "Failed to decrypt sector %zu."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:1610
+#, c-format
+msgid "Failed to recover sector %zu."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2174
+#, c-format
+msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2272
+#, c-format
+msgid "Failed to activate hotzone device %s."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2289
+#, c-format
+msgid "Failed to activate overlay device %s with actual origin table."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2296
+#, c-format
+msgid "Failed to load new mapping for device %s."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2367
+msgid "Failed to refresh reencryption devices stack."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2550
+msgid "Failed to set new keyslots area size."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2686
+#, c-format
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
+#, c-format
+msgid "Unsupported resilience mode %s"
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2760
+msgid "Moved segment size can not be greater than data shift value."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2802
+msgid "Invalid reencryption resilience parameters."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2824
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2911
+msgid "Failed to clear table."
+msgstr "ცხრილის გასუფთავება შეუძლებელია."
+
+#: lib/luks2/luks2_reencrypt.c:2997
+msgid "Reduced data size is larger than real device size."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3004
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3038
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
+#: lib/luks2/luks2_reencrypt.c:3554
+#, c-format
+msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3234
+msgid "Device not marked for LUKS2 reencryption."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
+msgid "Failed to load LUKS2 reencryption context."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3331
+msgid "Failed to get reencryption state."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
+msgid "Device is not in reencryption."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
+msgid "Reencryption process is already running."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
+msgid "Failed to acquire reencryption lock."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3362
+msgid "Cannot proceed with reencryption. Run reencryption recovery first."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3497
+msgid "Active device size and requested reencryption size don't match."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3511
+msgid "Illegal device size requested in reencryption parameters."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3588
+msgid "Reencryption in-progress. Cannot perform recovery."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3757
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3764
+msgid "Failed to initialize LUKS2 reencryption in metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3859
+msgid "Failed to set device segments for next reencryption hotzone."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3911
+msgid "Failed to write reencryption resilience metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3918
+msgid "Decryption failed."
+msgstr "გაშიფვრის შეცდომა."
+
+#: lib/luks2/luks2_reencrypt.c:3923
+#, c-format
+msgid "Failed to write hotzone area starting at %<PRIu64>."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3928
+msgid "Failed to sync data."
+msgstr "მონაცემების სინქრონიზაციის შეცდომა."
+
+#: lib/luks2/luks2_reencrypt.c:3936
+msgid "Failed to update metadata after current reencryption hotzone completed."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4025
+msgid "Failed to write LUKS2 metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4048
+msgid "Failed to wipe unused data device area."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4054
+#, c-format
+msgid "Failed to remove unused (unbound) keyslot %d."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4064
+msgid "Failed to remove reencryption keyslot."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4074
+#, c-format
+msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4078
+msgid "Online reencryption failed."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4083
+msgid "Do not resume the device unless replaced with error target manually."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4137
+msgid "Cannot proceed with reencryption. Unexpected reencryption status."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4143
+msgid "Missing or invalid reencrypt context."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4150
+msgid "Failed to initialize reencryption device stack."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
+msgid "Failed to update reencryption context."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt_digest.c:405
+msgid "Reencryption metadata is invalid."
+msgstr ""
+
+#: src/cryptsetup.c:85
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr ""
+
+#: src/cryptsetup.c:108 src/cryptsetup.c:1901
+#, c-format
+msgid "Enter token PIN: "
+msgstr "შეიყვანეთ კოდის PIN კოდი: "
+
+#: src/cryptsetup.c:110 src/cryptsetup.c:1903
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr ""
+
+#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
+#: src/utils_reencrypt.c:1097 src/utils_reencrypt_luks1.c:517
+#: src/utils_reencrypt_luks1.c:580
+msgid "No known cipher specification pattern detected."
+msgstr ""
+
+#: src/cryptsetup.c:167
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr ""
+
+#: src/cryptsetup.c:175
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr ""
+
+#: src/cryptsetup.c:215
+#, c-format
+msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
+msgstr ""
+
+#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
+#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
+#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
+#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:724
+msgid "Operation aborted.\n"
+msgstr "ოპერაცია გაუქმდა.\n"
+
+#: src/cryptsetup.c:294
+msgid "Option --key-file is required."
+msgstr ""
+
+#: src/cryptsetup.c:345
+msgid "Enter VeraCrypt PIM: "
+msgstr ""
+
+#: src/cryptsetup.c:354
+msgid "Invalid PIM value: parse error."
+msgstr ""
+
+#: src/cryptsetup.c:357
+msgid "Invalid PIM value: 0."
+msgstr ""
+
+#: src/cryptsetup.c:360
+msgid "Invalid PIM value: outside of range."
+msgstr ""
+
+#: src/cryptsetup.c:383
+msgid "No device header detected with this passphrase."
+msgstr ""
+
+#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr ""
+
+#: src/cryptsetup.c:464
+msgid "Cannot determine volume key size for BITLK, please use --key-size option."
+msgstr ""
+
+#: src/cryptsetup.c:506
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+
+#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
+msgid ""
+"The header dump with volume key is sensitive information\n"
+"that allows access to encrypted partition without a passphrase.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+
+#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr ""
+
+#: src/cryptsetup.c:747
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr ""
+
+#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
+#, c-format
+msgid "Device %s is still active and scheduled for deferred removal.\n"
+msgstr ""
+
+#: src/cryptsetup.c:835
+msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
+msgstr ""
+
+#: src/cryptsetup.c:982
+msgid "Benchmark interrupted."
+msgstr ""
+
+#: src/cryptsetup.c:1003
+#, c-format
+msgid "PBKDF2-%-9s N/A\n"
+msgstr "PBKDF2-%-9s N/A\n"
+
+#: src/cryptsetup.c:1005
+#, c-format
+msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
+msgstr ""
+
+#: src/cryptsetup.c:1019
+#, c-format
+msgid "%-10s N/A\n"
+msgstr "%-10s N/A\n"
+
+#: src/cryptsetup.c:1021
+#, c-format
+msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
+msgstr ""
+
+#: src/cryptsetup.c:1045
+msgid "Result of benchmark is not reliable."
+msgstr ""
+
+#: src/cryptsetup.c:1095
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr ""
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1115
+#, c-format
+msgid "#%*s Algorithm | Key | Encryption | Decryption\n"
+msgstr "#%*s ალგორითმი | გასაღები | დაშიფვრა | გაშიფვრა\n"
+
+#: src/cryptsetup.c:1119
+#, c-format
+msgid "Cipher %s (with %i bits key) is not available."
+msgstr ""
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1138
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# ალგორითმი | გასაღები | დაშიფვრა | გაშიფვრა\n"
+
+#: src/cryptsetup.c:1149
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:1174
+msgid ""
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
+"and continue (upgrade metadata) only if you acknowledge the operation as genuine."
+msgstr ""
+
+#: src/cryptsetup.c:1180
+msgid "Enter passphrase to protect and upgrade reencryption metadata: "
+msgstr ""
+
+#: src/cryptsetup.c:1224
+msgid "Really proceed with LUKS2 reencryption recovery?"
+msgstr ""
+
+#: src/cryptsetup.c:1233
+msgid "Enter passphrase to verify reencryption metadata digest: "
+msgstr ""
+
+#: src/cryptsetup.c:1235
+msgid "Enter passphrase for reencryption recovery: "
+msgstr ""
+
+#: src/cryptsetup.c:1290
+msgid "Really try to repair LUKS device header?"
+msgstr ""
+
+#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+
+#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
+msgid ""
+"Wiping device to initialize integrity checksum.\n"
+"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
+msgstr ""
+
+#: src/cryptsetup.c:1341 src/integritysetup.c:116
+#, c-format
+msgid "Cannot deactivate temporary device %s."
+msgstr ""
+
+#: src/cryptsetup.c:1392
+msgid "Integrity option can be used only for LUKS2 format."
+msgstr ""
+
+#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
+msgid "Unsupported LUKS2 metadata size options."
+msgstr ""
+
+#: src/cryptsetup.c:1406
+msgid "Header file does not exist, do you want to create it?"
+msgstr ""
+
+#: src/cryptsetup.c:1414
+#, c-format
+msgid "Cannot create header file %s."
+msgstr "თავსართის ფაილის (%s) შექმნის შეცდომა."
+
+#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
+#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
+#: src/integritysetup.c:333
+msgid "No known integrity specification pattern detected."
+msgstr ""
+
+#: src/cryptsetup.c:1450
+#, c-format
+msgid "Cannot use %s as on-disk header."
+msgstr ""
+
+#: src/cryptsetup.c:1474 src/integritysetup.c:181
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr ""
+
+#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
+#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
+msgid "Failed to set pbkdf parameters."
+msgstr ""
+
+#: src/cryptsetup.c:1593
+msgid "Reduced data offset is allowed only for detached LUKS header."
+msgstr ""
+
+#: src/cryptsetup.c:1600
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr ""
+
+#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
+msgstr ""
+
+#: src/cryptsetup.c:1658
+msgid "Device activated but cannot make flags persistent."
+msgstr ""
+
+#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
+#, c-format
+msgid "Keyslot %d is selected for deletion."
+msgstr ""
+
+#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr ""
+
+#: src/cryptsetup.c:1750
+msgid "Enter any remaining passphrase: "
+msgstr ""
+
+#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
+msgid "Operation aborted, the keyslot was NOT wiped.\n"
+msgstr ""
+
+#: src/cryptsetup.c:1787
+msgid "Enter passphrase to be deleted: "
+msgstr ""
+
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
+#: src/cryptsetup.c:2948
+#, c-format
+msgid "Device %s is not a valid LUKS2 device."
+msgstr ""
+
+#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
+msgid "Enter new passphrase for key slot: "
+msgstr ""
+
+#: src/cryptsetup.c:1968
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr ""
+
+#: src/cryptsetup.c:2152
+msgid "Enter passphrase to be changed: "
+msgstr ""
+
+#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
+msgid "Enter new passphrase: "
+msgstr "შეიყვანეთ ახალი საკვანძო ფრაზა: "
+
+#: src/cryptsetup.c:2218
+msgid "Enter passphrase for keyslot to be converted: "
+msgstr ""
+
+#: src/cryptsetup.c:2242
+msgid "Only one device argument for isLuks operation is supported."
+msgstr ""
+
+#: src/cryptsetup.c:2350
+#, c-format
+msgid "Keyslot %d does not contain unbound key."
+msgstr ""
+
+#: src/cryptsetup.c:2355
+msgid ""
+"The header dump with unbound key is sensitive information.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
+#, c-format
+msgid "%s is not active %s device name."
+msgstr ""
+
+#: src/cryptsetup.c:2465
+#, c-format
+msgid "%s is not active LUKS device name or header is missing."
+msgstr ""
+
+#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
+msgid "Option --header-backup-file is required."
+msgstr ""
+
+#: src/cryptsetup.c:2577
+#, c-format
+msgid "%s is not cryptsetup managed device."
+msgstr ""
+
+#: src/cryptsetup.c:2588
+#, c-format
+msgid "Refresh is not supported for device type %s"
+msgstr ""
+
+#: src/cryptsetup.c:2638
+#, c-format
+msgid "Unrecognized metadata device type %s."
+msgstr ""
+
+#: src/cryptsetup.c:2640
+msgid "Command requires device and mapped name as arguments."
+msgstr ""
+
+#: src/cryptsetup.c:2661
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+
+#: src/cryptsetup.c:2668
+msgid "Operation aborted, keyslots were NOT wiped.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2707
+msgid "Invalid LUKS type, only luks1 and luks2 are supported."
+msgstr ""
+
+#: src/cryptsetup.c:2723
+#, c-format
+msgid "Device is already %s type."
+msgstr ""
+
+#: src/cryptsetup.c:2730
+#, c-format
+msgid "This operation will convert %s to %s format.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2733
+msgid "Operation aborted, device was NOT converted.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2773
+msgid "Option --priority, --label or --subsystem is missing."
+msgstr ""
+
+#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
+#, c-format
+msgid "Token %d is invalid."
+msgstr "კოდი %d არასწორია."
+
+#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
+#, c-format
+msgid "Token %d in use."
+msgstr "კოდი %d გამოიყენება."
+
+#: src/cryptsetup.c:2822
+#, c-format
+msgid "Failed to add luks2-keyring token %d."
+msgstr ""
+
+#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
+#, c-format
+msgid "Failed to assign token %d to keyslot %d."
+msgstr ""
+
+#: src/cryptsetup.c:2850
+#, c-format
+msgid "Token %d is not in use."
+msgstr "კოდი %d არ გამოიყენება."
+
+#: src/cryptsetup.c:2887
+msgid "Failed to import token from file."
+msgstr ""
+
+#: src/cryptsetup.c:2912
+#, c-format
+msgid "Failed to get token %d for export."
+msgstr ""
+
+#: src/cryptsetup.c:2925
+#, c-format
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "" + +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#, c-format +msgid "Failed to unassign token %d from keyslot %d." +msgstr "" + +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "" + +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "" + +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "" + +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "" + +#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "" + +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "" + +#: src/cryptsetup.c:3007 +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "" + +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." +msgstr "" + +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "" + +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "" + +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "" + +#: src/cryptsetup.c:3023 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "" + +#: src/cryptsetup.c:3027 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "" + +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." 
+msgstr "" + +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "" + +#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "" + +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "" + +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "" + +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "" + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3091 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "" + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." +msgstr "" + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "" + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "არასწორი კოდის ქმედება." + +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "" + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "" + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "" + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. 
Use --key-slot parameter." +msgstr "" + +#: src/cryptsetup.c:3156 +msgid "<device> [--type <type>] [<name>]" +msgstr "<მოწყობილობა> [--type <ტიპი>] [<სახელი>]" + +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +msgid "open device as <name>" +msgstr "" + +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 +msgid "<name>" +msgstr "<name>" + +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +msgid "close device (remove mapping)" +msgstr "" + +#: src/cryptsetup.c:3158 src/integritysetup.c:539 +msgid "resize active device" +msgstr "აქტიური მოწყობილობის ზომის შეცვლა" + +#: src/cryptsetup.c:3159 +msgid "show device status" +msgstr "მოწყობილობის მდგომარეობის ჩვენება" + +#: src/cryptsetup.c:3160 +msgid "[--cipher <cipher>]" +msgstr "[--cipher <შიფრი>]" + +#: src/cryptsetup.c:3160 +msgid "benchmark cipher" +msgstr "" + +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +msgid "<device>" +msgstr "<მოწყობილობა>" + +#: src/cryptsetup.c:3161 +msgid "try to repair on-disk metadata" +msgstr "" + +#: src/cryptsetup.c:3162 +msgid "reencrypt LUKS2 device" +msgstr "" + +#: src/cryptsetup.c:3163 +msgid "erase all keyslots (remove encryption key)" +msgstr "" + +#: src/cryptsetup.c:3164 +msgid "convert LUKS from/to LUKS2 format" +msgstr "" + +#: src/cryptsetup.c:3165 +msgid "set permanent configuration options for LUKS2" +msgstr "" + +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +msgid "<device> [<new key file>]" +msgstr "" + +#: src/cryptsetup.c:3166 +msgid "formats a LUKS device" +msgstr "" + +#: 
src/cryptsetup.c:3167 +msgid "add key to LUKS device" +msgstr "" + +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +msgid "<device> [<key file>]" +msgstr "<მოწყობილობა> [<გასაღების ფაილი>]" + +#: src/cryptsetup.c:3168 +msgid "removes supplied key or key file from LUKS device" +msgstr "" + +#: src/cryptsetup.c:3169 +msgid "changes supplied key or key file of LUKS device" +msgstr "" + +#: src/cryptsetup.c:3170 +msgid "converts a key to new pbkdf parameters" +msgstr "" + +#: src/cryptsetup.c:3171 +msgid "<device> <key slot>" +msgstr "" + +#: src/cryptsetup.c:3171 +msgid "wipes key with number <key slot> from LUKS device" +msgstr "" + +#: src/cryptsetup.c:3172 +msgid "print UUID of LUKS device" +msgstr "" + +#: src/cryptsetup.c:3173 +msgid "tests <device> for LUKS partition header" +msgstr "" + +#: src/cryptsetup.c:3174 +msgid "dump LUKS partition information" +msgstr "" + +#: src/cryptsetup.c:3175 +msgid "dump TCRYPT device information" +msgstr "" + +#: src/cryptsetup.c:3176 +msgid "dump BITLK device information" +msgstr "" + +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "" + +#: src/cryptsetup.c:3178 +msgid "Suspend LUKS device and wipe key (all IOs are frozen)" +msgstr "" + +#: src/cryptsetup.c:3179 +msgid "Resume suspended LUKS device" +msgstr "" + +#: src/cryptsetup.c:3180 +msgid "Backup LUKS device header and keyslots" +msgstr "" + +#: src/cryptsetup.c:3181 +msgid "Restore LUKS device header and keyslots" +msgstr "" + +#: src/cryptsetup.c:3182 +msgid "<add|remove|import|export> <device>" +msgstr "" + +#: src/cryptsetup.c:3182 +msgid "Manipulate LUKS2 tokens" +msgstr "" + +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +msgid "" +"\n" +"<action> is one of:\n" +msgstr "" +"\n" +"<ქმედება> შეიძლება იყოს:\n" + +#: src/cryptsetup.c:3207 +msgid "" +"\n" +"You can also use old <action> syntax aliases:\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" 
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" +msgstr "" + +#: src/cryptsetup.c:3211 +#, c-format +msgid "" +"\n" +"<name> is the device to create under %s\n" +"<device> is the encrypted device\n" +"<key slot> is the LUKS key slot number to modify\n" +"<key file> optional key file for the new key for luksAddKey action\n" +msgstr "" + +#: src/cryptsetup.c:3218 +#, c-format +msgid "" +"\n" +"Default compiled-in metadata format is %s (for luksFormat action).\n" +msgstr "" + +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 +#, c-format +msgid "" +"\n" +"LUKS2 external token plugin support is %s.\n" +msgstr "" + +#: src/cryptsetup.c:3223 +msgid "compiled-in" +msgstr "" + +#: src/cryptsetup.c:3224 +#, c-format +msgid "LUKS2 external token plugin path: %s.\n" +msgstr "" + +#: src/cryptsetup.c:3226 +msgid "disabled" +msgstr "გამორთულია" + +#: src/cryptsetup.c:3230 +#, c-format +msgid "" +"\n" +"Default compiled-in key and passphrase parameters:\n" +"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n" +"Default PBKDF for LUKS1: %s, iteration time: %d (ms)\n" +"Default PBKDF for LUKS2: %s\n" +"\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n" +msgstr "" + +#: src/cryptsetup.c:3241 +#, c-format +msgid "" +"\n" +"Default compiled-in device cipher parameters:\n" +"\tloop-AES: %s, Key %d bits\n" +"\tplain: %s, Key: %d bits, Password hashing: %s\n" +"\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" +msgstr "" + +#: src/cryptsetup.c:3250 +msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" +msgstr "" + +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#, c-format +msgid "%s: requires %s as arguments" +msgstr "" + +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +msgid "Key slot is invalid." +msgstr "გასაღების სლოტი არასწორია." 
+ +#: src/cryptsetup.c:3335 +msgid "Device size must be multiple of 512 bytes sector." +msgstr "" + +#: src/cryptsetup.c:3340 +msgid "Invalid max reencryption hotzone size specification." +msgstr "" + +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +msgid "Key size must be a multiple of 8 bits" +msgstr "" + +#: src/cryptsetup.c:3371 +msgid "Maximum device reduce size is 1 GiB." +msgstr "" + +#: src/cryptsetup.c:3374 +msgid "Reduce size must be multiple of 512 bytes sector." +msgstr "" + +#: src/cryptsetup.c:3391 +msgid "Option --priority can be only ignore/normal/prefer." +msgstr "" + +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +msgid "Show this help message" +msgstr "დახმარების ამ შეტყობინების ჩვენება" + +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +msgid "Display brief usage" +msgstr "გამოყენების მოკლე შეტყობინება" + +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +msgid "Print package version" +msgstr "პაკეტის ვერსიის გამოტანა" + +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +msgid "Help options:" +msgstr "დახმარების პარამეტრები:" + +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +msgid "[OPTION...] <action> <action-specific>" +msgstr "" + +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +msgid "Argument <action> missing." +msgstr "" + +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +msgid "Unknown action." +msgstr "უცნობი ქმედება." + +#: src/cryptsetup.c:3546 +msgid "Option --key-file takes precedence over specified key file argument." +msgstr "" + +#: src/cryptsetup.c:3552 +msgid "Only one --key-file argument is allowed." +msgstr "" + +#: src/cryptsetup.c:3557 +msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." +msgstr "" + +#: src/cryptsetup.c:3562 +msgid "PBKDF forced iterations cannot be combined with iteration time option." 
+msgstr "" + +#: src/cryptsetup.c:3573 +msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." +msgstr "" + +#: src/cryptsetup.c:3581 +msgid "No action taken. Invoked with --test-args option.\n" +msgstr "" + +#: src/cryptsetup.c:3594 +msgid "Cannot disable metadata locking." +msgstr "" + +#: src/veritysetup.c:54 +msgid "Invalid salt string specified." +msgstr "მარილის მითითებული სტრიქონი არასწორია." + +#: src/veritysetup.c:87 +#, c-format +msgid "Cannot create hash image %s for writing." +msgstr "" + +#: src/veritysetup.c:97 +#, c-format +msgid "Cannot create FEC image %s for writing." +msgstr "" + +#: src/veritysetup.c:136 +#, c-format +msgid "Cannot create root hash file %s for writing." +msgstr "" + +#: src/veritysetup.c:143 +#, c-format +msgid "Cannot write to root hash file %s." +msgstr "" + +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "" + +#: src/veritysetup.c:215 src/veritysetup.c:232 +#, c-format +msgid "Cannot read root hash file %s." +msgstr "" + +#: src/veritysetup.c:220 +#, c-format +msgid "Invalid root hash file %s." +msgstr "" + +#: src/veritysetup.c:241 +msgid "Invalid root hash string specified." +msgstr "" + +#: src/veritysetup.c:249 +#, c-format +msgid "Invalid signature file %s." +msgstr "" + +#: src/veritysetup.c:256 +#, c-format +msgid "Cannot read signature file %s." +msgstr "" + +#: src/veritysetup.c:279 src/veritysetup.c:293 +msgid "Command requires <root_hash> or --root-hash-file option as argument." 
+msgstr "" + +#: src/veritysetup.c:489 +msgid "<data_device> <hash_device>" +msgstr "" + +#: src/veritysetup.c:489 src/integritysetup.c:534 +msgid "format device" +msgstr "მოწყობილობის ფორმატირება" + +#: src/veritysetup.c:490 +msgid "<data_device> <hash_device> [<root_hash>]" +msgstr "" + +#: src/veritysetup.c:490 +msgid "verify device" +msgstr "მოწყობილობის გადამოწმება" + +#: src/veritysetup.c:491 +msgid "<data_device> <name> <hash_device> [<root_hash>]" +msgstr "" + +#: src/veritysetup.c:493 src/integritysetup.c:537 +msgid "show active device status" +msgstr "აქტიურ მოწყობილობის სტატუსის ჩვენება" + +#: src/veritysetup.c:494 +msgid "<hash_device>" +msgstr "<ჰეშის მოწყობილობა>" + +#: src/veritysetup.c:494 src/integritysetup.c:538 +msgid "show on-disk information" +msgstr "" + +#: src/veritysetup.c:513 +#, c-format +msgid "" +"\n" +"<name> is the device to create under %s\n" +"<data_device> is the data device\n" +"<hash_device> is the device containing verification data\n" +"<root_hash> hash of the root node on <hash_device>\n" +msgstr "" + +#: src/veritysetup.c:520 +#, c-format +msgid "" +"\n" +"Default compiled-in dm-verity parameters:\n" +"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n" +msgstr "" + +#: src/veritysetup.c:658 +msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." +msgstr "" + +#: src/veritysetup.c:663 +msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." +msgstr "" + +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" + +#: src/integritysetup.c:212 +#, c-format +msgid "Formatted with tag size %u, internal integrity %s.\n" +msgstr "" + +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." 
+msgstr "" + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "" + +#: src/integritysetup.c:534 src/integritysetup.c:538 +msgid "<integrity_device>" +msgstr "" + +#: src/integritysetup.c:535 +msgid "<integrity_device> <name>" +msgstr "" + +#: src/integritysetup.c:558 +#, c-format +msgid "" +"\n" +"<name> is the device to create under %s\n" +"<integrity_device> is the device containing data with integrity tags\n" +msgstr "" + +#: src/integritysetup.c:563 +#, c-format +msgid "" +"\n" +"Default compiled-in dm-integrity parameters:\n" +"\tChecksum algorithm: %s\n" +"\tMaximum keyfile size: %dkB\n" +msgstr "" + +#: src/integritysetup.c:620 +#, c-format +msgid "Invalid --%s size. Maximum is %u bytes." +msgstr "" + +#: src/integritysetup.c:720 +msgid "Both key file and key size options must be specified." +msgstr "" + +#: src/integritysetup.c:724 +msgid "Both journal integrity key file and key size options must be specified." +msgstr "" + +#: src/integritysetup.c:727 +msgid "Journal integrity algorithm must be specified if journal integrity key is used." +msgstr "" + +#: src/integritysetup.c:731 +msgid "Both journal encryption key file and key size options must be specified." +msgstr "" + +#: src/integritysetup.c:734 +msgid "Journal encryption algorithm must be specified if journal encryption key is used." +msgstr "" + +#: src/integritysetup.c:738 +msgid "Recovery and bitmap mode options are mutually exclusive." +msgstr "" + +#: src/integritysetup.c:745 +msgid "Journal options cannot be used in bitmap mode." +msgstr "" + +#: src/integritysetup.c:750 +msgid "Bitmap options can be used only in bitmap mode." +msgstr "" + +#: src/utils_tools.c:118 +msgid "" +"\n" +"WARNING!\n" +"========\n" +msgstr "" +"\n" +"გაფრთხილება!\n" +"========\n" + +#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. 
+#: src/utils_tools.c:120 +#, c-format +msgid "" +"%s\n" +"\n" +"Are you sure? (Type 'yes' in capital letters): " +msgstr "" + +#: src/utils_tools.c:126 +msgid "Error reading response from terminal." +msgstr "ტერმინალიდან მიღებული პასუხის წაკითხვის შეცდომა." + +#: src/utils_tools.c:158 +msgid "Command successful." +msgstr "ბრძანება წარმატებულია." + +#: src/utils_tools.c:166 +msgid "wrong or missing parameters" +msgstr "ნაკლული ან არასწორი პარამეტრები" + +#: src/utils_tools.c:168 +msgid "no permission or bad passphrase" +msgstr "აკრძალული წვდომა ან არასწორი საკვანძო ფრაზა" + +#: src/utils_tools.c:170 +msgid "out of memory" +msgstr "მეხსიერებას გარეთ" + +#: src/utils_tools.c:172 +msgid "wrong device or file specified" +msgstr "მითითებული მოწყობილობა ან ფაილი არასწორია" + +#: src/utils_tools.c:174 +msgid "device already exists or device is busy" +msgstr "მოწყობილობა უკვე არსებობს ან დაკავებულია" + +#: src/utils_tools.c:176 +msgid "unknown error" +msgstr "უცნობი შეცდომა" + +#: src/utils_tools.c:178 +#, c-format +msgid "Command failed with code %i (%s)." +msgstr "" + +#: src/utils_tools.c:256 +#, c-format +msgid "Key slot %i created." +msgstr "" + +#: src/utils_tools.c:258 +#, c-format +msgid "Key slot %i unlocked." +msgstr "" + +#: src/utils_tools.c:260 +#, c-format +msgid "Key slot %i removed." +msgstr "" + +#: src/utils_tools.c:269 +#, c-format +msgid "Token %i created." +msgstr "" + +#: src/utils_tools.c:271 +#, c-format +msgid "Token %i removed." +msgstr "" + +#: src/utils_tools.c:281 +msgid "No token could be unlocked with this PIN." +msgstr "" + +#: src/utils_tools.c:283 +#, c-format +msgid "Token %i requires PIN." +msgstr "" + +#: src/utils_tools.c:285 +#, c-format +msgid "Token (type %s) requires PIN." +msgstr "" + +#: src/utils_tools.c:288 +#, c-format +msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." 
+msgstr "" + +#: src/utils_tools.c:290 +#, c-format +msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." +msgstr "" + +#: src/utils_tools.c:293 +#, c-format +msgid "Token %i requires additional missing resource." +msgstr "" + +#: src/utils_tools.c:295 +#, c-format +msgid "Token (type %s) requires additional missing resource." +msgstr "" + +#: src/utils_tools.c:298 +#, c-format +msgid "No usable token (type %s) is available." +msgstr "" + +#: src/utils_tools.c:300 +msgid "No usable token is available." +msgstr "" + +#: src/utils_tools.c:393 +#, c-format +msgid "Cannot read keyfile %s." +msgstr "" + +#: src/utils_tools.c:398 +#, c-format +msgid "Cannot read %d bytes from keyfile %s." +msgstr "" + +#: src/utils_tools.c:423 +#, c-format +msgid "Cannot open keyfile %s for write." +msgstr "" + +#: src/utils_tools.c:430 +#, c-format +msgid "Cannot write to keyfile %s." +msgstr "" + +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>სთ%02<PRIu64>წთ%02<PRIu64>წმ" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> დღე" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> %s ჩაწერილია" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "სიჩქარე %5.1f %s/წმ" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "მიმდინარეობა: %5.1f%%, დარჩენილია %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. 
+#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "დასრულდა. დრო: %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:74 +#, c-format +msgid "Cannot check password quality: %s" +msgstr "" + +#: src/utils_password.c:49 +#, c-format +msgid "" +"Password quality check failed:\n" +" %s" +msgstr "" + +#: src/utils_password.c:81 +#, c-format +msgid "Password quality check failed: Bad passphrase (%s)" +msgstr "" + +#: src/utils_password.c:232 src/utils_password.c:246 +msgid "Error reading passphrase from terminal." +msgstr "" + +#: src/utils_password.c:244 +msgid "Verify passphrase: " +msgstr "გადაამოწმეთ საკვანძო ფრაზა: " + +#: src/utils_password.c:251 +msgid "Passphrases do not match." +msgstr "საკვანძო ფრაზები არ ემთხვევა." + +#: src/utils_password.c:289 +msgid "Cannot use offset with terminal input." +msgstr "" + +#: src/utils_password.c:293 +#, c-format +msgid "Enter passphrase: " +msgstr "შეიყვანეთ საკვანძო ფრაზა: " + +#: src/utils_password.c:296 +#, c-format +msgid "Enter passphrase for %s: " +msgstr "შეიყვანეთ საკვანძო ფრაზა \"%s\"-სთვის: " + +#: src/utils_password.c:330 +msgid "No key available with this passphrase." +msgstr "" + +#: src/utils_password.c:332 +msgid "No usable keyslot is available." +msgstr "" + +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "" + +#: src/utils_luks.c:182 +#, c-format +msgid "Failed to open file %s in read-only mode." +msgstr "" + +#: src/utils_luks.c:195 +msgid "Provide valid LUKS2 token JSON:\n" +msgstr "" + +#: src/utils_luks.c:202 +msgid "Failed to read JSON file." +msgstr "JSON ფაილის წაკითხვის შეცდომა." + +#: src/utils_luks.c:207 +msgid "" +"\n" +"Read interrupted." +msgstr "" +"\n" +"წაკითხვა შეწყდა." + +#: src/utils_luks.c:248 +#, c-format +msgid "Failed to open file %s in write mode." +msgstr "" + +#: src/utils_luks.c:257 +msgid "" +"\n" +"Write interrupted." +msgstr "" +"\n" +"ჩაწერა შეწყდა." 
+ +#: src/utils_luks.c:261 +msgid "Failed to write JSON file." +msgstr "JSON ფაილი ჩაწერის შეცდომა." + +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "" + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "" + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "" + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "" + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "" + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "" + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." 
+msgstr "" + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "" + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" + +#: src/utils_reencrypt.c:494 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "" + +#: src/utils_reencrypt.c:500 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "" + +#: src/utils_reencrypt.c:510 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "" + +#: src/utils_reencrypt.c:540 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "" + +#: src/utils_reencrypt.c:542 src/utils_reencrypt.c:549 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "" + +#: src/utils_reencrypt.c:574 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "" + +#: src/utils_reencrypt.c:611 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "" + +#: src/utils_reencrypt.c:621 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "" + +#: src/utils_reencrypt.c:657 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "" + +#: src/utils_reencrypt.c:685 +msgid "Restoring original LUKS2 header." +msgstr "" + +#: src/utils_reencrypt.c:693 +msgid "Original LUKS2 header restore failed." +msgstr "" + +#: src/utils_reencrypt.c:719 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "" + +#: src/utils_reencrypt.c:767 +msgid "Failed to add read/write permissions to exported header file." 
+msgstr "" + +#: src/utils_reencrypt.c:820 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "" + +#: src/utils_reencrypt.c:848 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "" + +#: src/utils_reencrypt.c:983 src/utils_reencrypt.c:992 +msgid "Not enough free keyslots for reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1013 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "" + +#: src/utils_reencrypt.c:1022 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "" + +#: src/utils_reencrypt.c:1034 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "" + +#: src/utils_reencrypt.c:1086 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:1140 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "" + +#: src/utils_reencrypt.c:1242 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:1282 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"თავიდან დაშიფვრა შეწყვეტილია." + +#: src/utils_reencrypt.c:1287 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "" + +#: src/utils_reencrypt.c:1304 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1320 src/utils_reencrypt.c:1342 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1348 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." 
+msgstr "" + +#: src/utils_reencrypt.c:1421 +msgid "LUKS2 decryption requires --header option." +msgstr "" + +#: src/utils_reencrypt.c:1469 +msgid "Command requires device as argument." +msgstr "" + +#: src/utils_reencrypt.c:1482 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "" + +#: src/utils_reencrypt.c:1488 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1494 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "" + +#: src/utils_reencrypt.c:1500 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1506 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1513 +msgid "Device reencryption not in progress." +msgstr "" + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "" + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "" + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "ჟურნალის არასწორი ფორმატი." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." 
+msgstr "" + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "" + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "" + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "" + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "" + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "" + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "" + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "" + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "" + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "" + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "მოწყობილობის ზომის მიღების შეცდომა." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "" + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "მითითებული UUID არასწორია." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "" + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "" + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." 
+msgstr ""
+
+#: src/utils_reencrypt_luks1.c:1287
+msgid "volume key"
+msgstr "ტომის გასაღები"
+
+#: src/utils_reencrypt_luks1.c:1289
+msgid "set hash to "
+msgstr "ჰეშის დაყენება "
+
+#: src/utils_reencrypt_luks1.c:1290
+msgid ", set cipher to "
+msgstr ""
+
+#: src/utils_blockdev.c:189
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
+msgstr ""
+
+#: src/utils_blockdev.c:197
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
+msgstr ""
+
+#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+msgid "Failed to initialize device signature probes."
+msgstr ""
+
+#: src/utils_blockdev.c:274
+#, c-format
+msgid "Failed to stat device %s."
+msgstr ""
+
+#: src/utils_blockdev.c:289
+#, c-format
+msgid "Failed to open file %s in read/write mode."
+msgstr ""
+
+#: src/utils_blockdev.c:307
+#, c-format
+msgid "Existing '%s' partition signature on device %s will be wiped."
+msgstr ""
+
+#: src/utils_blockdev.c:310
+#, c-format
+msgid "Existing '%s' superblock signature on device %s will be wiped."
+msgstr ""
+
+#: src/utils_blockdev.c:313
+msgid "Failed to wipe device signature."
+msgstr ""
+
+#: src/utils_blockdev.c:320
+#, c-format
+msgid "Failed to probe device %s for a signature."
+msgstr ""
+
+#: src/utils_args.c:65
+#, c-format
+msgid "Invalid size specification in parameter --%s."
+msgstr ""
+
+#: src/utils_args.c:125
+#, c-format
+msgid "Option --%s is not allowed with %s action."
+msgstr ""
+
+#: tokens/ssh/cryptsetup-ssh.c:110
+msgid "Failed to write ssh token json."
+msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:128 +msgid "" +"Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" +"\n" +"Specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device.\n" +"Provided credentials will be used by cryptsetup to get the password when opening the device using the token.\n" +"\n" +"Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext." +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:138 +msgid "<action> <device>" +msgstr "<ქმედება> <მოწყობილობა>" + +#: tokens/ssh/cryptsetup-ssh.c:141 +msgid "Options for the 'add' action:" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:142 +msgid "IP address/URL of the remote server for this token" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:143 +msgid "Username used for the remote server" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:144 +msgid "Path to the key file on the remote server" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:145 +msgid "Path to the SSH key for connecting to the remote server" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:146 +msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:148 +msgid "Generic options:" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:149 +msgid "Shows more detailed error messages" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:150 +msgid "Show debug messages" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:151 +msgid "Show debug messages including JSON metadata" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:262 +msgid "Failed to open and import private key:\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:266 +msgid "Failed to import private key (password protected?).\n" +msgstr "" + +#. 
TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " +#: tokens/ssh/cryptsetup-ssh.c:268 +#, c-format +msgid "%s@%s's password: " +msgstr "%s@%s-ის პაროლი: " + +#: tokens/ssh/cryptsetup-ssh.c:357 +#, c-format +msgid "Failed to parse arguments.\n" +msgstr "არგუმენტების დამუშავების შეცდომა.\n" + +#: tokens/ssh/cryptsetup-ssh.c:368 +#, c-format +msgid "An action must be specified\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:374 +#, c-format +msgid "Device must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:379 +#, c-format +msgid "SSH server must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:384 +#, c-format +msgid "SSH user must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:389 +#, c-format +msgid "SSH path must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:394 +#, c-format +msgid "SSH key path must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:401 +#, c-format +msgid "Failed open %s using provided credentials.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:417 +#, c-format +msgid "Only 'add' action is currently supported by this plugin.\n" +msgstr "" + +#: tokens/ssh/ssh-utils.c:46 +msgid "Cannot create sftp session: " +msgstr "SFTP სესიის შექმნის შეცდომა: " + +#: tokens/ssh/ssh-utils.c:53 +msgid "Cannot init sftp session: " +msgstr "SFTP სესიის ინიციალიზაციის შეცდომა: " + +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "SFTP სესიის გახსნის შეცდომა: " + +#: tokens/ssh/ssh-utils.c:66 +msgid "Cannot stat sftp file: " +msgstr "SFTP ფაილის აღმოჩენის შეცდომა: " + +#: tokens/ssh/ssh-utils.c:74 +msgid "Not enough memory.\n" +msgstr "არასაკმარისი მეხსიერება.\n" + +#: tokens/ssh/ssh-utils.c:81 +msgid "Cannot read remote key: " +msgstr "დაშორებული გასაღების წაკითხვის შეცდომა: " + +#: tokens/ssh/ssh-utils.c:122 +msgid "Connection failed: " +msgstr "მიერთების შეცდომა: " + +#: 
tokens/ssh/ssh-utils.c:132 +msgid "Server not known: " +msgstr "სერვერი უცნობია: " + +#: tokens/ssh/ssh-utils.c:160 +msgid "Public key auth method not allowed on host.\n" +msgstr "" + +#: tokens/ssh/ssh-utils.c:171 +msgid "Public key authentication error: " +msgstr "" diff --git a/po/pl.po b/po/pl.po index 64b9246..dd3b1a8 100644 --- a/po/pl.po +++ b/po/pl.po @@ -1,14 +1,14 @@ # Polish translation for cryptsetup. # Copyright (C) 2010 Free Software Foundation, Inc. # This file is put in the public domain. -# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2021. +# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2022. # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-17 17:45+0100\n" +"Project-Id-Version: cryptsetup 2.6.0-rc1\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2022-11-20 12:38+0100\n" +"PO-Revision-Date: 2022-11-20 20:45+0100\n" "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n" "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n" "Language: pl\n" 
@@ -18,67 +18,71 @@ msgstr "" "X-Bugs: Report translation errors to the Language-Team address.\n" "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Nie można zainicjować device-mappera w czasie działania jako nie-root." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Nie można zainicjować device-mappera. Czy moduł jądra dm_mod jest wczytany?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Żądana flaga odroczona nie jest obsługiwana." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID dla urządzenia %s został skrócony." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Nieznany typ celu dm." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Żądane opcje dm-crypta dotyczące wydajności nie są obsługiwane." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Żądane opcje dm-verity dotyczące obsługi uszkodzenia danych nie są obsługiwane." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Żądana opcja taskletów dm-verity nie jest obsługiwana." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." 
msgstr "Żądane opcje FEC dm-verity nie są obsługiwane." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Żądane opcje integralności danych nie są obsługiwane." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Żądana opcja sector_size nie jest obsługiwana." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Żądane automatyczne przeliczenie znaczników integralności nie jest obsługiwane." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Porzucenie/TRIM nie jest obsługiwane." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Żądany tryb bitmapy dm-integrity nie jest obsługiwany." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Nie udało się odpytać segmentu dm-%s." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -86,576 +90,611 @@ msgstr "" "Entropia w systemie wyczerpała się w trakcie generowania klucza wolumenu.\n" "Proszę poruszać myszą albo wpisać trochę tekstu w innym oknie w celu zebrania zdarzeń losowych.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Generowanie klucza (gotowe %d%%).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Działanie w trybie FIPS." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Błąd krytyczny w trakcie inicjalizacji RNG." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Nieznane żądanie jakości RNG." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Błąd odczytu z RNG." -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Nie można zainicjować backendu kryptograficznego RNG." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Nie można zainicjować backendu kryptograficznego." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2139 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Algorytm skrótu %s nie jest obsługiwany." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Błąd przetwarzania klucza (użyto algorytmu skrótu %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób uaktywniania urządzenia?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3308 msgid "This operation is supported only for LUKS device." msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS." 
-#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS2." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:430 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Wszyskie miejsca na klucze są pełne." -#: lib/setup.c:431 +#: lib/setup.c:441 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Numer klucza %d jest błędny, proszę wybrać wartość między 0 a %d." -#: lib/setup.c:437 +#: lib/setup.c:447 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Miejsce na klucz %d jest pełne, proszę wybrać inne." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:532 lib/setup.c:3030 msgid "Device size is not aligned to device logical block size." msgstr "Rozmiar urządzenia nie jest wyrównany do rozmiaru bloku logicznego urządzenia." -#: lib/setup.c:620 +#: lib/setup.c:630 #, c-format msgid "Header detected but device %s is too small." msgstr "Wykryto nagłówek, ale urządzenie %s jest zbyt małe." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:671 lib/setup.c:2930 lib/setup.c:4275 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Ta operacja nie jest obsługiwana dla tego rodzaju urządzenia." -#: lib/setup.c:666 +#: lib/setup.c:676 msgid "Illegal operation with reencryption in-progress." msgstr "Niedozwolona operacja w trakcie ponownego szyfrowania." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:762 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Nie udało się wycofać zmian w metadanych LUKS2 w pamięci." 
+ +#: lib/setup.c:849 lib/luks1/keymanage.c:247 lib/luks1/keymanage.c:525 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1433 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS." + +#: lib/setup.c:852 lib/luks1/keymanage.c:528 #, c-format msgid "Unsupported LUKS version %d." msgstr "Nieobsługiwana wersja LUKS %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1479 lib/setup.c:2679 lib/setup.c:2761 lib/setup.c:2773 +#: lib/setup.c:2940 lib/setup.c:4752 #, c-format msgid "Device %s is not active." msgstr "Urządzenie %s nie jest aktywne." -#: lib/setup.c:1447 +#: lib/setup.c:1496 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Urządzenie stojące za urządzeniem szyfrowanym %s zniknęło." -#: lib/setup.c:1527 +#: lib/setup.c:1578 msgid "Invalid plain crypt parameters." msgstr "Błędne parametry szyfru plain." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1583 lib/setup.c:2042 msgid "Invalid key size." msgstr "Błędny rozmiar klucza." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1588 lib/setup.c:2047 lib/setup.c:2250 msgid "UUID is not supported for this crypt type." msgstr "UUID nie jest obsługiwany dla tego rodzaju szyfrowania." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1593 lib/setup.c:2052 msgid "Detached metadata device is not supported for this crypt type." msgstr "Osobne urządzenie metadanych nie jest obsługiwane dla tego rodzaju szyfrowania." 
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1603 lib/setup.c:1819 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Nieobsługiwany rozmiar sektora szyfrowania." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1611 lib/setup.c:1947 lib/setup.c:3024 msgid "Device size is not aligned to requested sector size." msgstr "Rozmiar urządzenia nie jest wyrównany do żądanego rozmiaru sektura." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1663 lib/setup.c:1787 msgid "Can't format LUKS without device." msgstr "Nie można sformatować LUKS-a bez urządzenia." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1669 lib/setup.c:1793 msgid "Requested data alignment is not compatible with data offset." msgstr "Żądane wyrównanie metadanych nie jest zgodne z offsetem danych." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "UWAGA: offset danych leży poza obecnie dostępnym urządzeniem danych.\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1744 lib/setup.c:1964 lib/setup.c:1985 lib/setup.c:2262 #, c-format msgid "Cannot wipe header on device %s." msgstr "Nie można wymazać nagłówka na urządzeniu %s." 
-#: lib/setup.c:1763 +#: lib/setup.c:1757 lib/setup.c:2024 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Urządzenie %s jest zbyt małe do uaktywnienia, nie ma miejsca pozostałego na dane.\n" + +#: lib/setup.c:1828 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "UWAGA: uaktywnienie urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1851 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Klucz wolumenu jest zbyt mały do szyfrowania z rozszerzeniami integralności." -#: lib/setup.c:1856 +#: lib/setup.c:1911 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Szyfr %s-%s (rozmiar klucza w bitach: %zd) nie jest dostępny." -#: lib/setup.c:1885 +#: lib/setup.c:1937 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "UWAGA: rozmiar metadanych LUKS2 zmienił się na %<PRIu64> (w bajtach).\n" -#: lib/setup.c:1889 +#: lib/setup.c:1941 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "UWAGA: rozmiar obszaru kluczy LUKS2 zmienił się na %<PRIu64> (w bajtach).\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1967 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Urządzenie %s jest zbyt małe." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1978 lib/setup.c:2004 #, c-format msgid "Cannot format device %s in use." msgstr "Nie można sformatować urządzenia %s, które jest w użyciu." 
-#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1981 lib/setup.c:2007 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Nie można sformatować urządzenia %s, brak uprawnień." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:1993 lib/setup.c:2322 #, c-format msgid "Cannot format integrity for device %s." msgstr "Nie można sformatować integralności dla urządzenia %s." -#: lib/setup.c:1959 +#: lib/setup.c:2011 #, c-format msgid "Cannot format device %s." msgstr "Nie można sformatować urządzenia %s." -#: lib/setup.c:1977 +#: lib/setup.c:2037 msgid "Can't format LOOPAES without device." msgstr "Nie można sformatować urządzenia LUKSAES bez urządzenia." -#: lib/setup.c:2022 +#: lib/setup.c:2082 msgid "Can't format VERITY without device." msgstr "Nie można sformatować VERITY bez urządzenia." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2093 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Nieobsługiwany typ hasza VERITY %d." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2099 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Nieobsługiwany rozmiar bloku VERITY." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2104 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Nieobsługiwany offset hasza VERITY." -#: lib/setup.c:2049 +#: lib/setup.c:2109 msgid "Unsupported VERITY FEC offset." msgstr "Nieobsługiwany offset FEC VERITY." -#: lib/setup.c:2073 +#: lib/setup.c:2133 msgid "Data area overlaps with hash area." msgstr "Obszar danych zachodzi na obszar skrótów." -#: lib/setup.c:2098 +#: lib/setup.c:2158 msgid "Hash area overlaps with FEC area." msgstr "Obszar skrótu zachodzi na obszar FEC." -#: lib/setup.c:2105 +#: lib/setup.c:2165 msgid "Data area overlaps with FEC area." msgstr "Obszar danych zachodzi na obszar FEC." 
-#: lib/setup.c:2241 +#: lib/setup.c:2301 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "UWAGA: żądany rozmiar znacznika %d B różni się od rozmiaru wyjścia %s (%d B).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2380 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Nieznany typ żądanego urządzenia szyfrującego %s." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2687 lib/setup.c:2766 lib/setup.c:2779 #, c-format msgid "Unsupported parameters on device %s." msgstr "Nieobsługiwane parametry urządzenia %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2693 lib/setup.c:2786 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Niezgodne parametry dla urządzenia %s." -#: lib/setup.c:2728 +#: lib/setup.c:2810 msgid "Crypt devices mismatch." msgstr "Urządzenia szyfrowane nie zgadzają się." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2847 lib/setup.c:2852 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Nie udało się przeładować urządzenia %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2858 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Nie udało się wstrzymać urządzenia %s." 
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2870 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Nie udało wznowić urządzenia %s." -#: lib/setup.c:2803 +#: lib/setup.c:2885 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Błąd krytyczny przy przeładowywaniu urządzenia %s (w oparciu o urządzenie %s)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2888 lib/setup.c:2890 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Nie udało się przełączyć urządzenia %s na dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:2972 msgid "Cannot resize loop device." msgstr "Nie można zmienić rozmiaru urządzenia loopback." -#: lib/setup.c:2958 +#: lib/setup.c:3015 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "UWAGA: maksymalny rozmiar jest już ustawiony lub jądro nie obsługuje zmiany rozmiaru.\n" + +#: lib/setup.c:3076 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Zmiana rozmiaru nie powiodła się, jądro tego nie obsługuje." + +#: lib/setup.c:3108 msgid "Do you really want to change UUID of device?" msgstr "Czy na pewno zmienić UUID urządzenia?" -#: lib/setup.c:3034 +#: lib/setup.c:3200 msgid "Header backup file does not contain compatible LUKS header." msgstr "Plik nagłówka kopii zapasowej nie zawiera zgodnego nagłówka LUKS." -#: lib/setup.c:3150 +#: lib/setup.c:3316 #, c-format msgid "Volume %s is not active." msgstr "Wolumen %s nie jest aktywny." -#: lib/setup.c:3161 +#: lib/setup.c:3327 #, c-format msgid "Volume %s is already suspended." msgstr "Wolumen %s już został wstrzymany." -#: lib/setup.c:3174 +#: lib/setup.c:3340 #, c-format msgid "Suspend is not supported for device %s." 
msgstr "Wstrzymywanie nie jest obsługiwane dla urządzenia %s." -#: lib/setup.c:3176 +#: lib/setup.c:3342 #, c-format msgid "Error during suspending device %s." msgstr "Błąd podczas wstrzymywania urządzenia %s." -#: lib/setup.c:3212 +#: lib/setup.c:3377 #, c-format msgid "Resume is not supported for device %s." msgstr "Wznawianie nie jest obsługiwane dla urządzenia %s." -#: lib/setup.c:3214 +#: lib/setup.c:3379 #, c-format msgid "Error during resuming device %s." msgstr "Błąd podczas wznawiania urządzenia %s." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3413 lib/setup.c:3461 lib/setup.c:3532 lib/setup.c:3577 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Wolumen %s nie jest wstrzymany." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3547 lib/setup.c:4528 lib/setup.c:4541 lib/setup.c:4549 +#: lib/setup.c:4562 lib/setup.c:6145 lib/setup.c:6167 lib/setup.c:6216 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Klucz wolumenu nie pasuje do wolumenu." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu." - -#: lib/setup.c:3585 +#: lib/setup.c:3725 msgid "Failed to swap new key slot." msgstr "Nie udało się podstawić nowego klucza." -#: lib/setup.c:3771 +#: lib/setup.c:3823 #, c-format msgid "Key slot %d is invalid." msgstr "Numer klucza %d jest nieprawidłowy." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3829 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "Klucz %d nie jest aktywny." 
-#: lib/setup.c:3796 +#: lib/setup.c:3848 msgid "Device header overlaps with data area." msgstr "Nagłówek urządzenia zachodzi na obszar danych." -#: lib/setup.c:4089 +#: lib/setup.c:4153 msgid "Reencryption in-progress. Cannot activate device." msgstr "Ponowne szyfrowanie trwa. Nie można uaktywnić urządzenia." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4155 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Nie udało się uzyskać blokady ponownego szyfrowania." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4168 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "Odtwarzanie ponownego szyfrowania LUKS2 nie powiodło się." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4340 lib/setup.c:4606 msgid "Device type is not properly initialized." msgstr "Typ urządzenia nie został właściwie zainicjalizowany." -#: lib/setup.c:4283 +#: lib/setup.c:4388 #, c-format msgid "Device %s already exists." msgstr "Urządzenie %s już istnieje." -#: lib/setup.c:4290 +#: lib/setup.c:4395 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Nie można użyć urządzenia %s, nazwa jest nieprawidłowa lub nadal w użyciu." -#: lib/setup.c:4410 +#: lib/setup.c:4515 msgid "Incorrect volume key specified for plain device." msgstr "Podano niewłaściwy klucz wolumenu dla zwykłego urządzenia." -#: lib/setup.c:4526 +#: lib/setup.c:4632 msgid "Incorrect root hash specified for verity device." msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY." -#: lib/setup.c:4533 +#: lib/setup.c:4642 msgid "Root hash signature required." msgstr "Wymagany podpis hasza głównego." -#: lib/setup.c:4542 +#: lib/setup.c:4651 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Brak pęku kluczy w jądrze: wymagany do przekazania podpisu do jądra." 
-#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4668 lib/setup.c:6411 msgid "Failed to load key in kernel keyring." msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze." -#: lib/setup.c:4615 +#: lib/setup.c:4724 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Nie udało się anulować opóźnionego usuwania z urządzenia %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4731 lib/setup.c:4747 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Urządzenie %s jest nadal w użyciu." -#: lib/setup.c:4647 +#: lib/setup.c:4756 #, c-format msgid "Invalid device %s." msgstr "Błędne urządzenie %s." -#: lib/setup.c:4763 +#: lib/setup.c:4896 msgid "Volume key buffer too small." msgstr "Bufor klucza wolumenu zbyt mały." -#: lib/setup.c:4771 +#: lib/setup.c:4913 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS2." + +#: lib/setup.c:4922 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS1." + +#: lib/setup.c:4932 msgid "Cannot retrieve volume key for plain device." msgstr "Nie można odtworzyć klucza wolumenu dla zwykłego urządzenia." -#: lib/setup.c:4788 +#: lib/setup.c:4940 msgid "Cannot retrieve root hash for verity device." msgstr "Nie można odtworzyć hasza głównego dla urządzenia VERITY." -#: lib/setup.c:4792 +#: lib/setup.c:4947 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia BITLK." + +#: lib/setup.c:4952 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia FVAULT2." + +#: lib/setup.c:4954 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Ta operacja nie jest obsługiwana dla urządzenia szyfrującego %s." 
-#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5135 lib/setup.c:5146 msgid "Dump operation is not supported for this device type." msgstr "Operacja zrzutu nie jest obsługiwana dla tego rodzaju urządzenia." -#: lib/setup.c:5337 +#: lib/setup.c:5488 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Offset danych nie jest wielokrotnością liczby bajtów %u." -#: lib/setup.c:5622 +#: lib/setup.c:5776 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Nie można przekonwertować urządzenia %s, które jest nadal w użyciu." -#: lib/setup.c:5941 +#: lib/setup.c:6086 lib/setup.c:6225 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Nie udało się przypisać klucza %u jako nowego klucza wolumenu." -#: lib/setup.c:6014 +#: lib/setup.c:6110 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Nie udało się zainicjować domyślnych parametrów klucza LUKS2." -#: lib/setup.c:6020 +#: lib/setup.c:6116 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Nie udało się przypisać klucza %d do skrótu." -#: lib/setup.c:6151 +#: lib/setup.c:6341 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu." + +#: lib/setup.c:6478 msgid "Kernel keyring is not supported by the kernel." msgstr "Pęk kluczy w jądrze nie jest obsługiwany przez jądro." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6488 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Nie udało się odczytać hasła z pęku kluczy (błąd %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6512 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Nie udało się uzyskać globalnej blokady serializacji dostępu ciężkiego pamięciowo." -#: lib/utils.c:80 -msgid "Cannot get process priority." 
-msgstr "Nie można odczytać priorytetu procesu." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Nie można odblokować pamięci." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Nie udało się otworzyć pliku klucza." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Nie można odczytać pliku klucza z terminala." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Nie udało się wykonać stat na pliku klucza." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Nie można przemieścić się do żądanego położenia pliku klucza." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:227 +#: src/utils_password.c:239 msgid "Out of memory while reading passphrase." msgstr "Brak pamięci podczas odczytu hasła." -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Błąd podczas odczytu hasła." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Na wejściu nie ma nic do odczytu." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Przekroczono maksymalny rozmiar pliku klucza." -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "Nie można odczytać żądanej ilości danych." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1408 #, c-format msgid "Device %s does not exist or access denied." msgstr "Urządzenie %s nie istnieje lub dostęp jest zabroniony." -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." 
msgstr "Urządzenie %s nie jest zgodne." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Zignorowano niewłaściwy rozmiar optimal-io dla urządzenia danych (%u bajtów)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "Urządzenie %s jest zbyt małe. Wymagane przynajmniej %<PRIu64> bajtów." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Nie można użyć urządzenia %s, które jest w użyciu (już podmapowane lub zamontowane)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Nie można użyć urządzenia %s, brak uprawnień." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "Nie można uzyskać informacji o urządzeniu %s." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Nie można użyć urządzenia loopback w czasie działania jako nie-root." -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Nie udało się podłączyć urządzenia loopback (wymagane urządzenie loop z flagą autoclear)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Żądany offset jest poza rzeczywistym rozmiarem urządzenia %s." -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Urządzenie %s ma zerowy rozmiar." 
@@ -709,40 +748,35 @@ msgstr "Żądana liczba wątków PBKDF nie może być zerowa."
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "W trybie FIPS obsługiwana jest tylko PBKDF2."
 
-#: lib/utils_benchmark.c:172
+#: lib/utils_benchmark.c:174
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "Test wydajności PBKDF jest wyłączony, ale nie ustawiono liczby iteracji."
 
-#: lib/utils_benchmark.c:191
+#: lib/utils_benchmark.c:193
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Niekompatybilne opcje PBKDF2 (przy użyciu algorytmu skrótu %s)."
 
-#: lib/utils_benchmark.c:211
+#: lib/utils_benchmark.c:213
 msgid "Not compatible PBKDF options."
 msgstr "Niekompatybilne opcje PBKDF."
 
-#: lib/utils_device_locking.c:102
+#: lib/utils_device_locking.c:101
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Blokowanie nie powiodło się. Ścieżka blokady %s/%s jest nieużywalna (brak lub nie jest katalogiem)."
 
-#: lib/utils_device_locking.c:109
-#, c-format
-msgid "Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr "Katalog blokujący %s/%s zostanie utworzony z domyślnymi wkompilowanymi uprawnieniami."
-
-#: lib/utils_device_locking.c:119
+#: lib/utils_device_locking.c:118
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Blokowanie przerwane. Ścieżka blokady %s/%s jest nieużywalna (%s nie jest katalogiem)."
 
-#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922
-#: src/cryptsetup_reencrypt.c:1010
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
 msgid "Cannot seek to device offset."
 msgstr "Nie można przemieścić się we właściwe położenie urządzenia."
 
-#: lib/utils_wipe.c:208
+#: lib/utils_wipe.c:247
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Błąd wymazywania urządzenia, offset %<PRIu64>."
@@ -765,8 +799,8 @@ msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Określenie szyfru powinno być w formacie [szyfr]-[tryb]-[iv]."
 
 #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125
-#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740
+#: lib/luks1/keymanage.c:675 lib/luks1/keymanage.c:1126
+#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Nie można zapisać na urządzenie %s, brak uprawnień."
@@ -779,75 +813,65 @@ msgstr "Nie udało się otworzyć urządzenia do tymczasowego przechowywania klu msgid "Failed to access temporary keystore device." msgstr "Nie udało się uzyskać dostępu do urządzenia do tymczasowego przechowywania kluczy." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:61 +#: lib/luks2/luks2_keyslot_luks2.c:79 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "Błąd we/wy podczas szyfrowania klucza." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keymanage.c:628 lib/luks1/keymanage.c:678 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Nie można otworzyć urządzenia %s." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:138 msgid "IO error while decrypting keyslot." msgstr "Błąd we/wy podczas odszyfrowywania klucza." -#: lib/luks1/keymanage.c:130 +#: lib/luks1/keymanage.c:129 #, c-format msgid "Device %s is too small. 
(LUKS1 requires at least %<PRIu64> bytes.)" msgstr "Urządzenie %s jest zbyt małe (LUKS1 wymaga przynajmniej %<PRIu64> bajtów)." -#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159 -#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182 -#: lib/luks1/keymanage.c:194 +#: lib/luks1/keymanage.c:150 lib/luks1/keymanage.c:158 +#: lib/luks1/keymanage.c:170 lib/luks1/keymanage.c:181 +#: lib/luks1/keymanage.c:193 #, c-format msgid "LUKS keyslot %u is invalid." msgstr "Numer klucza LUKS %u jest nieprawidłowy." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:265 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "Żądany plik kopii zapasowej nagłówka %s już istnieje." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "Nie można utworzyć pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:274 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "Nie można zapisać pliku kopii zapasowej nagłówka %s." 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "Plik kopii zapasowej nie zawiera prawidłowego nagłówka LUKS." -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:591 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "Nie można otworzyć pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "Nie można odczytać pliku kopii zapasowej nagłówka %s." @@ -869,7 +893,7 @@ msgstr "nie zawiera nagłówka LUKS. Nadpisanie nagłówka może zniszczyć dane msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "już zawiera nagłówek LUKS. Nadpisanie nagłówka zniszczy istniejące klucze." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" 
@@ -877,126 +901,126 @@ msgstr "" "\n" "UWAGA: nagłówek prawdziwego urządzenia ma inny UUID niż kopia zapasowa!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:396 msgid "Non standard key size, manual repair required." msgstr "Niestandardowy rozmiar klucza, wymagana ręczna naprawa." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:406 msgid "Non standard keyslots alignment, manual repair required." msgstr "Niestandardowe wyrównanie kluczy, wymagana ręczna naprawa." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:415 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Tryb szyfru poprawiony (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:426 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Skrót szyfru poprawiony na małe litery (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:534 +#: lib/luks1/keymanage.c:790 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Żądany skrót LUKS %s nie jest obsługiwany." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:442 msgid "Repairing keyslots." msgstr "Naprawianie kluczy." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:461 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Klucz %i: naprawiono offset (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:469 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Klucz %i: naprawiono pasy (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:478 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Klucz %i: błędna sygnatura partycji." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:483 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Klucz %i: zarodek wymazany." -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:500 msgid "Writing LUKS header to disk." msgstr "Zapis nagłówka LUKS na dysk." 
-#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:505 msgid "Repair failed." msgstr "Naprawa nie powiodła się." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:560 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Tryb szyfru LUKS %s jest nieprawidłowy." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:565 #, c-format msgid "LUKS hash %s is invalid." msgstr "Skrót LUKS %s jest nieprawidłowy." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:572 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "W nagłówku LUKS nie wykryto żadnych znanych problemów." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:700 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Błąd podczas uaktualniania nagłówka LUKS na urządzeniu %s." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:708 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Błęd podczas ponownego odczytu nagłówka LUKS po uaktualnieniu na urządzeniu %s." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:784 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Offset danych dla nagłówka LUKS musi wynosić 0 lub więcej niż rozmiar nagłówka." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:795 lib/luks1/keymanage.c:864 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:514 msgid "Wrong LUKS UUID format provided." msgstr "Podano zły format LUKS UUID." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:817 msgid "Cannot create LUKS header: reading random salt failed." msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powiódł się." 
-#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:843 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Nie można utworzyć nagłówka LUKS: uzyskanie skrótu nagłówka nie powiodło się (przy użyciu algorytmu %s)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:887 #, c-format msgid "Key slot %d active, purge first." msgstr "Klucz numer %d jest aktywny, należy go najpierw wyczyścić." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:893 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Klucz %d zawiera zbyt mało pasów. Zmieniony nagłówek?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:1034 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Nie można otworzyć klucza (przy użyciu skrótu %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1112 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Numer klucza %d jest błędny, proszę wybrać numer od 0 do %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1130 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Nie można wymazać urządzenia %s." 
@@ -1017,215 +1041,233 @@ msgstr "Wykryto niekompatybilny plik klucza loop-AES." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Jądro nie obsługuje odwzorowań zgodnych z loop-AES." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "Błąd odczytu pliku klucza %s." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Przekroczono maksymalną długość hasła TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Algorytm skrótu PBKDF2 %s nie jest dostępny, pominięto." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "Wymagany interfejs kryptograficzny jądra nie jest dostępny." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Proszę upewnić się, że moduł jądra algif_skcipher został załadowany." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Uaktywnianie nie jest obsługiwane dla rozmiaru sektora %d." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Jądro nie obsługuje uaktywniania dla tego starego trybu TCRYPT." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Włączanie szyfrowania systemu TCRYPT dla partycji %s." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Jądro nie obsługuje odwzorowań zgodnych z TCRYPT." 
-#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "Ta funkcja nie jest obsługiwana bez załadowanego nagłówka TCRYPT." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:275 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany wpis metadanych typu '%u'." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:328 msgid "Invalid string found when parsing Volume Master Key." msgstr "Przy analizie Głównego Klucza Wolumenu napotkano błędny ciąg znaków." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:332 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany ciąg znaków ('%s')." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:349 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwaną wartość wpisu metadanych '%u'." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Nie udało się odczytać sygnatury BITLK z %s." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Błędna lub nieznana sygnatura urządzenia BITLK." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:451 msgid "BITLK version 1 is currently not supported." msgstr "BITLK w wersji 1 nie jest obecnie obsługiwany." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:457 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Błędna lub nieznana sygnatura rozruchowa urządzenia BITLK." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:469 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "Nieobsługiwany rozmiar sektora %<PRIu16>." 
-#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:477 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Nie udało się odczytać nagłówka BITLK z %s." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:502 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Nie udało się odczytać metadanych BITLK FVE z %s." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:554 msgid "Unknown or unsupported encryption type." msgstr "Nieznany lub nieobsługiwany rodzaj szyfrowania." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:587 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Nie udało się odczytać wpisów metadanych BITLK z %s." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:681 +msgid "Failed to convert BITLK volume description" +msgstr "Nie udało się przekonwertować opisu wolumenu BITLK" + +#: lib/bitlk/bitlk.c:841 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwany wpis metadanych typu '%u'." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:860 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "GUI pliku BEK '%s' nie pasuje do GUID-a wolumenu." + +#: lib/bitlk/bitlk.c:864 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwaną wartość wpisu metadanych '%u'." -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:903 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Nieobsługiwana wersja metadanych BEK %<PRIu32>" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:908 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Nieoczekiwany rozmiar metadanych BEK %<PRIu32> nie zgadza się z długością pliku BEK" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:933 msgid "Unexpected metadata entry found when parsing startup key." 
msgstr "Przy analizie klucza początkowego napotkano nieoczekiwany wpis metadanych." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1029 msgid "This operation is not supported." msgstr "Ta operacja nie jest obsługiwana." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1037 msgid "Unexpected key data size." msgstr "Nieoczekiwany rozmiar danych klucza." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1163 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "To urządzenie BITLK jest w nieobsługiwanym stanie i może być uaktywnione." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1168 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Urządzenia BITLK o typie '%s' nie mogą być uaktywnione." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1175 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Uaktywnianie częściowo odszyfrowanych urządzeń BITLK nie jest obsługiwane." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1216 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "UWAGA: rozmiar wolumenu BitLockera %<PRIu64> nie zgadza się z rozmiarem urządzenia %<PRIu64>" + +#: lib/bitlk/bitlk.c:1343 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Nie można uaktywnić urządzenia, brak obsługi BITLK IV w module dm-crypt jądra." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1347 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Nie można uaktywnić urządzenia, brak obsługi dyfuzora BITLK Elephant w module dm-crypt jądra." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1351 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Nie można uaktywnić urządzenia, brak obsługi dużego rozmiaru sektora w module dm-crypt jądra." 
+ +#: lib/bitlk/bitlk.c:1355 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Nie można uaktywnić urządzenia, brak modułu jądra dm-zero." + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "Nie można odczytać %u bajtów nagłówka wolumenu." + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "Nieobsługiwana wersja FVAULT2 %<PRIu16>." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Urządzenie Verity %s nie używa nagłówka na dysku." -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Urządzenie %s nie jest prawidłowym urządzeniem VERITY." - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Nieobsługiwana wersja VERITY %d." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "Uszkodzony nagłówek VERITY." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "Podano zły format UUID-a VERITY na urządzeniu %s." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Błąd podczas uaktualniania nagłówka VERITY na urządzeniu %s." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Weryfikacja podpisu hasza głównego nie jest obsługiwana." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Błędów nie można naprawić z urządzeniem FEC." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Znaleziono %u błędów możliwych do naprawienia z urządzeniem FEC." 
-#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "Jądro nie obsługuje odwzorowań dm-verity." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "Jądro nie obsługuje opcji podpisu dm-verity." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "Urządzenie VERITY wykryło uszkodzenie po uaktywnieniu." 
@@ -1297,46 +1339,51 @@ msgstr "Nie udało się naprawić parzystości dla bloku %<PRIu64>."
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Nie udało się zapisać parzystości dla bloku RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:228
+#: lib/verity/verity_fec.c:208
 msgid "Block sizes must match for FEC."
 msgstr "Dla FEC rozmiary bloków muszą się zgadzać."
 
-#: lib/verity/verity_fec.c:234
+#: lib/verity/verity_fec.c:214
 msgid "Invalid number of parity bytes."
 msgstr "Błędna liczba bajtów parzystości."
 
-#: lib/verity/verity_fec.c:239
+#: lib/verity/verity_fec.c:248
 msgid "Invalid FEC segment length."
 msgstr "Błędna długość segmentu FEC."
 
-#: lib/verity/verity_fec.c:303
+#: lib/verity/verity_fec.c:316
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Nie udało się określić rozmiaru urządzenia %s."
 
-#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Wykryto niezgodne metadane dm-integrity jądra (wersja %u) na %s."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jądro nie obsługuje odwzorowań dm-integrity."
 
-#: lib/integrity/integrity.c:278
+#: lib/integrity/integrity.c:283
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Jądro nie obsługuje stałego wyrównania metadanych dm-integrity."
 
-#: lib/integrity/integrity.c:287
+#: lib/integrity/integrity.c:292
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Jądro odmawia uaktywnienia niebezpiecznej opcji przeliczenia (p. stare opcje aktywacji, aby wymusić)."
 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973
-#: lib/luks2/luks2_json_metadata.c:1268
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Nie udało się uzyskać blokady dla zapisu na urządzeniu %s."
 
-#: lib/luks2/luks2_disk_metadata.c:402
+#: lib/luks2/luks2_disk_metadata.c:400
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Wykryto próbę jednoczesnego uaktualnienia metadanych LUKS2. Przerywanie operacji."
 
-#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1344,49 +1391,49 @@ msgstr ""
 "Urządzenie zawiera niejednoznaczne sygnatury, nie można automatycznie odtworzyć LUKS2.\n"
 "W celu odtworzenia należy uruchomić \"cryptsetup repair\"."
 
-#: lib/luks2/luks2_json_format.c:230
+#: lib/luks2/luks2_json_format.c:229
 msgid "Requested data offset is too small."
 msgstr "Żądany offset danych jest zbyt mały."
 
-#: lib/luks2/luks2_json_format.c:275
+#: lib/luks2/luks2_json_format.c:274
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "UWAGA: obszar kluczy (%<PRIu64> bajtów) bardzo mały, dostępna liczba kluczy LUKS2 jest bardzo ograniczona.\n"
 
-#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098
-#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92
-#: lib/luks2/luks2_keyslot_luks2.c:114
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:93
+#: lib/luks2/luks2_keyslot_luks2.c:115
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Nie udało się uzyskać blokady do odczytu na urządzeniu %s."
 
-#: lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks2/luks2_json_metadata.c:1405
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Wykryto zabronione wymagania LUKS2 w kopii zapasowej %s."
 
-#: lib/luks2/luks2_json_metadata.c:1232
+#: lib/luks2/luks2_json_metadata.c:1446
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Offset danych różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1238
+#: lib/luks2/luks2_json_metadata.c:1452
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Nagłówek binarny z rozmiarem obszarów kluczy różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1459
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Urządzenie %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1246
+#: lib/luks2/luks2_json_metadata.c:1460
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "nie zawiera nagłówka LUKS2. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu."
 
-#: lib/luks2/luks2_json_metadata.c:1247
+#: lib/luks2/luks2_json_metadata.c:1461
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "już zawiera nagłówek LUKS2. Nadpisanie nagłówka zniszczy istniejące klucze."
 
-#: lib/luks2/luks2_json_metadata.c:1249
+#: lib/luks2/luks2_json_metadata.c:1463
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1396,7 +1443,7 @@ msgstr ""
 "UWAGA: wykryto nieznane wymagania LUKS2 w nagłówku prawdziwego urządzenia!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane na tym urządzeniu!"
 
-#: lib/luks2/luks2_json_metadata.c:1251
+#: lib/luks2/luks2_json_metadata.c:1465
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1406,408 +1453,471 @@ msgstr ""
 "UWAGA: wykryto nie zakończone ponowne szyfrowanie offline na urządzeniu!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane."

-#: lib/luks2/luks2_json_metadata.c:1349
+#: lib/luks2/luks2_json_metadata.c:1562
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Zignorowano nieznaną flagę %s."

-#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Brak klucza dla segmentu dm-crypt %u"

-#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
 msgid "Failed to set dm-crypt segment."
 msgstr "Nie udało się ustawić segmentu dm-crypt."

-#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
 msgid "Failed to set dm-linear segment."
 msgstr "Nie udało się ustawić segmentu dm-linear."

-#: lib/luks2/luks2_json_metadata.c:2199
+#: lib/luks2/luks2_json_metadata.c:2615
 msgid "Unsupported device integrity configuration."
 msgstr "Nieobsługiwana konfiguracja integralności urządzenia."

-#: lib/luks2/luks2_json_metadata.c:2285
+#: lib/luks2/luks2_json_metadata.c:2701
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Podobne szyfrowanie trwa. Nie można dezaktywować urządzenia."

-#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Nie udało się zastąpić wstrzymanego urządzenia %s celem dm-error."

-#: lib/luks2/luks2_json_metadata.c:2376
+#: lib/luks2/luks2_json_metadata.c:2792
 msgid "Failed to read LUKS2 requirements."
 msgstr "Nie udało się odczytać wymagań LUKS2."
-#: lib/luks2/luks2_json_metadata.c:2383
+#: lib/luks2/luks2_json_metadata.c:2799
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Wykryto nie spełnione wymagania LUKS2."

-#: lib/luks2/luks2_json_metadata.c:2391
+#: lib/luks2/luks2_json_metadata.c:2807
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania starym szyfrem. Przerwano."

-#: lib/luks2/luks2_json_metadata.c:2393
+#: lib/luks2/luks2_json_metadata.c:2809
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania LUKS2. Przerwano."

-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
 msgid "Not enough available memory to open a keyslot."
 msgstr "Za mało dostępnej pamięci, aby otworzyć klucz."

-#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
 msgid "Keyslot open failed."
 msgstr "Nie udało się otworzyć klucza."

-#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#: lib/luks2/luks2_keyslot_luks2.c:54 lib/luks2/luks2_keyslot_luks2.c:109
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Nie można użyć szyfru %s-%s do szyfrowania kluczy."

-#: lib/luks2/luks2_keyslot_luks2.c:485
+#: lib/luks2/luks2_keyslot_luks2.c:281 lib/luks2/luks2_keyslot_luks2.c:390
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "Algorytm skrótu %s nie jest dostępny."
+
+#: lib/luks2/luks2_keyslot_luks2.c:506
 msgid "No space for new keyslot."
 msgstr "Brak miejsca na nowy klucz."

-#: lib/luks2/luks2_luks1_convert.c:482
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "Błędne żądanie zmiany trybu odporności przy ponownym szyfrowaniu."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Nie można uaktualnić rodzaju odporności. Nowy typ zapewnia %<PRIu64> B, wymagane miejsce to %<PRIu64> B."
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Nie udało się odświeżyć skrótu weryfikacji ponownego szyfrowania."
+
+#: lib/luks2/luks2_luks1_convert.c:512
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Nie można sprawdzić stanu urządzenia mającego UUID: %s."

-#: lib/luks2/luks2_luks1_convert.c:508
+#: lib/luks2/luks2_luks1_convert.c:538
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Nie można przekonwertować nagłówka z dodatkowymi metadanymi LUKSMETA."

-#: lib/luks2/luks2_luks1_convert.c:548
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "Nie można użyć określenia szyfru %s-%s dla LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:584
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Nie można przenieść obszaru kluczy. Brak miejsca."

-#: lib/luks2/luks2_luks1_convert.c:599
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Nie można przekonwertować do formatu LUKS1 - błędne metadane."
+
+#: lib/luks2/luks2_luks1_convert.c:636
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Nie można przenieść obszaru kluczy. Obszar kluczy LUKS2 zbyt mały."

-#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
 msgid "Unable to move keyslot area."
 msgstr "Nie można przenieść obszaru kluczy."
-#: lib/luks2/luks2_luks1_convert.c:697
+#: lib/luks2/luks2_luks1_convert.c:732
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nie można przekonwertować do formatu LUKS1 - domyślny rozmiar sektora szyfrowania segmentu nie wynosi 512 bajtów."

-#: lib/luks2/luks2_luks1_convert.c:705
+#: lib/luks2/luks2_luks1_convert.c:740
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nie można przekonwertować formatu LUKS1 - skróty kluczy nie są zgodne z LUKS1."

-#: lib/luks2/luks2_luks1_convert.c:717
+#: lib/luks2/luks2_luks1_convert.c:752
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa szyfru %s z obudowanym kluczem."

-#: lib/luks2/luks2_luks1_convert.c:725
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa większej liczby segmentów."
+
+#: lib/luks2/luks2_luks1_convert.c:765
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nie można przekonwertować do formatu LUKS1 - nagłówek LUKS2 zawiera %u token(ów)."

-#: lib/luks2/luks2_luks1_convert.c:739
+#: lib/luks2/luks2_luks1_convert.c:779
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u jest w błędnym stanie."

-#: lib/luks2/luks2_luks1_convert.c:744
+#: lib/luks2/luks2_luks1_convert.c:784
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u (powyzej maksimum) jest nadal aktywny."

-#: lib/luks2/luks2_luks1_convert.c:749
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u nie jest zgodny z LUKS1."

-#: lib/luks2/luks2_reencrypt.c:993
+#: lib/luks2/luks2_reencrypt.c:1152
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Rozmiar strefy hotzone musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)."

-#: lib/luks2/luks2_reencrypt.c:998
+#: lib/luks2/luks2_reencrypt.c:1157
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Rozmiar urządzenia musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)."

-#: lib/luks2/luks2_reencrypt.c:1042
-#, c-format
-msgid "Unsupported resilience mode %s"
-msgstr "Nieobsługiwany tryb odporności %s"
-
-#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414
-#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531
-#: lib/luks2/luks2_reencrypt.c:3140
+#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
+#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
+#: lib/luks2/luks2_reencrypt.c:3877
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Nie udało się zainicjować obudowania przestrzeni starego segmentu."

-#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392
+#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Nie udało się zainicjować obudowania przestrzeni nowego segmentu."

-#: lib/luks2/luks2_reencrypt.c:1441
+#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+msgid "Failed to initialize hotzone protection."
+msgstr "Nie udało się zainicjować ochrony strefy hotzone."
+
+#: lib/luks2/luks2_reencrypt.c:1578
 msgid "Failed to read checksums for current hotzone."
 msgstr "Nie udało się odczytać sum kontrolnych dla aktualnej strefy hotzone."
-#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148
+#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Nie udało się odczytać obszaru hotzone zaczynającego się od %<PRIu64>."

-#: lib/luks2/luks2_reencrypt.c:1467
+#: lib/luks2/luks2_reencrypt.c:1604
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Nie udało się odszyfrować sektora %zu."

-#: lib/luks2/luks2_reencrypt.c:1473
+#: lib/luks2/luks2_reencrypt.c:1610
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Nie udało się odtworzyć sektora %zu."

-#: lib/luks2/luks2_reencrypt.c:1956
+#: lib/luks2/luks2_reencrypt.c:2174
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Rozmiary urządzenia źródłowego i docelowego różnią się. Źródłowe %<PRIu64>, docelowe: %<PRIu64>."

-#: lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:2272
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Nie udało się uaktywnić urządzenia hotzone %s."

-#: lib/luks2/luks2_reencrypt.c:2071
+#: lib/luks2/luks2_reencrypt.c:2289
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Nie udało się uaktywnić urządzenia nakładkowego %s z aktualną tablicą źródła."

-#: lib/luks2/luks2_reencrypt.c:2078
+#: lib/luks2/luks2_reencrypt.c:2296
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Nie udało się załadować nowego odwzorowania dla urządzenia %s."

-#: lib/luks2/luks2_reencrypt.c:2149
+#: lib/luks2/luks2_reencrypt.c:2367
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Nie udało się odświeżyć stosu urządzenia ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:2309
+#: lib/luks2/luks2_reencrypt.c:2550
 msgid "Failed to set new keyslots area size."
 msgstr "Nie udało się ustawić nowego rozmiaru obszaru kluczy."
-#: lib/luks2/luks2_reencrypt.c:2413
+#: lib/luks2/luks2_reencrypt.c:2686
 #, c-format
-msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Przesunięcie danych nie jest wyrównane do żądanego rozmiaru sektora szyfrowania (bajtów: %<PRIu32>)."
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Wartość przesunięcia danych nie jest wyrównana do rozmiaru sektora szyfrowania (%<PRIu32> B)."

-#: lib/luks2/luks2_reencrypt.c:2434
+#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
 #, c-format
-msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Urzędzenie danych nie jest wyrównane do żądanego rozmiaru sektora szyfrowania (bajtów: %<PRIu32>)."
+msgid "Unsupported resilience mode %s"
+msgstr "Nieobsługiwany tryb odporności %s"

-#: lib/luks2/luks2_reencrypt.c:2455
+#: lib/luks2/luks2_reencrypt.c:2760
+msgid "Moved segment size can not be greater than data shift value."
+msgstr "Rozmiar przenoszonego segmentu nie może być większy niż wartość przesunięcia danych."
+
+#: lib/luks2/luks2_reencrypt.c:2802
+msgid "Invalid reencryption resilience parameters."
+msgstr "Błędne parametry odporności przy ponownym szyfrowaniu."
+
+#: lib/luks2/luks2_reencrypt.c:2824
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr "Przenoszony segment zbyt duży. Żądany rozmiar %<PRIu64>, dostępne miejsce: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2911
+msgid "Failed to clear table."
+msgstr "Nie udało się wyczyścić tablicy."
+
+#: lib/luks2/luks2_reencrypt.c:2997
+msgid "Reduced data size is larger than real device size."
+msgstr "Zmniejszony rozmiar danych jest większy niż rzeczywisty rozmiar urządzenia."
+
+#: lib/luks2/luks2_reencrypt.c:3004
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Urzędzenie danych nie jest wyrównane do rozmiaru sektora szyfrowania (%<PRIu32> B)."
+
+#: lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Przesunięcie danych (sektorów: %<PRIu64>) jest mniejsze niż przyszły offset danych (sektorów: %<PRIu64>)."

-#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889
-#: lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
+#: lib/luks2/luks2_reencrypt.c:3554
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Nie udało się otworzyć %s w trybie wyłączności (już odwzorowano lub zamontowano)."

-#: lib/luks2/luks2_reencrypt.c:2629
+#: lib/luks2/luks2_reencrypt.c:3234
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Urządzenie nie jest oznaczone do ponownego szyfrowania LUKS2."

-#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415
+#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Nie udało się załadować kontekstu ponownego szyfrowania LUKS2."

-#: lib/luks2/luks2_reencrypt.c:2715
+#: lib/luks2/luks2_reencrypt.c:3331
 msgid "Failed to get reencryption state."
 msgstr "Nie udało się pobrać stanu ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:2719
+#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
 msgid "Device is not in reencryption."
 msgstr "Urządzenie nie jest w trakcie ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:2726
+#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
 msgid "Reencryption process is already running."
 msgstr "Proces ponownego szyfrowania już trwa."

-#: lib/luks2/luks2_reencrypt.c:2728
+#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
 msgid "Failed to acquire reencryption lock."
msgstr "Nie udało się uzyskać blokady dla ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:2746
+#: lib/luks2/luks2_reencrypt.c:3362
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Nie można kontynuować ponownego szyfrowania. Należy najpierw uruchomić odtworzenie ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:2860
+#: lib/luks2/luks2_reencrypt.c:3497
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Rozmiar urządzenia aktywnego oraz żądany rozmiar ponownego szyfrowania różnią się."

-#: lib/luks2/luks2_reencrypt.c:2874
+#: lib/luks2/luks2_reencrypt.c:3511
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "W parametrach ponownego szyfrowania zażądano niedozwolonego rozmiaru urządzenia."

-#: lib/luks2/luks2_reencrypt.c:2944
+#: lib/luks2/luks2_reencrypt.c:3588
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Ponowne szyfrowanie trwa. Nie można wykonać odzyskiwania."

-#: lib/luks2/luks2_reencrypt.c:3016
+#: lib/luks2/luks2_reencrypt.c:3757
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane w metadanych."

-#: lib/luks2/luks2_reencrypt.c:3023
+#: lib/luks2/luks2_reencrypt.c:3764
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Nie udało się zainicjować ponownego szyfrowania LUKS2 w metadanych."

-#: lib/luks2/luks2_reencrypt.c:3114
+#: lib/luks2/luks2_reencrypt.c:3859
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Nie udało się ustawić segmentów urządzeń dla następnej strefy hotzone ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3156
+#: lib/luks2/luks2_reencrypt.c:3911
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Nie udało się zapisać metadanych odporności ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3918
 msgid "Decryption failed."
msgstr "Odszyfrowanie nie powiodło się."

-#: lib/luks2/luks2_reencrypt.c:3168
+#: lib/luks2/luks2_reencrypt.c:3923
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Nie udało się zapisać obszaru hotzone zaczynającego się od %<PRIu64>."

-#: lib/luks2/luks2_reencrypt.c:3173
+#: lib/luks2/luks2_reencrypt.c:3928
 msgid "Failed to sync data."
 msgstr "Nie udało się zsynchronizować danych."

-#: lib/luks2/luks2_reencrypt.c:3181
+#: lib/luks2/luks2_reencrypt.c:3936
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Nie udało się uaktualnić metadanych po zakończeniu aktualnej strefy hotzone ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3248
+#: lib/luks2/luks2_reencrypt.c:4025
 msgid "Failed to write LUKS2 metadata."
 msgstr "Nie udało się zapisać metadanych LUKS2."

-#: lib/luks2/luks2_reencrypt.c:3271
-msgid "Failed to wipe backup segment data."
-msgstr "Nie udało wymazać danych segmentu zapasowego."
+#: lib/luks2/luks2_reencrypt.c:4048
+msgid "Failed to wipe unused data device area."
+msgstr "Nie udało się wymazać nie używanego obszaru urządzenia danych."

-#: lib/luks2/luks2_reencrypt.c:3284
-msgid "Failed to disable reencryption requirement flag."
-msgstr "Nie udało się wyłączyć flagi wymagania ponownego szyfrowania."
+#: lib/luks2/luks2_reencrypt.c:4054
+#, c-format
+msgid "Failed to remove unused (unbound) keyslot %d."
+msgstr "Nie udało się usunąć nie używanego (nie przypisanego) obszaru klucza %d."

-#: lib/luks2/luks2_reencrypt.c:3292
+#: lib/luks2/luks2_reencrypt.c:4064
+msgid "Failed to remove reencryption keyslot."
+msgstr "Nie udało się usunąć obszaru klucza ponownego szyfrowania."
+
+#: lib/luks2/luks2_reencrypt.c:4074
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Błąd krytyczny podczas ponownego szyfrowania fragmentu zaczynającego się od %<PRIu64> o długości w sektorach %<PRIu64>."
-#: lib/luks2/luks2_reencrypt.c:3296
+#: lib/luks2/luks2_reencrypt.c:4078
 msgid "Online reencryption failed."
 msgstr "Ponowne szyfrowanie online nie powiodło się."

-#: lib/luks2/luks2_reencrypt.c:3301
+#: lib/luks2/luks2_reencrypt.c:4083
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Proszę nie wznawiać urządzenia dopóki nie zostanie zastąpione celem błędnym ręcznie."

-#: lib/luks2/luks2_reencrypt.c:3353
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Nie można kontynuować ponownego szyfrowania. Nieoczekiwany stan ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3359
+#: lib/luks2/luks2_reencrypt.c:4143
 msgid "Missing or invalid reencrypt context."
 msgstr "Brak lub błędny kontekst ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3366
+#: lib/luks2/luks2_reencrypt.c:4150
 msgid "Failed to initialize reencryption device stack."
 msgstr "Nie udało się zainicjować stosu urządzenia ponownego szyfrowania."

-#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428
+#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
 msgid "Failed to update reencryption context."
 msgstr "Nie udało się uaktualnić kontekstu ponownego szyfrowania."

-#: src/cryptsetup.c:108
-msgid "Can't do passphrase verification on non-tty inputs."
-msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal."
+#: lib/luks2/luks2_reencrypt_digest.c:405
+msgid "Reencryption metadata is invalid."
+msgstr "Metadane ponownego szyfrowania są błędne."

-#: src/cryptsetup.c:171
+#: src/cryptsetup.c:85
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametry szyfrowania kluczy mogą być ustawione tylko dla urządzeń LUKS2."
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:108 src/cryptsetup.c:1901
 #, c-format
-msgid "Enter token PIN:"
-msgstr "Proszę wprowadzić PIN tokenu:"
+msgid "Enter token PIN: "
+msgstr "Proszę wprowadzić PIN: "

-#: src/cryptsetup.c:200
+#: src/cryptsetup.c:110 src/cryptsetup.c:1903
 #, c-format
-msgid "Enter token %d PIN:"
-msgstr "Proszę wprowadzić PIN tokenu %d:"
+msgid "Enter token %d PIN: "
+msgstr "Proszę wprowadzić PIN tokenu %d: "

-#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401
-#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700
-#: src/cryptsetup_reencrypt.c:770
+#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
+#: src/utils_reencrypt.c:1097 src/utils_reencrypt_luks1.c:517
+#: src/utils_reencrypt_luks1.c:580
 msgid "No known cipher specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego szyfr."

-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:167
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "UWAGA: Parametr --hash jest ignorowany w trybie zwykłym z podanym plikiem klucza.\n"

-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:175
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "UWAGA: Opcja --keyfile-size jest ignorowana, rozmiar odczytu jest taki sam, jak rozmiar klucza szyfrującego.\n"

-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:215
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Wykryto sygnatury urządzeń na %s. Dalsze operacje mogą uszkodzić istniejące dane."
-#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253
-#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099
-#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176
+#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
+#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
+#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
+#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:724
 msgid "Operation aborted.\n"
 msgstr "Operacja przerwana.\n"

-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:294
 msgid "Option --key-file is required."
 msgstr "Wymagana jest opcja --key-file."

-#: src/cryptsetup.c:426
+#: src/cryptsetup.c:345
 msgid "Enter VeraCrypt PIM: "
 msgstr "Proszę wprowadzić PIM VeraCrypt: "

-#: src/cryptsetup.c:435
+#: src/cryptsetup.c:354
 msgid "Invalid PIM value: parse error."
 msgstr "Błędna wartość PIM: błąd składni."

-#: src/cryptsetup.c:438
+#: src/cryptsetup.c:357
 msgid "Invalid PIM value: 0."
 msgstr "Błędna wartość PIM: 0."

-#: src/cryptsetup.c:441
+#: src/cryptsetup.c:360
 msgid "Invalid PIM value: outside of range."
 msgstr "Błędna wartość PIM: poza zakresem."

-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:383
 msgid "No device header detected with this passphrase."
 msgstr "Nie wykryto nagłówka urządzenia z tym hasłem."

-#: src/cryptsetup.c:537
+#: src/cryptsetup.c:456 src/cryptsetup.c:632
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem BITLK."

-#: src/cryptsetup.c:545
+#: src/cryptsetup.c:464
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla BITLK, proszę użyć opcji --key-size."

-#: src/cryptsetup.c:588
+#: src/cryptsetup.c:506
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1818,7 +1928,7 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."

-#: src/cryptsetup.c:661 src/cryptsetup.c:2125
+#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1829,88 +1939,113 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."

-#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313
+#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem FVAULT2."
+
+#: src/cryptsetup.c:747
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr "Nie można określić rozmiaru klucza wolumenu dla FVAULT2, proszę użyć opcji --key-size."
+
+#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Urządzenie %s jest nadal aktywne i zaplanowane do odroczonego usunięcia.\n"

-#: src/cryptsetup.c:790
+#: src/cryptsetup.c:835
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Zmiana rozmiaru aktywnego urządzenia wymaga klucza wolumenu w pęku, ale ustawiono opcję --disable-keyring."

-#: src/cryptsetup.c:936
+#: src/cryptsetup.c:982
 msgid "Benchmark interrupted."
 msgstr "Test szybkości przerwany."
-#: src/cryptsetup.c:957
+#: src/cryptsetup.c:1003
 #, c-format
 msgid "PBKDF2-%-9s N/A\n"
 msgstr "PBKDF2-%-9s N/D\n"

-#: src/cryptsetup.c:959
+#: src/cryptsetup.c:1005
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iteracji/sekundę dla klucza %zu-bitowego\n"

-#: src/cryptsetup.c:973
+#: src/cryptsetup.c:1019
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/D\n"

-#: src/cryptsetup.c:975
+#: src/cryptsetup.c:1021
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iteracji, pamięć: %5u, równoległe wątki (CPU): %1u dla klucza %zu-bitowego (żądany czas %u ms)\n"

-#: src/cryptsetup.c:999
+#: src/cryptsetup.c:1045
 msgid "Result of benchmark is not reliable."
 msgstr "Wynik testu wydajności nie jest wiarygodny."

-#: src/cryptsetup.c:1049
+#: src/cryptsetup.c:1095
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testy są przybliżone tylko z użyciem pamięci (bez we/wy na dysk).\n"

 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1115
 #, c-format
 msgid "#%*s Algorithm | Key | Encryption | Decryption\n"
 msgstr "#%*s Algorytm | Klucz | Szyfrowanie | Odszyfrowywanie\n"

-#: src/cryptsetup.c:1073
+#: src/cryptsetup.c:1119
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Szyfr %s (rozmiar klucza w bitach: %i) nie jest dostępny."

 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1092
+#: src/cryptsetup.c:1138
 msgid "# Algorithm | Key | Encryption | Decryption\n"
 msgstr "# Algorytm | Klucz | Szyfrowanie | Odszyfrowywanie\n"

-#: src/cryptsetup.c:1103
+#: src/cryptsetup.c:1149
 msgid "N/A"
 msgstr "N/D"

-#: src/cryptsetup.c:1190
+#: src/cryptsetup.c:1174
 msgid ""
-"Seems device does not require reencryption recovery.\n"
-"Do you want to proceed anyway?"
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
+"and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr ""
-"Wygląda na to, że urządzenie nie wymaga odtwarzania ponownego szyfrowania.\n"
-"Czy mimo to kontynuować?"
+"Wybryto nie zabezpieczone metadane ponownego szyfrowania LUKS2. Proszę sprawdzić, czy operacja ponownego szyfrowania jest pożądana (p. wyjście luksDump)\n"
+"i kontynuować (uaktualnić metadane) tylko jeśli ta operacja ma być faktycznie wykonana."

-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1180
+msgid "Enter passphrase to protect and upgrade reencryption metadata: "
+msgstr "Hasło do zabezpieczenia i uaktualnienia metadanych ponownego szyfrowania: "
+
+#: src/cryptsetup.c:1224
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Naprawdę kontynuować odtwarzanie ponownego szyfrowania LUKS2?"

-#: src/cryptsetup.c:1204
+#: src/cryptsetup.c:1233
+msgid "Enter passphrase to verify reencryption metadata digest: "
+msgstr "Hasło do weryfikacji skrótu metadanych ponownego szyfrowania: "
+
+#: src/cryptsetup.c:1235
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Hasło do odtwarzania ponownego szyfrowania: "

-#: src/cryptsetup.c:1252
+#: src/cryptsetup.c:1290
 msgid "Really try to repair LUKS device header?"
 msgstr "Naprawdę próbować naprawić nagłówek urządzenia LUKS?"

-#: src/cryptsetup.c:1277 src/integritysetup.c:90
+#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+"\n"
+"Wymazywanie przerwane."
+
+#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1918,113 +2053,128 @@ msgstr ""
 "Czyszczenie urządzenia w celu zainicjowania sumy kontrolnej integralności.\n"
 "Można przerwać ten proces wciskając Ctrl+C (reszta nie wymazanego urządzenia będzie zawierać błędną sumę kontrolną).\n"
-#: src/cryptsetup.c:1299 src/integritysetup.c:112
+#: src/cryptsetup.c:1341 src/integritysetup.c:116
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Nie można dezaktywować urządzenia tymczasowego %s."
-#: src/cryptsetup.c:1363
+#: src/cryptsetup.c:1392
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Opcja integralności może być używana tylko dla formatu LUKS2."
-#: src/cryptsetup.c:1368 src/cryptsetup.c:1428
+#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nieobsługiwane opcje rozmiaru metadanych LUKS2."
-#: src/cryptsetup.c:1377
+#: src/cryptsetup.c:1406
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Plik nagłówka nie istnieje, czy utworzyć go?"
-#: src/cryptsetup.c:1385
+#: src/cryptsetup.c:1414
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Nie można utworzyć pliku nagłówka %s."
-#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146
-#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238
-#: src/integritysetup.c:248
+#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
+#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
+#: src/integritysetup.c:333
 msgid "No known integrity specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego integralność."
-#: src/cryptsetup.c:1421
+#: src/cryptsetup.c:1450
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Nie można użyć %s jako nagłówka na dysku."
-#: src/cryptsetup.c:1445 src/integritysetup.c:170
+#: src/cryptsetup.c:1474 src/integritysetup.c:181
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "To nieodwołalnie nadpisze dane na %s."
-#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879
-#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530
+#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
+#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
 msgid "Failed to set pbkdf parameters."
 msgstr "Nie udało się ustawić parametrów PBKDF."
-#: src/cryptsetup.c:1563
+#: src/cryptsetup.c:1593
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Offset zmniejszonych danych jest dozwolony tylko dla odłączonego nagłówka LUKS."
-#: src/cryptsetup.c:1574 src/cryptsetup.c:1885
+#: src/cryptsetup.c:1600
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr "Kontener plikowy LUKS %s jest zbyt mały do uaktywnienia, nie ma miejsca pozostałego na dane."
+
+#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla LUKS bez kluczy, proszę użyć opcji --key-size."
-#: src/cryptsetup.c:1619
+#: src/cryptsetup.c:1658
 msgid "Device activated but cannot make flags persistent."
 msgstr "Urządzenie uaktywnione, ale nie można uczynić flag trwałymi."
-#: src/cryptsetup.c:1698 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Klucz %d jest wybrany do usunięcia."
-#: src/cryptsetup.c:1710 src/cryptsetup.c:1770
+#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "To jest ostatni klucz. Urządzenie stanie się bezużyteczne po usunięciu tego klucza."
-#: src/cryptsetup.c:1711
+#: src/cryptsetup.c:1750
 msgid "Enter any remaining passphrase: "
 msgstr "Dowolne pozostałe hasło: "
-#: src/cryptsetup.c:1712 src/cryptsetup.c:1772
+#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operacja przerwana, klucz NIE został wymazany.\n"
-#: src/cryptsetup.c:1748
+#: src/cryptsetup.c:1787
 msgid "Enter passphrase to be deleted: "
 msgstr "Hasło do usunięcia: "
-#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
+#: src/cryptsetup.c:2948
+#, c-format
+msgid "Device %s is not a valid LUKS2 device."
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS2."
+
+#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
 msgid "Enter new passphrase for key slot: "
 msgstr "Nowe hasło dla klucza: "
-#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup.c:1968
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr "UWAGA: Parametr --key-slot jest używany do numeru nowego klucza.\n"
+
+#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Dowolne istniejące hasło: "
-#: src/cryptsetup.c:1985
+#: src/cryptsetup.c:2152
 msgid "Enter passphrase to be changed: "
 msgstr "Hasło, które ma być zmienione: "
-#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314
+#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
 msgid "Enter new passphrase: "
 msgstr "Nowe hasło: "
-#: src/cryptsetup.c:2051
+#: src/cryptsetup.c:2218
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Hasło dla klucza do konwersji: "
-#: src/cryptsetup.c:2075
+#: src/cryptsetup.c:2242
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Dla operacji isLuks obsługiwany jest tylko jeden argument będący urządzeniem."
-#: src/cryptsetup.c:2190
+#: src/cryptsetup.c:2350
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Miejsce %d nie zawiera niepowiązanego klucza."
-#: src/cryptsetup.c:2195
+#: src/cryptsetup.c:2355
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2033,40 +2183,40 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."
-#: src/cryptsetup.c:2286 src/cryptsetup.c:2314
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s nie jest nazwą aktywnego urządzenia %s."
-#: src/cryptsetup.c:2309
+#: src/cryptsetup.c:2465
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s nie jest nazwą aktywnego urządzenia LUKS lub brak nagłówka."
-#: src/cryptsetup.c:2347 src/cryptsetup.c:2366
+#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
 msgid "Option --header-backup-file is required."
 msgstr "Wymagana jest opcja --header-backup-file."
-#: src/cryptsetup.c:2397
+#: src/cryptsetup.c:2577
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s nie jest urządzeniem zarządzanym przez cryptsetup."
-#: src/cryptsetup.c:2408
+#: src/cryptsetup.c:2588
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Odświeżanie nie jest obsługiwane dla typu urządzenia %s"
-#: src/cryptsetup.c:2454
+#: src/cryptsetup.c:2638
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Nie rozpoznany typ urządzenia metadanych %s."
-#: src/cryptsetup.c:2456
+#: src/cryptsetup.c:2640
 msgid "Command requires device and mapped name as arguments."
 msgstr "Polecenie wymaga urządzenia i nazwy odwzorowywanej jako argumentów."
-#: src/cryptsetup.c:2477
+#: src/cryptsetup.c:2661
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2075,336 +2225,351 @@ msgstr ""
 "Ta operacja usunię wszystkie klucze na urządzeniu %s.\n"
 "Urządzenie po tej operacji stanie się bezużyteczne."
-#: src/cryptsetup.c:2484
+#: src/cryptsetup.c:2668
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operacja przerwana, klucze NIE zostały wymazane.\n"
-#: src/cryptsetup.c:2523
+#: src/cryptsetup.c:2707
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Błędny typ LUKS, obsługiwane są tylko luks1 i luks2."
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2723
 #, c-format
 msgid "Device is already %s type."
 msgstr "Urządzenie już ma typ %s."
-#: src/cryptsetup.c:2546
+#: src/cryptsetup.c:2730
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ta operacja przekonwertuje %s do formatu %s.\n"
-#: src/cryptsetup.c:2549
+#: src/cryptsetup.c:2733
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operacja przerwana, urządzenie NIE zostało skonwertowane.\n"
-#: src/cryptsetup.c:2589
+#: src/cryptsetup.c:2773
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Brak opcji --priority, --label lub --subsystem."
-#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680
+#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d jest błędny."
-#: src/cryptsetup.c:2626 src/cryptsetup.c:2683
+#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d jest w użyciu."
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2822
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Nie udało się dodać tokenu %d do pęku kluczy luks2."
-#: src/cryptsetup.c:2646 src/cryptsetup.c:2709
+#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Nie udało się przypisać tokenu %d do klucza %d."
-#: src/cryptsetup.c:2663
+#: src/cryptsetup.c:2850
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d nie jest w użyciu."
-#: src/cryptsetup.c:2700
+#: src/cryptsetup.c:2887
 msgid "Failed to import token from file."
 msgstr "Nie udało się zaimportować tokenu z pliku."
-#: src/cryptsetup.c:2725
+#: src/cryptsetup.c:2912
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Nie udało się pobrać tokenu %d do eksportu."
-#: src/cryptsetup.c:2789
+#: src/cryptsetup.c:2925
 #, c-format
-msgid "Auto-detected active dm device '%s' for data device %s.\n"
-msgstr "Wykryto aktywne urządzenie dm '%s' dla urządzenia danych %s.\n"
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "Token %d nie jest przypisany do klucza %d."
-#: src/cryptsetup.c:2793
+#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
 #, c-format
-msgid "Device %s is not a block device.\n"
-msgstr "Urządzenie %s nie jest urządzeniem blokowym.\n"
+msgid "Failed to unassign token %d from keyslot %d."
+msgstr "Nie udało się usunąć przypisania tokenu %d do klucza %d."
-#: src/cryptsetup.c:2795
-#, c-format
-msgid "Failed to auto-detect device %s holders."
-msgstr "Nie udało się wykryć właścicieli urządzenia %s."
+#: src/cryptsetup.c:2983
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
+msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT."
-#: src/cryptsetup.c:2799
-#, c-format
-msgid ""
-"Unable to decide if device %s is activated or not.\n"
-"Are you sure you want to proceed with reencryption in offline mode?\n"
-"It may lead to data corruption if the device is actually activated.\n"
-"To run reencryption in online mode, use --active-name parameter instead.\n"
-msgstr ""
-"Nie udało się zdecydować, czy urządzenie %s jest uaktywnione, czy nie.\n"
-"Czy na pewno kontynuować ponowne szyfrowanie w trybie offline?\n"
-"Może to prowadzić do uszkodzenia danych, jeśli urządzenie jest aktywne.\n"
-"Aby uruchomić ponowne szyfrowanie w trybie online, należy użyć parametru\n"
-"--active-name.\n"
+#: src/cryptsetup.c:2986
+msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
+msgstr "Opcje --veracrypt i --disable-veracrypt są obsługiwane tylko dla typu urządzeń TCRYPT."
-#: src/cryptsetup.c:2881
-msgid "Encryption is supported only for LUKS2 format."
-msgstr "Szyfrowanie jest obsługiwane tylko w formacie LUKS2."
+#: src/cryptsetup.c:2989
+msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
+msgstr "Opcja --veracrypt-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
-#: src/cryptsetup.c:2886
-msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
-msgstr "Szyfrowanie bez odłączonego nagłówka (--header) jest niemożliwe bez ograniczenia rozmiaru urządzenia danych (--reduce-device-size)."
+#: src/cryptsetup.c:2993
+msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
+msgstr "Opcja --veracrypt-query-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
-#: src/cryptsetup.c:2891
-msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
-msgstr "Żądany offset danych musi być mniejszy lub równy połowie parametru --reduce-device-size."
+#: src/cryptsetup.c:2995
+msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
+msgstr "Opcje --veracrypt-pim i --veracrypt-query-pim wykluczają się wzajemnie."
-#: src/cryptsetup.c:2900
-#, c-format
-msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
-msgstr "Modyfikowanie wartości --reduce-device-size do dwukrotności parametru --offset %<PRIu64> (w sektorach).\n"
-
-#: src/cryptsetup.c:2923
-#, c-format
-msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
-msgstr "Wykrytu urządzenie LUKS na %s. Czy zaszyfrować to urządzenie LUKS jeszcze raz?"
-
-#: src/cryptsetup.c:2941
-#, c-format
-msgid "Temporary header file %s already exists. Aborting."
-msgstr "Plik nagłówka %s już istnieje. Przerwano."
-
-#: src/cryptsetup.c:2943 src/cryptsetup.c:2950
-#, c-format
-msgid "Cannot create temporary header file %s."
-msgstr "Nie można utworzyć pliku tymczasowego nagłówka %s."
-
-#: src/cryptsetup.c:2975
-msgid "LUKS2 metadata size is larger than data shift value."
-msgstr "Rozmiar metadanych LUKS2 jest większy niż wartość przesunięcia danych."
+#: src/cryptsetup.c:3004
+msgid "Option --persistent is not allowed with --test-passphrase."
+msgstr "Opcja --persistent nie jest dozwolona z --test-passphrase."
 #: src/cryptsetup.c:3007
-#, c-format
-msgid "Failed to place new header at head of device %s."
-msgstr "Nie udało się umieścić nowego nagłówka na początku urządzenia %s."
+msgid "Options --refresh and --test-passphrase are mutually exclusive."
+msgstr "Opcje --refresh i --test-passphrase wykluczają się wzajemnie."
-#: src/cryptsetup.c:3018
-#, c-format
-msgid "%s/%s is now active and ready for online encryption.\n"
-msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie.\n"
+#: src/cryptsetup.c:3010
+msgid "Option --shared is allowed only for open of plain device."
+msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia."
-#: src/cryptsetup.c:3055
-msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
-msgstr "Odszyfrowanie LUKS2 jest obsługiwane tylko z urządzeniem z odłączonym nagłówkiem (z offsetem danych ustawionym na 0)."
+#: src/cryptsetup.c:3013
+msgid "Option --skip is supported only for open of plain and loopaes devices."
+msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes."
-#: src/cryptsetup.c:3189 src/cryptsetup.c:3195
-msgid "Not enough free keyslots for reencryption."
-msgstr "Za mało wolnych kluczy do ponownego szyfrowania."
+#: src/cryptsetup.c:3016
+msgid "Option --offset with open action is only supported for plain and loopaes devices."
+msgstr "Opcja --offset z akcją open jest obsługiwana tylko dla urządzeń plain i loopaes."
-#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu."
+#: src/cryptsetup.c:3019
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
+msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards."
-#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326
-#: src/cryptsetup_reencrypt.c:1337
-#, c-format
-msgid "Enter passphrase for key slot %d: "
-msgstr "Hasło dla klucza %d: "
+#: src/cryptsetup.c:3023
+msgid "Sector size option with open action is supported only for plain devices."
+msgstr "Opcja rozmiaru sektora z akcją open jest obsługiwana tylko dla urządzeń plain."
-#: src/cryptsetup.c:3233
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Hasło dla klucza %u: "
+#: src/cryptsetup.c:3027
+msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
+msgstr "Opcja dużych rozmiarów sektorów IV jest obsługiwana tylko przy otwieraniu urządzeń typu plain z sektorem większym niż 512 bajtów."
-#: src/cryptsetup.c:3278
-#, c-format
-msgid "Switching data encryption cipher to %s.\n"
-msgstr "Zmiana szyfru do szyfrowania danych na %s.\n"
+#: src/cryptsetup.c:3032
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS, TRCYPT, BITLK i FVAULT2."
-#: src/cryptsetup.c:3415
-msgid "Command requires device as argument."
-msgstr "Polecenie wymaga urządzenia jako argumentu."
+#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+msgid "Options --device-size and --size cannot be combined."
+msgstr "Opcji --device-size i --size nie można łączyć."
-#: src/cryptsetup.c:3437
-msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
-msgstr "Obecnie obsługiwany jest tylko format LUKS2. Dla LUKS1 proszę użyć narzędzia cryptsetup-reencrypt."
+#: src/cryptsetup.c:3038
+msgid "Option --unbound is allowed only for open of luks device."
+msgstr "Opcja --unbound jest dozwolona tylko dla operacji otwarcia urządzenia LUKS."
-#: src/cryptsetup.c:3449
-msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
-msgstr "Tradycyjne ponowne szyfrowanie offline juz trwa. Proszę użyć narzędzia cryptsetup-reencrypt."
+#: src/cryptsetup.c:3041
+msgid "Option --unbound cannot be used without --test-passphrase."
+msgstr "Opcja --unbound nie może być użyta bez --test-passphrase."
-#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155
-msgid "Reencryption of device with integrity profile is not supported."
-msgstr "Ponowne szyfrowanie urządzenia z profilem integralności nie jest obsługiwane."
+#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr "Opcje --cancel-deferred i --deferred nie mogą być użyte naraz."
-#: src/cryptsetup.c:3467
-msgid "LUKS2 reencryption already initialized. Aborting operation."
-msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane. Przerywanie operacji."
+#: src/cryptsetup.c:3066
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr "Opcji --reduce-device-size i --data-size nie można łączyć."
-#: src/cryptsetup.c:3471
-msgid "LUKS2 device is not in reencryption."
-msgstr "Urządzenie LUKS2 nie jest w trakcie ponownego szyfrowania."
+#: src/cryptsetup.c:3069
+msgid "Option --active-name can be set only for LUKS2 device."
+msgstr "Opcja --active-name może być ustawiona tylko dla urządzenia LUKS2."
-#: src/cryptsetup.c:3498
+#: src/cryptsetup.c:3072
+msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
+msgstr "Opcji --active-name i --force-offline-reencrypt nie można łączyć."
+
+#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+msgid "Keyslot specification is required."
+msgstr "Wymagane jest określenie klucza."
+
+#: src/cryptsetup.c:3088
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "Opcji --align-payload i --offset nie można łączyć."
+
+#: src/cryptsetup.c:3091
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
+msgstr "Opcja --integrity-no-wipe może być użyta tylko do akcji formatowania z rozszerzeniem integralności."
+
+#: src/cryptsetup.c:3094
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
+
+#: src/cryptsetup.c:3102
+msgid "Key size is required with --unbound option."
+msgstr "Przy opcji --unbound wymagany jest rozmiar klucza."
+
+#: src/cryptsetup.c:3122
+msgid "Invalid token action."
+msgstr "Błędna akcja token."
+
+#: src/cryptsetup.c:3125
+msgid "--key-description parameter is mandatory for token add action."
+msgstr "Parametr --key-description jest wymagany do akcji dodania tokenu."
+
+#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr "Akcja wymaga określonego tokenu. Należy użyć parametru --token-id."
+
+#: src/cryptsetup.c:3133
+msgid "Option --unbound is valid only with token add action."
+msgstr "Opcja --unbound jest dozwolona tylko dla operacji dodania tokenu."
+
+#: src/cryptsetup.c:3135
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "Opcji --key-slot i --unbound nie można łączyć."
+
+#: src/cryptsetup.c:3140
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "Akcja wymaga określonego klucza. Należy użyć parametru --key-slot."
+
+#: src/cryptsetup.c:3156
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<uządzenie> [--type <typ>] [<nazwa>]"
-#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446
+#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
 msgid "open device as <name>"
 msgstr "otwarcie urządzenia jako <nazwa>"
-#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501
-#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447
-#: src/integritysetup.c:448
+#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
+#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
+#: src/integritysetup.c:537 src/integritysetup.c:539
 msgid "<name>"
 msgstr "<nazwa>"
-#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447
+#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
 msgid "close device (remove mapping)"
 msgstr "zamknięcie urządzenia (usunięcie odwzorowania)"
-#: src/cryptsetup.c:3500
+#: src/cryptsetup.c:3158 src/integritysetup.c:539
 msgid "resize active device"
 msgstr "zmiana rozmiaru aktywnego urządzenia"
-#: src/cryptsetup.c:3501
+#: src/cryptsetup.c:3159
 msgid "show device status"
 msgstr "pokazanie stanu urządzenia"
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <szyfr>]"
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3160
 msgid "benchmark cipher"
 msgstr "test szybkości szyfru"
-#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
-#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517
-#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520
-#: src/cryptsetup.c:3521 src/cryptsetup.c:3522
+#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
+#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
+#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
+#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
+#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
 msgid "<device>"
 msgstr "<urządzenie>"
-#: src/cryptsetup.c:3503
+#: src/cryptsetup.c:3161
 msgid "try to repair on-disk metadata"
 msgstr "próba naprawy metadanych na dysku"
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3162
 msgid "reencrypt LUKS2 device"
 msgstr "ponowne szyfrowanie urządzenia LUKS2"
-#: src/cryptsetup.c:3505
+#: src/cryptsetup.c:3163
 msgid "erase all keyslots (remove encryption key)"
 msgstr "usunięcie wszystkich kluczy (usunięcie klucza szyfrującego)"
-#: src/cryptsetup.c:3506
+#: src/cryptsetup.c:3164
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "przekonwertowanie formatu LUKS z/do LUKS2"
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3165
 msgid "set permanent configuration options for LUKS2"
 msgstr "ustawienie opcji trwałej konfiguracji dla LUKS2"
-#: src/cryptsetup.c:3508 src/cryptsetup.c:3509
+#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
 msgid "<device> [<new key file>]"
 msgstr "<urządzenie> [<nowy plik klucza>]"
-#: src/cryptsetup.c:3508
+#: src/cryptsetup.c:3166
 msgid "formats a LUKS device"
 msgstr "sformatowanie urządzenia LUKS"
-#: src/cryptsetup.c:3509
+#: src/cryptsetup.c:3167
 msgid "add key to LUKS device"
 msgstr "dodanie klucza do urządzenia LUKS"
-#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512
+#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
 msgid "<device> [<key file>]"
 msgstr "<urządzenie> [<plik klucza>]"
-#: src/cryptsetup.c:3510
+#: src/cryptsetup.c:3168
 msgid "removes supplied key or key file from LUKS device"
 msgstr "usunięcie podanego klucza lub pliku klucza z urządzenia LUKS"
-#: src/cryptsetup.c:3511
+#: src/cryptsetup.c:3169
 msgid "changes supplied key or key file of LUKS device"
 msgstr "zmiana podanego klucza lub pliku klucza urządzenia LUKS"
-#: src/cryptsetup.c:3512
+#: src/cryptsetup.c:3170
 msgid "converts a key to new pbkdf parameters"
 msgstr "konwersja klucza na nowe parametry pbkdf"
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "<device> <key slot>"
 msgstr "<urządzenie> <numer klucza>"
-#: src/cryptsetup.c:3513
+#: src/cryptsetup.c:3171
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "wymazanie klucza o numerze <numer klucza> z urządzenia LUKS"
-#: src/cryptsetup.c:3514
+#: src/cryptsetup.c:3172
 msgid "print UUID of LUKS device"
 msgstr "wypisanie UUID-a urządzenia LUKS"
-#: src/cryptsetup.c:3515
+#: src/cryptsetup.c:3173
 msgid "tests <device> for LUKS partition header"
 msgstr "sprawdzenie <urządzenia> pod kątem nagłówka partycji LUKS"
-#: src/cryptsetup.c:3516
+#: src/cryptsetup.c:3174
 msgid "dump LUKS partition information"
 msgstr "zrzut informacji o partycji LUKS"
-#: src/cryptsetup.c:3517
+#: src/cryptsetup.c:3175
 msgid "dump TCRYPT device information"
 msgstr "zrzut informacji o urządzeniu TCRYPT"
-#: src/cryptsetup.c:3518
+#: src/cryptsetup.c:3176
 msgid "dump BITLK device information"
 msgstr "zrzut informacji o urządzeniu BITLK"
-#: src/cryptsetup.c:3519
+#: src/cryptsetup.c:3177
+msgid "dump FVAULT2 device information"
+msgstr "zrzut informacji o urządzeniu FVAULT2"
+
+#: src/cryptsetup.c:3178
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Wstrzymanie urządzenia LUKS i wymazanie klucza (zamraża wszystkie operacje we/wy)"
-#: src/cryptsetup.c:3520
+#: src/cryptsetup.c:3179
 msgid "Resume suspended LUKS device"
 msgstr "Wznowienie zatrzymanego urządzenia LUKS"
-#: src/cryptsetup.c:3521
+#: src/cryptsetup.c:3180
 msgid "Backup LUKS device header and keyslots"
 msgstr "Kopia zapasowa nagłówka i kluczy urządzenia LUKS"
-#: src/cryptsetup.c:3522
+#: src/cryptsetup.c:3181
 msgid "Restore LUKS device header and keyslots"
 msgstr "Odtworzenie nagłówka i kluczy urządzenia LUKS z kopii zapasowej"
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <urządzenie>"
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3182
 msgid "Manipulate LUKS2 tokens"
 msgstr "Operacja na tokenach LUKS2"
-#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464
+#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2412,19 +2577,19 @@ msgstr ""
 "\n"
 "<akcja> to jedno z:\n"
-#: src/cryptsetup.c:3549
+#: src/cryptsetup.c:3207
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 msgstr ""
 "\n"
 "Można także używać starych aliasów składni <akcja>:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
-#: src/cryptsetup.c:3553
+#: src/cryptsetup.c:3211
 #, c-format
 msgid ""
 "\n"
@@ -2439,7 +2604,7 @@ msgstr ""
 "<numer klucza> to numer klucza LUKS do zmiany\n"
 "<plik klucza> to opcjonalny plik nowego klucza dla akcji luksAddKey\n"
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3218
 #, c-format
 msgid ""
 "\n"
@@ -2448,7 +2613,7 @@ msgstr ""
 "\n"
 "Domyślny wkompilowany format metadanych to %s (dla akcji luksFormat).\n"
-#: src/cryptsetup.c:3565 src/cryptsetup.c:3568
+#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
 #, c-format
 msgid ""
 "\n"
@@ -2457,20 +2622,20 @@ msgstr ""
 "\n"
 "Obsługa zewnętrznych wtyczek tokenów LUKS2 jest %s.\n"
-#: src/cryptsetup.c:3565
+#: src/cryptsetup.c:3223
 msgid "compiled-in"
 msgstr "wkompilowana"
-#: src/cryptsetup.c:3566
+#: src/cryptsetup.c:3224
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Ścieżka zewnętrznych wtyczek tokenów LUKS2: %s.\n"
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3226
 msgid "disabled"
 msgstr "wyłączona"
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3230
 #, c-format
 msgid ""
 "\n"
@@ -2487,7 +2652,7 @@ msgstr ""
 "Domyślny PBKDF dla LUKS2: %s\n"
 "\tCzas iteracji: %d, wymagana pamięć: %dkB, liczba wątków: %d\n"
-#: src/cryptsetup.c:3583
+#: src/cryptsetup.c:3241
 #, c-format
 msgid ""
 "\n"
@@ -2502,206 +2667,96 @@ msgstr ""
 "\tplain: %s, bitów klucza: %d, skrót hasła: %s\n"
 "\tLUKS: %s, bitów klucza: %d, skrót nagłówka LUKS: %s, RNG: %s\n"
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3250
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Domyślny rozmiar klucza z trybem XTS (dwa klucze wewnętrzne) będzie podwojony.\n"
-#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620
+#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: wymaga %s jako argumentów"
-#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379
-#: src/cryptsetup_reencrypt.c:1704
+#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
 msgid "Key slot is invalid."
 msgstr "Numer klucza jest nieprawidłowy."
-#: src/cryptsetup.c:3675
+#: src/cryptsetup.c:3335
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Rozmiar urządzenia musi być wielokrotnością 512-bajtowego sektora."
-#: src/cryptsetup.c:3680
+#: src/cryptsetup.c:3340
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Błędne określenie maksymalnego rozmiaru strefy hotzone ponownego szyfrowania."
-#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Rozmiar klucza musi być wielokrotnością 8 bitów"
-#: src/cryptsetup.c:3711
+#: src/cryptsetup.c:3371
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 1GiB."
-#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631
+#: src/cryptsetup.c:3374
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Rozmiar ograniczenia musi być wielokrotnością 512-bajtowego sektora."
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3391
 msgid "Option --priority can be only ignore/normal/prefer."
msgstr "Opcja --priority może mieć wartości tylko ignore/normal/prefer."
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543
-#: src/cryptsetup_reencrypt.c:1641
+#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
 msgid "Show this help message"
 msgstr "Wyświetlenie tego opisu"
-#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544
-#: src/cryptsetup_reencrypt.c:1642
+#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
 msgid "Display brief usage"
 msgstr "Wyświetlenie krótkiej informacji o składni"
-#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
 msgid "Print package version"
 msgstr "Wypisanie wersji pakietu"
-#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
 msgid "Help options:"
 msgstr "Opcje pomocnicze:"
-#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573
+#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPCJA...] <akcja> <parametry-akcji>"
-#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584
+#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
 msgid "Argument <action> missing."
 msgstr "Brak argumentu <akcja>."
-#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615
+#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
 msgid "Unknown action."
 msgstr "Nieznana akcja."
-#: src/cryptsetup.c:3861
-msgid "Options --refresh and --test-passphrase are mutually exclusive."
-msgstr "Opcje --refresh i --test-passphrase wykluczają się wzajemnie."
-
-#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663
-msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
-msgstr "Opcje --cancel-deferred i --deferred nie mogą być użyte naraz."
-
-#: src/cryptsetup.c:3872
-msgid "Option --shared is allowed only for open of plain device."
-msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia."
-
-#: src/cryptsetup.c:3877
-msgid "Option --persistent is not allowed with --test-passphrase."
-msgstr "Opcja --persistent nie jest dozwolona z --test-passphrase."
-
-#: src/cryptsetup.c:3882
-msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
-msgstr "Opcja --integrity-no-wipe może być użyta tylko do akcji formatowania z rozszerzeniem integralności."
-
-#: src/cryptsetup.c:3889
-msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices."
-msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS, TRCYPT i BITLK."
-
-#: src/cryptsetup.c:3901
+#: src/cryptsetup.c:3546
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza."
-#: src/cryptsetup.c:3907
+#: src/cryptsetup.c:3552
 msgid "Only one --key-file argument is allowed."
 msgstr "Dozwolony jest tylko jeden argument --key-file."
-#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689
-#: src/cryptsetup_reencrypt.c:1708
-msgid "Only one of --use-[u]random options is allowed."
-msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
-
-#: src/cryptsetup.c:3915
-msgid "Options --align-payload and --offset cannot be combined."
-msgstr "Opcji --align-payload i --offset nie można łączyć."
-
-#: src/cryptsetup.c:3921
-msgid "Option --skip is supported only for open of plain and loopaes devices."
-msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes."
-
-#: src/cryptsetup.c:3927
-msgid "Option --offset with open action is only supported for plain and loopaes devices."
-msgstr "Opcja --offset z akcją open jest obsługiwana tylko dla urządzeń plain i loopaes."
-
-#: src/cryptsetup.c:3933
-msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
-msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT."
-
-#: src/cryptsetup.c:3938
-msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
-msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards."
-
-#: src/cryptsetup.c:3943
-msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
-msgstr "Opcje --veracrypt i --disable-veracrypt są obsługiwane tylko dla typu urządzeń TCRYPT."
-
-#: src/cryptsetup.c:3948
-msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
-msgstr "Opcja --veracrypt-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
-
-#: src/cryptsetup.c:3954
-msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
-msgstr "Opcja --veracrypt-query-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
-
-#: src/cryptsetup.c:3958
-msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
-msgstr "Opcje --veracrypt-pim i --veracrypt-query-pim wykluczają się wzajemnie."
-
-#: src/cryptsetup.c:3966 src/cryptsetup.c:4002
-msgid "Keyslot specification is required."
-msgstr "Wymagane jest określenie klucza."
-
-#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694
+#: src/cryptsetup.c:3557
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Funkcja pochodna klucza oparta na haśle (PBKDF) może być tylko pbkdf2 lub argon2i/argon2id."
-#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699
+#: src/cryptsetup.c:3562
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Wymuszonych iteracji PBKDF nie można łączyć z opcją czasu iteracji."
-#: src/cryptsetup.c:3983
-msgid "Sector size option with open action is supported only for plain devices."
-msgstr "Opcja rozmiaru sektora z akcją open jest obsługiwana tylko dla urządzeń plain."
-
-#: src/cryptsetup.c:3990
-msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
-msgstr "Opcja dużych rozmiarów sektorów IV jest obsługiwana tylko przy otwieraniu urządzeń typu plain z sektorem większym niż 512 bajtów."
-
-#: src/cryptsetup.c:3996
-msgid "Key size is required with --unbound option."
-msgstr "Przy opcji --unbound wymagany jest rozmiar klucza."
-
-#: src/cryptsetup.c:4012
-msgid "LUKS2 decryption requires option --header."
-msgstr "Odszyfrowanie LUKS2 wymaga opcji --header."
-
-#: src/cryptsetup.c:4016
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "Opcji --reduce-device-size i --data-size nie można łączyć."
-
-#: src/cryptsetup.c:4020
-msgid "Options --device-size and --size cannot be combined."
-msgstr "Opcji --device-size i --size nie można łączyć."
-
-#: src/cryptsetup.c:4024
+#: src/cryptsetup.c:3573
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Opcje --keyslot-cipher i --keyslot-key-size muszą być użyte łącznie."
-#: src/cryptsetup.c:4028
+#: src/cryptsetup.c:3581
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Nie wykonano akcji. Wywołano z opcją --test-args.\n"
-#: src/cryptsetup.c:4040
-msgid "Invalid token action."
-msgstr "Błędna akcja token."
-
-#: src/cryptsetup.c:4045
-msgid "--key-description parameter is mandatory for token add action."
-msgstr "Parametr --key-description jest wymagany do akcji dodania tokenu."
-
-#: src/cryptsetup.c:4051
-msgid "Action requires specific token. Use --token-id parameter."
-msgstr "Akcja wymaga określonego tokenu. Należy użyć parametru --token-id."
-
-#: src/cryptsetup.c:4062
+#: src/cryptsetup.c:3594
 msgid "Cannot disable metadata locking."
 msgstr "Nie można wyłączyć blokowania metadanych."
@@ -2729,67 +2784,72 @@ msgstr "Nie można utworzyć pliku głównego hasza %s do zapisu."
 msgid "Cannot write to root hash file %s."
 msgstr "Nie można zapisać pliku głównego hasza %s."
-#: src/veritysetup.c:210 src/veritysetup.c:227
+#: src/veritysetup.c:198 src/veritysetup.c:476
+#, c-format
+msgid "Device %s is not a valid VERITY device."
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem VERITY."
+
+#: src/veritysetup.c:215 src/veritysetup.c:232
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Nie można odczytać pliku głównego hasza %s."
-#: src/veritysetup.c:215
+#: src/veritysetup.c:220
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Błędny plik głównego hasza %s."
-#: src/veritysetup.c:236
+#: src/veritysetup.c:241
 msgid "Invalid root hash string specified."
 msgstr "Podano błędny łańcuch głównego hasza."
-#: src/veritysetup.c:244
+#: src/veritysetup.c:249
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Błędny plik podpisu %s."
-#: src/veritysetup.c:251
+#: src/veritysetup.c:256
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Nie można odczytać pliku klucza %s."
-#: src/veritysetup.c:274 src/veritysetup.c:288
+#: src/veritysetup.c:279 src/veritysetup.c:293
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Polecenie wymaga <głównego_hasza> lub opcji --root-hash-file jako argumentu."
-#: src/veritysetup.c:478
+#: src/veritysetup.c:489
 msgid "<data_device> <hash_device>"
 msgstr "<urządzenie_danych> <urządzenie_haszy>"
-#: src/veritysetup.c:478 src/integritysetup.c:445
+#: src/veritysetup.c:489 src/integritysetup.c:534
 msgid "format device"
 msgstr "sformatowanie urządzenia"
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<urządzenie_danych> <urządzenie_haszy> [<główny_hasz>]"
-#: src/veritysetup.c:479
+#: src/veritysetup.c:490
 msgid "verify device"
 msgstr "weryfikacja urządzenia"
-#: src/veritysetup.c:480
+#: src/veritysetup.c:491
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<urządzenie_danych> <nazwa> <urządzenie_haszy> [<główny_hasz>]"
-#: src/veritysetup.c:482 src/integritysetup.c:448
+#: src/veritysetup.c:493 src/integritysetup.c:537
 msgid "show active device status"
 msgstr "pokazanie stanu aktywnego urządzenia"
-#: src/veritysetup.c:483
+#: src/veritysetup.c:494
 msgid "<hash_device>"
 msgstr "<urządzenie_haszy>"
-#: src/veritysetup.c:483 src/integritysetup.c:449
+#: src/veritysetup.c:494 src/integritysetup.c:538
 msgid "show on-disk information"
 msgstr "wyświetlenie informacji z dysku"
-#: src/veritysetup.c:502
+#: src/veritysetup.c:513
 #, c-format
 msgid ""
 "\n"
@@ -2804,7 +2864,7 @@ msgstr ""
 "<urządzenie_haszy> to urządzenie zawierające dane weryfikacyjne\n"
 "<główny_hasz> to hasz głównego węzła na <urządzeniu_haszy>\n"
-#: src/veritysetup.c:509
+#: src/veritysetup.c:520
 #, c-format
 msgid ""
 "\n"
@@ -2815,28 +2875,46 @@ msgstr ""
 "Domyślnie wkompilowane parametry dm-verity:\n"
 "\tHasz: %s, blok danych (bajtów): %u, blok haszy (bajtów): %u, rozmiar zarodka: %u, format haszy: %u\n"
-#: src/veritysetup.c:646
+#: src/veritysetup.c:658
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opcji --ignore-corruption oraz --restart-on-corruption nie można użyć naraz."
-#: src/veritysetup.c:651
+#: src/veritysetup.c:663
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opcji --panic-on-corruption oraz --restart-on-corruption nie można użyć naraz."
-#: src/integritysetup.c:201
+#: src/integritysetup.c:177
+#, c-format
+msgid ""
+"This will overwrite data on %s and %s irrevocably.\n"
+"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
+msgstr ""
+"Ta operacja nieodwracalnie nadpisze dane na %s i %s.\n"
+"Aby zachować urządzenie danych, można użyć opcji --no-wipe (a następnie uaktywnić z --integrity-recalculate)."
+
+#: src/integritysetup.c:212
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Sformatowano z rozmiarem znacznika %u, wewnętrzna integralność %s.\n"
-#: src/integritysetup.c:445 src/integritysetup.c:449
+#: src/integritysetup.c:289
+msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
+msgstr "Ustawianie flagi recalculate nie jest obsługiwane, zamiast tego można rozważyć użycie --wipe."
+
+#: src/integritysetup.c:364 src/integritysetup.c:521
+#, c-format
+msgid "Device %s is not a valid INTEGRITY device."
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem INTEGRITY."
+#: src/integritysetup.c:534 src/integritysetup.c:538
 msgid "<integrity_device>"
 msgstr "<urządzenie_integralności>"
-#: src/integritysetup.c:446
+#: src/integritysetup.c:535
 msgid "<integrity_device> <name>"
 msgstr "<urządzenie_integralności> <nazwa>"
-#: src/integritysetup.c:468
+#: src/integritysetup.c:558
 #, c-format
 msgid ""
 "\n"
@@ -2847,7 +2925,7 @@ msgstr ""
 "<nazwa> to urządzenie do utworzenia pod %s\n"
 "<urządzenie_integralności> to urządzenie zawierające dane ze znacznikami integralności\n"
-#: src/integritysetup.c:473
+#: src/integritysetup.c:563
 #, c-format
 msgid ""
 "\n"
@@ -2860,241 +2938,44 @@ msgstr ""
 "\tAlgorytm sumy kontrolnej: %s\n"
 "\tMaksymalny rozmiar pliku klucza: %dkB\n"
-#: src/integritysetup.c:530
+#: src/integritysetup.c:620
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Błędny rozmiar --%s. Maksimum w bajtach to %u."
-#: src/integritysetup.c:628
+#: src/integritysetup.c:720
 msgid "Both key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza i rozmiaru klucza."
-#: src/integritysetup.c:632
+#: src/integritysetup.c:724
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza integralności i rozmiaru klucza."
-#: src/integritysetup.c:635
+#: src/integritysetup.c:727
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Algorytm integralności kroniki musi być podany, jeśli używany jest klucz integralności kroniki."
-#: src/integritysetup.c:639
+#: src/integritysetup.c:731
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku szyfrowania kroniki i rozmiaru klucza."
-#: src/integritysetup.c:642
+#: src/integritysetup.c:734
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Algorytm szyfrowania kroniki musi być podany, jeśli używany jest klucz szyfrowania kroniki."
-#: src/integritysetup.c:646
+#: src/integritysetup.c:738
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Opcje trybu odtwarzania i bitmapy wykluczają się wzajemnie."
-#: src/integritysetup.c:653
+#: src/integritysetup.c:745
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Opcji kroniki nie można używać w trybie bitmapy."
-#: src/integritysetup.c:658
+#: src/integritysetup.c:750
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Opcje bitmapy mogą być używane tylko w trybie bitmapy."
-#: src/cryptsetup_reencrypt.c:149
-msgid "Reencryption already in-progress."
-msgstr "Ponowne szyfrowanie już trwa."
-
-#: src/cryptsetup_reencrypt.c:185
-#, c-format
-msgid "Cannot exclusively open %s, device in use."
-msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu."
-
-#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120
-msgid "Allocation of aligned memory failed."
-msgstr "Przydzielenie wyrównanego obszaru pamięci nie powiodło się."
-
-#: src/cryptsetup_reencrypt.c:206
-#, c-format
-msgid "Cannot read device %s."
-msgstr "Nie można odczytać urządzenia %s."
-
-#: src/cryptsetup_reencrypt.c:217
-#, c-format
-msgid "Marking LUKS1 device %s unusable."
-msgstr "Oznaczanie urządzenia LUKS1 %s jako bezużytecznego."
-
-#: src/cryptsetup_reencrypt.c:221
-#, c-format
-msgid "Setting LUKS2 offline reencrypt flag on device %s."
-msgstr "Ustawianie flagi ponownego szyfrowania offline LUKS2 na urządzeniu %s."
-
-#: src/cryptsetup_reencrypt.c:238
-#, c-format
-msgid "Cannot write device %s."
-msgstr "Nie można zapisać na urządzenie %s."
-
-#: src/cryptsetup_reencrypt.c:286
-msgid "Cannot write reencryption log file."
-msgstr "Nie można zapisać pliku logu ponownego szyfrowania."
-
-#: src/cryptsetup_reencrypt.c:342
-msgid "Cannot read reencryption log file."
-msgstr "Nie można odczytać pliku logu ponownego szyfrowania."
-
-#: src/cryptsetup_reencrypt.c:353
-msgid "Wrong log format."
-msgstr "Niewłaściwy format logu."
-
-#: src/cryptsetup_reencrypt.c:380
-#, c-format
-msgid "Log file %s exists, resuming reencryption.\n"
-msgstr "Plik logu %s istnieje, wznowienie ponownego szyfrowania.\n"
-
-#: src/cryptsetup_reencrypt.c:429
-msgid "Activating temporary device using old LUKS header."
-msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu starego nagłówka LUKS."
-
-#: src/cryptsetup_reencrypt.c:439
-msgid "Activating temporary device using new LUKS header."
-msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu nowego nagłówka LUKS."
-
-#: src/cryptsetup_reencrypt.c:449
-msgid "Activation of temporary devices failed."
-msgstr "Uaktywnianie urządzeń tymczasowych nie powiodła się."
-
-#: src/cryptsetup_reencrypt.c:536
-msgid "Failed to set data offset."
-msgstr "Nie udało się ustawić offsetu danych."
-
-#: src/cryptsetup_reencrypt.c:542
-msgid "Failed to set metadata size."
-msgstr "Nie udało się ustawić rozmiaru metadanych."
-
-#: src/cryptsetup_reencrypt.c:550
-#, c-format
-msgid "New LUKS header for device %s created."
-msgstr "Utworzono nowy nagłówek LUKS dla urządzenia %s."
-
-#: src/cryptsetup_reencrypt.c:610
-#, c-format
-msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
-msgstr "Ta wersja cryptsetup-reencrypt nie obsługuje nowego typu tokenu wewnętrznego %s."
-
-#: src/cryptsetup_reencrypt.c:632
-msgid "Failed to read activation flags from backup header."
-msgstr "Nie udało się odczytać flag uaktywniania z nagłówka zapasowego."
-
-#: src/cryptsetup_reencrypt.c:636
-msgid "Failed to write activation flags to new header."
-msgstr "Nie udało się zapisać flag uaktywniania w nowym nagłówku."
-
-#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644
-msgid "Failed to read requirements from backup header."
-msgstr "Nie udało się odczytać wymagań z nagłówka zapasowego."
-
-#: src/cryptsetup_reencrypt.c:682
-#, c-format
-msgid "%s header backup of device %s created."
-msgstr "Utworzono kopię zapasową nagłówka %s urządzenia %s."
-
-#: src/cryptsetup_reencrypt.c:745
-msgid "Creation of LUKS backup headers failed."
-msgstr "Tworzenie kopii zapasowych nagłówków LUKS nie powiodło się."
-
-#: src/cryptsetup_reencrypt.c:878
-#, c-format
-msgid "Cannot restore %s header on device %s."
-msgstr "Nie można odtworzyć nagłówka %s na urządzeniu %s."
-
-#: src/cryptsetup_reencrypt.c:880
-#, c-format
-msgid "%s header on device %s restored."
-msgstr "Odtworzono nagłówek %s na urządzeniu %s."
-
-#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098
-msgid "Cannot open temporary LUKS device."
-msgstr "Nie można otworzyć tymczasowego urządzenia LUKS."
-
-#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108
-msgid "Cannot get device size."
-msgstr "Nie można pobrać rozmiaru urządzenia."
-
-#: src/cryptsetup_reencrypt.c:1143
-msgid "IO error during reencryption."
-msgstr "Błąd we/wy podczas ponownego szyfrowania."
-
-#: src/cryptsetup_reencrypt.c:1174
-msgid "Provided UUID is invalid."
-msgstr "Dostarczony UUID jest nieprawidłowy."
-
-#: src/cryptsetup_reencrypt.c:1408
-msgid "Cannot open reencryption log file."
-msgstr "Nie można otworzyć pliku logu ponownego szyfrowania."
-
-#: src/cryptsetup_reencrypt.c:1414
-msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
-msgstr "Nie w trakcie odszyfrowywania; dostarczony UUID może być użyty tylko do wznowienia wstrzymanego procesu odszyfrowywania."
-
-#: src/cryptsetup_reencrypt.c:1489
-#, c-format
-msgid "Changed pbkdf parameters in keyslot %i."
-msgstr "Zmieniono parametry PBKDF dla klucza %i."
-
-#: src/cryptsetup_reencrypt.c:1614
-msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
-msgstr "Jako rozmiar bloku ponownego szyfrowania dozwolone są jedynie wartości od 1 MiB do 64 MiB."
-
-#: src/cryptsetup_reencrypt.c:1628
-msgid "Maximum device reduce size is 64 MiB."
-msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 64MiB."
-
-#: src/cryptsetup_reencrypt.c:1669
-msgid "[OPTION...] <device>"
-msgstr "[OPCJA...] <urządzenie>"
-
-#: src/cryptsetup_reencrypt.c:1677
-#, c-format
-msgid "Reencryption will change: %s%s%s%s%s%s."
-msgstr "Ponowne szyfrowanie zmieni: %s%s%s%s%s%s."
-
-#: src/cryptsetup_reencrypt.c:1678
-msgid "volume key"
-msgstr "klucz wolumenu"
-
-#: src/cryptsetup_reencrypt.c:1680
-msgid "set hash to "
-msgstr "hasz na "
-
-#: src/cryptsetup_reencrypt.c:1681
-msgid ", set cipher to "
-msgstr ", szyfr na"
-
-#: src/cryptsetup_reencrypt.c:1685
-msgid "Argument required."
-msgstr "Wymagany argument."
-
-#: src/cryptsetup_reencrypt.c:1712
-msgid "Option --new must be used together with --reduce-device-size or --header."
-msgstr "Opcja --new musi być użyta wraz z --reduce_device_size lub --header."
-
-#: src/cryptsetup_reencrypt.c:1716
-msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
-msgstr "Opcja --keep-key może być użyta tylko z --hash, --iter-time lub --pbkdf-force-iterations.."
-
-#: src/cryptsetup_reencrypt.c:1720
-msgid "Option --new cannot be used together with --decrypt."
-msgstr "Opcja --new nie może być użyta wraz z --decrypt."
-
-#: src/cryptsetup_reencrypt.c:1726
-msgid "Option --decrypt is incompatible with specified parameters."
-msgstr "Opcja --decrypt jest niezgodna z podanymi parametrami."
-
-#: src/cryptsetup_reencrypt.c:1730
-msgid "Option --uuid is allowed only together with --decrypt."
-msgstr "Opcja --uuid jest dozwolona tylko wraz z --decrypt."
-
-#: src/cryptsetup_reencrypt.c:1734
-msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
-msgstr "Błędny typ LUKS - musi być jednym z 'luks', 'luks1' lub 'luks2'."
-
-#: src/utils_tools.c:119
+#: src/utils_tools.c:118
 msgid ""
 "\n"
 "WARNING!\n"
@@ -3105,7 +2986,7 @@ msgstr ""
 "======\n"
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:121
+#: src/utils_tools.c:120
 #, c-format
 msgid ""
 "%s\n"
@@ -3116,147 +2997,173 @@ msgstr ""
 "\n"
 "Na pewno? (należy wpisać 'yes' wielkimi literami): "
-#: src/utils_tools.c:127
+#: src/utils_tools.c:126
 msgid "Error reading response from terminal."
 msgstr "Błąd podczas odczytu odpowiedzi z terminala."
-#: src/utils_tools.c:159
+#: src/utils_tools.c:158
 msgid "Command successful."
 msgstr "Polecenie się powiodło."
-#: src/utils_tools.c:167
+#: src/utils_tools.c:166
 msgid "wrong or missing parameters"
 msgstr "niewłaściwe lub brakujące parametry"
-#: src/utils_tools.c:169
+#: src/utils_tools.c:168
 msgid "no permission or bad passphrase"
 msgstr "brak uprawnień lub błędne hasło"
-#: src/utils_tools.c:171
+#: src/utils_tools.c:170
 msgid "out of memory"
 msgstr "brak pamięci"
-#: src/utils_tools.c:173
+#: src/utils_tools.c:172
 msgid "wrong device or file specified"
 msgstr "podano niewłaściwe urządzenie lub plik"
-#: src/utils_tools.c:175
+#: src/utils_tools.c:174
 msgid "device already exists or device is busy"
 msgstr "urządzenie już istnieje lub jest zajęte"
-#: src/utils_tools.c:177
+#: src/utils_tools.c:176
 msgid "unknown error"
 msgstr "nieznany błąd"
-#: src/utils_tools.c:179
+#: src/utils_tools.c:178
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "Polecenie nie powiodło się z kodem %i (%s)."
-#: src/utils_tools.c:257
+#: src/utils_tools.c:256
 #, c-format
 msgid "Key slot %i created."
 msgstr "Klucz numer %i utworzony."
-#: src/utils_tools.c:259
+#: src/utils_tools.c:258
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Klucz numer %i odblokowany."
-#: src/utils_tools.c:261
+#: src/utils_tools.c:260
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Klucz numer %i usunięty."
-#: src/utils_tools.c:270
+#: src/utils_tools.c:269
 #, c-format
 msgid "Token %i created."
 msgstr "Token %i utworzony."
-#: src/utils_tools.c:272
+#: src/utils_tools.c:271
 #, c-format
 msgid "Token %i removed."
 msgstr "Token %i usunięty."
-#: src/utils_tools.c:282
+#: src/utils_tools.c:281
 msgid "No token could be unlocked with this PIN."
msgstr "Przy użyciu tego PIN-u nie udało się odblokować żadnego tokenu."
-#: src/utils_tools.c:284
+#: src/utils_tools.c:283
 #, c-format
 msgid "Token %i requires PIN."
 msgstr "Token %i wymaga PIN-u."
-#: src/utils_tools.c:286
+#: src/utils_tools.c:285
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr "Token (typu %s) wymaga PIN-u."
-#: src/utils_tools.c:289
+#: src/utils_tools.c:288
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token %i nie może odblokować przypisanych obszarów kluczy (błędne hasło klucza)."
-#: src/utils_tools.c:291
+#: src/utils_tools.c:290
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token (typu %s) nie może odblokować przypisanych obszarów kluczy (błędne hasło klucza)."
-#: src/utils_tools.c:294
+#: src/utils_tools.c:293
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr "Token %i wymaga dodatkowego, brakującego zasobu."
-#: src/utils_tools.c:296
+#: src/utils_tools.c:295
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr "Token (typu %s) wymaga dodatkowego, brakującego zasobu."
-#: src/utils_tools.c:299
+#: src/utils_tools.c:298
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr "Brak dostępnego użytecznego tokenu (typu %s)."
-#: src/utils_tools.c:301
+#: src/utils_tools.c:300
 msgid "No usable token is available."
 msgstr "Brak dostępnego użytecznego tokenu."
-#: src/utils_tools.c:463
-msgid ""
-"\n"
-"Wipe interrupted."
-msgstr ""
-"\n"
-"Wymazywanie przerwane."
-
-#: src/utils_tools.c:492
-msgid ""
-"\n"
-"Reencryption interrupted."
-msgstr ""
-"\n"
-"Ponowne szyfrowanie przerwane."
-
-#: src/utils_tools.c:511
+#: src/utils_tools.c:393
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Nie można odczytać pliku klucza %s."
-#: src/utils_tools.c:516
+#: src/utils_tools.c:398
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
msgstr "Nie można odczytać %d bajtów z pliku klucza %s."
-#: src/utils_tools.c:541
+#: src/utils_tools.c:423
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Nie można otworzyć pliku klucza %s do zapisu."
-#: src/utils_tools.c:548
+#: src/utils_tools.c:430
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Nie można zapisać pliku klucza %s."
+#: src/utils_progress.c:74
+#, c-format
+msgid "%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>m%02<PRIu64>s"
+
+#: src/utils_progress.c:76
+#, c-format
+msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+
+#: src/utils_progress.c:78
+#, c-format
+msgid "%02<PRIu64> days"
+msgstr "%02<PRIu64> d"
+
+#: src/utils_progress.c:105 src/utils_progress.c:138
+#, c-format
+msgid "%4<PRIu64> %s written"
+msgstr "zapisano %4<PRIu64> %s"
+
+#: src/utils_progress.c:109 src/utils_progress.c:142
+#, c-format
+msgid "speed %5.1f %s/s"
+msgstr "szybkość %5.1f %s/s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. 'eol' is always new-line or empty.
+#. See above.
+#.
+#: src/utils_progress.c:118
+#, c-format
+msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
+msgstr "Postęp: %5.1f%%, przewidywany czas zakończenia %s, %s, %s%s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. See above
+#.
+#: src/utils_progress.c:150
+#, c-format
+msgid "Finished, time %s, %s, %s\n"
+msgstr "Zakończono, czas %s, %s, %s\n"
+
 #: src/utils_password.c:41 src/utils_password.c:74
 #, c-format
 msgid "Cannot check password quality: %s"
@@ -3276,54 +3183,58 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Sprawdzenie jakości hasła nie powiodło się: błędne hasło (%s)"
-#: src/utils_password.c:224 src/utils_password.c:238
+#: src/utils_password.c:232 src/utils_password.c:246
 msgid "Error reading passphrase from terminal."
 msgstr "Błąd podczas odczytu hasła z terminala."
-#: src/utils_password.c:236
+#: src/utils_password.c:244
 msgid "Verify passphrase: "
 msgstr "Weryfikacja hasła: "
-#: src/utils_password.c:243
+#: src/utils_password.c:251
 msgid "Passphrases do not match."
 msgstr "Hasła nie zgadzają się."
-#: src/utils_password.c:280
+#: src/utils_password.c:289
 msgid "Cannot use offset with terminal input."
 msgstr "Nie można użyć offsetu, jeśli wejściem jest terminal."
-#: src/utils_password.c:283
+#: src/utils_password.c:293
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Hasło: "
-#: src/utils_password.c:286
+#: src/utils_password.c:296
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Hasło dla %s: "
-#: src/utils_password.c:317
+#: src/utils_password.c:330
 msgid "No key available with this passphrase."
 msgstr "Dla tego hasła nie ma dostępnego klucza."
-#: src/utils_password.c:319
+#: src/utils_password.c:332
 msgid "No usable keyslot is available."
 msgstr "Brak dostępnego miejsca na klucz."
-#: src/utils_luks2.c:47
+#: src/utils_luks.c:67
+msgid "Can't do passphrase verification on non-tty inputs."
+msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal."
+
+#: src/utils_luks.c:182
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Nie udało się otworzyć pliku %s tylko do odczytu."
-#: src/utils_luks2.c:60
+#: src/utils_luks.c:195
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Poprawny token JSON dla LUKS2:\n"
-#: src/utils_luks2.c:67
+#: src/utils_luks.c:202
 msgid "Failed to read JSON file."
 msgstr "Nie udało się odczytać pliku JSON."
-#: src/utils_luks2.c:72
+#: src/utils_luks.c:207
 msgid ""
 "\n"
 "Read interrupted."
@@ -3331,12 +3242,12 @@ msgstr ""
 "\n"
 "Odczyt przerwany."
 
-#: src/utils_luks2.c:113
+#: src/utils_luks.c:248
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Nie udało się otworzyć pliku %s do zapisu."
 
-#: src/utils_luks2.c:122
+#: src/utils_luks.c:257
 msgid ""
 "\n"
 "Write interrupted."
@@ -3344,54 +3255,424 @@ msgstr "" "\n" "Zapis przerwany." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Nie udało się zapisać pliku JSON." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Wykryto aktywne urządzenie dm '%s' dla urządzenia danych %s.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Nie udało się wykryć właścicieli urządzenia %s." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Urządzenie %s nie jest urządzeniem blokowym.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Nie udało się zdecydować, czy urządzenie %s jest uaktywnione, czy nie.\n" +"Czy na pewno kontynuować ponowne szyfrowanie w trybie offline?\n" +"Może to prowadzić do uszkodzenia danych, jeśli urządzenie jest aktywne.\n" +"Aby uruchomić ponowne szyfrowanie w trybie online, należy użyć parametru\n" +"--active-name.\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Urządzenie %s nie jest urządzeniem blokowym. Nie można wykryć, czy jest aktywne.\n" +"Można użyć --force-offline-reencrypt aby obejść to sprawdzenie i uruchomić w trybie offline (niebezpieczne!)." 
+ +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Nie można użyć żądanej opcji --resilience do obecnej operacji ponownego szyfrowania." + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Urządzenie nie jest w trybie szyfrowania LUKS2. Konflikt opcji --encrypt." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Urządzenie nie jest w trybie odszyfrowywania LUKS2. Konflikt opcji --decrypt." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Urządzenie jest w trybie ponownego szyfrowania z użyciem odporności przesunięcia danych. Nie można użyć żądanej opcji --resilience." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Urządzenie wymaga odtwarzania ponownego szyfrowania. Najpierw należy uruchomić naprawę." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS2. Czy wznowić uprzednio zainicjowaną operację?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Stara wersja ponownego szyfrowania LUKS2 nie jest już obsługiwana." + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Ponowne szyfrowanie urządzenia z profilem integralności nie jest obsługiwane." + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." 
+msgstr "" +"Żądany --sector-size %<PRIu32> jest niezgodny z superblokiem %s\n" +"(rozmiar bloku: %<PRIu32> B), wykrytym na urządzeniu %s." + +#: src/utils_reencrypt.c:494 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Szyfrowanie bez odłączonego nagłówka (--header) jest niemożliwe bez ograniczenia rozmiaru urządzenia danych (--reduce-device-size)." + +#: src/utils_reencrypt.c:500 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Żądany offset danych musi być mniejszy lub równy połowie parametru --reduce-device-size." + +#: src/utils_reencrypt.c:510 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Modyfikowanie wartości --reduce-device-size do dwukrotności parametru --offset %<PRIu64> (w sektorach).\n" + +#: src/utils_reencrypt.c:540 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Plik nagłówka %s już istnieje. Przerwano." + +#: src/utils_reencrypt.c:542 src/utils_reencrypt.c:549 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Nie można utworzyć pliku tymczasowego nagłówka %s." + +#: src/utils_reencrypt.c:574 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "Rozmiar metadanych LUKS2 jest większy niż wartość przesunięcia danych." + +#: src/utils_reencrypt.c:611 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Nie udało się umieścić nowego nagłówka na początku urządzenia %s." + +#: src/utils_reencrypt.c:621 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie.\n" + +#: src/utils_reencrypt.c:657 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Aktywne urządzenie %s nie jest urządzeniem LUKS2." 
+ +#: src/utils_reencrypt.c:685 +msgid "Restoring original LUKS2 header." +msgstr "Odtwarzanie oryginalnego nagłówka LUKS2." + +#: src/utils_reencrypt.c:693 +msgid "Original LUKS2 header restore failed." +msgstr "Odtwarzanie oryginalnego nagłówka LUKS2 nie powiodło się." + +#: src/utils_reencrypt.c:719 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Plik nagłówka %s nie istnieje. Czy zainicjować odszyfrowywanie LUKS2 urządzenia %s i eksport nagłówka LUKS2 do pliku %s?" + +#: src/utils_reencrypt.c:767 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Nie udało się dodać uprawnień odczytu/zapisu do pliku wyeksportowanego nagłówka." + +#: src/utils_reencrypt.c:820 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Inicjowanie ponownego szyfrowania nie powiodło się. Kopia zapasowa nagłówka jest dostępna w %s." + +#: src/utils_reencrypt.c:848 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "Odszyfrowanie LUKS2 jest obsługiwane tylko z urządzeniem z odłączonym nagłówkiem (z offsetem danych ustawionym na 0)." + +#: src/utils_reencrypt.c:983 src/utils_reencrypt.c:992 +msgid "Not enough free keyslots for reencryption." +msgstr "Za mało wolnych kluczy do ponownego szyfrowania." + +#: src/utils_reencrypt.c:1013 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu." 
+ +#: src/utils_reencrypt.c:1022 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Hasło dla klucza %d: " + +#: src/utils_reencrypt.c:1034 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Hasło dla klucza %u: " + +#: src/utils_reencrypt.c:1086 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Zmiana szyfru do szyfrowania danych na %s.\n" + +#: src/utils_reencrypt.c:1140 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Nie zmieniono parametrów segmentu danych. Ponowne szyfrowanie przerwane." + +#: src/utils_reencrypt.c:1242 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Zwiększanie rozmiaru sektora szyfrowania na urządzeniu offline nie jest obsługiwane.\n" +"Należy najpierw uaktywnić urządzenie lub użyć opcji --force-offline-reencrypt (niebezpieczna!)." + +#: src/utils_reencrypt.c:1282 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Ponowne szyfrowanie przerwane." + +#: src/utils_reencrypt.c:1287 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Wznawianie ponownego szyfrowania LUKS w wymuszonym trybie offline.\n" + +#: src/utils_reencrypt.c:1304 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Urządzenie %s zawiera uszkodzone metadane LUKS. Przerwano operację." + +#: src/utils_reencrypt.c:1320 src/utils_reencrypt.c:1342 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "Urządzenie %s jest już urządzeniem LUKS. Przerwano operację." + +#: src/utils_reencrypt.c:1348 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." 
+msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS. Przerwano operację." + +#: src/utils_reencrypt.c:1421 +msgid "LUKS2 decryption requires --header option." +msgstr "Odszyfrowanie LUKS2 wymaga opcji --header." + +#: src/utils_reencrypt.c:1469 +msgid "Command requires device as argument." +msgstr "Polecenie wymaga urządzenia jako argumentu." + +#: src/utils_reencrypt.c:1482 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS1." + +#: src/utils_reencrypt.c:1488 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS1." + +#: src/utils_reencrypt.c:1494 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS2." + +#: src/utils_reencrypt.c:1500 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS2." + +#: src/utils_reencrypt.c:1506 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane. Przerywanie operacji." + +#: src/utils_reencrypt.c:1513 +msgid "Device reencryption not in progress." +msgstr "Ponowne szyfrowanie urządzenia nie jest w toku." + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "Przydzielenie wyrównanego obszaru pamięci nie powiodło się." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Nie można odczytać urządzenia %s." 
+ +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "Oznaczanie urządzenia LUKS1 %s jako bezużytecznego." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Nie można zapisać na urządzenie %s." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Nie można zapisać pliku logu ponownego szyfrowania." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Nie można odczytać pliku logu ponownego szyfrowania." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Niewłaściwy format logu." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Plik logu %s istnieje, wznowienie ponownego szyfrowania.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu starego nagłówka LUKS." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu nowego nagłówka LUKS." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Uaktywnianie urządzeń tymczasowych nie powiodła się." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Nie udało się ustawić offsetu danych." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Nie udało się ustawić rozmiaru metadanych." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Utworzono nowy nagłówek LUKS dla urządzenia %s." + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Utworzono kopię zapasową nagłówka %s urządzenia %s." 
+ +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Tworzenie kopii zapasowych nagłówków LUKS nie powiodło się." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Nie można odtworzyć nagłówka %s na urządzeniu %s." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Odtworzono nagłówek %s na urządzeniu %s." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Nie można otworzyć tymczasowego urządzenia LUKS." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Nie można pobrać rozmiaru urządzenia." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "Błąd we/wy podczas ponownego szyfrowania." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Dostarczony UUID jest nieprawidłowy." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "Nie można otworzyć pliku logu ponownego szyfrowania." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Nie w trakcie odszyfrowywania; dostarczony UUID może być użyty tylko do wznowienia wstrzymanego procesu odszyfrowywania." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "Ponowne szyfrowanie zmieni: %s%s%s%s%s%s." 
+ +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "klucz wolumenu" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "hasz na " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", szyfr na" + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "UWAGA: urządzenie %s już zawiera sygnaturę partycji '%s'.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "UWAGA: urządzenie %s już zawiera sygnaturę superbloku '%s'.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Nie udało się zainicjować sond sygnatur urządzeń." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Nie udało się wykonać stat na urządzeniu %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Urządzenie %s jest w użyciu. Nie można kontynuować operacji formatowania." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Nie udało się otworzyć pliku %s do odczytu i zapisu." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Istniejąca sygnatura partycji '%s' na urządzeniu %s zostanie wymazana." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Istniejąca sygnatura superbloku '%s' na urządzeniu %s zostanie wymazana." -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." 
msgstr "Nie udało się wymazać sygnatury urządzenia." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Nie udało się sprawdzić sygnatury urządzenia %s." @@ -3401,16 +3682,16 @@ msgstr "Nie udało się sprawdzić sygnatury urządzenia %s." msgid "Invalid size specification in parameter --%s." msgstr "Błędne określenie rozmiaru w parametrze --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Opcja --%s nie jest dozwolona z akcją %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Nie udało się zapisać danych JSON tokenu SSH." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3426,110 +3707,110 @@ msgstr ""
 "\n"
 "Uwaga: informacje dostarczone przy dodawaniu tokenu (adres serwera SSH, użytkownik i ścieżki) zostaną zapisane w nagłówku LUKS2 czystym tekstem."
 
-#: tokens/ssh/cryptsetup-ssh.c:136
+#: tokens/ssh/cryptsetup-ssh.c:138
 msgid "<action> <device>"
 msgstr "<akcja> <urządzenie>"
 
-#: tokens/ssh/cryptsetup-ssh.c:139
+#: tokens/ssh/cryptsetup-ssh.c:141
 msgid "Options for the 'add' action:"
 msgstr "Opcje dla akcji 'add':"
 
-#: tokens/ssh/cryptsetup-ssh.c:140
+#: tokens/ssh/cryptsetup-ssh.c:142
 msgid "IP address/URL of the remote server for this token"
 msgstr "Adres IP/URL zdalnego serwera dla tego tokenu"
 
-#: tokens/ssh/cryptsetup-ssh.c:141
+#: tokens/ssh/cryptsetup-ssh.c:143
 msgid "Username used for the remote server"
 msgstr "Nazwa użytkownika do użycia ze zdalnym serwerem"
 
-#: tokens/ssh/cryptsetup-ssh.c:142
+#: tokens/ssh/cryptsetup-ssh.c:144
 msgid "Path to the key file on the remote server"
 msgstr "Ścieżka do pliku klucza na zdalnym serwerze"
 
-#: tokens/ssh/cryptsetup-ssh.c:143
+#: tokens/ssh/cryptsetup-ssh.c:145
 msgid "Path to the SSH key for connecting to the remote server"
 msgstr "Ścieżka do klucza SSH do połączenia ze zdalnym serwerem"
 
-#: tokens/ssh/cryptsetup-ssh.c:144
+#: tokens/ssh/cryptsetup-ssh.c:146
 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
 msgstr "Obszar klucza do przypisania tokenu. Domyślnie token zostanie przypisany do pierwszego obszaru pasującego do podanego hasła."
 
-#: tokens/ssh/cryptsetup-ssh.c:146
+#: tokens/ssh/cryptsetup-ssh.c:148
 msgid "Generic options:"
 msgstr "Opcje ogólne:"
 
-#: tokens/ssh/cryptsetup-ssh.c:147
+#: tokens/ssh/cryptsetup-ssh.c:149
 msgid "Shows more detailed error messages"
 msgstr "Wyświetlanie bardziej szczegółowych komunikatów błędów"
 
-#: tokens/ssh/cryptsetup-ssh.c:148
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Show debug messages"
 msgstr "Wyświetlanie komunikatów diagnostycznych"
 
-#: tokens/ssh/cryptsetup-ssh.c:149
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Show debug messages including JSON metadata"
 msgstr "Wyświetlanie komunikatów diagnostycznych wraz z metadanymi JSON"
 
-#: tokens/ssh/cryptsetup-ssh.c:260
+#: tokens/ssh/cryptsetup-ssh.c:262
 msgid "Failed to open and import private key:\n"
 msgstr "Nie udało się otworzyć i zaimportować klucza prywatnego:\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:264
+#: tokens/ssh/cryptsetup-ssh.c:266
 msgid "Failed to import private key (password protected?).\n"
 msgstr "Nie udało się zaimportować klucza prywatnego (zabezpieczony hasłem?).\n"
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:266
+#: tokens/ssh/cryptsetup-ssh.c:268
 #, c-format
 msgid "%s@%s's password: "
 msgstr "Hasło %s@%s: "
 
-#: tokens/ssh/cryptsetup-ssh.c:355
+#: tokens/ssh/cryptsetup-ssh.c:357
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "Nie udało się przeanalizować argumentów.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:366
+#: tokens/ssh/cryptsetup-ssh.c:368
 #, c-format
 msgid "An action must be specified\n"
 msgstr "Musi być podana akcja\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:372
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
 msgstr "Dla akcji '%s' musi być podane urządzenie.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:377
+#: tokens/ssh/cryptsetup-ssh.c:379
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
 msgstr "Dla akcji '%s' musi być podany serwer SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:382
+#: tokens/ssh/cryptsetup-ssh.c:384
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
 msgstr "Dla akcji '%s' musi być podany użytkownik SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:387
+#: tokens/ssh/cryptsetup-ssh.c:389
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
 msgstr "Dla akcji '%s' musi być podana ścieżka SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:392
+#: tokens/ssh/cryptsetup-ssh.c:394
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
 msgstr "Dla akcji '%s' musi być podana ścieżka klucza SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:399
+#: tokens/ssh/cryptsetup-ssh.c:401
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
 msgstr "Nie udało się otworzyć %s przy użyciu podanych danych uwierzytelniających.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:415
+#: tokens/ssh/cryptsetup-ssh.c:417
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
 msgstr "Ta wtyczka obecnie obsługuje wyłącznie akcję 'add'.\n"
 
-#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot create sftp session: "
 msgstr "Nie można utworzyć sesji sftp: "
 
@@ -3537,6 +3818,10 @@ msgstr "Nie można utworzyć sesji sftp: "
 msgid "Cannot init sftp session: "
 msgstr "Nie można zainicjować sesji sftp: "
 
+#: tokens/ssh/ssh-utils.c:59
+msgid "Cannot open sftp session: "
+msgstr "Nie można otworzyć sesji sftp: "
+
 #: tokens/ssh/ssh-utils.c:66
 msgid "Cannot stat sftp file: "
 msgstr "Nie można wykonać stat pliku sftp: "
diff --git a/po/ro.po b/po/ro.po
new file mode 100644
index 0000000..c12b283
--- /dev/null
+++ b/po/ro.po
@@ -0,0 +1,3874 @@ +# Mesajele în limba română pentru pachetul cryptsetup. +# Copyright © 2023 Free Software Foundation, Inc. +# This file is put in the public domain. +# This file is distributed under the same license as the cryptsetup package. +# +# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023. +# +# Cronologia traducerii fișierului „cryptsetup”: +# Traducerea inițială, făcută de R-GC, pentru versiunea cryptsetup 2.6.0-rc1. +# Actualizare a traducerii pentru versiunea 2.6.1-rc0, făcută de R-GC, ian-2023. +# Actualizare a traducerii pentru versiunea Y, făcută de X, Y(luna-anul). +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-02 10:02+0100\n" +"Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n" +"Language-Team: Romanian <translation-team-ro@lists.sourceforge.net>\n" +"Language: ro\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : (n==0 || ((n%100) > 0 && (n%100) < 20)) ? 1 : 2);\n" +"X-Bugs: Report translation errors to the Language-Team address.\n" +"X-Generator: Poedit 3.2.2\n" + +#: lib/libdevmapper.c:419 +msgid "Cannot initialize device-mapper, running as non-root user." +msgstr "Nu se poate inițializa device-mapper, rulând ca utilizator non-root." + +#: lib/libdevmapper.c:422 +msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" +msgstr "Nu se poate inițializa device-mapper. Este încărcat modulul nucleului, «dm_mod»?" + +#: lib/libdevmapper.c:1102 +msgid "Requested deferred flag is not supported." +msgstr "Fanionul de întârziere solicitat nu este acceptat." + +#: lib/libdevmapper.c:1171 +#, c-format +msgid "DM-UUID for device %s was truncated." +msgstr "DM-UUID pentru dispozitivul %s a fost trunchiat." 
+ +#: lib/libdevmapper.c:1501 +msgid "Unknown dm target type." +msgstr "Tip de țintă dm necunoscut." + +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 +msgid "Requested dm-crypt performance options are not supported." +msgstr "Opțiunile de performanță dm-crypt solicitate nu sunt acceptate." + +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +msgid "Requested dm-verity data corruption handling options are not supported." +msgstr "Opțiunile de gestionare a corupției datelor dm-verity solicitate nu sunt acceptate." + +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Opțiunea de tasklets dm-verity solicitată nu este acceptată." + +#: lib/libdevmapper.c:1653 +msgid "Requested dm-verity FEC options are not supported." +msgstr "Opțiunile FEC dm-verity solicitate nu sunt acceptate." + +#: lib/libdevmapper.c:1659 +msgid "Requested data integrity options are not supported." +msgstr "Opțiunile de integritate a datelor solicitate nu sunt acceptate." + +#: lib/libdevmapper.c:1663 +msgid "Requested sector_size option is not supported." +msgstr "Opțiunea sector_size solicitată nu este acceptată." + +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +msgid "Requested automatic recalculation of integrity tags is not supported." +msgstr "Recalcularea automată a etichetelor de integritate solicitată nu este acceptată." + +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 +msgid "Discard/TRIM is not supported." +msgstr "Înlăturarea/Decuparea(TRIM) nu este acceptată." + +#: lib/libdevmapper.c:1688 +msgid "Requested dm-integrity bitmap mode is not supported." +msgstr "Modul de hartă de biți dm-integrity solicitat nu este acceptat." + +#: lib/libdevmapper.c:2724 +#, c-format +msgid "Failed to query dm-%s segment." +msgstr "Nu s-a putut interoga segmentul dm-%s." 
+ +#: lib/random.c:73 +msgid "" +"System is out of entropy while generating volume key.\n" +"Please move mouse or type some text in another window to gather some random events.\n" +msgstr "" +"Sistemul este în afara entropiei în timp ce generează cheia de volum.\n" +"Mișcați mouse-ul sau tastați ceva text într-o altă fereastră pentru a genera și colecta câteva evenimente aleatorii.\n" + +#: lib/random.c:77 +#, c-format +msgid "Generating key (%d%% done).\n" +msgstr "Se generează cheia (%d%% finalizată).\n" + +#: lib/random.c:163 +msgid "Running in FIPS mode." +msgstr "Rulează în modul FIPS." + +#: lib/random.c:169 +msgid "Fatal error during RNG initialisation." +msgstr "Eroare fatală în timpul inițializării generatorului de numere aleatorii(RNG)." + +#: lib/random.c:207 +msgid "Unknown RNG quality requested." +msgstr "Calitatea solicitată pentru generatorul de numere aleatoare(RNG) este necunoscută." + +#: lib/random.c:212 +msgid "Error reading from RNG." +msgstr "Eroare la citirea din generatorul de numere aleatorii(RNG)." + +#: lib/setup.c:231 +msgid "Cannot initialize crypto RNG backend." +msgstr "Nu s-a putut inițializa utilitarul de criptare al generatorului de numere aleatorii(RNG)." + +#: lib/setup.c:237 +msgid "Cannot initialize crypto backend." +msgstr "Nu s-a putut inițializa utilitarul de criptare ." + +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#, c-format +msgid "Hash algorithm %s not supported." +msgstr "Algoritmul sumei de control %s nu este acceptat." + +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#, c-format +msgid "Key processing error (using hash %s)." +msgstr "Eroare de procesare a cheii (folosind suma de control %s)." + +#: lib/setup.c:342 lib/setup.c:369 +msgid "Cannot determine device type. Incompatible activation of device?" +msgstr "Nu se poate determina tipul de dispozitiv. Activare a dispozitivului incompatibilă?" + +#: lib/setup.c:348 lib/setup.c:3320 +msgid "This operation is supported only for LUKS device." 
+msgstr "Această operație este acceptată doar pentru dispozitive LUKS." + +#: lib/setup.c:375 +msgid "This operation is supported only for LUKS2 device." +msgstr "Această operație este acceptată doar pentru dispozitive LUKS2." + +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +msgid "All key slots full." +msgstr "Toate sloturile pentru chei sunt ocupate." + +#: lib/setup.c:438 +#, c-format +msgid "Key slot %d is invalid, please select between 0 and %d." +msgstr "Slotul de cheie %d este nu este valid, selectați între 0 și %d." + +#: lib/setup.c:444 +#, c-format +msgid "Key slot %d is full, please select another one." +msgstr "Slotul pentru chei %d este ocupat, selectați altul." + +#: lib/setup.c:529 lib/setup.c:3042 +msgid "Device size is not aligned to device logical block size." +msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea blocului logic al dispozitivului." + +#: lib/setup.c:627 +#, c-format +msgid "Header detected but device %s is too small." +msgstr "Antet detectat, dar dispozitivul %s este prea mic." + +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +msgid "This operation is not supported for this device type." +msgstr "Această operație nu este suportată pentru acest tip de dispozitiv." + +#: lib/setup.c:673 +msgid "Illegal operation with reencryption in-progress." +msgstr "Operație ilegală cu recriptare în curs." + +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Nu s-au putut reîncărca metadatele LUKS2 în memorie." 
+ +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Dispozitivul %s nu este un dispozitiv LUKS valid." + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#, c-format +msgid "Unsupported LUKS version %d." +msgstr "Versiunea %d de LUKS nu este acceptată." + +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 +#, c-format +msgid "Device %s is not active." +msgstr "Dispozitivul %s nu este activ." + +#: lib/setup.c:1508 +#, c-format +msgid "Underlying device for crypt device %s disappeared." +msgstr "Dispozitivul subiacent pentru dispozitivul criptat %s a dispărut." + +#: lib/setup.c:1590 +msgid "Invalid plain crypt parameters." +msgstr "Parametrii de criptare simplă sunt incorecți." + +#: lib/setup.c:1595 lib/setup.c:2054 +msgid "Invalid key size." +msgstr "Dimensiunea cheii este nevalidă." + +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +msgid "UUID is not supported for this crypt type." +msgstr "UUID-ul nu este acceptat pentru acest tip de criptare." + +#: lib/setup.c:1605 lib/setup.c:2064 +msgid "Detached metadata device is not supported for this crypt type." +msgstr "Dispozitivul cu metadate detașate nu este acceptat pentru acest tip de criptare." + +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +msgid "Unsupported encryption sector size." +msgstr "Dimensiunea sectorului de criptare nu este acceptată." + +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +msgid "Device size is not aligned to requested sector size." 
+msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea sectorului solicitată."
+
+#: lib/setup.c:1675 lib/setup.c:1799
+msgid "Can't format LUKS without device."
+msgstr "Formatarea LUKS fără dispozitiv nu este posibilă."
+
+#: lib/setup.c:1681 lib/setup.c:1805
+msgid "Requested data alignment is not compatible with data offset."
+msgstr "Alinierea datelor solicitată nu este compatibilă cu poziția datelor."
+
+#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274
+#, c-format
+msgid "Cannot wipe header on device %s."
+msgstr "Nu se poate șterge antetul pe dispozitivul %s."
+
+#: lib/setup.c:1769 lib/setup.c:2036
+#, c-format
+msgid "Device %s is too small for activation, there is no remaining space for data.\n"
+msgstr "Dispozitivul %s este prea mic pentru activare, nu a mai rămas spațiu pentru date.\n"
+
+#: lib/setup.c:1840
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr "AVERTISMENT: Activarea dispozitivului va eșua, dm-crypt nu are suport pentru dimensiunea sectorului de criptare solicitată.\n"
+
+#: lib/setup.c:1863
+msgid "Volume key is too small for encryption with integrity extensions."
+msgstr "Cheia de volum este prea mică pentru criptare cu extensii de integritate."
+
+#: lib/setup.c:1923
+#, c-format
+msgid "Cipher %s-%s (key size %zd bits) is not available."
+msgstr "Cifrul %s-%s (dimensiunea cheii %zd biți) nu este disponibil."
+
+#: lib/setup.c:1949
+#, c-format
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "AVERTISMENT: dimensiunea metadatelor LUKS2 s-a schimbat la %<PRIu64> octeți.\n"
+
+#: lib/setup.c:1953
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "AVERTISMENT: dimensiunea zonei sloturilor de chei LUKS2 s-a schimbat la %<PRIu64> octeți.\n"
+
+#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
+#, c-format
+msgid "Device %s is too small."
+msgstr "Dispozitivul %s este prea mic."
+
+#: lib/setup.c:1990 lib/setup.c:2016
+#, c-format
+msgid "Cannot format device %s in use."
+msgstr "Nu se poate formata dispozitivul %s, este în uz."
+
+#: lib/setup.c:1993 lib/setup.c:2019
+#, c-format
+msgid "Cannot format device %s, permission denied."
+msgstr "Nu se poate formata dispozitivul %s; permisiune refuzată."
+
+#: lib/setup.c:2005 lib/setup.c:2334
+#, c-format
+msgid "Cannot format integrity for device %s."
+msgstr "Nu se poate formata integritatea pentru dispozitivul %s."
+
+#: lib/setup.c:2023
+#, c-format
+msgid "Cannot format device %s."
+msgstr "Nu se poate formata dispozitivul %s."
+
+#: lib/setup.c:2049
+msgid "Can't format LOOPAES without device."
+msgstr "Nu se poate formata LOOPAES fără dispozitiv."
+
+#: lib/setup.c:2094
+msgid "Can't format VERITY without device."
+msgstr "Nu se poate formata VERITY fără dispozitiv."
+
+#: lib/setup.c:2105 lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY hash type %d."
+msgstr "Tip de sumă de control VERITY neacceptat %d."
+
+#: lib/setup.c:2111 lib/verity/verity.c:109
+msgid "Unsupported VERITY block size."
+msgstr "Dimensiunea blocului VERITY nu este acceptată."
+
+#: lib/setup.c:2116 lib/verity/verity.c:74
+msgid "Unsupported VERITY hash offset."
+msgstr "Decalajul sumei de control VERITY nu este acceptat."
+
+#: lib/setup.c:2121
+msgid "Unsupported VERITY FEC offset."
+msgstr "Decalajul FEC VERITY nu este acceptat."
+
+#: lib/setup.c:2145
+msgid "Data area overlaps with hash area."
+msgstr "Zona de date se suprapune cu zona de sume de control."
+
+#: lib/setup.c:2170
+msgid "Hash area overlaps with FEC area."
+msgstr "Zona sumelor de control se suprapune cu zona FEC."
+
+#: lib/setup.c:2177
+msgid "Data area overlaps with FEC area."
+msgstr "Zona de date se suprapune cu zona FEC."
+
+#: lib/setup.c:2313
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "AVERTISMENT: Dimensiunea solicitată a etichetei %d octeți diferă de dimensiunea %s de ieșire (%d octeți).\n"
+
+#: lib/setup.c:2392
+#, c-format
+msgid "Unknown crypt device type %s requested."
+msgstr "A fost solicitat un tip de dispozitiv de criptare necunoscut %s."
+
+#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791
+#, c-format
+msgid "Unsupported parameters on device %s."
+msgstr "Parametri neacceptați pentru dispozitivul %s."
+
+#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862
+#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
+#, c-format
+msgid "Mismatching parameters on device %s."
+msgstr "Parametrii nepotriviți în dispozitivul %s."
+
+#: lib/setup.c:2822
+msgid "Crypt devices mismatch."
+msgstr "Dispozitivele de criptare nu se potrivesc."
+
+#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361
+#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
+#, c-format
+msgid "Failed to reload device %s."
+msgstr "Nu s-a putut reîncărca dispozitivul %s."
+
+#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332
+#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
+#, c-format
+msgid "Failed to suspend device %s."
+msgstr "Nu s-a putut suspenda dispozitivul %s."
+
+#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346
+#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
+#: lib/luks2/luks2_reencrypt.c:4036
+#, c-format
+msgid "Failed to resume device %s."
+msgstr "Nu s-a putut reîncărca dispozitivul %s."
+
+#: lib/setup.c:2897
+#, c-format
+msgid "Fatal error while reloading device %s (on top of device %s)."
+msgstr "Eroare fatală la reîncărcarea dispozitivului %s (în partea superioară a dispozitivului %s)."
+
+#: lib/setup.c:2900 lib/setup.c:2902
+#, c-format
+msgid "Failed to switch device %s to dm-error."
+msgstr "Nu s-a putut comuta dispozitivul %s la dm-error."
+
+#: lib/setup.c:2984
+msgid "Cannot resize loop device."
+msgstr "Nu se poate redimensiona dispozitivul de buclă."
+
+#: lib/setup.c:3027
+msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
+msgstr "AVERTISMENT: Dimensiunea maximă a fost deja stabilită sau nucleul nu acceptă redimensionarea.\n"
+
+#: lib/setup.c:3088
+msgid "Resize failed, the kernel doesn't support it."
+msgstr "Redimensionarea nu a reușit, nucleul nu acceptă redimensionarea."
+
+#: lib/setup.c:3120
+msgid "Do you really want to change UUID of device?"
+msgstr "Chiar doriți să schimbați UUID-ul dispozitivului?"
+
+#: lib/setup.c:3212
+msgid "Header backup file does not contain compatible LUKS header."
+msgstr "Fișierul de copie de rezervă pentru antet nu conține un antet LUKS compatibil."
+
+#: lib/setup.c:3328
+#, c-format
+msgid "Volume %s is not active."
+msgstr "Volumul %s nu este activ."
+
+#: lib/setup.c:3339
+#, c-format
+msgid "Volume %s is already suspended."
+msgstr "Volumul %s este deja suspendat."
+
+#: lib/setup.c:3352
+#, c-format
+msgid "Suspend is not supported for device %s."
+msgstr "Suspendarea nu este acceptată pentru dispozitivul %s."
+
+#: lib/setup.c:3354
+#, c-format
+msgid "Error during suspending device %s."
+msgstr "Eroare la suspendarea dispozitivului %s."
+
+#: lib/setup.c:3389
+#, c-format
+msgid "Resume is not supported for device %s."
+msgstr "Reluarea activității nu este acceptată pentru dispozitivul %s."
+
+#: lib/setup.c:3391
+#, c-format
+msgid "Error during resuming device %s."
+msgstr "Eroare la reluarea activității dispozitivului %s."
+
+#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589
+#: src/cryptsetup.c:2479
+#, c-format
+msgid "Volume %s is not suspended."
+msgstr "Volumul %s nu este suspendat."
+
+#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561
+#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228
+#: src/cryptsetup.c:2011
+msgid "Volume key does not match the volume."
+msgstr "Cheia de volum nu se potrivește cu volumul."
+
+#: lib/setup.c:3737
+msgid "Failed to swap new key slot."
+msgstr "Nu s-a putut efectua interschimbarea cu noul slot pentru cheie."
+
+#: lib/setup.c:3835
+#, c-format
+msgid "Key slot %d is invalid."
+msgstr "Slotul de cheie %d nu este valid."
+
+#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208
+#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
+#, c-format
+msgid "Keyslot %d is not active."
+msgstr "Slotul de cheie %d nu este activ."
+
+#: lib/setup.c:3860
+msgid "Device header overlaps with data area."
+msgstr "Antetul dispozitivului se suprapune cu zona de date."
+
+#: lib/setup.c:4165
+msgid "Reencryption in-progress. Cannot activate device."
+msgstr "Recriptare în curs. Nu se poate activa dispozitivul."
+
+#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703
+#: lib/luks2/luks2_reencrypt.c:3590
+msgid "Failed to get reencryption lock."
+msgstr "Nu s-a putut obține blocarea pentru recriptare."
+
+#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Recuperarea recriptării LUKS2 a eșuat."
+
+#: lib/setup.c:4352 lib/setup.c:4618
+msgid "Device type is not properly initialized."
+msgstr "Tipul de dispozitiv nu este inițializat corect."
+
+#: lib/setup.c:4400
+#, c-format
+msgid "Device %s already exists."
+msgstr "Dispozitivul %s există deja."
+
+#: lib/setup.c:4407
+#, c-format
+msgid "Cannot use device %s, name is invalid or still in use."
+msgstr "Nu se poate folosi dispozitivul %s, numele este nevalid sau este încă în uz."
+
+#: lib/setup.c:4527
+msgid "Incorrect volume key specified for plain device."
+msgstr "Este specificată o cheie de volum incorectă pentru un dispozitiv cu criptare normală."
+
+#: lib/setup.c:4644
+msgid "Incorrect root hash specified for verity device."
+msgstr "Sumă de control rădăcină incorectă specificată pentru dispozitivul verity."
+
+#: lib/setup.c:4654
+msgid "Root hash signature required."
+msgstr "Este necesară semnătura de sumă de control rădăcină."
+
+#: lib/setup.c:4663
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Lipsește inelul de chei pentru nucleu: este necesar pentru transmiterea semnăturii către nucleu."
+
+#: lib/setup.c:4680 lib/setup.c:6423
+msgid "Failed to load key in kernel keyring."
+msgstr "Nu s-a putut încărca cheia în inelul de chei al nucleului."
+
+#: lib/setup.c:4736
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Nu s-a putut anula eliminarea întârziată din dispozitivul %s."
+
+#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756
+#: src/utils_reencrypt.c:116
+#, c-format
+msgid "Device %s is still in use."
+msgstr "Dispozitivul %s este încă în uz."
+
+#: lib/setup.c:4768
+#, c-format
+msgid "Invalid device %s."
+msgstr "Dispozitiv nevalid %s."
+
+#: lib/setup.c:4908
+msgid "Volume key buffer too small."
+msgstr "Memoria tampon a cheii de volum este prea mică."
+
+#: lib/setup.c:4925
+msgid "Cannot retrieve volume key for LUKS2 device."
+msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS2."
+
+#: lib/setup.c:4934
+msgid "Cannot retrieve volume key for LUKS1 device."
+msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS1."
+
+#: lib/setup.c:4944
+msgid "Cannot retrieve volume key for plain device."
+msgstr "Nu se poate recupera tasta de volum pentru dispozitivul normal."
+
+#: lib/setup.c:4952
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Nu se poate recupera suma de control rădăcină pentru dispozitivul verity."
+
+#: lib/setup.c:4959
+msgid "Cannot retrieve volume key for BITLK device."
+msgstr "Nu se poate recupera cheia de volum pentru dispozitivul BITLK."
+
+#: lib/setup.c:4964
+msgid "Cannot retrieve volume key for FVAULT2 device."
+msgstr "Nu se poate recupera cheia de volum pentru dispozitivul FVAULT2."
+
+#: lib/setup.c:4966
+#, c-format
+msgid "This operation is not supported for %s crypt device."
+msgstr "Această operație nu este acceptată pentru dispozitivul criptat %s."
+
+#: lib/setup.c:5147 lib/setup.c:5158
+msgid "Dump operation is not supported for this device type."
+msgstr "Operația de descărcare nu este acceptată pentru acest tip de dispozitiv."
+
+#: lib/setup.c:5500
+#, c-format
+msgid "Data offset is not multiple of %u bytes."
+msgstr "Decalajul datelor nu este multiplu de %u octeți."
+
+#: lib/setup.c:5788
+#, c-format
+msgid "Cannot convert device %s which is still in use."
+msgstr "Nu se poate converti dispozitivul %s care este încă în uz."
+
+#: lib/setup.c:6098 lib/setup.c:6237
+#, c-format
+msgid "Failed to assign keyslot %u as the new volume key."
+msgstr "Nu s-a putut atribui slotul %u ca nouă cheie de volum."
+
+#: lib/setup.c:6122
+msgid "Failed to initialize default LUKS2 keyslot parameters."
+msgstr "Nu s-au putut inițializa parametrii impliciți pentru slotul de cheie LUKS2."
+
+#: lib/setup.c:6128
+#, c-format
+msgid "Failed to assign keyslot %d to digest."
+msgstr "Nu s-a putut aloca slotul de cheie %d pentru a digera."
+
+#: lib/setup.c:6353
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr "Nu se poate adăuga slotul pentru cheie, toate sloturile sunt dezactivate și nu este furnizată nicio cheie pentru volum."
+
+#: lib/setup.c:6490
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Inelul de chei pentru nucleu nu este acceptat de nucleu actual."
+
+#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807
+#, c-format
+msgid "Failed to read passphrase from keyring (error %d)."
+msgstr "Nu s-a putut citi expresia de acces din inelul de chei (eroarea %d)."
+
+#: lib/setup.c:6523
+msgid "Failed to acquire global memory-hard access serialization lock."
+msgstr "Nu s-a putut obține blocarea de serializare a accesului la memoria-hardwarw globală."
+
+#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
+msgid "Failed to open key file."
+msgstr "Nu s-a putut deschide fișierul cheii."
+
+#: lib/utils.c:163
+msgid "Cannot read keyfile from a terminal."
+msgstr "Nu se poate citi fișierul de cheie de la un terminal."
+
+#: lib/utils.c:179
+msgid "Failed to stat key file."
+msgstr "Nu s-a putut obține starea fișierului de cheie."
+
+#: lib/utils.c:187 lib/utils.c:208
+msgid "Cannot seek to requested keyfile offset."
+msgstr "Nu se poate căuta poziția fișierului de cheie solicitat."
+
+#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225
+#: src/utils_password.c:237
+msgid "Out of memory while reading passphrase."
+msgstr "Memoria epuizată în timpul citirii frazei de acces."
+
+#: lib/utils.c:237
+msgid "Error reading passphrase."
+msgstr "Eroare la citirea frazei de acces."
+
+#: lib/utils.c:254
+msgid "Nothing to read on input."
+msgstr "Nimic de citit la intrare."
+
+#: lib/utils.c:261
+msgid "Maximum keyfile size exceeded."
+msgstr "Dimensiunea maximă a fișierului de cheie a fost depășită."
+
+#: lib/utils.c:266
+msgid "Cannot read requested amount of data."
+msgstr "Nu se poate citi cantitatea de date solicitată."
+
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440
+#, c-format
+msgid "Device %s does not exist or access denied."
+msgstr "Dispozitivul %s nu există sau accesul a fost refuzat."
+
+#: lib/utils_device.c:217
+#, c-format
+msgid "Device %s is not compatible."
+msgstr "Dispozitivul %s nu este compatibil."
+
+#: lib/utils_device.c:561
+#, c-format
+msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
+msgstr "Se ignoră dimensiunea optimă de transfer de date falsă pentru dispozitivul de date (%u octeți)."
+
+#: lib/utils_device.c:722
+#, c-format
+msgid "Device %s is too small. Need at least %<PRIu64> bytes."
+msgstr "Dispozitivul %s este prea mic. Aveți nevoie de cel puțin %<PRIu64> octeți."
+
+#: lib/utils_device.c:803
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted)."
+msgstr "Nu se poate utiliza dispozitivul %s care este în uz (deja cartografiat sau montat)."
+
+#: lib/utils_device.c:807
+#, c-format
+msgid "Cannot use device %s, permission denied."
+msgstr "Nu se poate utiliza dispozitivul %s, permisiune refuzată."
+
+#: lib/utils_device.c:810
+#, c-format
+msgid "Cannot get info about device %s."
+msgstr "Nu se pot obține informații despre dispozitivul %s."
+
+#: lib/utils_device.c:833
+msgid "Cannot use a loopback device, running as non-root user."
+msgstr "Nu se poate utiliza un dispozitiv loopback, deoarece programul nu rulează cu privilegii de root."
+
+#: lib/utils_device.c:844
+msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
+msgstr "Atașarea dispozitivului de loopback a eșuat (este necesar un dispozitiv de buclă cu fanion de ștergere automată)."
+
+#: lib/utils_device.c:892
+#, c-format
+msgid "Requested offset is beyond real size of device %s."
+msgstr "Decalajul solicitat depășește dimensiunea reală a dispozitivului %s."
+
+#: lib/utils_device.c:900
+#, c-format
+msgid "Device %s has zero size."
+msgstr "Dispozitivul %s are dimensiune zero."
+
+#: lib/utils_pbkdf.c:100
+msgid "Requested PBKDF target time cannot be zero."
+msgstr "Ora specificată pentru PBKDF nu poate fi zero."
+
+#: lib/utils_pbkdf.c:106
+#, c-format
+msgid "Unknown PBKDF type %s."
+msgstr "Tip PBKDF necunoscut %s."
+
+#: lib/utils_pbkdf.c:111
+#, c-format
+msgid "Requested hash %s is not supported."
+msgstr "Suma de control solicitată %s nu este acceptată."
+
+#: lib/utils_pbkdf.c:122
+msgid "Requested PBKDF type is not supported for LUKS1."
+msgstr "Tipul PBKDF solicitat nu este acceptat pentru LUKS1."
+
+#: lib/utils_pbkdf.c:128
+msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
+msgstr "Memoria maximă PBKDF sau firele de execuție paralele nu trebuie definite cu pbkdf2."
+
+#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#, c-format
+msgid "Forced iteration count is too low for %s (minimum is %u)."
+msgstr "Numărul de iterații forțate este prea mic pentru %s (minimul este %u)."
+
+#: lib/utils_pbkdf.c:148
+#, c-format
+msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
+msgstr "Costul memoriei forțate este prea mic pentru %s (minimul este de %u kiloocteți)."
+
+#: lib/utils_pbkdf.c:155
+#, c-format
+msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
+msgstr "Costul maxim de memorie PBKDF solicitat este prea mare (maximul este de %d kiloocteți)."
+
+#: lib/utils_pbkdf.c:160
+msgid "Requested maximum PBKDF memory cannot be zero."
+msgstr "Memoria PBKDF maximă solicitată nu poate fi zero."
+
+#: lib/utils_pbkdf.c:164
+msgid "Requested PBKDF parallel threads cannot be zero."
+msgstr "Firele paralele de execuție PBKDF solicitate nu pot fi zero."
+
+#: lib/utils_pbkdf.c:184
+msgid "Only PBKDF2 is supported in FIPS mode."
+msgstr "Doar PBKDF2 este acceptat în modul FIPS."
+
+#: lib/utils_benchmark.c:175
+msgid "PBKDF benchmark disabled but iterations not set."
+msgstr "Testarea PBKDF este dezactivată, dar numărul de iterații nu este definit."
+
+#: lib/utils_benchmark.c:194
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
+msgstr "Opțiuni PBKDF2 incompatibile (folosind algoritmul de sumă de control %s)."
+
+#: lib/utils_benchmark.c:214
+msgid "Not compatible PBKDF options."
+msgstr "Opțiuni PBKDF2 incompatibile."
+
+#: lib/utils_device_locking.c:101
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
+msgstr "Blocarea a fost anulată. Calea de blocare %s/%s este inutilizabilă (nu este un director sau lipsește)."
+
+#: lib/utils_device_locking.c:118
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
+msgstr "Blocarea a fost anulată. Calea de blocare %s/%s este inutilizabilă (%s nu este un director)."
+
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
+msgid "Cannot seek to device offset."
+msgstr "Nu se poate căuta la poziția dispozitivului."
+
+#: lib/utils_wipe.c:247
+#, c-format
+msgid "Device wipe error, offset %<PRIu64>."
+msgstr "Eroare de ștergere a dispozitivului, decalaj %<PRIu64>."
+
+#: lib/luks1/keyencryption.c:39
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info)."
+msgstr ""
+"Nu s-a putut configura asocierea cheii dm-crypt la dispozitivul %s.\n"
+"Verificați dacă nucleul acceptă cifrul %s (verificați syslog pentru mai multe informații)."
+
+#: lib/luks1/keyencryption.c:44
+msgid "Key size in XTS mode must be 256 or 512 bits."
+msgstr "Dimensiunea cheii în modul XTS trebuie să fie de 256 sau 512 biți."
+
+#: lib/luks1/keyencryption.c:46
+msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
+msgstr "Specificațiile de cifrare ar trebui să fie în formatul [cifrarea]-[mod]-[iv]." + +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#, c-format +msgid "Cannot write to device %s, permission denied." +msgstr "Nu se poate scrie în dispozitivul %s, permisiune refuzată." + +#: lib/luks1/keyencryption.c:120 +msgid "Failed to open temporary keystore device." +msgstr "Nu s-a putut deschide dispozitivul pentru stocarea temporară a cheilor." + +#: lib/luks1/keyencryption.c:127 +msgid "Failed to access temporary keystore device." +msgstr "Nu s-a putut accesa dispozitivul pentru stocarea temporară a cheilor." + +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +msgid "IO error while encrypting keyslot." +msgstr "Eroare de In/Ieș în timpul criptării slotului de cheie." + +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 +#, c-format +msgid "Cannot open device %s." +msgstr "Nu s-a putut deschide dispozitivul %s." + +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 +msgid "IO error while decrypting keyslot." +msgstr "Eroare de In/Ieș la decriptarea slotului de cheie." + +#: lib/luks1/keymanage.c:130 +#, c-format +msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)" +msgstr "Dispozitivul %s este prea mic. 
(LUKS1 necesită cel puțin %<PRIu64> octeți.)" + +#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159 +#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182 +#: lib/luks1/keymanage.c:194 +#, c-format +msgid "LUKS keyslot %u is invalid." +msgstr "Slotul de cheie LUKS %u nu este valid." + +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#, c-format +msgid "Requested header backup file %s already exists." +msgstr "Fișierul de copie de rezervă pentru antetul solicitat %s există deja." + +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#, c-format +msgid "Cannot create header backup file %s." +msgstr "Nu se poate crea fișierul de copie de rezervă al antetului %s." + +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#, c-format +msgid "Cannot write header backup file %s." +msgstr "Nu se poate scrie fișierul de copie de rezervă al antetului %s." + +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +msgid "Backup file does not contain valid LUKS header." +msgstr "Fișierul de copie de rezervă nu conține antet LUKS valid." + +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 +#, c-format +msgid "Cannot open header backup file %s." +msgstr "Nu se poate deschide fișierul de copie de rezervă al antetului %s." + +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#, c-format +msgid "Cannot read header backup file %s." +msgstr "Nu se poate citi fișierul de copie de rezervă al antetului %s." + +#: lib/luks1/keymanage.c:339 +msgid "Data offset or key size differs on device and backup, restore failed." +msgstr "Poziția datelor sau dimensiunea cheii diferă între dispozitiv și copia de rezervă, restaurarea a eșuat." + +#: lib/luks1/keymanage.c:347 +#, c-format +msgid "Device %s %s%s" +msgstr "Dispozitiv %s %s%s" + +#: lib/luks1/keymanage.c:348 +msgid "does not contain LUKS header. Replacing header can destroy data on that device." 
+msgstr "nu conține antetul LUKS. Înlocuirea antetului poate distruge datele de pe acest dispozitiv."
+
+#: lib/luks1/keymanage.c:349
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "conține deja antetul LUKS. Înlocuirea antetului va distruge sloturile de chei existente."
+
+#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"AVERTISMENT: antetul dispozitivului real are un UUID diferit de cel al copiei de rezervă!"
+
+#: lib/luks1/keymanage.c:398
+msgid "Non standard key size, manual repair required."
+msgstr "Dimensiunea cheii nu este standard, este necesară repararea manuală."
+
+#: lib/luks1/keymanage.c:408
+msgid "Non standard keyslots alignment, manual repair required."
+msgstr "Alinierea sloturilor pentru chei nu este standard , este necesară repararea manuală."
+
+#: lib/luks1/keymanage.c:417
+#, c-format
+msgid "Cipher mode repaired (%s -> %s)."
+msgstr "Modul de cifrare reparat (%s -> %s)."
+
+#: lib/luks1/keymanage.c:428
+#, c-format
+msgid "Cipher hash repaired to lowercase (%s)."
+msgstr "Cifrul sumei de control(hash) reparat la minuscule (%s)."
+
+#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:792
+#, c-format
+msgid "Requested LUKS hash %s is not supported."
+msgstr "Suma de control(hash) LUKS solicitată %s nu este acceptată."
+
+#: lib/luks1/keymanage.c:444
+msgid "Repairing keyslots."
+msgstr "Se repară sloturile pentru chei."
+
+#: lib/luks1/keymanage.c:463
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u)."
+msgstr "Slotul de cheie %i: poziție reparată (%u -> %u)."
+
+#: lib/luks1/keymanage.c:471
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u)."
+msgstr "Slotul de cheie %i: benzi reparate (%u -> %u)."
+
+#: lib/luks1/keymanage.c:480
+#, c-format
+msgid "Keyslot %i: bogus partition signature."
+msgstr "Slotul de cheie %i: semnătură falsă a partiției."
+
+#: lib/luks1/keymanage.c:485
+#, c-format
+msgid "Keyslot %i: salt wiped."
+msgstr "Slotul de cheie %i: «salt» șters."
+
+#: lib/luks1/keymanage.c:502
+msgid "Writing LUKS header to disk."
+msgstr "Se scrie antetul LUKS pe disc."
+
+#: lib/luks1/keymanage.c:507
+msgid "Repair failed."
+msgstr "Repararea a eșuat."
+
+#: lib/luks1/keymanage.c:562
+#, c-format
+msgid "LUKS cipher mode %s is invalid."
+msgstr "Modul de cifrare LUKS %s este nevalid."
+
+#: lib/luks1/keymanage.c:567
+#, c-format
+msgid "LUKS hash %s is invalid."
+msgstr "Suma de control(hash) LUKS %s nu este validă."
+
+#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281
+msgid "No known problems detected for LUKS header."
+msgstr "Nu s-a detectat nicio problemă cunoscută pentru antetul LUKS."
+
+#: lib/luks1/keymanage.c:702
+#, c-format
+msgid "Error during update of LUKS header on device %s."
+msgstr "Eroare în timpul actualizării antetului LUKS pe dispozitivul %s."
+
+#: lib/luks1/keymanage.c:710
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s."
+msgstr "Eroare la recitirea antetului LUKS după actualizare pe dispozitivul %s."
+
+#: lib/luks1/keymanage.c:786
+msgid "Data offset for LUKS header must be either 0 or higher than header size."
+msgstr "Decalajul datelor pentru antetul LUKS trebuie să fie 0 sau mai mare decât dimensiunea antetului."
+
+#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866
+#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
+#: src/utils_reencrypt.c:539
+msgid "Wrong LUKS UUID format provided."
+msgstr "Formatul UUID LUKS furnizat este greșit."
+
+#: lib/luks1/keymanage.c:819
+msgid "Cannot create LUKS header: reading random salt failed."
+msgstr "Nu se poate crea antetul LUKS: citirea datelor «salt» aleatoare a eșuat."
+
+#: lib/luks1/keymanage.c:845
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s)."
+msgstr "Nu se poate crea antetul LUKS: calcularea sumei de control a antetului a eșuat (folosind suma de control(hash) %s)."
+
+#: lib/luks1/keymanage.c:889
+#, c-format
+msgid "Key slot %d active, purge first."
+msgstr "Slot de cheie %d activ, curățați mai întâi."
+
+#: lib/luks1/keymanage.c:895
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?"
+msgstr "Materialul de la slotul de cheie %d nu are suficiente benzi. Antetul a fost manipulat?"
+
+#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270
+msgid "PBKDF2 iteration value overflow."
+msgstr "Depășire a valorii de iterație a PBKDF2."
+
+#: lib/luks1/keymanage.c:1040
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Nu se poate deschide slotul de cheie (folosind suma de control(hash) %s)."
+
+#: lib/luks1/keymanage.c:1118
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
+msgstr "Slotul de cheie %d nu este valid, selectați slotul de cheie între 0 și %d."
+
+#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718
+#, c-format
+msgid "Cannot wipe device %s."
+msgstr "Nu se poate șterge dispozitivul %s."
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile."
+msgstr "Fișierul cheie criptat GPG, detectat, nu este încă acceptat."
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Utilizați «gpg --decrypt <fișier_cheie>» | «cryptsetup --keyfile=-...»\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected."
+msgstr "S-a detectat un fișier de cheie loop-AES incompatibil."
+
+#: lib/loopaes/loopaes.c:245
+msgid "Kernel does not support loop-AES compatible mapping."
+msgstr "Nucleul nu acceptă asocierea compatibilă cu bucla loop-AES."
+
+#: lib/tcrypt/tcrypt.c:508
+#, c-format
+msgid "Error reading keyfile %s."
+msgstr "Eroare la citirea fișierului de cheie %s."
+
+#: lib/tcrypt/tcrypt.c:558
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Lungimea maximă a frazei de acces TCRYPT (%zu) a fost depășită."
+
+#: lib/tcrypt/tcrypt.c:600
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping."
+msgstr "Algoritmul sumei de control(hash) PBKDF2 %s nu este disponibil, se omite."
+
+#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
+msgid "Required kernel crypto interface not available."
+msgstr "Interfața necesară de criptare a nucleului nu este disponibilă."
+
+#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
+msgid "Ensure you have algif_skcipher kernel module loaded."
+msgstr "Asigurați-vă că aveți modulul nucleului «algif_skcipher», încărcat."
+
+#: lib/tcrypt/tcrypt.c:762
+#, c-format
+msgid "Activation is not supported for %d sector size."
+msgstr "Activarea nu este acceptată pentru dimensiunea sectorului de %d."
+
+#: lib/tcrypt/tcrypt.c:768
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
+msgstr "Nucleul nu acceptă activarea pentru acest mod vechi TCRYPT."
+
+#: lib/tcrypt/tcrypt.c:799
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s."
+msgstr "Se activează criptarea sistemului TCRYPT pentru partiția %s."
+
+#: lib/tcrypt/tcrypt.c:882
+msgid "Kernel does not support TCRYPT compatible mapping."
+msgstr "Nucleul nu acceptă asocierea compatibilă cu TCRYPT."
+
+#: lib/tcrypt/tcrypt.c:1095
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Această funcție nu este acceptată fără încărcarea antetului TCRYPT."
+
+#: lib/bitlk/bitlk.c:278
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Tip neașteptat de intrare de metadate „%u” găsit la analizarea cheii master de volum acceptate."
+
+#: lib/bitlk/bitlk.c:337
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "S-a găsit șir nevalid la analizarea cheii master de volum."
+
+#: lib/bitlk/bitlk.c:341
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Șir neașteptat („%s”) găsit la analizarea cheii master de volum acceptate."
+
+#: lib/bitlk/bitlk.c:358
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Valoare neașteptată a intrării de metadate „%u” a fost găsită la analizarea cheii master de volum acceptate."
+
+#: lib/bitlk/bitlk.c:460
+msgid "BITLK version 1 is currently not supported."
+msgstr "Versiunea 1 BITLK nu este acceptată în prezent."
+
+#: lib/bitlk/bitlk.c:466
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Semnătură de pornire nevalidă sau necunoscută pentru dispozitivul BITLK."
+
+#: lib/bitlk/bitlk.c:478
+#, c-format
+msgid "Unsupported sector size %<PRIu16>."
+msgstr "Dimensiunea sectorului neacceptată, %<PRIu16>."
+
+#: lib/bitlk/bitlk.c:486
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Nu s-a putut citi antetul BITLK de la %s."
+
+#: lib/bitlk/bitlk.c:511
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Nu s-au putut citi metadatele BITLK FVE de la %s."
+
+#: lib/bitlk/bitlk.c:562
+msgid "Unknown or unsupported encryption type."
+msgstr "Tip de criptare necunoscut sau neacceptat."
+
+#: lib/bitlk/bitlk.c:602
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Nu s-au putut citi intrările de metadate BITLK de la %s."
+
+#: lib/bitlk/bitlk.c:719
+msgid "Failed to convert BITLK volume description"
+msgstr "Nu s-a putut converti descrierea volumului BITLK"
+
+#: lib/bitlk/bitlk.c:882
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing external key."
+msgstr "Tip neașteptat de intrare de metadate „%u” găsit la analizarea cheii externe."
+
+#: lib/bitlk/bitlk.c:905
+#, c-format
+msgid "BEK file GUID '%s' does not match GUID of the volume."
+msgstr "GUID-ul fișierului BEK „%s”, nu se potrivește cu GUID-ul volumului."
+
+#: lib/bitlk/bitlk.c:909
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing external key."
+msgstr "Valoare neașteptată a intrării metadatelor „%u”, a fost găsită la analizarea cheii externe."
+
+#: lib/bitlk/bitlk.c:948
+#, c-format
+msgid "Unsupported BEK metadata version %<PRIu32>"
+msgstr "Versiune neacceptată de metadate BEK %<PRIu32>"
+
+#: lib/bitlk/bitlk.c:953
+#, c-format
+msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
+msgstr "Dimensiune neașteptată a metadatelor BEK %<PRIu32>, nu se potrivește cu lungimea fișierului BEK"
+
+#: lib/bitlk/bitlk.c:979
+msgid "Unexpected metadata entry found when parsing startup key."
+msgstr "Intrare neașteptată de metadate găsită la analizarea cheii de pornire."
+
+#: lib/bitlk/bitlk.c:1075
+msgid "This operation is not supported."
+msgstr "Această operație nu este acceptată."
+
+#: lib/bitlk/bitlk.c:1083
+msgid "Unexpected key data size."
+msgstr "Dimensiune neașteptată a datelor cheii."
+
+#: lib/bitlk/bitlk.c:1209
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Acest dispozitiv BITLK este într-o stare neacceptată și nu poate fi activat."
+
+#: lib/bitlk/bitlk.c:1214
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Dispozitivele BITLK de tip „%s” nu pot fi activate."
+
+#: lib/bitlk/bitlk.c:1221
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Activarea dispozitivului BITLK parțial decriptat nu este acceptată."
+
+#: lib/bitlk/bitlk.c:1262
+#, c-format
+msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
+msgstr "AVERTISMENT: dimensiunea volumului BitLocker %<PRIu64> nu se potrivește cu dimensiunea dispozitivului subiacent %<PRIu64>"
+
+#: lib/bitlk/bitlk.c:1389
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Nu se poate activa dispozitivul, modulul nucleului «dm-crypt» nu are suport pentru BITLK IV."
+
+#: lib/bitlk/bitlk.c:1393
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Dispozitivul nu poate fi activat, modulul nucleului «dm-crypt» nu are suport pentru difuzorul BITLK Elephant."
+
+#: lib/bitlk/bitlk.c:1397
+msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
+msgstr "Dispozitivul nu poate fi activat, kernel-ul dm-crypt nu are suport pentru dimensiune mare a sectorului."
+
+#: lib/bitlk/bitlk.c:1401
+msgid "Cannot activate device, kernel dm-zero module is missing."
+msgstr "Dispozitivul nu se poate activa, modulul nucleului, «dm-zero», lipsește."
+
+#: lib/fvault2/fvault2.c:542
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr "Nu s-au putut citi %u octeți din antetul volumului."
+
+#: lib/fvault2/fvault2.c:554
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr "Versiune FVAULT2 neacceptată %<PRIu16>."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#, c-format
+msgid "Verity device %s does not use on-disk header."
+msgstr "Dispozitivul verity %s nu utilizează antetul de pe disc."
+
+#: lib/verity/verity.c:96
+#, c-format
+msgid "Unsupported VERITY version %d."
+msgstr "Versiunea VERITY %d nu este acceptată."
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted."
+msgstr "Antetul VERITY este corupt."
+
+#: lib/verity/verity.c:176
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s."
+msgstr "Formatul UUID VERITY furnizat pe dispozitivul %s este greșit."
+
+#: lib/verity/verity.c:220
+#, c-format
+msgid "Error during update of verity header on device %s."
+msgstr "Eroare la actualizarea antetului Verity pe dispozitivul %s."
+
+#: lib/verity/verity.c:278
+msgid "Root hash signature verification is not supported."
+msgstr "Verificarea semnăturii sumei de verificare(hash) rădăcină nu este acceptată."
+
+#: lib/verity/verity.c:290
+msgid "Errors cannot be repaired with FEC device."
+msgstr "Erorile nu pot fi reparate cu dispozitivul FEC."
+
+#: lib/verity/verity.c:292
+#, c-format
+msgid "Found %u repairable errors with FEC device."
+msgstr "S-au găsit %u erori reparabile cu dispozitivul FEC."
+
+#: lib/verity/verity.c:335
+msgid "Kernel does not support dm-verity mapping."
+msgstr "Nucleul nu acceptă asocierea dm-verity."
+
+#: lib/verity/verity.c:339
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Nucleul nu acceptă opțiunea de semnătură dm-verity."
+
+#: lib/verity/verity.c:350
+msgid "Verity device detected corruption after activation."
+msgstr "Dispozitivul verity a detectat corupție după activare."
+
+#: lib/verity/verity_hash.c:66
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>."
+msgstr "Zona de rezervă nu este pusă la zero la poziția %<PRIu64>."
+
+#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:311
+msgid "Device offset overflow."
+msgstr "Depășire a poziției de pe dispozitiv."
+
+#: lib/verity/verity_hash.c:218
+#, c-format
+msgid "Verification failed at position %<PRIu64>."
+msgstr "Verificarea a eșuat la poziția %<PRIu64>."
+
+#: lib/verity/verity_hash.c:307
+msgid "Hash area overflow."
+msgstr "Debordare a zonei sumei de control(hash)."
+
+#: lib/verity/verity_hash.c:380
+msgid "Verification of data area failed."
+msgstr "Verificarea zonei de date a eșuat."
+
+#: lib/verity/verity_hash.c:385
+msgid "Verification of root hash failed."
+msgstr "Verificarea sumei de control(hash) rădăcină a eșuat."
+
+#: lib/verity/verity_hash.c:391
+msgid "Input/output error while creating hash area."
+msgstr "Eroare de intrare/ieșire la crearea zonei de sumă de control(hash)."
+
+#: lib/verity/verity_hash.c:393
+msgid "Creation of hash area failed."
+msgstr "Crearea zonei de sumă de control(hash) a eșuat."
+
+#: lib/verity/verity_hash.c:428
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
+msgstr "AVERTISMENT: Nucleul nu poate activa dispozitivul dacă dimensiunea blocului de date depășește dimensiunea paginii (%u)."
+
+#: lib/verity/verity_fec.c:131
+msgid "Failed to allocate RS context."
+msgstr "Nu s-a putut aloca contextul RS."
+
+#: lib/verity/verity_fec.c:149
+msgid "Failed to allocate buffer."
+msgstr "Nu s-a putut aloca memoria tampon."
+
+#: lib/verity/verity_fec.c:159
+#, c-format
+msgid "Failed to read RS block %<PRIu64> byte %d."
+msgstr "Nu s-a putut citi blocul RS %<PRIu64> octetul %d."
+
+#: lib/verity/verity_fec.c:172
+#, c-format
+msgid "Failed to read parity for RS block %<PRIu64>."
+msgstr "Nu s-a putut citi paritatea pentru blocul RS %<PRIu64>."
+
+#: lib/verity/verity_fec.c:180
+#, c-format
+msgid "Failed to repair parity for block %<PRIu64>."
+msgstr "Nu s-a putut repara paritatea pentru blocul %<PRIu64>."
+
+#: lib/verity/verity_fec.c:192
+#, c-format
+msgid "Failed to write parity for RS block %<PRIu64>."
+msgstr "Nu s-a putut scrie paritatea pentru blocul RS %<PRIu64>."
+
+#: lib/verity/verity_fec.c:208
+msgid "Block sizes must match for FEC."
+msgstr "Dimensiunile blocurilor trebuie să se potrivească pentru FEC."
+
+#: lib/verity/verity_fec.c:214
+msgid "Invalid number of parity bytes."
+msgstr "Număr nevalid de octeți de paritate."
+
+#: lib/verity/verity_fec.c:248
+msgid "Invalid FEC segment length."
+msgstr "Lungimea segmentului FEC nu este validă."
+
+#: lib/verity/verity_fec.c:316
+#, c-format
+msgid "Failed to determine size for device %s."
+msgstr "Nu s-a putut determina dimensiunea pentru dispozitivul %s."
+
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Metadate incompatibile cu modulul nucleului «dm-integrity» (versiunea %u) detectate pe %s."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+msgid "Kernel does not support dm-integrity mapping."
+msgstr "Nucleul nu acceptă asocierea dm-integrity."
+
+#: lib/integrity/integrity.c:283
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Nucleul nu acceptă alinierea metadatelor fixe dm-integrity."
+
+#: lib/integrity/integrity.c:292
+msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
+msgstr "Nucleul refuză să activeze opțiunea de recalculare nesigură (consultați opțiunile de activare vechi pentru a le înlocui)."
+
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
+#, c-format
+msgid "Failed to acquire write lock on device %s."
+msgstr "Nu s-a putut obține blocarea la scriere pe dispozitivul %s."
+
+#: lib/luks2/luks2_disk_metadata.c:400
+msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
+msgstr "S-a detectat o încercare de actualizare concomitentă a metadatelor LUKS2. Se abandonează operația."
+
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+msgid ""
+"Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
+"Please run \"cryptsetup repair\" for recovery."
+msgstr ""
+"Dispozitivul conține semnături ambigue, nu se poate recupera automat LUKS2.\n"
+"Rulați «cryptsetup repair» pentru recuperare."
+
+#: lib/luks2/luks2_json_format.c:229
+msgid "Requested data offset is too small."
+msgstr "Decalajul de date solicitat este prea mic."
+
+#: lib/luks2/luks2_json_format.c:274
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr "AVERTISMENT: zona sloturilor de chei (%<PRIu64> octeți) este foarte mică, numărul de sloturi de chei LUKS2 disponibil este foarte limitat.\n"
+
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
+#: lib/luks2/luks2_keyslot_luks2.c:116
+#, c-format
+msgid "Failed to acquire read lock on device %s."
+msgstr "Nu s-a putut obține blocarea pentru citire pe dispozitivul %s."
+
+#: lib/luks2/luks2_json_metadata.c:1405
+#, c-format
+msgid "Forbidden LUKS2 requirements detected in backup %s."
+msgstr "Cerințe LUKS2 interzise detectate în copia de rezervă %s."
+
+#: lib/luks2/luks2_json_metadata.c:1446
+msgid "Data offset differ on device and backup, restore failed."
+msgstr "Decalajul datelor diferă între dispozitiv și copia de rezervă, restaurare eșuată."
+
+#: lib/luks2/luks2_json_metadata.c:1452
+msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
+msgstr "Antetul binar cu dimensiunea zonelor sloturilor pentru chei diferă între dispozitiv și copia de rezervă, restaurare eșuată."
+
+#: lib/luks2/luks2_json_metadata.c:1459
+#, c-format
+msgid "Device %s %s%s%s%s"
+msgstr "Dispozitiv %s %s%s%s%s"
+
+#: lib/luks2/luks2_json_metadata.c:1460
+msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
+msgstr "nu conține antetul LUKS2. Înlocuirea antetului poate distruge datele de pe acest dispozitiv."
+
+#: lib/luks2/luks2_json_metadata.c:1461
+msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
+msgstr "conține deja antetul LUKS2. Înlocuirea antetului va distruge sloturile de chei existente."
+
+#: lib/luks2/luks2_json_metadata.c:1463
+msgid ""
+"\n"
+"WARNING: unknown LUKS2 requirements detected in real device header!\n"
+"Replacing header with backup may corrupt the data on that device!"
+msgstr ""
+"\n"
+"AVERTISMENT: cerințe necunoscute LUKS2 detectate în antetul dispozitivului real!\n"
+"Înlocuirea antetului cu copia de rezervă poate deteriora datele de pe acest dispozitiv!"
+
+#: lib/luks2/luks2_json_metadata.c:1465
+msgid ""
+"\n"
+"WARNING: Unfinished offline reencryption detected on the device!\n"
+"Replacing header with backup may corrupt data."
+msgstr ""
+"\n"
+"AVERTISMENT: Recriptare „offline” nefinalizată detectată pe dispozitiv!\n"
+"Înlocuirea antetului cu copia de rezervă poate deteriora datele."
+
+#: lib/luks2/luks2_json_metadata.c:1562
+#, c-format
+msgid "Ignored unknown flag %s."
+msgstr "S-a ignorat fanionul necunoscut %s."
+
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
+#, c-format
+msgid "Missing key for dm-crypt segment %u"
+msgstr "Lipsește cheia pentru segmentul dm-crypt %u"
+
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
+msgid "Failed to set dm-crypt segment."
+msgstr "Nu s-a putut definii segmentul dm-crypt."
+
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
+msgid "Failed to set dm-linear segment."
+msgstr "Nu s-a putut definii segmentul dm-linear."
+
+#: lib/luks2/luks2_json_metadata.c:2615
+msgid "Unsupported device integrity configuration."
+msgstr "Configurație de integritate a dispozitivului neacceptată."
+
+#: lib/luks2/luks2_json_metadata.c:2701
+msgid "Reencryption in-progress. Cannot deactivate device."
+msgstr "Recriptare în curs. Nu se poate dezactiva dispozitivul."
+
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
+#, c-format
+msgid "Failed to replace suspended device %s with dm-error target."
+msgstr "Nu s-a putut înlocui dispozitivul suspendat %s cu ținta dm-error."
+
+#: lib/luks2/luks2_json_metadata.c:2792
+msgid "Failed to read LUKS2 requirements."
+msgstr "Nu s-au putut citi cerințele LUKS2."
+
+#: lib/luks2/luks2_json_metadata.c:2799
+msgid "Unmet LUKS2 requirements detected."
+msgstr "Au fost detectate cerințe LUKS2 neîndeplinite."
+
+#: lib/luks2/luks2_json_metadata.c:2807
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare învechită. Se abandonează."
+
+#: lib/luks2/luks2_json_metadata.c:2809
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare LUKS2. Se abandonează."
+
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+msgid "Not enough available memory to open a keyslot."
+msgstr "Nu există suficientă memorie disponibilă pentru a deschide un slot de cheie."
+
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+msgid "Keyslot open failed."
+msgstr "Deschiderea slotului de cheie a eșuat."
+
+#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
+#, c-format
+msgid "Cannot use %s-%s cipher for keyslot encryption."
+msgstr "Nu se poate utiliza cifrul %s-%s pentru criptarea slotului de cheie."
+
+#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "Algoritmul sumei de control(hash) %s nu este disponibil."
+
+#: lib/luks2/luks2_keyslot_luks2.c:510
+msgid "No space for new keyslot."
+msgstr "Nu există spațiu pentru noul slot de cheie."
+
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "A fost solicitată o schimbare incorectă a modului de adaptabilitate pentru recriptare."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Nu se poate actualiza tipul de adaptabilitate. Tipul nou oferă numai %<PRIu64> octeți, spațiul necesar este: %<PRIu64> octeți."
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Nu s-a putut reîmprospăta calcularea sumei de control de verificare a recriptării."
+
+#: lib/luks2/luks2_luks1_convert.c:512
+#, c-format
+msgid "Cannot check status of device with uuid: %s."
+msgstr "Nu se poate verifica starea dispozitivului cu uuid: %s."
+
+#: lib/luks2/luks2_luks1_convert.c:538
+msgid "Unable to convert header with LUKSMETA additional metadata."
+msgstr "Nu s-a putut converti antetul cu metadate suplimentare LUKSMETA."
+
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "Nu se poate utiliza specificația de cifrare %s-%s pentru LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:584
+msgid "Unable to move keyslot area. Not enough space."
+msgstr "Nu se poate muta zona slotului pentru chei. Spațiu insuficient."
+
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Nu se poate converti în format LUKS2 - metadate nevalide."
+
+#: lib/luks2/luks2_luks1_convert.c:636
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Nu se poate muta zona slotului pentru chei. Zona sloturilor pentru chei LUKS2 este prea mică."
+
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+msgid "Unable to move keyslot area."
+msgstr "Nu se poate muta zona slotului pentru chei."
+
+#: lib/luks2/luks2_luks1_convert.c:732
+msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
+msgstr "Nu se poate converti în format LUKS1 - dimensiunea implicită a sectorului de criptare al segmentului nu este de 512 octeți."
+
+#: lib/luks2/luks2_luks1_convert.c:740
+msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
+msgstr "Nu se poate converti în formatul LUKS1 - calcularea sumelor de control ale slotului de cheie nu este compatibilă cu LUKS1."
+
+#: lib/luks2/luks2_luks1_convert.c:752
+#, c-format
+msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
+msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul folosește cifrul de cheie încapsulat %s."
+
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul utilizează mai multe segmente."
+
+#: lib/luks2/luks2_luks1_convert.c:765
+#, c-format
+msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
+msgstr "Nu se poate converti în formatul LUKS1 - antetul LUKS2 conține %u jetoane(tokens)."
+
+#: lib/luks2/luks2_luks1_convert.c:779
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
+msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u este într-o stare nevalidă."
+
+#: lib/luks2/luks2_luks1_convert.c:784
+#, c-format
+msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
+msgstr "Nu se poate converti în formatul LUKS1 - slotul %u (peste sloturile maxime) este încă activ."
+
+#: lib/luks2/luks2_luks1_convert.c:789
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
+msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u nu este compatibil cu LUKS1."
+
+#: lib/luks2/luks2_reencrypt.c:1152
+#, c-format
+msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Dimensiunea zonei „fierbinți” (active) trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)."
+
+#: lib/luks2/luks2_reencrypt.c:1157
+#, c-format
+msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)."
+
+#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
+#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
+#: lib/luks2/luks2_reencrypt.c:3877
+msgid "Failed to initialize old segment storage wrapper."
+msgstr "Nu s-a putut inițializa vechea încapsulare de stocare a segmentului."
+
+#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
+msgid "Failed to initialize new segment storage wrapper."
+msgstr "Nu s-a putut inițializa noua încapsulare de stocare a segmentului."
+
+#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+msgid "Failed to initialize hotzone protection."
+msgstr "Nu s-a putut inițializa protecția zonei „fierbinți” (active)."
+
+#: lib/luks2/luks2_reencrypt.c:1578
+msgid "Failed to read checksums for current hotzone."
+msgstr "Nu s-au putut citii sumele de control pentru zona „fierbinte” (activă) actuală."
+
+#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
+#, c-format
+msgid "Failed to read hotzone area starting at %<PRIu64>."
+msgstr "Nu s-a putut citi zona „fierbinte” (activă) începând cu %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:1604
+#, c-format
+msgid "Failed to decrypt sector %zu."
+msgstr "Nu s-a putut decripta sectorul %zu."
+
+#: lib/luks2/luks2_reencrypt.c:1610
+#, c-format
+msgid "Failed to recover sector %zu."
+msgstr "Nu s-a putut recupera sectorul %zu."
+
+#: lib/luks2/luks2_reencrypt.c:2174
+#, c-format
+msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
+msgstr "Dimensiunile dispozitivelor sursă și țintă nu se potrivesc. Sursa %<PRIu64>, ținta: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2272
+#, c-format
+msgid "Failed to activate hotzone device %s."
+msgstr "Nu s-a putut activa zona „fierbinte” (activă) a dispozitivului %s."
+
+#: lib/luks2/luks2_reencrypt.c:2289
+#, c-format
+msgid "Failed to activate overlay device %s with actual origin table."
+msgstr "Nu s-a putut activa dispozitivul de suprapunere %s cu tabelul de origine actual."
+
+#: lib/luks2/luks2_reencrypt.c:2296
+#, c-format
+msgid "Failed to load new mapping for device %s."
+msgstr "Nu s-a putut încărca noua asociere pentru dispozitivul %s."
+
+#: lib/luks2/luks2_reencrypt.c:2367
+msgid "Failed to refresh reencryption devices stack."
+msgstr "Nu s-a putut reîmprospăta stiva de dispozitive de recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:2550
+msgid "Failed to set new keyslots area size."
+msgstr "Nu s-a putut definii dimensiunea zonei noilor sloturi pentru chei."
+
+#: lib/luks2/luks2_reencrypt.c:2686
+#, c-format
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Valoarea deplasării datelor nu este aliniată la dimensiunea sectorului de criptare (%<PRIu32> octeți)."
+
+#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
+#, c-format
+msgid "Unsupported resilience mode %s"
+msgstr "Modul de adaptabilitate neacceptat %s"
+
+#: lib/luks2/luks2_reencrypt.c:2760
+msgid "Moved segment size can not be greater than data shift value."
+msgstr "Dimensiunea segmentului mutat nu poate fi mai mare decât valoarea deplasării de date."
+
+#: lib/luks2/luks2_reencrypt.c:2802
+msgid "Invalid reencryption resilience parameters."
+msgstr "Parametri de adaptabilitate de recriptare nevalizi."
+
+#: lib/luks2/luks2_reencrypt.c:2824
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr "Segmentul mutat este prea mare. Dimensiunea solicitată este de %<PRIu64>, iar spațiul disponibil pentru aceasta este de: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2911
+msgid "Failed to clear table."
+msgstr "Nu s-a putut șterge tabelul."
+
+#: lib/luks2/luks2_reencrypt.c:2997
+msgid "Reduced data size is larger than real device size."
+msgstr "Dimensiunea redusă a datelor este mai mare decât dimensiunea dispozitivului real."
+
+#: lib/luks2/luks2_reencrypt.c:3004
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Dispozitivul de date nu este aliniat la dimensiunea sectorului de criptare (%<PRIu32> octeți)."
+
+#: lib/luks2/luks2_reencrypt.c:3038
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Deplasarea datelor (%<PRIu64> sectoare) este mai mică decât decalajul viitor al datelor (%<PRIu64> sectoare)."
+
+#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
+#: lib/luks2/luks2_reencrypt.c:3554
+#, c-format
+msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
+msgstr "Nu s-a putut deschide %s în modul exclusiv (deja cartografiat sau montat)."
+
+#: lib/luks2/luks2_reencrypt.c:3234
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Dispozitivul nu este marcat pentru recriptarea LUKS2."
+
+#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
+msgid "Failed to load LUKS2 reencryption context."
+msgstr "Nu s-a putut încărca contextul de recriptare LUKS2."
+
+#: lib/luks2/luks2_reencrypt.c:3331
+msgid "Failed to get reencryption state."
+msgstr "Nu s-a putut obține stadiul recriptării."
+
+#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
+msgid "Device is not in reencryption."
+msgstr "Dispozitivul nu se află în recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
+msgid "Reencryption process is already running."
+msgstr "Procesul de recriptare rulează deja."
+
+#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
+msgid "Failed to acquire reencryption lock."
+msgstr "Nu s-a putut obține blocarea pentru recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:3362
+msgid "Cannot proceed with reencryption. Run reencryption recovery first."
+msgstr "Nu se poate continua cu recriptarea. Rulați mai întâi recuperarea recriptării."
+
+#: lib/luks2/luks2_reencrypt.c:3497
+msgid "Active device size and requested reencryption size don't match."
+msgstr "Dimensiunea dispozitivului activ și dimensiunea de recriptare solicitată nu se potrivesc."
+
+#: lib/luks2/luks2_reencrypt.c:3511
+msgid "Illegal device size requested in reencryption parameters."
+msgstr "Dimensiunea dispozitivului solicitată în parametrii de recriptare este incorectă."
+
+#: lib/luks2/luks2_reencrypt.c:3588
+msgid "Reencryption in-progress. Cannot perform recovery."
+msgstr "Recriptare în curs. Nu se poate efectua recuperarea."
+
+#: lib/luks2/luks2_reencrypt.c:3757
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr "Recriptare LUKS2 deja inițializată în metadate."
+
+#: lib/luks2/luks2_reencrypt.c:3764
+msgid "Failed to initialize LUKS2 reencryption in metadata."
+msgstr "Nu s-a putut inițializa recriptarea LUKS2 în metadate."
+
+#: lib/luks2/luks2_reencrypt.c:3859
+msgid "Failed to set device segments for next reencryption hotzone."
+msgstr "Nu s-au putut definii segmentele dispozitivului pentru următoarea zonă „fierbinte” (activă) de recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:3911
+msgid "Failed to write reencryption resilience metadata."
+msgstr "Nu s-au putut scrie metadatele adaptabilității recriptării."
+
+#: lib/luks2/luks2_reencrypt.c:3918
+msgid "Decryption failed."
+msgstr "Decriptarea a eșuat."
+
+#: lib/luks2/luks2_reencrypt.c:3923
+#, c-format
+msgid "Failed to write hotzone area starting at %<PRIu64>."
+msgstr "Nu s-a putut scrie zona „fierbinte” (activă) începând de la %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:3928
+msgid "Failed to sync data."
+msgstr "Nu s-au putut sincroniza datele."
+
+#: lib/luks2/luks2_reencrypt.c:3936
+msgid "Failed to update metadata after current reencryption hotzone completed."
+msgstr "Nu s-au putut actualiza metadatele după finalizarea zonei „fierbinți” (active) de recriptare actuală."
+
+#: lib/luks2/luks2_reencrypt.c:4025
+msgid "Failed to write LUKS2 metadata."
+msgstr "Nu s-au putut scrie metadatele LUKS2."
+
+#: lib/luks2/luks2_reencrypt.c:4048
+msgid "Failed to wipe unused data device area."
+msgstr "Nu s-a putut șterge zona nefolosită a dispozitivului de date."
+
+#: lib/luks2/luks2_reencrypt.c:4054
+#, c-format
+msgid "Failed to remove unused (unbound) keyslot %d."
+msgstr "Nu s-a putut elimina slotul de cheie neutilizat (neasociat) %d."
+
+#: lib/luks2/luks2_reencrypt.c:4064
+msgid "Failed to remove reencryption keyslot."
+msgstr "Nu s-a putut elimina slotul de cheie de recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:4074
+#, c-format
+msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
+msgstr "Eroare fatală la recriptarea porțiunii începând de la %<PRIu64>, %<PRIu64> sectoare lungi."
+
+#: lib/luks2/luks2_reencrypt.c:4078
+msgid "Online reencryption failed."
+msgstr "Recriptarea «online» a eșuat."
+
+#: lib/luks2/luks2_reencrypt.c:4083
+msgid "Do not resume the device unless replaced with error target manually."
+msgstr "Nu reluați dispozitivul decât dacă este înlocuit manual cu ținta erorii."
+
+#: lib/luks2/luks2_reencrypt.c:4137
+msgid "Cannot proceed with reencryption. Unexpected reencryption status."
+msgstr "Nu se poate continua cu recriptarea. Stare neașteptată a recriptării."
+
+#: lib/luks2/luks2_reencrypt.c:4143
+msgid "Missing or invalid reencrypt context."
+msgstr "Context de recriptare lipsă sau nevalid."
+
+#: lib/luks2/luks2_reencrypt.c:4150
+msgid "Failed to initialize reencryption device stack."
+msgstr "Nu s-a putut inițializa stiva dispozitivului de recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
+msgid "Failed to update reencryption context."
+msgstr "Nu s-a putut actualiza contextul de recriptare."
+
+#: lib/luks2/luks2_reencrypt_digest.c:405
+msgid "Reencryption metadata is invalid."
+msgstr "Metadatele de recriptare sunt nevalide."
+
+#: src/cryptsetup.c:85
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr "Parametrii de criptare a slotului de cheie pot fi stabiliți numai pentru dispozitivul LUKS2."
+
+#: src/cryptsetup.c:108 src/cryptsetup.c:1901
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Introduceți codul PIN al jetonului: "
+
+#: src/cryptsetup.c:110 src/cryptsetup.c:1903
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Introduceți codul PIN al jetonului(token) %d: "
+
+#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
+#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517
+#: src/utils_reencrypt_luks1.c:580
+msgid "No known cipher specification pattern detected."
+msgstr "Nu s-a detectat niciun model de specificație de cifrare cunoscut."
+
+#: src/cryptsetup.c:167
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "AVERTISMENT: Parametrul „--hash” este ignorat în modul simplu, cu fișierul de cheie specificat.\n"
+
+#: src/cryptsetup.c:175
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "AVERTISMENT: Opțiunea „--keyfile-size” este ignorată, dimensiunea de citire este aceeași cu dimensiunea cheii de criptare.\n"
+
+#: src/cryptsetup.c:215
+#, c-format
+msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
+msgstr "S-au detectat semnături de dispozitiv pe %s. Continuarea operației, riscă să deterioreze datele existente."
+
+#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
+#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
+#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
+#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749
+msgid "Operation aborted.\n"
+msgstr "Operația se întrerupe.\n"
+
+#: src/cryptsetup.c:294
+msgid "Option --key-file is required."
+msgstr "Opțiunea „--key-file” este necesară."
+
+#: src/cryptsetup.c:345
+msgid "Enter VeraCrypt PIM: "
+msgstr "Introduceți PIM-ul VeraCrypt: "
+
+#: src/cryptsetup.c:354
+msgid "Invalid PIM value: parse error."
+msgstr "Valoare PIM nevalidă: eroare de analizare."
+
+#: src/cryptsetup.c:357
+msgid "Invalid PIM value: 0."
+msgstr "Valoare PIM nevalidă: 0."
+
+#: src/cryptsetup.c:360
+msgid "Invalid PIM value: outside of range."
+msgstr "Valoare PIM nevalidă: în afara intervalului."
+
+#: src/cryptsetup.c:383
+msgid "No device header detected with this passphrase."
+msgstr "Nu a fost detectat niciun antet de dispozitiv cu această frază de acces."
+
+#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Dispozitivul %s nu este un dispozitiv BITLK valid."
+
+#: src/cryptsetup.c:464
+msgid "Cannot determine volume key size for BITLK, please use --key-size option."
+msgstr "Nu se poate determina dimensiunea cheii de volum pentru BITLK; utilizați opțiunea „--key-size” pentru a o furniza."
+
+#: src/cryptsetup.c:506
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Conținutul antetului cu cheia de volum este o informație sensibilă\n"
+"care permite accesul la partiția criptată fără fraza de acces.\n"
+"Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur."
+
+#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
+msgid ""
+"The header dump with volume key is sensitive information\n"
+"that allows access to encrypted partition without a passphrase.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+"Conținutul antetului cu cheia de volum este o informație sensibilă\n"
+"care permite accesul la partiția criptată fără fraza de acces.\n"
+"Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur."
+
+#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr "Dispozitivul %s nu este un dispozitiv FVAULT2 valid."
+
+#: src/cryptsetup.c:747
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr "Nu se poate determina dimensiunea cheii de volum pentru FVAULT2; utilizați opțiunea „--key-size” pentru a o furniza."
+
+#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
+#, c-format
+msgid "Device %s is still active and scheduled for deferred removal.\n"
+msgstr "Dispozitivul %s este încă activ și programat pentru eliminare temporizată.\n"
+
+#: src/cryptsetup.c:835
+msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
+msgstr "Redimensionarea dispozitivului activ necesită cheia de volum în inelul de chei, dar opțiunea „--disable-keyring” este furnizată."
+
+#: src/cryptsetup.c:982
+msgid "Benchmark interrupted."
+msgstr "Testarea pentru evaluarea performanței a fost întreruptă."
+
+#: src/cryptsetup.c:1003
+#, c-format
+msgid "PBKDF2-%-9s N/A\n"
+msgstr "PBKDF2-%-9s (neaplicabil)\n"
+
+#: src/cryptsetup.c:1005
+#, c-format
+msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
+msgstr "PBKDF2-%-9s %7u iterații pe secundă pentru cheia %zu-bit\n"
+
+#: src/cryptsetup.c:1019
+#, c-format
+msgid "%-10s N/A\n"
+msgstr "%-10s (neaplicabil)\n"
+
+#: src/cryptsetup.c:1021
+#, c-format
+msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
+msgstr "%-10s %4u iterații, %5u memorie, %1u fire paralele (CPU-uri) pentru cheia %zu-bit (timpul necesitat %u ms)\n"
+
+#: src/cryptsetup.c:1045
+msgid "Result of benchmark is not reliable."
+msgstr "Rezultatul testului de evaluare a performanței nu este fiabil."
+
+#: src/cryptsetup.c:1095
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testele sunt aproximative folosind doar memoria (fără In/Ieș de stocare).\n"
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1115
+#, c-format
+msgid "#%*s Algorithm | Key | Encryption | Decryption\n"
+msgstr "#%*s Algoritm | Cheie | Criptare | Decriptare\n"
+
+#: src/cryptsetup.c:1119
+#, c-format
+msgid "Cipher %s (with %i bits key) is not available."
+msgstr "Cifrarea %s (cu cheie de %i biți) nu este disponibilă."
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1138
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritm | Cheie | Criptare | Decriptare\n"
+
+#: src/cryptsetup.c:1149
+msgid "N/A"
+msgstr "nedisponibil"
+
+#: src/cryptsetup.c:1174
+msgid ""
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
+"and continue (upgrade metadata) only if you acknowledge the operation as genuine."
+msgstr "Au fost detectate metadate neprotejate de recriptare LUKS2. Verificați că operațiunea de recriptare este de dorit (consultați ieșirea luksDump) și continuați (să actualizați metadatele) numai dacă recunoașteți operația ca fiind autentică."
+
+#: src/cryptsetup.c:1180
+msgid "Enter passphrase to protect and upgrade reencryption metadata: "
+msgstr "Introduceți fraza de acces pentru a proteja și actualiza metadatele de recriptare: "
+
+#: src/cryptsetup.c:1224
+msgid "Really proceed with LUKS2 reencryption recovery?"
+msgstr "Continuați cu adevărat cu recuperarea recriptării LUKS2?"
+
+#: src/cryptsetup.c:1233
+msgid "Enter passphrase to verify reencryption metadata digest: "
+msgstr "Introduceți fraza de acces pentru a verifica calcularea sumele de control a metadatelor de recriptare: "
+
+#: src/cryptsetup.c:1235
+msgid "Enter passphrase for reencryption recovery: "
+msgstr "Introduceți fraza de acces pentru recuperarea recriptării: "
+
+#: src/cryptsetup.c:1290
+msgid "Really try to repair LUKS device header?"
+msgstr "Încercați cu adevărat să reparați antetul dispozitivului LUKS?"
+
+#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+"\n"
+"Ștergere întreruptă."
+
+#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
+msgid ""
+"Wiping device to initialize integrity checksum.\n"
+"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
+msgstr ""
+"Se șterge dispozitivul pentru a inițializa calcularea sumei de control a integrității.\n"
+"Puteți întrerupe acest lucru apăsând CTRL+c (restul dispozitivului care nu este șters va conține o sumă de control nevalidă).\n"
+
+#: src/cryptsetup.c:1341 src/integritysetup.c:116
+#, c-format
+msgid "Cannot deactivate temporary device %s."
+msgstr "Nu se poate dezactiva dispozitivul temporar %s."
+
+#: src/cryptsetup.c:1392
+msgid "Integrity option can be used only for LUKS2 format."
+msgstr "Opțiunea de integritate poate fi utilizată numai pentru formatul LUKS2."
+
+#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
+msgid "Unsupported LUKS2 metadata size options."
+msgstr "Opțiuni de dimensiune a metadatelor LUKS2 neacceptate."
+
+#: src/cryptsetup.c:1406
+msgid "Header file does not exist, do you want to create it?"
+msgstr "Fișierul antet nu există, doriți să îl creați?"
+
+#: src/cryptsetup.c:1414
+#, c-format
+msgid "Cannot create header file %s."
+msgstr "Nu se poate crea fișierul antet %s."
+
+#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
+#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
+#: src/integritysetup.c:333
+msgid "No known integrity specification pattern detected."
+msgstr "Nu a fost detectat niciun model de specificație de integritate cunoscut."
+
+#: src/cryptsetup.c:1450
+#, c-format
+msgid "Cannot use %s as on-disk header."
+msgstr "Nu se poate folosi %s ca antet pe disc."
+
+#: src/cryptsetup.c:1474 src/integritysetup.c:181
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Acest lucru va suprascrie datele de pe %s în mod irevocabil."
+
+#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
+#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
+msgid "Failed to set pbkdf parameters."
+msgstr "Nu s-au putut definii parametrii pbkdf."
+
+#: src/cryptsetup.c:1593
+msgid "Reduced data offset is allowed only for detached LUKS header."
+msgstr "Decalajul redus de date este permis numai pentru antetul LUKS detașat."
+
+#: src/cryptsetup.c:1600
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr "Containerul de fișiere LUKS %s este prea mic pentru activare, nu mai rămâne spațiu pentru date."
+
+#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
+msgstr "Nu se poate determina dimensiunea cheii de volum pentru LUKS fără sloturi de chei; folosiți opțiunea „--key-size” pentru a furniza aceste date."
+
+#: src/cryptsetup.c:1658
+msgid "Device activated but cannot make flags persistent."
+msgstr "Dispozitivul a fost activat, dar nu se poate face ca fanioanele să fie persistente."
+
+#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
+#, c-format
+msgid "Keyslot %d is selected for deletion."
+msgstr "Slotul de cheie %d este selectat pentru ștergere."
+
+#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Acesta este ultimul slot de cheie. Dispozitivul va deveni inutilizabil după eliminarea acestei chei."
+
+#: src/cryptsetup.c:1750
+msgid "Enter any remaining passphrase: "
+msgstr "Introduceți orice frază de acces rămasă: "
+
+#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
+msgid "Operation aborted, the keyslot was NOT wiped.\n"
+msgstr "Operația a fost întreruptă, slotul de cheie NU a fost șters.\n"
+
+#: src/cryptsetup.c:1787
+msgid "Enter passphrase to be deleted: "
+msgstr "Introduceți fraza de acces pentru a fi ștearsă: "
+
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
+#: src/cryptsetup.c:2948
+#, c-format
+msgid "Device %s is not a valid LUKS2 device."
+msgstr "Dispozitivul %s nu este un dispozitiv LUKS2 valid."
+
+#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
+msgid "Enter new passphrase for key slot: "
+msgstr "Introduceți noua frază de acces pentru slotul de cheie: "
+
+#: src/cryptsetup.c:1968
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr "AVERTISMENT: Parametrul „--key-slot” este utilizat pentru noul număr de slot de cheie.\n"
+
+#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Introduceți orice frază de acces existentă: "
+
+#: src/cryptsetup.c:2152
+msgid "Enter passphrase to be changed: "
+msgstr "Introduceți fraza de acces pentru a fi schimbată: "
+
+#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
+msgid "Enter new passphrase: "
+msgstr "Introduceți nouă frază de acces: "
+
+#: src/cryptsetup.c:2218
+msgid "Enter passphrase for keyslot to be converted: "
+msgstr "Introduceți fraza de acces pentru slotul de cheie care urmează să fie convertit: "
+
+#: src/cryptsetup.c:2242
+msgid "Only one device argument for isLuks operation is supported."
+msgstr "Doar un singur dispozitiv este admis ca argument pentru operația isLuks."
+
+#: src/cryptsetup.c:2350
+#, c-format
+msgid "Keyslot %d does not contain unbound key."
+msgstr "Slotul de cheie %d nu conține o cheie neasociată."
+
+#: src/cryptsetup.c:2355
+msgid ""
+"The header dump with unbound key is sensitive information.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+"Conținutul antetului cu cheia neasociată este o informație sensibilă.\n"
+"Acest conținut ar trebui să fie stocat criptat într-un loc sigur."
+
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
+#, c-format
+msgid "%s is not active %s device name."
+msgstr "%s nu este numele dispozitivului activ %s."
+
+#: src/cryptsetup.c:2465
+#, c-format
+msgid "%s is not active LUKS device name or header is missing."
+msgstr "%s nu este numele unui dispozitiv LUKS activ sau antetul lipsește."
+
+#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
+msgid "Option --header-backup-file is required."
+msgstr "Este necesară opțiunea „--header-backup-file”."
+
+#: src/cryptsetup.c:2577
+#, c-format
+msgid "%s is not cryptsetup managed device."
+msgstr "%s nu este un dispozitiv gestionat de «cryptsetup»."
+
+#: src/cryptsetup.c:2588
+#, c-format
+msgid "Refresh is not supported for device type %s"
+msgstr "Reîmprospătarea nu este disponibilă pentru tipul de dispozitiv %s"
+
+#: src/cryptsetup.c:2638
+#, c-format
+msgid "Unrecognized metadata device type %s."
+msgstr "Tip de dispozitiv de metadate nerecunoscut %s."
+
+#: src/cryptsetup.c:2640
+msgid "Command requires device and mapped name as arguments."
+msgstr "Comanda necesită un dispozitiv și numele asociat acestuia ca argumente."
+
+#: src/cryptsetup.c:2661
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Această operație va șterge toate sloturile de chei de pe dispozitivul %s.\n"
+"Dispozitivul va deveni inutilizabil după această operație."
+
+#: src/cryptsetup.c:2668
+msgid "Operation aborted, keyslots were NOT wiped.\n"
+msgstr "Operația a fost întreruptă, sloturile de chei NU au fost șterse.\n"
+
+#: src/cryptsetup.c:2707
+msgid "Invalid LUKS type, only luks1 and luks2 are supported."
+msgstr "Tip LUKS nevalid, numai luks1 și luks2 sunt acceptate."
+
+#: src/cryptsetup.c:2723
+#, c-format
+msgid "Device is already %s type."
+msgstr "Dispozitivul este deja de tip %s."
+
+#: src/cryptsetup.c:2730
+#, c-format
+msgid "This operation will convert %s to %s format.\n"
+msgstr "Această operație va converti %s în formatul %s.\n"
+
+#: src/cryptsetup.c:2733
+msgid "Operation aborted, device was NOT converted.\n"
+msgstr "Operația a fost întreruptă, dispozitivul NU a fost convertit.\n"
+
+#: src/cryptsetup.c:2773
+msgid "Option --priority, --label or --subsystem is missing."
+msgstr "Opțiunea „--priority”, „--label” sau „--subsystem” lipsește."
+
+#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
+#, c-format
+msgid "Token %d is invalid."
+msgstr "Jetonul(token) %d nu este valid."
+
+#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
+#, c-format
+msgid "Token %d in use."
+msgstr "Jetonul(token) %d este în uz."
+
+#: src/cryptsetup.c:2822
+#, c-format
+msgid "Failed to add luks2-keyring token %d."
+msgstr "Nu s-a putut adăuga jetonul(token) %d la inelul de chei luks2."
+
+#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
+#, c-format
+msgid "Failed to assign token %d to keyslot %d."
+msgstr "Nu s-a putut atribui jetonul(token) %d slotului pentru cheie %d."
+
+#: src/cryptsetup.c:2850
+#, c-format
+msgid "Token %d is not in use."
+msgstr "Jetonul %d nu este în uz."
+
+#: src/cryptsetup.c:2887
+msgid "Failed to import token from file."
+msgstr "Nu s-a putut importa jetonul din fișier."
+
+#: src/cryptsetup.c:2912
+#, c-format
+msgid "Failed to get token %d for export."
+msgstr "Nu s-a putut obține jetonul %d pentru export."
+
+#: src/cryptsetup.c:2925
+#, c-format
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "Jetonul %d nu este alocat slotului de cheie %d."
+
+#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
+#, c-format
+msgid "Failed to unassign token %d from keyslot %d."
+msgstr "Nu s-a putut anula atribuirea jetonului %d din slotul de cheie %d."
+
+#: src/cryptsetup.c:2983
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
+msgstr "Opțiunea „--tcrypt-hidden”, „--tcrypt-system” sau „--tcrypt-backup” este acceptată doar pentru dispozitivele TCRYPT."
+
+#: src/cryptsetup.c:2986
+msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
+msgstr "Opțiunea „--veracrypt” sau „--disable-veracrypt” este acceptată numai pentru tipul de dispozitiv TCRYPT."
+
+#: src/cryptsetup.c:2989
+msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
+msgstr "Opțiunea „--veracrypt-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt."
+
+#: src/cryptsetup.c:2993
+msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
+msgstr "Opțiunea „--veracrypt-query-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt."
+
+#: src/cryptsetup.c:2995
+msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
+msgstr "Opțiunile „--veracrypt-pim” și „--veracrypt-query-pim” se exclud reciproc."
+
+#: src/cryptsetup.c:3004
+msgid "Option --persistent is not allowed with --test-passphrase."
+msgstr "Opțiunea „--persistent” nu este permisă cu opțiunea „--test-passphrase”."
+
+#: src/cryptsetup.c:3007
+msgid "Options --refresh and --test-passphrase are mutually exclusive."
+msgstr "Opțiunile „--refresh” și „--test-passphrase” se exclud reciproc."
+
+#: src/cryptsetup.c:3010
+msgid "Option --shared is allowed only for open of plain device."
+msgstr "Opțiunea „--shared” este permisă numai pentru deschiderea unui dispozitiv simplu."
+
+#: src/cryptsetup.c:3013
+msgid "Option --skip is supported only for open of plain and loopaes devices."
+msgstr "Opțiunea „--skip” este acceptată numai pentru deschiderea dispozitivelor simple și a dispozitivelor loopaes."
+
+#: src/cryptsetup.c:3016
+msgid "Option --offset with open action is only supported for plain and loopaes devices."
+msgstr "Opțiunea „--offset” cu acțiune de deschidere este acceptată numai pentru dispozitivele simple și dispozitivele loopaes."
+
+#: src/cryptsetup.c:3019
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
+msgstr "Opțiunea „--tcrypt-hidden” nu poate fi combinată cu opțiunea „--allow-discards”."
+
+#: src/cryptsetup.c:3023
+msgid "Sector size option with open action is supported only for plain devices."
+msgstr "Opțiunea de dimensiune a sectorului cu acțiune de deschidere este acceptată numai pentru dispozitivele simple."
+
+#: src/cryptsetup.c:3027
+msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
+msgstr "Opțiunea sectoare IV (vector de inițializare) mari este acceptată numai pentru deschiderea dispozitivelor de tip simplu, cu dimensiunea sectorului mai mare de 512 de octeți."
+
+#: src/cryptsetup.c:3032
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "Opțiunea „--test-passphrase” este permisă numai pentru deschiderea dispozitivelor LUKS, TCRYPT, BITLK și FVAULT2."
+
+#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+msgid "Options --device-size and --size cannot be combined."
+msgstr "Opțiunile „--device-size” și „--size” nu pot fi combinate."
+
+#: src/cryptsetup.c:3038
+msgid "Option --unbound is allowed only for open of luks device."
+msgstr "Opțiunea „--unbound” este permisă numai pentru deschiderea dispozitivelor luks."
+
+#: src/cryptsetup.c:3041
+msgid "Option --unbound cannot be used without --test-passphrase."
+msgstr "Opțiunea „--unbound” nu poate fi utilizată fără opțiunea „--test-passphrase”."
+
+#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr "Opțiunile „--cancel-deferred” și „--deferred” nu pot fi utilizate în același timp."
+
+#: src/cryptsetup.c:3066
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr "Opțiunile „--reduce-device-size” și „--data-size” nu pot fi combinate."
+
+#: src/cryptsetup.c:3069
+msgid "Option --active-name can be set only for LUKS2 device."
+msgstr "Opțiunea „--active-name” poate fi utilizată numai pentru dispozitivele LUKS2."
+
+#: src/cryptsetup.c:3072
+msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
+msgstr "Opțiunile „--active-name” și „--force-offline-reencrypt” nu pot fi combinate."
+
+#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+msgid "Keyslot specification is required."
+msgstr "Este necesară specificarea slotului de cheie."
+
+#: src/cryptsetup.c:3088
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "Opțiunile „--align-payload” și „--offset” nu pot fi combinate."
+
+#: src/cryptsetup.c:3091
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
+msgstr "Opțiunea „--integrity-no-wipe” poate fi utilizată numai pentru acțiuni de formatare cu extensie de integritate."
+
+#: src/cryptsetup.c:3094
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Numai una dintre opțiunile „--use-[u]random” este permisă."
+
+#: src/cryptsetup.c:3102
+msgid "Key size is required with --unbound option."
+msgstr "Dimensiunea cheii este necesară cu opțiunea „--unbound”."
+
+#: src/cryptsetup.c:3122
+msgid "Invalid token action."
+msgstr "Operație cu jeton(token) nevalidă."
+
+#: src/cryptsetup.c:3125
+msgid "--key-description parameter is mandatory for token add action."
+msgstr "Parametrul „--key-description” este obligatoriu pentru acțiunea de adăugare a jetonului."
+
+#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr "Acțiunea necesită un jeton(token)l specific. Utilizați parametrul „--token-id”."
+
+#: src/cryptsetup.c:3133
+msgid "Option --unbound is valid only with token add action."
+msgstr "Opțiunea „--unbound” este validă numai cu acțiunea de adăugare a jetonului."
+
+#: src/cryptsetup.c:3135
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "Opțiunile „--key-slot” și „--unbound” nu pot fi combinate."
+
+#: src/cryptsetup.c:3140
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "Acțiunea necesită un slot de cheie specific. Utilizați parametrul „--key-slot”."
+ +#: src/cryptsetup.c:3156 +msgid "<device> [--type <type>] [<name>]" +msgstr "<dispozitiv> [--type <tip>] [<nume>]" + +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +msgid "open device as <name>" +msgstr "deschide dispozitivul ca <nume>" + +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 +msgid "<name>" +msgstr "<nume>" + +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +msgid "close device (remove mapping)" +msgstr "închide dispozitivul (elimină asocierea)" + +#: src/cryptsetup.c:3158 src/integritysetup.c:539 +msgid "resize active device" +msgstr "redimensionează dispozitivul activ" + +#: src/cryptsetup.c:3159 +msgid "show device status" +msgstr "afișează starea dispozitivului" + +#: src/cryptsetup.c:3160 +msgid "[--cipher <cipher>]" +msgstr "[--cipher <cifrarea>]" + +#: src/cryptsetup.c:3160 +msgid "benchmark cipher" +msgstr "evaluează performanța cifrului" + +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +msgid "<device>" +msgstr "<dispozitiv>" + +#: src/cryptsetup.c:3161 +msgid "try to repair on-disk metadata" +msgstr "încearcă să repare metadatele de pe disc" + +#: src/cryptsetup.c:3162 +msgid "reencrypt LUKS2 device" +msgstr "recriptează dispozitivul LUKS2" + +#: src/cryptsetup.c:3163 +msgid "erase all keyslots (remove encryption key)" +msgstr "șterge toate sloturile de chei (elimină cheia de criptare)" + +#: src/cryptsetup.c:3164 +msgid "convert LUKS from/to LUKS2 format" +msgstr "convertește LUKS din/în formatul LUKS2" + +#: src/cryptsetup.c:3165 +msgid "set 
permanent configuration options for LUKS2" +msgstr "definește opțiunile permanente de configurare pentru LUKS2" + +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +msgid "<device> [<new key file>]" +msgstr "<dispozitiv> [<fișier cheie nou>]" + +#: src/cryptsetup.c:3166 +msgid "formats a LUKS device" +msgstr "formatează un dispozitiv LUKS" + +#: src/cryptsetup.c:3167 +msgid "add key to LUKS device" +msgstr "adaugă o cheie la dispozitivul LUKS" + +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +msgid "<device> [<key file>]" +msgstr "<dispozitiv> [<fișier cheie>]" + +#: src/cryptsetup.c:3168 +msgid "removes supplied key or key file from LUKS device" +msgstr "elimină cheia sau fișierul cheie furnizat de pe dispozitivul LUKS" + +#: src/cryptsetup.c:3169 +msgid "changes supplied key or key file of LUKS device" +msgstr "modifică cheia furnizată sau fișierul cheie al dispozitivului LUKS" + +#: src/cryptsetup.c:3170 +msgid "converts a key to new pbkdf parameters" +msgstr "convertește o cheie în noii parametri pbkdf" + +#: src/cryptsetup.c:3171 +msgid "<device> <key slot>" +msgstr "<dispozitiv> <slot cheie>" + +#: src/cryptsetup.c:3171 +msgid "wipes key with number <key slot> from LUKS device" +msgstr "șterge cheia cu numărul <slot cheie> de pe dispozitivul LUKS" + +#: src/cryptsetup.c:3172 +msgid "print UUID of LUKS device" +msgstr "afișează UUID-ul dispozitivului LUKS" + +#: src/cryptsetup.c:3173 +msgid "tests <device> for LUKS partition header" +msgstr "testează <dispozitivul> pentru antetul partiției LUKS" + +#: src/cryptsetup.c:3174 +msgid "dump LUKS partition information" +msgstr "afișează informațiile despre partiția LUKS" + +#: src/cryptsetup.c:3175 +msgid "dump TCRYPT device information" +msgstr "afișează informațiile despre dispozitivul TCRYPT" + +#: src/cryptsetup.c:3176 +msgid "dump BITLK device information" +msgstr "afișează informațiile despre dispozitivul BITLK" + +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr 
"afișează informațiile despre dispozitivul FVAULT2" + +#: src/cryptsetup.c:3178 +msgid "Suspend LUKS device and wipe key (all IOs are frozen)" +msgstr "Suspendă dispozitivul LUKS și șterge cheia (toate In/Ieșirile sunt înghețate)" + +#: src/cryptsetup.c:3179 +msgid "Resume suspended LUKS device" +msgstr "Repune în funcțiune dispozitivul LUKS suspendat" + +#: src/cryptsetup.c:3180 +msgid "Backup LUKS device header and keyslots" +msgstr "Face copie de rezervă pentru antetul dispozitivului LUKS și pentru sloturile de chei" + +#: src/cryptsetup.c:3181 +msgid "Restore LUKS device header and keyslots" +msgstr "Restaurează antetul dispozitivului LUKS și sloturile de chei" + +#: src/cryptsetup.c:3182 +msgid "<add|remove|import|export> <device>" +msgstr "<add|remove|import|export> <dispozitiv>" + +#: src/cryptsetup.c:3182 +msgid "Manipulate LUKS2 tokens" +msgstr "Manipulează jetoanele LUKS2" + +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +msgid "" +"\n" +"<action> is one of:\n" +msgstr "" +"\n" +"<acțiune> este una dintre:\n" + +# R-GC, scrie: +# «open» și «close», sunt noile nume +# pentru <acțiune>, iar: +# «create» și «remove», sunt vechile +# nume, sau alias pentru primele. 
+# A se vedea ieșirea comenzii: +# «cryptsetup -?|--help» +#: src/cryptsetup.c:3207 +msgid "" +"\n" +"You can also use old <action> syntax aliases:\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" +msgstr "" +"\n" +"Puteți utiliza, de asemenea, vechile alias de sintaxă <acțiune>:\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" + +#: src/cryptsetup.c:3211 +#, c-format +msgid "" +"\n" +"<name> is the device to create under %s\n" +"<device> is the encrypted device\n" +"<key slot> is the LUKS key slot number to modify\n" +"<key file> optional key file for the new key for luksAddKey action\n" +msgstr "" +"\n" +"<nume> este dispozitivul de creat sub %s\n" +"<dispozitiv> este dispozitivul criptat\n" +"<slot cheie> este numărul slotului de cheie LUKS de modificat\n" +"<fișier cheie> fișier cheie opțional pentru noua cheie pentru acțiunea luksAddKey\n" + +#: src/cryptsetup.c:3218 +#, c-format +msgid "" +"\n" +"Default compiled-in metadata format is %s (for luksFormat action).\n" +msgstr "" +"\n" +"Formatul implicit de metadate compilate este %s (pentru acțiunea luksFormat).\n" + +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 +#, c-format +msgid "" +"\n" +"LUKS2 external token plugin support is %s.\n" +msgstr "" +"\n" +"Suportul pentru modulul de jeton(token) extern LUKS2 este %s.\n" + +#: src/cryptsetup.c:3223 +msgid "compiled-in" +msgstr "integrat în compilare" + +#: src/cryptsetup.c:3224 +#, c-format +msgid "LUKS2 external token plugin path: %s.\n" +msgstr "Calea modulului pentru jetonul(token) extern LUKS2: %s.\n" + +#: src/cryptsetup.c:3226 +msgid "disabled" +msgstr "dezactivat" + +#: src/cryptsetup.c:3230 +#, c-format +msgid "" +"\n" +"Default compiled-in key and passphrase 
parameters:\n" +"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n" +"Default PBKDF for LUKS1: %s, iteration time: %d (ms)\n" +"Default PBKDF for LUKS2: %s\n" +"\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n" +msgstr "" +"\n" +"Parametrii impliciti pentru cheia și fraza de acces compilați:\n" +"\tDimensiunea maximă a fișierului cheie: %dko, Lungimea maximă a frazei de acces interactivă %d (caractere)\n" +"PBKDF implicit pentru LUKS1: %s, timp de iterație: %d (ms)\n" +"PBKDF implicit pentru LUKS2: %s\n" +"\tTimp de iterare: %d, Memorie necesară: %dko, Fire de execuție paralele: %d\n" + +#: src/cryptsetup.c:3241 +#, c-format +msgid "" +"\n" +"Default compiled-in device cipher parameters:\n" +"\tloop-AES: %s, Key %d bits\n" +"\tplain: %s, Key: %d bits, Password hashing: %s\n" +"\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" +msgstr "" +"\n" +"Parametrii de cifrare ai dispozitivului compilați implicit:\n" +"\tloop-AES: %s, cheie %d biți\n" +"\tsimplu: %s, Cheie: %d biți, Suma de control a parolei: %s\n" +"\tLUKS: %s, Cheie: %d biți, Suma de control a antetului LUKS: %s, RNG: %s\n" + +#: src/cryptsetup.c:3250 +msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" +msgstr "\tLUKS: Dimensiunea implicită a cheii cu modul XTS (două chei interne) va fi dublată.\n" + +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#, c-format +msgid "%s: requires %s as arguments" +msgstr "%s: necesită %s ca argumente" + +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +msgid "Key slot is invalid." +msgstr "Slotul de cheie nu este valid." + +#: src/cryptsetup.c:3335 +msgid "Device size must be multiple of 512 bytes sector." +msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al sectorului de 512 octeți." + +#: src/cryptsetup.c:3340 +msgid "Invalid max reencryption hotzone size specification." 
+msgstr "Specificația pentru dimensiunea zonei fierbinți(active) pentru recriptare maximă nu este validă."
+
+#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Dimensiunea cheii trebuie să fie multiplu de 8 biți"
+
+#: src/cryptsetup.c:3371
+msgid "Maximum device reduce size is 1 GiB."
+msgstr "Dimensiunea maximă de reducere a dispozitivului este de 1 GiB."
+
+#: src/cryptsetup.c:3374
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Dimensiunea redusă trebuie să fie multiplu al sectorului de 512 octeți."
+
+#: src/cryptsetup.c:3391
+msgid "Option --priority can be only ignore/normal/prefer."
+msgstr "Argumentul opțiuni „--priority” poate fi doar «ignore/normal/prefer»."
+
+#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
+msgid "Show this help message"
+msgstr "Afișează acest mesaj de ajutor"
+
+#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
+msgid "Display brief usage"
+msgstr "Afișează modul de utilizare pe scurt"
+
+#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
+msgid "Print package version"
+msgstr "Afișează versiunea pachetului"
+
+#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
+msgid "Help options:"
+msgstr "Opțiuni de ajutor:"
+
+#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPȚIUNE...] <acțiune> <parametri_acțiune>"
+
+#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
+msgid "Argument <action> missing."
+msgstr "Argumentul <acțiune> lipsește."
+
+#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
+msgid "Unknown action."
+msgstr "Acțiune necunoscută."
+
+#: src/cryptsetup.c:3546
+msgid "Option --key-file takes precedence over specified key file argument."
+msgstr "Opțiunea „--key-file” are prioritate față de argumentul specificat pentru fișierul cheie."
+
+#: src/cryptsetup.c:3552
+msgid "Only one --key-file argument is allowed."
+msgstr "Numai un argument „--key-file” este permis."
+
+#: src/cryptsetup.c:3557
+msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
+msgstr "Funcția de derivare a unei chei bazată pe parolă (PBKDF=Password-Based Key Derivation Function) poate fi doar pbkdf2 sau argon2i/argon2id."
+
+#: src/cryptsetup.c:3562
+msgid "PBKDF forced iterations cannot be combined with iteration time option."
+msgstr "Iterațiile forțate PBKDF nu pot fi combinate cu opțiunea de timp de iterație."
+
+#: src/cryptsetup.c:3573
+msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
+msgstr "Opțiunile „--keyslot-cipher” și „--keyslot-key-size” trebuie să fie folosite împreună."
+
+#: src/cryptsetup.c:3581
+msgid "No action taken. Invoked with --test-args option.\n"
+msgstr "Nu s-a executat nicio acțiune. Programul a fost invocat cu opțiunea „--test-args”.\n"
+
+#: src/cryptsetup.c:3594
+msgid "Cannot disable metadata locking."
+msgstr "Nu se poate dezactiva blocarea metadatelor."
+
+#: src/veritysetup.c:54
+msgid "Invalid salt string specified."
+msgstr "S-a specificat un șir de date «salt» nevalid."
+
+#: src/veritysetup.c:87
+#, c-format
+msgid "Cannot create hash image %s for writing."
+msgstr "Nu s-a putut crea imaginea sumei de control(hash) %s pentru scriere."
+
+#: src/veritysetup.c:97
+#, c-format
+msgid "Cannot create FEC image %s for writing."
+msgstr "Nu s-a putut crea imaginea FEC %s pentru scriere."
+
+#: src/veritysetup.c:136
+#, c-format
+msgid "Cannot create root hash file %s for writing."
+msgstr "Nu s-a putut crea fișierul sumei de control(hash) rădăcină %s pentru scriere."
+
+#: src/veritysetup.c:143
+#, c-format
+msgid "Cannot write to root hash file %s."
+msgstr "Nu se poate scrie în fișierul sumei de control (hash) rădăcină %s."
+
+#: src/veritysetup.c:198 src/veritysetup.c:476
+#, c-format
+msgid "Device %s is not a valid VERITY device."
+msgstr "Dispozitivul %s nu este un dispozitiv VERITY valid."
+
+#: src/veritysetup.c:215 src/veritysetup.c:232
+#, c-format
+msgid "Cannot read root hash file %s."
+msgstr "Nu se poate citii din fișierul sumei de control (hash) rădăcină %s."
+
+#: src/veritysetup.c:220
+#, c-format
+msgid "Invalid root hash file %s."
+msgstr "Fișierul sumei de control (hash) rădăcină %s nu este valid."
+
+#: src/veritysetup.c:241
+msgid "Invalid root hash string specified."
+msgstr "S-a specificat un șir de sumă de control (hash) rădăcină nevalid."
+
+#: src/veritysetup.c:249
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Fișierul de semnătură %s nu este valid."
+
+#: src/veritysetup.c:256
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Nu se poate citi fișierul de semnătură %s."
+
+#: src/veritysetup.c:279 src/veritysetup.c:293
+msgid "Command requires <root_hash> or --root-hash-file option as argument."
+msgstr "Comanda necesită ca argument opțiunea <suma-de-control(hash)_rădăcină> sau „--root-hash-file”."
+
+#: src/veritysetup.c:489
+msgid "<data_device> <hash_device>"
+msgstr "<dispozitiv_date> <dispozitiv_sumă-de-control(hash)>"
+
+#: src/veritysetup.c:489 src/integritysetup.c:534
+msgid "format device"
+msgstr "formatează dispozitivul"
+
+#: src/veritysetup.c:490
+msgid "<data_device> <hash_device> [<root_hash>]"
+msgstr "<dispozitiv_date> <dispozitiv_sumă-de-control(hash)> [<sumă-de-control(hash)_rădăcină>]"
+
+#: src/veritysetup.c:490
+msgid "verify device"
+msgstr "verifică dispozitivul"
+
+#: src/veritysetup.c:491
+msgid "<data_device> <name> <hash_device> [<root_hash>]"
+msgstr "<dispozitiv_date> <nume> <dispozitiv_sumă-de-control(hash)> [<sumă-de-control(hash)_rădăcină>]"
+
+#: src/veritysetup.c:493 src/integritysetup.c:537
+msgid "show active device status"
+msgstr "afișează starea dispozitivului activ"
+
+#: src/veritysetup.c:494
+msgid "<hash_device>"
+msgstr "<dispozitiv_sumă-de-control(hash)>"
+
+#: src/veritysetup.c:494 src/integritysetup.c:538
+msgid "show on-disk information"
+msgstr "afișează informațiile de pe disc"
+
+#: src/veritysetup.c:513
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nume> este dispozitivul de creat sub %s\n"
+"<dispozitiv_date> este dispozitivul de date\n"
+"<dispozitiv_sumă-de-control(hash)> este dispozitivul care conține datele de verificare\n"
+"<sumă-de-control(hash)_rădăcină> suma-de-control(hash) a nodului rădăcină de pe <dispozitiv_sumă-de-control(hash)>\n"
+
+#: src/veritysetup.c:520
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Parametrii dm-verity compilați implicit:\n"
+"\tAlgoritmul sumei de control(hash): %s, Bloc de date (octeți): %u, Bloc sumă de control(hash) (octeți): %u,\n"
+"\tDimensiune date «salt»: %u, Formatul sumei de control(hash): %u\n"
+
+#: src/veritysetup.c:658
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
+msgstr "Opțiunile „--ignore-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună."
+
+#: src/veritysetup.c:663
+msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
+msgstr "Opțiunile „--panic-on-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună."
+
+#: src/integritysetup.c:177
+#, c-format
+msgid ""
+"This will overwrite data on %s and %s irrevocably.\n"
+"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
+msgstr ""
+"Acest lucru va suprascrie datele de pe %s și %s în mod irevocabil.\n"
+"Pentru a păstra datele dispozitivului de date, utilizați opțiunea „--no-wipe” (și apoi activați-l cu „--integrity-recalculate”)."
+
+#: src/integritysetup.c:212
+#, c-format
+msgid "Formatted with tag size %u, internal integrity %s.\n"
+msgstr "Formatat cu dimensiunea etichetei %u, integritate internă %s.\n"
+
+#: src/integritysetup.c:289
+msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
+msgstr "Utilizarea fanionului pentru recalculare(...-recalculate) nu este acceptată, luați în considerare utilizarea opțiunii „--wipe” în schimb."
+
+#: src/integritysetup.c:364 src/integritysetup.c:521
+#, c-format
+msgid "Device %s is not a valid INTEGRITY device."
+msgstr "Dispozitivul %s nu este un dispozitiv INTEGRITY valid."
+
+#: src/integritysetup.c:534 src/integritysetup.c:538
+msgid "<integrity_device>"
+msgstr "<dispozitiv_integritate>"
+
+#: src/integritysetup.c:535
+msgid "<integrity_device> <name>"
+msgstr "<dispozitiv_integritate> <nume>"
+
+#: src/integritysetup.c:558
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<integrity_device> is the device containing data with integrity tags\n"
+msgstr ""
+"\n"
+"<nume> este dispozitivul de creat sub %s\n"
+"<dispozitiv_integritate> este dispozitivul care conține date cu etichete de integritate\n"
+
+#: src/integritysetup.c:563
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-integrity parameters:\n"
+"\tChecksum algorithm: %s\n"
+"\tMaximum keyfile size: %dkB\n"
+msgstr ""
+"\n"
+"Parametrii dm-integrity compilați implicit:\n"
+"\tAlgoritmul sumei de control: %s\n"
+"\tDimensiunea maximă a fișierului cheie: %dko\n"
+
+#: src/integritysetup.c:620
+#, c-format
+msgid "Invalid --%s size. Maximum is %u bytes."
+msgstr "Dimensiune nevalidă --%s. Maximul este de %u octeți."
+
+#: src/integritysetup.c:720
+msgid "Both key file and key size options must be specified."
+msgstr "Trebuie specificată atât opțiunea pentru fișierul cheie, cât și opțiunea pentru dimensiunea cheii."
+
+#: src/integritysetup.c:724
+msgid "Both journal integrity key file and key size options must be specified."
+msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de integritate a jurnalului, cât și opțiunea pentru dimensiunea cheii."
+
+#: src/integritysetup.c:727
+msgid "Journal integrity algorithm must be specified if journal integrity key is used."
+msgstr "Algoritmul de integritate a jurnalului trebuie să fie specificat dacă este utilizată cheia de integritate a jurnalului."
+
+#: src/integritysetup.c:731
+msgid "Both journal encryption key file and key size options must be specified."
+msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de criptare a jurnalului, cât și opțiunea pentru dimensiunea cheii."
+
+#: src/integritysetup.c:734
+msgid "Journal encryption algorithm must be specified if journal encryption key is used."
+msgstr "Algoritmul de criptare a jurnalului trebuie să fie specificat dacă este utilizată cheia de criptare a jurnalului."
+
+#: src/integritysetup.c:738
+msgid "Recovery and bitmap mode options are mutually exclusive."
+msgstr "Opțiunile de recuperare și modul de hartă de biți(bitmap) se exclud reciproc."
+
+#: src/integritysetup.c:745
+msgid "Journal options cannot be used in bitmap mode."
+msgstr "Opțiunile jurnalului nu pot fi utilizate în modul de hartă de biți(bitmap)."
+
+#: src/integritysetup.c:750
+msgid "Bitmap options can be used only in bitmap mode."
+msgstr "Opțiunile de hartă de biți(bitmap) pot fi utilizate numai în modul de hartă de biți(bitmap)."
+
+#: src/utils_tools.c:118
+msgid ""
+"\n"
+"WARNING!\n"
+"========\n"
+msgstr ""
+"\n"
+"AVERTISMENT!\n"
+"========\n"
+
+#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
+#: src/utils_tools.c:120
+#, c-format
+msgid ""
+"%s\n"
+"\n"
+"Are you sure? (Type 'yes' in capital letters): "
+msgstr ""
+"%s\n"
+"\n"
+"Sunteți sigur? (Tastați „yes” cu litere mari): "
+
+#: src/utils_tools.c:126
+msgid "Error reading response from terminal."
+msgstr "Eroare la citirea răspunsului de la terminal."
+
+#: src/utils_tools.c:158
+msgid "Command successful."
+msgstr "Comandă reușită."
+
+#: src/utils_tools.c:166
+msgid "wrong or missing parameters"
+msgstr "parametri greșiți sau lipsă"
+
+#: src/utils_tools.c:168
+msgid "no permission or bad passphrase"
+msgstr "fără permisiune sau expresie de acces incorectă"
+
+#: src/utils_tools.c:170
+msgid "out of memory"
+msgstr "memorie insuficientă"
+
+#: src/utils_tools.c:172
+msgid "wrong device or file specified"
+msgstr "dispozitiv sau fișier specificat greșit"
+
+#: src/utils_tools.c:174
+msgid "device already exists or device is busy"
+msgstr "dispozitivul există deja sau dispozitivul este ocupat"
+
+#: src/utils_tools.c:176
+msgid "unknown error"
+msgstr "eroare necunoscută"
+
+#: src/utils_tools.c:178
+#, c-format
+msgid "Command failed with code %i (%s)."
+msgstr "Comanda a eșuat cu codul %i (%s)."
+
+#: src/utils_tools.c:256
+#, c-format
+msgid "Key slot %i created."
+msgstr "Slotul de cheie %i a fost creat."
+
+#: src/utils_tools.c:258
+#, c-format
+msgid "Key slot %i unlocked."
+msgstr "Slotul de cheie %i a fost deblocat."
+
+#: src/utils_tools.c:260
+#, c-format
+msgid "Key slot %i removed."
+msgstr "Slotul de cheie %i a fost eliminat."
+
+#: src/utils_tools.c:269
+#, c-format
+msgid "Token %i created."
+msgstr "Jetonul %i a fost creat."
+
+#: src/utils_tools.c:271
+#, c-format
+msgid "Token %i removed."
+msgstr "Jetonul %i a fost eliminat."
+
+#: src/utils_tools.c:281
+msgid "No token could be unlocked with this PIN."
+msgstr "Niciun jeton(token) nu a putut fi deblocat cu acest cod PIN."
+
+#: src/utils_tools.c:283
+#, c-format
+msgid "Token %i requires PIN."
+msgstr "Jetonul %i necesită un cod PIN."
+
+#: src/utils_tools.c:285
+#, c-format
+msgid "Token (type %s) requires PIN."
+msgstr "Jetonul (tip %s) necesită un cod PIN."
+
+#: src/utils_tools.c:288
+#, c-format
+msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
+msgstr "Jetonul %i nu poate debloca slotul de cheie alocat (frază de acces greșită pentru slotul de cheie)."
+
+#: src/utils_tools.c:290
+#, c-format
+msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
+msgstr "Jetonul (tip %s) nu poate debloca slotul de cheie alocat (frază de acces greșită pentru slotul de cheie)."
+
+#: src/utils_tools.c:293
+#, c-format
+msgid "Token %i requires additional missing resource."
+msgstr "Jetonul %i necesită o resursă suplimentară lipsă."
+
+#: src/utils_tools.c:295
+#, c-format
+msgid "Token (type %s) requires additional missing resource."
+msgstr "Jetonul (tip %s) necesită o resursă suplimentară lipsă."
+
+#: src/utils_tools.c:298
+#, c-format
+msgid "No usable token (type %s) is available."
+msgstr "Nu este disponibil niciun jeton utilizabil (tip %s)."
+
+#: src/utils_tools.c:300
+msgid "No usable token is available."
+msgstr "Nu este disponibil niciun jeton utilizabil."
+
+#: src/utils_tools.c:393
+#, c-format
+msgid "Cannot read keyfile %s."
+msgstr "Nu se poate citi fișierul de chei %s."
+
+#: src/utils_tools.c:398
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s."
+msgstr "Nu se pot citi %d octeți din fișierul de chei %s."
+
+#: src/utils_tools.c:423
+#, c-format
+msgid "Cannot open keyfile %s for write."
+msgstr "Nu se poate deschide fișierul de chei %s pentru scriere."
+
+#: src/utils_tools.c:430
+#, c-format
+msgid "Cannot write to keyfile %s."
+msgstr "Nu se poate scrie în fișierul de chei %s."
+
+#: src/utils_progress.c:74
+#, c-format
+msgid "%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>m%02<PRIu64>s"
+
+#: src/utils_progress.c:76
+#, c-format
+msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+
+#: src/utils_progress.c:78
+#, c-format
+msgid "%02<PRIu64> days"
+msgstr "%02<PRIu64> zile"
+
+#: src/utils_progress.c:105 src/utils_progress.c:138
+#, c-format
+msgid "%4<PRIu64> %s written"
+msgstr "%4<PRIu64> %s scris"
+
+#: src/utils_progress.c:109 src/utils_progress.c:142
+#, c-format
+msgid "speed %5.1f %s/s"
+msgstr "viteza %5.1f %s/s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. 'eol' is always new-line or empty.
+#. See above.
+#.
+#: src/utils_progress.c:118
+#, c-format
+msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
+msgstr "Progres: %5.1f%%, AMR %s, %s, %s%s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. See above
+#.
+#: src/utils_progress.c:150
+#, c-format
+msgid "Finished, time %s, %s, %s\n"
+msgstr "Terminat în: %s, %s, %s\n"
+
+#: src/utils_password.c:41 src/utils_password.c:72
+#, c-format
+msgid "Cannot check password quality: %s"
+msgstr "Nu se poate verifica calitatea parolei: %s"
+
+#: src/utils_password.c:49
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s"
+msgstr ""
+"Verificarea calității parolei a eșuat:\n"
+" %s"
+
+#: src/utils_password.c:79
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)"
+msgstr "Verificarea calității parolei a eșuat: frază de acces greșită (%s)"
+
+#: src/utils_password.c:230 src/utils_password.c:244
+msgid "Error reading passphrase from terminal."
+msgstr "Eroare la citirea frazei de acces de la terminal."
+
+#: src/utils_password.c:242
+msgid "Verify passphrase: "
+msgstr "Verifică fraza de acces: "
+
+#: src/utils_password.c:249
+msgid "Passphrases do not match."
+msgstr "Frazele de acces nu se potrivesc."
+
+#: src/utils_password.c:287
+msgid "Cannot use offset with terminal input."
+msgstr "Nu se poate utiliza decalajul cu intrarea terminalului."
+
+#: src/utils_password.c:291
+#, c-format
+msgid "Enter passphrase: "
+msgstr "Introduceți fraza de acces: "
+
+#: src/utils_password.c:294
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Introduceți fraza de acces pentru %s: "
+
+#: src/utils_password.c:328
+msgid "No key available with this passphrase."
+msgstr "Nu este disponibilă nicio cheie cu această frază de acces."
+
+#: src/utils_password.c:330
+msgid "No usable keyslot is available."
+msgstr "Nu este disponibil niciun slot de cheie utilizabil."
+
+#: src/utils_luks.c:67
+msgid "Can't do passphrase verification on non-tty inputs."
+msgstr "Nu se poate face verificarea frazei de acces pe intrări non-tty."
+
+#: src/utils_luks.c:182
+#, c-format
+msgid "Failed to open file %s in read-only mode."
+msgstr "Nu s-a putut deschide fișierul %s în modul numai-pentru-citire."
+
+#: src/utils_luks.c:195
+msgid "Provide valid LUKS2 token JSON:\n"
+msgstr "Furnizați un jeton(token) JSON LUKS2 valid:\n"
+
+#: src/utils_luks.c:202
+msgid "Failed to read JSON file."
+msgstr "Nu s-a putut citi fișierul JSON."
+
+#: src/utils_luks.c:207
+msgid ""
+"\n"
+"Read interrupted."
+msgstr ""
+"\n"
+"Citire întreruptă."
+
+#: src/utils_luks.c:248
+#, c-format
+msgid "Failed to open file %s in write mode."
+msgstr "Nu s-a putut deschide fișierul %s în modul de scriere."
+
+#: src/utils_luks.c:257
+msgid ""
+"\n"
+"Write interrupted."
+msgstr ""
+"\n"
+"Scriere întreruptă."
+
+#: src/utils_luks.c:261
+msgid "Failed to write JSON file."
+msgstr "Nu s-a putut scrie fișierul JSON."
+
+#: src/utils_reencrypt.c:120
+#, c-format
+msgid "Auto-detected active dm device '%s' for data device %s.\n"
+msgstr "Dispozitiv dm activ „%s” detectat automat pentru dispozitivul de date %s.\n"
+
+# R-GC, scrie:
+# ceva mă face să cred că:
+# „holders”, ar trebui tradus de fapt,
+# ca „locatarii” (ghilimelele inclusiv).
+# Cred că de fapt autorii se referă
+# la ocupanții dispozitivului:
+# date normale, fișiere de antete de...,
+# fișiere de chei, fișiere de sume
+# de control, fișiere de draci și laci....
+#: src/utils_reencrypt.c:124
+#, c-format
+msgid "Failed to auto-detect device %s holders."
+msgstr "Nu s-au putut detecta automat deținătorii dispozitivului %s."
+
+#: src/utils_reencrypt.c:130
+#, c-format
+msgid "Device %s is not a block device.\n"
+msgstr "Dispozitivul %s nu este un dispozitiv de blocuri.\n"
+
+#: src/utils_reencrypt.c:132
+#, c-format
+msgid ""
+"Unable to decide if device %s is activated or not.\n"
+"Are you sure you want to proceed with reencryption in offline mode?\n"
+"It may lead to data corruption if the device is actually activated.\n"
+"To run reencryption in online mode, use --active-name parameter instead.\n"
+msgstr ""
+"Nu se poate decide dacă dispozitivul %s este activat sau nu.\n"
+"Sunteți sigur că doriți să continuați cu recriptarea în modul offline?\n"
+"Poate duce la coruperea datelor dacă dispozitivul este activat în acest moment.\n"
+"Pentru a rula recriptarea în modul online, utilizați în schimb parametrul „--active-name”.\n"
+
+#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#, c-format
+msgid ""
+"Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
+msgstr ""
+"Dispozitivul %s nu este un dispozitiv de blocuri. Nu se poate detecta automat dacă este activ sau nu.\n"
+"Utilizați „--force-offline-reencrypt” pentru a ocoli verificarea și rulați în modul offline (periculos!)."
+
+#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
+#: src/utils_reencrypt.c:231
+msgid "Requested --resilience option cannot be applied to current reencryption operation."
+msgstr "Opțiunea „--resilience” solicitată nu poate fi aplicată operațiunii curente de recriptare."
+
+#: src/utils_reencrypt.c:203
+msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
+msgstr "Dispozitivul nu este în criptare LUKS2. Opțiune în conflict „--encrypt”."
+
+#: src/utils_reencrypt.c:208
+msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
+msgstr "Dispozitivul nu este în decriptare LUKS2. Opțiune în conflict „--decrypt”."
+
+#: src/utils_reencrypt.c:215
+msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
+msgstr "Dispozitivul este în recriptare folosind adaptabilitatea la transferul de date. Opțiunea „--resilience” solicitată nu poate fi aplicată."
+
+#: src/utils_reencrypt.c:293
+msgid "Device requires reencryption recovery. Run repair first."
+msgstr "Dispozitivul necesită recuperarea recriptării. Rulați mai întâi operația de reparare."
+
+#: src/utils_reencrypt.c:307
+#, c-format
+msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
+msgstr "Dispozitivul %s este deja în recriptare LUKS2. Doriți să reluați operația inițializată anterior?"
+
+#: src/utils_reencrypt.c:353
+msgid "Legacy LUKS2 reencryption is no longer supported."
+msgstr "Recriptarea veche LUKS2 nu mai este acceptată."
+
+#: src/utils_reencrypt.c:418
+msgid "Reencryption of device with integrity profile is not supported."
+msgstr "Recriptarea dispozitivului cu profil de integritate nu este acceptată."
+
+#: src/utils_reencrypt.c:449
+#, c-format
+msgid ""
+"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
+"(block size: %<PRIu32> bytes) detected on device %s."
+msgstr ""
+"Solicitarea făcută cu opțiunea „--sector-size %<PRIu32>” este incompatibilă cu superblocul %s\n"
+"(dimensiunea blocului: %<PRIu32> octeți) detectat pe dispozitivul %s."
+
+#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391
+msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
+msgstr "Criptarea fără antet detașat (--header) nu este posibilă fără reducerea dimensiunii dispozitivului de date (--reduce-device-size)."
+
+#: src/utils_reencrypt.c:525
+msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
+msgstr "Decalajul de date solicitat trebuie să fie mai mic sau egal cu jumătate din parametrul opțiunii „--reduce-device-size”."
+
+#: src/utils_reencrypt.c:535
+#, c-format
+msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
+msgstr "Ajustarea valorii „--reduce-device-size” la de două ori față de „--offset %<PRIu64> (sectoare)”.\n"
+
+#: src/utils_reencrypt.c:565
+#, c-format
+msgid "Temporary header file %s already exists. Aborting."
+msgstr "Fișierul antet temporar %s există deja. Se abandonează."
+
+#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574
+#, c-format
+msgid "Cannot create temporary header file %s."
+msgstr "Nu se poate crea fișierul antet temporar %s."
+
+#: src/utils_reencrypt.c:599
+msgid "LUKS2 metadata size is larger than data shift value."
+msgstr "Dimensiunea metadatelor LUKS2 este mai mare decât valoarea decalajului de date."
+
+#: src/utils_reencrypt.c:636
+#, c-format
+msgid "Failed to place new header at head of device %s."
+msgstr "Nu s-a putut plasa antetul nou la începutul dispozitivului %s."
+
+#: src/utils_reencrypt.c:646
+#, c-format
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s este acum activ și pregătit pentru criptarea online.\n"
+
+#: src/utils_reencrypt.c:682
+#, c-format
+msgid "Active device %s is not LUKS2."
+msgstr "Dispozitivul activ %s nu este LUKS2."
+
+#: src/utils_reencrypt.c:710
+msgid "Restoring original LUKS2 header."
+msgstr "Se restabilește antetul LUKS2 original."
+
+#: src/utils_reencrypt.c:718
+msgid "Original LUKS2 header restore failed."
+msgstr "Restaurarea antetului LUKS2 original a eșuat."
+
+#: src/utils_reencrypt.c:744
+#, c-format
+msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
+msgstr "Fișierul antet %s nu există. Doriți să inițializați decriptarea LUKS2 a dispozitivului %s și să exportați antetul LUKS2 în fișierul %s?"
+
+#: src/utils_reencrypt.c:792
+msgid "Failed to add read/write permissions to exported header file."
+msgstr "Nu s-au putut adăuga permisiuni de citire/scriere la fișierul antet exportat."
+
+#: src/utils_reencrypt.c:845
+#, c-format
+msgid "Reencryption initialization failed. Header backup is available in %s."
+msgstr "Inițializarea recriptării a eșuat. Copia de rezervă a antetului este disponibilă în %s."
+
+#: src/utils_reencrypt.c:873
+msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
+msgstr "Decriptarea LUKS2 este acceptată numai cu dispozitivul antet detașat (cu decalajul de date fixat la 0)."
+
+#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017
+msgid "Not enough free keyslots for reencryption."
+msgstr "Nu sunt suficiente sloturi de chei liberee pentru recriptare."
+
+#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Fișierul de cheie poate fi utilizat numai cu opțiunea „--key-slot” sau cu exact un slot de cheie activ."
+
+#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147
+#: src/utils_reencrypt_luks1.c:1158
+#, c-format
+msgid "Enter passphrase for key slot %d: "
+msgstr "Introduceți fraza de acces pentru slotul de cheie %d: "
+
+#: src/utils_reencrypt.c:1059
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Introduceți fraza de acces pentru slotul de cheie %u: "
+
+#: src/utils_reencrypt.c:1111
+#, c-format
+msgid "Switching data encryption cipher to %s.\n"
+msgstr "Se comută cifrul de criptare a datelor la %s.\n"
+
+#: src/utils_reencrypt.c:1165
+msgid "No data segment parameters changed. Reencryption aborted."
+msgstr "Nu s-au modificat parametrii de segment de date. Recriptarea a fost abandonată."
+
+#: src/utils_reencrypt.c:1267
+msgid ""
+"Encryption sector size increase on offline device is not supported.\n"
+"Activate the device first or use --force-offline-reencrypt option (dangerous!)."
+msgstr ""
+"Creșterea dimensiunii sectorului de criptare pe dispozitivul offline nu este acceptată.\n"
+"Activați mai întâi dispozitivul sau utilizați opțiunea „--force-offline-reencrypt” (periculos!)."
+
+#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726
+#: src/utils_reencrypt_luks1.c:798
+msgid ""
+"\n"
+"Reencryption interrupted."
+msgstr ""
+"\n"
+"Recriptarea a fost întreruptă."
+
+#: src/utils_reencrypt.c:1312
+msgid "Resuming LUKS reencryption in forced offline mode.\n"
+msgstr "Reluarea recriptării LUKS în modul offline forțat.\n"
+
+#: src/utils_reencrypt.c:1329
+#, c-format
+msgid "Device %s contains broken LUKS metadata. Aborting operation."
+msgstr "Dispozitivul %s conține metadate LUKS deteriorate. Se abandonează operația."
+
+#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367
+#, c-format
+msgid "Device %s is already LUKS device. Aborting operation."
+msgstr "Dispozitivul %s este deja un dispozitiv LUKS. Se abandonează operația."
+
+#: src/utils_reencrypt.c:1373
+#, c-format
+msgid "Device %s is already in LUKS reencryption. Aborting operation."
+msgstr "Dispozitivul %s este deja în recriptare LUKS. Se abandonează operația."
+
+#: src/utils_reencrypt.c:1453
+msgid "LUKS2 decryption requires --header option."
+msgstr "Decriptarea LUKS2 necesită opțiunea „--header”."
+
+#: src/utils_reencrypt.c:1501
+msgid "Command requires device as argument."
+msgstr "Comanda necesită un dispozitiv ca argument."
+
+#: src/utils_reencrypt.c:1514
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS1."
+msgstr "Versiuni în conflict. Dispozitivul %s este LUKS1."
+
+#: src/utils_reencrypt.c:1520
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
+msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS1."
+
+#: src/utils_reencrypt.c:1526
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS2."
+msgstr "Versiuni în conflict. Dispozitivul %s este LUKS2."
+
+#: src/utils_reencrypt.c:1532
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
+msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS2."
+
+#: src/utils_reencrypt.c:1538
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr "Recriptarea LUKS2 a fost deja inițializată. Se abandonează operația."
+
+#: src/utils_reencrypt.c:1545
+msgid "Device reencryption not in progress."
+msgstr "Recriptarea dispozitivului nu este în curs de desfășurare."
+
+#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#, c-format
+msgid "Cannot exclusively open %s, device in use."
+msgstr "Nu se poate deschide exclusiv %s, dispozitiv în uz."
+
+#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+msgid "Allocation of aligned memory failed."
+msgstr "Alocarea memoriei aliniate a eșuat."
+
+#: src/utils_reencrypt_luks1.c:150
+#, c-format
+msgid "Cannot read device %s."
+msgstr "Nu se poate citi dispozitivul %s."
+
+#: src/utils_reencrypt_luks1.c:161
+#, c-format
+msgid "Marking LUKS1 device %s unusable."
+msgstr "Se marchează dispozitivul LUKS1 %s ca neutilizabil."
+
+#: src/utils_reencrypt_luks1.c:177
+#, c-format
+msgid "Cannot write device %s."
+msgstr "Nu se poate scrie dispozitivul %s."
+
+#: src/utils_reencrypt_luks1.c:226
+msgid "Cannot write reencryption log file."
+msgstr "Nu se poate scrie fișierul jurnalului de recriptare."
+
+#: src/utils_reencrypt_luks1.c:282
+msgid "Cannot read reencryption log file."
+msgstr "Nu se poate citii fișierul jurnalului de recriptare."
+
+#: src/utils_reencrypt_luks1.c:293
+msgid "Wrong log format."
+msgstr "Format de jurnal greșit."
+
+#: src/utils_reencrypt_luks1.c:320
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Fișierul jurnal %s există, reluând recriptarea.\n"
+
+#: src/utils_reencrypt_luks1.c:369
+msgid "Activating temporary device using old LUKS header."
+msgstr "Se activează dispozitivul temporar folosind antetul LUKS vechi."
+
+#: src/utils_reencrypt_luks1.c:379
+msgid "Activating temporary device using new LUKS header."
+msgstr "Se activează dispozitivul temporar folosind antetul LUKS nou."
+
+#: src/utils_reencrypt_luks1.c:389
+msgid "Activation of temporary devices failed."
+msgstr "Activarea dispozitivelor temporare a eșuat."
+
+#: src/utils_reencrypt_luks1.c:449
+msgid "Failed to set data offset."
+msgstr "Nu s-a putut definii decalajul de date."
+
+#: src/utils_reencrypt_luks1.c:455
+msgid "Failed to set metadata size."
+msgstr "Nu s-a putut definii dimensiunea metadatelor."
+
+#: src/utils_reencrypt_luks1.c:463
+#, c-format
+msgid "New LUKS header for device %s created."
+msgstr "A fost creat un nou antet LUKS pentru dispozitivul %s."
+
+#: src/utils_reencrypt_luks1.c:500
+#, c-format
+msgid "%s header backup of device %s created."
+msgstr "A fost creată o copie de rezervă a antetului %s pentru dispozitivul %s."
+
+#: src/utils_reencrypt_luks1.c:556
+msgid "Creation of LUKS backup headers failed."
+msgstr "Crearea antetelor de rezervă LUKS a eșuat."
+
+#: src/utils_reencrypt_luks1.c:685
+#, c-format
+msgid "Cannot restore %s header on device %s."
+msgstr "Nu se poate restabili antetul %s pe dispozitivul %s."
+
+#: src/utils_reencrypt_luks1.c:687
+#, c-format
+msgid "%s header on device %s restored."
+msgstr "Antetul %s de pe dispozitivul %s a fost restaurat."
+
+#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+msgid "Cannot open temporary LUKS device."
+msgstr "Nu se poate deschide dispozitivul LUKS temporar."
+
+#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+msgid "Cannot get device size."
+msgstr "Nu se poate obține dimensiunea dispozitivului."
+
+#: src/utils_reencrypt_luks1.c:968
+msgid "IO error during reencryption."
+msgstr "Eroare de In/Ieș în timpul recriptării."
+
+#: src/utils_reencrypt_luks1.c:998
+msgid "Provided UUID is invalid."
+msgstr "UUID-ul furnizat nu este valid."
+
+#: src/utils_reencrypt_luks1.c:1224
+msgid "Cannot open reencryption log file."
+msgstr "Nu se poate deschide fișierul jurnalului de recriptare."
+
+#: src/utils_reencrypt_luks1.c:1230
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
+msgstr "Nicio decriptare nu este în curs de desfășurare, UUID-ul furnizat poată să fie utilizat doar pentru a relua procesul de decriptare suspendat."
+
+#: src/utils_reencrypt_luks1.c:1286
+#, c-format
+msgid "Reencryption will change: %s%s%s%s%s%s."
+msgstr "Recriptarea se va modifica: %s%s%s%s%s%s."
+
+#: src/utils_reencrypt_luks1.c:1287
+msgid "volume key"
+msgstr "cheia de volum"
+
+#: src/utils_reencrypt_luks1.c:1289
+msgid "set hash to "
+msgstr "stabilește suma de control(hash) la "
+
+#: src/utils_reencrypt_luks1.c:1290
+msgid ", set cipher to "
+msgstr ", stabilește cifrarea la "
+
+#: src/utils_blockdev.c:189
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
+msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură de partiție „%s”.\n"
+
+#: src/utils_blockdev.c:197
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
+msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură superbloc „%s”.\n"
+
+#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+msgid "Failed to initialize device signature probes."
+msgstr "Nu s-au inițializat probele de semnătură a dispozitivului."
+
+#: src/utils_blockdev.c:274
+#, c-format
+msgid "Failed to stat device %s."
+msgstr "Nu s-a putut obține starea dispozitivului %s."
+
+#: src/utils_blockdev.c:289
+#, c-format
+msgid "Failed to open file %s in read/write mode."
+msgstr "Nu s-a putut deschide fișierul %s în modul citire/scriere."
+
+#: src/utils_blockdev.c:307
+#, c-format
+msgid "Existing '%s' partition signature on device %s will be wiped."
+msgstr "Semnătura partiției „%s” existentă pe dispozitivul %s va fi ștearsă."
+
+#: src/utils_blockdev.c:310
+#, c-format
+msgid "Existing '%s' superblock signature on device %s will be wiped."
+msgstr "Semnătura superblocului „%s” existentă pe dispozitivul %s va fi ștearsă."
+
+#: src/utils_blockdev.c:313
+msgid "Failed to wipe device signature."
+msgstr "Nu s-a putut șterge semnătura dispozitivului."
+
+#: src/utils_blockdev.c:320
+#, c-format
+msgid "Failed to probe device %s for a signature."
+msgstr "Nu s-a putut verifica dispozitivul %s pentru o semnătură."
+
+#: src/utils_args.c:65
+#, c-format
+msgid "Invalid size specification in parameter --%s."
+msgstr "Specificație de dimensiune nevalidă în parametrul „--%s”."
+
+#: src/utils_args.c:125
+#, c-format
+msgid "Option --%s is not allowed with %s action."
+msgstr "Opțiunea „--%s” nu este permisă cu acțiunea %s."
+
+#: tokens/ssh/cryptsetup-ssh.c:110
+msgid "Failed to write ssh token json."
+msgstr "Nu s-a putut scrie jetonul ssh în format JSON."
+
+#: tokens/ssh/cryptsetup-ssh.c:128
+msgid ""
+"Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n"
+"\n"
+"Specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device.\n"
+"Provided credentials will be used by cryptsetup to get the password when opening the device using the token.\n"
+"\n"
+"Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext."
+msgstr ""
+"Modul de criptare experimentală pentru deblocarea dispozitivelor LUKS2 cu jeton(token) conectat la un server SSH\v Acest modul permite în prezent doar adăugarea unui jeton(token) la un slot de cheie existent.\n"
+"\n"
+"Serverul SSH specificat trebuie să conțină un fișier cheie în calea specificată, cu o frază de acces pentru un slot de cheie existent pe dispozitiv.\n"
+"Acreditările furnizate vor fi folosite de «cryptsetup» pentru a obține parola atunci când deschideți dispozitivul folosind jetonul(token).\n"
+"\n"
+"Notă: Informațiile furnizate la adăugarea jetonului(token) (adresa serverului SSH, utilizatorul și căile) vor fi stocate în antetul LUKS2 în text clar."
+
+#: tokens/ssh/cryptsetup-ssh.c:138
+msgid "<action> <device>"
+msgstr "<acțiune> <dispozitiv>"
+
+#: tokens/ssh/cryptsetup-ssh.c:141
+msgid "Options for the 'add' action:"
+msgstr "Opțiuni pentru acțiunea „add”:"
+
+#: tokens/ssh/cryptsetup-ssh.c:142
+msgid "IP address/URL of the remote server for this token"
+msgstr "Adresa IP/URL a serverului de la distanță pentru acest jeton(token)"
+
+#: tokens/ssh/cryptsetup-ssh.c:143
+msgid "Username used for the remote server"
+msgstr "Nume de utilizator folosit pentru serverul de la distanță"
+
+#: tokens/ssh/cryptsetup-ssh.c:144
+msgid "Path to the key file on the remote server"
+msgstr "Calea către fișierul de cheie din serverul de la distanță"
+
+#: tokens/ssh/cryptsetup-ssh.c:145
+msgid "Path to the SSH key for connecting to the remote server"
+msgstr "Calea către cheia SSH pentru conectarea la serverul de la distanță"
+
+#: tokens/ssh/cryptsetup-ssh.c:146
+msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
+msgstr "Slotul de cheie căruia să îi atribuiți jetonul. Dacă nu este specificat, jetonul va fi atribuit primei fraze de acces furnizate care se potrivește cu slotul de cheie."
+
+#: tokens/ssh/cryptsetup-ssh.c:148
+msgid "Generic options:"
+msgstr "Opțiuni generice:"
+
+#: tokens/ssh/cryptsetup-ssh.c:149
+msgid "Shows more detailed error messages"
+msgstr "Afișează mesaje de eroare mult mai detaliate"
+
+#: tokens/ssh/cryptsetup-ssh.c:150
+msgid "Show debug messages"
+msgstr "Afișează mesajele de depanare"
+
+#: tokens/ssh/cryptsetup-ssh.c:151
+msgid "Show debug messages including JSON metadata"
+msgstr "Afișează mesajele de depanare, inclusiv metadate JSON"
+
+#: tokens/ssh/cryptsetup-ssh.c:262
+msgid "Failed to open and import private key:\n"
+msgstr "Nu s-a putut deschide și importa cheia privată:\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:266
+msgid "Failed to import private key (password protected?).\n"
+msgstr "Nu s-a putut importa cheia privată (protejată prin parolă?).\n"
+
+#. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
+#: tokens/ssh/cryptsetup-ssh.c:268
+#, c-format
+msgid "%s@%s's password: "
+msgstr "Parola pentru %s@%s: "
+
+#: tokens/ssh/cryptsetup-ssh.c:357
+#, c-format
+msgid "Failed to parse arguments.\n"
+msgstr "Argumentele nu au putut fi analizate.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:368
+#, c-format
+msgid "An action must be specified\n"
+msgstr "Trebuie specificată o acțiune\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:374
+#, c-format
+msgid "Device must be specified for '%s' action.\n"
+msgstr "Trebuie specificat dispozitivul pentru acțiunea „%s”.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:379
+#, c-format
+msgid "SSH server must be specified for '%s' action.\n"
+msgstr "Serverul SSH trebuie să fie specificat pentru acțiunea „%s”.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:384
+#, c-format
+msgid "SSH user must be specified for '%s' action.\n"
+msgstr "Trebuie specificat utilizatorul SSH pentru acțiunea „%s”.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:389
+#, c-format
+msgid "SSH path must be specified for '%s' action.\n"
+msgstr "Trebuie specificată calea SSH pentru acțiunea „%s”.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:394
+#, c-format
+msgid "SSH key path must be specified for '%s' action.\n"
+msgstr "Trebuie specificată calea cheii SSH pentru acțiunea „%s”.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:401
+#, c-format
+msgid "Failed open %s using provided credentials.\n"
+msgstr "Nu s-a putut deschide %s folosind acreditările furnizate.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:417
+#, c-format
+msgid "Only 'add' action is currently supported by this plugin.\n"
+msgstr "Doar acțiunea „addi” este suportată în prezent de acest modul.\n"
+
+#: tokens/ssh/ssh-utils.c:46
+msgid "Cannot create sftp session: "
+msgstr "Nu se poate crea sesiunea sftp: "
+
+#: tokens/ssh/ssh-utils.c:53
+msgid "Cannot init sftp session: "
+msgstr "Nu se poate iniția sesiunea sftp: "
+
+#: tokens/ssh/ssh-utils.c:59
+msgid "Cannot open sftp session: "
+msgstr "Nu se poate deschide sesiunea sftp: "
+
+#: tokens/ssh/ssh-utils.c:66
+msgid "Cannot stat sftp file: "
+msgstr "Nu se poate stabili starea fișierului sftp: "
+
+#: tokens/ssh/ssh-utils.c:74
+msgid "Not enough memory.\n"
+msgstr "Nu este suficientă memorie.\n"
+
+#: tokens/ssh/ssh-utils.c:81
+msgid "Cannot read remote key: "
+msgstr "Nu se poate citi cheia de la distanță: "
+
+#: tokens/ssh/ssh-utils.c:122
+msgid "Connection failed: "
+msgstr "Conexiunea a eșuat: "
+
+#: tokens/ssh/ssh-utils.c:132
+msgid "Server not known: "
+msgstr "Server necunoscut: "
+
+#: tokens/ssh/ssh-utils.c:160
+msgid "Public key auth method not allowed on host.\n"
+msgstr "Metoda de autentificare cu cheie publică nu este permisă pe gazdă.\n"
+
+#: tokens/ssh/ssh-utils.c:171
+msgid "Public key authentication error: "
+msgstr "Eroare la autentificarea cu cheia publică: "
diff --git a/po/ru.po b/po/ru.po
index e8760c2..1133486 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -4,13 +4,13 @@ # # Rosetta Contributors and Canonical Ltd <EMAIL@ADDRESS>, 2007. # Eugene Roskin <Unknown>, 2016. -# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019, 2020, 2021. +# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019, 2020, 2021, 2022, 2023. msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-15 02:38+0300\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-04 15:38+0300\n" "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n" "Language-Team: Russian <gnu@d07.ru>\n" "Language: ru\n" 
@@ -22,67 +22,71 @@ msgstr "" "X-Generator: Lokalize 20.12.0\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Не удалось инициализировать device-mapper, выполняется без прав суперпользователя." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Не удалось инициализировать device-mapper. Загружен ли модуль ядра dm_mod?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Запрошенный флаг отсрочки не поддерживается." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "У устройства %s был обрезан DM-UUID." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Неизвестный тип цели dm." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Запрошенные параметры производительности dm-crypt не поддерживаются." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Запрошенные параметры обработки повреждённых данных dm-verify не поддерживаются." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Запрошенный параметр tasklets dm-verify не поддерживается." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." 
msgstr "Запрошенные параметры FEC dm-verify не поддерживаются." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Запрошенные параметры целостности данных не поддерживаются." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Запрошенный параметр sector_size не поддерживается." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Запрошенный автоматический пересчёт тегов целостности не поддерживается." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM не поддерживается." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Запрошенный режим битовой карты dm-integrity не поддерживается." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Ошибка при запросе сегмента dm-%s." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -90,576 +94,611 @@ msgstr "" "При генерации ключа тома в системе закончились данные энтропии.\n" "Подвигайте мышь или наберите любой текст в другом окне, чтобы возникли случайные события.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Генерация ключа (выполнена на %d%%).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Выполнение в режиме FIPS." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "При инициализации RNG возникла критическая ошибка." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Запрошено неизвестное качество RNG." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Ошибка чтения из RNG." -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Невозможно инициализировать внутренний интерфейс crypto RNG." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Невозможно инициализировать внутренний интерфейс crypto." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Алгоритм хэширования %s не поддерживается." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Ошибка обработки ключа (используется хэш %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Невозможно определить тип устройства. Несовместимая активация устройства?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "Эта операция поддерживается только для устройства LUKS." 
-#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Эта операция поддерживается только для устройства LUKS2." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Заполнены все слоты ключей." -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Некорректный слот ключа %d, укажите значение между 0 и %d." -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Слот ключа %d заполнен, выберите другой." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "Размер устройства не выровнен к размеру логического блока устройства." -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "Обнаружен заголовок, но устройство %s слишком маленькое." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Эта операция не поддерживается для этого типа устройств." -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "Недопустимая операция во время работы перешифрования." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Не удалось откатиться на метаданные LUKS2 в памяти." 
+ +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Устройство %s не является корректным устройством LUKS." + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Неподдерживаемая версия LUKS %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "Устройство %s не активно." -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Исчезло нижележащее устройство у устройства crypt %s." -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "Неверные параметры plain crypt." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "Неверный размер ключа." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "Для данного типа crypt UUID не поддерживается." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "Устройство с отсоединёнными метаданными не поддерживается для этого типа crypt." 
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Неподдерживаемый размер сектора шифрования." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "Размер устройства не выровнен к запрошенному размеру сектора." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "Невозможно отформатировать LUKS без устройства." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." msgstr "Запрошенный тип выравнивания данных не совместим со смещением данных." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "ПРЕДУПРЕЖДЕНИЕ: смещение данных находится за пределами доступного в данный момент устройства данных.\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "невозможно затереть заголовок на устройстве %s." 
-#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Устройство %s слишком маленькое для активации, не хватает места для данных.\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: Активация устройства завершится ошибкой, так как отсутствует поддержка dm-crypt для запрошенного размера сектора шифрования.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Ключ тома слишком мал для шифрования с целостными расширениями." -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Шифр %s-%s (размер ключа %zd бит) недоступен." -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: размер метаданных LUKS2 изменился и стал %<PRIu64> байт.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: размер слотов ключа LUKS2 изменился и стал %<PRIu64> байт.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Устройство %s слишком маленькое." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "Невозможно отформатировать устройство %s, которое используется." 
-#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Невозможно отформатировать устройство %s, недостаточно прав." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "Невозможно отформатировать целостность для устройства %s." -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "Невозможно отформатировать устройство %s." -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "Невозможно отформатировать LOOPAES без устройства." -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "Невозможно отформатировать VERITY без устройства." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Неподдерживаемый тип хэша %d для VERITY." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Неподдерживаемый размер блока для VERITY." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Неподдерживаемое смещение хэша для VERITY." -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "Неподдерживаемое смещение FEC для VERITY." -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "Область данных перекрывает области хэша." -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "Область хэша перекрывает область FEC." -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "Область данных перекрывает область FEC." 
-#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: запрошенный размер тега в %d байт отличается от выходного размера %s (%d байт).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Запрошен неизвестный тип устройства crypt %s." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "Неподдерживаемые параметры для устройства %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Несовпадение параметров для устройства %s." -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Несоответствие устройств crypt." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Ошибка при перезагрузке устройства %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Ошибка при приостановке устройства %s." 
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Ошибка при возобновлении работы устройства %s." -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Критическая ошибка при перезагрузке устройства %s (поверх устройства %s)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Ошибка при переключении устройства %s на dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "Невозможно изменить размер закольцованного (loop) устройства." -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "ПРЕДУПРЕЖДЕНИЕ: максимальный размер уже задан или ядро не поддерживает изменение размера.\n" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Изменение размера невозможно, не поддерживается ядром." + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "Вы действительно хотите изменить UUID устройства?" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "Файл резервного заголовка не содержит заголовка совместимого с LUKS." -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "Том %s не активен." -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "Том %s уже приостановлен." -#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." 
msgstr "Приостановка не поддерживается устройством %s." -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "Ошибка во время приостановки устройства %s." -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "Возобновление не поддерживается устройством %s." -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "Ошибка во время возобновления устройства %s." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Том %s не приостановлен." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Ключ тома не подходит к тому." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Невозможно добавить слот ключа, все слоты отключены и не предоставлен ключ тома." - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "Ошибка при переключении на новый слот ключа." -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "Некорректный слот ключа %d." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "Слот ключа %d не активен." 
-#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "Заголовок устройства перекрывает область данных." -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." msgstr "Выполняется перешифрование. Невозможно активировать устройство." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Ошибка при получении блокировки перешифрования." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "Ошибка восстановления перешифрования LUKS2." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "Тип устройства инициализирован неправильно." -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "Устройство %s уже существует." -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Невозможно использовать устройство %s, некорректное имя или оно всё ещё используется." -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "Для устройства plain указан некорректный ключ тома." -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." msgstr "Некорректный корневой хэш для указанного устройства verity." -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "Требуется подпись корневого хэша." -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Отсутствует связка ключей ядра: требуется для передачи подписи в ядро." 
-#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "Ошибка при загрузке ключа в связку ключей ядра." -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Не удалось отменить отложенное удаление с устройства %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Устройство %s всё ещё используется." -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "Неверное устройство %s." -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "Буфер ключа тома слишком мал." -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Невозможно получить ключ тома для устройства LUKS2." + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Невозможно получить ключ тома для устройства LUKS1." + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "Невозможно получить ключ тома для устройства plain." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "Невозможно получить корневой хэш для устройства verity." -#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Невозможно получить ключ тома для устройства BITLK." + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Невозможно получить ключ тома для устройства FVAULT2." + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Эта операция не поддерживается для устройства crypt %s." 
-#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "Операция дампа не поддерживается для устройства этого типа." -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Смещение данных не кратно %u байтам." -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Невозможно преобразовать устройство %s, которое всё ещё используется." -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Ошибка при назначении слота ключа %u в качестве нового ключа тома." -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Ошибка при инициализации параметров слота ключа по умолчанию LUKS2." -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Ошибка при назначении слота ключа %d дайджесту." -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "Невозможно добавить слот ключа, все слоты отключены и не предоставлен ключ тома." + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "Связка ключей ядра не поддерживается ядром." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Не удалось прочитать парольную фразу из связки ключей (ошибка %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Не удалось захватить глобальную блокировку сериализации доступа на скорости памяти (memory-hard)." -#: lib/utils.c:80 -msgid "Cannot get process priority." 
-msgstr "Невозможно получить приоритет процесса." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Невозможно разблокировать память." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Не удалось открыть файл ключа." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Невозможно прочитать файл ключа с терминала." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Не удалось выполнить stat для файла ключа." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Невозможно переместиться по запрошенному смещению в файле ключа." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "Не хватило памяти при чтении парольной фразы." -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Ошибка чтения парольной фразы." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Нет ничего для чтения со стандартного ввода." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Превышен максимальный размер файла ключа." -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "невозможно прочитать запрошенное количество данных." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "Устройство %s не существует или отказано в доступе." 
-#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "Устройство %s несовместимо." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Игнорируется фиктивный размер optimal-io для устройства данных (%u байт)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "Устройство %s слишком маленькое. Требуется не менее %<PRIu64> байт." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Невозможно использовать устройство %s, которое используется (отображено или примонтировано)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Невозможно использовать устройство %s, недостаточно прав." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "Невозможно получить информацию об устройстве %s." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Невозможно использовать закольцованное устройство, выполняется без прав суперпользователя." -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Ошибка при присоединении закольцованного устройства (требуется закольцованное устройство с флагом autoclear)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Запрошенный размер вне реального размера устройства %s." -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Устройство %s имеет нулевой размер." 
@@ -713,40 +752,35 @@ msgstr "Запрошенное количество параллельных н
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "В режиме FIPS поддерживается только PBKDF2."
 
-#: lib/utils_benchmark.c:172
+#: lib/utils_benchmark.c:175
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "Оценка производительности PBKDF выключена, но не задано количество итераций."
 
-#: lib/utils_benchmark.c:191
+#: lib/utils_benchmark.c:194
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Несовместимые параметры PBKDF2 (используется алгоритм хэширования %s)."
 
-#: lib/utils_benchmark.c:211
+#: lib/utils_benchmark.c:214
 msgid "Not compatible PBKDF options."
 msgstr "Несовместимые параметры PBKDF."
 
-#: lib/utils_device_locking.c:102
+#: lib/utils_device_locking.c:101
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Блокировка прервана. Путь блокировки %s/%s использовать невозможно (не является каталогом или отсутствует)."
 
-#: lib/utils_device_locking.c:109
-#, c-format
-msgid "Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr "Будет создан блокирующий каталог %s/%s с правами по умолчанию, заданными при сборке программы."
-
-#: lib/utils_device_locking.c:119
+#: lib/utils_device_locking.c:118
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Блокировка прервана. Путь блокировки %s/%s использовать невозможно (%s не является каталогом)."
 
-#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922
-#: src/cryptsetup_reencrypt.c:1010
+#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
+#: src/utils_reencrypt_luks1.c:832
 msgid "Cannot seek to device offset."
 msgstr "Невозможно перемещаться по устройству."
 
-#: lib/utils_wipe.c:208
+#: lib/utils_wipe.c:247
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Ошибка затирания устройства, смещение %<PRIu64>."
@@ -768,9 +802,9 @@ msgstr "Размер ключа в режиме XTS должен быть 256 и
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Шифр должен указываться в формате [шифр]-[режим]-[iv]."
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125
-#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
+#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Невозможно записать на устройство %s, недостаточно прав."
@@ -783,23 +817,24 @@ msgstr "Не удалось открыть временное устройств
 msgid "Failed to access temporary keystore device."
 msgstr "Не удалось получить доступ к временному устройству keystore."
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
-#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
+#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192
 msgid "IO error while encrypting keyslot."
 msgstr "Ошибка ввода-вывода при шифровании слота ключа."
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677
-#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320
-#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349
-#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263
-#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279
-#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
+#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679
+#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
+#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
+#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
+#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
+#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
+#: src/utils_reencrypt_luks1.c:133
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Невозможно открыть устройство %s."
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
 msgid "IO error while decrypting keyslot."
 msgstr "Ошибка ввода-вывода при расшифровке слота ключа."
 
@@ -815,65 +850,54 @@ msgstr "Устройство %s слишком маленькое (для LUKS1
 msgid "LUKS keyslot %u is invalid."
 msgstr "Некорректный слот ключа LUKS %u."
 
-#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524
-#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557
-#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798
-#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030
-#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532
-#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423
-#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373
-#, c-format
-msgid "Device %s is not a valid LUKS device."
-msgstr "Устройство %s не является корректным устройством LUKS."
-
-#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124
+#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Запрошенный файл резервного заголовка %s уже существует."
 
-#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126
+#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Невозможно создать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133
+#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Невозможно записать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185
+#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Резервный файл не содержит корректный заголовок LUKS."
 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590
-#: lib/luks2/luks2_json_metadata.c:1206
+#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593
+#: lib/luks2/luks2_json_metadata.c:1420
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Невозможно открыть файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214
+#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Невозможно прочитать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:337
+#: lib/luks1/keymanage.c:339
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Смещение данных или размер ключа различаются на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:347
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Устройство %s %s%s"
 
-#: lib/luks1/keymanage.c:346
+#: lib/luks1/keymanage.c:348
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "не содержит заголовка LUKS. Замена заголовка может уничтожить данные на этом устройстве."
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:349
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "уже содержит заголовок LUKS. Замена заголовка уничтожит существующие слоты ключей."
 
-#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248
+#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -881,126 +905,130 @@ msgstr "" "\n" "ПРЕДУПРЕЖДЕНИЕ: заголовок устройства и резервная копия содержат разные UUID!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Нестандартный размер ключа, требуется исправление вручную." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Нестандартное выравнивание слотов ключей, требуется исправление вручную." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Исправлен режим шифра (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Хэш шифра приведён к нижнему регистру (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Запрошенный хэш LUKS %s не поддерживается." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Исправление слотов ключей." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Слот ключа %i: исправлено смещение (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Слот ключа %i: исправлены полосы (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Слот ключа %i: фиктивная подпись раздела." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Слот ключа %i: соль затёрта." 
-#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Запись заголовка LUKS на диск." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Ошибка при исправлении." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Некорректный режим шифра LUKS %s." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "Некорректный хэш LUKS %s." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "Известных неполадок в заголовке LUKS не обнаружено." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Ошибка при обновлении заголовка LUKS на устройстве %s." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Ошибка при повторном считывании заголовка LUKS после обновления на устройстве %s." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Смещение данных заголовка LUKS должно быть равно 0 или быть больше размера заголовка." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "Указан неправильный формат LUKS UUID." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." 
msgstr "Невозможно создать заголовок LUKS: ошибка при чтении случайной соли." -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Невозможно создать заголовок LUKS: ошибка подсчёта дайджеста заголовка (используйте хэш %s)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "Активен слот ключа %d, сначала нужна вычистка." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Данный слота ключа %d содержат несколько полос. Подделка заголовка?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Переполнение значения итерации PBKDF2." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Невозможно открыть слот ключа (используется хэш %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Некорректный слот ключа %d, значение слота ключа должно быть между 0 и %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Невозможно затереть устройство %s." 
@@ -1021,215 +1049,233 @@ msgstr "Обнаружен несовместимый файл ключа loop-A msgid "Kernel does not support loop-AES compatible mapping." msgstr "Ядро не поддерживает совместимое отображение loop-AES." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "Ошибка при чтении файла ключа %s." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Превышена максимальная длина парольной фразы TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Алгоритм хэширования PBKDF2 %s недоступен, пропускается." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "Требуемый интерфейс ядра crypto недоступен." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Убедитесь, что загружен ядерный модуль algif_skcipher." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Активация не поддерживается при размере сектора %d." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Ядро не поддерживает активацию для данного устаревшего режима TCRYPT." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Активируется система шифрования TCRYPT для раздела %s." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Ядро не поддерживает совместимое отображение TCRYPT." 
-#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "эта функция не поддерживается без загрузки заголовка TCRYPT." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "При анализе поддерживаемого главного ключа тома обнаружен неожиданный тип элемента метаданных «%u»." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "При анализе поддерживаемого главного ключа тома обнаружена некорректная строка." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "При анализе поддерживаемого главного ключа тома обнаружена неожиданная строка («%s»)." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "При анализе поддерживаемого главного ключа тома обнаружено неожиданное значение элемента метаданных «%u»." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Ошибка чтения подписи BITLK из %s." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Некорректная или неизвестная подпись устройства BITLK." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "BITLK версии 1 пока не поддерживается." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Некорректная или неизвестная подпись загрузчика устройства BITLK." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "Неподдерживаемый размер сектора %<PRIu16>." 
-#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Ошибка чтения заголовка BITLK из %s." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Ошибка чтения метаданных BITLK FVE из %s." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Неизвестный или неподдерживаемый тип шифрования." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Ошибка чтения элементов метаданных BITLK из %s." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "Ошибка преобразования описания тома BITLK" + +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "При анализе внешнего ключа обнаружен неожиданный тип элемента метаданных «%u»." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:905 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "GUID «%s» BEK-файла не совпадает с GUID тома." + +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "При анализе внешнего ключа обнаружено неожиданное значение элемента метаданных «%u»." -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Неподдерживаемая версия %<PRIu32> метаданных BEK" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Неожиданный размер %<PRIu32> метаданных BEK не совпадает с длиной файла BEK" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." 
msgstr "При анализе ключа запуска обнаружен неожиданный элемент метаданных." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "Эта операция не поддерживается." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "Неожиданный размер ключа данных." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Данное устройство BITLK находится в неподдерживаемом состоянии и не может быть включено." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Устройства BITLK с типом «%s» не могут быть включены." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Активация частично расширенного устройства BITLK не поддерживается." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1262 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "ПРЕДУПРЕЖДЕНИЕ: размер тома BitLocker %<PRIu64> не совпадает с размером нижележащего устройства %<PRIu64>" + +#: lib/bitlk/bitlk.c:1389 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK IV." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1393 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK Elephant diffuser." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1397 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка секторов большого размера." 
+ +#: lib/bitlk/bitlk.c:1401 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Невозможно активировать устройство, отсутствует модуль ядра dm-zero." + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "Невозможно прочитать %u байт из заголовка тома." + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "Неподдерживаемая версия FVAULT2 %<PRIu16>." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Устройство verity %s не использует заголовок на диске." -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Устройство %s не является корректным устройством VERITY." - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Неподдерживаемая версия VERITY %d." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "Повреждён заголовок VERITY." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "Указан неправильный формат VERITY UUID на устройстве %s." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Ошибка при обновлении заголовка verity на устройстве %s." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Проверка подписи корневого хэша не поддерживается." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Невозможно исправить ошибки с устройством FEC." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Найдено %u исправимых ошибок с устройством FEC." 
-#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "Ядро не поддерживает отображение dm-verity." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "Ядро не поддерживает параметр подписи dm-verity." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "После активации обнаружено повреждение устройства verity." 
@@ -1301,46 +1347,51 @@ msgstr "Не удалось исправить чётность для блок
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Не удалось записать чётность для блока RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:228
+#: lib/verity/verity_fec.c:208
 msgid "Block sizes must match for FEC."
 msgstr "Для FEC размеры блока должны совпадать."
 
-#: lib/verity/verity_fec.c:234
+#: lib/verity/verity_fec.c:214
 msgid "Invalid number of parity bytes."
 msgstr "Неверное количество байт чётности."
 
-#: lib/verity/verity_fec.c:239
+#: lib/verity/verity_fec.c:248
 msgid "Invalid FEC segment length."
 msgstr "Неправильная длина сегмента FEC."
 
-#: lib/verity/verity_fec.c:303
+#: lib/verity/verity_fec.c:316
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Не удалось определить размер устройства %s."
 
-#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "На %2$s обнаружены несовместимые с ядерным dm-integrity метаданные (версия %1$u)."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Ядро не поддерживает отображение dm-integrity."
 
-#: lib/integrity/integrity.c:278
+#: lib/integrity/integrity.c:283
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Ядро не поддерживает выравнивание фиксированных метаданных dm-integrity."
 
-#: lib/integrity/integrity.c:287
+#: lib/integrity/integrity.c:292
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Ядро не позволяет задействовать небезопасный параметр пересчёта (для отключения ищите параметры включения старого режима)."
 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973
-#: lib/luks2/luks2_json_metadata.c:1268
+#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
+#: lib/luks2/luks2_json_metadata.c:1482
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Не удалось захватить блокировку на запись на устройстве %s."
 
-#: lib/luks2/luks2_disk_metadata.c:402
+#: lib/luks2/luks2_disk_metadata.c:400
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Обнаружена попытка одновременного обновления метаданных LUKS2. Отмена операции."
 
-#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722
+#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1348,49 +1399,49 @@ msgstr ""
 "Устройство содержит двусмысленные подписи, невозможно провести автоматическое\n"
 "восстановление LUKS2. Для восстановления запустите «cryptsetup repair»."
 
-#: lib/luks2/luks2_json_format.c:230
+#: lib/luks2/luks2_json_format.c:229
 msgid "Requested data offset is too small."
 msgstr "Запрошенное смещение данных слишком мало."
 
-#: lib/luks2/luks2_json_format.c:275
+#: lib/luks2/luks2_json_format.c:274
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: очень маленькая область слотов ключа (%<PRIu64> байт), количество доступных слотов ключа LUKS2 очень ограничено.\n"
 
-#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098
-#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92
-#: lib/luks2/luks2_keyslot_luks2.c:114
+#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
+#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
+#: lib/luks2/luks2_keyslot_luks2.c:116
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Не удалось захватить блокировку устройства %s на чтение."
 
-#: lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks2/luks2_json_metadata.c:1405
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "В резервной копии %s обнаружены запрещённые требования LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1232
+#: lib/luks2/luks2_json_metadata.c:1446
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Смещение данных различается на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks2/luks2_json_metadata.c:1238
+#: lib/luks2/luks2_json_metadata.c:1452
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Двоичный заголовок с областями слота ключа различается на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1459
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Устройство %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1246
+#: lib/luks2/luks2_json_metadata.c:1460
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не содержит заголовка LUKS2. Замена заголовка может уничтожить данные на этом устройстве."
 
-#: lib/luks2/luks2_json_metadata.c:1247
+#: lib/luks2/luks2_json_metadata.c:1461
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "уже содержит заголовок LUKS2. Замена заголовка уничтожит существующие слоты ключей."
 
-#: lib/luks2/luks2_json_metadata.c:1249
+#: lib/luks2/luks2_json_metadata.c:1463
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1401,418 +1452,481 @@ msgstr ""
 "действующего устройства! Замена заголовка из резервной копии может повредить\n"
 "данные на этом устройстве!"
 
-#: lib/luks2/luks2_json_metadata.c:1251
+#: lib/luks2/luks2_json_metadata.c:1465
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
 "\n"
-"ПРЕДУПРЕЖДЕНИЕ: на устройстве обнаружено незаконченное внесистемное (offline)\n"
+"ПРЕДУПРЕЖДЕНИЕ: на устройстве обнаружено незаконченное отложенное (offline)\n"
 "перешифрование! Замена заголовка из резервной копии может повредить данные."
 
-#: lib/luks2/luks2_json_metadata.c:1349
+#: lib/luks2/luks2_json_metadata.c:1562
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Неизвестный флаг %s игнорируется."
 
-#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843
+#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Отсутствует ключ для сегмента dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857
+#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
 msgid "Failed to set dm-crypt segment."
 msgstr "Ошибка при задании сегмента dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863
+#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
 msgid "Failed to set dm-linear segment."
 msgstr "Ошибка при задании сегмента dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2199
+#: lib/luks2/luks2_json_metadata.c:2615
 msgid "Unsupported device integrity configuration."
 msgstr "Неподдерживаемые настройки целостности устройства."
 
-#: lib/luks2/luks2_json_metadata.c:2285
+#: lib/luks2/luks2_json_metadata.c:2701
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Выполняется перешифрование. Невозможно деактивировать устройство."
 
-#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300
+#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Не удалось заменить приостановленное устройство %s на цель dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2376
+#: lib/luks2/luks2_json_metadata.c:2792
 msgid "Failed to read LUKS2 requirements."
 msgstr "Ошибка при чтении требований LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2383
+#: lib/luks2/luks2_json_metadata.c:2799
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Обнаружены неудовлетворяемые требования LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2391
+#: lib/luks2/luks2_json_metadata.c:2807
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Операция не совместима с устройством, отмеченным для устаревшего перешифрования. Прерываемся."
 
-#: lib/luks2/luks2_json_metadata.c:2393
+#: lib/luks2/luks2_json_metadata.c:2809
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Операция не совместима с устройством, отмеченным для перешифрования LUKS2. Прерываемся."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
 msgid "Not enough available memory to open a keyslot."
 msgstr "Недостаточно памяти для открытия слота ключа."
 
-#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
 msgid "Keyslot open failed."
 msgstr "Ошибка открытия слота ключа."
 
-#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Невозможно использовать шифр %s-%s для шифрования слота ключа."
 
-#: lib/luks2/luks2_keyslot_luks2.c:485
+#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
+#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "Алгоритм хэширования %s недоступен."
+
+#: lib/luks2/luks2_keyslot_luks2.c:510
 msgid "No space for new keyslot."
 msgstr "Нет места для нового слота ключа."
 
-#: lib/luks2/luks2_luks1_convert.c:482
+#: lib/luks2/luks2_keyslot_reenc.c:593
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "Запрошена некорректная смена режима устойчивости перешифрования."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Невозможно обновить тип устойчивости. Новый тип предоставляет только %<PRIu64> байт, требуемое место: %<PRIu64> байт."
+
+#: lib/luks2/luks2_keyslot_reenc.c:724
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Ошибка при обновлении сверки дайджеста перешифрования."
+
+#: lib/luks2/luks2_luks1_convert.c:512
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Невозможно определить состояние устройства с uuid: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:508
+#: lib/luks2/luks2_luks1_convert.c:538
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Невозможно преобразовать заголовок с дополнительными метаданными LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:548
+#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "Невозможно использовать шаблон шифра %s-%s для LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:584
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Невозможно переместить область слота ключа. Недостаточно места."
 
-#: lib/luks2/luks2_luks1_convert.c:599
+#: lib/luks2/luks2_luks1_convert.c:619
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Невозможно преобразовать в формат LUKS2 — некорректные метаданные."
+
+#: lib/luks2/luks2_luks1_convert.c:636
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Невозможно переместить область слота ключа. Слишком маленькие слоты ключа LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889
+#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
 msgid "Unable to move keyslot area."
 msgstr "Невозможно переместить область слота ключа."
 
-#: lib/luks2/luks2_luks1_convert.c:697
+#: lib/luks2/luks2_luks1_convert.c:732
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Невозможно преобразовать в формат LUKS1 — размер сектора шифрования сегмента по умолчанию не равно 512 байтам."
 
-#: lib/luks2/luks2_luks1_convert.c:705
+#: lib/luks2/luks2_luks1_convert.c:740
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Невозможно преобразовать в формат LUKS1 — дайджесты слота ключа несовместимы с LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:717
+#: lib/luks2/luks2_luks1_convert.c:752
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Невозможно преобразовать в формат LUKS1 — устройство использует шифр %s с обёрточным ключом."
 
-#: lib/luks2/luks2_luks1_convert.c:725
+#: lib/luks2/luks2_luks1_convert.c:757
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Невозможно преобразовать в формат LUKS1 — устройство использует несколько сегментов."
+
+#: lib/luks2/luks2_luks1_convert.c:765
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Невозможно преобразовать в формат LUKS1 — заголовок LUKS2 содержит %u токенов."
 
-#: lib/luks2/luks2_luks1_convert.c:739
+#: lib/luks2/luks2_luks1_convert.c:779
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот ключа %u находится в некорректном состоянии."
 
-#: lib/luks2/luks2_luks1_convert.c:744
+#: lib/luks2/luks2_luks1_convert.c:784
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот %u (больше максимального количества слотов) всё ещё активен."
 
-#: lib/luks2/luks2_luks1_convert.c:749
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот ключа %u несовместим с LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:993
+#: lib/luks2/luks2_reencrypt.c:1152
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Размер hotzone должен быть кратен вычисленному выравниванию зоны (%zu байт)."
 
-#: lib/luks2/luks2_reencrypt.c:998
+#: lib/luks2/luks2_reencrypt.c:1157
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Размер устройства должен быть кратен вычисленному выравниванию зоны (%zu байт)."
 
-#: lib/luks2/luks2_reencrypt.c:1042
-#, c-format
-msgid "Unsupported resilience mode %s"
-msgstr "Неподдерживаемый режим устойчивости %s."
-
-#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414
-#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531
-#: lib/luks2/luks2_reencrypt.c:3140
+#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
+#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
+#: lib/luks2/luks2_reencrypt.c:3877
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Ошибка при инициализации старой сегментной обёртки хранилища."
 
-#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392
+#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Ошибка при инициализации новой сегментной обёртки хранилища."
 
-#: lib/luks2/luks2_reencrypt.c:1441
+#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+msgid "Failed to initialize hotzone protection."
+msgstr "Ошибка при инициализации защиты hotzone."
+
+#: lib/luks2/luks2_reencrypt.c:1578
 msgid "Failed to read checksums for current hotzone."
 msgstr "Ошибка чтения контрольных сумм текущей hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148
+#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Не удалось прочитать область hotzone начиная с %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1467
+#: lib/luks2/luks2_reencrypt.c:1604
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Не удалось расшифровать сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1473
+#: lib/luks2/luks2_reencrypt.c:1610
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Не удалось восстановить сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1956
+#: lib/luks2/luks2_reencrypt.c:2174
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Размеры устройств источника и назначения не совпадают. Источник %<PRIu64>, назначение: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:2272
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Ошибка при активации устройства hotzone %s."
 
-#: lib/luks2/luks2_reencrypt.c:2071
+#: lib/luks2/luks2_reencrypt.c:2289
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Ошибка при активации оверлейного устройства %s с действительной исходной таблицей."
 
-#: lib/luks2/luks2_reencrypt.c:2078
+#: lib/luks2/luks2_reencrypt.c:2296
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Ошибка при загрузке нового отображения устройства %s."
 
-#: lib/luks2/luks2_reencrypt.c:2149
+#: lib/luks2/luks2_reencrypt.c:2367
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Ошибка при обновлении стека устройств перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2309
+#: lib/luks2/luks2_reencrypt.c:2550
 msgid "Failed to set new keyslots area size."
 msgstr "Ошибка при задании нового размера области слотов ключей."
 
-#: lib/luks2/luks2_reencrypt.c:2413
+#: lib/luks2/luks2_reencrypt.c:2686
 #, c-format
-msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Сдвиг данные не выровнен к запрошенному размеру сектора шифрования (%<PRIu32> байт)."
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Значение сдвига данных не выровнено к размеру сектора шифрования (%<PRIu32> байт)."
 
-#: lib/luks2/luks2_reencrypt.c:2434
+#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
 #, c-format
-msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)."
-msgstr "Устройство данных не выровнено к запрошенному размеру сектора шифрования (%<PRIu32> байт)."
+msgid "Unsupported resilience mode %s"
+msgstr "Неподдерживаемый режим устойчивости %s."
 
-#: lib/luks2/luks2_reencrypt.c:2455
+#: lib/luks2/luks2_reencrypt.c:2760
+msgid "Moved segment size can not be greater than data shift value."
+msgstr "Размер перемещаемого сегмента не может быть больше значения сдвига данных."
+
+#: lib/luks2/luks2_reencrypt.c:2802
+msgid "Invalid reencryption resilience parameters."
+msgstr "Некорректные параметры устойчивости перешифрования."
+
+#: lib/luks2/luks2_reencrypt.c:2824
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr "Слишком большой перемещаемый сегмент. Запрошенный размер %<PRIu64>, доступно место: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2911
+msgid "Failed to clear table."
+msgstr "Ошибка очистки таблицы."
+
+#: lib/luks2/luks2_reencrypt.c:2997
+msgid "Reduced data size is larger than real device size."
+msgstr "Размер сокращённых данных больше размера устройства."
+
+#: lib/luks2/luks2_reencrypt.c:3004
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Устройство данных не выровнено к размеру сектора шифрования (%<PRIu32> байт)."
+
+#: lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Сдвиг данных (%<PRIu64> секторов) меньше чем будущее смещение данных (%<PRIu64> секторов)."
 
-#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889
-#: lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
+#: lib/luks2/luks2_reencrypt.c:3554
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Ошибка при открытии %s в монопольном режиме (уже отображено или примонтировано)."
 
-#: lib/luks2/luks2_reencrypt.c:2629
+#: lib/luks2/luks2_reencrypt.c:3234
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Устройство не отмечено для перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415
+#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Ошибка при загрузке контекста перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2715
+#: lib/luks2/luks2_reencrypt.c:3331
 msgid "Failed to get reencryption state."
 msgstr "Ошибка при получении состояния перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2719
+#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
 msgid "Device is not in reencryption."
 msgstr "Устройство не перешифровывается."
 
-#: lib/luks2/luks2_reencrypt.c:2726
+#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
 msgid "Reencryption process is already running."
 msgstr "Процесс перешифрования уже запущен."
 
-#: lib/luks2/luks2_reencrypt.c:2728
+#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
 msgid "Failed to acquire reencryption lock."
 msgstr "Ошибка при захвате блокировки перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2746
+#: lib/luks2/luks2_reencrypt.c:3362
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Невозможно продолжить с перешифрованием. Сначала запустите восстановление перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2860
+#: lib/luks2/luks2_reencrypt.c:3497
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Активный размер устройства и запрошенный размер перешифрования не совпадают."
 
-#: lib/luks2/luks2_reencrypt.c:2874
+#: lib/luks2/luks2_reencrypt.c:3511
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "В параметрах перешифрования запрошен некорректный размер устройства."
 
-#: lib/luks2/luks2_reencrypt.c:2944
+#: lib/luks2/luks2_reencrypt.c:3588
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Выполняется перешифрование. Восстановление выполнить невозможно."
 
-#: lib/luks2/luks2_reencrypt.c:3016
+#: lib/luks2/luks2_reencrypt.c:3757
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Перешифрование LUKS2 уже инициализировано в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:3023
+#: lib/luks2/luks2_reencrypt.c:3764
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Не удалось инициализировать перешифрование LUKS2 в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:3114
+#: lib/luks2/luks2_reencrypt.c:3859
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Ошибка при назначении сегментов устройства для следующей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3156
+#: lib/luks2/luks2_reencrypt.c:3911
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Ошибка при записи метаданных устойчивости перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3918
 msgid "Decryption failed."
 msgstr "Не удалось расшифровать."
 
-#: lib/luks2/luks2_reencrypt.c:3168
+#: lib/luks2/luks2_reencrypt.c:3923
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Не удалось записать область hotzone начиная с %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3173
+#: lib/luks2/luks2_reencrypt.c:3928
 msgid "Failed to sync data."
 msgstr "Ошибка синхронизации данных."
 
-#: lib/luks2/luks2_reencrypt.c:3181
+#: lib/luks2/luks2_reencrypt.c:3936
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Ошибка при обновлении метаданных после завершения текущей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3248
+#: lib/luks2/luks2_reencrypt.c:4025
 msgid "Failed to write LUKS2 metadata."
 msgstr "Ошибка при записи метаданных LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3271
-msgid "Failed to wipe backup segment data."
-msgstr "Ошибка при затирании резервной копии сегмента данных."
+#: lib/luks2/luks2_reencrypt.c:4048
+msgid "Failed to wipe unused data device area."
+msgstr "Ошибка при затирании неиспользуемой области данных устройства."
 
-#: lib/luks2/luks2_reencrypt.c:3284
-msgid "Failed to disable reencryption requirement flag."
-msgstr "Не удалось выключить флаг требования перешифрования."
+#: lib/luks2/luks2_reencrypt.c:4054
+#, c-format
+msgid "Failed to remove unused (unbound) keyslot %d."
+msgstr "Ошибка при удалении неиспользуемого (непривязанного) слота ключа %d."
 
-#: lib/luks2/luks2_reencrypt.c:3292
+#: lib/luks2/luks2_reencrypt.c:4064
+msgid "Failed to remove reencryption keyslot."
+msgstr "Ошибка при удалении слота ключа перешифрования."
+
+#: lib/luks2/luks2_reencrypt.c:4074
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Критическая ошибка при перешифровании куска начиная с %<PRIu64>, длиной в %<PRIu64> секторов."
 
-#: lib/luks2/luks2_reencrypt.c:3296
+#: lib/luks2/luks2_reencrypt.c:4078
 msgid "Online reencryption failed."
 msgstr "Оперативное перешифрование завершилось ошибкой."
 
-#: lib/luks2/luks2_reencrypt.c:3301
+#: lib/luks2/luks2_reencrypt.c:4083
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Устройство не возобновит работу пока не будет заменено вручную с целью error."
 
-#: lib/luks2/luks2_reencrypt.c:3353
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Невозможно продолжить с перешифрованием. Неожиданное состояние перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3359
+#: lib/luks2/luks2_reencrypt.c:4143
 msgid "Missing or invalid reencrypt context."
 msgstr "Контекст перешифрования отсутствует или неверен."
 
-#: lib/luks2/luks2_reencrypt.c:3366
+#: lib/luks2/luks2_reencrypt.c:4150
 msgid "Failed to initialize reencryption device stack."
 msgstr "Ошибка при инициализации стека устройства перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428
+#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
 msgid "Failed to update reencryption context."
 msgstr "Ошибка при обновлении контекста перешифрования."
 
-#: src/cryptsetup.c:108
-msgid "Can't do passphrase verification on non-tty inputs."
-msgstr "Невозможно проверить парольную фразу не с входных tty."
+#: lib/luks2/luks2_reencrypt_digest.c:405
+msgid "Reencryption metadata is invalid."
+msgstr "Некорректные метаданные перешифрования."
 
-#: src/cryptsetup.c:171
+#: src/cryptsetup.c:85
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Параметры шифрования слота ключа могут задаваться только для устройства LUKS2."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:108 src/cryptsetup.c:1901
 #, c-format
-msgid "Enter token PIN:"
-msgstr "Введите PIN токена:"
+msgid "Enter token PIN: "
+msgstr "Введите PIN токена: "
 
-#: src/cryptsetup.c:200
+#: src/cryptsetup.c:110 src/cryptsetup.c:1903
 #, c-format
-msgid "Enter token %d PIN:"
-msgstr "Введите %d PIN токена:"
+msgid "Enter token %d PIN: "
+msgstr "Введите %d PIN токена: "
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401
-#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700
-#: src/cryptsetup_reencrypt.c:770
+#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
+#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517
+#: src/utils_reencrypt_luks1.c:580
 msgid "No known cipher specification pattern detected."
 msgstr "Обнаружено указание неизвестного шаблона шифра."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:167
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --hash игнорируется в режиме plain с указанным файлом ключа.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:175
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --keyfile-size игнорируется, размер для чтения приравнивается размеру ключа шифрования.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:215
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Обнаружены подпись(и) устройства на %s. Продолжение работы может повредить существующие данные."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253
-#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099
-#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176
+#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
+#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
+#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
+#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749
 msgid "Operation aborted.\n"
 msgstr "Операция прервана.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:294
 msgid "Option --key-file is required."
 msgstr "Параметр --key-file является обязательным."
 
-#: src/cryptsetup.c:426
+#: src/cryptsetup.c:345
 msgid "Enter VeraCrypt PIM: "
 msgstr "Введите VeraCrypt PIM: "
 
-#: src/cryptsetup.c:435
+#: src/cryptsetup.c:354
 msgid "Invalid PIM value: parse error."
 msgstr "Недопустимое значение PIM: ошибка при разборе."
 
-#: src/cryptsetup.c:438
+#: src/cryptsetup.c:357
 msgid "Invalid PIM value: 0."
 msgstr "Недопустимое значение PIM: 0."
 
-#: src/cryptsetup.c:441
+#: src/cryptsetup.c:360
 msgid "Invalid PIM value: outside of range."
 msgstr "Недопустимое значение PIM: вышло за границы диапазона."
 
-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:383
 msgid "No device header detected with this passphrase."
 msgstr "С этой парольной фразой заголовка устройства не обнаружено."
 
-#: src/cryptsetup.c:537
+#: src/cryptsetup.c:456 src/cryptsetup.c:632
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Устройство %s не является корректным устройством BITLK."
 
-#: src/cryptsetup.c:545
+#: src/cryptsetup.c:464
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Невозможно определить размер ключа тома BITLK, укажите параметр --key-size."
 
-#: src/cryptsetup.c:588
+#: src/cryptsetup.c:506
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1822,7 +1936,7 @@ msgstr ""
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп следует всегда хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:661 src/cryptsetup.c:2125
+#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1832,90 +1946,116 @@ msgstr ""
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп нужно хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313
+#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr "Устройство %s не является корректным устройством FVAULT2."
+
+#: src/cryptsetup.c:747
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr "Невозможно определить размер ключа тома FVAULT2, укажите параметр --key-size."
+
+#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Устройство %s всё ещё активно и запланировано к отложенному удалению.\n"
 
-#: src/cryptsetup.c:790
+#: src/cryptsetup.c:835
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Для изменения размера активного устройства требуется ключ тома в связке ключей, но указан параметр --disable-keyring."
 
-#: src/cryptsetup.c:936
+#: src/cryptsetup.c:982
 msgid "Benchmark interrupted."
 msgstr "Оценка производительности прервана."
 
-#: src/cryptsetup.c:957
+#: src/cryptsetup.c:1003
 #, c-format
 msgid "PBKDF2-%-9s N/A\n"
 msgstr "PBKDF2-%-9s Н/Д\n"
 
-#: src/cryptsetup.c:959
+#: src/cryptsetup.c:1005
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u итераций в секунду для %zu-битного ключа\n"
 
-#: src/cryptsetup.c:973
+#: src/cryptsetup.c:1019
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s Н/Д\n"
 
-#: src/cryptsetup.c:975
+#: src/cryptsetup.c:1021
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u итераций, %5u памяти, %1u параллельных нитей (ЦП) для %zu-битного ключа (запрашивался %u мс)\n"
 
-#: src/cryptsetup.c:999
+#: src/cryptsetup.c:1045
 msgid "Result of benchmark is not reliable."
 msgstr "Результат оценки производительности ненадёжен."
 
-#: src/cryptsetup.c:1049
+#: src/cryptsetup.c:1095
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Тесты, использующие практически только память (без ввода-вывода на хранилище).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1115
 #, c-format
 msgid "#%*s Algorithm | Key | Encryption | Decryption\n"
 msgstr "#%*s Алгоритм | Ключ | Шифрование | Расшифровка\n"
 
-#: src/cryptsetup.c:1073
+#: src/cryptsetup.c:1119
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Шифр %s (%i-битный ключ) недоступен."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1092
+#: src/cryptsetup.c:1138
 msgid "# Algorithm | Key | Encryption | Decryption\n"
 msgstr ""
 "# Algorithm | Key | Encryption | Decryption\n"
 "# Алгоритм | Ключ | Шифрование | Расшифровка\n"
 
-#: src/cryptsetup.c:1103
+#: src/cryptsetup.c:1149
 msgid "N/A"
 msgstr "Н/Д"
 
-#: src/cryptsetup.c:1190
+#: src/cryptsetup.c:1174
 msgid ""
-"Seems device does not require reencryption recovery.\n"
-"Do you want to proceed anyway?"
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
+"and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr ""
-"Кажется, что устройству не требуется восстановление перешифрования.\n"
-"Продолжить?"
+"Обнаружены незащищённые метаданные перешифрования LUKS2. Убедитесь,\n"
+"что операция перешифрования желательна (смотрите вывод luksDump) и продолжайте\n"
+"(обновление метаданных) только, если это действительно ваше решение."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1180
+msgid "Enter passphrase to protect and upgrade reencryption metadata: "
+msgstr "Введите пароль защиты и обновления метаданных перешифрования: "
+
+#: src/cryptsetup.c:1224
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Действительно продолжить восстановление перешифрования LUKS2?"
 
-#: src/cryptsetup.c:1204
-msgid "Enter passphrase for reencryption recovery: "
-msgstr "Введите пароль для восстановления перешифрования: "
+#: src/cryptsetup.c:1233
+msgid "Enter passphrase to verify reencryption metadata digest: "
+msgstr "Введите пароль проверки дайджеста перешифрования метаданных: "
 
-#: src/cryptsetup.c:1252
+#: src/cryptsetup.c:1235
+msgid "Enter passphrase for reencryption recovery: "
+msgstr "Введите пароль восстановления перешифрования: "
+
+#: src/cryptsetup.c:1290
 msgid "Really try to repair LUKS device header?"
 msgstr "Действительно попробовать восстановить заголовок устройства LUKS?"
 
-#: src/cryptsetup.c:1277 src/integritysetup.c:90
+#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+"\n"
+"Затирание прервано."
+
+#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1923,113 +2063,128 @@ msgstr "" "Затирается устройство для инициализации целостности контрольной суммы.\n" "Вы можете прервать процесс нажав CTRL+c (остаток незатёртого устройства будет содержать некорректную контрольную сумму).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Невозможно деактивировать временное устройство %s." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "Параметр целостности можно использовать только в формате LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Неподдерживаемый размер параметров метаданных LUKS2." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Файл заголовка не существует, создать?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Невозможно создать файл заголовка %s." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Обнаружено указание неизвестного шаблона целостности." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Невозможно использовать %s в качестве заголовка для диска." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." 
msgstr "Данные на %s будут перезаписаны без возможности восстановления." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Ошибка при задании параметров pbkdf." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Сокращение смещения данных допускается только для отсоединённого заголовка LUKS." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "Файл контейнера LUKS %s слишком мал для активации, не хватает места для данных." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Невозможно определить размер ключа тома LUKS без слотов ключа, укажите параметр --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Устройство активировано, но нельзя сделать флаги постоянными." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Для удаления выбран слот ключа %d." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Это последний слот ключа. Устройство станет неработоспособным после вычистки этого ключа." 
-#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Введите любую оставшуюся парольную фразу: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Операция прервана, слот ключа НЕ затёрт.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Введите удаляемую парольную фразу: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Устройство %s не является корректным устройством LUKS2." + +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Введите новую парольную фразу для слота ключа: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "ПРЕДУПРЕЖДЕНИЕ: для нового номера слота ключа используется параметр --key-slot.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Введите любую существующую парольную фразу: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Введите изменяемую парольную фразу: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Введите новую парольную фразу: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "Введите парольную фразу для преобразуемого слота ключа: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." 
msgstr "Только одно устройство можно указать для операции isLuks." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Слот ключа %d не содержит непривязанного ключа." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." 
@@ -2038,40 +2193,40 @@ msgstr "" "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n" "Этот дамп нужно хранить зашифрованным в надёжном месте." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "%s не является именем активного устройства %s." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s не является именем активного устройства LUKS или отсутствует заголовок." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "Параметр --header-backup-file является обязательным." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s не является управляемым устройством cryptsetup." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Обновление не поддерживается для устройств типа %s" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Нераспознанный тип метаданных устройства %s." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "Для команды требуется задать устройство и имя отображения." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2080,335 +2235,351 @@ msgstr "" "Эта операция сотрёт все слоты ключей на устройстве %s.\n" "Устройство станет неработоспособным после этой операции." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Операция прервана, слоты ключа НЕ затёрты.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Некорректный тип LUKS, поддерживаются только luks1 и luks2." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Устройство уже имеет тип %s." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Данная операция преобразует формат %s в %s.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Операция прервана, устройство НЕ преобразовано.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "Отсутствует параметр --priority, --label или --subsystem." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Некорректный токен %d." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Используется токен %d." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Ошибка при добавлении токена luks2-keyring %d." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Ошибка при назначении токена %d слоту ключа %d." 
-#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "Токен %d не используется." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Ошибка при импорте токена из файла." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Ошибка при получении токена %d для экспорта." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Автоматически обнаруженное активное устройство dm «%s» для устройства данных %s.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "Токен %d не назначен слоту ключа %d." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "Устройство %s не является блочным.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Ошибка при отмене назначения токена %d слоту ключа %d." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Не удалось автоматически обнаружить держателей устройства %s." +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Параметр --tcrypt-hidden, --tcrypt-system или --tcrypt-backup поддерживается только для устройства TCRYPT." 
-#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Невозможно понять, активно устройство %s или нет.\n" -"Вы действительно хотите продолжить перешифрование в отложенном режиме?\n" -"Это может привести к потере данных, если устройство всё же активно.\n" -"Для запуска перешифрования в оперативном режиме укажите параметр --active-name.\n" +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Параметр --veracrypt или --disable-veracrypt поддерживается только для устройств с типом TCRYPT." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Шифрование поддерживается только для формата LUKS2." +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Параметр --veracrypt-pim поддерживается только для устройств, совместимых с VeraCrypt." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Шифрование без отсоединённого заголовка (--header) невозможно без сокращения размера устройства данных (--reduce-device-size)." +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Параметр --veracrypt-query-pim поддерживается только для устройств, совместимых с VeraCrypt." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." -msgstr "Запрошенное смещение данных должно быть меньше или равно половине значения параметра --reduce-device-size." 
+#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Параметры --veracrypt-pim и --veracrypt-query-pim взаимно исключают друг друга." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Подгоняется значение --reduce-device-size под двукратный размер --offset %<PRIu64> (секторов).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "На %s обнаружено устройство LUKS. Хотите снова зашифровать это устройство LUKS?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Временный файл заголовка %s уже существует. Прекращение работы." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Невозможно создать временный файл заголовка %s." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "Размер метаданных LUKS2 больше значения сдвига данных." +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Параметр --persistent не допускается одновременно указывать с --test-passphrase." #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Не удалось поместить новый заголовок в начало устройства %s." +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Параметры --refresh и --test-passphrase взаимно исключают друг друга." -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s теперь активен и готов для оперативного шифрования.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." 
+msgstr "Параметр --shared допускается только для открытия устройства plain." -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "Расшифровка LUKS2 поддерживается только для устройства с отсоединённым заголовком (смещение данных равно 0)." +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Параметр --skip поддерживается только для открытия устройств plain и loopaes." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Для шифрования недостаточно свободных слотов ключей." +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Параметр --offset с действием open поддерживается только для устройств plain и loopaes." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Файл ключа можно использовать только с --key-slot или только при одном активном слоте." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Параметр --tcrypt-hidden нельзя указывать вместе с --allow-discards." -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Введите парольную фразу для слота ключа %d: " +#: src/cryptsetup.c:3023 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "Параметр размера сектора с действием open поддерживается только для устройств plain." 
-#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Введите парольную фразу для слота ключа %u: " +#: src/cryptsetup.c:3027 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Параметр больших секторов IV поддерживается только для открытия устройств типа plain с размером сектора более 512 байт." -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Переходим на алгоритм шифрования данных %s.\n" +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "Параметр --test-passphrase допускается только для открытия устройств LUKS, TCRYPT, BITLK и FVAULT2." -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Для команды требуется в аргументе указать устройство." +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." +msgstr "Параметры --device-size и --size не допускается указывать вместе." -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "В настоящий момент поддерживается только формат LUKS2. Для LUKS1 используйте программу cryptsetup-reencrypt." +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Параметр --unbound допускается только для открытия устройства luks." -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Уже выполняется устаревшее внесистемное (offline) перешифрование. Используйте программу cryptsetup-reencrypt." +#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "Параметр --unbound не допускается одновременно указывать с --test-passphrase." 
-#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Перешифрование устройства с профилем целостности не поддерживается." +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Параметры --cancel-deferred и --deferred не могут быть использованы одновременно." -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "Перешифрование LUKS2 уже инициализировано. Прекращение работы." +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Параметры ---reduce-device-size и --data-size не допускается указывать вместе." -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "Устройство LUKS2 не перешифровывается." +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Параметр --active-name может задаваться только для устройства LUKS2." -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Параметры --active-name и --force-offline-reencrypt не допускается указывать вместе." + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "Требуется указать слот ключа." + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Параметры --align-payload и --offset не допускается указывать вместе." + +#: src/cryptsetup.c:3091 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "Параметр --integrity-no-wipe можно использовать только для действия format с расширением целостности." + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." 
+msgstr "Разрешено использовать только один параметр --use-[u]random." + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "С параметром --unbound требуется задать размер ключа." + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "Некорректный токен действия." + +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "Для добавления токена требуется параметр --key-description." + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Для действия требуется указать токен. Используйте параметр --token-id." + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "Параметр --unbound можно использовать только при добавлении." + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Параметры --key-slot и --unbound не допускается указывать вместе." + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "Для действия требуется указать слот ключа. Используйте параметр --key-slot." 
+ +#: src/cryptsetup.c:3156 msgid "<device> [--type <type>] [<name>]" msgstr "<устройство> [--type <тип>] [<имя>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as <name>" msgstr "открыть устройство как <имя>" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<имя>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "закрыть устройство (удалить отображение)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "изменить размер активного устройства" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3159 msgid "show device status" msgstr "показать состояние устройства" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "[--cipher <cipher>]" msgstr "[--cipher <шифр>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "оценка производительности шифра" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: 
src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "<device>" msgstr "<устройство>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "попытаться исправить метаданные на диске" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "перешифровать устройство LUKS2" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "стереть все слоты ключей (удалить ключ шифрования)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "преобразовать LUKS из/в формат LUKS2" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "задать постоянные параметры настройки LUKS2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid "<device> [<new key file>]" msgstr "<устройство> [<новый файл ключа>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "форматировать устройство LUKS" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "добавить ключ к устройству LUKS" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid "<device> [<key file>]" msgstr "<устройство> [<файл ключа>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "удалить заданный ключ или файл ключа с устройства LUKS" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "изменить заданный ключ или файл ключа устройства LUKS" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "преобразовать ключ в 
новые параметры pbkdf" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "<device> <key slot>" msgstr "<устройство> <слот ключа>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "wipes key with number <key slot> from LUKS device" msgstr "затереть ключ с номером <слот ключа> с устройства LUKS" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "напечатать UUID устройства LUKS" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3173 msgid "tests <device> for LUKS partition header" msgstr "проверить <устройство> на наличие заголовка раздела LUKS" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "выгрузить в дамп информацию о разделе LUKS" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "выгрузить в дамп информацию об устройстве TCRYPT" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "выгрузить в дамп информацию об устройстве BITLK" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "выгрузить в дамп информацию об устройстве FVAULT2" + +#: src/cryptsetup.c:3178 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Приостановить устройство LUKS и затереть ключ (заморозка операций ввода-вывода)" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "Возобновить работу приостановленного устройства LUKS" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "Сделать резервную копию заголовка и слотов ключей устройства LUKS" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "Восстановить заголовок и слоты ключей устройства LUKS" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "<add|remove|import|export> <device>" msgstr "<add|remove|import|export> 
<устройство>" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "Управление токенами LUKS2" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" @@ -2416,19 +2587,19 @@ msgstr "" "\n" "<действие> может быть:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old <action> syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "Также можно использовать псевдонимы старого синтаксиса <действия>:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2443,7 +2614,7 @@ msgstr "" "<слот ключа> - номер слота ключа LUKS для изменения\n" "<файл ключа> - необязательный файл ключа для нового ключа для действия luksAddKey\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" @@ -2452,7 +2623,7 @@ msgstr "" "\n" "Встроенным форматом по умолчанию для метаданных является %s (для действия luksFormat).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" 
@@ -2461,20 +2632,20 @@ msgstr "" "\n" "Модуль поддержки внешнего токена LUKS2 %s.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "скомпилирован" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Путь к модулю поддержки внешнего токена LUKS2: %s.\n" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "выключен" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2491,7 +2662,7 @@ msgstr "" "PBKDF по умолчанию для LUKS2: %s\n" "\tВремя итерации: %d, Требуемая память: %dКБ, Кол-во параллельных нитей: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" 
@@ -2506,206 +2677,96 @@ msgstr "" "\tplain: %s, Ключ: %d бит, хэширование пароля: %s\n" "\tLUKS: %s, Ключ: %d бит, хэширование заголовка LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3250 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Размер ключа по умолчанию в режиме XTS (два внутренних ключа) будет удвоен.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: требуется %s в качестве аргументов" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Некорректный слот ключа." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "Размер устройства должен быть кратен 512 байтовому сектору." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "Неправильный максимальный размер перешифрования hotzone." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "Размер ключа должен быть кратен 8-ми битам" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "Максимальный размер сокращения устройства равен 1 ГиБ." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Размер сокращения должен быть кратен 512 байтовому сектору." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Значением параметра --priority может быть только ignore/normal/prefer." 
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "Показать это сообщение" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Показать краткие инструкции" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "Показать версию пакета" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "Параметры справки:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[ПАРАМЕТР…] <действие> <данные для действия>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Не задан параметр <действие>." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "Неизвестное действие." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Параметры --refresh и --test-passphrase взаимно исключают друг друга." - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." 
-msgstr "Параметры --cancel-deferred и --deferred не могут быть использованы одновременно." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Параметр --shared допускается только для открытия устройства plain." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Параметр --persistent не допускается одновременно указывать с --test-passphrase." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Параметр --integrity-no-wipe можно использовать только для действия format с расширением целостности." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Параметр --test-passphrase допускается только для открытия устройств LUKS, TCRYPT и BITLK." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Параметр --key-file имеет приоритет над указанным значением файла ключа." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "Разрешено указывать только один параметр --key-file." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Разрешено использовать только один параметр --use-[u]random." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Параметры --align-payload и --offset не допускается указывать вместе." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "Параметр --skip поддерживается только для открытия устройств plain и loopaes." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." 
-msgstr "Параметр --offset с действием open поддерживается только для устройств plain и loopaes." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Параметр --tcrypt-hidden, --tcrypt-system или --tcrypt-backup поддерживается только для устройства TCRYPT." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Параметр --tcrypt-hidden нельзя указывать вместе с --allow-discards." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Параметр --veracrypt или --disable-veracrypt поддерживается только для устройств с типом TCRYPT." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Параметр --veracrypt-pim поддерживается только для устройств, совместимых с VeraCrypt." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Параметр --veracrypt-query-pim поддерживается только для устройств, совместимых с VeraCrypt." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Параметры --veracrypt-pim и --veracrypt-query-pim взаимно исключают друг друга." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Требуется указать слот ключа." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3557 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Производной функцией на основе пароля для ключа (PBKDF) может быть только pbkdf2 или argon2i/argon2id." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." 
msgstr "Принудительные итерации PBKDF нельзя объединять вместе с параметром времени итерации." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Параметр размера сектора с действием open поддерживается только для устройств plain." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Параметр больших секторов IV поддерживается только для открытия устройств типа plain с размером сектора более 512 байт." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "С параметром --unbound требуется задать размер ключа." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "Для расшифровки LUKS2 требуется параметр --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Параметры ---reduce-device-size и --data-size не допускается указывать вместе." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Параметры --device-size и --size не допускается указывать вместе." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Параметры --keyslot-cipher и --keyslot-key-size нельзя использовать вместе." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Без выполнения. Вызвано с параметром --test-args.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "Некорректный токен действия." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "Для добавления токена требуется параметр --key-description." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." 
-msgstr "Для действия требуется указать токен. Используйте параметр --token-id." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "Невозможно выключить блокировку метаданных." 
@@ -2733,67 +2794,72 @@ msgstr "Невозможно создать файл корневого хэша msgid "Cannot write to root hash file %s." msgstr "Невозможно записать файл корневого хэша %s." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "Устройство %s не является корректным устройством VERITY." + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "Невозможно прочитать файл корневого хэша %s." -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "Некорректный файл корневого хэша %s." -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "Указана недопустимая строка корневого хэша." -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "Неверный файл подписи %s." -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "Невозможно прочитать файл подписи %s." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "Для параметра <корневой_хэш> или --root-hash-file требуется указать команду." 
-#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid "<data_device> <hash_device>" msgstr "<устройство_данных> <устройство_хэша>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "отформатировать устройство" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<устройство_данных> <устройство_хэша> [<корневой_хэш>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "проверить устройство" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<устройство_данных> <имя> <устройство_хэша> [<корневой_хэш>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "показать состояние активного устройства" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "<hash_device>" msgstr "<устройство_хэша>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "показать информацию на диске" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2808,7 +2874,7 @@ msgstr "" "<устройство_хэша> — устройство, содержащее проверочные данные\n" "<корневой_хэш> — хэш корневого узла на <устройстве_хэша>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" 
@@ -2819,28 +2885,47 @@ msgstr "" "Встроенные параметры dm-verity по умолчанию:\n" "\tХэш: %s, Блок данных (байт): %u, Блок хэша (байт): %u, Размер соли: %u, Формат хэша: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:658 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Параметры --ignore-corruption и --restart-on-corruption нельзя использовать вместе." -#: src/veritysetup.c:651 +#: src/veritysetup.c:663 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Параметры ---panic-on-corruption и --restart-on-corruption нельзя использовать вместе." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Будут перезаписаны данные на %s и %s необратимо.\n" +"Чтобы сохранить данные на устройстве укажите параметр --no-wipe\n" +"(и он включит --integrity-recalculate)." + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Отформатирован с размером тега %u, внутренняя целостность %s.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "Задание флага пересчёта не поддерживается, вместо этого используйте параметр --wipe." + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "Устройство %s не является корректным устройством INTEGRITY." 
+ +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<устройство_целостности>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<устройство_целостности> <имя>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2851,7 +2936,7 @@ msgstr "" "<имя> — устройство, создаваемое на %s\n" "<устройство_целостности> — устройство, содержащее данные с тегами целостности\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2864,241 +2949,44 @@ msgstr "" "\tАлгоритм контрольной суммы: %s\n" "\tМаксимальный размер файла ключа: %dКБ\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Неверный размер --%s. Максимальное значение (в байтах) равно %u." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Должны быть указаны параметры файла ключа и размер ключа одновременно." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Должны быть указаны параметры файла ключа целостности и размер ключа одновременно." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Если используется ключ целостности журнала, то должен быть указан алгоритм целостности журнала." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Должны быть указаны параметры файла ключа шифрования и размер ключа одновременно." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Если используется ключ шифрования журнала, то должен быть указан алгоритм шифрования журнала." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Параметры восстановления и режима битовой карты взаимно исключают друг друга." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "Параметры журнала нельзя использовать в режиме битовой карты." -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." 
msgstr "Параметр битовой карты можно использовать только в режиме битовой карты." -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Уже выполняется перешифрование." - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "Невозможно монопольно открыть устройство %s, оно уже используется." - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "Не удалось выделить выровненную память." - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "Невозможно прочитать с устройства %s." - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "Отметка устройства LUKS1 %s бесполезна." - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "Установка внесистемного (offline) флага перешифрования LUKS2 на устройстве %s." - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "Невозможно записать на устройство %s." - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "Невозможно записать в файл протокола перешифрования." - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "Невозможно прочитать файл протокола перешифрования." - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Неверный формат журнала." - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "Файл протокола %s существует, подразумевается перешифрование.\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "Активируется временное устройство, задействуется старый заголовок LUKS." - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." 
-msgstr "Активируется временное устройство, задействуется новый заголовок LUKS." - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "Ошибка при активации временного устройства." - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "Не удалось задать смещение данных." - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "Не удалось задать размер метаданных." - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "Создан новый заголовок LUKS для устройства %s." - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Эта версия cryptsetup-reencrypt не работает с новым типом внутреннего токена %s." - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "Ошибка чтения флагов активации из резервной копии заголовка." - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "Ошибка записи флагов активации в новый заголовок." - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "Ошибка чтения требований из резервной копии заголовка." - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "Создана резервная копия заголовка %s для устройства %s." - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "Ошибка при создании резервных копий заголовка LUKS." - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "Невозможно восстановить заголовок %s устройства %s." - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "Заголовок %s устройства %s восстановлен." 
- -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "Невозможно открыть временное устройство LUKS." - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "Невозможно получить размер устройства." - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "Ошибка ввода-вывода при перешифровании." - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "Указан некорректный UUID." - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "Невозможно открыть файл протокола перешифрования." - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "Расшифровка не выполняется, указанный UUID можно использовать только для возобновления приостановленного процесса расшифровки." - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "Изменённые параметры pbkdf в слоте ключа %i." - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Значение размера блока перешифрования должно быть в диапазоне от 1 МиБ до 64 МиБ." - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "Максимальный размер сокращения устройства равен 64 МиБ." - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[ПАРАМЕТР…] <устройство>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "Перешифрование изменит: %s%s%s%s%s%s." 
- -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "ключ тома" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "установить хэш равным" - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", установить шифр равным" - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Требуется аргумент." - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "Параметр --new должен использоваться вместе с --reduce-device-size или --header." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "Параметр --keep-key можно использовать только с --hash, --iter-time или --pbkdf-force-iterations." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "Параметр --new нельзя использовать вместе с --decrypt." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "Параметр --decrypt несовместим с указанными параметрами." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "Параметр --uuid можно использовать только вместе с --decrypt." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Некорректный тип luks. Возможные значения: «luks», «luks1» или «luks2»." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3109,7 +2997,7 @@ msgstr "" "========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3120,148 +3008,174 @@ msgstr "" "\n" "Вы уверены? (введите «yes» заглавными буквами): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Ошибка чтения ответа с терминала." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Команда выполнена успешно." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "некорректные или отсутствующие параметры" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "нет прав или некорректная парольная фраза" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "недостаточно памяти" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "указано некорректное устройство или файл" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "устройство уже существует или занято" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "неизвестная ошибка" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "Сбой команды, код %i (%s)." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Создан слот ключа %i." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Слот ключа %i разблокирован." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Слот ключа %i удалён." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Создан токен %i." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Токен %i удалён." -#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." 
msgstr "С этим PIN невозможно разблокировать токен." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Для токена %i требуется PIN." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Для токена (тип %s) требуется PIN." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Токен %i невозможно разблокировать назначенным слотом ключа (некорректная парольная фраза для слота ключа)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Токен (тип %s) невозможно разблокировать назначенным слотом ключа (некорректная парольная фраза для слота ключа)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Для токена %i дополнительно требуется отсутствующий ресурс." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Для токена (тип %s) дополнительно требуется отсутствующий ресурс." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Не найдено подходящего токена (тип %s)." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Не найдено подходящего токена." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Затирание прервано." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Перешифрование прервано." - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "Невозможно прочитать файл ключа %s." 
-#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Невозможно прочитать %d байт из файл ключа %s." -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Невозможно открыть файл ключа %s для записи." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Невозможно записать в файл ключа %s." -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>м%02<PRIu64>с" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>ч%02<PRIu64>м%02<PRIu64>с" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> дней" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> %s записано" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "скорость %5.1f %s/с" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Ход выполнения: %5.1f%%, ОВЗ %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Выполнено, время %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Невозможно проверить стойкость пароля: %s" 
@@ -3275,59 +3189,63 @@ msgstr "" "Ошибка при проверке стойкости пароля:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Ошибка при проверке стойкости пароля: некорректная парольная фраза (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "Ошибка чтения парольной фразы с терминала." -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "Парольная фраза повторно: " -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "Парольные фразы не совпадают." -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "Невозможно использовать смещение при вводе с терминала." -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "Введите парольную фразу: " -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "Введите парольную фразу для %s: " -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "Ключ недоступен с этой парольной фразой." -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "Не найдено подходящего слота ключа." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Невозможно проверить парольную фразу не с входных tty." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Ошибка при открытии файла %s в режиме только для чтения." 
-#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Укажите корректный токен LUKS2 в формате JSON:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "Ошибка чтения файла JSON." -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3335,12 +3253,12 @@ msgstr "" "\n" "Чтение прервано." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Ошибка при открытии файла %s в режиме записи." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3348,54 +3266,424 @@ msgstr "" "\n" "Запись прервана." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Ошибка записи в файл JSON." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Автоматически обнаруженное активное устройство dm «%s» для устройства данных %s.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Не удалось автоматически обнаружить держателей устройства %s." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Устройство %s не является блочным.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Невозможно понять, активно устройство %s или нет.\n" +"Вы действительно хотите продолжить перешифрование в отложенном режиме?\n" +"Это может привести к потере данных, если устройство всё же активно.\n" +"Для запуска перешифрования в оперативном режиме укажите параметр --active-name.\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Устройство %s не является блочным. Невозможно автоматически определить активно\n" +"оно или нет. Используйте --force-offline-reencrypt чтобы пропустить проверку и\n" +"запустить отложенный режим (опасно!)." 
+ +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Запрошенный параметр --resilience не может быть применён к текущей операции перешифрования." + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Устройство зашифровывается не в LUKS2. Конфликт с параметром --encrypt." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Устройство расшифровывается не в LUKS2. Конфликт с параметром --dencrypt." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Устройство перешифровывается с использованием устойчивости datashift. Запрошенный параметр --resilience не может быть применён." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Устройству требуется восстановление перешифрования. Сначала запустите ремонт." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Устройство %s уже в режиме перешифрования LUKS2. Хотите продолжить предыдущую операцию инициализации?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Устаревшее перешифрование LUKS2 больше не поддерживается." + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Перешифрование устройства с профилем целостности не поддерживается." + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." 
+msgstr "" +"Запрошенный --sector-size %<PRIu32> несовместим с суперблоком %s\n" +"(размер блока: %<PRIu32> байт), который обнаружен на устройстве %s." + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Шифрование без отсоединённого заголовка (--header) невозможно без сокращения размера устройства данных (--reduce-device-size)." + +#: src/utils_reencrypt.c:525 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Запрошенное смещение данных должно быть меньше или равно половине значения параметра --reduce-device-size." + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Подгоняется значение --reduce-device-size под двукратный размер --offset %<PRIu64> (секторов).\n" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Временный файл заголовка %s уже существует. Прекращение работы." + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Невозможно создать временный файл заголовка %s." + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "Размер метаданных LUKS2 больше значения сдвига данных." + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Не удалось поместить новый заголовок в начало устройства %s." + +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s теперь активен и готов для оперативного шифрования.\n" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Активное устройство %s не является LUKS2." 
+ +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "Восстановление первоначального заголовка LUKS2." + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "Не удалось восстановить первоначальный заголовок LUKS2." + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Файл заголовка %s не существует. Инициализировать расшифровку LUKS2 с устройства %s и экспортировать заголовок LUKS2 в файл %s?" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Не удалось добавить/записать права в экспортируемый файл заголовка." + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Ошибка при инициализации перешифрования. Резервный заголовок доступен в %s." + +#: src/utils_reencrypt.c:873 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "Расшифровка LUKS2 поддерживается только для устройства с отсоединённым заголовком (смещение данных равно 0)." + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "Для шифрования недостаточно свободных слотов ключей." + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "Файл ключа можно использовать только с --key-slot или только при одном активном слоте." 
+ +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Введите парольную фразу для слота ключа %d: " + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Введите парольную фразу для слота ключа %u: " + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Переходим на алгоритм шифрования данных %s.\n" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Параметры сегмента данные не изменились. Перешифрование прервано." + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Увеличение размера сектора шифрования на выключенном устройстве не поддерживается.\n" +"Сначала включите устройство или используйте параметр --force-offline-reencrypt (опасно!)." + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Перешифрование прервано." + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Продолжение перешифрования LUKS в принудительном отложенном режиме.\n" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Устройство %s содержит повреждённые метаданные LUKS. Прерывание операции." + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "Устройство %s уже является устройством LUKS. Прерывание операции." + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." 
+msgstr "Устройство %s уже находится в режиме перешифрования LUKS. Прерывание операции." + +#: src/utils_reencrypt.c:1453 +msgid "LUKS2 decryption requires --header option." +msgstr "Для расшифровки LUKS2 требуется параметр --header." + +#: src/utils_reencrypt.c:1501 +msgid "Command requires device as argument." +msgstr "Для команды требуется в аргументе указать устройство." + +#: src/utils_reencrypt.c:1514 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Конфликтующие версии. Устройство %s использует LUKS1." + +#: src/utils_reencrypt.c:1520 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Конфликтующие версии. Устройство %s в режиме перешифрования LUKS1." + +#: src/utils_reencrypt.c:1526 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Конфликтующие версии. Устройство %s использует LUKS2." + +#: src/utils_reencrypt.c:1532 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Конфликтующие версии. Устройство %s в режиме перешифрования LUKS2." + +#: src/utils_reencrypt.c:1538 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "Перешифрование LUKS2 уже инициализировано. Прекращение работы." + +#: src/utils_reencrypt.c:1545 +msgid "Device reencryption not in progress." +msgstr "Перешифрование устройства в данный момент не выполняется." + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Невозможно монопольно открыть устройство %s, оно уже используется." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "Не удалось выделить выровненную память." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Невозможно прочитать с устройства %s." + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." 
+msgstr "Отметка устройства LUKS1 %s бесполезна." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Невозможно записать на устройство %s." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Невозможно записать в файл протокола перешифрования." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Невозможно прочитать файл протокола перешифрования." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Неверный формат журнала." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Файл протокола %s существует, подразумевается перешифрование.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Активируется временное устройство, задействуется старый заголовок LUKS." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Активируется временное устройство, задействуется новый заголовок LUKS." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Ошибка при активации временного устройства." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Не удалось задать смещение данных." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Не удалось задать размер метаданных." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Создан новый заголовок LUKS для устройства %s." + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Создана резервная копия заголовка %s для устройства %s." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Ошибка при создании резервных копий заголовка LUKS." 
+ +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Невозможно восстановить заголовок %s устройства %s." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Заголовок %s устройства %s восстановлен." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Невозможно открыть временное устройство LUKS." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Невозможно получить размер устройства." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "Ошибка ввода-вывода при перешифровании." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Указан некорректный UUID." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "Невозможно открыть файл протокола перешифрования." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Расшифровка не выполняется, указанный UUID можно использовать только для возобновления приостановленного процесса расшифровки." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "Перешифрование изменит: %s%s%s%s%s%s." 
+ +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "ключ тома" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "установить хэш равным" + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", установить шифр равным" + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: Устройство %s уже содержит подпись раздела «%s».\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "ПРЕДУПРЕЖДЕНИЕ: Устройство %s уже содержит подпись суперблока «%s».\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Ошибка при инициализации определения подписей устройства." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Ошибка выполнения stat для устройства %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Устройство %s уже используется. Невозможно продолжить выполнение операции форматирования." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Ошибка при открытии файла %s в режиме чтения-записи." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Существующая подпись раздела «%s» на устройстве %s будет затёрта." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Существующая подпись суперблока «%s» на устройстве %s будет затёрта." 
-#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Ошибка при затирании подписи устройства." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Ошибка при определении подписи устройства %s." @@ -3405,16 +3693,16 @@ msgstr "Ошибка при определении подписи устройс msgid "Invalid size specification in parameter --%s." msgstr "Неправильный формат размера в параметре --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Параметр --%s не допускается одновременно указывать с действием %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Ошибка записи ssh-токена json." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3435,110 +3723,110 @@ msgstr "" "Замечание: при добавлении токена предоставляемая информация (адрес сервера\n" "SSH, пользователь и пути) будет сохранена в заголовке LUKS2 в открытом виде." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<действие> <устройство>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Параметры для действия «add»:" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "IP-адрес/URL удалённого сервера для этого токена" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Имя пользователя, используемого на удалённом сервере" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Путь к файлу ключа на удалённом сервере" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Путь к ключу SSH для подключения к удалённому серверу" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Слот ключа, назначаемого токену. Если не указан, то токен будет назначен в первый слот ключа, который соответствует парольной фразе." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Общие параметры:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Показывать подробные сообщения об ошибках" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Показывать отладочные сообщения" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Показывать отладочные сообщения включая метаданные JSON" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Ошибка при открытии и импорте закрытого ключа:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Ошибка при импорте закрытого ключа (защищён паролем?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "Пароль к %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Не удалось разобрать аргументы.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Должно быть указано действие\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Для действия «%s» должно быть указано устройство.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Для действия «%s» должен быть указан сервер SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Для действия «%s» должен быть указан пользователь сервера SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Для действия «%s» должен быть указан путь на сервере SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Для действия «%s» должен быть указан путь к ключу сервера SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Не удалось открыть %s с помощью предоставленных идентификационных данных.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "В настоящее время этот модуль поддерживает только действие «add».\n" -#: 
tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "Не удалось создать сеанс sftp: " @@ -3546,6 +3834,10 @@ msgstr "Не удалось создать сеанс sftp: " msgid "Cannot init sftp session: " msgstr "Не удалось инициализировать сеанс sftp: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Не удалось открыть сеанс sftp: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Не удалось выполнить функцию stat для файла по sftp: " 
@@ -3574,6 +3866,96 @@ msgstr "Способ аутентификации по открытому клю msgid "Public key authentication error: " msgstr "Ошибка при аутентификации по открытому ключу: " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "ПРЕДУПРЕЖДЕНИЕ: смещение данных находится за пределами доступного в данный момент устройства данных.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Невозможно получить приоритет процесса." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Невозможно разблокировать память." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Будет создан блокирующий каталог %s/%s с правами по умолчанию, заданными при сборке программы." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Ошибка чтения подписи BITLK из %s." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Некорректная или неизвестная подпись устройства BITLK." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Ошибка при затирании резервной копии сегмента данных." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Не удалось выключить флаг требования перешифрования." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Шифрование поддерживается только для формата LUKS2." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "На %s обнаружено устройство LUKS. Хотите снова зашифровать это устройство LUKS?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "В настоящий момент поддерживается только формат LUKS2. Для LUKS1 используйте программу cryptsetup-reencrypt." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Уже выполняется устаревшее внесистемное (offline) перешифрование. Используйте программу cryptsetup-reencrypt." 
+ +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "Устройство LUKS2 не перешифровывается." + +#~ msgid "Reencryption already in-progress." +#~ msgstr "Уже выполняется перешифрование." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Установка внесистемного (offline) флага перешифрования LUKS2 на устройстве %s." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Эта версия cryptsetup-reencrypt не работает с новым типом внутреннего токена %s." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Ошибка чтения флагов активации из резервной копии заголовка." + +#~ msgid "Failed to read requirements from backup header." +#~ msgstr "Ошибка чтения требований из резервной копии заголовка." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Изменённые параметры pbkdf в слоте ключа %i." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Значение размера блока перешифрования должно быть в диапазоне от 1 МиБ до 64 МиБ." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Максимальный размер сокращения устройства равен 64 МиБ." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[ПАРАМЕТР…] <устройство>" + +#~ msgid "Argument required." +#~ msgstr "Требуется аргумент." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Параметр --new должен использоваться вместе с --reduce-device-size или --header." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Параметр --keep-key можно использовать только с --hash, --iter-time или --pbkdf-force-iterations." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Параметр --new нельзя использовать вместе с --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." 
+#~ msgstr "Параметр --decrypt несовместим с указанными параметрами." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Параметр --uuid можно использовать только вместе с --decrypt." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Некорректный тип luks. Возможные значения: «luks», «luks1» или «luks2»." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Устройство %s уже используется. Невозможно продолжить выполнение операции форматирования." + #~ msgid "No free token slot." #~ msgstr "Нет свободного слота под токен." @@ -3899,9 +4281,6 @@ msgstr "Ошибка при аутентификации по открытому #~ msgid "Sector size option is not supported for this command." #~ msgstr "Параметр размера сектора не поддерживается этой командой." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "Параметр --unbound можно использовать только в действиях luksAddKey и luksDump." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "Параметр --refresh можно использовать только при действии open." @@ -4082,9 +4461,6 @@ msgstr "Ошибка при аутентификации по открытому #~ msgid "Read new volume (master) key from file" #~ msgstr "Прочитать новый (главный) ключ тома из файла" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Время итерации PBKDF2 для LUKS (мс)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Использовать direct-io для доступа к устройствам" @@ -4124,9 +4500,6 @@ msgstr "Ошибка при аутентификации по открытому #~ msgid "Parameter --refresh is only allowed with open or refresh commands." #~ msgstr "Параметр --refresh допускается только с командами open и refresh." -#~ msgid "Cipher %s is not available." -#~ msgstr "Шифр %s недоступен." - #~ msgid "Unsupported encryption sector size.\n" #~ msgstr "Неподдерживаемый размер сектора шифрования.\n" 
@@ -4136,9 +4509,6 @@ msgstr "Ошибка при аутентификации по открытому #~ msgid "Online reencryption in progress. Aborting." #~ msgstr "Ведётся оперативное (online) перешифрование. Прерываемся." -#~ msgid "No LUKS2 reencryption in progress." -#~ msgstr "Перешифрование LUKS2 в данный момент не выполняется." - #~ msgid "Interrupted by a signal." #~ msgstr "Прервано сигналом." @@ -4202,9 +4572,6 @@ msgstr "Ошибка при аутентификации по открытому #~ msgid "Error: Calculated reencryption offset %<PRIu64> is beyond device size %<PRIu64>." #~ msgstr "Ошибка: вычисленное смещение перешифрования %<PRIu64> находится за границей размера устройства %<PRIu64>." -#~ msgid "Device is not in clean reencryption state." -#~ msgstr "Устройство не в начальном (clean) состояния перешифрования." - #~ msgid "Failed to calculate new segments." #~ msgstr "Ошибка при вычислении новых сегментов." diff --git a/po/sr.po b/po/sr.po index a238034..5ca41d8 100644 --- a/po/sr.po +++ b/po/sr.po @@ -1,13 +1,14 @@ # Serbian translation for cryptsetup. # Copyright © 2014 Free Software Foundation, Inc. # This file is distributed under the same license as the cryptsetup package. -# Мирослав Николић <miroslavnikolic@rocketmail.com>, 2014–2021. +# Мирослав Николић <miroslavnikolic@rocketmail.com>, 2014–2022. +# msgid "" msgstr "" -"Project-Id-Version: cryptsetup-2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-12-11 19:03+0200\n" +"Project-Id-Version: cryptsetup-2.5.0-rc1\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2022-07-14 14:04+0200\n" +"PO-Revision-Date: 2022-09-08 05:02+0200\n" "Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n" "Language-Team: Serbian <(nothing)>\n" "Language: sr\n" 
@@ -17,67 +18,67 @@ msgstr "" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:417 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Не могу да покренем мапера уређаја, радим као обичан корисник." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:420 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Не могу да покренем мапера уређаја. Да ли је учитан модул кернела „dm_mod“?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1171 msgid "Requested deferred flag is not supported." msgstr "Затражена одложена заставица није подржана." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1240 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "ДМ-УЈИБ за уређај „%s“ је скраћен." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1570 msgid "Unknown dm target type." msgstr "Непозната врста „dm“ мете." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1694 lib/libdevmapper.c:1699 lib/libdevmapper.c:1763 +#: lib/libdevmapper.c:1766 msgid "Requested dm-crypt performance options are not supported." msgstr "Затражене опције перформанси дм-шифровања нису подржане." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1706 lib/libdevmapper.c:1710 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Затражене опције рада оштећених података дм-веритија нису подржане." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1714 msgid "Requested dm-verity FEC options are not supported." msgstr "Затражене „dm-verity FEC“ опције нису подржане." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1718 msgid "Requested data integrity options are not supported." 
msgstr "Затражене опције целовитости података нису подржане." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1720 msgid "Requested sector_size option is not supported." msgstr "Затражене опције величине одељка нису подржане." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1729 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Затражене опције самосталног прерачунавања ознака целовитости нису подржане." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1733 lib/libdevmapper.c:1769 lib/libdevmapper.c:1772 +#: lib/luks2/luks2_json_metadata.c:2552 msgid "Discard/TRIM is not supported." msgstr "Одбацивање/ОДСЕЦАЊЕ није подржано." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1737 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Затражени режим битмапе дм-целовитости није подржан." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2763 #, c-format msgid "Failed to query dm-%s segment." msgstr "Нисам успео да пропитам „dm-%s“ подеок." -#: lib/random.c:75 +#: lib/random.c:74 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -85,24 +86,24 @@ msgstr "" "Систем је ван ентропије приликом стварања кључа волумена.\n" "Померите миша или откуцајте неки текст у другом прозору да прикупите неке насумичне догађаје.\n" -#: lib/random.c:79 +#: lib/random.c:78 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Стварам кључ (%d %% је урађено).\n" -#: lib/random.c:165 +#: lib/random.c:164 msgid "Running in FIPS mode." msgstr "Ради у „FIPS“ режиму." -#: lib/random.c:171 +#: lib/random.c:170 msgid "Fatal error during RNG initialisation." msgstr "Кобна грешка за време покретања „RNG“-а." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Затражен је непознат квалитет „RNG“-а." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Грешка читања из „RNG“-а." @@ -114,7 +115,7 @@ msgstr "Не могу да покренем „RNG“ позадинца кри msgid "Cannot initialize crypto backend." msgstr "Не могу да покренем позадинца криптографије." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:263 lib/setup.c:2080 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Хеш алгоритам „%s“ није подржан." @@ -128,7 +129,7 @@ msgstr "Грешка обраде кључа (користим хеш %s)." msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Не могу да одредим врсту уређаја. Несагласно покретање уређаја?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:338 lib/setup.c:3221 msgid "This operation is supported only for LUKS device." msgstr "Ова радња је подржана само за ЛУКС уређај." @@ -136,7 +137,7 @@ msgstr "Ова радња је подржана само за ЛУКС уређ msgid "This operation is supported only for LUKS2 device." msgstr "Ова радња је подржана само за ЛУКС2 уређај." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2985 msgid "All key slots full." msgstr "Сви утори кључева су пуни." 
@@ -150,7 +151,7 @@ msgstr "Утор кључа %d није исправан, изаберите и msgid "Key slot %d is full, please select another one." msgstr "Утор кључа %d је пун, изаберите неки други." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:522 lib/setup.c:2946 msgid "Device size is not aligned to device logical block size." msgstr "Величина уређаја није поравната на величину логичког блока уређаја." @@ -159,7 +160,8 @@ msgstr "Величина уређаја није поравната на вел msgid "Header detected but device %s is too small." msgstr "Заглавље је откривено али уређај „%s“ је премали." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:661 lib/setup.c:2851 lib/setup.c:4335 +#: lib/luks2/luks2_reencrypt.c:3757 lib/luks2/luks2_reencrypt.c:4159 msgid "This operation is not supported for this device type." msgstr "Ова радња није подржана за ову врсту уређаја." 
@@ -167,396 +169,418 @@ msgstr "Ова радња није подржана за ову врсту ур msgid "Illegal operation with reencryption in-progress." msgstr "Неисправна радња са поновним шифровањем је у току." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:833 lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 +#: lib/luks2/luks2_json_metadata.c:1267 src/cryptsetup.c:1449 +#: src/cryptsetup.c:1581 src/cryptsetup.c:1636 src/cryptsetup.c:1756 +#: src/cryptsetup.c:1861 src/cryptsetup.c:2142 src/cryptsetup.c:2380 +#: src/cryptsetup.c:2440 src/utils_reencrypt.c:1378 +#: src/utils_reencrypt_luks1.c:1188 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Уређај „%s“ није исправан ЛУКС уређај." + +#: lib/setup.c:836 lib/luks1/keymanage.c:527 #, c-format msgid "Unsupported LUKS version %d." msgstr "Неподржано ЛУКС издање %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1431 lib/setup.c:2602 lib/setup.c:2682 lib/setup.c:2694 +#: lib/setup.c:2859 lib/setup.c:4807 #, c-format msgid "Device %s is not active." msgstr "Уређај „%s“ није радан." -#: lib/setup.c:1447 +#: lib/setup.c:1448 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Основни уређај за криптографски уређај „%s“ је нестао." -#: lib/setup.c:1527 +#: lib/setup.c:1528 msgid "Invalid plain crypt parameters." msgstr "Неисправни параметри обичне криптографије." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1533 lib/setup.c:1983 msgid "Invalid key size." msgstr "Неисправна величина кључа." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1538 lib/setup.c:1988 lib/setup.c:2191 msgid "UUID is not supported for this crypt type." msgstr "УЈИБ није подржан за ову врсту криптографије." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1543 lib/setup.c:1993 msgid "Detached metadata device is not supported for this crypt type." 
msgstr "Откачени уређај метаподатака није подржан за ову врсту криптографије." -#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1553 lib/setup.c:1765 lib/luks2/luks2_reencrypt.c:2941 +#: src/cryptsetup.c:1250 src/cryptsetup.c:3072 msgid "Unsupported encryption sector size." msgstr "Неподржана величина одељка шифровања." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1561 lib/setup.c:1896 lib/setup.c:2940 msgid "Device size is not aligned to requested sector size." msgstr "Величина уређаја није поравната на затражену величину одељка." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1613 lib/setup.c:1733 msgid "Can't format LUKS without device." msgstr "Не могу да обликујем ЛУКС без уређаја." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1619 lib/setup.c:1739 msgid "Requested data alignment is not compatible with data offset." msgstr "Затражено поравнање података није сагласно са померајем података." -#: lib/setup.c:1686 lib/setup.c:1882 +#: lib/setup.c:1687 lib/setup.c:1883 msgid "WARNING: Data offset is outside of currently available data device.\n" msgstr "УПОЗОРЕЊЕ: Померај података је ван тренутно доступног уређаја података.\n" -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1697 lib/setup.c:1913 lib/setup.c:1934 lib/setup.c:2203 #, c-format msgid "Cannot wipe header on device %s." msgstr "Не могу да обришем заглавље на уређају „%s“." -#: lib/setup.c:1763 +#: lib/setup.c:1774 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "УПОЗОРЕЊЕ: Покретање уређаја неће успети, „dm-crypt“-у недостаје подршка за затражену величину одељка шифровања.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1797 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Кључ волумена је премали за шифровање са проширењима целовитости." 
-#: lib/setup.c:1856 +#: lib/setup.c:1857 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Шифрер %s-%s (величина кључа %zd бита) није доступан." -#: lib/setup.c:1885 +#: lib/setup.c:1886 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "УПОЗОРЕЊЕ: Величина ЛУКС2 метаподатака је промењена на %<PRIu64> бајта.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1890 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "УПОЗОРЕЊЕ: Величина области ЛУКС2 утора кључева је промењена на %<PRIu64> бајта.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1916 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3009 lib/luks2/luks2_reencrypt.c:4254 #, c-format msgid "Device %s is too small." msgstr "Уређај „%s“ је премали." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1927 lib/setup.c:1953 #, c-format msgid "Cannot format device %s in use." msgstr "Не могу да обликујем уређај „%s“ у употреби." -#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1930 lib/setup.c:1956 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Не могу да обликујем уређај „%s“, овлашћење је одбијено." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:1942 lib/setup.c:2263 #, c-format msgid "Cannot format integrity for device %s." msgstr "Не могу да обликујем целовитост за уређај „%s“." -#: lib/setup.c:1959 +#: lib/setup.c:1960 #, c-format msgid "Cannot format device %s." msgstr "Не могу да обликујем уређај „%s“." -#: lib/setup.c:1977 +#: lib/setup.c:1978 msgid "Can't format LOOPAES without device." msgstr "Не могу да обликујем „LOOPAES“ без уређаја." -#: lib/setup.c:2022 +#: lib/setup.c:2023 msgid "Can't format VERITY without device." msgstr "Не могу да обликујем „VERITY“ без уређаја." 
-#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2034 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Неподржана врста „VERITY“ хеша %d." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2040 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Неподржана величина блока „VERITY“." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2045 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Неподржан померај хеша „VERITY“." -#: lib/setup.c:2049 +#: lib/setup.c:2050 msgid "Unsupported VERITY FEC offset." msgstr "Неподржан „VERITY FEC“ померај." -#: lib/setup.c:2073 +#: lib/setup.c:2074 msgid "Data area overlaps with hash area." msgstr "Област података се преклапа са облашћу хеша." -#: lib/setup.c:2098 +#: lib/setup.c:2099 msgid "Hash area overlaps with FEC area." msgstr "Област хеша се преклапа са „FEC“ облашћу." -#: lib/setup.c:2105 +#: lib/setup.c:2106 msgid "Data area overlaps with FEC area." msgstr "Област података се преклапа са „FEC“ облашћу." -#: lib/setup.c:2241 +#: lib/setup.c:2242 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "УПОЗОРЕЊЕ: Затражена величина ознаке %d бајта се разликује од излаза величине „%s“ (%d бајта).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2321 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Затражена је непозната врста „%s“ криптографског уређаја." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2608 lib/setup.c:2687 lib/setup.c:2700 #, c-format msgid "Unsupported parameters on device %s." msgstr "Неподржани параметри на уређају „%s“." 
-#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2614 lib/setup.c:2707 lib/luks2/luks2_reencrypt.c:2837 +#: lib/luks2/luks2_reencrypt.c:3074 lib/luks2/luks2_reencrypt.c:3459 #, c-format msgid "Mismatching parameters on device %s." msgstr "Неодговарајући параметри на уређају „%s“." -#: lib/setup.c:2728 +#: lib/setup.c:2731 msgid "Crypt devices mismatch." msgstr "Криптографски уређаји се не поклапају." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2768 lib/setup.c:2773 lib/luks2/luks2_reencrypt.c:2315 +#: lib/luks2/luks2_reencrypt.c:2853 lib/luks2/luks2_reencrypt.c:4007 #, c-format msgid "Failed to reload device %s." msgstr "Нисам успео поново да учитам уређај „%s“." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2779 lib/setup.c:2785 lib/luks2/luks2_reencrypt.c:2286 +#: lib/luks2/luks2_reencrypt.c:2293 lib/luks2/luks2_reencrypt.c:2867 #, c-format msgid "Failed to suspend device %s." msgstr "Нисам успео да обуставим уређај „%s“." -#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2791 lib/luks2/luks2_reencrypt.c:2300 +#: lib/luks2/luks2_reencrypt.c:2888 lib/luks2/luks2_reencrypt.c:3920 +#: lib/luks2/luks2_reencrypt.c:4011 #, c-format msgid "Failed to resume device %s." msgstr "Нисам успео да наставим са уређајем „%s“." -#: lib/setup.c:2803 +#: lib/setup.c:2806 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Кобна грешка приликом поновног учитавања уређаја „%s“ (на врху уређаја „%s“)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2809 lib/setup.c:2811 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Нисам успео да променим уређај „%s“ на дм-грешку." 
-#: lib/setup.c:2885 +#: lib/setup.c:2891 msgid "Cannot resize loop device." msgstr "Не могу да променим величину уређаја петље." -#: lib/setup.c:2958 +#: lib/setup.c:2931 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "" +"УПОЗОРЕЊЕ: Највећа величина је већ постављена или кернел не подржава промену величине.\n" +"\n" + +#: lib/setup.c:2989 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Промена величине није успела, кернел је не подржава." + +#: lib/setup.c:3021 msgid "Do you really want to change UUID of device?" msgstr "Да ли стварно желите да измените УЈИБ уређаја?" -#: lib/setup.c:3034 +#: lib/setup.c:3113 msgid "Header backup file does not contain compatible LUKS header." msgstr "Датотека резерве заглавља не садржи сагласно ЛУКС заглавље." -#: lib/setup.c:3150 +#: lib/setup.c:3229 #, c-format msgid "Volume %s is not active." msgstr "Волумен „%s“ није радан." -#: lib/setup.c:3161 +#: lib/setup.c:3240 #, c-format msgid "Volume %s is already suspended." msgstr "Волумен „%s“ је већ обустављен." -#: lib/setup.c:3174 +#: lib/setup.c:3253 #, c-format msgid "Suspend is not supported for device %s." msgstr "Обустављање није подржано за уређај „%s“." -#: lib/setup.c:3176 +#: lib/setup.c:3255 #, c-format msgid "Error during suspending device %s." msgstr "Грешка за време обустављања уређаја „%s“." -#: lib/setup.c:3212 +#: lib/setup.c:3290 #, c-format msgid "Resume is not supported for device %s." msgstr "Настављање није подржано за уређај „%s“." -#: lib/setup.c:3214 +#: lib/setup.c:3292 #, c-format msgid "Error during resuming device %s." msgstr "Грешка за време настављања уређаја „%s“." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3326 lib/setup.c:3374 lib/setup.c:3444 lib/setup.c:3489 +#: src/cryptsetup.c:2207 #, c-format msgid "Volume %s is not suspended." msgstr "Волумен „%s“ није обустављен." 
-#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3459 lib/setup.c:3862 lib/setup.c:4584 lib/setup.c:4597 +#: lib/setup.c:4605 lib/setup.c:4618 lib/setup.c:6142 src/cryptsetup.c:1790 msgid "Volume key does not match the volume." msgstr "Кључ волумена не одговара волумену." -#: lib/setup.c:3428 lib/setup.c:3633 +#: lib/setup.c:3540 lib/setup.c:3745 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Не могу да додам утор кључа, сви утори су искључени а није обезбеђен ниједан кључ волумена." -#: lib/setup.c:3585 +#: lib/setup.c:3697 msgid "Failed to swap new key slot." msgstr "Нисам успео да разменим нови утор кључа." -#: lib/setup.c:3771 +#: lib/setup.c:3883 #, c-format msgid "Key slot %d is invalid." msgstr "Утор кључа „%d“ није исправан." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3889 src/cryptsetup.c:1594 src/cryptsetup.c:1936 +#: src/cryptsetup.c:2540 src/cryptsetup.c:2597 #, c-format msgid "Keyslot %d is not active." msgstr "Утор кључа „%d“ није радан." -#: lib/setup.c:3796 +#: lib/setup.c:3908 msgid "Device header overlaps with data area." msgstr "Заглавље уређаја се преклапа са облашћу података." -#: lib/setup.c:4089 +#: lib/setup.c:4213 msgid "Reencryption in-progress. Cannot activate device." msgstr "Поновно шифровање је у току. Не могу да активирам уређај." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4215 lib/luks2/luks2_json_metadata.c:2635 +#: lib/luks2/luks2_reencrypt.c:3565 msgid "Failed to get reencryption lock." msgstr "Нисам успео да добавим закључавање поновног шифровања." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4228 lib/luks2/luks2_reencrypt.c:3584 msgid "LUKS2 reencryption recovery failed." 
msgstr "Опоравак ЛУКС2 поновног шифровања није успело." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4396 lib/setup.c:4661 msgid "Device type is not properly initialized." msgstr "Врста уређаја није исправно покренута." -#: lib/setup.c:4283 +#: lib/setup.c:4444 #, c-format msgid "Device %s already exists." msgstr "Већ постоји уређај „%s“." -#: lib/setup.c:4290 +#: lib/setup.c:4451 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Не могу да користим уређај „%s“, назив није исправан или је још у употреби." -#: lib/setup.c:4410 +#: lib/setup.c:4571 msgid "Incorrect volume key specified for plain device." msgstr "Наведен је неисправан кључ волумена за обичан уређај." -#: lib/setup.c:4526 +#: lib/setup.c:4687 msgid "Incorrect root hash specified for verity device." msgstr "Наведен је неисправан хеш корена за уређај тачности." -#: lib/setup.c:4533 +#: lib/setup.c:4697 msgid "Root hash signature required." msgstr "Потпис хеша корена је потребан." -#: lib/setup.c:4542 +#: lib/setup.c:4706 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Привезак кључева кернела недостаје: потребан је за прослеђивање потписа кернелу." -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4723 lib/setup.c:6218 msgid "Failed to load key in kernel keyring." msgstr "Нисам успео да учитам кључ у привеску кључева кернела." -#: lib/setup.c:4615 +#: lib/setup.c:4779 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Не могу да откажем различно уклањање из уређаја „%s“." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4786 lib/setup.c:4802 lib/luks2/luks2_json_metadata.c:2688 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Уређај „%s“ је још увеку употреби." -#: lib/setup.c:4647 +#: lib/setup.c:4811 #, c-format msgid "Invalid device %s." msgstr "Неисправан уређај „%s“." 
-#: lib/setup.c:4763 +#: lib/setup.c:4927 msgid "Volume key buffer too small." msgstr "Међумеморија кључа волумена је премала." -#: lib/setup.c:4771 +#: lib/setup.c:4935 msgid "Cannot retrieve volume key for plain device." msgstr "Не могу да довучем кључ волумена за обичан уређај." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "Не могу да довучем хеш корена за уређај тачности." -#: lib/setup.c:4792 +#: lib/setup.c:4956 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Ова радња није подржана за криптографски уређај „%s“." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5130 lib/setup.c:5141 msgid "Dump operation is not supported for this device type." msgstr "Радња исписа није подржана за ову врсту уређаја." -#: lib/setup.c:5337 +#: lib/setup.c:5471 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Померај података није умножак %u бајта." -#: lib/setup.c:5622 +#: lib/setup.c:5756 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Не могу да преобратим уређај „%s“ који је још увек у употреби." -#: lib/setup.c:5941 +#: lib/setup.c:6075 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Нисам успео да доделим утор кључа „%u“ као нови кључ волумена." -#: lib/setup.c:6014 +#: lib/setup.c:6148 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Нисам успео да покренем основне параметре ЛУКС2 утора кључа." -#: lib/setup.c:6020 +#: lib/setup.c:6154 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Нисам успео да доделим утор кључа „%d“ за преглед." -#: lib/setup.c:6151 +#: lib/setup.c:6285 msgid "Kernel keyring is not supported by the kernel." msgstr "Привезак кључева кернела није подржан кернелом." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6295 lib/luks2/luks2_reencrypt.c:3782 #, c-format msgid "Failed to read passphrase from keyring (error %d)." 
msgstr "Нисам успео да прочитам пропусну реч из привеска кључа (грешка %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6319 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Нисам успео да остварим опште закључавање серијализације приступа чврстој меморији." @@ -584,8 +608,8 @@ msgstr "Нисам успео да добавим податке датотек msgid "Cannot seek to requested keyfile offset." msgstr "Не могу да премотам на затражени померај датотеке кључа." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Нестало је меморије приликом читања пропусне речи." @@ -606,7 +630,7 @@ msgid "Cannot read requested amount of data." msgstr "Не могу да прочитам затражену количину података." #: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1353 #, c-format msgid "Device %s does not exist or access denied." msgstr "Уређај „%s“ не постоји или је приступ одбијен." @@ -736,12 +760,12 @@ msgstr "Директоријум закључавања „%s/%s“ биће н msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Закључавање је прекинуто. Путања закључавања „%s/%s“ је неискористива („%s“ није директоријум)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Не могу да премотам на померај уређаја." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." msgstr "Грешка брисања уређаја, померај %<PRIu64>." 
@@ -765,7 +789,7 @@ msgstr "Спецификација шифрера треба бити у зап #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 #: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks2/luks2_json_metadata.c:1421 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Не могу да пишем на уређај „%s“, овлашћење је одбијено." @@ -779,17 +803,17 @@ msgid "Failed to access temporary keystore device." msgstr "Нисам успео да приступм привременом уређају смештаја кључа." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "Грешка УИ приликом шифровања утора кључа." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 +#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:680 +#: lib/verity/verity.c:80 lib/verity/verity.c:196 lib/verity/verity_hash.c:320 #: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/verity/verity_fec.c:260 lib/verity/verity_fec.c:272 +#: lib/verity/verity_fec.c:277 lib/luks2/luks2_json_metadata.c:1424 +#: src/utils_reencrypt_luks1.c:121 src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Не могу да отворим уређај „%s“." 
@@ -810,43 +834,32 @@ msgstr "Уређај „%s“ је премали. (ЛУКС1 захтева б msgid "LUKS keyslot %u is invalid." msgstr "ЛУКС утор кључа „%u“ није исправан." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "Уређај „%s“ није исправан ЛУКС уређај." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1284 #, c-format msgid "Requested header backup file %s already exists." msgstr "Затражена датотека резерве заглавља „%s“ већ постоји." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1286 #, c-format msgid "Cannot create header backup file %s." msgstr "Не могу да направим резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1293 #, c-format msgid "Cannot write header backup file %s." msgstr "Не могу да запишем резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1330 msgid "Backup file does not contain valid LUKS header." msgstr "Датотека резерве не садржи исправно ЛУКС заглавље." #: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks2/luks2_json_metadata.c:1351 #, c-format msgid "Cannot open header backup file %s." msgstr "Не могу да отворим резервну датотеку заглавља „%s“." 
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1359 #, c-format msgid "Cannot read header backup file %s." msgstr "Не могу да прочитам резервну датотеку заглавља „%s“." @@ -868,7 +881,7 @@ msgstr "не садржи ЛУКС заглавље. Замена заглављ msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "већ садржи ЛУКС заглавље. Замена заглавља ће уништити постојеће уторе кључева." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1393 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -942,7 +955,7 @@ msgstr "Режим ЛУКС шифрера „%s“ није исправан." msgid "LUKS hash %s is invalid." msgstr "ЛУКС хеш „%s“ није исправан." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1144 msgid "No known problems detected for LUKS header." msgstr "Нису откривени познати проблеми за ЛУКС заглавље." @@ -961,8 +974,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Померај података за ЛУКС заглавље мора бити или 0 или већи од величине заглавља." #: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1175 +#: src/utils_reencrypt.c:475 msgid "Wrong LUKS UUID format provided." msgstr "Достављен је погрешан запис ЛУКС УЈИБ-а." 
@@ -995,7 +1008,7 @@ msgstr "Не могу да отворим утор кључа (користим msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Утор кључа %d није исправан, изаберите га између 0 и %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Не могу да обришем уређај „%s“." 
@@ -1026,205 +1039,213 @@ msgstr "Грешка читања датотеке кључа „%s“." msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Премашена је највећа дужина „TCRYPT“ пропусне речи (%zu)." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:601 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "„PBKDF2“ алгоритам хеша „%s“ није доступан, прескачем." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1019 msgid "Required kernel crypto interface not available." msgstr "Није доступно затражено сучеље криптографије језгра." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:622 src/cryptsetup.c:1021 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Уверите се да је учитан модул кернела „algif_skcipher“." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:763 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Покретање није подржано за величину %d области." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:769 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Језгро не подржава покретање за овај стари „TCRYPT“ режим." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:800 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Покрећем „TCRYPT“ систем шифровања за партицију „%s“." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:883 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Кернел не подржава мапирање сагласно са „TCRYPT“-ом." -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1096 msgid "This function is not supported without TCRYPT header load." msgstr "Ова функција није подржана без учитавања „TCRYPT“ заглавља." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:275 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." 
msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:328 msgid "Invalid string found when parsing Volume Master Key." msgstr "Нађох неисправну ниску приликом обраде главног кључа волумена." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:332 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Нађох неочекивану ниску („%s“) приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:349 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Нисам успео да прочитам „BITLK“ потпис из „%s“." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Неисправан или непознат потпис за „BITLK“ уређај." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:451 msgid "BITLK version 1 is currently not supported." msgstr "„BITLK“ издање 1 тренутно није подржано." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:457 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Неисправан или непознат потпис учитавања за „BITLK“ уређај." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:469 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "Неподржана величина одељка „%<PRIu16>“." -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:477 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Нисам успео да прочитам „BITLK“ заглавље из „%s“." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:502 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Нисам успео да прочитам „BITLK FVE“ метаподатаке из „%s“." 
-#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:554 msgid "Unknown or unsupported encryption type." msgstr "Непозната или неподржана врста криптографије." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:587 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Нисам успео да прочитам уносе „BITLK“ метаподатака из „%s“." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:681 +msgid "Failed to convert BITLK volume description" +msgstr "Нисам успео да претворим опис „BITLK“ волумена" + +#: lib/bitlk/bitlk.c:841 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде спољног кључа." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:860 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "ГУИД „%s“ датотеке „BEK“ не одговара ГУИД-у волумена." + +#: lib/bitlk/bitlk.c:864 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде спољног кључа." -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:903 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Неподржани „BEK“ метаподаци издање %<PRIu32>" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:908 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Неочекивана величина „BEK“ метаподатака %<PRIu32> не одговара величини „BEK“ датотеке" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:933 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Нађох неочекивану врсту уноса метаподатака приликом обраде кључа почретања." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1029 msgid "This operation is not supported." msgstr "Радња није подржана." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1037 msgid "Unexpected key data size." msgstr "Неочекивана величина података кључа." 
-#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1163 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Овај „BITLK“ уређај је у неподржаном стању и не може бити активиран." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1168 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "„BITLK“ уређај са врстом „%s“ се не може активирати." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1175 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Активирање делимично дешифрованог „BITLK“ уређаја није подржано." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1216 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "УПОЗОРЕЊЕ: Величина волумена закључавача бита %<PRIu64> не одговара величини садржаног уређаја %<PRIu64>" + +#: lib/bitlk/bitlk.c:1343 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK IV“." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1347 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK Elephant“ дифузера." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1351 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за велику величину сектора." + +#: lib/bitlk/bitlk.c:1355 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Не могу да активирам уређај, недостаје „dm-zero“ модул кернела." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Уређај тачности %s не користи заглавље на-диску." 
-#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Уређај „%s“ није исправан „VERITY“ уређај." - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Неподржано издање „VERITY“ %d." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "Заглавље „VERITY“ је оштећено." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "Достављен је погрешан УЈИБ „VERITY“ запис на уређају „%s“." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Грешка приликом освежавања заглавља тачности на уређају „%s“." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Провера хеш потписа корена није подржана." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Грешке се не могу поправити са „FEC“ уређајем." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Нађох поправљиве грешке (%u) са „FEC“ уређајем." -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "Кернел не подржава мапирање дм-тачности." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "Кернел не подржава опцију потписа дм-тачности." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "Уређај тачности је открио оштећење након покретања." 
@@ -1296,37 +1317,42 @@ msgstr "Нисам успео да поправим паритет за блок
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Нисам успео да запишем паритет „RS“ блока %<PRIu64>."
 
-#: lib/verity/verity_fec.c:228
+#: lib/verity/verity_fec.c:208
 msgid "Block sizes must match for FEC."
 msgstr "Величине блокова морају одговарати за „FEC“."
 
-#: lib/verity/verity_fec.c:234
+#: lib/verity/verity_fec.c:214
 msgid "Invalid number of parity bytes."
 msgstr "Неисправан број бајтова паритета."
 
-#: lib/verity/verity_fec.c:239
+#: lib/verity/verity_fec.c:248
 msgid "Invalid FEC segment length."
 msgstr "Неисправна дужина „FEC“ сегмента."
 
-#: lib/verity/verity_fec.c:303
+#: lib/verity/verity_fec.c:316
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Нисам успео да одредим величину за уређај „%s“."
 
-#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355
+#: lib/integrity/integrity.c:57
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Недоследни „dm-integrity“ метаподаци кернела (издање %u) су откривени на „%s“."
+
+#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Кернел не подржава мапирање дм-целовитости."
 
-#: lib/integrity/integrity.c:278
+#: lib/integrity/integrity.c:283
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Кернел не подржава поравнање фиксних метаподатака дм-целовитости."
 
-#: lib/integrity/integrity.c:287
+#: lib/integrity/integrity.c:292
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Кернел одбија да покрене небезбедну опцију поновног израчунавања (видите старе опције покретања да избегнете ово)."
 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973
-#: lib/luks2/luks2_json_metadata.c:1268
+#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:1133
+#: lib/luks2/luks2_json_metadata.c:1413
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Нисам успео да остварим закључавање писања на уређају „%s“."
@@ -1352,40 +1378,40 @@ msgstr "Затражени померај података је премали."
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "УПОЗОРЕЊЕ: област утора кључа (%<PRIu64> бајта) је врло мала, доступан број ЛУКС2 утора кључа врло ограничен.\n"
 
-#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098
-#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:1120 lib/luks2/luks2_json_metadata.c:1258
+#: lib/luks2/luks2_json_metadata.c:1319 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Нисам успео да остварим закључавање читања на уређају „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks2/luks2_json_metadata.c:1336
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Забрањени ЛУКС2 захтеви су откривени у резерви „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:1232
+#: lib/luks2/luks2_json_metadata.c:1377
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Померај података се разликује на уређају и резерви, враћање није успело."
 
-#: lib/luks2/luks2_json_metadata.c:1238
+#: lib/luks2/luks2_json_metadata.c:1383
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Бинарно заглавље са областима утора кључа се разликује на уређају и резерви, враћање није успело."
 
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1390
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Уређај %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1246
+#: lib/luks2/luks2_json_metadata.c:1391
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не садржи ЛУКС2 заглавље. Замена заглавља може да уништи податке на том уређају."
 
-#: lib/luks2/luks2_json_metadata.c:1247
+#: lib/luks2/luks2_json_metadata.c:1392
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "већ садржи „LUKS2“ заглавље. Замена заглавља ће уништити постојеће уторе кључева."
 
-#: lib/luks2/luks2_json_metadata.c:1249
+#: lib/luks2/luks2_json_metadata.c:1394
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1395,7 +1421,7 @@ msgstr ""
 "УПОЗОРЕЊЕ: непознати ЛУКС2 захтеви су откривени у стварном заглављу уређаја!\n"
 "Замена заглавља резервом може оштетити податке на том уређају!"
 
-#: lib/luks2/luks2_json_metadata.c:1251
+#: lib/luks2/luks2_json_metadata.c:1396
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1405,58 +1431,58 @@ msgstr ""
 "УПОЗОРЕЊЕ: Недовршено ван мрежно поновно шифровање је откривено на уређају!\n"
 "Замена заглавља резервом може оштетити податке."
 
-#: lib/luks2/luks2_json_metadata.c:1349
+#: lib/luks2/luks2_json_metadata.c:1494
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Занемарена непозната заставица „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843
+#: lib/luks2/luks2_json_metadata.c:2402 lib/luks2/luks2_reencrypt.c:2015
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Недостаје кључ за „dm-crypt“ подеок %u"
 
-#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857
+#: lib/luks2/luks2_json_metadata.c:2414 lib/luks2/luks2_reencrypt.c:2029
 msgid "Failed to set dm-crypt segment."
 msgstr "Нисам успео да подесим „dm-crypt“ подеок."
 
-#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863
+#: lib/luks2/luks2_json_metadata.c:2420 lib/luks2/luks2_reencrypt.c:2035
 msgid "Failed to set dm-linear segment."
 msgstr "Нисам успео да подесим „dm-linear“ подеок."
 
-#: lib/luks2/luks2_json_metadata.c:2199
+#: lib/luks2/luks2_json_metadata.c:2547
 msgid "Unsupported device integrity configuration."
 msgstr "Неподржано подешавање целовитости уређаја."
 
-#: lib/luks2/luks2_json_metadata.c:2285
+#: lib/luks2/luks2_json_metadata.c:2633
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Поновно шифровање је у току. Не могу да деактивирам уређај."
 
-#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300
+#: lib/luks2/luks2_json_metadata.c:2644 lib/luks2/luks2_reencrypt.c:4057
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Нисам успео да заменим обустављени уређај „%s“ са метом „dm-error“."
 
-#: lib/luks2/luks2_json_metadata.c:2376
+#: lib/luks2/luks2_json_metadata.c:2724
 msgid "Failed to read LUKS2 requirements."
 msgstr "Нисам успео да прочитам ЛУКС2 захтеве."
 
-#: lib/luks2/luks2_json_metadata.c:2383
+#: lib/luks2/luks2_json_metadata.c:2731
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Неоствариви ЛУКС2 захтеви су откривени."
 
-#: lib/luks2/luks2_json_metadata.c:2391
+#: lib/luks2/luks2_json_metadata.c:2739
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Радња је несагласна са уређајем означеним за старо поновно шифровање. Прекидам."
 
-#: lib/luks2/luks2_json_metadata.c:2393
+#: lib/luks2/luks2_json_metadata.c:2741
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Радња је несагласна са уређајем означеним за ЛУКС2 поновно шифровање. Прекидам."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
 msgid "Not enough available memory to open a keyslot."
 msgstr "Нема довољно доступне меморије за отварање утора кључа."
 
-#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593
+#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
 msgid "Keyslot open failed."
 msgstr "Отварање утора кључа није успело."
 
@@ -1465,348 +1491,406 @@ msgstr "Отварање утора кључа није успело." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Не могу користити шифрер „%s-%s“ за шифровање утора кључа." -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:496 msgid "No space for new keyslot." msgstr "Нема простора за нови утор кључа." -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2615 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "Алгоритам хеша „%s“ није доступан." + +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "Затражена је неисправна промена режима гипкости поновног шифровања." + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes." +msgstr "Не могу да освежим врсту гипкости. Нова врста обезбеђује само %<PRIu64> бајт(а), захтеван простор је: %<PRIu64> бајт(а)." + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "Нисам успео да освежим упит потврђивања поновног шифровања." + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Не могу да проверим стање уређаја са ујиб-ом: %s." -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Не могу да претворим заглавље са „LUKSMETA“ додатним метаподацима." -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3715 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "Не могу да користим спецификацију шифрера „%s-%s“ за ЛУКС2." + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." 
msgstr "Не могу да преместим област утора кључа. Нема довољно простора." -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "Не могу да претворим у ЛУКС2 запис – неисправни метаподаци." + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Не могу да преместим област утора кључа. Област ЛУКС2 утора кључа је премала." -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "Не могу да преместим област утора кључа." -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Не могу да претворим у ЛУКС1 запис – основна величина подеока 512 bytes." -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Не могу да претворим у ЛУКС1 запис – прегледи утора кључа нису ЛУКС1 сагласни." -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Не могу да претворим у ЛУКС1 запис – уређај користи умотаног шифрера кључа „%s“." -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "Не могу да претворим у ЛУКС2 запис – уређај користи више подеока." + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Не могу да претворим у ЛУКС1 запис – ЛУКС2 заглавље садржи %u скупину(е)." 
-#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u је у неисправном стању." -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Не могу да претворим у ЛУКС1 запис – утор %u (преко максимума утора) је још активан." -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u није ЛУКС1 сагласан." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1107 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Величина вруће зоне мора бити умножак прорачунатог поравнања зоне (%zu бајта)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1112 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Величина уређаја мора бити производ прорачунатог поравнања зоне (%zu бајта)." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Неподржан режим гипкости „%s“" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1319 lib/luks2/luks2_reencrypt.c:1505 +#: lib/luks2/luks2_reencrypt.c:1588 lib/luks2/luks2_reencrypt.c:1630 +#: lib/luks2/luks2_reencrypt.c:3852 msgid "Failed to initialize old segment storage wrapper." msgstr "Нисам успео да покренем старог увијача смештаја подеока." 
-#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1333 lib/luks2/luks2_reencrypt.c:1483 msgid "Failed to initialize new segment storage wrapper." msgstr "Нисам успео да покренем новог увијача смештаја подеока." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1460 lib/luks2/luks2_reencrypt.c:3864 +msgid "Failed to initialize hotzone protection." +msgstr "Нисам успео да покренем заштиту вруће зоне." + +#: lib/luks2/luks2_reencrypt.c:1532 msgid "Failed to read checksums for current hotzone." msgstr "Нисам успео да прочитам суму провере за текућу врућу зону." -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1539 lib/luks2/luks2_reencrypt.c:3878 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "Нисам успео да прочитам област вруће зоне са почетком на %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1558 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Нисам успео да дешифрујем област %zu." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1564 #, c-format msgid "Failed to recover sector %zu." msgstr "Нисам успео да опоравим област %zu." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2128 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "Величине изворног и циљног уређаја не одговарају. Извор %<PRIu64>, мета: %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2226 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Нисам успео да активирам уређај вруће зоне „%s“." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2243 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Нисам успео да активирам уређај преклапања „%s“ са стварном табелом порекла." 
-#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2250 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Нисам успео да учитам ново мапирање за уређај „%s“." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2321 msgid "Failed to refresh reencryption devices stack." msgstr "Нисам успео да освежим спремник уређаја поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2497 msgid "Failed to set new keyslots area size." msgstr "Нисам успео да подесим нову величину области утора кључа." -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2633 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Помак података није поравнат на захтевану величину одељка шифровања (%<PRIu32> бајта)." +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Вредност помака података није поравната на величину одељка шифровања (%<PRIu32> бајта)." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2664 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Уређај података није поравнат на захтевану величину одељка шифровања (%<PRIu32> бајта)." +msgid "Unsupported resilience mode %s" +msgstr "Неподржан режим гипкости „%s“" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2741 +msgid "Moved segment size can not be greater than data shift value." +msgstr "Величина премештеног подеока не може бити већа од вредности помака података." + +#: lib/luks2/luks2_reencrypt.c:2799 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "Премештени подеок је превелик. Захтевана величина је %<PRIu64>, доступан простор за: %<PRIu64>." + +#: lib/luks2/luks2_reencrypt.c:2886 +msgid "Failed to clear table." +msgstr "Нисам успео да очистим табелу." 
+ +#: lib/luks2/luks2_reencrypt.c:2972 +msgid "Reduced data size is larger than real device size." +msgstr "Величина умањених података је већа од стварне величине уређаја." + +#: lib/luks2/luks2_reencrypt.c:2979 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Уређај података није поравнат на величину одељка шифровања (%<PRIu32> бајта)." + +#: lib/luks2/luks2_reencrypt.c:3013 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "Помак података (%<PRIu64> одељка) је мањи од будућег помераја података (%<PRIu64> одељка)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3020 lib/luks2/luks2_reencrypt.c:3508 +#: lib/luks2/luks2_reencrypt.c:3529 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Нисам успео да отворим „%s“ у искључивом режиму (већ мапиран или прикачен)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3209 msgid "Device not marked for LUKS2 reencryption." msgstr "Уређај није означен за ЛУКС2 поновно шифровање." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3226 lib/luks2/luks2_reencrypt.c:4181 msgid "Failed to load LUKS2 reencryption context." msgstr "Нисам успео да учитам контекст ЛУКС2 поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3306 msgid "Failed to get reencryption state." msgstr "Нисам успео да добавим стање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3310 lib/luks2/luks2_reencrypt.c:3624 msgid "Device is not in reencryption." msgstr "Уређај није у поновном шифровању." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3317 lib/luks2/luks2_reencrypt.c:3631 msgid "Reencryption process is already running." 
msgstr "Процес поновног шифровања је већ покренут." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3319 lib/luks2/luks2_reencrypt.c:3633 msgid "Failed to acquire reencryption lock." msgstr "Нисам успео да остварим закључавање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3337 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Не могу да наставим са поновним шифровањем. Прво покрените опоравак поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3472 msgid "Active device size and requested reencryption size don't match." msgstr "Активна величина уређаја и величина затраженог поновног шифровања не одговарају." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3486 msgid "Illegal device size requested in reencryption parameters." msgstr "Неисправна величина уређаја је затражена у параметрима поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3563 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Поновно шифровање је у току. Не могу да обавим опоравак." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3732 msgid "LUKS2 reencryption already initialized in metadata." msgstr "ЛУКС2 поновно шифровање је већ покренуто у метаподацима." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3739 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Нисам успео да покренем ЛУКС2 поновно шифровање у метаподацима." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3834 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Нисам успео да поставим подеоке уређаја за следећу врућу зону поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3886 msgid "Failed to write reencryption resilience metadata." 
msgstr "Нисам успео да запишем метаподатаке гипкости поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3893 msgid "Decryption failed." msgstr "Дешифровање није успело." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3898 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Нисам успео да запишем област вруће зоне са почетком на %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3903 msgid "Failed to sync data." msgstr "Нисам успео да усагласим податке." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Нисам успео да освежим метаподатке након тренутно завршеног поновног шифровања вруће зоне." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4000 msgid "Failed to write LUKS2 metadata." msgstr "Нисам успео да запишем ЛУКС2 метаподатке." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Нисам успео да очистим податке подеока резерве." +#: lib/luks2/luks2_reencrypt.c:4023 +msgid "Failed to wipe unused data device area." +msgstr "Нисам успео да обришем област уређаја података." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Нисам успео да искључим заставицу захтева поновног шифровања." +#: lib/luks2/luks2_reencrypt.c:4029 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Нисам успео да уклоним некоришћени (несвезани) утор кључа %d." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4039 +msgid "Failed to remove reencryption keyslot." +msgstr "Нисам успео да уклоним утор кључа поновног шифровања." + +#: lib/luks2/luks2_reencrypt.c:4049 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." 
msgstr "Кобна грешка приликом поновног шифровања комада који почиње на %<PRIu64>, %<PRIu64> подеока дуг." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4053 msgid "Online reencryption failed." msgstr "Поновно шифровање на мрежи није успело." -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4058 msgid "Do not resume the device unless replaced with error target manually." msgstr "Не наставља са уређајем осим ако није ручно замењен метом грешке." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4112 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Не могу да наставим са поновним шифровањем. Неочекивано стање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4118 msgid "Missing or invalid reencrypt context." msgstr "Недостаје или неисправан контекст поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to initialize reencryption device stack." msgstr "Нисам успео да покренем поновно шифровање спремника уређаја." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4147 lib/luks2/luks2_reencrypt.c:4194 msgid "Failed to update reencryption context." msgstr "Нисам успео да освежим контекст поновног шифровања." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Не могу да одрадим проверу пропусне речи на не-конзолним улазима." +#: lib/luks2/luks2_reencrypt_digest.c:406 +msgid "Reencryption metadata is invalid." +msgstr "Метаподаци поновног шифровања нису исправни." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Параметри шифровања утора кључа се могу поставити само за ЛУКС2 уређај." 
-#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 #, c-format msgid "Enter token PIN:" msgstr "Унесите ПИН скупине:" -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 #, c-format msgid "Enter token %d PIN:" msgstr "Унесите %d ПИН скупине:" -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:966 src/cryptsetup.c:1293 +#: src/utils_reencrypt.c:1048 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Није откривен познат образац одреднице шифрера." -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "УПОЗОРЕЊЕ: Параметар „--hash“ је занемарен у обичном режиму са наведеном кључном датотеком.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "УПОЗОРЕЊЕ: Опција „--keyfile-size“ је занемарена, величина читања је иста као величина кључа шифровања.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Открих потпис(е) уређаја на „%s“. Даље настављање може оштетити постојеће податке." 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1040 src/cryptsetup.c:1088 +#: src/cryptsetup.c:1154 src/cryptsetup.c:1270 src/cryptsetup.c:1343 +#: src/cryptsetup.c:1994 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:275 msgid "Operation aborted.\n" msgstr "Радња је обустављена.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "Захтевана је опција „--key-file“." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "Унесите „VeraCrypt PIM“: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Неисправна „PIM“ вредност: грешка обраде." -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Неисправна „PIM“ вредност: 0." -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." msgstr "Неисправна „PIM“ вредност: изван опсега." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "Није откривено заглавље уређаја са овом пропусном речи." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Уређај „%s“ није исправан „BITLK“ уређај." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Не могу да одредим величину кључа за „BITLK“, користите „--key-size“ опцију." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" 
@@ -1816,7 +1900,7 @@ msgstr "" "који омогућава приступ шифрованој партицији без лозинке.\n" "Овај избачај треба увек бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:2019 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1826,88 +1910,104 @@ msgstr "" "који омогућава приступ шифрованој партицији без лозинке.\n" "Овај избачај треба бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:664 src/veritysetup.c:321 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Уређај „%s“ је још увек активан и заказан за одложено уклањање.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:698 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Сразмеравање активног уређаја захтева кључ волумена у привеску кључева али је постављена „--disable-keyring“ опција." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:845 msgid "Benchmark interrupted." msgstr "Оцењивање је прекинуто." -#: src/cryptsetup.c:957 +#: src/cryptsetup.c:866 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "„PBKDF2-%-9s“ Н/Д\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:868 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "„PBKDF2-%-9s“ %7u понављања у секунди за %zu-битни кључ\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:882 #, c-format msgid "%-10s N/A\n" msgstr "%-10s Н/Д\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:884 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u понављања, %5u меморије, %1u паралелних нити (процесора) за %zu-битни кључ (захтева се %u ms време)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:908 msgid "Result of benchmark is not reliable." msgstr "Резултат оцењивања није поуздан." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:958 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Пробе су приближне користећи само меморију (без УИ смештаја).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. 
-#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:978 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Алгоритам | Кључ | Шифровање | Дешифровање\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:982 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Шифрер „%s“ (са %i битним кључем) није доступан." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1001 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Алгоритам | Кључ | Шифровање | Дешифровање\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1012 msgid "N/A" msgstr "Недоступно" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1037 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Изгледа да уређај не захтева опоравак поновног шифровања.\n" -"Да ли желите да наставите?" +"Откривени су незаштићени ЛУКС2 метаподаци поновног шифровања. Проверите да ли је радња поновног шифровања пожељна (видите „luksDump“ излаз)\n" +"и наставите (са надоградњом метаподатака само ако знате да је радња безопасна." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1043 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Унесите пропусну реч да заштитите и надоградите метаподатке поновног шифровања: " + +#: src/cryptsetup.c:1087 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Да наставим са опоравком ЛУКС2 поновног шифровања?" 
-#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1096 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Унесите пропусну реч да проверите упит метаподатака поновног шифровања: " + +#: src/cryptsetup.c:1098 msgid "Enter passphrase for reencryption recovery: " msgstr "Унесите пропусну реч за опоравак поновног шифровања: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1153 msgid "Really try to repair LUKS device header?" msgstr "Стварно да покушам да поправим заглавље ЛУКС уређаја?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1177 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Брисање је прекинуто." + +#: src/cryptsetup.c:1182 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1915,113 +2015,119 @@ msgstr "" "Бришем уређај да бих започео суму провере целовитости.\n" "Можете прекинути ово притиском на „CTRL+c“ (остатак необрисаног уређаја садржаће неисправну суму провере).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1204 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Не могу да деактивирам привремени уређај „%s“." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1255 msgid "Integrity option can be used only for LUKS2 format." msgstr "Опција целовитости се може користити само за ЛУКС2 запис." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1260 src/cryptsetup.c:1320 msgid "Unsupported LUKS2 metadata size options." msgstr "Неподржана опција величине ЛУКС2 метаподатака." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1269 msgid "Header file does not exist, do you want to create it?" msgstr "Датотека заглавља не постоји, да ли желите да је направите?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1277 #, c-format msgid "Cannot create header file %s." msgstr "Не могу да направим датотеку заглавља „%s“." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1300 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Није откривен познат образац одреднице целовитости." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1313 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Не могу да користим „%s“ као заглавље на-диску." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1337 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." 
msgstr "Ово ће неповратно да препише податке на „%s“." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1370 src/cryptsetup.c:1707 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1876 src/cryptsetup.c:1942 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Нисам успео да подесим „pbkdf“ параметре." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1455 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Смањени померај података је допуштен само за откачена ЛУКС заглавља." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1466 src/cryptsetup.c:1778 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Не могу да одредим величину кључа за ЛУКС без утора кључа, користите „--key-size“ опцију." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1512 msgid "Device activated but cannot make flags persistent." msgstr "Уређај је активиран али не могу да учиним заставице трајним." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1591 src/cryptsetup.c:1659 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Утор кључа „%d“ је изабран за брисање." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1603 src/cryptsetup.c:1663 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Ово је последњи утор кључа. Уређај ће постати неупотребљив након чишћења овог кључа." 
-#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1604 msgid "Enter any remaining passphrase: " msgstr "Унесите неку преосталу пропусну реч: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1605 src/cryptsetup.c:1665 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Радња је прекинута, утор кључа НИЈЕ обрисан.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1641 msgid "Enter passphrase to be deleted: " msgstr "Унесите пропусну реч за брисање: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1691 src/cryptsetup.c:1925 src/cryptsetup.c:2505 +#: src/cryptsetup.c:2649 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Уређај „%s“ није исправан ЛУКС2 уређај." + +#: src/cryptsetup.c:1721 src/cryptsetup.c:1795 src/cryptsetup.c:1829 msgid "Enter new passphrase for key slot: " msgstr "Унесите нову пропусну реч за утор кључа: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1812 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Унесите неку постојећу пропусну реч: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:1880 msgid "Enter passphrase to be changed: " msgstr "Унесите пропусну реч за мењање: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:1896 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Унесите нову пропусну реч: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:1946 msgid "Enter passphrase for keyslot to be converted: " msgstr "Унесите пропусну реч за утор кључа за претварање: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:1970 msgid "Only one device argument for isLuks operation is supported." msgstr "Подржан је само један аргумент уређаја за радњу „isLuks“." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2078 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Утор кључа %d не садржи несвезани кључ." 
-#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2083 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2029,40 +2135,40 @@ msgstr "" "Избачај заглавља са кључем волумена је осетљив податак\n" "Овај избачај треба увек бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2169 src/cryptsetup.c:2198 #, c-format msgid "%s is not active %s device name." msgstr "„%s“ није назив активног „%s“ уређаја." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2193 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "„%s“ није назив активног ЛУКС уређаја или недостаје заглавље." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2255 src/cryptsetup.c:2274 msgid "Option --header-backup-file is required." msgstr "Захтевана је опција „--header-backup-file“." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2305 #, c-format msgid "%s is not cryptsetup managed device." msgstr "„%s“ није уређај управљан криптоподешавањем." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2316 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Освежавање није подржано за врсту уређаја „%s“" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2362 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Непозната врста уређаја метаподатака „%s“." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2364 msgid "Command requires device and mapped name as arguments." msgstr "Наредба захтева уређај и мапирани назив као аргумент." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2385 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2071,335 +2177,325 @@ msgstr "" "Ова радња ће обрисати све уторе кључева на уређају „%s“.\n" "Уређај ће постати неупотребљив након ове радње." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2392 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Радња је прекинута, утори кључева НИСУ обрисани.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2431 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Неисправна ЛУКС врста, само „luks1“ и „luks2“ су подржане." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2447 #, c-format msgid "Device is already %s type." msgstr "Уређај је већ „%s“ врсте." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2454 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Ова радња ће претворити „%s“ у „%s“ запис.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2457 msgid "Operation aborted, device was NOT converted.\n" msgstr "Радња је прекинута, уређај НИЈЕ претворен.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2497 msgid "Option --priority, --label or --subsystem is missing." msgstr "Недостаје опција „--priority“, „--label“ или „--subsystem“." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2531 src/cryptsetup.c:2568 src/cryptsetup.c:2588 #, c-format msgid "Token %d is invalid." msgstr "Скупина „%d“ није исправна." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2534 src/cryptsetup.c:2591 #, c-format msgid "Token %d in use." msgstr "Скупина „%d“ је у употреби." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2546 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Нисам успео да додам „luks2-keyring“ скупину „%d“." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2554 src/cryptsetup.c:2617 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Нисам успео да доделим скупину „%d“ утору кључа %d." 
-#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2571 #, c-format msgid "Token %d is not in use." msgstr "Скупина „%d“ није у употреби." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2608 msgid "Failed to import token from file." msgstr "Нисам успео да увезем скупину из датотеке." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2633 #, c-format msgid "Failed to get token %d for export." msgstr "Нисам успео да добавим скупину „%d“ за извоз." +#: src/cryptsetup.c:2682 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Опција „--tcrypt-hidden“, „--tcrypt-system“ или „--tcrypt-backup“ је подржана само за ТКРИПТ уређај." + +#: src/cryptsetup.c:2685 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Опција „--veracrypt“ или „--disable-veracrypt“ је подржана само за ТКРИПТ врсту уређаја." + +#: src/cryptsetup.c:2688 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Опција „--veracrypt-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." + +#: src/cryptsetup.c:2692 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Опција „--veracrypt-query-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." + +#: src/cryptsetup.c:2694 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Опције „--veracrypt-pim“ и „--veracrypt-query-pim“ се узајамно искључују." + +#: src/cryptsetup.c:2703 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Опција „--persistent“ није допуштена са опцијом „--test-passphrase“." + +#: src/cryptsetup.c:2706 +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Опције „--refresh“ и „--test-passphrase“ се узајамно искључују." + +#: src/cryptsetup.c:2709 +msgid "Option --shared is allowed only for open of plain device." 
+msgstr "Опција „--shared“ је допуштена само за отварање обичног уређаја." + +#: src/cryptsetup.c:2712 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Опција „--skip“ је подржана само за отварање обичних и упетљаних уређаја." + +#: src/cryptsetup.c:2715 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Опција „--offset“ са отвореном радњом је подржана само за обичне и упетљане уређаје." + +#: src/cryptsetup.c:2718 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Опција „--tcrypt-hidden“ не може бити обједињена са „--allow-discards“." + +#: src/cryptsetup.c:2722 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "Опција величине одељка са отвореном радњом је подржана само за обичне уређаје." + +#: src/cryptsetup.c:2726 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Опција великих IV одељака је подржана само за отварање обичних уређаја са величином одељка већом од 512 бајта." + +#: src/cryptsetup.c:2730 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." +msgstr "Опција „--test-passphrase“ је допуштена само за отварање ЛУКС, „TCRYPT“ и „BITLK“ уређаја." + +#: src/cryptsetup.c:2733 src/cryptsetup.c:2756 +msgid "Options --device-size and --size cannot be combined." +msgstr "Опције „--device-size“ и „--size“ се не могу комбиновати." + +#: src/cryptsetup.c:2736 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Опција „--unbound“ је допуштена само за отварање лукс уређаја." + +#: src/cryptsetup.c:2739 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "Опција „--unbound“ се не може користити без „--test-passphrase“." 
+ +#: src/cryptsetup.c:2748 src/veritysetup.c:664 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Опције „--cancel-deferred“ и „--deferred“ се не могу користити у исто време." + +#: src/cryptsetup.c:2764 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Опције „--reduce-device-size“ и „--data-size“ се не могу комбиновати." + +#: src/cryptsetup.c:2767 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Опција „--active-name“ се може поставити само за ЛУКС2 уређај." + +#: src/cryptsetup.c:2770 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Опције „--active-name“ и „--force-offline-reencrypt“ се не могу комбиновати." + +#: src/cryptsetup.c:2778 src/cryptsetup.c:2808 +msgid "Keyslot specification is required." +msgstr "Одредба утора кључа је потребна." + +#: src/cryptsetup.c:2786 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Опције „--align-payload“ и „--offset“ се не могу комбиновати." + #: src/cryptsetup.c:2789 -#, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Самооткривени активан дм уређај „%sд за уређај података „%s“.\n" +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "Опција „--integrity-no-wipe“ се може користити само за радњу форматирања са проширењем целовитости." -#: src/cryptsetup.c:2793 -#, c-format -msgid "Device %s is not a block device.\n" -msgstr "Уређај „%s“ није блок уређај.\n" +#: src/cryptsetup.c:2792 +msgid "Only one of --use-[u]random options is allowed." +msgstr "Дозвољена је само једна опција „--use-[u]random“." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Нисам успео да самооткријем држаче „%s“ уређаја." +#: src/cryptsetup.c:2800 +msgid "Key size is required with --unbound option." 
+msgstr "Величина кључа је потребна са опцијом „--unbound“." -#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Не могу да одлучим да ли је уређај „%s“ активиран или није.\n" -"Да ли сигурно желите да наставите са поновним шифровањем у режиму ван мреже?\n" -"То може довести до оштећења података ако је уређај заправо активиран.\n" -"Да покренете поновно шифровање у режиму на мрежи, користите параметар „--active-name“.\n" +#: src/cryptsetup.c:2819 +msgid "Invalid token action." +msgstr "Неисправна радња скупине." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Шифровање је подржано само за ЛУКС2 запис." +#: src/cryptsetup.c:2822 +msgid "--key-description parameter is mandatory for token add action." +msgstr "„--key-description“ параметар је обавезан за радњу додавања скупине." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Шифровање без откаченог заглавља (--header) није могуће без смањења величине уређаја података (--reduce-device-size)." +#: src/cryptsetup.c:2826 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Радња захтева нарочиту скупину. Користите параметар „--token-id“." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." -msgstr "Затражени померај података мора бити мањи или једнак половини параметра „--reduce-device-size“." 
- -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Подешавам „--reduce-device-size“ вредност на двоструко од „--offset“ %<PRIu64> (подеока).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Откривен је ЛУКС уређај на „%s“. Да ли желите опет да шифрујете тај ЛУКС уређај?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Привремена датотека заглавља „%s“ већ постоји. Прекидам." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Не могу да направим привремену датотеку заглавља „%s“." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "Величина ЛУКС2 метаподатака је већа од вредности помака података." - -#: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Нисам успео да ставим ново заглавље на главу уређаја „%s“." - -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "„%s/%s“ је сада активно и спремно за шифровање на мрежи.\n" - -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "ЛУКС2 дешифровање је подржано само са откаченим уређајем заглавља (са померајем података постављеним на 0)." - -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Нема довољно слободних утора кључева за поновно шифровање." - -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним активним утором кључа." 
- -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Унесите пропусну реч за утор кључа %d: " - -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Унесите пропусну реч за утор кључа %u: " - -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Пребацујем шифрера података на „%s“.\n" - -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Наредба захтева уређај као аргумент." - -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "Само је ЛУКС2 запис тренутно подржан. Користите алат „cryptsetup-reencrypt“ за ЛУКС1." - -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Старо ванмрежно поновно шифровање је већ у току. Користите помагало „cryptsetup-reencrypt“." - -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Поновно шифровање уређаја са профилом целовитости није подржано." - -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "ЛУКС2 поновно шифровање је већ покренуто. Прекидам радњу." - -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "ЛУКС2 уређај није у поновном шифровању." 
- -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:2840 msgid "<device> [--type <type>] [<name>]" msgstr "<уређај> [--type <врста>] [<назив>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:2840 src/veritysetup.c:487 src/integritysetup.c:535 msgid "open device as <name>" msgstr "отвара уређај као <назив>" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:2841 src/cryptsetup.c:2842 src/cryptsetup.c:2843 +#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<назив>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:2841 src/veritysetup.c:488 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "затвара уређај (уклања мапирање)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:2842 src/integritysetup.c:539 msgid "resize active device" msgstr "мења величину радног уређаја" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:2843 msgid "show device status" msgstr "показује стање уређаја" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:2844 msgid "[--cipher <cipher>]" msgstr "[--cipher <шифрер>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:2844 msgid "benchmark cipher" msgstr "шифрер оцењивања" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:2845 src/cryptsetup.c:2846 src/cryptsetup.c:2847 +#: src/cryptsetup.c:2848 src/cryptsetup.c:2849 src/cryptsetup.c:2856 +#: src/cryptsetup.c:2857 src/cryptsetup.c:2858 src/cryptsetup.c:2859 +#: 
src/cryptsetup.c:2860 src/cryptsetup.c:2861 src/cryptsetup.c:2862 +#: src/cryptsetup.c:2863 src/cryptsetup.c:2864 msgid "<device>" msgstr "<уређај>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:2845 msgid "try to repair on-disk metadata" msgstr "покушава да поправи метаподатке на-диску" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:2846 msgid "reencrypt LUKS2 device" msgstr "ЛУКС2 уређај поновног шифровања" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:2847 msgid "erase all keyslots (remove encryption key)" msgstr "брише све уторе кључева (уклања кључ шифровања)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:2848 msgid "convert LUKS from/to LUKS2 format" msgstr "претвара ЛУКС из/у ЛУКС2 запис" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:2849 msgid "set permanent configuration options for LUKS2" msgstr "поставља трајне опције подешавања за ЛУКС2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:2850 src/cryptsetup.c:2851 msgid "<device> [<new key file>]" msgstr "<уређај> [<нова датотека кључа>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:2850 msgid "formats a LUKS device" msgstr "форматира ЛУКС уређај" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:2851 msgid "add key to LUKS device" msgstr "додаје кључ у ЛУКС уређај" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:2852 src/cryptsetup.c:2853 src/cryptsetup.c:2854 msgid "<device> [<key file>]" msgstr "<уређај> [<датотека кључа>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:2852 msgid "removes supplied key or key file from LUKS device" msgstr "уклања достављени кључ или датотеку кључа из ЛУКС уређаја" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:2853 msgid "changes supplied key or key file of LUKS device" msgstr "мења достављени кључ или датотеку кључа ЛУКС уређаја" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:2854 msgid "converts a key to new pbkdf parameters" msgstr "претвара кључ у нове „pbkdf“ параметре" -#: src/cryptsetup.c:3513 +#: 
src/cryptsetup.c:2855 msgid "<device> <key slot>" msgstr "<уређај> <утор кључа>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:2855 msgid "wipes key with number <key slot> from LUKS device" msgstr "брише кључ са бројем <утор кључа> са ЛУКС уређаја" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:2856 msgid "print UUID of LUKS device" msgstr "исписује УЈИБ ЛУКС уређаја" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:2857 msgid "tests <device> for LUKS partition header" msgstr "испробава <уређај> за заглављем ЛУКС партиције" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:2858 msgid "dump LUKS partition information" msgstr "исписује податке ЛУКС партиције" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:2859 msgid "dump TCRYPT device information" msgstr "исписује податке ТКРИПТ уређаја" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:2860 msgid "dump BITLK device information" msgstr "исписује податке „BITLK“ уређаја" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:2861 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Обуставља ЛУКС уређај и брише кључ (сви УИ су замрзнути)" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:2862 msgid "Resume suspended LUKS device" msgstr "Наставља са обустављеним ЛУКС уређајем" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:2863 msgid "Backup LUKS device header and keyslots" msgstr "Прави резерву заглавља „LUKS“ уређаја и утора кључева" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:2864 msgid "Restore LUKS device header and keyslots" msgstr "Враћа заглавље „LUKS“ уређаја и уторе кључева" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:2865 msgid "<add|remove|import|export> <device>" msgstr "<додај|уклони|увези|извези> <уређај>" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:2865 msgid "Manipulate LUKS2 tokens" msgstr "Управља ЛУКС2 скупинама" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:2884 src/veritysetup.c:505 src/integritysetup.c:554 msgid "" "\n" "<action> is one 
of:\n" @@ -2407,7 +2503,7 @@ msgstr "" "\n" "<радња> је једна од следећих:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:2890 msgid "" "\n" "You can also use old <action> syntax aliases:\n" @@ -2419,7 +2515,7 @@ msgstr "" "\tотварање: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" "\tзатвори: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:2894 #, c-format msgid "" "\n" @@ -2434,7 +2530,7 @@ msgstr "" "<утор кључа> је број ЛУКС утора кључа за мењање\n" "<датотека кључа> изборна датотека кључа за нови кључ за радњу „luksAddKey“\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:2901 #, c-format msgid "" "\n" @@ -2443,7 +2539,7 @@ msgstr "" "\n" "Основни уграђени запис метаподатака је „%s“ (за „luksFormat“ радњу).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:2906 src/cryptsetup.c:2909 #, c-format msgid "" "\n" @@ -2452,20 +2548,20 @@ msgstr "" "\n" "Подршка прикључка спољне скупине за „LUKS2“ је „%s“.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:2906 msgid "compiled-in" msgstr "преведено" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:2907 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Путања прикључка спољне скупине за „LUKS2“: %s.\n" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:2909 msgid "disabled" msgstr "искључено" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:2913 #, c-format msgid "" "\n" @@ -2482,7 +2578,7 @@ msgstr "" "Основни „PBKDF“ за ЛУКС2: %s\n" "\tВреме понављања: %d, Захтевана меморија: %dkB, Паралелне нити: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:2924 #, c-format msgid "" "\n" 
@@ -2497,206 +2593,96 @@ msgstr "" "\tобично: %s, Кључ: %d бита, Хеширање лозинке: %s\n" "\tЛУКС: %s, Кључ: %d бита, Хеширање ЛУКС заглавља: %s, РНГ: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:2933 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tЛУКС: Основна величина кључа са „XTS“ режимом (два унутрашња кључа) биће удвостручена.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:2951 src/veritysetup.c:644 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: захтева „%s“ као аргумент" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:2997 src/utils_reencrypt_luks1.c:1194 msgid "Key slot is invalid." msgstr "Утор кључа није исправан." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3024 msgid "Device size must be multiple of 512 bytes sector." msgstr "Величина уређаја мора бити умножак одељка од 512 бајта." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3029 msgid "Invalid max reencryption hotzone size specification." msgstr "Неисправна одредба највеће величине вруће зоне поновног шифровања." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3043 src/cryptsetup.c:3055 msgid "Key size must be a multiple of 8 bits" msgstr "Величина кључа мора бити умножак од 8 бита" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3060 msgid "Maximum device reduce size is 1 GiB." msgstr "Највећа величина смањења уређаја је 1 GiB." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3063 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Величина смањивања мора бити умножак одељка од 512 бајта." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3080 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Опција „--priority“ може бити само „ignore/normal/prefer“." 
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3099 src/veritysetup.c:568 src/integritysetup.c:634 msgid "Show this help message" msgstr "Приказује ову поруку помоћи" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3100 src/veritysetup.c:569 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Прикажите кратку поруку о коришћењу" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3101 src/veritysetup.c:570 src/integritysetup.c:636 msgid "Print package version" msgstr "Исписује издање пакета" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3112 src/veritysetup.c:581 src/integritysetup.c:647 msgid "Help options:" msgstr "Опције помоћи:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3132 src/veritysetup.c:599 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[ОПЦИЈА...] <радња> <посебност-радње>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3141 src/veritysetup.c:608 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Недостаје аргумент <радња>." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3211 src/veritysetup.c:639 src/integritysetup.c:706 msgid "Unknown action." msgstr "Непозната радња." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Опције „--refresh“ и „--test-passphrase“ се узајамно искључују." - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." 
-msgstr "Опције „--cancel-deferred“ и „--deferred“ се не могу користити у исто време." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Опција „--shared“ је допуштена само за отварање обичног уређаја." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Опција „--persistent“ није допуштена са опцијом „--test-passphrase“." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Опција „--integrity-no-wipe“ се може користити само за радњу форматирања са проширењем целовитости." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Опција „--test-passphrase“ је допуштена само за отварање ЛУКС, „TCRYPT“ и „BITLK“ уређаја." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3229 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Опција „--key-file“ има првенство над наведеним аргументом датотеке кључа." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3235 msgid "Only one --key-file argument is allowed." msgstr "Дозвољен је само један аргумент „--key-file“." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Дозвољена је само једна опција „--use-[u]random“." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Опције „--align-payload“ и „--offset“ се не могу комбиновати." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "Опција „--skip“ је подржана само за отварање обичних и упетљаних уређаја." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." 
-msgstr "Опција „--offset“ са отвореном радњом је подржана само за обичне и упетљане уређаје." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Опција „--tcrypt-hidden“, „--tcrypt-system“ или „--tcrypt-backup“ је подржана само за ТКРИПТ уређај." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Опција „--tcrypt-hidden“ не може бити обједињена са „--allow-discards“." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Опција „--veracrypt“ или „--disable-veracrypt“ је подржана само за ТКРИПТ врсту уређаја." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Опција „--veracrypt-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Опција „--veracrypt-query-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Опције „--veracrypt-pim“ и „--veracrypt-query-pim“ се узајамно искључују." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Одредба утора кључа је потребна." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3240 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Функција произилажења кључа заснованог на пропусној речи (PBKDF) може бити само „pbkdf2“ или „argon2i/argon2id“." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3245 msgid "PBKDF forced iterations cannot be combined with iteration time option." 
msgstr "„PBKDF“ присиљена понављања се не могу комбиновати са опцијом времена понављања." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Опција величине одељка са отвореном радњом је подржана само за обичне уређаје." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Опција великих IV одељака је подржана само за отварање обичних уређаја са величином одељка већом од 512 бајта." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "Величина кључа је потребна са опцијом „--unbound“." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "ЛУКС2 дешифровање захтева опцију „--header“." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Опције „--reduce-device-size“ и „--data-size“ се не могу комбиновати." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Опције „--device-size“ и „--size“ се не могу комбиновати." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3256 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Опције „--keyslot-cipher“ и „--keyslot-key-size“ се морају користити заједно." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3264 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Није предузета никаква радња. Призвана опцијом „--test-args“.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "Неисправна радња скупине." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "„--key-description“ параметар је обавезан за радњу додавања скупине." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "Радња захтева нарочиту скупину. 
Користите параметар „--token-id“." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3277 msgid "Cannot disable metadata locking." msgstr "Не могу да искључим закључавање метаподатака." 
@@ -2724,67 +2710,72 @@ msgstr "Не могу да направим корену хеш датотеку msgid "Cannot write to root hash file %s." msgstr "Не могу да пишем у корену хеш датотеку „%s“." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:196 src/veritysetup.c:472 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "Уређај „%s“ није исправан „VERITY“ уређај." + +#: src/veritysetup.c:213 src/veritysetup.c:230 #, c-format msgid "Cannot read root hash file %s." msgstr "Не могу да читам корену хеш датотеку „%s“." -#: src/veritysetup.c:215 +#: src/veritysetup.c:218 #, c-format msgid "Invalid root hash file %s." msgstr "Неисправна корена хеш датотека „%s“." -#: src/veritysetup.c:236 +#: src/veritysetup.c:239 msgid "Invalid root hash string specified." msgstr "Наведена је неисправна ниска хеша корена." -#: src/veritysetup.c:244 +#: src/veritysetup.c:247 #, c-format msgid "Invalid signature file %s." msgstr "Неисправна датотека потписа „%s“." -#: src/veritysetup.c:251 +#: src/veritysetup.c:254 #, c-format msgid "Cannot read signature file %s." msgstr "Не могу да прочитам датотеку потписа „%s“." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:277 src/veritysetup.c:291 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "Наредба захтева „<root_hash>“ или „--root-hash-file“ опцију као аргумент." 
-#: src/veritysetup.c:478 +#: src/veritysetup.c:485 msgid "<data_device> <hash_device>" msgstr "<уређај_података> <уређај_хеша>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:485 src/integritysetup.c:534 msgid "format device" msgstr "форматира уређај" -#: src/veritysetup.c:479 +#: src/veritysetup.c:486 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<уређај_података> <уређај_хеша> [<хеш_корена>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:486 msgid "verify device" msgstr "проверава уређај" -#: src/veritysetup.c:480 +#: src/veritysetup.c:487 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<уређај_података> <назив> <уређај_хеша> [<хеш_корена>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:489 src/integritysetup.c:537 msgid "show active device status" msgstr "показује стање радног уређаја" -#: src/veritysetup.c:483 +#: src/veritysetup.c:490 msgid "<hash_device>" msgstr "<уређај_хеша>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:490 src/integritysetup.c:538 msgid "show on-disk information" msgstr "приказује податке на-диску" -#: src/veritysetup.c:502 +#: src/veritysetup.c:509 #, c-format msgid "" "\n" @@ -2799,7 +2790,7 @@ msgstr "" "<уређај_хеша> јесте уређај који садржи податке проверавања\n" "<хеш_корена> хеш кореног чвора на <уређају_хеша>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:516 #, c-format msgid "" "\n" 
@@ -2810,28 +2801,46 @@ msgstr "" "Основни преведени параметри дм-тачности:\n" "\tХеш: %s, Блок података (бајта): %u, Блок хеша (бајта): %u, Величина присолка: %u, Запис хеша: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:654 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Опције „--ignore-corruption“ и „--restart-on-corruption“ се не могу користити заједно." -#: src/veritysetup.c:651 +#: src/veritysetup.c:659 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Опције „--panic-on-corruption“ и „--restart-on-corruption“ се не могу користити заједно." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Ово ће неповратно преписати податке на „%s“ и „%s“.\n" +"Да задржите уређај података користите опцију „--no-wipe“ (а затим активирајте са „--integrity-recalculate“)." + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Форматирано ознаком величине %u, унутрашња целовитост „%s“.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "Постављање заставице поновног рачунањ није подржано, можете узети у обзир коришћење опције „--wipe“." + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "Уређај „%s“ није исправан „INTEGRITY“ уређај." 
+ +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<уређај_целовитости>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<уређај_целовитости> <назив>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2842,7 +2851,7 @@ msgstr "" "<назив> јесте уређај за стварање под „%s“\n" "<уређај_целовитости> јесте уређај који садржи податке са ознакама целовитости\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2855,241 +2864,44 @@ msgstr "" "\tАлгоритам провере суме: %s\n" " Највећа величина датотеке кључа: %dkB\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Неисправна величина „--%s“. Највећа је %u бајта." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Мора бити наведена и опција датотеке кључа и опција величине кључа." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Мора бити наведена и опција датотеке кључа целовитости журнала и опција величине кључа." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Алгоритам целовитости журнала мора бити наведен ако се користи кључ целовитости журнала." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Мора бити наведена и опција датотеке кључа шифровања журнала и опција величине кључа." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Алгоритам шифровања журнала мора бити наведен ако се користи кључ шифровања журнала." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Опције режима опоравка и битмапе се узајамно искључују." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "Опције журнала се не могу користити у режиму битмапе." -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "Опције битмапе се могу користити само у режиму битмапе." 
-#: src/cryptsetup_reencrypt.c:149
-msgid "Reencryption already in-progress."
-msgstr "Поновно шифровање је већ у току."
-
-#: src/cryptsetup_reencrypt.c:185
-#, c-format
-msgid "Cannot exclusively open %s, device in use."
-msgstr "Не могу изричито да отворим „%s“, уређај је у употреби."
-
-#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120
-msgid "Allocation of aligned memory failed."
-msgstr "Додела поређане меморије није успела."
-
-#: src/cryptsetup_reencrypt.c:206
-#, c-format
-msgid "Cannot read device %s."
-msgstr "Не могу да читам уређај „%s“."
-
-#: src/cryptsetup_reencrypt.c:217
-#, c-format
-msgid "Marking LUKS1 device %s unusable."
-msgstr "Означавам ЛУКС1 уређај „%s“ неупотребљивим."
-
-#: src/cryptsetup_reencrypt.c:221
-#, c-format
-msgid "Setting LUKS2 offline reencrypt flag on device %s."
-msgstr "Постављам заставицу ЛУКС2 ванмрежног поновног шифровања на уређају „%s“."
-
-#: src/cryptsetup_reencrypt.c:238
-#, c-format
-msgid "Cannot write device %s."
-msgstr "Не могу да пишем на уређају „%s“."
-
-#: src/cryptsetup_reencrypt.c:286
-msgid "Cannot write reencryption log file."
-msgstr "Не могу да запишем датотеку дневника поновног шифровања."
-
-#: src/cryptsetup_reencrypt.c:342
-msgid "Cannot read reencryption log file."
-msgstr "Не могу да прочитам датотеку дневника поновног шифровања."
-
-#: src/cryptsetup_reencrypt.c:353
-msgid "Wrong log format."
-msgstr "Погрешан формат дневника."
-
-#: src/cryptsetup_reencrypt.c:380
-#, c-format
-msgid "Log file %s exists, resuming reencryption.\n"
-msgstr "Датотека дневника „%s“ постоји, настављам поновно шифровање.\n"
-
-#: src/cryptsetup_reencrypt.c:429
-msgid "Activating temporary device using old LUKS header."
-msgstr "Покрећем привремени уређај користећи старо ЛУКС заглавље."
-
-#: src/cryptsetup_reencrypt.c:439
-msgid "Activating temporary device using new LUKS header."
-msgstr "Покрећем привремени уређај користећи ново ЛУКС заглавље."
-
-#: src/cryptsetup_reencrypt.c:449
-msgid "Activation of temporary devices failed."
-msgstr "Покретање привременог уређаја није успело."
-
-#: src/cryptsetup_reencrypt.c:536
-msgid "Failed to set data offset."
-msgstr "Нисам успео да поставим померај података."
-
-#: src/cryptsetup_reencrypt.c:542
-msgid "Failed to set metadata size."
-msgstr "Нисам успео да поставим величину метаподатака."
-
-#: src/cryptsetup_reencrypt.c:550
-#, c-format
-msgid "New LUKS header for device %s created."
-msgstr "Направљено је ново ЛУКС заглавље за уређај „%s“."
-
-#: src/cryptsetup_reencrypt.c:610
-#, c-format
-msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
-msgstr "Ово издање „cryptsetup-reencrypt“ не може да ради са новом унутрашњом врстом скупине „%s“."
-
-#: src/cryptsetup_reencrypt.c:632
-msgid "Failed to read activation flags from backup header."
-msgstr "Нисам успео да прочитам заставице активирања из заглавља резерве."
-
-#: src/cryptsetup_reencrypt.c:636
-msgid "Failed to write activation flags to new header."
-msgstr "Нисам успео да упишем заставице активирања у ново заглавље."
-
-#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644
-msgid "Failed to read requirements from backup header."
-msgstr "Нисам успео да прочитам потрепштине из заглавља резерве."
-
-#: src/cryptsetup_reencrypt.c:682
-#, c-format
-msgid "%s header backup of device %s created."
-msgstr "Направљена је резерва „%s“ заглавља за уређај „%s“."
-
-#: src/cryptsetup_reencrypt.c:745
-msgid "Creation of LUKS backup headers failed."
-msgstr "Није успело прављење резерве ЛУКС заглавља."
-
-#: src/cryptsetup_reencrypt.c:878
-#, c-format
-msgid "Cannot restore %s header on device %s."
-msgstr "Не могу да повратим „%s“ заглавље на уређају „%s“."
-
-#: src/cryptsetup_reencrypt.c:880
-#, c-format
-msgid "%s header on device %s restored."
-msgstr "Повраћено је „%s“ заглавље на уређају „%s“."
-
-#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098
-msgid "Cannot open temporary LUKS device."
-msgstr "Не могу да отворим привремени ЛУКС уређај."
-
-#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108
-msgid "Cannot get device size."
-msgstr "Не могу да добавим величину уређаја."
-
-#: src/cryptsetup_reencrypt.c:1143
-msgid "IO error during reencryption."
-msgstr "УИ грешка за време поновног шифровања."
-
-#: src/cryptsetup_reencrypt.c:1174
-msgid "Provided UUID is invalid."
-msgstr "Достављени УУИД није исправан."
-
-#: src/cryptsetup_reencrypt.c:1408
-msgid "Cannot open reencryption log file."
-msgstr "Не могу да отворим датотеку дневника поновног шифровања."
-
-#: src/cryptsetup_reencrypt.c:1414
-msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
-msgstr "Нема описа у напретку, достављени УУИД се може користити само за настављање заустављеног процеса дешифровања."
-
-#: src/cryptsetup_reencrypt.c:1489
-#, c-format
-msgid "Changed pbkdf parameters in keyslot %i."
-msgstr "Измењени су „pbkdf“ параметри у утору кључа %i."
-
-#: src/cryptsetup_reencrypt.c:1614
-msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
-msgstr "Само вредности између 1 MiB и 64 MiB су допуштене завеличину блока поновног шифровања."
-
-#: src/cryptsetup_reencrypt.c:1628
-msgid "Maximum device reduce size is 64 MiB."
-msgstr "Највећа величина смањења уређаја је 64 MiB."
-
-#: src/cryptsetup_reencrypt.c:1669
-msgid "[OPTION...] <device>"
-msgstr "[ОПЦИЈА...] <уређај>"
-
-#: src/cryptsetup_reencrypt.c:1677
-#, c-format
-msgid "Reencryption will change: %s%s%s%s%s%s."
-msgstr "Поновно шифровање ће изменити: %s%s%s%s%s%s."
- -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "кључ волумена" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "поставља хеш на " - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", поставља шифрера на " - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Потребан је аргумент." - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "Опција „--new“ се мора користити са „--reduce-device-size“ или „--header“." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "Опција „--keep-key“ може да се користи само са „--hash“, „--iter-time“ или „--pbkdf-force-iterations“." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "Опција „--new“ не може да се користи са „--decrypt“." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "Опција „--decrypt“ није сагласна са наведеним параметрима." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "Опција „--uuid“ је дозвољена само заједно са „--decrypt“." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Неисправна лукс врста. Користите: „luks“, „luks1“ или „luks2“." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3100,7 +2912,7 @@ msgstr "" "========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3111,147 +2923,173 @@ msgstr "" "\n" "Да ли сте сигурни? (Упишите „yes“ великим словима): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Грешка читања одговора из терминала." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Наредба је успела." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "погрешни или недостајући параметри" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "нема овлашћења или је лоша пропусна реч" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "нема више меморије" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "наведен је погрешан уређај или датотека" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "уређај већ постоји или је заузет" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "непозната грешка" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "Наредба није успела са кодом %i (%s)." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Утор кључа „%i“ је направљен." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Утор кључа „%i“ је откључан." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Утор кључа „%i“ је уклоњен." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Скупина „%i“ је направљена." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Скупина „%i“ је уклоњена." 
-#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "Ниједна скупина неће бити откључана овим ПИН-ом." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Скупина „%i“ захтева ПИН." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Скупина (врста „%s“) захтева ПИН." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Скупина „%i“ не може да откључа додељени утор кључа (погрешна лозинка)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Скупина (врста „%s“) не може да откључа додељени утор кључа (погрешна лозинка)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Скупина „%i“ захтева додтни ресурс који недостаје." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Скупина (врста „%s“) захтева додтни ресурс који недостаје." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Нема доступне употребљиве скупине (врста „%s“)." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Нема доступне употребљиве скупине." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Брисање је прекинуто." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Поновно шифровање је прекинуто." - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "Не могу да прочитам датотеку кључа „%s“." 
-#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Не могу да прочитам %d бајта из датотеке кључа „%s“." -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Не могу да отворим датотеку кључа „%s“ за упис." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Не могу да пишем у датотеку кључа „%s“." +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> дана" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "%4<PRIu64> „%s“ је записано" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "брзина %5.1f %s/s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Напредовање: %5.1f%%, ETA %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Завршено, време %s, %s, %s\n" + #: src/utils_password.c:41 src/utils_password.c:74 #, c-format msgid "Cannot check password quality: %s" 
@@ -3271,54 +3109,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Провера квалитета лозинке није успела: Лоша шифра (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Грешка читања пропусне речи из терминала." -#: src/utils_password.c:236 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Провери пропусну реч: " -#: src/utils_password.c:243 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Пропусне речи се не подударају." -#: src/utils_password.c:280 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Не могу да користим померај са улазом терминала." -#: src/utils_password.c:283 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Унесите пропусну реч: " -#: src/utils_password.c:286 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Унесите пропусну реч за „%s“: " -#: src/utils_password.c:317 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Нема доступног кључа са овом пропусном речју." -#: src/utils_password.c:319 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Нема доступног употребљивог утора кључа." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Не могу да одрадим проверу пропусне речи на не-конзолним улазима." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Нисам успео да отворим датотеку „%s“ у режиму само за читање." -#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Обезбеђује исправан „JSON“ ЛУКС2 скупине:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "Нисам успео да прочитам „JSON“ датотеку." 
-#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3326,12 +3168,12 @@ msgstr "" "\n" "Читање је прекинуто." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Нисам успео да отворим датотеку „%s“ у режиму писања." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3339,54 +3181,409 @@ msgstr "" "\n" "Писање је прекинуто." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Нисам успео да упишем „JSON“ датотеку." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Самооткривени активан дм уређај „%sд за уређај података „%s“.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Нисам успео да самооткријем држаче „%s“ уређаја." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Уређај „%s“ није блок уређај.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Не могу да одлучим да ли је уређај „%s“ активиран или није.\n" +"Да ли сигурно желите да наставите са поновним шифровањем у режиму ван мреже?\n" +"То може довести до оштећења података ако је уређај заправо активиран.\n" +"Да покренете поновно шифровање у режиму на мрежи, користите параметар „--active-name“.\n" + +#: src/utils_reencrypt.c:175 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--encrypt“." + +#: src/utils_reencrypt.c:180 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--decrypt“." + +#: src/utils_reencrypt.c:187 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Уређај је у поновном шифровању користећи гипкост помака података. Захтевана опција „--resilience“ се не може применити." 
+ +#: src/utils_reencrypt.c:193 src/utils_reencrypt.c:199 +#: src/utils_reencrypt.c:205 src/utils_reencrypt.c:681 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Захтевана опција „--resilience“ се не може применити на текућој радњи поновног шифровања." + +#: src/utils_reencrypt.c:258 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Уређај захтева опоравак поновног шифровања. Прво покрените поправку." + +#: src/utils_reencrypt.c:268 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Да ли желите да наставите са претходно започетом радњом?" + +#: src/utils_reencrypt.c:314 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Старо ЛУКС2 поновно шифровања више није подржано." + +#: src/utils_reencrypt.c:379 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Поновно шифровање уређаја са профилом целовитости није подржано." + +#: src/utils_reencrypt.c:410 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" +"Захтевано „--sector-size“ %<PRIu32> је несагласно са „%s“ суперблоком\n" +"(величина блока: %<PRIu32> бајта) је откривено на уређају „%s“." + +#: src/utils_reencrypt.c:455 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Шифровање без откаченог заглавља (--header) није могуће без смањења величине уређаја података (--reduce-device-size)." + +#: src/utils_reencrypt.c:461 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Затражени померај података мора бити мањи или једнак половини параметра „--reduce-device-size“." 
+ +#: src/utils_reencrypt.c:471 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Подешавам „--reduce-device-size“ вредност на двоструко од „--offset“ %<PRIu64> (подеока).\n" + +#: src/utils_reencrypt.c:501 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Привремена датотека заглавља „%s“ већ постоји. Прекидам." + +#: src/utils_reencrypt.c:503 src/utils_reencrypt.c:510 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Не могу да направим привремену датотеку заглавља „%s“." + +#: src/utils_reencrypt.c:535 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "Величина ЛУКС2 метаподатака је већа од вредности помака података." + +#: src/utils_reencrypt.c:572 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Нисам успео да ставим ново заглавље на главу уређаја „%s“." + +#: src/utils_reencrypt.c:582 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "„%s/%s“ је сада активно и спремно за шифровање на мрежи.\n" + +#: src/utils_reencrypt.c:618 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Радни уређај „%s“ није ЛУКС2." + +#: src/utils_reencrypt.c:646 +msgid "Restoring original LUKS2 header." +msgstr "Враћам изворно ЛУКС2 заглавље." + +#: src/utils_reencrypt.c:654 +msgid "Original LUKS2 header restore failed." +msgstr "Враћање изворног ЛУКС2 заглавља није успело." + +#: src/utils_reencrypt.c:722 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Нисам успео да додам дозволе за читање/писање у извезену датотеку заглавља." + +#: src/utils_reencrypt.c:775 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Покретање поновног шифровања није успело. Резерва заглавља је доступна у „%s“." 
+ +#: src/utils_reencrypt.c:803 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "ЛУКС2 дешифровање је подржано само са откаченим уређајем заглавља (са померајем података постављеним на 0)." + +#: src/utils_reencrypt.c:934 src/utils_reencrypt.c:943 +msgid "Not enough free keyslots for reencryption." +msgstr "Нема довољно слободних утора кључева за поновно шифровање." + +#: src/utils_reencrypt.c:964 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним активним утором кључа." + +#: src/utils_reencrypt.c:973 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Унесите пропусну реч за утор кључа %d: " + +#: src/utils_reencrypt.c:985 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Унесите пропусну реч за утор кључа %u: " + +#: src/utils_reencrypt.c:1037 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Пребацујем шифрера података на „%s“.\n" + +#: src/utils_reencrypt.c:1091 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Никакви параметри подеока података нису измењени. Поновно шифровање је прекинуто." + +#: src/utils_reencrypt.c:1187 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Повећање величине одељка шифровања на не прикљученом уређају није подржано.\n" +"Прво покрените уређај или користите опцију „--force-offline-reencrypt“ (опасно, вруће!!)." + +#: src/utils_reencrypt.c:1227 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Поновно шифровање је прекинуто." 
+ +#: src/utils_reencrypt.c:1232 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Настављам са ЛУКС2 поновним шифровањем у насилном ванмрежном режиму.\n" + +#: src/utils_reencrypt.c:1249 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Уређај „%s“ садржи оштећене ЛУКС2 метаподатке. Прекидам радњу." + +#: src/utils_reencrypt.c:1265 src/utils_reencrypt.c:1287 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "Уређај „%s“ већ јесте ЛУКС уређај. Прекидам радњу." + +#: src/utils_reencrypt.c:1293 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Прекидам радњу." + +#: src/utils_reencrypt.c:1366 +msgid "LUKS2 decryption requires --header option." +msgstr "ЛУКС2 дешифровање захтева опцију „--header“." + +#: src/utils_reencrypt.c:1414 +msgid "Command requires device as argument." +msgstr "Наредба захтева уређај као аргумент." + +#: src/utils_reencrypt.c:1427 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС1." + +#: src/utils_reencrypt.c:1433 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС1 поновном шифровању." + +#: src/utils_reencrypt.c:1439 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС2." + +#: src/utils_reencrypt.c:1445 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС2 поновном шифровању." + +#: src/utils_reencrypt.c:1451 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "ЛУКС2 поновно шифровање је већ покренуто. Прекидам радњу." + +#: src/utils_reencrypt.c:1458 +msgid "Device reencryption not in progress." +msgstr "Поновно шифровање уређаја није у току." 
+ +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Не могу изричито да отворим „%s“, уређај је у употреби." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "Додела поређане меморије није успела." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Не могу да читам уређај „%s“." + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "Означавам ЛУКС1 уређај „%s“ неупотребљивим." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Не могу да пишем на уређају „%s“." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Не могу да запишем датотеку дневника поновног шифровања." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Не могу да прочитам датотеку дневника поновног шифровања." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Погрешан формат дневника." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Датотека дневника „%s“ постоји, настављам поновно шифровање.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Покрећем привремени уређај користећи старо ЛУКС заглавље." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Покрећем привремени уређај користећи ново ЛУКС заглавље." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Покретање привременог уређаја није успело." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Нисам успео да поставим померај података." 
+ +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Нисам успео да поставим величину метаподатака." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Направљено је ново ЛУКС заглавље за уређај „%s“." + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Направљена је резерва „%s“ заглавља за уређај „%s“." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Није успело прављење резерве ЛУКС заглавља." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Не могу да повратим „%s“ заглавље на уређају „%s“." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Повраћено је „%s“ заглавље на уређају „%s“." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Не могу да отворим привремени ЛУКС уређај." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Не могу да добавим величину уређаја." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "УИ грешка за време поновног шифровања." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Достављени УУИД није исправан." + +#: src/utils_reencrypt_luks1.c:1220 +msgid "Cannot open reencryption log file." +msgstr "Не могу да отворим датотеку дневника поновног шифровања." + +#: src/utils_reencrypt_luks1.c:1226 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Нема описа у напретку, достављени УУИД се може користити само за настављање заустављеног процеса дешифровања." + +#: src/utils_reencrypt_luks1.c:1280 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." 
+msgstr "Поновно шифровање ће изменити: %s%s%s%s%s%s." + +#: src/utils_reencrypt_luks1.c:1281 +msgid "volume key" +msgstr "кључ волумена" + +#: src/utils_reencrypt_luks1.c:1283 +msgid "set hash to " +msgstr "поставља хеш на " + +#: src/utils_reencrypt_luks1.c:1284 +msgid ", set cipher to " +msgstr ", поставља шифрера на " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "УПОЗОРЕЊЕ: Уређај „%s“ већ садржи „%s“ потпис партиције.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "УПОЗОРЕЊЕ: Уређај „%s“ већ садржи „%s“ потпис суперблока.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Нисам успео да покренем пробе потписа уређаја." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Нисам успео да добавим податке уређаја „%s“." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Уређај „%s“ је у употреби. Не могу да наставим са радњом форматирања." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Нисам успео да отворим датотеку „%s“ у режиму читања/писања." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Постојећи потпис „%s“ партиције на уређају „%s“ биће обрисан." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Постојећи потпис „%s“ суперблока на уређају „%s“ биће обрисан." 
-#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Нисам успео да обришем потпис уређаја." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Нисам успео да испробам уређај „%s“ за потписом." @@ -3396,16 +3593,16 @@ msgstr "Нисам успео да испробам уређај „%s“ за msgid "Invalid size specification in parameter --%s." msgstr "Неисправна одредба величине у параметру „--%s“." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Опција „--%s“ није дозвољена са радњом „%s“." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Нисам успео да запишем „json“ скупине безбедне шкољке." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3421,110 +3618,110 @@ msgstr "" "\n" "Напомена: Информација достављена приликом додавања скупине (адреса сервера безбедне шкољке, корисник и путање) биће смештена у ЛУКС2 заглављу у обичном тексту." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<радња> <уређај>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Опције за радњу „add“ (додај):" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "ИП адреса/УРЛ удаљеног сервера за ову скупину" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Корисничко име коришћено за удаљени сервер" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Путања до датотеке кључа на удаљеном серверу" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Путања до кључа безбедне шкољке за повезивање на удаљени сервер" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Утор кључа коме се додељује скупина. Ако није наведено, скупина ће бити додељена првом утору кључа који поклопи достављену лозинку." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Опште опције:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Приказује опширније поруке о грешкама" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Приказује поруке прочишћавања" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Приказује поруке прочишћавања укључујући „JSON“ метаподатке" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Нисам успео да отворим и увезем приватни кључ:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Нисам успео да увезем приватни кључ (заштићен лозинком?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "„%s@%s“ лозинка: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Нисам успео да обрадим аргументе.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Мора бити наведена радња\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Уређај мора бити наведен за радњу „%s“.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Сервер безбедне шкољке мора бити наведен за радњу „%s“.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Корисник безбедне шкољке мора бити наведен за радњу „%s“.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Путања безбедне шкољке мора бити наведена за радњу „%s“.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Путања кључа безбедне шкољке мора бити наведена за радњу „%s“.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Нисам успео да отворим „%s“ користећи достављена уверења.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Само радња „add“ (додај) је тренутно подржана овим прикључком.\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 
+#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "Не могу да направим сфтп сесију: " @@ -3532,6 +3729,10 @@ msgstr "Не могу да направим сфтп сесију: " msgid "Cannot init sftp session: " msgstr "Не могу да покренем сфтп сесију: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Не могу да отворим сфтп сесију: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Не могу да добавим податке сфтп датотеке: " 
@@ -3560,6 +3761,81 @@ msgstr "Метода потврђивања идентитета јавног к msgid "Public key authentication error: " msgstr "Грешка потврђивања идентитета јавног кључа: " +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Нисам успео да прочитам „BITLK“ потпис из „%s“." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Неисправан или непознат потпис за „BITLK“ уређај." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Нисам успео да очистим податке подеока резерве." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Нисам успео да искључим заставицу захтева поновног шифровања." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Шифровање је подржано само за ЛУКС2 запис." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Откривен је ЛУКС уређај на „%s“. Да ли желите опет да шифрујете тај ЛУКС уређај?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Само је ЛУКС2 запис тренутно подржан. Користите алат „cryptsetup-reencrypt“ за ЛУКС1." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Старо ванмрежно поновно шифровање је већ у току. Користите помагало „cryptsetup-reencrypt“." + +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "ЛУКС2 уређај није у поновном шифровању." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Постављам заставицу ЛУКС2 ванмрежног поновног шифровања на уређају „%s“." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Ово издање „cryptsetup-reencrypt“ не може да ради са новом унутрашњом врстом скупине „%s“." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Нисам успео да прочитам заставице активирања из заглавља резерве." 
+ +#~ msgid "Failed to read requirements from backup header." +#~ msgstr "Нисам успео да прочитам потрепштине из заглавља резерве." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Измењени су „pbkdf“ параметри у утору кључа %i." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Само вредности између 1 MiB и 64 MiB су допуштене завеличину блока поновног шифровања." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Највећа величина смањења уређаја је 64 MiB." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[ОПЦИЈА...] <уређај>" + +#~ msgid "Argument required." +#~ msgstr "Потребан је аргумент." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Опција „--new“ се мора користити са „--reduce-device-size“ или „--header“." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Опција „--keep-key“ може да се користи само са „--hash“, „--iter-time“ или „--pbkdf-force-iterations“." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Опција „--new“ не може да се користи са „--decrypt“." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "Опција „--decrypt“ није сагласна са наведеним параметрима." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Опција „--uuid“ је дозвољена само заједно са „--decrypt“." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Неисправна лукс врста. Користите: „luks“, „luks1“ или „luks2“." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Уређај „%s“ је у употреби. Не могу да наставим са радњом форматирања." + #~ msgid "No free token slot." #~ msgstr "Нема слободног утора скупине." diff --git a/po/sv.po b/po/sv.po index a290f2a..69eb18e 100644 --- a/po/sv.po +++ b/po/sv.po 
@@ -1,15 +1,15 @@
 # Swedish translation for cryptsetup.
-# Copyright © 2021 Free Software Foundation, Inc.
+# Copyright © 2022 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Daniel Nylander <po@danielnylander.se>, 2009.
-# Josef Andersson <l10nl18nsweja@gmail.com>, 2016-2021.
 #
+# Daniel Nylander <po@danielnylander.se>, 2009.
+# Josef Andersson <l10nl18nsweja@gmail.com>, 2016-2022.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.4.2-rc0\n"
-"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2021-11-11 19:08+0100\n"
-"PO-Revision-Date: 2021-12-12 08:46+0100\n"
+"Project-Id-Version: cryptsetup 2.5.0-rc1\n"
+"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
+"POT-Creation-Date: 2022-07-14 14:04+0200\n"
+"PO-Revision-Date: 2022-11-11 12:23+0100\n"
 "Last-Translator: Josef Andersson <l10nl18nsweja@gmail.com>\n"
 "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
 "Language: sv\n"
@@ -17,70 +17,70 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -"X-Generator: Poedit 3.0\n" +"X-Generator: Lokalize 22.08.3\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:417 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Det går inte att initiera device-mapper, kör som icke-root-användare." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:420 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Det går inte att initiera device-mapper. Är kärnmodulen dm_mod inläst?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1171 msgid "Requested deferred flag is not supported." msgstr "Begärd flagga deferred stöds inte." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1240 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID för enheten %s förkortades." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1570 msgid "Unknown dm target type." msgstr "Okänd måltyp dm." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1694 lib/libdevmapper.c:1699 lib/libdevmapper.c:1763 +#: lib/libdevmapper.c:1766 msgid "Requested dm-crypt performance options are not supported." msgstr "Begärd flagga för dm-crypt-prestanda stöds inte." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1706 lib/libdevmapper.c:1710 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Begärd flagga för dm-verity-dataintegritet stöds inte." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1714 msgid "Requested dm-verity FEC options are not supported." msgstr "Begärd flagga dm-verity FEC stöds inte." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1718 msgid "Requested data integrity options are not supported." 
msgstr "Begärd flagga för dataintegritet stöds inte." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1720 msgid "Requested sector_size option is not supported." msgstr "Begärd flagga sector_size stöds inte." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1729 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Begärd automatisk beräkning av integritetstaggar stöds inte." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1733 lib/libdevmapper.c:1769 lib/libdevmapper.c:1772 +#: lib/luks2/luks2_json_metadata.c:2552 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM stöds inte." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1737 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Begärt dm-integrity bitmap-läge stöds inte." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2763 #, c-format msgid "Failed to query dm-%s segment." msgstr "Misslyckades med att läsa dm-%s-segment." -#: lib/random.c:75 +#: lib/random.c:74 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
@@ -88,24 +88,24 @@ msgstr "" "Systemet fick slut på entropi under generering av volymnyckeln.\n" "Rör på musen eller skriv in text i ett annat fönster för att samla in slumpmässiga händelser.\n" -#: lib/random.c:79 +#: lib/random.c:78 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Genererar nyckel (%d%% done).\n" -#: lib/random.c:165 +#: lib/random.c:164 msgid "Running in FIPS mode." msgstr "Kör i FIPS-läge." -#: lib/random.c:171 +#: lib/random.c:170 msgid "Fatal error during RNG initialisation." msgstr "Ödesdigert fel under RNG-initiering." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Okänd RNG-kvalitet begärd." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Fel vid läsning från RNG." @@ -117,7 +117,7 @@ msgstr "Det går inte att initiera RNG-krypteringsbakände." msgid "Cannot initialize crypto backend." msgstr "Det går inte att initiera krypteringsbakände." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:263 lib/setup.c:2080 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Hashalgoritmen %s stöds inte." @@ -131,7 +131,7 @@ msgstr "Fel vid nyckelbearbetning (använder hash %s)." msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Det går inte att avgöra enhetstyp. Inkompatibel aktivering av enhet?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:338 lib/setup.c:3221 msgid "This operation is supported only for LUKS device." msgstr "Denna åtgärd stöds endast av LUKS-enheter." @@ -139,7 +139,7 @@ msgstr "Denna åtgärd stöds endast av LUKS-enheter." msgid "This operation is supported only for LUKS2 device." msgstr "Denna åtgärd stöds endast av LUKS2-enheter." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2985 msgid "All key slots full." msgstr "Alla nyckelplatser är upptagna." 
@@ -153,7 +153,7 @@ msgstr "Nyckelplats %d är ogiltig. Välj mellan 0 och %d." msgid "Key slot %d is full, please select another one." msgstr "Nyckelplats %d är full. Välj en annan." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:522 lib/setup.c:2946 msgid "Device size is not aligned to device logical block size." msgstr "Storlek på enhet är inte justerad till enhetens logiska blockstorlek." @@ -162,7 +162,8 @@ msgstr "Storlek på enhet är inte justerad till enhetens logiska blockstorlek." msgid "Header detected but device %s is too small." msgstr "Huvud identifierat men enheten %s är för liten." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:661 lib/setup.c:2851 lib/setup.c:4335 +#: lib/luks2/luks2_reencrypt.c:3757 lib/luks2/luks2_reencrypt.c:4159 msgid "This operation is not supported for this device type." msgstr "Denna åtgärd stöds inte för denna enhetstyp." 
@@ -170,396 +171,416 @@ msgstr "Denna åtgärd stöds inte för denna enhetstyp." msgid "Illegal operation with reencryption in-progress." msgstr "Ogiltig åtgärd under pågående omkryptering." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:833 lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 +#: lib/luks2/luks2_json_metadata.c:1267 src/cryptsetup.c:1449 +#: src/cryptsetup.c:1581 src/cryptsetup.c:1636 src/cryptsetup.c:1756 +#: src/cryptsetup.c:1861 src/cryptsetup.c:2142 src/cryptsetup.c:2380 +#: src/cryptsetup.c:2440 src/utils_reencrypt.c:1378 +#: src/utils_reencrypt_luks1.c:1188 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Enheten %s är inte en giltig LUKS-enhet." + +#: lib/setup.c:836 lib/luks1/keymanage.c:527 #, c-format msgid "Unsupported LUKS version %d." msgstr "LUKS-versionen %d stöds inte." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1431 lib/setup.c:2602 lib/setup.c:2682 lib/setup.c:2694 +#: lib/setup.c:2859 lib/setup.c:4807 #, c-format msgid "Device %s is not active." msgstr "Enheten %s är inte aktiv." -#: lib/setup.c:1447 +#: lib/setup.c:1448 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Underliggande enhet för krypteringsenhet %s försvann." -#: lib/setup.c:1527 +#: lib/setup.c:1528 msgid "Invalid plain crypt parameters." msgstr "Ogiltiga parametrar för plain-kryptering." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1533 lib/setup.c:1983 msgid "Invalid key size." msgstr "Ogiltig nyckelstorlek." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1538 lib/setup.c:1988 lib/setup.c:2191 msgid "UUID is not supported for this crypt type." msgstr "UUID stöds inte för denna krypteringstyp." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1543 lib/setup.c:1993 msgid "Detached metadata device is not supported for this crypt type." 
msgstr "Frånkopplad metadataenhet stöds ej av denna crypt-typ." -#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1553 lib/setup.c:1765 lib/luks2/luks2_reencrypt.c:2941 +#: src/cryptsetup.c:1250 src/cryptsetup.c:3072 msgid "Unsupported encryption sector size." msgstr "Stöder inte sektorstorleken för kryptering." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1561 lib/setup.c:1896 lib/setup.c:2940 msgid "Device size is not aligned to requested sector size." msgstr "Storlek på enhet är inte justerad till begärd sektorstorlek." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1613 lib/setup.c:1733 msgid "Can't format LUKS without device." msgstr "Det går inte att formatera LUKS utan enhet." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1619 lib/setup.c:1739 msgid "Requested data alignment is not compatible with data offset." msgstr "Begärd datajustering är inte kompatibel med dataoffset." -#: lib/setup.c:1686 lib/setup.c:1882 +#: lib/setup.c:1687 lib/setup.c:1883 msgid "WARNING: Data offset is outside of currently available data device.\n" msgstr "VARNING: Dataoffset ligger utanför aktuell dataenhet.\n" -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1697 lib/setup.c:1913 lib/setup.c:1934 lib/setup.c:2203 #, c-format msgid "Cannot wipe header on device %s." msgstr "Det går inte att rensa huvudet på enheten %s." -#: lib/setup.c:1763 +#: lib/setup.c:1774 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "VARNING: Enhetsaktiveringen kommer att misslyckas, dm-crypt saknar stöd för begärd krypteringsektorstorlek.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1797 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Volymnyckeln är för liten för kryptering med integritetstillägg." 
-#: lib/setup.c:1856 +#: lib/setup.c:1857 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Chiffret %s-%s (nyckelstorlek %zd bitar) är inte tillgängligt." -#: lib/setup.c:1885 +#: lib/setup.c:1886 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "VARNING: storlek på LUKS2-metadata ändrades till %<PRIu64> byte.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1890 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "VARNING: storlek på LUKS2-nyckelplatsområde ändrades till %<PRIu64> byte.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1916 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3009 lib/luks2/luks2_reencrypt.c:4254 #, c-format msgid "Device %s is too small." msgstr "Enheten %s är för liten." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1927 lib/setup.c:1953 #, c-format msgid "Cannot format device %s in use." msgstr "Det går inte att formatera enheten %s då den används." -#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1930 lib/setup.c:1956 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Det går inte att formatera enheten %s, behörighet nekad." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:1942 lib/setup.c:2263 #, c-format msgid "Cannot format integrity for device %s." msgstr "Det går inte att formatera integritet för enheten %s." -#: lib/setup.c:1959 +#: lib/setup.c:1960 #, c-format msgid "Cannot format device %s." msgstr "Det går inte att formatera enheten %s." -#: lib/setup.c:1977 +#: lib/setup.c:1978 msgid "Can't format LOOPAES without device." msgstr "Kan inte formatera LOOPAES utan enhet." -#: lib/setup.c:2022 +#: lib/setup.c:2023 msgid "Can't format VERITY without device." msgstr "Det går inte att formatera VERITY utan enhet." 
-#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2034 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "VERITY-hashtyp %d stöds inte." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2040 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "VERITY-blockstorlek som inte stöds." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2045 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "VERITY-hashoffset som inte stöds." -#: lib/setup.c:2049 +#: lib/setup.c:2050 msgid "Unsupported VERITY FEC offset." msgstr "VERITY-FEC-offset som inte stöds." -#: lib/setup.c:2073 +#: lib/setup.c:2074 msgid "Data area overlaps with hash area." msgstr "Dataområde spiller över på hashområdet." -#: lib/setup.c:2098 +#: lib/setup.c:2099 msgid "Hash area overlaps with FEC area." msgstr "Hashområde spiller över på FEC-mrådet." -#: lib/setup.c:2105 +#: lib/setup.c:2106 msgid "Data area overlaps with FEC area." msgstr "Dataområde spiller över på FEC-mrådet." -#: lib/setup.c:2241 +#: lib/setup.c:2242 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "VARNING: Begärd taggstorlek på %d byte skiljer sig från %s utdatastorlek (%d byte).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2321 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Okänd typ av krypteringsenhet %s begärd." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2608 lib/setup.c:2687 lib/setup.c:2700 #, c-format msgid "Unsupported parameters on device %s." msgstr "Parametrar som inte stöds på enheten %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2614 lib/setup.c:2707 lib/luks2/luks2_reencrypt.c:2837 +#: lib/luks2/luks2_reencrypt.c:3074 lib/luks2/luks2_reencrypt.c:3459 #, c-format msgid "Mismatching parameters on device %s." 
msgstr "Kan inte rensa huvudet på enheten %s." -#: lib/setup.c:2728 +#: lib/setup.c:2731 msgid "Crypt devices mismatch." msgstr "Krypteringsenheter har matchningsfel." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2768 lib/setup.c:2773 lib/luks2/luks2_reencrypt.c:2315 +#: lib/luks2/luks2_reencrypt.c:2853 lib/luks2/luks2_reencrypt.c:4007 #, c-format msgid "Failed to reload device %s." msgstr "Misslyckades med att läsa om enhet %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2779 lib/setup.c:2785 lib/luks2/luks2_reencrypt.c:2286 +#: lib/luks2/luks2_reencrypt.c:2293 lib/luks2/luks2_reencrypt.c:2867 #, c-format msgid "Failed to suspend device %s." msgstr "Misslyckades med att försätta enhet %s i vänteläge." -#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2791 lib/luks2/luks2_reencrypt.c:2300 +#: lib/luks2/luks2_reencrypt.c:2888 lib/luks2/luks2_reencrypt.c:3920 +#: lib/luks2/luks2_reencrypt.c:4011 #, c-format msgid "Failed to resume device %s." msgstr "Misslyckades med att återuppta enhet %s." -#: lib/setup.c:2803 +#: lib/setup.c:2806 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Ödesdigert fel vid omläsning av enhet %s (ovanpå enhet %s)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2809 lib/setup.c:2811 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Misslyckades med att växla enhet %s till dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:2891 msgid "Cannot resize loop device." msgstr "Det går inte att ändra storlek på loop-enhet." 
-#: lib/setup.c:2958 +#: lib/setup.c:2931 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "VARNING: Maximal storlek redan satt eller så stöder inte kärnan storleksändring.\n" + +#: lib/setup.c:2989 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Misslyckades med storleksändring, kärnan stöder inte detta." + +#: lib/setup.c:3021 msgid "Do you really want to change UUID of device?" msgstr "Vill du verkligen ändra UUID för en enhet?" -#: lib/setup.c:3034 +#: lib/setup.c:3113 msgid "Header backup file does not contain compatible LUKS header." msgstr "Säkerhetskopian för huvud innehåller inte något giltigt LUKS-huvud." -#: lib/setup.c:3150 +#: lib/setup.c:3229 #, c-format msgid "Volume %s is not active." msgstr "Volymen %s är inte aktiv." -#: lib/setup.c:3161 +#: lib/setup.c:3240 #, c-format msgid "Volume %s is already suspended." msgstr "Volymen %s är redan i vänteläge." -#: lib/setup.c:3174 +#: lib/setup.c:3253 #, c-format msgid "Suspend is not supported for device %s." msgstr "Vänteläge stöds inte för enhet %s." -#: lib/setup.c:3176 +#: lib/setup.c:3255 #, c-format msgid "Error during suspending device %s." msgstr "Fel då enheten %s försattes i vänteläge." -#: lib/setup.c:3212 +#: lib/setup.c:3290 #, c-format msgid "Resume is not supported for device %s." msgstr "Att återuppta stöds inte för enhet %s." -#: lib/setup.c:3214 +#: lib/setup.c:3292 #, c-format msgid "Error during resuming device %s." msgstr "Fel då enheten %s återupptogs." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3326 lib/setup.c:3374 lib/setup.c:3444 lib/setup.c:3489 +#: src/cryptsetup.c:2207 #, c-format msgid "Volume %s is not suspended." msgstr "Volymen %s är inte i vänteläge." 
-#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3459 lib/setup.c:3862 lib/setup.c:4584 lib/setup.c:4597 +#: lib/setup.c:4605 lib/setup.c:4618 lib/setup.c:6142 src/cryptsetup.c:1790 msgid "Volume key does not match the volume." msgstr "Volymnyckeln stämmer inte överens med volymen." -#: lib/setup.c:3428 lib/setup.c:3633 +#: lib/setup.c:3540 lib/setup.c:3745 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Det går inte att lägga till nyckelplats. Alla platser är inaktiverade och ingen volymnyckel har angivits." -#: lib/setup.c:3585 +#: lib/setup.c:3697 msgid "Failed to swap new key slot." msgstr "Misslyckades med att byta ny nyckelplats." -#: lib/setup.c:3771 +#: lib/setup.c:3883 #, c-format msgid "Key slot %d is invalid." msgstr "Nyckelplats %d är ogiltig." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3889 src/cryptsetup.c:1594 src/cryptsetup.c:1936 +#: src/cryptsetup.c:2540 src/cryptsetup.c:2597 #, c-format msgid "Keyslot %d is not active." msgstr "Nyckelplats %d är inte aktiv." -#: lib/setup.c:3796 +#: lib/setup.c:3908 msgid "Device header overlaps with data area." msgstr "Dataområde spiller över på hashområdet." -#: lib/setup.c:4089 +#: lib/setup.c:4213 msgid "Reencryption in-progress. Cannot activate device." msgstr "Omkryptering pågår. Det går inte att aktivera enheten." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4215 lib/luks2/luks2_json_metadata.c:2635 +#: lib/luks2/luks2_reencrypt.c:3565 msgid "Failed to get reencryption lock." msgstr "Misslyckades med att erhålla omkrypteringslås." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4228 lib/luks2/luks2_reencrypt.c:3584 msgid "LUKS2 reencryption recovery failed." 
msgstr "Misslyckades med återhämtning av LUKS2-omkryptering." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4396 lib/setup.c:4661 msgid "Device type is not properly initialized." msgstr "Enhetstypen är inte korrekt initierad." -#: lib/setup.c:4283 +#: lib/setup.c:4444 #, c-format msgid "Device %s already exists." msgstr "Enheten %s finns redan." -#: lib/setup.c:4290 +#: lib/setup.c:4451 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Det går inte att använda enheten %s som fortfarande används eller har ett ogiltigt namn." -#: lib/setup.c:4410 +#: lib/setup.c:4571 msgid "Incorrect volume key specified for plain device." msgstr "Felaktig volymnyckel för plain-enhet." -#: lib/setup.c:4526 +#: lib/setup.c:4687 msgid "Incorrect root hash specified for verity device." msgstr "Felaktig rothash angiven för verity-enhet." -#: lib/setup.c:4533 +#: lib/setup.c:4697 msgid "Root hash signature required." msgstr "Root-hashsignatur krävs." -#: lib/setup.c:4542 +#: lib/setup.c:4706 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Kärnans nyckelring saknas: krävs för att skicka signatur till kärnan." -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4723 lib/setup.c:6218 msgid "Failed to load key in kernel keyring." msgstr "Misslyckades med att öppna nyckelringen för kärnan." -#: lib/setup.c:4615 +#: lib/setup.c:4779 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Misslyckades med att avbryta fördröjd borttagning från enheten %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4786 lib/setup.c:4802 lib/luks2/luks2_json_metadata.c:2688 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Enheten %s används fortfarande." -#: lib/setup.c:4647 +#: lib/setup.c:4811 #, c-format msgid "Invalid device %s." msgstr "Ogiltig enhet %s." 
-#: lib/setup.c:4763 +#: lib/setup.c:4927 msgid "Volume key buffer too small." msgstr "Buffert för volymnyckelen är för liten." -#: lib/setup.c:4771 +#: lib/setup.c:4935 msgid "Cannot retrieve volume key for plain device." msgstr "Kan inte hämta volymnyckel för plain-enhet." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "Det går inte att hämta root-hash för verity-enhet." -#: lib/setup.c:4792 +#: lib/setup.c:4956 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Denna åtgärd stöds inte för krypteringsenheter av typen %s." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5130 lib/setup.c:5141 msgid "Dump operation is not supported for this device type." msgstr "Utskriftsåtgärden stöds inte för denna enhetstyp." -#: lib/setup.c:5337 +#: lib/setup.c:5471 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Dataförskjutning är inte en multipel av %u byte." -#: lib/setup.c:5622 +#: lib/setup.c:5756 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Det går inte konvertera enheten %s som fortfarande används." -#: lib/setup.c:5941 +#: lib/setup.c:6075 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Misslyckades med att tilldela nyckelplats %u som ny volymnyckel." -#: lib/setup.c:6014 +#: lib/setup.c:6148 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Misslyckades med att initiera standardnyckelplats för LUKS2-parametrar." -#: lib/setup.c:6020 +#: lib/setup.c:6154 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Misslyckades med att tilldela nyckelplats %d till kontrollsummor." -#: lib/setup.c:6151 +#: lib/setup.c:6285 msgid "Kernel keyring is not supported by the kernel." msgstr "Kärnans nyckelring stöds inte av kärnan." 
-#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6295 lib/luks2/luks2_reencrypt.c:3782 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Misslyckades med att läsa lösenfras från nyckelringsnyckel (fel %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6319 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Misslyckades med att inhämta globalt minneshårt serialiseringslås." @@ -587,8 +608,8 @@ msgstr "Misslyckades med att ta stat på nyckelfilen." msgid "Cannot seek to requested keyfile offset." msgstr "Det går inte att söka till begärd nyckelfilsoffset." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Slut på minne vid läsning av lösenfras." @@ -609,7 +630,7 @@ msgid "Cannot read requested amount of data." msgstr "Det går inte läsa begärd mängd data." #: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1353 #, c-format msgid "Device %s does not exist or access denied." msgstr "Enheten %s finns inte eller åtkomst nekas." 
@@ -739,12 +760,12 @@ msgstr "Rättigheterna för låskatalogen %s/%s kommer att skapas med inkompiler msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Låsningen avbruten. Låsningsökvägen %s/%s oanvändbar (%s är inte en katalog)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Det går inte att söka till enhetsoffset." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." msgstr "Fel vid radering av enhet, förskjutning %<PRIu64>." @@ -768,7 +789,7 @@ msgstr "Chifferspecifikation ska vara i formatet [chiffer] - [läge] - [iv]." #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 #: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks2/luks2_json_metadata.c:1421 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Kan inte skriva till enhet %s, behörighet nekad." 
@@ -782,17 +803,17 @@ msgid "Failed to access temporary keystore device." msgstr "Misslyckades med att komma åt temporär nyckellagringsenhet." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "In-/utfel vid kryptering av nyckelplats." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 +#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:680 +#: lib/verity/verity.c:80 lib/verity/verity.c:196 lib/verity/verity_hash.c:320 #: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/verity/verity_fec.c:260 lib/verity/verity_fec.c:272 +#: lib/verity/verity_fec.c:277 lib/luks2/luks2_json_metadata.c:1424 +#: src/utils_reencrypt_luks1.c:121 src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Det går inte att öppna enheten %s." 
@@ -813,43 +834,32 @@ msgstr "Enhet %s är för liten. (LUKS1 kräver minst %<PRIu64> byte.)" msgid "LUKS keyslot %u is invalid." msgstr "LUKS-nyckelplats %u är ogiltig." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "Enheten %s är inte en giltig LUKS-enhet." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1284 #, c-format msgid "Requested header backup file %s already exists." msgstr "Begärd säkerhetskopia %s av huvud finns redan." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1286 #, c-format msgid "Cannot create header backup file %s." msgstr "Det går inte att skapa säkerhetskopia för huvud %s." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1293 #, c-format msgid "Cannot write header backup file %s." msgstr "Det går inte skriva säkerhetskopia för huvud %s." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1330 msgid "Backup file does not contain valid LUKS header." msgstr "Säkerhetskopian innehåller inte något giltigt LUKS-huvud." #: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks2/luks2_json_metadata.c:1351 #, c-format msgid "Cannot open header backup file %s." 
msgstr "Det går inte att öppna säkerhetskopia för huvud %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1359 #, c-format msgid "Cannot read header backup file %s." msgstr "Det går inte att läsa säkerhetskopia för huvud %s." @@ -871,7 +881,7 @@ msgstr "innehåller inget LUKS-huvud. Ersättning av huvud kan förstöra data p msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "innehåller redan LUKS-huvud. Ersättningen av huvud kommer att förstöra befintliga nyckelplatser." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1393 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -945,7 +955,7 @@ msgstr "LUKS-chifferläge %s är ogiltigt." msgid "LUKS hash %s is invalid." msgstr "LUKS-hash %s är ogiltig." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1144 msgid "No known problems detected for LUKS header." msgstr "Inga kända problem identifierade för LUKS-huvud." @@ -964,8 +974,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Data-offset för fristående LUKS-huvud måste vara antingen 0 eller större än huvudstorleken." #: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1175 +#: src/utils_reencrypt.c:475 msgid "Wrong LUKS UUID format provided." msgstr "Felaktigt LUKS-UUID-format angavs." 
@@ -998,7 +1008,7 @@ msgstr "Det går inte att öppna nyckeplats (använder hash %s)." msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Nyckelplats %d är ogiltig. Välj en nyckelplats mellan 0 och %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Kan inte rensa enheten %s." 
@@ -1029,205 +1039,213 @@ msgstr "Fel vid läsning av nyckelfil %s." msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Högsta TCRYPT-lösenfraslängd (%zu) överskriden." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:601 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "PBKDF2-hashalgoritm %s ej tillgänglig, hoppar över." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1019 msgid "Required kernel crypto interface not available." msgstr "Begärt kryptogränssnitt för kärnan inte tillgängligt." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:622 src/cryptsetup.c:1021 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Försäkra dig om att kärnmodulen algif_skcipher är inläst." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:763 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Aktivering stöds inte för sektorstorlek %d." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:769 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Kärnan stöder inte aktivering för detta föråldrade TCRYPT-läge." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:800 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Aktiverar TCRYPT-systemkryptering för partition %s." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:883 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Kärnan stöder inte TCRYPT-kompatibel mappning." -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1096 msgid "This function is not supported without TCRYPT header load." msgstr "Denna funktion stöds inte utan inläsning av TCRYPT-huvud." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:275 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av volymhuvudnyckel." 
-#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:328 msgid "Invalid string found when parsing Volume Master Key." msgstr "Ogiltig sträng funnen vid tolkning av volymhuvudnyckel." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:332 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Oväntad sträng (”%s”) funnen vid tolkning av volymhuvudnycklar som stöds." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:349 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Oväntad metadatapostvärde av typ ”%u” funnen vid tolkning av volymhuvudnycklar som stöds." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Misslyckades med att läsa BITLK-signatur från %s." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Ogiltig eller okänd signatur för BITLK-enhet." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:451 msgid "BITLK version 1 is currently not supported." msgstr "BITLK version 1 stöds ej för närvarande." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:457 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Ogiltig eller okänd boot-signatur för BITLK-enhet." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:469 #, c-format msgid "Unsupported sector size %<PRIu16>." msgstr "Stöder inte sektorstorleken %<PRIu16>." -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:477 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Misslyckades med att läsa BITLK-huvud från %s." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:502 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Misslyckades med att läsa BITLK FVE-metadata från %s." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:554 msgid "Unknown or unsupported encryption type." msgstr "Krypteringstypen är okänd eller stöds ej." 
-#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:587 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Misslyckades med att läsa BITLK -metadataposter från %s." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:681 +msgid "Failed to convert BITLK volume description" +msgstr "Misslyckades med att konvertera BITLK-volymbeskrivning" + +#: lib/bitlk/bitlk.c:841 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av extern nyckel." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:860 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "BEK-filens GUID '%s' stämmer inte överens med GUID för volymen." + +#: lib/bitlk/bitlk.c:864 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Oväntad metadatapostvärde av typ ”%u” funnen vid tolkning av extern nyckel." -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:903 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Inget stöd för BEK metadata-version %<PRIu32>" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:908 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Oväntad BEK-metadatastorlek %<PRIu32> matchar inte BEK-fillängd" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:933 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av uppstartsnyckel." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1029 msgid "This operation is not supported." msgstr "Denna åtgärd stöds ej." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1037 msgid "Unexpected key data size." msgstr "Oväntad nyckeldatastorlek." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1163 msgid "This BITLK device is in an unsupported state and cannot be activated." 
msgstr "Denna BITLK-enhet är i tillstånd som inte stöds och kan inte aktiveras." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1168 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Det går inte att aktivera BITLK-enheter av typen ”%s”." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1175 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Aktivering av delvis avkrypterade BITLK-enheter stöds ej." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1216 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "VARNING: BitLocker-volymstorlek %<PRIu64> överensstämmer inte med underliggande enhetstorlek %<PRIu64>" + +#: lib/bitlk/bitlk.c:1343 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för BITLK IV." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1347 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för BITLK Elephant diffuser." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1351 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för stor sektorstorlek." + +#: lib/bitlk/bitlk.c:1355 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Det går inte att aktivera enheten, kärnmodulen dm-zero saknas." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "Verity-enheten %s använder inte huvud på disk." -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Enheten %s är inte en giltig VERITY-enhet." 
- -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "VERITY-versionen %d stöds inte." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "VERITY-huvud är skadat." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "Felaktigt VERITY-UUID-format angivet på enhet %s." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Fel vid uppdatering av verity-huvud på enheten %s." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Begärd hashsignaturverifiering %s stöds inte." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Det går inte reparera fel med FEC-enhet." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Fann %u reparerbara fel med FEC-enhet." -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "Kärnan stöder inte dm-verity-mappning." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "Kärnan stöder inte flaggan för dm-verity-signatur." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "Verity-enhet identifierades som skadad efter aktivering." 
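Review bot: Two `msgstr` entries kept on the new side of this hunk carry a conversion specifier that their `msgid` does not have. "Root hash signature verification is not supported." (lib/verity/verity.c:278) is translated with a `%s`, and "Unexpected metadata entry found when parsing startup key." (lib/bitlk/bitlk.c:933) with a `%u`. Neither entry is flagged `c-format`, so a gettext format check is unlikely to catch the mismatch. If these strings reach a printf-style logging call, which the page does not show but which looks likely, the Swedish locale would consume an argument that was never passed. I would drop the specifiers, for example `msgstr "Verifiering av rothashsignatur stöds inte."` and `msgstr "Oväntad metadatapost funnen vid tolkning av uppstartsnyckel."`.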
@@ -1299,37 +1317,42 @@ msgstr "Misslyckades med att skriva paritet för RS block %<PRIu64>." msgid "Failed to write parity for RS block %<PRIu64>." msgstr "Misslyckades med att skriva paritet för RS block %<PRIu64>." -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "Blockstorlekar måste matcha för FEC." -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "Ogiltigt antal paritet-byte." -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "Ogiltig FEC-segmentlängd." -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "Misslyckades med att bestämma storlek för enhet %s." -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "Inkompatibel kärnmetadata dm-integrity (version %u) identifierad på %s." + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 msgid "Kernel does not support dm-integrity mapping." msgstr "Kärnan stöder inte dm-integrity-mappning." -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "Kärnan stöder inte fast metadataförskjutning för dm-integrity." -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Kärnan tillåter inte att den osäkra flaggan recalculate aktiveras (se föråldrade aktiveringsflaggor för att åsidosätta)." 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks2/luks2_json_metadata.c:1413 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Misslyckades med att få skrivlås på enheten %s." 
@@ -1355,40 +1378,40 @@ msgstr "Begärd dataoff för liten." msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "VARNING: nyckelplatsområdet (%<PRIu64> byte) är väldigt liten, tillgängligt LUKS2-nyckelplatsantal är väldigt begränsat.\n" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 +#: lib/luks2/luks2_json_metadata.c:1120 lib/luks2/luks2_json_metadata.c:1258 +#: lib/luks2/luks2_json_metadata.c:1319 lib/luks2/luks2_keyslot_luks2.c:92 #: lib/luks2/luks2_keyslot_luks2.c:114 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Misslyckades med att erhålla läslås på enheten %s." -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1336 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Förbjudna LUKS2-krav identifierade i säkerhetskopian %s." -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1377 msgid "Data offset differ on device and backup, restore failed." msgstr "Dataoffset skiljer sig på enhet och säkerhetskopia. Återställningen misslyckades." -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1383 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Binärhuvud med nyckelstorlek skiljer sig på enhet och säkerhetskopia. Återställningen misslyckades." -#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1390 #, c-format msgid "Device %s %s%s%s%s" msgstr "Enhet %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1391 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "innehåller inget LUKS2-huvud. Ersättning av huvud kan förstöra data på enheten." 
-#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1392 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "innehåller redan LUKS2-huvud. Ersättningen av huvud kommer att förstöra befintliga nyckelplatser." -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1394 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1398,7 +1421,7 @@ msgstr "" "VARNING:okända LUKS2-krav identifierade i huvudet för riktig enhet!\n" "Att ersätta huvudet med en säkerhetskopia kan göra data korrupt på enheten!" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1396 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" 
@@ -1408,58 +1431,58 @@ msgstr "" "VARNING:Oavslutad frånkopplade kryptering identifierad på enheten!\n" "Att ersätta huvudet med en säkerhetskopia kan orsaka korrupt data." -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1494 #, c-format msgid "Ignored unknown flag %s." msgstr "Ignorerade okänd flagga %s." -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2402 lib/luks2/luks2_reencrypt.c:2015 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Saknar nyckel för dm-crypt-segmentet %u" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2414 lib/luks2/luks2_reencrypt.c:2029 msgid "Failed to set dm-crypt segment." msgstr "Misslyckades med att läsa dm-crypt-segment." -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2420 lib/luks2/luks2_reencrypt.c:2035 msgid "Failed to set dm-linear segment." msgstr "Misslyckades med att läsa dm-linear-segment." -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2547 msgid "Unsupported device integrity configuration." msgstr "Integritetskonfiguration som ej stöds på enheten." -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2633 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Omkryptering pågår. Det går inte att inaktivera enhet." -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2644 lib/luks2/luks2_reencrypt.c:4057 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Misslyckades med att ersätta inaktiverad enhet %s med målet dm-error." -#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2724 msgid "Failed to read LUKS2 requirements." msgstr "Misslyckades med att läsa LUKS2-krav." 
-#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2731 msgid "Unmet LUKS2 requirements detected." msgstr "Ej uppfyllt LUKS2-krav identifierat." -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2739 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Åtgärden inkompatibel med enhet markerad för föråldrad omkryptering. Avbryter." -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2741 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Åtgärden inkompatibel med enhet markerad för LUKS2-omkryptering. Avbryter." -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 msgid "Not enough available memory to open a keyslot." msgstr "Inte nog med minne för att öppna en nyckelplats." -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 msgid "Keyslot open failed." msgstr "Misslyckades med att öppna nyckelplats." 
@@ -1468,348 +1491,406 @@ msgstr "Misslyckades med att öppna nyckelplats." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Det går inte att använda %s-%s-chiffer för nyckelplatskryptering." -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:496 msgid "No space for new keyslot." msgstr "Inget utrymme för ny nyckelplats." -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2615 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "Hashalgoritm %s är inte tillgänglig." + +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "Begärde ogiltigt återhämtningsläge för omkryptering." + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes." +msgstr "Det går inte att uppdatera återhämtningstup. Ny typ tillhandahåller %<PRIu64> byte, begärt utrymme är: %<PRIu64> byte." + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "Misslyckades med att sammandrag för omkrypteringsverifikation." + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Det går inte kontrollera status för enheten med uuid: %s." -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Det går inte att konvertera huvud med ytterligare metadata för LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3715 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "Det går inte att använda chiffer-spefikationen %s-%s för LUKS2." + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." 
msgstr "Kunde inte flytta nyckelplatsområde. Inte nog med utrymme." -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "Det går inte att konvertera till LUKS2-format - ogiltig metadata." + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Kunde inte flytta nyckelplatsområde. Området för LUKS2-nyckelplatser är för litet." -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "Kunde inte flytta nyckelplatsområde." -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Det går inte att konvertera till LUKS1-format - standardkrypteringstorleken är inte 512 byte." -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Det går inte att konvertera till LUKS1-format - kontrollsummor för nyckelplatser är inte LUKS1-kompatibla." -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Det går inte att konvertera till LUKS1-format - enheterna använder inbäddat nyckelchiffer %s." -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "Det går inte att konvertera till LUKS1-format - enheten använder flera segment." + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." 
msgstr "Det går inte att konvertera till LUKS1-format - LUKS2-huvud innehåller %u token." -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Det går inte att konvertera till LUKS1-format - nyckelplats %u är i ogiltigt tillstånd." -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Det går inte att konvertera till LUKS1-format - plats %u (av maximalt antal platser) är fortfarande aktiv." -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Det går inte att konvertera till LUKS1-format - nyckelplats %u är inte LUKS1-kompatibel." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1107 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Hotzone-storleken måste vara en multipel av beräknad zonjustering (%zu-byte)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1112 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Enhetsstorleken måste vara en multipel av beräknad zonstorlek (%zu byte)." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Stöder inte motståndsläge %s" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1319 lib/luks2/luks2_reencrypt.c:1505 +#: lib/luks2/luks2_reencrypt.c:1588 lib/luks2/luks2_reencrypt.c:1630 +#: lib/luks2/luks2_reencrypt.c:3852 msgid "Failed to initialize old segment storage wrapper." 
msgstr "Misslyckades med att initiera gammal segmentlagringsinbäddning." -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1333 lib/luks2/luks2_reencrypt.c:1483 msgid "Failed to initialize new segment storage wrapper." msgstr "Misslyckades med att initiera ny segmentlagringsinbäddning." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1460 lib/luks2/luks2_reencrypt.c:3864 +msgid "Failed to initialize hotzone protection." +msgstr "Misslyckades med att initiera skydd av hotzone." + +#: lib/luks2/luks2_reencrypt.c:1532 msgid "Failed to read checksums for current hotzone." msgstr "Misslyckades med att läsa kontrollsummor från aktuell varm zon." -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1539 lib/luks2/luks2_reencrypt.c:3878 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "Misslyckades med att läsa område för varm zon med början %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1558 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Misslyckades med att dekryptera sektor %zu." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1564 #, c-format msgid "Failed to recover sector %zu." msgstr "Misslyckades med återhämta sektor %zu." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2128 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "Käll- och målenhetstorlekar stämmer inte överens. Källa %<PRIu64>, mål: %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2226 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Misslyckades med att aktivera varm zon-enhet %s." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2243 #, c-format msgid "Failed to activate overlay device %s with actual origin table." 
msgstr "Misslyckades med att aktivera överlagringsenheten %s med aktuell ursprungstabell." -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2250 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Misslyckades med att läsa in ny mappning för enhet %s." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2321 msgid "Failed to refresh reencryption devices stack." msgstr "Misslyckades med att uppdatera listan över omkrypteringsenheter." -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2497 msgid "Failed to set new keyslots area size." msgstr "Misslyckades med att sätta en ny storlek på nyckelplatsområdet." -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2633 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Dataskiftning är inte justerad till begärd sektorstorlek (%<PRIu32> byte)." +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Dataskiftning är inte justerad till krypteringssektorstorlek (%<PRIu32> byte)." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2664 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Dataenhet är inte justerad till begärd sektorstorlek (%<PRIu32> byte)." +msgid "Unsupported resilience mode %s" +msgstr "Stöder inte motståndsläge %s" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2741 +msgid "Moved segment size can not be greater than data shift value." +msgstr "Flyttat segmentstorlek kan inte vara större än dataskift-värdet." + +#: lib/luks2/luks2_reencrypt.c:2799 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "Flyttat segment för stor. Begärd storlek %<PRIu64>, tillgänglig storlek för: %<PRIu64>." + +#: lib/luks2/luks2_reencrypt.c:2886 +msgid "Failed to clear table." 
+msgstr "Misslyckades med att rensa tabellen." + +#: lib/luks2/luks2_reencrypt.c:2972 +msgid "Reduced data size is larger than real device size." +msgstr "Minskad datastorlek är större än den riktiga enhetsstorleken." + +#: lib/luks2/luks2_reencrypt.c:2979 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Dataenhet är inte justerad till krypteringssektorstorlek (%<PRIu32> byte)." + +#: lib/luks2/luks2_reencrypt.c:3013 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "Dataskiftning (%<PRIu64> sektorer) är mindre än framtida dataförskjutning (%<PRIu64> sektorer)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3020 lib/luks2/luks2_reencrypt.c:3508 +#: lib/luks2/luks2_reencrypt.c:3529 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Misslyckades med att öppna %s i exklusivt läge (redan mappad eller monterad)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3209 msgid "Device not marked for LUKS2 reencryption." msgstr "Enheten är inte markerad för LUKS2-omkryptering." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3226 lib/luks2/luks2_reencrypt.c:4181 msgid "Failed to load LUKS2 reencryption context." msgstr "Misslyckades med att läsa in LUKS2-omkrypteringskontext." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3306 msgid "Failed to get reencryption state." msgstr "Misslyckades med att erhålla status för omkryptering." -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3310 lib/luks2/luks2_reencrypt.c:3624 msgid "Device is not in reencryption." msgstr "Enheten är inte i omkryptering." 
-#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3317 lib/luks2/luks2_reencrypt.c:3631 msgid "Reencryption process is already running." msgstr "Omkrypteringsprocessen pågår redan." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3319 lib/luks2/luks2_reencrypt.c:3633 msgid "Failed to acquire reencryption lock." msgstr "Misslyckades med att erhålla skrivlås för omkryptering." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3337 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Det går inte att fortsätta med omkryptering. Kör återställning av omkryptering först." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3472 msgid "Active device size and requested reencryption size don't match." msgstr "Aktiv enhetsstorlek och begärd omkrypteringsstorlek skiljer sig åt." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3486 msgid "Illegal device size requested in reencryption parameters." msgstr "Ogiltig enhetsstorlek begärd i omkrypteringsparametrarna." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3563 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Omkryptering pågår redan. Det går inte att utföra återhämtning." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3732 msgid "LUKS2 reencryption already initialized in metadata." msgstr "LUKS2-omkryptering är redan initierad i metadata." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3739 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Misslyckades med att initiera LUKS2-omkryptering i metadata." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3834 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Misslyckades med sätta enhetssegment för nästa varm zon-omkryptering." 
-#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3886 msgid "Failed to write reencryption resilience metadata." msgstr "Misslyckades med att skriva motståndsmetadata för omkryptering." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3893 msgid "Decryption failed." msgstr "Avkryptering misslyckades." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3898 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Misslyckades med att skriva område för varm zon med början vid %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3903 msgid "Failed to sync data." msgstr "Misslyckades med att synkronisera data." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Misslyckades med att uppdatera metadata efter aktuell varm zon för omkrypteringär färdigställd." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4000 msgid "Failed to write LUKS2 metadata." msgstr "Misslyckades med att skriva LUKS2-metadata." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Misslyckades med att radera säkerhetskopia av segmentdata." +#: lib/luks2/luks2_reencrypt.c:4023 +msgid "Failed to wipe unused data device area." +msgstr "Misslyckades med att radera oanvänt område på dataenheten." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Misslyckades med att inaktivera flaggan för omkrypteringskrav." +#: lib/luks2/luks2_reencrypt.c:4029 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Misslyckades med att ta bort oanvänd (obunden) nyckelplats %d." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4039 +msgid "Failed to remove reencryption keyslot." +msgstr "Misslyckades med att ta bort nyckelplats för omkryptering." 
+ +#: lib/luks2/luks2_reencrypt.c:4049 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." msgstr "Ödesdigert fel vid omkrypteringschunk med start vid %<PRIu64>, %<PRIu64> sektorer lång." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4053 msgid "Online reencryption failed." msgstr "Misslyckades med omkryptering." -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4058 msgid "Do not resume the device unless replaced with error target manually." msgstr "Återuppta inte enheten om inte den ersatts med felmål manuellt." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4112 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Det går inte att fortsätta med omkryptering. Oväntat omkrypteringsläge." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4118 msgid "Missing or invalid reencrypt context." msgstr "Saknat eller ogiltigt omkrypteringskontext." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to initialize reencryption device stack." msgstr "Misslyckades med att initiera listan för omkrypteringsenheter." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4147 lib/luks2/luks2_reencrypt.c:4194 msgid "Failed to update reencryption context." msgstr "Misslyckades med att uppdatera omkrypteringskontext." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Kan inte verifiera lösenfras på icke-tty-ingångar." +#: lib/luks2/luks2_reencrypt_digest.c:406 +msgid "Reencryption metadata is invalid." +msgstr "Omkryperingsmetadata är ogiltigt." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Krypteringsparametrar för nyckelplatser stöds endast av LUKS2-enheter." 
-#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 #, c-format msgid "Enter token PIN:" msgstr "Ange token-PIN:" -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 #, c-format msgid "Enter token %d PIN:" msgstr "Ange token-PIN %d :" -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:966 src/cryptsetup.c:1293 +#: src/utils_reencrypt.c:1048 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Inget känt chifferspecifikationsmönster kunde identifieras." -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "VARNING: parametern --hash ignoreras i plain-läge med specificerad nyckelfil.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "VARNING: flaggan --keyfile-size ignoreras, lässtorleken är densamma som storleken för krypteringsnyckeln.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Identfierar enhetssignatur(er) på %s. Att fortsätta kan skada befintlig data." 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1040 src/cryptsetup.c:1088 +#: src/cryptsetup.c:1154 src/cryptsetup.c:1270 src/cryptsetup.c:1343 +#: src/cryptsetup.c:1994 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:275 msgid "Operation aborted.\n" msgstr "Åtgärd avbruten.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "Flaggan --key-file krävs." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "Ange VeraCrypt PIM: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Ogiltigt PIM-värde:tolkningsfel." -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Ogiltigt PIM-värde: 0." -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." msgstr "Ogiltigt PIM-värde:utanför intervallet." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "Inget enhetshuvud finns tillgängligt med denna lösenfras." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Enheten %s är inte en giltig BITLK-enhet." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Det går inte att avgöra volymens nyckelstorlek för BTLK, använd flaggan --key-size." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" 
@@ -1819,7 +1900,7 @@ msgstr ""
 "som tillåter åtkomst till krypterad partition utan lösenfras.\n"
 "Denna utskrift bör alltid lagras krypterad på ett säkert ställe."
 
-#: src/cryptsetup.c:661 src/cryptsetup.c:2125
+#: src/cryptsetup.c:573 src/cryptsetup.c:2019
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1829,88 +1910,104 @@ msgstr "" "som tillåter åtkomst till krypterad partition utan lösenfras.\n" "Denna utskrift bör alltid lagras krypterad på ett säkert ställe." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:664 src/veritysetup.c:321 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Enheten %s är fortfarande aktiv och schemalagd för uppskjuten borttagning.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:698 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Att ändra storlek på aktiv enhet kräver volymnyckel i nyckelringen, men -flaggan --disable-keyring är angiven." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:845 msgid "Benchmark interrupted." msgstr "Prestandamätning avbruten." -#: src/cryptsetup.c:957 +#: src/cryptsetup.c:866 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s N/A\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:868 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iterationer per sekund för %zu-bitnyckel\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:882 #, c-format msgid "%-10s N/A\n" msgstr "%-10s N/A\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:884 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iterationer, %5u minne, %1u parallella trådar (CPU:er) för %zu-bitnyckelplats (begärde %u ms)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:908 msgid "Result of benchmark is not reliable." msgstr "Resultat från prestandamätningen är inte pålitligt." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:958 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Tester är ungefärliga och använder endast minne (ingen lagrings-IO).\n" #. 
TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:978 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algoritm | Nyckel | Kryptering | Avkryptering\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:982 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Chiffret %s (med nyckel av %i bitar) är inte tillgängligt." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1001 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algoritm | Nyckel | Kryptering | AVkryptering\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1012 msgid "N/A" msgstr "N/A" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1037 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Verkar som enheten inte kräver omkrypteringsåterställning.\n" -"Vill du ändå fortsätta?" +"Oskyddad LUKS2-omkryperingsmetadata identiferad. Vänligen verifiera att omkryperingsåtgärden behövs (se luksDump-utdata)\n" +"och fortsätt (uppgradera metadata) endast om du anser åtgärden som behövd." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1043 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Ange lösenfras för att skydda och uppgradera omkrypteringmetadata:" + +#: src/cryptsetup.c:1087 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Vill du verkligen fortsätta med LUKS2-omkrypteringsåterställning?" 
-#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1096 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Ange lösenfras för att verifiera sammandrag för metadata-omkryptering:" + +#: src/cryptsetup.c:1098 msgid "Enter passphrase for reencryption recovery: " msgstr "Ange lösenfras för omkrypteringsåterhämtning: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1153 msgid "Really try to repair LUKS device header?" msgstr "Vill du verkligen försöka att reparera LUKS-enhetshuvud?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1177 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Skrivning avbruten." + +#: src/cryptsetup.c:1182 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1918,113 +2015,119 @@ msgstr "" "Rensar enheten för att initialisera kontrollsumma för integritet.\n" "Du kan avbryta detta genom att trycka ned CTRL+c (resten av den ej rensade enheten kommer att innehålla en ogiltigt kontrollsumma).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1204 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Det går inte att inaktivera temporär enhet %s." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1255 msgid "Integrity option can be used only for LUKS2 format." msgstr "Flaggan för integritet kan endast användas för formatet LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1260 src/cryptsetup.c:1320 msgid "Unsupported LUKS2 metadata size options." msgstr "Flaggorna för storlekar på LUKS2-metadata stöds inte." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1269 msgid "Header file does not exist, do you want to create it?" msgstr "Deklarationsfilen existerar inte, vill du skapa den?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1277 #, c-format msgid "Cannot create header file %s." msgstr "Det går inte att skapa huvudfil %s." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1300 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Inga kända integritetspecifikationsmönster identifierat." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1313 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Det går inte att använda %s som diskhuvud." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1337 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." 
msgstr "Detta kommer att skriva över data på %s och går inte att ångra." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1370 src/cryptsetup.c:1707 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1876 src/cryptsetup.c:1942 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Misslyckades med att sätta pbkdf-parametrar." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1455 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Förminskad dataoffset endast tillåtet för fristående LUKS-huvuden." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1466 src/cryptsetup.c:1778 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Det går inte att avgöra volymens nyckelstorlek för LUKS utan nyckelplatser, använd flaggen --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1512 msgid "Device activated but cannot make flags persistent." msgstr "Enheten aktiverad men kan inte spara undan flaggorna." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1591 src/cryptsetup.c:1659 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Nyckelplats %d markerad för borttagning." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1603 src/cryptsetup.c:1663 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Detta är sista nyckelplatsen. Enheten kommer att bli oanvändbar efter att denna nyckel tagits bort." 
-#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1604 msgid "Enter any remaining passphrase: " msgstr "Ange eventuell återstående lösenfras: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1605 src/cryptsetup.c:1665 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Åtgärden avbröts, nyckelplatsen raderades INTE.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1641 msgid "Enter passphrase to be deleted: " msgstr "Ange lösenfras att ta bort: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1691 src/cryptsetup.c:1925 src/cryptsetup.c:2505 +#: src/cryptsetup.c:2649 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Enheten %s är inte en giltig LUKS2-enhet." + +#: src/cryptsetup.c:1721 src/cryptsetup.c:1795 src/cryptsetup.c:1829 msgid "Enter new passphrase for key slot: " msgstr "Ange ny lösenfras för nyckelplats: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1812 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Ange valfri existerande lösenfras: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:1880 msgid "Enter passphrase to be changed: " msgstr "Ange lösenfras att ändra: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:1896 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Ange ny lösenfras: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:1946 msgid "Enter passphrase for keyslot to be converted: " msgstr "Ange lösenfras för nyckelplats att konvertera: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:1970 msgid "Only one device argument for isLuks operation is supported." msgstr "Endast ett enhetsargument för operationen isLuks stöds." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2078 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Nyckelplats %d innehåller inte obunden nyckel." 
-#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2083 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2032,40 +2135,40 @@ msgstr "" "Utskrift av huvudet med obunden nyckel är känslig information.\n" "Denna utskrift bör alltid lagras krypterad på ett säkert ställe." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2169 src/cryptsetup.c:2198 #, c-format msgid "%s is not active %s device name." msgstr "%s är inte ett aktivt %s-enhetsnamn." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2193 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s är inte ett aktivt LUKS-enhetsnamn eller så saknas deklaration." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2255 src/cryptsetup.c:2274 msgid "Option --header-backup-file is required." msgstr "Flaggan --header-backup-file krävs." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2305 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s är inte en cryptsetup-hanterad enhet." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2316 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Att uppdatera stöds inte för enhetstypen %s" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2362 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Okänd metadata för enhetstypen %s." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2364 msgid "Command requires device and mapped name as arguments." msgstr "Kommandot kräver enhet och mappat namn som argument." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2385 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2074,335 +2177,325 @@ msgstr "" "Denna åtgärd kommer att ta bort alla nyckelplatser på enhet %s.\n" "Enheten kommer att bli oanvändbar efter denna åtgärd." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2392 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Åtgärden avbryten, nyckelplatser raderades EJ.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2431 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Ogiltig LUKS-typ, endast luks1 och luks2 stöds." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2447 #, c-format msgid "Device is already %s type." msgstr "Enheten är redan av %s-typ." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2454 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Denna åtgärd kommer att konvertera %s till %s-format.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2457 msgid "Operation aborted, device was NOT converted.\n" msgstr "Åtgärden avbröts, enheten konverterades INTE.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2497 msgid "Option --priority, --label or --subsystem is missing." msgstr "Saknar flaggan --priority, --label eller --subsystem." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2531 src/cryptsetup.c:2568 src/cryptsetup.c:2588 #, c-format msgid "Token %d is invalid." msgstr "Token %d är ogiltig." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2534 src/cryptsetup.c:2591 #, c-format msgid "Token %d in use." msgstr "Token %d används." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2546 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Misslyckades med att lägga till luks2-nyckelringsstoken %d." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2554 src/cryptsetup.c:2617 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Misslyckades med att tilldela token %d till nyckelplats %d." 
-#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2571 #, c-format msgid "Token %d is not in use." msgstr "Token %d används ej." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2608 msgid "Failed to import token from file." msgstr "Misslyckades med att importera token från fil." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2633 #, c-format msgid "Failed to get token %d for export." msgstr "Misslyckades med att hämta token %d för export." +#: src/cryptsetup.c:2682 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Flaggorna --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup stöds endast på TCRYPT-enhet." + +#: src/cryptsetup.c:2685 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Flaggan --veracrypt eller --disable-veracrypt stöds endast för TCRYPT-enhetstyper." + +#: src/cryptsetup.c:2688 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Flaggan --veracrypt-pim stöds endast för VeraCrypt-kompatibla enheter." + +#: src/cryptsetup.c:2692 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Flaggan --veracrypt-query-pim stöds endast för VeraCrypt-kompatibla enheter." + +#: src/cryptsetup.c:2694 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Flaggorna --veracrypt-pim och --veracrypt-query-pim är ömsesidigt uteslutande." + +#: src/cryptsetup.c:2703 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Flaggan --persistent är ej tillåtet med --test-passphrase." + +#: src/cryptsetup.c:2706 +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Flaggorna --refresh och --test-passphrase är ömsesidigt uteslutande." + +#: src/cryptsetup.c:2709 +msgid "Option --shared is allowed only for open of plain device." 
+msgstr "Flaggan --shared är endast tillåten för öppning av plain-enhet." + +#: src/cryptsetup.c:2712 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Flaggan --skip stöds endast för öppning av plain-enheter och loopaes-enheter." + +#: src/cryptsetup.c:2715 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Flaggan --offset med åtgärden öppna stöds endast för öppning av plain-enheter och loopaes-enheter." + +#: src/cryptsetup.c:2718 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Flaggan --tcrypt-hidden kan inte kombineras med --allow-discards." + +#: src/cryptsetup.c:2722 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "Flaggan för sektorstorlek med åtgärden öppna stöds endast för plain-enheter." + +#: src/cryptsetup.c:2726 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Flaggan för stora IV-sektorer stöds endast för att öppna enheter av plain-typ med sektorstorlek större än 512 byte." + +#: src/cryptsetup.c:2730 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." +msgstr "Flaggan --test-passphrase är endast tillåten för open för LUKS-, TCRYPT-, och BITLK-enheter." + +#: src/cryptsetup.c:2733 src/cryptsetup.c:2756 +msgid "Options --device-size and --size cannot be combined." +msgstr "Flaggan --device-size och --size kan inte kombineras." + +#: src/cryptsetup.c:2736 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Flaggan --unbound är endast tillåten för öppning av luks-enhet." + +#: src/cryptsetup.c:2739 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "Flaggan --unbound kan inte användas utan --test-passphrase." 
+ +#: src/cryptsetup.c:2748 src/veritysetup.c:664 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Flaggorna --cancel-deferred och --deferred går inte att använda samtidigt." + +#: src/cryptsetup.c:2764 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Flaggan --reduce-device-size och --data-size kan inte kombineras." + +#: src/cryptsetup.c:2767 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Flaggan --active-name kan endast anges för LUKS2-enheter." + +#: src/cryptsetup.c:2770 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Flaggan --active-name och --force-offline-reencrypt kan inte kombineras." + +#: src/cryptsetup.c:2778 src/cryptsetup.c:2808 +msgid "Keyslot specification is required." +msgstr "Specifikation för nyckelplats krävs." + +#: src/cryptsetup.c:2786 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Flaggan --align-payload och --offset kan inte kombineras." + #: src/cryptsetup.c:2789 -#, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Auto-identifierade aktiv dm-enhet ”%s” för dataenheten %s.\n" +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "Flaggan --integrity-no-wipe kan endast användas för åtgärden formatera med integritetsutökningar." -#: src/cryptsetup.c:2793 -#, c-format -msgid "Device %s is not a block device.\n" -msgstr "Enheten %s är inte en giltig blockenhet.\n" +#: src/cryptsetup.c:2792 +msgid "Only one of --use-[u]random options is allowed." +msgstr "Endast en av flaggorna --use-[u]random är tillåten." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Misslyckades med att identifiera kopplingarna till enhet %s." +#: src/cryptsetup.c:2800 +msgid "Key size is required with --unbound option." 
+msgstr "Nyckelstorlek krävs med flaggan --unbound." -#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Det går inte att avgöra om enheten %s är aktiverade eller ej.\n" -"Är du säker på att du vill fortsätta kryptera om i frånkopplat läge?\n" -"Det kan leda till datakorruption om enheten är aktiverad.\n" -"För att kryptera om i uppkopplat läge, använd istället flaggan --active-name.\n" +#: src/cryptsetup.c:2819 +msgid "Invalid token action." +msgstr "Ogiltig tokenåtgärd." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Kryptering stöds endast för formatet LUKS2." +#: src/cryptsetup.c:2822 +msgid "--key-description parameter is mandatory for token add action." +msgstr "parametern --key-description krävs för åtgärden lägg till token." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Kryptering utan frånkopplat huvud (--header) är inte möjligt utan att minska datastorleken på enheten (--reduce-device-size)." +#: src/cryptsetup.c:2826 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Åtgärden kräver specifik token. Använd parametern --token-id." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." -msgstr "Begärd dataförskjutning måste vara mindre än, eller lika med halva av parametern --reduce-device-size." 
- -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Justera värdet av --reduce-device-size-värdet till dubbla --offset %<PRIu64> (sektorer).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Identifierade LUKS-enhet på %s. Vill du kryptera LUKS-enheten igen?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Tillfällig huvudfil %s finns redan. Avbryter." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Det går inte att skapa tillfällig huvudfil %s." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "LUKS2-metadatastorleken är större än dataskift-värdet." - -#: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Misslyckades med att placera ny header i början på enheten %s." - -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s är nu aktiv och redo för uppkopplad kryptering.\n" - -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "LUKS2-dekryptering stöds endast för enheter med fristående header (med data-offset satt till 0)." - -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Inte nog med fria nyckelplatser för omkryptering." - -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Nyckelfil kan endast användas med --key-slot eller precis en aktiv nyckelplats." 
- -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Ange lösenfras för nyckelplats %d: " - -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Ange lösenfras för nyckelplats %u: " - -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Byter krypteringschiffer till %s.\n" - -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Kommandot kräver en enhet som argument." - -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "Stödjer endast LUKS2-formatet. Använd verktyget cryptsetup-reencrypt för LUKS1." - -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Föråldrad frånkopplad omkryptering pågår redan. Använd verktyget cryptsetup-reencrypt." - -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Kryptering för enhet med integritetsprofil stöds ej." - -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "LUKS2-omkryptering är redan initierad. Avbryter åtgärd." - -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "LUKS2-enheten är inte i omkryptering." 
- -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:2840 msgid "<device> [--type <type>] [<name>]" msgstr "<enhet> [--type <typ>] [<namn>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:2840 src/veritysetup.c:487 src/integritysetup.c:535 msgid "open device as <name>" msgstr "öppna enhet som <namn>" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:2841 src/cryptsetup.c:2842 src/cryptsetup.c:2843 +#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<namn>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:2841 src/veritysetup.c:488 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "stäng enhet (ta bort mappning)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:2842 src/integritysetup.c:539 msgid "resize active device" msgstr "ändra storlek på aktiv enhet" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:2843 msgid "show device status" msgstr "visa enhetsstatus" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:2844 msgid "[--cipher <cipher>]" msgstr "[--cipher <chiffer>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:2844 msgid "benchmark cipher" msgstr "prestandamät chiffer" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:2845 src/cryptsetup.c:2846 src/cryptsetup.c:2847 +#: src/cryptsetup.c:2848 src/cryptsetup.c:2849 src/cryptsetup.c:2856 +#: src/cryptsetup.c:2857 src/cryptsetup.c:2858 src/cryptsetup.c:2859 +#: src/cryptsetup.c:2860 
src/cryptsetup.c:2861 src/cryptsetup.c:2862 +#: src/cryptsetup.c:2863 src/cryptsetup.c:2864 msgid "<device>" msgstr "<enhet>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:2845 msgid "try to repair on-disk metadata" msgstr "försök att reparera metadata på disken" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:2846 msgid "reencrypt LUKS2 device" msgstr "omkryptering av LUKS2-enhet" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:2847 msgid "erase all keyslots (remove encryption key)" msgstr "ta bort alla nyckelplatser (ta bort krypteringsnyckeln)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:2848 msgid "convert LUKS from/to LUKS2 format" msgstr "konvertera LUKS från/till LUKS2-format" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:2849 msgid "set permanent configuration options for LUKS2" msgstr "ange permanenta konfigurationsflaggor för LUKS2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:2850 src/cryptsetup.c:2851 msgid "<device> [<new key file>]" msgstr "<enhet> [<ny nyckelfil>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:2850 msgid "formats a LUKS device" msgstr "formaterar en LUKS-enhet" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:2851 msgid "add key to LUKS device" msgstr "lägg till nyckel till LUKS-enhet" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:2852 src/cryptsetup.c:2853 src/cryptsetup.c:2854 msgid "<device> [<key file>]" msgstr "<enhet> [<nyckelfil>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:2852 msgid "removes supplied key or key file from LUKS device" msgstr "tar bort angiven nyckel eller nyckelfil från LUKS-enhet" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:2853 msgid "changes supplied key or key file of LUKS device" msgstr "ändrar angiven nyckel eller nyckelfil för LUKS-enhet" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:2854 msgid "converts a key to new pbkdf parameters" msgstr "konverterar en nyckel till nya pbkdf-parametrar" -#: src/cryptsetup.c:3513 +#: 
src/cryptsetup.c:2855 msgid "<device> <key slot>" msgstr "<enhet> <nyckelplats>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:2855 msgid "wipes key with number <key slot> from LUKS device" msgstr "rensar nyckeln med nummer <nyckelplats> från LUKS-enhet" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:2856 msgid "print UUID of LUKS device" msgstr "skriv ut UUID för LUKS-enhet" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:2857 msgid "tests <device> for LUKS partition header" msgstr "testar <enhet> för LUKS-partitionshuvud" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:2858 msgid "dump LUKS partition information" msgstr "skriver ut information om LUKS-partition" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:2859 msgid "dump TCRYPT device information" msgstr "skriver ut information om TCRYPT-partition" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:2860 msgid "dump BITLK device information" msgstr "skriv ut BITLK-enhetsinformation" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:2861 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Försätt LUKS-enhet i vänteläge och rensa nyckel (alla in-/ut-åtgärder är frusna)" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:2862 msgid "Resume suspended LUKS device" msgstr "Återuppta LUKS-enhet i vänteläge" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:2863 msgid "Backup LUKS device header and keyslots" msgstr "Säkerhetskopiera huvud och nyckelplatser från LUKS-enhet" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:2864 msgid "Restore LUKS device header and keyslots" msgstr "Återställ huvud och nyckelplatser för LUKS-enhet" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:2865 msgid "<add|remove|import|export> <device>" msgstr "<läggtill|tabort|importera|exportera> <enhet>" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:2865 msgid "Manipulate LUKS2 tokens" msgstr "Manipulera LUKS2-token" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:2884 src/veritysetup.c:505 
src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" @@ -2410,7 +2503,7 @@ msgstr "" "\n" "<åtgärd> är en av:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:2890 msgid "" "\n" "You can also use old <action> syntax aliases:\n" @@ -2422,7 +2515,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkOpen\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:2894 #, c-format msgid "" "\n" @@ -2437,7 +2530,7 @@ msgstr "" "<nyckelplats> är numret för LUKS-nyckelplatsen att ändra\n" "<nyckelfil> valfri nyckelfil för den nya nyckeln för luksAddKey-åtgärden\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:2901 #, c-format msgid "" "\n" @@ -2446,7 +2539,7 @@ msgstr "" "\n" "Inkompilerat standardmetadataformat är %s (för luksFormat-åtgärd).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:2906 src/cryptsetup.c:2909 #, c-format msgid "" "\n" @@ -2455,20 +2548,20 @@ msgstr "" "\n" "Stöd för externa LUKS2-insticksmoduler är %s.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:2906 msgid "compiled-in" msgstr "inkompilerad" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:2907 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Sökväg för externa LUKS2-insticksmoduler är %s.\n" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:2909 msgid "disabled" msgstr "inaktiverad" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:2913 #, c-format msgid "" "\n" @@ -2485,7 +2578,7 @@ msgstr "" "Standard-PBKDF för LUKS2: %s\n" "\tIterationstid: %d, Minne: %dkB, Parallella trådar: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:2924 #, c-format msgid "" "\n" 
@@ -2500,206 +2593,96 @@ msgstr "" "\tplain: %s, Nyckel: %d bitar, Lösenordshashning: %s\n" "\tLUKS1: %s, Nyckel: %d bitar, LUKS-huvudhashning %s, RNG: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:2933 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Standardnyckelstorlek med XTS-läge (två interna nycklar) kommer att dubbleras.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:2951 src/veritysetup.c:644 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: kräver %s som argument" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:2997 src/utils_reencrypt_luks1.c:1194 msgid "Key slot is invalid." msgstr "Nyckelplatsen är ogiltig." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3024 msgid "Device size must be multiple of 512 bytes sector." msgstr "Enhetsstorlek måste vara en multipel av sektor på 512-byte." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3029 msgid "Invalid max reencryption hotzone size specification." msgstr "Ogiltig högsta storlekspecifikation för varm zon-omkryptering." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3043 src/cryptsetup.c:3055 msgid "Key size must be a multiple of 8 bits" msgstr "Nyckelstorlek måste vara en multipel av 8 bitar" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3060 msgid "Maximum device reduce size is 1 GiB." msgstr "Högsta förminskningsstorlek för enhet är 1 GiB." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3063 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Minskningsstorlek måste vara en multipel av 512-bytesektor." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3080 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Flaggan --priority kan endast vara ignore/normal/prefer." 
-#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3099 src/veritysetup.c:568 src/integritysetup.c:634 msgid "Show this help message" msgstr "Visa detta hjälpmeddelande" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3100 src/veritysetup.c:569 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Visa kort information om användning" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3101 src/veritysetup.c:570 src/integritysetup.c:636 msgid "Print package version" msgstr "Skriv ut paketversion" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3112 src/veritysetup.c:581 src/integritysetup.c:647 msgid "Help options:" msgstr "Hjälpflaggor:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3132 src/veritysetup.c:599 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[FLAGGA…] <åtgärd> <åtgärdsspecifik>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3141 src/veritysetup.c:608 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Argumentet <åtgärd> saknas." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3211 src/veritysetup.c:639 src/integritysetup.c:706 msgid "Unknown action." msgstr "Okänd åtgärd." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Flaggorna --refresh och --test-passphrase är ömsesidigt uteslutande." - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." 
-msgstr "Flaggorna --cancel-deferred och --deferred går inte att använda samtidigt." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Flaggan --shared är endast tillåten för öppning av plain-enhet." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Flaggan --persistent är ej tillåtet med --test-passphrase." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Flaggan --integrity-no-wipe kan endast användas för åtgärden formatera med integritetsutökningar." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Flaggan --test-passphrase är endast tillåten för open för LUKS-, TCRYPT-, och BITLK-enheter." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3229 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Flaggan --key-file åsidosätter specificerade nyckelfilsargument." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3235 msgid "Only one --key-file argument is allowed." msgstr "Endast ett argument för --key-file är tillåtet." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Endast en av flaggorna --use-[u]random är tillåten." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Flaggan --align-payload och --offset kan inte kombineras." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "Flaggan --skip stöds endast för öppning av plain-enheter och loopaes-enheter." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." 
-msgstr "Flaggan --offset med åtgärden öppna stöds endast för öppning av plain-enheter och loopaes-enheter." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Flaggorna --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup stöds endast på TCRYPT-enhet." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Flaggan --tcrypt-hidden kan inte kombineras med --allow-discards." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Flaggan --veracrypt eller --disable-veracrypt stöds endast för TCRYPT-enhetstyper." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Flaggan --veracrypt-pim stöds endast för VeraCrypt-kompatibla enheter." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Flaggan --veracrypt-query-pim stöds endast för VeraCrypt-kompatibla enheter." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Flaggorna --veracrypt-pim och --veracrypt-query-pim är ömsesidigt uteslutande." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Specifikation för nyckelplats krävs." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3240 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Password-based key derivation function (PBKDF) kan endast vara pbkdf2 eller argon2i/argon2id." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3245 msgid "PBKDF forced iterations cannot be combined with iteration time option." 
msgstr "Tvingade PBKDF-iterationer går inte att kombinera med flaggan iteration time." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Flaggan för sektorstorlek med åtgärden öppna stöds endast för plain-enheter." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Flaggan för stora IV-sektorer stöds endast för att öppna enheter av plain-typ med sektorstorlek större än 512 byte." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "Nyckelstorlek krävs med flaggan --unbound." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "LUKS2-dekryptering kräver flaggan --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Flaggan --reduce-device-size och --data-size kan inte kombineras." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Flaggan --device-size och --size kan inte kombineras." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3256 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Flaggorna --keyslot-cipher och --keyslot-key-size måste användas tillsammans." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3264 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Ingen åtgärd utfördes. Startades med flaggan --test-args\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "Ogiltig tokenåtgärd." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "parametern --key-description krävs för åtgärden lägg till token." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "Åtgärden kräver specifik token. Använd parametern --token-id." 
- -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3277 msgid "Cannot disable metadata locking." msgstr "Det går inte att inaktivera metadatalås." 
@@ -2727,67 +2710,72 @@ msgstr "Kan inte skapa root-hashfil %s för skrivning." msgid "Cannot write to root hash file %s." msgstr "Det går inte att skriva till root-hash-filen %s." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:196 src/veritysetup.c:472 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "Enheten %s är inte en giltig VERITY-enhet." + +#: src/veritysetup.c:213 src/veritysetup.c:230 #, c-format msgid "Cannot read root hash file %s." msgstr "Det går inte att läsa rot-hash-filen %s." -#: src/veritysetup.c:215 +#: src/veritysetup.c:218 #, c-format msgid "Invalid root hash file %s." msgstr "Ogiltig rothashsträng %s." -#: src/veritysetup.c:236 +#: src/veritysetup.c:239 msgid "Invalid root hash string specified." msgstr "Angav ogiltig rothashsträng." -#: src/veritysetup.c:244 +#: src/veritysetup.c:247 #, c-format msgid "Invalid signature file %s." msgstr "Ogiltig signaturfil %s." -#: src/veritysetup.c:251 +#: src/veritysetup.c:254 #, c-format msgid "Cannot read signature file %s." msgstr "Det går inte att läsa signaturfilen %s." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:277 src/veritysetup.c:291 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "Kommandot kräver <root-hash> eller flaggan --root-hash-file som argument." 
-#: src/veritysetup.c:478 +#: src/veritysetup.c:485 msgid "<data_device> <hash_device>" msgstr "<dataenhet> <hashenhet>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:485 src/integritysetup.c:534 msgid "format device" msgstr "formatera enhet" -#: src/veritysetup.c:479 +#: src/veritysetup.c:486 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<dataenhet> <hashenhet> <root_hash>" -#: src/veritysetup.c:479 +#: src/veritysetup.c:486 msgid "verify device" msgstr "verifiera enhet" -#: src/veritysetup.c:480 +#: src/veritysetup.c:487 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<dataenhet> <namn> <hashenhet> [<root_hash>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:489 src/integritysetup.c:537 msgid "show active device status" msgstr "visa statistik för aktiv enhet" -#: src/veritysetup.c:483 +#: src/veritysetup.c:490 msgid "<hash_device>" msgstr "<hash_enhet>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:490 src/integritysetup.c:538 msgid "show on-disk information" msgstr "visa information från disk" -#: src/veritysetup.c:502 +#: src/veritysetup.c:509 #, c-format msgid "" "\n" @@ -2802,7 +2790,7 @@ msgstr "" "<hashenhet> är enheten som innehåller verifieringsdata\n" "<rothash> hash för rotnoden på <hashenhet>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:516 #, c-format msgid "" "\n" 
@@ -2813,28 +2801,46 @@ msgstr "" "Inkompilerade standardparametrar för dm-verity:\n" "\tHash: %s, Datablock (byte): %u, Hashblock (byte): %u, Saltstorlek: %u, Hashformat: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:654 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Flaggorna --ignore-corruption och --restart-on-corruption kan inte användas tillsammans." -#: src/veritysetup.c:651 +#: src/veritysetup.c:659 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Det går inte att använda flaggorna --panic-on-corruption och --restart-on-corruption tillsammans." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Det här kommer oåterkalligen tatt skriva över data på %s och %s.\n" +"För att bevara dataenheten använd flaggan --no-wipe (och aktivera sedan med --integrity-recalculate).:w " + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formaterad med taggstorlek %u, intern integritet %s.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "Att sätta flaggan för att räkna om stöds ej, överväg att använda --wipe istället." + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "Enheten %s är inte en giltig INTEGRITY-enhet." 
+ +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<integrity_enhet>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<integritet_enhet> <namn>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2845,7 +2851,7 @@ msgstr "" "<namn> är enheten att skapa under %s\n" "<integritetsenhet> är enheten som innehåller data med integritetstaggar\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2859,241 +2865,44 @@ msgstr "" "\tMaximal nyckelfilstorlek: %dkB\n" "\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Ogiltig --%s-storlek. Maximal storlek är %u byte." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Både flaggor för nyckelfil och nyckelstorlek måste specifiiceras." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Både flaggor för nyckelfil för journalintegritet och nyckelstorlek måste specificeras." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Integritetsalgoritm för journal måste anges om integritetsnyckel för journal används." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Både flaggor för nyckelfil för journalkryptering och nyckelstorlek måste specificeras." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Krypteringsalgoritm för journal måste anges om integritetsnyckel för journal används." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Flaggorna för återställning- och bitmap-läge är ömsesidigt uteslutande." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "Det går inte att använda journalflaggor i bitmap-läge." -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." msgstr "Flaggan för integritet kan endast användas i bitmap-läge." 
-#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Omkryptering pågår redan." - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "Kan inte öppna %s exklusivt, enheten används." - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "Misslyckades med allokering av justerat minne." - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "Det går inte att läsa enheten %s." - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "Markerar LUKS1-enhet %s som oanvändbar." - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "Sätter LUKS2-flaggan för att kryptera om på enheten %s." - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "Det går inte att skriva till enheten %s." - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "Det går inte att skriva loggfil för omkryptering." - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "Det går inte att läsa loggfil för omkryptering." - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Fel loggformat." - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "Loggfilen %s existerar, återupptar kryptering.\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "Aktiverar temporär enhet användandes gammalt LUKS-huvud." - -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "Aktiverar temporär enhet användandes nytt LUKS-huvud." - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." 
-msgstr "Aktivering av temporära enheter misslyckades." - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "Misslyckades med att sätta dataoffset." - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "Misslyckades med att sätta metadatastorlek." - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "Skapade nytt LUKS-huvud för enhet %s." - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Denna version av cryptsetup-reencrypt kan inte hantera ny interna tokentypen %s." - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "Misslyckades med att läsa aktiveringsflaggor från säkerhetskopia av huvud." - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "Misslyckades med att skriva aktiveringsflaggor till nytt huvud." - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "Misslyckades med att läsa krav från säkerhetskopiehuvud." - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "Skapade säkerhetskopia av %s-huvud på enhet %s." - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "Misslyckades med att skapa en säkerhetskopia av LUKS-huvuden." - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "Det går inte återställa %s-huvudet på enheten %s." - -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "Återställde %s-huvudet på enheten %s." - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." 
-msgstr "Misslyckades med att öppna temporär LUKS-enhet." - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "Det går inte att hämta enhetsstorlek." - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "In-/utfel under återkryptering." - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "Angivet UUID är ogiltigt." - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "Det går inte att öppna loggfilen för omkryptering." - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "Ingen dekryptering pågår, givet UUID kan endast användas för att återuppta vilande dekrypteringsprocess." - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "Ändrade pbkdf-parametrarna i nyckelplatsen %i." - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Endast värden mellan 1 MiB och 64 MiB är tillåtna som blockstorlek för omkryptering." - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "Högsta förminskningsstorlek för enhet är 64 MiB." - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[FLAGGA…] <enhet>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "Omkryptering kommer att ändra: %s%s%s%s%s%s." - -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "volymnyckeln" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "sätt hash till " - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", sätt chiffer till " - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Kräver argument." 
- -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "Flaggan --new måste användas tillsammans med --reduce-device-size eller --header." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "Flaggan --keep-key kan endast användas med --hash, --iter-time eller --pbkdf-force-iterations." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "Flaggan --new kan inte användas tillsammans med --decrypt." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "Flaggan --decrypt är inkompatibel med specificerade parametrar." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "Flaggan --uuid är endast tillåten tillsammans med --decrypt." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Ogiltig luks-typ. Använd en av dessa: 'luks', 'luks1' or 'luks2'." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3104,7 +2913,7 @@ msgstr "" "========\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3115,147 +2924,173 @@ msgstr "" "\n" "Är du säker (Ange 'yes' i versaler): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Fel vid läsning av svar från terminal." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Kommandot lyckades." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "fel eller saknar parametrar" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "ingen behörighet eller dålig lösenfras" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "slut på minne" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "angav fel enhet eller fil" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "enheten existerar redan eller så är enheten upptagen" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "okänt fel" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "Kommandot misslyckades med kod %i (%s)." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Nyckelplats %i är ändrad." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Nyckelplats %i är upplåst." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Nyckelplats %i är upplåst." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Token %i används." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Token %i används." -#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." 
msgstr "Ingen token kunde låsas upp med denna PIN." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Token %i kräver PIN." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Token (type %s) kräver PIN." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Token %i kan inte låsa upp tilldelade nyckelplatser (felaktigt lösenord)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Token (typ %s) kan inte låsa upp tilldelade nyckelplatser (felaktigt lösenord)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Token %i kräver en saknad resurs." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Token (typ %s) kräver en saknad resurs." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Ingen användbar token (typ %s) tillgänglig." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Ingen användbar token tillgänglig." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Skrivning avbruten." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Omkryptering avbryten." - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." msgstr "Det går inte att läsa nyckelfilen %s." -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Det går inte att läsa %d byte från nyckelfilen %s." 
-#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Det går inte att öppna nyckelfilen %s för skrivning." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Det går inte att skriva till nyckelfilen %s." +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>t%02<PRIu64>m%02<PRIu64>s" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> dagar" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "skrev %4<PRIu64> %s" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "hastighet %5.1f %s/s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Förlopp: %5.1f%%, ETA %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Avslutad, tid %s, %s, %s\n" + #: src/utils_password.c:41 src/utils_password.c:74 #, c-format msgid "Cannot check password quality: %s" 
@@ -3275,54 +3110,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Misslyckades med kvalitetskontroll av lösenord: Dålig lösenfras (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Fel vid läsning av lösenfras från terminal." -#: src/utils_password.c:236 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Verifiera lösenfras: " -#: src/utils_password.c:243 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Lösenfraserna stämmer inte överens." -#: src/utils_password.c:280 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Det går inte att använda offset med terminalinmatning." -#: src/utils_password.c:283 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Ange lösenfras: " -#: src/utils_password.c:286 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Ange lösenfras för %s: " -#: src/utils_password.c:317 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Ingen nyckel finns tillgänglig med denna lösenfras." -#: src/utils_password.c:319 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Ingen tillgänglig användbar nyckelplats." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Kan inte verifiera lösenfras på icke-tty-ingångar." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Misslyckades med att öppna filen %s i skrivskyddat läge." -#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Tillhandahåll giltig JSON för LUKS2-token:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "Misslyckades med att läsa in JSON-filen." 
-#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3330,12 +3169,12 @@ msgstr "" "\n" "Läsning avbryten." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Misslyckades med att öppna filen %s in skrivläge." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3343,54 +3182,409 @@ msgstr "" "\n" "Skrivning avbruten." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Misslyckades med att skriva JSON-fil." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Auto-identifierade aktiv dm-enhet ”%s” för dataenheten %s.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Misslyckades med att identifiera kopplingarna till enhet %s." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Enheten %s är inte en giltig blockenhet.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Det går inte att avgöra om enheten %s är aktiverade eller ej.\n" +"Är du säker på att du vill fortsätta kryptera om i frånkopplat läge?\n" +"Det kan leda till datakorruption om enheten är aktiverad.\n" +"För att kryptera om i uppkopplat läge, använd istället flaggan --active-name.\n" + +#: src/utils_reencrypt.c:175 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Enheten är inte under LUKS2-omkryptering. Motsägelsefull flagga --encrypt." + +#: src/utils_reencrypt.c:180 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Enheten är inte i LUKS2-dekryptering. Motsägelsefull flagga --decrypt." + +#: src/utils_reencrypt.c:187 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Enheten är under omkryptering med dataskiftåterhämtning. Begärd flagga --resillence kan inte tillämpas." 
+ +#: src/utils_reencrypt.c:193 src/utils_reencrypt.c:199 +#: src/utils_reencrypt.c:205 src/utils_reencrypt.c:681 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Begärd flagga --resilience kan inte tillämpas på aktuell omkrypteringsåtgärd." + +#: src/utils_reencrypt.c:258 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Enheten kräver omkrypteringsåterställning. Starta repair först." + +#: src/utils_reencrypt.c:268 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Enheten %s är redan under LUKS2-omkryptering. Vill du återuppta tidigare intierad åtgärd?" + +#: src/utils_reencrypt.c:314 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Stöder inte längre föråldrad LUKS2-omkryptering." + +#: src/utils_reencrypt.c:379 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Kryptering för enhet med integritetsprofil stöds ej." + +#: src/utils_reencrypt.c:410 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." +msgstr "" +"Begärde --sector-size %<PRIu32> är inkompatibel med superblock %s\n" +"(blockstorlek: %<PRIu32> byte) identifierad på enheten %s." + +#: src/utils_reencrypt.c:455 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Kryptering utan frånkopplat huvud (--header) är inte möjligt utan att minska datastorleken på enheten (--reduce-device-size)." + +#: src/utils_reencrypt.c:461 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Begärd dataförskjutning måste vara mindre än, eller lika med halva av parametern --reduce-device-size." 
+ +#: src/utils_reencrypt.c:471 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Justera värdet av --reduce-device-size-värdet till dubbla --offset %<PRIu64> (sektorer).\n" + +#: src/utils_reencrypt.c:501 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Tillfällig huvudfil %s finns redan. Avbryter." + +#: src/utils_reencrypt.c:503 src/utils_reencrypt.c:510 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Det går inte att skapa tillfällig huvudfil %s." + +#: src/utils_reencrypt.c:535 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "LUKS2-metadatastorleken är större än dataskift-värdet." + +#: src/utils_reencrypt.c:572 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Misslyckades med att placera ny header i början på enheten %s." + +#: src/utils_reencrypt.c:582 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s är nu aktiv och redo för uppkopplad kryptering.\n" + +#: src/utils_reencrypt.c:618 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Aktiva enheten: %s är inte LUKS2." + +#: src/utils_reencrypt.c:646 +msgid "Restoring original LUKS2 header." +msgstr "Återställer ursprungligt LUKS2-huvud." + +#: src/utils_reencrypt.c:654 +msgid "Original LUKS2 header restore failed." +msgstr "Misslyckades med återställning av ursprungligt LUKS2-huvud." + +#: src/utils_reencrypt.c:722 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Misslyckades med att läsa/skriva behörighetsflaggor till exporterad huvudfil." + +#: src/utils_reencrypt.c:775 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Misslyckades med initiering av omkryptering. Säkerhetskopian av huvudet är tillgänglig i %s." 
+ +#: src/utils_reencrypt.c:803 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "LUKS2-dekryptering stöds endast för enheter med fristående header (med data-offset satt till 0)." + +#: src/utils_reencrypt.c:934 src/utils_reencrypt.c:943 +msgid "Not enough free keyslots for reencryption." +msgstr "Inte nog med fria nyckelplatser för omkryptering." + +#: src/utils_reencrypt.c:964 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "Nyckelfil kan endast användas med --key-slot eller precis en aktiv nyckelplats." + +#: src/utils_reencrypt.c:973 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Ange lösenfras för nyckelplats %d: " + +#: src/utils_reencrypt.c:985 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Ange lösenfras för nyckelplats %u: " + +#: src/utils_reencrypt.c:1037 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Byter krypteringschiffer till %s.\n" + +#: src/utils_reencrypt.c:1091 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Inga parametrar för datasegment ändrades. Omkryptering avbruten." + +#: src/utils_reencrypt.c:1187 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Ökning av sektorstorlek för kryptering på en frånkopplad enhet stöds ej.\n" +"Aktivera enheten för eller använd flaggan --force-offline-reencrypt (farligt!)." + +#: src/utils_reencrypt.c:1227 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Omkryptering avbryten." 
+ +#: src/utils_reencrypt.c:1232 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Återupptar LUKS-omkryptering i tvingat frånkopplat läge.\n" + +#: src/utils_reencrypt.c:1249 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "Enheten %s innehåller felaktig LUKS-metadata. Avbryter åtgärden." + +#: src/utils_reencrypt.c:1265 src/utils_reencrypt.c:1287 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "Enheten %s är redan en LUKS-enhet. Avbryter åtgärd." + +#: src/utils_reencrypt.c:1293 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "Enheten %s är redan i LUKS-omkryptering. Avbryter åtgärd." + +#: src/utils_reencrypt.c:1366 +msgid "LUKS2 decryption requires --header option." +msgstr "LUKS2-dekryptering kräver flaggan --header." + +#: src/utils_reencrypt.c:1414 +msgid "Command requires device as argument." +msgstr "Kommandot kräver en enhet som argument." + +#: src/utils_reencrypt.c:1427 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Versionskonflikt. Enheten %s är LUKS1." + +#: src/utils_reencrypt.c:1433 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Versionskonflikt. Enheten %s är under LUKS2-omkryptering." + +#: src/utils_reencrypt.c:1439 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Versionskonflikt. Enheten %s är LUKS2." + +#: src/utils_reencrypt.c:1445 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Versionskonflikt: Enheten %s är under LUKS2-omkryptering." + +#: src/utils_reencrypt.c:1451 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "LUKS2-omkryptering är redan initierad. Avbryter åtgärd." + +#: src/utils_reencrypt.c:1458 +msgid "Device reencryption not in progress." 
+msgstr "Enhetsomkryptering pågår ej" + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "Kan inte öppna %s exklusivt, enheten används." + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "Misslyckades med allokering av justerat minne." + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "Det går inte att läsa enheten %s." + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "Markerar LUKS1-enhet %s som oanvändbar." + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "Det går inte att skriva till enheten %s." + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "Det går inte att skriva loggfil för omkryptering." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "Det går inte att läsa loggfil för omkryptering." + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Fel loggformat." + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "Loggfilen %s existerar, återupptar kryptering.\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Aktiverar temporär enhet användandes gammalt LUKS-huvud." + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Aktiverar temporär enhet användandes nytt LUKS-huvud." + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Aktivering av temporära enheter misslyckades." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "Misslyckades med att sätta dataoffset." 
+ +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "Misslyckades med att sätta metadatastorlek." + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "Skapade nytt LUKS-huvud för enhet %s." + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Skapade säkerhetskopia av %s-huvud på enhet %s." + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "Misslyckades med att skapa en säkerhetskopia av LUKS-huvuden." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "Det går inte återställa %s-huvudet på enheten %s." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Återställde %s-huvudet på enheten %s." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "Misslyckades med att öppna temporär LUKS-enhet." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "Det går inte att hämta enhetsstorlek." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "In-/utfel under återkryptering." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "Angivet UUID är ogiltigt." + +#: src/utils_reencrypt_luks1.c:1220 +msgid "Cannot open reencryption log file." +msgstr "Det går inte att öppna loggfilen för omkryptering." + +#: src/utils_reencrypt_luks1.c:1226 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "Ingen dekryptering pågår, givet UUID kan endast användas för att återuppta vilande dekrypteringsprocess." + +#: src/utils_reencrypt_luks1.c:1280 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." 
+msgstr "Omkryptering kommer att ändra: %s%s%s%s%s%s." + +#: src/utils_reencrypt_luks1.c:1281 +msgid "volume key" +msgstr "volymnyckeln" + +#: src/utils_reencrypt_luks1.c:1283 +msgid "set hash to " +msgstr "sätt hash till " + +#: src/utils_reencrypt_luks1.c:1284 +msgid ", set cipher to " +msgstr ", sätt chiffer till " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "VARNING: Enheten %s innehåller redan en ”%s”-partitionssignatur.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "VARNING: Enheten %s innehåller redan en ”%s”-superblocksignatur.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Misslyckades med att initiera identifiering av enhetssignatur." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Misslyckades med att ta status på enhet %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Enheten %s används. Det går inte att fortsätta med formateringsåtgärden." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Misslyckades med att öppna filen %s i läs-/skrivläge." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Kommer att rensa befintlig ”%s” på enheten %s." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Kommer att rensa befintlig ”%s” på enheten %s." 
-#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Misslyckades med att radera enhetssignatur." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Misslyckades med söka av enheten %s efter en signatur." @@ -3400,16 +3594,16 @@ msgstr "Misslyckades med söka av enheten %s efter en signatur." msgid "Invalid size specification in parameter --%s." msgstr "Ogiltig datastorlekspecifikation i flaggan --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Flaggan --%s tillåts inte med åtgärden --%s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Misslyckades med att skriva ssh-token i json." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3425,110 +3619,110 @@ msgstr "" "\n" "Observera: Information som anges när token läggs till (SSH-serverns, adress, användare och sökvägar) kommer att lagras i LUKS2-headern i klartext." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<åtgärd> <enhet>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Flaggor för åtgärden ”add”:" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "Fjärrserverns IP-adress/URL för denna token" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Användarnamn för fjärrservern" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Sökvägen till nyckelfilen på fjärrservern" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Sökväg till SSH-nyckeln för anslutning till fjärrservern" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Nyckelplats att ange token till. Om ej angiven så kommer token att tilldelas till den första nyckelplats som matchar angivet lösenfras." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Allmänna flaggor:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Visar mer detaljerade felmeddelanden" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Visa felsökningsmeddelanden" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Visa felsökningsmeddelanden inklusive JSON-metadata" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Misslyckades med att öppna och importera privat nyckel:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Misslyckades med att importera privat nyckel (lösenordskyddad?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "%s@%s's lösenord: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Misslyckades med att tolka argument.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "En åtgärd måste anges\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "En enhet måste anges för åtgärden ”%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "SSH-servern måste anges för åtgärden ”%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "SSH-användare måste anges för åtgärden ”%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "SSH-sökväg måste anges för åtgärden ”%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "SSH-nyckelplats måste anges för åtgärden ”%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Misslyckades med att öppna %s med tillhandahållna autentiseringsuppgifter.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Endast åtgärden ”add” stöds för närvarande av denna insticksmodul.\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid 
"Cannot create sftp session: " msgstr "Det går inte att skapa sftp-sessionen: " @@ -3536,6 +3730,10 @@ msgstr "Det går inte att skapa sftp-sessionen: " msgid "Cannot init sftp session: " msgstr "Det går inte att initiera sftp-sessionen: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Det går inte att öppna sftp-sessionen:" + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Det går inte att stat sftp-filen: " 
@@ -3564,6 +3762,81 @@ msgstr "Den öppna nyckelns auth-metod tills inte på värddatorn.\n" msgid "Public key authentication error: " msgstr "Autentiseringsfel för öppen nyckel: " +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Misslyckades med att läsa BITLK-signatur från %s." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Ogiltig eller okänd signatur för BITLK-enhet." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Misslyckades med att radera säkerhetskopia av segmentdata." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Misslyckades med att inaktivera flaggan för omkrypteringskrav." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Kryptering stöds endast för formatet LUKS2." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Identifierade LUKS-enhet på %s. Vill du kryptera LUKS-enheten igen?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Stödjer endast LUKS2-formatet. Använd verktyget cryptsetup-reencrypt för LUKS1." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Föråldrad frånkopplad omkryptering pågår redan. Använd verktyget cryptsetup-reencrypt." + +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "LUKS2-enheten är inte i omkryptering." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Sätter LUKS2-flaggan för att kryptera om på enheten %s." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Denna version av cryptsetup-reencrypt kan inte hantera ny interna tokentypen %s." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Misslyckades med att läsa aktiveringsflaggor från säkerhetskopia av huvud." + +#~ msgid "Failed to read requirements from backup header." 
+#~ msgstr "Misslyckades med att läsa krav från säkerhetskopiehuvud." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Ändrade pbkdf-parametrarna i nyckelplatsen %i." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Endast värden mellan 1 MiB och 64 MiB är tillåtna som blockstorlek för omkryptering." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Högsta förminskningsstorlek för enhet är 64 MiB." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[FLAGGA…] <enhet>" + +#~ msgid "Argument required." +#~ msgstr "Kräver argument." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Flaggan --new måste användas tillsammans med --reduce-device-size eller --header." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Flaggan --keep-key kan endast användas med --hash, --iter-time eller --pbkdf-force-iterations." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Flaggan --new kan inte användas tillsammans med --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "Flaggan --decrypt är inkompatibel med specificerade parametrar." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Flaggan --uuid är endast tillåten tillsammans med --decrypt." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Ogiltig luks-typ. Använd en av dessa: 'luks', 'luks1' or 'luks2'." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Enheten %s används. Det går inte att fortsätta med formateringsåtgärden." + #~ msgid "No free token slot." #~ msgstr "Ingen fri plats för token." 
@@ -4120,9 +4393,6 @@ msgstr "Autentiseringsfel för öppen nyckel: " #~ msgid "Function not available in FIPS mode." #~ msgstr "Funktionen är inte tillgänglig i FIPS-läge." -#~ msgid "Cipher %s is not available." -#~ msgstr "Chiffret %s är inte tillgängligt." - #~ msgid "Key slot %d selected for deletion." #~ msgstr "Nyckelplats %d markerad för borttagning." diff --git a/po/uk.po b/po/uk.po index 3b83693..6b0218f 100644 --- a/po/uk.po +++ b/po/uk.po @@ -2,13 +2,13 @@ # Copyright (C) 2012 Free Software Foundation, Inc. # This file is put in the public domain. # -# Yuri Chornoivan <yurchor@ukr.net>, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021. +# Yuri Chornoivan <yurchor@ukr.net>, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023. msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-11-12 17:12+0200\n" +"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-02 10:48+0200\n" "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n" "Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n" "Language: uk\n" 
@@ -19,67 +19,71 @@ msgstr "" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: Lokalize 20.12.0\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Не можна ініціалізувати device-mapper, якщо програму запущено не від імені адміністратора (root)." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Не вдалося ініціалізувати device-mapper. Чи завантажено модуль ядра dm_mod?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Підтримки бажаного прапорця відкладення, %s, не передбачено." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID для пристрою %s було обрізано." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Невідомий тип призначення dm." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Підтримки вказаних параметрів швидкодії dm-crypt не передбачено." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Підтримки вказаних параметрів обробки пошкоджених даних за допомогою dm-verity не передбачено." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Підтримки вказаного параметра завдань dm-verity не передбачено." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." 
msgstr "Підтримки вказаних параметрів FEC за допомогою dm-verity не передбачено." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Підтримки вказаних параметрів цілісності даних не передбачено." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Підтримки вказаного параметра sector_size не передбачено." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Підтримки потрібного вам автоматичного повторного обчислення міток цілісності не передбачено." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Підтримки відкидання або обрізання не передбачено." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Підтримки вказаного режиму бітової карти цілісності dm не передбачено." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Не вдалося опитати сегмент dm-%s." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" 
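Review bot: The `msgstr` for "Requested deferred flag is not supported." (an unchanged context entry in the `po/uk.po` hunk at `lib/libdevmapper.c:1102`) contains a `%s` conversion that its `msgid` does not have. The call site is not visible here, but if the translated text is passed as the format to a printf-style logger, the Ukrainian locale would consume an argument that was never supplied, which is undefined behaviour in a tool that runs with elevated privileges. The entry carries no `#, c-format` flag, so `msgfmt --check-format` would not compare the two strings. Dropping the placeholder brings the translation back in line with the source string: `msgstr "Підтримки бажаного прапорця відкладення не передбачено."`.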
@@ -87,576 +91,611 @@ msgstr "" "Під час створення ключа тому було вичерпано буфер ентропії системи.\n" "Будь ласка, пересуньте вказівник миші або наберіть якийсь текст у іншому вікні, щоб зібрати додаткові дані на основі випадкових подій.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Створення ключа (виконано %d%%).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Працюємо у режимі FIPS." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Критична помилка під час ініціалізації генератора псевдовипадкових чисел." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "Надійшов запит щодо невідомої якості псевдовипадкових чисел." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Помилка читання з генератора псевдовипадкових чисел." -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Не вдалося ініціалізувати допоміжну програму шифрування генератора псевдовипадкових чисел." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Не вдалося ініціалізувати допоміжну програму шифрування." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Підтримки алгоритму хешування %s не передбачено." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Помилка під час обробки ключа (на основі хешу %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Не вдалося визначити тип пристрою. Несумісна дія з активації пристрою?" 
-#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS." -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS2." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Заповнено всі слоти ключів." -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Слот ключа %d є некоректним, будь ласка, виберіть число від 0 до %d." -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Слот ключа %d заповнено, будь ласка, виберіть інший." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "Розмір пристрою не вирівняно за розміром логічного блоку пристрою." -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "Виявлено заголовок, але об’єм пристрою %s є надто малим." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Підтримки цієї дії для цього типу пристроїв не передбачено." -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "Виконуємо заборонену дію із повторного шифрування." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Не вдалося відкотити метадані LUKS2 у пам'яті." 
+ +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "Пристрій %s не є коректним пристроєм LUKS." + +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Непідтримувана версія LUKS, %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "Пристрій %s є неактивним." -#: lib/setup.c:1447 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Зник основний пристрій для пристрою для шифрування %s." -#: lib/setup.c:1527 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "Некоректні параметри звичайного шифрування." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "Некоректний розмір ключа." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "Підтримки UUID для цього типу шифрування не передбачено." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "Підтримки пристрою від'єднаних метаданих для цього типу шифрування не передбачено." 
-#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Непідтримуваний розмір сектора шифрування." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "Розмір пристрою не вирівняно за вказаним розміром сектора." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "Форматування LUKS без пристрою неможливе." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." msgstr "Потрібне вам вирівнювання даних є несумісним із відступом у даних." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "Увага: відступ у даних виходить за межі поточного доступного пристрою для зберігання даних.\n" - -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "Не можна витирати заголовок на пристрої %s." 
-#: lib/setup.c:1763 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Пристрій %s є надто малим для активації, на ньому не лишиться місця для даних.\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "Увага: спроба активувати пристрій завершиться невдало, у dm-crypt не передбачено підтримки для вказаного розміру сектора шифрування.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Ключ тому є надто малим для шифрування із розширеннями цілісності." -#: lib/setup.c:1856 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Шифрування %s-%s (розмір ключа — %zd бітів) є недоступним." -#: lib/setup.c:1885 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n" msgstr "Увага: розмір метаданих LUKS2 змінено до %<PRIu64> байтів.\n" -#: lib/setup.c:1889 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n" msgstr "Увага: розмір області слотів ключів LUKS2 змінено до %<PRIu64> байтів.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Об’єм пристрою %s є надто малим." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні." 
-#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Не можна форматувати пристрій %s, недостатні права доступу." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "Не вдалося форматувати цілісність для пристрою %s." -#: lib/setup.c:1959 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "Не вдалося форматувати пристрій %s." -#: lib/setup.c:1977 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "Не можна форматувати LOOPAES без пристрою." -#: lib/setup.c:2022 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "Форматування VERITY без пристрою неможливе." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Непідтримуваний тип хешування VERITY, %d." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Непідтримуваний розмір блоку VERITY." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Непідтримуваний відступ хешу VERITY." -#: lib/setup.c:2049 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "Непідтримуваний зсув FEC VERITY." -#: lib/setup.c:2073 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "Область даних перекривається із областю хешу." -#: lib/setup.c:2098 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "Область хешування перекриваються з областю FEC." -#: lib/setup.c:2105 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "Область даних перекривається із областю FEC." 
-#: lib/setup.c:2241 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "Увага: бажаний розмір мітки у %d байтів відрізняється від розміру у результаті %s (%d байтів).\n" -#: lib/setup.c:2320 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Надіслано запит щодо невідомого типу пристрою шифрування, %s." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "Непідтримувані параметри на пристрої %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Невідповідність параметрів на пристрої %s." -#: lib/setup.c:2728 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Невідповідність пристроїв шифрування." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Не вдалося перезавантажити пристрій %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Не вдалося приспати пристрій %s." 
-#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Не вдалося відновити роботу пристрою %s." -#: lib/setup.c:2803 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Критична помилка під час перезавантаження пристрої %s (над пристроєм %s)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Не вдалося перемкнути пристрій %s у режим dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "Неможливо змінити розмір петльового пристрою." -#: lib/setup.c:2958 +#: lib/setup.c:3027 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "УВАГА: уже вказано максимальний розмір або у ядрі не передбачено можливості зміни розміру.\n" + +#: lib/setup.c:3088 +msgid "Resize failed, the kernel doesn't support it." +msgstr "Не вдалося змінити розмір, у ядрі не передбачено підтримки такої дії." + +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "Ви справді хочете змінити UUID пристрою?" -#: lib/setup.c:3034 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "Файл резервної копії заголовка не містить сумісного із LUKS заголовка." -#: lib/setup.c:3150 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "Том %s не є активним." -#: lib/setup.c:3161 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "Том %s вже приспано." -#: lib/setup.c:3174 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." 
msgstr "Підтримки присипляння для пристрою %s не передбачено." -#: lib/setup.c:3176 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "Помилка під час спроби приспати пристрій %s." -#: lib/setup.c:3212 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "Підтримки дії з пробудження для пристрою %s не передбачено." -#: lib/setup.c:3214 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "Помилка під час спроби пробудити пристрій %s." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Том %s не приспано." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Ключ тому не відповідає тому." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому." - -#: lib/setup.c:3585 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "Не вдалося зарезервувати новий слот ключа." -#: lib/setup.c:3771 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "Слот ключа %d є некоректним." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "Слот ключа %d не є активним." 
-#: lib/setup.c:3796 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "Заголовок пристрою перекривається із областю даних." -#: lib/setup.c:4089 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." msgstr "Виконуємо повторне шифрування. Не можна активувати пристрій." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Не вдалося отримати стан блокування для повторного шифрування." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "Тип пристрою не ініціалізовано належним чином." -#: lib/setup.c:4283 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "Пристрій %s вже існує." -#: lib/setup.c:4290 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Неможливо скористатися пристроєм %s, некоректна назва або пристрій усе ще використовується." -#: lib/setup.c:4410 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "Для пристрою зі звичайним шифруванням вказано помилковий ключ тому." -#: lib/setup.c:4526 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." msgstr "Для пристрою перевірки вказано помилковий кореневий хеш." -#: lib/setup.c:4533 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "Потрібен хеш-підпис кореневої теки." -#: lib/setup.c:4542 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." 
msgstr "Немає сховища ключів ядра: це сховище потрібне для передавання підпису ядру." -#: lib/setup.c:4559 lib/setup.c:6084 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "Не вдалося завантажити ключ до сховища ключів ядра." -#: lib/setup.c:4615 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Не вдалося скасувати відкладене вилучення з пристрою %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Пристрій %s все ще використовується." -#: lib/setup.c:4647 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "Некоректний пристрій %s." -#: lib/setup.c:4763 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "Буфер ключів тому є занадто малим." -#: lib/setup.c:4771 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS2." + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS1." + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "Неможливо отримати ключ тому для пристрою зі звичайним шифруванням." -#: lib/setup.c:4788 +#: lib/setup.c:4952 msgid "Cannot retrieve root hash for verity device." msgstr "Не вдалося отримати кореневий хеш для пристрою VERITY." -#: lib/setup.c:4792 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Неможливо отримати ключ тому для пристрою BITLK." + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Неможливо отримати ключ тому для пристрою FVAULT2." 
+ +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Підтримки цієї дії для шифрованого пристрою %s не передбачено." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "Підтримки дії зі створення дампу для цього типу пристроїв не передбачено." -#: lib/setup.c:5337 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Зсув у даних не є кратним до %u байтів." -#: lib/setup.c:5622 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Не можна перетворити пристрій %s, який перебуває у користуванні." -#: lib/setup.c:5941 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Не вдалося прив'язати слот ключа %u як новий ключ тому." -#: lib/setup.c:6014 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Не вдалося ініціалізувати типові параметри слоту ключів LUKS2." -#: lib/setup.c:6020 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Не вдалося прив'язати слот ключа %d до контрольної суми." -#: lib/setup.c:6151 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому." + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "У ядрі не передбачено підтримки сховища ключів ядра." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів (помилка %d)." -#: lib/setup.c:6185 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." 
msgstr "Не вдалося створити загальне блокування серіалізації доступу до пам'яті." -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "Не вдалося отримати значення пріоритетності процесу." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Не вдалося розблокувати пам’ять." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Не вдалося відкрити файл ключа." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Не вдалося прочитати файл ключа з термінала." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Не вдалося отримати статистичні дані щодо файла ключа." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Не вдалося встановити потрібну позицію у файлі ключа." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "Під час читання пароля вичерпано пам’ять." -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Помилка під час читання пароля." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Нічого читати з вхідних даних." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Перевищено максимальний розмір файла ключа." -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "Не вдалося прочитати бажаний об’єм даних." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." 
msgstr "Пристрою %s не існує або доступ до цього пристрою заборонено." -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "Пристрій %s є сумісним." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Ігноруємо фіктивний розмір optimal-io для пристрою даних (%u байтів)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least %<PRIu64> bytes." msgstr "Обсяг пристрою %s є надто малим. Потрібно принаймні %<PRIu64> байтів." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Не можна використовувати пристрій %s, оскільки його вже використано (призначено або змонтовано)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Не можна скористатися пристроєм %s, недостатні права доступу." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "Не вдалося отримати дані щодо пристрою %s." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Не можна використовувати петльовий пристрій, програму запущено не від імені адміністративного користувача (root)." -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Спроба долучення петльового пристрою зазнала невдачі (потрібен петльовий пристрій з встановленим прапорцем автоматичного спорожнення)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Бажана точка відступу перебуває за межами об’єму пристрою %s." 
-#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Об’єм пристрою %s є нульовим." 
@@ -710,40 +749,35 @@ msgstr "Вказана кількість паралельних потоків msgid "Only PBKDF2 is supported in FIPS mode." msgstr "У режимі FIPS передбачено підтримку лише PBKDF2." -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:175 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Тестування PBKDF вимкнено, але кількість ітерацій не встановлено." -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:194 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Несумісні параметри PBKDF2 (з використанням алгоритму хешування %s)." -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:214 msgid "Not compatible PBKDF options." msgstr "Несумісні параметри PBKDF." -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "Блокування перервано. Шлях блокування %s/%s є непридатним для користування (не є каталогом або його не вказано)." -#: lib/utils_device_locking.c:109 -#, c-format -msgid "Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "Буде створено каталог блокування %s/%s із типовими вбудованими правами доступу." - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Блокування перервано Шлях блокування %s/%s є непридатним для користування (%s не є каталогом)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Не вдалося встановити вказану позицію на пристрої." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:247 #, c-format msgid "Device wipe error, offset %<PRIu64>." msgstr "Помилка витирання пристрою, зсув %<PRIu64>." 
@@ -765,9 +799,9 @@ msgstr "Розмір ключа у режимі XTS має бути рівним msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "Специфікацію шифрування слід вказувати так: [алгоритм]-[режим]-[iv]." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Не вдалося виконати запис на пристрій %s, недостатні права доступу." 
@@ -780,23 +814,24 @@ msgstr "Не вдалося відкрити пристрій тимчасово msgid "Failed to access temporary keystore device." msgstr "Не вдалося отримати доступ до пристрою тимчасового сховища ключів." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "Помилка введення-виведення під час шифрування слоту ключів." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Не вдалося відкрити пристрій %s." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "Помилка введення-виведення під час розшифрування слоту ключів." 
@@ -812,65 +847,54 @@ msgstr "Обсяг пристрою %s є надто малим. (LUKS1 потр msgid "LUKS keyslot %u is invalid." msgstr "Слот ключа LUKS %u є некоректним." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "Пристрій %s не є коректним пристроєм LUKS." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "Потрібний вам файл резервної копії заголовка, %s, вже існує." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "Не вдалося створити файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "Не вдалося записати файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "Файл резервної копії не містить коректного заголовка LUKS." 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "Не вдалося відкрити файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "Не вдалося прочитати дані з файла резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "Відступ у даних або розмір ключа на пристрої і у резервній копії є різними. Відновлення неможливе." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Пристрій %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "не містить заголовка LUKS. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "вже містить заголовок LUKS. Заміна заголовка призведе до руйнування вже створених слотів ключів." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" 
@@ -878,126 +902,130 @@ msgstr "" "\n" "ПОПЕРЕДЖЕННЯ: заголовок, що зберігається на пристрої, має інший UUID, ніж заголовок у резервній копії!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Нестандартний розмір ключа, слід виправити дані вручну." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Нестандартне вирівнювання слотів ключів, слід виправити дані вручну." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Виправлений режим шифрування (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Виправлений хеш шифрування малими літерами (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Підтримки бажаного хешування LUKS, %s, не передбачено." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Виправлення слотів ключів." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Слот ключа %i: виправлено відступ (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Слот ключа %i: виправлено смужки (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Слот ключа %i: зайвий підпис розділу." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Слот ключа %i: дані ініціалізації (сіль) витерто." 
-#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Запис заголовка LUKS на диск." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Спроба виправлення зазнала невдачі." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Режим шифрування LUKS %s є некоректним." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "Хеш-сума LUKS %s є некоректною." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "У заголовку LUKS не виявлено жодних проблем." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Помилка під час оновлення заголовка LUKS на пристрої %s." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Помилка під час спроби повторного читання заголовка LUKS після оновлення на пристрої %s." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Відступ даних для заголовка LUKS має бути або рівним нулеві, або перевищувати розмір заголовка." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "Вказано UUID LUKS у помилковому форматі." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." 
msgstr "Не вдалося створити заголовок LUKS: помилка читання випадкових даних для ініціалізації." -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Не вдалося створити заголовок LUKS: помилка під час обчислення контрольної суми заголовка (з використанням хешу %s)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "Слот ключа %d є активним. Його слід спочатку спорожнити." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Ентропія даних слота ключа %d є надто низькою. Маніпуляції з заголовком?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Переповнення значення ітерації PBKDF2." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Не вдалося відкрити слот ключа (за допомогою хешу %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Слот ключа %d є некоректним, будь ласка, виберіть слот ключа з номером від 0 до %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Не вдалося витерти пристрій %s." 
@@ -1018,215 +1046,233 @@ msgstr "Виявлено несумісний з loop-AES файл ключа." msgid "Kernel does not support loop-AES compatible mapping." msgstr "У ядрі не передбачено підтримки призначення, сумісного з loop-AES." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "Помилка під час спроби читання файла ключа %s." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Перевищено максимальну можливу довжину пароля TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:602 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Засіб створення хешів PBKDF2 за алгоритмом %s недоступний, пропускаємо." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "Потрібний для роботи інтерфейс ядра для шифрування недоступний." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Переконайтеся, що завантажено модуль ядра algif_skcipher." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Підтримки активації для розміру сектора %d не передбачено." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "У ядрі не передбачено підтримки вмикання цього застарілого режиму TCRYPT." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Активуємо шифрування системи за допомогою TCRYPT для розділу %s." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." 
msgstr "У ядрі не передбачено підтримки призначення, сумісного з TCRYPT." -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "Підтримки цієї дії без завантаження заголовка TCRYPT." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний тип запису метаданих «%u»." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "Під час обробки основного ключа тому виявлено некоректний рядок." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний рядок («%s»)." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуване значення запису метаданих «%u»." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "Не вдалося прочитати підпис BITLK з %s." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Некоректний або невідомий підпис для пристрою BITLK." - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "Підтримки BITLK версії 1 у поточній версії не передбачено." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Некоректний або невідомий підпис завантаження для пристрою BITLK." -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %<PRIu16>." 
msgstr "Непідтримуваний розмір сектора %<PRIu16>." -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Не вдалося прочитати заголовок BITLK з %s." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Не вдалося прочитати метадані FVE BITLK з %s." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Невідомий або непідтримуваний тип шифрування." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Не вдалося прочитати записи метаданих BITLK з %s." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "Не вдалося перетворити опис тому BITLK" + +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Під час обробки зовнішнього ключа виявлено неочікуваний тип запису метаданих «%u»." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:905 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "Файл GUID BEK «%s» не відповідає GUID тому." + +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Під час обробки зовнішнього ключа виявлено неочікуване значення запису метаданих «%u»." -#: lib/bitlk/bitlk.c:950 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %<PRIu32>" msgstr "Непідтримувана версія метаданих BEK, %<PRIu32>" -#: lib/bitlk/bitlk.c:955 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length" msgstr "Неочікуваний розмір метаданих BEK, %<PRIu32>, не відповідає довжині файла BEK" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." 
msgstr "Під час обробки ключа запуску виявлено неочікуваний запис метаданих." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "Підтримки цієї дії не передбачено." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "Неочікуваний розмір даних ключа." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Цей пристрій BITLK перебуває у непідтримуваному стані — його неможливо активувати." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Пристрої BITLK типу «%s» неможливо активувати." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Активації частково розшифрованого пристрою BITLK не передбачено." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1262 +#, c-format +msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>" +msgstr "УВАГА: розмір тому BitLocker %<PRIu64> не відповідає розміру базового пристрою %<PRIu64>" + +#: lib/bitlk/bitlk.c:1389 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки BITLK IV." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1393 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки дифузера Elephant BITLK." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1397 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки великого розміру секторів." 
+ +#: lib/bitlk/bitlk.c:1401 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "Не вдалося активувати пристрій — немає модуля ядра dm-zero." + +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "Не вдалося прочитати %u байтів заголовка тому." + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %<PRIu16>." +msgstr "Непідтримувана версія FVAULT2 %<PRIu16>." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." msgstr "На пристрої VERITY %s не використовується вбудований заголовок." -#: lib/verity/verity.c:90 -#, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "Пристрій %s не є коректним пристроєм VERITY." - -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Непідтримувана версія VERITY, %d." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "Пошкоджено заголовок VERITY." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "На пристрої %s вказано UUID VERITY у помилковому форматі." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Помилка під час оновлення заголовка verity на пристрої %s." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:278 msgid "Root hash signature verification is not supported." msgstr "Підтримки перевірки підпису кореневого хешу не передбачено." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:290 msgid "Errors cannot be repaired with FEC device." msgstr "Помилки не може бути виправлено за допомогою пристрою FEC." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:292 #, c-format msgid "Found %u repairable errors with FEC device." 
msgstr "За допомогою пристрою FEC виявлено %u придатних до виправлення помилок." -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:335 msgid "Kernel does not support dm-verity mapping." msgstr "У ядрі не передбачено підтримки прив'язки dm-verity." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:339 msgid "Kernel does not support dm-verity signature option." msgstr "У ядрі не передбачено підтримки параметра підпису dm-verity." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:350 msgid "Verity device detected corruption after activation." msgstr "Виявлено пошкодження даних на пристрої перевірки після активації." 
@@ -1298,46 +1344,51 @@ msgstr "Не вдалося відновити парність для блок msgid "Failed to write parity for RS block %<PRIu64>." msgstr "Не вдалося прочитати парність для блоку RS %<PRIu64>." -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "Розміри блоків для FEC мають бути однаковими." -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "Некоректна кількість байтів парності." -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "Некоректна довжина сегмента FEC." -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "Не вдалося визначити розмір для пристрою %s." -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "Виявлено несумісні метадані dm-integrity ядра (версія %u) у %s." + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 msgid "Kernel does not support dm-integrity mapping." msgstr "У ядрі не передбачено підтримки прив'язки dm-integrity." -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "У ядрі не передбачено підтримки вирівнювання фіксованих метаданих dm-integrity." -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Ядром відмовлено у активації небезпечного параметра повторного обчислення (див. застарілі параметри активації, щоб скористатися обчисленням попри це)." 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 +#: lib/luks2/luks2_json_metadata.c:1482 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Не вдалося отримати блокування запису на пристрої %s." -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "Виявлено спробу конкурентного оновлення метаданих LUKS2. Перериваємо виконання дії." -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." 
@@ -1345,49 +1396,49 @@ msgstr "" "Пристрій містить неоднозначні підписи. Автоматичне відновлення LUKS2 неможливе.\n" "Будь ласка, запустіть «cryptsetup repair» для відновлення." -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:229 msgid "Requested data offset is too small." msgstr "Вказаний відступ у даних є надто малим." -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:274 #, c-format msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "Увага: область слоту ключів є надто малою (%<PRIu64> байтів), доступна кількість слотів ключів LUKS2 буде дуже обмеженою.\n" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 +#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Не вдалося отримати блокування читання на пристрої %s." -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1405 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "У резервній копії %s виявлено заборонені вимоги щодо LUKS2." -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1446 msgid "Data offset differ on device and backup, restore failed." msgstr "Зсуви даних на пристрої і на резервній копії різняться, не вдалося відновити." -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1452 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Двійкові заголовки із розмірами областей слотів ключів на пристрої і у резервній копії різняться, не вдалося відновити копію." 
-#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1459 #, c-format msgid "Device %s %s%s%s%s" msgstr "Пристрій %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1460 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "не містить заголовка LUKS2. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої." -#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1461 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "вже містить заголовок LUKS2. Заміна заголовка призведе до руйнування вже створених слотів ключів." -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1463 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1397,7 +1448,7 @@ msgstr "" "ПОПЕРЕДЖЕННЯ: виявлено невідомі вимоги LUKS2 у справжньому заголовку пристрою!\n" "Заміна заголовка резервною копією може пошкодити дані на пристрої!" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1465 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" 
@@ -1407,408 +1458,471 @@ msgstr "" "ПОПЕРЕДЖЕННЯ: на пристрої виявлено дані незавершеного повторного шифрування!\n" "Заміна заголовка заголовком із резервної копії може пошкодити дані." -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1562 #, c-format msgid "Ignored unknown flag %s." msgstr "Проігноровано невідомий прапорець %s." -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Не вистачає ключа для сегмента dm-crypt %u" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 msgid "Failed to set dm-crypt segment." msgstr "Не вдалося встановити сегмент dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 msgid "Failed to set dm-linear segment." msgstr "Не вдалося встановити сегмент dm-linear." -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2615 msgid "Unsupported device integrity configuration." msgstr "Непідтримувані налаштування цілісності даних на пристрої." -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2701 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Виконуємо повторне шифрування. Не можна деактивувати пристрій." -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Не вдалося замінити пристрій %s, роботу якого призупинено, ціллю dm-error." -#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2792 msgid "Failed to read LUKS2 requirements." msgstr "Не вдалося прочитати вимоги LUKS2." 
-#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2799 msgid "Unmet LUKS2 requirements detected." msgstr "Виявлено невідповідність вимог LUKS2." -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2807 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування застарілого варіанта. Перериваємо дію." -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2809 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування LUKS2. Перериваємо дію." -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 msgid "Not enough available memory to open a keyslot." msgstr "Недостатньо пам'яті для відкриття слоту ключів." -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 msgid "Keyslot open failed." msgstr "Не вдалося відкрити слот ключів." -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Не можна використовувати шифрування %s-%s для слотів ключів." -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "Алгоритм хешування %s є недоступним." + +#: lib/luks2/luks2_keyslot_luks2.c:510 msgid "No space for new keyslot." msgstr "Немає простору для нового слоту ключа." 
-#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:593 +msgid "Invalid reencryption resilience mode change requested." +msgstr "Отримано запит щодо некоректної зміни режиму стійкості для повторного шифрування." + +#: lib/luks2/luks2_keyslot_reenc.c:714 +#, c-format +msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes." +msgstr "Не вдалося оновити тип стійкості. Новим типом передбачено %<PRIu64> байтів, потрібне місце: %<PRIu64> байтів." + +#: lib/luks2/luks2_keyslot_reenc.c:724 +msgid "Failed to refresh reencryption verification digest." +msgstr "Не вдалося освіжити контрольні суми для перевірки для повторного шифрування." + +#: lib/luks2/luks2_luks1_convert.c:512 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Не вдалося перевірити стан пристрою з uuid %s." -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:538 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Не вдалося перетворити заголовок з додатковими метаданими LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "Не вдалося використати специфікацію шифрування %s-%s для LUKS2." + +#: lib/luks2/luks2_luks1_convert.c:584 msgid "Unable to move keyslot area. Not enough space." msgstr "Не вдалося пересунути область слотів ключів. Недостатньо місця." -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:619 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "Не вдалося перетворити до формату LUKS2 - некоректні метадані." + +#: lib/luks2/luks2_luks1_convert.c:636 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Не вдалося пересунути область слотів ключів. Область слотів ключів LUKS2 є надто малою." 
-#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 msgid "Unable to move keyslot area." msgstr "Не вдалося пересунути область слотів ключів." -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:732 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Не вдалося перетворити на формат LUKS1 — типовий розмір сектору шифрування сегмента не дорівнює 512 байтам." -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:740 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Не вдалося перетворити до формату LUKS1 — контрольні суми слотів ключів не сумісні з LUKS1." -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:752 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується загорнуте шифрування ключів %s." -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:757 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується більше сегментів." + +#: lib/luks2/luks2_luks1_convert.c:765 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Не вдалося перетворити до формату LUKS1 - заголовок LUKS2 містить %u жетонів." -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:779 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Не вдалося перетворити до формату LUKS1 - слот ключа %u перебуває у некоректному стані." -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:784 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." 
msgstr "Не вдалося перетворити до формату LUKS1 — слот %u (перевищує максимальну кількість слотів) усе ще є активним." -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:789 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "не вдалося перетворити до формату LUKS1 — слот ключів %u є несумісним з LUKS1." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Розмір «гарячої» ділянки має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Розмір пристрою має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Непідтримуваний режим стійкості %s" - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "Не вдалося ініціалізувати обгортку старого сховища сегментів." -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "Не вдалося ініціалізувати обгортку нового сховища сегментів." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +msgid "Failed to initialize hotzone protection." 
+msgstr "Не вдалося ініціалізувати захист «гарячої» зони" + +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "Не вдалося прочитати контрольні суми для поточної «гарячої» ділянки." -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %<PRIu64>." msgstr "Не вдалося прочитати «гарячу» ділянку, починаючи з %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Не вдалося розшифрувати сектор %zu." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "Не вдалося відновити сектор %zu." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>." msgstr "Розміри пристроїв джерела та призначення не збігаються. Розмір джерела — %<PRIu64>, розмір призначення — %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Не вдалося задіяти пристрій «гарячої» ділянки %s." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Не вдалося задіяти пристрій-накладку %s зі справжньою таблицею походження." -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Не вдалося завантажити нову прив'язку для пристрою %s." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "Не вдалося освіжити тек пристрої для повторного шифрування." 
-#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "Не вдалося встановити розмір області нових слотів ключів." -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Зміщення даних не вирівняно до запитаного розміру сектора для шифрування (%<PRIu32> байтів)." +msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Значення зміщення даних не вирівняно до розміру сектора для шифрування (%<PRIu32> байтів)." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 #, c-format -msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)." -msgstr "Пристрій зберігання даних не вирівняно до запитаного розміру сектора для шифрування (%<PRIu32> байтів)." +msgid "Unsupported resilience mode %s" +msgstr "Непідтримуваний режим стійкості %s" -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:2760 +msgid "Moved segment size can not be greater than data shift value." +msgstr "Розмір пересунутого сегмента не може перевищувати значення зсуву даних." + +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." +msgstr "Некоректні параметри стійкості для повторного шифрування." + +#: lib/luks2/luks2_reencrypt.c:2824 +#, c-format +msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>." +msgstr "Пересунутий сегмент є надто великим. Потрібний розмір %<PRIu64>, доступне місце: %<PRIu64>." + +#: lib/luks2/luks2_reencrypt.c:2911 +msgid "Failed to clear table." +msgstr "Не вдалося очистити таблицю." + +#: lib/luks2/luks2_reencrypt.c:2997 +msgid "Reduced data size is larger than real device size." +msgstr "Зменшений розмір даних перевищує справжній розмір пристрою." 
+ +#: lib/luks2/luks2_reencrypt.c:3004 +#, c-format +msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)." +msgstr "Пристрій зберігання даних не вирівняно до розміру сектора для шифрування (%<PRIu32> байтів)." + +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)." msgstr "Зміщення даних (%<PRIu64> секторів) є меншим за майбутній зсув даних (%<PRIu64> секторів)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Не вдалося відкрити %s в ексклюзивному режимі (вже пов'язано або змонтовано)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "Пристрій не позначено для повторного шифрування LUKS2." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "Не вдалося завантажити контекст повторного шифрування LUKS2." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." msgstr "Не вдалося отримати стан повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "Пристрій не перебуває у повторному шифруванні." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "Процес повторного шифрування вже виконується." 
-#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "Не вдалося створити блокування для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Продовження повторного шифрування неможливе. Спочатку слід виконати відновлення повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "Не збігаються розмір активного пристрою і запитаний розмір повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "У параметрах повторного шифрування вказано некоректний розмір пристрою." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Виконується повторне шифрування. Неможливо виконати відновлення." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Повторне шифрування LUKS2 вже ініційовано у метаданих." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Не вдалося ініціалізувати повторне шифрування LUKS2 лише у метаданих." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Не вдалося встановити сегменти пристрою для наступної «гарячої» ділянки повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." 
msgstr "Не вдалося записати метадані стійкості для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "Помилка розшифрування." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %<PRIu64>." msgstr "Не вдалося записати «гарячу» ділянку, починаючи з %<PRIu64>." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "Не вдалося синхронізувати дані." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Не вдалося оновити метадані після завершення обробки поточної «гарячої» зони повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "Не вдалося записати метадані LUKS2." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "Не вдалося витерти дані резервного сегмента." +#: lib/luks2/luks2_reencrypt.c:4048 +msgid "Failed to wipe unused data device area." +msgstr "Не вдалося витерти область невикористаних даних пристрою." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "Не вдалося вимкнути прапорець вимоги повторного шифрування." +#: lib/luks2/luks2_reencrypt.c:4054 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "Не вдалося вилучити невикористаний (непов'язаний) слот ключа %d." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4064 +msgid "Failed to remove reencryption keyslot." +msgstr "Не вдалося вилучити слот ключа для повторного шифрування." + +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long." 
msgstr "Критична помилка під час повторного шифрування фрагмента, починаючи з %<PRIu64>, довжиною у %<PRIu64> секторів." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "Не вдалося виконати інтерактивне повторне шифрування." -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "Не відновлюйте пристрій, якщо не заміните вручну пристрій призначення для помилок." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Не вдалося виконати повторне шифрування. Неочікуваний стан засобу повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "Не вказано контекст повторного шифрування або вказано некоректний контекст." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "Не вдалося ініціалізувати стос пристроїв повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." msgstr "Не вдалося оновити контекст повторного шифрування." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "Метадані повторного шифрування є некоректними." -#: src/cryptsetup.c:171 +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Параметри шифрування слоту ключів можна встановлювати лише для пристроїв LUKS2." 
-#: src/cryptsetup.c:198 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "Введіть пінкод жетона:" +msgid "Enter token PIN: " +msgstr "Введіть пінкод жетона: " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "Введіть пінкод жетона %d:" +msgid "Enter token %d PIN: " +msgstr "Введіть пінкод жетона %d: " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Не виявлено жодного відомого зразка специфікації шифрування." -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:167 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "Попередження: параметр --hash у простому режимі із вказаним файлом ключа ігнорується.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:175 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "Попередження: параметр --keyfile-size проігноровано, розмір прочитаних даних збігається із розміром ключа шифрування.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:215 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "На %s виявлено підписи пристроїв. Подальша обробка може пошкодити наявні дані." 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "Дію перервано.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:294 msgid "Option --key-file is required." msgstr "Слід вказати параметр --key-file." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:345 msgid "Enter VeraCrypt PIM: " msgstr "Введіть PIM VeraCrypt: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:354 msgid "Invalid PIM value: parse error." msgstr "Некоректне значення PIM: помилка обробки." -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:357 msgid "Invalid PIM value: 0." msgstr "Некоректне значення PIM: 0." -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:360 msgid "Invalid PIM value: outside of range." msgstr "Некоректне значення PIM: поза межами діапазону." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:383 msgid "No device header detected with this passphrase." msgstr "Для цього пароля не виявлено заголовка пристрою." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:456 src/cryptsetup.c:632 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Пристрій %s не є коректним пристроєм BITLK." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:464 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Неможливо визначити розмір ключа тому для BITLK. Будь ласка, скористайтеся параметром --key-size." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:506 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" 
@@ -1819,7 +1933,7 @@ msgstr "" "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n" "у безпечному місці." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" 
@@ -1830,88 +1944,113 @@ msgstr "" "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n" "у безпечному місці." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "Пристрій %s не є коректним пристроєм FVAULT2." + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "Неможливо визначити розмір ключа тому для FVAULT2. Будь ласка, скористайтеся параметром --key-size." + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Пристрій %s усе ще є активним, його заплановано для відкладеного вилучення.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Зміна розмірів активного пристрою потребує наявності ключа тому у сховищі ключів, але вказано параметр --disable-keyring." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "Тестування перервано." 
-#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s н/д\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u ітерацій за секунду для %zu-бітового ключа\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s н/д\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u ітерацій, пам'ять: %5u, %1u паралельних потоків (процесорів) для %zu-бітового ключа (запит на %u мс часу)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "Результат тестування є ненадійним." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Наближені значення під час перевірки визначаються лише за допомогою оперативної пам’яті (без запису на диск).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "№%*s Алгоритм | Ключ | Шифрування | Розшифрування\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Шифрування %s (розмір ключа — %i бітів) є недоступним." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. 
-#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "№ Алгоритм | Ключ | Шифрування | Розшифрування\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "н/д" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1174 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Здається, пристрій не потребує відновлення повторного шифрування.\n" -"Хочете виконати цю дію попри це?" +"Виявлено незахищені метадані повторного шифрування LUKS2. Будь ласка, перевірте, чи бажаною є дія з повторного шифрування\n" +"(див. виведення luksDump), і продовжуйте (оновлення метаданих), лише якщо впевнені, що дія є бажаною." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1180 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Вкажіть пароль для захисту і оновлення метаданих повторного шифрування: " + +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Ви справді хочете продовжити процедуру відновлення повторного шифрування LUKS2?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1233 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Вкажіть пароль для перевірки контрольної суми метаданих повторного шифрування: " + +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "Вкажіть пароль для відновлення повторного шифрування: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "Спробувати відновити заголовок пристрою LUKS?" 
-#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Витирання перервано." + +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" 
@@ -1919,113 +2058,128 @@ msgstr "" "Витираємо пристрій для ініціалізації контрольних сум для цілісності.\n" "Ви можете перервати цей процес натисканням комбінації клавіш CTRL+C (решта невитертого пристрою міститиме некоректну контрольну суму).\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Не можна скасувати активацію тимчасового пристрою %s." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "Параметр цілісності може бути використано лише для формату LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Непідтримувані параметри розміру метаданих LUKS2." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Файла заголовка не існує. Хочете його створити?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Не вдалося створити файл заголовка %s." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 +#: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Не виявлено жодного відомого зразка специфікації цілісності." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Не можна використовувати %s як заголовок на диску." 
-#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Дані на %s буде перезаписано без можливості відновлення." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Не вдалося встановити параметри pbkdf." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Зменшений відступ даних можна використовувати лише для від’єднаних заголовків LUKS." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "Контейнер файлів LUKS %s є надто малим для активації, на ньому не лишиться місця для даних." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Неможливо визначити розмір ключа тому для LUKS без слотів ключів. Будь ласка, скористайтеся параметром --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Пристрій задіяно, але не вдалося зробити прапорці сталими." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Слот ключа %d позначено для вилучення." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Це останній слот ключа. 
Пристрій стане непридатним для використання після спорожнення цього ключа." -#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Введіть будь-який інший пароль: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Дію перервано, слот ключів НЕ витерто.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Введіть пароль, який слід вилучити: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "Пристрій %s не є коректним пристроєм LUKS2." + +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Введіть новий пароль для слота ключа: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "Попередження: параметр --key-slot використано для нового числа слоту ключа.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Введіть будь-який пароль: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Введіть пароль, який слід змінити: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Введіть новий пароль: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "Вкажіть пароль для слоту ключа, який буде перетворено: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." 
msgstr "У команді isLuks можна використовувати лише один аргумент назви пристрою." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Слот ключа %d не містить непов'язаного ключа." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." 
@@ -2033,40 +2187,40 @@ msgstr "" "Дамп заголовка з непов'язаним ключем є конфіденційними даними.\n" "Цей дамп слід зберігати у зашифрованому форматі у безпечному місці." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "%s не є назвою активного пристрою %s." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s не є назвою активного пристрою LUKS або пропущено заголовок." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "Слід вказати параметр --header-backup-file." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s не є керованим cryptsetup пристроєм." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Підтримки дії з оновлення для пристрою типу %s не передбачено." -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Нерозпізнаний тип пристрою метаданих, %s." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "Аргументами команди мають бути назва пристрою та призначена до нього назва." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" 
@@ -2075,335 +2229,351 @@ msgstr "" "У результаті виконання цієї операції буде витерто усі слоти ключів на пристрої %s.\n" "Після виконання цієї дії пристроєм не можна буде скористатися." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Дію перервано, слоти ключів НЕ витерто.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Некоректний тип LUKS. Передбачено підтримку лише luks1 і luks2." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Пристрій вже належить до типу %s." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Ця дія перетворить %s до формату %s.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Дію перервано, дані пристрою НЕ перетворено.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "Пропущено параметр --priority, --label або --subsystem." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Жетон %d є некоректним." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Жетон %d використовується." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Не вдалося додати жетон %d зі сховища ключів luks2." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Не вдалося прив'язати жетон %d до слоту ключа %d." 
-#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "Жетон %d не використовується." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Не вдалося імпортувати жетон з файла." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Не вдалося отримати жетон %d для експортування." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:2925 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Автоматично виявлено активний пристрій dm «%s» для пристрою даних %s.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "Жетон %d не пов'язано зі слотом ключа %d." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "Пристрій %s не є блоковим пристроєм.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Не вдалося відв'язати жетон %d від слоту ключа %d." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "Не вдалося автоматично визначити утримувачів пристрою %s." +#: src/cryptsetup.c:2983 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT." 
-#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Не вдалося визначити, чи задіяно пристрій %s.\n" -"Ви справді хочете продовжити повторне шифрування у режимі з від'єднанням?\n" -"Таке шифрування може призвести до пошкодження даних, якщо пристрій задіяно.\n" -"Щоб запустити повторне шифрування у режимі без від'єднання, скористайтеся параметром --active-name.\n" +#: src/cryptsetup.c:2986 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Підтримку параметра --veracrypt або --disable-veracrypt передбачено лише для пристроїв TCRYPT." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "Підтримку шифрування передбачено лише для формату LUKS2." +#: src/cryptsetup.c:2989 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "Параметр --veracrypt-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "Шифрування без від'єднаного заголовка (--header) є неможливим без зменшення розміру пристрою зберігання даних (--reduce-device-size)." +#: src/cryptsetup.c:2993 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "Параметр --veracrypt-query-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." -msgstr "Вказаний зсув даних має бути меншим або рівним половині значення параметра --reduce-device-size." 
+#: src/cryptsetup.c:2995 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Не можна поєднувати параметри --veracrypt-pim і --veracrypt-query-pim." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" -msgstr "Коригуємо значення --reduce-device-size до подвійного значення --offset %<PRIu64> (у секторах).\n" - -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Виявлено пристрій LUKS на %s. Хочете зашифрувати цей пристрій LUKS знову?" - -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "Файл тимчасового заголовка %s вже існує. Перериваємо обробку." - -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "Не вдалося створити файл тимчасового заголовка %s." - -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "Розмір метаданих LUKS2 перевищує значення зсуву даних." +#: src/cryptsetup.c:3004 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "Параметр --persistent не можна використовувати разом із --test-passphrase." #: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "Не вдалося розмістити новий заголовок на початку пристрою %s." +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Не можна поєднувати параметри --refresh і --test-passphrase." -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s задіяно, система готова до інтерактивного шифрування.\n" +#: src/cryptsetup.c:3010 +msgid "Option --shared is allowed only for open of plain device." +msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою." 
-#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "Підтримку розшифровування LUKS2 передбачено лише для пристроїв із від'єднаним заголовком (із встановленим нульовим відступом даних)." +#: src/cryptsetup.c:3013 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "Недостатньо вільних слотів ключів для повторного шифрування." +#: src/cryptsetup.c:3016 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "Підтримку параметра --offset разом із дією з відкриття передбачено лише для незашифрованих пристроїв та пристроїв loopaes." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа." +#: src/cryptsetup.c:3019 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards." -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Вкажіть пароль для слоту ключа %d: " +#: src/cryptsetup.c:3023 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "Підтримку параметра розміру сектора разом із дією з відкриття передбачено лише для незашифрованих пристроїв." 
-#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Вкажіть пароль для слоту ключа %u: " +#: src/cryptsetup.c:3027 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "Підтримку можливості використання великих секторів IV передбачено лише для відкриття пристроїв простого типу з розміром сектора, який перевищує 512 байтів." -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Перемикаємося на шифрування даних %s.\n" +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS, TCRYPT, BITLK та FVAULT2." -#: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Комарні слід передати аргумент пристрою." +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +msgid "Options --device-size and --size cannot be combined." +msgstr "Не можна одночасно використовувати параметри --device-size і --size." -#: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "У поточній версії передбачено підтримку лише формату LUKS2. Для роботи з LUKS1, будь ласка, скористайтеся програмою cryptsetup-reencrypt." +#: src/cryptsetup.c:3038 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "Параметр --sunbound можна використовувати лише для відкриття пристрою LUKS." -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Вже виконується повторне шифрування з від'єднанням у застарілому режимі. Скористайтеся програмою cryptsetup-reencrypt." +#: src/cryptsetup.c:3041 +msgid "Option --unbound cannot be used without --test-passphrase." 
+msgstr "Параметр --unbound не можна використовувати без --test-passphrase." -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "Підтримки повторного шифрування пристрою із профілем цілісності не передбачено." +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Не можна одночасно використовувати параметр --cancel-deferred і --deferred." -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "Вже ініційовано повторне шифрування LUKS2. Перериваємо виконання дії." +#: src/cryptsetup.c:3066 +msgid "Options --reduce-device-size and --data-size cannot be combined." +msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --data-size." -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "Пристрій LUKS2 не перебуває у стані повторного шифрування." +#: src/cryptsetup.c:3069 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "Параметр --active-name можна встановлювати лише для пристроїв LUKS2." -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3072 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Не можна одночасно використовувати параметри ---active-name і --force-offline-reencrypt." + +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +msgid "Keyslot specification is required." +msgstr "Слід вказати специфікація слотів ключів." + +#: src/cryptsetup.c:3088 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Не можна одночасно використовувати параметри --align-payload і --offset." + +#: src/cryptsetup.c:3091 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." 
+msgstr "Параметром --integrity-no-wipe можна користуватися лише для дії з форматування із розширенням забезпечення цілісності." + +#: src/cryptsetup.c:3094 +msgid "Only one of --use-[u]random options is allowed." +msgstr "Можна використовувати лише один з параметрів --use-[u]random." + +#: src/cryptsetup.c:3102 +msgid "Key size is required with --unbound option." +msgstr "Разом із параметром --unbound слід вказувати розмір ключа." + +#: src/cryptsetup.c:3122 +msgid "Invalid token action." +msgstr "Некоректна дія з жетоном." + +#: src/cryptsetup.c:3125 +msgid "--key-description parameter is mandatory for token add action." +msgstr "Параметр --key-description є обов'язковим для дій із додавання жетонів." + +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "Для виконання дії потрібен специфічний жетон. Скористайтеся параметром --token-id." + +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "Параметр --unbound можна використовувати лише разом із дією з додавання жетона." + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Не можна поєднувати параметри --key-slot і --unbound." + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "Дія потребує зазначення слоту ключа. Скористайтеся параметром --key-slot." 
+ +#: src/cryptsetup.c:3156 msgid "<device> [--type <type>] [<name>]" msgstr "<пристрій> [--type <тип>] [<назва>]" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as <name>" msgstr "відкрити пристрій як <назва>" -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 +#: src/integritysetup.c:537 src/integritysetup.c:539 msgid "<name>" msgstr "<назва>" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "закрити пристрій (вилучити призначення)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "змінити розмір активного пристрою" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3159 msgid "show device status" msgstr "показати стан пристрою" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "[--cipher <cipher>]" msgstr "[--cipher <шифр>]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "перевірити швидкодію шифрування" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: 
src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "<device>" msgstr "<пристрій>" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "спробувати виправити метадані на диску" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "повторно зашифрувати пристрій LUKS2" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "витерти усі слоти ключів (вилучити ключ шифрування)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "перетворити LUKS із формату LUKS2 або навпаки" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "встановити сталі параметри налаштування для LUKS2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid "<device> [<new key file>]" msgstr "<пристрій> [<новий файл ключа>]" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "форматує пристрій LUKS" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "додати ключ до пристрою LUKS" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid "<device> [<key file>]" msgstr "<пристрій> [<файл ключа>]" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "вилучає наданий ключ або файл ключа з пристрою LUKS" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "змінює наданий ключ або файл ключа пристрою LUKS" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "перетворює ключ до нових 
параметрів pbkdf" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "<device> <key slot>" msgstr "<пристрій> <слот ключа>" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3171 msgid "wipes key with number <key slot> from LUKS device" msgstr "вилучає ключ з номером <слот ключа> з пристрою LUKS" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "вивести UUID пристрою LUKS" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3173 msgid "tests <device> for LUKS partition header" msgstr "виконати спробу виявлення заголовка розділу LUKS на пристрої <пристрій>" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "створити дамп даних щодо розділу LUKS" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "створити дамп даних пристрою TCRYPT" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "створити дамп даних пристрою BITLK" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "створити дамп даних пристрою FVAULT2" + +#: src/cryptsetup.c:3178 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Приспати пристрій LUKS і витерти ключ (роботу всіх каналів введення-виведення буде заморожено)" -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "Відновити роботу приспаного пристрою LUKS" -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "Створити резервну копію заголовка пристрою LUKS і слотів ключів" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "Відновити заголовок пристрою LUKS і слоти ключів" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3182 msgid "<add|remove|import|export> <device>" msgstr "<add|remove|import|export> <пристрій>" -#: src/cryptsetup.c:3523 +#: 
src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "Керування жетонами LUKS2" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" "<action> is one of:\n" @@ -2411,20 +2581,20 @@ msgstr "" "\n" "<дія> є однією з таких:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old <action> syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "Ви також можете скористатися застарілими альтернативними\n" "синтаксичними конструкціями для запису <дія>:\n" -"\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2439,7 +2609,7 @@ msgstr "" "<слот ключа> — номер слота ключа LUKS, який слід змінити\n" "<файл ключа> — необов’язковий файл ключа для нового ключа для дії luksAddKey\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" @@ -2448,7 +2618,7 @@ msgstr "" "\n" "Типовий укомпільований формат метаданих — %s (для дії luksFormat).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" 
@@ -2457,20 +2627,20 @@ msgstr "" "\n" "Підтримка додатків зовнішніх жетонів LUKS2 — %s.\n" -#: src/cryptsetup.c:3565 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "вбудована" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Шлях до теки додатків зовнішніх жетонів LUKS2: %s.\n" -#: src/cryptsetup.c:3568 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "вимкнено" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2487,7 +2657,7 @@ msgstr "" "Типовий PBKDF для LUKS2: %s\n" "\tЧас ітерації: %d, потрібний обсяг пам'яті: %d кБ, паралельних потоків: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" 
@@ -2502,206 +2672,96 @@ msgstr "" "\tзвичайне: %s, ключ: %d-бітовий, хешування пароля: %s\n" "\tLUKS: %s, ключ: %d-бітовий, хешування заголовка LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3250 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: типовий розмір ключа у режимі XTS (два вбудованих ключа) буде подвоєно.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: слід вказати у параметрах %s" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Некоректний слот ключа." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "Розмір пристрою має бути кратним до 512-байтового сектора." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "Некоректна специфікація розміру «гарячої» ділянки повторного шифрування." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "Розмір ключа має бути кратним 8 бітам" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 1 ГіБ." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Розмір зменшення має бути кратним до 512-байтового сектора." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." 
msgstr "Значенням для параметра --priority може бути лише один з таких рядків: ignore, normal або prefer." -#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "Показати цю довідку" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Показати короткі настанови щодо користування" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "Вивести дані щодо версії пакунка" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "Пункти довідки:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] <action> <action-specific>" msgstr "[ПАРАМЕТР...] <дія> <параметри_дії>" -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument <action> missing." msgstr "Не вказано аргумент <дія>." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "Невідома дія." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Не можна поєднувати параметри --refresh і --test-passphrase." 
- -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." -msgstr "Не можна одночасно використовувати параметр --cancel-deferred і --deferred." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "Параметр --persistent не можна використовувати разом із --test-passphrase." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "Параметром --integrity-no-wipe можна користуватися лише для дії з форматування із розширенням забезпечення цілісності." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS, TCRYPT та BITLK." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Параметр --key-file має пріоритет над вказаним параметром файла ключа." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "Можна використовувати лише один аргумент --key-file." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Можна використовувати лише один з параметрів --use-[u]random." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Не можна одночасно використовувати параметри --align-payload і --offset." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." 
-msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." -msgstr "Підтримку параметра --offset разом із дією з відкриття передбачено лише для незашифрованих пристроїв та пристроїв loopaes." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Підтримку параметра --veracrypt або --disable-veracrypt передбачено лише для пристроїв TCRYPT." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "Параметр --veracrypt-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "Параметр --veracrypt-query-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Не можна поєднувати параметри --veracrypt-pim і --veracrypt-query-pim." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Слід вказати специфікація слотів ключів." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3557 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." 
msgstr "Функцією отримання ключа на основі пароля (PBKDF) може бути лише pbkdf2 або argon2i/argon2id." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Примусові ітерації PBKDF не можна поєднувати із параметром тривалості ітерацій." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "Підтримку параметра розміру сектора разом із дією з відкриття передбачено лише для незашифрованих пристроїв." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "Підтримку можливості використання великих секторів IV передбачено лише для відкриття пристроїв простого типу з розміром сектора, який перевищує 512 байтів." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "Разом із параметром --unbound слід вказувати розмір ключа." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "Розшифрування LUKS2 потребує параметра --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --data-size." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Не можна одночасно використовувати параметри --device-size і --size." - -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Параметри --keyslot-cipher і --keyslot-key-size має бути використано разом." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Дій не виконано. Викликано із параметром --test-args.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." 
-msgstr "Некоректна дія з жетоном." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "Параметр --key-description є обов'язковим для дій із додавання жетонів." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "Для виконання дії потрібен специфічний жетон. Скористайтеся параметром --token-id." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "Не вдалося вимкнути блокування метаданих." 
@@ -2729,67 +2789,72 @@ msgstr "Не вдалося створити файл кореневого хе msgid "Cannot write to root hash file %s." msgstr "Не вдалося записати файл кореневого хешу %s." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "Пристрій %s не є коректним пристроєм VERITY." + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "Не вдалося прочитати файл кореневого хешу %s." -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "Некоректний файл кореневого хешу %s." -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "Вказано некоректний рядок кореневого хешу." -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "Некоректний файл підпису %s." -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "Не вдалося прочитати файл підпису %s." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires <root_hash> or --root-hash-file option as argument." msgstr "Для виконання команди потрібен <кореневий_хеш> або параметр --root-hash-file як аргумент." 
-#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid "<data_device> <hash_device>" msgstr "<пристрій_даних> <пристрій_хешу>" -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "форматувати пристрій" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "<data_device> <hash_device> [<root_hash>]" msgstr "<пристрій_даних> <пристрій_хешу> [<кореневий_хеш>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "перевірити пристрій" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid "<data_device> <name> <hash_device> [<root_hash>]" msgstr "<пристрій_даних> <назва> <пристрій_хешу> [<кореневий_хеш>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "показати стан активного пристрою" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "<hash_device>" msgstr "<пристрій_хешу>" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "показати вбудовані дані" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2804,7 +2869,7 @@ msgstr "" "<пристрій_хешу> — пристрій, на якому зберігаються дані для перевірки\n" "<кореневий_хеш> — хеш кореневого вузла на пристрої <пристрій_хешу>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" 
@@ -2815,28 +2880,46 @@ msgstr "" "Типові вбудовані параметри dm-verity:\n" "\tхеш: %s, блок даних (у байтах): %u, блок хешу (у байтах): %u, розмір солі: %u, формат хешування: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:658 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Параметри --ignore-corruption і --restart-on-corruption не можна використовувати одночасно." -#: src/veritysetup.c:651 +#: src/veritysetup.c:663 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Параметри --panic-on-corruption і --restart-on-corruption не можна використовувати одночасно." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Дані на %s і %s буде перезаписано без можливості відновлення.\n" +"Щоб зберегти пристрій даних, скористайтеся параметром --no-wipe (а потім активуйте за допомогою --integrity-recalculate)." + +#: src/integritysetup.c:212 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Форматовано із розміром мітки %u, внутрішня цілісність %s.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:289 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "Підтримки встановлення прапорця повторного обчислення не передбачено. Вам варто розглянути можливість використання --wipe." + +#: src/integritysetup.c:364 src/integritysetup.c:521 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "Пристрій %s не є коректним пристроєм INTEGRITY." 
+ +#: src/integritysetup.c:534 src/integritysetup.c:538 msgid "<integrity_device>" msgstr "<пристрій_цілісності>" -#: src/integritysetup.c:446 +#: src/integritysetup.c:535 msgid "<integrity_device> <name>" msgstr "<пристрій_цілісності> <назва>" -#: src/integritysetup.c:468 +#: src/integritysetup.c:558 #, c-format msgid "" "\n" @@ -2847,7 +2930,7 @@ msgstr "" "<назва> є пристроєм, який слід створити у %s\n" "<пристрій_цілісності> є пристроєм, на якому зберігаються дані із мітками цілісності\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:563 #, c-format msgid "" "\n" 
@@ -2860,241 +2943,44 @@ msgstr "" "\tАлгоритм обчислення контрольної суми: %s\n" "\tМаксимальний розмір файла ключа: %d кБ\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:620 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Некоректний розмір --%s. Максимальний розмір дорівнює %u байтів." -#: src/integritysetup.c:628 +#: src/integritysetup.c:720 msgid "Both key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа і розміру ключа." -#: src/integritysetup.c:632 +#: src/integritysetup.c:724 msgid "Both journal integrity key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа цілісності журналу і розміру ключа." -#: src/integritysetup.c:635 +#: src/integritysetup.c:727 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Якщо використано ключ цілісності журналу, має бути вказано алгоритм забезпечення цілісності журналу." -#: src/integritysetup.c:639 +#: src/integritysetup.c:731 msgid "Both journal encryption key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа шифрування журналу і розміру ключа." -#: src/integritysetup.c:642 +#: src/integritysetup.c:734 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Якщо використано ключ шифрування журналу, має бути вказано алгоритм забезпечення шифрування журналу." -#: src/integritysetup.c:646 +#: src/integritysetup.c:738 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Не можна поєднувати параметри відновлення і бітової карти." -#: src/integritysetup.c:653 +#: src/integritysetup.c:745 msgid "Journal options cannot be used in bitmap mode." msgstr "Параметри журналу у режимі бітової карти використовувати не можна." -#: src/integritysetup.c:658 +#: src/integritysetup.c:750 msgid "Bitmap options can be used only in bitmap mode." 
msgstr "Параметри бітової карти можна використовувати лише у режимі бітового карти." -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Вже виконується повторне шифрування." - -#: src/cryptsetup_reencrypt.c:185 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується." - -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "Спроба розподілу вирівняних ділянок пам’яті зазнала невдачі." - -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "Не вдалося виконати читання з пристрою %s." - -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "Позначаємо пристрій LUKS1 %s як непридатний." - -#: src/cryptsetup_reencrypt.c:221 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "Встановлюємо прапорець повторного шифрування LUKS2 з від'єднанням на пристрій %s." - -#: src/cryptsetup_reencrypt.c:238 -#, c-format -msgid "Cannot write device %s." -msgstr "Не вдалося виконати запис на пристрій %s." - -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "Не вдалося записати файл журналу повторного шифрування." - -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "Не вдалося прочитати файл журналу повторного шифрування." - -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Помилкове форматування журналу." - -#: src/cryptsetup_reencrypt.c:380 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "Файл журналу %s вже існує, поновлюємо повторне шифрування.\n" - -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "Спроба задіяти тимчасовий пристрій за допомогою старого заголовка LUKS." 
- -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "Спроба задіяти тимчасовий пристрій за допомогою нового заголовка LUKS." - -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "Спроба задіяти тимчасові пристрої зазнала невдачі." - -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "Не вдалося встановити відступ у даних." - -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "Не вдалося встановити розмір метаданих." - -#: src/cryptsetup_reencrypt.c:550 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "Створено новий заголовок LUKS для пристрою %s." - -#: src/cryptsetup_reencrypt.c:610 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Ця версія cryptsetup-reencrypt не може обробляти новий тип вбудованих жетонів %s." - -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "Не вдалося прочитати прапорці активації з резервного заголовка." - -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "Не вдалося записати прапорці активації до нового заголовка." - -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "Не вдалося прочитати вимоги із резервного заголовка." - -#: src/cryptsetup_reencrypt.c:682 -#, c-format -msgid "%s header backup of device %s created." -msgstr "Створено резервну копію заголовка %s пристрою %s." - -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "Спроба створення заголовків резервних копій LUKS зазнала невдачі." - -#: src/cryptsetup_reencrypt.c:878 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "Не вдалося відновити заголовок %s на пристрої %s." 
- -#: src/cryptsetup_reencrypt.c:880 -#, c-format -msgid "%s header on device %s restored." -msgstr "Відновлено заголовок %s на пристрої %s." - -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "Неможливо відкрити тимчасовий пристрій LUKS." - -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "Не вдалося отримати дані щодо розміру пристрою." - -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "Помилка введення-виведення під час повторного шифрування." - -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "Наданий UUID є некоректним." - -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "Не вдалося відкрити файл журналу повторного шифрування." - -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "Розшифровування не виконується. Наданий UUID можна використовувати лише для відновлення призупиненого процесу розшифровування." - -#: src/cryptsetup_reencrypt.c:1489 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "Змінено параметри pbkdf у слоті ключа %i." - -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Розмір блоку повторного шифрування повинен належати діапазону від 1 МіБ до 64 МІБ." - -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 64 МіБ." - -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] <device>" -msgstr "[ПАРАМЕТР...] <пристрій>" - -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "Повторне шифрування призведе до зміни: %s%s%s%s%s%s." 
- -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "ключ тому" - -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "встановити хеш у значення " - -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", встановити шифрування " - -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Слід вказати аргумент." - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "Параметр --new слід використовувати разом з --reduce-device-size або --header." - -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "Параметр --keep-key можна використовувати лише разом з параметром --hash --iter-time або --pbkdf-force-iterations." - -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "Параметр --new не можна використовувати разом з --decrypt." - -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "Параметр --decrypt є несумісним із вказаними параметрами." - -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "Параметр --uuid можна використовувати лише разом із --decrypt." - -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Некоректний тип luks. Скористайтеся одним з таких типів: luks, luks1 або luks2." - -#: src/utils_tools.c:119 +#: src/utils_tools.c:118 msgid "" "\n" "WARNING!\n" @@ -3105,7 +2991,7 @@ msgstr "" "======\n" #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_tools.c:120 #, c-format msgid "" "%s\n" 
@@ -3116,148 +3002,174 @@ msgstr "" "\n" "Ви впевнені? (Введіть «yes» великими літерами): " -#: src/utils_tools.c:127 +#: src/utils_tools.c:126 msgid "Error reading response from terminal." msgstr "Помилка під час спроби читання відповіді з термінала." -#: src/utils_tools.c:159 +#: src/utils_tools.c:158 msgid "Command successful." msgstr "Команду виконано успішно." -#: src/utils_tools.c:167 +#: src/utils_tools.c:166 msgid "wrong or missing parameters" msgstr "помилкові параметри або параметри не вказано" -#: src/utils_tools.c:169 +#: src/utils_tools.c:168 msgid "no permission or bad passphrase" msgstr "немає права доступу або помилковий пароль" -#: src/utils_tools.c:171 +#: src/utils_tools.c:170 msgid "out of memory" msgstr "недостатньо пам'яті" -#: src/utils_tools.c:173 +#: src/utils_tools.c:172 msgid "wrong device or file specified" msgstr "вказано помилковий пристрій або файл" -#: src/utils_tools.c:175 +#: src/utils_tools.c:174 msgid "device already exists or device is busy" msgstr "пристрій вже існує або пристрій зайнято" -#: src/utils_tools.c:177 +#: src/utils_tools.c:176 msgid "unknown error" msgstr "невідома помилка" -#: src/utils_tools.c:179 +#: src/utils_tools.c:178 #, c-format msgid "Command failed with code %i (%s)." msgstr "Спроба виконання команди завершилася повідомленням про помилку з кодом %i (%s)." -#: src/utils_tools.c:257 +#: src/utils_tools.c:256 #, c-format msgid "Key slot %i created." msgstr "Створено слот ключа %i." -#: src/utils_tools.c:259 +#: src/utils_tools.c:258 #, c-format msgid "Key slot %i unlocked." msgstr "Слот ключа %i розблоковано." -#: src/utils_tools.c:261 +#: src/utils_tools.c:260 #, c-format msgid "Key slot %i removed." msgstr "Слот ключа %i вилучено." -#: src/utils_tools.c:270 +#: src/utils_tools.c:269 #, c-format msgid "Token %i created." msgstr "Створено жетон %i." -#: src/utils_tools.c:272 +#: src/utils_tools.c:271 #, c-format msgid "Token %i removed." msgstr "Жетон %i вилучено." 
-#: src/utils_tools.c:282 +#: src/utils_tools.c:281 msgid "No token could be unlocked with this PIN." msgstr "За допомогою цього коду не можна розблокувати жоден жетон." -#: src/utils_tools.c:284 +#: src/utils_tools.c:283 #, c-format msgid "Token %i requires PIN." msgstr "Для доступу до жетона %i потрібен пінкод." -#: src/utils_tools.c:286 +#: src/utils_tools.c:285 #, c-format msgid "Token (type %s) requires PIN." msgstr "Для доступу до жетона (тип %s) потрібен пінкод." -#: src/utils_tools.c:289 +#: src/utils_tools.c:288 #, c-format msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Жетон %i не може розблокувати пов'язані слоти ключів (помилковий пароль до слота ключів)." -#: src/utils_tools.c:291 +#: src/utils_tools.c:290 #, c-format msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." msgstr "Жетон (типу %s) не може розблокувати пов'язані слоти ключів (помилковий пароль до слота ключів)." -#: src/utils_tools.c:294 +#: src/utils_tools.c:293 #, c-format msgid "Token %i requires additional missing resource." msgstr "Жетону %i потрібен додатковий ресурс, якого не вистачає." -#: src/utils_tools.c:296 +#: src/utils_tools.c:295 #, c-format msgid "Token (type %s) requires additional missing resource." msgstr "Жетону (типу %s) потрібен додатковий ресурс, якого не вистачає." -#: src/utils_tools.c:299 +#: src/utils_tools.c:298 #, c-format msgid "No usable token (type %s) is available." msgstr "Немає придатного до використання жетона (типу %s)." -#: src/utils_tools.c:301 +#: src/utils_tools.c:300 msgid "No usable token is available." msgstr "Немає придатного до використання жетона." -#: src/utils_tools.c:463 -msgid "" -"\n" -"Wipe interrupted." -msgstr "" -"\n" -"Витирання перервано." - -#: src/utils_tools.c:492 -msgid "" -"\n" -"Reencryption interrupted." -msgstr "" -"\n" -"Повторне шифрування перервано." - -#: src/utils_tools.c:511 +#: src/utils_tools.c:393 #, c-format msgid "Cannot read keyfile %s." 
msgstr "Не вдалося прочитати файл ключа %s." -#: src/utils_tools.c:516 +#: src/utils_tools.c:398 #, c-format msgid "Cannot read %d bytes from keyfile %s." msgstr "Не вдалося прочитати %d байтів з файла ключа %s." -#: src/utils_tools.c:541 +#: src/utils_tools.c:423 #, c-format msgid "Cannot open keyfile %s for write." msgstr "Не вдалося відкрити файл ключа %s для запису." -#: src/utils_tools.c:548 +#: src/utils_tools.c:430 #, c-format msgid "Cannot write to keyfile %s." msgstr "Не вдалося виконати запису до файла ключа %s." -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_progress.c:74 +#, c-format +msgid "%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>х%02<PRIu64>с" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s" +msgstr "%02<PRIu64>г%02<PRIu64>х%02<PRIu64>с" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02<PRIu64> days" +msgstr "%02<PRIu64> днів" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4<PRIu64> %s written" +msgstr "Записано %4<PRIu64> %s" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "швидкість %5.1f %s/с" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Поступ: %5.1f%%, приблизний час %s, %s, %s%s" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Завершено, час %s, %s, %s\n" + +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Не вдалося перевірити якість пароля: %s" 
@@ -3271,59 +3183,63 @@ msgstr "" "Помилка під час спроби оцінити якість пароля:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Помилка під час спроби оцінити якість пароля: некоректний пароль (%s)" -#: src/utils_password.c:224 src/utils_password.c:238 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "Помилка під час читання пароля з термінала." -#: src/utils_password.c:236 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "Перевірка пароля: " -#: src/utils_password.c:243 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "Паролі не збігаються." -#: src/utils_password.c:280 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "Не можна використовувати відступ у даних, що надходять з термінала." -#: src/utils_password.c:283 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "Введіть пароль: " -#: src/utils_password.c:286 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "Введіть пароль до %s: " -#: src/utils_password.c:317 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "Для цього пароля немає відповідного ключа." -#: src/utils_password.c:319 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "Немає доступних придатних до користування слотів ключів." -#: src/utils_luks2.c:47 +#: src/utils_luks.c:67 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty." + +#: src/utils_luks.c:182 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Не вдалося відкрити файл %s у режимі лише читання." 
-#: src/utils_luks2.c:60 +#: src/utils_luks.c:195 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Надайте коректний жетон JSON LUKS2:\n" -#: src/utils_luks2.c:67 +#: src/utils_luks.c:202 msgid "Failed to read JSON file." msgstr "Не вдалося прочитати файл JSON." -#: src/utils_luks2.c:72 +#: src/utils_luks.c:207 msgid "" "\n" "Read interrupted." @@ -3331,12 +3247,12 @@ msgstr "" "\n" "Читання перервано." -#: src/utils_luks2.c:113 +#: src/utils_luks.c:248 #, c-format msgid "Failed to open file %s in write mode." msgstr "Не вдалося відкрити файл %s у режимі запису." -#: src/utils_luks2.c:122 +#: src/utils_luks.c:257 msgid "" "\n" "Write interrupted." 
@@ -3344,54 +3260,423 @@ msgstr "" "\n" "Запис перервано." -#: src/utils_luks2.c:126 +#: src/utils_luks.c:261 msgid "Failed to write JSON file." msgstr "Не вдалося записати файл JSON." -#: src/utils_blockdev.c:192 +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Автоматично виявлено активний пристрій dm «%s» для пристрою даних %s.\n" + +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "Не вдалося автоматично визначити утримувачів пристрою %s." + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "Пристрій %s не є блоковим пристроєм.\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Не вдалося визначити, чи задіяно пристрій %s.\n" +"Ви справді хочете продовжити повторне шифрування у режимі з від'єднанням?\n" +"Таке шифрування може призвести до пошкодження даних, якщо пристрій задіяно.\n" +"Щоб запустити повторне шифрування у режимі без від'єднання, скористайтеся параметром --active-name.\n" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Пристрій %s не є блоковим пристроєм. Не можна визначити, чи є він активним.\n" +"Скористайтеся --force-offline-reencrypt для обходу перевірки та запуску в автономному режимі (небезпечно!)." 
+ +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Вказаний параметр --resilience не може бути застосовано до поточної дії з повторного шифрування." + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "Пристрій не у шифруванні LUKS2. Конфліктний параметр --encrypt." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "Пристрій не у розшифруванні LUKS2. Конфліктний параметр --decrypt." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "Пристрій перебуває у повторному шифруванні з використанням стійкості зсуву даних. Вказаний параметр --resilience не може бути застосовано." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "Пристрій потребує відновлення повторного шифрування. Спочатку виконайте відновлення." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS2. Хочете відновити раніше ініціалізовану дію?" + +#: src/utils_reencrypt.c:353 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Підтримки застарілого повторного шифрування LUKS2 більше не передбачено." + +#: src/utils_reencrypt.c:418 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "Підтримки повторного шифрування пристрою із профілем цілісності не передбачено." + +#: src/utils_reencrypt.c:449 +#, c-format +msgid "" +"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n" +"(block size: %<PRIu32> bytes) detected on device %s." 
+msgstr "" +"Вказаний --sector-size %<PRIu32> є несумісним із суперблоком %s\n" +"(розмір блоку: %<PRIu32> байтів), який виявлено на пристрої %s." + +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "Шифрування без від'єднаного заголовка (--header) є неможливим без зменшення розміру пристрою зберігання даних (--reduce-device-size)." + +#: src/utils_reencrypt.c:525 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "Вказаний зсув даних має бути меншим або рівним половині значення параметра --reduce-device-size." + +#: src/utils_reencrypt.c:535 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n" +msgstr "Коригуємо значення --reduce-device-size до подвійного значення --offset %<PRIu64> (у секторах).\n" + +#: src/utils_reencrypt.c:565 +#, c-format +msgid "Temporary header file %s already exists. Aborting." +msgstr "Файл тимчасового заголовка %s вже існує. Перериваємо обробку." + +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#, c-format +msgid "Cannot create temporary header file %s." +msgstr "Не вдалося створити файл тимчасового заголовка %s." + +#: src/utils_reencrypt.c:599 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "Розмір метаданих LUKS2 перевищує значення зсуву даних." + +#: src/utils_reencrypt.c:636 +#, c-format +msgid "Failed to place new header at head of device %s." +msgstr "Не вдалося розмістити новий заголовок на початку пристрою %s." + +#: src/utils_reencrypt.c:646 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s задіяно, система готова до інтерактивного шифрування.\n" + +#: src/utils_reencrypt.c:682 +#, c-format +msgid "Active device %s is not LUKS2." +msgstr "Активний пристрій %s не є пристроєм LUKS2." 
+ +#: src/utils_reencrypt.c:710 +msgid "Restoring original LUKS2 header." +msgstr "Відновлюємо початковий заголовок LUKS2." + +#: src/utils_reencrypt.c:718 +msgid "Original LUKS2 header restore failed." +msgstr "Спроба відновлення початкового заголовка LUKS2 зазнала невдачі." + +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Файла заголовка %s не існує. Хочете ініціалізувати розшифрування LUKS2 пристрою %s і експортувати заголовок LUKS2 до файла %s?" + +#: src/utils_reencrypt.c:792 +msgid "Failed to add read/write permissions to exported header file." +msgstr "Не вдалося додати права доступу для читання-запису до експортованого файла заголовка." + +#: src/utils_reencrypt.c:845 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "Не вдалося ініціалізувати повторне шифрування. Резервна копія заголовка перебуває у %s." + +#: src/utils_reencrypt.c:873 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "Підтримку розшифровування LUKS2 передбачено лише для пристроїв із від'єднаним заголовком (із встановленим нульовим відступом даних)." + +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +msgid "Not enough free keyslots for reencryption." +msgstr "Недостатньо вільних слотів ключів для повторного шифрування." + +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа." 
+ +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, c-format +msgid "Enter passphrase for key slot %d: " +msgstr "Вкажіть пароль для слоту ключа %d: " + +#: src/utils_reencrypt.c:1059 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "Вкажіть пароль для слоту ключа %u: " + +#: src/utils_reencrypt.c:1111 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "Перемикаємося на шифрування даних %s.\n" + +#: src/utils_reencrypt.c:1165 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "Не змінено параметри сегмента даних. Повторне шифрування перервано." + +#: src/utils_reencrypt.c:1267 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" +"Підтримки збільшення розміру сектора шифрування на вимкненому пристрої не передбачено.\n" +"Спочатку активуйте пристрій або скористайтеся параметром --force-offline-reencrypt (небезпечно!)." + +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"Повторне шифрування перервано." + +#: src/utils_reencrypt.c:1312 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Відновлюємо повторне шифрування LUKS у примусовому вимкненому режимі.\n" + +#: src/utils_reencrypt.c:1329 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "На пристрої %s містяться пошкоджені метадані LUKS. Перериваємо дію." + +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#, c-format +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "Пристрій %s вже є пристроєм LUKS. Перериваємо дію." + +#: src/utils_reencrypt.c:1373 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." 
+msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS. Перериваємо дію."
+
+#: src/utils_reencrypt.c:1453
+msgid "LUKS2 decryption requires --header option."
+msgstr "Для розшифровування LUKS2 потрібен параметр --header."
+
+#: src/utils_reencrypt.c:1501
+msgid "Command requires device as argument."
+msgstr "Комарні слід передати аргумент пристрою."
+
+#: src/utils_reencrypt.c:1514
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS1."
+msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS1."
+
+#: src/utils_reencrypt.c:1520
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
+msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS1."
+
+#: src/utils_reencrypt.c:1526
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS2."
+msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS2."
+
+#: src/utils_reencrypt.c:1532
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
+msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS2."
+
+#: src/utils_reencrypt.c:1538
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr "Вже ініційовано повторне шифрування LUKS2. Перериваємо виконання дії."
+
+#: src/utils_reencrypt.c:1545
+msgid "Device reencryption not in progress."
+msgstr "Повторне шифрування пристрою не виконується."
+
+#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#, c-format
+msgid "Cannot exclusively open %s, device in use."
+msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується."
+
+#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+msgid "Allocation of aligned memory failed."
+msgstr "Спроба розподілу вирівняних ділянок пам’яті зазнала невдачі."
+
+#: src/utils_reencrypt_luks1.c:150
+#, c-format
+msgid "Cannot read device %s."
+msgstr "Не вдалося виконати читання з пристрою %s."
+
+#: src/utils_reencrypt_luks1.c:161
+#, c-format
+msgid "Marking LUKS1 device %s unusable."
+msgstr "Позначаємо пристрій LUKS1 %s як непридатний."
+
+#: src/utils_reencrypt_luks1.c:177
+#, c-format
+msgid "Cannot write device %s."
+msgstr "Не вдалося виконати запис на пристрій %s."
+
+#: src/utils_reencrypt_luks1.c:226
+msgid "Cannot write reencryption log file."
+msgstr "Не вдалося записати файл журналу повторного шифрування."
+
+#: src/utils_reencrypt_luks1.c:282
+msgid "Cannot read reencryption log file."
+msgstr "Не вдалося прочитати файл журналу повторного шифрування."
+
+#: src/utils_reencrypt_luks1.c:293
+msgid "Wrong log format."
+msgstr "Помилкове форматування журналу."
+
+#: src/utils_reencrypt_luks1.c:320
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Файл журналу %s вже існує, поновлюємо повторне шифрування.\n"
+
+#: src/utils_reencrypt_luks1.c:369
+msgid "Activating temporary device using old LUKS header."
+msgstr "Спроба задіяти тимчасовий пристрій за допомогою старого заголовка LUKS."
+
+#: src/utils_reencrypt_luks1.c:379
+msgid "Activating temporary device using new LUKS header."
+msgstr "Спроба задіяти тимчасовий пристрій за допомогою нового заголовка LUKS."
+
+#: src/utils_reencrypt_luks1.c:389
+msgid "Activation of temporary devices failed."
+msgstr "Спроба задіяти тимчасові пристрої зазнала невдачі."
+
+#: src/utils_reencrypt_luks1.c:449
+msgid "Failed to set data offset."
+msgstr "Не вдалося встановити відступ у даних."
+
+#: src/utils_reencrypt_luks1.c:455
+msgid "Failed to set metadata size."
+msgstr "Не вдалося встановити розмір метаданих."
+
+#: src/utils_reencrypt_luks1.c:463
+#, c-format
+msgid "New LUKS header for device %s created."
+msgstr "Створено новий заголовок LUKS для пристрою %s."
+
+#: src/utils_reencrypt_luks1.c:500
+#, c-format
+msgid "%s header backup of device %s created."
+msgstr "Створено резервну копію заголовка %s пристрою %s."
+
+#: src/utils_reencrypt_luks1.c:556
+msgid "Creation of LUKS backup headers failed."
+msgstr "Спроба створення заголовків резервних копій LUKS зазнала невдачі."
+
+#: src/utils_reencrypt_luks1.c:685
+#, c-format
+msgid "Cannot restore %s header on device %s."
+msgstr "Не вдалося відновити заголовок %s на пристрої %s."
+
+#: src/utils_reencrypt_luks1.c:687
+#, c-format
+msgid "%s header on device %s restored."
+msgstr "Відновлено заголовок %s на пристрої %s."
+
+#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+msgid "Cannot open temporary LUKS device."
+msgstr "Неможливо відкрити тимчасовий пристрій LUKS."
+
+#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+msgid "Cannot get device size."
+msgstr "Не вдалося отримати дані щодо розміру пристрою."
+
+#: src/utils_reencrypt_luks1.c:968
+msgid "IO error during reencryption."
+msgstr "Помилка введення-виведення під час повторного шифрування."
+
+#: src/utils_reencrypt_luks1.c:998
+msgid "Provided UUID is invalid."
+msgstr "Наданий UUID є некоректним."
+
+#: src/utils_reencrypt_luks1.c:1224
+msgid "Cannot open reencryption log file."
+msgstr "Не вдалося відкрити файл журналу повторного шифрування."
+
+#: src/utils_reencrypt_luks1.c:1230
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
+msgstr "Розшифровування не виконується. Наданий UUID можна використовувати лише для відновлення призупиненого процесу розшифровування."
+
+#: src/utils_reencrypt_luks1.c:1286
+#, c-format
+msgid "Reencryption will change: %s%s%s%s%s%s."
+msgstr "Повторне шифрування призведе до зміни: %s%s%s%s%s%s."
+ +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "ключ тому" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "встановити хеш у значення " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", встановити шифрування " + +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "Попередження: пристрій %s вже містить підпис розділу «%s».\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "Попередження: пристрій %s вже містить підпис суперблоку «%s».\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 msgid "Failed to initialize device signature probes." msgstr "Не вдалося ініціалізувати зондування підписів пристроїв." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:274 #, c-format msgid "Failed to stat device %s." msgstr "Не вдалося зібрати статистичні дані щодо пристрою %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "Пристрій %s використовується сторонньою програмою. Продовження дій з форматування неможливе." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:289 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Не вдалося відкрити файл %s у режимі читання-запису." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:307 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Наявний підпис розділу «%s» на пристрої %s буде витерто." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:310 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Наявний підпис суперблоку «%s» на пристрої %s буде витерто." 
-#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:313 msgid "Failed to wipe device signature." msgstr "Не вдалося витерти підпис пристрою." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:320 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Не вдалося виконати зондування пристрою %s з метою виявлення підпису." @@ -3401,16 +3686,16 @@ msgstr "Не вдалося виконати зондування пристро msgid "Invalid size specification in parameter --%s." msgstr "Некоректна специфікація розміру у параметрі --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "Параметр --%s не можна використовувати разом із дією %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:110 msgid "Failed to write ssh token json." msgstr "Не вдалося записати JSON жетона ssh." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:128 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" 
@@ -3426,110 +3711,110 @@ msgstr "" "\n" "Зауваження: дані, які надано при додаванні жетона (адреса сервера SSH, користувач та шляхи) буде збережено у заголовку LUKS2 у форматі звичайного тексту." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:138 msgid "<action> <device>" msgstr "<дія> <пристрій>" -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "Options for the 'add' action:" msgstr "Параметри дії «add» (додати):" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:142 msgid "IP address/URL of the remote server for this token" msgstr "IP-адреса/Назва віддаленого сервера для цього жетона" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:143 msgid "Username used for the remote server" msgstr "Ім'я користувача для доступу до віддаленого сервера" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:144 msgid "Path to the key file on the remote server" msgstr "Шлях до файла ключа на віддаленому сервері" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:145 msgid "Path to the SSH key for connecting to the remote server" msgstr "Шлях до ключа SSH для з'єднання із віддаленим сервером" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:146 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Слот ключа для прив'язування жетона. Якщо не вказано, жетон буде пов'язано із першим слотом ключа, який відповідає наданому паролю." 
-#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:148 msgid "Generic options:" msgstr "Загальні параметри:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:149 msgid "Shows more detailed error messages" msgstr "Показувати докладні повідомлення про помилки" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:150 msgid "Show debug messages" msgstr "Показувати діагностичні повідомлення" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid "Show debug messages including JSON metadata" msgstr "Показувати діагностичні повідомлення, зокрема метадані JSON" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:262 msgid "Failed to open and import private key:\n" msgstr "Не вдалося відкрити і імпортувати закритий ключ:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:266 msgid "Failed to import private key (password protected?).\n" msgstr "Не вдалося імпортувати закритий ключ (захищено паролем?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. 
"user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:268 #, c-format msgid "%s@%s's password: " msgstr "Пароль до %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:357 #, c-format msgid "Failed to parse arguments.\n" msgstr "Не вдалося обробити аргументи.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:368 #, c-format msgid "An action must be specified\n" msgstr "Має бути вказано дію\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:374 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано пристрій.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:379 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано сервер SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:384 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано користувача SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:389 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано шлях до SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:394 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано шлях до ключа SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:401 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Не вдалося відкрити %s за допомогою наданих реєстраційних даних.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:417 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "У поточній версії цього додатка передбачено підтримку лише дії «add» (додати0.\n" -#: tokens/ssh/ssh-utils.c:46 
tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "Не вдалося створити сеанс sftp: " @@ -3537,6 +3822,10 @@ msgstr "Не вдалося створити сеанс sftp: " msgid "Cannot init sftp session: " msgstr "Не вдалося ініціалізувати сеанс sftp: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "Не вдалося відкрити сеанс sftp: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "Не вдалося статистично обробити файл sftp: " 
@@ -3565,6 +3854,93 @@ msgstr "На вузлі заборонено спосіб розпізнаван msgid "Public key authentication error: " msgstr "Помилка розпізнавання за відкритим ключем: " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "Увага: відступ у даних виходить за межі поточного доступного пристрою для зберігання даних.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Не вдалося отримати значення пріоритетності процесу." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Не вдалося розблокувати пам’ять." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Буде створено каталог блокування %s/%s із типовими вбудованими правами доступу." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "Не вдалося прочитати підпис BITLK з %s." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Некоректний або невідомий підпис для пристрою BITLK." + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "Не вдалося витерти дані резервного сегмента." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "Не вдалося вимкнути прапорець вимоги повторного шифрування." + +#~ msgid "Encryption is supported only for LUKS2 format." +#~ msgstr "Підтримку шифрування передбачено лише для формату LUKS2." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Виявлено пристрій LUKS на %s. Хочете зашифрувати цей пристрій LUKS знову?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "У поточній версії передбачено підтримку лише формату LUKS2. Для роботи з LUKS1, будь ласка, скористайтеся програмою cryptsetup-reencrypt." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Вже виконується повторне шифрування з від'єднанням у застарілому режимі. Скористайтеся програмою cryptsetup-reencrypt." 
+ +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "Пристрій LUKS2 не перебуває у стані повторного шифрування." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Встановлюємо прапорець повторного шифрування LUKS2 з від'єднанням на пристрій %s." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Ця версія cryptsetup-reencrypt не може обробляти новий тип вбудованих жетонів %s." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "Не вдалося прочитати прапорці активації з резервного заголовка." + +#~ msgid "Failed to write activation flags to new header." +#~ msgstr "Не вдалося записати прапорці активації до нового заголовка." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Змінено параметри pbkdf у слоті ключа %i." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Розмір блоку повторного шифрування повинен належати діапазону від 1 МіБ до 64 МІБ." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 64 МіБ." + +#~ msgid "[OPTION...] <device>" +#~ msgstr "[ПАРАМЕТР...] <пристрій>" + +#~ msgid "Argument required." +#~ msgstr "Слід вказати аргумент." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "Параметр --new слід використовувати разом з --reduce-device-size або --header." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "Параметр --keep-key можна використовувати лише разом з параметром --hash --iter-time або --pbkdf-force-iterations." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "Параметр --new не можна використовувати разом з --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." 
+#~ msgstr "Параметр --decrypt є несумісним із вказаними параметрами." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "Параметр --uuid можна використовувати лише разом із --decrypt." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Некоректний тип luks. Скористайтеся одним з таких типів: luks, luks1 або luks2." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "Пристрій %s використовується сторонньою програмою. Продовження дій з форматування неможливе." + #~ msgid "No free token slot." #~ msgstr "Немає вільного слоту ключів." @@ -3887,9 +4263,6 @@ msgstr "Помилка розпізнавання за відкритим клю #~ msgid "Sector size option is not supported for this command." #~ msgstr "У цій команді не передбачено підтримки параметра розміру сектора." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "Параметр --unbound можна використовувати лише з діями luksAddKey і luksDump." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "Параметр --refresh можна використовувати лише під час дії з відкриття (open)." @@ -4070,9 +4443,6 @@ msgstr "Помилка розпізнавання за відкритим клю #~ msgid "Read new volume (master) key from file" #~ msgstr "Прочитати новий ключ тому (основний ключ) з файла" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Тривалість ітерації PBKDF2 для LUKS (у мс)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Використовувати безпосереднє введення-виведення під час доступу до пристроїв" diff --git a/src/Makemodule.am b/src/Makemodule.am index 49e0c5a..57fff40 100644 --- a/src/Makemodule.am +++ b/src/Makemodule.am 
@@ -9,10 +9,14 @@ cryptsetup_SOURCES = \ src/utils_args.c \ src/utils_tools.c \ src/utils_password.c \ - src/utils_luks2.c \ + src/utils_luks.c \ + src/utils_luks.h \ src/utils_blockdev.c \ src/utils_arg_names.h \ src/utils_arg_macros.h \ + src/utils_reencrypt.c \ + src/utils_reencrypt_luks1.c \ + src/utils_progress.c \ src/cryptsetup.c \ src/cryptsetup.h \ src/cryptsetup_args.h \ @@ -88,6 +92,7 @@ integritysetup_SOURCES = \ src/utils_arg_macros.h \ src/utils_tools.c \ src/utils_blockdev.c \ + src/utils_progress.c \ src/integritysetup.c \ src/integritysetup_args.h \ src/integritysetup_arg_list.h \ @@ -111,40 +116,3 @@ integritysetup_static_LDADD = \ @DEVMAPPER_STATIC_LIBS@ endif endif - -# reencrypt -if REENCRYPT -cryptsetup_reencrypt_SOURCES = \ - lib/utils_crypt.c \ - lib/utils_io.c \ - lib/utils_blkid.c \ - src/utils_tools.c \ - lib/utils_loop.c \ - src/utils_args.c \ - src/utils_password.c \ - src/cryptsetup_reencrypt.c \ - src/cryptsetup_reencrypt_args.h \ - src/cryptsetup_reencrypt_arg_list.h \ - src/cryptsetup.h - -cryptsetup_reencrypt_LDADD = $(LDADD) \ - libcryptsetup.la \ - @POPT_LIBS@ \ - @PWQUALITY_LIBS@ \ - @PASSWDQC_LIBS@ \ - @UUID_LIBS@ \ - @BLKID_LIBS@ - -sbin_PROGRAMS += cryptsetup-reencrypt - -if STATIC_TOOLS -sbin_PROGRAMS += cryptsetup-reencrypt.static -cryptsetup_reencrypt_static_SOURCES = $(cryptsetup_reencrypt_SOURCES) -cryptsetup_reencrypt_static_LDFLAGS = $(AM_LDFLAGS) -all-static -cryptsetup_reencrypt_static_LDADD = \ - $(cryptsetup_reencrypt_LDADD) \ - @CRYPTO_STATIC_LIBS@ \ - @PWQUALITY_STATIC_LIBS@ \ - @DEVMAPPER_STATIC_LIBS@ -endif -endif diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 9623fe6..e387c1c 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c 
@@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,15 +25,16 @@ #include "cryptsetup.h" #include "cryptsetup_args.h" +#include "utils_luks.h" static char *keyfiles[MAX_KEYFILES]; static char *keyfile_stdin = NULL; static int keyfiles_count = 0; -static int64_t data_shift = 0; +int64_t data_shift = 0; -static const char *device_type = "luks"; -static const char *set_pbkdf = NULL; +const char *device_type = "luks"; +const char *set_pbkdf = NULL; static const char **action_argv; static int action_argc; @@ -42,6 +43,12 @@ static int total_keyfiles = 0; static struct tools_log_params log_parms; +struct tools_arg tool_core_args[] = { { NULL, false, CRYPT_ARG_BOOL }, /* leave unused due to popt library */ +#define ARG(A, B, C, D, E, F, G, H) { A, false, F, G, H }, +#include "cryptsetup_arg_list.h" +#undef ARG +}; + void tools_cleanup(void) { tools_args_free(tool_core_args, ARRAY_SIZE(tool_core_args)); 
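Review bot: `data_shift`, `device_type` and `set_pbkdf` lose `static` in the `-25,15` hunk and so become program-wide symbols with very generic names, but nothing at the definition says which other source files read or write them. I would add a comment above them such as `/* shared with the other cryptsetup tool sources; the extern declarations must match these types */`. If the newly included `utils_luks.h` is where they are declared (not visible here), the comment should name it. The same applies to the `tool_core_args` definition added in the following hunk.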
@@ -62,104 +69,11 @@ static const char *uuid_or_device_header(const char **data_device) return uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0]); } -static const char *luksType(const char *type) -{ - if (type && !strcmp(type, "luks2")) - return CRYPT_LUKS2; - - if (type && !strcmp(type, "luks1")) - return CRYPT_LUKS1; - - if (type && !strcmp(type, "luks")) - return CRYPT_LUKS; /* NULL */ - - if (type && *type) - return type; - - return CRYPT_LUKS; /* NULL */ -} - -static bool isLUKS1(const char *type) -{ - return type && !strcmp(type, CRYPT_LUKS1); -} - -static bool isLUKS2(const char *type) -{ - return type && !strcmp(type, CRYPT_LUKS2); -} - static bool isLUKS(const char *type) { return isLUKS2(type) || isLUKS1(type); } -static int _verify_passphrase(int def) -{ - /* Batch mode switch off verify - if not overridden by -y */ - if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID)) - def = 1; - else if (ARG_SET(OPT_BATCH_MODE_ID)) - def = 0; - - /* Non-tty input doesn't allow verify */ - if (def && !isatty(STDIN_FILENO)) { - if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID)) - log_err(_("Can't do passphrase verification on non-tty inputs.")); - def = 0; - } - - return def; -} - -static void _set_activation_flags(uint32_t *flags) -{ - if (ARG_SET(OPT_READONLY_ID)) - *flags |= CRYPT_ACTIVATE_READONLY; - - if (ARG_SET(OPT_ALLOW_DISCARDS_ID)) - *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; - - if (ARG_SET(OPT_PERF_SAME_CPU_CRYPT_ID)) - *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT; - - if (ARG_SET(OPT_PERF_SUBMIT_FROM_CRYPT_CPUS_ID)) - *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; - - if (ARG_SET(OPT_PERF_NO_READ_WORKQUEUE_ID)) - *flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE; - - if (ARG_SET(OPT_PERF_NO_WRITE_WORKQUEUE_ID)) - *flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE; - - if (ARG_SET(OPT_INTEGRITY_NO_JOURNAL_ID)) - *flags |= CRYPT_ACTIVATE_NO_JOURNAL; - - /* In persistent mode, we use what is set on command line */ - if (ARG_SET(OPT_PERSISTENT_ID)) - *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; - - 
/* Only for LUKS2 but ignored elsewhere */ - if (ARG_SET(OPT_TEST_PASSPHRASE_ID)) - *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; - - if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) - *flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF; - - /* Only for plain */ - if (ARG_SET(OPT_IV_LARGE_SECTORS_ID)) - *flags |= CRYPT_ACTIVATE_IV_LARGE_SECTORS; -} - -static void _set_reencryption_flags(uint32_t *flags) -{ - if (ARG_SET(OPT_INIT_ONLY_ID)) - *flags |= CRYPT_REENCRYPT_INITIALIZE_ONLY; - - if (ARG_SET(OPT_RESUME_ONLY_ID)) - *flags |= CRYPT_REENCRYPT_RESUME_ONLY; -} - static int _set_keyslot_encryption_params(struct crypt_device *cd) { const char *type = crypt_get_type(cd); @@ -175,17 +89,13 @@ static int _set_keyslot_encryption_params(struct crypt_device *cd) return crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8); } -static int _set_tries_tty(void) -{ - return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1; -} - static int _try_token_pin_unlock(struct crypt_device *cd, int token_id, const char *activated_name, const char *token_type, uint32_t activate_flags, - int tries) + int tries, + bool activation) { size_t pin_len; char msg[64], *pin = NULL; 
@@ -195,24 +105,29 @@ static int _try_token_pin_unlock(struct crypt_device *cd, assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN); if (token_id == CRYPT_ANY_TOKEN) - r = snprintf(msg, sizeof(msg), _("Enter token PIN:")); + r = snprintf(msg, sizeof(msg), _("Enter token PIN: ")); else - r = snprintf(msg, sizeof(msg), _("Enter token %d PIN:"), token_id); + r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id); if (r < 0 || (size_t)r >= sizeof(msg)) return -EINVAL; do { r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL, - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) break; - r = crypt_activate_by_token_pin(cd, activated_name, token_type, ARG_INT32(OPT_TOKEN_ID_ID), - pin, pin_len, NULL, activate_flags); + if (activation) + r = crypt_activate_by_token_pin(cd, activated_name, token_type, + token_id, pin, pin_len, NULL, + activate_flags); + else + r = crypt_resume_by_token_pin(cd, activated_name, token_type, + token_id, pin, pin_len, NULL); crypt_safe_free(pin); pin = NULL; tools_keyslot_msg(r, UNLOCKED); - tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), true); + tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), token_id, true); check_signal(&r); } while (r == -ENOANO && (--tries > 0)); @@ -229,7 +144,6 @@ static int action_open_plain(void) .hash = ARG_SET(OPT_HASH_ID) ? ARG_STR(OPT_HASH_ID) : DEFAULT_PLAIN_HASH, .skip = ARG_UINT64(OPT_SKIP_ID), .offset = ARG_UINT64(OPT_OFFSET_ID), - .size = ARG_UINT64(OPT_SIZE_ID), .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE }; char *password = NULL; 
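Review bot: In the retry loop of `_try_token_pin_unlock`, the error report still passes `ARG_STR(OPT_TOKEN_TYPE_ID)` rather than the `token_type` parameter, although this hunk already switches the activate/resume calls and the message to the `token_id` argument. If a caller ever passes a token type that differs from the command-line option, the reported type would not match the token that was actually tried; `tools_token_error_msg(r, token_type, token_id, true);` keeps the two in step. The new `activation` flag also deserves a line of documentation: when it is false the function calls `crypt_resume_by_token_pin` and `activate_flags` is ignored. The signature is in the previous hunk and the function body ends outside this one.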
@@ -292,7 +206,7 @@ static int action_open_plain(void) /* Skip blkid scan when activating plain device with offset */ if (!ARG_UINT64(OPT_OFFSET_ID)) { /* Print all present signatures in read-only mode */ - r = tools_detect_signatures(action_argv[0], 0, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); + r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); if (r < 0) goto out; } @@ -314,6 +228,11 @@ static int action_open_plain(void) pmode = cipher_mode; } + if (ARG_SET(OPT_DEVICE_SIZE_ID)) + params.size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE; + else if (ARG_SET(OPT_SIZE_ID)) + params.size = ARG_UINT64(OPT_SIZE_ID); + r = crypt_format(cd, CRYPT_PLAIN, pcipher, pmode, NULL, NULL, @@ -326,7 +245,7 @@ static int action_open_plain(void) if (ARG_SET(OPT_SHARED_ID)) activate_flags |= CRYPT_ACTIVATE_SHARED; - _set_activation_flags(&activate_flags); + set_activation_flags(&activate_flags); if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) { /* If no hash, key is read directly, read size is always key_size @@ -343,7 +262,7 @@ static int action_open_plain(void) r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), key_size_max, ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -393,7 +312,7 @@ static int action_open_loopaes(void) goto out; } - _set_activation_flags(&activate_flags); + set_activation_flags(&activate_flags); r = crypt_activate_by_keyfile_device_offset(cd, activated_name, CRYPT_ANY_SLOT, tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) ? "/dev/stdin" : ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), 
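Review bot: `params.size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;` in the `-314,6` hunk of `action_open_plain` rounds down, so a `--device-size` that is not a multiple of the sector size would silently map fewer bytes than the user asked for. Unless option parsing already rejects unaligned values (not visible in this hunk), guard it before the division, e.g. `if (ARG_UINT64(OPT_DEVICE_SIZE_ID) % SECTOR_SIZE) { r = -EINVAL; goto out; }`. A short comment that `params.size` is counted in `SECTOR_SIZE` units while `--size` is passed through unchanged would also help the next reader. The function starts and ends outside the hunk.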
@@ -408,12 +327,12 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para { int r, tries, eperm = 0; - tries = _set_tries_tty(); + tries = set_tries_tty(); do { /* TCRYPT header is encrypted, get passphrase now */ r = tools_get_key(NULL, CONST_CAST(char**)¶ms->passphrase, ¶ms->passphrase_size, 0, 0, keyfile_stdin, ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) continue; @@ -426,7 +345,7 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para r = tools_get_key(_("Enter VeraCrypt PIM: "), &tmp_pim_nptr, &tmp_pim_size, 0, 0, keyfile_stdin, ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) continue; @@ -506,7 +425,7 @@ static int action_open_tcrypt(void) if (r < 0) goto out; - _set_activation_flags(&activate_flags); + set_activation_flags(&activate_flags); if (activated_name) r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, activate_flags); @@ -537,9 +456,9 @@ static int action_open_bitlk(void) log_err(_("Device %s is not a valid BITLK device."), action_argv[0]); goto out; } - _set_activation_flags(&activate_flags); + set_activation_flags(&activate_flags); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { keysize = crypt_get_volume_key_size(cd); if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) { log_err(_("Cannot determine volume key size for BITLK, please use --key-size option.")); 
@@ -548,17 +467,17 @@ static int action_open_bitlk(void) } else if (!keysize) keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8; - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize); + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) goto out; r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags); } else { - tries = _set_tries_tty(); + tries = set_tries_tty(); do { r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -581,7 +500,6 @@ static int tcryptDump_with_volume_key(struct crypt_device *cd) { char *vk = NULL; size_t vk_size; - unsigned i; int r; if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog( @@ -606,12 +524,7 @@ static int tcryptDump_with_volume_key(struct crypt_device *cd) log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd)); log_std("MK bits: \t%d\n", (int)vk_size * 8); log_std("MK dump:\t"); - - for(i = 0; i < vk_size; i++) { - if (i && !(i % 16)) - log_std("\n\t\t"); - log_std("%02hhx ", (char)vk[i]); - } + crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t"); log_std("\n"); out: crypt_safe_free(vk); @@ -639,7 +552,7 @@ static int action_tcryptDump(void) if (r < 0) goto out; - if (ARG_SET(OPT_DUMP_MASTER_KEY_ID)) + if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) r = tcryptDump_with_volume_key(cd); else r = crypt_dump(cd); @@ -654,10 +567,9 @@ static int bitlkDump_with_volume_key(struct crypt_device *cd) char *vk = NULL, *password = NULL; size_t passwordLen = 0; size_t vk_size; - unsigned i; int r; - if (!yesDialog( + if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog( _("The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" "This dump should be stored encrypted in a safe place."), 
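Review bot: The confirmation in `bitlkDump_with_volume_key` is now skipped whenever batch mode is set (`!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(`), so a scripted run writes the volume key to standard output, or to the volume-key file, with no prompt at all. That matches `tcryptDump_with_volume_key` above, but the reason should be stated where it happens, e.g. `/* batch mode: the caller has accepted that the volume key is emitted; no confirmation */`. It is also worth noting in the option documentation that the output of such a run has to be kept out of logs and CI artefacts. The function body continues in the next hunk.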
@@ -683,8 +595,8 @@ static int bitlkDump_with_volume_key(struct crypt_device *cd) goto out; tools_keyslot_msg(r, UNLOCKED); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_write_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), vk, vk_size); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size); if (r < 0) goto out; } @@ -694,19 +606,13 @@ static int bitlkDump_with_volume_key(struct crypt_device *cd) log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd)); log_std("UUID: \t%s\n", crypt_get_uuid(cd)); log_std("MK bits: \t%d\n", (int)vk_size * 8); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - log_std("Key stored to file %s.\n", ARG_STR(OPT_MASTER_KEY_FILE_ID)); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID)); goto out; } log_std("MK dump:\t"); - - for(i = 0; i < vk_size; i++) { - if (i && !(i % 16)) - log_std("\n\t\t"); - log_std("%02hhx ", (char)vk[i]); - } + crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t"); log_std("\n"); - out: crypt_safe_free(password); crypt_safe_free(vk); @@ -722,10 +628,12 @@ static int action_bitlkDump(void) goto out; r = crypt_load(cd, CRYPT_BITLK, NULL); - if (r < 0) + if (r < 0) { + log_err(_("Device %s is not a valid BITLK device."), action_argv[0]); goto out; + } - if (ARG_SET(OPT_DUMP_MASTER_KEY_ID)) + if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) r = bitlkDump_with_volume_key(cd); else r = crypt_dump(cd); 
@@ -734,6 +642,143 @@ out: return r; } +static int fvault2Dump_with_volume_key(struct crypt_device *cd) +{ + char *vk = NULL; + char *password = NULL; + size_t vk_size = 0; + size_t pass_len = 0; + int r = 0; + + if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog( + _("The header dump with volume key is sensitive information\n" + "that allows access to encrypted partition without a passphrase.\n" + "This dump should be stored encrypted in a safe place."), + NULL)) + return -EPERM; + + vk_size = crypt_get_volume_key_size(cd); + vk = crypt_safe_alloc(vk_size); + if (vk == NULL) + return -ENOMEM; + + r = tools_get_key(NULL, &password, &pass_len, + ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), + ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd); + if (r < 0) + goto out; + + r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size, password, pass_len); + tools_passphrase_msg(r); + check_signal(&r); + if (r < 0) + goto out; + + tools_keyslot_msg(r, UNLOCKED); + + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size); + if (r < 0) + goto out; + } + + r = crypt_dump(cd); + if (r < 0) + goto out; + + log_std("Volume key: \t"); + crypt_log_hex(cd, vk, vk_size, " ", 0, NULL); + log_std("\n"); +out: + crypt_safe_free(password); + crypt_safe_free(vk); + return r; +} + +static int action_fvault2Dump(void) +{ + struct crypt_device *cd = NULL; + int r = 0; + + r = crypt_init(&cd, action_argv[0]); + if (r < 0) + goto out; + + r = crypt_load(cd, CRYPT_FVAULT2, NULL); + if (r < 0) { + log_err(_("Device %s is not a valid FVAULT2 device."), action_argv[0]); + goto out; + } + + if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) + r = fvault2Dump_with_volume_key(cd); + else + r = crypt_dump(cd); +out: + crypt_free(cd); + return r; +} + +static int action_open_fvault2(void) +{ + struct crypt_device *cd = NULL; + const char *activated_name; + uint32_t activate_flags = 0; + int r, tries, keysize; + char *password = NULL; 
+ char *key = NULL; + size_t passwordLen; + + activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1]; + + if ((r = crypt_init(&cd, action_argv[0]))) + goto out; + + r = crypt_load(cd, CRYPT_FVAULT2, NULL); + if (r < 0) { + log_err(_("Device %s is not a valid FVAULT2 device."), action_argv[0]); + goto out; + } + set_activation_flags(&activate_flags); + + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + keysize = crypt_get_volume_key_size(cd); + if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) { + log_err(_("Cannot determine volume key size for FVAULT2, please use --key-size option.")); + r = -EINVAL; + goto out; + } else if (!keysize) + keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8; + + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); + if (r < 0) + goto out; + r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags); + } else { + tries = set_tries_tty(); + do { + r = tools_get_key(NULL, &password, &passwordLen, + ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), + ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), + verify_passphrase(0), 0, cd); + if (r < 0) + goto out; + + r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT, + password, passwordLen, activate_flags); + tools_passphrase_msg(r); + check_signal(&r); + crypt_safe_free(password); + password = NULL; + } while ((r == -EPERM || r == -ERANGE) && (--tries > 0)); + } +out: + crypt_safe_free(password); + crypt_safe_free(key); + crypt_free(cd); + return r; +} + static int action_close(void) { struct crypt_device *cd = NULL; @@ -746,7 +791,7 @@ static int action_close(void) if (ARG_SET(OPT_CANCEL_DEFERRED_ID)) flags |= CRYPT_DEACTIVATE_DEFERRED_CANCEL; - r = crypt_init_by_name(&cd, action_argv[0]); + r = crypt_init_by_name_and_header(&cd, action_argv[0], ARG_STR(OPT_HEADER_ID)); if (r == 0) r = crypt_deactivate_by_name(cd, action_argv[0], flags); 
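Review bot: In `fvault2Dump_with_volume_key` the volume key is still printed to standard output after it has been stored with `--volume-key-file`, because the `tools_write_mk()` branch falls through to `crypt_dump()` and `crypt_log_hex(cd, vk, vk_size, " ", 0, NULL)`. The BITLK and LUKS dump helpers touched by this same patch print `Key stored to file %s.` and `goto out` in that case, so a user who sends the key to a file would not expect it to also land in the terminal or in captured logs. Suggest mirroring them by placing `if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID)); goto out; }` after the `crypt_dump()` error check and before the `Volume key:` line.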
@@ -799,16 +844,17 @@ static int action_resize(void) tools_keyslot_msg(r, UNLOCKED); tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); - /* Token requires PIN, but ask only if there is no password query later */ - if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO) - r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, 1); + /* Token requires PIN. Ask if there is evident preference for tokens */ + if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || + ARG_SET(OPT_TOKEN_ID_ID))) + r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, 1, true); - if (r >= 0 || ARG_SET(OPT_TOKEN_ONLY_ID)) + if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -951,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si .time_ms = 1000, }; - r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "bar", 3, key_size, + r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size, &benchmark_callback, &pbkdf); if (r < 0) log_std(_("PBKDF2-%-9s N/A\n"), hash); @@ -966,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si .parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) }; - r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, + r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef0123456789abcdef", 32, key_size, &benchmark_callback, &pbkdf); if (r < 0) 
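Review bot: In `action_benchmark_kdf`, both changed `crypt_benchmark_pbkdf()` calls (this hunk and the following one for the non-PBKDF2 branch) pass hand-counted lengths `8`, `16` and `32` beside string literals, so a later edit to a literal can silently disagree with its length, and nothing records why these sizes were picked. Suggest named constant buffers with `sizeof(buf) - 1` for the lengths, or at least a comment such as `/* fixed benchmark-only password (8 bytes) and salt (16/32 bytes); never used to protect data */`. The function starts and ends outside both hunks, so any minimum-length requirement behind the change is not visible here and should be stated by the author.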
@@ -1115,63 +1161,6 @@ static int action_benchmark(void) return r; } -static int set_pbkdf_params(struct crypt_device *cd, const char *dev_type) -{ - const struct crypt_pbkdf_type *pbkdf_default; - struct crypt_pbkdf_type pbkdf = {}; - - pbkdf_default = crypt_get_pbkdf_default(dev_type); - if (!pbkdf_default) - return -EINVAL; - - pbkdf.type = set_pbkdf ?: pbkdf_default->type; - pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash; - pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms; - if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) { - pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb; - pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads; - } - - if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) { - pbkdf.iterations = ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID); - pbkdf.time_ms = 0; - pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK; - } - - return crypt_set_pbkdf_type(cd, &pbkdf); -} - -static int set_keyslot_params(struct crypt_device *cd, int keyslot) -{ - const char *cipher; - struct crypt_pbkdf_type pbkdf; - size_t key_size; - - cipher = crypt_keyslot_get_encryption(cd, keyslot, &key_size); - if (!cipher) - return -EINVAL; - - if (crypt_is_cipher_null(cipher)) { - log_dbg("Keyslot %d uses cipher_null. 
Replacing with default encryption in new keyslot.", keyslot); - cipher = DEFAULT_LUKS2_KEYSLOT_CIPHER; - key_size = DEFAULT_LUKS2_KEYSLOT_KEYBITS / 8; - } - - if (crypt_keyslot_set_encryption(cd, cipher, key_size)) - return -EINVAL; - - /* if requested any of those just reinitialize context pbkdf */ - if (set_pbkdf || ARG_SET(OPT_HASH_ID) || ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID) || ARG_SET(OPT_ITER_TIME_ID)) - return set_pbkdf_params(cd, CRYPT_LUKS2); - - if (crypt_keyslot_get_pbkdf(cd, keyslot, &pbkdf)) - return -EINVAL; - - pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK; - - return crypt_set_pbkdf_type(cd, &pbkdf); -} - static int reencrypt_metadata_repair(struct crypt_device *cd) { char *password; @@ -1188,10 +1177,10 @@ static int reencrypt_metadata_repair(struct crypt_device *cd) _("Operation aborted.\n"))) return -EINVAL; - r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "), + r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "), &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) return r; @@ -1247,7 +1236,7 @@ static int luks2_reencrypt_repair(struct crypt_device *cd) r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) return r; @@ -1293,7 +1282,7 @@ static int action_luksRepair(void) goto out; } - r = tools_detect_signatures(action_argv[0], 1, NULL, ARG_SET(OPT_BATCH_MODE_ID)); + r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID)); if (r < 0) goto out; 
@@ -1316,10 +1305,14 @@ static int _wipe_data_device(struct crypt_device *cd) { char tmp_name[64], tmp_path[128], tmp_uuid[40]; uuid_t tmp_uuid_bin; - int r; + int r = -EINVAL; + char *backing_file = NULL; struct tools_progress_params prog_parms = { .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), - .batch_mode = ARG_SET(OPT_BATCH_MODE_ID) + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nWipe interrupted."), + .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file) }; if (!ARG_SET(OPT_BATCH_MODE_ID)) @@ -1331,23 +1324,25 @@ static int _wipe_data_device(struct crypt_device *cd) uuid_generate(tmp_uuid_bin); uuid_unparse(tmp_uuid_bin, tmp_uuid); if (snprintf(tmp_name, sizeof(tmp_name), "temporary-cryptsetup-%s", tmp_uuid) < 0) - return -EINVAL; + goto out; if (snprintf(tmp_path, sizeof(tmp_path), "%s/%s", crypt_get_dir(), tmp_name) < 0) - return -EINVAL; + goto out; r = crypt_activate_by_volume_key(cd, tmp_name, NULL, 0, CRYPT_ACTIVATE_PRIVATE | CRYPT_ACTIVATE_NO_JOURNAL); if (r < 0) - return r; + goto out; /* Wipe the device */ set_int_handler(0); r = crypt_wipe(cd, tmp_path, CRYPT_WIPE_ZERO, 0, 0, DEFAULT_WIPE_BLOCK, - 0, &tools_wipe_progress, &prog_parms); + 0, &tools_progress, &prog_parms); if (crypt_deactivate(cd, tmp_name)) log_err(_("Cannot deactivate temporary device %s."), tmp_path); set_int_block(0); +out: + free(backing_file); return r; } 
@@ -1356,22 +1351,7 @@ static int strcmp_or_null(const char *str, const char *expected) return !str ? 0 : strcmp(str, expected); } -static int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize) -{ - uint32_t keysize_bits = ARG_UINT32(OPT_KEY_SIZE_ID); - -#ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE - if (!ARG_SET(OPT_KEY_SIZE_ID) && !strncmp(cipher_mode, "xts-", 4)) { - if (default_size_bits == 128) - keysize_bits = 256; - else if (default_size_bits == 256) - keysize_bits = 512; - } -#endif - return (keysize_bits ?: default_size_bits) / 8 + integrity_keysize; -} - -static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen) +int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen) { int r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0; struct stat st; @@ -1486,7 +1466,7 @@ static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_ } /* Print all present signatures in read-only mode */ - r = tools_detect_signatures(header_device, 0, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); + r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); if (r < 0) goto out; @@ -1512,12 +1492,12 @@ static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_ r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); if (r < 0) goto out; - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) goto out; } 
@@ -1529,7 +1509,7 @@ static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_ } /* Signature candidates found */ - if (signatures && ((r = tools_wipe_all_signatures(header_device)) < 0)) + if (signatures && ((r = tools_wipe_all_signatures(header_device, true, false)) < 0)) goto out; if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID)) @@ -1549,7 +1529,7 @@ static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_ key, keysize, password, passwordLen); if (r < 0) { - (void) tools_wipe_all_signatures(header_device); + (void) tools_wipe_all_signatures(header_device, true, false); goto out; } tools_keyslot_msg(r, CREATED); @@ -1574,7 +1554,7 @@ out: static int action_luksFormat(void) { - return _luksFormat(NULL, NULL, NULL); + return luksFormat(NULL, NULL, NULL); } static int action_open_luks(void) @@ -1587,6 +1567,7 @@ static int action_open_luks(void) int r, keysize, tries; char *password = NULL; size_t passwordLen; + struct stat st; if (ARG_SET(OPT_REFRESH_ID)) { activated_name = action_argc > 1 ? action_argv[1] : action_argv[0]; @@ -1613,11 +1594,19 @@ static int action_open_luks(void) r = -EINVAL; goto out; } + + if (activated_name && !stat(crypt_get_device_name(cd), &st) && S_ISREG(st.st_mode) && + crypt_get_data_offset(cd) >= ((uint64_t)st.st_size / SECTOR_SIZE)) { + log_err(_("LUKS file container %s is too small for activation, there is no remaining space for data."), + crypt_get_device_name(cd)); + r = -EINVAL; + goto out; + } } - _set_activation_flags(&activate_flags); + set_activation_flags(&activate_flags); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { keysize = crypt_get_volume_key_size(cd); if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) { log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option.")); 
@@ -1626,7 +1615,7 @@ static int action_open_luks(void) } else if (!keysize) keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8; - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize); + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) goto out; r = crypt_activate_by_volume_key(cd, activated_name, @@ -1637,18 +1626,19 @@ static int action_open_luks(void) tools_keyslot_msg(r, UNLOCKED); tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); - /* Token requires PIN, but ask only if there is no password query later */ - if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO) - r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, _set_tries_tty()); + /* Token requires PIN. Ask if there is evident preference for tokens */ + if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || + ARG_SET(OPT_TOKEN_ID_ID))) + r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, set_tries_tty(), true); - if (r >= 0 || r == -EEXIST || ARG_SET(OPT_TOKEN_ONLY_ID)) + if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; - tries = _set_tries_tty(); + tries = set_tries_tty(); do { r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -1688,7 +1678,7 @@ static int verify_keyslot(struct crypt_device *cd, int key_slot, crypt_keyslot_i r = tools_get_key(msg_pass, &password, &passwordLen, keyfile_offset, keyfile_size, key_file, ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); + verify_passphrase(0), 0, cd); if (r < 0) goto out; 
@@ -1798,7 +1788,7 @@ static int action_luksRemoveKey(void) &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, + verify_passphrase(0), 0, cd); if(r < 0) goto out; @@ -1844,7 +1834,7 @@ static int luksAddUnboundKey(void) goto out; if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) { - log_err(_("Device %s is not a valid LUKS device."), + log_err(_("Device %s is not a valid LUKS2 device."), uuid_or_device_header(NULL)); goto out; } @@ -1864,8 +1854,8 @@ static int luksAddUnboundKey(void) goto out; } - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) goto out; @@ -1878,7 +1868,7 @@ static int luksAddUnboundKey(void) &password_new, &password_new_size, ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file, ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); if (r < 0) goto out; 
@@ -1892,19 +1882,94 @@ out: return r; } +static int _ask_for_pin(struct crypt_device *cd, + int token_id, char **r_pin, size_t *r_pin_size, + struct crypt_keyslot_context *kc) +{ + int r; + char msg[64]; + + assert(r_pin); + assert(r_pin_size); + assert(kc); + assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN); + + if (crypt_keyslot_context_get_type(kc) != CRYPT_KC_TYPE_TOKEN) + return -EINVAL; + + if (token_id == CRYPT_ANY_TOKEN) + r = snprintf(msg, sizeof(msg), _("Enter token PIN: ")); + else + r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id); + if (r < 0 || (size_t)r >= sizeof(msg)) + return -EINVAL; + + r = tools_get_key(msg, r_pin, r_pin_size, 0, 0, NULL, + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); + if (r < 0) + return r; + + r = crypt_keyslot_context_set_pin(cd, *r_pin, *r_pin_size, kc); + if (r < 0) { + crypt_safe_free(*r_pin); + *r_pin = NULL; + *r_pin_size = 0; + } + + return r; +} + +static int try_keyslot_add(struct crypt_device *cd, + int keyslot_existing, + int keyslot_new, + struct crypt_keyslot_context *kc, + struct crypt_keyslot_context *kc_new, + bool pin_provided, + bool new_pin_provided) +{ + int r; + + r = crypt_keyslot_add_by_keyslot_context(cd, keyslot_existing, kc, keyslot_new, kc_new, 0); + if (crypt_keyslot_context_get_type(kc) == CRYPT_KC_TYPE_TOKEN) + tools_token_error_msg(crypt_keyslot_context_get_error(kc), ARG_STR(OPT_TOKEN_TYPE_ID), + ARG_INT32(OPT_TOKEN_ID_ID), pin_provided); + if (crypt_keyslot_context_get_type(kc_new) == CRYPT_KC_TYPE_TOKEN) + tools_token_error_msg(crypt_keyslot_context_get_error(kc_new), NULL, + ARG_INT32(OPT_NEW_TOKEN_ID_ID), new_pin_provided); + return r; +} + static int action_luksAddKey(void) { - int r = -EINVAL, keysize = 0; - char *key = NULL; + int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL; const char *new_key_file = (action_argc > 1 ? 
action_argv[1] : NULL); - char *password = NULL, *password_new = NULL; - size_t password_size = 0, password_new_size = 0; + char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL; + size_t pin_size, pin_size_new, password_size = 0, password_new_size = 0; struct crypt_device *cd = NULL; + struct crypt_keyslot_context *p_kc_new = NULL, *kc = NULL, *kc_new = NULL; /* Unbound keyslot (no assigned data segment) is special case */ if (ARG_SET(OPT_UNBOUND_ID)) return luksAddUnboundKey(); + /* maintain backward compatibility of luksAddKey action positional parameter */ + if (!new_key_file) + new_key_file = ARG_STR(OPT_NEW_KEYFILE_ID); + + keyslot_old = ARG_INT32(OPT_KEY_SLOT_ID); + keyslot_new = ARG_INT32(OPT_NEW_KEY_SLOT_ID); + + /* + * maintain backward compatibility of --key-slot/-S as 'new keyslot number' + * unless --new-key-slot is used. + */ + if (!ARG_SET(OPT_NEW_KEY_SLOT_ID) && ARG_SET(OPT_KEY_SLOT_ID)) { + if (!ARG_SET(OPT_BATCH_MODE_ID)) + log_std(_("WARNING: The --key-slot parameter is used for new keyslot number.\n")); + keyslot_old = CRYPT_ANY_SLOT; + keyslot_new = ARG_INT32(OPT_KEY_SLOT_ID); + } + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; @@ -1929,7 +1994,7 @@ static int action_luksAddKey(void) goto out; } - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) { log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option.")); r = -EINVAL; 
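Review bot: `_ask_for_pin` hands a freshly read PIN back through `r_pin` without saying who releases it. The visible code frees and clears the buffer only when `crypt_keyslot_context_set_pin()` fails; on success the caller must `crypt_safe_free()` it, and if the context keeps a reference rather than a copy (not visible in this hunk) the buffer has to outlive `kc`. A short header comment would pin this down, e.g. `/* On success *r_pin belongs to the caller (crypt_safe_free) and must stay valid while kc is in use; on failure it is freed and set to NULL. */`. `action_luksAddKey` continues past the end of this hunk.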
@@ -1937,36 +2002,33 @@ static int action_luksAddKey(void) } else if (!keysize) keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8; - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize); + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) goto out; r = crypt_volume_key_verify(cd, key, keysize); + if (r == -EPERM) + log_err(_("Volume key does not match the volume.")); check_signal(&r); if (r < 0) goto out; - - r = tools_get_key(_("Enter new passphrase for key slot: "), - &password_new, &password_new_size, - ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), - new_key_file, ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); - if (r < 0) - goto out; - - r = crypt_keyslot_add_by_volume_key(cd, ARG_INT32(OPT_KEY_SLOT_ID), key, keysize, - password_new, password_new_size); - } else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && - new_key_file && !tools_is_stdin(new_key_file)) { - r = crypt_keyslot_add_by_keyfile_device_offset(cd, ARG_INT32(OPT_KEY_SLOT_ID), - ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_UINT64(OPT_KEYFILE_OFFSET_ID), - new_key_file, ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID)); - tools_passphrase_msg(r); + r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc); + } else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) + r = crypt_keyslot_context_init_by_keyfile(cd, + ARG_STR(OPT_KEY_FILE_ID), + ARG_UINT32(OPT_KEYFILE_SIZE_ID), + ARG_UINT64(OPT_KEYFILE_OFFSET_ID), + &kc); + else if (ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || ARG_SET(OPT_TOKEN_ONLY_ID)) { + r = crypt_keyslot_context_init_by_token(cd, + ARG_INT32(OPT_TOKEN_ID_ID), + ARG_STR(OPT_TOKEN_TYPE_ID), + NULL, 0, NULL, &kc); } else { r = tools_get_key(_("Enter any existing passphrase: "), &password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), 
ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; 
@@ -1980,21 +2042,77 @@ static int action_luksAddKey(void) goto out; tools_keyslot_msg(r, UNLOCKED); + r = crypt_keyslot_context_init_by_passphrase(cd, password, password_size, &kc); + } + + if (r < 0) + goto out; + + if (new_key_file && !tools_is_stdin(new_key_file)) { + if (ARG_SET(OPT_KEY_FILE_ID) && !strcmp(ARG_STR(OPT_KEY_FILE_ID), new_key_file)) + p_kc_new = kc; + else { + r = crypt_keyslot_context_init_by_keyfile(cd, + new_key_file, + ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), + ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), + &kc_new); + p_kc_new = kc_new; + } + } else if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) { + if (ARG_INT32(OPT_NEW_TOKEN_ID_ID) == ARG_INT32(OPT_TOKEN_ID_ID)) + p_kc_new = kc; + else { + r = crypt_keyslot_context_init_by_token(cd, + ARG_INT32(OPT_NEW_TOKEN_ID_ID), + NULL, NULL, 0, NULL, &kc_new); + p_kc_new = kc_new; + } + } else { r = tools_get_key(_("Enter new passphrase for key slot: "), - &password_new, &password_new_size, - ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file, - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + &password_new, &password_new_size, + ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file, + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + + if (r < 0) + goto out; + r = crypt_keyslot_context_init_by_passphrase(cd, password_new, password_new_size, &kc_new); + } + + if (r < 0) + goto out; + + if (!p_kc_new) + p_kc_new = kc_new; + + r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new); + if (r >= 0 || r != -ENOANO) + goto out; + + if (crypt_keyslot_context_get_error(kc) == -ENOANO) { + r = _ask_for_pin(cd, ARG_INT32(OPT_TOKEN_ID_ID), &pin, &pin_size, kc); if (r < 0) goto out; - r = crypt_keyslot_add_by_passphrase(cd, ARG_INT32(OPT_KEY_SLOT_ID), - password, password_size, - password_new, password_new_size); + r = try_keyslot_add(cd, keyslot_old, 
keyslot_new, kc, p_kc_new, pin, pin_new); + if (r >= 0 || r != -ENOANO) + goto out; + } + + if (crypt_keyslot_context_get_error(p_kc_new) == -ENOANO) { + r = _ask_for_pin(cd, ARG_INT32(OPT_NEW_TOKEN_ID_ID), &pin_new, &pin_size_new, p_kc_new); + if (r < 0) + goto out; + r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new); } out: tools_keyslot_msg(r, CREATED); + crypt_keyslot_context_free(kc); + crypt_keyslot_context_free(kc_new); crypt_safe_free(password); crypt_safe_free(password_new); + crypt_safe_free(pin); + crypt_safe_free(pin_new); crypt_safe_free(key); crypt_free(cd); return r; @@ -2034,7 +2152,7 @@ static int action_luksChangeKey(void) r = tools_get_key(_("Enter passphrase to be changed: "), &password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -2051,7 +2169,7 @@ static int action_luksChangeKey(void) &password_new, &password_new_size, ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file, - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); if (r < 0) goto out; @@ -2076,7 +2194,7 @@ static int action_luksConvertKey(void) goto out; if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) { - log_err(_("Device %s is not a valid LUKS device."), + log_err(_("Device %s is not a valid LUKS2 device."), uuid_or_device_header(NULL)); goto out; } 
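Review bot: In `action_luksAddKey`, the shortcut `p_kc_new = kc`, taken when `--key-file` and the new key file have the same path, bypasses `OPT_NEW_KEYFILE_SIZE_ID` and `OPT_NEW_KEYFILE_OFFSET_ID`, so as far as the visible code shows a single file holding both keys at different offsets would enrol the existing passphrase again instead of the new one. It also assumes `kc` is a keyfile context, while the earlier hunk builds `kc` from the volume key whenever `OPT_VOLUME_KEY_FILE_ID` is set, regardless of `OPT_KEY_FILE_ID`; the token shortcut comparing `OPT_NEW_TOKEN_ID_ID` with `OPT_TOKEN_ID_ID` makes the same kind of assumption. Suggest dropping the shortcut and always calling `crypt_keyslot_context_init_by_keyfile(cd, new_key_file, ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), &kc_new)`, or guarding the reuse with a `crypt_keyslot_context_get_type(kc)` check plus equal offset and size. The function starts before this hunk.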
@@ -2100,7 +2218,7 @@ static int action_luksConvertKey(void) r = tools_get_key(_("Enter passphrase for keyslot to be converted: "), &password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; @@ -2167,7 +2285,6 @@ static int luksDump_with_volume_key(struct crypt_device *cd) char *vk = NULL, *password = NULL; size_t passwordLen = 0; size_t vk_size; - unsigned i; int r; if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog( @@ -2196,8 +2313,8 @@ static int luksDump_with_volume_key(struct crypt_device *cd) goto out; tools_keyslot_msg(r, UNLOCKED); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_write_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), vk, vk_size); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), vk, vk_size); if (r < 0) goto out; } @@ -2208,19 +2325,13 @@ static int luksDump_with_volume_key(struct crypt_device *cd) log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd)); log_std("UUID: \t%s\n", crypt_get_uuid(cd)); log_std("MK bits: \t%d\n", (int)vk_size * 8); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - log_std("Key stored to file %s.\n", ARG_STR(OPT_MASTER_KEY_FILE_ID)); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID)); goto out; } log_std("MK dump:\t"); - - for(i = 0; i < vk_size; i++) { - if (i && !(i % 16)) - log_std("\n\t\t"); - log_std("%02hhx ", (char)vk[i]); - } + crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t"); log_std("\n"); - out: crypt_safe_free(password); crypt_safe_free(vk); 
@@ -2232,7 +2343,7 @@ static int luksDump_with_unbound_key(struct crypt_device *cd) crypt_keyslot_info ki; char *uk = NULL, *password = NULL; size_t uk_size, passwordLen = 0; - int i, r; + int r; ki = crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)); if (ki != CRYPT_SLOT_UNBOUND) { @@ -2268,8 +2379,8 @@ static int luksDump_with_unbound_key(struct crypt_device *cd) goto out; tools_keyslot_msg(r, UNLOCKED); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_write_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), uk, uk_size); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + r = tools_write_mk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), uk, uk_size); if (r < 0) goto out; } @@ -2278,17 +2389,12 @@ static int luksDump_with_unbound_key(struct crypt_device *cd) log_std("UUID: \t%s\n", crypt_get_uuid(cd)); log_std("Keyslot: \t%d\n", ARG_INT32(OPT_KEY_SLOT_ID)); log_std("Key bits:\t%d\n", (int)uk_size * 8); - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - log_std("Key stored to file %s.\n", ARG_STR(OPT_MASTER_KEY_FILE_ID)); + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { + log_std("Key stored to file %s.\n", ARG_STR(OPT_VOLUME_KEY_FILE_ID)); goto out; } log_std("Unbound Key:\t"); - - for(i = 0; i < (int)uk_size; i++) { - if (i && !(i % 16)) - log_std("\n\t\t"); - log_std("%02hhx ", (char)uk[i]); - } + crypt_log_hex(NULL, uk, uk_size, " ", 16, "\n\t\t"); log_std("\n"); out: crypt_safe_free(password); @@ -2310,7 +2416,7 @@ static int action_luksDump(void) goto out; } - if (ARG_SET(OPT_DUMP_MASTER_KEY_ID)) + if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) r = luksDump_with_volume_key(cd); else if (ARG_SET(OPT_UNBOUND_ID)) r = luksDump_with_unbound_key(cd); @@ -2345,6 +2451,7 @@ static int action_luksResume(void) char *password = NULL; size_t passwordLen; int r, tries; + struct crypt_active_device cad; const char *req_type = luksType(device_type); if (req_type && !isLUKS(req_type)) 
@@ -2364,15 +2471,39 @@ static int action_luksResume(void) goto out; } - tries = _set_tries_tty(); + r = crypt_get_active_device(cd, action_argv[0], &cad); + if (r < 0) + goto out; + + if (!(cad.flags & CRYPT_ACTIVATE_SUSPENDED)) { + log_err(_("Volume %s is not suspended."), action_argv[0]); + r = -EINVAL; + goto out; + } + + /* try to resume LUKS2 device by token first */ + r = crypt_resume_by_token_pin(cd, action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), + ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL); + tools_keyslot_msg(r, UNLOCKED); + tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); + + /* Token requires PIN. Ask if there is evident preference for tokens */ + if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || + ARG_SET(OPT_TOKEN_ID_ID))) + r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0, set_tries_tty(), false); + + if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) + goto out; + + tries = set_tries_tty(); do { r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd); if (r < 0) goto out; - r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT, + r = crypt_resume_by_passphrase(cd, action_argv[0], ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen); tools_passphrase_msg(r); check_signal(&r); @@ -2496,6 +2627,10 @@ static int action_open(void) if (action_argc < 2 && !ARG_SET(OPT_TEST_PASSPHRASE_ID)) goto out; return action_open_bitlk(); + } else if (!strcmp(device_type, "fvault2")) { + if (action_argc < 2 && !ARG_SET(OPT_TEST_PASSPHRASE_ID)) + goto out; + return action_open_fvault2(); } else r = -ENOENT; out: 
@@ -2643,7 +2778,7 @@ static int action_luksConfig(void) return r; if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) { - log_err(_("Device %s is not a valid LUKS device."), + log_err(_("Device %s is not a valid LUKS2 device."), uuid_or_device_header(NULL)); goto out; } @@ -2671,7 +2806,7 @@ static int _token_add(struct crypt_device *cd) if (token_info < CRYPT_TOKEN_INACTIVE) { log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID)); return -EINVAL; - } else if (token_info > CRYPT_TOKEN_INACTIVE) { + } else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) { log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID)); return -EINVAL; } @@ -2690,6 +2825,9 @@ static int _token_add(struct crypt_device *cd) token = r; + if (ARG_SET(OPT_UNBOUND_ID)) + return token; + r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID)); if (r < 0) { log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID)); @@ -2728,7 +2866,7 @@ static int _token_import(struct crypt_device *cd) if (token_info < CRYPT_TOKEN_INACTIVE) { log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID)); return -EINVAL; - } else if (token_info > CRYPT_TOKEN_INACTIVE) { + } else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) { log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID)); return -EINVAL; } 
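Review bot: The `--token-replace` bypass is written twice, in `_token_add` and again in `_token_import`, as `token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)`; one small static helper that does the status check and emits the two error messages would keep the paths from drifting apart. With the option set, an in-use token is overwritten with no confirmation or log line in the visible code. In `_token_add` the new early `return token;` for `--unbound` also skips `crypt_token_assign_keyslot`, so replacing an assigned token with an unbound one looks possible; whether the old keyslot assignments survive the replacement cannot be told from here. A line such as `log_dbg("Replacing token %d.", ARG_INT32(OPT_TOKEN_ID_ID));` would help when auditing changes to what can unlock a volume. Both functions start and end outside their hunks.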
@@ -2778,6 +2916,26 @@ static int _token_export(struct crypt_device *cd) return tools_write_json_file(ARG_STR(OPT_JSON_FILE_ID), json); } +static int _token_unassign(struct crypt_device *cd) +{ + int r = crypt_token_is_assigned(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID)); + + if (r < 0) { + if (r == -ENOENT) + log_err(_("Token %d is not assigned to keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID)); + else + log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID)); + + return r; + } + + r = crypt_token_unassign_keyslot(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID)); + if (r < 0) + log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID)); + + return r; +} + static int action_token(void) { int r; @@ -2787,7 +2945,7 @@ static int action_token(void) return r; if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) { - log_err(_("Device %s is not a valid LUKS device."), + log_err(_("Device %s is not a valid LUKS2 device."), uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[1])); crypt_free(cd); return r; 
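Review bot: `_token_unassign` passes `ARG_INT32(OPT_TOKEN_ID_ID)` and `ARG_INT32(OPT_KEY_SLOT_ID)` straight to the library and relies on `verify_token` (added later in this diff) to have rejected a missing `--token-id` or `--key-slot`; that precondition deserves a comment above the function, e.g. `/* verify_token() guarantees both --token-id and --key-slot are set */`. The two expressions are repeated in every call and message, so hoisting them into `const int token = ARG_INT32(OPT_TOKEN_ID_ID), keyslot = ARG_INT32(OPT_KEY_SLOT_ID);` would shorten the body and keep the messages in step with the calls. Unlike another branch of `action_token`, which reports through `tools_token_msg(r, CREATED)`, a successful unassign prints nothing; a short confirmation would make the change to the unlock path visible to the operator.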
@@ -2806,770 +2964,222 @@ static int action_token(void) tools_token_msg(r, CREATED); } else if (!strcmp(action_argv[0], "export")) r = _token_export(cd); + else if (!strcmp(action_argv[0], "unassign")) + r = _token_unassign(cd); crypt_free(cd); return r; } -static int auto_detect_active_name(struct crypt_device *cd, const char *data_device, char *dm_name, size_t dm_name_len) -{ - int r; - - r = tools_lookup_crypt_device(cd, crypt_get_type(cd), data_device, dm_name, dm_name_len); - if (r > 0) - log_dbg("Device %s has %d active holders.", data_device, r); - - return r; -} - -static int _get_device_active_name(struct crypt_device *cd, const char *data_device, char *buffer, size_t buffer_size) -{ - char *msg; - int r; - - r = auto_detect_active_name(cd, action_argv[0], buffer, buffer_size); - if (r > 0) { - if (*buffer == '\0') { - log_err(_("Device %s is still in use."), data_device); - return -EINVAL; - } - if (!ARG_SET(OPT_BATCH_MODE_ID)) - log_std(_("Auto-detected active dm device '%s' for data device %s.\n"), buffer, data_device); - } - if (r < 0) { - if (r == -ENOTBLK) - log_std(_("Device %s is not a block device.\n"), data_device); - else - log_err(_("Failed to auto-detect device %s holders."), data_device); - - r = -EINVAL; - if (!ARG_SET(OPT_BATCH_MODE_ID)) { - r = asprintf(&msg, _("Unable to decide if device %s is activated or not.\n" - "Are you sure you want to proceed with reencryption in offline mode?\n" - "It may lead to data corruption if the device is actually activated.\n" - "To run reencryption in online mode, use --active-name parameter instead.\n"), data_device); - if (r < 0) - return -ENOMEM; - r = noDialog(msg, _("Operation aborted.\n")) ? 
0 : -EINVAL; - free(msg); - } - } - - return r; -} - -static int action_reencrypt_load(struct crypt_device *cd) -{ - int r; - size_t passwordLen; - char dm_name[PATH_MAX] = {}, *password = NULL; - const char *active_name = NULL; - struct crypt_params_reencrypt params = { - .resilience = ARG_STR(OPT_RESILIENCE_ID) ?: "checksum", - .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256", - .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE, - .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE, - .flags = CRYPT_REENCRYPT_RESUME_ONLY - }; - - r = tools_get_key(NULL, &password, &passwordLen, - ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); - if (r < 0) - return r; - - if (!ARG_SET(OPT_ACTIVE_NAME_ID)) { - r = _get_device_active_name(cd, action_argv[0], dm_name, sizeof(dm_name)); - if (r > 0) - active_name = dm_name; - if (r < 0) { - crypt_safe_free(password); - return -EINVAL; - } - } else - active_name = ARG_STR(OPT_ACTIVE_NAME_ID); - - r = crypt_reencrypt_init_by_passphrase(cd, active_name, password, passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_KEY_SLOT_ID), NULL, NULL, ¶ms); - - crypt_safe_free(password); - - return r; -} - -static int action_encrypt_luks2(struct crypt_device **cd) -{ - char *tmp; - const char *type, *activated_name = NULL; - int keyslot, r, fd; - uuid_t uuid; - size_t passwordLen; - char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL; - uint32_t activate_flags = 0; - const struct crypt_params_luks2 luks2_params = { - .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE - }; - struct crypt_params_reencrypt params = { - .mode = CRYPT_REENCRYPT_ENCRYPT, - .direction = data_shift < 0 ? 
CRYPT_REENCRYPT_BACKWARD : CRYPT_REENCRYPT_FORWARD, - .resilience = ARG_STR(OPT_RESILIENCE_ID) ?: "checksum", - .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256", - .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE, - .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE, - .luks2 = &luks2_params, - .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY - }; - - _set_reencryption_flags(¶ms.flags); - - type = luksType(device_type); - if (!type) - type = crypt_get_default_type(); - - if (!isLUKS2(type)) { - log_err(_("Encryption is supported only for LUKS2 format.")); - return -EINVAL; - } - - if (!data_shift && !ARG_SET(OPT_HEADER_ID)) { - log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); - return -ENOTSUP; - } - - if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) && data_shift && (ARG_UINT64(OPT_OFFSET_ID) > (imaxabs(data_shift) / (2 * SECTOR_SIZE)))) { - log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter.")); - return -EINVAL; - } - - /* TODO: ask user to confirm. 
It's useless to do data device reduction and than use smaller value */ - if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) && data_shift && (ARG_UINT64(OPT_OFFSET_ID) < (imaxabs(data_shift) / (2 * SECTOR_SIZE)))) { - data_shift = -(ARG_UINT64(OPT_OFFSET_ID) * 2 * SECTOR_SIZE); - if (data_shift >= 0) - return -EINVAL; - log_std(_("Adjusting --reduce-device-size value to twice the --offset %" PRIu64 " (sectors).\n"), ARG_UINT64(OPT_OFFSET_ID) * 2); - } - - if (ARG_SET(OPT_UUID_ID) && uuid_parse(ARG_STR(OPT_UUID_ID), uuid) == -1) { - log_err(_("Wrong LUKS UUID format provided.")); - return -EINVAL; - } - - if (!ARG_SET(OPT_UUID_ID)) { - uuid_generate(uuid); - uuid_unparse(uuid, uuid_str); - if (!(tmp = strdup(uuid_str))) - return -ENOMEM; - ARG_SET_STR(OPT_UUID_ID, tmp); - } - - /* Check the data device is not LUKS device already */ - if ((r = crypt_init(cd, action_argv[0]))) - return r; - r = crypt_load(*cd, CRYPT_LUKS, NULL); - crypt_free(*cd); - *cd = NULL; - if (!r && !ARG_SET(OPT_BATCH_MODE_ID)) { - r = asprintf(&msg, _("Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"), action_argv[0]); - if (r == -1) - return -ENOMEM; - - r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; - free(msg); - if (r < 0) - return r; - } - - if (!ARG_SET(OPT_HEADER_ID)) { - r = snprintf(header_file, sizeof(header_file), "LUKS2-temp-%s.new", ARG_STR(OPT_UUID_ID)); - if (r < 0 || (size_t)r >= sizeof(header_file)) - return -EINVAL; - - fd = open(header_file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR); - if (fd == -1) { - if (errno == EEXIST) - log_err(_("Temporary header file %s already exists. 
Aborting."), header_file); - else - log_err(_("Cannot create temporary header file %s."), header_file); - return -EINVAL; - } - - r = posix_fallocate(fd, 0, 4096); - close(fd); - if (r) { - log_err(_("Cannot create temporary header file %s."), header_file); - r = -EINVAL; - goto out; - } - - if (!(tmp = strdup(header_file))) { - r = -ENOMEM; - goto out; - } - ARG_SET_STR(OPT_HEADER_ID, tmp); - - /* - * FIXME: just override offset here, but we should support both. - * offset and implicit offset via data shift (lvprepend?) - */ - if (!ARG_UINT64(OPT_OFFSET_ID)) - ARG_SET_UINT64(OPT_OFFSET_ID, imaxabs(data_shift) / (2 * SECTOR_SIZE)); - data_shift >>= 1; - params.flags |= CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT; - } else if (data_shift < 0) { - if (!ARG_SET(OPT_LUKS2_METADATA_SIZE_ID)) - ARG_SET_UINT64(OPT_LUKS2_METADATA_SIZE_ID, 0x4000); /* missing default here */ - if (!ARG_SET(OPT_LUKS2_KEYSLOTS_SIZE_ID)) - ARG_SET_UINT64(OPT_LUKS2_KEYSLOTS_SIZE_ID, -data_shift - 2 * ARG_UINT64(OPT_LUKS2_METADATA_SIZE_ID)); - if (2 * ARG_UINT64(OPT_LUKS2_METADATA_SIZE_ID) + ARG_UINT64(OPT_LUKS2_KEYSLOTS_SIZE_ID) > (uint64_t)-data_shift) { - log_err(_("LUKS2 metadata size is larger than data shift value.")); - return -EINVAL; - } - } - - r = _luksFormat(cd, &password, &passwordLen); - if (r < 0) - goto out; - - if (data_shift) { - params.data_shift = imaxabs(data_shift) / SECTOR_SIZE, - params.resilience = "datashift"; - } - keyslot = !ARG_SET(OPT_KEY_SLOT_ID) ? 
0 : ARG_INT32(OPT_KEY_SLOT_ID); - r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen, - CRYPT_ANY_SLOT, keyslot, crypt_get_cipher(*cd), - crypt_get_cipher_mode(*cd), ¶ms); - if (r < 0) { - crypt_keyslot_destroy(*cd, keyslot); - goto out; - } - - /* Restore temporary header in head of data device */ - if (*header_file) { - crypt_free(*cd); - *cd = NULL; - - r = crypt_init(cd, action_argv[0]); - if (!r) - r = crypt_header_restore(*cd, CRYPT_LUKS2, header_file); - - if (r) { - log_err(_("Failed to place new header at head of device %s."), action_argv[0]); - goto out; - } - } - - /* activate device */ - if (action_argc > 1) { - activated_name = action_argv[1]; - _set_activation_flags(&activate_flags); - r = crypt_activate_by_passphrase(*cd, activated_name, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags); - if (r >= 0) - log_std(_("%s/%s is now active and ready for online encryption.\n"), crypt_get_dir(), activated_name); - } - - if (r < 0) - goto out; - - /* just load reencryption context to continue reencryption */ - if (!ARG_SET(OPT_INIT_ONLY_ID)) { - params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY; - r = crypt_reencrypt_init_by_passphrase(*cd, activated_name, password, passwordLen, - CRYPT_ANY_SLOT, keyslot, NULL, NULL, ¶ms); - } -out: - crypt_safe_free(password); - if (*header_file) - unlink(header_file); - return r; -} - -static int action_decrypt_luks2(struct crypt_device *cd) -{ - int r; - char dm_name[PATH_MAX], *password = NULL; - const char *active_name = NULL; - struct crypt_params_reencrypt params = { - .mode = CRYPT_REENCRYPT_DECRYPT, - .direction = data_shift > 0 ? CRYPT_REENCRYPT_FORWARD : CRYPT_REENCRYPT_BACKWARD, - .resilience = data_shift ? 
"datashift" : (ARG_STR(OPT_RESILIENCE_ID) ?: "checksum"), - .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256", - .data_shift = imaxabs(data_shift) / SECTOR_SIZE, - .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE, - .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE, - }; - size_t passwordLen; - - if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0 || - crypt_get_data_offset(cd) > 0) { - log_err(_("LUKS2 decryption is supported with detached header device only (with data offset set to 0).")); - return -ENOTSUP; - } - - _set_reencryption_flags(¶ms.flags); - - r = tools_get_key(NULL, &password, &passwordLen, - ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), - ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); - if (r < 0) - return r; - - if (!ARG_SET(OPT_ACTIVE_NAME_ID)) { - r = _get_device_active_name(cd, action_argv[0], dm_name, sizeof(dm_name)); - if (r > 0) - active_name = dm_name; - if (r < 0) - goto out; - } else - active_name = ARG_STR(OPT_ACTIVE_NAME_ID); - - if (!active_name) - log_dbg("Device %s seems unused. 
Proceeding with offline operation.", action_argv[0]); - - r = crypt_reencrypt_init_by_passphrase(cd, active_name, password, - passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), CRYPT_ANY_SLOT, NULL, NULL, ¶ms); -out: - crypt_safe_free(password); - return r; -} - -struct keyslot_passwords { - char *password; - size_t passwordLen; - int new; -}; - -static struct keyslot_passwords *init_keyslot_passwords(size_t count) -{ - size_t i; - struct keyslot_passwords *tmp = calloc(count, sizeof(struct keyslot_passwords)); - - if (!tmp) - return tmp; - - for (i = 0; i < count; i++) - tmp[i].new = -1; - - return tmp; -} - -static int init_passphrase(struct keyslot_passwords *kp, size_t keyslot_passwords_length, - struct crypt_device *cd, const char *msg, int slot_to_check) -{ - crypt_keyslot_info ki; - char *password; - int r = -EINVAL, retry_count; - size_t passwordLen; - - if (slot_to_check != CRYPT_ANY_SLOT) { - ki = crypt_keyslot_status(cd, slot_to_check); - if (ki < CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_UNBOUND) - return -ENOENT; - } - - retry_count = _set_tries_tty(); - - while (retry_count--) { - r = tools_get_key(msg, &password, &passwordLen, 0, 0, - ARG_STR(OPT_KEY_FILE_ID), 0, 0, 0 /*pwquality*/, cd); - if (r < 0) - return r; - if (quit) { - crypt_safe_free(password); - password = NULL; - passwordLen = 0; - return -EAGAIN; - } - - r = crypt_activate_by_passphrase(cd, NULL, slot_to_check, - password, passwordLen, 0); - if (r < 0) { - crypt_safe_free(password); - password = NULL; - passwordLen = 0; - } - if (r < 0 && r != -EPERM) - return r; - - if (r >= 0) { - tools_keyslot_msg(r, UNLOCKED); - if ((size_t)r >= keyslot_passwords_length) { - crypt_safe_free(password); - return -EINVAL; - } - kp[r].password = password; - kp[r].passwordLen = passwordLen; - break; - } - tools_passphrase_msg(r); - } - - password = NULL; - passwordLen = 0; - - return r; -} - -static int _check_luks2_keyslots(struct crypt_device *cd) -{ - int i, max = crypt_keyslot_max(CRYPT_LUKS2), active = 0, unbound 
= 0; - - if (max < 0) - return max; - - for (i = 0; i < max; i++) { - switch (crypt_keyslot_status(cd, i)) { - case CRYPT_SLOT_INVALID: - return -EINVAL; - case CRYPT_SLOT_ACTIVE: - /* fall-through */ - case CRYPT_SLOT_ACTIVE_LAST: - active++; - break; - case CRYPT_SLOT_UNBOUND: - unbound++; - /* fall-through */ - default: - break; - } - } - - /* at least one keyslot for reencryption plus new volume key */ - if (active + unbound > max - 2) { - log_err(_("Not enough free keyslots for reencryption.")); - return -EINVAL; - } - - if ((ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) && - (2 * active + unbound > max - 1)) { - log_err(_("Not enough free keyslots for reencryption.")); - return -EINVAL; - } - - return 0; -} - -static int fill_keyslot_passwords(struct crypt_device *cd, - struct keyslot_passwords *kp, size_t kp_size) -{ - char msg[128]; - crypt_keyslot_info ki; - int i, r = 0; - - if (ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT && ARG_SET(OPT_KEY_FILE_ID)) { - for (i = 0; (size_t)i < kp_size; i++) { - ki = crypt_keyslot_status(cd, i); - if (ki == CRYPT_SLOT_INVALID) - return -EINVAL; - if (ki == CRYPT_SLOT_ACTIVE) { - log_err(_("Key file can be used only with --key-slot or with " - "exactly one key slot active.")); - return -EINVAL; - } - } - } - - if (ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) { - for (i = 0; (size_t)i < kp_size; i++) { - if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i) < 0) - return -EINVAL; - r = init_passphrase(kp, kp_size, cd, msg, i); - if (r == -ENOENT) - r = 0; - if (r < 0) - break; - } - } else { - if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "), ARG_INT32(OPT_KEY_SLOT_ID)) < 0) - return -EINVAL; - r = init_passphrase(kp, kp_size, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID)); - } - - return r < 0 ? 
r : 0; -} - -static int assign_tokens(struct crypt_device *cd, int keyslot_old, int keyslot_new) -{ - int token = 0, r = crypt_token_is_assigned(cd, token, keyslot_old); - - while (r != -EINVAL) { - if (!r && (token != crypt_token_assign_keyslot(cd, token, keyslot_new))) - return -EINVAL; - token++; - r = crypt_token_is_assigned(cd, token, keyslot_old); - } - - /* we reached max token number, exit */ - return 0; -} - -static int action_reencrypt_luks2(struct crypt_device *cd) -{ - size_t i, vk_size, kp_size; - int r, keyslot_old = CRYPT_ANY_SLOT, keyslot_new = CRYPT_ANY_SLOT, key_size; - char dm_name[PATH_MAX], cipher [MAX_CIPHER_LEN], mode[MAX_CIPHER_LEN], *vk = NULL; - const char *active_name = NULL; - struct keyslot_passwords *kp; - struct crypt_params_luks2 luks2_params = {}; - struct crypt_params_reencrypt params = { - .mode = CRYPT_REENCRYPT_REENCRYPT, - .direction = data_shift < 0 ? CRYPT_REENCRYPT_BACKWARD : CRYPT_REENCRYPT_FORWARD, - .resilience = data_shift ? "datashift" : (ARG_STR(OPT_RESILIENCE_ID) ?: "checksum"), - .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256", - .data_shift = imaxabs(data_shift) / SECTOR_SIZE, - .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE, - .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE, - .luks2 = &luks2_params, - }; - - _set_reencryption_flags(¶ms.flags); - - if (!ARG_SET(OPT_CIPHER_ID) && crypt_is_cipher_null(crypt_get_cipher(cd))) { - log_std(_("Switching data encryption cipher to %s.\n"), DEFAULT_CIPHER(LUKS1)); - ARG_SET_STR(OPT_CIPHER_ID, strdup(DEFAULT_CIPHER(LUKS1))); - } - - if (!ARG_SET(OPT_CIPHER_ID)) { - strncpy(cipher, crypt_get_cipher(cd), MAX_CIPHER_LEN - 1); - strncpy(mode, crypt_get_cipher_mode(cd), MAX_CIPHER_LEN - 1); - cipher[MAX_CIPHER_LEN-1] = '\0'; - mode[MAX_CIPHER_LEN-1] = '\0'; - } else if ((r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID), cipher, NULL, mode))) { - log_err(_("No known cipher specification pattern detected.")); - return r; - } - - 
luks2_params.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: (uint32_t)crypt_get_sector_size(cd); - - r = _check_luks2_keyslots(cd); - if (r) - return r; - - if (ARG_SET(OPT_KEY_SIZE_ID) || ARG_SET(OPT_CIPHER_ID)) - key_size = get_adjusted_key_size(mode, DEFAULT_LUKS1_KEYBITS, 0); - else - key_size = crypt_get_volume_key_size(cd); - - if (!key_size) - return -EINVAL; - vk_size = key_size; - - r = crypt_keyslot_max(CRYPT_LUKS2); - if (r < 0) - return r; - kp_size = r; - kp = init_keyslot_passwords(kp_size); - - if (!kp) - return -ENOMEM; - - r = fill_keyslot_passwords(cd, kp, kp_size); - if (r) - goto out; - - if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &vk, key_size); - if (r < 0) - goto out; - } - - r = -ENOENT; - - for (i = 0; i < kp_size; i++) { - if (kp[i].password && keyslot_new < 0) { - r = set_keyslot_params(cd, i); - if (r < 0) - break; - r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size, - kp[i].password, kp[i].passwordLen, CRYPT_VOLUME_KEY_NO_SEGMENT); - tools_keyslot_msg(r, CREATED); - if (r < 0) - break; - - kp[i].new = r; - keyslot_new = r; - keyslot_old = i; - if (!vk) { - /* key generated in crypt_keyslot_add_by_key() call above */ - vk = crypt_safe_alloc(key_size); - if (!vk) { - r = -ENOMEM; - break; - } - r = crypt_volume_key_get(cd, keyslot_new, vk, &vk_size, kp[i].password, kp[i].passwordLen); - if (r < 0) - break; - } - r = assign_tokens(cd, i, r); - if (r < 0) - break; - } else if (kp[i].password) { - r = set_keyslot_params(cd, i); - if (r < 0) - break; - r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size, - kp[i].password, kp[i].passwordLen, CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_DIGEST_REUSE); - tools_keyslot_msg(r, CREATED); - if (r < 0) - break; - kp[i].new = r; - r = assign_tokens(cd, i, r); - if (r < 0) - break; - } - } - - if (r < 0) - goto out; - - if (!ARG_SET(OPT_ACTIVE_NAME_ID) && !ARG_SET(OPT_INIT_ONLY_ID)) { - r = _get_device_active_name(cd, 
action_argv[0], dm_name, sizeof(dm_name)); - if (r > 0) - active_name = dm_name; - if (r < 0) - goto out; - } else if (ARG_SET(OPT_ACTIVE_NAME_ID)) - active_name = ARG_STR(OPT_ACTIVE_NAME_ID); - - if (!active_name && !ARG_SET(OPT_INIT_ONLY_ID)) - log_dbg("Device %s seems unused. Proceeding with offline operation.", action_argv[0]); - - r = crypt_reencrypt_init_by_passphrase(cd, active_name, kp[keyslot_old].password, - kp[keyslot_old].passwordLen, keyslot_old, kp[keyslot_old].new, - cipher, mode, ¶ms); -out: - crypt_safe_free(vk); - for (i = 0; i < kp_size; i++) { - crypt_safe_free(kp[i].password); - if (r < 0 && kp[i].new >= 0 && - crypt_reencrypt_status(cd, NULL) == CRYPT_REENCRYPT_NONE && - crypt_keyslot_destroy(cd, kp[i].new)) - log_dbg("Failed to remove keyslot %d with unbound key.", kp[i].new); - } - free(kp); - return r; -} - static int action_reencrypt(void) { - uint32_t flags; - struct crypt_device *cd = NULL; - struct crypt_params_integrity ip = { 0 }; - int r = 0; - struct tools_progress_params prog_parms = { - .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), - .batch_mode = ARG_SET(OPT_BATCH_MODE_ID) - }; + return reencrypt(action_argc, action_argv); +} - if (action_argc < 1 && (!ARG_SET(OPT_ACTIVE_NAME_ID) || ARG_SET(OPT_ENCRYPT_ID))) { - log_err(_("Command requires device as argument.")); - return -EINVAL; +static const char *verify_tcryptdump(void) +{ + if ((ARG_SET(OPT_TCRYPT_HIDDEN_ID) || ARG_SET(OPT_TCRYPT_SYSTEM_ID) || ARG_SET(OPT_TCRYPT_BACKUP_ID)) && (!device_type || strcmp(device_type, "tcrypt"))) + return _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."); + + if ((ARG_SET(OPT_VERACRYPT_ID) || ARG_SET(OPT_DISABLE_VERACRYPT_ID)) && (!device_type || strcmp(device_type, "tcrypt"))) + return _("Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."); + + if (ARG_SET(OPT_VERACRYPT_PIM_ID) && ARG_SET(OPT_DISABLE_VERACRYPT_ID)) + return _("Option --veracrypt-pim is 
supported only for VeraCrypt compatible devices."); + + if (ARG_SET(OPT_VERACRYPT_QUERY_PIM_ID)) { + if (ARG_SET(OPT_DISABLE_VERACRYPT_ID)) + return _("Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."); + else if (ARG_SET(OPT_VERACRYPT_PIM_ID)) + return _("The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."); } - if (!ARG_SET(OPT_ENCRYPT_ID) || ARG_SET(OPT_RESUME_ONLY_ID)) { - if (ARG_SET(OPT_ACTIVE_NAME_ID)) { - r = crypt_init_by_name_and_header(&cd, ARG_STR(OPT_ACTIVE_NAME_ID), ARG_STR(OPT_HEADER_ID)); - if (r || !isLUKS2(crypt_get_type(cd))) { - log_err(_("Device %s is not a valid LUKS device."), ARG_STR(OPT_ACTIVE_NAME_ID)); - r = -EINVAL; - goto out; - } - } else { - if ((r = crypt_init_data_device(&cd, uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0]), action_argv[0]))) - return r; + return NULL; +} - if ((r = crypt_load(cd, CRYPT_LUKS, NULL))) { - log_err(_("Device %s is not a valid LUKS device."), - uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); - goto out; - } - if (strcmp(crypt_get_type(cd), CRYPT_LUKS2)) { - log_err(_("Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1.")); - r = -EINVAL; - goto out; - } - } +static const char * verify_open(void) +{ + if (ARG_SET(OPT_PERSISTENT_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID)) + return _("Option --persistent is not allowed with --test-passphrase."); - if (crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &flags)) { - r = -EINVAL; - goto out; - } + if (ARG_SET(OPT_REFRESH_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID)) + return _("Options --refresh and --test-passphrase are mutually exclusive."); - if (flags & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { - log_err(_("Legacy offline reencryption already in-progress. 
Use cryptsetup-reencrypt utility.")); - r = -EINVAL; - goto out; - } + if (ARG_SET(OPT_SHARED_ID) && strcmp_or_null(device_type, "plain")) + return _("Option --shared is allowed only for open of plain device."); - if (flags & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) - r = -EBUSY; + if (ARG_SET(OPT_SKIP_ID) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes")) + return _("Option --skip is supported only for open of plain and loopaes devices."); - /* raw integrity info is available since 2.0 */ - if (crypt_get_integrity_info(cd, &ip) || ip.tag_size) { - log_err(_("Reencryption of device with integrity profile is not supported.")); - r = -ENOTSUP; - goto out; - } + if (ARG_SET(OPT_OFFSET_ID) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes")) + return _("Option --offset with open action is only supported for plain and loopaes devices."); + + if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID)) + return _("Option --tcrypt-hidden cannot be combined with --allow-discards."); + + if (ARG_SET(OPT_SECTOR_SIZE_ID) && + (!device_type || strcmp(device_type, "plain"))) + return _("Sector size option with open action is supported only for plain devices."); + + if (ARG_SET(OPT_IV_LARGE_SECTORS_ID) && (!device_type || strcmp(device_type, "plain") || + ARG_UINT32(OPT_SECTOR_SIZE_ID) <= SECTOR_SIZE)) + return _("Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."); + + if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && (!device_type || + (strncmp(device_type, "luks", 4) && strcmp(device_type, "tcrypt") && + strcmp(device_type, "bitlk") && strcmp(device_type, "fvault2")))) + return _("Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."); + + if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID)) + return _("Options --device-size and --size cannot be combined."); + + if (ARG_SET(OPT_UNBOUND_ID) && device_type && strncmp(device_type, 
"luks", 4)) + return _("Option --unbound is allowed only for open of luks device."); + + if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID)) + return _("Option --unbound cannot be used without --test-passphrase."); + + /* "open --type tcrypt" and "tcryptDump" checks are identical */ + return verify_tcryptdump(); +} + +static const char *verify_close(void) +{ + if (ARG_SET(OPT_CANCEL_DEFERRED_ID) && ARG_SET(OPT_DEFERRED_ID)) + return _("Options --cancel-deferred and --deferred cannot be used at the same time."); + + return NULL; +} + +static const char *verify_resize(void) +{ + if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID)) + return _("Options --device-size and --size cannot be combined."); + + return NULL; +} + +static const char *verify_reencrypt(void) +{ + if (ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && ARG_SET(OPT_DEVICE_SIZE_ID)) + return _("Options --reduce-device-size and --data-size cannot be combined."); + + if (isLUKS1(luksType(device_type)) && ARG_SET(OPT_ACTIVE_NAME_ID)) + return _("Option --active-name can be set only for LUKS2 device."); + + if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID)) + return _("Options --active-name and --force-offline-reencrypt cannot be combined."); + + return NULL; +} + +static const char *verify_config(void) +{ + if (ARG_SET(OPT_PRIORITY_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) + return _("Keyslot specification is required."); + + return NULL; +} + +static const char *verify_format(void) +{ + if (ARG_SET(OPT_ALIGN_PAYLOAD_ID) && ARG_SET(OPT_OFFSET_ID)) + return _("Options --align-payload and --offset cannot be combined."); + + if (ARG_SET(OPT_INTEGRITY_NO_WIPE_ID) && !ARG_SET(OPT_INTEGRITY_ID)) + return _("Option --integrity-no-wipe can be used only for format action with integrity extension."); + + if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID)) + return _("Only one of --use-[u]random options is allowed."); + + return NULL; +} + +static const char 
*verify_addkey(void) +{ + if (ARG_SET(OPT_UNBOUND_ID) && !ARG_UINT32(OPT_KEY_SIZE_ID)) + return _("Key size is required with --unbound option."); + + return NULL; +} + +static const char *verify_luksDump(void) +{ + if (ARG_SET(OPT_UNBOUND_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) + return _("Keyslot specification is required."); + + return NULL; +} + +static const char *verify_token(void) +{ + if (strcmp(action_argv[0], "add") && + strcmp(action_argv[0], "remove") && + strcmp(action_argv[0], "import") && + strcmp(action_argv[0], "export") && + strcmp(action_argv[0], "unassign")) + return _("Invalid token action."); + + if (!ARG_SET(OPT_KEY_DESCRIPTION_ID) && !strcmp(action_argv[0], "add")) + return _("--key-description parameter is mandatory for token add action."); + + if (ARG_INT32(OPT_TOKEN_ID_ID) == CRYPT_ANY_TOKEN && + (!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export"))) + return _("Action requires specific token. Use --token-id parameter."); + + if (ARG_SET(OPT_UNBOUND_ID)) { + if (strcmp(action_argv[0], "add")) + return _("Option --unbound is valid only with token add action."); + if (ARG_SET(OPT_KEY_SLOT_ID)) + return _("Options --key-slot and --unbound cannot be combined."); } - if (r == -EBUSY) { - if (ARG_SET(OPT_INIT_ONLY_ID)) - log_err(_("LUKS2 reencryption already initialized. 
Aborting operation.")); - else - r = action_reencrypt_load(cd); - } else if (!r && ARG_SET(OPT_RESUME_ONLY_ID)) { - log_err(_("LUKS2 device is not in reencryption.")); - r = -EINVAL; - } else if (ARG_SET(OPT_DECRYPT_ID)) - r = action_decrypt_luks2(cd); - else if (ARG_SET(OPT_ENCRYPT_ID) && !ARG_SET(OPT_RESUME_ONLY_ID)) - r = action_encrypt_luks2(&cd); - else - r = action_reencrypt_luks2(cd); - - if (r >= 0 && !ARG_SET(OPT_INIT_ONLY_ID)) { - set_int_handler(0); - r = crypt_reencrypt_run(cd, tools_reencrypt_progress, &prog_parms); + if (!strcmp(action_argv[0], "unassign")) { + if (!ARG_SET(OPT_KEY_SLOT_ID)) + return _("Action requires specific keyslot. Use --key-slot parameter."); + if (!ARG_SET(OPT_TOKEN_ID_ID)) + return _("Action requires specific token. Use --token-id parameter."); } -out: - crypt_free(cd); - return r; + return NULL; } static struct action_type { const char *type; int (*handler)(void); + const char *(*verify)(void); int required_action_argc; - int required_memlock; const char *arg_desc; const char *desc; } action_types[] = { - { OPEN_ACTION, action_open, 1, 1, N_("<device> [--type <type>] [<name>]"),N_("open device as <name>") }, - { CLOSE_ACTION, action_close, 1, 1, N_("<name>"), N_("close device (remove mapping)") }, - { RESIZE_ACTION, action_resize, 1, 1, N_("<name>"), N_("resize active device") }, - { STATUS_ACTION, action_status, 1, 0, N_("<name>"), N_("show device status") }, - { BENCHMARK_ACTION, action_benchmark, 0, 0, N_("[--cipher <cipher>]"), N_("benchmark cipher") }, - { REPAIR_ACTION, action_luksRepair, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") }, - { REENCRYPT_ACTION, action_reencrypt, 0, 0, N_("<device>"), N_("reencrypt LUKS2 device") }, - { ERASE_ACTION, action_luksErase, 1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") }, - { CONVERT_ACTION, action_luksConvert, 1, 1, N_("<device>"), N_("convert LUKS from/to LUKS2 format") }, - { CONFIG_ACTION, action_luksConfig, 1, 1, N_("<device>"), N_("set 
permanent configuration options for LUKS2") }, - { FORMAT_ACTION, action_luksFormat, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") }, - { ADDKEY_ACTION, action_luksAddKey, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") }, - { REMOVEKEY_ACTION, action_luksRemoveKey, 1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") }, - { CHANGEKEY_ACTION, action_luksChangeKey, 1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") }, - { CONVERTKEY_ACTION, action_luksConvertKey, 1, 1, N_("<device> [<key file>]"), N_("converts a key to new pbkdf parameters") }, - { KILLKEY_ACTION, action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") }, - { UUID_ACTION, action_luksUUID, 1, 0, N_("<device>"), N_("print UUID of LUKS device") }, - { ISLUKS_ACTION, action_isLuks, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") }, - { LUKSDUMP_ACTION, action_luksDump, 1, 1, N_("<device>"), N_("dump LUKS partition information") }, - { TCRYPTDUMP_ACTION, action_tcryptDump, 1, 1, N_("<device>"), N_("dump TCRYPT device information") }, - { BITLKDUMP_ACTION, action_bitlkDump, 1, 1, N_("<device>"), N_("dump BITLK device information") }, - { SUSPEND_ACTION, action_luksSuspend, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen)") }, - { RESUME_ACTION, action_luksResume, 1, 1, N_("<device>"), N_("Resume suspended LUKS device") }, - { HEADERBACKUP_ACTION, action_luksBackup, 1, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") }, - { HEADERRESTORE_ACTION, action_luksRestore, 1, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") }, - { TOKEN_ACTION, action_token, 2, 0, N_("<add|remove|import|export> <device>"), N_("Manipulate LUKS2 tokens") }, + { OPEN_ACTION, action_open, verify_open, 1, N_("<device> [--type <type>] [<name>]"),N_("open device as <name>") }, + { 
CLOSE_ACTION, action_close, verify_close, 1, N_("<name>"), N_("close device (remove mapping)") }, + { RESIZE_ACTION, action_resize, verify_resize, 1, N_("<name>"), N_("resize active device") }, + { STATUS_ACTION, action_status, NULL, 1, N_("<name>"), N_("show device status") }, + { BENCHMARK_ACTION, action_benchmark, NULL, 0, N_("[--cipher <cipher>]"), N_("benchmark cipher") }, + { REPAIR_ACTION, action_luksRepair, NULL, 1, N_("<device>"), N_("try to repair on-disk metadata") }, + { REENCRYPT_ACTION, action_reencrypt, verify_reencrypt, 0, N_("<device>"), N_("reencrypt LUKS2 device") }, + { ERASE_ACTION, action_luksErase, NULL, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") }, + { CONVERT_ACTION, action_luksConvert, NULL, 1, N_("<device>"), N_("convert LUKS from/to LUKS2 format") }, + { CONFIG_ACTION, action_luksConfig, verify_config, 1, N_("<device>"), N_("set permanent configuration options for LUKS2") }, + { FORMAT_ACTION, action_luksFormat, verify_format, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") }, + { ADDKEY_ACTION, action_luksAddKey, verify_addkey, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") }, + { REMOVEKEY_ACTION, action_luksRemoveKey, NULL, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") }, + { CHANGEKEY_ACTION, action_luksChangeKey, NULL, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") }, + { CONVERTKEY_ACTION, action_luksConvertKey, NULL, 1, N_("<device> [<key file>]"), N_("converts a key to new pbkdf parameters") }, + { KILLKEY_ACTION, action_luksKillSlot, NULL, 2, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") }, + { UUID_ACTION, action_luksUUID, NULL, 1, N_("<device>"), N_("print UUID of LUKS device") }, + { ISLUKS_ACTION, action_isLuks, NULL, 1, N_("<device>"), N_("tests <device> for LUKS partition header") }, + { LUKSDUMP_ACTION, action_luksDump, verify_luksDump, 1, 
N_("<device>"), N_("dump LUKS partition information") }, + { TCRYPTDUMP_ACTION, action_tcryptDump, verify_tcryptdump, 1, N_("<device>"), N_("dump TCRYPT device information") }, + { BITLKDUMP_ACTION, action_bitlkDump, NULL, 1, N_("<device>"), N_("dump BITLK device information") }, + { FVAULT2DUMP_ACTION, action_fvault2Dump, NULL, 1, N_("<device>"), N_("dump FVAULT2 device information") }, + { SUSPEND_ACTION, action_luksSuspend, NULL, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen)") }, + { RESUME_ACTION, action_luksResume, NULL, 1, N_("<device>"), N_("Resume suspended LUKS device") }, + { HEADERBACKUP_ACTION, action_luksBackup, NULL, 1, N_("<device>"), N_("Backup LUKS device header and keyslots") }, + { HEADERRESTORE_ACTION, action_luksRestore, NULL, 1, N_("<device>"), N_("Restore LUKS device header and keyslots") }, + { TOKEN_ACTION, action_token, verify_token, 2, N_("<add|remove|import|export> <device>"), N_("Manipulate LUKS2 tokens") }, {} }; @@ -3585,8 +3195,7 @@ static void help(poptContext popt_context, struct action_type *action; const struct crypt_pbkdf_type *pbkdf_luks1, *pbkdf_luks2; - log_std("%s\n",PACKAGE_STRING); - + tools_package_version(PACKAGE_NAME, true); poptPrintHelp(popt_context, stdout, 0); log_std(_("\n" @@ -3597,8 +3206,8 @@ static void help(poptContext popt_context, log_std(_("\n" "You can also use old <action> syntax aliases:\n" - "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" - "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n")); + "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" + "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n")); log_std(_("\n" "<name> is the device to create under %s\n" "<device> is the encrypted device\n" 
@@ -3644,7 +3253,7 @@ static void help(poptContext popt_context, poptFreeContext(popt_context); exit(EXIT_SUCCESS); } else if (key->shortName == 'V') { - log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION); + tools_package_version(PACKAGE_NAME, true); tools_cleanup(); poptFreeContext(popt_context); exit(EXIT_SUCCESS); @@ -3656,7 +3265,8 @@ static void help_args(struct action_type *action, poptContext popt_context) { char buf[128]; - snprintf(buf, sizeof(buf), _("%s: requires %s as arguments"), action->type, action->arg_desc); + if (snprintf(buf, sizeof(buf), _("%s: requires %s as arguments"), action->type, action->arg_desc) < 0) + buf[0] = '\0'; usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context)); } @@ -3666,15 +3276,9 @@ static int run_action(struct action_type *action) log_dbg("Running command %s.", action->type); - if (action->required_memlock) - crypt_memory_lock(NULL, 1); - set_int_handler(0); r = action->handler(); - if (action->required_memlock) - crypt_memory_lock(NULL, 0); - /* Some functions returns keyslot # */ if (r > 0) r = 0; @@ -3684,6 +3288,13 @@ static int run_action(struct action_type *action) return translate_errno(r); } +static const char *verify_action(struct action_type *action) +{ + log_dbg("Verifying parameters for command %s.", action->type); + + return action->verify ? action->verify() : NULL; +} + static bool needs_size_conversion(unsigned arg_id) { return (arg_id == OPT_DEVICE_SIZE_ID || arg_id == OPT_HOTZONE_SIZE_ID || @@ -3783,6 +3394,15 @@ static void basic_options_cb(poptContext popt_context, } } +static void cryptsetup_init_arg_aliases(void) +{ + unsigned i; + + for (i = 1; i < ARRAY_SIZE(tool_core_args); i++) + if (tool_core_args[i].type == CRYPT_ARG_ALIAS) + ARG_INIT_ALIAS(i); +} + int main(int argc, const char **argv) { static struct poptOption popt_help_options[] = { 
@@ -3796,7 +3416,7 @@ int main(int argc, const char **argv) { NULL, '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL }, #define ARG(A, B, C, D, E, F, G, H) { A, B, C, NULL, A ## _ID, D, E }, #include "cryptsetup_arg_list.h" -#undef arg +#undef ARG POPT_TABLEEND }; static struct poptOption popt_options[] = { @@ -3806,9 +3426,12 @@ int main(int argc, const char **argv) }; poptContext popt_context; struct action_type *action; - const char *aname; + const char *aname, *error_message; int r; + /* initialize aliases */ + cryptsetup_init_arg_aliases(); + crypt_set_log_callback(NULL, tool_log, &log_parms); setlocale(LC_ALL, ""); @@ -3864,16 +3487,22 @@ int main(int argc, const char **argv) } else if (!strcmp(aname, "bitlkOpen")) { aname = OPEN_ACTION; device_type = "bitlk"; + } else if (!strcmp(aname, "fvault2Open")) { + aname = OPEN_ACTION; + device_type = "fvault2"; } else if (!strcmp(aname, "tcryptDump")) { device_type = "tcrypt"; } else if (!strcmp(aname, "bitlkDump")) { device_type = "bitlk"; + } else if (!strcmp(aname, "fvault2Dump")) { + device_type = "fvault2"; } else if (!strcmp(aname, "remove") || !strcmp(aname, "plainClose") || !strcmp(aname, "luksClose") || !strcmp(aname, "loopaesClose") || !strcmp(aname, "tcryptClose") || - !strcmp(aname, "bitlkClose")) { + !strcmp(aname, "bitlkClose") || + !strcmp(aname, "fvault2Close")) { aname = CLOSE_ACTION; } else if (!strcmp(aname, "luksErase")) { aname = ERASE_ACTION; 
@@ -3905,39 +3534,6 @@ int main(int argc, const char **argv) /* this routine short circuits to exit() on error */ tools_check_args(action->type, tool_core_args, ARRAY_SIZE(tool_core_args), popt_context); - if (ARG_SET(OPT_REFRESH_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID)) - usage(popt_context, EXIT_FAILURE, - _("Options --refresh and --test-passphrase are mutually exclusive."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_CANCEL_DEFERRED_ID) && ARG_SET(OPT_DEFERRED_ID)) - usage(popt_context, EXIT_FAILURE, - _("Options --cancel-deferred and --deferred cannot be used at the same time."), - poptGetInvocationName(popt_context)); - - /* open action specific check */ - if (ARG_SET(OPT_SHARED_ID) && strcmp_or_null(device_type, "plain")) - usage(popt_context, EXIT_FAILURE, - _("Option --shared is allowed only for open of plain device."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_PERSISTENT_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID)) - usage(popt_context, EXIT_FAILURE, - _("Option --persistent is not allowed with --test-passphrase."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_INTEGRITY_NO_WIPE_ID) && !ARG_SET(OPT_INTEGRITY_ID)) - usage(popt_context, EXIT_FAILURE, - _("Option --integrity-no-wipe" - " can be used only for format action with integrity extension."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && (strcmp(aname, OPEN_ACTION) || !device_type || - (strncmp(device_type, "luks", 4) && strcmp(device_type, "tcrypt") && strcmp(device_type, "bitlk")))) - usage(popt_context, EXIT_FAILURE, - _("Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices."), - poptGetInvocationName(popt_context)); - if (!strcmp(aname, KILLKEY_ACTION) && action_argc > 1) { ARG_SET_INT32(OPT_KEY_SLOT_ID, atoi(action_argv[1])); check_key_slot_value(popt_context); 
@@ -3956,65 +3552,6 @@ int main(int argc, const char **argv) usage(popt_context, EXIT_FAILURE, _("Only one --key-file argument is allowed."), poptGetInvocationName(popt_context)); - if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID)) - usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_ALIGN_PAYLOAD_ID) && ARG_SET(OPT_OFFSET_ID)) - usage(popt_context, EXIT_FAILURE, _("Options --align-payload and --offset cannot be combined."), - poptGetInvocationName(popt_context)); - - /* open action specific check */ - if (ARG_SET(OPT_SKIP_ID) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes")) - usage(popt_context, EXIT_FAILURE, - _("Option --skip is supported only for open of plain and loopaes devices."), - poptGetInvocationName(popt_context)); - - /* open action specific check */ - if (ARG_SET(OPT_OFFSET_ID) && !strcmp(aname, OPEN_ACTION) && strcmp_or_null(device_type, "plain") && strcmp(device_type, "loopaes")) - usage(popt_context, EXIT_FAILURE, - _("Option --offset with open action is only supported for plain and loopaes devices."), - poptGetInvocationName(popt_context)); - - /* open action specific check */ - if ((ARG_SET(OPT_TCRYPT_HIDDEN_ID) || ARG_SET(OPT_TCRYPT_SYSTEM_ID) || ARG_SET(OPT_TCRYPT_BACKUP_ID)) && !strcmp(aname, OPEN_ACTION) && (!device_type || strcmp(device_type, "tcrypt"))) - usage(popt_context, EXIT_FAILURE, - _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID)) - usage(popt_context, EXIT_FAILURE, - _("Option --tcrypt-hidden cannot be combined with --allow-discards."), - poptGetInvocationName(popt_context)); - - if ((ARG_SET(OPT_VERACRYPT_ID) || ARG_SET(OPT_DISABLE_VERACRYPT_ID)) && (!device_type || strcmp(device_type, "tcrypt"))) - usage(popt_context, EXIT_FAILURE, - 
_("Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_VERACRYPT_PIM_ID) && ARG_SET(OPT_DISABLE_VERACRYPT_ID)) - usage(popt_context, EXIT_FAILURE, - _("Option --veracrypt-pim is supported only for VeraCrypt compatible devices."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_VERACRYPT_QUERY_PIM_ID)) { - if (ARG_SET(OPT_DISABLE_VERACRYPT_ID)) { - usage(popt_context, EXIT_FAILURE, - _("Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."), - poptGetInvocationName(popt_context)); - } else if (ARG_SET(OPT_VERACRYPT_PIM_ID)) { - usage(popt_context, EXIT_FAILURE, - _("The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."), - poptGetInvocationName(popt_context)); - } - } - - /* config action specific check */ - if (!strcmp(aname, CONFIG_ACTION) && ARG_SET(OPT_PRIORITY_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) - usage(popt_context, EXIT_FAILURE, - _("Keyslot specification is required."), - poptGetInvocationName(popt_context)); - if (ARG_SET(OPT_PBKDF_ID) && crypt_parse_pbkdf(ARG_STR(OPT_PBKDF_ID), &set_pbkdf)) usage(popt_context, EXIT_FAILURE, _("Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."), 
@@ -4025,54 +3562,21 @@ int main(int argc, const char **argv) _("PBKDF forced iterations cannot be combined with iteration time option."), poptGetInvocationName(popt_context)); - /* open action specific check */ - if (ARG_SET(OPT_SECTOR_SIZE_ID) && !strcmp(aname, OPEN_ACTION) && - (!device_type || strcmp(device_type, "plain"))) - usage(popt_context, EXIT_FAILURE, - _("Sector size option with open action is supported only for plain devices."), - poptGetInvocationName(popt_context)); - - /* open action specific check */ - if (ARG_SET(OPT_IV_LARGE_SECTORS_ID) && (!device_type || strcmp(device_type, "plain") || - ARG_UINT32(OPT_SECTOR_SIZE_ID) <= SECTOR_SIZE)) - usage(popt_context, EXIT_FAILURE, - _("Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."), - poptGetInvocationName(popt_context)); - - /* luksAddKey action specific check */ - if (ARG_SET(OPT_UNBOUND_ID) && !ARG_UINT32(OPT_KEY_SIZE_ID) && !strcmp(aname, ADDKEY_ACTION)) - usage(popt_context, EXIT_FAILURE, - _("Key size is required with --unbound option."), - poptGetInvocationName(popt_context)); - - /* luksDump action specific check */ - if (ARG_SET(OPT_UNBOUND_ID) && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT && !strcmp(aname, LUKSDUMP_ACTION)) - usage(popt_context, EXIT_FAILURE, - _("Keyslot specification is required."), - poptGetInvocationName(popt_context)); - if (ARG_SET(OPT_DEBUG_ID) || ARG_SET(OPT_DEBUG_JSON_ID)) { crypt_set_debug_level(ARG_SET(OPT_DEBUG_JSON_ID)? 
CRYPT_DEBUG_JSON : CRYPT_DEBUG_ALL); dbg_version_and_cmd(argc, argv); } /* reencrypt action specific check */ - if (ARG_SET(OPT_DECRYPT_ID) && !ARG_SET(OPT_HEADER_ID)) - usage(popt_context, EXIT_FAILURE, _("LUKS2 decryption requires option --header."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && ARG_SET(OPT_DEVICE_SIZE_ID)) - usage(popt_context, EXIT_FAILURE, _("Options --reduce-device-size and --data-size cannot be combined."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID)) - usage(popt_context, EXIT_FAILURE, _("Options --device-size and --size cannot be combined."), - poptGetInvocationName(popt_context)); if (ARG_SET(OPT_KEYSLOT_CIPHER_ID) != ARG_SET(OPT_KEYSLOT_KEY_SIZE_ID)) usage(popt_context, EXIT_FAILURE, _("Options --keyslot-cipher and --keyslot-key-size must be used together."), poptGetInvocationName(popt_context)); + error_message = verify_action(action); + if (error_message) + usage(popt_context, EXIT_FAILURE, error_message, poptGetInvocationName(popt_context)); + if (ARG_SET(OPT_TEST_ARGS_ID)) { log_std(_("No action taken. Invoked with --test-args option.\n")); tools_cleanup(); 
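Review bot: The context comment `/* reencrypt action specific check */` is left stranded in main() once its three checks are removed, so it now sits directly above the `--keyslot-cipher`/`--keyslot-key-size` pairing test, which is not specific to reencrypt. Drop it or replace it with a comment for the check that follows, e.g. `/* keyslot cipher and key size must be given together */`. A one-line comment on the new `verify_action(action)` call would also help, stating that action-specific option checks now live in the per-action `verify` callbacks and that table entries with a NULL callback get none. main() starts and ends outside this hunk.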
@@ -4080,27 +3584,6 @@ int main(int argc, const char **argv) return 0; } - /* token action specific check */ - if (!strcmp(aname, TOKEN_ACTION)) { - if (strcmp(action_argv[0], "add") && - strcmp(action_argv[0], "remove") && - strcmp(action_argv[0], "import") && - strcmp(action_argv[0], "export")) - usage(popt_context, EXIT_FAILURE, _("Invalid token action."), - poptGetInvocationName(popt_context)); - - if (!ARG_SET(OPT_KEY_DESCRIPTION_ID) && !strcmp(action_argv[0], "add")) - usage(popt_context, EXIT_FAILURE, - _("--key-description parameter is mandatory for token add action."), - poptGetInvocationName(popt_context)); - - if (ARG_INT32(OPT_TOKEN_ID_ID) == CRYPT_ANY_TOKEN && - (!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export"))) - usage(popt_context, EXIT_FAILURE, - _("Action requires specific token. Use --token-id parameter."), - poptGetInvocationName(popt_context)); - } - if (ARG_SET(OPT_DISABLE_KEYRING_ID)) (void) crypt_volume_key_keyring(NULL, 0); diff --git a/src/cryptsetup.h b/src/cryptsetup.h index 3145520..011a669 100644 --- a/src/cryptsetup.h +++ b/src/cryptsetup.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -44,7 +44,6 @@ #include "lib/bitops.h" #include "lib/utils_crypt.h" #include "lib/utils_loop.h" -#include "lib/utils_fips.h" #include "lib/utils_io.h" #include "lib/utils_blkid.h" #include "lib/libcryptsetup_macros.h" 
@@ -73,6 +72,7 @@ typedef enum { CREATED, UNLOCKED, REMOVED } crypt_object_op; void tools_keyslot_msg(int keyslot, crypt_object_op op); void tools_token_msg(int token, crypt_object_op op); void tools_token_error_msg(int error, const char *type, int token, bool pin_provided); +void tools_package_version(const char *name, bool use_pwlibs); extern volatile int quit; void set_int_block(int block); 
@@ -96,22 +96,34 @@ struct tools_progress_params { struct timeval end_time; uint64_t start_offset; bool batch_mode; + bool json_output; + const char *interrupt_message; + const char *device; }; -int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr); -int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr); +int tools_progress(uint64_t size, uint64_t offset, void *usrptr); +const char *tools_get_device_name(const char *device, char **r_backing_file); -int tools_read_mk(const char *file, char **key, int keysize); +int tools_read_vk(const char *file, char **key, int keysize); int tools_write_mk(const char *file, const char *key, int keysize); int tools_read_json_file(const char *file, char **json, size_t *json_size, bool batch_mode); int tools_write_json_file(const char *file, const char *json); -int tools_detect_signatures(const char *device, int ignore_luks, size_t *count, bool batch_mode); -int tools_wipe_all_signatures(const char *path); +typedef enum { + PRB_FILTER_NONE = 0, + PRB_FILTER_LUKS, + PRB_ONLY_LUKS +} tools_probe_filter_info; + +int tools_detect_signatures(const char *device, tools_probe_filter_info filter, size_t *count, bool batch_mode); +int tools_wipe_all_signatures(const char *path, bool exclusive, bool only_luks); +int tools_superblock_block_size(const char *device, char *sb_name, + size_t sb_name_len, unsigned *r_block_size); +bool tools_blkid_supported(void); int tools_lookup_crypt_device(struct crypt_device *cd, const char *type, - const char *data_device_path, char *name, size_t name_length); + const char *data_device_path, char **r_name); /* each utility is required to implement it */ @@ -129,7 +141,8 @@ typedef enum { CRYPT_ARG_INT32, CRYPT_ARG_UINT32, CRYPT_ARG_INT64, - CRYPT_ARG_UINT64 + CRYPT_ARG_UINT64, + CRYPT_ARG_ALIAS } crypt_arg_type_info; struct tools_arg { 
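Review bot: `tools_lookup_crypt_device()` now returns its result through `char **r_name` instead of the caller-supplied `char *name, size_t name_length`, and the new `tools_get_device_name()` does the same with `char **r_backing_file`, but the header does not say who owns the returned string. The implementations are not in this hunk; if they allocate, each prototype needs a comment such as `/* on success *r_name is allocated; the caller must free() it */`, otherwise every converted call site is a candidate leak or double free. Separately, `tools_read_mk` is renamed to `tools_read_vk` while `tools_write_mk` keeps the old name, so the pair no longer matches.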
@@ -142,6 +155,10 @@ struct tools_arg { uint32_t u32_value; int32_t i32_value; int64_t i64_value; + union { + unsigned id; + struct tools_arg *ptr; + } o; } u; const char *actions_array[MAX_ACTIONS]; }; diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h index 491fe8f..a7e5bb0 100644 --- a/src/cryptsetup_arg_list.h +++ b/src/cryptsetup_arg_list.h @@ -1,8 +1,8 @@ /* * Cryptsetup command line arguments list * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -39,7 +39,7 @@ ARG(OPT_DEBUG_JSON, '\0', POPT_ARG_NONE, N_("Show debug messages including JSON ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS) -ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, {}) +ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {}) 
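Review bot: The new `o` member added to `struct tools_arg` overlays `unsigned id` and `struct tools_arg *ptr`, with nothing recording which of the two is currently valid. The alias entries in cryptsetup_arg_list.h initialise `.o.id`, and `cryptsetup_init_arg_aliases()` presumably rewrites that to `.o.ptr` through `ARG_INIT_ALIAS` (the macro is not visible here), so any accessor reached before that call would treat a small integer as a pointer. A comment on the member would make the contract explicit, e.g. `/* CRYPT_ARG_ALIAS only: target id in the static table, resolved to ptr at startup */`, to be confirmed against the macro. struct tools_arg begins above the hunk.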
@@ -49,16 +49,18 @@ ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys vi ARG(OPT_DISABLE_LOCKS, '\0', POPT_ARG_NONE, N_("Disable locking of on-disk metadata"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_DISABLE_VERACRYPT, '\0', POPT_ARG_NONE, N_("Do not scan for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_DISABLE_VERACRYPT, '\0', POPT_ARG_NONE, N_("Do not scan for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_VERACRYPT_ACTIONS) ARG(OPT_DUMP_JSON, '\0', POPT_ARG_NONE, N_("Dump info in JSON format (LUKS2 only)"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_DUMP_MASTER_KEY, '\0', POPT_ARG_NONE, N_("Dump volume (master) key instead of keyslots info"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of keyslots info"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)."), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection."), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS) + ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS header"), NULL, CRYPT_ARG_STRING, {}, {}) 
@@ -75,14 +77,16 @@ ARG(OPT_INTEGRITY_LEGACY_PADDING,'\0', POPT_ARG_NONE, N_("Use inefficient legacy ARG(OPT_INTEGRITY_NO_JOURNAL, '\0', POPT_ARG_NONE, N_("Disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_INTEGRITY_NO_WIPE, '\0', POPT_ARG_NONE, N_("Do not wipe device after format"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_INTEGRITY_NO_WIPE, '\0', POPT_ARG_NONE, N_("Do not wipe device after format"), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_NO_WIPE_ACTIONS) -ARG(OPT_ITER_TIME, 'i', POPT_ARG_STRING, N_("PBKDF iteration time for LUKS (in ms)"), N_("msecs"), CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_ITER_TIME, 'i', POPT_ARG_STRING, N_("PBKDF iteration time for LUKS (in ms)"), N_("msecs"), CRYPT_ARG_UINT32, {}, OPT_ITER_TIME_ACTIONS) -ARG(OPT_IV_LARGE_SECTORS, '\0', POPT_ARG_NONE, N_("Use IV counted in sector size (not in 512 bytes)"), NULL , CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_IV_LARGE_SECTORS, '\0', POPT_ARG_NONE, N_("Use IV counted in sector size (not in 512 bytes)"), NULL , CRYPT_ARG_BOOL, {}, OPT_IV_LARGE_SECTORS_ACTIONS) ARG(OPT_JSON_FILE, '\0', POPT_ARG_STRING, N_("Read or write the json from or to a file"), NULL, CRYPT_ARG_STRING, {}, {}) +ARG(OPT_KEEP_KEY, '\0', POPT_ARG_NONE, N_("Do not change volume key."), NULL, CRYPT_ARG_BOOL, {}, OPT_KEEP_KEY_ACTIONS) + ARG(OPT_KEY_DESCRIPTION, '\0', POPT_ARG_STRING, N_("Key description"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_KEY_FILE, 'd', POPT_ARG_STRING, N_("Read the key from a file"), NULL, CRYPT_ARG_STRING, {}, {}) 
@@ -95,9 +99,9 @@ ARG(OPT_KEYFILE_OFFSET, '\0', POPT_ARG_STRING, N_("Number of bytes to skip in ke ARG(OPT_KEYFILE_SIZE, 'l', POPT_ARG_STRING, N_("Limits the read from keyfile"), N_("bytes"), CRYPT_ARG_UINT32, {}, {}) -ARG(OPT_KEYSLOT_CIPHER, '\0', POPT_ARG_STRING, N_("LUKS2 keyslot: The cipher used for keyslot encryption"), NULL, CRYPT_ARG_STRING, {}, {}) +ARG(OPT_KEYSLOT_CIPHER, '\0', POPT_ARG_STRING, N_("LUKS2 keyslot: The cipher used for keyslot encryption"), NULL, CRYPT_ARG_STRING, {}, OPT_KEYSLOT_CIPHER_ACTIONS) -ARG(OPT_KEYSLOT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 keyslot: The size of the encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_KEYSLOT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 keyslot: The size of the encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}, OPT_KEYSLOT_KEY_SIZE_ACTIONS) ARG(OPT_LABEL, '\0', POPT_ARG_STRING, N_("Set label for the LUKS2 device"), NULL, CRYPT_ARG_STRING, {}, OPT_LABEL_ACTIONS) 
@@ -105,17 +109,23 @@ ARG(OPT_LUKS2_KEYSLOTS_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 header keyslots ar ARG(OPT_LUKS2_METADATA_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 header metadata area size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_LUKS2_METADATA_SIZE_ACTIONS) -ARG(OPT_MASTER_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the volume (master) key from file."), NULL, CRYPT_ARG_STRING, {}, {}) +ARG(OPT_VOLUME_KEY_FILE, '\0', POPT_ARG_STRING, N_("Use the volume key from file."), NULL, CRYPT_ARG_STRING, {}, {}) + +ARG(OPT_NEW_KEYFILE, '\0', POPT_ARG_STRING, N_("Read the key for a new slot from a file"), NULL, CRYPT_ARG_STRING, {}, OPT_NEW_KEYFILE_ACTIONS) + +ARG(OPT_NEW_KEY_SLOT, '\0', POPT_ARG_STRING, N_("Slot number for new key (default is first free)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_SLOT }, OPT_NEW_KEY_SLOT_ACTIONS) ARG(OPT_NEW_KEYFILE_OFFSET , '\0', POPT_ARG_STRING, N_("Number of bytes to skip in newly added keyfile"), N_("bytes"), CRYPT_ARG_UINT64, {}, {}) ARG(OPT_NEW_KEYFILE_SIZE, '\0', POPT_ARG_STRING, N_("Limits the read from newly added keyfile"), N_("bytes"), CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_NEW_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_TOKEN }, OPT_NEW_TOKEN_ID_ACTIONS) + ARG(OPT_OFFSET, 'o', POPT_ARG_STRING, N_("The start offset in the backend device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_OFFSET_ACTIONS) -ARG(OPT_PBKDF, '\0', POPT_ARG_STRING, N_("PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"), NULL, CRYPT_ARG_STRING, {}, {}) +ARG(OPT_PBKDF, '\0', POPT_ARG_STRING, N_("PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"), NULL, CRYPT_ARG_STRING, {}, OPT_PBKDF_ACTIONS) -ARG(OPT_PBKDF_FORCE_ITERATIONS, '\0', POPT_ARG_STRING, N_("PBKDF iterations cost (forced, disables benchmark)"), "LONG", CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_PBKDF_FORCE_ITERATIONS, '\0', POPT_ARG_STRING, N_("PBKDF iterations cost (forced, disables benchmark)"), "LONG", CRYPT_ARG_UINT32, 
{}, OPT_PBKDF_FORCE_ITERATIONS_ACTIONS) ARG(OPT_PBKDF_MEMORY, '\0', POPT_ARG_STRING, N_("PBKDF memory cost limit"), N_("kilobytes"), CRYPT_ARG_UINT32, { .u32_value = DEFAULT_LUKS2_MEMORY_KB }, {}) @@ -133,6 +143,8 @@ ARG(OPT_PERSISTENT, '\0', POPT_ARG_NONE, N_("Set activation flags persistent for ARG(OPT_PRIORITY, '\0', POPT_ARG_STRING, N_("Keyslot priority: ignore, normal, prefer"), NULL, CRYPT_ARG_STRING, {}, OPT_PRIORITY_ACTIONS) +ARG(OPT_PROGRESS_JSON, '\0', POPT_ARG_NONE, N_("Print progress data in json format (suitable for machine processing)"), NULL, CRYPT_ARG_BOOL, {}, OPT_PROGRESS_JSON_ACTIONS) + ARG(OPT_PROGRESS_FREQUENCY, '\0', POPT_ARG_STRING, N_("Progress line update (in seconds)"), N_("secs"), CRYPT_ARG_UINT32, {}, {}) ARG(OPT_READONLY, 'r', POPT_ARG_NONE, N_("Create a readonly mapping"), NULL, CRYPT_ARG_BOOL, {}, {}) @@ -151,9 +163,9 @@ ARG(OPT_SECTOR_SIZE, '\0', POPT_ARG_STRING, N_("Encryption sector size (default: ARG(OPT_SERIALIZE_MEMORY_HARD_PBKDF, '\0', POPT_ARG_NONE, N_("Use global lock to serialize memory hard PBKDF (OOM workaround)"), NULL, CRYPT_ARG_BOOL, {}, OPT_SERIALIZE_MEMORY_HARD_PBKDF_ACTIONS) -ARG(OPT_SHARED, '\0', POPT_ARG_NONE, N_("Share device with another non-overlapping crypt segment"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_SHARED, '\0', POPT_ARG_NONE, N_("Share device with another non-overlapping crypt segment"), NULL, CRYPT_ARG_BOOL, {}, OPT_SHARED_ACTIONS ) -ARG(OPT_SIZE, 'b', POPT_ARG_STRING, N_("The size of the device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, {}) +ARG(OPT_SIZE, 'b', POPT_ARG_STRING, N_("The size of the device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_SIZE_ACTIONS) ARG(OPT_SKIP, 'p', POPT_ARG_STRING, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_SKIP_ACTIONS) 
@@ -175,13 +187,15 @@ ARG(OPT_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT ARG(OPT_TOKEN_ONLY, '\0', POPT_ARG_NONE, N_("Do not ask for passphrase if activation by token fails"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_TOKEN_REPLACE, '\0', POPT_ARG_NONE, N_("Replace the current token"), NULL, CRYPT_ARG_BOOL, {}, OPT_TOKEN_REPLACE_ACTIONS) + ARG(OPT_TOKEN_TYPE, '\0', POPT_ARG_STRING, N_("Restrict allowed token types used to retrieve LUKS2 key"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {}) ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {}) -ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound (no assigned data segment) LUKS2 keyslot"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS) +ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot)"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS) ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_RANDOM_ACTIONS) 
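Review bot: The `OPT_TYPE` help string kept as context in this hunk still lists only `luks, luks1, luks2, plain, loopaes, tcrypt, bitlk`, while the same commit maps `fvault2Open` and `fvault2Dump` to `device_type = "fvault2"` in main(). If `--type fvault2` is accepted by the open action, the list should say so: `N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk, fvault2")`. Whether the type string is accepted is decided outside this hunk, so confirm before changing the translatable text.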
@@ -191,10 +205,28 @@ ARG(OPT_UUID, '\0', POPT_ARG_STRING, N_("UUID for device to use"), NULL, CRYPT_A ARG(OPT_VERACRYPT, '\0', POPT_ARG_NONE, N_("Scan also for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_VERACRYPT_PIM, '\0', POPT_ARG_STRING, N_("Personal Iteration Multiplier for VeraCrypt compatible device"), "INT", CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_VERACRYPT_PIM, '\0', POPT_ARG_STRING, N_("Personal Iteration Multiplier for VeraCrypt compatible device"), "INT", CRYPT_ARG_UINT32, {}, OPT_VERACRYPT_PIM_ACTIONS) ARG(OPT_VERACRYPT_QUERY_PIM, '\0', POPT_ARG_NONE, N_("Query Personal Iteration Multiplier for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_VERIFY_PASSPHRASE, 'y', POPT_ARG_NONE, N_("Verifies the passphrase by asking for it twice"), NULL, CRYPT_ARG_BOOL, {}, {}) + +/* added for reencryption */ + +ARG(OPT_BLOCK_SIZE, 'B', POPT_ARG_STRING, N_("Reencryption block size"), N_("MiB"), CRYPT_ARG_UINT32, { .u32_value = 4 }, {}) + +ARG(OPT_NEW, 'N', POPT_ARG_NONE, N_("Create new header on not encrypted device"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_ENCRYPT_ID }, {}) + +ARG(OPT_USE_DIRECTIO, '\0', POPT_ARG_NONE, N_("Use direct-io when accessing devices"), NULL, CRYPT_ARG_BOOL, {}, {}) + +ARG(OPT_USE_FSYNC, '\0', POPT_ARG_NONE, N_("Use fsync after each block"), NULL, CRYPT_ARG_BOOL, {}, {}) + +ARG(OPT_WRITE_LOG, '\0', POPT_ARG_NONE, N_("Update log file after every block"), NULL, CRYPT_ARG_BOOL, {}, {}) + +/* aliases */ + +ARG(OPT_DUMP_MASTER_KEY, '\0', POPT_ARG_NONE, N_("Alias for --dump-volume-key"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_DUMP_VOLUME_KEY_ID}, {}) + +ARG(OPT_MASTER_KEY_FILE, '\0', POPT_ARG_STRING, N_("Alias for --dump-volume-key-file"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_VOLUME_KEY_FILE_ID}, {}) diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h index a5a4137..63604a3 100644 
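Review bot: The help text of the `OPT_MASTER_KEY_FILE` alias at the end of this hunk names an option that does not match its target. It reads "Alias for --dump-volume-key-file", while the entry aliases `OPT_VOLUME_KEY_FILE_ID`, and the utils_arg_names.h hunk of this commit defines that option as "volume-key-file". This option selects the file a volume key is read from, so `--help` should point at the real replacement: `N_("Alias for --volume-key-file")`. The neighbouring `OPT_DUMP_MASTER_KEY` alias is consistent with its target and needs no change.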
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -1,8 +1,8 @@
 /*
  * Command line arguments helpers
  *
- * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2021 Ondrej Kozina
+ * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2023 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -31,6 +31,7 @@
 #define CONFIG_ACTION "config"
 #define CONVERT_ACTION "convert"
 #define ERASE_ACTION "erase"
+#define FVAULT2DUMP_ACTION "fvault2Dump"
 #define ISLUKS_ACTION "isLuks"
 #define ADDKEY_ACTION "luksAddKey"
 #define CHANGEKEY_ACTION "luksChangeKey"
@@ -53,32 +54,52 @@ #define TOKEN_ACTION "token" /* avoid unshielded commas in ARG() macros later */ -#define OPT_ALIGN_PAYLOAD_ACTIONS { FORMAT_ACTION } +#define OPT_ALIGN_PAYLOAD_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION } #define OPT_DEFERRED_ACTIONS { CLOSE_ACTION } +#define OPT_DEVICE_SIZE_ACTIONS { OPEN_ACTION, RESIZE_ACTION, REENCRYPT_ACTION } +#define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION } -#define OPT_INTEGRITY_ACTIONS { FORMAT_ACTION } +#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION } +#define OPT_INTEGRITY_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_INTEGRITY_NO_WIPE_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } +#define OPT_IV_LARGE_SECTORS_ACTIONS { OPEN_ACTION } +#define OPT_KEEP_KEY_ACTIONS { REENCRYPT_ACTION } #define OPT_KEY_SIZE_ACTIONS { OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION } -#define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION } -#define OPT_LABEL_ACTIONS { CONFIG_ACTION, FORMAT_ACTION } +#define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION } +#define OPT_KEYSLOT_CIPHER_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION } +#define OPT_KEYSLOT_KEY_SIZE_ACTIONS OPT_KEYSLOT_CIPHER_ACTIONS +#define OPT_NEW_KEYFILE_ACTIONS { ADDKEY_ACTION } +#define OPT_NEW_KEY_SLOT_ACTIONS { ADDKEY_ACTION } +#define OPT_NEW_TOKEN_ID_ACTIONS { ADDKEY_ACTION } +#define OPT_LABEL_ACTIONS { CONFIG_ACTION, FORMAT_ACTION, REENCRYPT_ACTION } 
#define OPT_LUKS2_KEYSLOTS_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION } #define OPT_LUKS2_METADATA_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION } #define OPT_OFFSET_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, FORMAT_ACTION } +#define OPT_PBKDF_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } +#define OPT_PBKDF_FORCE_ITERATIONS_ACTIONS { FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } #define OPT_PERSISTENT_ACTIONS { OPEN_ACTION } #define OPT_PRIORITY_ACTIONS { CONFIG_ACTION } +#define OPT_PROGRESS_JSON_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_REFRESH_ACTIONS { OPEN_ACTION } #define OPT_SECTOR_SIZE_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, FORMAT_ACTION } #define OPT_SERIALIZE_MEMORY_HARD_PBKDF_ACTIONS { OPEN_ACTION } +#define OPT_SHARED_ACTIONS { OPEN_ACTION } +#define OPT_SIZE_ACTIONS { OPEN_ACTION, RESIZE_ACTION } #define OPT_SKIP_ACTIONS { OPEN_ACTION } -#define OPT_SUBSYSTEM_ACTIONS { CONFIG_ACTION, FORMAT_ACTION } +#define OPT_SUBSYSTEM_ACTIONS { CONFIG_ACTION, FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_TCRYPT_BACKUP_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION } -#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION } -#define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION } -#define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION } -#define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION } +#define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION } +#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION, TOKEN_ACTION } +#define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION } +#define 
OPT_VERACRYPT_PIM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } +#define OPT_VERACRYPT_QUERY_PIM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } enum { OPT_UNUSED_ID = 0, /* leave unused due to popt library */ @@ -87,10 +108,6 @@ OPT_UNUSED_ID = 0, /* leave unused due to popt library */ #undef ARG }; -static struct tools_arg tool_core_args[] = { { NULL, false, CRYPT_ARG_BOOL }, /* leave unused due to popt library */ -#define ARG(A, B, C, D, E, F, G, H) { A, false, F, G, H }, -#include "cryptsetup_arg_list.h" -#undef ARG -}; +extern struct tools_arg tool_core_args[]; #endif diff --git a/src/cryptsetup_reencrypt_arg_list.h b/src/cryptsetup_reencrypt_arg_list.h deleted file mode 100644 index 2309494..0000000 --- a/src/cryptsetup_reencrypt_arg_list.h +++ /dev/null 
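Review bot: `OPT_VERACRYPT_QUERY_PIM_ACTIONS` is defined at the end of this hunk, but the `OPT_VERACRYPT_QUERY_PIM` entry still ends in `{}, {})`; it is visible as a context line in the cryptsetup_arg_list.h hunk. Unlike `OPT_VERACRYPT_PIM`, which this commit switches to its `_ACTIONS` macro, the query option therefore appears to stay accepted with every action. If the restriction is intended, the list entry should end with `CRYPT_ARG_BOOL, {}, OPT_VERACRYPT_QUERY_PIM_ACTIONS)`; otherwise the unused macro should be dropped. `OPT_DISABLE_VERACRYPT_ACTIONS` is added here as well and its list entry is not visible, so it deserves the same check.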
@@ -1,86 +0,0 @@ -/* - * Cryptsetup-reencrypt command line arguments list - * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/* long name, short name, popt type, help description, units, internal argument type, default value */ - -ARG(OPT_BATCH_MODE, 'q', POPT_ARG_NONE, N_("Do not ask for confirmation"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_BLOCK_SIZE, 'B', POPT_ARG_STRING, N_("Reencryption block size"), N_("MiB"), CRYPT_ARG_UINT32, { .u32_value = 4 }) - -ARG(OPT_CIPHER, 'c', POPT_ARG_STRING, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Permanently decrypt device (remove encryption)"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). 
DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}) - -ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS header"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_ITER_TIME, 'i', POPT_ARG_STRING, N_("PBKDF iteration time for LUKS (in ms)"), N_("msecs"), CRYPT_ARG_UINT32, {}) - -ARG(OPT_KEEP_KEY, '\0', POPT_ARG_NONE, N_("Do not change key, no data area reencryption"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_KEY_FILE, 'd', POPT_ARG_STRING, N_("Read the key from a file"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_KEY_SIZE, 's', POPT_ARG_STRING, N_("The size of the encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}) - -ARG(OPT_KEYFILE_OFFSET, '\0', POPT_ARG_STRING, N_("Number of bytes to skip in keyfile"), N_("bytes"), CRYPT_ARG_UINT64, {}) - -ARG(OPT_KEYFILE_SIZE, 'l', POPT_ARG_STRING, N_("Limits the read from keyfile"), N_("bytes"), CRYPT_ARG_UINT32, {}) - -ARG(OPT_KEY_SLOT, 'S', POPT_ARG_STRING, N_("Use only this slot (others will be disabled)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_SLOT }) - -ARG(OPT_MASTER_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read new volume (master) key from file"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_NEW, 'N', POPT_ARG_NONE, N_("Create new header on not encrypted device"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_PBKDF, '\0', POPT_ARG_STRING, N_("PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_PBKDF_FORCE_ITERATIONS, '\0', POPT_ARG_STRING, N_("PBKDF iterations cost (forced, disables benchmark)"), "LONG", CRYPT_ARG_UINT32, {}) - -ARG(OPT_PBKDF_MEMORY, '\0', POPT_ARG_STRING, N_("PBKDF memory cost limit"), N_("kilobytes"), CRYPT_ARG_UINT32, { .u32_value = DEFAULT_LUKS2_MEMORY_KB }) - -ARG(OPT_PBKDF_PARALLEL, '\0', POPT_ARG_STRING, N_("PBKDF parallel cost"), N_("threads"), CRYPT_ARG_UINT32, { .u32_value = DEFAULT_LUKS2_PARALLEL_THREADS }) - 
-ARG(OPT_PROGRESS_FREQUENCY, '\0', POPT_ARG_STRING, N_("Progress line update (in seconds)"), N_("secs"), CRYPT_ARG_UINT32, {}) - -ARG(OPT_REDUCE_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Reduce data device size (move data offset). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}) - -ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }) - -ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of LUKS metadata: luks1, luks2"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_USE_DIRECTIO, '\0', POPT_ARG_NONE, N_("Use direct-io when accessing devices"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_USE_FSYNC, '\0', POPT_ARG_NONE, N_("Use fsync after each block"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_USE_URANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/urandom for generating volume key"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_UUID, '\0', POPT_ARG_STRING, N_("The UUID used to resume decryption"), NULL, CRYPT_ARG_STRING, {}) - -ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}) - -ARG(OPT_WRITE_LOG, '\0', POPT_ARG_NONE, N_("Update log file after every block"), NULL, CRYPT_ARG_BOOL, {}) diff --git a/src/cryptsetup_reencrypt_args.h b/src/cryptsetup_reencrypt_args.h deleted file mode 100644 index 1a25571..0000000 --- a/src/cryptsetup_reencrypt_args.h +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * Command line arguments helpers - * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#ifndef CRYPTSETUP_REENCRYPT_ARGS_H -#define CRYPTSETUP_REENCRYPT_ARGS_H - -#include "utils_arg_names.h" -#include "utils_arg_macros.h" - -enum { -OPT_UNUSED_ID = 0, -#define ARG(A, B, C, D, E, F, G) A ## _ID, -#include "cryptsetup_reencrypt_arg_list.h" -#undef ARG -}; - -static struct tools_arg tool_core_args[] = { { NULL, false, CRYPT_ARG_BOOL }, // UNUSED -#define ARG(A, B, C, D, E, F, G) { A, false, F, G }, -#include "cryptsetup_reencrypt_arg_list.h" -#undef ARG -}; - -#endif diff --git a/src/integritysetup.c b/src/integritysetup.c index 4604302..eee6171 100644 --- a/src/integritysetup.c +++ b/src/integritysetup.c @@ -1,8 +1,8 @@ /* * integritysetup - setup integrity protected volumes for dm-integrity * - * Copyright (C) 2017-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2017-2021 Milan Broz + * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
@@ -43,14 +43,14 @@ static int _read_keys(char **integrity_key, struct crypt_params_integrity *param int r; if (integrity_key && ARG_SET(OPT_INTEGRITY_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_INTEGRITY_KEY_FILE_ID), &int_key, ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID)); + r = tools_read_vk(ARG_STR(OPT_INTEGRITY_KEY_FILE_ID), &int_key, ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID)); if (r < 0) return r; params->integrity_key_size = ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID); } if (ARG_SET(OPT_JOURNAL_INTEGRITY_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_JOURNAL_INTEGRITY_KEY_FILE_ID), &journal_integrity_key, ARG_UINT32(OPT_JOURNAL_INTEGRITY_KEY_SIZE_ID)); + r = tools_read_vk(ARG_STR(OPT_JOURNAL_INTEGRITY_KEY_FILE_ID), &journal_integrity_key, ARG_UINT32(OPT_JOURNAL_INTEGRITY_KEY_SIZE_ID)); if (r < 0) { crypt_safe_free(int_key); return r; @@ -60,7 +60,7 @@ static int _read_keys(char **integrity_key, struct crypt_params_integrity *param } if (ARG_SET(OPT_JOURNAL_CRYPT_KEY_FILE_ID)) { - r = tools_read_mk(ARG_STR(OPT_JOURNAL_CRYPT_KEY_FILE_ID), &journal_crypt_key, ARG_UINT32(OPT_JOURNAL_CRYPT_KEY_SIZE_ID)); + r = tools_read_vk(ARG_STR(OPT_JOURNAL_CRYPT_KEY_FILE_ID), &journal_crypt_key, ARG_UINT32(OPT_JOURNAL_CRYPT_KEY_SIZE_ID)); if (r < 0) { crypt_safe_free(int_key); crypt_safe_free(journal_integrity_key); @@ -80,10 +80,14 @@ static int _wipe_data_device(struct crypt_device *cd, const char *integrity_key) { char tmp_name[64], tmp_path[128], tmp_uuid[40]; uuid_t tmp_uuid_bin; - int r; + int r = -EINVAL; + char *backing_file = NULL; struct tools_progress_params prog_parms = { .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), - .batch_mode = ARG_SET(OPT_BATCH_MODE_ID) + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nWipe interrupted."), + .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file) }; if (!ARG_SET(OPT_BATCH_MODE_ID)) 
@@ -95,23 +99,25 @@ static int _wipe_data_device(struct crypt_device *cd, const char *integrity_key) uuid_generate(tmp_uuid_bin); uuid_unparse(tmp_uuid_bin, tmp_uuid); if (snprintf(tmp_name, sizeof(tmp_name), "temporary-cryptsetup-%s", tmp_uuid) < 0) - return -EINVAL; + goto out; if (snprintf(tmp_path, sizeof(tmp_path), "%s/%s", crypt_get_dir(), tmp_name) < 0) - return -EINVAL; + goto out; r = crypt_activate_by_volume_key(cd, tmp_name, integrity_key, ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID), CRYPT_ACTIVATE_PRIVATE | CRYPT_ACTIVATE_NO_JOURNAL); if (r < 0) - return r; + goto out; /* Wipe the device */ set_int_handler(0); r = crypt_wipe(cd, tmp_path, CRYPT_WIPE_ZERO, 0, 0, DEFAULT_WIPE_BLOCK, - 0, &tools_wipe_progress, &prog_parms); + 0, &tools_progress, &prog_parms); if (crypt_deactivate(cd, tmp_name)) log_err(_("Cannot deactivate temporary device %s."), tmp_path); set_int_block(0); +out: + free(backing_file); return r; } @@ -167,7 +173,12 @@ static int action_format(void) goto out; if (!ARG_SET(OPT_BATCH_MODE_ID)) { - r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]); + if (ARG_SET(OPT_DATA_DEVICE_ID) && !ARG_SET(OPT_NO_WIPE_ID)) + r = asprintf(&msg, _("This will overwrite data on %s and %s irrevocably.\n" + "To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."), + action_argv[0], ARG_STR(OPT_DATA_DEVICE_ID)); + else + r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]); if (r == -1) { r = -ENOMEM; goto out; 
@@ -179,12 +190,12 @@ static int action_format(void) goto out; } - r = tools_detect_signatures(action_argv[0], 0, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); + r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); if (r < 0) goto out; /* Signature candidates found */ - if (signatures && ((r = tools_wipe_all_signatures(action_argv[0])) < 0)) + if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0)) goto out; if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID)) 
@@ -211,6 +222,80 @@ out: return r; } +static int action_resize(void) +{ + int r; + struct crypt_device *cd = NULL; + struct crypt_active_device cad; + uint64_t new_dev_size = 0; + uint64_t old_dev_size; + char path[PATH_MAX]; + char *backing_file = NULL; + struct tools_progress_params prog_parms = { + .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nWipe interrupted."), + .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file) + }; + + if (ARG_SET(OPT_DEVICE_SIZE_ID)) + new_dev_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE; + else if (ARG_SET(OPT_SIZE_ID)) + new_dev_size = ARG_UINT64(OPT_SIZE_ID); + + r = crypt_init_by_name_and_header(&cd, action_argv[0], NULL); + if (r) + goto out; + + r = crypt_get_active_device(cd, action_argv[0], &cad); + if (r) + goto out; + old_dev_size = cad.size; + + r = snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), action_argv[0]); + if (r < 0) + goto out; + r = crypt_resize(cd, action_argv[0], new_dev_size); + if (r) + goto out; + + if (!new_dev_size) { + r = crypt_get_active_device(cd, action_argv[0], &cad); + if (r) + goto out; + new_dev_size = cad.size; + } + + if (new_dev_size > old_dev_size) { + if (ARG_SET(OPT_WIPE_ID)) { + if (ARG_SET(OPT_BATCH_MODE_ID)) + log_dbg("Wiping the end of the resized device"); + else + log_std(_("Wiping device to initialize integrity checksum.\n" + "You can interrupt this by pressing CTRL+c " + "(rest of not wiped device will contain invalid checksum).\n")); + + set_int_handler(0); + r = crypt_wipe(cd, path, CRYPT_WIPE_ZERO, old_dev_size * SECTOR_SIZE, + (new_dev_size - old_dev_size) * SECTOR_SIZE, DEFAULT_WIPE_BLOCK, + 0, &tools_progress, &prog_parms); + set_int_block(0); + } else { + log_dbg("Setting recalculate flag"); + r = crypt_activate_by_volume_key(cd, action_argv[0], NULL, 0, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_RECALCULATE); + + if (r == 
-ENOTSUP) + log_err(_("Setting recalculate flag is not supported, you may consider using --wipe instead.")); + } + } +out: + if (backing_file) + free(backing_file); + crypt_free(cd); + return r; +} + static int action_open(void) { struct crypt_device *cd = NULL; @@ -275,8 +360,10 @@ static int action_open(void) goto out; r = crypt_load(cd, CRYPT_INTEGRITY, ¶ms); - if (r) + if (r) { + log_err(_("Device %s is not a valid INTEGRITY device."), action_argv[0]); goto out; + } if (ARG_SET(OPT_INTEGRITY_LEGACY_RECALC_ID)) crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_RECALC); @@ -430,6 +517,8 @@ static int action_dump(void) r = crypt_load(cd, CRYPT_INTEGRITY, ¶ms); if (!r) crypt_dump(cd); + else + log_err(_("Device %s is not a valid INTEGRITY device."), action_argv[0]); crypt_free(cd); return r; @@ -447,6 +536,7 @@ static struct action_type { { CLOSE_ACTION, action_close, 1, N_("<name>"),N_("close device (remove mapping)") }, { STATUS_ACTION,action_status, 1, N_("<name>"),N_("show active device status") }, { DUMP_ACTION, action_dump, 1, N_("<integrity_device>"),N_("show on-disk information") }, + { RESIZE_ACTION,action_resize, 1, N_("<name>"), N_("resize active device") }, {} }; @@ -459,7 +549,7 @@ static void help(poptContext popt_context, struct action_type *action; if (key->shortName == '?') { - log_std("%s %s\n", PACKAGE_INTEGRITY, PACKAGE_VERSION); + tools_package_version(PACKAGE_INTEGRITY, false); poptPrintHelp(popt_context, stdout, 0); log_std(_("\n" "<action> is one of:\n")); @@ -478,7 +568,7 @@ static void help(poptContext popt_context, poptFreeContext(popt_context); exit(EXIT_SUCCESS); } else if (key->shortName == 'V') { - log_std("%s %s\n", PACKAGE_INTEGRITY, PACKAGE_VERSION); + tools_package_version(PACKAGE_INTEGRITY, false); tools_cleanup(); poptFreeContext(popt_context); exit(EXIT_SUCCESS); 
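Review bot: In the new `action_resize`, the `prog_parms` initialiser evaluates `tools_get_device_name(crypt_get_device_name(cd), &backing_file)` while `cd` is still NULL, because `crypt_init_by_name_and_header()` only runs further down. The `.device` field therefore cannot name the device being wiped, and the call relies on both helpers tolerating a NULL argument, which is not visible here. Drop `.device` from the initialiser and assign it once the context exists, after the `crypt_init_by_name_and_header()` check: `prog_parms.device = tools_get_device_name(crypt_get_device_name(cd), &backing_file);`. Separately, the `snprintf(path, ...)` check tests only `r < 0`, so a truncated path would still be handed to `crypt_wipe()`; `if (r < 0 || (size_t)r >= sizeof(path)) { r = -EINVAL; goto out; }` closes that.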
@@ -500,7 +590,7 @@ static int run_action(struct action_type *action) static bool needs_size_conversion(unsigned int arg_id) { - return arg_id == OPT_JOURNAL_SIZE_ID; + return (arg_id == OPT_JOURNAL_SIZE_ID || arg_id == OPT_DEVICE_SIZE_ID); } static void basic_options_cb(poptContext popt_context, @@ -527,8 +617,9 @@ static void basic_options_cb(poptContext popt_context, /* fall through */ case OPT_JOURNAL_CRYPT_KEY_SIZE_ID: if (ARG_UINT32(key->val) > (DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB * 1024)) { - snprintf(msg, sizeof(msg), _("Invalid --%s size. Maximum is %u bytes."), - key->longName, DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB * 1024); + if (snprintf(msg, sizeof(msg), _("Invalid --%s size. Maximum is %u bytes."), + key->longName, DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB * 1024) < 0) + msg[0] = '\0'; usage(popt_context, EXIT_FAILURE, msg, poptGetInvocationName(popt_context)); } @@ -549,7 +640,7 @@ int main(int argc, const char **argv) { NULL, '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL }, #define ARG(A, B, C, D, E, F, G, H) { A, B, C, NULL, A ## _ID, D, E }, #include "integritysetup_arg_list.h" -#undef arg +#undef ARG POPT_TABLEEND }; static struct poptOption popt_options[] = { @@ -617,7 +708,8 @@ int main(int argc, const char **argv) if (action_argc < action->required_action_argc) { char buf[128]; - snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc); + if (snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc) < 0) + buf[0] ='\0'; usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context)); } diff --git a/src/integritysetup_arg_list.h b/src/integritysetup_arg_list.h index 2baab74..39f2906 100644 --- a/src/integritysetup_arg_list.h +++ b/src/integritysetup_arg_list.h 
@@ -1,8 +1,8 @@ /* * Integritysetup command line arguments list * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -75,8 +75,12 @@ ARG(OPT_JOURNAL_WATERMARK, '\0', POPT_ARG_STRING, N_("Journal watermark"), N_("p ARG(OPT_NO_WIPE, '\0', POPT_ARG_NONE, N_("Do not wipe device after format"), NULL, CRYPT_ARG_BOOL, {}, OPT_NO_WIPE_ACTIONS) +ARG(OPT_WIPE, '\0', POPT_ARG_NONE, N_("Wipe the end of the device after resize"), NULL, CRYPT_ARG_BOOL, {}, OPT_WIPE_ACTIONS) + ARG(OPT_PROGRESS_FREQUENCY, '\0', POPT_ARG_STRING, N_("Progress line update (in seconds)"), N_("secs"), CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_PROGRESS_JSON, '\0', POPT_ARG_NONE, N_("Print wipe progress data in json format (suitable for machine processing)"), NULL, CRYPT_ARG_BOOL, {}, OPT_PROGRESS_JSON_ACTIONS) + ARG(OPT_INTEGRITY_BITMAP_MODE, 'B', POPT_ARG_NONE, N_("Use bitmap to track changes and disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_INTEGRITY_RECALCULATE, '\0', POPT_ARG_NONE, N_("Recalculate initial tags automatically."), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_RECALCULATE_ACTIONS) 
@@ -90,3 +94,7 @@ ARG(OPT_SECTOR_SIZE, 's', POPT_ARG_STRING, N_("Sector size"), N_("bytes"), CRYPT ARG(OPT_TAG_SIZE, 't', POPT_ARG_STRING, N_("Tag size (per-sector)"), N_("bytes"), CRYPT_ARG_UINT32, {}, OPT_TAG_SIZE_ACTIONS) ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}, {}) + +ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) + +ARG(OPT_SIZE, 'b', POPT_ARG_STRING, N_("The size of the device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_SIZE_ACTIONS) diff --git a/src/integritysetup_args.h b/src/integritysetup_args.h index c883561..8241008 100644 --- a/src/integritysetup_args.h +++ b/src/integritysetup_args.h @@ -1,8 +1,8 @@ /* * Command line arguments helpers * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -30,6 +30,7 @@ #define CLOSE_ACTION "close" #define STATUS_ACTION "status" #define DUMP_ACTION "dump" +#define RESIZE_ACTION "resize" #define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION } #define OPT_DEFERRED_ACTIONS { CLOSE_ACTION } @@ -37,8 +38,12 @@ #define OPT_JOURNAL_SIZE_ACTIONS { FORMAT_ACTION } #define OPT_NO_WIPE_ACTIONS { FORMAT_ACTION } #define OPT_INTERLEAVE_SECTORS_ACTIONS { FORMAT_ACTION } +#define OPT_PROGRESS_JSON_ACTIONS { FORMAT_ACTION, RESIZE_ACTION } #define OPT_SECTOR_SIZE_ACTIONS { FORMAT_ACTION } #define OPT_TAG_SIZE_ACTIONS { FORMAT_ACTION } +#define OPT_DEVICE_SIZE_ACTIONS { RESIZE_ACTION } +#define OPT_SIZE_ACTIONS { RESIZE_ACTION } +#define OPT_WIPE_ACTIONS { RESIZE_ACTION } enum { OPT_UNUSED_ID = 0, 
diff --git a/src/utils_arg_macros.h b/src/utils_arg_macros.h index 5d626f6..901b3f4 100644 --- a/src/utils_arg_macros.h +++ b/src/utils_arg_macros.h @@ -1,8 +1,8 @@ /* * Command line arguments parsing helpers * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -93,4 +93,11 @@ do { \ tool_core_args[(X)].set = true; \ } while (0) + +#define ARG_INIT_ALIAS(X) \ +do { \ + assert(tool_core_args[(X)].type == CRYPT_ARG_ALIAS); \ + tool_core_args[(X)].u.o.ptr = &tool_core_args[tool_core_args[(X)].u.o.id]; \ +} while (0) + #endif diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h index d536d57..66a59e8 100644 --- a/src/utils_arg_names.h +++ b/src/utils_arg_names.h @@ -1,8 +1,8 @@ /* * Command line arguments name list * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -47,11 +47,13 @@ #define OPT_DISABLE_VERACRYPT "disable-veracrypt" #define OPT_DUMP_JSON "dump-json-metadata" #define OPT_DUMP_MASTER_KEY "dump-master-key" +#define OPT_DUMP_VOLUME_KEY "dump-volume-key" #define OPT_ENCRYPT "encrypt" #define OPT_FEC_DEVICE "fec-device" #define OPT_FEC_OFFSET "fec-offset" #define OPT_FEC_ROOTS "fec-roots" #define OPT_FORCE_PASSWORD "force-password" +#define OPT_FORCE_OFFLINE_REENCRYPT "force-offline-reencrypt" #define OPT_FORMAT "format" #define OPT_HASH "hash" #define OPT_HASH_BLOCK_SIZE "hash-block-size" 
@@ -98,13 +100,18 @@
 #define OPT_KEYSLOT_KEY_SIZE "keyslot-key-size"
 #define OPT_NO_SUPERBLOCK "no-superblock"
 #define OPT_NO_WIPE "no-wipe"
+#define OPT_WIPE "wipe"
 #define OPT_LABEL "label"
 #define OPT_LUKS2_KEYSLOTS_SIZE "luks2-keyslots-size"
 #define OPT_LUKS2_METADATA_SIZE "luks2-metadata-size"
 #define OPT_MASTER_KEY_FILE "master-key-file"
+#define OPT_VOLUME_KEY_FILE "volume-key-file"
 #define OPT_NEW "new"
+#define OPT_NEW_KEY_SLOT "new-key-slot"
+#define OPT_NEW_KEYFILE "new-keyfile"
 #define OPT_NEW_KEYFILE_OFFSET "new-keyfile-offset"
 #define OPT_NEW_KEYFILE_SIZE "new-keyfile-size"
+#define OPT_NEW_TOKEN_ID "new-token-id"
 #define OPT_OFFSET "offset"
 #define OPT_PANIC_ON_CORRUPTION "panic-on-corruption"
 #define OPT_PBKDF "pbkdf"
@@ -118,6 +125,7 @@
 #define OPT_PERSISTENT "persistent"
 #define OPT_PLUGIN "plugin"
 #define OPT_PRIORITY "priority"
+#define OPT_PROGRESS_JSON "progress-json"
 #define OPT_PROGRESS_FREQUENCY "progress-frequency"
 #define OPT_READONLY "readonly"
 #define OPT_REDUCE_DEVICE_SIZE "reduce-device-size"
@@ -144,6 +152,7 @@
 #define OPT_TIMEOUT "timeout"
 #define OPT_TOKEN_ID "token-id"
 #define OPT_TOKEN_ONLY "token-only"
+#define OPT_TOKEN_REPLACE "token-replace"
 #define OPT_TOKEN_TYPE "token-type"
 #define OPT_TRIES "tries"
 #define OPT_TYPE "type"
@@ -152,6 +161,7 @@
 #define OPT_USE_FSYNC "use-fsync"
 #define OPT_USE_RANDOM "use-random"
 #define OPT_USE_URANDOM "use-urandom"
+#define OPT_USE_TASKLETS "use-tasklets"
 #define OPT_UUID "uuid"
 #define OPT_VERACRYPT "veracrypt"
 #define OPT_VERACRYPT_PIM "veracrypt-pim"
diff --git a/src/utils_args.c b/src/utils_args.c
index 8007a1c..fda2350 100644
--- a/src/utils_args.c
+++ b/src/utils_args.c
@@ -1,8 +1,8 @@ /* * Command line arguments parsing helpers * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -62,7 +62,8 @@ void tools_parse_arg_value(poptContext popt_context, crypt_arg_type_info type, s /* special size strings with units converted to integers */ if (needs_size_conv_fn && needs_size_conv_fn(popt_val)) { if (tools_string_to_size(popt_arg, &arg->u.u64_value)) { - snprintf(msg, sizeof(msg), _("Invalid size specification in parameter --%s."), arg->name); + if (snprintf(msg, sizeof(msg), _("Invalid size specification in parameter --%s."), arg->name) < 0) + msg[0] = '\0'; usage(popt_context, EXIT_FAILURE, msg, poptGetInvocationName(popt_context)); } @@ -74,6 +75,9 @@ void tools_parse_arg_value(poptContext popt_context, crypt_arg_type_info type, s arg->u.u64_value = ull; } break; + case CRYPT_ARG_ALIAS: + tools_parse_arg_value(popt_context, arg->u.o.ptr->type, arg->u.o.ptr, popt_arg, arg->u.o.id, needs_size_conv_fn); + break; default: /* this signals internal tools coding mistake */ abort(); @@ -118,7 +122,8 @@ void tools_check_args(const char *action, const struct tools_arg *args, size_t a if (action_allowed(action, args[i].actions_array, MAX_ACTIONS)) { continue; } else { - (void)snprintf(msg, sizeof(msg), _("Option --%s is not allowed with %s action."), args[i].name, action); + if (snprintf(msg, sizeof(msg), _("Option --%s is not allowed with %s action."), args[i].name, action) < 0) + msg[0] = '\0'; usage(popt_context, EXIT_FAILURE, msg, poptGetInvocationName(popt_context)); } } diff --git a/src/utils_blockdev.c b/src/utils_blockdev.c index 8b88c7a..ae6dec4 100644 --- a/src/utils_blockdev.c +++ b/src/utils_blockdev.c 
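Review bot: The new `CRYPT_ARG_ALIAS` case dereferences `arg->u.o.ptr` without checking it. That pointer is only filled in by `ARG_INIT_ALIAS` (utils_arg_macros.h hunk), whose sole guard is an `assert` on the type that disappears under NDEBUG. A tool that parses an alias option before `ARG_INIT_ALIAS` has run for it would presumably dereference NULL, and an alias whose target is itself an alias would recurse again. An explicit guard before the recursive call, `if (!arg->u.o.ptr || arg->u.o.ptr->type == CRYPT_ARG_ALIAS) abort();`, matches how the `default:` branch treats an internal coding mistake. The body of `tools_parse_arg_value` starts and ends outside the hunk.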
@@ -1,8 +1,8 @@ /* * Linux block devices helpers * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2021 Ondrej Kozina + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -48,29 +48,28 @@ static int dm_prepare_uuid(const char *type, const char *uuid, char *buf, size_t } } - snprintf(buf, buflen, DM_UUID_PREFIX "%s%s%s%s", - type ?: "", type ? "-" : "", - uuid2[0] ? uuid2 : "", uuid2[0] ? "-" : ""); + if (snprintf(buf, buflen, DM_UUID_PREFIX "%s%s%s%s", + type ?: "", type ? "-" : "", + uuid2[0] ? uuid2 : "", uuid2[0] ? "-" : "") < 0) + return 0; return 1; } /* return number of holders in general, if matched dm_uuid prefix it's returned via dm_name */ /* negative value is error */ -static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char *dm_name, size_t dm_name_length) +static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char **r_dm_name) { struct dirent *entry; - char dm_subpath[PATH_MAX], data_dev_dir[PATH_MAX], uuid[DM_UUID_LEN]; + char dm_subpath[PATH_MAX], data_dev_dir[PATH_MAX], uuid[DM_UUID_LEN], dm_name[PATH_MAX] = {}; ssize_t s; struct stat st; int dmfd, fd, len, r = 0; /* not found */ DIR *dir; - if (!dm_name || !dm_name_length) + if (!r_dm_name) return -EINVAL; - *dm_name = '\0'; - len = snprintf(data_dev_dir, PATH_MAX, "/sys/dev/block/%u:%u/holders", major(devno), minor(devno)); if (len < 0 || len >= PATH_MAX) return -EINVAL; @@ -138,12 +137,14 @@ static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char *dm_name } /* reads binary data */ - s = read_buffer(fd, dm_name, dm_name_length - 1); + s = read_buffer(fd, dm_name, sizeof(dm_name)); close(fd); close(dmfd); if (s > 1) { dm_name[s-1] = '\0'; log_dbg("Found dm device %s", dm_name); + if (!(*r_dm_name = strdup(dm_name))) + return -ENOMEM; } } 
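Review bot: `lookup_holder_dm_name` no longer gives its output a defined value on entry: the old `*dm_name = '\0'` was removed and nothing like `*r_dm_name = NULL;` replaces it after the `if (!r_dm_name)` check. The new `get_active_device_name` in src/utils_reencrypt.c tests `!*r_active_name` after a positive return, so it depends on the caller having pre-initialised the pointer, and the error returns that follow the check leave it untouched. Adding `*r_dm_name = NULL;` right after the argument check keeps the not-found and error paths well defined. In the same hunk `dm_prepare_uuid` now rejects only a negative `snprintf` result; a result `>= buflen` means the UUID prefix was truncated and should probably fail the same way.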
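Review bot: The new `return -ENOMEM` after `strdup()` leaves the function from inside the holder scan. `fd` and `dmfd` are closed just above it, but the `DIR *dir` declared at the top is presumably still open at that point (the loop and its cleanup are outside the hunk), so this path likely leaks the directory stream. Setting `r = -ENOMEM;` and breaking out to the common exit would avoid that. If more than one holder matches, the assignment also overwrites an earlier `strdup` result without freeing it.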
@@ -153,9 +154,8 @@ static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char *dm_name } int tools_lookup_crypt_device(struct crypt_device *cd, const char *type, - const char *data_device_path, char *name, size_t name_length) + const char *data_device_path, char **r_name) { - int r; char *c; struct stat st; char dev_uuid[DM_UUID_LEN + DM_BY_ID_PREFIX_LEN] = DM_BY_ID_PREFIX; @@ -178,12 +178,9 @@ int tools_lookup_crypt_device(struct crypt_device *cd, const char *type, if (!S_ISBLK(st.st_mode)) return -ENOTBLK; - r = lookup_holder_dm_name(dev_uuid + DM_BY_ID_PREFIX_LEN, - st.st_rdev, name, name_length); - return r; + return lookup_holder_dm_name(dev_uuid + DM_BY_ID_PREFIX_LEN, st.st_rdev, r_name); } - static void report_partition(const char *value, const char *device, bool batch_mode) { if (batch_mode) @@ -200,7 +197,8 @@ static void report_superblock(const char *value, const char *device, bool batch_ log_std(_("WARNING: Device %s already contains a '%s' superblock signature.\n"), device, value); } -int tools_detect_signatures(const char *device, int ignore_luks, size_t *count, bool batch_mode) +int tools_detect_signatures(const char *device, tools_probe_filter_info filter, + size_t *count,bool batch_mode) { int r; size_t tmp_count; @@ -222,11 +220,22 @@ int tools_detect_signatures(const char *device, int ignore_luks, size_t *count, return -EINVAL; } - blk_set_chains_for_full_print(h); - - if (ignore_luks && blk_superblocks_filter_luks(h)) { - r = -EINVAL; - goto out; + switch (filter) { + case PRB_FILTER_LUKS: + if (blk_superblocks_filter_luks(h)) { + r = -EINVAL; + goto out; + } + /* fall-through */ + case PRB_FILTER_NONE: + blk_set_chains_for_full_print(h); + break; + case PRB_ONLY_LUKS: + blk_set_chains_for_fast_detection(h); + if (blk_superblocks_only_luks(h)) { + r = -EINVAL; + goto out; + } } while ((pr = blk_probe(h)) < PRB_EMPTY) { 
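Review bot: The `switch (filter)` added to `tools_detect_signatures` has no `default:` arm, so a `tools_probe_filter_info` value other than the three handled ones leaves the switch with no probe chain configured and the function continues into the `blk_probe` loop. For a check that decides whether a device already carries a signature, failing closed is the safer behaviour: `default: r = -EINVAL; goto out;`. The last arm (`PRB_ONLY_LUKS`) also ends without a `break`, which is harmless today but easy to trip over when another arm is appended. The function starts before and ends after this hunk.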
@@ -249,7 +258,7 @@ out: return r; } -int tools_wipe_all_signatures(const char *path) +int tools_wipe_all_signatures(const char *path, bool exclusive, bool only_luks) { int fd, flags, r; blk_probe_status pr; @@ -267,15 +276,15 @@ int tools_wipe_all_signatures(const char *path) } flags = O_RDWR; - if (S_ISBLK(st.st_mode)) + if (S_ISBLK(st.st_mode) && exclusive) flags |= O_EXCL; /* better than opening regular file with O_EXCL (undefined) */ /* coverity[toctou] */ - fd = open(path, flags); + fd = open(path, flags); /* lgtm[cpp/toctou-race-condition] */ if (fd < 0) { if (errno == EBUSY) - log_err(_("Device %s is in use. Cannot proceed with format operation."), path); + log_err(_("Cannot exclusively open %s, device in use."), path); else log_err(_("Failed to open file %s in read/write mode."), path); return -EINVAL; @@ -288,6 +297,10 @@ int tools_wipe_all_signatures(const char *path) } blk_set_chains_for_wipes(h); + if (only_luks && (r = blk_superblocks_only_luks(h))) { + r = -EINVAL; + goto out; + } while ((pr = blk_probe(h)) < PRB_EMPTY) { if (blk_is_partition(h)) @@ -296,7 +309,7 @@ int tools_wipe_all_signatures(const char *path) if (blk_is_superblock(h)) log_verbose(_("Existing '%s' superblock signature on device %s will be wiped."), blk_get_superblock_type(h), path); - if (blk_do_wipe(h)) { + if (blk_do_wipe(h) || fsync(fd)) { log_err(_("Failed to wipe device signature.")); r = -EINVAL; goto out; 
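Review bot: In the `@@ -267,15 +276,15 @@` hunk of `tools_wipe_all_signatures` the `open(path, flags)` call gains a second analyzer suppression (`lgtm[cpp/toctou-race-condition]` next to the existing `coverity[toctou]`) while the gap itself stays: `flags` is derived from `st`, which was presumably filled from the path before the open (that call is outside the hunk), so the object opened read/write need not be the one that was checked. Re-checking on the descriptor closes it, for example `if (fstat(fd, &st2) || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) { close(fd); return -EINVAL; }` right after the open, with a second `struct stat st2`. Separately, with the new `exclusive` parameter a caller passing `false` wipes signatures on a block device that others may hold open; that deserves a comment at the function such as `/* exclusive == false skips O_EXCL: the caller must ensure the device is not in use */`.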
@@ -312,3 +325,58 @@ out: blk_free(h); return r; } + +int tools_superblock_block_size(const char *device, char *sb_name, size_t sb_name_len, unsigned *r_block_size) +{ + struct blkid_handle *h; + const char *name; + int r = 0; + + if (!r_block_size || !sb_name || sb_name_len < 1) + return -EINVAL; + + if (!blk_supported()) { + log_dbg("Blkid support disabled."); + return 0; + } + + if ((r = blk_init_by_path(&h, device))) { + log_err(_("Failed to initialize device signature probes.")); + return -EINVAL; + } + + blk_set_chains_for_superblocks(h); + + switch (blk_probe(h)) { + case PRB_OK: + *r_block_size = blk_get_block_size(h); + if (!*r_block_size) /* same as not-found */ + break; + + if (!(name = blk_get_superblock_type(h))) { + r = -EINVAL; + break; + } + + /* we don't mind truncating */ + strncpy(sb_name, name, sb_name_len - 1); + sb_name[sb_name_len-1] = '\0'; + + log_dbg("Detected superblock %s on device %s (block size: %u).", sb_name, device, *r_block_size); + r = 1; + /* fall-through */ + case PRB_EMPTY: + break; + default: + r = -EINVAL; + } + + blk_free(h); + + return r; +} + +bool tools_blkid_supported(void) +{ + return blk_supported() != 0; +} diff --git a/src/utils_luks.c b/src/utils_luks.c new file mode 100644 index 0000000..6a10ab6 --- /dev/null +++ b/src/utils_luks.c 
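Review bot: `tools_superblock_block_size` is added without a comment, and its return contract is not obvious from the signature: it returns 1 with `sb_name` and `*r_block_size` filled when a superblock with a non-zero block size is found, 0 when nothing is found or blkid support is disabled, and a negative errno on failure. In the 0 and error cases `sb_name` is never written, and in the blkid-disabled case `*r_block_size` is not written either, so callers must not read the outputs unless the result is 1. I would state that above the function: `/* Returns 1 and fills sb_name and *r_block_size if a superblock is detected, 0 if none (or no blkid support), negative errno on error; outputs are valid only when 1 is returned. */`.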
@@ -0,0 +1,274 @@ +/* + * Helper utilities for LUKS2 features + * + * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2023 Milan Broz + * Copyright (C) 2018-2023 Ondrej Kozina + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "cryptsetup.h" +#include "cryptsetup_args.h" +#include "utils_luks.h" + +extern const char *set_pbkdf; + +const char *luksType(const char *type) +{ + if (type && !strcmp(type, "luks2")) + return CRYPT_LUKS2; + + if (type && !strcmp(type, "luks1")) + return CRYPT_LUKS1; + + if (type && !strcmp(type, "luks")) + return CRYPT_LUKS; /* NULL */ + + if (type && *type) + return type; + + return CRYPT_LUKS; /* NULL */ +} + +bool isLUKS1(const char *type) +{ + return type && !strcmp(type, CRYPT_LUKS1); +} + +bool isLUKS2(const char *type) +{ + return type && !strcmp(type, CRYPT_LUKS2); +} + +int verify_passphrase(int def) +{ + /* Batch mode switch off verify - if not overridden by -y */ + if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID)) + def = 1; + else if (ARG_SET(OPT_BATCH_MODE_ID)) + def = 0; + + /* Non-tty input doesn't allow verify */ + if (def && !isatty(STDIN_FILENO)) { + if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID)) + log_err(_("Can't do passphrase verification on non-tty inputs.")); + def = 0; + } + + return def; +} + +void 
set_activation_flags(uint32_t *flags) +{ + if (ARG_SET(OPT_READONLY_ID)) + *flags |= CRYPT_ACTIVATE_READONLY; + + if (ARG_SET(OPT_ALLOW_DISCARDS_ID)) + *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; + + if (ARG_SET(OPT_PERF_SAME_CPU_CRYPT_ID)) + *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT; + + if (ARG_SET(OPT_PERF_SUBMIT_FROM_CRYPT_CPUS_ID)) + *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; + + if (ARG_SET(OPT_PERF_NO_READ_WORKQUEUE_ID)) + *flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE; + + if (ARG_SET(OPT_PERF_NO_WRITE_WORKQUEUE_ID)) + *flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE; + + if (ARG_SET(OPT_INTEGRITY_NO_JOURNAL_ID)) + *flags |= CRYPT_ACTIVATE_NO_JOURNAL; + + /* In persistent mode, we use what is set on command line */ + if (ARG_SET(OPT_PERSISTENT_ID)) + *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; + + /* Only for LUKS2 but ignored elsewhere */ + if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && + (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID))) + *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; + + if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) + *flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF; + + /* Only for plain */ + if (ARG_SET(OPT_IV_LARGE_SECTORS_ID)) + *flags |= CRYPT_ACTIVATE_IV_LARGE_SECTORS; +} + +int set_pbkdf_params(struct crypt_device *cd, const char *dev_type) +{ + const struct crypt_pbkdf_type *pbkdf_default; + struct crypt_pbkdf_type pbkdf = {}; + + pbkdf_default = crypt_get_pbkdf_default(dev_type); + if (!pbkdf_default) + return -EINVAL; + + pbkdf.type = set_pbkdf ?: pbkdf_default->type; + pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash; + pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms; + if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) { + pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb; + pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads; + } + + if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) { + pbkdf.iterations = 
ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID); + pbkdf.time_ms = 0; + pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK; + } + + return crypt_set_pbkdf_type(cd, &pbkdf); +} + +int set_tries_tty(void) +{ + return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1; +} + +int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize) +{ + uint32_t keysize_bits = ARG_UINT32(OPT_KEY_SIZE_ID); + +#ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE + if (!ARG_SET(OPT_KEY_SIZE_ID) && !strncmp(cipher_mode, "xts-", 4)) { + if (default_size_bits == 128) + keysize_bits = 256; + else if (default_size_bits == 256) + keysize_bits = 512; + } +#endif + return (keysize_bits ?: default_size_bits) / 8 + integrity_keysize; +} + +/* + * FIXME: 4MiBs is max LUKS2 mda length (including binary header). + * In future, read max allowed JSON size from config section. + */ +#define LUKS2_MAX_MDA_SIZE 0x400000 +int tools_read_json_file(const char *file, char **json, size_t *json_size, bool batch_mode) +{ + ssize_t ret; + int fd, block, r; + void *buf = NULL; + + block = tools_signals_blocked(); + if (block) + set_int_block(0); + + if (tools_is_stdin(file)) { + fd = STDIN_FILENO; + log_dbg("STDIN descriptor JSON read requested."); + } else { + log_dbg("File descriptor JSON read requested."); + fd = open(file, O_RDONLY); + if (fd < 0) { + log_err(_("Failed to open file %s in read-only mode."), file); + r = -EINVAL; + goto out; + } + } + + buf = malloc(LUKS2_MAX_MDA_SIZE); + if (!buf) { + r = -ENOMEM; + goto out; + } + + if (isatty(fd) && !batch_mode) + log_std(_("Provide valid LUKS2 token JSON:\n")); + + /* we expect JSON (string) */ + r = 0; + ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit); + if (ret < 0) { + r = -EIO; + log_err(_("Failed to read JSON file.")); + goto out; + } + check_signal(&r); + if (r) { + log_err(_("\nRead interrupted.")); + goto out; + } + + *json_size = (size_t)ret; + *json = buf; + *(*json + ret) = 
'\0'; +out: + if (block && !quit) + set_int_block(1); + if (fd >= 0 && fd != STDIN_FILENO) + close(fd); + if (r && buf) { + memset(buf, 0, LUKS2_MAX_MDA_SIZE); + free(buf); + } + return r; +} + +int tools_write_json_file(const char *file, const char *json) +{ + int block, fd, r; + size_t json_len; + ssize_t ret; + + if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE) + return -EINVAL; + + block = tools_signals_blocked(); + if (block) + set_int_block(0); + + if (tools_is_stdin(file)) { + fd = STDOUT_FILENO; + log_dbg("STDOUT descriptor JSON write requested."); + } else { + log_dbg("File descriptor JSON write requested."); + fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); + } + + if (fd < 0) { + log_err(_("Failed to open file %s in write mode."), file ?: ""); + r = -EINVAL; + goto out; + } + + r = 0; + ret = write_buffer_intr(fd, json, json_len, &quit); + check_signal(&r); + if (r) { + log_err(_("\nWrite interrupted.")); + goto out; + } + if (ret < 0 || (size_t)ret != json_len) { + log_err(_("Failed to write JSON file.")); + r = -EIO; + goto out; + } + + if (isatty(fd)) + (void) write_buffer_intr(fd, "\n", 1, &quit); +out: + if (block && !quit) + set_int_block(1); + if (fd >=0 && fd != STDOUT_FILENO) + close(fd); + return r; +} diff --git a/src/utils_luks.h b/src/utils_luks.h new file mode 100644 index 0000000..28220ab --- /dev/null +++ b/src/utils_luks.h 
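Review bot: `tools_write_json_file` opens its target with `O_CREAT | O_WRONLY` and mode `S_IRUSR | S_IWUSR` but without `O_TRUNC`, so writing over an existing, longer file leaves the old tail after the new JSON, and the 0600 mode applies only when the file is created; an existing file keeps whatever permissions it had. For exported token JSON that means the result can be both unparsable and readable by more users than intended. I would open with `O_CREAT | O_WRONLY | O_TRUNC`, or add `O_EXCL` if overwriting is not meant to be supported. In `tools_read_json_file` the error path clears the buffer with a plain `memset` right before `free`, which a compiler is allowed to drop; `crypt_safe_memzero(buf, LUKS2_MAX_MDA_SIZE);` is the libcryptsetup call meant for that.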
@@ -0,0 +1,52 @@
+/*
+ * Helper utilities for LUKS in cryptsetup
+ *
+ * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2023 Milan Broz
+ * Copyright (C) 2018-2023 Ondrej Kozina
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef UTILS_LUKS_H
+#define UTILS_LUKS_H
+
+#include <stdint.h>
+
+const char *luksType(const char *type);
+
+bool isLUKS1(const char *type);
+
+bool isLUKS2(const char *type);
+
+int verify_passphrase(int def);
+
+void set_activation_flags(uint32_t *flags);
+
+int set_pbkdf_params(struct crypt_device *cd, const char *dev_type);
+
+int set_tries_tty(void);
+
+int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize);
+
+int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen);
+
+int reencrypt(int action_argc, const char **action_argv);
+
+int reencrypt_luks1(const char *device);
+
+int reencrypt_luks1_in_progress(const char *device);
+
+#endif /* UTILS_LUKS_H */
diff --git a/src/utils_luks2.c b/src/utils_luks2.c
deleted file mode 100644
index a682e3b..0000000
--- a/src/utils_luks2.c
+++ /dev/null
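Review bot: `utils_luks.h` uses `bool`, `size_t` and `struct crypt_device` in its prototypes but includes only `<stdint.h>`, so it compiles only when the including file has already pulled in `cryptsetup.h` first (as `utils_luks.c` in this diff does). Making the header self-contained removes that ordering dependency: add `#include <stdbool.h>` and `#include <stddef.h>` next to the existing include, plus a forward declaration `struct crypt_device;` before the prototypes.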
@@ -1,139 +0,0 @@ -/* - * Helper utilities for LUKS2 features - * - * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2021 Milan Broz - * Copyright (C) 2018-2021 Ondrej Kozina - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#include "cryptsetup.h" - -/* - * FIXME: 4MiBs is max LUKS2 mda length (including binary header). - * In future, read max allowed JSON size from config section. 
- */ -#define LUKS2_MAX_MDA_SIZE 0x400000 -int tools_read_json_file(const char *file, char **json, size_t *json_size, bool batch_mode) -{ - ssize_t ret; - int fd, block, r; - void *buf = NULL; - - block = tools_signals_blocked(); - if (block) - set_int_block(0); - - if (tools_is_stdin(file)) { - fd = STDIN_FILENO; - log_dbg("STDIN descriptor JSON read requested."); - } else { - log_dbg("File descriptor JSON read requested."); - fd = open(file, O_RDONLY); - if (fd < 0) { - log_err(_("Failed to open file %s in read-only mode."), file); - r = -EINVAL; - goto out; - } - } - - buf = malloc(LUKS2_MAX_MDA_SIZE); - if (!buf) { - r = -ENOMEM; - goto out; - } - - if (isatty(fd) && !batch_mode) - log_std(_("Provide valid LUKS2 token JSON:\n")); - - /* we expect JSON (string) */ - r = 0; - ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit); - if (ret < 0) { - r = -EIO; - log_err(_("Failed to read JSON file.")); - goto out; - } - check_signal(&r); - if (r) { - log_err(_("\nRead interrupted.")); - goto out; - } - - *json_size = (size_t)ret; - *json = buf; - *(*json + ret) = '\0'; -out: - if (block && !quit) - set_int_block(1); - if (fd >= 0 && fd != STDIN_FILENO) - close(fd); - if (r && buf) { - memset(buf, 0, LUKS2_MAX_MDA_SIZE); - free(buf); - } - return r; -} - -int tools_write_json_file(const char *file, const char *json) -{ - int block, fd, r; - size_t json_len; - ssize_t ret; - - if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE) - return -EINVAL; - - block = tools_signals_blocked(); - if (block) - set_int_block(0); - - if (tools_is_stdin(file)) { - fd = STDOUT_FILENO; - log_dbg("STDOUT descriptor JSON write requested."); - } else { - log_dbg("File descriptor JSON write requested."); - fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); - } - - if (fd < 0) { - log_err(_("Failed to open file %s in write mode."), file ?: ""); - r = -EINVAL; - goto out; - } - - r = 0; - ret = write_buffer_intr(fd, json, json_len, &quit); - 
check_signal(&r); - if (r) { - log_err(_("\nWrite interrupted.")); - goto out; - } - if (ret < 0 || (size_t)ret != json_len) { - log_err(_("Failed to write JSON file.")); - r = -EIO; - goto out; - } - - if (isatty(fd)) - (void) write_buffer_intr(fd, "\n", 1, &quit); -out: - if (block && !quit) - set_int_block(1); - if (fd >=0 && fd != STDOUT_FILENO) - close(fd); - return r; -} diff --git a/src/utils_password.c b/src/utils_password.c index 65618b9..3374e18 100644 --- a/src/utils_password.c +++ b/src/utils_password.c @@ -1,8 +1,8 @@ /* * Password quality check wrapper * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -49,10 +49,8 @@ static int tools_check_pwquality(const char *password) log_err(_("Password quality check failed:\n %s"), pwquality_strerror(NULL, 0, r, auxerror)); r = -EPERM; - } else { - log_dbg("New password libpwquality score is %d.", r); + } else r = 0; - } pwquality_free_settings(pwq); return r; @@ -106,6 +104,7 @@ static int tools_check_password(const char *password) /* Password reading helpers */ +/* coverity[ -taint_source : arg-1 ] */ static ssize_t read_tty_eol(int fd, char *pass, size_t maxlen) { bool eol = false; @@ -128,14 +127,17 @@ static ssize_t read_tty_eol(int fd, char *pass, size_t maxlen) } /* The pass buffer is zeroed and has trailing \0 already " */ -static int untimed_read(int fd, char *pass, size_t maxlen) +static int untimed_read(int fd, char *pass, size_t maxlen, size_t *realsize) { ssize_t i; i = read_tty_eol(fd, pass, maxlen); if (i > 0) { - if (pass[i-1] == '\n') + if (pass[i-1] == '\n') { pass[i-1] = '\0'; + *realsize = i - 1; + } else + *realsize = i; i = 0; } else if (i == 0) /* empty input */ i = -1; 
@@ -143,7 +145,7 @@ static int untimed_read(int fd, char *pass, size_t maxlen) return i; } -static int timed_read(int fd, char *pass, size_t maxlen, long timeout) +static int timed_read(int fd, char *pass, size_t maxlen, size_t *realsize, long timeout) { struct timeval t; fd_set fds = {}; /* Just to avoid scan-build false report for FD_SET */ @@ -155,7 +157,7 @@ static int timed_read(int fd, char *pass, size_t maxlen, long timeout) t.tv_usec = 0; if (select(fd+1, &fds, NULL, NULL, &t) > 0) - failed = untimed_read(fd, pass, maxlen); + failed = untimed_read(fd, pass, maxlen, realsize); return failed; } @@ -166,6 +168,7 @@ static int interactive_pass(const char *prompt, char *pass, size_t maxlen, struct termios orig, tmp; int failed = -1; int infd, outfd; + size_t realsize = 0; if (maxlen < 1) return failed; @@ -189,13 +192,16 @@ static int interactive_pass(const char *prompt, char *pass, size_t maxlen, tcsetattr(infd, TCSAFLUSH, &tmp); if (timeout) - failed = timed_read(infd, pass, maxlen, timeout); + failed = timed_read(infd, pass, maxlen, &realsize, timeout); else - failed = untimed_read(infd, pass, maxlen); + failed = untimed_read(infd, pass, maxlen, &realsize); tcsetattr(infd, TCSAFLUSH, &orig); out: if (!failed && write(outfd, "\n", 1)) {}; + if (realsize == maxlen) + log_dbg("Read stopped at maximal interactive input length, passphrase can be trimmed."); + if (infd != STDIN_FILENO) close(infd); return failed; @@ -247,6 +253,7 @@ static int crypt_get_key_tty(const char *prompt, } *key = pass; + /* coverity[string_null] (crypt_safe_alloc wipes string with additional \0) */ *key_size = strlen(pass); r = 0; out: 
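Review bot: In `interactive_pass` the new `realsize == maxlen` check reports a possibly truncated passphrase only through `log_dbg`, which a user sees only when debug output is enabled. If this happens while a new passphrase is being set, the keyslot ends up protected by a prefix of what was typed and the user gets no indication of it. Consider making this user-visible, for example `log_err(_("Passphrase was truncated to the maximal interactive input length."));`, or failing the read instead. The function starts outside the hunk, so whether callers bound the input in some other way is not visible here.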
@@ -279,14 +286,18 @@ int tools_get_key(const char *prompt, if (keyfile_offset) { log_err(_("Cannot use offset with terminal input.")); } else { + r = 0; if (!prompt && !crypt_get_device_name(cd)) - snprintf(tmp, sizeof(tmp), _("Enter passphrase: ")); + r = snprintf(tmp, sizeof(tmp), _("Enter passphrase: ")); else if (!prompt) { backing_file = crypt_loop_backing_file(crypt_get_device_name(cd)); - snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "), backing_file ?: crypt_get_device_name(cd)); + r = snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "), backing_file ?: crypt_get_device_name(cd)); free(backing_file); } - r = crypt_get_key_tty(prompt ?: tmp, key, key_size, timeout, verify); + if (r >= 0) + r = crypt_get_key_tty(prompt ?: tmp, key, key_size, timeout, verify); + else + r = -EINVAL; } } else { log_dbg("STDIN descriptor passphrase entry requested."); diff --git a/src/utils_progress.c b/src/utils_progress.c new file mode 100644 index 0000000..76b1818 --- /dev/null +++ b/src/utils_progress.c 
@@ -0,0 +1,301 @@ +/* + * cryptsetup - progress output utilities + * + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <assert.h> +#include "cryptsetup.h" + +#define MINUTES_90 UINT64_C(5400000000) /* 90 minutes in microseconds */ +#define HOURS_36 UINT64_C(129600000000) /* 36 hours in microseconds */ + +#define MINUTES(A) (A) / UINT64_C(60000000) /* microseconds to minutes */ +#define SECONDS(A) (A) / UINT64_C(1000000) /* microseconds to seconds */ +#define HOURS(A) (A) / UINT64_C(3600000000) /* microseconds to hours */ +#define DAYS(A) (A) / UINT64_C(86400000000) /* microseconds to days */ + +#define REMAIN_SECONDS(A) (SECONDS((A))) % 60 +#define REMAIN_MINUTES(A) (MINUTES((A))) % 60 + +/* The difference in microseconds between two times in "timeval" format. 
*/ +static uint64_t time_diff(struct timeval *start, struct timeval *end) +{ + return (end->tv_sec - start->tv_sec) * UINT64_C(1000000) + + (end->tv_usec - start->tv_usec); +} + +static void tools_clear_line(void) +{ + /* vt100 code clear line */ + log_std("\33[2K\r"); +} + +static void bytes_to_units(uint64_t *bytes, const char **units) +{ + if (*bytes < (UINT64_C(1) << 32)) { /* less than 4 GiBs */ + *units = "MiB"; + *bytes >>= 20; + } else if (*bytes < (UINT64_C(1) << 42)) { /* less than 4 TiBs */ + *units = "GiB"; + *bytes >>= 30; + } else if (*bytes < (UINT64_C(1) << 52)) { /* less than 4 PiBs */ + *units = "TiB"; + *bytes >>= 40; + } else if (*bytes < (UINT64_C(1) << 62)) { /* less than 4 EiBs */ + *units = "PiB"; + *bytes >>= 50; + } else { + *units = "EiB"; + *bytes >>= 60; + } +} + +static bool time_to_human_string(uint64_t usecs, char *buf, size_t buf_len) +{ + ssize_t r; + + if (usecs < MINUTES_90) + r = snprintf(buf, buf_len, _("%02" PRIu64 "m%02" PRIu64 "s"), MINUTES(usecs), REMAIN_SECONDS(usecs)); + else if (usecs < HOURS_36) + r = snprintf(buf, buf_len, _("%02" PRIu64 "h%02" PRIu64 "m%02" PRIu64 "s"), HOURS(usecs), REMAIN_MINUTES(usecs), REMAIN_SECONDS(usecs)); + else + r = snprintf(buf, buf_len, _("%02" PRIu64 " days"), DAYS(usecs)); + + if (r < 0 || (size_t)r >= buf_len) + return false; + + return true; +} + +static void log_progress(uint64_t bytes, uint64_t device_size, uint64_t eta, double uib, const char *ustr, const char *eol) +{ + double progress; + int r; + const char *units; + char time[128], written[128], speed[128]; + + /* + * TRANSLATORS: 'time' string with examples: + * "12m44s" : meaning 12 minutes 44 seconds + * "26h12m44s" : meaning 26 hours 12 minutes 44 seconds + * "3 days" + */ + if (!time_to_human_string(eta, time, sizeof(time))) + return; + + progress = (double)bytes / device_size * 100.0; + + bytes_to_units(&bytes, &units); + r = snprintf(written, sizeof(written), _("%4" PRIu64 " %s written"), bytes, units); + if (r < 0 || 
(size_t)r >= sizeof(written)) + return; + + r = snprintf(speed, sizeof(speed), _("speed %5.1f %s/s"), uib, ustr); + if (r < 0 || (size_t)r >= sizeof(speed)) + return; + + /* + * TRANSLATORS: 'time', 'written' and 'speed' string are supposed + * to get translated as well. 'eol' is always new-line or empty. + * See above. + */ + log_std(_("Progress: %5.1f%%, ETA %s, %s, %s%s"), + progress, time, written, speed, eol); +} + +static void log_progress_final(uint64_t time_spent, uint64_t bytes, double uib, const char *ustr) +{ + int r; + const char *units; + char time[128], written[128], speed[128]; + + /* + * TRANSLATORS: 'time' string with examples: + * "12m44s" : meaning 12 minutes 44 seconds + * "26h12m44s" : meaning 26 hours 12 minutes 44 seconds + * "3 days" + */ + if (!time_to_human_string(time_spent, time, sizeof(time))) + return; + + bytes_to_units(&bytes, &units); + r = snprintf(written, sizeof(written) - 1, _("%4" PRIu64 " %s written"), bytes, units); + if (r < 0 || (size_t)r >= sizeof(written)) + return; + + r = snprintf(speed, sizeof(speed) - 1, _("speed %5.1f %s/s"), uib, ustr); + if (r < 0 || (size_t)r >= sizeof(speed)) + return; + + /* + * TRANSLATORS: 'time', 'written' and 'speed' string are supposed + * to get translated as well. 
See above + */ + log_std(_("Finished, time %s, %s, %s\n"), time, written, speed); +} + +static bool calculate_tdiff(bool final, uint64_t bytes, struct tools_progress_params *parms, double *r_tdiff) +{ + uint64_t frequency; + struct timeval now_time; + + assert(r_tdiff); + + gettimeofday(&now_time, NULL); + if (parms->start_time.tv_sec == 0 && parms->start_time.tv_usec == 0) { + parms->start_time = now_time; + parms->end_time = now_time; + parms->start_offset = bytes; + return false; + } + + if (parms->frequency) + frequency = parms->frequency * UINT64_C(1000000); + else + frequency = 500000; + + if (!final && time_diff(&parms->end_time, &now_time) < frequency) + return false; + + parms->end_time = now_time; + + *r_tdiff = time_diff(&parms->start_time, &parms->end_time) / 1E6; + if (!*r_tdiff) + return false; + + return true; +} + +static void tools_time_progress(uint64_t device_size, uint64_t bytes, struct tools_progress_params *parms) +{ + uint64_t eta; + double tdiff, uib; + const char *eol, *ustr; + bool final = (bytes == device_size); + + if (!calculate_tdiff(final, bytes, parms, &tdiff)) + return; + + if (parms->frequency) + eol = "\n"; + else + eol = ""; + + uib = (double)(bytes - parms->start_offset) / tdiff; + + eta = (uint64_t)((device_size / uib - tdiff) * 1E6); + + if (uib > 1073741824.0f) { + uib /= 1073741824.0f; + ustr = "GiB"; + } else if (uib > 1048576.0f) { + uib /= 1048576.0f; + ustr = "MiB"; + } else if (uib > 1024.0f) { + uib /= 1024.0f; + ustr = "KiB"; + } else + ustr = "B"; + + if (!parms->frequency) + tools_clear_line(); + + if (final) + log_progress_final((uint64_t)(tdiff * 1E6), bytes, uib, ustr); + else + log_progress(bytes, device_size, eta, uib, ustr, eol); + + fflush(stdout); +} + +static void log_progress_json(const char *device, uint64_t bytes, uint64_t device_size, uint64_t eta, uint64_t uib, uint64_t time_spent) +{ + int r; + char json[PATH_MAX+256]; + + r = snprintf(json, sizeof(json) - 1, + "{\"device\":\"%s\"," + 
"\"device_bytes\":\"%" PRIu64 "\"," /* in bytes */ + "\"device_size\":\"%" PRIu64 "\"," /* in bytes */ + "\"speed\":\"%" PRIu64 "\"," /* in bytes per second */ + "\"eta_ms\":\"%" PRIu64 "\"," /* in milliseconds */ + "\"time_ms\":\"%" PRIu64 "\"}\n", /* in milliseconds */ + device, bytes, device_size, uib, eta, time_spent); + + if (r < 0 || (size_t)r >= sizeof(json) - 1) + return; + + log_std("%s", json); +} + +static void tools_time_progress_json(uint64_t device_size, uint64_t bytes, struct tools_progress_params *parms) +{ + double tdiff, uib; + bool final = (bytes == device_size); + + if (!calculate_tdiff(final, bytes, parms, &tdiff)) + return; + + uib = (double)(bytes - parms->start_offset) / tdiff; + + log_progress_json(parms->device, + bytes, + device_size, + final ? UINT64_C(0) : (uint64_t)((device_size / uib - tdiff) * 1E3), + (uint64_t)uib, + (uint64_t)(tdiff * 1E3)); + + fflush(stdout); +} + +int tools_progress(uint64_t size, uint64_t offset, void *usrptr) +{ + int r = 0; + struct tools_progress_params *parms = (struct tools_progress_params *)usrptr; + + if (parms && parms->json_output) + tools_time_progress_json(size, offset, parms); + else if (parms && !parms->batch_mode) + tools_time_progress(size, offset, parms); + + check_signal(&r); + if (r) { + if (!parms || (!parms->frequency && !parms->json_output)) + tools_clear_line(); + if (parms && parms->interrupt_message) + log_err("%s", parms->interrupt_message); + } + + return r; +} + +const char *tools_get_device_name(const char *device, char **r_backing_file) +{ + char *bfile; + + assert(r_backing_file); + + bfile = crypt_loop_backing_file(device); + if (bfile) { + *r_backing_file = bfile; + return bfile; + } + + return device; +} diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c new file mode 100644 index 0000000..a78557c --- /dev/null +++ b/src/utils_reencrypt.c 
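Review bot: `log_progress_json` formats the device name into the record with a bare `%s`, so a device path containing `"`, `\` or a control character produces output that is not valid JSON, and a crafted file name can add or override fields in what a consumer of the `progress-json` output parses. The name should be escaped before it is formatted; the helper below does that with the bounded `snprintf` style this file already uses, and the record is skipped when the escaped name does not fit. Separately, in both `tools_time_progress` and `tools_time_progress_json` `uib` is 0 when no bytes have moved since `start_offset`, which makes `device_size / uib` infinite and the cast to `uint64_t` undefined; an early return on `uib <= 0` would cover that.

```c
/* Copy src into dst as the body of a JSON string, escaping '"', '\\' and control bytes. */
static bool json_escape_string(const char *src, char *dst, size_t dst_len)
{
	size_t used = 0;
	int n;

	if (!src || !dst || !dst_len)
		return false;
	dst[0] = '\0';

	for (; *src; src++) {
		unsigned char c = (unsigned char)*src;

		if (c == '"' || c == '\\')
			n = snprintf(dst + used, dst_len - used, "\\%c", c);
		else if (c < 0x20)
			n = snprintf(dst + used, dst_len - used, "\\u%04x", (unsigned)c);
		else
			n = snprintf(dst + used, dst_len - used, "%c", c);
		if (n < 0 || (size_t)n >= dst_len - used)
			return false;
		used += (size_t)n;
	}

	return true;
}

static void log_progress_json(const char *device, uint64_t bytes, uint64_t device_size, uint64_t eta, uint64_t uib, uint64_t time_spent)
{
	int r;
	char json[2*PATH_MAX+256], dev[2*PATH_MAX];

	if (!json_escape_string(device, dev, sizeof(dev)))
		return;

	/* … unchanged: snprintf of the JSON record, passing dev in place of device … */
```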
@@ -0,0 +1,1560 @@
+/*
+ * cryptsetup - action re-encryption utilities
+ *
+ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2023 Milan Broz
+ * Copyright (C) 2021-2023 Ondrej Kozina
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <uuid/uuid.h>
+
+#include "cryptsetup.h"
+#include "cryptsetup_args.h"
+#include "utils_luks.h"
+
+extern int64_t data_shift;
+extern const char *device_type;
+extern const char *set_pbkdf;
+
+enum device_status_info {
+ DEVICE_LUKS2 = 0, /* LUKS2 device */
+ DEVICE_LUKS2_REENCRYPT, /* LUKS2 device in reencryption */
+ DEVICE_LUKS1, /* LUKS1 device */
+ DEVICE_LUKS1_UNUSABLE, /* LUKS1 device in reencryption (legacy) */
+ DEVICE_NOT_LUKS, /* device is not LUKS type */
+ DEVICE_INVALID /* device is invalid */
+};
+
+static void _set_reencryption_flags(uint32_t *flags)
+{
+ if (ARG_SET(OPT_INIT_ONLY_ID))
+ *flags |= CRYPT_REENCRYPT_INITIALIZE_ONLY;
+
+ if (ARG_SET(OPT_RESUME_ONLY_ID))
+ *flags |= CRYPT_REENCRYPT_RESUME_ONLY;
+}
+
+static int reencrypt_check_passphrase(struct crypt_device *cd,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_len)
+{
+ int r;
+
+ assert(cd);
+
+ r = crypt_activate_by_passphrase(cd, NULL, keyslot,
+ passphrase, passphrase_len, 0);
+ check_signal(&r);
+
tools_passphrase_msg(r);
+ tools_keyslot_msg(r, UNLOCKED);
+
+ return r;
+}
+
+static int set_keyslot_params(struct crypt_device *cd, int keyslot)
+{
+ const char *cipher;
+ struct crypt_pbkdf_type pbkdf;
+ size_t key_size;
+
+ cipher = crypt_keyslot_get_encryption(cd, keyslot, &key_size);
+ if (!cipher)
+ return -EINVAL;
+
+ if (crypt_is_cipher_null(cipher)) {
+ log_dbg("Keyslot %d uses cipher_null. "
+ "Replacing with default encryption in new keyslot.", keyslot);
+ cipher = DEFAULT_LUKS2_KEYSLOT_CIPHER;
+ key_size = DEFAULT_LUKS2_KEYSLOT_KEYBITS / 8;
+ }
+
+ if (crypt_keyslot_set_encryption(cd, cipher, key_size))
+ return -EINVAL;
+
+ /* if requested any of those just reinitialize context pbkdf */
+ if (set_pbkdf || ARG_SET(OPT_HASH_ID) || ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID) ||
+ ARG_SET(OPT_ITER_TIME_ID))
+ return set_pbkdf_params(cd, CRYPT_LUKS2);
+
+ if (crypt_keyslot_get_pbkdf(cd, keyslot, &pbkdf))
+ return -EINVAL;
+
+ pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
+
+ return crypt_set_pbkdf_type(cd, &pbkdf);
+}
+
+static int get_active_device_name(struct crypt_device *cd,
+ const char *data_device,
+ char **r_active_name)
+{
+ char *msg;
+ int r;
+
+ assert(data_device);
+
+ r = tools_lookup_crypt_device(cd, crypt_get_type(cd), data_device, r_active_name);
+ if (r > 0) {
+ log_dbg("Device %s has %d active holders.", data_device, r);
+
+ if (!*r_active_name) {
+ log_err(_("Device %s is still in use."), data_device);
+ return -EINVAL;
+ }
+ if (!ARG_SET(OPT_BATCH_MODE_ID))
+ log_std(_("Auto-detected active dm device '%s' for data device %s.\n"),
+ *r_active_name, data_device);
+ } else if (r < 0) {
+ if (r != -ENOTBLK) {
+ log_err(_("Failed to auto-detect device %s holders."), data_device);
+ return -EINVAL;
+ }
+
+ r = -EINVAL;
+ if (!ARG_SET(OPT_BATCH_MODE_ID)) {
+ log_std(_("Device %s is not a block device.\n"), data_device);
+
+ r = asprintf(&msg, _("Unable to decide if device %s is activated or not.\n"
+ "Are you sure you want to proceed with reencryption
in offline mode?\n"
+ "It may lead to data corruption if the device is actually activated.\n"
+ "To run reencryption in online mode, use --active-name parameter instead.\n"), data_device);
+ if (r < 0)
+ return -ENOMEM;
+ r = noDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
+ free(msg);
+ } else {
+ log_err(_("Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+ "Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."), data_device);
+ }
+ } else {
+ *r_active_name = NULL;
+ log_dbg("Device %s is unused. Proceeding with offline reencryption.", data_device);
+ }
+
+ return r;
+}
+
+static int reencrypt_get_active_name(struct crypt_device *cd,
+ const char *data_device,
+ char **r_active_name)
+{
+ assert(cd);
+ assert(r_active_name);
+
+ if (ARG_SET(OPT_ACTIVE_NAME_ID))
+ return (*r_active_name = strdup(ARG_STR(OPT_ACTIVE_NAME_ID))) ? 0 : -ENOMEM;
+
+ return get_active_device_name(cd, data_device, r_active_name);
+}
+
+static int decrypt_verify_and_set_params(struct crypt_params_reencrypt *params)
+{
+ const char *resilience;
+
+ assert(params);
+
+ if (!ARG_SET(OPT_RESILIENCE_ID))
+ return 0;
+
+ resilience = ARG_STR(OPT_RESILIENCE_ID);
+
+ if (!strcmp(resilience, "datashift") ||
+ !strcmp(resilience, "none")) {
+ log_err(_("Requested --resilience option cannot be applied "
+ "to current reencryption operation."));
+ return -EINVAL;
+ } else if (!strcmp(resilience, "journal"))
+ params->resilience = "datashift-journal";
+ else if (!strcmp(resilience, "checksum"))
+ params->resilience = "datashift-checksum";
+ else if (!strcmp(resilience, "datashift-checksum") ||
+ !strcmp(resilience, "datashift-journal"))
+ params->resilience = resilience;
+ else {
+ log_err(_("Unsupported resilience mode %s"), resilience);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int reencrypt_verify_and_update_params(struct crypt_params_reencrypt *params,
+ char **r_hash)
+{
+ assert(params);
+ assert(r_hash);
+
+ if
(ARG_SET(OPT_ENCRYPT_ID) && params->mode != CRYPT_REENCRYPT_ENCRYPT) {
+ log_err(_("Device is not in LUKS2 encryption. Conflicting option --encrypt."));
+ return -EINVAL;
+ }
+
+ if (ARG_SET(OPT_DECRYPT_ID) && params->mode != CRYPT_REENCRYPT_DECRYPT) {
+ log_err(_("Device is not in LUKS2 decryption. Conflicting option --decrypt."));
+ return -EINVAL;
+ }
+
+ if (ARG_SET(OPT_RESILIENCE_ID)) {
+ if (!strcmp(params->resilience, "datashift") &&
+ strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
+ log_err(_("Device is in reencryption using datashift resilience. "
+ "Requested --resilience option cannot be applied."));
+ return -EINVAL;
+ }
+ if (strcmp(params->resilience, "datashift") &&
+ !strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
+ log_err(_("Requested --resilience option cannot be applied "
+ "to current reencryption operation."));
+ return -EINVAL;
+ }
+
+ if (!strncmp(params->resilience, "datashift-", 10)) {
+ /* decryption with datashift in progress */
+ if (decrypt_verify_and_set_params(params))
+ return -EINVAL;
+ } else if (!strncmp(ARG_STR(OPT_RESILIENCE_ID), "datashift-", 10)) {
+ log_err(_("Requested --resilience option cannot be applied "
+ "to current reencryption operation."));
+ return -EINVAL;
+ } else
+ params->resilience = ARG_STR(OPT_RESILIENCE_ID);
+
+ /* we have to copy hash string returned by API */
+ if (params->hash && !ARG_SET(OPT_RESILIENCE_HASH_ID)) {
+ /* r_hash owns the memory.
Freed by caller */
+ *r_hash = strdup(params->hash);
+ if (!*r_hash)
+ return -ENOMEM;
+ params->hash = *r_hash;
+ }
+
+ /* Add default hash when switching to checksum based resilience */
+ if (!params->hash && !ARG_SET(OPT_RESILIENCE_HASH_ID) &&
+ (!strcmp(params->resilience, "checksum") ||
+ !strcmp(params->resilience, "datashift-checksum")))
+ params->hash = "sha256";
+
+ if (ARG_SET(OPT_RESILIENCE_HASH_ID))
+ params->hash = ARG_STR(OPT_RESILIENCE_HASH_ID);
+ } else
+ params->resilience = NULL;
+
+ params->max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE;
+ params->device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
+ params->flags = CRYPT_REENCRYPT_RESUME_ONLY;
+
+ return 0;
+}
+
+static int reencrypt_hint_force_offline_reencrypt(const char *data_device)
+{
+ struct stat st;
+
+ if (ARG_SET(OPT_ACTIVE_NAME_ID) ||
+ !ARG_SET(OPT_BATCH_MODE_ID) ||
+ ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
+ return 0;
+
+ if (stat(data_device, &st) == 0 && S_ISREG(st.st_mode)) {
+ log_err(_("Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+ "Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."), data_device);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device)
+{
+ char *msg;
+ crypt_reencrypt_info ri;
+ int r;
+ size_t passwordLen;
+ char *active_name = NULL, *hash = NULL, *password = NULL;
+ struct crypt_params_reencrypt params = {};
+
+ ri = crypt_reencrypt_status(cd, ¶ms);
+ if (ri == CRYPT_REENCRYPT_CRASH)
+ log_err(_("Device requires reencryption recovery.
Run repair first."));
+
+ if (ri != CRYPT_REENCRYPT_CLEAN)
+ return -EINVAL;
+
+ r = reencrypt_verify_and_update_params(¶ms, &hash);
+ if (r < 0)
+ return r;
+
+ r = reencrypt_hint_force_offline_reencrypt(data_device);
+ if (r < 0)
+ goto out;
+
+ if (!ARG_SET(OPT_BATCH_MODE_ID) && !ARG_SET(OPT_RESUME_ONLY_ID)) {
+ r = asprintf(&msg, _("Device %s is already in LUKS2 reencryption. "
+ "Do you wish to resume previously initialised operation?"),
+ crypt_get_metadata_device_name(cd) ?: data_device);
+ if (r < 0) {
+ r = -ENOMEM;
+ goto out;
+ }
+ r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
+ free(msg);
+ if (r < 0)
+ goto out;
+ }
+
+ r = tools_get_key(NULL, &password, &passwordLen,
+ ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
+ ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
+ verify_passphrase(0), 0, cd);
+ if (r < 0)
+ goto out;
+
+ if (!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
+ r = reencrypt_get_active_name(cd, data_device, &active_name);
+ if (r >= 0)
+ r = crypt_reencrypt_init_by_passphrase(cd, active_name, password,
+ passwordLen, ARG_INT32(OPT_KEY_SLOT_ID),
+ ARG_INT32(OPT_KEY_SLOT_ID), NULL, NULL, ¶ms);
+out:
+ free(hash);
+ crypt_safe_free(password);
+ free(active_name);
+ return r;
+}
+
+/*
+ * 1: in-progress
+ * 0: clean luks2 device
+ * < 0: error
+ */
+static int luks2_reencrypt_in_progress(struct crypt_device *cd)
+{
+ uint32_t flags;
+
+ if (crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &flags))
+ return -EINVAL;
+
+ if (flags & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
+ log_err(_("Legacy LUKS2 reencryption is no longer supported."));
+ return -EINVAL;
+ }
+
+ return flags & CRYPT_REQUIREMENT_ONLINE_REENCRYPT;
+}
+
+/*
+ * Returns crypt context for:
+ * DEVICE_LUKS2
+ * DEVICE_LUKS2_REENCRYPT
+ * DEVICE_LUKS1
+ */
+static enum device_status_info load_luks(struct crypt_device **r_cd,
+ const char *header_device,
+ const char *data_device)
+{
+ int r;
+ struct crypt_device *cd;
+ struct stat st;
+
+ assert(r_cd);
+ assert(data_device);
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return DEVICE_NOT_LUKS;
+
+ if (crypt_init_data_device(&cd, uuid_or_device(header_device ?: data_device), data_device))
+ return DEVICE_INVALID;
+
+ if ((r = crypt_load(cd, CRYPT_LUKS, NULL))) {
+ crypt_free(cd);
+
+ if (r == -EBUSY) /* luks2 locking error (message printed by libcryptsetup) */
+ return DEVICE_INVALID;
+
+ r = reencrypt_luks1_in_progress(uuid_or_device(header_device ?: data_device));
+ if (!r)
+ return DEVICE_LUKS1_UNUSABLE;
+
+ return DEVICE_NOT_LUKS;
+ }
+
+ if (isLUKS2(crypt_get_type(cd))) {
+ r = luks2_reencrypt_in_progress(cd);
+ if (r < 0) {
+ crypt_free(cd);
+ return DEVICE_INVALID;
+ }
+ }
+
+ *r_cd = cd;
+
+ if (r > 0)
+ return DEVICE_LUKS2_REENCRYPT;
+
+ return isLUKS2(crypt_get_type(cd)) ? DEVICE_LUKS2 : DEVICE_LUKS1;
+}
+
+static bool luks2_reencrypt_eligible(struct crypt_device *cd)
+{
+ struct crypt_params_integrity ip = { 0 };
+
+ /* raw integrity info is available since 2.0 */
+ if (crypt_get_integrity_info(cd, &ip) || ip.tag_size) {
+ log_err(_("Reencryption of device with integrity profile is not supported."));
+ return false;
+ }
+
+ return true;
+}
+
+static enum device_status_info check_luks_device(const char *device)
+{
+ enum device_status_info dev_st;
+ struct crypt_device *cd = NULL;
+
+ dev_st = load_luks(&cd, NULL, device);
+ crypt_free(cd);
+
+ return dev_st;
+}
+
+static int reencrypt_check_data_sb_block_size(const char *data_device, uint32_t new_sector_size)
+{
+ int r;
+ char sb_name[32];
+ unsigned block_size;
+
+ assert(data_device);
+
+ r = tools_superblock_block_size(data_device, sb_name, sizeof(sb_name), &block_size);
+ if (r <= 0)
+ return r;
+
+ if (new_sector_size > block_size) {
+ log_err(_("Requested --sector-size %" PRIu32 " is incompatible with %s superblock\n"
+ "(block size: %" PRIu32 " bytes) detected on device %s."),
+ new_sector_size, sb_name, block_size, data_device);
+ return -EINVAL;
+
}
+
+ return 0;
+}
+
+static int reencrypt_check_active_device_sb_block_size(const char *active_device, uint32_t new_sector_size)
+{
+ int r;
+ char dm_device[PATH_MAX];
+
+ r = snprintf(dm_device, sizeof(dm_device), "%s/%s", crypt_get_dir(), active_device);
+ if (r < 0 || (size_t)r >= sizeof(dm_device))
+ return -EINVAL;
+
+ return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
+}
+
+static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
+{
+ int r;
+ struct stat st;
+ struct crypt_device *cd;
+
+ if (!header_device)
+ return 0;
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return 1;
+
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
+ return r;
+
+ r = crypt_header_is_detached(cd);
+ crypt_free(cd);
+ return r;
+}
+
+static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
+{
+ int keyslot, r, fd;
+ uuid_t uuid;
+ size_t passwordLen;
+ char *tmp, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
+ uint32_t activate_flags = 0;
+ const struct crypt_params_luks2 luks2_params = {
+ .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE
+ };
+ struct crypt_params_reencrypt params = {
+ .mode = CRYPT_REENCRYPT_ENCRYPT,
+ .direction = data_shift < 0 ?
CRYPT_REENCRYPT_BACKWARD : CRYPT_REENCRYPT_FORWARD,
+ .resilience = ARG_STR(OPT_RESILIENCE_ID) ?: "checksum",
+ .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
+ .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
+ .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE,
+ .luks2 = &luks2_params,
+ .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY
+ };
+
+ _set_reencryption_flags(¶ms.flags);
+
+ if (!data_shift) {
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
+ if (r < 0)
+ return r;
+ if (!r) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
+ }
+
+ if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
+ data_shift && (ARG_UINT64(OPT_OFFSET_ID) > (uint64_t)(imaxabs(data_shift) / (2 * SECTOR_SIZE)))) {
+ log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter."));
+ return -EINVAL;
+ }
+
+ /* TODO: ask user to confirm.
It's useless to do data device reduction and than use smaller value */
+ if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
+ data_shift && (ARG_UINT64(OPT_OFFSET_ID) < (uint64_t)(imaxabs(data_shift) / (2 * SECTOR_SIZE)))) {
+ data_shift = -(ARG_UINT64(OPT_OFFSET_ID) * 2 * SECTOR_SIZE);
+ if (data_shift >= 0)
+ return -EINVAL;
+ log_std(_("Adjusting --reduce-device-size value to twice the --offset %" PRIu64 " (sectors).\n"), ARG_UINT64(OPT_OFFSET_ID) * 2);
+ }
+
+ if (ARG_SET(OPT_UUID_ID) && uuid_parse(ARG_STR(OPT_UUID_ID), uuid) == -1) {
+ log_err(_("Wrong LUKS UUID format provided."));
+ return -EINVAL;
+ }
+
+ if (ARG_SET(OPT_SECTOR_SIZE_ID)) {
+ r = reencrypt_check_data_sb_block_size(data_device, ARG_UINT32(OPT_SECTOR_SIZE_ID));
+ if (r < 0)
+ return r;
+ }
+
+ if (!ARG_SET(OPT_UUID_ID)) {
+ uuid_generate(uuid);
+ uuid_unparse(uuid, uuid_str);
+ if (!(tmp = strdup(uuid_str)))
+ return -ENOMEM;
+ ARG_SET_STR(OPT_UUID_ID, tmp);
+ }
+
+ if (!ARG_SET(OPT_HEADER_ID)) {
+ r = snprintf(header_file, sizeof(header_file), "LUKS2-temp-%s.new", ARG_STR(OPT_UUID_ID));
+ if (r < 0 || (size_t)r >= sizeof(header_file))
+ return -EINVAL;
+
+ fd = open(header_file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);
+ if (fd == -1) {
+ if (errno == EEXIST)
+ log_err(_("Temporary header file %s already exists. Aborting."), header_file);
+ else
+ log_err(_("Cannot create temporary header file %s."), header_file);
+ return -EINVAL;
+ }
+
+ r = posix_fallocate(fd, 0, 4096);
+ close(fd);
+ if (r) {
+ log_err(_("Cannot create temporary header file %s."), header_file);
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (!(tmp = strdup(header_file))) {
+ r = -ENOMEM;
+ goto out;
+ }
+ ARG_SET_STR(OPT_HEADER_ID, tmp);
+
+ /*
+ * FIXME: just override offset here, but we should support both.
+ * offset and implicit offset via data shift (lvprepend?)
+ */
+ if (!ARG_UINT64(OPT_OFFSET_ID))
+ ARG_SET_UINT64(OPT_OFFSET_ID, imaxabs(data_shift) / (2 * SECTOR_SIZE));
+ data_shift >>= 1;
+ params.flags |= CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT;
+ } else if (data_shift < 0) {
+ if (!ARG_SET(OPT_LUKS2_METADATA_SIZE_ID))
+ ARG_SET_UINT64(OPT_LUKS2_METADATA_SIZE_ID, 0x4000); /* missing default here */
+ if (!ARG_SET(OPT_LUKS2_KEYSLOTS_SIZE_ID))
+ ARG_SET_UINT64(OPT_LUKS2_KEYSLOTS_SIZE_ID, -data_shift - 2 * ARG_UINT64(OPT_LUKS2_METADATA_SIZE_ID));
+ if (2 * ARG_UINT64(OPT_LUKS2_METADATA_SIZE_ID) + ARG_UINT64(OPT_LUKS2_KEYSLOTS_SIZE_ID) > (uint64_t)-data_shift) {
+ log_err(_("LUKS2 metadata size is larger than data shift value."));
+ return -EINVAL;
+ }
+ }
+
+ r = luksFormat(cd, &password, &passwordLen);
+ if (r < 0)
+ goto out;
+
+ if (!luks2_reencrypt_eligible(*cd)) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (data_shift) {
+ params.data_shift = imaxabs(data_shift) / SECTOR_SIZE,
+ params.resilience = "datashift";
+ }
+ keyslot = !ARG_SET(OPT_KEY_SLOT_ID) ?
0 : ARG_INT32(OPT_KEY_SLOT_ID);
+ r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen,
+ CRYPT_ANY_SLOT, keyslot, crypt_get_cipher(*cd),
+ crypt_get_cipher_mode(*cd), ¶ms);
+ if (r < 0) {
+ crypt_keyslot_destroy(*cd, keyslot);
+ goto out;
+ }
+
+ /* Restore temporary header in head of data device */
+ if (*header_file) {
+ crypt_free(*cd);
+ *cd = NULL;
+
+ r = crypt_init(cd, data_device);
+ if (!r)
+ r = crypt_header_restore(*cd, CRYPT_LUKS2, header_file);
+
+ if (r) {
+ log_err(_("Failed to place new header at head of device %s."), data_device);
+ goto out;
+ }
+ }
+
+ /* activate device */
+ if (device_name) {
+ set_activation_flags(&activate_flags);
+ r = crypt_activate_by_passphrase(*cd, device_name, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags);
+ if (r >= 0)
+ log_std(_("%s/%s is now active and ready for online encryption.\n"), crypt_get_dir(), device_name);
+ }
+
+ if (r < 0)
+ goto out;
+
+ /* just load reencryption context to continue reencryption */
+ if (!ARG_SET(OPT_INIT_ONLY_ID)) {
+ params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
+ r = crypt_reencrypt_init_by_passphrase(*cd, device_name, password, passwordLen,
+ CRYPT_ANY_SLOT, keyslot, NULL, NULL, ¶ms);
+ }
+out:
+ crypt_safe_free(password);
+ if (*header_file)
+ unlink(header_file);
+ return r;
+}
+
+static enum device_status_info load_luks2_by_name(struct crypt_device **r_cd, const char *active_name, const char *header_device)
+{
+ int r;
+ struct crypt_device *cd;
+ struct stat st;
+
+ assert(r_cd);
+ assert(active_name);
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return DEVICE_NOT_LUKS;
+
+ r = crypt_init_by_name_and_header(&cd, active_name, header_device);
+ if (r)
+ return DEVICE_INVALID;
+
+ if (!isLUKS2(crypt_get_type(cd))) {
+ log_err(_("Active device %s is not LUKS2."), active_name);
+ crypt_free(cd);
+ return DEVICE_INVALID;
+ }
+
+ r = luks2_reencrypt_in_progress(cd);
+ if (r < 0) {
+ crypt_free(cd);
+ return
DEVICE_INVALID;
+ }
+
+ *r_cd = cd;
+
+ return !r ? DEVICE_LUKS2 : DEVICE_LUKS2_REENCRYPT;
+}
+
+static int reencrypt_restore_header(struct crypt_device **cd,
+ const char *data_device, const char *header)
+{
+ int r;
+
+ assert(cd);
+ assert(data_device);
+ assert(header);
+
+ crypt_free(*cd);
+ *cd = NULL;
+
+ log_verbose(_("Restoring original LUKS2 header."));
+
+ r = crypt_init(cd, data_device);
+ if (r < 0)
+ return r;
+
+ r = crypt_header_restore(*cd, CRYPT_LUKS2, header);
+ if (r < 0)
+ log_err(_("Original LUKS2 header restore failed."));
+
+ return r;
+}
+
+static int decrypt_luks2_datashift_init(struct crypt_device **cd,
+ const char *data_device,
+ const char *expheader)
+{
+ int fd, r;
+ size_t passwordLen;
+ struct stat hdr_st;
+ bool remove_header = false;
+ char *msg, *active_name = NULL, *password = NULL;
+ struct crypt_params_reencrypt params = {
+ .mode = CRYPT_REENCRYPT_DECRYPT,
+ .direction = CRYPT_REENCRYPT_FORWARD,
+ .resilience = "datashift-checksum",
+ .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
+ .data_shift = crypt_get_data_offset(*cd),
+ .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE,
+ .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
+ .flags = CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT
+ };
+
+ if (!ARG_SET(OPT_BATCH_MODE_ID)) {
+ r = asprintf(&msg, _("Header file %s does not exist. Do you want to initialize LUKS2 "
+ "decryption of device %s and export LUKS2 header to file %s?"),
+ expheader, data_device, expheader);
+ if (r < 0)
+ return -ENOMEM;
+ r = yesDialog(msg, _("Operation aborted.\n")) ?
0 : -EINVAL;
+ free(msg);
+ if (r < 0)
+ return r;
+ }
+
+ if ((r = decrypt_verify_and_set_params(¶ms)))
+ return r;
+
+ r = reencrypt_hint_force_offline_reencrypt(data_device);
+ if (r < 0)
+ return r;
+
+ r = tools_get_key(NULL, &password, &passwordLen,
+ ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
+ ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
+ verify_passphrase(0), 0, *cd);
+ if (r < 0)
+ return r;
+
+ r = reencrypt_check_passphrase(*cd, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen);
+ if (r < 0)
+ goto out;
+
+ r = crypt_header_backup(*cd, CRYPT_LUKS2, expheader);
+ if (r < 0)
+ goto out;
+
+ remove_header = true;
+
+ fd = open(expheader, O_RDONLY);
+ if (fd < 0)
+ goto out;
+
+ if (fstat(fd, &hdr_st)) {
+ close(fd);
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = fchmod(fd, hdr_st.st_mode | S_IRUSR | S_IWUSR);
+ close(fd);
+ if (r) {
+ log_err(_("Failed to add read/write permissions to exported header file."));
+ r = -EINVAL;
+ goto out;
+ }
+
+ crypt_free(*cd);
+ *cd = NULL;
+
+ /* reload with exported header */
+ if (ARG_SET(OPT_ACTIVE_NAME_ID)) {
+ if (load_luks2_by_name(cd, ARG_STR(OPT_ACTIVE_NAME_ID), expheader) != DEVICE_LUKS2) {
+ r = -EINVAL;
+ goto out;
+ }
+ } else {
+ if ((r = crypt_init_data_device(cd, expheader, data_device)))
+ goto out;
+ if ((r = crypt_load(*cd, CRYPT_LUKS2, NULL)))
+ goto out;
+ }
+
+ _set_reencryption_flags(¶ms.flags);
+
+ if (!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
+ r = reencrypt_get_active_name(*cd, data_device, &active_name);
+
+ if (r < 0)
+ goto out;
+
+ r = tools_wipe_all_signatures(data_device, active_name == NULL, true);
+ if (r < 0) {
+ /* if header restore fails keep original header backup */
+ if (reencrypt_restore_header(cd, data_device, expheader) < 0)
+ remove_header = false;
+ goto out;
+ }
+
+ remove_header = false;
+
+ r = crypt_reencrypt_init_by_passphrase(*cd, active_name, password,
+ passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), CRYPT_ANY_SLOT,
+ NULL, NULL, ¶ms);
+
+ if (r < 0
&& crypt_reencrypt_status(*cd, NULL) == CRYPT_REENCRYPT_NONE) {
+ /* if restore is successful we can remove header backup */
+ if (!reencrypt_restore_header(cd, data_device, expheader))
+ remove_header = true;
+ }
+out:
+ free(active_name);
+ crypt_safe_free(password);
+
+ if (r < 0 && !remove_header && !stat(expheader, &hdr_st) && S_ISREG(hdr_st.st_mode))
+ log_err(_("Reencryption initialization failed. Header backup is available in %s."),
+ expheader);
+ if (remove_header)
+ unlink(expheader);
+
+ return r;
+}
+
+static int decrypt_luks2_init(struct crypt_device *cd, const char *data_device)
+{
+ int r;
+ size_t passwordLen;
+ char *active_name = NULL, *password = NULL;
+ struct crypt_params_reencrypt params = {
+ .mode = CRYPT_REENCRYPT_DECRYPT,
+ .direction = data_shift > 0 ? CRYPT_REENCRYPT_FORWARD : CRYPT_REENCRYPT_BACKWARD,
+ .resilience = data_shift ? "datashift" : (ARG_STR(OPT_RESILIENCE_ID) ?: "checksum"),
+ .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
+ .data_shift = imaxabs(data_shift) / SECTOR_SIZE,
+ .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE,
+ .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
+ };
+
+ if (!luks2_reencrypt_eligible(cd))
+ return -EINVAL;
+
+ if ((!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0 ||
+ crypt_get_data_offset(cd) > 0)) {
+ log_err(_("LUKS2 decryption is supported with detached header device only (with data offset set to 0)."));
+ return -ENOTSUP;
+ }
+
+ r = reencrypt_hint_force_offline_reencrypt(data_device);
+ if (r < 0)
+ return r;
+
+ _set_reencryption_flags(¶ms.flags);
+
+ r = tools_get_key(NULL, &password, &passwordLen,
+ ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
+ ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+ if (r < 0)
+ return r;
+
+ r = reencrypt_check_passphrase(cd, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen);
+ if (r < 0)
+ goto out;
+
+ if
(!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
+ r = reencrypt_get_active_name(cd, data_device, &active_name);
+ if (r >= 0)
+ r = crypt_reencrypt_init_by_passphrase(cd, active_name, password,
+ passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), CRYPT_ANY_SLOT, NULL, NULL, ¶ms);
+
+out:
+ free(active_name);
+ crypt_safe_free(password);
+ return r;
+}
+
+struct keyslot_passwords {
+ char *password;
+ size_t passwordLen;
+ int new;
+};
+
+static struct keyslot_passwords *init_keyslot_passwords(size_t count)
+{
+ size_t i;
+ struct keyslot_passwords *tmp = calloc(count, sizeof(struct keyslot_passwords));
+
+ if (!tmp)
+ return tmp;
+
+ for (i = 0; i < count; i++)
+ tmp[i].new = -1;
+
+ return tmp;
+}
+
+static int init_passphrase(struct keyslot_passwords *kp, size_t keyslot_passwords_length,
+ struct crypt_device *cd, const char *msg, int slot_to_check)
+{
+ crypt_keyslot_info ki;
+ char *password;
+ int r = -EINVAL, retry_count;
+ size_t passwordLen;
+
+ if (slot_to_check != CRYPT_ANY_SLOT) {
+ ki = crypt_keyslot_status(cd, slot_to_check);
+ if (ki < CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_UNBOUND)
+ return -ENOENT;
+ }
+
+ retry_count = set_tries_tty();
+
+ while (retry_count--) {
+ r = tools_get_key(msg, &password, &passwordLen, 0, 0,
+ ARG_STR(OPT_KEY_FILE_ID), 0, 0, 0 /*pwquality*/, cd);
+ if (r < 0)
+ return r;
+ if (quit) {
+ crypt_safe_free(password);
+ password = NULL;
+ passwordLen = 0;
+ return -EAGAIN;
+ }
+
+ r = crypt_activate_by_passphrase(cd, NULL, slot_to_check,
+ password, passwordLen, 0);
+ if (r < 0) {
+ crypt_safe_free(password);
+ password = NULL;
+ passwordLen = 0;
+ }
+ if (r < 0 && r != -EPERM)
+ return r;
+
+ if (r >= 0) {
+ tools_keyslot_msg(r, UNLOCKED);
+ if ((size_t)r >= keyslot_passwords_length) {
+ crypt_safe_free(password);
+ return -EINVAL;
+ }
+ kp[r].password = password;
+ kp[r].passwordLen = passwordLen;
+ break;
+ }
+ tools_passphrase_msg(r);
+ }
+
+ password = NULL;
+ passwordLen = 0;
+
+ return r;
+}
+
+static int _check_luks2_keyslots(struct
crypt_device *cd, bool vk_change)
+{
+ int i, new_vk_slot = (vk_change ? 1 : 0), max = crypt_keyslot_max(CRYPT_LUKS2), active = 0, unbound = 0;
+
+ if (max < 0)
+ return max;
+
+ for (i = 0; i < max; i++) {
+ switch (crypt_keyslot_status(cd, i)) {
+ case CRYPT_SLOT_INVALID:
+ return -EINVAL;
+ case CRYPT_SLOT_ACTIVE:
+ /* fall-through */
+ case CRYPT_SLOT_ACTIVE_LAST:
+ active++;
+ break;
+ case CRYPT_SLOT_UNBOUND:
+ unbound++;
+ /* fall-through */
+ default:
+ break;
+ }
+ }
+
+ /* at least one keyslot for reencryption plus new volume key (if needed) */
+ if (active + unbound + new_vk_slot + 1 > max) {
+ log_err(_("Not enough free keyslots for reencryption."));
+ return -EINVAL;
+ }
+
+ if (!vk_change)
+ return 0;
+
+ if ((ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) &&
+ (2 * active + unbound + 1 > max)) {
+ log_err(_("Not enough free keyslots for reencryption."));
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int fill_keyslot_passwords(struct crypt_device *cd,
+ struct keyslot_passwords *kp, size_t kp_size,
+ bool vk_change)
+{
+ char msg[128];
+ crypt_keyslot_info ki;
+ int i, r = 0;
+
+ if (vk_change && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT && ARG_SET(OPT_KEY_FILE_ID)) {
+ for (i = 0; (size_t)i < kp_size; i++) {
+ ki = crypt_keyslot_status(cd, i);
+ if (ki == CRYPT_SLOT_INVALID)
+ return -EINVAL;
+ if (ki == CRYPT_SLOT_ACTIVE) {
+ log_err(_("Key file can be used only with --key-slot or with "
+ "exactly one key slot active."));
+ return -EINVAL;
+ }
+ }
+ }
+
+ if (ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) {
+ for (i = 0; (size_t)i < kp_size; i++) {
+ if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i) < 0)
+ return -EINVAL;
+ r = init_passphrase(kp, kp_size, cd, msg, i);
+ /* no need to initialize all keyslots with --keep-key */
+ if (r >= 0 && !vk_change)
+ break;
+ if (r == -ENOENT)
+ r = 0;
+ if (r < 0)
+ break;
+ }
+ } else {
+ if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "),
ARG_INT32(OPT_KEY_SLOT_ID)) < 0)
+ return -EINVAL;
+ r = init_passphrase(kp, kp_size, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID));
+ }
+
+ return r < 0 ? r : 0;
+}
+
+static int assign_tokens(struct crypt_device *cd, int keyslot_old, int keyslot_new)
+{
+ int token = 0, r = crypt_token_is_assigned(cd, token, keyslot_old);
+
+ while (r != -EINVAL) {
+ if (!r && (token != crypt_token_assign_keyslot(cd, token, keyslot_new)))
+ return -EINVAL;
+ token++;
+ r = crypt_token_is_assigned(cd, token, keyslot_old);
+ }
+
+ /* we reached max token number, exit */
+ return 0;
+}
+
+static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device)
+{
+ bool vk_size_change, sector_size_change, sector_size_increase, vk_change;
+ size_t i, vk_size, kp_size;
+ int r, keyslot_old = CRYPT_ANY_SLOT, keyslot_new = CRYPT_ANY_SLOT, key_size;
+ char cipher[MAX_CIPHER_LEN], mode[MAX_CIPHER_LEN], *vk = NULL, *active_name = NULL;
+ const char *new_cipher = NULL;
+ struct keyslot_passwords *kp = NULL;
+ struct crypt_params_luks2 luks2_params = {};
+ struct crypt_params_reencrypt params = {
+ .mode = CRYPT_REENCRYPT_REENCRYPT,
+ .direction = data_shift < 0 ? CRYPT_REENCRYPT_BACKWARD : CRYPT_REENCRYPT_FORWARD,
+ .resilience = data_shift ? "datashift" : (ARG_STR(OPT_RESILIENCE_ID) ?: "checksum"),
+ .hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
+ .data_shift = imaxabs(data_shift) / SECTOR_SIZE,
+ .max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
+ .device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE,
+ .luks2 = &luks2_params,
+ };
+
+ if (!luks2_reencrypt_eligible(cd))
+ return -EINVAL;
+
+ _set_reencryption_flags(¶ms.flags);
+
+ /* cipher */
+ if (ARG_SET(OPT_CIPHER_ID))
+ new_cipher = ARG_STR(OPT_CIPHER_ID);
+ else if (!ARG_SET(OPT_CIPHER_ID) && crypt_is_cipher_null(crypt_get_cipher(cd))) {
+ log_std(_("Switching data encryption cipher to %s.\n"), DEFAULT_CIPHER(LUKS1));
+ new_cipher = DEFAULT_CIPHER(LUKS1);
+ }
+
+ if (!new_cipher) {
+ strncpy(cipher, crypt_get_cipher(cd), MAX_CIPHER_LEN - 1);
+ strncpy(mode, crypt_get_cipher_mode(cd), MAX_CIPHER_LEN - 1);
+ cipher[MAX_CIPHER_LEN-1] = '\0';
+ mode[MAX_CIPHER_LEN-1] = '\0';
+ } else {
+ if ((r = crypt_parse_name_and_mode(new_cipher, cipher, NULL, mode))) {
+ log_err(_("No known cipher specification pattern detected."));
+ return r;
+ }
+
+ /* the segment cipher is identical with existing one */
+ if (!strcmp(cipher, crypt_get_cipher(cd)) && !strcmp(mode, crypt_get_cipher_mode(cd)))
+ new_cipher = NULL;
+ }
+
+ /* sector size */
+ luks2_params.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: (uint32_t)crypt_get_sector_size(cd);
+ sector_size_change = luks2_params.sector_size != (uint32_t)crypt_get_sector_size(cd);
+ sector_size_increase = luks2_params.sector_size > (uint32_t)crypt_get_sector_size(cd);
+
+ /* key size */
+ if (ARG_SET(OPT_KEY_SIZE_ID) || new_cipher)
+ key_size = get_adjusted_key_size(mode, DEFAULT_LUKS1_KEYBITS, 0);
+ else
+ key_size = crypt_get_volume_key_size(cd);
+
+ if (!key_size)
+ return -EINVAL;
+ vk_size = key_size;
+
+ vk_size_change = key_size != crypt_get_volume_key_size(cd);
+
+ /* volume key */
+ vk_change = !ARG_SET(OPT_KEEP_KEY_ID);
+
+ if (vk_change && ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
+
r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &vk, key_size); + if (r < 0) + goto out; + + if (!crypt_volume_key_verify(cd, vk, key_size)) { + /* passed key was valid volume key */ + vk_change = false; + crypt_safe_free(vk); + vk = NULL; + } + } + + if (!vk_change && !vk_size_change && !new_cipher && !sector_size_change) { + log_err(_("No data segment parameters changed. Reencryption aborted.")); + r = -EINVAL; + goto out; + } + + if (!ARG_SET(OPT_INIT_ONLY_ID) || (tools_blkid_supported() && sector_size_increase)) { + r = reencrypt_hint_force_offline_reencrypt(data_device); + if (r < 0) + goto out; + } + + r = _check_luks2_keyslots(cd, vk_change); + if (r) + goto out; + + r = crypt_keyslot_max(CRYPT_LUKS2); + if (r < 0) + goto out; + kp_size = r; + + kp = init_keyslot_passwords(kp_size); + if (!kp) { + r = -ENOMEM; + goto out; + } + + /* coverity[overrun-call] */ + r = fill_keyslot_passwords(cd, kp, kp_size, vk_change); + if (r) + goto out; + + r = -ENOENT; + + for (i = 0; i < kp_size; i++) { + if (!vk_change) { + if (kp[i].password) { + r = keyslot_old = kp[i].new = i; + break; + } + continue; + } + + if (kp[i].password && keyslot_new < 0) { + r = set_keyslot_params(cd, i); + if (r < 0) + break; + r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size, + kp[i].password, kp[i].passwordLen, CRYPT_VOLUME_KEY_NO_SEGMENT); + tools_keyslot_msg(r, CREATED); + if (r < 0) + break; + + kp[i].new = r; + keyslot_new = r; + keyslot_old = i; + if (!vk) { + /* key generated in crypt_keyslot_add_by_key() call above */ + vk = crypt_safe_alloc(key_size); + if (!vk) { + r = -ENOMEM; + break; + } + r = crypt_volume_key_get(cd, keyslot_new, vk, &vk_size, kp[i].password, kp[i].passwordLen); + if (r < 0) + break; + } + r = assign_tokens(cd, i, r); + if (r < 0) + break; + } else if (kp[i].password) { + r = set_keyslot_params(cd, i); + if (r < 0) + break; + r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size, + kp[i].password, kp[i].passwordLen, 
CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_DIGEST_REUSE); + tools_keyslot_msg(r, CREATED); + if (r < 0) + break; + kp[i].new = r; + r = assign_tokens(cd, i, r); + if (r < 0) + break; + } + } + + if (r < 0) + goto out; + + /* + * with --init-only lookup active device only if + * blkid probes are allowed and sector size increase + * is requested. + */ + if (!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID) && + (!ARG_SET(OPT_INIT_ONLY_ID) || (tools_blkid_supported() && sector_size_increase))) { + r = reencrypt_get_active_name(cd, data_device, &active_name); + if (r < 0) + goto out; + } + + if (sector_size_increase && !active_name && tools_blkid_supported() && + !ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID)) { + log_err(_("Encryption sector size increase on offline device is not supported.\n" + "Activate the device first or use --force-offline-reencrypt option (dangerous!).")); + r = -EINVAL; + goto out; + } + + if (sector_size_increase && active_name) { + r = reencrypt_check_active_device_sb_block_size(active_name, luks2_params.sector_size); + if (r < 0) + goto out; + } + + r = crypt_reencrypt_init_by_passphrase(cd, + ARG_SET(OPT_INIT_ONLY_ID) ? 
NULL : active_name, + kp[keyslot_old].password, kp[keyslot_old].passwordLen, + keyslot_old, kp[keyslot_old].new, cipher, mode, ¶ms); +out: + crypt_safe_free(vk); + if (kp) { + for (i = 0; i < kp_size; i++) { + crypt_safe_free(kp[i].password); + if (r < 0 && kp[i].new >= 0 && kp[i].new != (int)i && + crypt_reencrypt_status(cd, NULL) == CRYPT_REENCRYPT_NONE && + crypt_keyslot_destroy(cd, kp[i].new)) + log_dbg("Failed to remove keyslot %d with unbound key.", kp[i].new); + } + free(kp); + } + free(active_name); + return r; +} + +static int reencrypt_luks2_resume(struct crypt_device *cd) +{ + int r; + char *backing_file = NULL; + struct tools_progress_params prog_parms = { + .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nReencryption interrupted."), + .device = tools_get_device_name(crypt_get_device_name(cd), &backing_file) + }; + + if (ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID) && !ARG_SET(OPT_BATCH_MODE_ID)) + log_std(_("Resuming LUKS reencryption in forced offline mode.\n")); + + set_int_handler(0); + r = crypt_reencrypt_run(cd, tools_progress, &prog_parms); + free(backing_file); + return r; +} + +static int check_broken_luks_signature(const char *device) +{ + int r; + size_t count; + + r = tools_detect_signatures(device, PRB_ONLY_LUKS, &count, ARG_SET(OPT_BATCH_MODE_ID)); + if (r < 0) + return -EINVAL; + if (count) { + log_err(_("Device %s contains broken LUKS metadata. Aborting operation."), device); + return -EINVAL; + } + + return 0; +} + +static int _encrypt(struct crypt_device *cd, const char *type, enum device_status_info dev_st, int action_argc, const char **action_argv) +{ + const char *device_ptr; + enum device_status_info data_dev_st; + struct stat st; + struct crypt_device *encrypt_cd = NULL; + int r = -EINVAL; + + if (dev_st == DEVICE_LUKS2 || dev_st == DEVICE_LUKS1) { + log_err(_("Device %s is already LUKS device. 
Aborting operation."), + uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); + return -EINVAL; + } + + if (dev_st == DEVICE_NOT_LUKS && + (!ARG_SET(OPT_HEADER_ID) || !stat(ARG_STR(OPT_HEADER_ID), &st))) { + device_ptr = ARG_SET(OPT_HEADER_ID) ? ARG_STR(OPT_HEADER_ID) : action_argv[0]; + r = check_broken_luks_signature(device_ptr); + if (r < 0) + return r; + } + + /* check data device type/state */ + if (ARG_SET(OPT_HEADER_ID)) { + device_ptr = cd ? crypt_get_device_name(cd) : action_argv[0]; + data_dev_st = check_luks_device(device_ptr); + + if (data_dev_st == DEVICE_INVALID) + return -EINVAL; + + if (data_dev_st == DEVICE_LUKS2 || data_dev_st == DEVICE_LUKS1) { + log_err(_("Device %s is already LUKS device. Aborting operation."), + device_ptr); + return -EINVAL; + } + + if (data_dev_st == DEVICE_LUKS2_REENCRYPT || data_dev_st == DEVICE_LUKS1_UNUSABLE) { + log_err(_("Device %s is already in LUKS reencryption. Aborting operation."), + device_ptr); + return -EINVAL; + } + + r = check_broken_luks_signature(device_ptr); + if (r < 0) + return r; + } + + if (!type) + type = crypt_get_default_type(); + + if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) { + r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]); + if (r < 0) + return r; + if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) { + log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); + return -ENOTSUP; + } + return reencrypt_luks1(action_argv[0]); + } else if (dev_st == DEVICE_NOT_LUKS) { + r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? 
action_argv[1] : NULL); + if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) { + crypt_free(encrypt_cd); + return r; + } + cd = encrypt_cd; + dev_st = DEVICE_LUKS2_REENCRYPT; + } else if (dev_st == DEVICE_LUKS2_REENCRYPT && + (r = reencrypt_luks2_load(cd, action_argv[0])) < 0) + return r; + + if (dev_st != DEVICE_LUKS2_REENCRYPT) + return -EINVAL; + + r = reencrypt_luks2_resume(cd); + + crypt_free(encrypt_cd); + return r; +} + +static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, const char *data_device) +{ + int r; + struct stat st; + bool export_header = false; + + assert(cd); + + if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE) + return reencrypt_luks1(data_device); + + /* header file does not exist, try loading device type from data device */ + if (dev_st == DEVICE_NOT_LUKS && ARG_SET(OPT_HEADER_ID) && + (stat(ARG_STR(OPT_HEADER_ID), &st) < 0) && errno == ENOENT) { + if (ARG_SET(OPT_ACTIVE_NAME_ID)) + dev_st = load_luks2_by_name(cd, ARG_STR(OPT_ACTIVE_NAME_ID), NULL); + else + dev_st = load_luks(cd, NULL, uuid_or_device(data_device)); + + /* + * If data device is not LUKS2 report 'header is missing' error + * message user would get originally. 
+ */ + if (dev_st != DEVICE_LUKS2) { + log_err(_("Device %s does not exist or access denied."), + ARG_STR(OPT_HEADER_ID)); + return -EINVAL; + } + + export_header = true; + } + + if (dev_st == DEVICE_LUKS2_REENCRYPT) { + if ((r = reencrypt_luks2_load(*cd, data_device)) < 0) + return r; + } else if (dev_st == DEVICE_LUKS2) { + if (!ARG_SET(OPT_HEADER_ID)) { + log_err(_("LUKS2 decryption requires --header option.")); + return -EINVAL; + } + + if (export_header) + r = decrypt_luks2_datashift_init(cd, data_device, ARG_STR(OPT_HEADER_ID)); + else + r = decrypt_luks2_init(*cd, data_device); + + if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) + return r; + } else if (dev_st == DEVICE_NOT_LUKS) { + log_err(_("Device %s is not a valid LUKS device."), + ARG_STR(OPT_HEADER_ID) ?: uuid_or_device(data_device)); + return -EINVAL; + } + + r = reencrypt_luks2_resume(*cd); + return r; +} + +static int _reencrypt(struct crypt_device *cd, enum device_status_info dev_st, const char *data_device) +{ + int r; + + if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE) + return reencrypt_luks1(data_device); + else if (dev_st == DEVICE_LUKS2_REENCRYPT) { + if ((r = reencrypt_luks2_load(cd, data_device)) < 0) + return r; + } else if (dev_st == DEVICE_LUKS2) { + r = reencrypt_luks2_init(cd, data_device); + if (r < 0|| ARG_SET(OPT_INIT_ONLY_ID)) + return r; + } else + return -EINVAL; + + return reencrypt_luks2_resume(cd); +} + +int reencrypt(int action_argc, const char **action_argv) +{ + enum device_status_info dev_st; + int r = -EINVAL; + struct crypt_device *cd = NULL; + const char *type = luksType(device_type); + + if (action_argc < 1 && (!ARG_SET(OPT_ACTIVE_NAME_ID) || ARG_SET(OPT_ENCRYPT_ID))) { + log_err(_("Command requires device as argument.")); + return r; + } + + if (ARG_SET(OPT_ACTIVE_NAME_ID)) + dev_st = load_luks2_by_name(&cd, ARG_STR(OPT_ACTIVE_NAME_ID), ARG_STR(OPT_HEADER_ID)); + else + dev_st = load_luks(&cd, ARG_STR(OPT_HEADER_ID), uuid_or_device(action_argv[0])); + + if 
(dev_st == DEVICE_INVALID) + return r; + + if (dev_st == DEVICE_LUKS1 && isLUKS2(type)) { + log_err(_("Conflicting versions. Device %s is LUKS1."), + uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); + goto out; + } + + if (dev_st == DEVICE_LUKS1_UNUSABLE && isLUKS2(type)) { + log_err(_("Conflicting versions. Device %s is in LUKS1 reencryption."), + uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); + goto out; + } + + if (dev_st == DEVICE_LUKS2 && isLUKS1(type)) { + log_err(_("Conflicting versions. Device %s is LUKS2."), + uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); + goto out; + } + + if (dev_st == DEVICE_LUKS2_REENCRYPT && isLUKS1(type)) { + log_err(_("Conflicting versions. Device %s is in LUKS2 reencryption."), + uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0])); + goto out; + } + + if (dev_st == DEVICE_LUKS2_REENCRYPT && ARG_SET(OPT_INIT_ONLY_ID)) { + log_err(_("LUKS2 reencryption already initialized. Aborting operation.")); + r = -EINVAL; + goto out; + } + + if (ARG_SET(OPT_RESUME_ONLY_ID) && + (dev_st == DEVICE_LUKS2 || dev_st == DEVICE_LUKS1 || dev_st == DEVICE_NOT_LUKS)) { + log_err(_("Device reencryption not in progress.")); + r = -EINVAL; + goto out; + } + + if (ARG_SET(OPT_ENCRYPT_ID)) + r = _encrypt(cd, type, dev_st, action_argc, action_argv); + else if (ARG_SET(OPT_DECRYPT_ID)) + r = _decrypt(&cd, dev_st, action_argv[0]); + else + r = _reencrypt(cd, dev_st, action_argv[0]); + +out: + crypt_free(cd); + return r; +} diff --git a/src/cryptsetup_reencrypt.c b/src/utils_reencrypt_luks1.c similarity index 62% rename from src/cryptsetup_reencrypt.c rename to src/utils_reencrypt_luks1.c index 9904687..ae849c0 100644 --- a/src/cryptsetup_reencrypt.c +++ b/src/utils_reencrypt_luks1.c 
@@ -1,8 +1,8 @@ /* - * cryptsetup-reencrypt - crypt utility for offline re-encryption + * cryptsetup - LUKS1 utility for offline re-encryption * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz All rights reserved. + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -24,20 +24,15 @@ #include <uuid/uuid.h> #include "cryptsetup.h" -#include "cryptsetup_reencrypt_args.h" - -#define PACKAGE_REENC "cryptsetup-reencrypt" +#include "cryptsetup_args.h" +#include "utils_luks.h" #define NO_UUID "cafecafe-cafe-cafe-cafe-cafecafeeeee" -static const char **action_argv; +extern int64_t data_shift; -static const char *set_pbkdf = NULL; +#define MAX_SLOT 8 -static struct tools_log_params log_parms; - -#define MAX_SLOT 32 -#define MAX_TOKEN 32 struct reenc_ctx { char *device; char *device_header; @@ -50,13 +45,12 @@ struct reenc_ctx { uint64_t device_shift; uint64_t data_offset; - unsigned int stained:1; - unsigned int in_progress:1; + bool stained; + bool in_progress; enum { FORWARD = 0, BACKWARD = 1 } reencrypt_direction; enum { REENCRYPT = 0, ENCRYPT = 1, DECRYPT = 2 } reencrypt_mode; char header_file_org[PATH_MAX]; - char header_file_tmp[PATH_MAX]; char header_file_new[PATH_MAX]; char log_file[PATH_MAX]; @@ -85,11 +79,6 @@ typedef enum { CHECK_OPEN, } header_magic; -void tools_cleanup(void) -{ - tools_args_free(tool_core_args, ARRAY_SIZE(tool_core_args)); -} - static void _quiet_log(int level, const char *msg, void *usrptr) { if (!ARG_SET(OPT_DEBUG_ID)) 
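Review bot: The `extern int64_t data_shift;` line added after `#define NO_UUID` is a hand-written declaration in a .c file, so the compiler cannot check it against the real definition if that variable's type ever changes. The hunk already pulls in `cryptsetup_args.h` and `utils_luks.h`; the declaration would be safer in whichever shared header the defining file also includes (the definition is not visible in this diff). A mismatch on a value that the reencryption code divides by the sector size would be silent rather than a build error.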
@@ -113,58 +102,13 @@ static size_t pagesize(void) return r < 0 ? 4096 : (size_t)r; } -static const char *luksType(const char *type) -{ - if (type && !strcmp(type, "luks2")) - return CRYPT_LUKS2; - - if (type && !strcmp(type, "luks1")) - return CRYPT_LUKS1; - - if (!type || !strcmp(type, "luks")) - return crypt_get_default_type(); - - return NULL; -} - static const char *hdr_device(const struct reenc_ctx *rc) { return rc->device_header ?: rc->device; } -static int set_reencrypt_requirement(const struct reenc_ctx *rc) -{ - uint32_t reqs; - int r = -EINVAL; - struct crypt_device *cd = NULL; - struct crypt_params_integrity ip = { 0 }; - - if (crypt_init(&cd, hdr_device(rc)) || - crypt_load(cd, CRYPT_LUKS2, NULL) || - crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs)) - goto out; - - /* reencrypt already in-progress */ - if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { - log_err(_("Reencryption already in-progress.")); - goto out; - } - - /* raw integrity info is available since 2.0 */ - if (crypt_get_integrity_info(cd, &ip) || ip.tag_size) { - log_err(_("Reencryption of device with integrity profile is not supported.")); - r = -ENOTSUP; - goto out; - } - - r = crypt_persistent_flags_set(cd, CRYPT_FLAGS_REQUIREMENTS, reqs | CRYPT_REQUIREMENT_OFFLINE_REENCRYPT); -out: - crypt_free(cd); - return r; -} - /* Depends on the first two fields of LUKS1 header format, magic and version */ -static int device_check(struct reenc_ctx *rc, const char *device, header_magic set_magic) +static int device_check(struct reenc_ctx *rc, const char *device, header_magic set_magic, bool exclusive) { char *buf = NULL; int r, devfd; 
@@ -179,7 +123,7 @@ static int device_check(struct reenc_ctx *rc, const char *device, header_magic s } /* coverity[toctou] */ - devfd = open(device, O_RDWR | (S_ISBLK(st.st_mode) ? O_EXCL : 0)); + devfd = open(device, O_RDWR | ((S_ISBLK(st.st_mode) && exclusive) ? O_EXCL : 0)); /* lgtm[cpp/toctou-race-condition] */ if (devfd == -1) { if (errno == EBUSY) { log_err(_("Cannot exclusively open %s, device in use."), @@ -217,14 +161,9 @@ static int device_check(struct reenc_ctx *rc, const char *device, header_magic s log_verbose(_("Marking LUKS1 device %s unusable."), device); memcpy(buf, NOMAGIC, MAGIC_L); r = 0; - } else if (set_magic == MAKE_UNUSABLE && version == 2) { - log_verbose(_("Setting LUKS2 offline reencrypt flag on device %s."), device); - r = set_reencrypt_requirement(rc); - if (!r) - rc->stained = 1; } else if (set_magic == CHECK_UNUSABLE && version == 1) { r = memcmp(buf, NOMAGIC, MAGIC_L) ? -EINVAL : 0; - if (!r) + if (rc && !r) rc->device_uuid = strndup(&buf[0xa8], 40); goto out; } else @@ -238,8 +177,8 @@ static int device_check(struct reenc_ctx *rc, const char *device, header_magic s log_err(_("Cannot write device %s."), device); r = -EIO; } - if (s > 0 && set_magic == MAKE_UNUSABLE) - rc->stained = 1; + if (rc && s > 0 && set_magic == MAKE_UNUSABLE) + rc->stained = true; } if (r) log_dbg("LUKS signature check failed for %s.", device); 
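Review bot: The new `exclusive` flag lets device_check() open a block device `O_RDWR` without `O_EXCL`, yet the same function can go on to write the NOMAGIC marker in its MAKE_UNUSABLE branch, and nothing documents or enforces which callers may pass `false`. I would state the intended contract above the signature, for example `/* exclusive: request O_EXCL on block devices; must be true when set_magic is MAKE_UNUSABLE */` (to be confirmed by the author), or return -EINVAL for that combination. Every call visible in this diff passes `true`. The `coverity[toctou]` and `lgtm` markers also silence the check-then-open warning rather than remove it; an `fstat(devfd, &st)` after the open, compared with the mode examined earlier, would confirm the opened node is still the one that was checked. The function starts and ends outside this hunk.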
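Review bot: In the CHECK_UNUSABLE branch, `rc->device_uuid = strndup(&buf[0xa8], 40)` copies the UUID straight from the on-disk header, and the `rc &&` guard added here leaves two gaps: the result is not checked for NULL and the bytes are not validated as a UUID. A later hunk formats that string into working file names (`"LUKS-%s.new"` in initialize_context), so it should be restricted to UUID syntax before use. `<uuid/uuid.h>` is already included, so something like `if (!rc->device_uuid || uuid_parse(rc->device_uuid, uu)) r = -EINVAL;` with a local `uuid_t uu` would do. The function body continues outside the hunk.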
@@ -272,11 +211,12 @@ static int write_log(struct reenc_ctx *rc) ssize_t r; memset(rc->log_buf, 0, SECTOR_SIZE); - snprintf(rc->log_buf, SECTOR_SIZE, "# LUKS reencryption log, DO NOT EDIT OR DELETE.\n" - "version = %d\nUUID = %s\ndirection = %d\nmode = %d\n" - "offset = %" PRIu64 "\nshift = %" PRIu64 "\n# EOF\n", - 2, rc->device_uuid, rc->reencrypt_direction, rc->reencrypt_mode, - rc->device_offset, rc->device_shift); + if (snprintf(rc->log_buf, SECTOR_SIZE, "# LUKS reencryption log, DO NOT EDIT OR DELETE.\n" + "version = %d\nUUID = %s\ndirection = %d\nmode = %d\n" + "offset = %" PRIu64 "\nshift = %" PRIu64 "\n# EOF\n", + 2, rc->device_uuid, rc->reencrypt_direction, rc->reencrypt_mode, + rc->device_offset, rc->device_shift) < 0) + return -EINVAL; if (lseek(rc->log_fd, 0, SEEK_SET) == -1) return -EIO; @@ -379,7 +319,7 @@ static int open_log(struct reenc_ctx *rc) } else if (errno == EEXIST) { log_std(_("Log file %s exists, resuming reencryption.\n"), rc->log_file); rc->log_fd = open(rc->log_file, O_RDWR|flags); - rc->in_progress = 1; + rc->in_progress = true; } if (rc->log_fd == -1) @@ -423,7 +363,7 @@ static int activate_luks_headers(struct reenc_ctx *rc) return -EINVAL; if ((r = crypt_init_data_device(&cd, rc->header_file_org, rc->device)) || - (r = crypt_load(cd, CRYPT_LUKS, NULL))) + (r = crypt_load(cd, CRYPT_LUKS1, NULL))) goto out; log_verbose(_("Activating temporary device using old LUKS header.")); @@ -433,7 +373,7 @@ static int activate_luks_headers(struct reenc_ctx *rc) goto out; if ((r = crypt_init_data_device(&cd_new, rc->header_file_new, rc->device)) || - (r = crypt_load(cd_new, CRYPT_LUKS, NULL))) + (r = crypt_load(cd_new, CRYPT_LUKS1, NULL))) goto out; log_verbose(_("Activating temporary device using new LUKS header.")); 
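Review bot: The new `snprintf(...) < 0` test in write_log() catches an encoding error but not truncation, which snprintf reports by returning SECTOR_SIZE or more. A truncated log would lose the trailing `# EOF` line and possibly the offset fields that resume depends on. Storing the return value and testing both, `if (n < 0 || (size_t)n >= SECTOR_SIZE) return -EINVAL;`, closes that. With the fields shown the text appears to stay well under one sector, so this is hardening rather than a live bug. The same `< 0`-only check is used for the header file names in initialize_context.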
@@ -450,32 +390,6 @@ out: return r; } -static int set_pbkdf_params(struct crypt_device *cd, const char *dev_type) -{ - const struct crypt_pbkdf_type *pbkdf_default; - struct crypt_pbkdf_type pbkdf = {}; - - pbkdf_default = crypt_get_pbkdf_default(dev_type); - if (!pbkdf_default) - return -EINVAL; - - pbkdf.type = set_pbkdf ?: pbkdf_default->type; - pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash; - pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms; - if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) { - pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb; - pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads; - } - - if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) { - pbkdf.iterations = ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID); - pbkdf.time_ms = 0; - pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK; - } - - return crypt_set_pbkdf_type(cd, &pbkdf); -} - static int create_new_keyslot(struct reenc_ctx *rc, int keyslot, struct crypt_device *cd_old, struct crypt_device *cd_new) @@ -509,7 +423,6 @@ static int create_new_header(struct reenc_ctx *rc, struct crypt_device *cd_old, const char *cipher, const char *cipher_mode, const char *uuid, const char *key, int key_size, - const char *type, uint64_t metadata_size, uint64_t keyslots_size, void *params) @@ -525,7 +438,7 @@ static int create_new_header(struct reenc_ctx *rc, struct crypt_device *cd_old, else if (ARG_SET(OPT_USE_URANDOM_ID)) crypt_set_rng_type(cd_new, CRYPT_RNG_URANDOM); - r = set_pbkdf_params(cd_new, type); + r = set_pbkdf_params(cd_new, CRYPT_LUKS1); if (r) { log_err(_("Failed to set pbkdf parameters.")); goto out; 
@@ -543,13 +456,13 @@ static int create_new_header(struct reenc_ctx *rc, struct crypt_device *cd_old, goto out; } - r = crypt_format(cd_new, type, cipher, cipher_mode, uuid, key, key_size, params); + r = crypt_format(cd_new, CRYPT_LUKS1, cipher, cipher_mode, uuid, key, key_size, params); check_signal(&r); if (r < 0) goto out; log_verbose(_("New LUKS header for device %s created."), rc->device); - for (i = 0; i < crypt_keyslot_max(type); i++) { + for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) { if (!rc->p[i].password) continue; 
@@ -565,97 +478,10 @@ out: return r; } -static int isLUKS2(const char *type) -{ - return (type && !strcmp(type, CRYPT_LUKS2)); -} - -static int luks2_metadata_copy(struct reenc_ctx *rc) -{ - const char *json, *type; - crypt_token_info ti; - uint32_t flags; - int i, r = -EINVAL; - struct crypt_device *cd_old = NULL, *cd_new = NULL; - - if (crypt_init(&cd_old, rc->header_file_tmp) || - crypt_load(cd_old, CRYPT_LUKS2, NULL)) - goto out; - - if (crypt_init(&cd_new, rc->header_file_new) || - crypt_load(cd_new, CRYPT_LUKS2, NULL)) - goto out; - - /* - * we have to erase keyslots missing in new header so that we can - * transfer tokens from old header to new one - */ - for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) - if (!rc->p[i].password && crypt_keyslot_status(cd_old, i) == CRYPT_SLOT_ACTIVE) { - r = crypt_keyslot_destroy(cd_old, i); - if (r < 0) - goto out; - } - - for (i = 0; i < MAX_TOKEN; i++) { - ti = crypt_token_status(cd_old, i, &type); - switch (ti) { - case CRYPT_TOKEN_INVALID: - log_dbg("Internal error."); - r = -EINVAL; - goto out; - case CRYPT_TOKEN_INACTIVE: - break; - case CRYPT_TOKEN_INTERNAL_UNKNOWN: - log_err(_("This version of cryptsetup-reencrypt can't handle new internal token type %s."), type); - r = -EINVAL; - goto out; - case CRYPT_TOKEN_INTERNAL: - /* fallthrough */ - case CRYPT_TOKEN_EXTERNAL: - /* fallthrough */ - case CRYPT_TOKEN_EXTERNAL_UNKNOWN: - if (crypt_token_json_get(cd_old, i, &json) != i) { - log_dbg("Failed to get %s token (%d).", type, i); - r = -EINVAL; - goto out; - } - if (crypt_token_json_set(cd_new, i, json) != i) { - log_dbg("Failed to create %s token (%d).", type, i); - r = -EINVAL; - goto out; - } - } - } - - if ((r = crypt_persistent_flags_get(cd_old, CRYPT_FLAGS_ACTIVATION, &flags))) { - log_err(_("Failed to read activation flags from backup header.")); - goto out; - } - if ((r = crypt_persistent_flags_set(cd_new, CRYPT_FLAGS_ACTIVATION, flags))) { - log_err(_("Failed to write activation flags to new header.")); - 
goto out; - } - if ((r = crypt_persistent_flags_get(cd_old, CRYPT_FLAGS_REQUIREMENTS, &flags))) { - log_err(_("Failed to read requirements from backup header.")); - goto out; - } - if ((r = crypt_persistent_flags_set(cd_new, CRYPT_FLAGS_REQUIREMENTS, flags))) - log_err(_("Failed to read requirements from backup header.")); -out: - crypt_free(cd_old); - crypt_free(cd_new); - unlink(rc->header_file_tmp); - - return r; -} - static int backup_luks_headers(struct reenc_ctx *rc) { struct crypt_device *cd = NULL; struct crypt_params_luks1 params = {0}; - struct crypt_params_luks2 params2 = {0}; - struct stat st; char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; char *key = NULL; size_t key_size; @@ -665,21 +491,13 @@ static int backup_luks_headers(struct reenc_ctx *rc) log_dbg("Creating LUKS header backup for device %s.", hdr_device(rc)); if ((r = crypt_init(&cd, hdr_device(rc))) || - (r = crypt_load(cd, CRYPT_LUKS, NULL))) + (r = crypt_load(cd, CRYPT_LUKS1, NULL))) goto out; - if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org))) + if ((r = crypt_header_backup(cd, CRYPT_LUKS1, rc->header_file_org))) goto out; - if (isLUKS2(rc->type)) { - if ((r = crypt_header_backup(cd, CRYPT_LUKS2, rc->header_file_tmp))) - goto out; - if ((r = stat(rc->header_file_tmp, &st))) - goto out; - /* coverity[toctou] */ - if ((r = chmod(rc->header_file_tmp, st.st_mode | S_IWUSR))) - goto out; - } - log_verbose(_("%s header backup of device %s created."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", rc->device); + + log_verbose(_("%s header backup of device %s created."), "LUKS1", rc->device); /* For decrypt, new header will be fake one, so we are done here. */ if (rc->reencrypt_mode == DECRYPT) 
@@ -691,8 +509,7 @@ static int backup_luks_headers(struct reenc_ctx *rc) goto out; params.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH; - params2.data_device = params.data_device = rc->device; - params2.sector_size = crypt_get_sector_size(cd); + params.data_device = rc->device; if (ARG_SET(OPT_CIPHER_ID)) { r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID), cipher, NULL, cipher_mode); @@ -714,30 +531,24 @@ static int backup_luks_headers(struct reenc_ctx *rc) } r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen); - } else if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) { + } else if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { log_dbg("Loading new key from file."); - r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, key_size); + r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, key_size); } if (r < 0) goto out; - if (isLUKS2(crypt_get_type(cd)) && crypt_get_metadata_size(cd, &mdata_size, &keyslots_size)) - goto out; - r = create_new_header(rc, cd, ARG_SET(OPT_CIPHER_ID) ? cipher : crypt_get_cipher(cd), ARG_SET(OPT_CIPHER_ID) ? cipher_mode : crypt_get_cipher_mode(cd), crypt_get_uuid(cd), key, key_size, - rc->type, mdata_size, keyslots_size, - isLUKS2(rc->type) ? (void*)¶ms2 : (void*)¶ms); + (void*)¶ms); - if (!r && isLUKS2(rc->type)) - r = luks2_metadata_copy(rc); out: crypt_free(cd); crypt_safe_free(key); @@ -751,7 +562,6 @@ static int backup_fake_header(struct reenc_ctx *rc) { struct crypt_device *cd_new = NULL; struct crypt_params_luks1 params = {0}; - struct crypt_params_luks2 params2 = {0}; char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; const char *header_file_fake; int r; 
@@ -777,10 +587,8 @@ static int backup_fake_header(struct reenc_ctx *rc) return r; params.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH; - params2.data_alignment = params.data_alignment = 0; - params2.data_device = params.data_device = rc->device; - params2.sector_size = crypt_get_sector_size(NULL); - params2.pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS2); + params.data_alignment = 0; + params.data_device = rc->device; r = crypt_init(&cd_new, header_file_fake); if (r < 0) @@ -808,16 +616,15 @@ static int backup_fake_header(struct reenc_ctx *rc) if (r < 0) goto out; - params2.data_alignment = params.data_alignment = ROUND_SECTOR(ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID)); + params.data_alignment = ROUND_SECTOR(ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID)); r = create_new_header(rc, NULL, ARG_SET(OPT_CIPHER_ID) ? cipher : DEFAULT_LUKS1_CIPHER, ARG_SET(OPT_CIPHER_ID) ? cipher_mode : DEFAULT_LUKS1_MODE, NULL, NULL, ARG_UINT32(OPT_KEY_SIZE_ID) / 8, - rc->type, 0, 0, - isLUKS2(rc->type) ? (void*)¶ms2 : (void*)¶ms); + (void*)¶ms); out: crypt_free(cd_new); return r; @@ -851,7 +658,7 @@ static int restore_luks_header(struct reenc_ctx *rc) * For new encryption and new detached header in file just move it. * For existing file try to ensure we have preallocated space for restore. */ - if (ARG_SET(OPT_NEW_ID) && rc->device_header) { + if (ARG_SET(OPT_ENCRYPT_ID) && rc->device_header) { r = stat(rc->device_header, &st); if (r == -1) { r = rename(rc->header_file_new, rc->device_header); 
@@ -869,16 +676,16 @@ static int restore_luks_header(struct reenc_ctx *rc) r = crypt_init(&cd, hdr_device(rc)); if (r == 0) { - r = crypt_header_restore(cd, rc->type, rc->header_file_new); + r = crypt_header_restore(cd, CRYPT_LUKS1, rc->header_file_new); } crypt_free(cd); out: if (r) - log_err(_("Cannot restore %s header on device %s."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", hdr_device(rc)); + log_err(_("Cannot restore %s header on device %s."), "LUKS1", hdr_device(rc)); else { - log_verbose(_("%s header on device %s restored."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", hdr_device(rc)); - rc->stained = 0; + log_verbose(_("%s header on device %s restored."), "LUKS1", hdr_device(rc)); + rc->stained = false; } return r; } 
@@ -910,33 +717,40 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes) { ssize_t s1, s2; + int r = -EIO; + char *backing_file = NULL; struct tools_progress_params prog_parms = { .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), - .batch_mode = ARG_SET(OPT_BATCH_MODE_ID) + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nReencryption interrupted."), + .device = tools_get_device_name(rc->device, &backing_file) }; log_dbg("Reencrypting in forward direction."); - if (lseek64(fd_old, rc->device_offset, SEEK_SET) < 0 || - lseek64(fd_new, rc->device_offset, SEEK_SET) < 0) { + if (lseek(fd_old, rc->device_offset, SEEK_SET) < 0 || + lseek(fd_new, rc->device_offset, SEEK_SET) < 0) { log_err(_("Cannot seek to device offset.")); - return -EIO; + goto out; } rc->resume_bytes = *bytes = rc->device_offset; - tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms); + tools_progress(rc->device_size, *bytes, &prog_parms); if (write_log(rc) < 0) - return -EIO; + goto out; while (!quit && rc->device_offset < rc->device_size) { + if ((rc->device_size - rc->device_offset) < (uint64_t)block_size) + block_size = rc->device_size - rc->device_offset; s1 = read_buf(fd_old, buf, block_size); if (s1 < 0 || ((size_t)s1 != block_size && (rc->device_offset + s1) != rc->device_size)) { log_dbg("Read error, expecting %zu, got %zd.", block_size, s1); - return -EIO; + goto out; } /* If device_size is forced, never write more than limit */ 
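Review bot: Replacing `lseek64()` with `lseek()` makes the seeks in copy_data_forward() depend on `off_t` being 64 bits wide, because `rc->device_offset` (assigned as `(uint64_t)~0` elsewhere in this file) is passed through unchanged. If the build does not enable large-file support, which this diff does not show, offsets above 2 GiB would be truncated on 32-bit targets and data would land at the wrong position on the device. A compile-time check near the includes, `_Static_assert(sizeof(off_t) >= sizeof(uint64_t), "64-bit off_t required");`, would turn that into a build failure if the project's C level allows it. The same substitution is made in copy_data_backward() and zero_rest_of_device().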
@@ -947,34 +761,42 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new, if (s2 < 0) { log_dbg("Write error, expecting %zu, got %zd.", block_size, s2); - return -EIO; + goto out; } rc->device_offset += s1; if (ARG_SET(OPT_WRITE_LOG_ID) && write_log(rc) < 0) - return -EIO; + goto out; if (ARG_SET(OPT_USE_FSYNC_ID) && fsync(fd_new) < 0) { log_dbg("Write error, fsync."); - return -EIO; + goto out; } *bytes += (uint64_t)s2; - tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms); + tools_progress(rc->device_size, *bytes, &prog_parms); } - return quit ? -EAGAIN : 0; + r = 0; +out: + free(backing_file); + return quit ? -EAGAIN : r; } static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes) { ssize_t s1, s2, working_block; - off64_t working_offset; + off_t working_offset; + int r = -EIO; + char *backing_file = NULL; struct tools_progress_params prog_parms = { .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID), - .batch_mode = ARG_SET(OPT_BATCH_MODE_ID) + .batch_mode = ARG_SET(OPT_BATCH_MODE_ID), + .json_output = ARG_SET(OPT_PROGRESS_JSON_ID), + .interrupt_message = _("\nReencryption interrupted."), + .device = tools_get_device_name(rc->device, &backing_file) }; log_dbg("Reencrypting in backward direction."); @@ -988,13 +810,13 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new, *bytes = rc->resume_bytes; } - tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms); + tools_progress(rc->device_size, *bytes, &prog_parms); if (write_log(rc) < 0) - return -EIO; + goto out; /* dirty the device during ENCRYPT mode */ - rc->stained = 1; + rc->stained = true; while (!quit && rc->device_offset) { if (rc->device_offset < block_size) { 
@@ -1005,41 +827,44 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new, working_block = block_size; } - if (lseek64(fd_old, working_offset, SEEK_SET) < 0 || - lseek64(fd_new, working_offset, SEEK_SET) < 0) { + if (lseek(fd_old, working_offset, SEEK_SET) < 0 || + lseek(fd_new, working_offset, SEEK_SET) < 0) { log_err(_("Cannot seek to device offset.")); - return -EIO; + goto out; } s1 = read_buf(fd_old, buf, working_block); if (s1 < 0 || (s1 != working_block)) { log_dbg("Read error, expecting %zu, got %zd.", block_size, s1); - return -EIO; + goto out; } s2 = write(fd_new, buf, working_block); if (s2 < 0) { log_dbg("Write error, expecting %zu, got %zd.", block_size, s2); - return -EIO; + goto out; } rc->device_offset -= s1; if (ARG_SET(OPT_WRITE_LOG_ID) && write_log(rc) < 0) - return -EIO; + goto out; if (ARG_SET(OPT_USE_FSYNC_ID) && fsync(fd_new) < 0) { log_dbg("Write error, fsync."); - return -EIO; + goto out; } *bytes += (uint64_t)s2; - tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms); + tools_progress(rc->device_size, *bytes, &prog_parms); } - return quit ? -EAGAIN : 0; + r = 0; +out: + free(backing_file); + return quit ? -EAGAIN : r; } static void zero_rest_of_device(int fd, size_t block_size, void *buf, @@ -1049,7 +874,7 @@ static void zero_rest_of_device(int fd, size_t block_size, void *buf, log_dbg("Zeroing rest of device."); - if (lseek64(fd, offset, SEEK_SET) < 0) { + if (lseek(fd, offset, SEEK_SET) < 0) { log_dbg("Cannot seek to device offset."); return; } @@ -1160,9 +985,8 @@ static int initialize_uuid(struct reenc_ctx *rc) log_dbg("Initialising UUID."); - if (ARG_SET(OPT_NEW_ID)) { + if (ARG_SET(OPT_ENCRYPT_ID)) { rc->device_uuid = strdup(NO_UUID); - rc->type = luksType(ARG_STR(OPT_TYPE_ID)); return 0; } 
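Review bot: In copy_data_backward() only `s2 < 0` is treated as a write failure, so a short `write()` passes and `rc->device_offset -= s1` then records the whole block as done although part of it was never written. Since the error paths in this hunk are being reworked anyway, the test should be `if (s2 < 0 || s2 != working_block)`, mirroring the read check just above it. Both debug messages also print `block_size` where the length actually attempted was `working_block`. The function begins outside this hunk.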
@@ -1180,15 +1004,12 @@ static int initialize_uuid(struct reenc_ctx *rc) if ((r = crypt_init(&cd, hdr_device(rc)))) return r; crypt_set_log_callback(cd, _quiet_log, NULL); - r = crypt_load(cd, CRYPT_LUKS, NULL); + r = crypt_load(cd, CRYPT_LUKS1, NULL); if (!r) rc->device_uuid = strdup(crypt_get_uuid(cd)); else /* Reencryption already in progress - magic header? */ - r = device_check(rc, hdr_device(rc), CHECK_UNUSABLE); - - if (!r) - rc->type = isLUKS2(crypt_get_type(cd)) ? CRYPT_LUKS2 : CRYPT_LUKS1; + r = device_check(rc, hdr_device(rc), CHECK_UNUSABLE, true); crypt_free(cd); return r; @@ -1316,7 +1137,7 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device) } if ((r = crypt_init_data_device(&cd, device, rc->device)) || - (r = crypt_load(cd, CRYPT_LUKS, NULL))) { + (r = crypt_load(cd, CRYPT_LUKS1, NULL))) { crypt_free(cd); return r; } @@ -1333,7 +1154,7 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device) ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT || rc->reencrypt_mode == DECRYPT) { r = init_passphrase1(rc, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID), 1, 0); - } else for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++) { + } else for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) { snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i); r = init_passphrase1(rc, cd, msg, i, 1, 0); if (r == -ENOENT) { @@ -1352,13 +1173,11 @@ static int initialize_context(struct reenc_ctx *rc, const char *device) { log_dbg("Initialising reencryption context."); - rc->log_fd = -1; + memset(rc, 0, sizeof(*rc)); - /* FIXME: replace MAX_KEYSLOT with crypt_keyslot_max(CRYPT_LUKS2) */ - if (crypt_keyslot_max(CRYPT_LUKS2) > MAX_SLOT) { - log_dbg("Internal error"); - return -EINVAL; - } + rc->in_progress = false; + rc->stained = true; + rc->log_fd = -1; if (!(rc->device = strndup(device, PATH_MAX))) return -ENOMEM; 
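Review bot: initialize_context (hunk at -1352) drops the `crypt_keyslot_max(...) > MAX_SLOT` guard without a LUKS1 replacement, while initialize_passphrase now iterates `i < crypt_keyslot_max(CRYPT_LUKS1)` and destroy_context still cleans up `i < MAX_SLOT` entries. If `rc->p[]` is sized by MAX_SLOT (its declaration is outside this diff), nothing visible ties the two bounds together any more. I would keep the check for the LUKS1 limit, placed after the new `memset()` so that destroy_context never sees an uninitialised context: `if (crypt_keyslot_max(CRYPT_LUKS1) > MAX_SLOT) return -EINVAL;`. initialize_context continues past the end of this hunk.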
@@ -1366,7 +1185,7 @@ static int initialize_context(struct reenc_ctx *rc, const char *device) if (ARG_SET(OPT_HEADER_ID) && !(rc->device_header = strndup(ARG_STR(OPT_HEADER_ID), PATH_MAX))) return -ENOMEM; - if (device_check(rc, rc->device, CHECK_OPEN) < 0) + if (device_check(rc, rc->device, CHECK_OPEN, true) < 0) return -EINVAL; if (initialize_uuid(rc)) { @@ -1375,7 +1194,7 @@ static int initialize_context(struct reenc_ctx *rc, const char *device) } if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT && - ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(rc->type)) { + ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(CRYPT_LUKS1)) { log_err(_("Key slot is invalid.")); return -EINVAL; } @@ -1390,9 +1209,6 @@ static int initialize_context(struct reenc_ctx *rc, const char *device) if (snprintf(rc->header_file_new, PATH_MAX, "LUKS-%s.new", rc->device_uuid) < 0) return -ENOMEM; - if (snprintf(rc->header_file_tmp, PATH_MAX, - "LUKS-%s.tmp", rc->device_uuid) < 0) - return -ENOMEM; /* Paths to encrypted devices */ if (snprintf(rc->crypt_path_org, PATH_MAX, @@ -1423,7 +1239,7 @@ static int initialize_context(struct reenc_ctx *rc, const char *device) rc->device_offset = (uint64_t)~0; } - if (ARG_SET(OPT_NEW_ID)) + if (ARG_SET(OPT_ENCRYPT_ID)) rc->reencrypt_mode = ENCRYPT; else if (ARG_SET(OPT_DECRYPT_ID)) rc->reencrypt_mode = DECRYPT; @@ -1447,7 +1263,6 @@ static void destroy_context(struct reenc_ctx *rc) unlink(rc->log_file); unlink(rc->header_file_org); unlink(rc->header_file_new); - unlink(rc->header_file_tmp); } for (i = 0; i < MAX_SLOT; i++) 
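Review bot: The key-slot check in initialize_context (hunk at -1375) rejects only values `>= crypt_keyslot_max(CRYPT_LUKS1)`, so a negative slot other than CRYPT_ANY_SLOT passes here; the `main()` removed later in this diff also tested `ARG_INT32(OPT_KEY_SLOT_ID) < 0`. The slot number is later handed to init_passphrase1(), so unless the new caller validates it (not visible here) the lower bound should be checked locally: `(ARG_INT32(OPT_KEY_SLOT_ID) < 0 || ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(CRYPT_LUKS1))`. initialize_context starts and ends outside this hunk.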
@@ -1458,220 +1273,14 @@ static void destroy_context(struct reenc_ctx *rc) free(rc->device_uuid); } -static int luks2_change_pbkdf_params(struct reenc_ctx *rc) -{ - int i, r; - struct crypt_device *cd = NULL; - - if ((r = initialize_passphrase(rc, hdr_device(rc)))) - return r; - - if (crypt_init(&cd, hdr_device(rc)) || - crypt_load(cd, CRYPT_LUKS2, NULL)) { - r = -EINVAL; - goto out; - } - - if ((r = set_pbkdf_params(cd, CRYPT_LUKS2))) - goto out; - - log_dbg("LUKS2 keyslot pbkdf params change."); - - r = -EINVAL; - - for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) { - if (!rc->p[i].password) - continue; - if ((r = crypt_keyslot_change_by_passphrase(cd, i, i, - rc->p[i].password, rc->p[i].passwordLen, - rc->p[i].password, rc->p[i].passwordLen)) < 0) - goto out; - log_verbose(_("Changed pbkdf parameters in keyslot %i."), r); - r = 0; - } - - if (r) - goto out; - - /* see create_new_header */ - for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) - if (!rc->p[i].password) - (void)crypt_keyslot_destroy(cd, i); -out: - crypt_free(cd); - return r; -} - -static int run_reencrypt(const char *device) +int reencrypt_luks1(const char *device) { int r = -EINVAL; - static struct reenc_ctx rc = { - .stained = 1 - }; + struct reenc_ctx *rc; - set_int_handler(0); - - if (initialize_context(&rc, device)) - goto out; - - /* short-circuit LUKS2 keyslot parameters change */ - if (ARG_SET(OPT_KEEP_KEY_ID) && isLUKS2(rc.type)) { - r = luks2_change_pbkdf_params(&rc); - goto out; - } - - log_dbg("Running reencryption."); - - if (!rc.in_progress) { - if ((r = initialize_passphrase(&rc, hdr_device(&rc)))) - goto out; - - log_dbg("Storing backup of LUKS headers."); - if (rc.reencrypt_mode == ENCRYPT) { - /* Create fake header for existing device */ - if ((r = backup_fake_header(&rc))) - goto out; - } else { - if ((r = backup_luks_headers(&rc))) - goto out; - /* Create fake header for decrypted device */ - if (rc.reencrypt_mode == DECRYPT && - (r = backup_fake_header(&rc))) - goto out; 
- if ((r = device_check(&rc, hdr_device(&rc), MAKE_UNUSABLE))) - goto out; - } - } else { - if ((r = initialize_passphrase(&rc, ARG_SET(OPT_DECRYPT_ID) ? rc.header_file_org : rc.header_file_new))) - goto out; - } - - if (!ARG_SET(OPT_KEEP_KEY_ID)) { - log_dbg("Running data area reencryption."); - if ((r = activate_luks_headers(&rc))) - goto out; - - if ((r = copy_data(&rc))) - goto out; - } else - log_dbg("Keeping existing key, skipping data area reencryption."); - - // FIXME: fix error path above to not skip this - if (rc.reencrypt_mode != DECRYPT) - r = restore_luks_header(&rc); - else - rc.stained = 0; -out: - destroy_context(&rc); - return r; -} - -static void help(poptContext popt_context, - enum poptCallbackReason reason __attribute__((unused)), - struct poptOption *key, - const char *arg __attribute__((unused)), - void *data __attribute__((unused))) -{ - if (key->shortName == '?') { - log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION); - poptPrintHelp(popt_context, stdout, 0); - tools_cleanup(); - poptFreeContext(popt_context); - exit(EXIT_SUCCESS); - } else if (key->shortName == 'V') { - log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION); - tools_cleanup(); - poptFreeContext(popt_context); - exit(EXIT_SUCCESS); - } else - usage(popt_context, EXIT_SUCCESS, NULL, NULL); -} - -static bool needs_size_conversion(unsigned arg_id) -{ - return arg_id == OPT_DEVICE_SIZE_ID || arg_id == OPT_REDUCE_DEVICE_SIZE_ID; -} - -static void basic_options_cb(poptContext popt_context, - enum poptCallbackReason reason __attribute__((unused)), - struct poptOption *key, - const char *arg, - void *data __attribute__((unused))) -{ - tools_parse_arg_value(popt_context, tool_core_args[key->val].type, tool_core_args + key->val, arg, key->val, needs_size_conversion); - - /* special cases additional handling */ - switch (key->val) { - case OPT_DEBUG_ID: - log_parms.debug = true; - /* fall through */ - case OPT_VERBOSE_ID: - log_parms.verbose = true; - break; - case OPT_BLOCK_SIZE_ID: - if 
(ARG_UINT32(OPT_BLOCK_SIZE_ID) < 1 || ARG_UINT32(OPT_BLOCK_SIZE_ID) > 64) - usage(popt_context, EXIT_FAILURE, - _("Only values between 1 MiB and 64 MiB allowed for reencryption block size."), - poptGetInvocationName(popt_context)); - break; - case OPT_KEY_SIZE_ID: - if (ARG_UINT32(OPT_KEY_SIZE_ID) == 0) - usage(popt_context, EXIT_FAILURE, poptStrerror(POPT_ERROR_BADNUMBER), - poptGetInvocationName(popt_context)); - if (ARG_UINT32(OPT_KEY_SIZE_ID) % 8) - usage(popt_context, EXIT_FAILURE, - _("Key size must be a multiple of 8 bits"), - poptGetInvocationName(popt_context)); - break; - case OPT_REDUCE_DEVICE_SIZE_ID: - if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) > 64 * 1024 * 1024) - usage(popt_context, EXIT_FAILURE, _("Maximum device reduce size is 64 MiB."), - poptGetInvocationName(popt_context)); - if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) % SECTOR_SIZE) - usage(popt_context, EXIT_FAILURE, _("Reduce size must be multiple of 512 bytes sector."), - poptGetInvocationName(popt_context)); - break; - } -} - -int main(int argc, const char **argv) -{ - static struct poptOption popt_help_options[] = { - { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL }, - { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL }, - { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL }, - { "version",'V', POPT_ARG_NONE, NULL, 0, N_("Print package version"), NULL }, - POPT_TABLEEND - }; - static struct poptOption popt_basic_options[] = { - { NULL, '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL }, -#define ARG(A, B, C, D, E, F, G) { A, B, C, NULL, A ## _ID, D, E }, -#include "cryptsetup_reencrypt_arg_list.h" -#undef arg - POPT_TABLEEND - }; - static struct poptOption popt_options[] = { - { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL }, - { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_basic_options, 0, NULL, NULL }, - POPT_TABLEEND - }; - poptContext popt_context; - int r; - - crypt_set_log_callback(NULL, 
tool_log, &log_parms); - - setlocale(LC_ALL, ""); - bindtextdomain(PACKAGE, LOCALEDIR); - textdomain(PACKAGE); - - popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0); - poptSetOtherOptionHelp(popt_context, - _("[OPTION...] <device>")); - - while((r = poptGetNextOpt(popt_context)) > 0) ; - if (r < -1) - usage(popt_context, EXIT_FAILURE, poptStrerror(r), - poptBadOption(popt_context, POPT_BADOPTION_NOALIAS)); + rc = malloc(sizeof(*rc)); + if (!rc) + return -ENOMEM; if (!ARG_SET(OPT_BATCH_MODE_ID)) log_verbose(_("Reencryption will change: %s%s%s%s%s%s."), 
@@ -1679,68 +1288,67 @@ int main(int argc, const char **argv) (!ARG_SET(OPT_KEEP_KEY_ID) && ARG_SET(OPT_HASH_ID)) ? ", " : "", ARG_SET(OPT_HASH_ID) ? _("set hash to ") : "", ARG_STR(OPT_HASH_ID) ?: "", ARG_SET(OPT_CIPHER_ID) ? _(", set cipher to "): "", ARG_STR(OPT_CIPHER_ID) ?: ""); + /* FIXME: block all non pbkdf2 pkdfs */ - action_argv = poptGetArgs(popt_context); - if(!action_argv) - usage(popt_context, EXIT_FAILURE, _("Argument required."), - poptGetInvocationName(popt_context)); + set_int_handler(0); - if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID)) - usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."), - poptGetInvocationName(popt_context)); + if (initialize_context(rc, device)) + goto out; - if (ARG_SET(OPT_PBKDF_ID) && crypt_parse_pbkdf(ARG_STR(OPT_PBKDF_ID), &set_pbkdf)) - usage(popt_context, EXIT_FAILURE, - _("Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."), - poptGetInvocationName(popt_context)); + log_dbg("Running reencryption."); - if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID) && ARG_SET(OPT_ITER_TIME_ID)) - usage(popt_context, EXIT_FAILURE, - _("PBKDF forced iterations cannot be combined with iteration time option."), - poptGetInvocationName(popt_context)); + if (!rc->in_progress) { + if ((r = initialize_passphrase(rc, hdr_device(rc)))) + goto out; - if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT && - (ARG_INT32(OPT_KEY_SLOT_ID) < 0 || ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(CRYPT_LUKS2))) - usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID)) - usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_NEW_ID) && (!ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && !ARG_SET(OPT_HEADER_ID))) - usage(popt_context, EXIT_FAILURE, _("Option --new must be used together 
with --reduce-device-size or --header."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_KEEP_KEY_ID) && (ARG_SET(OPT_CIPHER_ID) || ARG_SET(OPT_NEW_ID) || ARG_SET(OPT_MASTER_KEY_FILE_ID))) - usage(popt_context, EXIT_FAILURE, _("Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_NEW_ID) && ARG_SET(OPT_DECRYPT_ID)) - usage(popt_context, EXIT_FAILURE, _("Option --new cannot be used together with --decrypt."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_DECRYPT_ID) && - (ARG_SET(OPT_CIPHER_ID) || ARG_SET(OPT_HASH_ID) || ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) || - ARG_SET(OPT_KEEP_KEY_ID) || ARG_SET(OPT_DEVICE_SIZE_ID))) - usage(popt_context, EXIT_FAILURE, _("Option --decrypt is incompatible with specified parameters."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_UUID_ID) && !ARG_SET(OPT_DECRYPT_ID)) - usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only together with --decrypt."), - poptGetInvocationName(popt_context)); - - if (!luksType(ARG_STR(OPT_TYPE_ID))) - usage(popt_context, EXIT_FAILURE, _("Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."), - poptGetInvocationName(popt_context)); - - if (ARG_SET(OPT_DEBUG_ID)) { - crypt_set_debug_level(CRYPT_DEBUG_ALL); - dbg_version_and_cmd(argc, argv); + log_dbg("Storing backup of LUKS headers."); + if (rc->reencrypt_mode == ENCRYPT) { + /* Create fake header for existing device */ + if ((r = backup_fake_header(rc))) + goto out; + } else { + if ((r = backup_luks_headers(rc))) + goto out; + /* Create fake header for decrypted device */ + if (rc->reencrypt_mode == DECRYPT && + (r = backup_fake_header(rc))) + goto out; + if ((r = device_check(rc, hdr_device(rc), MAKE_UNUSABLE, true))) + goto out; + } + } else { + if ((r = initialize_passphrase(rc, ARG_SET(OPT_DECRYPT_ID) ? 
rc->header_file_org : rc->header_file_new))) + goto out; } - r = run_reencrypt(action_argv[0]); - tools_cleanup(); - poptFreeContext(popt_context); - return translate_errno(r); + if (!ARG_SET(OPT_KEEP_KEY_ID)) { + log_dbg("Running data area reencryption."); + if ((r = activate_luks_headers(rc))) + goto out; + + if ((r = copy_data(rc))) + goto out; + } else + log_dbg("Keeping existing key, skipping data area reencryption."); + + // FIXME: fix error path above to not skip this + if (rc->reencrypt_mode != DECRYPT) + r = restore_luks_header(rc); + else + rc->stained = false; +out: + destroy_context(rc); + free(rc); + + return r; +} + +int reencrypt_luks1_in_progress(const char *device) +{ + struct stat st; + + if (stat(device, &st) || (size_t)st.st_size < pagesize()) + return -EINVAL; + + return device_check(NULL, device, CHECK_UNUSABLE, false); } diff --git a/src/utils_tools.c b/src/utils_tools.c index 01ca673..a0e2ebc 100644 --- a/src/utils_tools.c +++ b/src/utils_tools.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout <jana@saout.de> * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org> - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -22,7 +22,6 @@ */ #include "cryptsetup.h" -#include <math.h> #include <signal.h> /* interrupt handling */ 
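Review bot: reencrypt_luks1 (hunk at -1679) carries only a `/* FIXME: block all non pbkdf2 pkdfs */` comment, so a PBKDF choice other than PBKDF2 is not rejected in this function even though the LUKS1 format supports PBKDF2 only. The option checks that lived in the removed `main()` are gone from this file, and whether the new caller filters `OPT_PBKDF_ID` is not visible here. Rejecting the option at the top of the function, before anything is allocated or backed up, would turn the FIXME into an explicit failure: `if (ARG_SET(OPT_PBKDF_ID) && strcmp(ARG_STR(OPT_PBKDF_ID), CRYPT_KDF_PBKDF2)) return -EINVAL;`. The function starts in the previous hunk.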
@@ -367,105 +366,6 @@ int tools_string_to_size(const char *s, uint64_t *size) return 0; } -/* Time progress helper */ - -/* The difference in seconds between two times in "timeval" format. */ -static double time_diff(struct timeval *start, struct timeval *end) -{ - return (end->tv_sec - start->tv_sec) - + (end->tv_usec - start->tv_usec) / 1E6; -} - -static void tools_clear_line(void) -{ - /* vt100 code clear line */ - log_std("\33[2K\r"); -} - -static void tools_time_progress(uint64_t device_size, uint64_t bytes, struct tools_progress_params *parms) -{ - struct timeval now_time; - unsigned long long mbytes, eta; - double tdiff, uib, frequency; - int final = (bytes == device_size); - const char *eol, *ustr = ""; - - gettimeofday(&now_time, NULL); - if (parms->start_time.tv_sec == 0 && parms->start_time.tv_usec == 0) { - parms->start_time = now_time; - parms->end_time = now_time; - parms->start_offset = bytes; - return; - } - - if (parms->frequency) { - frequency = (double)parms->frequency; - eol = "\n"; - } else { - frequency = 0.5; - eol = ""; - } - - if (!final && time_diff(&parms->end_time, &now_time) < frequency) - return; - - parms->end_time = now_time; - - tdiff = time_diff(&parms->start_time, &parms->end_time); - if (!tdiff) - return; - - mbytes = bytes / 1024 / 1024; - uib = (double)(bytes - parms->start_offset) / tdiff; - - eta = (unsigned long long)(device_size / uib - tdiff); - - if (uib > 1073741824.0f) { - uib /= 1073741824.0f; - ustr = "Gi"; - } else if (uib > 1048576.0f) { - uib /= 1048576.0f; - ustr = "Mi"; - } else if (uib > 1024.0f) { - uib /= 1024.0f; - ustr = "Ki"; - } - - if (!parms->frequency) - tools_clear_line(); - if (final) - log_std("Finished, time %02llu:%02llu.%03llu, " - "%4llu MiB written, speed %5.1f %sB/s\n", - (unsigned long long)tdiff / 60, - (unsigned long long)tdiff % 60, - (unsigned long long)((tdiff - floor(tdiff)) * 1000.0), - mbytes, uib, ustr); - else - log_std("Progress: %5.1f%%, ETA %02llu:%02llu, " - "%4llu MiB written, 
speed %5.1f %sB/s%s", - (double)bytes / device_size * 100, - eta / 60, eta % 60, mbytes, uib, ustr, eol); - fflush(stdout); -} - -int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr) -{ - int r = 0; - struct tools_progress_params *parms = (struct tools_progress_params *)usrptr; - - if (parms && !parms->batch_mode) - tools_time_progress(size, offset, parms); - - check_signal(&r); - if (r) { - if (!parms || !parms->frequency) - tools_clear_line(); - log_err(_("\nWipe interrupted.")); - } - - return r; -} - /* * Keyfile - is standard input treated as a binary file (no EOL handling). */ @@ -477,25 +377,7 @@ int tools_is_stdin(const char *key_file) return strcmp(key_file, "-") ? 0 : 1; } -int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr) -{ - int r = 0; - struct tools_progress_params *parms = (struct tools_progress_params *)usrptr; - - if (parms && !parms->batch_mode) - tools_time_progress(size, offset, parms); - - check_signal(&r); - if (r) { - if (!parms || !parms->frequency) - tools_clear_line(); - log_err(_("\nReencryption interrupted.")); - } - - return r; -} - -int tools_read_mk(const char *file, char **key, int keysize) +int tools_read_vk(const char *file, char **key, int keysize) { int fd = -1, r = -EINVAL; 
@@ -550,3 +432,37 @@ int tools_write_mk(const char *file, const char *key, int keysize) close(fd); return r; } + +void tools_package_version(const char *name, bool use_pwlibs) +{ + bool udev = false, blkid = false, keyring = false, fips = false; + bool kernel_capi = false, pwquality = false, passwdqc = false; +#ifdef USE_UDEV + udev = true; +#endif +#ifdef HAVE_BLKID + blkid = true; +#endif +#ifdef KERNEL_KEYRING + keyring = true; +#endif +#ifdef ENABLE_FIPS + fips = true; +#endif +#ifdef ENABLE_AF_ALG + kernel_capi = true; +#endif +#if defined(ENABLE_PWQUALITY) + pwquality = true; +#elif defined(ENABLE_PASSWDQC) + passwdqc = true; +#endif + log_std("%s %s flags: %s%s%s%s%s%s%s\n", name, PACKAGE_VERSION, + udev ? "UDEV " : "", + blkid ? "BLKID " : "", + keyring ? "KEYRING " : "", + fips ? "FIPS " : "", + kernel_capi ? "KERNEL_CAPI " : "", + pwquality && use_pwlibs ? "PWQUALITY " : "", + passwdqc && use_pwlibs ? "PASSWDQC " : ""); +} diff --git a/src/veritysetup.c b/src/veritysetup.c index 04fd996..8be81cc 100644 --- a/src/veritysetup.c +++ b/src/veritysetup.c @@ -1,8 +1,8 @@ /* * veritysetup - setup cryptographic volumes for dm-verity * - * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2021 Milan Broz + * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -184,6 +184,8 @@ static int _activate(const char *dm_device, activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS; if (ARG_SET(OPT_CHECK_AT_MOST_ONCE_ID)) activate_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE; + if (ARG_SET(OPT_USE_TASKLETS_ID)) + activate_flags |= CRYPT_ACTIVATE_TASKLETS; if (!ARG_SET(OPT_NO_SUPERBLOCK_ID)) { params.flags = flags; 
@@ -192,6 +194,9 @@ static int _activate(const char *dm_device, params.fec_device = ARG_STR(OPT_FEC_DEVICE_ID); params.fec_roots = ARG_UINT32(OPT_FEC_ROOTS_ID); r = crypt_load(cd, CRYPT_VERITY, ¶ms); + if (r) + log_err(_("Device %s is not a valid VERITY device."), hash_device); + } else { r = _prepare_format(¶ms, data_device, flags | CRYPT_VERITY_NO_HEADER); if (r < 0) @@ -246,7 +251,7 @@ static int _activate(const char *dm_device, goto out; } signature_size = st.st_size; - r = tools_read_mk(ARG_STR(OPT_ROOT_HASH_SIGNATURE_ID), &signature, signature_size); + r = tools_read_vk(ARG_STR(OPT_ROOT_HASH_SIGNATURE_ID), &signature, signature_size); if (r < 0) { log_err(_("Cannot read signature file %s."), ARG_STR(OPT_ROOT_HASH_SIGNATURE_ID)); goto out; @@ -332,7 +337,7 @@ static int action_status(void) struct stat st; char *backing_file, *root_hash; size_t root_hash_size; - unsigned i, path = 0; + unsigned path = 0; int r = 0; /* perhaps a path, not a dm device name */ @@ -385,8 +390,7 @@ static int action_status(void) log_std(" hash name: %s\n", vp.hash_name); log_std(" salt: "); if (vp.salt_size) - for(i = 0; i < vp.salt_size; i++) - log_std("%02hhx", (const char)vp.salt[i]); + crypt_log_hex(NULL, vp.salt, vp.salt_size, "", 0, NULL); else log_std("-"); log_std("\n"); @@ -424,8 +428,7 @@ static int action_status(void) r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash, &root_hash_size, NULL, 0); if (!r) { log_std(" root hash: "); - for (i = 0; i < root_hash_size; i++) - log_std("%02hhx", (const char)root_hash[i]); + crypt_log_hex(NULL, root_hash, root_hash_size, "", 0, NULL); log_std("\n"); } free(root_hash); 
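Review bot: In _activate (hunk at -246) `signature_size = st.st_size` is passed to `tools_read_vk()`, whose third parameter is `int keysize`, and no range check is visible in the hunk. An empty or very large file named by `OPT_ROOT_HASH_SIGNATURE_ID` would therefore be narrowed silently, and the size is sampled before the file is read, so the two can disagree if the file changes in between. A bound before the call makes the expectation explicit, e.g. `if (st.st_size <= 0 || st.st_size > INT_MAX) { r = -EINVAL; goto out; }`. _activate starts and ends outside this hunk.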
@@ -435,13 +438,15 @@ static int action_status(void) CRYPT_ACTIVATE_RESTART_ON_CORRUPTION| CRYPT_ACTIVATE_PANIC_ON_CORRUPTION| CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS| - CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE)) - log_std(" flags: %s%s%s%s%s\n", + CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE| + CRYPT_ACTIVATE_TASKLETS)) + log_std(" flags: %s%s%s%s%s%s\n", (cad.flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? "ignore_corruption " : "", (cad.flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? "restart_on_corruption " : "", (cad.flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? "panic_on_corruption " : "", (cad.flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? "ignore_zero_blocks " : "", - (cad.flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? "check_at_most_once" : ""); + (cad.flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? "check_at_most_once" : "", + (cad.flags & CRYPT_ACTIVATE_TASKLETS) ? "try_verify_in_tasklet" : ""); } out: crypt_free(cd); @@ -461,9 +466,15 @@ static int action_dump(void) params.hash_area_offset = ARG_UINT64(OPT_HASH_OFFSET_ID); params.fec_area_offset = ARG_UINT64(OPT_FEC_OFFSET_ID); + params.fec_device = ARG_STR(OPT_FEC_DEVICE_ID); + params.fec_roots = ARG_UINT32(OPT_FEC_ROOTS_ID); + r = crypt_load(cd, CRYPT_VERITY, ¶ms); if (!r) crypt_dump(cd); + else + log_err(_("Device %s is not a valid VERITY device."), action_argv[0]); + crypt_free(cd); return r; } @@ -493,7 +504,7 @@ static void help(poptContext popt_context, struct action_type *action; if (key->shortName == '?') { - log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION); + tools_package_version(PACKAGE_VERITY, false); poptPrintHelp(popt_context, stdout, 0); log_std(_("\n" "<action> is one of:\n")); @@ -516,7 +527,7 @@ static void help(poptContext popt_context, poptFreeContext(popt_context); exit(EXIT_SUCCESS); } else if (key->shortName == 'V') { - log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION); + tools_package_version(PACKAGE_VERITY, false); tools_cleanup(); poptFreeContext(popt_context); exit(EXIT_SUCCESS); 
@@ -567,7 +578,7 @@ int main(int argc, const char **argv) { NULL, '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL }, #define ARG(A, B, C, D, E, F, G, H) { A, B, C, NULL, A ## _ID, D, E }, #include "veritysetup_arg_list.h" -#undef arg +#undef ARG POPT_TABLEEND }; static struct poptOption popt_options[] = { @@ -634,7 +645,8 @@ int main(int argc, const char **argv) if (action_argc < action->required_action_argc) { char buf[128]; - snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc); + if (snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc) < 0) + buf[0] = '\0'; usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context)); } diff --git a/src/veritysetup_arg_list.h b/src/veritysetup_arg_list.h index 40e136b..014273e 100644 --- a/src/veritysetup_arg_list.h +++ b/src/veritysetup_arg_list.h @@ -1,8 +1,8 @@ /* * Veritysetup command line arguments list * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -63,6 +63,8 @@ ARG(OPT_ROOT_HASH_SIGNATURE, '\0', POPT_ARG_STRING, N_("Path to root hash signat ARG(OPT_SALT, 's', POPT_ARG_STRING, N_("Salt"), N_("hex string"), CRYPT_ARG_STRING, {}, {}) +ARG(OPT_USE_TASKLETS, '\0', POPT_ARG_NONE, N_("Use kernel tasklets for performance"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_TASKLETS_ACTIONS) + ARG(OPT_UUID, '\0', POPT_ARG_STRING, N_("UUID for device to use"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}, {}) diff --git a/src/veritysetup_args.h b/src/veritysetup_args.h index 2dd3813..d47813d 100644 --- a/src/veritysetup_args.h +++ b/src/veritysetup_args.h 
@@ -1,8 +1,8 @@ /* * Command line arguments helpers * - * Copyright (C) 2020-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2021 Ondrej Kozina + * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -39,6 +39,7 @@ #define OPT_PANIC_ON_CORRUPTION_ACTIONS { OPEN_ACTION } #define OPT_ROOT_HASH_FILE_ACTIONS { FORMAT_ACTION, OPEN_ACTION, VERIFY_ACTION } #define OPT_ROOT_HASH_SIGNATURE_ACTIONS { OPEN_ACTION } +#define OPT_USE_TASKLETS_ACTIONS { OPEN_ACTION } enum { OPT_UNUSED_ID = 0, diff --git a/tests/00modules-test b/tests/00modules-test index 10f52cc..f816b80 100755 --- a/tests/00modules-test +++ b/tests/00modules-test @@ -28,7 +28,6 @@ free -m pversion cryptsetup pversion veritysetup pversion integritysetup -pversion cryptsetup-reencrypt [ -x $CRYPTSETUP_PATH/cryptsetup ] && { echo -e "Cryptsetup defaults:" diff --git a/tests/Makefile.am b/tests/Makefile.am index da974cc..c8a46a8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -1,7 +1,7 @@ TESTS = 00modules-test \ api-test \ api-test-2 \ - compat-test-args \ + compat-args-test \ compat-test \ compat-test2 \ loopaes-test \ 
@@ -18,43 +18,55 @@ TESTS = 00modules-test \ luks2-validation-test \ luks2-integrity-test \ vectors-test \ - blockwise-compat \ + blockwise-compat-test \ bitlk-compat-test \ - run-all-symbols + fvault2-compat-test \ + run-all-symbols \ + unit-utils-crypt-test \ + unit-wipe-test \ + reencryption-compat-test \ + luks2-reencryption-test \ + luks2-reencryption-mangle-test if VERITYSETUP TESTS += verity-compat-test endif -if REENCRYPT -TESTS += reencryption-compat-test reencryption-compat-test2 luks2-reencryption-test luks2-reencryption-mangle-test -endif - if INTEGRITYSETUP TESTS += integrity-compat-test endif if SSHPLUGIN_TOKEN -TESTS += ssh-plugin-test +TESTS += ssh-test-plugin endif -ssh-plugin-test: fake_token_path.so +if EXTERNAL_TOKENS +TESTS += systemd-test-plugin +endif -fake_token_path.so: - $(CC) $(CFLAGS) -I $(top_srcdir)/lib -fPIC -shared \ +ssh-test-plugin: fake_token_path.so +systemd-test-plugin: fake_token_path.so fake_systemd_tpm_path.so + +# Do not use global CFLAGS here as the *.so link does not support sanitizers +fake_token_path.so: fake_token_path.c + $(CC) $(LDFLAGS) -I $(top_srcdir)/lib -fPIC -shared -D_GNU_SOURCE \ -Wl,--version-script=$(top_srcdir)/lib/libcryptsetup.sym \ -o fake_token_path.so $(top_srcdir)/tests/fake_token_path.c \ -DBUILD_DIR=\"$(abs_top_srcdir)/.libs/\" +fake_systemd_tpm_path.so: fake_systemd_tpm_path.c + $(CC) $(LDFLAGS) -fPIC -shared -D_GNU_SOURCE -o fake_systemd_tpm_path.so \ + $(top_srcdir)/tests/fake_systemd_tpm_path.c + EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ compatimage2.img.xz \ conversion_imgs.tar.xz \ luks2_keyslot_unassigned.img.xz \ img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz \ + xfs_512_block_size.img.xz \ valid_header_file.xz \ luks2_valid_hdr.img.xz \ - luks2_header_requirements.xz \ - luks2_header_requirements_free.xz \ + luks2_header_requirements.tar.xz \ luks2_mda_images.tar.xz \ evil_hdr-payload_overwrite.xz \ evil_hdr-stripes_payload_dmg.xz \ 
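Review bot: The `fake_token_path.so` rule still defines `-DBUILD_DIR=\"$(abs_top_srcdir)/.libs/\"`, which points at the source tree although libtool places `.libs` in the build tree. The rule now lists `fake_token_path.c` as a prerequisite and compiles it from `$(top_srcdir)`, which suggests out-of-tree builds are meant to work; in that case the test helper would redirect token loading to a directory that does not hold the freshly built plugins. If that reading is right, the define should be `-DBUILD_DIR=\"$(abs_top_builddir)/.libs/\"`. The comment explains why `$(CFLAGS)` is dropped, but a word on why `$(LDFLAGS)` alone is enough for a compile-and-link step would also help.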
@@ -64,13 +76,12 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ tcrypt-images.tar.xz \ luks1-images.tar.xz \ 00modules-test \ - compat-test-args \ + compat-args-test \ compat-test \ compat-test2 \ loopaes-test align-test discards-test mode-test password-hash-test \ align-test2 verity-compat-test \ reencryption-compat-test \ - reencryption-compat-test2 \ luks2-reencryption-test \ luks2-reencryption-mangle-test \ tcrypt-compat-test \ @@ -82,19 +93,24 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ keyring-compat-test \ integrity-compat-test \ cryptsetup-valg-supps valg.sh valg-api.sh \ - blockwise-compat \ + blockwise-compat-test \ blkid-luks2-pv.img.xz \ Makefile.localtest \ bitlk-compat-test \ bitlk-images.tar.xz \ - ssh-plugin-test \ + fvault2-compat-test \ + fvault2-images.tar.xz \ + ssh-test-plugin \ generate-symbols-list \ run-all-symbols \ - fake_token_path.c + fake_token_path.c \ + fake_systemd_tpm_path.c \ + unit-wipe-test \ + systemd-test-plugin -CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_token_path.so +CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_token_path.so fake_systemd_tpm_path.so clean-local: - -rm -rf tcrypt-images luks1-images luks2-images bitlk-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp + -rm -rf tcrypt-images luks1-images luks2-images bitlk-images fvault2-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp external-tokens differ_SOURCES = differ.c differ_CFLAGS = $(AM_CFLAGS) -Wall -O2 
@@ -123,6 +139,18 @@ unit_utils_io_LDFLAGS = $(AM_LDFLAGS) -static unit_utils_io_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/lib unit_utils_io_CPPFLAGS = $(AM_CPPFLAGS) -include config.h +unit_utils_crypt_test_SOURCES = unit-utils-crypt.c ../lib/utils_crypt.c ../lib/utils_crypt.h +unit_utils_crypt_test_LDADD = ../libcryptsetup.la +unit_utils_crypt_test_LDFLAGS = $(AM_LDFLAGS) -static +unit_utils_crypt_test_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/lib +unit_utils_crypt_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h + +unit_wipe_SOURCES = unit-wipe.c +unit_wipe_LDADD = ../libcryptsetup.la +unit_wipe_LDFLAGS = $(AM_LDFLAGS) -static +unit_wipe_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/lib +unit_wipe_CPPFLAGS = $(AM_CPPFLAGS) + BUILT_SOURCES = test-symbols-list.h test-symbols-list.h: $(top_srcdir)/lib/libcryptsetup.sym generate-symbols-list @@ -135,9 +163,9 @@ all_symbols_test_LDFLAGS = $(AM_LDFLAGS) -ldl all_symbols_test_CFLAGS = $(AM_CFLAGS) all_symbols_test_CPPFLAGS = $(AM_CPPFLAGS) -D_GNU_SOURCE -check_PROGRAMS = api-test api-test-2 differ vectors-test unit-utils-io all-symbols-test +check_PROGRAMS = api-test api-test-2 differ vectors-test unit-utils-io unit-utils-crypt-test unit-wipe all-symbols-test -check-programs: $(check_PROGRAMS) fake_token_path.so +check-programs: test-symbols-list.h $(check_PROGRAMS) fake_token_path.so fake_systemd_tpm_path.so conversion_imgs: @tar xJf conversion_imgs.tar.xz @@ -146,7 +174,7 @@ compatimage.img: @xz -k -d compatimage.img.xz valgrind-check: api-test api-test-2 differ - @VALG=1 ./compat-test-args + @VALG=1 ./compat-args-test @VALG=1 ./compat-test @VALG=1 ./compat-test2 @VALG=1 ./luks2-validation-test 
@@ -158,6 +186,21 @@ valgrind-check: api-test api-test-2 differ @VALG=1 ./luks2-reencryption-mangle-test @VALG=1 ./bitlk-compat-test @VALG=1 ./tcrypt-compat-test - @grep -l "ERROR SUMMARY: [^0] errors" valglog* || echo "No leaks detected." + @VALG=1 ./align-test + @VALG=1 ./align-test2 + @VALG=1 ./device-test + @VALG=1 ./discards-test + @VALG=1 ./keyring-compat-test + @VALG=1 ./loopaes-test + @VALG=1 ./luks1-compat-test + @VALG=1 ./luks2-integrity-test + @VALG=1 ./mode-test + @VALG=1 ./password-hash-test + @VALG=1 ./reencryption-compat-test + @VALG=1 ./fvault2-compat-test + @[ -z "$RUN_SSH_PLUGIN_TEST" ] || VALG=1 ./ssh-test-plugin + @INFOSTRING="unit-utils-crypt-test" ./valg-api.sh ./unit-utils-crypt-test + @INFOSTRING="vectors-test" ./valg-api.sh ./vectors-test + @grep -l "ERROR SUMMARY: [^0][0-9]* errors" valglog* || echo "No leaks detected." .PHONY: valgrind-check diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest index ec132ed..89ce2c3 100644 --- a/tests/Makefile.localtest +++ b/tests/Makefile.localtest 
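Review bot: The guard on the added line `@[ -z "$RUN_SSH_PLUGIN_TEST" ] || VALG=1 ./ssh-test-plugin` does not read the environment variable. Make expands `$R` itself, so unless a make variable `R` is set the shell sees `[ -z "UN_SSH_PLUGIN_TEST" ]`, which is always false, and the ssh plugin test runs under valgrind every time. Escape the dollar so the shell does the lookup: `@[ -z "$$RUN_SSH_PLUGIN_TEST" ] || VALG=1 ./ssh-test-plugin`. Separately, the closing `grep -l ... || echo "No leaks detected."` line exits 0 whether or not a log matches, so the target cannot fail on reported errors. The valgrind-check rule starts outside this hunk.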
@@ -1,11 +1,25 @@ # # Makefile to run tests with system binaries # USE: make -f Makefile.localtest tests CRYPTSETUP_PATH=/sbin +# (append TESTSUITE_NOSKIP=y to avoid treating skipped tests as success) # -CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH -CFLAGS=-O2 -g -Wall +CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING \ + -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH +CFLAGS=-O2 -g -Wall -D_GNU_SOURCE LDLIBS=-lcryptsetup -ldevmapper -TESTS=$(wildcard *-test *-test2) api-test api-test-2 all-symbols-test +TESTS=$(wildcard *-test *-test2) api-test api-test-2 all-symbols-test unit-utils-crypt-test +TESTS_UTILS=differ unit-utils-io unit-wipe + +ifneq ($(RUN_SSH_PLUGIN_TEST),) +TESTS += ssh-test-plugin +endif + +ifneq ($(RUN_SYSTEMD_PLUGIN_TEST),) +TESTS += systemd-test-plugin +TESTS_UTILS += fake_systemd_tpm_path.so +endif + +check-programs: $(TESTS_UTILS) $(TESTS) differ: differ.o $(CC) -o $@ $^ 
@@ -16,24 +30,37 @@ api-test: api-test.o test_utils.o api-test-2: api-test-2.o test_utils.o $(CC) -o $@ $^ $(LDLIBS) +unit-wipe: unit-wipe.o + $(CC) -o $@ $^ $(LDLIBS) + +unit-utils-io: unit-utils-io.o ../lib/utils_io.o + $(CC) -o $@ $^ + +unit-utils-crypt-test: unit-utils-crypt.o ../lib/utils_crypt.o + $(CC) -o $@ $^ $(LDLIBS) + test-symbols-list.h: generate-symbols-list ./generate-symbols-list ../lib/libcryptsetup.sym > test-symbols-list.h all-symbols-test.o: test-symbols-list.h - $(CC) -D_GNU_SOURCE -c $*.c + $(CC) -c $*.c all-symbols-test: all-symbols-test.o $(CC) -o $@ $^ -ldl -tests: differ $(TESTS) +fake_systemd_tpm_path.so: fake_systemd_tpm_path.c + $(CC) -fPIC -shared -D_GNU_SOURCE -o fake_systemd_tpm_path.so fake_systemd_tpm_path.c + +tests: $(TESTS_UTILS) $(TESTS) @for test in $(sort $(TESTS)); do \ echo [$$test]; \ ./$$test; \ - [ $$? -ne 77 -a $$? -ne 0 ] && exit 1; \ + [ $(if $(TESTSUITE_NOSKIP),,$$? -ne 77 -a) $$? -ne 0 ] && exit 1; \ true; \ done; clean: - rm -f *.o differ api-test api-test-2 all-symbols-test test-symbols-list.h + rm -f *.o $(TESTS_UTILS) api-test api-test-2 unit-utils-crypt-test \ + all-symbols-test test-symbols-list.h .PHONY: clean diff --git a/tests/align-test b/tests/align-test index 9ae606c..5941cde 100755 --- a/tests/align-test +++ b/tests/align-test @@ -10,11 +10,21 @@ PWD1="93R4P4pIqAH8" PWD2="mymJeD8ivEhE" FAST_PBKDF="--pbkdf-force-iterations 1000" +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] +} + cleanup() { udevadm settle >/dev/null 2>&1 if [ -d "$MNT_DIR" ] ; then - umount -f $MNT_DIR 2>/dev/null - rmdir $MNT_DIR 2>/dev/null + umount -f $MNT_DIR 2>/dev/null + rmdir $MNT_DIR 2>/dev/null fi [ -b /dev/mapper/$DEV_STACKED ] && dmsetup remove --retry $DEV_STACKED >/dev/null 2>&1 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1 
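Review bot: The explicit recipe for all-symbols-test.o, now `$(CC) -c $*.c`, passes neither `$(CPPFLAGS)` nor `$(CFLAGS)`, so the `-D_GNU_SOURCE` that this commit moves into CFLAGS in the previous hunk never reaches this compile. Unless all-symbols-test.c defines the macro itself (not visible here), the object is now built without it, and also without the `-I../lib/` include paths. I would write the recipe as `$(CC) $(CPPFLAGS) $(CFLAGS) -c $*.c`, or drop it and keep only the prerequisite line so the built-in rule applies. A feature-test macro also fits better in CPPFLAGS than in CFLAGS.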
@@ -40,6 +50,18 @@ skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + function dm_crypt_features() { VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) @@ -104,7 +126,7 @@ format() # key_bits expected [forced] [ $ALIGN -ne $2 ] && fail "Expected alignment differs: expected $2 != detected $ALIGN" # test some operation, just in case - echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV $FAST_PBKDF --key-slot 1 + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV $FAST_PBKDF --new-key-slot 1 [ $? -ne 0 ] && fail "Keyslot add failed." $CRYPTSETUP -q luksKillSlot $DEV 1 @@ -137,7 +159,7 @@ format_null() [ $POFF != $2 ] && fail "Expected data offset differs: expected $2 != detected $POFF" if [ -n "$4" ] ; then for j in 1 2 3 4 5 6 7 ; do - echo -e "\n" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF --key-slot $j -c null $PARAMS + echo -e "\n" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF --new-key-slot $j -c null $PARAMS echo -n $j [ $? -ne 0 ] && fail done @@ -173,6 +195,8 @@ format_plain_fail() # sector size fi } +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run if [ $(id -u) != 0 ]; then echo "WARNING: You must be root to run this test, test skipped." exit 77 
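Review bot: `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"` in valgrind_setup leaves a trailing colon when LD_LIBRARY_PATH is unset or empty, and the dynamic loader treats an empty entry as the current working directory. The script insists on running as root (the `id -u` check in a later hunk), so libraries could then be resolved from whatever directory the test was started in. `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids the empty entry. The same function is added to tests/align-test2 further down and needs the same change.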
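Review bot: In the format_null loop (hunk at -137,7), the status check after the changed luksAddKey line reads `$?` only after `echo -n $j`, so it tests the echo and never the cryptsetup call. A binary that rejects the renamed `--new-key-slot` option would therefore pass this loop unnoticed. Attach the check to the command itself, `echo -e "\n" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF --new-key-slot $j -c null $PARAMS || fail`, and print `$j` afterwards. format_null starts and ends outside the hunk.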
@@ -259,14 +283,11 @@ format_plain_fail 2048 format_plain_fail 4096 cleanup +# skip tests using empty passphrase (LUKS1 cipher_null) +if [ ! fips_mode ]; then echo "# Offset check: 512B sector drive" add_device dev_size_mb=16 sector_size=512 num_tgts=1 # |k| expO reqO expected slot offsets -format_null 64 2048 0 8:72:136:200:264:328:392:456 -format_null 64 520 1 -format_null 64 520 8 -format_null 64 640 128 -format_null 64 2048 2048 format_null 128 2048 0 8:136:264:392:520:648:776:904 format_null 128 1032 1 format_null 128 1032 8 @@ -286,11 +307,6 @@ cleanup echo "# Offset check: 4096B sector drive" add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64 -format_null 64 2048 0 8:72:136:200:264:328:392:456 -format_null 64 520 1 -format_null 64 520 8 -format_null 64 640 128 -format_null 64 2048 2048 format_null 128 2048 0 8:136:264:392:520:648:776:904 format_null 128 1032 1 format_null 128 1032 8 @@ -307,6 +323,7 @@ format_null 512 4040 8 format_null 512 4096 128 format_null 512 4096 2048 cleanup +fi echo "# Create enterprise-class 4K drive with fs and LUKS images." # loop device here presents 512 block but images have 4k block diff --git a/tests/align-test2 b/tests/align-test2 index 3db4aae..33126a4 100755 --- a/tests/align-test2 +++ b/tests/align-test2 @@ -5,16 +5,20 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup DEV="" DEV_STACKED="luks0xbabe" DEV_NAME="dummyalign" +HDR="test_luks2_hdr" MNT_DIR="./mnt_luks" PWD1="93R4P4pIqAH8" PWD2="mymJeD8ivEhE" FAST_PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + cleanup() { udevadm settle >/dev/null 2>&1 if [ -d "$MNT_DIR" ] ; then - umount -f $MNT_DIR 2>/dev/null - rmdir $MNT_DIR 2>/dev/null + umount -f $MNT_DIR 2>/dev/null + rmdir $MNT_DIR 2>/dev/null fi [ -b /dev/mapper/$DEV_STACKED ] && dmsetup remove --retry $DEV_STACKED >/dev/null 2>&1 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1 
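Review bot: `if [ ! fips_mode ]; then` does not call the fips_mode function added earlier in this file. Inside `[ ]` the word is just a non-empty string, so the negated test is always false. As a result the whole cipher_null offset block, down to the `fi` added two hunks below, is skipped on every host, not only when FIPS mode is enabled. `if ! fips_mode; then` runs the function and keeps these checks active on non-FIPS systems.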
@@ -22,6 +26,7 @@ cleanup() { sleep 1 rmmod scsi_debug >/dev/null 2>&1 sleep 1 + rm -f $HDR 2>/dev/null } fail() @@ -40,6 +45,18 @@ skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + function dm_crypt_features() { VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) @@ -58,7 +75,7 @@ function dm_crypt_features() [ $VER_MIN -lt 14 ] && return DM_PERF_CPU=1 - if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then + if [ $VER_MIN -ge 17 ]; then DM_SECTOR_SIZE=1 fi } @@ -120,7 +137,7 @@ format() # expected [forced] [encryption_sector_size] [ $ALIGN -ne $_exp ] && fail "Expected alignment differs: expected $_exp != detected $ALIGN" # test some operation, just in case - echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV $FAST_PBKDF --key-slot 1 + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV $FAST_PBKDF --new-key-slot 1 [ $? -ne 0 ] && fail "Keyslot add failed." $CRYPTSETUP -q luksKillSlot $DEV 1 
@@ -155,6 +172,43 @@ format_fail() # expected [forced] [encryption_sector_size] echo "PASSED" } +auto_sector() # expected device header +{ + local _exp=$1 + local _dev=$2 + local _hdr=$2 + local _hdrstr="" + local _hdrmsg="" + + if [ -n "$3" ]; then + _hdrstr="--header $3" + _hdr=$3 + _hdrmsg=" detached header" + fi + + echo -n "Formatting$_hdrmsg using optimal encryption sector size (expecting $_exp)..." + + if [ -z "$DM_SECTOR_SIZE" -a $_exp -ne 512 ]; then + echo "SKIPPED" + return + fi + + echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF --type luks2 $_hdrstr $_dev -q >/dev/null 2>&1 || fail + + # check the device can be activated + echo $PWD1 | $CRYPTSETUP luksOpen $_hdrstr $_dev $DEV_NAME || fail + $CRYPTSETUP close $DEV_NAME || fail + + SECTOR=$($CRYPTSETUP luksDump $_hdr | grep -A4 "0: crypt" | grep "sector:" | cut -d ' ' -f2) + + [ -z "$SECTOR" ] && fail + [ $SECTOR -ne $_exp ] && fail "Expected sector size differs: expected $_exp != detected $SECTOR" + + echo "PASSED" +} + +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run if [ $(id -u) != 0 ]; then echo "WARNING: You must be root to run this test, test skipped." exit 77 
@@ -369,3 +423,27 @@ for file in $(ls img_fs_*.img.xz) ; do umount $MNT_DIR done cleanup + +echo "# Create classic 512B drive" +echo "# (logical_block_size=512, physical_block_size=512, alignment_offset=0)" +add_device dev_size_mb=32 sector_size=512 num_tgts=1 +auto_sector 512 $DEV +auto_sector 512 $DEV $HDR +cleanup +echo "# Create desktop-class 4K drive" +echo "# (logical_block_size=512, physical_block_size=4096, alignment_offset=0)" +add_device dev_size_mb=32 sector_size=512 physblk_exp=3 num_tgts=1 +auto_sector 4096 $DEV +auto_sector 4096 $DEV $HDR +DEV2=$DEV +DEV=/dev/mapper/$DEV_STACKED +dmsetup create $DEV_STACKED --table "0 $((`blockdev --getsz $DEV2`-1)) linear $DEV2 0" +auto_sector 512 $DEV +auto_sector 512 $DEV $HDR +cleanup +echo "# Create enterprise-class 4K drive" +echo "# (logical_block_size=4096, physical_block_size=4096, alignment_offset=0)" +add_device dev_size_mb=32 sector_size=4096 num_tgts=1 opt_blks=64 +auto_sector 4096 $DEV +auto_sector 4096 $DEV $HDR +cleanup diff --git a/tests/all-symbols-test.c b/tests/all-symbols-test.c index adc5616..10c7fe2 100644 --- a/tests/all-symbols-test.c +++ b/tests/all-symbols-test.c @@ -1,7 +1,7 @@ /* * Test utility checking symbol versions in libcryptsetup. * - * Copyright (C) 2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2021-2023 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/tests/api-test-2.c b/tests/api-test-2.c index ce9a9a6..824ae65 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c 
@@ -1,9 +1,9 @@ /* * cryptsetup library LUKS2 API check functions * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -74,8 +74,8 @@ typedef int32_t key_serial_t; #define KEYFILE2 "key2.file" #define KEY2 "0123456789abcdef" -#define PASSPHRASE "blabla" -#define PASSPHRASE1 "albalb" +#define PASSPHRASE "blablabl" +#define PASSPHRASE1 "albalbal" #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc" @@ -107,15 +107,15 @@ typedef int32_t key_serial_t; #define CONV_L2_512_DET_FULL "l2_512b_det_full" #define CONV_L1_256_LEGACY "l1_256b_legacy_offset" #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable" -#define PASS0 "aaa" -#define PASS1 "hhh" -#define PASS2 "ccc" -#define PASS3 "ddd" -#define PASS4 "eee" -#define PASS5 "fff" -#define PASS6 "ggg" -#define PASS7 "bbb" -#define PASS8 "iii" +#define PASS0 "aaablabl" +#define PASS1 "hhhblabl" +#define PASS2 "cccblabl" +#define PASS3 "dddblabl" +#define PASS4 "eeeblabl" +#define PASS5 "fffblabl" +#define PASS6 "gggblabl" +#define PASS7 "bbbblabl" +#define PASS8 "iiiblabl" static int _fips_mode = 0; @@ -199,6 +199,11 @@ static int get_luks2_offsets(int metadata_device, struct crypt_device *cd = NULL; static uint64_t default_header_size = 0; + if (r_header_size) + *r_header_size = 0; + if (r_payload_offset) + *r_payload_offset = 0; + if (!default_header_size) { if (crypt_init(&cd, THE_LOOP_DEV)) return -EINVAL; 
@@ -382,8 +387,9 @@ static int _setup(void) return 1; } close(fd); - snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", - test_loop_file, TST_SECTOR_SIZE, TST_LOOP_FILE_SIZE); + if (snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", + test_loop_file, TST_SECTOR_SIZE, TST_LOOP_FILE_SIZE) < 0) + return 1; if (_system(cmd, 1)) return 1; @@ -399,14 +405,18 @@ static int _setup(void) return 1; } close(fd); - snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", - tmp_file_1, TST_SECTOR_SIZE, 10); + if (snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", + tmp_file_1, TST_SECTOR_SIZE, 10) < 0) + return 1; if (_system(cmd, 1)) return 1; _system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\"", 1); _system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\"", 1); + if (t_set_readahead(DEVICE_ERROR, 0)) + printf("cannot set read ahead on device %s\n", DEVICE_ERROR); + _system(" [ ! -e " IMAGE1 " ] && xz -dk " IMAGE1 ".xz", 1); fd = loop_attach(&DEVICE_1, IMAGE1, 0, 0, &ro); close(fd); @@ -419,11 +429,11 @@ static int _setup(void) _system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1); - _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1); + _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1); fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro); close(fd); - _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1); + _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1); fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro); close(fd); 
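Review bot: The added `snprintf(...) < 0` check in _setup catches only an output error, not truncation. A command line cut off at `sizeof(cmd)` would still be handed to `_system`, which presumably passes it to a shell. Keep the return value in an int and reject both cases, `if (r < 0 || (size_t)r >= sizeof(cmd)) return 1;`. The same applies to the second snprintf in the next hunk and to the `GE_(snprintf(...), 0)` wrappers added in UseTempVolumes and Luks2HeaderLoad. _setup starts and ends outside the hunk.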
@@ -699,10 +709,10 @@ static void AddDeviceLuks2(void) }; char key[128], key2[128], key3[128]; - const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(mk_hex) / 2; + const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size, r_size_1; @@ -714,8 +724,8 @@ static void AddDeviceLuks2(void) pbkdf.max_memory_kb = 0; } - crypt_decode_key(key, mk_hex, key_size); - crypt_decode_key(key3, mk_hex2, key_size); + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key3, vk_hex2, key_size); // init test devices OK_(get_luks2_offsets(0, 0, 0, &r_header_size, &r_payload_offset)); @@ -879,7 +889,7 @@ static void AddDeviceLuks2(void) FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); OK_(crypt_deactivate(cd, CDEVICE_1)); - FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); + EQ_(crypt_header_is_detached(cd), 1); CRYPT_FREE(cd); params.data_device = NULL; @@ -964,8 +974,7 @@ static void AddDeviceLuks2(void) OK_(!(global_lines != 0)); reset_log(); OK_(crypt_dump_json(cd, &tmp_buf, 0)); - OK_(!tmp_buf); - OK_(!(strlen(tmp_buf) != 0)); + OK_(!(tmp_buf && strlen(tmp_buf) != 0)); FAIL_(crypt_set_uuid(cd, "blah"), "wrong UUID format"); OK_(crypt_set_uuid(cd, DEVICE_TEST_UUID)); 
@@ -1047,9 +1056,8 @@ static void Luks2MetadataSize(void) }; char key[128], tmp[128]; - const char *passphrase = "blabla"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_header_size, default_mdata_size, default_keyslots_size, mdata_size, @@ -1063,7 +1071,7 @@ static void Luks2MetadataSize(void) pbkdf.iterations = 1000; } - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); // init test devices OK_(get_luks2_offsets(0, 0, 0, &r_header_size, NULL)); @@ -1094,7 +1102,7 @@ static void Luks2MetadataSize(void) OK_(crypt_init(&cd, DMDIR H_DEVICE)); OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000)); OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7); + EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7); CRYPT_FREE(cd); OK_(crypt_init(&cd, DMDIR H_DEVICE)); OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); @@ -1189,9 +1197,9 @@ static void UseTempVolumes(void) // Dirty checks: device without UUID // we should be able to remove it but not manipulate with it - snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" + GE_(snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 " - "%s 2048\"", CDEVICE_2, DEVICE_2); + "%s 2048\"", CDEVICE_2, DEVICE_2), 0); _system(tmp, 1); OK_(crypt_init_by_name(&cd, CDEVICE_2)); OK_(crypt_deactivate(cd, CDEVICE_2)); 
@@ -1199,10 +1207,10 @@ static void UseTempVolumes(void) CRYPT_FREE(cd); // Dirty checks: device with UUID but LUKS header key fingerprint must fail) - snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" + GE_(snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 " "%s 2048\" -u CRYPT-LUKS2-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-ctest1", - CDEVICE_2, DEVICE_2); + CDEVICE_2, DEVICE_2), 0); _system(tmp, 1); OK_(crypt_init_by_name(&cd, CDEVICE_2)); OK_(crypt_deactivate(cd, CDEVICE_2)); @@ -1232,7 +1240,7 @@ static void Luks2HeaderRestore(void) .sector_size = 512 }; struct crypt_params_plain pl_params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 @@ -1242,8 +1250,8 @@ static void Luks2HeaderRestore(void) }; uint32_t flags = 0; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset; @@ -1255,7 +1263,7 @@ static void Luks2HeaderRestore(void) pbkdf.max_memory_kb = 0; } - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); OK_(get_luks2_offsets(0, params.data_alignment, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000)); 
@@ -1337,15 +1345,15 @@ static void Luks2HeaderLoad(void) .sector_size = 512 }; struct crypt_params_plain pl_params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 }; char key[128], cmd[256]; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size, img_size; @@ -1357,7 +1365,7 @@ static void Luks2HeaderLoad(void) pbkdf.max_memory_kb = 0; } - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); // hardcoded values for existing image IMAGE1 img_size = 8192; @@ -1368,7 +1376,8 @@ static void Luks2HeaderLoad(void) // prepared header on a device too small to contain header and payload //OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1)); OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, img_size - 1)); - snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, img_size - 1); + GE_(snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 + " count=%" PRIu64 " 2>/dev/null", params.sector_size, img_size - 1), 0); OK_(_system(cmd, 1)); // some device OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000)); @@ -1476,8 +1485,8 @@ static void Luks2HeaderBackup(void) char key[128]; int fd, ro = O_RDONLY; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset; 
@@ -1491,7 +1500,7 @@ static void Luks2HeaderBackup(void) pbkdf.max_memory_kb = 0; } - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); OK_(get_luks2_offsets(1, params.data_alignment, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); @@ -1573,10 +1582,10 @@ static void ResizeDeviceLuks2(void) }; char key[128]; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; - const char *cipher = "aes"; - const char *cipher_mode = "cbc-essiv:sha256"; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; + const char *cipher = "aes", *capi_cipher = "capi:cbc(aes)"; + const char *cipher_mode = "cbc-essiv:sha256", *capi_cipher_mode = "essiv:sha256"; uint64_t r_payload_offset, r_header_size, r_size; /* Cannot use Argon2 in FIPS */ @@ -1586,7 +1595,7 @@ static void ResizeDeviceLuks2(void) pbkdf.max_memory_kb = 0; } - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); // prepare env OK_(get_luks2_offsets(0, params.data_alignment, 0, NULL, &r_payload_offset)); @@ -1718,6 +1727,18 @@ static void ResizeDeviceLuks2(void) OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); + if (t_dm_capi_string_supported()) { + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_format(cd, CRYPT_LUKS2, capi_cipher, capi_cipher_mode, NULL, key, key_size, NULL)); + OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)); + OK_(crypt_resize(cd, CDEVICE_1, 8)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(8, r_size >> TST_SECTOR_SHIFT); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + } + _cleanup_dmdevices(); } 
@@ -1734,7 +1755,7 @@ static void TokenActivationByKeyring(void) .key_description = KEY_DESC_TEST0 }, params2 = { .key_description = KEY_DESC_TEST1 - }; + }, params_invalid = {}; uint64_t r_payload_offset; if (!t_dm_crypt_keyring_support()) { @@ -1753,6 +1774,7 @@ static void TokenActivationByKeyring(void) OK_(set_fast_pbkdf(cd)); OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); + FAIL_(crypt_token_luks2_keyring_set(cd, CRYPT_ANY_TOKEN, ¶ms_invalid), "Invalid key description property."); EQ_(crypt_token_luks2_keyring_set(cd, 3, ¶ms), 3); EQ_(crypt_token_assign_keyslot(cd, 3, 0), 3); CRYPT_FREE(cd); @@ -1910,6 +1932,7 @@ static void Tokens(void) const char *cipher_mode = "xts-plain64"; char passptr[] = PASSPHRASE; char passptr1[] = PASSPHRASE1; + struct crypt_active_device cad; static const crypt_token_handler th = { .name = "test_token", @@ -2121,6 +2144,13 @@ static void Tokens(void) EQ_(crypt_activate_by_token_pin(cd, NULL, "test_token", 11, NULL, 0, passptr, 0), -ENOENT); EQ_(crypt_activate_by_token_pin(cd, NULL, "test_token", 11, NULL, 0, passptr, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -ENOENT); + // test crypt_resume_by_token_pin + EQ_(crypt_activate_by_token_pin(cd, CDEVICE_1, "test_token", CRYPT_ANY_TOKEN, NULL, 0, passptr, 0), 5); + OK_(crypt_suspend(cd, CDEVICE_1)); + EQ_(crypt_resume_by_token_pin(cd, CDEVICE_1, "test_token", CRYPT_ANY_TOKEN, NULL, 0, passptr), 5); + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(0, cad.flags & CRYPT_ACTIVATE_SUSPENDED); + OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); EQ_(crypt_token_max(CRYPT_LUKS2), 32); @@ -2142,7 +2172,7 @@ static void LuksConvert(void) .parallel_threads = 1 }, pbkdf2 = { .type = CRYPT_KDF_PBKDF2, - .hash = "sha1", + .hash = "sha256", .time_ms = 1 }; 
@@ -2675,7 +2705,7 @@ static void Pbkdf(void) .hash = default_luks1_hash }; struct crypt_params_plain params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 @@ -2874,11 +2904,11 @@ static void Pbkdf(void) pbkdf2.time_ms = 9; pbkdf2.hash = NULL; FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2"); - pbkdf2.hash = "sha1"; + pbkdf2.hash = "sha256"; OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); argon2.time_ms = 9; - argon2.hash = "sha1"; // will be ignored + argon2.hash = "sha256"; // will be ignored OK_(crypt_set_pbkdf_type(cd, &argon2)); argon2.hash = NULL; OK_(crypt_set_pbkdf_type(cd, &argon2)); @@ -2908,9 +2938,9 @@ static void Luks2KeyslotAdd(void) { char key[128], key2[128], key_ret[128]; const char *cipher = "aes", *cipher_mode="xts-plain64"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_ret_len, key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_ret_len, key_size = strlen(vk_hex) / 2; uint64_t r_payload_offset; struct crypt_pbkdf_type pbkdf = { .type = "argon2i", @@ -2925,8 +2955,8 @@ static void Luks2KeyslotAdd(void) .sector_size = TST_SECTOR_SIZE }; - crypt_decode_key(key, mk_hex, key_size); - crypt_decode_key(key2, mk_hex2, key_size); + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key2, vk_hex2, key_size); /* Cannot use Argon2 in FIPS */ if (_fips_mode) { 
@@ -3047,13 +3077,13 @@ static void Luks2KeyslotParams(void) char key[128], key2[128]; const char *cipher = "aes", *cipher_mode="xts-plain64"; const char *cipher_spec = "aes-xts-plain64", *cipher_keyslot = "aes-cbc-essiv:sha256"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size_ret, key_size = strlen(mk_hex) / 2, keyslot_key_size = 16; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size_ret, key_size = strlen(vk_hex) / 2, keyslot_key_size = 16; uint64_t r_payload_offset; - crypt_decode_key(key, mk_hex, key_size); - crypt_decode_key(key2, mk_hex2, key_size); + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key2, vk_hex2, key_size); OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE))); OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1))); @@ -3277,8 +3307,8 @@ static void Luks2Requirements(void) .key_description = KEY_DESC_TEST0 }; - OK_(prepare_keyfile(KEYFILE1, "aaa", 3)); - OK_(prepare_keyfile(KEYFILE2, "xxx", 3)); + OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE))); + OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1))); /* crypt_load (unrestricted) */ OK_(crypt_init(&cd, DEVICE_5)); 
@@ -3321,15 +3351,22 @@ static void Luks2Requirements(void) FAIL_((r = crypt_set_label(cd, "label", "subsystem")), "Unmet requirements detected"); EQ_(r, -ETXTBSY); + /* crypt_get_label (unrestricted) */ + NOTNULL_(crypt_get_label(cd)); + OK_(strcmp("", crypt_get_label(cd))); + /* crypt_get_subsystem (unrestricted) */ + NOTNULL_(crypt_get_subsystem(cd)); + OK_(strcmp("", crypt_get_subsystem(cd))); + /* crypt_repair (with current repair capabilities it's unrestricted) */ OK_(crypt_repair(cd, CRYPT_LUKS2, NULL)); /* crypt_keyslot_add_passphrase (restricted) */ - FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected"); + FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_keyslot_change_by_passphrase (restricted) */ - FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected"); + FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_keyslot_add_by_keyfile (restricted) */ 
@@ -3341,18 +3378,18 @@ static void Luks2Requirements(void) EQ_(r, -ETXTBSY); /* crypt_volume_key_get (unrestricted, but see below) */ - OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3)); + OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE))); /* crypt_keyslot_add_by_volume_key (restricted) */ - FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected"); + FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_keyslot_add_by_key (restricted) */ - FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected"); + FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_keyslot_add_by_key (restricted) */ - FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected"); + FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_persistent_flasgs_set (restricted) */ 
@@ -3361,13 +3398,13 @@ static void Luks2Requirements(void) /* crypt_persistent_flasgs_get (unrestricted) */ OK_(crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &flags)); - EQ_(flags, (uint32_t) CRYPT_REQUIREMENT_UNKNOWN); + EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN); /* crypt_activate_by_passphrase (restricted for activation only) */ - FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected"); + FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); - OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0)); - OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); + OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); + OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE); /* crypt_activate_by_keyfile (restricted for activation only) */ @@ -3384,7 +3421,7 @@ static void Luks2Requirements(void) #ifdef KERNEL_KEYRING if (t_dm_crypt_keyring_support()) { - kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING); + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); NOTFAIL_(kid, "Test or kernel keyring are broken."); /* crypt_activate_by_keyring (restricted for activation only) */ @@ -3392,6 +3429,8 @@ static void Luks2Requirements(void) EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL); OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0)); OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY)); + + NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); } #endif 
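Review bot: The `keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING)` added at the end of the `if (t_dm_crypt_keyring_support())` block in Luks2Requirements has no comment saying why the key is dropped, and the reason matters for the tests that follow. The later crypt_activate_by_token hunk now adds the same KEY_DESC_TEST0 key itself and unlinks it again, which suggests it previously passed on the key left behind here; a stale passphrase in the thread keyring can make a token test succeed for the wrong reason. I would add `/* unlink the test passphrase so later token tests cannot pass on a leftover key */` above the unlink, here and in that later hunk. If the check macros abort the function on failure (their definitions are not in these hunks), the unlink is skipped on that path, so it is worth confirming that the test teardown also clears the keyring.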
@@ -3477,10 +3516,15 @@ static void Luks2Requirements(void) /* crypt_activate_by_token (restricted for activation only) */ #ifdef KERNEL_KEYRING if (t_dm_crypt_keyring_support()) { + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); + NOTFAIL_(kid, "Test or kernel keyring are broken."); + FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent EQ_(r, -ETXTBSY); OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0)); OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY)); + + NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); } #endif OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset)); @@ -3492,7 +3536,7 @@ static void Luks2Requirements(void) CRYPT_FREE(cd); OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); OK_(crypt_load(cd, CRYPT_LUKS, NULL)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE)); /* replace header with no requirements */ OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); @@ -3530,7 +3574,7 @@ static void Luks2Requirements(void) OK_(crypt_init_by_name(&cd, CDEVICE_1)); /* crypt_resume_by_passphrase (restricted) */ - FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected"); + FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected"); EQ_(r, -ETXTBSY); /* crypt_resume_by_keyfile (restricted) */ 
@@ -3544,13 +3588,13 @@ static void Luks2Requirements(void) OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); OK_(crypt_init_by_name(&cd, CDEVICE_1)); - OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)); + OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))); CRYPT_FREE(cd); OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); OK_(crypt_init_by_name(&cd, CDEVICE_1)); /* load VK in keyring */ - OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); + OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); /* crypt_resize (restricted) */ FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected"); EQ_(r, -ETXTBSY); @@ -3586,7 +3630,6 @@ static void Luks2Integrity(void) .integrity = "hmac(sha256)" }; size_t key_size = 32 + 32; - const char *passphrase = "blabla"; const char *cipher = "aes"; const char *cipher_mode = "xts-random"; int ret; @@ -3600,8 +3643,8 @@ static void Luks2Integrity(void) return; } - EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7); - EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7); + EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7); GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE); CRYPT_FREE(cd); 
@@ -3631,17 +3674,17 @@ static void Luks2Refresh(void) uint64_t r_payload_offset; char key[128], key1[128]; const char *cipher = "aes", *mode = "xts-plain64"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c645be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb22158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c645be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb22158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; struct crypt_params_luks2 params = { .sector_size = 512, .integrity = "aead" }; struct crypt_active_device cad = {}; - crypt_decode_key(key, mk_hex, key_size); - crypt_decode_key(key1, mk_hex2, key_size); + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key1, vk_hex2, key_size); OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000)); 
@@ -3653,36 +3696,36 @@ static void Luks2Refresh(void) OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); OK_(set_fast_pbkdf(cd)); OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL)); - OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)); + OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE))); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); /* check we can refresh significant flags */ if (t_dm_crypt_discard_support()) { - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS)); cad.flags = 0; } if (t_dm_crypt_cpu_switch_support()) { - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT)); cad.flags = 0; - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); cad.flags = 0; - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); + 
OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); cad.flags = 0; } OK_(crypt_volume_key_keyring(cd, 0)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised."); cad.flags = 0; @@ -3690,7 +3733,7 @@ static void Luks2Refresh(void) #ifdef KERNEL_KEYRING if (t_dm_crypt_keyring_support()) { OK_(crypt_volume_key_keyring(cd, 1)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY)); cad.flags = 0; 
@@ -3699,26 +3742,26 @@ static void Luks2Refresh(void) /* multiple flags at once */ if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) { - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); cad.flags = 0; } /* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */ - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag."); cad.flags = 0; /* reload flag is dropped silently */ OK_(crypt_deactivate(cd, CDEVICE_1)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); /* check read-only flag is not lost after reload */ OK_(crypt_deactivate(cd, CDEVICE_1)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY)); - OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); OK_(crypt_get_active_device(cd, CDEVICE_1, 
&cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY)); cad.flags = 0; @@ -3726,7 +3769,7 @@ static void Luks2Refresh(void) /* check LUKS2 with auth. enc. reload */ OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG)); if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, ¶ms)) { - OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3)); + OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE))); OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0)); OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL)); OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); @@ -3736,11 +3779,11 @@ static void Luks2Refresh(void) OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); cad.flags = 0; - OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); + OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), ""); FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), ""); - FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context"); + FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context"); OK_(crypt_deactivate(cd2, CDEVICE_2)); } else { printf("WARNING: cannot format integrity device, skipping few reload tests.\n"); 
@@ -3750,8 +3793,8 @@ static void Luks2Refresh(void) /* Use LUKS1 context on LUKS2 device */ OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S)); OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL)); - OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3)); - FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context"); + OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE))); + FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context"); CRYPT_FREE(cd2); /* Use PLAIN context on LUKS2 device */ @@ -3767,8 +3810,8 @@ static void Luks2Refresh(void) OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG)); OK_(set_fast_pbkdf(cd2)); OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL)); - OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3)); - FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device"); + OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE))); + FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device"); OK_(crypt_deactivate(cd, CDEVICE_1)); 
@@ -3798,10 +3841,19 @@ static void Luks2Flags(void) flags = CRYPT_ACTIVATE_ALLOW_DISCARDS | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; OK_(crypt_persistent_flags_set(cd, CRYPT_FLAGS_ACTIVATION, flags)); - flags = (uint32_t)~0; + flags = ~UINT32_C(0); OK_(crypt_persistent_flags_get(cd, CRYPT_FLAGS_ACTIVATION, &flags)); EQ_(flags,CRYPT_ACTIVATE_ALLOW_DISCARDS | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS); + /* label and subsystem (second label */ + OK_(crypt_set_label(cd, "label", "subsystem")); + OK_(strcmp("label", crypt_get_label(cd))); + OK_(strcmp("subsystem", crypt_get_subsystem(cd))); + + OK_(crypt_set_label(cd, NULL, NULL)); + OK_(strcmp("", crypt_get_label(cd))); + OK_(strcmp("", crypt_get_subsystem(cd))); + CRYPT_FREE(cd); } @@ -3839,16 +3891,16 @@ static void Luks2Reencryption(void) struct crypt_params_reencrypt retparams = {}, rparams = { .direction = CRYPT_REENCRYPT_FORWARD, .resilience = "checksum", - .hash = "sha1", + .hash = "sha256", .luks2 = ¶ms2, }; dev_t devno; - const char *mk_hex = "bb21babe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21babe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; char key[128]; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); /* reencryption currently depends on kernel keyring support in dm-crypt */ if (!t_dm_crypt_keyring_support()) @@ -3983,7 +4035,7 @@ static void Luks2Reencryption(void) rparams.hash = "hamSter"; FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash."); - rparams.hash = "sha1"; + rparams.hash = "sha256"; OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams)); OK_(crypt_reencrypt_run(cd, NULL, NULL)); 
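Review bot: The label checks added to Luks2Flags pass `crypt_get_label(cd)` and `crypt_get_subsystem(cd)` straight to strcmp(), so a NULL return would crash the test instead of failing it; the Luks2Requirements hunk of this same commit guards the identical comparison with NOTNULL_. I would add `NOTNULL_(crypt_get_label(cd));` and `NOTNULL_(crypt_get_subsystem(cd));` before each pair of strcmp() checks, in particular after `crypt_set_label(cd, NULL, NULL)`, where the empty-string result is the behaviour under test. The new comment `/* label and subsystem (second label */` has an unbalanced parenthesis and should read `/* label and subsystem (second label) */`. The start of Luks2Flags is outside this hunk.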
@@ -4039,7 +4091,7 @@ static void Luks2Reencryption(void) EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, 1, "aes", "xts-plain64", &rparams), 2); /* interrupt reencryption after 'test_progress_steps' */ - test_progress_steps = 1; + test_progress_steps = 2; OK_(crypt_reencrypt_run(cd, &test_progress, NULL)); EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_CLEAN); @@ -4447,8 +4499,8 @@ static void Luks2Reencryption(void) rparams.flags = 0; rparams.max_hotzone_size = 8; OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "cbc-essiv:sha256", &rparams)); - /* reencrypt 8 srectors of device */ - test_progress_steps = 1; + /* reencrypt 8 sectors of device */ + test_progress_steps = 2; OK_(crypt_reencrypt_run(cd, &test_progress, NULL)); /* activate another data device with same LUKS2 header (this is wrong, but we can't detect such mistake) */ @@ -4460,7 +4512,7 @@ static void Luks2Reencryption(void) /* reencrypt yet another 8 sectors of first device */ rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY; OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "cbc-essiv:sha256", &rparams)); - test_progress_steps = 1; + test_progress_steps = 2; OK_(crypt_reencrypt_run(cd, &test_progress, NULL)); /* Now active mapping for second data device does not match its metadata */ @@ -4493,7 +4545,7 @@ static void Luks2Reencryption(void) rparams.flags = 0; EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 1); OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "xts-plain64", &rparams)); - test_progress_steps = 1; + test_progress_steps = 2; OK_(crypt_reencrypt_run(cd, &test_progress, NULL)); EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_CLEAN); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); 
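Review bot: `test_progress_steps` changes from 1 to 2 in four places in Luks2Reencryption (this hunk and the three that follow it on this page) with no comment explaining the new value. The neighbouring comments still say `reencrypt 8 sectors of device` and `reencrypt yet another 8 sectors` next to `max_hotzone_size = 8`; whether two progress steps still stop after one hotzone depends on the test_progress callback, which is defined outside these hunks, so those comments may now be stale. I would add a short comment at the first assignment, for example `/* interrupt after 2 progress callbacks: <reason the callback needs 2> */`, with the placeholder filled in from what the callback actually counts. Luks2Reencryption starts and ends outside these hunks.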
@@ -4535,23 +4587,443 @@ static void Luks2Reencryption(void) OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0)); OK_(crypt_keyslot_destroy(cd, 9)); OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0)); - crypt_free(cd); + CRYPT_FREE(cd); _cleanup_dmdevices(); + OK_(create_dmdevice_over_loop(L_DEVICE_OK, 2 * r_header_size)); + OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); + + rparams = (struct crypt_params_reencrypt) { + .mode = CRYPT_REENCRYPT_DECRYPT, + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "datashift-checksum", + .hash = "sha256", + .data_shift = r_header_size, + .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT + }; + + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, NULL)); + EQ_(0, crypt_keyslot_add_by_volume_key(cd, 0, NULL, 64, PASSPHRASE, strlen(PASSPHRASE))); + OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE)); + CRYPT_FREE(cd); + + params2.data_device = DMDIR L_DEVICE_OK; + params2.sector_size = 512; + + /* create detached LUKS2 header (with data_offset == 0) */ + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, ¶ms2)); + EQ_(crypt_get_data_offset(cd), 0); + OK_(set_fast_pbkdf(cd)); + EQ_(0, crypt_keyslot_add_by_volume_key(cd, 0, NULL, 64, PASSPHRASE, strlen(PASSPHRASE))); + CRYPT_FREE(cd); + + /* initiate LUKS2 decryption with datashift on bogus LUKS2 header (data_offset == 0) */ + OK_(crypt_init_data_device(&cd, DMDIR H_DEVICE, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Illegal data offset"); + /* reencryption must not initialize */ + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + CRYPT_FREE(cd); + /* original data device must stay untouched */ + 
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + CRYPT_FREE(cd); + + OK_(chmod(BACKUP_FILE, S_IRUSR|S_IWUSR)); + OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + + /* simulate read error at first segment beyond data offset*/ + OK_(dmdevice_error_io(L_DEVICE_OK, DMDIR L_DEVICE_OK, DEVICE_ERROR, 0, r_header_size, 8, ERR_RD)); + + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Could not read first data segment"); + CRYPT_FREE(cd); + + /* Device must not be in reencryption */ + OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + /* simulate write error in original LUKS2 header area */ + OK_(dmdevice_error_io(L_DEVICE_OK, DMDIR L_DEVICE_OK, DEVICE_ERROR, 0, 0, 8, ERR_WR)); + + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Could not write first data segment"); + CRYPT_FREE(cd); + + /* Device must not be in reencryption */ + OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + CRYPT_FREE(cd); + remove(BACKUP_FILE); + + /* remove error mapping */ + OK_(dmdevice_error_io(L_DEVICE_OK, DMDIR L_DEVICE_OK, DEVICE_ERROR, 0, 0, 8, ERR_REMOVE)); + + /* test various bogus reencryption resilience parameters */ + rparams = (struct crypt_params_reencrypt) { + .mode = CRYPT_REENCRYPT_DECRYPT, + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "checksum", /* should have been datashift-checksum */ + .hash = "sha256", + .data_shift = r_header_size, + .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT + }; 
+ + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, NULL)); + EQ_(0, crypt_keyslot_add_by_volume_key(cd, 0, NULL, 64, PASSPHRASE, strlen(PASSPHRASE))); + OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE)); + CRYPT_FREE(cd); + + OK_(chmod(BACKUP_FILE, S_IRUSR|S_IWUSR)); + OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + + /* decryption on device with data offset and no datashift subvariant mode */ + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + rparams.resilience = "journal"; /* should have been datashift-journal */ + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + rparams = (struct crypt_params_reencrypt) { + .mode = CRYPT_REENCRYPT_DECRYPT, + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "datashift-checksum", + .hash = "sha256", + .data_shift = 0, /* must be non zero */ + .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT + }; + + /* datashift = 0 */ + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + rparams.resilience = "datashift-journal"; + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + rparams.resilience = "datashift"; /* datashift only is not supported in decryption mode with 
moved segment */ + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + CRYPT_FREE(cd); + + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, ¶ms2)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 21, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 21); + + rparams = (struct crypt_params_reencrypt) { + .mode = CRYPT_REENCRYPT_REENCRYPT, + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "datashift-checksum", + .hash = "sha256", + .data_shift = r_header_size, + .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY + }; + + /* regular reencryption must not accept datashift subvariants */ + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + rparams.resilience = "datashift-journal"; + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, CRYPT_ANY_SLOT, NULL, NULL, &rparams), "Invalid reencryption params"); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + + CRYPT_FREE(cd); + _cleanup_dmdevices(); } #endif +static void LuksKeyslotAdd(void) +{ + struct crypt_params_luks2 params = { + .sector_size = 512 + }; + char key[128], key3[128]; +#ifdef KERNEL_KEYRING + int ks; + key_serial_t kid; +#endif + const struct crypt_token_params_luks2_keyring tparams = { + .key_description = KEY_DESC_TEST0 + }; + + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "cbc-essiv:sha256"; + uint64_t 
r_payload_offset; + struct crypt_keyslot_context *um1, *um2; + + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key3, vk_hex2, key_size); + + // init test devices + OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset)); + OK_(create_dmdevice_over_loop(H_DEVICE, r_payload_offset + 1)); + + // test support for embedded key (after crypt_format) + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 3, um2, 0), 3); + EQ_(crypt_keyslot_status(cd, 3), CRYPT_SLOT_ACTIVE_LAST); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + CRYPT_FREE(cd); + + // test add by volume key + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE1, strlen(PASSPHRASE1), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, CRYPT_ANY_SLOT, um2, 0), 0); + EQ_(crypt_keyslot_status(cd, 0), CRYPT_SLOT_ACTIVE); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // Add by same passphrase + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 1, um1, 0), 1); + EQ_(crypt_keyslot_status(cd, 1), CRYPT_SLOT_ACTIVE); + crypt_keyslot_context_free(um1); + + // new passphrase can't be provided by key method + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um2)); + 
FAIL_(crypt_keyslot_add_by_keyslot_context(cd, 1, um1, CRYPT_ANY_SLOT, um2, 0), "Can't get passphrase via selected unlock method"); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // add by keyfile + OK_(prepare_keyfile(KEYFILE1, PASSPHRASE1, strlen(PASSPHRASE1))); + OK_(prepare_keyfile(KEYFILE2, KEY1, strlen(KEY1))); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, 0, um1, 2, um2, 0), 2); + EQ_(crypt_keyslot_status(cd, 2), CRYPT_SLOT_ACTIVE); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // add by same keyfile + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um1)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, 2, um1, 4, um1, 0), 4); + EQ_(crypt_keyslot_status(cd, 4), CRYPT_SLOT_ACTIVE); + crypt_keyslot_context_free(um1); + + // keyslot already exists + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, 3, um1, 0, um2, 0), "Keyslot already exists."); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // generate new unbound key + OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10); + EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + EQ_(crypt_token_luks2_keyring_set(cd, 3, &tparams), 3); + EQ_(crypt_token_assign_keyslot(cd, 3, 1), 3); + EQ_(crypt_token_assign_keyslot(cd, 3, 3), 3); + + // test unlocking/adding keyslot by LUKS2 token + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 
0, NULL, &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + // passphrase not in keyring + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 13, um2, 0), "No token available."); +#ifdef KERNEL_KEYRING + // wrong passphrase in keyring + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE1, strlen(PASSPHRASE1), KEY_SPEC_THREAD_KEYRING); + NOTFAIL_(kid, "Test or kernel keyring are broken."); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 13, um2, 0), "No token available."); + + // token unlocks keyslot + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); + NOTFAIL_(kid, "Test or kernel keyring are broken."); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 13, um2, 0), 13); + EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_ACTIVE); + + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // token provides passphrase for new keyslot + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, 3, um1, 30, um2, 0), 30); + EQ_(crypt_keyslot_status(cd, 30), CRYPT_SLOT_ACTIVE); + OK_(crypt_token_is_assigned(cd, 3, 30)); + + // unlock and add by same token + crypt_keyslot_context_free(um1); + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um1)); + ks = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, CRYPT_ANY_SLOT, um1, 0); + GE_(ks, 0); + EQ_(crypt_keyslot_status(cd, ks), CRYPT_SLOT_ACTIVE); + OK_(crypt_token_is_assigned(cd, 3, ks)); +#endif + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + CRYPT_FREE(cd); + + _cleanup_dmdevices(); +} + +static void VolumeKeyGet(void) +{ + struct crypt_params_luks2 params = { + .sector_size = 512 + }; + char key[256], key2[256]; +#ifdef KERNEL_KEYRING + 
key_serial_t kid; + const struct crypt_token_params_luks2_keyring tparams = { + .key_description = KEY_DESC_TEST0 + }; +#endif + + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a" + "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1b"; + size_t key_size = strlen(vk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "xts-plain64"; + uint64_t r_payload_offset; + struct crypt_keyslot_context *um1, *um2; + + crypt_decode_key(key, vk_hex, key_size); + + OK_(prepare_keyfile(KEYFILE1, PASSPHRASE1, strlen(PASSPHRASE1))); + +#ifdef KERNEL_KEYRING + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE1, strlen(PASSPHRASE1), KEY_SPEC_THREAD_KEYRING); + NOTFAIL_(kid, "Test or kernel keyring are broken."); +#endif + + // init test devices + OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset)); + OK_(create_dmdevice_over_loop(H_DEVICE, r_payload_offset + 1)); + + // test support for embedded key (after crypt_format) + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, key_size, ¶ms)); + key_size--; + FAIL_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL), "buffer too small"); + + // check cached generated volume key can be retrieved + key_size++; + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL)); + OK_(crypt_volume_key_verify(cd, key2, key_size)); + CRYPT_FREE(cd); + + // check we can add keyslot via retrieved key + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key2, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 3, um2, 0), 3); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + CRYPT_FREE(cd); + + 
// check selected volume key can be retrieved and added + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms)); + memset(key2, 0, key_size); + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL)); + OK_(memcmp(key, key2, key_size)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key2, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 0, um2, 0), 0); + crypt_keyslot_context_free(um2); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 1, um2, 0), 1); + crypt_keyslot_context_free(um2); +#ifdef KERNEL_KEYRING + EQ_(crypt_token_luks2_keyring_set(cd, 0, &tparams), 0); + EQ_(crypt_token_assign_keyslot(cd, 0, 1), 0); +#endif + crypt_keyslot_context_free(um1); + CRYPT_FREE(cd); + + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); + // check key context is not usable + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), -EINVAL); + crypt_keyslot_context_free(um1); + + // by passphrase + memset(key2, 0, key_size); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 0); + OK_(memcmp(key, key2, key_size)); + memset(key2, 0, key_size); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, 0, key2, &key_size, um1), 0); + OK_(memcmp(key, key2, key_size)); + crypt_keyslot_context_free(um1); + + // by keyfile + memset(key2, 0, key_size); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, 
&key_size, um1), 1); + OK_(memcmp(key, key2, key_size)); + memset(key2, 0, key_size); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, 1, key2, &key_size, um1), 1); + crypt_keyslot_context_free(um1); + +#ifdef KERNEL_KEYRING + // by token + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um1)); + memset(key2, 0, key_size); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 1); + OK_(memcmp(key, key2, key_size)); + crypt_keyslot_context_free(um1); +#endif + CRYPT_FREE(cd); + + _remove_keyfiles(); + _cleanup_dmdevices(); +} + +static int _crypt_load_check(struct crypt_device *cd) +{ +#ifdef HAVE_BLKID + return crypt_load(cd, CRYPT_LUKS, NULL); +#else + return -ENOTSUP; +#endif +} + static void Luks2Repair(void) { char rollback[256]; - snprintf(rollback, sizeof(rollback), - "dd if=" IMAGE_PV_LUKS2_SEC ".bcp of=%s bs=1M 2>/dev/null", - DEVICE_6); + GE_(snprintf(rollback, sizeof(rollback), + "dd if=" IMAGE_PV_LUKS2_SEC ".bcp of=%s bs=1M 2>/dev/null", DEVICE_6), 0); OK_(crypt_init(&cd, DEVICE_6)); - FAIL_(crypt_load(cd, CRYPT_LUKS, NULL), "Ambiguous signature detected"); + FAIL_(_crypt_load_check(cd), "Ambiguous signature detected"); FAIL_(crypt_repair(cd, CRYPT_LUKS1, NULL), "Not a LUKS2 device"); /* check explicit LUKS2 repair works */ @@ -4562,7 +5034,7 @@ static void Luks2Repair(void) /* rollback */ OK_(_system(rollback, 1)); - FAIL_(crypt_load(cd, CRYPT_LUKS, NULL), "Ambiguous signature detected"); + FAIL_(_crypt_load_check(cd), "Ambiguous signature detected"); /* check repair with type detection works */ OK_(crypt_repair(cd, CRYPT_LUKS, NULL)); 
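Review bot: In the `@@ -4562` hunk, `FAIL_(_crypt_load_check(cd), "Ambiguous signature detected")` is presumably satisfied unconditionally in a build without HAVE_BLKID, because the helper added earlier in this file returns `-ENOTSUP` there without calling `crypt_load()`. The ambiguous-signature rejection is then not exercised at all, and the test log gives no hint of that. I would document this on the helper, e.g. `/* without blkid the signature probe is unavailable; the stub only keeps FAIL_() satisfied */`, or print a "skipping" warning as other tests in this suite do. The same applies to the identical replacements in the `@@ -4574` and `@@ -4585` hunks; Luks2Repair starts and ends outside these hunks.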
@@ -4574,7 +5046,7 @@ static void Luks2Repair(void) OK_(crypt_init(&cd, DEVICE_6)); OK_(crypt_metadata_locking(cd, 0)); - FAIL_(crypt_load(cd, CRYPT_LUKS, NULL), "Ambiguous signature detected"); + FAIL_(_crypt_load_check(cd), "Ambiguous signature detected"); FAIL_(crypt_repair(cd, CRYPT_LUKS1, NULL), "Not a LUKS2 device"); /* check explicit LUKS2 repair works */ @@ -4585,7 +5057,7 @@ static void Luks2Repair(void) /* rollback */ OK_(_system(rollback, 1)); - FAIL_(crypt_load(cd, CRYPT_LUKS, NULL), "Ambiguous signature detected"); + FAIL_(_crypt_load_check(cd), "Ambiguous signature detected"); /* check repair with type detection works */ OK_(crypt_repair(cd, CRYPT_LUKS, NULL)); @@ -4658,6 +5130,8 @@ int main(int argc, char *argv[]) #if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION RUN_(Luks2Reencryption, "LUKS2 reencryption"); #endif + RUN_(LuksKeyslotAdd, "Adding keyslot via new API"); + RUN_(VolumeKeyGet, "Getting volume key via keyslot context API"); RUN_(Luks2Repair, "LUKS2 repair"); // test disables metadata locking. Run always last! _cleanup(); diff --git a/tests/api-test.c b/tests/api-test.c index 93ac8e0..aa430dd 100644 --- a/tests/api-test.c +++ b/tests/api-test.c @@ -1,9 +1,9 @@ /* * cryptsetup library API check functions * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -65,8 +65,8 @@ #define KEYFILE2 "key2.file" #define KEY2 "0123456789abcdef" -#define PASSPHRASE "blabla" -#define PASSPHRASE1 "albalb" +#define PASSPHRASE "blablabl" +#define PASSPHRASE1 "albalbal" #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc" 
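Review bot: The `@@ -65,8` hunk of tests/api-test.c lengthens `PASSPHRASE` and `PASSPHRASE1` to eight characters without recording why, so a later edit could shorten them again. If the reason is a minimum passphrase length enforced by a crypto backend in FIPS mode (inferred from the FIPS handling elsewhere in this commit, not shown in this hunk), a comment above the defines would keep that constraint visible, e.g. `/* test passphrases must stay at least 8 characters long (FIPS-mode minimum; confirm) */`.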
@@ -245,8 +245,9 @@ static int _setup(void) return 1; } close(fd); - snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", - test_loop_file, TST_SECTOR_SIZE, TST_LOOP_FILE_SIZE); + if (snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", + test_loop_file, TST_SECTOR_SIZE, TST_LOOP_FILE_SIZE) < 0) + return 1; if (_system(cmd, 1)) return 1; @@ -262,8 +263,9 @@ static int _setup(void) return 1; } close(fd); - snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", - tmp_file_1, TST_SECTOR_SIZE, 10); + if (snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null", + tmp_file_1, TST_SECTOR_SIZE, 10) < 0) + return 1; if (_system(cmd, 1)) return 1; @@ -298,6 +300,10 @@ static int _setup(void) _system("modprobe dm-crypt >/dev/null 2>&1", 0); _system("modprobe dm-verity >/dev/null 2>&1", 0); + _system("modprobe dm-integrity >/dev/null 2>&1", 0); + + if (t_dm_check_versions()) + return 1; _fips_mode = fips_mode(); if (_debug) 
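Review bot: The new `if (snprintf(cmd, sizeof(cmd), ...) < 0) return 1;` in `_setup` (the `@@ -245` and `@@ -262` hunks) rejects only an encoding error, not truncation, and the buffer is then passed to `_system()`. If the temp file path ever makes the string longer than `cmd`, a cut-off `dd` command line is handed to the shell. Checking the length as well closes that gap: `r = snprintf(cmd, sizeof(cmd), ...); if (r < 0 || (size_t)r >= sizeof(cmd)) return 1;`. The `GE_(snprintf(...), 0)` form used in AddDevicePlain, UseTempVolumes, LuksHeaderRestore and LuksHeaderLoad further down has the same limitation. `_setup` starts and ends outside these hunks.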
@@ -312,24 +318,25 @@ static int _setup(void) static void AddDevicePlain(void) { struct crypt_params_plain params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 }; int fd; char key[128], key2[128], path[128]; + struct crypt_keyslot_context *kc = NULL; - const char *passphrase = PASSPHRASE; + const char *passphrase = "blabla"; // hashed hex version of PASSPHRASE - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t size, r_size; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); FAIL_(crypt_init(&cd, ""), "empty device string"); FAIL_(crypt_init(&cd, DEVICE_WRONG), "nonexistent device name "); FAIL_(crypt_init(&cd, DEVICE_CHAR), "character device as backing device"); @@ -384,7 +391,7 @@ static void AddDevicePlain(void) OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms)); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0)); GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); - snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1); + GE_(snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1), 0); if (t_device_size(path, &r_size) >= 0) EQ_(r_size >> TST_SECTOR_SHIFT, 1); OK_(crypt_deactivate(cd, CDEVICE_1)); @@ -438,7 +445,7 @@ static void AddDevicePlain(void) OK_(crypt_deactivate(cd,CDEVICE_1)); CRYPT_FREE(cd); - params.hash = "sha1"; + params.hash = "sha256"; params.offset = 0; params.size = 0; params.skip = 0; 
@@ -452,7 +459,7 @@ static void AddDevicePlain(void) // device status check GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); - snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1); + GE_(snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1), 0); fd = open(path, O_RDONLY); EQ_(crypt_status(cd, CDEVICE_1), CRYPT_BUSY); FAIL_(crypt_deactivate(cd, CDEVICE_1), "Device is busy"); @@ -572,6 +579,11 @@ static void AddDevicePlain(void) key_size++; OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase))); OK_(memcmp(key, key2, key_size)); + memset(key2, 0, key_size); + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase, strlen(passphrase), &kc)); + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, kc)); + OK_(memcmp(key, key2, key_size)); + crypt_keyslot_context_free(kc); OK_(strcmp(cipher, crypt_get_cipher(cd))); OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd))); @@ -604,6 +616,9 @@ static void AddDevicePlain(void) FAIL_(crypt_keyslot_add_by_keyfile(cd,CRYPT_ANY_SLOT,KEYFILE1,strlen(KEY1),KEYFILE2,strlen(KEY2)),"can't add keyslot to plain device"); FAIL_(crypt_keyslot_destroy(cd,1),"can't manipulate keyslots on plain device"); EQ_(crypt_keyslot_status(cd, 0), CRYPT_SLOT_INVALID); + FAIL_(crypt_set_label(cd, "label", "subsystem"), "can't set labels for plain device"); + NULL_(crypt_get_label(cd)); + NULL_(crypt_get_subsystem(cd)); _remove_keyfiles(); CRYPT_FREE(cd); @@ -620,7 +635,7 @@ static void new_log(int level, const char *msg, void *usrptr) static void CallbacksTest(void) { struct crypt_params_plain params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, }; 
@@ -757,6 +772,10 @@ static void SuspendDevice(void) OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); + /* skip tests using empty passphrase */ + if(_fips_mode) + return; + OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); @@ -791,17 +810,17 @@ static void AddDeviceLuks(void) }; char key[128], key2[128], key3[128]; - const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(mk_hex) / 2; + const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size, r_size_1; struct crypt_pbkdf_type pbkdf; - crypt_decode_key(key, mk_hex, key_size); - crypt_decode_key(key3, mk_hex2, key_size); + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key3, vk_hex2, key_size); // init test devices OK_(get_luks_offsets(1, key_size, 0, 0, &r_header_size, &r_payload_offset)); @@ -941,7 +960,7 @@ static void AddDeviceLuks(void) FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); OK_(crypt_deactivate(cd, CDEVICE_1)); - FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); + EQ_(crypt_header_is_detached(cd), 1); CRYPT_FREE(cd); params.data_device = NULL; 
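Review bot: The early `if(_fips_mode) return;` added to SuspendDevice in the `@@ -757` hunk skips the rest of the function silently, so a FIPS run reports the test as passed although the empty-passphrase part never ran. The integrity resize tests added in this commit print a `WARNING: ... skipping test.` line in the same situation. For consistency I would write `if (_fips_mode) { printf("WARNING: FIPS mode, skipping empty passphrase tests.\n"); return; }`, which also gives `if` the space used elsewhere. The end of SuspendDevice is outside the hunk, so it is worth confirming that no cleanup there (key files, dm devices) is bypassed by the early return.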
@@ -1036,6 +1055,10 @@ static void AddDeviceLuks(void) OK_(crypt_set_uuid(cd, DEVICE_TEST_UUID)); OK_(strcmp(DEVICE_TEST_UUID, crypt_get_uuid(cd))); + FAIL_(crypt_set_label(cd, "label", "subsystem"), "can't set labels for LUKS1 device"); + NULL_(crypt_get_label(cd)); + NULL_(crypt_get_subsystem(cd)); + FAIL_(crypt_deactivate(cd, CDEVICE_2), "not active"); CRYPT_FREE(cd); @@ -1071,9 +1094,9 @@ static void UseTempVolumes(void) // Dirty checks: device without UUID // we should be able to remove it but not manipulate with it - snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" + GE_(snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 " - "%s 2048\"", CDEVICE_2, DEVICE_2); + "%s 2048\"", CDEVICE_2, DEVICE_2), 0); _system(tmp, 1); OK_(crypt_init_by_name(&cd, CDEVICE_2)); OK_(crypt_deactivate(cd, CDEVICE_2)); @@ -1081,10 +1104,10 @@ static void UseTempVolumes(void) CRYPT_FREE(cd); // Dirty checks: device with UUID but LUKS header key fingerprint must fail) - snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" + GE_(snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \"" "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 " "%s 2048\" -u CRYPT-LUKS1-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-ctest1", - CDEVICE_2, DEVICE_2); + CDEVICE_2, DEVICE_2), 0); _system(tmp, 1); OK_(crypt_init_by_name(&cd, CDEVICE_2)); OK_(crypt_deactivate(cd, CDEVICE_2)); 
@@ -1116,20 +1139,20 @@ static void LuksHeaderRestore(void) .data_alignment = 2048, // 4M, data offset will be 4096 }; struct crypt_params_plain pl_params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 }; char key[128], key2[128], cmd[256]; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000)); @@ -1154,7 +1177,7 @@ static void LuksHeaderRestore(void) FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_5), "Header corrupted"); OK_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER)); // wipe valid luks header - snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=512 count=%" PRIu64 " 2>/dev/null", r_payload_offset); + GE_(snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=512 count=%" PRIu64 " 2>/dev/null", r_payload_offset), 0); OK_(_system(cmd, 1)); FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_1), "Header corrupted"); FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_2), "Header corrupted"); 
@@ -1203,21 +1226,21 @@ static void LuksHeaderLoad(void) .data_alignment = 2048, }; struct crypt_params_plain pl_params = { - .hash = "sha1", + .hash = "sha256", .skip = 0, .offset = 0, .size = 0 }; char key[128], cmd[256]; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size; uint64_t mdata_size, keyslots_size; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); // prepare test env OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, &r_header_size, &r_payload_offset)); @@ -1226,8 +1249,8 @@ static void LuksHeaderLoad(void) // prepared header on a device too small to contain header and payload //OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1)); OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, 2050 - 1)); //FIXME - //snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%" PRIu64, r_payload_offset - 1); - snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%d 2>/dev/null", 2050 - 1); + //GE_(snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%" PRIu64, r_payload_offset - 1), 0); + GE_(snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%d 2>/dev/null", 2050 - 1), 0); OK_(_system(cmd, 1)); // some device OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000)); 
@@ -1322,15 +1345,15 @@ static void LuksHeaderBackup(void) char key[128]; int fd, ro = O_RDONLY; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset; const char *passphrase = PASSPHRASE; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); @@ -1404,13 +1427,13 @@ static void ResizeDeviceLuks(void) }; char key[128]; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size, r_size; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); // prepare env OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset)); @@ -1492,7 +1515,7 @@ static void HashDevicePlain(void) }; size_t key_size; - const char *mk_hex, *keystr; + const char *vk_hex, *keystr; char key[256]; OK_(crypt_init(&cd, DEVICE_1)); 
@@ -1505,41 +1528,41 @@ static void HashDevicePlain(void) // hash PLAIN, exact key // 0 1 2 3 4 5 6 7 8 9 a b c d e f - mk_hex = "caffeecaffeecaffeecaffeecaffee88"; + vk_hex = "caffeecaffeecaffeecaffeecaffee88"; key_size = 16; - crypt_decode_key(key, mk_hex, key_size); + crypt_decode_key(key, vk_hex, key_size); OK_(prepare_keyfile(KEYFILE1, key, key_size)); OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); // Limit plain key - mk_hex = "caffeecaffeecaffeecaffeeca000000"; + vk_hex = "caffeecaffeecaffeecaffeeca000000"; OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size - 3, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); _remove_keyfiles(); // hash PLAIN, long key // 0 1 2 3 4 5 6 7 8 9 a b c d e f - mk_hex = "caffeecaffeecaffeecaffeecaffee88babebabe"; + vk_hex = "caffeecaffeecaffeecaffeecaffee88babebabe"; key_size = 16; - crypt_decode_key(key, mk_hex, key_size); - OK_(prepare_keyfile(KEYFILE1, key, strlen(mk_hex) / 2)); + crypt_decode_key(key, vk_hex, key_size); + OK_(prepare_keyfile(KEYFILE1, key, strlen(vk_hex) / 2)); OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - FAIL_(strcmp(key, mk_hex), "only key length used"); - OK_(strncmp(key, mk_hex, key_size)); + FAIL_(strcmp(key, vk_hex), "only key length used"); + OK_(strncmp(key, vk_hex, key_size)); OK_(crypt_deactivate(cd, CDEVICE_1)); // Now without explicit limit OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - FAIL_(strcmp(key, mk_hex), "only key length used"); - OK_(strncmp(key, mk_hex, key_size)); + FAIL_(strcmp(key, vk_hex), "only key length used"); + 
OK_(strncmp(key, vk_hex, key_size)); OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); @@ -1548,15 +1571,15 @@ static void HashDevicePlain(void) // Handling of legacy "plain" hash (no hash) params.hash = "plain"; // 0 1 2 3 4 5 6 7 8 9 a b c d e f - mk_hex = "aabbcaffeecaffeecaffeecaffeecaff"; + vk_hex = "aabbcaffeecaffeecaffeecaffeecaff"; key_size = 16; - crypt_decode_key(key, mk_hex, key_size); - OK_(prepare_keyfile(KEYFILE1, key, strlen(mk_hex) / 2)); + crypt_decode_key(key, vk_hex, key_size); + OK_(prepare_keyfile(KEYFILE1, key, strlen(vk_hex) / 2)); OK_(crypt_init(&cd, DEVICE_1)); OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms)); OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); @@ -1568,19 +1591,19 @@ static void HashDevicePlain(void) OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms)); // 0 1 2 3 4 5 6 7 8 9 a b c d e f - mk_hex = "c62e4615bd39e222572f3a1bf7c2132e"; + vk_hex = "c62e4615bd39e222572f3a1bf7c2132e"; keystr = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; key_size = strlen(keystr); // 32 OK_(prepare_keyfile(KEYFILE1, keystr, strlen(keystr))); OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); // Read full keyfile OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); _remove_keyfiles(); 
@@ -1590,7 +1613,7 @@ static void HashDevicePlain(void) OK_(prepare_keyfile(KEYFILE1, keystr, strlen(keystr))); OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0)); OK_(get_key_dm(CDEVICE_1, key, sizeof(key))); - OK_(strcmp(key, mk_hex)); + OK_(strcmp(key, vk_hex)); OK_(crypt_deactivate(cd, CDEVICE_1)); // Full keyfile @@ -1702,6 +1725,10 @@ static void VerityTest(void) OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_out, &root_hash_out_size, NULL, 0)); EQ_(32, root_hash_out_size); OK_(memcmp(root_hash, root_hash_out, root_hash_out_size)); + memset(root_hash_out, 0, root_hash_out_size); + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, root_hash_out, &root_hash_out_size, NULL)); + EQ_(32, root_hash_out_size); + OK_(memcmp(root_hash, root_hash_out, root_hash_out_size)); OK_(crypt_deactivate(cd, CDEVICE_1)); /* hash fail */ @@ -1778,6 +1805,9 @@ static void TcryptTest(void) key_size++; OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0)); OK_(memcmp(key, key_def, key_size)); + memset(key, 0, key_size); + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key, &key_size, NULL)); + OK_(memcmp(key, key_def, key_size)); reset_log(); OK_(crypt_dump(cd)); @@ -1792,6 +1822,7 @@ static void TcryptTest(void) GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "Need crypt_load"); + FAIL_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key, &key_size, NULL), "Need crypt_load"); // check params after init_by_name OK_(strcmp("xts-plain64", crypt_get_cipher_mode(cd))); 
@@ -1836,6 +1867,150 @@ static void TcryptTest(void) EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_INACTIVE); } +static void ResizeIntegrity(void) +{ + struct crypt_params_integrity params = { + .tag_size = 4, + .integrity = "crc32c", + .sector_size = 4096, + }; + int ret; + uint64_t r_size, whole_device_size = 0; + + if (!t_dm_integrity_resize_support()) { + printf("WARNING: integrity device resize not supported, skipping test.\n"); + return; + } + + OK_(crypt_init(&cd, DEVICE_2)); + ret = crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,¶ms); + if (ret < 0) { + printf("WARNING: cannot format integrity device, skipping test.\n"); + CRYPT_FREE(cd); + return; + } + OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, 0)); + t_device_size(DMDIR CDEVICE_1, &whole_device_size); + // shrink the device + OK_(crypt_resize(cd, CDEVICE_1, 1024 * 1024 / 512)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(1024 * 1024 / 512, r_size >> TST_SECTOR_SHIFT); + FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small"); + // fill the whole device again (size = 0) + OK_(crypt_resize(cd, CDEVICE_1, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(whole_device_size, r_size); + GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + + // detached metadata + OK_(create_dmdevice_over_loop(H_DEVICE, 1024 * 1024 / 512)); + OK_(crypt_init_data_device(&cd, DMDIR H_DEVICE, DEVICE_2)); + OK_(crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,¶ms)); + OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &whole_device_size)) + EQ_(10 * 1024 * 1024 / 512, whole_device_size >> TST_SECTOR_SHIFT); + // shrink the device + OK_(crypt_resize(cd, CDEVICE_1, 1024 * 1024 / 512)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(1024 * 1024 / 512, r_size >> TST_SECTOR_SHIFT); + FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small"); + // fill the whole device again 
(size = 0) + OK_(crypt_resize(cd, CDEVICE_1, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(whole_device_size, r_size); + GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + + _cleanup_dmdevices(); +} + +static void ResizeIntegrityWithKey(void) +{ + struct crypt_params_integrity params = { + .tag_size = 4, + .integrity = "hmac(sha256)", + .journal_integrity = "hmac(sha256)", + .journal_crypt = "cbc(aes)", + .sector_size = 4096, + }; + int ret; + uint64_t r_size, whole_device_size = 0; + + const char *key_integrity_hex = "41b06f3968ff10783edf3dd8c31d0d6e"; + const char *key_journal_integrity_hex = "9a3f924d03ab4a3307b148f844628f59"; + const char *key_journal_crypt_hex = "087a6943383f6c344cef03695b4f7277"; + + char integrity_key[128], journal_integrity_key[128], journal_crypt_key[128]; + + size_t integrity_key_size = strlen(key_integrity_hex) / 2; + size_t journal_integrity_key_size = strlen(key_journal_integrity_hex) / 2; + size_t journal_crypt_key_size = strlen(key_journal_crypt_hex) / 2; + + crypt_decode_key(integrity_key, key_integrity_hex, integrity_key_size); + crypt_decode_key(journal_integrity_key, key_journal_integrity_hex, journal_integrity_key_size); + crypt_decode_key(journal_crypt_key, key_journal_crypt_hex, journal_crypt_key_size); + + params.integrity_key_size = integrity_key_size; + + params.journal_integrity_key_size = journal_integrity_key_size; + params.journal_integrity_key = journal_integrity_key; + + params.journal_crypt_key_size = journal_crypt_key_size; + params.journal_crypt_key = journal_crypt_key; + + if (!t_dm_integrity_resize_support()) { + printf("WARNING: integrity device resize not supported, skipping test.\n"); + return; + } + + OK_(crypt_init(&cd, DEVICE_2)); + ret = crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,¶ms); + if (ret < 0) { + printf("WARNING: cannot format integrity device, skipping test.\n"); + CRYPT_FREE(cd); + return; + } + 
OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, integrity_key, integrity_key_size, 0)); + t_device_size(DMDIR CDEVICE_1, &whole_device_size); + // shrink the device + OK_(crypt_resize(cd, CDEVICE_1, 1024*1024/512)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(1024*1024/512, r_size >> TST_SECTOR_SHIFT); + FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small"); + // fill the whole device again (size = 0) + OK_(crypt_resize(cd, CDEVICE_1, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(whole_device_size, r_size); + GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + + // detached metadata + OK_(create_dmdevice_over_loop(H_DEVICE, 1024 * 1024 / 512)); + OK_(crypt_init_data_device(&cd, DMDIR H_DEVICE, DEVICE_2)); + OK_(crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,¶ms)); + OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, integrity_key, integrity_key_size, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &whole_device_size)) + EQ_(10*1024*1024/512, whole_device_size >> TST_SECTOR_SHIFT); + // shrink the device + OK_(crypt_resize(cd, CDEVICE_1, 1024*1024/512)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(1024*1024/512, r_size >> TST_SECTOR_SHIFT); + FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small"); + // fill the whole device again (size = 0) + OK_(crypt_resize(cd, CDEVICE_1, 0)); + if (!t_device_size(DMDIR CDEVICE_1, &r_size)) + EQ_(whole_device_size, r_size); + GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + + _cleanup_dmdevices(); +} + static void IntegrityTest(void) { struct crypt_params_integrity params = { @@ -1843,6 +2018,7 @@ static void IntegrityTest(void) .integrity = "crc32c", .sector_size = 4096, }, ip = {}; + struct crypt_active_device cad; int ret; // FIXME: this should be more detailed 
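Review bot: In both ResizeIntegrity and ResizeIntegrityWithKey (the `@@ -1836` hunk), the first `t_device_size(DMDIR CDEVICE_1, &whole_device_size);` ignores its return value. `whole_device_size` is later the expected value in `EQ_(whole_device_size, r_size)`, so if that first query fails the variable keeps its initial 0 and the later comparison fails with a message that points at the resize rather than at the size query. Using `OK_(t_device_size(DMDIR CDEVICE_1, &whole_device_size));` would report the failure where it happens; alternatively the later comparison could be guarded on the first call having succeeded. As a style point, the two functions differ only in `params` and in the key passed to `crypt_activate_by_volume_key()`, so a shared static helper taking the params, key and key size would remove the duplicated resize sequence.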
@@ -1862,6 +2038,7 @@ static void IntegrityTest(void) EQ_(ip.interleave_sectors, params.interleave_sectors); EQ_(ip.journal_size, params.journal_size); EQ_(ip.journal_watermark, params.journal_watermark); + EQ_(ip.integrity_key_size, 0); OK_(strcmp(ip.integrity,params.integrity)); FAIL_(crypt_set_uuid(cd,DEVICE_1_UUID),"can't set uuid to integrity device"); CRYPT_FREE(cd); 
@@ -1885,10 +2062,253 @@ static void IntegrityTest(void) EQ_(ip.tag_size, params.tag_size); OK_(strcmp(ip.integrity,params.integrity)); OK_(strcmp(CRYPT_INTEGRITY,crypt_get_type(cd))); + + if (t_dm_integrity_recalculate_support()) { + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(cad.flags & CRYPT_ACTIVATE_RECALCULATE, 0); + OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_RECALCULATE)); + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(cad.flags & CRYPT_ACTIVATE_RECALCULATE, CRYPT_ACTIVATE_RECALCULATE); + } + OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); } +static void WipeTest(void) +{ + OK_(crypt_init(&cd, NULL)); + FAIL_(crypt_wipe(cd, NULL, CRYPT_WIPE_ZERO, 0, 4096, 0, 0, NULL, NULL), "No device"); + FAIL_(crypt_wipe(cd, DEVICE_WRONG, CRYPT_WIPE_ZERO, 0, 4096, 0, 0, NULL, NULL), "Wrong device"); + OK_(crypt_wipe(cd, DEVICE_1, CRYPT_WIPE_ZERO, 0, 4096, 0, 0, NULL, NULL)); + OK_(crypt_wipe(cd, DEVICE_1, CRYPT_WIPE_RANDOM, 0, 4096, 0, 0, NULL, NULL)); + OK_(crypt_wipe(cd, DEVICE_1, CRYPT_WIPE_RANDOM, 0, 4096, 0, CRYPT_WIPE_NO_DIRECT_IO, NULL, NULL)); + CRYPT_FREE(cd); + + OK_(crypt_init(&cd, DEVICE_1)); + OK_(crypt_wipe(cd, NULL, CRYPT_WIPE_ZERO, 0, 4096, 0, 0, NULL, NULL)); + OK_(crypt_wipe(cd, NULL, CRYPT_WIPE_RANDOM, 0, 4096, TST_SECTOR_SIZE, 0, NULL, NULL)); + FAIL_(crypt_wipe(cd, NULL, CRYPT_WIPE_RANDOM, 0, 4096, TST_SECTOR_SIZE-1, 0, NULL, NULL), "Sector size"); + FAIL_(crypt_wipe(cd, NULL, CRYPT_WIPE_RANDOM, 0, 4096 - 1, 0, 0, NULL, NULL), "Length size not aligned"); + FAIL_(crypt_wipe(cd, NULL, CRYPT_WIPE_RANDOM, 1, 4096, 0, 0, NULL, NULL), "Offset not aligned"); + CRYPT_FREE(cd); +} + +static void LuksKeyslotAdd(void) +{ + enum { OFFSET_1M = 2048 , OFFSET_2M = 4096, OFFSET_4M = 8192, OFFSET_8M = 16384 }; + struct crypt_params_luks1 params = { + .hash = "sha512", + .data_alignment = OFFSET_1M, // 4M, data offset will be 4096 + }; + struct crypt_pbkdf_type min_pbkdf2 = { + .type = 
"pbkdf2", + .hash = "sha256", + .iterations = 1000, + .flags = CRYPT_PBKDF_NO_BENCHMARK + }; + char key[128], key3[128]; + + const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "cbc-essiv:sha256"; + uint64_t r_payload_offset; + struct crypt_keyslot_context *um1, *um2; + + crypt_decode_key(key, vk_hex, key_size); + crypt_decode_key(key3, vk_hex2, key_size); + + // init test devices + OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset)); + OK_(create_dmdevice_over_loop(H_DEVICE, r_payload_offset + 1)); + + // test support for embedded key (after crypt_format) + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase, strlen(passphrase), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 3, um2, 0), 3); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + CRYPT_FREE(cd); + + // test add by volume key + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS1, NULL)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase2, strlen(passphrase2), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, CRYPT_ANY_SLOT, um2, 0), 0); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // Add by same passphrase + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase, 
strlen(passphrase), &um1)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 1, um1, 0), 1); + crypt_keyslot_context_free(um1); + + // new passphrase can't be provided by key method + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase, strlen(passphrase), &um1)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, 1, um1, CRYPT_ANY_SLOT, um2, 0), "Can't get passphrase via selected unlock method"); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // add by keyfile + OK_(prepare_keyfile(KEYFILE1, passphrase2, strlen(passphrase2))); + OK_(prepare_keyfile(KEYFILE2, KEY1, strlen(KEY1))); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, 0, um1, 2, um2, 0), 2); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // add by same keyfile + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um1)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 4, um1, 0), 4); + crypt_keyslot_context_free(um1); + + // keyslot already exists + OK_(crypt_keyslot_context_init_by_passphrase(cd, passphrase2, strlen(passphrase2), &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, 3, um1, 0, um2, 0), "Keyslot already exists."); + crypt_keyslot_context_free(um2); + + // flags not supported with LUKS1 + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, CRYPT_ANY_SLOT, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), "Not supported with LUKS1."); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + // LUKS2 token not supported + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um1)); + 
OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, 2, um1, CRYPT_ANY_SLOT, um2, 0), "Not supported with LUKS1."); + EQ_(crypt_keyslot_context_get_error(um2), -EINVAL); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &um1)); + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um2)); + FAIL_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um2, CRYPT_ANY_SLOT, um1, 0), "Not supported with LUKS1."); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + + CRYPT_FREE(cd); + + _cleanup_dmdevices(); +} + +static void VolumeKeyGet(void) +{ + struct crypt_params_luks1 params = { + .hash = "sha512", + .data_alignment = 2048, // 2M, data offset will be 2048 + }; + struct crypt_pbkdf_type min_pbkdf2 = { + .type = "pbkdf2", + .hash = "sha256", + .iterations = 1000, + .flags = CRYPT_PBKDF_NO_BENCHMARK + }; + char key[128], key2[128]; + + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "cbc-essiv:sha256"; + uint64_t r_payload_offset; + struct crypt_keyslot_context *um1, *um2; + + crypt_decode_key(key, vk_hex, key_size); + + OK_(prepare_keyfile(KEYFILE1, PASSPHRASE1, strlen(PASSPHRASE1))); + + // init test devices + OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset)); + OK_(create_dmdevice_over_loop(H_DEVICE, r_payload_offset + 1)); + + // test support for embedded key (after crypt_format) + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms)); + key_size--; + FAIL_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL), "buffer too 
small"); + + // check cached generated volume key can be retrieved + key_size++; + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL)); + OK_(crypt_volume_key_verify(cd, key2, key_size)); + CRYPT_FREE(cd); + + // check we can add keyslot via retrieved key + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS1, NULL)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key2, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 3, um2, 0), 3); + crypt_keyslot_context_free(um1); + crypt_keyslot_context_free(um2); + CRYPT_FREE(cd); + + // check selected volume key can be retrieved and added + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_set_pbkdf_type(cd, &min_pbkdf2)); + OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms)); + memset(key2, 0, key_size); + OK_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, NULL)); + OK_(memcmp(key, key2, key_size)); + OK_(crypt_keyslot_context_init_by_volume_key(cd, key2, key_size, &um1)); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 0, um2, 0), 0); + crypt_keyslot_context_free(um2); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 1, um2, 0), 1); + crypt_keyslot_context_free(um2); + crypt_keyslot_context_free(um1); + CRYPT_FREE(cd); + + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + OK_(crypt_load(cd, CRYPT_LUKS1, NULL)); + // check key context is not usable + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), -EINVAL); + 
crypt_keyslot_context_free(um1); + + // check token context is not usable + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), -EINVAL); + crypt_keyslot_context_free(um1); + + // by passphrase + memset(key2, 0, key_size); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 0); + OK_(memcmp(key, key2, key_size)); + memset(key2, 0, key_size); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, 0, key2, &key_size, um1), 0); + OK_(memcmp(key, key2, key_size)); + crypt_keyslot_context_free(um1); + + // by keyfile + memset(key2, 0, key_size); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um1)); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 1); + OK_(memcmp(key, key2, key_size)); + memset(key2, 0, key_size); + EQ_(crypt_volume_key_get_by_keyslot_context(cd, 1, key2, &key_size, um1), 1); + crypt_keyslot_context_free(um1); + CRYPT_FREE(cd); + + _remove_keyfiles(); + _cleanup_dmdevices(); +} + // Check that gcrypt is properly initialised in format static void NonFIPSAlg(void) { @@ -1980,6 +2400,11 @@ int main(int argc, char *argv[]) RUN_(VerityTest, "DM verity"); RUN_(TcryptTest, "Tcrypt API"); RUN_(IntegrityTest, "Integrity API"); + RUN_(ResizeIntegrity, "Integrity raw resize"); + RUN_(ResizeIntegrityWithKey, "Integrity raw resize with key"); + RUN_(WipeTest, "Wipe device"); + RUN_(LuksKeyslotAdd, "Adding keyslot via new API"); + RUN_(VolumeKeyGet, "Getting volume key via keyslot context API"); _cleanup(); return 0; diff --git a/tests/api_test.h b/tests/api_test.h index f9109e5..14efead 100644 --- a/tests/api_test.h +++ b/tests/api_test.h 
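Review bot: The last retrieval in VolumeKeyGet, `EQ_(crypt_volume_key_get_by_keyslot_context(cd, 1, key2, &key_size, um1), 1);`, zeroes key2 beforehand but never compares the result. A call that returns slot 1 without filling the buffer, or with the wrong key, would still pass. The three earlier retrievals in that section are each followed by `OK_(memcmp(key, key2, key_size));`, and the same line belongs after this one. Separately, in LuksKeyslotAdd the comment on `.data_alignment = OFFSET_1M` reads "4M, data offset will be 4096", which does not match the constant (2048 in the enum above it).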
@@ -1,9 +1,9 @@ /* * cryptsetup library API check functions * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz - * Copyright (C) 2016-2021 Ondrej Kozina + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2016-2023 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -38,6 +38,10 @@ int t_dm_check_versions(void); int t_dm_crypt_keyring_support(void); int t_dm_crypt_cpu_switch_support(void); int t_dm_crypt_discard_support(void); +int t_dm_integrity_resize_support(void); +int t_dm_integrity_recalculate_support(void); +int t_dm_capi_string_supported(void); +int t_set_readahead(const char *device, unsigned value); int fips_mode(void); @@ -96,6 +100,9 @@ void xlog(const char *msg, const char *tst, const char *func, int line, const ch #define CRYPT_FREE(x) do { crypt_free(x); x = NULL; } while (0) +/* to silent clang -Wcast-align when working with byte arrays */ +#define VOIDP_CAST(x) (x)(void*) + #define DMDIR "/dev/mapper/" #define TST_SECTOR_SHIFT 9L 
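Review bot: The comment on `VOIDP_CAST` says only that it silences clang -Wcast-align. Routing the cast through `void *` hides the warning but does not make the pointer aligned, so dereferencing the result on a byte array with weaker alignment is still undefined behaviour. I would state the contract in the comment: `/* silences clang -Wcast-align; caller must guarantee the buffer is suitably aligned for type x, otherwise copy with memcpy */`. The macro's call sites are outside this hunk, so whether they meet that contract is not checked here.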
@@ -118,7 +125,23 @@ void xlog(const char *msg, const char *tst, const char *func, int line, const ch #define T_DM_VERITY_FEC_SUPPORTED (1 << 10) /* Forward Error Correction (FEC) */ #define T_DM_KERNEL_KEYRING_SUPPORTED (1 << 11) /* dm-crypt allows loading kernel keyring keys */ #define T_DM_INTEGRITY_SUPPORTED (1 << 12) /* dm-integrity target supported */ -//FIXME add T_DM_SECTOR_SIZE once we have version +#define T_DM_SECTOR_SIZE_SUPPORTED (1 << 13) /* support for sector size setting in dm-crypt/dm-integrity */ +#define T_DM_CAPI_STRING_SUPPORTED (1 << 14) /* support for cryptoapi format cipher definition */ +#define T_DM_DEFERRED_SUPPORTED (1 << 15) /* deferred removal of device */ +#define T_DM_INTEGRITY_RECALC_SUPPORTED (1 << 16) /* dm-integrity automatic recalculation supported */ +#define T_DM_INTEGRITY_BITMAP_SUPPORTED (1 << 17) /* dm-integrity bitmap mode supported */ +#define T_DM_GET_TARGET_VERSION_SUPPORTED (1 << 18) /* dm DM_GET_TARGET version ioctl supported */ +#define T_DM_INTEGRITY_FIX_PADDING_SUPPORTED (1 << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */ +#define T_DM_BITLK_EBOIV_SUPPORTED (1 << 20) /* EBOIV for BITLK supported */ +#define T_DM_BITLK_ELEPHANT_SUPPORTED (1 << 21) /* Elephant diffuser for BITLK supported */ +#define T_DM_VERITY_SIGNATURE_SUPPORTED (1 << 22) /* Verity option root_hash_sig_key_desc supported */ +#define T_DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */ +#define T_DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/ +#define T_DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption */ +#define T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt suppot for bypassing workqueues */ +#define T_DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */ +#define T_DM_INTEGRITY_RESET_RECALC_SUPPORTED 
(1 << 27) /* dm-integrity automatic recalculation supported */ +#define T_DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */ /* loop helpers */ int loop_device(const char *loop); @@ -129,4 +152,14 @@ int loop_detach(const char *loop); int t_device_size_by_devno(dev_t devno, uint64_t *retval); int t_get_devno(const char *dev, dev_t *devno); +typedef enum { ERR_RD = 0, ERR_WR, ERR_RW, ERR_REMOVE } error_io_info; + +int dmdevice_error_io(const char *dm_name, + const char *dm_device, + const char *error_device, + uint64_t data_offset, + uint64_t offset, + uint64_t length, + error_io_info ei); + #endif diff --git a/tests/bitlk-compat-test b/tests/bitlk-compat-test index 54cc6bf..8559e06 100755 --- a/tests/bitlk-compat-test +++ b/tests/bitlk-compat-test @@ -6,7 +6,7 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup TST_DIR=bitlk-images MAP=bitlktst -DUMP_MK_FILE=bitlk-test-mk +DUMP_VK_FILE=bitlk-test-vk CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_LIB_VALGRIND=../.libs @@ -51,6 +51,14 @@ function check_dump() # load variables for this image from config file load_vars $file + # volume size + dump_size=$(echo "$dump" | grep "Volume size:" | cut -d: -f2 | tr -d "\t\n ") + [ "$dump_size" = "104857600[bytes]" -o "$dump_size" = "134217728[bytes]" ] || fail " volume size check from dump failed." + + # description + dump_desc=$(echo "$dump" | grep Description: | cut -d: -f2 | tr -d "\t\n ") + [ "${dump_desc:0:7}" = "DESKTOP" -o "${dump_desc:0:3}" = "WIN" ] || fail " Description check from dump failed." + # GUID dump_guid=$(echo "$dump" | grep Version -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ") [ ! -z "$GUID" -a "$dump_guid" = "$GUID" ] || fail " GUID check from dump failed." 
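Review bot: `T_DM_INTEGRITY_RESET_RECALC_SUPPORTED` carries the same comment as `T_DM_INTEGRITY_RECALC_SUPPORTED` ("dm-integrity automatic recalculation supported"), so the two flags read as one feature. The comment on bit 27 should describe the reset variant instead. `T_DM_INTEGRITY_RESIZE_SUPPORTED` and `T_DM_INTEGRITY_DISCARDS_SUPPORTED` are both `(1 << 23)`, which the comment says is intended. Writing it as `#define T_DM_INTEGRITY_RESIZE_SUPPORTED T_DM_INTEGRITY_DISCARDS_SUPPORTED` would make the alias explicit and stop a later renumbering from separating them silently. The comment on `T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED` also has a typo, "suppot".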
@@ -83,7 +91,7 @@ function check_dump() function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -94,6 +102,7 @@ function valgrind_run() } export LANG=C +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ ! -d $TST_DIR ] && tar xJSf $srcdir/bitlk-images.tar.xz --no-same-owner 2>/dev/null || skip "Incompatible tar." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run @@ -133,7 +142,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do [ $ret -eq 0 ] || fail " failed to open $file ($ret)" $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail - uuid=$(lsblk -n -o UUID /dev/mapper/$MAP) + uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP) sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1) $CRYPTSETUP remove $MAP || fail [ "$uuid" = "$UUID" ] || fail " UUID check failed." 
@@ -141,29 +150,29 @@ for file in $(ls $TST_DIR/bitlk-*) ; do echo " [OK]" done - # test with master key - rm -f $DUMP_MK_FILE >/dev/null 2>&1 + # test with volume key + rm -f $DUMP_VK_FILE >/dev/null 2>&1 echo -n " $file" - echo $PASSPHRASE | $CRYPTSETUP bitlkDump -r $file --dump-master-key --master-key-file $DUMP_MK_FILE >/dev/null 2>&1 + echo $PASSPHRASE | $CRYPTSETUP bitlkDump -r $file --dump-volume-key --volume-key-file $DUMP_VK_FILE >/dev/null 2>&1 ret=$? - [ $ret -eq 0 ] || fail " failed to dump master key" - $CRYPTSETUP bitlkOpen -r $file $MAP --master-key-file $DUMP_MK_FILE >/dev/null 2>&1 + [ $ret -eq 0 ] || fail " failed to dump volume key" + $CRYPTSETUP bitlkOpen -r $file $MAP --volume-key-file $DUMP_VK_FILE >/dev/null 2>&1 ret=$? [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "-4k.img" ) && echo " [N/A]" && continue - [ $ret -eq 0 ] || fail " failed to open $file using master key ($ret)" + [ $ret -eq 0 ] || fail " failed to open $file using volume key ($ret)" $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail - uuid=$(lsblk -n -o UUID /dev/mapper/$MAP) + uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP) sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1) $CRYPTSETUP remove $MAP || fail [ "$uuid" = "$UUID" ] || fail " UUID check failed." [ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed." echo " [OK]" - rm -f $DUMP_MK_FILE >/dev/null 2>&1 + rm -f $DUMP_VK_FILE >/dev/null 2>&1 # startup key test -- we need to use BEK file from the archive if echo "$file" | grep -q -e "startup-key"; then 
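Review bot: The `[N/A]` branches leave the dumped volume key on disk. Each `[ $ret -eq 1 ] && ... && continue` after the `bitlkOpen --volume-key-file` call jumps past the `rm -f $DUMP_VK_FILE` at the end of the block, and `fail` exits before it as well. Moving the removal to directly after the open, `ret=$?` followed by `rm -f $DUMP_VK_FILE >/dev/null 2>&1`, cleans up on every path. The enclosing loop and any exit-time cleanup are outside this hunk, so a later cleanup may already cover this. The next iteration's leading `rm -f` does, except after the last image.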
@@ -177,7 +186,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do [ $ret -eq 0 ] || fail " failed to open $file ($ret)" $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail - uuid=$(lsblk -n -o UUID /dev/mapper/$MAP) + uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP) sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1) $CRYPTSETUP remove $MAP || fail [ "$uuid" = "$UUID" ] || fail " UUID check failed." diff --git a/tests/blockwise-compat b/tests/blockwise-compat-test similarity index 92% rename from tests/blockwise-compat rename to tests/blockwise-compat-test index f08f983..11db493 100755 --- a/tests/blockwise-compat +++ b/tests/blockwise-compat-test @@ -56,20 +56,19 @@ skip() { echo "TEST SKIPPED: $1" cleanup - exit 0 + exit 77 } add_device() { rmmod scsi_debug >/dev/null 2>&1 if [ -d /sys/module/scsi_debug ] ; then - echo "Cannot use scsi_debug module (in use or compiled-in), test skipped." - exit 77 + skip "Cannot use scsi_debug module (in use or compiled-in)." fi modprobe scsi_debug $@ delay=0 >/dev/null 2>&1 if [ $? -ne 0 ] ; then - echo "This kernel seems to not support proper scsi_debug module, test skipped." - exit 77 + skip "This kernel seems to not support proper scsi_debug module." fi + grep -q scsi_debug /sys/block/*/device/model || sleep 2 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) DEV="/dev/$DEV" [ -b $DEV ] || fail "Cannot find $DEV." 
@@ -81,24 +80,24 @@ falloc() { run_all_in_fs() { for file in $(ls img_fs_*.img.xz) ; do - echo "Run tests in $file put on top block device." - xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image" - [ ! -d $MNT_DIR ] && mkdir $MNT_DIR - mount $DEV $MNT_DIR - if [ $? -ne 0 ]; then - echo "Mounting image $file failed, skipped." - continue; - fi - rm -rf $MNT_DIR/* 2>/dev/null - local tfile=$MNT_DIR/bwunit_tstfile - falloc $DEVSIZEMB $tfile || fail "enospc?" - local iobsize=$(stat -c "%o" $tfile) - test -n "$iobsize" -a $iobsize -gt 0 || fail - local oldbsize=$BSIZE - BSIZE=$iobsize - run_all $tfile - BSIZE=$oldbsize - umount $MNT_DIR + echo "Run tests in $file put on top block device." + xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image" + [ ! -d $MNT_DIR ] && mkdir $MNT_DIR + mount $DEV $MNT_DIR + if [ $? -ne 0 ]; then + echo "Mounting image $file failed, skipped." + continue; + fi + rm -rf $MNT_DIR/* 2>/dev/null + local tfile=$MNT_DIR/bwunit_tstfile + falloc $DEVSIZEMB $tfile || fail "enospc?" + local iobsize=$(stat -c "%o" $tfile) + test -n "$iobsize" -a $iobsize -gt 0 || fail + local oldbsize=$BSIZE + BSIZE=$iobsize + run_all $tfile + BSIZE=$oldbsize + umount $MNT_DIR done } @@ -309,9 +308,7 @@ run_all() { RUN "$BD_FAIL" $1 write_lseek_blockwise $((BSIZE+1)) $BSIZE $((DEVSIZE-BSIZE)) } -[ -n "$CRYPTSETUP_PATH" ] && skip "Cannot run this test with CRYPTSETUP_PATH set." - -which $STRACE > /dev/null 2>&1 || unset STRACE +command -v $STRACE >/dev/null || unset STRACE test -x $BW_UNIT || skip "Run \"make `basename $BW_UNIT`\" first" FAILS=0 diff --git a/tests/compat-test-args b/tests/compat-args-test similarity index 94% rename from tests/compat-test-args rename to tests/compat-args-test index 6b3c38c..c41e942 100755 --- a/tests/compat-test-args +++ b/tests/compat-args-test 
@@ -25,9 +25,17 @@ function fail() exit 2 } +function skip() +{ + [ -n "$1" ] && echo "$1" + echo "Test skipped." + cleanup + exit 77 +} + function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -62,10 +70,10 @@ function exp_pass() } export LANG=C - +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run -# initial test constructed acccording to current cryptsetup content +# initial test constructed according to current cryptsetup content echo "[1] Current state" exp_fail resize NAME --test-passphrase exp_fail close NAME --test-passphrase @@ -250,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0 exp_pass luksAddKey DEV --unbound --key-size 8 exp_pass luksDump DEV --unbound -S5 exp_fail luksDump DEV --unbound +exp_pass open DEV --unbound --test-passphrase +exp_pass open DEV --unbound --test-passphrase -S5 +exp_fail open DEV --unbound NAME +exp_fail open DEV --unbound -S5 NAME exp_fail resize NAME --refresh exp_fail open DEV NAME --test-passphrase --refresh 
@@ -264,13 +276,13 @@ exp_fail reencrypt DEV --reduce-device-size $((64*1024*1024+1)) exp_fail reencrypt DEV --reduce-device-size -64m exp_pass reencrypt DEV --reduce-device-size 64m exp_fail reencrypt DEV --reduce-device-size 64m --device-size 100g -exp_fail reencrypt DEV --decrypt # bugs # exp_fail open DEV --decrypt --header H # exp_fail open DEV --encrypt # exp_fail open DEV NAME --device-size 32m # exp_fail open DEV NAME --size 100 exp_pass open DEV NAME --device-size 32m --type plain +exp_fail open DEV NAME --device-size $((32*1024*1024+1)) --type plain exp_pass open DEV NAME --size 100 --type plain exp_fail open DEV NAME --size 100 --device-size $((512*100)) --type plain exp_fail reencrypt DEV --device-size $((32*1024*1024+1)) diff --git a/tests/compat-test b/tests/compat-test index a71b247..6dc8004 100755 --- a/tests/compat-test +++ b/tests/compat-test @@ -8,6 +8,7 @@ CRYPTSETUP_RAW=$CRYPTSETUP CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_LIB_VALGRIND=../.libs +DIFFER=./differ DEV_NAME=dummy DEV_NAME2=dummy2 DEV_NAME3=dummy3 @@ -44,7 +45,7 @@ KEY_MATERIAL5_EXT="S331776-395264" TEST_UUID="12345678-1234-1234-1234-123456789abc" LOOPDEV=$(losetup -f 2>/dev/null) -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { @@ -87,7 +88,7 @@ function skip() { [ -n "$1" ] && echo "$1" remove_mapping - [ -z "$2" ] && exit $2 + [ -n "$2" ] && exit $2 exit 77 } @@ -151,7 +152,7 @@ function check() { sync [ -z "$1" ] && return - ./differ $ORIG_IMG $IMG $1 || fail + $DIFFER $ORIG_IMG $IMG $1 || fail } function check_exists() 
@@ -195,7 +196,7 @@ function add_scsi_device() { function valgrind_setup() { [ -n "$VALG" ] || return - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" CRYPTSETUP=valgrind_run @@ -215,6 +216,8 @@ function expect_run() } export LANG=C + +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." valgrind_setup # LUKS non-root-tests 
@@ -284,12 +287,16 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -d $KEY1 || fail $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail $CRYPTSETUP luksDump $IMG | grep -q $TEST_UUID || fail +echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-volume-key 2>/dev/null && fail echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-master-key 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-volume-key | grep -q "MK dump:" || fail echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-master-key | grep -q "MK dump:" || fail -$CRYPTSETUP luksDump -q $IMG --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail +$CRYPTSETUP luksDump -q $IMG --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE >/dev/null || fail -echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $IMG || fail +rm -f $VK_FILE +echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $IMG || fail echo "[10] uuid" echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG || fail 
@@ -297,13 +304,14 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped." +[ ! -x "$DIFFER" ] && skip "Cannot find $DIFFER, test skipped." # LUKS root-tests prepare "[1] open - compat image - acceptance check" new echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail check_exists -ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') -[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail +ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') +[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail # Check it can be opened from header backup as well @@ -315,6 +323,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail # Repeat for V1.0 header - not aligned first keyslot +if [ ! fips_mode ] ; then echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail check_exists ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') @@ -326,6 +335,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail check_exists $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi prepare "[2] open - compat image - denial check" new echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail 
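Review bot: `if [ ! fips_mode ] ; then` does not call anything. Inside `[ ]` the word `fips_mode` is a non-empty string, so the negated test is false on every system and the V1.0-header block, up to the `fi` added in the next hunk, never runs. The same condition guards the empty-keyfile tests in the `@@ -440,29 +450,32 @@` hunk. If `fips_mode` is a helper defined elsewhere in the script (not visible here; only the `FIPS_MODE` variable is), the intended form is `if ! fips_mode ; then`. As written, regression coverage for both cases is dropped everywhere, not only under FIPS.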
@@ -428,9 +438,9 @@ tst=$($CRYPTSETUP -q luksUUID $LOOPDEV) [ "$tst"x = "$TEST_UUID"x ] || fail prepare "[16] luksFormat" wipe -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV || fail -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail -$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail +$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail # open by UUID 
@@ -440,29 +450,32 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi +# skip tests using empty passphrase +if [ ! fips_mode ]; then # empty keyfile $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi # open by volume key -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 $LOOPDEV || fail -$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail +$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP luksOpen --volume-key-file $KEY1 $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail # unsupported pe-keyslot encryption echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-cipher "aes-cbc-plain" $LOOPDEV 2>/dev/null && fail echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-key-size 256 $LOOPDEV 2>/dev/null && fail prepare "[17] AddKey volume key, passphrase and keyfile" wipe -# masterkey -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail +# volumekey +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 3 || fail echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail -echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q 
$FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 4 || fail echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/null --key-slot 5 2>/dev/null && fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 5 $KEY1 || fail $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail 
@@ -479,28 +492,28 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail -$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail +$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail # keyfile/keyfile -$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail +$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail # passphrase/keyfile -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail # passphrase/passphrase -echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail +echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail # keyfile/passphrase -echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail prepare "[18] RemoveKey passphrase and keyfile" reuse $CRYPTSETUP luksRemoveKey $LOOPDEV 
$KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail -$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail +$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail @@ -526,7 +539,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail prepare "[19] create & status & resize" wipe echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail 
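Review bot: The `--new-keyfile-size` change from 3 to 8 in the keyfile/passphrase case of [17] carries no explanation, so a later reader cannot tell whether 8 is a required minimum or an arbitrary value. A comment above the line would record the reason, for example `# new key must be at least 8 bytes (presumably a minimum enforced by some crypto backends - confirm)`. The same change is made in the hunk at -457 of tests/compat-test2 and would want the same comment.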
@@ -546,15 +559,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail $CRYPTSETUP -q remove $DEV_NAME || fail $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail $CRYPTSETUP -q remove $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail $CRYPTSETUP -q remove $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail $CRYPTSETUP -q remove $DEV_NAME || fail # 4k sector resize (if kernel supports it) -echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 +echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 if [ $? -eq 0 ] ; then $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail @@ -567,7 +580,7 @@ if [ $? -eq 0 ] ; then fi # Resize not aligned to logical block size add_scsi_device dev_size_mb=32 sector_size=4096 -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail dmsetup info $DEV_NAME | grep -q SUSPENDED && fail 
@@ -575,10 +588,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+ test $OLD_SIZE -eq $NEW_SIZE || fail $CRYPTSETUP close $DEV_NAME || fail # Add check for unaligned plain crypt activation -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail # verify is ignored on non-tty input -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail $CRYPTSETUP -q remove $DEV_NAME || fail $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail 
@@ -606,11 +619,11 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail -echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail -$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail -echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE > /dev/null || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail +echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key | grep -q "MK dump:" || fail +$CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE > /dev/null || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $LOOPDEV || fail prepare "[22] remove disappeared device" wipe dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail @@ -625,7 +638,7 @@ dmsetup remove --retry $DEV_NAME || fail prepare "[23] ChangeKey passphrase and keyfile" wipe # [0]$KEY1 [1]key0 $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail # keyfile [0] / keyfile [0] $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail # passphrase [1] / passphrase [1] 
@@ -695,15 +708,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \ dmsetup remove --retry $DEV_NAME2 prepare "[25] Create shared segments" wipe -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail $CRYPTSETUP -q remove $DEV_NAME2 || fail $CRYPTSETUP -q remove $DEV_NAME || fail prepare "[26] Suspend/Resume" wipe # only LUKS is supported -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail $CRYPTSETUP -q remove $DEV_NAME || fail 
@@ -718,14 +731,17 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail [ $? -ne 2 ] && fail "luksResume should return EPERM exit code" echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail +# skip tests using empty passphrase +if [ ! fips_mode ]; then echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail $CRYPTSETUP luksSuspend $DEV_NAME || fail $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail echo | $CRYPTSETUP luksResume $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi -prepare "[27] luksOpen with specified key slot number" wipe +prepare "[27] luksOpen/luksResume with specified key slot number" wipe # first, let's try passphrase option echo $PWD3 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -S 5 $LOOPDEV || fail check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5 @@ -733,8 +749,12 @@ echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +echo $PWD3 | $CRYPTSETUP luksResume -S 4 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +echo $PWD3 | $CRYPTSETUP luksResume -S 5 $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail -echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail +echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0 echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail 
@@ -743,10 +763,14 @@ echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail # second, try it with keyfiles $CRYPTSETUP luksFormat --type luks1 -q -S 5 -d $KEY5 $LOOPDEV || fail check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5 -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1 $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +$CRYPTSETUP luksResume -S 1 -d $KEY5 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +$CRYPTSETUP luksResume -S 5 -d $KEY5 $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail @@ -776,7 +800,7 @@ $CRYPTSETUP luksSuspend $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail $CRYPTSETUP luksClose $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail 
@@ -804,7 +828,7 @@ $CRYPTSETUP luksClose $DEV_NAME || fail prepare "[30] LUKS erase" wipe $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY5 --key-slot 5 || fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail $CRYPTSETUP luksErase -q $LOOPDEV || fail @@ -832,12 +856,11 @@ fi # Interactive tests # Do not remove sleep 0.1 below, the password query flushes TTY buffer (so the code is racy). -which expect >/dev/null 2>&1 || skip "WARNING: expect tool missing, interactive test will be skipped." 0 +command -v expect >/dev/null || skip "WARNING: expect tool missing, interactive test will be skipped." 0 prepare "[32] Interactive password retry from terminal." new EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/") -EXPECT_TIMEOUT=10 -[ -n "$VALG" ] && EXPECT_TIMEOUT=60 +EXPECT_TIMEOUT=60 expect_run - >/dev/null <<EOF proc abort {} { send_error "Timeout. "; exit 2 } @@ -967,7 +990,7 @@ sleep 0.1 send "$PWD1\n" expect timeout abort "Command successful." expect timeout abort eof -eval spawn $CRYPTSETUP_RAW luksOpen $FAST_PBKDF_OPT -v $LOOPDEV --test-passphrase +eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase expect timeout abort "Enter passphrase" sleep 0.1 send "$PWD1\n" 
@@ -1081,5 +1104,34 @@ expect timeout abort eof EOF [ $? -eq 0 ] || fail "Expect script failed." +prepare "[41] New luksAddKey options." file +rm -f $VK_FILE +echo "$PWD1" | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $IMG || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail + +# pass pass +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT $IMG || fail +echo $PWD2 | $CRYPTSETUP open -q --test-passphrase -S1 $IMG || fail + +# pass file +echo "$PWD2" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 2 $IMG $KEY1 || fail +$CRYPTSETUP open --test-passphrase -q -S2 -d $KEY1 $IMG || fail + +# file pass +echo "$PWD3" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 -d $KEY1 --new-key-slot 3 $IMG || fail +echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S3 $IMG || fail + +# file file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 4 -d $KEY1 --new-keyfile $KEY2 $IMG || fail +$CRYPTSETUP open --test-passphrase -q -S4 -d $KEY2 $IMG || fail + +# vk pass +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S5 --volume-key-file $VK_FILE $IMG || fail +echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S5 $IMG || fail + +# vk file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $IMG || fail +$CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $IMG || fail + remove_mapping exit 0 diff --git a/tests/compat-test2 b/tests/compat-test2 index 031800a..c54dc7e 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" TEST_UUID="12345678-1234-1234-1234-123456789abc" LOOPDEV=$(losetup -f 2>/dev/null) -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { 
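Review bot: Test [41] asserts only the success path for the new `--new-key-slot` and `--new-keyfile` options, so a regression in which `-S` stops restricting which existing keyslot may authorise the addition would go unnoticed. After the "pass pass" case slot 1 holds `$PWD2`, so a denial check such as `echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 7 $IMG $KEY1 2>/dev/null && fail` would pin that behaviour; this assumes `$PWD1` and `$PWD2` differ, which their definitions outside the hunk should confirm. A following `luksDump` check that slot 7 is still disabled would complete it.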
@@ -152,7 +152,7 @@ function check_exists() function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -217,7 +217,7 @@ function dm_crypt_sector_size_support() } function test_and_prepare_keyring() { - which keyctl > /dev/null 2>&1 || skip "Cannot find keyctl, test skipped" + command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped" keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped" TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null) test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring" @@ -244,6 +244,11 @@ function setup_luks2_env() { else HAVE_KEYRING=0 fi + if $($CRYPTSETUP --version | grep -q "BLKID"); then + HAVE_BLKID=1 + else + HAVE_BLKID=0 + fi $CRYPTSETUP close $DEV_NAME || fail } @@ -281,6 +286,7 @@ function add_scsi_device() { export LANG=C +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped." @@ -322,7 +328,7 @@ prepare "[4] format using hash sha512" wipe echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail $CRYPTSETUP -q luksDump $LOOPDEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail # Check JSON dump for some mandatory section -$CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata | grep -q '\"tokens\":' || fail +$CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata | grep -q '"tokens":' || fail prepare "[5] open" echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail 
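Review bot: In the lines added to `setup_luks2_env` (hunk -244), `if $($CRYPTSETUP --version | grep -q "BLKID"); then` wraps the pipeline in a command substitution that expands to nothing, so the branch relies on the shell rule that an empty command takes the exit status of its last substitution. The direct form `if $CRYPTSETUP --version | grep -q "BLKID"; then` tests the same thing and is easier to read. If the HAVE_KEYRING check just above the hunk uses the same wrapper, changing both together would keep them consistent; the function begins outside the hunk.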
@@ -409,9 +415,9 @@ tst=$($CRYPTSETUP -q luksUUID $LOOPDEV) [ "$tst"x = "$TEST_UUID"x ] || fail prepare "[16] luksFormat" wipe -echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV || fail -echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail -$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail +$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail # open by UUID 
@@ -421,26 +427,30 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi +# skip tests using empty passphrases +if [ ! fips_mode ]; then # empty keyfile $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi + # open by volume key -echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail -$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail +$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP luksOpen --volume-key-file $KEY1 $LOOPDEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail prepare "[17] AddKey volume key, passphrase and keyfile" wipe -# masterkey -echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail +# volumekey +echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --volume-key-file /dev/zero --key-slot 3 || fail echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail -echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 4 || fail echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 
2>/dev/null && fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/null --key-slot 5 2>/dev/null && fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 5 $KEY1 || fail $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail 
@@ -457,21 +467,21 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail -$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail +$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail # keyfile/keyfile -$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail +$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail # passphrase/keyfile -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail # passphrase/passphrase -echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail +echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail # keyfile/passphrase -echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail prepare "[18] RemoveKey passphrase and keyfile" reuse 
@@ -572,16 +582,18 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TE echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail -echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail -$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail +echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key | grep -q "MK dump:" || fail +$CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE >/dev/null || fail -echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail +rm -f $VK_FILE +echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $LOOPDEV || fail # Use volume key file without keyslots $CRYPTSETUP luksErase -q $LOOPDEV || fail -$CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail +$CRYPTSETUP luksOpen --volume-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE --key-size 256 $LOOPDEV || fail echo $PWD1 | 
$CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail prepare "[22] remove disappeared device" wipe @@ -597,7 +609,7 @@ dmsetup remove --retry $DEV_NAME || fail prepare "[23] ChangeKey passphrase and keyfile" wipe # [0]$KEY1 [1]key0 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --key-size 256 --luks2-keyslots-size 256k >/dev/null || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail # keyfile [0] / keyfile [0] $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail # passphrase [1] / passphrase [1] 
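Review bot: In hunk -572 one context line still calls `luksDump` with `--dump-master-key --master-key-file $VK_FILE` while every neighbouring line is renamed, and nothing says whether that is deliberate. If it is kept to cover the old option names, a comment such as `# old --master-key* option names must still be accepted` above it would stop a later cleanup from removing that coverage; if not, it should be renamed with the rest. The added `rm -f $VK_FILE` would also benefit from a short comment, e.g. `# the dump below must create the file; the repeated dump is expected to fail on the existing file`, since the `&& fail` line that follows apparently depends on that.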
@@ -672,24 +684,32 @@ $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail -prepare "[27] luksOpen with specified key slot number" wipe +prepare "[27] luksOpen/Resume with specified key slot number" wipe # first, let's try passphrase option echo $PWD3 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +echo $PWD3 | $CRYPTSETUP luksResume -S 4 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +echo $PWD3 | $CRYPTSETUP luksResume -S 5 $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail -echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail +echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail # second, try it with keyfiles $CRYPTSETUP -q luksFormat -q -S 5 $FAST_PBKDF_OPT -d $KEY5 --type luks2 $LOOPDEV || fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +$CRYPTSETUP luksResume -S 1 -d $KEY5 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +$CRYPTSETUP luksResume -S 5 -d $KEY5 $DEV_NAME || fail $CRYPTSETUP luksClose $DEV_NAME || fail $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 
2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail @@ -699,7 +719,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail # otoh it should be allowed to test for proper passphrase prepare "" new echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail -echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail +echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail @@ -708,7 +728,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/de $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail -echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail +echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail prepare "[28] Detached LUKS header" wipe @@ -730,7 +750,7 @@ $CRYPTSETUP luksSuspend $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail $CRYPTSETUP luksClose $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail 
@@ -744,10 +764,12 @@ $CRYPTSETUP -q luksDump $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[byte prepare "[29] Repair metadata" wipe xz -dk $HEADER_LUKS2_PV.xz -$CRYPTSETUP isLuks --disable-locks $HEADER_LUKS2_PV && fail -$CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail -$CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail -$CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail +if [ "$HAVE_BLKID" -gt 0 ]; then + $CRYPTSETUP isLuks --disable-locks $HEADER_LUKS2_PV && fail + $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail + $CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail + $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail +fi $CRYPTSETUP -q repair $HEADER_LUKS2_PV || fail $CRYPTSETUP isLuks $HEADER_LUKS2_PV || fail $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV || fail @@ -755,7 +777,7 @@ $CRYPTSETUP isLuks --type luks1 $HEADER_LUKS2_PV && fail prepare "[30] LUKS erase" wipe $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail $CRYPTSETUP luksErase -q $LOOPDEV || fail @@ -764,7 +786,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" && fail prepare "[31] LUKS convert" wipe $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail $CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata >/dev/null 2>&1 && fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail 
@@ -774,8 +796,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail # hash test -$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail -$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail +$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail @@ -791,6 +813,18 @@ $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail $CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail +# keyslot 1 area offset is higher than keyslot 0 area +echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --key-slot 0 $LOOPDEV || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_OPT --key-slot 1 $LOOPDEV || fail +echo -e "$PWD1\n$PWD1" | $CRYPTSETUP -q luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail +# convert to LUKS1 and back; LUKS1 does not store length, only offset +$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail +echo $PWD2 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail +$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail +echo $PWD2 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail + if dm_crypt_keyring_flawed; then prepare "[32a] LUKS2 keyring dm-crypt bug" wipe echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail 
@@ -852,6 +886,11 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase || fail $CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail $CRYPTSETUP status $DEV_NAME > /dev/null || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME <&- || fail + $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail $CRYPTSETUP close $DEV_NAME || fail # check --token-type sort of works (TODO: extend tests when native systemd tokens are available) 
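Review bot: The second `luksResume` in this hunk (the one with `--token-type luks2-keyring`) is not followed by the `$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail` check that the first resume gets, so only its exit code is verified. Repeating that line after it would confirm the device really left the suspended state. A short comment above the pair, e.g. `# stdin is closed (<&-) so resume cannot fall back to reading a passphrase`, would explain the redirection, assuming that is its purpose. The enclosing `if [ $HAVE_KEYRING ...` block starts and ends outside the hunk.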
@@ -865,9 +904,26 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail # test we can remove keyslot with token - echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail - $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $LOOPDEV || fail + $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail $CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail + $CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail + + # test we can add unassigned token + $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail + $CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail + + # test token unassign works + $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV || fail + $CRYPTSETUP token unassign --token-id 0 $LOOPDEV 2>/dev/null && fail + $CRYPTSETUP token unassign -S0 $LOOPDEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail fi echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail 
@@ -887,7 +943,7 @@ diff $TOKEN_FILE0 $TOKEN_FILE1 || fail prepare "[34] LUKS keyslot priority" wipe echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -S 1 || fail -echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail $CRYPTSETUP config $LOOPDEV -S 0 --priority prefer && fail $CRYPTSETUP config $LOOPDEV -S 1 --priority bla >/dev/null 2>&1 && fail $CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail 
@@ -943,55 +999,53 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail $CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail prepare "[38] luksAddKey unbound tests" wipe $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail # unbound key may have arbitrary size -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail -echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 512 -S 3 --master-key-file $KEY_FILE0 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP 
luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" || fail # unbound key size is required echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $LOOPDEV 2>/dev/null && fail -echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --master-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail -# do not allow to replace keyslot by unbound slot +echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --volume-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail +# do not allow one to replace keyslot by unbound slot echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail -echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail -echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail # check we're able to change passphrase for unbound keyslot echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail -echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP open --test-passphrase -S 2 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP -q open -S 2 $LOOPDEV $DEV_NAME 2> /dev/null && fail # do not allow adding keyslot by unbound keyslot echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail # check adding keyslot works when there's unbound keyslot -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP 
luksKillSlot -q $LOOPDEV 2 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" && fail -echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 $LOOPDEV 2> /dev/null && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 $LOOPDEV 2> /dev/null && fail echo $PWD3 | $CRYPTSETUP luksDump --unbound 2> /dev/null $LOOPDEV 2> /dev/null && fail -echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV > /dev/null || fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV > /dev/null || fail diff $KEY_FILE0 $KEY_FILE1 || fail -echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV 2> /dev/null && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV 2> /dev/null && fail diff $KEY_FILE0 $KEY_FILE1 || fail rm $KEY_FILE1 || fail -echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV | grep -q "Unbound Key:" && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV | grep -q "Unbound Key:" && fail echo $PWD3 | $CRYPTSETUP luksDump --unbound -S3 $LOOPDEV | grep -q "Unbound Key:" || fail $CRYPTSETUP luksKillSlot -q $LOOPDEV 3 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail @@ -1003,7 +1057,7 @@ for mda in 16 32 64 128 256 512 1024 2048 4096 ; do echo -n "[$mda KiB]" echo $PWD4 | $CRYPTSETUP open test_image_$mda $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail - echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT test_image_$mda || fail + echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -q -S9 $FAST_PBKDF_OPT test_image_$mda || fail echo $PWD4 | $CRYPTSETUP open --test-passphrase test_image_$mda || fail echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase test_image_$mda || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import test_image_$mda --token-id 10 || fail 
@@ -1042,18 +1096,18 @@ KEYSLOT_CIPHER="aes-cbc-plain64" $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail -$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail +$CRYPTSETUP luksAddKey -q $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail -$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail +$CRYPTSETUP luksAddKey -q $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail # unbound keyslot -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 
$LOOPDEV || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail -echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail 
@@ -1067,5 +1121,84 @@ for cipher in $CIPHERS ; do done echo +prepare "[43] New luksAddKey options." wipe +rm -f $VK_FILE +echo "$PWD1" | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail + +# pass pass +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT $IMG || fail +echo $PWD2 | $CRYPTSETUP open -q --test-passphrase -S1 $IMG || fail + +# pass file +echo "$PWD2" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 2 $IMG $KEY1 || fail +$CRYPTSETUP open --test-passphrase -q -S2 -d $KEY1 $IMG || fail + +# file pass +echo "$PWD3" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 -d $KEY1 --new-key-slot 3 $IMG || fail +echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S3 $IMG || fail + +# file file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 4 -d $KEY1 --new-keyfile $KEY2 $IMG || fail +$CRYPTSETUP open --test-passphrase -q -S4 -d $KEY2 $IMG || fail + +# vk pass +echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S5 --volume-key-file $VK_FILE $IMG || fail +echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S5 $IMG || fail + +# vk file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $IMG || fail +$CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $IMG || fail + +if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then + test_and_prepare_keyring + load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + load_key user $TEST_TOKEN1 $PWDW "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP token add $IMG --key-description $TEST_TOKEN0 --token-id 0 -S0 || fail + $CRYPTSETUP token add $IMG --key-description $TEST_TOKEN1 --token-id 1 --unbound || fail + + # pass token + echo -e "$PWD1" | $CRYPTSETUP luksAddKey -q -S7 --new-token-id 1 $FAST_PBKDF_OPT $IMG || fail + $CRYPTSETUP open -q 
--test-passphrase --token-only --token-id 1 -q $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail + + # file token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 7 --new-token-id 1 -d $KEY1 $IMG || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail + + # vk token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --volume-key-file $VK_FILE --new-token-id 1 $IMG || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail + + # token pass + echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --token-id 0 $IMG || fail + echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S7 $IMG || fail + + # token file + echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S8 --token-id 0 $IMG $KEY2 || fail + $CRYPTSETUP open -q --test-passphrase -S8 --key-file $KEY2 $IMG || fail + + # token token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S9 --token-id 0 --new-token-id 1 $IMG || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail + + # reuse same token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S0 --new-key-slot 9 --token-id 0 --new-token-id 0 $IMG || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail + + # reuse same token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --token-id 0 --new-token-id 0 $IMG || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail + 
$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail +fi + remove_mapping exit 0 diff --git a/tests/compatimage.img.xz b/tests/compatimage.img.xz index 37fe163..cb515f4 100644 Binary files a/tests/compatimage.img.xz and b/tests/compatimage.img.xz differ diff --git a/tests/conversion_imgs.tar.xz b/tests/conversion_imgs.tar.xz index cdeb961..43e35fe 100644 Binary files a/tests/conversion_imgs.tar.xz and b/tests/conversion_imgs.tar.xz differ diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c index 39cad45..ae8dd68 100644 --- a/tests/crypto-vectors.c +++ b/tests/crypto-vectors.c @@ -1,7 +1,7 @@ /* * cryptsetup crypto backend test vectors * - * Copyright (C) 2018-2021 Milan Broz + * Copyright (C) 2018-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License 
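Review bot: The volume key dumped into `$VK_FILE` at the top of test [43] is not removed anywhere in the visible lines; the hunk only runs `rm -f $VK_FILE` before the dump. Unless the cleanup path (`remove_mapping`, defined outside this hunk) already deletes it, add `rm -f $VK_FILE` after the last `--volume-key-file` use so raw key material does not stay behind in the test directory. Both `load_key` failure messages say `Cannot load 32 byte user key type`, although the values loaded are the passphrases `$PWD1` and `$PWDW`. The last block relies on the new keyslot landing in slot 9 without `-S` or `--new-key-slot`; a one-line comment stating that assumption would help.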
@@ -953,6 +953,73 @@ static struct cipher_iv_test_vector cipher_iv_test_vectors[] = { }, }}}; +/* Base64 test vectors */ +struct base64_test_vector { + size_t decoded_len; + const char *decoded; + const char *encoded; +}; + +static struct base64_test_vector base64_test_vectors[] = { + { 0, "", "" }, + { 1, "\x00", "AA==" }, + { 1, "f", "Zg==" }, + { 2, "fo", "Zm8=" }, + { 3, "foo", "Zm9v" }, + { 4, "foob", "Zm9vYg==" }, + { 5, "fooba", "Zm9vYmE=" }, + { 6, "foobar", "Zm9vYmFy" }, + { 11, "Hello world", "SGVsbG8gd29ybGQ=" }, + { 22, "\x36\x03\x84\xdc\x4e\x03\x46\xa0\xb5\x2d\x03" + "\x6e\xd0\x56\xed\xa0\x37\x02\xac\xc6\x65\xd1", + "NgOE3E4DRqC1LQNu0FbtoDcCrMZl0Q==" }, + { 3, "***", "Kioq" }, + { 4, "\x01\x02\x03\x04", "AQIDBA==" }, + { 5, "\xAD\xAD\xAD\xAD\xAD", "ra2tra0=" }, + { 5, "\xFF\xFF\xFF\xFF\xFF", "//////8=" }, + { 32, "\x40\xC1\x3F\xBD\x05\x4C\x72\x2A\xA3\xC2\xF2" + "\x11\x73\xC0\x69\xEA\x49\x7D\x35\x29\x6B\xCC" + "\x24\x65\xF6\xF9\xD0\x41\x08\x7B\xD7\xA9", + "QME/vQVMciqjwvIRc8Bp6kl9NSlrzCRl9vnQQQh716k=" }, + { 7, "\x54\x0f\xdc\xf0\x0f\xaf\x4a", "VA/c8A+vSg==" }, + {179, "blah blah blah blah blah blah blah blah blah " + "blah blah blah blah blah blah blah blah blah " + "blah blah blah blah blah blah blah blah blah " + "blah blah blah blah blah blah blah blah blah", + "YmxhaCBibGFoIGJsYWggYmxhaCBibGFoIGJsYWggYmxh" + "aCBibGFoIGJsYWggYmxhaCBibGFoIGJsYWggYmxhaCBi" + "bGFoIGJsYWggYmxhaCBibGFoIGJsYWggYmxhaCBibGFo" + "IGJsYWggYmxhaCBibGFoIGJsYWggYmxhaCBibGFoIGJs" + "YWggYmxhaCBibGFoIGJsYWggYmxhaCBibGFoIGJsYWgg" + "YmxhaCBibGFoIGJsYWg=" }, +}; + +/* UTF8 to UTF16LE test vectors */ +struct utf8_16_test_vector { + size_t len8; + size_t len16; + const char *utf8; + const char *utf16; +}; + +static struct utf8_16_test_vector utf8_16_test_vectors[] = { + { 1, 2, "a", "\x61\x00" }, + { 16, 32, "0123456789abcdef", + "\x30\x00\x31\x00\x32\x00\x33\x00\x34\x00\x35\x00\x36\x00\x37\x00" + "\x38\x00\x39\x00\x61\x00\x62\x00\x63\x00\x64\x00\x65\x00\x66\x00" }, + { 77, 78, + 
"\xf2\xa4\xa5\x94\x49\xf2\xa1\x98\x98\xd8\x8a\xe1\xb4\x88\xea\xa7" + "\xaa\xde\x95\xe2\x85\xb1\xe7\xb1\x9a\xf2\xb5\xa1\xae\x37\x2d\xd0" + "\xa9\xe1\x9a\x9c\xe8\xb0\xb7\xc8\x95\x0a\xf3\xaa\x92\xba\xf2\x83" + "\xb0\x99\xf0\x9b\xbe\x8f\x4f\xc8\x86\x30\xe7\xab\xa0\xda\xb9\xd8" + "\x89\xd8\xbc\xd7\x8a\xd9\xbc\xc3\x8f\x33\x62\xda\xb7", + "\x52\xda\x54\xdd\x49\x00\x45\xda\x18\xde\x0a\x06\x08\x1d\xea\xa9" + "\x95\x07\x71\x21\x5a\x7c\x96\xda\x6e\xdc\x37\x00\x2d\x00\x29\x04" + "\x9c\x16\x37\x8c\x15\x02\x0a\x00\x69\xdb\xba\xdc\xcf\xd9\x19\xdc" + "\x2f\xd8\x8f\xdf\x4f\x00\x06\x02\x30\x00\xe0\x7a\xb9\x06\x09\x06" + "\x3c\x06\xca\x05\x7c\x06\xcf\x00\x33\x00\x62\x00\xb7\x06" }, +}; + static int pbkdf_test_vectors(void) { char result[256]; @@ -1262,7 +1329,9 @@ static int cipher_iv_test(void) if (vector->data_length > sizeof(result)) return EXIT_FAILURE; - snprintf(mode_iv, sizeof(mode_iv)-2, "%s-%s", vector->cipher_mode, vector->iv_name); + if (snprintf(mode_iv, sizeof(mode_iv)-2, "%s-%s", vector->cipher_mode, vector->iv_name) < 0) + return EXIT_FAILURE; + r = crypt_storage_init(&storage, vector->out[j].sector_size, vector->cipher_name, mode_iv, vector->key, vector->key_length, vector->out[j].large_iv); if (r == -ENOENT || r == -ENOTSUP) { 
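Review bot: The added check on `snprintf` in `cipher_iv_test` only catches a negative return, so a `cipher_mode`/`iv_name` pair too long for `mode_iv` is silently truncated and the shortened string still reaches `crypt_storage_init`. Compare the result with the size passed as well, e.g. `r = snprintf(mode_iv, sizeof(mode_iv)-2, "%s-%s", vector->cipher_mode, vector->iv_name);` followed by `if (r < 0 || (size_t)r >= sizeof(mode_iv)-2) return EXIT_FAILURE;`, reusing the `r` that the function already assigns from `crypt_storage_init`. `mode_iv` is declared outside the hunk, so its size is not visible here.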
@@ -1325,6 +1394,83 @@ static int check_hash(const char *hash) return EXIT_SUCCESS; } +static int base64_test(void) +{ + unsigned int i; + char *s; + size_t s_len; + + for (i = 0; i < ARRAY_SIZE(base64_test_vectors); i++) { + printf("BASE64 %02d ", i); + s = NULL; + s_len = 0; + if (crypt_base64_encode(&s, &s_len, + base64_test_vectors[i].decoded, + base64_test_vectors[i].decoded_len) < 0) { + printf("[ENCODE FAILED]\n"); + return EXIT_FAILURE; + } else if (strcmp(s, base64_test_vectors[i].encoded)) { + printf("[ENCODE FAILED]\n"); + free(s); + return EXIT_FAILURE; + } + printf("[encode]"); + free(s); + + s = NULL; + s_len = 0; + if (crypt_base64_decode(&s, &s_len, + base64_test_vectors[i].encoded, + strlen(base64_test_vectors[i].encoded)) < 0) { + printf("[DECODE FAILED]\n"); + return EXIT_FAILURE; + } else if (s_len != base64_test_vectors[i].decoded_len || + memcmp(s, base64_test_vectors[i].decoded, s_len)) { + printf("[DECODE FAILED]\n"); + return EXIT_FAILURE; + } + printf("[decode]\n"); + free(s); + } + + return EXIT_SUCCESS; +} + +static int utf8_16_test(void) +{ + unsigned int i; + char s8[128], *s; + char16_t c16[256], s16[256], *su; + + for (i = 0; i < ARRAY_SIZE(utf8_16_test_vectors); i++) { + printf("UTF8/16 %02d ", i); + crypt_backend_memzero(s16, sizeof(s16)); + su = &s16[0]; + if (crypt_utf8_to_utf16(&su, utf8_16_test_vectors[i].utf8, + utf8_16_test_vectors[i].len8) < 0 || + memcmp(utf8_16_test_vectors[i].utf16, s16, + utf8_16_test_vectors[i].len16)) { + printf("[UTF8_TO_UTF16 FAILED]\n"); + return EXIT_FAILURE; + } + printf("[UTF8_TO_UTF16]"); + + crypt_backend_memzero(s8, sizeof(s8)); + s = &s8[0]; + memcpy(c16, utf8_16_test_vectors[i].utf16, utf8_16_test_vectors[i].len16); + if (crypt_utf16_to_utf8(&s, c16, utf8_16_test_vectors[i].len16) < 0 || + utf8_16_test_vectors[i].len8 != strlen(s8) || + memcmp(utf8_16_test_vectors[i].utf8, s8, + utf8_16_test_vectors[i].len8)) { + printf("[UTF16_TO_UTF8 FAILED]\n"); + return EXIT_FAILURE; + } + 
printf("[UTF16_TO_UTF8]\n"); + } + + return EXIT_SUCCESS; +} + static int default_alg_test(void) { printf("Defaults: [LUKS1 hash %s] ", DEFAULT_LUKS1_HASH); @@ -1344,6 +1490,18 @@ static int default_alg_test(void) return EXIT_SUCCESS; } +static int memcmp_test(void) +{ + printf("MEMEQ "); + if (!crypt_backend_memeq("aaaaaaaa", "bbbbbbbb", 8)) + return EXIT_FAILURE; + if (crypt_backend_memeq("aaaaaaaa", "aaaaaaaa", 8)) + return EXIT_FAILURE; + printf("[OK]\n"); + + return EXIT_SUCCESS; +} + static void __attribute__((noreturn)) exit_test(const char *msg, int r) { if (msg) @@ -1381,6 +1539,15 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[] if (cipher_iv_test()) exit_test("IV test failed.", EXIT_FAILURE); + if (base64_test()) + exit_test("BASE64 test failed.", EXIT_FAILURE); + + if (memcmp_test()) + exit_test("Memcmp test failed.", EXIT_FAILURE); + + if (utf8_16_test()) + exit_test("UTF8/16 test failed.", EXIT_FAILURE); + if (default_alg_test()) { if (fips_mode()) printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n"); diff --git a/tests/cryptsetup-valg-supps b/tests/cryptsetup-valg-supps index 493e125..fc9913a 100644 --- a/tests/cryptsetup-valg-supps +++ b/tests/cryptsetup-valg-supps @@ -1,4 +1,4 @@ -# Suppresion file for valgrind +# Suppression file for valgrind # known problem in libgcrypt { diff --git a/tests/device-test b/tests/device-test index 4164a4e..c8b53bb 100755 --- a/tests/device-test +++ b/tests/device-test @@ -10,12 +10,15 @@ PWD2="mymJeD8ivEhE" FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" SKIP_COUNT=0 +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME udevadm settle >/dev/null 2>&1 if [ -d "$MNT_DIR" ] ; then - umount -f $MNT_DIR 2>/dev/null - rmdir $MNT_DIR 2>/dev/null + umount -f $MNT_DIR 2>/dev/null + rmdir $MNT_DIR 2>/dev/null fi rmmod scsi_debug >/dev/null 2>&1 } 
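Review bot: `base64_test` only round-trips well-formed vectors, so nothing checks that `crypt_base64_decode` rejects malformed input (an illegal character, bad or missing padding, a truncated group). Since the decoder presumably handles data read from on-disk metadata, a few vectors that must return `< 0` would be worth adding. The decode-mismatch branch also returns without `free(s)`, unlike the encode-mismatch branch, and the encode check uses `strcmp` without comparing `s_len` against `strlen(base64_test_vectors[i].encoded)`. `utf8_16_test` in the same hunk likewise has no invalid-sequence vector, for example an unpaired surrogate or an overlong UTF-8 form.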
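Review bot: `memcmp_test` would pass for a `crypt_backend_memeq` that looks only at the first byte, because the unequal pair differs in every position. Add a pair that differs only in the last byte, e.g. `if (!crypt_backend_memeq("aaaaaaaa", "aaaaaaab", 8)) return EXIT_FAILURE;`, and one that differs only in the first byte. The failure paths return after printing `MEMEQ ` with no result text or newline, unlike the other tests in this file. A comment noting that the function returns 0 for equal buffers, as the two checks imply, would help, since the name suggests the opposite.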
@@ -36,6 +39,18 @@ skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + add_device() { rmmod scsi_debug >/dev/null 2>&1 [ -d /sys/module/scsi_debug ] && skip "Cannot use scsi_debug module (in use or compiled-in)." @@ -49,6 +64,11 @@ add_device() { [ -b "/dev/$SCSI_DEV" ] || fail "Cannot find $SCSI_DEV." } +add_image() +{ + dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 +} + function dm_crypt_features() { modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" @@ -97,13 +117,13 @@ function dm_crypt_keyring_support() format() # format { - dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 + add_image echo $PWD1 | $CRYPTSETUP luksFormat --type $1 $DEV -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 [ $? -ne 0 ] && fail "Format failed." # test some operation, just in case - echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV -i1 --key-slot 1 + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV -i1 --new-key-slot 1 [ $? -ne 0 ] && fail "Keyslot add failed." $CRYPTSETUP -q luksKillSlot $DEV 1 @@ -118,6 +138,14 @@ check_sector_size() # $1 expected sector size fi } +check_io() +{ + dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M count=32 iflag=direct 2>/dev/null || fail + dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M count=32 oflag=direct 2>/dev/null || fail +} + +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run if [ $(id -u) != 0 ]; then skip "You must be root to run this test, test skipped." fi 
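Review bot: `valgrind_setup` builds `LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"`, which leaves a trailing empty entry when the variable was unset, and the dynamic loader treats an empty entry as the current directory. This script goes on to require root, so libraries could be resolved from whatever directory the test is started in. Use `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` instead. The same function is added to tests/discards-test in this commit and needs the same change. Quoting `"$CRYPTSETUP_VALGRIND"` in the `[ ! -f ... ]` test would also avoid word splitting if the path ever contains spaces.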
@@ -129,8 +157,8 @@ dm_crypt_features echo "[1] Using tmpfs for image" DEV="$MNT_DIR/test.img" mount -t tmpfs none $MNT_DIR || skip "Mounting tmpfs not available." -format luks1 +add_image echo "[2] Kernel dmcrypt performance options" if [ -z "$DM_PERF_CPU" ]; then echo "TEST SKIPPED: dmcrypt options not available" @@ -140,11 +168,13 @@ else echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail + check_io $CRYPTSETUP close $DEV_NAME || fail echo -n "allow_discards " echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail + check_io $CRYPTSETUP close $DEV_NAME || fail echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME || fail echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail @@ -164,10 +194,12 @@ else echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-no_read_workqueue --perf-no_write_workqueue || fail $CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail $CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail + check_io fi $CRYPTSETUP close $DEV_NAME || fail echo + format luks1 echo -n "LUKS: same_cpu_crypt submit_from_cpus " echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail diff --git a/tests/differ.c b/tests/differ.c index ec811a4..95da8e5 100644 --- a/tests/differ.c +++ b/tests/differ.c 
@@ -1,7 +1,7 @@ /* * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python) * - * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/discards-test b/tests/discards-test index 7ffaa84..870f74d 100755 --- a/tests/discards-test +++ b/tests/discards-test @@ -6,6 +6,9 @@ DEV_NAME="discard-t3st" DEV="" PWD1="93R4P4pIqAH8" +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME udevadm settle >/dev/null 2>&1 @@ -21,6 +24,24 @@ fail() exit 100 } +skip() +{ + [ -n "$1" ] && echo "$1" + exit 77 +} + +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + add_device() { rmmod scsi_debug >/dev/null 2>&1 if [ -d /sys/module/scsi_debug ] ; then @@ -54,6 +75,8 @@ function check_version() return 1 } +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run if [ $(id -u) != 0 ]; then echo "WARNING: You must be root to run this test, test skipped." exit 77 
@@ -80,7 +103,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail $CRYPTSETUP luksClose $DEV_NAME || fail echo "[2] Allowing discards for plain device" -echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail +echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail $CRYPTSETUP resize $DEV_NAME --size 100 || fail $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail diff --git a/tests/fake_systemd_tpm_path.c b/tests/fake_systemd_tpm_path.c new file mode 100644 index 0000000..6d82989 --- /dev/null +++ b/tests/fake_systemd_tpm_path.c @@ -0,0 +1,17 @@ +#include <string.h> +#include <stdlib.h> + +/* systemd tpm2-util.h */ +int tpm2_find_device_auto(int log_level, char **ret); + +extern int tpm2_find_device_auto(int log_level __attribute__((unused)), char **ret) +{ + const char *path = getenv("TPM_PATH"); + + if (!path) + *ret = NULL; + else + *ret = strdup(path); + + return 0; +} diff --git a/tests/fuzz/FuzzerInterface.h b/tests/fuzz/FuzzerInterface.h new file mode 100644 index 0000000..b238253 --- /dev/null +++ b/tests/fuzz/FuzzerInterface.h 
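Review bot: In tests/fake_systemd_tpm_path.c, `tpm2_find_device_auto` returns 0 even when `strdup(path)` fails, so the caller gets the same result (success with `*ret == NULL`) as when TPM_PATH is unset. Check the allocation after the `strdup`, for example `if (!*ret) return -ENOMEM;` with `#include <errno.h>` added. A short header comment would also help, stating that this stub stands in for the systemd function during tests and takes the device path from the TPM_PATH environment variable. Nothing in the file says how it is meant to be built or loaded.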
@@ -0,0 +1,81 @@ +// Based on https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/FuzzerInterface.h +// +//===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// Define the interface between libFuzzer and the library being tested. +//===----------------------------------------------------------------------===// + +// NOTE: the libFuzzer interface is thin and in the majority of cases +// you should not include this file into your target. In 95% of cases +// all you need is to define the following function in your file: +// extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// WARNING: keep the interface in C. + +#ifndef LLVM_FUZZER_INTERFACE_H +#define LLVM_FUZZER_INTERFACE_H + +#include <stddef.h> +#include <stdint.h> + +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + +// Define FUZZER_INTERFACE_VISIBILITY to set default visibility in a way that +// doesn't break MSVC. +#if defined(_WIN32) +#define FUZZER_INTERFACE_VISIBILITY __declspec(dllexport) +#else +#define FUZZER_INTERFACE_VISIBILITY __attribute__((visibility("default"))) +#endif + +// Mandatory user-provided target function. +// Executes the code under test with [Data, Data+Size) as the input. +// libFuzzer will invoke this function *many* times with different inputs. +// Must return 0. +FUZZER_INTERFACE_VISIBILITY int +LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// Optional user-provided initialization function. +// If provided, this function will be called by libFuzzer once at startup. +// It may read and modify argc/argv. +// Must return 0. 
+FUZZER_INTERFACE_VISIBILITY int LLVMFuzzerInitialize(int *argc, char ***argv); + +// Optional user-provided custom mutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +// Given the same Seed produces the same mutation. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, + unsigned int Seed); + +// Optional user-provided custom cross-over function. +// Combines pieces of Data1 & Data2 together into Out. +// Returns the new size, which is not greater than MaxOutSize. +// Should produce the same mutation given the same Seed. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, + const uint8_t *Data2, size_t Size2, uint8_t *Out, + size_t MaxOutSize, unsigned int Seed); + +// Experimental, may go away in future. +// libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); + +#undef FUZZER_INTERFACE_VISIBILITY + +#ifdef __cplusplus +} // extern "C" +#endif // __cplusplus + +#endif // LLVM_FUZZER_INTERFACE_H diff --git a/tests/fuzz/LUKS2.proto b/tests/fuzz/LUKS2.proto new file mode 100644 index 0000000..3a0f287 --- /dev/null +++ b/tests/fuzz/LUKS2.proto 
@@ -0,0 +1,379 @@ +/* + * cryptsetup LUKS2 custom mutator + * + * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com> + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +syntax = "proto2"; + +package LUKS2_proto; + +// --------------------------------------------------------------------------- +// ----------------------------- GENERIC OBJECTS ----------------------------- +// --------------------------------------------------------------------------- + +message object_id { + oneof id { + // int_id will be mapped to range -16 to 16 (mod 33) + // this way iy should be easier to generate valid + // object cross-references + uint32 int_id = 1; + string string_id = 2; + } +} + +message string_uint64 { + required bool negative = 1; + oneof number { + uint32 uint_num = 2; + string string_num = 3; + } +} + +enum hash_algorithm { + HASH_ALG_SHA1 = 1; + HASH_ALG_SHA256 = 2; +} + + +// --------------------------------------------------------------------------- +// ----------------------------- BINARY HEADER ------------------------------- +// --------------------------------------------------------------------------- + +enum luks2_magic { + INVALID = 0; + FIRST = 1; + SECOND = 2; +} + +enum luks_version { + ONE = 1; + TWO = 
2; + THREE = 3; +} + +// we limit the size to 64KiB to make the fuzzing faster +// because the checksum needs to be calculated for the whole image +enum hdr_size { + size_16_KB = 16384; + size_32_KB = 32768; + size_64_KB = 65536; +// size_128_KB = 131072; +// size_256_KB = 262144; +// size_512_KB = 524288; +// size_1_MB = 1048576; +// size_2_MB = 2097152; +// size_4_MB = 4194304; +} + +enum seqid_description { + PRIMARY_GREATER = 0; + SECONDARY_GREATER = 1; + EQUAL = 2; +} + +// message luks2_hdr_disk { +// char magic[LUKS2_MAGIC_L]; +// //uint16_t version; /* Version 2 */ +// uint64_t hdr_size; /* in bytes, including JSON area */ +// uint64_t seqid; /* increased on every update */ +// char label[LUKS2_LABEL_L]; +// char checksum_alg[LUKS2_CHECKSUM_ALG_L]; +// uint8_t salt[LUKS2_SALT_L]; /* unique for every header/offset */ +// char uuid[LUKS2_UUID_L]; +// char subsystem[LUKS2_LABEL_L]; /* owner subsystem label */ +// uint64_t hdr_offset; /* offset from device start in bytes */ +// char _padding[184]; +// uint8_t csum[LUKS2_CHECKSUM_L]; +// } +message LUKS2_header { + required luks_version version = 1; + required luks2_magic magic = 2; + required hdr_size hdr_size = 3; + required bool use_correct_checksum = 4; + + optional uint64 selected_offset = 5; +} + +message LUKS2_both_headers { + required LUKS2_header primary_header = 1; + required LUKS2_header secondary_header = 2; + + required seqid_description seqid = 3; + required json_area_description json_area = 4; +} + +message json_area_description { + optional config_description config = 1; + repeated keyslot_description keyslots = 2; + repeated digest_description digests = 3; + repeated segment_description segments = 4; + repeated token_description tokens = 5; +} + +// --------------------------------------------------------------------------- +// ----------------------------- KEYSLOT OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +enum 
keyslot_type { + KEYSLOT_TYPE_LUKS2 = 1; + KEYSLOT_TYPE_REENCRYPT = 2; + KEYSLOT_TYPE_PLACEHOLDER = 3; +} + +enum reencrypt_keyslot_mode { + MODE_REENCRYPT = 1; + MODE_ENCRYPT = 2; + MODE_DECRYPT = 3; +} + +enum reencrypt_keyslot_direction { + DIRECTION_FORWARD = 1; + DIRECTION_BACKWARD = 2; +} + +// The area object contains these mandatory fields: +// - type [string] the area type. +// - offset [string-uint64] the offset from the device start to the beginning of the binary area (in bytes). +// - size [string-uint64] the area size (in bytes). +// +// Area type raw contains these additional fields: +// - encryption [string] the area encryption algorithm, in dm-crypt notation (for example aes-xts-plain64). +// - key_size [integer] the area encryption key size. +// +// Area type none and journal (used only for reencryption optional extension) contain only mandatory fields. +// +// Area type checksum (used only for reencryption optional extension) contains these additional fields: +// - hash [string] The hash algorithm for the checksum resilience mode. +// - sector_size [integer] The data unit size for digest checksum calculated with the hash algorithm. +// +// Area type datashift (used only for reencryption optional extension) contains this additional field: +// - shift_size [string-uint64] The data shift (in bytes) performed during reencryption (shift direction is according to direction field). 
+ +enum keyslot_area_type { + KEYSLOT_AREA_TYPE_RAW = 1; + KEYSLOT_AREA_TYPE_NONE = 2; + KEYSLOT_AREA_TYPE_JOURNAL = 3; + KEYSLOT_AREA_TYPE_CHECKSUM = 4; + KEYSLOT_AREA_TYPE_DATASHIFT = 5; +} + +message keyslot_area_description { + // mandatory fields + optional keyslot_area_type type = 1; + optional string_uint64 offset = 2; + optional string_uint64 size = 3; + + // raw type fields + optional string encryption = 4; + optional int32 key_size = 5; + + // checksum type field + optional hash_algorithm hash = 6; + optional int32 sector_size = 7; + + // datashift type fields + optional string_uint64 shift_size = 8; +} + +// The object describes PBKDF attributes used for the keyslot. +// The kdf object mandatory fields are: +// - type [string] the PBKDF type. +// - salt [base64] the salt for PBKDF (binary data). +// +// The pbkdf2 type (compatible with LUKS1) contains these additional fields: +// - hash [string] the hash algorithm for the PBKDF2 (SHA-256). +// - iterations [integer] the PBKDF2 iterations count. +// +// The argon2i and argon2id type contains these additional fields: +// - time [integer] the time cost (in fact the iterations count for Argon2). +// - memory [integer] the memory cost, in kilobytes. If not available, the keyslot cannot be unlocked. +// - cpus [integer] the required number of threads (CPU cores number cost). If not available, unlocking will be slower. 
+ +enum keyslot_kdf_type { + KEYSLOT_KDF_TYPE_PBKDF2 = 1; + KEYSLOT_KDF_TYPE_ARGON2I = 2; + KEYSLOT_KDF_TYPE_ARGON2ID = 3; +} + +message keyslot_kdf_description { + optional keyslot_kdf_type type = 1; + optional string salt = 2; + + // pbkdf2 type + optional hash_algorithm hash = 3; + optional int32 iterations = 4; + + // argon2i and argon2id types + optional int32 time = 5; + optional int32 memory = 6; + optional int32 cpus = 7; +} + +enum keyslot_af_type { + KEYSLOT_AF_TYPE_LUKS1 = 1; +} + +// The af (anti-forensic splitter) object contains this madatory field: +// - type [string] the anti-forensic function type. +// AF type luks1 (compatible with LUKS1 [1]) contains these additional fields: +// - stripes [integer] the number of stripes, for historical reasons only the 4000 value is supported. +// - hash [string] the hash algorithm used. + +message keyslot_af_description { + optional keyslot_af_type type = 1; + optional int32 stripes = 2; + optional hash_algorithm hash = 3; +} + +// - type [string] the keyslot type. +// - key_size [integer] the key size (in bytes) stored in keyslot. +// - priority [integer,optional] the keyslot priority. Here 0 means ignore (the slot should be used only if explicitly stated), 1 means normal priority and 2 means high priority (tried before normal priority). + +// REENCRYPT +// The key size field must be set to 1. The area type must be none, checksum, +// journal or datashift. +// The reencrypt object must contain these additional fields: +// - mode [string] the reencryption mode. reencrypt, encrypt and decrypt +// - direction [string] the reencryption direction. forward backward + +// - area [object] the allocated area in the binary keyslots area. +// LUKS2 object must contain these additional fields: +// - kdf [object] the PBKDF type and parameters used. +// - af [object] the anti-forensic splitter [1] (only the luks1 type is currently +// used). 
+ +message keyslot_description { + // type + required object_id oid = 1; + + optional keyslot_type type = 2; + optional int32 key_size = 3; + optional int32 priority = 4; + + // reencrypt extension + optional reencrypt_keyslot_mode mode = 5; + optional reencrypt_keyslot_direction direction = 6; + + // objects + optional keyslot_area_description area = 7; + optional keyslot_kdf_description kdf = 8; + optional keyslot_af_description af = 9; +} + +// --------------------------------------------------------------------------- +// ------------------------------ DIGEST OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +message digest_description { + required object_id oid = 1; + + optional keyslot_kdf_type type = 2; + repeated object_id keyslots = 3; + repeated object_id segments = 4; + optional string salt = 5; + optional string digest = 6; + + // pbkdf2 digest fields + optional hash_algorithm hash = 7; + optional int32 iterations = 8; +} + +// --------------------------------------------------------------------------- +// ----------------------------- SEGMENT OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +enum segment_type { + SEGMENT_TYPE_LINEAR = 1; + SEGMENT_TYPE_CRYPT = 2; +} + +enum segment_flag { + IN_REENCRYPTION = 1; + BACKUP_FINAL = 2; + BACKUP_PREVIOUS = 3; + BACKUP_MOVED_SEGMENT = 4; +} + +message segment_integrity_description { + optional string type = 1; + optional string journal_encryption = 2; + optional string journal_integrity = 3; +} + +message segment_description { + required object_id oid = 1; + optional segment_type type = 2; + optional string_uint64 offset = 3; + optional string_uint64 size = 4; + repeated segment_flag flags = 5; + + // segment type crypt + optional string_uint64 iv_tweak = 6; + optional string encryption = 7; + optional int32 sector_size = 8; + optional segment_integrity_description 
integrity = 9; +} + +// --------------------------------------------------------------------------- +// ------------------------------ TOKEN OBJECT ------------------------------- +// --------------------------------------------------------------------------- + +message token_description { + required object_id oid = 1; + + optional string type = 2; + repeated object_id keyslots = 3; + optional string key_description = 4; +} + +// --------------------------------------------------------------------------- +// ------------------------------ CONFIG OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +// - allow-discards allows TRIM (discards) on the active device. +// - same-cpu-crypt compatibility performance flag for dm-crypt [3] to per- form encryption using the same CPU that originated the request. +// - submit-from-crypt-cpus compatibility performance flag for dm-crypt [3] to disable offloading write requests to a separate thread after encryption. +// - no-journal disable data journalling for dm-integrity [10]. +// - no-read-workqueue compatibility performance flag for dm-crypt [3] to bypass dm-crypt read workqueue and process read requests synchronously. +// - no-write-workqueue compatibility performance flag for dm-crypt [3] to bypass dm-crypt write workqueue and process write requests synchronously. +enum config_flag { + CONFIG_FLAG_ALLOW_DISCARDS = 1; + CONFIG_FLAG_SAME_CPU_CRYPT = 2; + CONFIG_FLAG_SUBMIT_FROM_CRYPT_CPUS = 3; + CONFIG_FLAG_NO_JOURNAL = 4; + CONFIG_FLAG_NO_READ_WORKQUEUE = 5; + CONFIG_FLAG_NO_WRITE_WORKQUEUE = 6; +} + +enum config_requirement { + CONFIG_REQUIREMENT_OFFLINE_REENCRYPT = 1; + CONFIG_REQUIREMENT_ONLINE_REENCRYPT_V2 = 2; +} + +// - json_size [string-uint64] the JSON area size (in bytes). Must match the binary header. +// - keyslots_size [string-uint64] the binary keyslot area size (in bytes). Must be aligned to 4096 bytes. 
+// - flags [array, optional] the array of string objects with persistent flags for the device. +// - requirements [array, optional] the array of string objects with additional required features for the LUKS device. + +message config_description { + required bool use_primary_hdr_size = 2; + + repeated config_flag config_flags = 3; + repeated config_requirement requirements = 4; +} diff --git a/tests/fuzz/LUKS2_plain_JSON.proto b/tests/fuzz/LUKS2_plain_JSON.proto new file mode 100644 index 0000000..59096b7 --- /dev/null +++ b/tests/fuzz/LUKS2_plain_JSON.proto 
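Review bot: `string_uint64.uint_num` in tests/fuzz/LUKS2.proto is declared `uint32`, so the numeric branch of every offset, size, iv_tweak and shift_size field tops out at 2^32-1. Values near the 64-bit limit, where overflow bugs in offset and size parsing would show up, are reachable only through the free-form `string_num` branch. Unless the converter (not part of this hunk) widens the value, consider `uint64 uint_num = 2;`. The comments also carry two typos, `iy` for `it` on `object_id` and `madatory` on the af object.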
@@ -0,0 +1,190 @@ +/* + * cryptsetup LUKS2 custom mutator + * + * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com> + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +syntax = "proto2"; + +package json_proto; + +// --------------------------------------------------------------------------- +// ----------------------------- GENERIC OBJECTS ----------------------------- +// --------------------------------------------------------------------------- + +message object_id { + oneof id { + // int_id will be mapped to range -16 to 16 (mod 33) + // this way iy should be easier to generate valid + // object cross-references + uint32 int_id = 1; + string string_id = 2; + } +} + +message string_uint64 { + required bool negative = 1; + oneof number { + uint32 uint_num = 2; + string string_num = 3; + } +} + +enum hash_algorithm { + HASH_ALG_SHA1 = 1; + HASH_ALG_SHA256 = 2; +} + + +// --------------------------------------------------------------------------- +// ----------------------------- BINARY HEADER ------------------------------- +// --------------------------------------------------------------------------- + +enum luks2_magic { + INVALID = 0; + FIRST = 1; + SECOND = 2; +} + +enum luks_version { + ONE = 1; + TWO = 
2; + THREE = 3; +} + +// we limit the size to 64KiB to make the fuzzing faster +// because the checksum needs to be calculated for the whole image +enum hdr_size { + size_16_KB = 16384; + size_32_KB = 32768; + size_64_KB = 65536; +// size_128_KB = 131072; +// size_256_KB = 262144; +// size_512_KB = 524288; +// size_1_MB = 1048576; +// size_2_MB = 2097152; +// size_4_MB = 4194304; +} + +enum seqid_description { + PRIMARY_GREATER = 0; + SECONDARY_GREATER = 1; + EQUAL = 2; +} + +// message luks2_hdr_disk { +// char magic[LUKS2_MAGIC_L]; +// //uint16_t version; /* Version 2 */ +// uint64_t hdr_size; /* in bytes, including JSON area */ +// uint64_t seqid; /* increased on every update */ +// char label[LUKS2_LABEL_L]; +// char checksum_alg[LUKS2_CHECKSUM_ALG_L]; +// uint8_t salt[LUKS2_SALT_L]; /* unique for every header/offset */ +// char uuid[LUKS2_UUID_L]; +// char subsystem[LUKS2_LABEL_L]; /* owner subsystem label */ +// uint64_t hdr_offset; /* offset from device start in bytes */ +// char _padding[184]; +// uint8_t csum[LUKS2_CHECKSUM_L]; +// } +message LUKS2_header { + required luks_version version = 1; + required luks2_magic magic = 2; + required hdr_size hdr_size = 3; + required bool use_correct_checksum = 4; + + optional uint64 selected_offset = 5; +} + +message LUKS2_both_headers { + required LUKS2_header primary_header = 1; + required LUKS2_header secondary_header = 2; + + required seqid_description seqid = 3; + required JsonObject json_area = 4; +} + +message JsonObject { + required string name = 1; + required JsonValue value = 2; +} + +message JsonValue { + oneof value { + // Json value types: + + // null: null, will be used when 'oneof' contains nothing + + // object: another json object of any type + JsonObject object_value = 1; + + // array: an array of values + ArrayValue array_value = 2; + + // number: can be an integer, a float, an exponent + NumberValue number_value = 3; + + // string: unicode string + StringValue string_value = 4; + + // boolean: true 
or talse + BooleanValue boolean_value = 5; + } +} + +message ArrayValue { + repeated JsonValue value = 1; +} + +message NumberInteger { + required int64 value = 1; +} + +message NumberFloat { + required double value = 1; +} + +message NumberExponent { + required int32 base = 1; + required int32 exponent = 2; + required bool use_uppercase = 3; +} + +message NumberExponentFrac { + required float base = 1; + required int32 exponent = 2; + required bool use_uppercase = 3; +} + +message NumberValue { + required NumberInteger integer_value = 1; + + // integer_value is used when oneof field below has nothing. + oneof value { + NumberFloat float_value = 2; + NumberExponent exponent_value = 3; + NumberExponentFrac exponent_frac_value = 4; + } +} + +message StringValue { + required string value = 1; +} + +message BooleanValue { + required bool value = 1; +} diff --git a/tests/fuzz/Makefile.am b/tests/fuzz/Makefile.am new file mode 100644 index 0000000..c7a6cdf --- /dev/null +++ b/tests/fuzz/Makefile.am 
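Review bot: `JsonObject` in tests/fuzz/LUKS2_plain_JSON.proto holds exactly one `name`/`value` pair. Unless json_proto_converter.cc (outside this hunk) combines several of them, the generated JSON area cannot contain an object with several members, which the config/keyslots/digests/segments/tokens layout in LUKS2.proto suggests a header needs at its top level. If that limit is intended, say so above the message, for example `// one member per object; multi-key objects are not generated`. `object_id`, `string_uint64` and `hash_algorithm` are copied from LUKS2.proto but no message in this file references them, so they could be dropped. The `BooleanValue` comment has a typo, `talse`.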
@@ -0,0 +1,122 @@ +EXTRA_DIST = README.md oss-fuzz-build.sh +dist_noinst_DATA = \ + LUKS2.proto \ + LUKS2_plain_JSON.proto \ + crypt2_load_fuzz.dict \ + crypt2_load_ondisk_fuzz.dict \ + crypt2_load_proto_plain_json_fuzz.dict \ + unpoison-mutated-buffers-from-libfuzzer.patch +CLEANFILES = \ + LUKS2.pb.h \ + LUKS2.pb.cc \ + LUKS2_plain_JSON.pb.h \ + LUKS2_plain_JSON.pb.cc + +distclean-local: + -rm -rf out build + +LIB_FUZZING_ENGINE := $(if $(LIB_FUZZING_ENGINE),$(LIB_FUZZING_ENGINE),"-fsanitize=fuzzer") +SANITIZER := $(if $(SANITIZER),,"-fsanitize=address") + +DEPS_PATH := $(top_srcdir)/tests/fuzz/build/static_lib_deps + +crypt2_load_fuzz_SOURCES = FuzzerInterface.h crypt2_load_fuzz.cc +crypt2_load_fuzz_LDADD = ../../libcryptsetup.la ../../libcrypto_backend.la -L$(DEPS_PATH)/lib +crypt2_load_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_fuzz_CXXFLAGS = $(AM_CXXFLAGS) -I$(top_srcdir)/lib -I$(top_srcdir)/tests/fuzz + +crypt2_load_ondisk_fuzz_SOURCES = FuzzerInterface.h crypt2_load_ondisk_fuzz.cc +crypt2_load_ondisk_fuzz_LDADD = ../../libcryptsetup.la -L$(DEPS_PATH)/lib +crypt2_load_ondisk_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_ondisk_fuzz_CXXFLAGS = $(AM_CXXFLAGS) -I$(top_srcdir)/lib -I$(top_srcdir)/tests/fuzz + +test-environment-m: + @ if test ! -d $(DEPS_PATH); then \ + echo "You need to build static libraries first; use oss-fuzz-build.sh script."; \ + exit 1; \ + fi +test-environment: | test-environment-m $(DEPS_PATH) + +LUKS2.pb.h: LUKS2.proto + $(DEPS_PATH)/bin/protoc LUKS2.proto --cpp_out=. +LUKS2.pb.cc: LUKS2.pb.h + +LUKS2_plain_JSON.pb.h: LUKS2_plain_JSON.proto + $(DEPS_PATH)/bin/protoc LUKS2_plain_JSON.proto --cpp_out=. 
+LUKS2_plain_JSON.pb.cc: LUKS2_plain_JSON.pb.h + +crypt2_load_proto_fuzz-crypt2_load_proto_fuzz.$(OBJEXT): LUKS2.pb.cc +crypt2_load_proto_plain_json_fuzz-crypt2_load_proto_plain_json_fuzz.$(OBJEXT): LUKS2_plain_JSON.pb.cc + +nodist_crypt2_load_proto_fuzz_SOURCES = LUKS2.pb.h LUKS2.pb.cc +crypt2_load_proto_fuzz_SOURCES = FuzzerInterface.h \ + crypt2_load_proto_fuzz.cc \ + proto_to_luks2_converter.h \ + proto_to_luks2_converter.cc +crypt2_load_proto_fuzz_LDADD = \ + ../../libcryptsetup.la \ + ../../libcrypto_backend.la \ + -L$(DEPS_PATH)/lib -lprotobuf-mutator-libfuzzer -lprotobuf-mutator -lprotobuf +crypt2_load_proto_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_proto_fuzz_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include \ + -I$(DEPS_PATH)/include/libprotobuf-mutator -I$(DEPS_PATH)/include/libprotobuf-mutator/src + +nodist_crypt2_load_proto_plain_json_fuzz_SOURCES = LUKS2_plain_JSON.pb.h LUKS2_plain_JSON.pb.cc +crypt2_load_proto_plain_json_fuzz_SOURCES = FuzzerInterface.h \ + crypt2_load_proto_plain_json_fuzz.cc \ + json_proto_converter.h \ + json_proto_converter.cc \ + plain_json_proto_to_luks2_converter.h \ + plain_json_proto_to_luks2_converter.cc +crypt2_load_proto_plain_json_fuzz_LDADD = \ + ../../libcryptsetup.la \ + ../../libcrypto_backend.la \ + -L$(DEPS_PATH)/lib -lprotobuf-mutator-libfuzzer -lprotobuf-mutator -lprotobuf +crypt2_load_proto_plain_json_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_proto_plain_json_fuzz_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include \ + -I$(DEPS_PATH)/include/libprotobuf-mutator -I$(DEPS_PATH)/include/libprotobuf-mutator/src + +nodist_proto_to_luks2_SOURCES = LUKS2.pb.h LUKS2.pb.cc +proto_to_luks2_SOURCES = \ + proto_to_luks2.cc \ + proto_to_luks2_converter.h \ + proto_to_luks2_converter.cc +proto_to_luks2_LDADD = ../../libcryptsetup.la 
../../libcrypto_backend.la -L$(DEPS_PATH)/lib -lprotobuf +proto_to_luks2_LDFLAGS = $(AM_LDFLAGS) -fsanitize=fuzzer-no-link $(SANITIZER) +proto_to_luks2_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include + +nodist_plain_json_proto_to_luks2_SOURCES = LUKS2_plain_JSON.pb.h LUKS2_plain_JSON.pb.cc +plain_json_proto_to_luks2_SOURCES = \ + plain_json_proto_to_luks2.cc \ + plain_json_proto_to_luks2_converter.h \ + plain_json_proto_to_luks2_converter.cc \ + json_proto_converter.h \ + json_proto_converter.cc +plain_json_proto_to_luks2_LDADD = ../../libcryptsetup.la ../../libcrypto_backend.la -L$(DEPS_PATH)/lib -lprotobuf +plain_json_proto_to_luks2_LDFLAGS = $(AM_LDFLAGS) -fsanitize=fuzzer-no-link $(SANITIZER) +plain_json_proto_to_luks2_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include + +if ENABLE_FUZZ_TARGETS +noinst_PROGRAMS = \ + crypt2_load_fuzz \ + crypt2_load_ondisk_fuzz \ + crypt2_load_proto_fuzz \ + crypt2_load_proto_plain_json_fuzz \ + proto_to_luks2 \ + plain_json_proto_to_luks2 + +fuzz-targets: test-environment $(noinst_PROGRAMS) +.PHONY: fuzz-targets +endif diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md new file mode 100644 index 0000000..fdcfa27 --- /dev/null +++ b/tests/fuzz/README.md 
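Review bot: In tests/fuzz/Makefile.am, `SANITIZER := $(if $(SANITIZER),,"-fsanitize=address")` expands to nothing whenever SANITIZER is already set, unlike the `LIB_FUZZING_ENGINE` line above it, which keeps the caller's value. If that is deliberate (presumably because OSS-Fuzz exports SANITIZER as a name and passes the real flags in CFLAGS), add a comment such as `# SANITIZER from OSS-Fuzz is a name, not a flag; the flags arrive via CFLAGS`. Otherwise a standalone `make SANITIZER=...` links the fuzzers with no sanitizer flag from this variable. The two protoc rules also name `LUKS2.proto` and `LUKS2_plain_JSON.proto` literally, which fails in an out-of-tree build; `$(DEPS_PATH)/bin/protoc --proto_path=$(srcdir) --cpp_out=. $<` would resolve the source. `test-environment` and `test-environment-m` are not files and should be listed in `.PHONY` next to `fuzz-targets`.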
@@ -0,0 +1,66 @@ +# Fuzzing target for cryptsetup project + +This directory contains experimental targets for fuzzing testing. +It can be run in the OSS-Fuzz project but also compiled separately. + +# Requirements + +Fuzzers use address sanitizer. To properly detect problems, all +important libraries must be compiled statically with sanitizer enabled. + +Compilation requires *clang* and *clang++* compilers (gcc is not +supported yet). + +# Standalone build + +The script `oss-fuzz-build.sh` can be used to prepare the tree +with pre-compiled library dependencies. +We use upstream git for projects, which can clash with locally +installed versions. The best is to use only basic system installation +without development packages (script will use custom include, libs, +and pkg-config paths). + +# Build Docker image and fuzzers + +You can also run OSS-Fuzz in a Docker image, use these commands +to prepare fuzzers: +``` +sudo python3 infra/helper.py build_image cryptsetup +sudo python3 infra/helper.py build_fuzzers cryptsetup +``` +On SELinux systems also add (https://github.com/google/oss-fuzz/issues/30): +``` +sudo chcon -Rt svirt_sandbox_file_t build/ +``` + +# Run LUKS2 fuzzer +`FUZZER_NAME` can be one of: `crypt2_load_fuzz`, `crypt2_load_proto_fuzz`, `crypt2_load_proto_plain_json_fuzz` +``` +FUZZER_NAME="crypt2_load_proto_plain_json_fuzz" +sudo mkdir -p build/corpus/cryptsetup/$FUZZER_NAME +sudo python infra/helper.py run_fuzzer --corpus-dir build/corpus/cryptsetup/$FUZZER_NAME/ --sanitizer address cryptsetup $FUZZER_NAME '-jobs=8 -workers=8' +``` + +The output of the parallel threads will be written to `fuzz-<N>.log` (where `<N>` is the number of the process). 
+You can watch it using e.g.: +``` +tail -f build/out/cryptsetup/fuzz-* +``` + +Optionally, you can use experimental `fork` mode for parallelization and the output will be displayed directly on the terminal: +``` +sudo python infra/helper.py run_fuzzer --corpus-dir build/corpus/cryptsetup/$FUZZER_NAME/ --sanitizer address cryptsetup $FUZZER_NAME '-fork=8 ' +``` + +# Rebuild fuzz targets for coverage +``` +sudo python infra/helper.py build_fuzzers --sanitizer coverage cryptsetup +``` + +# Generate coverage report +``` +sudo python infra/helper.py coverage cryptsetup --no-corpus-download --fuzz-target $FUZZER_NAME +``` + +# Further information +For more details, you can look into the [Using fuzzing for Linux disk encryption tools](https://is.muni.cz/th/bum03/?lang=en) thesis. diff --git a/tests/fuzz/crypt2_load_fuzz.cc b/tests/fuzz/crypt2_load_fuzz.cc new file mode 100644 index 0000000..1251d72 --- /dev/null +++ b/tests/fuzz/crypt2_load_fuzz.cc 
@@ -0,0 +1,112 @@
+/*
+ * cryptsetup LUKS2 fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+extern "C" {
+#define FILESIZE (16777216)
+#include "src/cryptsetup.h"
+#include <err.h>
+#include "luks2/luks2.h"
+#include "crypto_backend/crypto_backend.h"
+#include "FuzzerInterface.h"
+
+static int calculate_checksum(const uint8_t* data, size_t size) {
+ struct crypt_hash *hd = NULL;
+ struct luks2_hdr_disk *hdr = NULL;
+ int hash_size;
+ uint64_t hdr_size1, hdr_size2;
+ int r = 0;
+
+ /* primary header */
+ if (sizeof(struct luks2_hdr_disk) > size)
+ return 0;
+ hdr = CONST_CAST(struct luks2_hdr_disk *) data;
+
+ hdr_size1 = be64_to_cpu(hdr->hdr_size);
+ if (hdr_size1 > size)
+ return 0;
+ memset(&hdr->csum, 0, LUKS2_CHECKSUM_L);
+ if ((r = crypt_hash_init(&hd, "sha256")))
+ goto out;
+ if ((r = crypt_hash_write(hd, CONST_CAST(char*) data, hdr_size1)))
+ goto out;
+ hash_size = crypt_hash_size("sha256");
+ if (hash_size <= 0) {
+ r = 1;
+ goto out;
+ }
+ if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size)))
+ goto out;
+ crypt_hash_destroy(hd);
+
+ /* secondary header */
+ if (hdr_size1 < sizeof(struct luks2_hdr_disk))
+ hdr_size1 = sizeof(struct luks2_hdr_disk);
+
+ if (hdr_size1 + sizeof(struct luks2_hdr_disk) > size)
+ return 0;
+ hdr = CONST_CAST(struct luks2_hdr_disk *) (data + hdr_size1);
+
+ hdr_size2 = be64_to_cpu(hdr->hdr_size);
+ if (hdr_size2 > size || (hdr_size1 + hdr_size2) > size)
+ return 0;
+
+ memset(&hdr->csum, 0, LUKS2_CHECKSUM_L);
+ if ((r = crypt_hash_init(&hd, "sha256")))
+ goto out;
+ if ((r = crypt_hash_write(hd, (char*) hdr, hdr_size2)))
+ goto out;
+ if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size)))
+ goto out;
+
+out:
+ if (hd)
+ crypt_hash_destroy(hd);
+ return r;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ int fd;
+ struct crypt_device *cd = NULL;
+ char name[] = "/tmp/test-script-fuzz.XXXXXX";
+
+ if (calculate_checksum(data, size))
+ return 0;
+
+ fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC);
+ if (fd == -1)
+ err(EXIT_FAILURE, "mkostemp() failed");
+
+ /* enlarge header */
+ if (ftruncate(fd, FILESIZE) == -1)
+ goto out;
+
+ if (write_buffer(fd, data, size) != (ssize_t)size)
+ goto out;
+
+ if (crypt_init(&cd, name) == 0)
+ (void)crypt_load(cd, CRYPT_LUKS2, NULL);
+ crypt_free(cd);
+out:
+ close(fd);
+ unlink(name);
+ return 0;
+}
+}
diff --git a/tests/fuzz/crypt2_load_fuzz.dict b/tests/fuzz/crypt2_load_fuzz.dict
new file mode 100644
index 0000000..fedf1a4
--- /dev/null
+++ b/tests/fuzz/crypt2_load_fuzz.dict
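Review bot: In `calculate_checksum()` of crypt2_load_fuzz.cc, `hd` is left dangling after the first `crypt_hash_destroy(hd)`: if the second `crypt_hash_init(&hd, "sha256")` fails without writing to `hd` (its implementation is not part of this hunk), the `out:` label destroys the same context a second time. Resetting the pointer where it is released closes that path: `crypt_hash_destroy(hd); hd = NULL;`. The function also writes the recomputed checksums into the fuzzer-owned buffer through `CONST_CAST` on `const uint8_t *data`; fixing up a private copy of the input would keep the harness from mutating memory it was handed as const.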
@@ -0,0 +1,130 @@
+# LUKS2 dictionary based on AFL dictionary for JSON
+# -------------------------------------------------
+# JSON dictionary from https://github.com/google/AFL/blob/master/dictionaries/json.dict
+# Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
+#
+# LUKS2 keywords by Daniel Zatovic
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
+
+"$ref"
+"type"
+"coordinates"
+"@context"
+"@id"
+
+","
+":"
+
+"1024"
+"2048"
+"4096"
+"512"
+"aegis128-random"
+"aes-cbc:essiv:sha256"
+"aes-xts-plain64"
+"af"
+"allow-discards"
+"area"
+"argon2i"
+"argon2id"
+"backup-final"
+"backup-moved-segment"
+"backup-previous"
+"checksum"
+"config"
+"cpus"
+"crypt"
+"datashift"
+"digest"
+"digests"
+"direction"
+"encryption"
+"flags"
+"hash"
+"in-reencryption"
+"integrity"
+"iterations"
+"iv_tweak"
+"journal"
+"journal_encryption"
+"journal_integrity"
+"json_size"
+"kdf"
+"key_description"
+"key_size"
+"keyslots"
+"keyslots_size"
+"linear"
+"luks2"
+"luks2-keyring"
+"LUKS\xBA\xBE"
+"memory"
+"mode"
+"no-journal"
+"none"
+"no-read-workqueue"
+"no-write-workqueue"
+"offline-reencrypt"
+"offset"
+"online-reencrypt-v2"
+"pbkdf2"
+"priority"
+"raw"
+"reencrypt"
+"requirements"
+"salt"
+"same-cpu-crypt"
+"sector_size"
+"segments"
+"serpent-xts-plain64"
+"shift_size"
+"size"
+"SKUL\xBA\xBE"
+"stripes"
+"submit-from-crypt-cpus"
+"time"
+"tokens"
+"twofish-xts-plain64"
diff --git a/tests/fuzz/crypt2_load_ondisk_fuzz.cc b/tests/fuzz/crypt2_load_ondisk_fuzz.cc
new file mode 100644
index 0000000..9b5328d
--- /dev/null
+++ b/tests/fuzz/crypt2_load_ondisk_fuzz.cc
@@ -0,0 +1,64 @@
+/*
+ * cryptsetup LUKS1, FileVault, BitLocker fuzz target
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+extern "C" {
+#define FILESIZE (16777216)
+#include "src/cryptsetup.h"
+#include <err.h>
+#include "luks1/luks.h"
+#include "crypto_backend/crypto_backend.h"
+#include "FuzzerInterface.h"
+
+void empty_log(int level, const char *msg, void *usrptr) {}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ int fd, r;
+ struct crypt_device *cd = NULL;
+ char name[] = "/tmp/test-script-fuzz.XXXXXX";
+
+ fd = mkostemp(name, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC);
+ if (fd == -1)
+ err(EXIT_FAILURE, "mkostemp() failed");
+
+ /* enlarge header */
+ if (ftruncate(fd, FILESIZE) == -1)
+ goto out;
+
+ if (write_buffer(fd, data, size) != (ssize_t) size)
+ goto out;
+
+ crypt_set_log_callback(NULL, empty_log, NULL);
+
+ if (crypt_init(&cd, name) == 0) {
+ r = crypt_load(cd, CRYPT_LUKS1, NULL);
+ if (r == 0)
+ goto out;
+
+ r = crypt_load(cd, CRYPT_FVAULT2, NULL);
+ if (r == 0)
+ goto out;
+
+ (void) crypt_load(cd, CRYPT_BITLK, NULL);
+ }
+out:
+ crypt_free(cd);
+ close(fd);
+ unlink(name);
+ return 0;
+}
+}
diff --git a/tests/fuzz/crypt2_load_ondisk_fuzz.dict b/tests/fuzz/crypt2_load_ondisk_fuzz.dict
new file mode 100644
index 0000000..3923db5
--- /dev/null
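Review bot: In crypt2_load_ondisk_fuzz.cc, `mkostemp(name, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC)` passes flags that mkostemp() already applies itself; the mkostemp(3) manual page notes that supplying `O_RDWR`, `O_CREAT` or `O_EXCL` is unnecessary and produces errors on some systems, which here would end the whole run in `err(EXIT_FAILURE, ...)`. `fd = mkostemp(name, O_CLOEXEC);` is sufficient. The same call appears in `crypt2_load_fuzz.cc`, `crypt2_load_proto_fuzz.cc` and `crypt2_load_proto_plain_json_fuzz.cc` in this commit. `empty_log()` could also be declared `static`, since nothing outside this file is shown to use it.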
+++ b/tests/fuzz/crypt2_load_ondisk_fuzz.dict
@@ -0,0 +1,9 @@
+"aegis128-random"
+"aes-cbc:essiv:sha256"
+"aes-xts-plain64"
+"aes-lrv-plain64"
+"twofish-xts-plain64"
+"serpent-xts-plain64"
+"whirpool"
+"sha256"
+"sha1"
diff --git a/tests/fuzz/crypt2_load_proto_fuzz.cc b/tests/fuzz/crypt2_load_proto_fuzz.cc
new file mode 100644
index 0000000..498c006
--- /dev/null
+++ b/tests/fuzz/crypt2_load_proto_fuzz.cc
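Review bot: Two entries in crypt2_load_ondisk_fuzz.dict look misspelled, so they are unlikely to match the names the header parsers compare against: `"whirpool"` is presumably the hash name `"whirlpool"`, and `"aes-lrv-plain64"` is presumably meant to be the LRW mode, `"aes-lrw-plain64"`. A dictionary token only helps the fuzzer reach new code when it is byte-exact. If the misspellings are deliberate, a `#` comment line saying so would prevent a later well-meant correction.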
@@ -0,0 +1,51 @@
+/*
+ * cryptsetup LUKS2 custom mutator fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "LUKS2.pb.h"
+#include "proto_to_luks2_converter.h"
+#include "libfuzzer/libfuzzer_macro.h"
+#include "FuzzerInterface.h"
+
+extern "C" {
+#include <libcryptsetup.h>
+#include <err.h>
+#include <fcntl.h>
+#include <unistd.h>
+}
+
+DEFINE_PROTO_FUZZER(const LUKS2_proto::LUKS2_both_headers &headers) {
+ struct crypt_device *cd = NULL;
+ char name[] = "/tmp/test-proto-fuzz.XXXXXX";
+ int fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC);
+
+ if (fd < 0)
+ err(EXIT_FAILURE, "mkostemp() failed");
+
+ LUKS2_proto::LUKS2ProtoConverter converter;
+ converter.convert(headers, fd);
+
+ if (crypt_init(&cd, name) == 0)
+ (void)crypt_load(cd, CRYPT_LUKS2, NULL);
+ crypt_free(cd);
+
+ close(fd);
+ unlink(name);
+}
diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc
new file mode 100644
index 0000000..f3565ab
--- /dev/null
+++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc
@@ -0,0 +1,51 @@
+/*
+ * cryptsetup LUKS2 custom mutator fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "LUKS2_plain_JSON.pb.h"
+#include "plain_json_proto_to_luks2_converter.h"
+#include "libfuzzer/libfuzzer_macro.h"
+#include "FuzzerInterface.h"
+
+extern "C" {
+#include <libcryptsetup.h>
+#include <err.h>
+#include <fcntl.h>
+#include <unistd.h>
+}
+
+DEFINE_PROTO_FUZZER(const json_proto::LUKS2_both_headers &headers) {
+ struct crypt_device *cd = NULL;
+ char name[] = "/tmp/test-proto-fuzz.XXXXXX";
+ int fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC);
+
+ if (fd < 0)
+ err(EXIT_FAILURE, "mkostemp() failed");
+
+ json_proto::LUKS2ProtoConverter converter;
+ converter.convert(headers, fd);
+
+ if (crypt_init(&cd, name) == 0)
+ (void)crypt_load(cd, CRYPT_LUKS2, NULL);
+ crypt_free(cd);
+
+ close(fd);
+ unlink(name);
+}
diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict
new file mode 100644
index 0000000..7d83151
--- /dev/null
+++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict
@@ -0,0 +1,72 @@
+# LUKS2 keywords by Daniel Zatovic
+
+"1024"
+"2048"
+"4096"
+"512"
+"aegis128-random"
+"aes-cbc:essiv:sha256"
+"aes-xts-plain64"
+"af"
+"allow-discards"
+"area"
+"argon2i"
+"argon2id"
+"backup-final"
+"backup-moved-segment"
+"backup-previous"
+"checksum"
+"config"
+"cpus"
+"crypt"
+"datashift"
+"digest"
+"digests"
+"direction"
+"encryption"
+"flags"
+"hash"
+"in-reencryption"
+"integrity"
+"iterations"
+"iv_tweak"
+"journal"
+"journal_encryption"
+"journal_integrity"
+"json_size"
+"kdf"
+"key_description"
+"key_size"
+"keyslots"
+"keyslots_size"
+"linear"
+"luks2"
+"luks2-keyring"
+"LUKS\xBA\xBE"
+"memory"
+"mode"
+"no-journal"
+"none"
+"no-read-workqueue"
+"no-write-workqueue"
+"offline-reencrypt"
+"offset"
+"online-reencrypt-v2"
+"pbkdf2"
+"priority"
+"raw"
+"reencrypt"
+"requirements"
+"salt"
+"same-cpu-crypt"
+"sector_size"
+"segments"
+"serpent-xts-plain64"
+"shift_size"
+"size"
+"SKUL\xBA\xBE"
+"stripes"
+"submit-from-crypt-cpus"
+"time"
+"tokens"
+"twofish-xts-plain64"
diff --git a/tests/fuzz/json_proto_converter.cc b/tests/fuzz/json_proto_converter.cc
new file mode 100644
index 0000000..ed453be
--- /dev/null
+++ b/tests/fuzz/json_proto_converter.cc
@@ -0,0 +1,87 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "json_proto_converter.h"
+
+namespace json_proto {
+
+void JsonProtoConverter::AppendArray(const ArrayValue& array_value) {
+ data_ << '[';
+ bool need_comma = false;
+ for (const auto& value : array_value.value()) {
+ // Trailing comma inside of an array makes JSON invalid, avoid adding that.
+ if (need_comma)
+ data_ << ',';
+ else
+ need_comma = true;
+
+ AppendValue(value);
+ }
+ data_ << ']';
+}
+
+void JsonProtoConverter::AppendNumber(const NumberValue& number_value) {
+ if (number_value.has_float_value()) {
+ data_ << number_value.float_value().value();
+ } else if (number_value.has_exponent_value()) {
+ auto value = number_value.exponent_value();
+ data_ << value.base();
+ data_ << (value.use_uppercase() ? 'E' : 'e');
+ data_ << value.exponent();
+ } else if (number_value.has_exponent_frac_value()) {
+ auto value = number_value.exponent_value();
+ data_ << value.base();
+ data_ << (value.use_uppercase() ? 'E' : 'e');
+ data_ << value.exponent();
+ } else {
+ data_ << number_value.integer_value().value();
+ }
+}
+
+void JsonProtoConverter::AppendObject(const JsonObject& json_object) {
+ data_ << '{' << '"' << json_object.name() << '"' << ':';
+ AppendValue(json_object.value());
+ data_ << '}';
+}
+
+void JsonProtoConverter::AppendValue(const JsonValue& json_value) {
+ if (json_value.has_object_value()) {
+ AppendObject(json_value.object_value());
+ } else if (json_value.has_array_value()) {
+ AppendArray(json_value.array_value());
+ } else if (json_value.has_number_value()) {
+ AppendNumber(json_value.number_value());
+ } else if (json_value.has_string_value()) {
+ data_ << '"' << json_value.string_value().value() << '"';
+ } else if (json_value.has_boolean_value()) {
+ data_ << (json_value.boolean_value().value() ? "true" : "false");
+ } else {
+ data_ << "null";
+ }
+}
+
+std::string JsonProtoConverter::Convert(const JsonObject& json_object) {
+ AppendObject(json_object);
+ return data_.str();
+}
+
+std::string JsonProtoConverter::Convert(
+ const json_proto::ArrayValue& json_array) {
+ AppendArray(json_array);
+ return data_.str();
+}
+
+} // namespace json_proto
diff --git a/tests/fuzz/json_proto_converter.h b/tests/fuzz/json_proto_converter.h
new file mode 100644
index 0000000..ca52d67
--- /dev/null
+++ b/tests/fuzz/json_proto_converter.h
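Review bot: In `AppendNumber()` of json_proto_converter.cc, the `has_exponent_frac_value()` branch reads `number_value.exponent_value()` again, so it serialises the unset exponent message and never emits the field it has just tested for. It should start with `auto value = number_value.exponent_frac_value();` and print whatever fields that message defines; the .proto is not part of this hunk, so the field names need checking against it. Separately, `AppendObject()` and the string branch of `AppendValue()` write names and values between quotes without escaping; if unescaped quotes in the generated JSON are intended as fuzzing input, a comment saying so would help the next reader.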
@@ -0,0 +1,43 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef JSON_PROTO_CONVERTER_H_
+#define JSON_PROTO_CONVERTER_H_
+
+#include <sstream>
+#include <string>
+
+#include "LUKS2_plain_JSON.pb.h"
+
+namespace json_proto {
+
+class JsonProtoConverter {
+ public:
+ std::string Convert(const json_proto::JsonObject&);
+ std::string Convert(const json_proto::ArrayValue&);
+
+ private:
+ std::stringstream data_;
+
+ void AppendArray(const json_proto::ArrayValue&);
+ void AppendNumber(const json_proto::NumberValue&);
+ void AppendObject(const json_proto::JsonObject&);
+ void AppendValue(const json_proto::JsonValue&);
+};
+
+} // namespace json_proto
+
+#endif // TESTING_LIBFUZZER_PROTO_JSON_PROTO_CONVERTER_H_
diff --git a/tests/fuzz/oss-fuzz-build.sh b/tests/fuzz/oss-fuzz-build.sh
new file mode 100755
index 0000000..b2f643f
--- /dev/null
+++ b/tests/fuzz/oss-fuzz-build.sh
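Review bot: `JsonProtoConverter` in json_proto_converter.h keeps its output in the member `data_`, and nothing in this header or in `json_proto_converter.cc` clears it, so a second `Convert()` call on the same object returns the previous document with the new one appended. A class comment such as `// Single-use: create a new converter for each Convert() call.` would make that contract explicit. The closing `#endif` comment names `TESTING_LIBFUZZER_PROTO_JSON_PROTO_CONVERTER_H_` while the guard defined above is `JSON_PROTO_CONVERTER_H_`.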
@@ -0,0 +1,152 @@
+#!/usr/bin/env bash
+
+function in_oss_fuzz()
+{
+ test -n "$FUZZING_ENGINE"
+}
+
+echo "Running cryptsetup OSS-Fuzz build script."
+env
+set -ex
+PWD=$(pwd)
+
+export LC_CTYPE=C.UTF-8
+
+export SRC=${SRC:-$PWD/build}
+export OUT="${OUT:-$PWD/out}"
+export DEPS_PATH=$SRC/static_lib_deps
+
+export PKG_CONFIG_PATH="$DEPS_PATH"/lib/pkgconfig
+
+export CC=${CC:-clang}
+export CXX=${CXX:-clang++}
+export LIB_FUZZING_ENGINE="${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}"
+
+SANITIZER="${SANITIZER:-address -fsanitize-address-use-after-scope}"
+flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"
+
+export CFLAGS="${CFLAGS:-$flags} -I$DEPS_PATH/include"
+export CXXFLAGS="${CXXFLAGS:-$flags} -I$DEPS_PATH/include"
+export LDFLAGS="${LDFLAGS-} -L$DEPS_PATH/lib"
+
+ENABLED_FUZZERS=${ENABLED_FUZZERS:-crypt2_load_fuzz crypt2_load_ondisk_fuzz crypt2_load_proto_plain_json_fuzz}
+
+mkdir -p $SRC
+mkdir -p $OUT
+mkdir -p $DEPS_PATH
+cd $SRC
+
+LIBFUZZER_PATCH="$PWD/unpoison-mutated-buffers-from-libfuzzer.patch"
+in_oss_fuzz && LIBFUZZER_PATCH="$PWD/cryptsetup/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch"
+
+in_oss_fuzz && apt-get update && apt-get install -y \
+ make autoconf automake autopoint libtool pkg-config \
+ sharutils gettext expect keyutils ninja-build \
+ bison
+
+[ ! -d zlib ] && git clone --depth 1 https://github.com/madler/zlib.git
+[ ! -d xz ] && git clone https://git.tukaani.org/xz.git
+[ ! -d json-c ] && git clone --depth 1 https://github.com/json-c/json-c.git
+[ ! -d lvm2 ] && git clone --depth 1 https://sourceware.org/git/lvm2.git
+[ ! -d popt ] && git clone --depth 1 https://github.com/rpm-software-management/popt.git
+[ ! -d libprotobuf-mutator ] && git clone --depth 1 https://github.com/google/libprotobuf-mutator.git \
+ && [ "$SANITIZER" == "memory" ] && ( cd libprotobuf-mutator; patch -p1 < $LIBFUZZER_PATCH )
+[ ! -d openssl ] && git clone --depth 1 https://github.com/openssl/openssl
+[ ! -d util-linux ] && git clone --depth 1 https://github.com/util-linux/util-linux
+[ ! -d cryptsetup_fuzzing ] && git clone --depth 1 https://gitlab.com/cryptsetup/cryptsetup_fuzzing.git
+
+cd openssl
+./Configure --prefix="$DEPS_PATH" --libdir=lib no-shared no-module no-asm
+make build_generated
+make -j libcrypto.a
+make install_dev
+cd ..
+
+cd util-linux
+./autogen.sh
+./configure --prefix="$DEPS_PATH" --enable-static --disable-shared -disable-all-programs --enable-libuuid --enable-libblkid
+make -j
+make install
+cd ..
+
+cd zlib
+./configure --prefix="$DEPS_PATH" --static
+make -j
+make install
+cd ..
+
+cd xz
+./autogen.sh --no-po4a
+./configure --prefix="$DEPS_PATH" --enable-static --disable-shared
+make -j
+make install
+cd ..
+
+cd json-c
+mkdir -p build
+rm -fr build/*
+cd build
+cmake .. -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON
+make -j
+make install
+cd ../..
+
+cd lvm2
+./configure --prefix="$DEPS_PATH" --enable-static_link --disable-udev_sync --enable-pkgconfig --disable-selinux
+make -j libdm.device-mapper
+# build of dmsetup.static is broken
+# make install_device-mapper
+cp ./libdm/ioctl/libdevmapper.a "$DEPS_PATH"/lib/
+cp ./libdm/libdevmapper.h "$DEPS_PATH"/include/
+cp ./libdm/libdevmapper.pc "$PKG_CONFIG_PATH"
+cd ..
+
+cd popt
+# --no-undefined is incompatible with sanitizers
+sed -i -e 's/-Wl,--no-undefined //' src/CMakeLists.txt
+mkdir -p build
+rm -fr build/*
+cd build
+cmake .. -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" -DBUILD_SHARED_LIBS=OFF
+make -j
+make install
+cd ../..
+
+cd libprotobuf-mutator
+mkdir -p build
+rm -fr build/*
+cd build
+cmake .. -GNinja \
+ -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" \
+ -DPKG_CONFIG_PATH="$PKG_CONFIG_PATH" \
+ -DLIB_PROTO_MUTATOR_TESTING=OFF \
+ -DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=ON
+ninja
+ninja install
+cd external.protobuf;
+cp -Rf bin lib include "$DEPS_PATH";
+cd ../../..
+
+if in_oss_fuzz; then
+ mkdir -p cryptsetup/tests/fuzz/build
+ ln -s ../../../../static_lib_deps cryptsetup/tests/fuzz/build/static_lib_deps
+ cd cryptsetup
+else
+ cd ../../..
+fi
+./autogen.sh
+./configure --enable-static --disable-asciidoc --disable-ssh-token --disable-udev --disable-selinux --with-crypto_backend=openssl --disable-shared --enable-fuzz-targets
+make clean
+make -j fuzz-targets
+
+for fuzzer in $ENABLED_FUZZERS; do
+ cp tests/fuzz/$fuzzer $OUT
+ cp $SRC/cryptsetup_fuzzing/${fuzzer}_seed_corpus.zip $OUT
+
+ # optionally copy the dictionary if it exists
+ if [ -e tests/fuzz/${fuzzer}.dict ]; then
+ cp tests/fuzz/${fuzzer}.dict $OUT
+ fi
+done
+
+cd $PWD
diff --git a/tests/fuzz/plain_json_proto_to_luks2.cc b/tests/fuzz/plain_json_proto_to_luks2.cc
new file mode 100644
index 0000000..8c56c15
--- /dev/null
+++ b/tests/fuzz/plain_json_proto_to_luks2.cc
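Review bot: Every dependency in oss-fuzz-build.sh is cloned from the tip of its upstream default branch with no tag, commit or signature check, and its `autogen.sh`, `configure` and `make install` then run on the build host, so the fuzzers are built from whatever each remote serves at that moment and a crash cannot be tied to known dependency versions. Pinning each clone, e.g. `git clone --depth 1 --branch <TAG> <URL>` with a reviewed tag per project, or at least logging `git -C <dir> rev-parse HEAD` after cloning, would make builds reproducible. `PWD=$(pwd)` reuses the variable the shell rewrites on every `cd`, so `LIBFUZZER_PATCH="$PWD/..."` after `cd $SRC` resolves under `$SRC` and the final `cd $PWD` is a no-op; a separate name such as `start_dir=$(pwd)` avoids that. The bare `env` at the top also copies the whole environment, including any credentials exported in it, into the build log.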
@@ -0,0 +1,75 @@
+/*
+ * cryptsetup LUKS2 protobuf to image converter
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <iostream>
+#include <string>
+
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <google/protobuf/text_format.h>
+#include <google/protobuf/io/zero_copy_stream_impl.h>
+
+#include "plain_json_proto_to_luks2_converter.h"
+
+using namespace json_proto;
+
+int main(int argc, char *argv[]) {
+ LUKS2_both_headers headers;
+ LUKS2ProtoConverter converter;
+ int fd;
+
+ std::string out_img_name;
+
+ if (argc != 2) {
+ std::cerr << "Usage: " << argv[0] << " <LUKS2 proto>\n";
+ return EXIT_FAILURE;
+ }
+
+ fd = open(argv[1], O_RDONLY);
+ if (fd < 0) {
+ std::cerr << "Failed to open " << argv[1] << std::endl;
+ return EXIT_FAILURE;
+ }
+
+ google::protobuf::io::FileInputStream fileInput(fd);
+
+ if (!google::protobuf::TextFormat::Parse(&fileInput, &headers)) {
+ std::cerr << "Failed to parse protobuf " << argv[1] << std::endl;
+ close(fd);
+ return EXIT_FAILURE;
+ }
+ close(fd);
+
+ out_img_name = argv[1];
+ out_img_name += ".img";
+
+ fd = open(out_img_name.c_str(), O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC|O_TRUNC, 0644);
+ if (fd < 0) {
+ std::cerr << "Failed to open output file " << out_img_name << std::endl;
+ return EXIT_FAILURE;
+ }
+ converter.set_write_headers_only(false);
+ converter.convert(headers, fd);
+
+ close(fd);
+ return EXIT_SUCCESS;
+}
diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.cc b/tests/fuzz/plain_json_proto_to_luks2_converter.cc
new file mode 100644
index 0000000..823c0c5
--- /dev/null
+++ b/tests/fuzz/plain_json_proto_to_luks2_converter.cc
@@ -0,0 +1,153 @@
+/*
+ * cryptsetup LUKS2 custom mutator fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "plain_json_proto_to_luks2_converter.h"
+#include "json_proto_converter.h"
+
+extern "C" {
+#include "src/cryptsetup.h"
+#include "luks2/luks2.h"
+#include <err.h>
+}
+
+namespace json_proto {
+
+void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid, const std::string &json_text) {
+ struct luks2_hdr_disk hdr = {};
+ int r;
+
+ if (hd)
+ crypt_hash_destroy(hd);
+ if (crypt_hash_init(&hd, "sha256"))
+ err(EXIT_FAILURE, "crypt_hash_init failed");
+
+
+ r = lseek(fd, offset, SEEK_SET);
+ if (r == -1)
+ err(EXIT_FAILURE, "lseek failed");
+
+ switch (header_proto.magic()) {
+ case INVALID:
+ memset(&hdr.magic, 0, LUKS2_MAGIC_L);
+ break;
+ case FIRST:
+ memcpy(&hdr.magic, LUKS2_MAGIC_1ST, LUKS2_MAGIC_L);
+ break;
+ case SECOND:
+ memcpy(&hdr.magic, LUKS2_MAGIC_2ND, LUKS2_MAGIC_L);
+ break;
+ }
+ hdr.version = cpu_to_be16(header_proto.version());
+ hdr.hdr_size = cpu_to_be64(header_proto.hdr_size());
+ hdr.seqid = cpu_to_be64(seqid);
+ strncpy(hdr.checksum_alg, "sha256", LUKS2_CHECKSUM_ALG_L);
+ hdr.checksum_alg[LUKS2_CHECKSUM_ALG_L - 1] = '\0';
+ strncpy(hdr.uuid, "af7f64ea-3233-4581-946b-6187d812841e", LUKS2_UUID_L);
+ memset(hdr.salt, 1, LUKS2_SALT_L);
+
+
+ if (header_proto.has_selected_offset())
+ hdr.hdr_offset = cpu_to_be64(header_proto.selected_offset());
+ else
+ hdr.hdr_offset = cpu_to_be64(offset);
+
+ if (write_buffer(fd, &hdr, LUKS2_HDR_BIN_LEN) != LUKS2_HDR_BIN_LEN)
+ err(EXIT_FAILURE, "write_buffer failed");
+ if (crypt_hash_write(hd, (char*)&hdr, LUKS2_HDR_BIN_LEN))
+ err(EXIT_FAILURE, "crypt_hash_write failed");
+
+ size_t hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN;
+ uint8_t csum[LUKS2_CHECKSUM_L];
+
+ size_t write_size = json_text.length() > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text.length();
+ if (write_buffer(fd, json_text.c_str(), write_size) != (ssize_t)write_size)
+ err(EXIT_FAILURE, "write_buffer failed");
+ if (crypt_hash_write(hd, json_text.c_str(), write_size))
+ err(EXIT_FAILURE, "crypt_hash_write failed");
+
+ for (size_t i = 0; i < (hdr_json_area_len - write_size); i++) {
+ if (crypt_hash_write(hd, "\0", 1))
+ err(EXIT_FAILURE, "crypt_hash_write failed");
+ }
+
+ if (header_proto.use_correct_checksum()) {
+ if (lseek(fd, offset + offsetof(luks2_hdr_disk, csum), SEEK_SET) == -1)
+ err(EXIT_FAILURE, "lseek failed");
+
+ int hash_size = crypt_hash_size("sha256");
+ if (hash_size <= 0)
+ err(EXIT_FAILURE, "crypt_hash_size failed");
+
+ if (crypt_hash_final(hd, (char*)csum, (size_t)hash_size))
+ err(EXIT_FAILURE, "crypt_hash_final failed");
+ if (write_buffer(fd, csum, hash_size) != hash_size)
+ err(EXIT_FAILURE, "write_buffer failed");
+ }
+}
+
+void LUKS2ProtoConverter::set_write_headers_only(bool headers_only) {
+ write_headers_only = headers_only;
+}
+
+void LUKS2ProtoConverter::convert(const LUKS2_both_headers &headers, int fd) {
+ uint64_t primary_seqid, secondary_seqid;
+ int result;
+
+ size_t out_size = headers.primary_header().hdr_size() + headers.secondary_header().hdr_size();
+
+ if (!write_headers_only)
+ out_size += KEYSLOTS_SIZE + DATA_SIZE;
+
+ result = ftruncate(fd, out_size);
+ if (result == -1)
+ err(EXIT_FAILURE, "truncate failed");
+
+ result = lseek(fd, 0, SEEK_SET);
+ if (result == -1)
+ err(EXIT_FAILURE, "lseek failed");
+
+ switch (headers.seqid()) {
+ case EQUAL:
+ primary_seqid = 1;
+ secondary_seqid = 1;
+ break;
+ case PRIMARY_GREATER:
+ primary_seqid = 2;
+ secondary_seqid = 1;
+ break;
+ case SECONDARY_GREATER:
+ primary_seqid = 1;
+ secondary_seqid = 2;
+ break;
+ }
+
+ JsonProtoConverter converter;
+ std::string json_text = converter.Convert(headers.json_area());
+
+ emit_luks2_binary_header(headers.primary_header(), fd, 0, primary_seqid, json_text);
+ emit_luks2_binary_header(headers.secondary_header(), fd, headers.primary_header().hdr_size(), secondary_seqid, json_text);
+}
+
+LUKS2ProtoConverter::~LUKS2ProtoConverter() {
+ if (hd)
+ crypt_hash_destroy(hd);
+}
+} // namespace LUKS2_proto
diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.h b/tests/fuzz/plain_json_proto_to_luks2_converter.h
new file mode 100644
index 0000000..7decf9f
--- /dev/null
+++ b/tests/fuzz/plain_json_proto_to_luks2_converter.h
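Review bot: In `emit_luks2_binary_header()` of plain_json_proto_to_luks2_converter.cc, `hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN` is computed in unsigned arithmetic with no lower bound on `hdr_size()`. If the proto allows a value at or below `LUKS2_HDR_BIN_LEN` (the .proto is not in this hunk), the subtraction, or the later `hdr_json_area_len - 1`, wraps to a huge `size_t`, and the zero-padding loop then feeds the hash one byte at a time for that many iterations. A guard before the subtraction, e.g. `if (header_proto.hdr_size() <= LUKS2_HDR_BIN_LEN) return;`, or a comment stating that `hdr_size` is restricted to valid LUKS2 sizes, would settle it. In `convert()`, `switch (headers.seqid())` has no `default:`, which leaves `primary_seqid` and `secondary_seqid` uninitialised for any other value. The closing comment `// namespace LUKS2_proto` should read `json_proto`.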
@@ -0,0 +1,58 @@
+/*
+ * cryptsetup LUKS2 custom mutator fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef LUKS2_PROTO_CONVERTER_H_
+#define LUKS2_PROTO_CONVERTER_H_
+
+#include <sstream>
+#include <string>
+#include <json-c/json.h>
+
+#include "LUKS2_plain_JSON.pb.h"
+extern "C" {
+#include "crypto_backend/crypto_backend.h"
+}
+
+namespace json_proto {
+
+class LUKS2ProtoConverter {
+ public:
+ ~LUKS2ProtoConverter();
+ void create_jobj(const LUKS2_both_headers &headers, uint64_t hdr_size);
+ void convert(const LUKS2_both_headers &headers, int fd);
+ void create_jobj(const LUKS2_both_headers &headers);
+ void emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid, const std::string &json_text);
+
+ void set_write_headers_only(bool headers_only);
+
+ const uint8_t *get_out_buffer();
+ size_t get_out_size();
+
+ static const uint64_t KEYSLOTS_SIZE = 3 * 1024 * 1024;
+ static const uint64_t DATA_SIZE = 16 * 1024 * 1024;
+ private:
+ bool write_headers_only = false;
+ struct crypt_hash *hd = NULL;
+};
+
+} // namespace LUKS2_proto
+
+#endif // LUKS2_PROTO_CONVERTER_H_
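Review bot: `LUKS2ProtoConverter` in plain_json_proto_to_luks2_converter.h owns the raw `struct crypt_hash *hd` and releases it in its destructor, but copying is left implicitly enabled, so a copied converter would destroy the same hash context twice. Deleting the copy operations rules that out; because a user-declared constructor suppresses the implicit default one, that takes three lines: `LUKS2ProtoConverter() = default;`, `LUKS2ProtoConverter(const LUKS2ProtoConverter &) = delete;` and `LUKS2ProtoConverter &operator=(const LUKS2ProtoConverter &) = delete;`. The header also declares `create_jobj()` (twice), `get_out_buffer()` and `get_out_size()`, for which `plain_json_proto_to_luks2_converter.cc` in this commit shows no definitions; if they are unused they can be dropped. The closing `// namespace LUKS2_proto` comment does not match `namespace json_proto`.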
diff --git a/tests/fuzz/proto_to_luks2.cc b/tests/fuzz/proto_to_luks2.cc
new file mode 100644
index 0000000..4a27cad
--- /dev/null
+++ b/tests/fuzz/proto_to_luks2.cc
@@ -0,0 +1,75 @@
+/*
+ * cryptsetup LUKS2 protobuf to image converter
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <iostream>
+#include <string>
+
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <google/protobuf/text_format.h>
+#include <google/protobuf/io/zero_copy_stream_impl.h>
+
+#include "proto_to_luks2_converter.h"
+
+using namespace LUKS2_proto;
+
+int main(int argc, char *argv[]) {
+ LUKS2_both_headers headers;
+ LUKS2ProtoConverter converter;
+ int fd;
+
+ std::string out_img_name;
+
+ if (argc != 2) {
+ std::cerr << "Usage: " << argv[0] << " <LUKS2 proto>\n";
+ return EXIT_FAILURE;
+ }
+
+ fd = open(argv[1], O_RDONLY);
+ if (fd < 0) {
+ std::cerr << "Failed to open " << argv[1] << std::endl;
+ return EXIT_FAILURE;
+ }
+
+ google::protobuf::io::FileInputStream fileInput(fd);
+
+ if (!google::protobuf::TextFormat::Parse(&fileInput, &headers)) {
+ std::cerr << "Failed to parse protobuf " << argv[1] << std::endl;
+ close(fd);
+ return EXIT_FAILURE;
+ }
+ close(fd);
+
+ out_img_name = argv[1];
+ out_img_name += ".img";
+
+ fd = open(out_img_name.c_str(), O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC|O_TRUNC, 0644);
+ if (fd < 0) {
+ std::cerr << "Failed to open output file " << out_img_name << std::endl;
+ return EXIT_FAILURE;
+ }
+ converter.set_write_headers_only(false);
+ converter.convert(headers, fd);
+
+ close(fd);
+ return EXIT_SUCCESS;
+}
diff --git a/tests/fuzz/proto_to_luks2_converter.cc b/tests/fuzz/proto_to_luks2_converter.cc
new file mode 100644
index 0000000..96a70b7
--- /dev/null
+++ b/tests/fuzz/proto_to_luks2_converter.cc
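Review bot: In `main()` of tests/fuzz/proto_to_luks2.cc the output `open()` passes `O_TRUNC` together with `O_CREAT|O_EXCL`; with `O_EXCL` the call fails whenever the path already exists, so `O_TRUNC` never takes effect and can be dropped. `O_EXCL` is the flag worth keeping, because it stops the tool from overwriting an existing image or writing through a pre-placed link. Both open-failure messages omit the reason, so the `EEXIST` a second run on the same input produces looks the same as a permission error; append it, e.g. `std::cerr << "Failed to open output file " << out_img_name << ": " << strerror(errno) << std::endl;` (needs `<cerrno>` and `<cstring>`).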
@@ -0,0 +1,604 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com> + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "proto_to_luks2_converter.h" +#include <iostream> + +extern "C" { +#include "src/cryptsetup.h" +#include "luks2/luks2.h" +#include <err.h> +} + +namespace LUKS2_proto { + +std::string LUKS2ProtoConverter::string_uint64_to_string(const string_uint64 &str_u64) { + std::ostringstream os; + + if (str_u64.negative()) + os << "-"; + + if (str_u64.has_uint_num()) + os << str_u64.uint_num(); + else if (str_u64.has_string_num()) + os << str_u64.string_num(); + + return os.str(); +} + +std::string LUKS2ProtoConverter::object_id_to_string(const object_id &oid) { + std::ostringstream os; + + if (oid.has_int_id()) { + os << (oid.int_id() % 33) - 16; + } else if (oid.has_string_id()) { + os << oid.string_id(); + } + + return os.str(); +} + +std::string LUKS2ProtoConverter::hash_algorithm_to_string(const hash_algorithm type) { + switch (type) { + case HASH_ALG_SHA1: + return "sha1"; + case HASH_ALG_SHA256: + return "sha256"; + } +} + +std::string LUKS2ProtoConverter::keyslot_area_type_to_string(const keyslot_area_type type) { + switch (type) 
{ + case KEYSLOT_AREA_TYPE_RAW: + return "raw"; + case KEYSLOT_AREA_TYPE_NONE: + return "none"; + case KEYSLOT_AREA_TYPE_JOURNAL: + return "journal"; + case KEYSLOT_AREA_TYPE_CHECKSUM: + return "checksum"; + case KEYSLOT_AREA_TYPE_DATASHIFT: + return "datashift"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_area(struct json_object *jobj_area, const keyslot_area_description &keyslot_area_desc) { + // mandatory fields + if (keyslot_area_desc.has_type()) + json_object_object_add(jobj_area, "type", json_object_new_string(keyslot_area_type_to_string(keyslot_area_desc.type()).c_str())); + if (keyslot_area_desc.has_offset()) + json_object_object_add(jobj_area, "offset", json_object_new_string(string_uint64_to_string(keyslot_area_desc.offset()).c_str())); + if (keyslot_area_desc.has_size()) + json_object_object_add(jobj_area, "size", json_object_new_string(string_uint64_to_string(keyslot_area_desc.size()).c_str())); + + // raw type fields + if (keyslot_area_desc.has_encryption()) + json_object_object_add(jobj_area, "encryption", json_object_new_string(keyslot_area_desc.encryption().c_str())); + if (keyslot_area_desc.has_key_size()) + json_object_object_add(jobj_area, "key_size", json_object_new_int(keyslot_area_desc.key_size())); + + // checksum type fields + if (keyslot_area_desc.has_hash()) + json_object_object_add(jobj_area, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_area_desc.hash()).c_str())); + if (keyslot_area_desc.has_sector_size()) + json_object_object_add(jobj_area, "sector_size", json_object_new_int(keyslot_area_desc.sector_size())); + + // datashift type fields + if (keyslot_area_desc.has_shift_size()) + json_object_object_add(jobj_area, "shift_size", json_object_new_string(string_uint64_to_string(keyslot_area_desc.shift_size()).c_str())); +} + +std::string LUKS2ProtoConverter::keyslot_kdf_type_to_string(const keyslot_kdf_type type) { + switch (type) { + case KEYSLOT_KDF_TYPE_PBKDF2: + return "pbkdf2"; + case 
KEYSLOT_KDF_TYPE_ARGON2I: + return "argon2i"; + case KEYSLOT_KDF_TYPE_ARGON2ID: + return "argon2id"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_kdf(struct json_object *jobj_kdf, const keyslot_kdf_description &keyslot_kdf_desc) { + // mandatory fields + if (keyslot_kdf_desc.has_type()) + json_object_object_add(jobj_kdf, "type", json_object_new_string(keyslot_kdf_type_to_string(keyslot_kdf_desc.type()).c_str())); + + if (keyslot_kdf_desc.has_salt()) + json_object_object_add(jobj_kdf, "salt", json_object_new_string(keyslot_kdf_desc.salt().c_str())); + else + json_object_object_add(jobj_kdf, "salt", json_object_new_string("6vz4xK7cjan92rDA5JF8O6Jk2HouV0O8DMB6GlztVk=")); + + // pbkdf2 type + if (keyslot_kdf_desc.has_hash()) + json_object_object_add(jobj_kdf, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_kdf_desc.hash()).c_str())); + if (keyslot_kdf_desc.has_iterations()) + json_object_object_add(jobj_kdf, "iterations", json_object_new_int(keyslot_kdf_desc.iterations())); + + // argon2i and argon2id types + if (keyslot_kdf_desc.has_time()) + json_object_object_add(jobj_kdf, "time", json_object_new_int(keyslot_kdf_desc.time())); + if (keyslot_kdf_desc.has_memory()) + json_object_object_add(jobj_kdf, "memory", json_object_new_int(keyslot_kdf_desc.memory())); + if (keyslot_kdf_desc.has_cpus()) + json_object_object_add(jobj_kdf, "cpus", json_object_new_int(keyslot_kdf_desc.cpus())); +} + +std::string LUKS2ProtoConverter::keyslot_af_type_to_string(const keyslot_af_type type) { + switch (type) { + case KEYSLOT_AF_TYPE_LUKS1: + return "luks1"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_af(struct json_object *jobj_af, const keyslot_af_description &keyslot_af_desc) { + if (keyslot_af_desc.has_type()) + json_object_object_add(jobj_af, "type", json_object_new_string(keyslot_af_type_to_string(keyslot_af_desc.type()).c_str())); + if (keyslot_af_desc.has_stripes()) + json_object_object_add(jobj_af, "stripes", 
json_object_new_int(keyslot_af_desc.stripes())); + if (keyslot_af_desc.has_hash()) + json_object_object_add(jobj_af, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_af_desc.hash()).c_str())); +} + +std::string LUKS2ProtoConverter::keyslot_type_to_string(const keyslot_type type) { + switch (type) { + case KEYSLOT_TYPE_LUKS2: + return "luks2"; + case KEYSLOT_TYPE_REENCRYPT: + return "reencrypt"; + case KEYSLOT_TYPE_PLACEHOLDER: + return "placeholder"; + } +} + +std::string LUKS2ProtoConverter::reencrypt_keyslot_mode_to_string(const reencrypt_keyslot_mode mode) { + switch (mode) { + case MODE_REENCRYPT: + return "reencrypt"; + case MODE_ENCRYPT: + return "encrypt"; + case MODE_DECRYPT: + return "decrypt"; + } +} + +std::string LUKS2ProtoConverter::reencrypt_keyslot_direction_to_string(const reencrypt_keyslot_direction direction) { + switch (direction) { + case DIRECTION_FORWARD: + return "forward"; + case DIRECTION_BACKWARD: + return "backward"; + } +} + +void LUKS2ProtoConverter::generate_keyslot(struct json_object *jobj_keyslots, const keyslot_description &keyslot_desc) { + struct json_object *jobj_keyslot, *jobj_area, *jobj_kdf, *jobj_af; + + jobj_keyslot = json_object_new_object(); + if (keyslot_desc.has_type()) + json_object_object_add(jobj_keyslot, "type", json_object_new_string(keyslot_type_to_string(keyslot_desc.type()).c_str())); + if (keyslot_desc.has_key_size()) + json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(keyslot_desc.key_size())); + if (keyslot_desc.has_priority()) + json_object_object_add(jobj_keyslot, "priority", json_object_new_int(keyslot_desc.priority())); + if (keyslot_desc.has_mode()) + json_object_object_add(jobj_keyslot, "mode", json_object_new_int(keyslot_desc.mode())); + if (keyslot_desc.has_direction()) + json_object_object_add(jobj_keyslot, "direction", json_object_new_int(keyslot_desc.direction())); + + /* Area object */ + if (keyslot_desc.has_area()) { + jobj_area = json_object_new_object(); + 
generate_keyslot_area(jobj_area, keyslot_desc.area()); + json_object_object_add(jobj_keyslot, "area", jobj_area); + } + + /* KDF object */ + if (keyslot_desc.has_kdf()) { + jobj_kdf = json_object_new_object(); + generate_keyslot_kdf(jobj_kdf, keyslot_desc.kdf()); + json_object_object_add(jobj_keyslot, "kdf", jobj_kdf); + } + + /* AF object */ + if (keyslot_desc.has_af()) { + jobj_af = json_object_new_object(); + generate_keyslot_af(jobj_af, keyslot_desc.af()); + json_object_object_add(jobj_keyslot, "af", jobj_af); + } + + json_object_object_add(jobj_keyslots, object_id_to_string(keyslot_desc.oid()).c_str(), jobj_keyslot); +} + +void LUKS2ProtoConverter::generate_token(struct json_object *jobj_tokens, const token_description &token_desc) { + struct json_object *jobj_token, *jobj_keyslots; + jobj_token = json_object_new_object(); + + if (token_desc.has_type()) + json_object_object_add(jobj_token, "type", json_object_new_string(token_desc.type().c_str())); + + if (token_desc.has_key_description()) + json_object_object_add(jobj_token, "key_description", json_object_new_string(token_desc.key_description().c_str())); + + if (!token_desc.keyslots().empty()) { + jobj_keyslots = json_object_new_array(); + + for (const object_id& oid : token_desc.keyslots()) { + json_object_array_add(jobj_keyslots, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new keyslots array */ + json_object_object_add(jobj_token, "keyslots", jobj_keyslots); + } + + json_object_object_add(jobj_tokens, object_id_to_string(token_desc.oid()).c_str(), jobj_token); +} + +void LUKS2ProtoConverter::generate_digest(struct json_object *jobj_digests, const digest_description &digest_desc) { + struct json_object *jobj_digest, *jobj_keyslots, *jobj_segments; + + jobj_digest = json_object_new_object(); + + if (digest_desc.has_type()) + json_object_object_add(jobj_digest, "type", json_object_new_string(keyslot_kdf_type_to_string(digest_desc.type()).c_str())); + + if 
(!digest_desc.keyslots().empty()) { + jobj_keyslots = json_object_new_array(); + + for (const object_id& oid : digest_desc.keyslots()) { + json_object_array_add(jobj_keyslots, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new keyslots array */ + json_object_object_add(jobj_digest, "keyslots", jobj_keyslots); + } + + if (!digest_desc.segments().empty()) { + jobj_segments = json_object_new_array(); + + for (const object_id& oid : digest_desc.segments()) { + json_object_array_add(jobj_segments, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new segments array */ + json_object_object_add(jobj_digest, "segments", jobj_segments); + } + + if (digest_desc.has_salt()) + json_object_object_add(jobj_digest, "salt", json_object_new_string(digest_desc.salt().c_str())); + if (digest_desc.has_digest()) + json_object_object_add(jobj_digest, "digest", json_object_new_string(digest_desc.digest().c_str())); + if (digest_desc.has_hash()) + json_object_object_add(jobj_digest, "hash", json_object_new_string(hash_algorithm_to_string(digest_desc.hash()).c_str())); + if (digest_desc.has_iterations()) + json_object_object_add(jobj_digest, "iterations", json_object_new_int(digest_desc.iterations())); + + json_object_object_add(jobj_digests, object_id_to_string(digest_desc.oid()).c_str(), jobj_digest); +} + +std::string LUKS2ProtoConverter::segment_type_to_string(segment_type type) { + switch (type) { + case SEGMENT_TYPE_LINEAR: + return "linear"; + case SEGMENT_TYPE_CRYPT: + return "crypt"; + } +} + +std::string LUKS2ProtoConverter::segment_flag_to_string(segment_flag flag) { + switch (flag) { + case IN_REENCRYPTION: + return "in-reencryption"; + case BACKUP_FINAL: + return "backup-final"; + case BACKUP_PREVIOUS: + return "backup-previous"; + case BACKUP_MOVED_SEGMENT: + return "backup-moved-segment"; + } +} + +void LUKS2ProtoConverter::generate_segment_integrity(struct json_object *jobj_integrity, const 
segment_integrity_description &segment_integrity_desc) { + if (segment_integrity_desc.has_type()) + json_object_object_add(jobj_integrity, "type", json_object_new_string(segment_integrity_desc.type().c_str())); + if (segment_integrity_desc.has_journal_encryption()) + json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string(segment_integrity_desc.journal_encryption().c_str())); + if (segment_integrity_desc.has_journal_integrity()) + json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string(segment_integrity_desc.journal_integrity().c_str())); +} + +void LUKS2ProtoConverter::generate_segment(struct json_object *jobj_segments, const segment_description &segment_desc) { + json_object *jobj_flags, *jobj_integrity; + json_object *jobj_segment = json_object_new_object(); + + if (segment_desc.has_type()) + json_object_object_add(jobj_segment, "type", json_object_new_string(segment_type_to_string(segment_desc.type()).c_str())); + + if (segment_desc.has_offset()) + json_object_object_add(jobj_segment, "offset", json_object_new_string(string_uint64_to_string(segment_desc.offset()).c_str())); + if (segment_desc.has_size()) + json_object_object_add(jobj_segment, "size", json_object_new_string(string_uint64_to_string(segment_desc.size()).c_str())); + + if (!segment_desc.flags().empty()) { + jobj_flags = json_object_new_array(); + + for (const int flag : segment_desc.flags()) { + json_object_array_add(jobj_flags, + json_object_new_string(segment_flag_to_string(segment_flag(flag)).c_str())); + } + + /* Replace or add new flags array */ + json_object_object_add(jobj_segment, "flags", jobj_flags); + } + + if (segment_desc.has_iv_tweak()) + json_object_object_add(jobj_segment, "iv_tweak", json_object_new_string(string_uint64_to_string(segment_desc.iv_tweak()).c_str())); + if (segment_desc.has_encryption()) + json_object_object_add(jobj_segment, "encryption", json_object_new_string(segment_desc.encryption().c_str())); + if 
(segment_desc.has_sector_size()) + json_object_object_add(jobj_segment, "sector_size", json_object_new_int(segment_desc.sector_size())); + + if (segment_desc.has_integrity()) { + jobj_integrity = json_object_new_object(); + generate_segment_integrity(jobj_integrity, segment_desc.integrity()); + json_object_object_add(jobj_segment, "integrity", jobj_integrity); + } + + json_object_object_add(jobj_segments, object_id_to_string(segment_desc.oid()).c_str(), jobj_segment); +} + +void LUKS2ProtoConverter::create_jobj(const LUKS2_both_headers &headers) { + json_object *jobj_keyslots = NULL; + json_object *jobj_digests = NULL; + json_object *jobj_segments = NULL; + json_object *jobj_tokens = NULL; + + const json_area_description &json_desc = headers.json_area(); + + jobj = json_object_new_object(); + if (!jobj) + return; + + jobj_keyslots = json_object_new_object(); + for (const keyslot_description &keyslot_desc : json_desc.keyslots()) { + generate_keyslot(jobj_keyslots, keyslot_desc); + } + json_object_object_add(jobj, "keyslots", jobj_keyslots); + + jobj_digests = json_object_new_object(); + for (const digest_description &digest_desc : json_desc.digests()) { + generate_digest(jobj_digests, digest_desc); + } + json_object_object_add(jobj, "digests", jobj_digests); + + jobj_segments = json_object_new_object(); + for (const segment_description &segment_desc : json_desc.segments()) { + generate_segment(jobj_segments, segment_desc); + } + json_object_object_add(jobj, "segments", jobj_segments); + + jobj_tokens = json_object_new_object(); + for (const token_description &token_desc : json_desc.tokens()) { + generate_token(jobj_tokens, token_desc); + } + json_object_object_add(jobj, "tokens", jobj_tokens); + + if (json_desc.has_config()) { + uint64_t hdr_size = json_desc.config().use_primary_hdr_size() ? 
headers.primary_header().hdr_size() : headers.secondary_header().hdr_size(); + generate_config(json_desc.config(), hdr_size - LUKS2_HDR_BIN_LEN, KEYSLOTS_SIZE); + } +} + +void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid) { + struct luks2_hdr_disk hdr = {}; + int r; + + if (hd) + crypt_hash_destroy(hd); + if (crypt_hash_init(&hd, "sha256")) + err(EXIT_FAILURE, "crypt_hash_init failed"); + + + r = lseek(fd, offset, SEEK_SET); + if (r == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (header_proto.magic()) { + case INVALID: + memset(&hdr.magic, 0, LUKS2_MAGIC_L); + break; + case FIRST: + memcpy(&hdr.magic, LUKS2_MAGIC_1ST, LUKS2_MAGIC_L); + break; + case SECOND: + memcpy(&hdr.magic, LUKS2_MAGIC_2ND, LUKS2_MAGIC_L); + break; + } + hdr.version = cpu_to_be16(header_proto.version()); + hdr.hdr_size = cpu_to_be64(header_proto.hdr_size()); + hdr.seqid = cpu_to_be64(seqid); + strncpy(hdr.checksum_alg, "sha256", LUKS2_CHECKSUM_ALG_L); + hdr.checksum_alg[LUKS2_CHECKSUM_ALG_L - 1] = '\0'; + strncpy(hdr.uuid, "af7f64ea-3233-4581-946b-6187d812841e", LUKS2_UUID_L); + memset(hdr.salt, 1, LUKS2_SALT_L); + + + if (header_proto.has_selected_offset()) + hdr.hdr_offset = cpu_to_be64(header_proto.selected_offset()); + else + hdr.hdr_offset = cpu_to_be64(offset); + + if (write_buffer(fd, &hdr, LUKS2_HDR_BIN_LEN) != LUKS2_HDR_BIN_LEN) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, (char*)&hdr, LUKS2_HDR_BIN_LEN)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + size_t hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN; + size_t json_text_len; + const char *json_text; + uint8_t csum[LUKS2_CHECKSUM_L]; + + if (jobj) { + json_text = json_object_to_json_string_ext((struct json_object *)jobj, JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); + if (!json_text || !*json_text) + err(EXIT_FAILURE, "json_object_to_json_string_ext failed"); + + json_text_len = 
strlen(json_text); + + size_t write_size = json_text_len > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text_len; + if (write_buffer(fd, json_text, write_size) != (ssize_t)write_size) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, json_text, write_size)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + for (size_t i = 0; i < (hdr_json_area_len - write_size); i++) { + if (crypt_hash_write(hd, "\0", 1)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + } + } + + if (header_proto.use_correct_checksum()) { + if (lseek(fd, offset + offsetof(luks2_hdr_disk, csum), SEEK_SET) == -1) + err(EXIT_FAILURE, "lseek failed"); + + int hash_size = crypt_hash_size("sha256"); + if (hash_size <= 0) + err(EXIT_FAILURE, "crypt_hash_size failed"); + + if (crypt_hash_final(hd, (char*)csum, (size_t)hash_size)) + err(EXIT_FAILURE, "crypt_hash_final failed"); + if (write_buffer(fd, csum, hash_size) != hash_size) + err(EXIT_FAILURE, "write_buffer failed"); + } +} + +void LUKS2ProtoConverter::set_write_headers_only(bool headers_only) { + write_headers_only = headers_only; +} + +void LUKS2ProtoConverter::convert(const LUKS2_both_headers &headers, int fd) { + uint64_t primary_seqid, secondary_seqid; + int result; + + size_t out_size = headers.primary_header().hdr_size() + headers.secondary_header().hdr_size(); + + if (!write_headers_only) + out_size += KEYSLOTS_SIZE + DATA_SIZE; + + result = ftruncate(fd, out_size); + if (result == -1) + err(EXIT_FAILURE, "truncate failed"); + + result = lseek(fd, 0, SEEK_SET); + if (result == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (headers.seqid()) { + case EQUAL: + primary_seqid = 1; + secondary_seqid = 1; + break; + case PRIMARY_GREATER: + primary_seqid = 2; + secondary_seqid = 1; + break; + case SECONDARY_GREATER: + primary_seqid = 1; + secondary_seqid = 2; + break; + } + + create_jobj(headers); + emit_luks2_binary_header(headers.primary_header(), fd, 0, primary_seqid); + 
emit_luks2_binary_header(headers.secondary_header(), fd, headers.primary_header().hdr_size(), secondary_seqid); +} + +std::string LUKS2ProtoConverter::config_flag_to_string(config_flag flag) { + switch (flag) { + case CONFIG_FLAG_ALLOW_DISCARDS: + return "allow-discards"; + case CONFIG_FLAG_SAME_CPU_CRYPT: + return "same-cpu-crypt"; + case CONFIG_FLAG_SUBMIT_FROM_CRYPT_CPUS: + return "submit-from-crypt-cpus"; + case CONFIG_FLAG_NO_JOURNAL: + return "no-journal"; + case CONFIG_FLAG_NO_READ_WORKQUEUE: + return "no-read-workqueue"; + case CONFIG_FLAG_NO_WRITE_WORKQUEUE: + return "no-write-workqueue"; + } +} + +std::string LUKS2ProtoConverter::config_requirement_to_string(config_requirement requirement) { + switch (requirement) { + case CONFIG_REQUIREMENT_OFFLINE_REENCRYPT: + return "offline-reencrypt"; + case CONFIG_REQUIREMENT_ONLINE_REENCRYPT_V2: + return "online-reencrypt-v2"; + } +} + +void LUKS2ProtoConverter::generate_config(const config_description &config_desc, uint64_t json_size, uint64_t keyslots_size) { + json_object *jobj_config, *jobj_flags, *jobj_requirements, *jobj_mandatory; + jobj_config = json_object_new_object(); + + json_object_object_add(jobj_config, "json_size", json_object_new_string(std::to_string(json_size).c_str())); + json_object_object_add(jobj_config, "keyslots_size", json_object_new_string(std::to_string(keyslots_size).c_str())); + + if (!config_desc.config_flags().empty()) { + jobj_flags = json_object_new_array(); + + for (const int flag : config_desc.config_flags()) { + json_object_array_add(jobj_flags, + json_object_new_string(config_flag_to_string(config_flag(flag)).c_str())); + } + + /* Replace or add new flags array */ + json_object_object_add(jobj_config, "flags", jobj_flags); + } + + if (!config_desc.requirements().empty()) { + jobj_requirements = json_object_new_object(); + jobj_mandatory = json_object_new_array(); + + for (const int requirement : config_desc.requirements()) { + json_object_array_add(jobj_mandatory, + 
json_object_new_string(config_requirement_to_string(config_requirement(requirement)).c_str())); + } + + /* Replace or add new requirements array */ + json_object_object_add(jobj_requirements, "mandatory", jobj_mandatory); + json_object_object_add(jobj_config, "requirements", jobj_requirements); + } + + json_object_object_add(jobj, "config", jobj_config); +} + +LUKS2ProtoConverter::~LUKS2ProtoConverter() { + json_object_put(jobj); + if (hd) + crypt_hash_destroy(hd); +} +} // namespace LUKS2_proto diff --git a/tests/fuzz/proto_to_luks2_converter.h b/tests/fuzz/proto_to_luks2_converter.h new file mode 100644 index 0000000..9f926d0 --- /dev/null +++ b/tests/fuzz/proto_to_luks2_converter.h 
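Review bot: `generate_keyslot()` in tests/fuzz/proto_to_luks2_converter.cc writes `"mode"` and `"direction"` with `json_object_new_int()`, while `reencrypt_keyslot_mode_to_string()` and `reencrypt_keyslot_direction_to_string()` are defined in the same hunk and never called in it. If the numeric form is not deliberate, every generated reencrypt keyslot carries a non-string value there and the fuzzer cannot get past validation of those two fields; use `json_object_new_string(reencrypt_keyslot_mode_to_string(keyslot_desc.mode()).c_str())` and the matching call for direction. In `emit_luks2_binary_header()`, `header_proto.hdr_size() - LUKS2_HDR_BIN_LEN` and the later `hdr_json_area_len - 1` are unsigned subtractions with no lower-bound check; LUKS2.proto is not visible here, so confirm it cannot yield a size at or below `LUKS2_HDR_BIN_LEN`, otherwise the one-byte zero-padding loop runs for an enormous count and the harness reports timeouts instead of findings. The `*_to_string()` switches also have no `return` after the switch, which is undefined behaviour for an enum value not listed in the cases.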
@@ -0,0 +1,91 @@
+/*
+ * cryptsetup LUKS2 custom mutator fuzz target
+ *
+ * Copyright (C) 2022-2023 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef LUKS2_PROTO_CONVERTER_H_
+#define LUKS2_PROTO_CONVERTER_H_
+
+#include <sstream>
+#include <string>
+#include <json-c/json.h>
+
+#include "LUKS2.pb.h"
+extern "C" {
+#include "crypto_backend/crypto_backend.h"
+}
+
+namespace LUKS2_proto {
+
+class LUKS2ProtoConverter {
+ public:
+ ~LUKS2ProtoConverter();
+ std::string string_uint64_to_string(const string_uint64 &str_u64);
+ std::string hash_algorithm_to_string(const hash_algorithm type);
+ std::string object_id_to_string(const object_id &oid);
+
+ std::string keyslot_area_type_to_string(const keyslot_area_type type);
+ std::string keyslot_kdf_type_to_string(const keyslot_kdf_type type);
+ std::string reencrypt_keyslot_mode_to_string(const reencrypt_keyslot_mode mode);
+ std::string keyslot_type_to_string(const keyslot_type type);
+ std::string reencrypt_keyslot_direction_to_string(const reencrypt_keyslot_direction direction);
+ std::string keyslot_af_type_to_string(const keyslot_af_type type);
+
+ std::string config_flag_to_string(config_flag flag);
+ std::string config_requirement_to_string(config_requirement requirements);
+
+ std::string segment_type_to_string(segment_type type);
+ std::string segment_flag_to_string(segment_flag flag);
+
+ void generate_keyslot(struct json_object *jobj_keyslots, const keyslot_description &keyslot_desc);
+ void generate_keyslot_area(struct json_object *jobj_area, const keyslot_area_description &keyslot_area_desc);
+ void generate_keyslot_kdf(struct json_object *jobj_kdf, const keyslot_kdf_description &keyslot_kdf_desc);
+ void generate_keyslot_af(struct json_object *jobj_af, const keyslot_af_description &keyslot_af_desc);
+
+ void generate_token(struct json_object *jobj_tokens, const token_description &token_desc);
+
+ void generate_digest(struct json_object *jobj_digests, const digest_description &digest_desc);
+
+ void generate_segment_integrity(struct json_object *jobj_integrity, const segment_integrity_description &segment_integrity_desc);
+ void generate_segment(struct json_object *jobj_segments, const segment_description &segment_desc);
+
+ void generate_config(const config_description &config_desc, uint64_t json_size, uint64_t keyslots_size);
+
+ void create_jobj(const LUKS2_both_headers &headers, uint64_t hdr_size);
+ void emit_luks2_binary_header(uint64_t offset, uint64_t seqid, bool is_primary, uint64_t hdr_size);
+ void convert(const LUKS2_both_headers &headers, int fd);
+ void create_jobj(const LUKS2_both_headers &headers);
+ void emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid);
+
+ void set_write_headers_only(bool headers_only);
+
+ const uint8_t *get_out_buffer();
+ size_t get_out_size();
+
+ static const uint64_t KEYSLOTS_SIZE = 3 * 1024 * 1024;
+ static const uint64_t DATA_SIZE = 16 * 1024 * 1024;
+ private:
+ bool write_headers_only = false;
+ struct crypt_hash *hd = NULL;
+ struct ::json_object *jobj = NULL;
+};
+
+} // namespace LUKS2_proto
+
+#endif // LUKS2_PROTO_CONVERTER_H_
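Review bot: `LUKS2ProtoConverter` in tests/fuzz/proto_to_luks2_converter.h holds the raw owning pointers `hd` and `jobj`, which the destructor in proto_to_luks2_converter.cc releases with `crypt_hash_destroy()` and `json_object_put()`, but the implicit copy operations stay enabled, so any copy of a converter would release both objects twice. Delete them and keep the default constructor that `main()` relies on: `LUKS2ProtoConverter() = default;`, `LUKS2ProtoConverter(const LUKS2ProtoConverter &) = delete;`, `LUKS2ProtoConverter &operator=(const LUKS2ProtoConverter &) = delete;`. The declarations `create_jobj(headers, hdr_size)`, the `emit_luks2_binary_header(offset, seqid, is_primary, hdr_size)` overload, `get_out_buffer()` and `get_out_size()` have no definition in the .cc file this commit adds and look like leftovers. The `*_to_string()` and `generate_*()` helpers could move under `private:`, since only `convert()` and `set_write_headers_only()` are called from `main()`.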
diff --git a/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch b/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch new file mode 100644 index 0000000..1f48339 --- /dev/null +++ b/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch @@ -0,0 +1,29 @@ +diff --git a/src/libfuzzer/libfuzzer_mutator.cc b/src/libfuzzer/libfuzzer_mutator.cc +index 34d144c..b671fd4 100644 +--- a/src/libfuzzer/libfuzzer_mutator.cc ++++ b/src/libfuzzer/libfuzzer_mutator.cc +@@ -14,6 +14,8 @@ + + #include "src/libfuzzer/libfuzzer_mutator.h" + ++#include <sanitizer/msan_interface.h> ++ + #include <string.h> + + #include <algorithm> +@@ -64,6 +66,7 @@ template <class T> + T MutateValue(T v) { + size_t size = + LLVMFuzzerMutate(reinterpret_cast<uint8_t*>(&v), sizeof(v), sizeof(v)); ++ __msan_unpoison(reinterpret_cast<uint8_t*>(&v), size); + memset(reinterpret_cast<uint8_t*>(&v) + size, 0, sizeof(v) - size); + return v; + } +@@ -93,6 +96,7 @@ std::string Mutator::MutateString(const std::string& value, + result.resize(std::max(1, new_size)); + result.resize(LLVMFuzzerMutate(reinterpret_cast<uint8_t*>(&result[0]), + value.size(), result.size())); ++ __msan_unpoison(reinterpret_cast<uint8_t*>(&result[0]), result.size()); + return result; + } + diff --git a/tests/fvault2-compat-test b/tests/fvault2-compat-test new file mode 100755 index 0000000..45022d2 --- /dev/null +++ b/tests/fvault2-compat-test 
@@ -0,0 +1,134 @@
+#!/bin/bash
+
+[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+MAP=fvault2test
+TST_DIR=fvault2-images
+
+CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+CRYPTSETUP_LIB_VALGRIND=../.libs
+
+[ -z "$srcdir" ] && srcdir="."
+
+function create_mapping()
+{
+ local image=$1
+ local passphrase=$2
+ echo -n "$passphrase" | "$CRYPTSETUP" open --type fvault2 --key-file - \
+ "$image" "$MAP"
+}
+
+function remove_mapping()
+{
+ [ -b "/dev/mapper/$MAP" ] && dmsetup remove --retry "$MAP"
+ rm -rf $TST_DIR
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ echo " [FAILED]"
+ echo "FAILED backtrace:"
+ while caller $frame; do ((frame++)); done
+ remove_mapping
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ echo "Test skipped."
+ remove_mapping
+ exit 77
+}
+
+function produce_dump()
+{
+ "$CRYPTSETUP" fvault2Dump "$1" || fail
+}
+
+function produce_dump_key()
+{
+ echo "$2" | "$CRYPTSETUP" fvault2Dump "$1" --dump-volume-key || fail
+}
+
+function check_dump()
+{
+ local dump=$1
+ local key=$2
+ local exp_value=$3
+ local regex="$key:\s*\(.*\)"
+ local value=$(echo "$dump" | sed -n "s|$regex|\1|p" | sed 's|\s*$||')
+ [ "$value" = "$exp_value" ] || fail \
+ "$key check failed: expected \"$exp_value\", got \"$value\""
+}
+
+function check_uuid()
+{
+ local exp_uuid=$1
+ local uuid=$(blkid -po value -s UUID "/dev/mapper/$MAP")
+ [ "$uuid" = "$exp_uuid" ] || fail \
+ "UUID check failed: expected \"$exp_uuid\", got \"$uuid\""
+}
+
+function check_sha256()
+{
+ local exp_sum=$1
+ local sum=$(sha256sum /dev/mapper/$MAP | head -c 64)
+ [ "$sum" = "$exp_sum" ] || fail \
+ "SHA256 sum check failed: expected \"$exp_sum\", got \"$sum\""
+}
+
+function valgrind_setup()
+{
+ command -v valgrind >/dev/null || fail "Cannot find valgrind."
+ [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+}
+
+function valgrind_run()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+}
+
+export LANG=C
+[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+
+if [ ! -d $TST_DIR ]; then
+ tar xJSf $srcdir/fvault2-images.tar.xz --no-same-owner 2>/dev/null || skip "Incompatible tar."
+fi
+
+[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
+
+echo "HEADER CHECK"
+IMG="$TST_DIR/small"
+PWD="heslo123"
+
+echo -n " $IMG"
+dump=$(produce_dump $IMG)
+check_dump "$dump" 'Physical volume UUID' fc52bfae-5a1f-4f9b-b3a6-f33303a0e401
+check_dump "$dump" 'Family UUID' 33a76caa-1481-4bc5-8d04-1ac1707c19c0
+check_dump "$dump" 'Logical volume offset' '67108864 [bytes]'
+check_dump "$dump" 'Logical volume size' '167772160 [bytes]'
+check_dump "$dump" 'PBKDF2 iterations' 204222
+check_dump "$dump" 'PBKDF2 salt' '2c 24 9e db 66 63 d6 fb cc 79 05 b7 a4 d7 27 52'
+dump=$(produce_dump_key $IMG heslo123)
+check_dump "$dump" 'Volume key' '20 73 4d 33 89 21 27 74 d7 61 0c 29 d7 32 88 09 16 f3 be 14 c4 b1 2a c7 aa f0 7e 5c cc 77 b3 19'
+echo $PWD | $CRYPTSETUP open --type fvault2 --test-passphrase $IMG || fail
+echo " [OK]"
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run activation part of test, test skipped."
+ remove_mapping
+ exit 0
+fi
+
+echo "ACTIVATION CHECK"
+echo -n " $IMG"
+create_mapping $IMG heslo123
+check_uuid de124d8a-2164-394e-924f-8e28db0a09cb
+check_sha256 2c662e36c0f7e2f5583e6a939bbcbdc660805692d0fccaa45ad4052beb3b8e18
+echo " [OK]"
+
+remove_mapping
+exit 0
diff --git a/tests/fvault2-images.tar.xz b/tests/fvault2-images.tar.xz
new file mode 100644
index 0000000..99fab77
Binary files /dev/null and b/tests/fvault2-images.tar.xz differ
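Review bot: In `valgrind_setup`, `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"` leaves a trailing empty entry whenever `LD_LIBRARY_PATH` was unset or empty, and the dynamic loader treats an empty entry as the current working directory. The activation part of this test is meant to run as root, so the library search path should not pick up the working directory by accident; use `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. Separately, `PWD="heslo123"` overwrites the shell's own working-directory variable, which is normally passed on to child processes. A name such as `PASSPHRASE` avoids that, with the later `echo $PWD | $CRYPTSETUP open ...` line changed to match.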
diff --git a/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh b/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh index 3938f7b..a7d3147 100755 --- a/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh +++ b/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # make area 7 access the luks2 header space @@ -34,20 +25,12 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c --arg off $OFFS --arg len $LEN \ @@ -55,18 +38,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-argon2-leftover-params.img.sh b/tests/generators/generate-luks2-argon2-leftover-params.img.sh index 7f003a0..f0b74d7 100755 --- a/tests/generators/generate-luks2-argon2-leftover-params.img.sh +++ b/tests/generators/generate-luks2-argon2-leftover-params.img.sh 
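Review bot: `lib_prepare $@` passes the script arguments unquoted, so a target directory or source image path containing whitespace or glob characters is split or expanded before `lib_prepare` receives it; write `lib_prepare "$@"`. This hunk also removes the `test $# -eq 2 || exit 1` guard, and `lib_prepare` is defined outside this diff section, so it cannot be confirmed from here that the argument count is still checked. The same unquoted call is added at the end of every other `tests/generators/*.img.sh` script changed or created in the sections that follow.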
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # add keyslot 1 to second digest @@ -32,40 +23,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_obj_len=$(jq -c -M '.keyslots."1".kdf | length' $TMPDIR/json_res0) test $((obj_len+2)) -eq $new_obj_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-correct-full-json0.img.sh b/tests/generators/generate-luks2-correct-full-json0.img.sh index f32f84b..5cba271 100755 --- a/tests/generators/generate-luks2-correct-full-json0.img.sh +++ b/tests/generators/generate-luks2-correct-full-json0.img.sh 
@@ -15,15 +15,6 @@ PATTERN="\"config\":{" KEY="\"config_key\":\"" -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 @@ -47,41 +38,21 @@ function generate() printf $format_str $KEY $fill ${json_str:$offset} | _dd of=$TMPDIR/json0 bs=1 seek=$offset conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 #json_str_res0=$(< $TMPDIR/json_res0) read -r json_str_res0 < $TMPDIR/json_res0 test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512-1)) || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh b/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh index 3d4f729..1365e0c 100755 --- a/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh +++ b/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh 
@@ -11,14 +11,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 -} - function generate() { read -r json_str < $TMPDIR/json0 @@ -32,34 +24,19 @@ function generate() printf "%s" $json_new_str | _dd of=$TMPDIR/json0 bs=512 count=$LUKS2_JSON_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG + lib_mangle_json_hdr0 } function check() { - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 + lib_hdr0_checksum || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 read -r json_str_res0 < $TMPDIR/json_res0 test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512)) || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh b/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh index 026393c..fcbbb1e 100755 --- a/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh +++ b/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh @@ -11,14 +11,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json1 $TGT_IMG $TMPDIR/json1 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json1 
@@ -32,35 +24,19 @@ function generate() printf "%s" $json_new_str | _dd of=$TMPDIR/json1 bs=512 count=$LUKS2_JSON_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json1 $TMPDIR/area1 - erase_checksum $TMPDIR/area1 - chks1=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks1 $TMPDIR/area1 - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG + lib_mangle_json_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - chks_res1=$(read_sha256_checksum $TMPDIR/hdr_res1) - test "$chks1" = "$chks_res1" || exit 2 + lib_hdr1_checksum || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 read -r json_str_res1 < $TMPDIR/json_res1 test ${#json_str_res1} -eq $((LUKS2_JSON_SIZE*512)) || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh b/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh index be98722..925763e 100755 --- a/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh +++ b/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh 
@@ -11,42 +11,22 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { - chks0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) - chks1=$(echo "D'oh!: arbitrary chosen string" | calc_sha256_checksum_stdin) - write_checksum $chks0 $TGT_IMG - write_checksum $chks1 $TMPDIR/hdr1 + CHKS0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) + CHKS1=$(echo "D'oh!: arbitrary chosen string" | calc_sha256_checksum_stdin) + write_checksum $CHKS0 $TGT_IMG + write_checksum $CHKS1 $TMPDIR/hdr1 write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG } function check() { - chks_res0=$(read_sha256_checksum $TGT_IMG) - chks_res1=$(read_sha256_checksum $TMPDIR/hdr1) - test "$chks0" = "$chks_res0" || exit 2 - test "$chks1" = "$chks_res1" || exit 2 + lib_hdr0_checksum || exit 2 + lib_hdr1_checksum || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh b/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh index ac75ccb..ae8c595 100755 --- a/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh +++ b/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh 
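Review bot: `generate()` now stores the fake checksums in `CHKS0` and `CHKS1`, and `check()` calls `lib_hdr0_checksum` and `lib_hdr1_checksum` with no arguments, so the expected values appear to reach the helpers through global variables read by name, which nothing in this file states. A comment above the assignments, for example `# CHKS0/CHKS1 are read by lib_hdr0_checksum/lib_hdr1_checksum in lib.sh`, would stop a later rename from silently turning the check into a comparison against an empty string. The helpers are defined outside this hunk, so it is worth confirming that they fail when the variable is unset. The same applies to `CHKS0` in generate-luks2-invalid-checksum-hdr0.img.sh and `CHKS1` in generate-luks2-invalid-checksum-hdr1.img.sh.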
@@ -11,33 +11,18 @@ # 1 full target dir # 2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG -} - function generate() { - chks=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) - write_checksum $chks $TGT_IMG + CHKS0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) + write_checksum $CHKS0 $TGT_IMG } function check() { - chks_res=$(read_sha256_checksum $TGT_IMG) - test "$chks" = "$chks_res" || exit 2 + lib_hdr0_checksum || exit 2 } -#function cleanup() -#{ -#} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -#cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh b/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh index f0ca01a..a56695d 100755 --- a/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh +++ b/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh @@ -11,38 +11,19 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { - chks=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) - write_checksum $chks $TMPDIR/hdr1 + CHKS1=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin) + write_checksum $CHKS1 $TMPDIR/hdr1 write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG } function check() { - chks_res=$(read_sha256_checksum $TMPDIR/hdr1) - test "$chks" = "$chks_res" || exit 2 + lib_hdr1_checksum || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-json-size-c0.img.sh b/tests/generators/generate-luks2-invalid-json-size-c0.img.sh index 2866b0b..13dea92 100755 
--- a/tests/generators/generate-luks2-invalid-json-size-c0.img.sh +++ b/tests/generators/generate-luks2-invalid-json-size-c0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512+4096)) @@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c --arg js $JS 'if .config.json_size != ($js | tostring ) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-json-size-c1.img.sh b/tests/generators/generate-luks2-invalid-json-size-c1.img.sh index dcab9bc..5cdc7ce 100755 --- a/tests/generators/generate-luks2-invalid-json-size-c1.img.sh +++ b/tests/generators/generate-luks2-invalid-json-size-c1.img.sh 
@@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512-4096)) @@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c --arg js $JS 'if .config.json_size != ($js | tostring ) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-json-size-c2.img.sh b/tests/generators/generate-luks2-invalid-json-size-c2.img.sh index 6de411a..4122338 100755 --- a/tests/generators/generate-luks2-invalid-json-size-c2.img.sh +++ b/tests/generators/generate-luks2-invalid-json-size-c2.img.sh 
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512)) @@ -33,24 +24,14 @@ function generate() json_str=$(jq -c '.' $TMPDIR/json0) write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() @@ -68,18 +49,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh index c4f002f..8187b72 100755 --- a/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh +++ b/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh 
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # make area 7 being included in area 6 @@ -34,38 +25,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c --arg off $OFFS 'if .config.keyslots_size != ( .segments."0".offset | tonumber - ($off | tonumber) + 4096 | tostring ) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh index eff2064..2ba1a9b 100755 --- a/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh +++ b/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh 
@@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { json_str=$(jq -c '.config.keyslots_size = (.config.keyslots_size | tonumber - 1 | tostring)' $TMPDIR/json0) @@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if (.config.keyslots_size | tonumber % 4096) == 0 then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh index f70f39f..f983438 100755 --- a/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh +++ b/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh 
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { json_str=$(jq '.config.keyslots_size = ([.keyslots[].area.size] | map(tonumber) | add - 4096 | tostring )' $TMPDIR/json0) @@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .config.keyslots_size != ([.keyslots[].area.size ] | map(tonumber) | add - 4096 | tostring) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-object-type-json0.img.sh b/tests/generators/generate-luks2-invalid-object-type-json0.img.sh index 1063864..616120b 100755 --- a/tests/generators/generate-luks2-invalid-object-type-json0.img.sh +++ b/tests/generators/generate-luks2-invalid-object-type-json0.img.sh 
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 @@ -31,40 +22,20 @@ function generate() printf "%s" "$json_str" | _dd of=$TMPDIR/json0 bs=1 conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 read -r json_str_res0 < $TMPDIR/json_res0 test "$json_str" = "$json_str_res0" || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh b/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh index 996d997..3f34692 100755 --- a/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh +++ b/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh 
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 @@ -31,40 +22,20 @@ function generate() printf "%s" "$json_str" | _dd of=$TMPDIR/json0 bs=1 conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 IFS= read -r json_str_res0 < $TMPDIR/json_res0 test "$json_str" = "$json_str_res0" || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-invalid-tokens.img.sh b/tests/generators/generate-luks2-invalid-tokens.img.sh new file mode 100755 index 0000000..9719cf7 --- /dev/null +++ b/tests/generators/generate-luks2-invalid-tokens.img.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where keyslot is not of type object.
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c 'del(.tokens) | .tokens = 42' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if .tokens != 42
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-invalid-top-objects.img.sh b/tests/generators/generate-luks2-invalid-top-objects.img.sh
new file mode 100755
index 0000000..174dc2c
--- /dev/null
+++ b/tests/generators/generate-luks2-invalid-top-objects.img.sh
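Review bot: The description block says the image has a keyslot that is not of type object, but `generate()` replaces `.tokens` with the number 42 and `check()` tests `.tokens != 42`, so the header looks copied from another generator. It should read `# where tokens is not of type object.` so that the file name, the description and the mutation agree. The `del(.tokens) |` step before `.tokens = 42` is also redundant in the jq filter, since the assignment replaces the value either way.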
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where multiple top objects are not of type object.
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c 'del(.tokens) | .tokens = 42 |
+ del(.digests) | .digests = 42 |
+ del(.keyslots) | .keyslots = [] |
+ del(.segments) | .segments = "hi"' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if (.tokens != 42) or (.digests != 42) or (.keyslots != []) or (.segments != "hi")
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-keyslot-invalid-af.img.sh b/tests/generators/generate-luks2-keyslot-invalid-af.img.sh
new file mode 100755
index 0000000..99f7679
--- /dev/null
+++ b/tests/generators/generate-luks2-keyslot-invalid-af.img.sh
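Review bot: `check()` reads back only the primary copy with `read_luks2_json0` and runs the jq assertion on `json_res0`, although `generate()` writes the mangled JSON into both `$TMPDIR/json0` and `$TMPDIR/json1` and rewrites both headers. As far as this file shows, a secondary header written with the wrong content would still let the generator report success; `lib_hdr1_checksum` is defined outside the diff, so what it covers is not visible here. Consider repeating the readback with `read_luks2_json1 $TGT_IMG $TMPDIR/json_res1` and the same jq filter. generate-luks2-invalid-tokens.img.sh, generate-luks2-keyslot-invalid-af.img.sh and generate-luks2-keyslot-invalid-area-size.img.sh have the same shape.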
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where keyslot AF type is invalid.
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c 'del(.keyslots."0".af.type) | .keyslots."0".af.type = 42' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if (.keyslots."0".af.type != 42)
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh b/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh
new file mode 100755
index 0000000..723d58a
--- /dev/null
+++ b/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh
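Review bot: The `del(.keyslots."0".af.type)` in generate() is redundant, because the jq assignment that follows replaces the value whatever its previous type; `jq -c '.keyslots."0".af.type = 42'` yields the same document. The keyslot-invalid-area-size generator already uses the plain assignment, while the tokens, top-objects, keyslot-area and keyslot-objects generators repeat the `del(...) | ... =` pair. Using one form throughout makes the mangling filters easier to compare across images.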
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where keyslot area object size is UINT64_MAX and will overflow with added length
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c '.keyslots."0"."area".size = "18446744073709551615"' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if (.keyslots."0"."area".size != "18446744073709551615")
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-keyslot-invalid-area.img.sh b/tests/generators/generate-luks2-keyslot-invalid-area.img.sh
new file mode 100755
index 0000000..c41037e
--- /dev/null
+++ b/tests/generators/generate-luks2-keyslot-invalid-area.img.sh
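Review bot: check() reads back only the primary JSON area (`read_luks2_json0 $TGT_IMG $TMPDIR/json_res0`), although generate() writes the same mangled document to `json1` and calls `lib_mangle_json_hdr1`, so the secondary copy is covered only by `lib_hdr1_checksum`. Reading it with `read_luks2_json1 $TGT_IMG $TMPDIR/json_res1` and running the same jq filter on `json_res1` would confirm that both copies carry the UINT64_MAX size, so the overflow check in the parser is exercised whichever header is loaded. The other new generators in this commit that mangle both headers have the same one-sided check. What `lib_hdr1_checksum` verifies is defined in lib.sh, which is outside this diff view.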
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where keyslot area object is not of type object.
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c 'del(.keyslots."0".area) | .keyslots."0".area = 42' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if (.keyslots."0".area != 42)
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh b/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh
new file mode 100755
index 0000000..5fcfef2
--- /dev/null
+++ b/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate header with well-formed json format
+# where multiple keyslots objects are not of type object.
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function generate()
+{
+ json_str=$(jq -c 'del(.keyslots."0".kdf) | .keyslots."0".kdf = 42 |
+ del(.keyslots."0".af) | .keyslots."0".af = 42' $TMPDIR/json0)
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0
+ write_luks2_json "$json_str" $TMPDIR/json1
+
+ lib_mangle_json_hdr0
+ lib_mangle_json_hdr1
+}
+
+function check()
+{
+ lib_hdr0_checksum || exit 2
+ lib_hdr1_checksum || exit 2
+
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+ jq -c 'if (.keyslots."0".kdf != 42) or (.keyslots."0".af != 42)
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-keyslot-missing-digest.img.sh b/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
index 1914581..49aeff1 100755
--- a/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
+++ b/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
@@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str_orig < $TMPDIR/json0
@@ -33,40 +24,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json_res0) test $((arr_len-1)) -eq $new_arr_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh b/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh index 5e1d6ef..5ba55f1 100755 --- a/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh +++ b/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # add keyslot 1 to second digest 
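Review bot: The removed `test $# -eq 2 || exit 1` guard and the `TGT_IMG`/`SRC_IMG` assignments at the end of this hunk are replaced by `lib_prepare $@`, and lib.sh is not part of the visible diff, so it is worth confirming that lib_prepare still rejects a wrong argument count before it copies the source image. With the old assignment `TGT_IMG=$1/$(test_img_name $0)`, an empty `$1` would make the target path start at `/`. If lib_prepare lacks the check, `test $# -eq 2 || exit 1` belongs at its top. The same replacement is made in the too-many-digests and metadata-size generators of this commit.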
@@ -31,40 +22,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_arr_len=$(jq -c -M '.digests."1".keyslots | length' $TMPDIR/json_res0) test 1 -eq $new_arr_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh index ca6b0c8..2a44678 100755 --- a/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh +++ b/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 128 KiB metadata 
@@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-128k.img.sh b/tests/generators/generate-luks2-metadata-size-128k.img.sh index fe76598..79cccbd 100755 
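Review bot: check() in this generator confirms that header 0 was killed and that the JSON read from header 1 has the expected offsets, but it never verifies the checksum of the surviving header, whereas the keyslot generators in this commit call `lib_hdr0_checksum || exit 2` after writing. A call such as `lib_hdr1_checksum || exit 2` before `read_luks2_json1` would catch an image whose secondary header was written with a stale checksum. Whether that helper handles the non-default metadata size is not visible here, since lib.sh is outside the diff view. The other metadata-size generators in this commit, primary and secondary, have the same gap in check().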
--- a/tests/generators/generate-luks2-metadata-size-128k.img.sh +++ b/tests/generators/generate-luks2-metadata-size-128k.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 128KiB metadata @@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh index 14a6613..f0e6e8d 100755 --- a/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh +++ b/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 16 KiB metadata 
@@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh index fdcd715..25c19c1 100755 
--- a/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh +++ b/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 1 MiB metadata @@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-1m.img.sh b/tests/generators/generate-luks2-metadata-size-1m.img.sh index 25722dd..9228fe5 100755 --- a/tests/generators/generate-luks2-metadata-size-1m.img.sh +++ b/tests/generators/generate-luks2-metadata-size-1m.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 1 MiB metadata 
@@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh index 0ed66e1..b4c1027 100755 --- a/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 256 KiB metadata @@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-256k.img.sh b/tests/generators/generate-luks2-metadata-size-256k.img.sh index aa5df05..60ec878 100755 --- a/tests/generators/generate-luks2-metadata-size-256k.img.sh +++ b/tests/generators/generate-luks2-metadata-size-256k.img.sh @@ -15,14 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} function generate() { 
@@ -44,32 +36,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +56,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh index 4773c94..0c68905 100755 --- a/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 2 MiB metadata @@ -44,34 +35,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -79,18 +57,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-2m.img.sh b/tests/generators/generate-luks2-metadata-size-2m.img.sh index ae9bc30..0dbb521 100755 --- a/tests/generators/generate-luks2-metadata-size-2m.img.sh +++ b/tests/generators/generate-luks2-metadata-size-2m.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 2 MiB metadata 
@@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh index af18f43..effd244 100755 --- a/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 32 KiB metadata @@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-32k.img.sh b/tests/generators/generate-luks2-metadata-size-32k.img.sh index 40c921e..f970144 100755 --- a/tests/generators/generate-luks2-metadata-size-32k.img.sh +++ b/tests/generators/generate-luks2-metadata-size-32k.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 32KiB metadata 
@@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh index 332d67e..f423850 100755 --- a/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 4 MiB metadata @@ -44,34 +35,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -79,18 +57,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-4m.img.sh b/tests/generators/generate-luks2-metadata-size-4m.img.sh index 21715fb..b15ad4b 100755 --- a/tests/generators/generate-luks2-metadata-size-4m.img.sh +++ b/tests/generators/generate-luks2-metadata-size-4m.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 4 MiB metadata 
@@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh index 581dea0..4980816 100755 --- a/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 512 KiB metadata @@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-512k.img.sh b/tests/generators/generate-luks2-metadata-size-512k.img.sh index 8b196e6..f3da37f 100755 --- a/tests/generators/generate-luks2-metadata-size-512k.img.sh +++ b/tests/generators/generate-luks2-metadata-size-512k.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 512KiB metadata 
@@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh index 16e2078..3913f03 100755 --- a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh 
+++ b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 64KiB metadata @@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh index 7ff670b..b01f933 100755 --- a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh +++ b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 64KiB metadata 
@@ -45,32 +36,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE # .keyslots.7.area.offset = ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots.7.area.size | tonumber) + 1) | tostring ) | jq -c --arg mda $((2*TEST_MDA_SIZE_BYTES)) --arg jsize $JSON_SIZE \ @@ -79,18 +57,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh index 8f3d8d7..5b8517a 100755 
--- a/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh +++ b/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 64KiB metadata @@ -45,32 +36,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE --arg off $DATA_OFFSET --arg mda $((2*TEST_MDA_SIZE_BYTES)) \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -79,18 +57,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh index 1b246cc..9635ab7 100755 --- a/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh +++ b/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh @@ -16,15 +16,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 64 KiB metadata 
@@ -45,34 +36,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -80,18 +58,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-64k.img.sh b/tests/generators/generate-luks2-metadata-size-64k.img.sh index 4e320f2..50941b8 100755 
--- a/tests/generators/generate-luks2-metadata-size-64k.img.sh +++ b/tests/generators/generate-luks2-metadata-size-64k.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # 64KiB metadata @@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh index 4dd484e..d2ddd61 100755 --- a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh +++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M 
@@ -44,34 +35,21 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area0 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE kill + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE } function check() { - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE - local str_res0=$(head -c 6 $TMPDIR/hdr_res0) - test "$str_res0" = "VACUUM" || exit 2 + lib_hdr0_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or @@ -79,18 +57,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh index 6b9c0cf..745fc5c 100755 
--- a/tests/generators/generate-luks2-metadata-size-invalid.img.sh +++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh @@ -15,15 +15,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M @@ -44,32 +35,19 @@ function generate() test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE + write_luks2_json "$json_str" $TMPDIR/json1 $TEST_JSN_SIZE write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE - merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE - - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - - erase_checksum $TMPDIR/area1 - chks0=$(calc_sha256_checksum_file $TMPDIR/area1) - write_checksum $chks0 $TMPDIR/area1 - - kill_bin_hdr $TMPDIR/area1 - - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE - write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE + lib_mangle_json_hdr0 $TEST_MDA_SIZE $TEST_JSN_SIZE + lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed $TEST_MDA_SIZE || exit 2 + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or 
@@ -77,18 +55,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh b/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh index d6ebe3d..a0ca53c 100755 --- a/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh +++ b/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str_orig < $TMPDIR/json0 
@@ -35,40 +26,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json_res0) test $((arr_len+1)) -eq $new_arr_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh b/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh index 85798e5..84d7ed2 100755 --- a/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh +++ b/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str_orig < $TMPDIR/json0 
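Review bot: In check(), `lib_hdr0_checksum || exit 2` replaces the explicit comparison of `$chks0` with `read_sha256_checksum $TGT_IMG`, so the expected checksum now has to come from state left behind by `lib_mangle_json_hdr0_kill_hdr1`, presumably a variable set inside the library; nothing in this hunk shows that link. A one-line comment above the call, such as `# on-disk hdr0 checksum must equal the value recorded by lib_mangle_json_hdr0_kill_hdr1`, would document the coupling so a later reordering of generate and check does not silently turn the check into a comparison against an empty value. The same applies to the matching hunks for the missing-keyslot-referenced-in-token, missing-segment-referenced-in-digest and missing-trailing-null-byte-json0 generators. generate() starts before this hunk.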
@@ -33,40 +24,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_arr_len=$(jq -c -M '.tokens."0".keyslots | length' $TMPDIR/json_res0) test $new_arr_len -eq 2 || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh b/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh index 333462b..300c2dc 100755 --- a/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh +++ b/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str_orig < $TMPDIR/json0 
@@ -35,40 +26,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_arr_len=$(jq -c -M '.digests."0".segments | length' $TMPDIR/json_res0) test $((arr_len+1)) -eq $new_arr_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh b/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh index 916cff7..9c5ed0b 100755 --- a/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh +++ b/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh @@ -17,15 +17,6 @@ PATTERN="\"config\":{" KEY="\"config_key\":\"" -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 
@@ -50,40 +41,20 @@ function generate() printf $format_str $KEY $fill ${json_str:$offset} | _dd of=$TMPDIR/json0 bs=1 seek=$offset conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 read -r json_str_res0 < $TMPDIR/json_res0 test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512)) || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh b/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh index fbd8cd6..6f4aa7d 100755 --- a/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh +++ b/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 
@@ -31,42 +22,22 @@ function generate() printf '%s' $json_str | _dd of=$TMPDIR/json0 bs=1 conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 read -r json_str_res0 < $TMPDIR/json_res0 local len=${#json_str_res0} len=$((len-1)) test ${json_str_res0:len:1} = "X" || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh b/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh index 7d46628..18abf23 100755 --- a/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh +++ b/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh @@ -17,15 +17,6 @@ QUOTE="[Homer J. Simpson]: Keep looking shocked and move slowly towards the cake." SPACE=20 -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { read -r json_str < $TMPDIR/json0 
@@ -35,42 +26,22 @@ function generate() printf '%s' "$QUOTE" | _dd of=$TMPDIR/json0 seek=$((json_len_orig+SPACE)) bs=1 conv=notrunc - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 _dd if=$TMPDIR/json_res0 of=$TMPDIR/quote skip=$((json_len_orig+SPACE)) count=${#QUOTE} bs=1 json_str_res0=$(head -c ${#QUOTE} $TMPDIR/quote) test "$json_str_res0" = "$QUOTE" || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh index c319ca3..23883bb 100755 --- a/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh +++ b/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # copy area 6 offset and length into area 7 
@@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if (.keyslots."6".area.offset != .keyslots."7".area.offset) or (.keyslots."6".area.size != .keyslots."7".area.size) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh index 39f0c6a..0733627 100755 --- a/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh +++ b/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # make area 7 being included in area 6 
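Review bot: check() in the overlapping-areas-c0 generator verifies only `lib_hdr1_killed`, while sibling generators in this diff also gained `lib_hdr0_checksum || exit 2`. If the primary header checksum were written incorrectly, the resulting image would presumably be rejected for the checksum rather than for the overlapping keyslot areas, so the negative test could pass for the wrong reason. Consider adding `lib_hdr0_checksum || exit 2` after the hdr1 check here and in the other overlapping-areas and segment-* generators that follow; this assumes the helper performs the comparison the removed `chks0`/`chks_res0` lines did, which lib.sh (not shown) would confirm.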
@@ -31,20 +22,12 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if (.keyslots."7".area.offset != (.keyslots."6".area.offset | tonumber + 1 | tostring)) or @@ -53,18 +36,7 @@ function check() then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh index 4c02008..6699b38 100755 --- a/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh +++ b/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # make area 7 being included in area 6 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .keyslots."7".area.offset != ([.keyslots."6".area.offset, .keyslots."6".area.size ] | map(tonumber) | add - 1 | tostring) then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh b/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh index 1517ed6..e035f94 100755 --- a/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh +++ b/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # add keyslot 1 to second digest 
@@ -32,40 +23,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json_res0) test $((obj_len+2)) -eq $new_obj_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh b/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh index c6aa5bf..d82c2bd 100755 --- a/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh +++ b/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # add keyslot 1 to second digest 
@@ -32,40 +23,20 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 + lib_hdr0_checksum || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 - chks_res0=$(read_sha256_checksum $TGT_IMG) - test "$chks0" = "$chks_res0" || exit 2 new_obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json_res0) test $((obj_len+2)) -eq $new_obj_len || exit 2 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh new file mode 100755 index 0000000..ca17aac --- /dev/null +++ b/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh 
@@ -0,0 +1,39 @@ +#!/bin/bash + +. lib.sh + +# +# *** Description *** +# +# generate primary header with segment empty encryption field +# +# secondary header is corrupted on purpose as well +# + +# $1 full target dir +# $2 full source luks2 image + +function generate() +{ + # remove mandatory encryption field + json_str=$(jq -c '.segments."0".encryption = ""' $TMPDIR/json0) + test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 + + write_luks2_json "$json_str" $TMPDIR/json0 + + lib_mangle_json_hdr0_kill_hdr1 +} + +function check() +{ + lib_hdr1_killed || exit 2 + + read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 + jq -c 'if .segments."0".encryption != "" + then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 +} + +lib_prepare $@ +generate +check +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh index bcd648a..e92bc2a 100755 --- a/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
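Review bot: The comment `# remove mandatory encryption field` in generate() of the new empty-encryption generator does not match the code, which keeps the field and sets it to an empty string via `.segments."0".encryption = ""`. It appears to be carried over from the missing-encryption generator; `# set mandatory encryption field to an empty string` describes this test vector accurately. Keeping the two cases clearly labelled matters because a missing field and an empty field presumably exercise different validation paths in the header parser.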
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".encryption then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh index e64feef..77beb53 100755 --- a/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".iv_tweak then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh index de757db..0609533 100755 --- a/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".sector_size then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh index 59c7345..9d7e584 100755 --- a/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".encryption | type != "object" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh index ca9461e..0830a16 100755 --- a/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".iv_tweak != "dynamic" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh index 4ca05eb..069b6c0 100755 --- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".sector_size != 1023 then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh index f8d251c..c310ff1 100755 --- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".sector_size != "4096" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh index 87566ec..b4b8b39 100755 --- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh +++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".sector_size != -1024 then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-missing-offset.img.sh b/tests/generators/generate-luks2-segment-missing-offset.img.sh index 6652288..6d5811e 100755 --- a/tests/generators/generate-luks2-segment-missing-offset.img.sh +++ b/tests/generators/generate-luks2-segment-missing-offset.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".offset then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-missing-size.img.sh b/tests/generators/generate-luks2-segment-missing-size.img.sh index 616d8b3..579858f 100755 --- a/tests/generators/generate-luks2-segment-missing-size.img.sh +++ b/tests/generators/generate-luks2-segment-missing-size.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-missing-type.img.sh b/tests/generators/generate-luks2-segment-missing-type.img.sh index d0014a2..5b74c5d 100755 --- a/tests/generators/generate-luks2-segment-missing-type.img.sh +++ b/tests/generators/generate-luks2-segment-missing-type.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".type then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-two.img.sh b/tests/generators/generate-luks2-segment-two.img.sh index 743bbbb..798c5be 100755 --- a/tests/generators/generate-luks2-segment-two.img.sh +++ b/tests/generators/generate-luks2-segment-two.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."1" | type != "object" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-unknown-type.img.sh b/tests/generators/generate-luks2-segment-unknown-type.img.sh index a6ef8ad..814344a 100755 --- a/tests/generators/generate-luks2-segment-unknown-type.img.sh +++ b/tests/generators/generate-luks2-segment-unknown-type.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".type != "some_type" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh b/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh index 2499a5e..3ba9d47 100755 --- a/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # create illegal backup segment key (used to be bug in 32bit implementations) 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments | length < 2 then error("Unexpected segments count") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh b/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh index 702fe71..11a94d7 100755 --- a/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # create illegal backup segment key (used to be bug in 32bit implementations) 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments | length < 64 then error("Unexpected segments count") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh b/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh index 5359954..72da1f1 100755 --- a/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".flags != [ "hello", 1 ] then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-flags.img.sh b/tests/generators/generate-luks2-segment-wrong-flags.img.sh index 3ceddbf..19d6340 100755 --- a/tests/generators/generate-luks2-segment-wrong-flags.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-flags.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".flags != "hello" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-offset.img.sh b/tests/generators/generate-luks2-segment-wrong-offset.img.sh index 9efc756..c9b1b50 100755 --- a/tests/generators/generate-luks2-segment-wrong-offset.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-offset.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".offset != "-42" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-size-0.img.sh b/tests/generators/generate-luks2-segment-wrong-size-0.img.sh index 58b12ef..b9227a7 100755 --- a/tests/generators/generate-luks2-segment-wrong-size-0.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-size-0.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != 4096 then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-size-1.img.sh b/tests/generators/generate-luks2-segment-wrong-size-1.img.sh index 8171445..6be5031 100755 --- a/tests/generators/generate-luks2-segment-wrong-size-1.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-size-1.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != "automatic" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-size-2.img.sh b/tests/generators/generate-luks2-segment-wrong-size-2.img.sh index f694cf7..311c0e8 100755 --- a/tests/generators/generate-luks2-segment-wrong-size-2.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-size-2.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != "511" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-segment-wrong-type.img.sh b/tests/generators/generate-luks2-segment-wrong-type.img.sh index 4f7fd64..c041157 100755 --- a/tests/generators/generate-luks2-segment-wrong-type.img.sh +++ b/tests/generators/generate-luks2-segment-wrong-type.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # remove mandatory encryption field 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".type != 42 then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-uint64-max-segment-size.img.sh b/tests/generators/generate-luks2-uint64-max-segment-size.img.sh index 27d7fd2..f966e1d 100755 --- a/tests/generators/generate-luks2-uint64-max-segment-size.img.sh +++ b/tests/generators/generate-luks2-uint64-max-segment-size.img.sh @@ -14,15 +14,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # UINT64_MAX - 511 (so that it's sector aligned) 
@@ -31,38 +22,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != "18446744073709551104" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh b/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh index 01657d6..4e064e4 100755 --- a/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh +++ b/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { json_str=$(jq -c '.segments."0".size = "18446744073709551616"' $TMPDIR/json0) 
@@ -29,38 +20,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != "18446744073709551616" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh b/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh index 0a45a05..6687f35 100755 --- a/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh +++ b/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh @@ -13,15 +13,6 @@ # $1 full target dir # $2 full source luks2 image -function prepare() -{ - cp $SRC_IMG $TGT_IMG - test -d $TMPDIR || mkdir $TMPDIR - read_luks2_json0 $TGT_IMG $TMPDIR/json0 - read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -} - function generate() { # UINT64_MAX + 1 (it's 512 sector aligned) 
@@ -30,38 +21,19 @@ function generate() write_luks2_json "$json_str" $TMPDIR/json0 - merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 - erase_checksum $TMPDIR/area0 - chks0=$(calc_sha256_checksum_file $TMPDIR/area0) - write_checksum $chks0 $TMPDIR/area0 - write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG - kill_bin_hdr $TMPDIR/hdr1 - write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG + lib_mangle_json_hdr0_kill_hdr1 } function check() { - read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 - local str_res1=$(head -c 6 $TMPDIR/hdr_res1) - test "$str_res1" = "VACUUM" || exit 2 + lib_hdr1_killed || exit 2 read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 jq -c 'if .segments."0".size != "-512" then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 } -function cleanup() -{ - rm -f $TMPDIR/* - rm -fd $TMPDIR -} - -test $# -eq 2 || exit 1 - -TGT_IMG=$1/$(test_img_name $0) -SRC_IMG=$2 - -prepare +lib_prepare $@ generate check -cleanup +lib_cleanup diff --git a/tests/generators/lib.sh b/tests/generators/lib.sh index 26ea683..c0e9cc1 100644 --- a/tests/generators/lib.sh +++ b/tests/generators/lib.sh @@ -20,6 +20,10 @@ LUKS2_BIN_HDR_CHKS_LENGTH=64 [ -z "$srcdir" ] && srcdir="." TMPDIR=$srcdir/tmp +# to be set by individual generator +TGT_IMG="" +SRC_IMG="" + repeat_str() { printf "$1"'%.0s' $(eval "echo {1.."$(($2))"}"); } 
@@ -178,3 +182,102 @@ function write_bin_hdr_size() { function write_bin_hdr_offset() { printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=32 conv=notrunc } + +# generic header helpers +# $TMPDIR/json0 - JSON hdr1 +# $TMPDIR/json1 - JSON hdr2 +# $TMPDIR/hdr0 - bin hdr1 +# $TMPDIR/hdr1 - bin hdr2 + +# 1:target_dir 2:source_image +function lib_prepare() +{ + test $# -eq 2 || exit 1 + + TGT_IMG=$1/$(test_img_name $0) + SRC_IMG=$2 + + # wipe checksums + CHKS0=0 + CHKS1=0 + + cp $SRC_IMG $TGT_IMG + test -d $TMPDIR || mkdir $TMPDIR + read_luks2_json0 $TGT_IMG $TMPDIR/json0 + read_luks2_json1 $TGT_IMG $TMPDIR/json1 + read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 + read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 +} + +function lib_cleanup() +{ + rm -f $TMPDIR/* + rm -fd $TMPDIR +} + +function lib_mangle_json_hdr0() +{ + local mda_sz=${1:-} + local jsn_sz=${2:-} + local kill_hdr=${3:-} + + merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $jsn_sz + erase_checksum $TMPDIR/area0 + CHKS0=$(calc_sha256_checksum_file $TMPDIR/area0) + write_checksum $CHKS0 $TMPDIR/area0 + test -n "$kill_hdr" && kill_bin_hdr $TMPDIR/area0 + write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $mda_sz +} + +function lib_mangle_json_hdr1() +{ + local mda_sz=${1:-} + local jsn_sz=${2:-} + local kill_hdr=${3:-} + + merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json1 $TMPDIR/area1 $jsn_sz + erase_checksum $TMPDIR/area1 + CHKS1=$(calc_sha256_checksum_file $TMPDIR/area1) + write_checksum $CHKS1 $TMPDIR/area1 + test -n "$kill_hdr" && kill_bin_hdr $TMPDIR/area1 + write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $mda_sz +} + +function lib_mangle_json_hdr0_kill_hdr1() +{ + lib_mangle_json_hdr0 + + kill_bin_hdr $TMPDIR/hdr1 + write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG +} + +function lib_hdr0_killed() +{ + local mda_sz=${1:-} + + read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $mda_sz + local str_res0=$(head -c 6 $TMPDIR/hdr_res0) + test "$str_res0" = "VACUUM" +} + +function lib_hdr1_killed() +{ + local mda_sz=${1:-} + 
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $mda_sz + local str_res1=$(head -c 6 $TMPDIR/hdr_res1) + test "$str_res1" = "VACUUM" +} + +function lib_hdr0_checksum() +{ + local chks_res0=$(read_sha256_checksum $TGT_IMG) + test "$CHKS0" = "$chks_res0" +} + +function lib_hdr1_checksum() +{ + read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 + local chks_res1=$(read_sha256_checksum $TMPDIR/hdr_res1) + test "$CHKS1" = "$chks_res1" +} diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test index 89629c1..208eafb 100755 --- a/tests/integrity-compat-test +++ b/tests/integrity-compat-test @@ -61,6 +61,9 @@ function dm_integrity_features() [ $VER_MIN -gt 2 ] && { DM_INTEGRITY_BITMAP=1 } + [ $VER_MIN -gt 5 ] && { + DM_INTEGRITY_RESIZE_SUPPORTED=1 + } [ $VER_MIN -gt 6 ] && { DM_INTEGRITY_HMAC_FIX=1 } @@ -110,7 +113,7 @@ kernel_param_check() # number value function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -168,7 +171,7 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize] echo -n "[FORMAT]" $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1 if [ $? -ne 0 ] ; then - if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then + if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then fail "Cannot format device." fi echo "[N/A]" 
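Review bot: `lib_cleanup` runs `rm -f $TMPDIR/*` and `rm -fd $TMPDIR` with the variable unquoted, and `TMPDIR` is derived from `$srcdir`, so a source path containing spaces or glob characters makes `rm` act on other names than the scratch directory. Now that every generator goes through this one helper, quote it there: `rm -f -- "$TMPDIR"/*` and `rm -fd -- "$TMPDIR"`. `lib_prepare` has the same problem in `cp $SRC_IMG $TGT_IMG` and `test -d $TMPDIR || mkdir $TMPDIR`, and neither result is checked, so a failed copy only surfaces later as a confusing read error. Appending `|| exit 1` to those two lines would stop the generator at the real cause. A short comment should also explain the naming in the header block, where `$TMPDIR/json0` is labelled "JSON hdr1" and `$TMPDIR/hdr0` "bin hdr1", because the off-by-one between file names and labels is easy to misread.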
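Review bot: `[[ $1 =~ "sha2" || $1 =~ "crc" ]]` is a literal substring match, so narrowing it from `sha` means a failed format for any other algorithm (for example `sha1`, `xxhash64` or the blake2 variants exercised below) now prints `[N/A]` and the run still passes. The format command's output goes to `/dev/null`, so a genuine regression cannot be told apart from an algorithm the kernel lacks. State the policy next to the test, e.g. `# only sha2-family and crc are mandatory; other algorithms may be missing from the kernel crypto API`, and consider keeping the tool's stderr for the `[N/A]` path so the reason is visible in the log. The identical check is added to `int_error_detection` in the next hunk, so a small shared helper would keep the two from drifting. `intformat` continues outside this hunk.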
@@ -214,7 +217,14 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz echo -n "[INTEGRITY:$1:$2:$4:$5]" echo -n "[FORMAT]" - $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device." + $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1 + if [ $? -ne 0 ] ; then + if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then + fail "Cannot format device." + fi + echo "[N/A]" + return + fi echo -n "[ACTIVATE]" $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device." 
@@ -328,13 +338,91 @@ int_mode() # alg tag_size sector_size [keyfile keysize] echo "[OK]" } +check_device_size() # device_name expected_size error_message +{ + CURRENT_SIZE=$(dmsetup table | grep $1 | cut -d' ' -f 3) + [ $CURRENT_SIZE -eq $2 ] || fail "$3: expected $1 to be of size $2, but is $CURRENT_SIZE" +} + +test_resize() # description detached_metadata wipe args +{ + echo -n "$1" + if [ -z "$DM_INTEGRITY_RESIZE_SUPPORTED" ] ; then + echo "[N/A]" + return + fi + + args="$4" + if [ $2 -ne 0 ] ; then + echo -n "[DETACHED]" + else + echo -n "[INTERLEAVE]" + fi + if [ $3 -ne 0 ] ; then + wipe_flag="--wipe" + echo -n "[WIPE]" + else + wipe_flag="" + echo -n "[RECALCULATE]" + fi + + add_device + if [ $2 -ne 0 ] ; then + echo -n "[FORMAT]" + $INTSETUP format -q $args $DEV2 --data-device $DEV >/dev/null 2>&1 || fail "Cannot format device." + echo -n "[ACTIVATE]" + $INTSETUP open -q $args $DEV2 $DEV_NAME --data-device $DEV >/dev/null 2>&1 || fail "Cannot activate device." + else + echo -n "[FORMAT]" + $INTSETUP format -q $args $DEV >/dev/null 2>&1 || fail "Cannot format device." + echo -n "[ACTIVATE]" + $INTSETUP open -q $args $DEV $DEV_NAME >/dev/null 2>&1 || fail "Cannot activate device." + fi + + if [ $2 -ne 0 ] ; then + # the whole device has 32MiB, if metadata is detached + WHOLE_DISK_SIZE=65536 + else + WHOLE_DISK_SIZE=$(dmsetup table | grep $DEV_NAME | cut -d' ' -f 3) + fi + + echo -n "[SHRINK]" + $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 1MiB || fail "Failed to resize the device to 1MiB." + dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after shrink." + check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" + + echo -n "[FILL]" + $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 0 || fail "Failed to resize the device to maximum size." + dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after resize to maximum size." 
+ check_device_size $DEV_NAME $WHOLE_DISK_SIZE "Resizing disk to maximum size failed" + + echo -n "[EXPAND FIXED]" + fallocate $DEV --len 64M + $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 40MiB || fail "Failed to expand the device to a fixed size." + dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after expanding to a fixed size." + check_device_size $DEV_NAME $(( 40*1024*1024 / 512 )) "Resizing disk after expanding to a fixed size failed" + + echo -n "[FILL]" + $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 0 >/dev/null 2>&1 || fail "Failed to resize the device to maximum size after increasing image size." + dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Error detection failed after increasing image size." + CURRENT_SIZE=$(dmsetup table | grep $DEV_NAME | cut -d' ' -f 3) + [ $CURRENT_SIZE -ge $(( 40*1024*1024 / 512 )) ] || fail "Growing integrity device failed $CURRENT_SIZE is not greater than 40MB ($(( 40*1024*1024 / 512 )) blocks)." + if [ $2 -ne 0 ] ; then + [ $CURRENT_SIZE -eq 131072 ] || fail "Growing integrity device failed $CURRENT_SIZE is not equal to 64MB (131072 blocks)." + fi + + echo -n "[REMOVE]" + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + echo "[OK]" +} + [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped." -which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." +command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run -which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required." -which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required." +command -v hexdump >/dev/null || skip "WARNING: hexdump tool required." +command -v xxd >/dev/null || skip "WARNING: xxd tool required." modprobe dm-integrity >/dev/null 2>&1 dm_integrity_features 
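Review bot: `check_device_size` reads the size with `dmsetup table | grep $1 | cut -d' ' -f 3`, which matches any mapping whose table line merely contains the name. On a host with a similarly named device `CURRENT_SIZE` becomes several lines (or is empty if nothing matches), and `[ $CURRENT_SIZE -eq $2 ]` fails with a shell error instead of a size comparison. Query the device directly, `CURRENT_SIZE=$(blockdev --getsz /dev/mapper/$1)`, which also reports 512-byte sectors. The same applies to the two `dmsetup table | grep $DEV_NAME` lines in `test_resize`. Separately, `fallocate $DEV --len 64M` is unchecked and `fallocate` is not among the `command -v` prerequisites, so its absence shows up as a misleading resize failure; `fallocate $DEV --len 64M || fail "Cannot grow backing file."` would report the real cause.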
@@ -343,6 +431,7 @@ intformat blake2s-256 blake2s-256 32 32 512 8e5fe4119558e117bfc40e3b0f13ade3 intformat blake2b-256 blake2b-256 32 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 intformat crc32c crc32c 0 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 intformat crc32 crc32 0 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 +intformat xxhash64 xxhash64 0 8 512 6ff6bb889a8485f1fb26aa82671ff5da64f60381fc469e31d7be6094241eee09 intformat sha1 sha1 0 20 512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7 intformat sha1 sha1 16 16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b intformat sha256 sha256 0 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 
@@ -352,17 +441,19 @@ intformat hmac-sha256 hmac\(sha256\) 0 32 4096 33f7dfa5163ca9f740383fb8b0919574 intformat hmac-sha256 hmac\(sha256\) 0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 4096 echo "Error detection tests:" -int_error_detection J crc32c 0 4 512 -int_error_detection J crc32c 0 4 4096 -int_error_detection J crc32 0 4 512 -int_error_detection J crc32 0 4 4096 -int_error_detection J sha1 0 20 512 -int_error_detection J sha1 16 16 512 -int_error_detection J sha1 0 20 4096 -int_error_detection J sha256 0 32 512 -int_error_detection J sha256 0 32 4096 +int_error_detection J crc32c 0 4 512 +int_error_detection J crc32c 0 4 4096 +int_error_detection J crc32 0 4 512 +int_error_detection J crc32 0 4 4096 +int_error_detection J xxhash64 0 8 512 +int_error_detection J xxhash64 0 8 4096 +int_error_detection J sha1 0 20 512 +int_error_detection J sha1 16 16 512 +int_error_detection J sha1 0 20 4096 +int_error_detection J sha256 0 32 512 +int_error_detection J sha256 0 32 4096 -which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required." +command -v xxd >/dev/null || skip "WARNING: xxd tool required." int_error_detection J hmac-sha256 0 32 512 $KEY_FILE 32 int_error_detection J hmac-sha256 0 32 4096 $KEY_FILE 32 
@@ -516,4 +607,45 @@ else echo "[N/A]" fi +# shrinking the mapping should also work on older kernels +echo -n "[INTEGRITY BASIC RESIZE NOKEY]" +add_device +ARGS="--integrity crc32" + +echo -n "[FORMAT]" +$INTSETUP format -q $DEV $ARGS || fail "Cannot format device." +echo -n "[ACTIVATE]" +$INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate device." +echo -n "[SHRINK]" +$INTSETUP resize $DEV_NAME --device-size 1MiB >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB." +check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" +dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize." +echo "[OK]" + +echo -n "[INTEGRITY BASIC RESIZE KEY]" +add_device + +ARGS="--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" + +echo -n "[FORMAT]" +$INTSETUP format -q $DEV $ARGS || fail "Cannot format device." +echo -n "[ACTIVATE]" +$INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate device." +echo -n "[SHRINK]" +$INTSETUP resize $DEV_NAME --device-size 1MiB >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB." +check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" +dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize." 
+echo "[OK]" + +test_resize "[INTEGRITY RESIZE NOKEY]" 0 0 "--integrity crc32" +test_resize "[INTEGRITY RESIZE NOKEY]" 0 1 "--integrity crc32" +test_resize "[INTEGRITY RESIZE NOKEY DETACHED]" 1 0 "--integrity crc32" +test_resize "[INTEGRITY RESIZE NOKEY DETACHED]" 1 1 "--integrity crc32" +if [ -n "$DM_INTEGRITY_HMAC_FIX" ] ; then + test_resize "[INTEGRITY RESIZE KEY]" 0 0 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" + test_resize "[INTEGRITY RESIZE KEY]" 0 1 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" + test_resize "[INTEGRITY RESIZE KEY DETACHED]" 1 0 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" + test_resize "[INTEGRITY RESIZE KEY DETACHED]" 1 1 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" +fi + cleanup diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test index 2674404..ea88c21 100755 --- a/tests/keyring-compat-test +++ b/tests/keyring-compat-test 
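Review bot: The HMAC option string is spelled out five times in this hunk, once in `ARGS` for the basic keyed test and four times in the `test_resize` calls under `DM_INTEGRITY_HMAC_FIX`, so a change to a key size or cipher has to be repeated in five places. Holding it in one variable (for example `HMAC_ARGS`) and passing `"$HMAC_ARGS"` to the four calls keeps the cases identical by construction. The two `fail` messages after the `dd` read-back also contain a typo: `"Errors detectied after resize."` should read `"Errors detected after resize."`.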
@@ -21,12 +21,15 @@ NAME=testcryptdev CHKS_DMCRYPT=vk_in_dmcrypt.chk CHKS_KEYRING=vk_in_keyring.chk -PWD="aaa" +PWD="aaablabl" [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { @@ -47,6 +50,18 @@ function skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + function fail() { [ -n "$1" ] && echo "$1" @@ -115,11 +130,13 @@ add_device() { [ -b $DEV ] || fail "Cannot find $DEV." } +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." -which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped" -which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped" -which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped" -which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped" +command -v dmsetup >/dev/null || skip "Cannot find dmsetup, test skipped" +command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped" +command -v xxd >/dev/null || skip "Cannot find xxd, test skipped" +command -v sha256sum >/dev/null || skip "Cannot find sha256sum, test skipped" modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped." 
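Review bot: The test passphrase is stored in `PWD`, which the shell itself maintains as the current working directory and normally exports, so the value set by `PWD="aaablabl"` is replaced by any later `cd` and is copied into the environment of every child process. luks2-integrity-test in this same change uses `PWD1` for the same purpose; `PWD1="aaablabl"` here, with the `echo $PWD |` uses in the LUKS2 key refresh block updated to match, removes the clash. Whether the script ever changes directory is not visible in this hunk.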
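Review bot: `valgrind_setup` (hunk `@@ -47,6 +50,18 @@`) sets `LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"`, which ends in a bare colon whenever the variable was previously unset, and the dynamic loader treats an empty entry as the current directory. This test requires root, so the search path should not grow beyond `../.libs`: `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. The same function is added verbatim to loopaes-test, luks1-compat-test and luks2-integrity-test in this change and needs the same edit there.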
@@ -132,23 +149,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$DEVSIZEMB oflag=direct > /dev/null 2>&1 #test aes cipher with xts mode, plain IV echo -n "Testing $CIPHER_XTS_PLAIN..." dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type" dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" # same test using message dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail dmsetup suspend $NAME || fail dmsetup message $NAME 0 key wipe || fail dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail dmsetup resume $NAME || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" echo "OK" 
@@ -156,23 +173,23 @@ echo "OK" #test aes cipher, xts mode, essiv IV echo -n "Testing $CIPHER_CBC_ESSIV..." dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" # same test using message dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail dmsetup suspend $NAME || fail dmsetup message $NAME 0 key wipe || fail dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail dmsetup resume $NAME || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" echo "OK" 
@@ -181,23 +198,23 @@ echo "OK" fips_mode || { echo -n "Testing $CIPHER_CBC_TCW..." dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" # same test using message dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail -sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail +sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail dmsetup remove --retry $NAME || fail dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail dmsetup suspend $NAME || fail dmsetup message $NAME 0 key wipe || fail dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail dmsetup resume $NAME || fail -sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail +sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail dmsetup remove --retry $NAME || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" echo "OK" 
@@ -207,10 +224,10 @@ echo -n "Test LUKS2 key refresh..." echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail echo $PWD | $CRYPTSETUP open $DEV $NAME || fail $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped." -dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail +dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring" -dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail +dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" echo "OK" diff --git a/tests/keyring-test b/tests/keyring-test index 3e44792..38abcfb 100755 --- a/tests/keyring-test +++ b/tests/keyring-test @@ -76,8 +76,8 @@ function test_and_prepare_keyring() { } [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." -which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped" -which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped" +command -v dmsetup >/dev/null || skip "Cannot find dmsetup, test skipped" +command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped" modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped." diff --git a/tests/loopaes-test b/tests/loopaes-test index 5c28be3..fdb4cd3 100755 --- a/tests/loopaes-test +++ b/tests/loopaes-test 
@@ -3,6 +3,9 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + # try to validate using loop-AES losetup/kernel if available LOSETUP_AES=/losetup-aes.old @@ -37,10 +40,23 @@ function fail() function skip() { + remove_mapping [ -n "$1" ] && echo "$1" exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + function prepare() { remove_mapping @@ -143,7 +159,9 @@ function check_version() [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped." -which uuencode >/dev/null 2>&1 || skip "WARNING: test require uuencode binary, test skipped." +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run +command -v uuencode >/dev/null || skip "WARNING: test require uuencode binary, test skipped." check_version || skip "Probably old kernel, test skipped." # loop-AES tests diff --git a/tests/luks1-compat-test b/tests/luks1-compat-test index ee160c9..18afcd5 100755 --- a/tests/luks1-compat-test +++ b/tests/luks1-compat-test 
@@ -1,17 +1,14 @@ #!/bin/bash -# check luks1 images parsing - -# NOTE: if image with whirlpool hash fails, check -# that you are not using old gcrypt with flawed whirlpool -# (see cryptsetup debug output) - [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup TST_DIR=luks1-images MAP=luks1tst KEYFILE=keyfile1 +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + [ -z "$srcdir" ] && srcdir="." function remove_mapping() @@ -33,22 +30,37 @@ function fail() function skip() { [ -n "$1" ] && echo "$1" - echo "Test skipped." remove_mapping exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + +function remove_imgs() +{ + echo "WARNING: $1 not available, not testing some images." + rm $(ls $TST_DIR/*$1*.img) +} + function test_one() { - $CRYPTSETUP benchmark -c "$1" -s "$2" | grep -v "#" || skip + $CRYPTSETUP benchmark -c "$1" -s "$2" | grep -v "#" || remove_imgs $1 } function test_required() { - which lsblk >/dev/null 2>&1 || skip "WARNING: lsblk tool required." - echo "REQUIRED KDF TEST" - $CRYPTSETUP benchmark -h whirlpool | grep "N/A" && skip + $CRYPTSETUP benchmark -h whirlpool | grep "N/A" && remove_imgs whirlpool echo "REQUIRED CIPHERS TEST" echo "# Algorithm | Key | Encryption | Decryption" 
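Review bot: `remove_imgs` deletes with `rm $(ls $TST_DIR/*$1*.img)`, which word-splits the `ls` output, calls `rm` with no operand when nothing matches, and with an empty `$1` expands to every image in the directory. A direct glob with a guard is enough: `[ -n "$1" ] && rm -f -- "$TST_DIR"/*"$1"*.img`. `test_one` also passes the cipher unquoted (`remove_imgs $1`); `remove_imgs "$1"` keeps it a single argument. `test_required` continues past the end of this hunk.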
@@ -61,9 +73,11 @@ function test_required() } export LANG=C - -test_required +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +command -v blkid >/dev/null || skip "blkid tool required, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run [ ! -d $TST_DIR ] && tar xJf $srcdir/luks1-images.tar.xz --no-same-owner +test_required echo "PASSPHRASE CHECK" for file in $(ls $TST_DIR/luks1_*) ; do @@ -100,7 +114,7 @@ for file in $(ls $TST_DIR/luks1_*) ; do [ $ret -ne 0 ] && fail $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail - UUID=$(lsblk -n -o UUID /dev/mapper/$MAP) + UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed." echo " [OK]" diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test index 0ba4b67..a8082f8 100755 --- a/tests/luks2-integrity-test +++ b/tests/luks2-integrity-test @@ -6,10 +6,14 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup DEV_NAME=dmi_test DEV=mode-test.img +HEADER_IMG=mode-test-detached.img PWD1=nHjJHjI23JK KEY_FILE=key.img FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + dmremove() { # device udevadm settle >/dev/null 2>&1 dmsetup remove $1 >/dev/null 2>&1 @@ -18,7 +22,7 @@ dmremove() { # device cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME [ -b /dev/mapper/"$DEV_NAME"_dif ] && dmremove "$DEV_NAME"_dif - rm -f $DEV $KEY_FILE >/dev/null 2>&1 + rm -f $DEV $KEY_FILE $HEADER_IMG >/dev/null 2>&1 } fail() 
@@ -37,6 +41,18 @@ skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + add_device() { cleanup dd if=/dev/urandom of=$KEY_FILE bs=1 count=512 >/dev/null 2>&1 @@ -44,10 +60,14 @@ add_device() { sync } -status_check() # name value +status_check() # name value [detached] { - #$CRYPTSETUP status $DEV_NAME - X=$($CRYPTSETUP status $DEV_NAME | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1) + if [ -n "$3" ]; then + PARAMS="$DEV_NAME --header $HEADER_IMG" + else + PARAMS="$DEV_NAME" + fi + X=$($CRYPTSETUP status $PARAMS | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1) if [ "$X" != "$2" ] ; then echo "[status FAIL]" echo " Expecting $1:$2 got \"$X\"." @@ -57,7 +77,6 @@ status_check() # name value dump_check() # name value { - #$CRYPTSETUP luksDump $DEV X=$($CRYPTSETUP luksDump $DEV | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1) if [ "$X" != "$2" ] ; then echo "[dump FAIL]" @@ -80,7 +99,6 @@ int_check_sum() # alg checksum int_error_detection() # alg int sector_size { - # FIXME: this is just a trivial failure echo -n "[DETECT_CORRUPTION]" echo -n "XXXXX" | dd of=$DEV bs=1M seek=28 count=1 conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device." $CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device." @@ -88,7 +106,7 @@ int_error_detection() # alg int sector_size $CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device." } -intformat() # alg integrity integrity_out key_size int_key_size sector_size csum +intformat() # alg integrity integrity_out key_size int_key_size sector_size csum [test_hdr] { echo -n "[$1:$2:$4:$6]" echo -n "[FORMAT]" 
@@ -112,20 +130,39 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum int_check_sum $1 $7 echo -n "[REMOVE]" $CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device." + + # check detached header activation + if [ -n "$8" ] ; then + echo -n "[DETACHED_HDR]" + $CRYPTSETUP luksHeaderBackup -q --header-backup-file $HEADER_IMG $DEV || fail + wipefs -a $DEV >/dev/null 2>&1 || fail + $CRYPTSETUP open --header $HEADER_IMG -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device." + status_check "cipher" $1 1 + status_check "sector size" $6 1 + status_check "integrity:" $3 1 + status_check "keysize:" $(($4 + $5)) 1 + [ $5 -gt 0 ] && status_check "integrity keysize:" $5 1 + int_check_sum $1 $7 + $CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device." + $CRYPTSETUP luksHeaderRestore -q --header-backup-file $HEADER_IMG $DEV || fail + rm -f $HEADER_IMG + fi + int_error_detection echo "[OK]" } - [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run modprobe dm-integrity >/dev/null 2>&1 dmsetup targets | grep integrity >/dev/null 2>&1 || skip "Cannot find dm-integrity target, test skipped." +command -v wipefs >/dev/null || skip "Cannot find wipefs, test skipped." 
add_device -intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 128 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c -intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c +intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 128 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c 1 +intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c 1 intformat aes-xts-random hmac-sha256 hmac\(sha256\) 256 256 512 492c2d1cc9e222a850c399bfef4ed5a86bf5afc59e54f0f0c7ba8e2a64548323 intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 256 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c @@ -160,7 +197,7 @@ intformat chacha20-random poly1305 poly1305 256 0 512 5f6f3f6be03c74d9aaaeaf40 intformat chacha20-plain64 poly1305 poly1305 256 0 4096 7370c66a92708fb71b186931468be6aa9b26f4f88373b00b1c57360b9ee1304e intformat chacha20-random poly1305 poly1305 256 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b -intformat aegis128-random aead aead 128 0 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c -intformat aegis128-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b +intformat aegis128-random aead aead 128 0 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c 1 +intformat aegis128-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b 1 cleanup diff --git a/tests/luks2-reencryption-mangle-test b/tests/luks2-reencryption-mangle-test index 0e963ff..5aa62e4 100755 --- a/tests/luks2-reencryption-mangle-test +++ b/tests/luks2-reencryption-mangle-test 
@@ -9,6 +9,7 @@ CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_LIB_VALGRIND=../.libs IMG=reenc-mangle-data IMG_HDR=$IMG.hdr +IMG_HDR_BCP=$IMG_HDR.bcp IMG_JSON=$IMG.json KEY1=key1 DEV_NAME=reenc3492834 @@ -21,7 +22,7 @@ JSON_MSIZE=16384 function remove_mapping() { [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - rm -f $IMG $IMG_HDR $IMG_JSON $KEY1 >/dev/null 2>&1 + rm -f $IMG $IMG_HDR $IMG_HDR_BCP $IMG_JSON $KEY1 >/dev/null 2>&1 } function fail() @@ -43,13 +44,15 @@ function skip() function bin_check() { - which $1 >/dev/null 2>&1 || skip "WARNING: test require $1 binary, test skipped." + command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped." } function img_json_save() { + local _hdr=$IMG + [ -z "$1" ] || _hdr="$1" # FIXME: why --json-file cannot be used? - $CRYPTSETUP luksDump --dump-json-metadata $IMG | jq -c -M . | tr -d '\n' >$IMG_JSON + $CRYPTSETUP luksDump --dump-json-metadata $_hdr | jq -c -M . | tr -d '\n' >$IMG_JSON } function img_json_dump() @@ -84,7 +87,6 @@ function img_prepare_raw() # $1 options function img_prepare() # $1 options { img_prepare_raw - # FIXME: resilience is not saved here (always none)? $CRYPTSETUP reencrypt $IMG $CS_PARAMS -q --init-only --resilience none $1 >/dev/null 2>&1 [ $? -ne 0 ] && skip "Reencryption unsupported, test skipped." img_json_save @@ -99,6 +101,7 @@ function _dd() # header mangle functions function img_update_json() { + local _hdr="$IMG" local LUKS2_BIN1_OFFSET=448 local LUKS2_BIN2_OFFSET=$((LUKS2_BIN1_OFFSET + $JSON_MSIZE)) local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096)) 
@@ -111,24 +114,26 @@ function img_update_json() echo $JSON | tr -d '\n' >$IMG_JSON || fail fi + [ -z "$2" ] || _hdr="$2" + # wipe JSON areas - _dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=4096 - _dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) + _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=4096 + _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) # write JSON data - _dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=4096 - _dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) + _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=4096 + _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) # erase sha256 checksums - _dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN1_OFFSET - _dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN2_OFFSET + _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN1_OFFSET + _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN2_OFFSET # calculate sha256 and write chexksums - local SUM1_HEX=$(_dd if=$IMG count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) - echo $SUM1_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN1_OFFSET count=64 || fail + local SUM1_HEX=$(_dd if=$_hdr count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) + echo $SUM1_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN1_OFFSET count=64 || fail - local SUM2_HEX=$(_dd if=$IMG skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) - echo $SUM2_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN2_OFFSET count=64 || fail + local SUM2_HEX=$(_dd if=$_hdr skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) + echo $SUM2_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN2_OFFSET count=64 || fail img_hash_save } @@ -143,6 +148,12 @@ function img_check_ok() $CRYPTSETUP repair $IMG $CS_PARAMS || fail } +function img_check_dump_ok() +{ + $CRYPTSETUP luksDump $IMG >/dev/null || fail + img_check_fail +} + function img_check_fail() { if [ $(id -u) == 0 ]; then 
@@ -155,43 +166,21 @@ function img_check_fail() function img_run_reenc_ok() { -local EXPECT_TIMEOUT=5 -[ -n "$VALG" ] && EXPECT_TIMEOUT=60 -# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here. -expect_run - >/dev/null <<EOF -proc abort {} { send_error "Timeout. "; exit 2 } -set timeout $EXPECT_TIMEOUT -eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks --resilience none -expect timeout abort "Are you sure? (Type 'yes' in capital letters):" -send "YES\n" -expect timeout abort eof -exit -EOF -[ $? -eq 0 ] || fail "Expect script failed." + $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt --resilience none || fail +} + +function img_run_reenc_ok_data_shift() +{ + $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt || fail } function img_run_reenc_fail() { -local EXPECT_TIMEOUT=5 -[ -n "$VALG" ] && EXPECT_TIMEOUT=60 -# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here. -expect_run - >/dev/null <<EOF -proc abort {} { send_error "Timeout. "; exit 42 } -set timeout $EXPECT_TIMEOUT -eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks -expect timeout abort "Are you sure? (Type 'yes' in capital letters):" -send "YES\n" -expect timeout abort eof -catch wait result -exit [lindex \$result 3] -EOF -local ret=$? -[ $ret -eq 0 ] && fail "Reencryption passed (should have failed)." -[ $ret -eq 42 ] && fail "Expect script failed." +$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --force-offline-reencrypt --disable-locks -q 2>/dev/null && fail "Reencryption passed (should have failed)." img_hash_unchanged } -function img_check_fail_repair_ok() +function img_check_fail_repair() { if [ $(id -u) == 0 ]; then $CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail 
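Review bot: `img_run_reenc_fail` now treats any non-zero exit as the expected rejection, whereas the removed expect wrapper reserved exit code 42 for failures of the harness itself; a crash of `$CRYPTSETUP_RAW` on the mangled header, or a binary that cannot be executed, would therefore count as a pass. Because these cases assert that invalid metadata is refused, the status should be inspected: run the command without `&& fail`, then `local ret=$?`, `[ $ret -eq 0 ] && fail "Reencryption passed (should have failed)."` and `[ $ret -ge 126 ] && fail "Reencryption did not exit cleanly ($ret)."`. The `... 2>/dev/null && fail` one-liners in the "[9] Decryption with datashift" block of this file have the same blind spot. The function body also lost its indentation relative to `img_run_reenc_ok` above it.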
@@ -203,9 +192,20 @@ function img_check_fail_repair_ok() $CRYPTSETUP repair $IMG $CS_PARAMS || fail img_check_ok +} + +function img_check_fail_repair_ok() +{ + img_check_fail_repair img_run_reenc_ok } +function img_check_fail_repair_ok_data_shift() +{ + img_check_fail_repair + img_run_reenc_ok_data_shift +} + function valgrind_setup() { bin_check valgrind @@ -217,26 +217,20 @@ function valgrind_setup() function valgrind_run() { - INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" + export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" + $CRYPTSETUP_RAW "$@" } -function expect_run() -{ - export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" - expect "$@" -} +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." bin_check jq bin_check sha256sum bin_check xxd -bin_check expect export LANG=C [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run -#while false; do - echo "[1] Reencryption with old flag is rejected" img_prepare img_update_json '.config.requirements.mandatory = ["online-reencryptx"]' 
@@ -251,6 +245,25 @@ img_prepare img_update_json 'del(.digests."2") | .config.requirements.mandatory = ["online-reencrypt"]' img_check_fail_repair_ok +# Simulate future version of reencrypt flag (should pass luksDump) +img_prepare +img_update_json '.config.requirements.mandatory = ["online-reencrypt-v999"]' +img_check_dump_ok + +# Multiple reencrypt requirement flags makes LUKS2 invalid +img_prepare +img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt-v999"]' +img_check_fail + +img_prepare +img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt"]' +img_check_fail + +# just regular unknown requirement +img_prepare +img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt-v3X"]' +img_check_dump_ok + # This must fail for new releases echo "[2] Old reencryption in-progress (journal)" img_prepare @@ -378,7 +391,7 @@ img_update_json ' .digests."0".segments = ["0","2"] | .digests."1".segments = ["1","3"] | .config.requirements.mandatory = ["online-reencrypt"]' -img_check_fail_repair_ok +img_check_fail_repair_ok_data_shift # # NEW metadata (with reenc digest) @@ -400,7 +413,6 @@ img_prepare '--reduce-device-size 2M' img_update_json '.keyslots."2".area.shift_size = ((.keyslots."2".area.shift_size|tonumber / 2)|tostring)' img_check_fail -#FIXME: cannot check with correct digest for now (--init-only does not store area type) img_prepare img_update_json ' .keyslots."2".area.type = "checksum" | 
@@ -500,5 +512,37 @@ img_update_json ' }' $CRYPTSETUP reencrypt $IMG $CS_PARAMS >/dev/null 2>&1 && fail +echo "[9] Decryption with datashift" +img_prepare_raw +$CRYPTSETUP reencrypt $CS_PARAMS --decrypt --init-only --force-offline-reencrypt --resilience checksum --header $IMG_HDR $IMG || fail +cp $IMG_HDR $IMG_HDR_BCP + +# change hash +img_json_save $IMG_HDR_BCP +img_update_json '.keyslots."1".area.hash = "sha12345"' $IMG_HDR +$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail + +# change sector size +img_json_save $IMG_HDR_BCP +img_update_json '.keyslots."1".area.sector_size = 1024' $IMG_HDR +$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail + +# replace with new resilience mode +img_json_save $IMG_HDR_BCP +img_update_json 'del(.keyslots."1".area.hash) | + del(.keyslots."1".sector_size) | + .keyslots."1".area.type = "datashift-journal"' $IMG_HDR +$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail + +# downgrade reencryption requirement +img_json_save $IMG_HDR_BCP +img_update_json '.config.requirements.mandatory = ["online-reencrypt-v2"]' $IMG_HDR +$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail + +# change datashift value +img_json_save $IMG_HDR_BCP +img_update_json '.keyslots."1".area.shift_size = (((.keyslots."1".area.shift_size | tonumber) - 4096) | tostring)' $IMG_HDR +$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail + remove_mapping exit 0 diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test index 7a36a9b..a647a8c 100755 --- a/tests/luks2-reencryption-test +++ b/tests/luks2-reencryption-test @@ -1,6 +1,6 @@ #!/bin/bash -PS4='$LINENO:' +#PS4='$LINENO:' [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup 
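Review bot: In the "replace with new resilience mode" case the second deletion targets `.keyslots."1".sector_size`, while the "change sector size" case just above it sets `.keyslots."1".area.sector_size`. If the field lives under `area`, that `del` is a no-op and the header is probably rejected because of a leftover checksum field rather than because of the changed resilience type; the line would then read `del(.keyslots."1".area.sector_size) |`. Separately, every `... 2>/dev/null && fail` check in this block accepts any non-zero exit as a rejection, so a crash while parsing the modified header would also count as a pass. Asserting that the status is not a signal exit (128 or above) would make these negative cases stricter.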
@@ -18,6 +18,8 @@ DEV_NAME=reenc9768 DEV_NAME2=reenc97682 IMG=reenc-data IMG_HDR=$IMG.hdr +HEADER_LUKS2_PV=blkid-luks2-pv.img +IMG_FS=xfs_512_block_size.img KEY1=key1 VKEY1=vkey1 PWD1="93R4P4pIqAH8" @@ -25,7 +27,7 @@ PWD2="1cND4319812f" PWD3="1-9Qu5Ejfnqv" DEV_LINK="reenc-test-link" -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function dm_crypt_features() { @@ -45,7 +47,7 @@ function dm_crypt_features() [ $VER_MIN -lt 14 ] && return DM_PERF_CPU=1 - if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then + if [ $VER_MIN -ge 17 ]; then DM_SECTOR_SIZE=1 fi } @@ -98,7 +100,7 @@ function remove_mapping() [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV unset LOOPDEV - rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK >/dev/null 2>&1 + rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1 rmmod scsi_debug >/dev/null 2>&1 scsi_debug_teardown $DEV } @@ -220,7 +222,7 @@ function preparebig() # $1 dev1_siz function check_hash_dev() # $1 dev, $2 hash { - HASH=$(sha256sum $1 | cut -d' ' -f 1) + HASH=$(sha1sum $1 | cut -d' ' -f 1) [ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)" } @@ -233,7 +235,7 @@ function check_hash() # $1 pwd, $2 hash, $3 hdr function check_hash_dev_head() # $1 dev, $2 len, $3 hash { - local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1) + local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha1sum | cut -d' ' -f1) [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)" } 
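Review bot: In `check_hash_dev` the comparison `[ $HASH != "$2" ]` leaves `$HASH` unquoted, so when `sha1sum $1` produces no output (for example because the device node is missing) the test command errors out with a non-zero status and `fail` is never called, letting the check pass silently. Quoting closes that gap: `HASH=$(sha1sum "$1" | cut -d' ' -f 1)` and `[ "$HASH" != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"`. The switch from sha256sum to sha1sum here and in `check_hash_dev_head` is acceptable for comparing known test patterns, but a comment such as `# SHA-1 only compares test data here, it is not a security control` would keep it from being copied into code where collision resistance matters.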
@@ -319,7 +321,7 @@ function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 h test -z "$4" || _hdr="--header $4" error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH - echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 --force-offline-reencrypt -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail fix_writes $OVRDEV $OLD_DEV echo $PWD1 | $CRYPTSETUP -q repair $DEV $_hdr || fail @@ -433,6 +435,8 @@ function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail check_hash $PWD1 $3 $4 + [ -f $4 ] && rm -f $4 + echo "[OK]" } @@ -463,6 +467,8 @@ function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 $CRYPTSETUP close $DEV_NAME || fail + [ -f $4 ] && rm -f $4 + echo "[OK]" } @@ -487,6 +493,8 @@ function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest check_hash_dev $DEV $3 + [ -f $4 ] && rm -f $4 + echo "[OK]" } 
@@ -517,9 +525,94 @@ function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail check_hash_dev $DEV $3 + [ -f $4 ] && rm -f $4 + echo "[OK]" } +function decrypt_recover() { # $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 hotzone size + local _res="" + local _maxhz="" + test -z "$4" || _res="--resilience $4" + test -z "$5" || _maxhz="--hotzone-size $5" + echo -n "[${4:-default}]" + + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 --init-only $_maxhz >/dev/null || fail + + error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail + fix_writes $OVRDEV $OLD_DEV + + echo $PWD1 | $CRYPTSETUP -q repair $DEV --header $2 || fail + + $CRYPTSETUP luksDump $2 | grep -q "online-reencrypt" + if [ $? -eq 0 ]; then + check_hash $PWD1 $1 $2 + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 $_res -q $FAST_PBKDF_ARGON || fail + fi + + check_hash_dev_head $DEV $3 $1 + + [ -f $2 ] && rm -f $2 + + echo -n "[OK]" +} + +function decrypt_recover_online() { # $1 hash, $2 hdr, $3 dev size + local _res="" + local _maxhz="" + test -z "$4" || _res="--resilience $4" + test -z "$5" || _maxhz="--hotzone-size $5" + echo -n "[${4:-default}]" + + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 $_maxhz --init-only >/dev/null 2>&1 || fail + + error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail + $CRYPTSETUP status $DEV_NAME --header $2 | grep -q "reencryption: in-progress" || fail + $CRYPTSETUP close $DEV_NAME || fail + fix_writes $OVRDEV $OLD_DEV + + # recovery during activation + echo $PWD1 | $CRYPTSETUP open $DEV --header $2 $DEV_NAME || fail + + check_hash_dev /dev/mapper/$DEV_NAME $1 + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q || fail + + $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail + check_hash_dev_head 
$DEV $3 $1 + + [ -f $2 ] && rm -f $2 + + echo -n "[OK]" +} + +function decrypt_recover_online_moved() { # $1 hash, $2 hdr, $3 dev size + local _res="" + local _maxhz="" + test -z "$4" || _res="--resilience $4" + test -z "$5" || _maxhz="--hotzone-size $5" + echo -n "[${4:-default}]" + + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --header $2 $_maxhz $_res --init-only >/dev/null 2>&1 || fail + + error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH + echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $2 -q $_res >/dev/null 2>&1 && fail + $CRYPTSETUP status $DEV_NAME --header $2 | grep -q "reencryption: in-progress" || fail + $CRYPTSETUP close $DEV_NAME || fail + fix_writes $OVRDEV $OLD_DEV + + # recovery but activation fails due to last segment recovery makes it plaintext device + echo $PWD1 | $CRYPTSETUP open $DEV --header $2 $DEV_NAME 2>/dev/null && fail + + $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail + check_hash_dev_head $DEV $3 $1 + + [ -f $2 ] && rm -f $2 + + echo -n "[OK]" +} + # sector size (bytes) # reenc dev size (sectors) # reenc dev digest 
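Review bot: The parameter comments on `decrypt_recover_online` and `decrypt_recover_online_moved` list only `$1 hash, $2 hdr, $3 dev size`, yet both bodies read `$4` (resilience) and `$5` (hotzone size) just as `decrypt_recover` does. Their headers should match it: `# $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 hotzone size`. In `decrypt_recover`, the `grep -q "online-reencrypt"` line followed by `if [ $? -eq 0 ]; then` can be written as `if $CRYPTSETUP luksDump $2 | grep -q "online-reencrypt"; then`, which cannot be broken by a statement later inserted between the two lines.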
@@ -530,15 +623,27 @@ function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 function reencrypt_offline_fixed_size() { local _esz=$(($1>>9)) local _hdr="" + # round-up fixed size to megabytes + local _mbs=$((($2>>11)+1)) test -z "$7" || _hdr="--header $7" + if [ -z "$7" ]; then + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail + else + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $7 $FAST_PBKDF_ARGON $DEV || fail + fi + echo $PWD1 | $CRYPTSETUP open $_hdr $DEV $DEV_NAME || fail + wipe_dev_head /dev/mapper/$DEV_NAME $_mbs + $CRYPTSETUP close $DEV_NAME || fail + # reencrypt with fixed device size - echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --device-size $2s --resilience $4 || fail + echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --device-size $2s --resilience $4 --force-offline-reencrypt || fail + check_hash_head $PWD1 $2 $3 $7 wipe $PWD1 $7 # try to reencrypt device size + 1 encryption sector size - echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail + echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only --force-offline-reencrypt || fail echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail check_hash $PWD1 $6 $7 @@ -565,6 +670,7 @@ function encrypt_offline_fixed_size() { wipe_dev $DEV echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --device-size $2s --resilience $4 || fail check_hash_head $PWD1 $2 $3 $7 + [ -f $7 ] && rm -f $7 # try to reencrypt device size + 1 encryption sector size wipe_dev $DEV 
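Review bot: The comment `# round-up fixed size to megabytes` does not match `local _mbs=$((($2>>11)+1))`, which always adds one MiB, even when `$2` is already a whole number of MiB (2048 sectors gives 2, not 1). If the extra MiB is intended as slack for `wipe_dev_head`, the comment should say so, for example `# fixed size in MiB plus one MiB of slack`; a true round-up would be `$((($2+2047)>>11))`. `reencrypt_offline_fixed_size` continues past the end of this hunk, so the remaining uses of the wiped area are not visible here.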
@@ -574,12 +680,15 @@ function encrypt_offline_fixed_size() { # misaligned reencryption size if [ $_esz -gt 1 ]; then + [ -f $7 ] && rm -f $7 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail $CRYPTSETUP luksDump $7 | grep -q "2: crypt" || fail $CRYPTSETUP luksDump $7 | grep -q "3: crypt" && fail check_hash $PWD1 $6 $7 fi + + [ -f $7 ] && rm -f $7 } # sector size (bytes) @@ -674,6 +783,8 @@ function reencrypt_online_fixed_size() { $CRYPTSETUP close $DEV_NAME || fail check_hash $PWD1 $6 $7 fi + + [ -n "$7" -a -f "$7" ] && rm -f $7 } function setup_luks2_env() { @@ -690,9 +801,23 @@ function setup_luks2_env() { $CRYPTSETUP close $DEV_NAME || fail } +function check_blkid() { + bin_check blkid + xz -dkf $HEADER_LUKS2_PV.xz + if ! $($CRYPTSETUP --version | grep -q "BLKID"); then + HAVE_BLKID=0 + elif $(blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1); then + HAVE_BLKID=1 + xz -dkf $IMG_FS.xz + blkid $IMG_FS | grep -q BLOCK_SIZE && BLKID_BLOCK_SIZE_SUPPORT=1 + else + HAVE_BLKID=0 + fi +} + function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -702,6 +827,11 @@ function valgrind_run() INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } +function bin_check() +{ + command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped." +} + [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." fips_mode && skip "This test cannot be run in FIPS mode." 
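Review bot: `check_blkid` wraps its conditions in command substitution, `if ! $($CRYPTSETUP --version | grep -q "BLKID")` and `elif $(blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1)`, which behaves as intended only while the pipeline prints nothing; any output would be executed as a command. The plain forms are `if ! $CRYPTSETUP --version | grep -q "BLKID"; then` and `elif blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1; then`. The two `xz -dkf` calls are also unchecked, so a missing or corrupt `.xz` fixture ends up as `HAVE_BLKID=0` (or an unset `BLKID_BLOCK_SIZE_SUPPORT`) rather than a visible error; `xz -dkf $HEADER_LUKS2_PV.xz || fail` would surface it, assuming a hard failure is the desired outcome there.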
@@ -725,27 +855,36 @@ export LANG=C # REENCRYPTION tests # 28 MiBs of zeros (32MiBs - 4MiB LUKS2 header) -HASH1=f8280c81b347b01405277bf9e8bf0685ae8be863ff104797c65b7169f8203fd2 +HASH1=4da90c0638bd7d29ce3d0ace3df5ee99706c23da # 1 MiB of zeros -HASH2=30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58 +HASH2=3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3 # 256 MiBs of zeros -HASH3=a6d72ac7690f53be6ae46ba88506bd97302a093f7108472bd9efc3cefda06484 +HASH3=7b91dbdc56c5781edf6c8847b4aa6965566c5c75 # 64 MiBs of zeroes -HASH4=3b6a07d0d404fab4e23b6d34bc6696a6a312dd92821332385e5af7c01c421351 +HASH4=44fac4bedde4df04b9572ac665d3ac2c5cd00c7d # 56 MiBs of zeroes -HASH5=8afcb7e7189ce4d112fd245eaa60c3cfcf5a5d5e1d6bf4eb85941d73ef8cfbd5 +HASH5=bcd8ce9b30a43b2dacdf479493c93e167ef60946 # 43 MiBs of zeroes -HASH6=39f7c6d38af574fe2c90ef400dfaba8ef8edccd11bdac998a3f8143a86837331 +HASH6=2cf8a5f40a2ab5373c5425d6071da480f1ce08e8 # 31 MiBs of zeroes -HASH7=18a393d1a505e22ccf3e29effe3005ea8627e4c36b7cca0e53f58121f49b67e1 +HASH7=7ed56dd14d2841cf169fe503d097be04192666bd # 60 MiBs of zeroes -HASH8=cf5ac69ca412f9b3b1a8b8de27d368c5c05ed4b1b6aa40e6c38d9cbf23711342 +HASH8=233ba936226a3ac499e67babaebd0d4aafb9761a # 240 MiBs of zeroes (256MiBs - 16MiBs default LUKS2 header size) -HASH9=17088b031491a37e0ee9e1025a3938f55ee94ae27653370ad2fe5b0b32e35334 +HASH9=045eebed703cce308e049deb019b877f0445862f +# 16 MiBs of zeroes +HASH10=3b4417fc421cee30a9ad0fd9319220a8dae32da2 prepare dev_size_mb=32 setup_luks2_env +# Check that we can use other ciphers than AES in userspace backend. 
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c twofish-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Twofish cipher, test skipped" +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c serpent-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Serpent cipher, test skipped." +wipe_dev $DEV + echo "[1] Reencryption" echo -n "[512 sector]" echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail @@ -771,7 +910,6 @@ echo -n "[OK][4096 sector]" prepare sector_size=4096 dev_size_mb=32 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail check_hash $PWD1 $HASH1 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail @@ -794,7 +932,6 @@ echo -n "[OK][4096/512 sector]" prepare sector_size=512 physblk_exp=3 dev_size_mb=32 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail check_hash $PWD1 $HASH1 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail 
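Review bot: The two new cipher probes turn any failure of `reencrypt` into a skip: `... reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Twofish cipher, test skipped"` runs after `luksFormat` with that cipher has already succeeded, and stderr is discarded. The skip is presumably meant for crypto backends that lack Twofish or Serpent, but as written a regression in reencryption with a non-AES cipher would also be reported as a skipped test instead of a failure. Keeping stderr in a variable and skipping only when it names the cipher as unavailable, with `|| fail` otherwise, would separate the two cases. The Twofish message also lacks the trailing period that the Serpent one has.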
@@ -821,7 +958,7 @@ check_hash $PWD1 $HASH2 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail check_hash $PWD1 $HASH2 if [ -n "$DM_SECTOR_SIZE" ]; then - echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail + echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 --force-offline-reencrypt || fail check_hash $PWD1 $HASH2 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail check_hash $PWD1 $HASH2 @@ -840,7 +977,6 @@ check_hash_dev $DEV $HASH4 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON || fail check_hash_head $PWD1 $((56*1024*2)) $HASH5 wipe_dev $DEV -check_hash_dev $DEV $HASH4 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail check_hash_head $PWD1 $((43*1024*2)) $HASH6 wipe_dev $DEV @@ -854,7 +990,7 @@ wipe_dev $DEV echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON > /dev/null 2>&1 && fail echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 8M --init-only -q $FAST_PBKDF_ARGON $DEV || fail resize_file $DEVBIG -512 -echo $PWD1 | $CRYPTSETUP reencrypt $DEV 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV 2> /dev/null && fail resize_file $DEVBIG 512 wipe_dev $DEV echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --offset 32760 --reduce-device-size 8M -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 && fail 
@@ -893,7 +1029,6 @@ echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $F check_hash_head $PWD1 2048 $HASH2 wipe_dev_head $DEV 1 -check_hash_dev_head $DEV 2048 $HASH2 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail @@ -905,14 +1040,18 @@ wipe_dev $DEV echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail check_hash $PWD1 $HASH3 $IMG_HDR wipe_dev $DEV +rm -f $IMG_HDR echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail check_hash $PWD1 $HASH3 $IMG_HDR wipe_dev $DEV +rm -f $IMG_HDR echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail check_hash $PWD1 $HASH3 $IMG_HDR wipe_dev $DEV +rm -f $IMG_HDR echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail check_hash $PWD1 $HASH3 $IMG_HDR +rm -f $IMG_HDR # Device activation after encryption initialization wipe_dev $DEV @@ -924,12 +1063,14 @@ check_hash_dev /dev/mapper/$DEV_NAME $HASH3 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail $CRYPTSETUP close $DEV_NAME check_hash $PWD1 $HASH3 $IMG_HDR +rm -f $IMG_HDR # Device encryption with data offset set in detached header wipe_dev $DEV dd if=/dev/urandom of=$DEV bs=512 count=32768 >/dev/null 2>&1 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR --offset 32768 -q $FAST_PBKDF_ARGON $DEV || fail check_hash $PWD1 $HASH9 $IMG_HDR +rm -f $IMG_HDR # Device activation using key file wipe_dev $DEV 
@@ -939,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail $CRYPTSETUP close $DEV_NAME echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail +# Encrypt without size reduction must not allow header device same as data device +wipe_dev_head $DEV 1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail +ln -s $DEV $DEV_LINK || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail +rm -f $DEV_LINK || fail + +dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1 +echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail +ln -s $IMG $DEV_LINK || fail +echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail + echo "[4] Reencryption with detached header" wipe $PWD1 $IMG_HDR echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail @@ -1007,7 +1164,7 @@ $CRYPTSETUP close $DEV_NAME rm -f $IMG_HDR $CRYPTSETUP luksHeaderBackup --header-backup-file $IMG_HDR $DEV || fail chmod +w $IMG_HDR || fail -which wipefs >/dev/null 2>&1 && { +command -v wipefs >/dev/null && { wipefs -a $DEV >/dev/null 2>&1 || fail } open_crypt $PWD1 $IMG_HDR @@ -1032,7 +1189,6 @@ echo "sector size 512->512" get_error_offsets 32 $OFFSET echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 512 checksum $HASH1 
@@ -1044,13 +1200,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH1 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 reencrypt_recover 4096 journal $HASH1 echo "sector size 4096->4096" @@ -1058,7 +1212,6 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH1 @@ -1072,7 +1225,6 @@ echo "sector size 512->512" get_error_offsets 32 $OFFSET echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 512 checksum $HASH1 @@ -1084,13 +1236,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH1 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 reencrypt_recover_online 4096 journal $HASH1 echo "sector size 4096->4096" 
@@ -1098,7 +1248,6 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH1 @@ -1125,13 +1274,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 31 0 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH7 $IMG_HDR echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR reencrypt_recover 4096 journal $HASH7 $IMG_HDR echo "sector size 4096->4096" @@ -1139,7 +1286,6 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 31 0 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH7 $IMG_HDR @@ -1153,7 +1299,6 @@ echo "sector size 512->512" get_error_offsets 31 0 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR -check_hash $PWD1 $HASH7 $IMG_HDR echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 512 checksum $HASH7 $IMG_HDR 
@@ -1165,13 +1310,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 31 0 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR echo "sector size 4096->4096" @@ -1179,7 +1322,6 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 31 0 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 $IMG_HDR - check_hash $PWD1 $HASH7 $IMG_HDR echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR 
@@ -1311,30 +1453,27 @@ fi echo "[16] Offline reencryption with fixed device size." preparebig 68 -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail -wipe $PWD1 -check_hash $PWD1 $HASH8 -for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 - reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 - reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 + reencrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 + reencrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 + reencrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 echo -n "[OK]" done echo "" done echo "[17] Online reencryption with fixed device size." -for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 - reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 - reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 + reencrypt_online_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 + reencrypt_online_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 + reencrypt_online_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 echo -n "[OK]" done echo "" 
@@ -1342,43 +1481,40 @@ done echo "[18] Offline reencryption with fixed device size (detached header)." preparebig 60 -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail -wipe $PWD1 $IMG_HDR -check_hash $PWD1 $HASH8 $IMG_HDR -for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR echo -n "[OK]" done echo "" done echo "[19] Online reencryption with fixed device size (detached header)." 
-for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_online_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_online_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + reencrypt_online_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR echo -n "[OK]" done echo "" done echo "[20] Offline encryption with fixed device size (detached header)." -for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - encrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - encrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - encrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + encrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + encrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + encrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR echo -n "[OK]" done echo "" 
@@ -1386,13 +1522,13 @@ done echo "[21] Offline decryption with fixed device size (detached header)." prepare_linear_dev 60 -for test_ss in $TEST_SECTORS; do -printf "sector size %4s: " $test_ss +for test_sector_size in $TEST_SECTORS; do +printf "sector size %4s: " $test_sector_size for test_res in checksum journal none; do echo -n "[$test_res]" - decrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - decrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR - decrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + decrypt_offline_fixed_size $test_sector_size 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + decrypt_offline_fixed_size $test_sector_size $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR + decrypt_offline_fixed_size $test_sector_size $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR echo -n "[OK]" done echo "" @@ -1404,7 +1540,6 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 32768 $FAST_PBKDF_A echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV || fail echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH2 echo -e "$PWD1\n$PWD2\n$PWD3" | $CRYPTSETUP reencrypt $DEV -q || fail check_hash $PWD1 $HASH2 
@@ -1463,16 +1598,33 @@ echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$ echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only -q 2>/dev/null && fail echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q || fail +#test error path behaves as expected for initialization with not enough space in binary area +# create LUKS2 header with keyslots binary space for exactly 4 keyslots +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --luks2-keyslots-size $((4*258048)) -S0 -s512 --cipher aes-xts-plain64 $FAST_PBKDF_ARGON $DEV >/dev/null || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S1 $DEV -q $FAST_PBKDF_ARGON || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S2 $DEV -q $FAST_PBKDF_ARGON || fail +# there is not enough space in binary area for keyslot id 4 (replacement for id 2) +echo -e "$PWD1\n$PWD2\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail +$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail +# check cli removed all unbound keyslots created in-before reencryption initialization +$CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail + +echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 2 || fail +# there is not enough space in binary area for reencryption keyslot +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV --init-only -q 2>/dev/null && fail +$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail +# check cli removed all unbound keyslots created in-before reencryption initialization +$CRYPTSETUP luksDump $DEV | grep -q "unbound" && fail + echo "[23] Reencryption with specified new volume key" prepare dev_size_mb=32 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 256 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 -echo $PWD1 | $CRYPTSETUP 
reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 || fail check_hash $PWD1 $HASH1 $CRYPTSETUP luksErase -q $DEV || fail -echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 $DEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 $DEV || fail check_hash $PWD1 $HASH1 echo "[24] Reencryption with initial cipher_null" @@ -1480,7 +1632,6 @@ echo "[24] Reencryption with initial cipher_null" prepare dev_size_mb=32 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail check_hash $PWD1 $HASH1 @@ -1529,7 +1680,6 @@ echo "sector size 512->512" get_error_offsets 32 $OFFSET echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 512 checksum $HASH1 @@ -1543,13 +1693,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH1 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 reencrypt_recover 4096 journal $HASH1 echo "sector size 4096->4096" 
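Review bot: The keyslots area size `$((4*258048))` in the new error-path test ahead of section [23] is an unexplained constant that is only meaningful together with `-s512`; 258048 is presumably the binary area one keyslot needs for a 512-bit key, so changing the key size would silently change what "exactly 4 keyslots" means. I would add a comment above the luksFormat line, for example `# 258048 = binary area of one keyslot for a 512-bit key (-s512); keep the two in sync`. The two `reencrypt $DEV --init-only -q 2>/dev/null && fail` checks accept any failure, not only the out-of-space one, so the `luksDump | grep -q` lines that follow are what actually pin the cleanup behaviour and deserve a comment saying so.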
@@ -1557,7 +1705,6 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover 4096 checksum $HASH1 @@ -1571,7 +1718,6 @@ echo "sector size 512->512" get_error_offsets 32 $OFFSET echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 -check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 512 checksum $HASH1 @@ -1585,13 +1731,11 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH1 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 reencrypt_recover_online 4096 journal $HASH1 echo "sector size 4096->4096" 
@@ -1599,12 +1743,465 @@ if [ -n "$DM_SECTOR_SIZE" ]; then get_error_offsets 32 $OFFSET 4096 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail wipe $PWD1 - check_hash $PWD1 $HASH1 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" reencrypt_recover_online 4096 checksum $HASH1 reencrypt_recover_online 4096 journal $HASH1 fi +echo "[27] Verify test passphrase mode works with reencryption metadata" +echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail +echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail + +echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail +echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail +rm -f $IMG_HDR +wipe_dev_head $DEV 1 + +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail + +echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail + +echo "[28] Prevent nested encryption" +prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP + +#device already LUKS2 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail + +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --reduce-device-size 2m $FAST_PBKDF2 $DEV 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null 
&& fail +test -f $IMG_HDR && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --reduce-device-size 2m $FAST_PBKDF2 $DEV 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail +test -f $IMG_HDR && fail +#type mismatch +echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 $DEV 2>/dev/null && fail +wipe_dev $DEV + +#detached header already LUKS2 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail + +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 --header $IMG_HDR $DEV 2>/dev/null && fail +rm -f $IMG_HDR + +#data device already in reencryption +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt --init-only $FAST_PBKDF_ARGON $DEV || fail + +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail +test -f $IMG_HDR && fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail +test -f $IMG_HDR && fail +#type mismatch +echo $PWD1 | $CRYPTSETUP reencrypt -q --type luks1 $DEV 2>/dev/null && fail +wipe_dev $DEV +rm -f $IMG_HDR + +#header in reencryption (type mismatch) +echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail + +echo "[29] Conflicting reencryption parameters" +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --init-only $FAST_PBKDF_ARGON || fail +echo 
$PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 4M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail +wipe_dev_head $DEV 1 +echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 16M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null || fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience journal 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail +wipe_dev_head $DEV 1 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail +echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-checksum 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-journal 2>/dev/null && fail +rm -f $IMG_HDR +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --encrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 
$DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail +echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail +rm -f $IMG_HDR +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience datashift 2> /dev/null && fail +test -f $IMG_HDR && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience none 2> /dev/null && fail +test -f $IMG_HDR && fail +$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience checksum --hotzone-size 4m || fail +$CRYPTSETUP isLuks $DEV -q && fail +# $CRYPTSETUP luksDump $IMG_HDR +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience datashift 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience none 2> /dev/null && fail +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience journal || fail +rm -f $IMG_HDR + +check_blkid +if [ "$HAVE_BLKID" -gt 0 ]; then + echo "[30] Prevent nested encryption of broken LUKS device" + rm -f $IMG_HDR + xz -dkf $HEADER_LUKS2_PV.xz + wipe_dev $DEV + + # broken header + echo $PWD1 | $CRYPTSETUP reencrypt -q --header $HEADER_LUKS2_PV $DEV $FAST_PBKDF_ARGON --encrypt --type luks2 2>/dev/null && fail + $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail + # broken device + echo $PWD1 | $CRYPTSETUP reencrypt -q $HEADER_LUKS2_PV $FAST_PBKDF_ARGON --encrypt --force-offline-reencrypt --type luks2 --reduce-device-size 8m 2>/dev/null && fail + $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail + # broken data device only + echo $PWD1 | $CRYPTSETUP reencrypt -q --header $IMG_HDR 
$HEADER_LUKS2_PV $FAST_PBKDF_ARGON --encrypt --force-offline-reencrypt --type luks2 2>/dev/null && fail + test -f $IMG_HDR && fail +fi + +if [ -n "$DM_SECTOR_SIZE" -a $HAVE_BLKID -gt 0 ]; then + echo "[31] Prevent dangerous sector size increase" + preparebig 64 + echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 512 --type luks2 $FAST_PBKDF_ARGON $DEV || fail + + # block encryption sector size increase on offline device + echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail + $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail + echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail + $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail + $CRYPTSETUP luksDump $DEV | grep -q "sector: 1024" && fail + + # --force-offline-reencrypt can bypass the constraint + echo $PWD1 | $CRYPTSETUP reencrypt --force-offline-reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV || fail + # resume must work + echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV || fail + + # online with no superblock is fine + echo $PWD1 | $CRYPTSETUP open -q $DEV $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 4096 $FAST_PBKDF_ARGON $DEV || fail + $CRYPTSETUP close $DEV_NAME || fail + + # sector size decrease is ok + echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 4096 --type luks2 $FAST_PBKDF_ARGON $DEV || fail + echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV || fail + + if [ -n "$BLKID_BLOCK_SIZE_SUPPORT" ]; then + xz -dkf $IMG_FS.xz + # encryption checks must work in offline mode + echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail + test -f $IMG_HDR && fail + + echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt 
--sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail + test -f $IMG_HDR && fail + + echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail + $CRYPTSETUP isLuks $IMG_FS && fail + echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail + $CRYPTSETUP isLuks $IMG_FS && fail + + echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 512 --type luks2 $FAST_PBKDF_ARGON $DEV || fail + echo $PWD1 | $CRYPTSETUP open -q $DEV $DEV_NAME || fail + dd if=$IMG_FS of=/dev/mapper/$DEV_NAME bs=1M >/dev/null 2>&1 + + echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail + $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail + echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail + $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail + echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail + $CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail + echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail + $CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail + fi +fi + +echo "[32] Removal of encryption (LUKS2 legacy cryptsetup-reencrypt test)." +prepare dev_size_mb=32 +OFFSET=8192 + +# offline decryption with shift +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 57344 $HASH1 +# FIXME: Should not reencryption remove it automatically? 
+rm -f $IMG_HDR + +# online decryption with shift +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 57344 $HASH1 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +# offline decryption (separate initialization and decryption steps) +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail +check_hash $PWD1 $HASH1 $IMG_HDR +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 57344 $HASH1 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +# online decryption with shift +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail +check_hash_dev /dev/mapper/$DEV_NAME $HASH1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 57344 $HASH1 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +# same tests just with date size == LUKS2 header size +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail +wipe $PWD1 +check_hash $PWD1 $HASH10 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 32768 $HASH10 +# FIXME: Should not reencryption remove it automatically? 
+rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 32768 $HASH10 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail +check_hash $PWD1 $HASH10 $IMG_HDR +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 32768 $HASH10 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 32768 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only || fail +check_hash_dev /dev/mapper/$DEV_NAME $HASH10 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 32768 $HASH10 +# FIXME: Should not reencryption remove it automatically? 
+rm -f $IMG_HDR + +# 1MiB data size +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 63488 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +# --hotzone-size larger than data expected to get auto corrected by library +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only --hotzone-size 4M || fail +check_hash_dev /dev/mapper/$DEV_NAME $HASH2 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + +# small device (less than header size) +prepare dev_size_mb=5 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 2048 $HASH2 +# FIXME: Should not reencryption remove it automatically? +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + +# initialization by --active-name parameter +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + +# initialization and resume by --active-name parameter +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name 
$DEV_NAME --init-only || fail +check_hash_dev /dev/mapper/$DEV_NAME $HASH2 +echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --active-name $DEV_NAME || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + +echo "[33] Decryption with datashift recovery (error in shift area)." +prepare_linear_dev 32 +echo "sector size 512" + +# avoid error in moved segment area on purpose +# Also do not create write error in last segment because +# that would not trigger reencryption crash (read would pass) +get_error_offsets 32 $OFFSET 512 $((32-1024*2-$OFFSET)) +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail +wipe $PWD1 + +echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" +echo -n "resilience:" +decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) + +if [ -n "$DM_SECTOR_SIZE" ]; then + echo -e "\nsector size 4096" + + get_error_offsets 32 $OFFSET 4096 $((32-1024*2-$OFFSET)) + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + echo -n "resilience:" + decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) +fi +echo "" + +echo "[34] Decryption with datashift recovery (error in moved segment)." 
+echo "sector size 512" + +HZ_SIZE=$((3*1024*2)) + +# move injected error in moved segment area +get_error_offsets 32 0 512 $HZ_SIZE +echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + +echo -n "resilience:" +for res in datashift-journal datashift-checksum; do + + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512)) +done + +if [ -n "$DM_SECTOR_SIZE" ]; then + echo -e "\nsector size 4096" + + # move injected error in moved segment area + get_error_offsets 32 0 4096 $HZ_SIZE + echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + + echo -n "resilience:" + for res in datashift-journal datashift-checksum; do + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + decrypt_recover $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512)) + done +fi +echo "" + +echo "[35] Decryption with datashift recovery (online i/o error in shift area)." 
+echo "sector size 512" + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME + +# avoid error in moved segment area on purpose +# Also do not create write error in last segment because +# that would not trigger reencryption crash (read would pass) +get_error_offsets 32 $OFFSET 512 $((32-1024*2-$OFFSET)) +echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + +echo -n "resilience:" +decrypt_recover_online $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) + +if [ -n "$DM_SECTOR_SIZE" ]; then + echo -e "\nsector size 4096" + + get_error_offsets 32 $OFFSET 4096 $((32-1024*2-$OFFSET)) + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail + wipe_dev /dev/mapper/$DEV_NAME + + echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + echo -n "resilience:" + decrypt_recover_online $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) +fi +echo "" + +echo "[36] Decryption with datashift recovery (online i/o error in moved segment)." 
+echo "sector size 512" + +# move injected error in moved segment area +get_error_offsets 32 0 512 $HZ_SIZE +echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + +echo -n "resilience:" +for res in datashift-journal datashift-checksum; do + + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail + wipe_dev /dev/mapper/$DEV_NAME + + decrypt_recover_online_moved $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512)) +done + +if [ -n "$DM_SECTOR_SIZE" ]; then + echo -e "\nsector size 4096" + + get_error_offsets 32 0 4096 $HZ_SIZE + echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + + echo -n "resilience:" + for res in datashift-journal datashift-checksum; do + + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail + wipe_dev /dev/mapper/$DEV_NAME + + decrypt_recover_online_moved $HASH1 $IMG_HDR $((32*1024*2-$OFFSET)) $res $(($HZ_SIZE*512)) + done +fi +echo "" + +echo "[37] Decryption with datashift (large data offsets)" +prepare_linear_dev 512 + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1015808 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail +check_hash_dev_head $DEV $((16*1024*2)) $HASH10 +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1015808 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail +check_hash_dev_head $DEV $((16*1024*2)) $HASH10 +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 
1046528 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail +wipe $PWD1 +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset 1046528 --luks2-keyslots-size 16M $FAST_PBKDF_ARGON $DEV || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail +check_hash_dev_head $DEV 2048 $HASH2 + remove_mapping exit 0 diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test index f771e1f..cd9f0a6 100755 --- a/tests/luks2-validation-test +++ b/tests/luks2-validation-test @@ -80,7 +80,9 @@ function test_load() else $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 fi - test $? -ne 0 || return 1 + ret=$? + test $ret -ne 0 || return 1 + test $ret -ne 139 || return 1 ;; *) fail "Internal test error" @@ -102,7 +104,7 @@ function RUN() function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -112,9 +114,10 @@ function valgrind_run() INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run -which jq >/dev/null 2>&1 || skip "Cannot find jq, test skipped." +command -v jq >/dev/null || skip "Cannot find jq, test skipped." prepare 
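Review bot: In section [37] the two `echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME` lines have no `|| fail`, unlike every other `open` added in this hunk, so a failed activation lets `wipe_dev /dev/mapper/$DEV_NAME` run against a path that is not a mapping and the error only surfaces later as a hash mismatch; both should read `echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail`. Separately, sections [33] and [35] pass `$((32-1024*2-$OFFSET))` to `get_error_offsets` while the matching `decrypt_recover` calls use `$((32*1024*2-$OFFSET))`; the first expression is negative for any non-negative `$OFFSET` and looks like a typo for the second, though `get_error_offsets` is defined outside the hunk and may tolerate it. In [31], `$HAVE_BLKID` is unquoted inside `[ ... -a ... ]`, whereas [30] quotes it.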
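Review bot: The added `test $ret -ne 139 || return 1` in `test_load` catches only a SIGSEGV exit (128+11), so a run that dies on SIGABRT (134), SIGBUS (135) or SIGFPE (136) while parsing a malformed header is still counted as a correct rejection. Since these images exist to feed invalid metadata to the parser, any signal death should fail the case: `test $ret -lt 128 || return 1`, with a comment such as `# exit >= 128 means killed by a signal: a crash, not a rejection`. When `$VALG` is set the status comes from `valg.sh`, which may not report 128+signal, so that path probably needs its own check. `test_load` starts and ends outside the hunk, so whether `ret` is declared `local` is not visible.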
@@ -129,27 +132,27 @@ cd $START_DIR echo "[1] Test basic auto-recovery" RUN luks2-invalid-checksum-hdr0.img "R" "Failed to recover from trivial header corruption at offset 0" -# TODO: check epoch is incresed after recovery +# TODO: check epoch is increased after recovery # TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c) RUN luks2-invalid-checksum-hdr1.img "R" "Failed to recover from trivial header corruption at offset 16384" -# TODO: check epoch is incresed after recovery +# TODO: check epoch is increased after recovery # TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c) RUN luks2-invalid-checksum-both-hdrs.img "F" "Failed to recognise corrupted header beyond repair" echo "[2] Test ability to auto-correct mallformed json area" RUN luks2-corrupted-hdr0-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 512" -# TODO: check epoch is incresed after recovery +# TODO: check epoch is increased after recovery # TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c) RUN luks2-corrupted-hdr1-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 16896" -# TODO: check epoch is incresed after recovery +# TODO: check epoch is increased after recovery # TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c) RUN luks2-correct-full-json0.img "R" "Failed to parse full and correct json area" # TODO: detect noop (norecovery, epoch untouched) -# TODO: check epoch is NOT incresed after recovery of secondary header +# TODO: check epoch is NOT increased after recovery of secondary header # these tests auto-correct json in-memory only. It'll get fixed on-disk after write operation RUN luks2-argon2-leftover-params.img "R" "Failed to repair keyslot with old argon2 parameters." 
@@ -201,6 +204,7 @@ RUN luks2-segment-wrong-flags.img "F" "Failed to detect invalid flags field" RUN luks2-segment-wrong-flags-element.img "F" "Failed to detect invalid flags content" RUN luks2-segment-wrong-backup-key-0.img "F" "Failed to detect gap in backup segments" RUN luks2-segment-wrong-backup-key-1.img "F" "Failed to detect gap in backup segments" +RUN luks2-segment-crypt-empty-encryption.img "F" "Failed to detect empty encryption field" echo "[6] Test metadata size and keyslots size (config section)" RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section" @@ -232,6 +236,14 @@ RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secon RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected" RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected" +echo "[7] Test invalid metadata object property" +RUN luks2-invalid-tokens.img "F" "Invalid tokens objects not rejected" +RUN luks2-invalid-top-objects.img "F" "Invalid top-level objects not rejected" +RUN luks2-keyslot-invalid-area.img "F" "Invalid keyslot area object not rejected" +RUN luks2-keyslot-invalid-area-size.img "F" "Invalid keyslot area size that can overflow not rejected" +RUN luks2-keyslot-invalid-objects.img "F" "Invalid keyslot objects not rejected" +RUN luks2-keyslot-invalid-af.img "F" "Invalid keyslot objects types not rejected" + remove_mapping test $FAILS -eq 0 || fail "($FAILS wrong result(s) in total)" diff --git a/tests/luks2_header_requirements.tar.xz b/tests/luks2_header_requirements.tar.xz new file mode 100644 index 0000000..b198fd5 Binary files /dev/null and b/tests/luks2_header_requirements.tar.xz differ diff --git a/tests/luks2_header_requirements.xz b/tests/luks2_header_requirements.xz deleted file mode 100644 index eaaa73c..0000000 Binary files a/tests/luks2_header_requirements.xz and /dev/null differ 
diff --git a/tests/luks2_header_requirements_free.xz b/tests/luks2_header_requirements_free.xz deleted file mode 100644 index 7617ee6..0000000 Binary files a/tests/luks2_header_requirements_free.xz and /dev/null differ diff --git a/tests/mode-test b/tests/mode-test index d16482f..82171fb 100755 --- a/tests/mode-test +++ b/tests/mode-test @@ -8,6 +8,7 @@ DEV_NAME=dmc_test HEADER_IMG=mode-test.img PASSWORD=3xrododenron PASSWORD1=$PASSWORD +FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" # cipher-chainmode-ivopts:ivmode CIPHERS="aes twofish serpent" @@ -16,16 +17,16 @@ IVMODES="null benbi plain plain64 essiv:sha256" LOOPDEV=$(losetup -f 2>/dev/null) +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + dmremove() { # device udevadm settle >/dev/null 2>&1 dmsetup remove --retry $1 >/dev/null 2>&1 } cleanup() { - for dev in $(dmsetup status --target crypt | sed s/\:\ .*// | grep "^$DEV_NAME"_); do - dmremove $dev - sleep 2 - done + [ -b /dev/mapper/"$DEV_NAME"_tstdev ] && dmremove "$DEV_NAME"_tstdev [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME losetup -d $LOOPDEV >/dev/null 2>&1 rm -f $HEADER_IMG >/dev/null 2>&1 @@ -46,6 +47,19 @@ skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + + add_device() { cleanup dd if=/dev/zero of=$HEADER_IMG bs=1M count=6 >/dev/null 2>&1 
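Review bot: `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"` in the new valgrind_setup of tests/mode-test leaves a trailing colon when LD_LIBRARY_PATH is unset, and the dynamic loader reads a zero-length entry as the current working directory. The script requires root, so library lookup should not depend on whichever directory it happens to be in; `export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids the empty entry. The same function is added verbatim to tests/password-hash-test and tests/reencryption-compat-test later in this diff. `[ ! -f $CRYPTSETUP_VALGRIND ]` would also be safer as `[ ! -f "$CRYPTSETUP_VALGRIND" ]`.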
@@ -113,14 +127,14 @@ dmcrypt() echo -n "[n/a]" fi - echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 -i 1 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1 + echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e " LUKS1:" echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail dmcrypt_check "$DEV_NAME"_tstdev $OUT fi - echo $PASSWORD | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 -i 1 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME >/dev/null 2>&1 + echo $PASSWORD | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 $FAST_PBKDF2 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e " LUKS2:" echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail @@ -138,6 +152,8 @@ dmcrypt() [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped." +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run add_device diff --git a/tests/password-hash-test b/tests/password-hash-test index 90ee704..6e3c78c 100755 --- a/tests/password-hash-test +++ b/tests/password-hash-test @@ -9,6 +9,9 @@ KEY_FILE=keyfile DEV2=$DEV_NAME"_x" +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs + dmremove() { # device udevadm settle >/dev/null 2>&1 dmsetup remove --retry $1 >/dev/null 2>&1 
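Review bot: The LUKS2 luksFormat line in dmcrypt() now passes `--pbkdf pbkdf2 $FAST_PBKDF2`, but `FAST_PBKDF2` already expands to `--pbkdf pbkdf2 --pbkdf-force-iterations 1000`, so the option is given twice. Dropping the literal keeps it parallel with the LUKS1 line above: `$CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF2 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME`. The body of dmcrypt() starts and ends outside the hunk.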
@@ -29,6 +32,24 @@ function fail() cleanup 2 } +skip() +{ + echo "TEST SKIPPED: $1" + cleanup 77 +} + +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + crypt_key() # hash keysize pwd/file name outkey [limit] [offset] { DEV2=$DEV_NAME"_x" @@ -75,7 +96,7 @@ crypt_key() # hash keysize pwd/file name outkey [limit] [offset] esac # ignore these cases, not all libs/kernel supports it - if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then + if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then if [ $ret -ne 0 ] ; then echo " [N/A] ($ret, SKIPPED)" return @@ -95,6 +116,8 @@ crypt_key() # hash keysize pwd/file name outkey [limit] [offset] dmremove $DEV2 } +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run if [ $(id -u) != 0 ]; then echo "WARNING: You must be root to run this test, test skipped." exit 77 diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test index 755398d..453831d 100755 --- a/tests/reencryption-compat-test +++ b/tests/reencryption-compat-test 
@@ -2,14 +2,20 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -REENC=$CRYPTSETUP_PATH/cryptsetup-reencrypt -FAST_PBKDF="--pbkdf-force-iterations 1000" +REENC_BIN=$CRYPTSETUP +REENC="$REENC_BIN reencrypt" +FAST_PBKDF="--pbkdf-force-iterations 1000 --pbkdf pbkdf2" + +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_LIB_VALGRIND=../.libs DEV_NAME=reenc9768 DEV_NAME2=reenc1273 IMG=reenc-data IMG_HDR=$IMG.hdr +HEADER_LUKS2_PV=blkid-luks2-pv.img ORIG_IMG=reenc-data-orig +DEV_LINK="reenc-test-link" KEY1=key1 PWD1="93R4P4pIqAH8" PWD2="1cND4319812f" @@ -17,6 +23,12 @@ PWD3="1-9Qu5Ejfnqv" MNT_DIR=./mnt_luks START_DIR=$(pwd) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] +} function del_scsi_device() { @@ -29,7 +41,7 @@ function remove_mapping() [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 - rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1 + rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1 umount $MNT_DIR > /dev/null 2>&1 rmdir $MNT_DIR > /dev/null 2>&1 LOOPDEV1="" @@ -52,6 +64,18 @@ function skip() exit 77 } +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + function add_scsi_device() { del_scsi_device if [ -d /sys/module/scsi_debug ] ; then 
@@ -215,9 +239,21 @@ function test_logging() { echo } +function check_blkid() { + xz -dkf $HEADER_LUKS2_PV.xz + if ! $($CRYPTSETUP --version | grep -q "BLKID"); then + HAVE_BLKID=0 + elif $(blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1); then + HAVE_BLKID=1 + else + HAVE_BLKID=0 + fi +} + [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." -[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped." -which wipefs >/dev/null 2>&1 || skip "Cannot find wipefs, test skipped." +[ ! -x "$REENC_BIN" ] && skip "Cannot find $REENC_BIN, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run +command -v wipefs >/dev/null || skip "Cannot find wipefs, test skipped." # REENCRYPTION tests 
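Review bot: With VALG set, `[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run` reroutes only `$CRYPTSETUP`; `REENC` was already expanded to `$REENC_BIN reencrypt` at the top of the script, so every reencrypt call in this test still runs the plain binary outside valgrind. Reassigning it in the same chain would cover them, for example `... && CRYPTSETUP=valgrind_run && REENC="valgrind_run reencrypt"`, after checking any helper outside this hunk that treats `$REENC` as a file path. Separately, the `$( … )` wrappers in check_blkid are unnecessary; `if ! $CRYPTSETUP --version | grep -q "BLKID"; then` tests the pipeline's exit status directly.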
@@ -232,17 +268,17 @@ prepare 8192 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c aes-cbc-plain $FAST_PBKDF --align-payload 4096 $LOOPDEV1 || fail wipe $PWD1 check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF || fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 $FAST_PBKDF || fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF || fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q --use-directio $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q --use-directio $FAST_PBKDF || fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q --master-key-file /dev/urandom $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q --volume-key-file /dev/urandom $FAST_PBKDF || fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q -s 512 --master-key-file /dev/urandom $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q -s 512 --volume-key-file /dev/urandom $FAST_PBKDF || fail check_hash $PWD1 $HASH1 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail 
@@ -268,10 +304,24 @@ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail # FIXME echo $PWD1 | $REENC ... echo "[4] Encryption of not yet encrypted device" +# Encrypt without size reduction must not allow header device same as data device +wipe_dev $LOOPDEV1 +echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail +ln -s $LOOPDEV1 $DEV_LINK || fail +echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail +rm -f $DEV_LINK || fail +echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail +ln -s $IMG $DEV_LINK || fail +echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail +$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail + +if [ ! fips_mode ]; then # well, movin' zeroes :-) OFFSET=2048 SIZE=$(blockdev --getsz $LOOPDEV1) -wipe_dev $LOOPDEV1 dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3 dmsetup remove --retry $DEV_NAME2 || fail @@ -294,6 +344,7 @@ OFFSET=4096 echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail wipe_dev $LOOPDEV1 +fi echo "[5] Reencryption using specific keyslot" echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail 
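Review bot: `if [ ! fips_mode ]; then` never calls the fips_mode function: inside `[ ]` the word is only a non-empty string, so the test is always false and the guarded block is skipped on every system, FIPS or not. It should be `if ! fips_mode; then`. The same condition is added before "[10] Removal of encryption" in a later hunk, and its closing `fi # if [ ! fips_mode ]` wraps the new "[12] Prevent nested encryption" and "[13]" checks, so none of those regression tests currently run. The new negative tests above the guard also pass `$FAST_PBKDF_ARGON`, which the header of this script as shown in the diff does not define (only `FAST_PBKDF`); it presumably expands to nothing, which is worth confirming.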
@@ -338,21 +389,21 @@ simple_scsi_reenc "[4096/512 sector]" echo "[OK]" echo "[8] Header only reencryption (hash and iteration time)" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail wipe $PWD1 check_hash $PWD1 $HASH1 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail check_hash $PWD1 $HASH1 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --pbkdf-force-iterations 999 2>/dev/null && fail check_hash $PWD1 $HASH1 -echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --pbkdf-force-iterations 1001 +echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --pbkdf-force-iterations 1001 || fail check_hash $PWD1 $HASH1 [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1001 ] || fail [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -m1 "Hash spec:" | cut -f2)" = "sha256" ] || fail -echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha512 $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha512 $FAST_PBKDF || fail check_hash $PWD1 $HASH1 [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1000 ] || fail -echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key $FAST_PBKDF +echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key $FAST_PBKDF || fail check_hash $PWD1 $HASH1 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail @@ -367,6 +418,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3 test_logging "[4096/512 sector]" || fail test_logging_tmpfs || fail +if [ ! fips_mode ]; then echo "[10] Removal of encryption" prepare 8192 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail 
@@ -386,9 +438,9 @@ prepare 8192 check_hash_dev $IMG $HASH4 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR --new --type luks1 check_hash $PWD1 $HASH4 $IMG_HDR -echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR || fail check_hash $PWD1 $HASH4 $IMG_HDR -echo $PWD1 | $REENC $LOOPDEV1 -q --header $IMG_HDR --decrypt +echo $PWD1 | $REENC $LOOPDEV1 -q --header $IMG_HDR --decrypt || fail check_hash_dev $IMG $HASH4 # existing header of zero size cat /dev/null >$IMG_HDR 
@@ -397,5 +449,41 @@ check_hash $PWD1 $HASH4 $IMG_HDR $CRYPTSETUP isLuks $LOOPDEV1 && fail $CRYPTSETUP isLuks $IMG_HDR || fail +echo "[12] Prevent nested encryption" +prepare 8192 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail + +#data device is already LUKS device (prevent nested encryption) +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --reduce-device-size 1024S 2>/dev/null && fail +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --header $IMG_HDR 2>/dev/null && fail +test -f $IMG_HDR && fail +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --reduce-device-size 2048S 2>/dev/null && fail +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --header $IMG_HDR 2>/dev/null && fail +test -f $IMG_HDR && fail + +wipe_dev $LOOPDEV1 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --header $IMG_HDR $FAST_PBKDF $LOOPDEV1 || fail + +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --header $IMG_HDR 2>/dev/null && fail +echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --header $IMG_HDR 2>/dev/null && fail + +check_blkid +if [ "$HAVE_BLKID" -gt 0 ]; then + echo "[13] Prevent nested encryption of broken LUKS device" + rm -f $IMG_HDR + wipe_dev $LOOPDEV1 + xz -dkf $HEADER_LUKS2_PV.xz + # broken header + echo $PWD1 | $REENC --header $HEADER_LUKS2_PV $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail + $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail + # broken device + echo $PWD1 | $REENC $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 --reduce-device-size 1024S 2>/dev/null && fail + $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail + # broken data device only + echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail + test -f $IMG_HDR && fail +fi +fi # if [ ! fips_mode ] + remove_mapping exit 0 
diff --git a/tests/reencryption-compat-test2 b/tests/reencryption-compat-test2
deleted file mode 100755
index 3fb692b..0000000
--- a/tests/reencryption-compat-test2
+++ /dev/null
@@ -1,476 +0,0 @@ -#!/bin/bash - -[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." -CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -REENC=$CRYPTSETUP_PATH/cryptsetup-reencrypt -FAST_PBKDF_ARGON="--pbkdf argon2i --pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1" -FAST_PBKDF_PBKDF2="--pbkdf-force-iterations 1000 --pbkdf pbkdf2" - -DEV_NAME=reenc9768 -DEV_NAME2=reenc1273 -IMG=reenc-data -IMG_HDR=$IMG.hdr -ORIG_IMG=reenc-data-orig -KEY1=key1 -PWD1="93R4P4pIqAH8" -PWD2="1cND4319812f" -PWD3="1-9Qu5Ejfnqv" - -MNT_DIR=./mnt_luks -START_DIR=$(pwd) -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - -function fips_mode() -{ - [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] -} - -function dm_crypt_features() -{ - local VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) - [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." - - local VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) - local VER_MIN=$(echo $VER_STR | cut -f 2 -d.) - - [ $VER_MAJ -lt 1 ] && return - [ $VER_MAJ -eq 1 -a $VER_MIN -lt 11 ] && return - ALLOW_DISCARDS=--allow-discards - [ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return - PERF_CPU=--perf-same_cpu_crypt -} - -function del_scsi_device() -{ - rmmod scsi_debug >/dev/null 2>&1 - sleep 2 -} - -function remove_mapping() -{ - [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 - [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1 - umount $MNT_DIR > /dev/null 2>&1 - rmdir $MNT_DIR > /dev/null 2>&1 - del_scsi_device -} - -function fail() -{ - [ -n "$1" ] && echo "$1" - echo "FAILED backtrace:" - while caller $frame; do ((frame++)); done - cd $START_DIR - remove_mapping - exit 2 -} - -function skip() -{ - [ -n "$1" ] && echo "$1" - exit 77 -} - -function add_scsi_device() { - del_scsi_device - if [ -d /sys/module/scsi_debug ] ; then - echo "Cannot use scsi_debug module (in use or compiled-in), test skipped." 
- exit 77 - fi - modprobe scsi_debug $@ delay=0 >/dev/null 2>&1 - if [ $? -ne 0 ] ; then - echo "This kernel seems to not support proper scsi_debug module, test skipped." - exit 77 - fi - - sleep 2 - SCSI_DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) - [ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV." -} - -function open_crypt() # $1 pwd, $2 hdr -{ - if [ -n "$2" ] ; then - echo "$1" | $CRYPTSETUP luksOpen $IMG $DEV_NAME --header $2 || fail - elif [ -n "$1" ] ; then - echo "$1" | $CRYPTSETUP luksOpen $IMG $DEV_NAME || fail - else - $CRYPTSETUP luksOpen -d $KEY1 $IMG $DEV_NAME || fail - fi -} - -function wipe_dev() # $1 dev -{ - dd if=/dev/zero of=$1 bs=256k conv=notrunc >/dev/null 2>&1 -} - -function wipe() # $1 pass -{ - open_crypt $1 - wipe_dev /dev/mapper/$DEV_NAME - udevadm settle >/dev/null 2>&1 - $CRYPTSETUP luksClose $DEV_NAME || fail -} - -function prepare() # $1 dev1_siz -{ - remove_mapping - - dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1 - - if [ ! 
-e $KEY1 ]; then - dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1 - fi -} - -function check_hash_dev() # $1 dev, $2 hash, $3 size -{ - if [ -n "$3" ]; then - HASH=$(head -c $3 $1 | sha256sum | cut -d' ' -f 1) - else - HASH=$(sha256sum $1 | cut -d' ' -f 1) - fi - [ $HASH != "$2" ] && fail "HASH differs ($HASH)" -} - -function check_hash() # $1 pwd, $2 hash, $3 hdr -{ - open_crypt $1 $3 - check_hash_dev /dev/mapper/$DEV_NAME $2 - $CRYPTSETUP remove $DEV_NAME || fail -} - -function backup_orig() -{ - sync - cp $IMG $ORIG_IMG -} - -function rollback() -{ - sync - cp $ORIG_IMG $IMG -} - -function check_slot() #space separated list of active key slots -{ - local _out=$($CRYPTSETUP luksDump $IMG | grep -e ": luks2" | sed -e 's/[[:space:]]*\([0-9]\+\):.*/\1/g') - - local _req - local _hdr - local _j - - for _i in $*; do - _j=$((_i)) - _req="$_req $_j" - done - - for _i in $_out; do - _j=$((_i)) - _hdr="$_hdr $_j" - done - - test "$_req" = "$_hdr" -} - -function simple_scsi_reenc() -{ - echo -n "$1" - echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_ARGON $SCSI_DEV || fail - - echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail - HASH=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1) - $CRYPTSETUP luksClose $DEV_NAME || fail - - echo $PWD1 | $REENC -q $FAST_PBKDF_ARGON $SCSI_DEV || fail - - echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail - check_hash_dev /dev/mapper/$DEV_NAME $HASH - $CRYPTSETUP luksClose $DEV_NAME || fail -} - -function mount_and_test() { - test -d $MNT_DIR || mkdir -p $MNT_DIR - mount $@ $MNT_DIR 2>/dev/null || { - echo -n "failed to mount [SKIP]" - return 0 - } - rm $MNT_DIR/* 2>/dev/null - cd $MNT_DIR - - if [ "${REENC:0:1}" != "/" ] ; then - MNT_REENC=$START_DIR/$REENC - else - MNT_REENC=$REENC - fi - echo $PWD2 | $MNT_REENC $START_DIR/$IMG -q --use-fsync --use-directio --write-log $FAST_PBKDF_ARGON || return 1 - cd $START_DIR - umount $MNT_DIR - echo -n [OK] -} - -function test_logging_tmpfs() { - echo 
-n "[tmpfs]" - mount_and_test -t tmpfs none -o size=$[25*1024*1024] || return 1 - echo -} - -function test_logging() { - echo -n "$1:" - for img in $(ls img_fs*img.xz) ; do - wipefs -a $SCSI_DEV > /dev/null - echo -n "[${img%.img.xz}]" - xz -d -c $img | dd of=$SCSI_DEV bs=4k >/dev/null 2>&1 - mount_and_test $SCSI_DEV || return 1 - done - echo -} - -[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." -[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped." -which wipefs >/dev/null || skip "Cannot find wipefs, test skipped." -fips_mode && skip "This test cannot be run in FIPS mode." - -# REENCRYPTION tests - -HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c -HASH4=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74 -HASH5=bb9f8df61474d25e71fa00722318cd387396ca1736605e1248821cc0de3d3af8 -HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae -HASH7=5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef - -echo "[1] Reencryption" -prepare 8192 -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-plain $FAST_PBKDF_ARGON --offset 8192 $IMG || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q -s 256 $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --use-directio $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --master-key-file /dev/urandom $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q -s 512 --master-key-file /dev/urandom $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --luks2-metadata-size 128k -c aes-cbc-plain $FAST_PBKDF_ARGON --offset 8192 $IMG > /dev/null || fail 
-wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON > /dev/null || fail -check_hash $PWD1 $HASH5 -MDA_SIZE=$($CRYPTSETUP luksDump $IMG | grep "Metadata area: " | cut -f 3 -d ' ') -test "$MDA_SIZE" -eq 131072 || fail "Unexpected Metadata area size $MDA_SIZE" - -echo "[2] Reencryption with data shift" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF_ARGON --offset 8192 $IMG || fail -wipe $PWD1 -echo $PWD1 | $REENC $IMG -q -s 256 --reduce-device-size 1024S $FAST_PBKDF_ARGON || fail -check_hash $PWD1 $HASH6 -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON || fail -check_hash $PWD1 $HASH6 -$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail - -echo "[3] Reencryption with keyfile" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF_ARGON --offset 8192 $IMG || fail -wipe -check_hash "" $HASH5 -echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $IMG $FAST_PBKDF_ARGON || fail -$REENC $IMG -d $KEY1 $FAST_PBKDF_ARGON -q 2>/dev/null && fail -$REENC $IMG -d $KEY1 -S 0 $FAST_PBKDF_ARGON -q || fail -check_hash "" $HASH5 -check_slot 0 || fail "Only keyslot 0 expected to be enabled" -$REENC $IMG -d $KEY1 $FAST_PBKDF_ARGON -q || fail -$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail -# FIXME echo $PWD1 | $REENC ... 
- -echo "[4] Encryption of not yet encrypted device" -# well, movin' zeroes :-) -OFFSET=8192 # default LUKS2 header size -prepare 8192 -check_hash_dev $IMG $HASH4 -echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON || fail -check_hash $PWD1 $HASH5 -$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail -# 64MiB + 1 KiB -prepare 65537 -OFFSET=131072 -check_hash_dev $IMG $HASH7 1024 -echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON || fail -check_hash $PWD1 $HASH7 -$CRYPTSETUP --type luks2 luksDump $IMG > /dev/null || fail -prepare 8192 - -echo "[5] Reencryption using specific keyslot" -echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 1 $IMG || fail -echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 2 $IMG || fail -echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 3 $IMG || fail -echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 4 $IMG || fail -echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 5 $IMG || fail -echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 6 $IMG || fail -echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 22 $IMG || fail -backup_orig -echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 0 -q $IMG || fail -check_slot 0 || fail "Only keyslot 0 expected to be enabled" -wipe $PWD2 -rollback -echo $PWD1 | $REENC $FAST_PBKDF_ARGON -S 1 -q $IMG || fail -check_slot 1 || fail "Only keyslot 1 expected to be enabled" -wipe $PWD1 -rollback -echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 6 -q $IMG || fail -check_slot 6 || fail "Only keyslot 6 expected to be enabled" -wipe $PWD2 -rollback -echo $PWD3 | $REENC $FAST_PBKDF_ARGON -S 22 -q $IMG || fail -check_slot 22 || fail 
"Only keyslot 22 expected to be enabled" -wipe $PWD3 -rollback - -echo "[6] Reencryption using all active keyslots" -echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $IMG $FAST_PBKDF_ARGON || fail -check_slot 0 1 2 3 4 5 6 22 || fail "All keyslots expected to be enabled" - -echo "[7] Reencryption of block devices with different block size" -add_scsi_device sector_size=512 dev_size_mb=32 -simple_scsi_reenc "[512 sector]" -add_scsi_device sector_size=4096 dev_size_mb=32 -simple_scsi_reenc "[4096 sector]" -add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=32 -simple_scsi_reenc "[4096/512 sector]" -echo "[OK]" - -echo "[8] Header only reencryption (hash and iteration time)" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --keep-key || fail -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 999 2>/dev/null && fail -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf-force-iterations 3 2>/dev/null && fail -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf-force-iterations 4 --pbkdf-memory 31 2>/dev/null && fail -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --hash sha512 -check_hash $PWD1 $HASH5 -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep PBKDF: | sed -e 's/[[:space:]]\+PBKDF:\ \+//g')" = "pbkdf2" ] || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Hash: | sed -e 's/[[:space:]]\+Hash:\ \+//g')" = "sha512" ] || fail -echo $PWD1 | $REENC $IMG -q --keep-key $FAST_PBKDF_ARGON -check_hash $PWD1 $HASH5 -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep PBKDF: | sed -e 's/[[:space:]]\+PBKDF:\ \+//g')" = argon2i ] || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Time cost" | sed -e 
's/[[:space:]]\+Time\ cost:\ \+//g')" -eq 4 ] || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Memory | sed -e 's/[[[:space:]]\+Memory:\ \+//g')" -eq 32 ] || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Threads | sed -e 's/[[[:space:]]\+Threads:\ \+//g')" -eq 1 ] || fail -echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey -S21 $FAST_PBKDF_ARGON $IMG || fail -echo $PWD2 | $REENC -S21 -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 1000 $IMG || fail -check_hash $PWD2 $HASH5 -check_slot 21 || fail "Only keyslot 21 expected to be enabled" -$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail - -echo "[9] Test log I/Os on various underlying block devices" -echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -add_scsi_device sector_size=512 dev_size_mb=32 -test_logging "[512 sector]" || fail -add_scsi_device sector_size=4096 dev_size_mb=32 -test_logging "[4096 sector]" || fail -add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3 -test_logging "[4096/512 sector]" || fail -test_logging_tmpfs || fail - -echo "[10] Removal of encryption" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --decrypt || fail -check_hash_dev $IMG $HASH4 - -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $REENC $IMG -q --decrypt || fail -check_hash_dev $IMG $HASH4 - -echo "[11] Reencryption with tokens" -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey -S23 $FAST_PBKDF_ARGON $IMG || fail -echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey -S1 $FAST_PBKDF_ARGON $IMG || fail -echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey -S3 
$FAST_PBKDF_ARGON $IMG || fai -$CRYPTSETUP token add --key-description key-name0 --key-slot 23 --token-id 0 $IMG -$CRYPTSETUP token add --key-description key-name2 --key-slot 1 --token-id 2 $IMG -$CRYPTSETUP token add --key-description key-name31 --token-id 31 $IMG -echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 3 || fail -echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 23 -q $IMG || fail -$CRYPTSETUP luksDump $IMG | grep "0: luks2-keyring" >/dev/null || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A2 -m1 "0: luks2-keyring" | grep Keyslot: | sed -e 's/[[[:space:]]\+Keyslot:\ \+//g')" -eq 23 ] || fail -$CRYPTSETUP luksDump $IMG | grep "2: luks2-keyring" >/dev/null || fail -$CRYPTSETUP luksDump $IMG | grep "31: luks2-keyring" >/dev/null || fail -[ "$($CRYPTSETUP luksDump $IMG | grep -A2 -m1 "31: luks2-keyring" | grep Keyslot: | sed -e 's/[[[:space:]]\+Keyslot:\ \+//g')" -eq 23 ] || fail - -echo "[12] Reencryption with persistent flags" -dm_crypt_features -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME $ALLOW_DISCARDS $PERF_CPU --persistent || fail -$CRYPTSETUP close $DEV_NAME || fail -echo $PWD1 | $REENC $FAST_PBKDF_ARGON -q $IMG || fail -if [ -n "$PERF_CPU" ]; then - $CRYPTSETUP luksDump $IMG | grep -m1 Flags: | grep same-cpu-crypt > /dev/null || fail -fi -if [ -n "$ALLOW_DISCARDS" ]; then - $CRYPTSETUP luksDump $IMG | grep -m1 Flags: | grep allow-discards > /dev/null || fail -fi - -echo "[13] Detached header - adding encryption/reencryption/decryption" -prepare 8192 -check_hash_dev $IMG $HASH4 -echo $PWD1 | $REENC --type luks2 $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR --new -check_hash $PWD1 $HASH4 $IMG_HDR -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR -check_hash $PWD1 $HASH4 $IMG_HDR -echo $PWD1 | $REENC $IMG -q --header $IMG_HDR --decrypt -check_hash_dev $IMG $HASH4 -# existing header of zero size -cat /dev/null 
>$IMG_HDR -echo $PWD1 | $REENC --type luks2 $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR --new -check_hash $PWD1 $HASH4 $IMG_HDR -$CRYPTSETUP isLuks $IMG && fail -$CRYPTSETUP isLuks $IMG_HDR || fail -$CRYPTSETUP luksDump $IMG_HDR | grep -q "0: luks2" || fail - -echo "[14] Reencryption with unbound keyslot" -prepare 8192 -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail -echo $PWD2 | $CRYPTSETUP -q luksAddKey -S 3 --unbound --key-size 64 $FAST_PBKDF_ARGON $IMG || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -$CRYPTSETUP luksDump $IMG | grep -q "3: luks2 (unbound)" || fail -echo $PWD2 | $REENC $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail -echo -e "$PWD1\n$PWD2" | $REENC $IMG -q $FAST_PBKDF_ARGON || fail -$CRYPTSETUP luksDump $IMG | grep -q "3: luks2 (unbound)" || fail - -echo "[15] Reencryption after conversion" -prepare 8192 -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_PBKDF2 $IMG --offset 4096 || fail -wipe $PWD1 -check_hash $PWD1 $HASH1 -$CRYPTSETUP -q convert --type luks2 $IMG || fail -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail -check_hash $PWD1 $HASH1 -echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $FAST_PBKDF_PBKDF2 $IMG --offset 8192 || fail -wipe $PWD1 -check_hash $PWD1 $HASH5 -$CRYPTSETUP -q convert --type luks1 $IMG || fail -echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail -check_hash $PWD1 $HASH5 - -remove_mapping -exit 0 diff --git a/tests/ssh-plugin-test b/tests/ssh-plugin-test deleted file mode 100755 index 4a78679..0000000 --- a/tests/ssh-plugin-test +++ /dev/null 
@@ -1,182 +0,0 @@ -#!/bin/bash - -[ -z "$CRYPTSETUP_PATH" ] && { - export LD_PRELOAD=./fake_token_path.so - CRYPTSETUP_PATH=".." -} -CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh -IMG="ssh_test.img" -MAP="sshtest" -USER="sshtest" -PASSWD="sshtest" -PASSWD2="sshtest2" -LOOPDEV=$(losetup -f 2>/dev/null) -SSH_OPTIONS="-o StrictHostKeyChecking=no" - -SSH_SERVER="localhost" -SSH_PATH="/home/$USER/keyfile" -SSH_KEY_PATH="$HOME/sshtest-key" - -FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - -[ -z "$srcdir" ] && srcdir="." - -function remove_mapping() -{ - [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP - losetup -d $LOOPDEV >/dev/null 2>&1 - rm -f $IMG >/dev/null 2>&1 -} - -function remove_user() -{ - id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1 - rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1 -} - -function create_user() -{ - id -u $USER >/dev/null 2>&1 - [ $? -eq 0 ] && skip "User account $USER exists, aborting." - [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting." - - useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test." - - ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1 - [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key." -} - -function ssh_check() -{ - # try to use netcat to check port 22 - nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping." -} - -function bin_check() -{ - which $1 >/dev/null 2>&1 || skip "WARNING: test require $1 binary, test skipped." -} - -function ssh_setup() -{ - # .ssh is used by ssh-copy-id for temp files so it must exist even if key is not there - [ -d "$HOME/.ssh" ] || mkdir -m 700 $HOME/.ssh - - # ssh-copy-id - sshpass -p $PASSWD ssh-copy-id -i $SSH_KEY_PATH $SSH_OPTIONS $USER@$SSH_SERVER >/dev/null 2>&1 - [ $? -ne 0 ] && remove_user && skip "Failed to copy SSH key." 
- - # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions - chown -R $USER:$USER /home/$USER/.ssh - chmod 700 /home/$USER/.ssh - chmod 644 /home/$USER/.ssh/authorized_keys - - # try to ssh and also create keyfile - ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER -f "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1 - [ $? -ne 0 ] && remove_user && skip "Failed to connect using SSH." -} - -function fail() -{ - echo "[FAILED]" - [ -n "$1" ] && echo "$1" - echo "FAILED backtrace:" - while caller $frame; do ((frame++)); done - remove_mapping - remove_user - exit 2 -} - -function skip() -{ - [ -n "$1" ] && echo "$1" - remove_mapping - exit 77 -} - -format() -{ - dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1 - sync - losetup $LOOPDEV $IMG - - echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV --force-password -q - [ $? -ne 0 ] && fail "Format failed." - - echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -q - [ $? -ne 0 ] && fail "Add key failed." -} - -check_dump() -{ - dump=$1 - keyslot=$2 - - token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ") - [ "$token" = "ssh" ] || fail " token check from dump failed." - - server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ") - [ "$server" = $SSH_SERVER ] || fail " server check from dump failed." - - user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ") - [ "$user" = "$USER" ] || fail " user check from dump failed." - - path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ") - [ "$path" = "$SSH_PATH" ] || fail " path check from dump failed." - - key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ") - [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed." 
- - keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ") - [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed." -} - -[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." - -# Prevent running dangerous useradd operation by default -[ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped." - -bin_check nc -bin_check useradd -bin_check ssh -bin_check ssh-keygen -bin_check sshpass -bin_check openssl - -format - -echo -n "Adding SSH token: " - -ssh_check -create_user -ssh_setup - -$CRYPTSETUP_SSH add $LOOPDEV --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH -[ $? -ne 0 ] && fail "Failed to add SSH token to $LOOPDEV" - -out=$($CRYPTSETUP luksDump $LOOPDEV) -check_dump "$out" 0 -echo "[OK]" - -echo -n "Activating using SSH token: " - -$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $LOOPDEV $MAP && fail "Tokens should be disabled" -$CRYPTSETUP luksOpen -r $LOOPDEV $MAP -q >/dev/null 2>&1 <&- -[ $? -ne 0 ] && fail "Failed to open $LOOPDEV using SSH token" -echo "[OK]" - -# Remove the newly added token and test adding with --key-slot -$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail "Failed to remove token" - -echo -n "Adding SSH token with --key-slot: " - -$CRYPTSETUP_SSH add $LOOPDEV --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 -[ $? -ne 0 ] && fail "Failed to add SSH token to $LOOPDEV" - -out=$($CRYPTSETUP luksDump $LOOPDEV) -check_dump "$out" 1 -echo "[OK]" - -remove_mapping -remove_user diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin new file mode 100755 index 0000000..5b3966e --- /dev/null +++ b/tests/ssh-test-plugin 
@@ -0,0 +1,204 @@
+#!/bin/bash
+
+[ -z "$CRYPTSETUP_PATH" ] && {
+ TOKEN_PATH="./fake_token_path.so"
+ [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; }
+ export LD_PRELOAD=$TOKEN_PATH
+ CRYPTSETUP_PATH=".."
+}
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
+IMG="ssh_test.img"
+MAP="sshtest"
+USER="sshtest"
+PASSWD="sshtest1"
+PASSWD2="sshtest2"
+SSH_OPTIONS="-o StrictHostKeyChecking=no"
+
+SSH_SERVER="localhost"
+SSH_PATH="/home/$USER/keyfile"
+SSH_KEY_PATH="$HOME/sshtest-key"
+
+FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh
+CRYPTSETUP_LIB_VALGRIND=../.libs
+
+[ -z "$srcdir" ] && srcdir="."
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
+ rm -f $IMG >/dev/null 2>&1
+}
+
+function remove_user()
+{
+ id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1
+ rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1
+}
+
+function create_user()
+{
+ id -u $USER >/dev/null 2>&1
+ [ $? -eq 0 ] && skip "User account $USER exists, aborting."
+ [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting."
+
+ useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test."
+
+ ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1
+ [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key."
+}
+
+function ssh_check()
+{
+ # try to use netcat to check port 22
+ nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping."
+}
+
+function bin_check()
+{
+ command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
+}
+
+function ssh_setup()
+{
+ # copy the ssh key
+ [ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh
+ touch /home/$USER/.ssh/authorized_keys
+
+ cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys
+ [ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key."
+
+ # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions
+ chown -R $USER:$USER /home/$USER/.ssh
+ chmod 700 /home/$USER/.ssh
+ chmod 644 /home/$USER/.ssh/authorized_keys
+
+ # try to ssh and also create keyfile
+ ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1
+ [ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH."
+}
+
+function fail()
+{
+ echo "[FAILED]"
+ [ -n "$1" ] && echo "$1"
+ echo "FAILED backtrace:"
+ while caller $frame; do ((frame++)); done
+ remove_mapping
+ remove_user
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ remove_mapping
+ exit 77
+}
+
+function valgrind_setup()
+{
+ command -v valgrind >/dev/null || fail "Cannot find valgrind."
+ [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+ [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable."
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+}
+
+function valgrind_run()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+}
+
+function valgrind_run_ssh()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@"
+}
+
+format()
+{
+ dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
+
+ echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
+ [ $? -ne 0 ] && fail "Format failed."
+
+ echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q
+ [ $? -ne 0 ] && fail "Add key failed."
+}
+
+check_dump()
+{
+ dump=$1
+ keyslot=$2
+
+ token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
+ [ "$token" = "ssh" ] || fail " token check from dump failed."
+
+ server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ")
+ [ "$server" = $SSH_SERVER ] || fail " server check from dump failed."
+
+ user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ")
+ [ "$user" = "$USER" ] || fail " user check from dump failed."
+
+ path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ")
+ [ "$path" = "$SSH_PATH" ] || fail " path check from dump failed."
+
+ key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ")
+ [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed."
+
+ keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ")
+ [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
+}
+
+[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+
+# Prevent running dangerous useradd operation by default
+[ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped."
+
+bin_check nc
+bin_check useradd
+bin_check ssh
+bin_check ssh-keygen
+bin_check sshpass
+bin_check openssl
+
+format
+
+echo -n "Adding SSH token: "
+
+ssh_check
+create_user
+ssh_setup
+
+$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH
+[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
+
+out=$($CRYPTSETUP luksDump $IMG)
+check_dump "$out" 0
+echo "[OK]"
+
+echo -n "Activating using SSH token: "
+
+$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled"
+$CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&-
+[ $? -ne 0 ] && fail "Failed to open $IMG using SSH token"
+echo "[OK]"
+
+# Remove the newly added token and test adding with --key-slot
+$CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token"
+
+echo -n "Adding SSH token with --key-slot: "
+
+$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1
+[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
+
+out=$($CRYPTSETUP luksDump $IMG)
+check_dump "$out" 1
+echo "[OK]"
+
+remove_mapping
+remove_user
diff --git a/tests/systemd-test-plugin b/tests/systemd-test-plugin
new file mode 100755
index 0000000..5f37324
--- /dev/null
+++ b/tests/systemd-test-plugin
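Review bot: `create_user` in tests/ssh-test-plugin still gives the `sshtest` account the fixed password from `PASSWD="sshtest1"`, although this version installs the public key by appending to `authorized_keys` and never calls `sshpass`; for the duration of the test a root-created account with a published password exists on a host where sshd is listening. Creating the account without a usable password keeps the key-based flow and removes that exposure, e.g. `useradd -m $USER -p '*' || skip "Failed to add user for SSH plugin test."` (this assumes sshd on the test hosts accepts key logins for such an account, which is worth confirming). `bin_check sshpass` and `bin_check openssl` could then be dropped as stale requirements. There is also no `trap`, so an interrupted run leaves the account and key behind; a `trap remove_user EXIT` set after `create_user` succeeds would cover that.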
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+CC="cc"
+
+PASSWD="tpm2_test"
+PASSWD2="tpm2_test2"
+FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+IMG=systemd_token_test.img
+MAP="systemd_tpm2_test"
+
+function bin_check()
+{
+ command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
+}
+
+function cleanup() {
+ [ -S $SWTPM_STATE_DIR/ctrl.sock ] && {
+ # shutdown TPM via control socket
+ swtpm_ioctl -s --unix $SWTPM_STATE_DIR/ctrl.sock
+ sleep 1
+ }
+
+ # if graceful shutdown was successful, pidfile should be deleted
+ # if it is still present, we forcefully kill the process
+ [ -f "$SWTPM_PIDFILE" ] && {
+ kill -9 $(cat $SWTPM_PIDFILE) >/dev/null 2>&1
+ }
+
+ [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
+
+ rm -f $SWTPM_PIDFILE >/dev/null 2>&1
+ rm -rf $SWTPM_STATE_DIR >/dev/null 2>&1
+ rm -f $IMG >/dev/null 2>&1
+}
+
+function fail()
+{
+ echo "[FAILED]"
+ [ -n "$1" ] && echo "$1"
+ echo "FAILED backtrace:"
+ while caller $frame; do ((frame++)); done
+ cleanup
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ cleanup
+ exit 77
+}
+
+# Prevent downloading and compiling systemd by default
+[ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SYSTEMD_PLUGIN_TEST must be defined, test skipped."
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+bin_check swtpm
+bin_check swtpm_ioctl
+
+CRYPTENROLL_LD_PRELOAD=""
+
+# if CRYPTSETUP_PATH is defined, we run against installed binaries,
+# otherwise we compile systemd tokens from source
+[ -z "$CRYPTSETUP_PATH" ] && {
+ bin_check git
+ bin_check meson
+ bin_check ninja
+ bin_check pkgconf
+
+ TOKEN_PATH=fake_token_path.so
+ [ -f $TOKEN_PATH ] || skip "Please compile $TOKEN_PATH."
+ INSTALL_PATH=$(pwd)/external-tokens/install
+ make -C .. install DESTDIR=$INSTALL_PATH
+ PC_FILE="$(find $INSTALL_PATH -name 'libcryptsetup.pc')"
+ sed -i "s/^prefix=/prefix=${INSTALL_PATH//\//\\\/}/g" "$PC_FILE"
+ export PKG_CONFIG_PATH=$(dirname $PC_FILE)
+
+ # systemd build system misses libcryptsetup.h if it is installed in non-default path
+ export CFLAGS="${CFLAGS:-} $(pkgconf --cflags libcryptsetup)"
+
+ SYSTEMD_PATH=$(pwd)/external-tokens/systemd
+ CRYPTSETUP_PATH=$(pwd)/..
+ SYSTEMD_CRYPTENROLL=$SYSTEMD_PATH/build/systemd-cryptenroll
+
+ mkdir -p $SYSTEMD_PATH
+ [ "$(ls -A $SYSTEMD_PATH)" ] || git clone --depth=1 https://github.com/systemd/systemd.git $SYSTEMD_PATH
+ cd $SYSTEMD_PATH
+ meson -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true build/ || skip "Failed to configure systemd via meson, some dependencies are probably missing."
+ ninja -C build/ systemd-cryptenroll libcryptsetup-token-systemd-tpm2.so || skip "Failed to build systemd."
+
+ cd $CRYPTSETUP_PATH/tests
+ cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so ../.libs/
+ cp $SYSTEMD_PATH/build/src/shared/*.so ../.libs/
+
+ export LD_PRELOAD="${LD_PRELOAD-}:$CRYPTSETUP_PATH/tests/$TOKEN_PATH"
+ CRYPTENROLL_LD_PRELOAD="$CRYPTSETUP_PATH/.libs/libcryptsetup.so"
+}
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+
+[ -z "$SYSTEMD_CRYPTENROLL" ] && {
+ bin_check systemd-cryptenroll
+ SYSTEMD_CRYPTENROLL="systemd-cryptenroll"
+}
+
+[ -z "$TPM_PATH" ] && {
+ echo "Setting up virtual TPM using swtpm..."
+ SWTPM_PIDFILE=$(mktemp /tmp/systemd_swtpm_pid.XXXXXX)
+ SWTPM_STATE_DIR=$(mktemp -d /tmp/systemd_swtpm_state.XXXXXX)
+ modprobe tpm_vtpm_proxy || skip "Failed to load tpm_vtpm_proxy kernel module, required for emulated TPM."
+ SWTPM_LOG=$(swtpm chardev --vtpm-proxy --tpm2 --tpmstate dir=$SWTPM_STATE_DIR -d --pid file=$SWTPM_PIDFILE --ctrl type=unixio,path=$SWTPM_STATE_DIR/ctrl.sock)
+ TPM_PATH=$(echo $SWTPM_LOG | grep -Eo '/dev/tpm([0-9])+' | sed 's/tpm/tpmrm/')
+ [ -z "$TPM_PATH" ] && skip "No TPM_PATH set and swtpm failed, test skipped."
+ sleep 1
+ echo "Virtual TPM set up at $TPM_PATH"
+}
+
+FAKE_TPM_PATH="$(pwd)/fake_systemd_tpm_path.so"
+[ -f $FAKE_TPM_PATH ] || skip "Please compile $FAKE_TPM_PATH."
+export LD_PRELOAD="$LD_PRELOAD:$FAKE_TPM_PATH"
+
+export TPM_PATH=$TPM_PATH
+echo "TPM path is $TPM_PATH"
+
+dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
+echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
+
+echo "Enrolling the device to TPM 2 using systemd-cryptenroll.."
+LD_PRELOAD="$LD_PRELOAD:$CRYPTENROLL_LD_PRELOAD" PASSWORD="$PASSWD" $SYSTEMD_CRYPTENROLL $IMG --tpm2-device=$TPM_PATH >/dev/null 2>&1
+
+$CRYPTSETUP luksDump $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)."
+echo "Activating the device via TPM2 external token.."
+$CRYPTSETUP open --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token."
+$CRYPTSETUP close $MAP >/dev/null 2>&1 || fail "Failed to close $MAP."
+
+echo "Adding passphrase via TPM2 token.."
+echo $PASSWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token."
+echo $PASSWD2 | $CRYPTSETUP open $IMG --test-passphrase --disable-external-tokens >/dev/null 2>&1 || fail "Failed to test passphrase added by tpm2 token."
+
+echo "Exporting and removing TPM2 token.."
+EXPORTED_TOKEN=$($CRYPTSETUP token export $IMG --token-id 0)
+$CRYPTSETUP token remove $IMG --token-id 0
+$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal."
+ +echo "Re-importing TPM2 token.." +echo $EXPORTED_TOKEN | $CRYPTSETUP token import $IMG --token-id 0 || fail "Failed to re-import deleted token." +$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token." + +cleanup +exit 0 diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test index f20981e..c0fc50a 100755 --- a/tests/tcrypt-compat-test +++ b/tests/tcrypt-compat-test @@ -37,7 +37,6 @@ function fail() function skip() { [ -n "$1" ] && echo "$1" - echo "Test skipped." remove_mapping exit 77 } @@ -67,9 +66,16 @@ function test_kdf() # hash fi } +function get_HASH_CIPHER() # filename +{ + # speed up the test by limiting options for hash and (first) cipher + HASH=$(echo $file | cut -d'-' -f3) + CIPHER=$(echo $file | cut -d'-' -f5) +} + function test_required() { - which lsblk >/dev/null 2>&1 || skip "WARNING: lsblk tool required." + command -v blkid >/dev/null || skip "blkid tool required, test skipped." echo "REQUIRED KDF TEST" test_kdf sha256 @@ -101,12 +107,12 @@ function test_required() test_one camellia xts 512 camellia test_one kuznyechik xts 512 kuznyechik - ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images." + ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images, test skipped." } function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -117,6 +123,7 @@ function valgrind_run() } export LANG=C +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ ! -d $TST_DIR ] && tar xJf $srcdir/tcrypt-images.tar.xz --no-same-owner [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run 
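Review bot: The `git clone --depth=1 https://github.com/systemd/systemd.git` step in tests/systemd-test-plugin takes whatever is at the tip of the default branch, and the script has already insisted on root by then, so unreviewed upstream code is configured, built and loaded through the copied `libcryptsetup-token-*.so` with root privileges. Pinning the checkout makes runs reproducible and bounds what a CI job executes, e.g. `git clone --depth=1 --branch <PINNED_TAG> https://github.com/systemd/systemd.git $SYSTEMD_PATH`, ideally followed by a comparison of `git rev-parse HEAD` with the expected commit id. Separately, the `$SYSTEMD_CRYPTENROLL` call discards both output and exit status, so an enrollment failure only shows up later as the "no tpm2-blob" message; appending `|| fail "Failed to enroll TPM2 token."` would report it where it happens.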
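Review bot: `get_HASH_CIPHER` in tests/tcrypt-compat-test is annotated as taking a filename and every caller passes `$file`, but the body reads the global `$file` rather than `$1`, so it works only because the loop variable happens to have that name. The `cut -d'-'` field numbers are also counted over the whole path, which appears to depend on `$TST_DIR` containing exactly one `-`. Using the argument and stripping the directory makes both explicit, e.g. `HASH=$(basename "$1" | cut -d'-' -f2)` and `CIPHER=$(basename "$1" | cut -d'-' -f4)`; these field numbers assume names shaped like the `-sha512-xts-aes` suffix matched later in the file and should be checked against the image set. The callers are in the following hunks.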
@@ -130,7 +137,8 @@ for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" SYS_OPT="" [[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system" - echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT $file >/dev/null || fail + get_HASH_CIPHER $file + echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null || fail if [[ $file =~ .*-sha512-xts-aes$ ]] ; then echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c aes $file >/dev/null || fail echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h xxxx $file 2>/dev/null && fail @@ -144,14 +152,16 @@ for file in $(ls $TST_DIR/vc_* $TST_DIR/vcpim_*) ; do echo -n " $file" PIM_OPT="" [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" - echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $PIM_OPT $file >/dev/null 2>&1 && fail + get_HASH_CIPHER $file + echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null 2>&1 && fail echo " [OK]" done echo "HEADER CHECK (HIDDEN)" for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do echo -n " $file (hidden)" - echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail + get_HASH_CIPHER $file + echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden -h $HASH -c $CIPHER $file >/dev/null || fail echo " [OK]" done @@ -161,7 +171,8 @@ for file in $(ls $TST_DIR/[tv]ck_*) ; do PWD=$PASSWORD [[ $file =~ vck_1_nopw.* ]] && PWD="" [[ $file =~ vck_1_pw72.* ]] && PWD=$PASSWORD_72C - echo $PWD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail + get_HASH_CIPHER $file + echo $PWD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 -h $HASH -c $CIPHER $file >/dev/null || fail echo " [OK]" done 
@@ -179,14 +190,15 @@ for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" SYS_OPT="" [[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system" - out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r $file $MAP 2>&1) + get_HASH_CIPHER $file + out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r -h $HASH -c $CIPHER $file $MAP 2>&1) ret=$? [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue [ $ret -ne 0 ] && fail $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail - UUID=$(lsblk -n -o UUID /dev/mapper/$MAP) + UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed." echo " [OK]" @@ -195,12 +207,13 @@ done echo "ACTIVATION FS UUID (HIDDEN) CHECK" for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do echo -n " $file" - out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden 2>&1) + get_HASH_CIPHER $file + out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r -h $HASH -c $CIPHER $file $MAP --tcrypt-hidden 2>&1) ret=$? [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue [ $ret -ne 0 ] && fail - UUID=$(lsblk -n -o UUID /dev/mapper/$MAP) + UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed." echo " [OK]" diff --git a/tests/test_utils.c b/tests/test_utils.c index 9f4a633..97c62a0 100644 --- a/tests/test_utils.c +++ b/tests/test_utils.c 
@@ -1,8 +1,8 @@ /* * cryptsetup library API test utilities * - * Copyright (C) 2009-2021 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2021 Milan Broz + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#include <assert.h> #include <errno.h> #include <fcntl.h> #include <inttypes.h> @@ -161,6 +162,20 @@ int t_device_size(const char *device, uint64_t *size) return r; } +int t_set_readahead(const char *device, unsigned value) +{ + int devfd, r = 0; + + devfd = open(device, O_RDONLY); + if(devfd == -1) + return -EINVAL; + + if (ioctl(devfd, BLKRASET, value) < 0) + r = -EINVAL; + close(devfd); + return r; +} + int fips_mode(void) { int fd; 
@@ -196,14 +211,151 @@ int create_dmdevice_over_loop(const char *dm_name, const uint64_t size) printf("No enough space on backing loop device\n."); return -2; } - snprintf(cmd, sizeof(cmd), - "dmsetup create %s --table \"0 %" PRIu64 " linear %s %" PRIu64 "\"", - dm_name, size, THE_LOOP_DEV, t_dev_offset); + r = snprintf(cmd, sizeof(cmd), + "dmsetup create %s --table \"0 %" PRIu64 " linear %s %" PRIu64 "\"", + dm_name, size, THE_LOOP_DEV, t_dev_offset); + if (r < 0 || (size_t)r >= sizeof(cmd)) + return -3; + if (!(r = _system(cmd, 1))) t_dev_offset += size; return r; } +__attribute__((format(printf, 3, 4))) +static int _snprintf(char **r_ptr, size_t *r_remains, const char *format, ...) +{ + int len, r = 0; + va_list argp; + + assert(r_remains); + assert(r_ptr); + + va_start(argp, format); + + len = vsnprintf(*r_ptr, *r_remains, format, argp); + if (len < 0 || (size_t)len >= *r_remains) { + r = -EINVAL; + } else { + *r_ptr += len; + *r_remains -= len; + } + + va_end(argp); + + return r; +} + +int dmdevice_error_io(const char *dm_name, + const char *dm_device, + const char *error_device, + uint64_t data_offset, + uint64_t offset, + uint64_t length, + error_io_info ei) +{ + char str[256], cmd[384]; + int r; + uint64_t dev_size; + size_t remains; + char *ptr; + + if (t_device_size(dm_device, &dev_size) < 0 || !length) + return -1; + + dev_size >>= TST_SECTOR_SHIFT; + + if (dev_size <= offset) + return -1; + + if (ei == ERR_REMOVE) { + r = snprintf(cmd, sizeof(cmd), + "dmsetup load %s --table \"0 %" PRIu64 " linear %s %" PRIu64 "\"", + dm_name, dev_size, THE_LOOP_DEV, data_offset); + if (r < 0 || (size_t)r >= sizeof(str)) + return -3; + + if ((r = _system(cmd, 1))) + return r; + + r = snprintf(cmd, sizeof(cmd), "dmsetup resume %s", dm_name); + if (r < 0 || (size_t)r >= sizeof(cmd)) + return -3; + + return _system(cmd, 1); + } + + if ((dev_size - offset) < length) { + printf("Not enough space on target device\n."); + return -2; + } + + remains = sizeof(str); + ptr = str; 
+ + if (offset) { + r = _snprintf(&ptr, &remains, + "0 %" PRIu64 " linear %s %" PRIu64 "\n", + offset, THE_LOOP_DEV, data_offset); + if (r < 0) + return r; + } + r = _snprintf(&ptr, &remains, "%" PRIu64 " %" PRIu64 " delay ", + offset, length); + if (r < 0) + return r; + + if (ei == ERR_RW || ei == ERR_RD) { + r = _snprintf(&ptr, &remains, "%s 0 0", + error_device); + if (r < 0) + return r; + if (ei == ERR_RD) { + r = _snprintf(&ptr, &remains, " %s %" PRIu64 " 0", + THE_LOOP_DEV, data_offset + offset); + if (r < 0) + return r; + } + } else if (ei == ERR_WR) { + r = _snprintf(&ptr, &remains, "%s %" PRIu64 " 0 %s 0 0", + THE_LOOP_DEV, data_offset + offset, error_device); + if (r < 0) + return r; + } + + if (dev_size > (offset + length)) { + r = _snprintf(&ptr, &remains, + "\n%" PRIu64 " %" PRIu64 " linear %s %" PRIu64, + offset + length, dev_size - offset - length, THE_LOOP_DEV, + data_offset + offset + length); + if (r < 0) + return r; + } + + /* + * Hello darkness, my old friend... + * + * On few old distributions there's issue with + * processing multiline tables via dmsetup load --table. + * This workaround passes on all systems we run tests on. + */ + r = snprintf(cmd, sizeof(cmd), "dmsetup load %s <<EOF\n%s\nEOF", dm_name, str); + if (r < 0 || (size_t)r >= sizeof(cmd)) + return -3; + + if ((r = _system(cmd, 1))) + return r; + + r = snprintf(cmd, sizeof(cmd), "dmsetup resume %s", dm_name); + if (r < 0 || (size_t)r >= sizeof(cmd)) + return -3; + + if ((r = _system(cmd, 1))) + return r; + + return t_set_readahead(dm_device, 0); +} + // Get key from kernel dm mapping table using dm-ioctl int get_key_dm(const char *name, char *buffer, unsigned int buffer_size) { @@ -211,7 +363,6 @@ int get_key_dm(const char *name, char *buffer, unsigned int buffer_size) struct dm_info dmi; uint64_t start, length; char *target_type, *key, *params; - void *next = NULL; int r = -EINVAL; if (!(dmt = dm_task_create(DM_DEVICE_TABLE))) 
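Review bot: In the `ERR_REMOVE` branch of `dmdevice_error_io` the first `snprintf` writes into `cmd`, but its truncation check compares against `sizeof(str)` (256) instead of `sizeof(cmd)` (384), unlike every other check in this hunk; it should read `if (r < 0 || (size_t)r >= sizeof(cmd))`. The mismatch happens to err on the strict side today, but it stops guarding the buffer as soon as the two sizes change relative to each other. `dm_name` and `error_device` are also interpolated unquoted into a command string handed to `_system` (a shell, judging by the `<<EOF` heredoc), so a header comment stating that they must be fixed, test-controlled names would document the assumption. The hunk opens inside `create_dmdevice_over_loop`, whose start is outside it.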
@@ -225,7 +376,7 @@ int get_key_dm(const char *name, char *buffer, unsigned int buffer_size) if (!dmi.exists) goto out; - next = dm_get_next_target(dmt, next, &start, &length, &target_type, ¶ms); + dm_get_next_target(dmt, NULL, &start, &length, &target_type, ¶ms); if (!target_type || strcmp(target_type, "crypt") != 0) goto out; @@ -389,6 +540,20 @@ static void t_dm_set_crypt_compat(const char *dm_version, unsigned crypt_maj, if (t_dm_satisfies_version(1, 18, 1, crypt_maj, crypt_min, crypt_patch) && _keyring_check()) t_dm_crypt_flags |= T_DM_KERNEL_KEYRING_SUPPORTED; + + if (t_dm_satisfies_version(1, 17, 0, crypt_maj, crypt_min, crypt_patch)) { + t_dm_crypt_flags |= T_DM_SECTOR_SIZE_SUPPORTED; + t_dm_crypt_flags |= T_DM_CAPI_STRING_SUPPORTED; + } + + if (t_dm_satisfies_version(1, 19, 0, crypt_maj, crypt_min, crypt_patch)) + t_dm_crypt_flags |= T_DM_BITLK_EBOIV_SUPPORTED; + + if (t_dm_satisfies_version(1, 20, 0, crypt_maj, crypt_min, crypt_patch)) + t_dm_crypt_flags |= T_DM_BITLK_ELEPHANT_SUPPORTED; + + if (t_dm_satisfies_version(1, 22, 0, crypt_maj, crypt_min, crypt_patch)) + t_dm_crypt_flags |= T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED; } static void t_dm_set_verity_compat(const char *dm_version __attribute__((unused)), @@ -410,6 +575,15 @@ static void t_dm_set_verity_compat(const char *dm_version __attribute__((unused) t_dm_crypt_flags |= T_DM_VERITY_ON_CORRUPTION_SUPPORTED; t_dm_crypt_flags |= T_DM_VERITY_FEC_SUPPORTED; } + + if (t_dm_satisfies_version(1, 5, 0, verity_maj, verity_min, verity_patch)) + t_dm_crypt_flags |= T_DM_VERITY_SIGNATURE_SUPPORTED; + + if (t_dm_satisfies_version(1, 7, 0, verity_maj, verity_min, verity_patch)) + t_dm_crypt_flags |= T_DM_VERITY_PANIC_CORRUPTION_SUPPORTED; + + if (t_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch)) + t_dm_crypt_flags |= T_DM_VERITY_TASKLETS_SUPPORTED; } static void t_dm_set_integrity_compat(const char *dm_version __attribute__((unused)), 
@@ -419,6 +593,24 @@ static void t_dm_set_integrity_compat(const char *dm_version __attribute__((unus { if (integrity_maj > 0) t_dm_crypt_flags |= T_DM_INTEGRITY_SUPPORTED; + + if (t_dm_satisfies_version(1, 2, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_RECALC_SUPPORTED; + + if (t_dm_satisfies_version(1, 3, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_BITMAP_SUPPORTED; + + if (t_dm_satisfies_version(1, 4, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_FIX_PADDING_SUPPORTED; + + if (t_dm_satisfies_version(1, 6, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_DISCARDS_SUPPORTED; + + if (t_dm_satisfies_version(1, 7, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_FIX_HMAC_SUPPORTED; + + if (t_dm_satisfies_version(1, 8, 0, integrity_maj, integrity_min, integrity_patch)) + t_dm_crypt_flags |= T_DM_INTEGRITY_RESET_RECALC_SUPPORTED; } int t_dm_check_versions(void) @@ -456,7 +648,7 @@ int t_dm_check_versions(void) (unsigned)target->version[1], (unsigned)target->version[2]); } - target = (struct dm_versions *)((char *) target + target->next); + target = VOIDP_CAST(struct dm_versions *)((char *) target + target->next); } while (last_target != target); r = 0; @@ -483,6 +675,21 @@ int t_dm_crypt_discard_support(void) return t_dm_crypt_flags & T_DM_DISCARDS_SUPPORTED; } +int t_dm_integrity_resize_support(void) +{ + return t_dm_crypt_flags & T_DM_INTEGRITY_RESIZE_SUPPORTED; +} + +int t_dm_integrity_recalculate_support(void) +{ + return t_dm_crypt_flags & T_DM_INTEGRITY_RECALC_SUPPORTED; +} + +int t_dm_capi_string_supported(void) +{ + return t_dm_crypt_flags & T_DM_CAPI_STRING_SUPPORTED; +} + /* loop helpers */ #define LOOP_DEV_MAJOR 7 
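Review bot: `t_dm_integrity_resize_support()` tests `T_DM_INTEGRITY_RESIZE_SUPPORTED`, but none of the version checks added to `t_dm_set_integrity_compat` in the preceding hunk sets that flag; they cover RECALC, BITMAP, FIX_PADDING, DISCARDS, FIX_HMAC and RESET_RECALC only. Unless it is set somewhere outside these hunks, the helper always returns 0 and any test gated on it is skipped without notice. If that is an omission, a matching check belongs beside the others, `if (t_dm_satisfies_version(<MAJ>, <MIN>, 0, integrity_maj, integrity_min, integrity_patch)) t_dm_crypt_flags |= T_DM_INTEGRITY_RESIZE_SUPPORTED;`, with the dm-integrity target version that introduced resize filled in.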
@@ -515,7 +722,7 @@ int loop_device(const char *loop) static char *crypt_loop_get_device_old(void) { - char dev[20]; + char dev[64]; int i, loop_fd; struct loop_info64 lo64 = {0}; diff --git a/tests/unit-utils-crypt.c b/tests/unit-utils-crypt.c new file mode 100644 index 0000000..4ab3c96 --- /dev/null +++ b/tests/unit-utils-crypt.c 
@@ -0,0 +1,259 @@ +/* + * cryptsetup crypto name and hex conversion helper test vectors + * + * Copyright (C) 2022-2023 Milan Broz + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "utils_crypt.h" +#include "libcryptsetup.h" + +#ifndef ARRAY_SIZE +# define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) +#endif + +/* + * Cryptsetup/dm-crypt algorithm naming conversion test + */ +struct mode_test_vector { + const char *input; + const char *cipher; + const char *mode; + int keys; +}; +static struct mode_test_vector mode_test_vectors[] = { + { "aes-xts-plain", "aes", "xts-plain", 1 }, + { "aes-xts-plain64", "aes", "xts-plain64", 1 }, + { "aes-cbc-plain", "aes", "cbc-plain", 1 }, + { "aes-cbc-plain64", "aes", "cbc-plain64", 1 }, + { "aes-cbc-essiv:sha256", "aes", "cbc-essiv:sha256", 1 }, + { "aes", "aes", "cbc-plain", 1 }, + { "twofish", "twofish", "cbc-plain", 1 }, + { "cipher_null", "cipher_null", "ecb", 0 }, + { "null", "cipher_null", "ecb", 0 }, + { "xchacha12,aes-adiantum-plain64", "xchacha12,aes", "adiantum-plain64", 1 }, + { "xchacha20,aes-adiantum-plain64", "xchacha20,aes", "adiantum-plain64", 1 }, + { "aes:64-cbc-lmk", "aes:64", "cbc-lmk", 64 }, + { "des3_ede-cbc-tcw", "des3_ede" ,"cbc-tcw", 1 }, + { 
"aes-lrw-benbi", "aes","lrw-benbi", 1 }, +}; + +static int test_parse_mode(void) +{ + char cipher[MAX_CIPHER_LEN], mode[MAX_CIPHER_LEN]; + unsigned int i; + int keys; + + printf("MODECONV:"); + for (i = 0; i < ARRAY_SIZE(mode_test_vectors); i++) { + if (i && !(i % 8)) + printf("\n"); + keys = -1; + memset(cipher, 0, sizeof(cipher)); + memset(mode, 0, sizeof(mode)); + printf("[%s]", mode_test_vectors[i].input ?: "NULL"); + if (crypt_parse_name_and_mode(mode_test_vectors[i].input, cipher, &keys, mode) < 0 || + strcmp(mode_test_vectors[i].cipher, cipher) || + strcmp(mode_test_vectors[i].mode, mode) || + mode_test_vectors[i].keys != keys) { + printf("[FAILED (%s / %s / %i)]\n", cipher, mode, keys); + return EXIT_FAILURE; + } + } + printf("[OK]\n"); + + return EXIT_SUCCESS; +} + +/* + * Cryptsetup/dm-crypt/dm-integrity algorithm naming conversion test + */ +struct integrity_test_vector { + bool int_mode; /* non-null if it is supported as integrity mode for LUKS2 */ + const char *input; + const char *integrity; + int key_size; +}; +static struct integrity_test_vector integrity_test_vectors[] = { + { true, "aead", "aead", 0 }, + { true, "poly1305", "poly1305", 0 }, + { true, "none", "none", 0 }, + { false, "crc32", "crc32", 0 }, + { true, "hmac-sha1", "hmac(sha1)", 20 }, + { true, "hmac-sha256", "hmac(sha256)", 32 }, + { true, "hmac-sha512", "hmac(sha512)", 64 }, + { true, "cmac-aes", "cmac(aes)", 16 }, + { false, "blake2b-256", "blake2b-256", 0 }, +}; + +static int test_parse_integrity_mode(void) +{ + char integrity[MAX_CIPHER_LEN]; + unsigned int i; + int key_size; + + printf("INTEGRITYCONV:"); + for (i = 0; i < ARRAY_SIZE(integrity_test_vectors); i++) { + memset(integrity, 0, sizeof(integrity)); + printf("[%s,%i]", integrity_test_vectors[i].input ?: "NULL", integrity_test_vectors[i].key_size); + if (crypt_parse_hash_integrity_mode(integrity_test_vectors[i].input, integrity) < 0 || + strcmp(integrity_test_vectors[i].integrity, integrity)) { + printf("[FAILED (%s)]\n", 
integrity); + return EXIT_FAILURE; + } + key_size = -1; + memset(integrity, 0, sizeof(integrity)); + if (integrity_test_vectors[i].int_mode && + (crypt_parse_integrity_mode(integrity_test_vectors[i].input, integrity, &key_size) < 0 || + strcmp(integrity_test_vectors[i].integrity, integrity) || + integrity_test_vectors[i].key_size != key_size)) { + printf("[FAILED (%s / %i)]\n", integrity, key_size); + return EXIT_FAILURE; + } + } + printf("[OK]\n"); + + return EXIT_SUCCESS; +} + +/* + * Cryptsetup null cipher bypass algorithm name + */ +struct null_test_vector { + const char *cipher; + bool ok; +}; +static struct null_test_vector null_test_vectors[] = { + { "cipher_null-ecb", true }, + { "cipher_null", true }, + { "null", true }, + { "cipher-null", false }, + { "aes-ecb", false }, + { NULL, false }, +}; + +static int test_cipher_null(void) +{ + unsigned int i; + + printf("NULLCONV:"); + for (i = 0; i < ARRAY_SIZE(null_test_vectors); i++) { + printf("[%s]", null_test_vectors[i].cipher ?: "NULL"); + if (crypt_is_cipher_null(null_test_vectors[i].cipher) != + null_test_vectors[i].ok) { + printf("[FAILED]\n"); + return EXIT_FAILURE; + } + } + printf("[OK]\n"); + + return EXIT_SUCCESS; +} + +struct hex_test_vector { + const char *hex; + const char *bytes; + ssize_t bytes_size; + bool ok; +}; +static struct hex_test_vector hex_test_vectors[] = { + { "0000000000000000", "\x00\x00\x00\x00\x00\x00\x00\x00", 8, true }, + { "abcdef0123456789", "\xab\xcd\xef\x01\x23\x45\x67\x89", 8, true }, + { "aBCDef0123456789", "\xab\xcd\xef\x01\x23\x45\x67\x89", 8, true }, + { "ff", "\xff", 1, true }, + { "f", NULL , 1, false }, + { "a-cde", NULL, 2, false }, + { "FAKE", NULL, 2, false }, + { "\x01\x02\xff", NULL, 3, false }, + { NULL, NULL, 1, false }, + { "fff", NULL, 2, false }, + { "fg", NULL, 1, false }, +}; + +/* + * Hexa conversion test (also should be constant time) + */ +static int test_hex_conversion(void) +{ + char *bytes, *hex; + ssize_t len; + unsigned int i; + + 
printf("HEXCONV:"); + for (i = 0; i < ARRAY_SIZE(hex_test_vectors); i++) { + bytes = NULL; + hex = NULL; + if (hex_test_vectors[i].hex && *hex_test_vectors[i].hex >= '0') + printf("[%s]", hex_test_vectors[i].hex); + else + printf("[INV:%i]", i); + len = crypt_hex_to_bytes(hex_test_vectors[i].hex, &bytes, 1); + if ((hex_test_vectors[i].ok && len != hex_test_vectors[i].bytes_size) || + (!hex_test_vectors[i].ok && len >= 0)) { + printf("[FAILED]\n"); + crypt_safe_free(bytes); + return EXIT_FAILURE; + } + crypt_safe_free(bytes); + hex = crypt_bytes_to_hex(hex_test_vectors[i].bytes_size, hex_test_vectors[i].bytes); + if ((hex_test_vectors[i].ok && strcasecmp(hex, hex_test_vectors[i].hex)) || + (!hex_test_vectors[i].ok && hex)) { + printf("[FAILED]\n"); + crypt_safe_free(hex); + return EXIT_FAILURE; + } + crypt_safe_free(hex); + } + printf("[OK]\n"); + + return EXIT_SUCCESS; +} + +static void __attribute__((noreturn)) exit_test(const char *msg, int r) +{ + if (msg) + printf("%s\n", msg); + exit(r); +} + +int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]) +{ + setvbuf(stdout, NULL, _IONBF, 0); + +#ifndef NO_CRYPTSETUP_PATH + if (getenv("CRYPTSETUP_PATH")) { + printf("Cannot run this test with CRYPTSETUP_PATH set.\n"); + exit(77); + } +#endif + if (test_parse_mode()) + exit_test("Parse mode test failed.", EXIT_FAILURE); + + if (test_parse_integrity_mode()) + exit_test("Parse integrity mode test failed.", EXIT_FAILURE); + + if (test_cipher_null()) + exit_test("CIPHER null test failed.", EXIT_FAILURE); + + if (test_hex_conversion()) + exit_test("HEX conversion test failed.", EXIT_FAILURE); + + exit_test(NULL, EXIT_SUCCESS); +} diff --git a/tests/unit-utils-io.c b/tests/unit-utils-io.c index 8120842..3bfc762 100644 --- a/tests/unit-utils-io.c +++ b/tests/unit-utils-io.c 
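Review bot: In `test_hex_conversion()` the result of `crypt_hex_to_bytes()` is checked only by length; the decoded buffer is never compared with the expected `bytes` field, so a decoder that returns the right number of wrong bytes passes. For a helper that parses key material that is the property worth pinning: extend the first condition to `(hex_test_vectors[i].ok && (len != hex_test_vectors[i].bytes_size || memcmp(bytes, hex_test_vectors[i].bytes, len)))`. The second check calls `strcasecmp(hex, ...)` without testing `hex` for NULL, so an allocation failure in `crypt_bytes_to_hex()` crashes the test instead of printing `[FAILED]`; `(!hex || strcasecmp(...))` covers it. The comment above the function says the conversion should be constant time, which nothing here measures, so it should state that timing is outside the scope of this test.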
@@ -1,7 +1,7 @@
 /*
 * simple unit test for utils_io.c (blockwise low level functions)
 *
- * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@@ -311,6 +311,12 @@ int main(int argc, char **argv)
 long ps;
 int r = EXIT_FAILURE;
+#ifndef NO_CRYPTSETUP_PATH
+ if (getenv("CRYPTSETUP_PATH")) {
+ printf("Cannot run this test with CRYPTSETUP_PATH set.\n");
+ exit(77);
+ }
+#endif
 if (parse_input_params(argc, argv))
 return r;
diff --git a/tests/unit-wipe-test b/tests/unit-wipe-test
new file mode 100755
index 0000000..4d0a078
--- /dev/null
+++ b/tests/unit-wipe-test
@@ -0,0 +1,170 @@ +#!/bin/bash + +WIPE_UNIT=./unit-wipe +FILE=./wipe_localfile +FILE_RAND=./wipe_random_localfile +MB_BYTES=$((1024*1024)) +DEVSIZEMB=8 +DEVSIZE=$((DEVSIZEMB*$MB_BYTES)) + +HASH_EMPTY=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74 + +function cleanup() { + rm -f $FILE $FILE_RAND 2> /dev/null + sleep 1 + rmmod scsi_debug >/dev/null 2>&1 +} + +function fail() +{ + if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi + echo "FAILED backtrace:" + while caller $frame; do ((frame++)); done + cleanup + exit 100 +} + +function skip() +{ + echo "TEST SKIPPED: $1" + cleanup + exit 77 +} + +function add_device() +{ + rmmod scsi_debug >/dev/null 2>&1 + if [ -d /sys/module/scsi_debug ] ; then + skip "Cannot use scsi_debug module (in use or compiled-in)." + fi + modprobe scsi_debug dev_size_mb=$DEVSIZEMB num_tgts=1 delay=0 >/dev/null 2>&1 + if [ $? -ne 0 ] ; then + skip "This kernel seems to not support proper scsi_debug module." + fi + grep -q scsi_debug /sys/block/*/device/model || sleep 2 + DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) + DEV="/dev/$DEV" + [ -b $DEV ] || fail "Cannot find $DEV." 
+} + +function check_hash() # $1 dev, $2 hash +{ + local HASH=$(sha256sum $1 | cut -d' ' -f 1) + [ $HASH == "$2" ] +} + +function init_hash_dd() # $1 dev, $dev orig +{ + dd if=/dev/urandom of=$2 bs=1M count=$DEVSIZEMB conv=notrunc 2> /dev/null + dd if=$2 of=$1 bs=1M conv=notrunc 2> /dev/null + HASH_0=$(sha256sum $1 | cut -d' ' -f 1) + # second MB wiped + dd if=/dev/zero of=$1 bs=1M seek=1 count=1 conv=notrunc 2> /dev/null + HASH_1=$(sha256sum $1 | cut -d' ' -f 1) + # 4,5,6 MB wiped + dd if=/dev/zero of=$1 bs=1M seek=4 count=3 conv=notrunc 2> /dev/null + HASH_2=$(sha256sum $1 | cut -d' ' -f 1) + dd if=$2 of=$1 bs=1M conv=notrunc 2> /dev/null +} + +function add_file() +{ + dd if=/dev/zero of=$FILE bs=1M count=$DEVSIZEMB 2> /dev/null || fail + dd if=/dev/zero of=$FILE_RAND bs=1M count=$DEVSIZEMB 2> /dev/null || fail + check_hash $FILE $HASH_EMPTY || fail + check_hash $FILE_RAND $HASH_EMPTY || fail + dd if=$FILE of=/dev/null bs=4096 count=1 iflag=direct >/dev/null 2>&1 || FILE_NODIO=1 +} + +function test_wipe_full() # $1 dev, $2 block size, [$3 flags] +{ + # wipe random and back to zero + $WIPE_UNIT $1 random 0 $DEVSIZE $2 $3 || fail + check_hash $1 $HASH_EMPTY && fail "Failed random wipe" + $WIPE_UNIT $1 zero 0 $DEVSIZE $2 $3 || fail + check_hash $1 $HASH_EMPTY || fail "Failed zero wipe" +} + +# wipe MB blocks, with zero, random and special and back to original +function test_wipe_blocks() # $1 dev $2 block sizem [$3 flags] +{ + init_hash_dd $1 $FILE_RAND + check_hash $1 $HASH_0 || fail + + $WIPE_UNIT $1 zero $((1*$MB_BYTES)) $((1*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_1 || fail + $WIPE_UNIT $1 random $((1*$MB_BYTES)) $((1*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_1 && fail + $WIPE_UNIT $1 special $((1*$MB_BYTES)) $((1*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_1 && fail + $WIPE_UNIT $1 zero $((1*$MB_BYTES)) $((1*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_1 || fail + + $WIPE_UNIT $1 zero $((4*$MB_BYTES)) $((3*$MB_BYTES)) $2 $3 || fail + 
check_hash $1 $HASH_2 || fail + $WIPE_UNIT $1 random $((4*$MB_BYTES)) $((3*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_2 && fail + $WIPE_UNIT $1 special $((4*$MB_BYTES)) $((3*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_2 && fail + $WIPE_UNIT $1 zero $((4*$MB_BYTES)) $((3*$MB_BYTES)) $2 $3 || fail + check_hash $1 $HASH_2 || fail +} + +test -x $WIPE_UNIT || skip "Run \"make `basename $WIPE_UNIT`\" first" + +cleanup +add_file + +echo -n "[1] Wipe full file " +for bs in 0 $MB_BYTES $((4*$MB_BYTES)); do + if [ -n "$FILE_NODIO" ]; then + echo -n [$bs/DIO N/A] + else + echo -n [$bs/DIO] + test_wipe_full $FILE $bs + fi + echo -n [$bs] + test_wipe_full $FILE $bs no-dio +done +echo "[OK]" + +echo -n "[2] Wipe blocks in file " +for bs in 0 $MB_BYTES $((4*$MB_BYTES)); do + if [ -n "$FILE_NODIO" ]; then + echo -n [$bs/DIO N/A] + else + echo -n [$bs/DIO] + test_wipe_blocks $FILE $bs + fi + echo -n [$bs] + test_wipe_blocks $FILE $bs no-dio +done +echo "[OK]" + +[ $(id -u) -eq 0 ] || { + echo "WARNING: You must be root to run remaining tests." + cleanup + exit 0 +} + +add_device + +echo -n "[3] Wipe full block device " +for bs in 0 $MB_BYTES $((4*$MB_BYTES)); do + echo -n [$bs/DIO] + test_wipe_full $DEV $bs + echo -n [$bs] + test_wipe_full $DEV $bs no-dio +done +echo "[OK]" + +echo -n "[4] Wipe blocks in block device " +for bs in 0 $MB_BYTES $((4*$MB_BYTES)); do + echo -n [$bs/DIO] + test_wipe_blocks $DEV $bs + echo -n [$bs] + test_wipe_blocks $DEV $bs no-dio +done +echo "[OK]" + +cleanup diff --git a/tests/unit-wipe.c b/tests/unit-wipe.c new file mode 100644 index 0000000..c3019c7 --- /dev/null +++ b/tests/unit-wipe.c 
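Review bot: `check_hash()` cannot tell a hash mismatch from a failed read, and the negative assertions depend on it returning non-zero. If `sha256sum $1` fails, `HASH` is empty, the unquoted `[ $HASH == "$2" ]` becomes a test syntax error with a non-zero status, and lines such as `check_hash $1 $HASH_EMPTY && fail "Failed random wipe"` then pass without the wipe having been verified. Declaring the variable separately and rejecting an empty result fixes it: `local HASH; HASH=$(sha256sum "$1" | cut -d' ' -f 1)`, then `[ -n "$HASH" ] || fail "Cannot hash $1"`, then `[ "$HASH" == "$2" ]`. Separately, `cleanup()` runs `rmmod scsi_debug` unconditionally, including at script start, so it may unload a module this script did not load; a flag set in `add_device()` and checked in `cleanup()` would limit that.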
@@ -0,0 +1,138 @@ +/* + * unit test helper for crypt_wipe API call + * + * Copyright (C) 2022-2023 Milan Broz + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <stdbool.h> +#include <string.h> +#include <sys/stat.h> + +#include "libcryptsetup.h" + +const char *test_file; +uint64_t test_offset, test_length, test_block; +uint32_t flags; +crypt_wipe_pattern pattern; + +static void usage(void) +{ + fprintf(stderr, "Use:\tunit-wipe file/device zero|random|special offset length bsize [no-dio].\n"); +} + +static bool parse_u64(const char *arg, uint64_t *u64) +{ + unsigned long long ull; + char *end; + + ull = strtoull(arg, &end, 10); + if (*end || !*arg || errno == ERANGE) + return false; + + if (ull % 512) + return false; + + *u64 = ull; + return true; +} + +static bool parse_input_params(int argc, char **argv) +{ + struct stat st; + + if (argc < 6 || argc > 7) { + usage(); + return false; + } + + if (stat(argv[1], &st)) { + fprintf(stderr, "File/device %s is missing?\n", argv[1]); + return false; + } + test_file = argv[1]; + + if (!strcmp(argv[2], "random")) + pattern = CRYPT_WIPE_RANDOM; + else if (!strcmp(argv[2], "zero")) + pattern = CRYPT_WIPE_ZERO; + else if (!strcmp(argv[2], "special")) + pattern = CRYPT_WIPE_SPECIAL; 
+ else { + fprintf(stderr, "Wrong pattern specification.\n"); + return false; + } + + if (!parse_u64(argv[3], &test_offset)) { + fprintf(stderr, "Wrong offset specification.\n"); + return false; + } + + if (!parse_u64(argv[4], &test_length)) { + fprintf(stderr, "Wrong length specification.\n"); + return false; + } + + if (!parse_u64(argv[5], &test_block)) { + fprintf(stderr, "Wrong block length specification.\n"); + return false; + } + + if (argc > 6) { + if (!strcmp(argv[6], "no-dio")) + flags = CRYPT_WIPE_NO_DIRECT_IO; + else { + fprintf(stderr, "Wrong flags specification.\n"); + return false; + } + } + + return true; +} + +int main(int argc, char **argv) +{ + struct crypt_device *cd; + int r; + +#ifndef NO_CRYPTSETUP_PATH + if (getenv("CRYPTSETUP_PATH")) { + printf("Cannot run this test with CRYPTSETUP_PATH set.\n"); + exit(77); + } +#endif + + if (!parse_input_params(argc, argv)) + return EXIT_FAILURE; + + r = crypt_init(&cd, NULL); + if (r < 0) { + fprintf(stderr, "Context init failure %i.\n", r); + return EXIT_FAILURE; + } + + r = crypt_wipe(cd, test_file, pattern, test_offset, test_length, + test_block, flags, NULL, NULL); + crypt_free(cd); + + if (r) + fprintf(stderr, "Failure %i\n", r); + + return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/tests/verity-compat-test b/tests/verity-compat-test index 1f09aa2..8a28a12 100755 --- a/tests/verity-compat-test +++ b/tests/verity-compat-test @@ -89,8 +89,7 @@ function compare_out() # $1 what, $2 expected function check_root_hash_fail() { echo -n "Root hash check " - ARR=(`$VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256`) - ROOT_HASH=${ARR[28]} + ROOT_HASH=$($VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256 | grep -e "Root hash" | cut -d: -f2 | tr -d "\t\n ") ROOT_HASH_BAD=abcdef0000000000000000000000000000000000000000000000000000000000 $VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH || fail 
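Review bot: `parse_u64()` tests `errno == ERANGE` without clearing `errno` before `strtoull()`, and `strtoull()` accepts a leading minus sign, so an argument such as `-512` wraps to a very large multiple of 512 and is accepted as an offset or length. These values go straight into `crypt_wipe()` on a file or block device, so set `errno = 0;` before the call and reject input that does not start with a digit, for example `if (*arg < '0' || *arg > '9') return false;`. The file also uses `uint64_t` and `uint32_t` without including `<stdint.h>` itself and presumably relies on `libcryptsetup.h` for them; including it directly would make that explicit.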
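Review bot: The new `ROOT_HASH=$(... | grep -e "Root hash" | cut -d: -f2 | tr -d "\t\n ")` pipeline takes its exit status from `tr`, so a failed `format` or an unmatched label leaves `ROOT_HASH` empty and the error only surfaces later as a confusing `verify` failure. A guard right after the assignment, `[ -n "$ROOT_HASH" ] || fail "Cannot parse root hash"`, makes the cause visible; the same applies to the identical assignments in `check_fec()` and `checkUserSpaceRepair()`. The match also depends on untranslated output, and the `export LANG=C` added further down does not override an inherited `LC_ALL`, so `export LC_ALL=C` would be the safer setting. The body of `check_root_hash_fail()` continues outside the hunk.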
@@ -148,7 +147,13 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 for fail in data hash; do wipe echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: " - $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail + $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT + if [ $? -ne 0 ] ; then + if [[ $1 =~ "sha2" ]] ; then + fail "Cannot format device." + fi + return + fi echo -n "[root hash]" compare_out "root hash" $2 @@ -243,16 +248,12 @@ function check_fec() if [[ "$1" == "$2" && "$1" == "$3" ]]; then echo -n "[one_device_test]" dd if=/dev/zero of=$IMG_TMP bs=$4 count=$5 > /dev/null 2>&1 - ARR=(`sha256sum $IMG_TMP`) - HASH_ORIG=${ARR[0]} + HASH_ORIG=$(sha256sum $IMG_TMP | cut -d' ' -f 1) else - ARR=(`sha256sum $1`) - HASH_ORIG=${ARR[0]} + HASH_ORIG=$(sha256sum $1 | cut -d' ' -f 1) fi - ARR=(`$VERITYSETUP format $1 $2 --fec-device=$3 $PARAMS`) - SALT=${ARR[$INDEX]} - ROOT_HASH=${ARR[$(($INDEX+3))]} + ROOT_HASH=$($VERITYSETUP format $1 $2 --fec-device=$3 $PARAMS | grep -e "Root hash" | cut -d: -f2 | tr -d "\t\n ") corrupt_device $1 $(($5 * $4)) ${10} @@ -265,9 +266,7 @@ function check_fec() udevadm settle > /dev/null 2>&1 dd if=/dev/mapper/$DEV_NAME of=$IMG_TMP > /dev/null 2>&1 - ARR=(`sha256sum $IMG_TMP`) - - HASH_REPAIRED=${ARR[0]} + HASH_REPAIRED=$(sha256sum $IMG_TMP | cut -d' ' -f 1) $VERITYSETUP close $DEV_NAME @@ -279,11 +278,11 @@ function check_fec() else echo -n "[repaired in kernel]" $VERITYSETUP verify $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS >/dev/null 2>&1 || fail "Userspace verify failed" - echo "[userspace verify][OK]" - RET=0 - fi + echo "[userspace verify][OK]" + RET=0 + fi rm $1 $2 $3 $IMG_TMP > /dev/null 2>&1 - return $RET + return $RET } function check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 CLI option, $7 status option 
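Review bot: In `check_root_hash()` the new failure branch tests `[[ $1 =~ "sha2" ]]`, but by the function's own parameter comment and the `echo` just above it, `$1` is the block size and `$5` is the hash name. A block size never matches `sha2`, so every `format` failure, including one for sha256, takes the silent `return` and the case is reported as neither failed nor skipped. The condition presumably should read `if [[ $5 =~ "sha2" ]] ; then`, and the skip path should print a marker such as `echo "[N/A]"` before `return` so that the line started by `echo -n` is terminated. The loop this code sits in starts and ends outside the hunk.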
@@ -303,7 +302,7 @@ function check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 CLI function valgrind_setup() { - which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $VERITYSETUP_VALGRIND ] && fail "Unable to get location of veritysetup executable." export LD_LIBRARY_PATH="$VERITYSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } @@ -380,8 +379,7 @@ function checkUserSpaceRepair() echo -n "[nroots::$3]" - ARR=(`$VERITYSETUP format $IMG $HASH_DEV --fec-device $FEC $PARAMS --salt=$DEV_SALT --uuid=$DEV_UUID`) - ROOT_HASH=${ARR[28]} + ROOT_HASH=$($VERITYSETUP format $IMG $HASH_DEV --fec-device $FEC $PARAMS --salt=$DEV_SALT --uuid=$DEV_UUID | grep -e "Root hash" | cut -d: -f2 | tr -d "\t\n ") echo -n "[Errors can be corrected]" corrupt_device $IMG $(($BS*$COUNT)) $7 
@@ -412,17 +410,19 @@ function check_concurrent() # $1 hash # Then do two concurrent opens, and check that libdevmapper did not return -EINVAL, which is # not gracefully recoverable. Either could fail depending on scheduling, so just check that # the libdevmapper error does not appear in either of the outputs. - exec {out_1}< <($VERITYSETUP create -v $DEV_NAME $DEV_PARAMS $1 2>&1) - exec {out_2}< <($VERITYSETUP create -v $DEV_NAME $DEV_PARAMS $1 2>&1) + cat /dev/null >$DEV_OUT + $VERITYSETUP create -v $DEV_NAME $DEV_PARAMS $1 >>$DEV_OUT 2>&1 & + $VERITYSETUP create -v $DEV_NAME $DEV_PARAMS $1 >>$DEV_OUT 2>&1 & wait - cat <&${out_1} | grep -q "Command failed with code .* (wrong or missing parameters)" && fail - cat <&${out_2} | grep -q "Command failed with code .* (wrong or missing parameters)" && fail + grep -q "Command failed with code .* (wrong or missing parameters)" $DEV_OUT && fail check_exists + rm $DEV_OUT $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail echo "[OK]" } +export LANG=C [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$VERITYSETUP" ] && skip "Cannot find $VERITYSETUP, test skipped." @@ -477,6 +477,11 @@ if check_version 1 3; then if check_version 1 7; then check_option 512 $HASH $SALT 1 sha256 "--panic-on-corruption" "panic_on_corruption" fi + + if check_version 1 9; then + echo "Verity data performance options test." + check_option 512 $HASH $SALT 1 sha256 "--use-tasklets" "try_verify_in_tasklet" + fi fi echo "Veritysetup [hash-offset bigger than 2G works] " 
@@ -537,17 +542,17 @@ $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 && fail $VERITYSETUP status $DEV_NAME >/dev/null 2>&1 || fail $VERITYSETUP close --deferred $DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then - dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" || fail - $VERITYSETUP close --cancel-deferred $DEV_NAME >/dev/null 2>&1 - dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" >/dev/null 2>&1 && fail - $VERITYSETUP close --deferred $DEV_NAME >/dev/null 2>&1 - dmsetup remove $DEV_NAME2 || fail - $VERITYSETUP status $DEV_NAME >/dev/null 2>&1 && fail - echo "[OK]" + dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" || fail + $VERITYSETUP close --cancel-deferred $DEV_NAME >/dev/null 2>&1 + dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" >/dev/null 2>&1 && fail + $VERITYSETUP close --deferred $DEV_NAME >/dev/null 2>&1 + dmsetup remove $DEV_NAME2 || fail + $VERITYSETUP status $DEV_NAME >/dev/null 2>&1 && fail + echo "[OK]" else - dmsetup remove $DEV_NAME2 >/dev/null 2>&1 - $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 - echo "[N/A]" + dmsetup remove $DEV_NAME2 >/dev/null 2>&1 + $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 + echo "[N/A]" fi remove_mapping diff --git a/tests/xfs_512_block_size.img.xz b/tests/xfs_512_block_size.img.xz new file mode 100644 index 0000000..047c788 Binary files /dev/null and b/tests/xfs_512_block_size.img.xz differ diff --git a/tokens/ssh/cryptsetup-ssh.c b/tokens/ssh/cryptsetup-ssh.c index c1d0a60..7c0bf02 100644 --- a/tokens/ssh/cryptsetup-ssh.c +++ b/tokens/ssh/cryptsetup-ssh.c @@ -1,8 +1,8 @@ /* * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE) * - * Copyright (C) 2016-2021 Milan Broz <gmazyland@gmail.com> - * Copyright (C) 2021 Vojtech Trefny + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2021-2023 Vojtech Trefny * * Use: * - generate ssh example token 
@@ -73,8 +73,10 @@ static int token_add( return r; r = crypt_load(cd, CRYPT_LUKS2, NULL); - if (r) + if (r) { + l_err(cd, _("Device %s is not a valid LUKS device."), device); goto out; + } r = -EINVAL; jobj = json_object_new_object(); diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c index 406af65..639b25d 100644 --- a/tokens/ssh/libcryptsetup-token-ssh.c +++ b/tokens/ssh/libcryptsetup-token-ssh.c @@ -1,8 +1,8 @@ /* * Example of LUKS2 ssh token handler (EXPERIMENTAL) * - * Copyright (C) 2016-2021 Milan Broz <gmazyland@gmail.com> - * Copyright (C) 2020-2021 Vojtech Trefny + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny * * Use: * - generate LUKS device @@ -80,6 +80,9 @@ int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pi ssh_session ssh; jobj_token = get_token_jobj(cd, token); + if (!jobj_token) + return -ENOMEM; + json_object_object_get_ex(jobj_token, "ssh_server", &jobj_server); json_object_object_get_ex(jobj_token, "ssh_user", &jobj_user); json_object_object_get_ex(jobj_token, "ssh_path", &jobj_path); @@ -87,6 +90,7 @@ int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pi r = ssh_pki_import_privkey_file(json_object_get_string(jobj_keypath), pin, NULL, NULL, &pkey); if (r != SSH_OK) { + json_object_put(jobj_token); if (r == SSH_EOF) { crypt_log(cd, CRYPT_LOG_ERROR, "Failed to open and import private key.\n"); return -EINVAL; @@ -98,6 +102,7 @@ int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pi ssh = sshplugin_session_init(cd, json_object_get_string(jobj_server), json_object_get_string(jobj_user)); if (!ssh) { + json_object_put(jobj_token); ssh_key_free(pkey); return -EINVAL; } @@ -111,6 +116,7 @@ int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pi ssh_disconnect(ssh); ssh_free(ssh); + json_object_put(jobj_token); return r ? -EINVAL : r; } 
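Review bot: `cryptsetup_token_open_pin()` now checks `get_token_jobj()`, but the results of the `json_object_object_get_ex()` lookups are still passed on without checking that each key was found, so a token missing `ssh_keypath` or `ssh_server` hands a NULL string to `ssh_pki_import_privkey_file()` or `sshplugin_session_init()`. The token is LUKS2 header metadata, so unless validation is guaranteed to have run before this entry point (not visible in these hunks), each lookup should be tested and the function should return `-EINVAL` after releasing `jobj_token`. The three added `json_object_put(jobj_token)` calls would be easier to keep complete as a single `out:` label, since any exit path between the hunks that is not shown here would still leak the object. Returning `-ENOMEM` for a failed `get_token_jobj()` may misreport a parse error; that function is outside the hunk, so this needs checking against its failure modes.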
@@ -135,14 +141,14 @@ void cryptsetup_token_dump(struct crypt_device *cd, const char *json) json_object_object_get_ex(jobj_token, "ssh_path", &jobj_path); json_object_object_get_ex(jobj_token, "ssh_keypath",&jobj_keypath); - snprintf(buf, sizeof(buf) - 1, "\tssh_server: %s\n\tssh_user: %s\n" - "\tssh_path: %s\n\tssh_key_path: %s\n", - json_object_get_string(jobj_server), - json_object_get_string(jobj_user), - json_object_get_string(jobj_path), - json_object_get_string(jobj_keypath)); + if (snprintf(buf, sizeof(buf) - 1, "\tssh_server: %s\n\tssh_user: %s\n" + "\tssh_path: %s\n\tssh_key_path: %s\n", + json_object_get_string(jobj_server), + json_object_get_string(jobj_user), + json_object_get_string(jobj_path), + json_object_get_string(jobj_keypath)) > 0) + crypt_log(cd, CRYPT_LOG_NORMAL, buf); - crypt_log(cd, CRYPT_LOG_NORMAL, buf); json_object_put(jobj_token); } diff --git a/tokens/ssh/ssh-utils.c b/tokens/ssh/ssh-utils.c index ab1915b..564d858 100644 --- a/tokens/ssh/ssh-utils.c +++ b/tokens/ssh/ssh-utils.c @@ -1,8 +1,8 @@ /* * ssh plugin utilities * - * Copyright (C) 2016-2021 Milan Broz <gmazyland@gmail.com> - * Copyright (C) 2020-2021 Vojtech Trefny + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -56,7 +56,7 @@ int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh, file = sftp_open(sftp, path, O_RDONLY, 0); if (!file) { - crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot create sftp session: ")); + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot open sftp session: ")); r = SSH_FX_FAILURE; goto out; } diff --git a/tokens/ssh/ssh-utils.h b/tokens/ssh/ssh-utils.h index a40a53d..a491275 100644 --- a/tokens/ssh/ssh-utils.h +++ b/tokens/ssh/ssh-utils.h 
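Review bot: The new `snprintf(...) > 0` test in `cryptsetup_token_dump()` rejects only an error or an empty result; a return value of `sizeof(buf) - 1` or more means the text was truncated, and it is still logged. Keeping the result and checking both bounds covers that: `n = snprintf(buf, sizeof(buf), ...);` followed by `if (n > 0 && (size_t)n < sizeof(buf)) crypt_log(cd, CRYPT_LOG_NORMAL, buf);`. The `- 1` on the size is unnecessary because `snprintf()` always terminates within the size it is given. The `json_object_get_string()` results go to `%s` without a NULL check, so a token lacking one of the four keys relies on the C library's handling of a NULL `%s` argument; whether earlier validation rules that out is not visible here.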
@@ -1,8 +1,8 @@ /* * ssh plugin utilities * - * Copyright (C) 2016-2021 Milan Broz <gmazyland@gmail.com> - * Copyright (C) 2020-2021 Vojtech Trefny + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public