cryptsetup: Add LUKS2 token support.

LUKS2 supports so-called tokens. The libcryptsetup internally support keyring token (it tries to open device using specified keyring entry). Only if all token fails (or are not available), it uses a passphrase. This patch aligns the functionality with the cryptsetup utility (cryptsetup luksOpen tries tokens first) but does not replace the systemd native ask-password function (can be used the same in combination with this patch).
2025-01-10 01:17:44 +03:00 · 2019-05-27 09:44:14 +02:00 · 2019-05-27 09:44:14 +02:00 · 894bb3ca4c
commit 894bb3ca4c
parent ea9a9d49e4
1 changed files with 12 additions and 0 deletions
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@ -715,6 +715,18 @@ static int run(int argc, char *argv[]) {
                                if (r < 0)
                                        return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
                        }
+#ifdef CRYPT_ANY_TOKEN
+                        /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
+                        if (!key_file) {
+                                r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
+                                if (r >= 0) {
+                                        log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
+                                        return 0;
+                                }
+
+                                log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
+                        }
+#endif
                }

                for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {