cryptsetup

package module
Published: Aug 31, 2023 License: BSD-2-Clause Imports: 5 Imported by: 0

README

Pure Go bindings for libcryptsetup

This project is a drop-in replacement for the excellent go-cryptsetup library, using dlopen / dlsym to load the libcryptsetup library at runtime. This allows the code to be compiled on systems without libcryptsetup installed, and to be used with different versions of libcryptsetup.

This method of runtime discovery is also used by systemd.

Please refer to the original project for documentation and examples.

Warning

This project is work in progress and not yet ready for production use.

Documentation


Constants

// Activation flags for the Device.ActivateBy* methods. They form a bitmask
// and are combined with |. Flags marked "output only" are reported back by
// the library and have no effect when passed in.
const (
	// Map the device read only.
	CRYPT_ACTIVATE_READONLY = 1 << 0
	// Only reported for a device without a UUID (output only).
	CRYPT_ACTIVATE_NO_UUID = 1 << 1
	// Activate even if exclusive access cannot be granted. Dangerous:
	// two writers on the same backing device can corrupt it.
	CRYPT_ACTIVATE_SHARED = 1 << 2
	// Enable discards (TRIM). Note that discards reveal which blocks of the
	// encrypted device are unused.
	CRYPT_ACTIVATE_ALLOW_DISCARDS = 1 << 3
	// Skip global udev rules during activation ("private device"), input only.
	CRYPT_ACTIVATE_PRIVATE = 1 << 4
	// Corruption was detected (verity), output only.
	CRYPT_ACTIVATE_CORRUPTED = 1 << 5
	// Use the same_cpu_crypt option of dm-crypt.
	CRYPT_ACTIVATE_SAME_CPU_CRYPT = 1 << 6
	// Use the submit_from_crypt_cpus option of dm-crypt.
	CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS = 1 << 7
	// dm-verity ignore_corruption: only log corruption instead of failing
	// the read. This removes verity's integrity guarantee.
	CRYPT_ACTIVATE_IGNORE_CORRUPTION = 1 << 8
	// dm-verity restart_on_corruption: restart the kernel on corruption.
	CRYPT_ACTIVATE_RESTART_ON_CORRUPTION = 1 << 9
	// dm-verity ignore_zero_blocks: do not verify all-zero blocks.
	CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS = 1 << 10
	// Load the key into the kernel keyring instead of passing it to
	// dm-crypt directly.
	CRYPT_ACTIVATE_KEYRING_KEY = 1 << 11
	// dm-integrity: direct writes, bypass the journal.
	CRYPT_ACTIVATE_NO_JOURNAL = 1 << 12
	// dm-integrity recovery mode: no journal and no integrity checks.
	CRYPT_ACTIVATE_RECOVERY = 1 << 13
	// Ignore the activation flags stored persistently in the header.
	CRYPT_ACTIVATE_IGNORE_PERSISTENT = 1 << 14
)

// Wildcard selectors for keyslots and tokens.
const (
	// Iterate through all keyslots and use the first one that fits.
	CRYPT_ANY_SLOT = -1
	// Iterate through all tokens.
	CRYPT_ANY_TOKEN = -1
)

// Flags for Device.Deactivate.
const (
	// Lazy deactivation: remove the mapping once its last user releases it.
	CRYPT_DEACTIVATE_DEFERRED = 1 << 0
	// Forced deactivation: a busy device is replaced by an error target.
	CRYPT_DEACTIVATE_FORCE = 1 << 1
)

// Debug levels for SetDebugLevel.
const (
	CRYPT_DEBUG_NONE = 0  // no debug output
	CRYPT_DEBUG_ALL  = -1 // debug everything
)

// Library log levels. Debug output goes to stdout and may include
// header details, so keep it off in production.
const (
	CRYPT_LOG_NORMAL  = 0
	CRYPT_LOG_ERROR   = 1
	CRYPT_LOG_VERBOSE = 2
	CRYPT_LOG_DEBUG   = -1
)

// Device type names as returned by Device.Type and DeviceType.Name.
const (
	CRYPT_PLAIN     = "PLAIN"     // plain dm-crypt device, no on-disk header
	CRYPT_LUKS1     = "LUKS1"     // LUKS version 1 on-disk header
	CRYPT_LUKS2     = "LUKS2"     // LUKS version 2 on-disk header
	CRYPT_LOOPAES   = "LOOPAES"   // loop-AES compatibility mode
	CRYPT_VERITY    = "VERITY"    // dm-verity mode
	CRYPT_TCRYPT    = "TCRYPT"    // TrueCrypt- and VeraCrypt-compatible mode
	CRYPT_INTEGRITY = "INTEGRITY" // dm-integrity device
)

// Key derivation function names for PbkdfType.Type.
const (
	CRYPT_KDF_PBKDF2   = "pbkdf2"   // PBKDF2 per RFC 2898; LUKS1 legacy
	CRYPT_KDF_ARGON2I  = "argon2i"  // Argon2i per the RFC
	CRYPT_KDF_ARGON2ID = "argon2id" // Argon2id per the RFC
)

// Flags for PbkdfType.Flags.
const (
	// Iteration time was set via crypt_set_iteration_time(); compatibility only.
	CRYPT_PBKDF_ITER_TIME_SET = 1 << 0
	// Never benchmark; use the preset values or defaults. Presets chosen
	// without benchmarking can be far weaker than the calibrated ones.
	CRYPT_PBKDF_NO_BENCHMARK = 1 << 1
)

// Keyfile handling: read the key only up to the first end of line (\n).
const CRYPT_KEYFILE_STOP_EOL = 1 << 0

// LUKS2 header requirement flags.
const (
	// An offline reencryption is unfinished.
	CRYPT_REQUIREMENT_OFFLINE_REENCRYPT = 1 << 0
	// The header carries a requirement this library does not know (output only).
	CRYPT_REQUIREMENT_UNKNOWN = 1 << 31
)

// Random number generator selection.
const (
	CRYPT_RNG_URANDOM = 0 // use /dev/urandom
	CRYPT_RNG_RANDOM  = 1 // use /dev/random (blocks when the system lacks entropy)
)

// TCRYPT header scanning flags.
const (
	CRYPT_TCRYPT_LEGACY_MODES  = 1 << 0 // include legacy modes when scanning for a header
	CRYPT_TCRYPT_HIDDEN_HEADER = 1 << 1 // try to load the hidden header (hidden device)
	CRYPT_TCRYPT_BACKUP_HEADER = 1 << 2 // try to load the backup header
	CRYPT_TCRYPT_SYSTEM_HEADER = 1 << 3 // device holds an encrypted system (with boot loader)
	// Include VeraCrypt modes when scanning; all other TCRYPT flags still
	// apply, and a VeraCrypt device is reported as type TCRYPT.
	CRYPT_TCRYPT_VERA_MODES = 1 << 4
)

// dm-verity flags.
const (
	CRYPT_VERITY_NO_HEADER   = 1 << 0 // no on-disk header, only hashes
	CRYPT_VERITY_CHECK_HASH  = 1 << 1 // verify the hash tree in userspace before activation
	CRYPT_VERITY_CREATE_HASH = 1 << 2 // create the hash tree (format the hash device)
)

// Create a keyslot whose volume key is not bound to the current dm-crypt segment.
const CRYPT_VOLUME_KEY_NO_SEGMENT = 1 << 0

// Flag for Device.Wipe. NOTE(review): the name says "no direct I/O" while
// the original comment reads "use direct-io"; confirm the intended meaning
// against libcryptsetup.h before relying on either reading.
const CRYPT_WIPE_NO_DIRECT_IO = 1 << 0

// Wipe patterns for Device.Wipe.
const (
	CRYPT_WIPE_ZERO           = 0 // fill with zeroes
	CRYPT_WIPE_RANDOM         = 1 // fill with RNG output
	CRYPT_WIPE_ENCRYPTED_ZERO = 2 // add encryption and fill with zeroes as plaintext
	CRYPT_WIPE_SPECIAL        = 3 // compatibility only, do not use (Gutmann method)
)
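// Token states reported by Device.TokenStatus through its TokenInfo result.
// The values mirror libcryptsetup's crypt_token_info enum, whose members are
// numbered consecutively from 0. CRYPT_TOKEN_INTERNAL previously shared the
// value 0x3 with CRYPT_TOKEN_INTERNAL_UNKNOWN, so a token with a missing
// driver compared equal to a healthy internal token; it is now 0x2.
const (
	// Token is invalid.
	CRYPT_TOKEN_INVALID = 0x0
	// Token is empty (free).
	CRYPT_TOKEN_INACTIVE = 0x1
	// Active internal token with a driver.
	CRYPT_TOKEN_INTERNAL = 0x2
	// Active internal token (reserved name) whose token driver is missing.
	CRYPT_TOKEN_INTERNAL_UNKNOWN = 0x3
	// Active external (user defined) token with a driver.
	CRYPT_TOKEN_EXTERNAL = 0x4
	// Active external (user defined) token whose token driver is missing.
	CRYPT_TOKEN_EXTERNAL_UNKNOWN = 0x5
)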

Variables

This section is empty.

Functions

func SetDebugLevel

func SetDebugLevel(debugLevel int)

SetDebugLevel sets the debug level for the library. C equivalent: crypt_set_debug_level

Types

type Device

// Device is a handle to a libcryptsetup 'crypt_device' context. Obtain one
// with Init or InitByName, and call Free when done so the C-side context and
// its memory (which may include key material) are released. The unexported
// fields are an implementation detail and not part of the API.
type Device struct {
	// contains filtered or unexported fields
}

Device is a handle to the crypto device. It encapsulates libcryptsetup's 'crypt_device' struct.

func Init

func Init(devicePath string) (*Device, error)

Init initializes a crypt device backed by 'devicePath'. Returns a pointer to the newly allocated Device or any error encountered. C equivalent: crypt_init

func InitByName

func InitByName(name string) (*Device, error)

InitByName initializes a crypt device from provided active device 'name'. Returns a pointer to the newly allocated Device or any error encountered. C equivalent: crypt_init_by_name

func (*Device) ActivateByPassphrase

func (device *Device) ActivateByPassphrase(deviceName string, keyslot int, passphrase string, flags int) error

ActivateByPassphrase activates a device by using a passphrase from a specific keyslot. If deviceName is empty, only the passphrase is checked. Returns nil on success, or an error otherwise. C equivalent: crypt_activate_by_passphrase

func (*Device) ActivateByToken

func (device *Device) ActivateByToken(deviceName string, token int, usrptr string, flags int) error

ActivateByToken activates a device or checks key using a token. C equivalent: crypt_activate_by_token

func (*Device) ActivateByVolumeKey

func (device *Device) ActivateByVolumeKey(deviceName string, volumeKey string, volumeKeySize int, flags int) error

ActivateByVolumeKey activates a device by using a volume key. If deviceName is empty, only the volume key is checked. Returns nil on success, or an error otherwise. C equivalent: crypt_activate_by_volume_key

func (*Device) Deactivate

func (device *Device) Deactivate(deviceName string) error

Deactivate deactivates a device. Returns nil on success, or an error otherwise. C equivalent: crypt_deactivate

func (*Device) Dump

func (device *Device) Dump() int

C equivalent: crypt_dump

func (*Device) Format

func (device *Device) Format(deviceType DeviceType, genericParams GenericParams) error

Format formats a Device, using a specific device type, and type-independent parameters. Returns nil on success, or an error otherwise. C equivalent: crypt_format

func (*Device) Free

func (device *Device) Free() bool

Free releases crypt device context and used memory. C equivalent: crypt_free

func (*Device) GetDeviceName

func (device *Device) GetDeviceName() string

GetDeviceName gets the path to the underlying device. C equivalent: crypt_get_device_name

func (*Device) GetUUID

func (device *Device) GetUUID() string

GetUUID gets the device's UUID. C equivalent: crypt_get_uuid

func (*Device) KeyslotAddByPassphrase

func (device *Device) KeyslotAddByPassphrase(keyslot int, currentPassphrase string, newPassphrase string) error

KeyslotAddByPassphrase adds a key slot using a previously added passphrase to perform the required security check. Returns nil on success, or an error otherwise. C equivalent: crypt_keyslot_add_by_passphrase

func (*Device) KeyslotAddByVolumeKey

func (device *Device) KeyslotAddByVolumeKey(keyslot int, volumeKey string, passphrase string) error

KeyslotAddByVolumeKey adds a key slot using a volume key to perform the required security check. Returns nil on success, or an error otherwise. C equivalent: crypt_keyslot_add_by_volume_key

func (*Device) KeyslotChangeByPassphrase

func (device *Device) KeyslotChangeByPassphrase(currentKeyslot int, newKeyslot int, currentPassphrase string, newPassphrase string) error

KeyslotChangeByPassphrase changes a defined key slot, using a previously added passphrase to perform the required security check. Returns nil on success, or an error otherwise. C equivalent: crypt_keyslot_change_by_passphrase

func (*Device) Load

func (device *Device) Load(deviceType DeviceType) error

Load loads crypt device parameters from the device type parameters if it is specified, otherwise it loads the device from the on-disk header. Returns nil on success, or an error otherwise. C equivalent: crypt_load

func (*Device) Resize

func (device *Device) Resize(name string, newSize uint64) error

Resize resizes the crypt device. Set newSize to 0 to use all of the underlying device size. Returns nil on success, or an error otherwise. C equivalent: crypt_resize

func (*Device) TokenAssignKeyslot

func (device *Device) TokenAssignKeyslot(token int, keyslot int) error

TokenAssignKeyslot assigns a token to a particular keyslot. (There can be more keyslots assigned to one token id.) Use CRYPT_ANY_TOKEN to assign all tokens to the keyslot. Use CRYPT_ANY_SLOT to assign all active keyslots to the token. C equivalent: crypt_token_assign_keyslot

func (*Device) TokenIsAssigned

func (device *Device) TokenIsAssigned(token int, keyslot int) error

TokenIsAssigned gets info about token assignment to particular keyslot. C equivalent: crypt_token_is_assigned

func (*Device) TokenJSONGet

func (device *Device) TokenJSONGet(token int) (string, error)

TokenJSONGet gets content of a token definition in JSON format. C equivalent: crypt_token_json_get

func (*Device) TokenJSONSet

func (device *Device) TokenJSONSet(token int, json string) (int, error)

TokenJSONSet stores content of a token definition in JSON format. Use CRYPT_ANY_TOKEN to allocate new one. Returns allocated token ID on success, or an error otherwise. C equivalent: crypt_token_json_set

func (*Device) TokenLUKS2KeyRingGet

func (device *Device) TokenLUKS2KeyRingGet(token int) (TokenParamsLUKS2Keyring, error)

TokenLUKS2KeyRingGet gets LUKS2 keyring token params. C equivalent: crypt_token_luks2_keyring_get

func (*Device) TokenLUKS2KeyRingSet

func (device *Device) TokenLUKS2KeyRingSet(token int, params TokenParamsLUKS2Keyring) (int, error)

TokenLUKS2KeyRingSet creates a new luks2 keyring token. C equivalent: crypt_token_luks2_keyring_set

func (*Device) TokenStatus

func (device *Device) TokenStatus(token int) (string, TokenInfo)

TokenStatus gets info for a specific token. On success, returns the token type as a string. C equivalent: crypt_token_status

func (*Device) TokenUnassignKeyslot

func (device *Device) TokenUnassignKeyslot(token int, keyslot int) error

TokenUnassignKeyslot unassigns a token from a particular keyslot. There can be more keyslots assigned to one token id. Use CRYPT_ANY_TOKEN to unassign all tokens from the keyslot. Use CRYPT_ANY_SLOT to unassign all active keyslots from the token. C equivalent: crypt_token_unassign_keyslot

func (*Device) Type

func (device *Device) Type() string

Type returns the device's type as a string. Returns an empty string if the information is not available.

func (*Device) VolumeKeyGet

func (device *Device) VolumeKeyGet(keyslot int, passphrase string) ([]byte, int, error)

VolumeKeyGet gets the volume key from a crypt device. Returns a slice of bytes containing the volume key and the unlocked key slot number, or an error otherwise. C equivalent: crypt_volume_key_get

func (*Device) Wipe

func (device *Device) Wipe(devicePath string, pattern int, offset, length uint64, wipeBlockSize, flags int, progress func(size, offset uint64) int) error

Wipe wipes/fills (part of) a device with the selected pattern. Returns nil on success, or an error otherwise. C equivalent: crypt_wipe

type DeviceType

// DeviceType is implemented by every on-disk format this package can pass to
// Device.Format and Device.Load (LUKS1, LUKS2 and Plain in this package).
type DeviceType interface {
	// Name returns the libcryptsetup type name, one of the CRYPT_LUKS1,
	// CRYPT_LUKS2, CRYPT_PLAIN, ... string constants.
	Name() string
	// Unmanaged returns a pointer to the C-side parameter struct for this
	// type together with a function to call once the pointer is no longer
	// needed. NOTE(review): the release contract is inferred from the
	// signature — confirm against the LUKS1/LUKS2/Plain implementations.
	Unmanaged() (unsafe.Pointer, func())
}

DeviceType is the interface that all device types must implement.

type Error

// Error is returned when a libcryptsetup call fails. It records the name of
// the C function that failed and its return value (see Code); callers can
// recover it with errors.As.
type Error struct {
	// contains filtered or unexported fields
}

Error holds the name and the return value of a libcryptsetup function that was executed with an error.

func (*Error) Code

func (e *Error) Code() int

Code returns the error code returned by a libcryptsetup function.

func (*Error) Error

func (e *Error) Error() string

type GenericParams

// GenericParams are the device-type-independent arguments to Device.Format
// (the cipher, mode, UUID and volume-key arguments of crypt_format).
//
// VolumeKey is raw key material held in a Go string; strings are immutable,
// so it cannot be zeroed after use and may linger in memory until garbage
// collected. Prefer leaving it empty and letting the library generate the
// key unless a caller-supplied key is required. NOTE(review): "empty means
// library-generated" is inferred from crypt_format's semantics — confirm in
// the Format wrapper.
type GenericParams struct {
	Cipher        string // cipher name, e.g. the "aes" of "aes-xts-plain64"
	CipherMode    string // cipher mode, e.g. "xts-plain64"
	UUID          string // UUID for the new header; empty presumably lets the library choose one
	VolumeKey     string // optional caller-supplied volume key (see note above)
	VolumeKeySize int    // volume key size in bytes
}

GenericParams are device type independent parameters that are used to manipulate devices in various ways.

type IntegrityParams

// IntegrityParams carries the dm-integrity settings used when formatting a
// LUKS2 device with an integrity profile (see LUKS2.IntegrityParams).
// NOTE(review): the layout looks like libcryptsetup's crypt_params_integrity;
// the units (bytes for JournalSize, percent for JournalWatermark,
// milliseconds for JournalCommitTime, sectors for the geometry fields) are
// assumed from that struct and should be confirmed against the C header.
// The *Key fields hold key material in Go strings, which cannot be zeroed
// after use.
type IntegrityParams struct {
	// Journal size and flush policy.
	JournalSize       uint64
	JournalWatermark  uint
	JournalCommitTime uint

	// On-disk layout of data sectors and their integrity tags.
	InterleaveSectors uint32
	TagSize           uint32
	SectorSize        uint32
	BufferSectors     uint32

	// Data integrity algorithm name and the size of its key.
	Integrity        string
	IntegrityKeySize uint32

	// Optional integrity protection of the journal itself.
	JournalIntegrity        string
	JournalIntegrityKey     string
	JournalIntegrityKeySize uint32

	// Optional encryption of the journal.
	JournalCrypt        string
	JournalCryptKey     string
	JournalCryptKeySize uint32
}

type LUKS1

// LUKS1 holds the type-specific parameters for formatting a LUKS1 device;
// Name reports CRYPT_LUKS1. NOTE(review): the fields appear to mirror
// libcryptsetup's crypt_params_luks1 (hash, data_alignment, data_device) —
// confirm against the C header.
type LUKS1 struct {
	Hash          string // hash algorithm used by the LUKS1 header
	DataAlignment int    // data alignment, presumably in sectors; 0 selects the library default
	DataDevice    string // path of a detached data device; empty when header and data share a device
}

LUKS1 is the struct used to manipulate LUKS1 devices.

func (LUKS1) Name

func (luks1 LUKS1) Name() string

Name returns the LUKS1 device type name as a string.

func (LUKS1) Unmanaged

func (luks1 LUKS1) Unmanaged() (unsafe.Pointer, func())

Unmanaged is used to specialize LUKS1.

type LUKS2

// LUKS2 holds the type-specific parameters for formatting a LUKS2 device;
// Name reports CRYPT_LUKS2. PBKDFType controls how expensive it is to
// brute-force the passphrase protecting each keyslot; a nil value presumably
// leaves the library default in place. NOTE(review): the fields appear to
// mirror libcryptsetup's crypt_params_luks2 — confirm against the C header.
type LUKS2 struct {
	PBKDFType       *PbkdfType       // key derivation settings for keyslots; nil for the library default
	Integrity       string           // dm-integrity profile name, empty for none
	IntegrityParams *IntegrityParams // dm-integrity tuning; used with Integrity
	DataAlignment   int              // data alignment, presumably in sectors; 0 for the default
	DataDevice      string           // path of a detached data device; empty when header and data share a device
	SectorSize      uint32           // encryption sector size
	Label           string           // free-form header label
	Subsystem       string           // free-form header subsystem string
}

LUKS2 is the struct used to manipulate LUKS2 devices.

func (LUKS2) Name

func (luks2 LUKS2) Name() string

Name returns the LUKS2 device type name as a string.

func (LUKS2) Unmanaged

func (luks2 LUKS2) Unmanaged() (unsafe.Pointer, func())

Unmanaged is used to specialize LUKS2.

type PbkdfType

// PbkdfType selects and tunes the key derivation function that protects a
// LUKS2 keyslot (presumably libcryptsetup's crypt_pbkdf_type). Lowering
// TimeMs, Iterations or MaxMemoryKb makes offline guessing of the passphrase
// cheaper, and CRYPT_PBKDF_NO_BENCHMARK in Flags disables the runtime
// calibration that would otherwise pick safe values.
type PbkdfType struct {
	Type            string // CRYPT_KDF_PBKDF2, CRYPT_KDF_ARGON2I or CRYPT_KDF_ARGON2ID
	Hash            string // hash algorithm name used by the KDF
	TimeMs          uint32 // target derivation time in milliseconds used when benchmarking
	Iterations      uint32 // explicit iteration count / cost; 0 presumably lets the library choose
	MaxMemoryKb     uint32 // Argon2 memory cost in KiB
	ParallelThreads uint32 // Argon2 parallelism
	Flags           uint32 // bitmask of CRYPT_PBKDF_* flags
}

type Plain

// Plain describes a PLAIN device (CRYPT_PLAIN): there is no on-disk header,
// so nothing verifies the passphrase or these parameters — a wrong value
// yields unreadable data rather than an error, and every value must be
// supplied identically on each activation. NOTE(review): the fields appear
// to mirror libcryptsetup's crypt_params_plain; Offset, Skip and Size are
// presumably in sectors — confirm against the C header.
type Plain struct {
	Hash       string // hash applied to the passphrase to derive the key
	Offset     uint64 // start of the encrypted data on the device
	Skip       uint64 // IV offset
	Size       uint64 // size of the mapped device; 0 presumably means the whole device
	SectorSize uint32 // encryption sector size
}

func (Plain) Name

func (plain Plain) Name() string

Name returns the PLAIN device type name as a string.

func (Plain) Unmanaged

func (plain Plain) Unmanaged() (unsafe.Pointer, func())

type TokenInfo

// TokenInfo is the token state returned by Device.TokenStatus; its values
// are the CRYPT_TOKEN_* constants.
type TokenInfo int

TokenInfo is an enum type for token information.

type TokenParamsLUKS2Keyring

// TokenParamsLUKS2Keyring holds the parameters of a LUKS2 keyring token as
// read by Device.TokenLUKS2KeyRingGet and written by
// Device.TokenLUKS2KeyRingSet.
type TokenParamsLUKS2Keyring struct {
	// KeyDescription is the kernel keyring description of the key that
	// unlocks the keyslot.
	KeyDescription string
}

TokenParamsLUKS2Keyring defines LUKS2 keyring token parameters.

Directories

Path Synopsis
internal
