author | Ondrej Kozina <okozina@redhat.com> | 2023-10-27 11:18:04 +0200 |
---|---|---|
committer | Ondrej Kozina <okozina@redhat.com> | 2023-10-31 11:13:58 +0100 |
commit | 4081037bdbb3a60e90689ece1495157d454bcef8 (patch) | |
tree | 48d80350d52ab893dd28609361510c08763d0d37 | |
parent | f15b2ffdec33f2effe052e676a5f12fc76b36cbe (diff) | |
download | cryptsetup-4081037bdbb3a60e90689ece1495157d454bcef8.tar.gz |
Add --key-file support in luksErase action with LUKS2 opal.
-rw-r--r-- | man/common_options.adoc | 10 | ||||
-rw-r--r-- | man/cryptsetup-erase.8.adoc | 6 | ||||
-rw-r--r-- | src/cryptsetup.c | 7 |
3 files changed, 18 insertions, 5 deletions
diff --git a/man/common_options.adoc b/man/common_options.adoc
index d1fbedf3..eac7fa69 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -159,6 +159,16 @@ If this option is not used, cryptsetup will ask for all active keyslot passphrases.
 endif::[]
 endif::[]
+ifdef::ACTION_ERASE[]
+*--key-file, -d* _name_ *(LUKS2 with HW OPAL only)*::
+
+Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file
+depending on options used.
++
+If the name given is "-", then the secret will be read from stdin.
+In this case, reading will not stop at newline characters.
++
+endif::[]
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[]
 *--keyfile-offset* _value_::
diff --git a/man/cryptsetup-erase.8.adoc b/man/cryptsetup-erase.8.adoc
index a8bbc586..6ad7ecae 100644
--- a/man/cryptsetup-erase.8.adoc
+++ b/man/cryptsetup-erase.8.adoc
@@ -18,15 +18,17 @@ cryptsetup-erase, cryptsetup-luksErase - erase all keyslots
 == DESCRIPTION
 Erase all keyslots and make the LUKS container permanently inaccessible.
-You do not need to provide any password for this operation.
+Unless the device is configured with HW OPAL support you do not need to
+provide any password for this operation.
 *WARNING:* This operation is irreversible.
+
 *WARNING:* with *--hw-opal-factory-reset* ALL data is lost on the device, regardless of the partition it is ran on, if any, and regardless of any LUKS2 header backup, and does not require a valid LUKS2 header to be present on the device to run.
-*<options>* can be [--header, --disable-locks, --hw-opal-factory-reset].
+*<options>* can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file].
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 47730c42..053b2c87 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2877,9 +2877,10 @@ static int opal_erase(struct crypt_device *cd, bool factory_reset)
 {
 int r;
 r = tools_get_key(factory_reset ? _("Enter OPAL PSID: ") : _("Enter OPAL Admin password: "),
- &password, &password_size,
- 0, 0, NULL,
- ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
+ &password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
+ ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
+ ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1),
+ !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
 if (r < 0)
 return r; |
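Review bot: The rewritten tools_get_key() call now takes the OPAL Admin PIN or PSID from --key-file (with --keyfile-offset/--keyfile-size), but nothing at the call site records that the file content is consumed as-is, so a PSID saved with a trailing newline will presumably be rejected by the drive and look like a wrong secret; the man page text in this commit states the no-newline-stripping behaviour only for stdin. A one-line comment above the call would save the next reader a debugging round, e.g. `/* Secret may come from --key-file: contents are used verbatim (offset/size apply), newlines are not stripped */`, hedged as "if tools_get_key handles the file as it does for the other actions". Since a PSID read from a file is enough for an irreversible factory reset, the man page could also remind users to protect that file like any other key file. Whether a mismatched PSID is distinguishable from a wrong Admin PIN in the error path, and where `password` is wiped after use, are outside this hunk; opal_erase continues past the hunk's last line.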