luksy

package module
v0.0.0-...-0040a28 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 11, 2024 License: Apache-2.0 Imports: 26 Imported by: 1

README

luksy: offline encryption/decryption using LUKS formats Cirrus CI Status

luksy implements encryption and decryption using LUKSv1 and LUKSv2 formats. Think of it as a clunkier cousin of gzip/bzip2/xz that doesn't actually produce smaller output than input, but it encrypts, and that's nice.

  • The main goal is to be able to encrypt/decrypt when we don't have access to the Linux device mapper. Duplicating functions of cryptsetup that it can perform without accessing the Linux device mapper is not a priority.
  • If you can use cryptsetup instead, use cryptsetup instead.

Documentation

Index

Constants

View Source 
const (
	// Mostly verbatim from LUKS1 On-Disk Format Specification version 1.2.3
	V1Magic = "LUKS\xba\xbe"

	V1Stripes       = 4000
	V1AlignKeyslots = 4096
	V1SectorSize    = 512
)
View Source 
const (
	// Mostly verbatim from LUKS2 On-Disk Format Specification version 1.1.1
	V2Magic1 = V1Magic
	V2Magic2 = "SKUL\xba\xbe"

	V2Stripes       = 4000
	V2AlignKeyslots = 4096
	V2SectorSize    = 4096
)
View Source 
const (
	V2JSONKeyslotPriorityIgnore = V2JSONKeyslotPriority(0)
	V2JSONKeyslotPriorityNormal = V2JSONKeyslotPriority(1)
	V2JSONKeyslotPriorityHigh   = V2JSONKeyslotPriority(2)
)

Variables

This section is empty.

Functions

func DecryptReader 

func DecryptReader(fn func(ciphertext []byte) ([]byte, error), reader io.Reader, blockSize int) io.ReadCloser

DecryptReader creates an io.ReadCloser which buffers reads through a decryption function, decrypting and returning multiples of the blockSize until it reaches the end of the file. When data will no longer be read, the returned reader should be closed.

func EncryptV1 

func EncryptV1(password []string, cipher string) ([]byte, func([]byte) ([]byte, error), int, error)

EncryptV1 prepares to encrypt data using one or more passwords and the specified cipher (or a default, if the specified cipher is "").

Returns a fixed LUKSv1 header which contains keying information, a function which will encrypt blocks of data in succession, and the size of chunks of data that it expects.

func EncryptV2 

func EncryptV2(password []string, cipher string, payloadSectorSize int) ([]byte, func([]byte) ([]byte, error), int, error)

EncryptV2 prepares to encrypt data using one or more passwords and the specified cipher (or a default, if the specified cipher is "").

Returns a fixed LUKSv2 header which contains keying information, a function which will encrypt blocks of data in succession, and the size of chunks of data that it expects.

func EncryptWriter 

func EncryptWriter(fn func(plaintext []byte) ([]byte, error), writer io.Writer, blockSize int) io.WriteCloser

EncryptWriter creates an io.WriteCloser which buffers writes through an encryption function, transforming and writing multiples of the blockSize. After writing a final block, the returned writer should be closed. If only a partial block has been written when Close() is called, a final block with its length padded with zero bytes will be transformed and written.

func IterationsPBKDF2 

func IterationsPBKDF2(salt []byte, keyLen int, h func() hash.Hash) int

func MemoryCostArgon2 

func MemoryCostArgon2(salt []byte, keyLen, timeCost, threadsCost int) int

func MemoryCostArgon2i 

func MemoryCostArgon2i(salt []byte, keyLen, timeCost, threadsCost int) int

func ReadHeaders 

func ReadHeaders(f io.ReaderAt, options ReadHeaderOptions) (*V1Header, *V2Header, *V2Header, *V2JSON, error)

ReadHeaders reads LUKS headers from the specified file, returning either a LUKSv1 header, or two LUKSv2 headers and a LUKSv2 JSON block, depending on which format is detected.

Types

type ReadHeaderOptions 

type ReadHeaderOptions struct{}

ReadHeaderOptions can control some of what ReadHeaders() does.

type ReaderAtSeekCloser 

type ReaderAtSeekCloser interface {
	io.ReaderAt
	io.Seeker
	io.Closer
}

ReaderAtSeekCloser is a combination of io.ReaderAt, io.Seeker, and io.Closer, which is all we really need from an encrypted file.

type V1Header 

type V1Header [592]uint8

func (V1Header) CipherMode 

func (h V1Header) CipherMode() string

func (V1Header) CipherName 

func (h V1Header) CipherName() string

func (V1Header) Decrypt 

func (h V1Header) Decrypt(password string, f ReaderAtSeekCloser) (func([]byte) ([]byte, error), int, int64, int64, error)

Decrypt attempts to verify the specified password using information from the header and read from the specified file.

Returns a function which will decrypt payload blocks in succession, the size of chunks of data that the function expects, the offset in the file where the payload begins, and the size of the payload, assuming the payload runs to the end of the file.

func (V1Header) HashSpec 

func (h V1Header) HashSpec() string

func (V1Header) KeyBytes 

func (h V1Header) KeyBytes() uint32

func (*V1Header) KeySlot 

func (h *V1Header) KeySlot(slot int) (V1KeySlot, error)

func (V1Header) MKDigest 

func (h V1Header) MKDigest() []uint8

func (V1Header) MKDigestIter 

func (h V1Header) MKDigestIter() uint32

func (V1Header) MKDigestSalt 

func (h V1Header) MKDigestSalt() []uint8

func (V1Header) Magic 

func (h V1Header) Magic() string

func (V1Header) PayloadOffset 

func (h V1Header) PayloadOffset() uint32

func (*V1Header) SetCipherMode 

func (h *V1Header) SetCipherMode(mode string)

func (*V1Header) SetCipherName 

func (h *V1Header) SetCipherName(name string)

func (*V1Header) SetHashSpec 

func (h *V1Header) SetHashSpec(spec string)

func (*V1Header) SetKeyBytes 

func (h *V1Header) SetKeyBytes(bytes uint32)

func (*V1Header) SetKeySlot 

func (h *V1Header) SetKeySlot(slot int, ks V1KeySlot) error

func (*V1Header) SetMKDigest 

func (h *V1Header) SetMKDigest(digest []uint8)

func (*V1Header) SetMKDigestIter 

func (h *V1Header) SetMKDigestIter(bytes uint32)

func (*V1Header) SetMKDigestSalt 

func (h *V1Header) SetMKDigestSalt(salt []uint8)

func (*V1Header) SetMagic 

func (h *V1Header) SetMagic(magic string) error

func (*V1Header) SetPayloadOffset 

func (h *V1Header) SetPayloadOffset(offset uint32)

func (*V1Header) SetUUID 

func (h *V1Header) SetUUID(uuid string)

func (*V1Header) SetVersion 

func (h *V1Header) SetVersion(version uint16) error

func (V1Header) UUID 

func (h V1Header) UUID() string

func (V1Header) Version 

func (h V1Header) Version() uint16

type V1KeySlot 

type V1KeySlot [48]uint8

func (V1KeySlot) Active 

func (s V1KeySlot) Active() (bool, error)

func (V1KeySlot) Iterations 

func (s V1KeySlot) Iterations() uint32

func (V1KeySlot) KeyMaterialOffset 

func (s V1KeySlot) KeyMaterialOffset() uint32

func (V1KeySlot) KeySlotSalt 

func (s V1KeySlot) KeySlotSalt() []uint8

func (*V1KeySlot) SetActive 

func (s *V1KeySlot) SetActive(active bool)

func (*V1KeySlot) SetIterations 

func (s *V1KeySlot) SetIterations(iterations uint32)

func (*V1KeySlot) SetKeyMaterialOffset 

func (s *V1KeySlot) SetKeyMaterialOffset(material uint32)

func (*V1KeySlot) SetKeySlotSalt 

func (s *V1KeySlot) SetKeySlotSalt(salt []uint8)

func (*V1KeySlot) SetStripes 

func (s *V1KeySlot) SetStripes(stripes uint32)

func (V1KeySlot) Stripes 

func (s V1KeySlot) Stripes() uint32

type V2Header 

type V2Header [4096]uint8

func (V2Header) Checksum 

func (h V2Header) Checksum() []uint8

func (V2Header) ChecksumAlgorithm 

func (h V2Header) ChecksumAlgorithm() string

func (V2Header) Decrypt 

func (h V2Header) Decrypt(password string, f ReaderAtSeekCloser, j V2JSON) (func([]byte) ([]byte, error), int, int64, int64, error)

Decrypt attempts to verify the specified password using information from the header, JSON block, and read from the specified file.

Returns a function which will decrypt payload blocks in succession, the size of chunks of data that the function expects, the offset in the file where the payload begins, and the size of the payload, assuming the payload runs to the end of the file.

func (V2Header) HeaderOffset 

func (h V2Header) HeaderOffset() uint64

func (V2Header) HeaderSize 

func (h V2Header) HeaderSize() uint64

func (V2Header) Label 

func (h V2Header) Label() string

func (V2Header) Magic 

func (h V2Header) Magic() string

func (V2Header) Salt 

func (h V2Header) Salt() []uint8

func (V2Header) SequenceID 

func (h V2Header) SequenceID() uint64

func (*V2Header) SetChecksum 

func (h *V2Header) SetChecksum(sum []uint8)

func (*V2Header) SetChecksumAlgorithm 

func (h *V2Header) SetChecksumAlgorithm(alg string)

func (*V2Header) SetHeaderOffset 

func (h *V2Header) SetHeaderOffset(o uint64)

func (*V2Header) SetHeaderSize 

func (h *V2Header) SetHeaderSize(size uint64)

func (*V2Header) SetLabel 

func (h *V2Header) SetLabel(label string)

func (*V2Header) SetMagic 

func (h *V2Header) SetMagic(magic string) error

func (*V2Header) SetSalt 

func (h *V2Header) SetSalt(salt []uint8)

func (*V2Header) SetSequenceID 

func (h *V2Header) SetSequenceID(id uint64)

func (*V2Header) SetSubsystem 

func (h *V2Header) SetSubsystem(ss string)

func (*V2Header) SetUUID 

func (h *V2Header) SetUUID(uuid string)

func (*V2Header) SetVersion 

func (h *V2Header) SetVersion(version uint16) error

func (V2Header) Subsystem 

func (h V2Header) Subsystem() string

func (V2Header) UUID 

func (h V2Header) UUID() string

func (V2Header) Version 

func (h V2Header) Version() uint16

type V2JSON 

type V2JSON struct {
	Config   V2JSONConfig             `json:"config"`
	Keyslots map[string]V2JSONKeyslot `json:"keyslots"`
	Digests  map[string]V2JSONDigest  `json:"digests"`
	Segments map[string]V2JSONSegment `json:"segments"`
	Tokens   map[string]V2JSONToken   `json:"tokens"`
}

type V2JSONAF 

type V2JSONAF struct {
	Type           string `json:"type"` // "luks1"
	*V2JSONAFLUKS1        // type == "luks1"
}

type V2JSONAFLUKS1 

type V2JSONAFLUKS1 struct {
	Stripes int    `json:"stripes"` // 4000
	Hash    string `json:"hash"`    // "sha256"
}

type V2JSONArea 

type V2JSONArea struct {
	Type                         string `json:"type"` // only "raw", "none", "journal", "checksum", "datashift", "datashift-journal", "datashift-checksum"
	Offset                       int64  `json:"offset,string"`
	Size                         int64  `json:"size,string"`
	*V2JSONAreaRaw                      // type = "raw"
	*V2JSONAreaChecksum                 // type = "checksum"
	*V2JSONAreaDatashift                // type = "datashift"
	*V2JSONAreaDatashiftChecksum        // type = "datashift-checksum"
}

type V2JSONAreaChecksum 

type V2JSONAreaChecksum struct {
	Hash       string `json:"hash"`
	SectorSize int    `json:"sector_size"`
}

type V2JSONAreaDatashift 

type V2JSONAreaDatashift struct {
	ShiftSize int `json:"shift_size,string"`
}

type V2JSONAreaDatashiftChecksum 

type V2JSONAreaDatashiftChecksum struct {
	V2JSONAreaChecksum
	V2JSONAreaDatashift
}

type V2JSONAreaRaw 

type V2JSONAreaRaw struct {
	Encryption string `json:"encryption"`
	KeySize    int    `json:"key_size"`
}

type V2JSONConfig 

type V2JSONConfig struct {
	JsonSize     int      `json:"json_size,string"`
	KeyslotsSize int      `json:"keyslots_size,string,omitempty"`
	Flags        []string `json:"flags,omitempty"` // one or more of "allow-discards", "same-cpu-crypt", "submit-from-crypt-cpus", "no-journal", "no-read-workqueue", "no-write-workqueue"
	Requirements []string `json:"requirements,omitempty"`
}

type V2JSONDigest 

type V2JSONDigest struct {
	Type                string   `json:"type"`
	Keyslots            []string `json:"keyslots"`
	Segments            []string `json:"segments"`
	Salt                []byte   `json:"salt"`
	Digest              []byte   `json:"digest"`
	*V2JSONDigestPbkdf2          // type == "pbkdf2"
}

type V2JSONDigestPbkdf2 

type V2JSONDigestPbkdf2 struct {
	Hash       string `json:"hash"`
	Iterations int    `json:"iterations"`
}

type V2JSONKdf 

type V2JSONKdf struct {
	Type              string `json:"type"`
	Salt              []byte `json:"salt"`
	*V2JSONKdfPbkdf2         // type = "pbkdf2"
	*V2JSONKdfArgon2i        // type = "argon2i" or type = "argon2id"
}

type V2JSONKdfArgon2i 

type V2JSONKdfArgon2i struct {
	Time   int `json:"time"`
	Memory int `json:"memory"`
	CPUs   int `json:"cpus"`
}

type V2JSONKdfPbkdf2 

type V2JSONKdfPbkdf2 struct {
	Hash       string `json:"hash"`
	Iterations int    `json:"iterations"`
}

type V2JSONKeyslot 

type V2JSONKeyslot struct {
	Type                    string                 `json:"type"`
	KeySize                 int                    `json:"key_size"`
	Area                    V2JSONArea             `json:"area"`
	Priority                *V2JSONKeyslotPriority `json:"priority,omitempty"`
	*V2JSONKeyslotLUKS2                            // type = "luks2"
	*V2JSONKeyslotReencrypt                        // type = "reencrypt"
}

type V2JSONKeyslotLUKS2 

type V2JSONKeyslotLUKS2 struct {
	AF  V2JSONAF  `json:"af"`
	Kdf V2JSONKdf `json:"kdf"`
}

type V2JSONKeyslotPriority 

type V2JSONKeyslotPriority int

func (V2JSONKeyslotPriority) String 

func (p V2JSONKeyslotPriority) String() string

type V2JSONKeyslotReencrypt 

type V2JSONKeyslotReencrypt struct {
	Mode      string `json:"mode"`      // only "reencrypt", "encrypt", "decrypt"
	Direction string `json:"direction"` // only "forward", "backward"
}

type V2JSONSegment 

type V2JSONSegment struct {
	Type                string              `json:"type"` // only "linear", "crypt"
	Offset              string              `json:"offset"`
	Size                string              `json:"size"` // numeric value or "dynamic"
	Flags               []string            `json:"flags,omitempty"`
	*V2JSONSegmentCrypt `json:",omitempty"` // type = "crypt"
}

type V2JSONSegmentCrypt 

type V2JSONSegmentCrypt struct {
	IVTweak    int                     `json:"iv_tweak,string"`
	Encryption string                  `json:"encryption"`
	SectorSize int                     `json:"sector_size"` // 512 or 1024 or 2048 or 4096
	Integrity  *V2JSONSegmentIntegrity `json:"integrity,omitempty"`
}

type V2JSONSegmentIntegrity 

type V2JSONSegmentIntegrity struct {
	Type              string `json:"type"`
	JournalEncryption string `json:"journal_encryption"`
	JournalIntegrity  string `json:"journal_integrity"`
}

type V2JSONToken 

type V2JSONToken struct {
	Type                     string   `json:"type"` // "luks2-keyring"
	Keyslots                 []string `json:"keyslots,omitempty"`
	*V2JSONTokenLUKS2Keyring          // type == "luks2-keyring"
}

type V2JSONTokenLUKS2Keyring 

type V2JSONTokenLUKS2Keyring struct {
	KeyDescription string `json:"key_description"`
}

Source Files

View all Source files

Directories

Path Synopsis
cmd
luksy

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.