Implement VeraCrypt volume handling in crypttab (#4501)

This introduces a new option, `tcrypt-veracrypt`, that sets the corresponding VeraCrypt flag in the flags passed to cryptsetup.
2024-12-22 17:35:35 +03:00 · 2016-10-30 09:25:31 -05:00 · 2016-10-30 09:25:31 -05:00 · 52028838a1
commit 52028838a1
parent 0470289b6e
2 changed files with 25 additions and 0 deletions
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@ -326,6 +326,17 @@
        option implies <option>tcrypt</option>.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>tcrypt-veracrypt</option></term>
+
+        <listitem><para>Check for a VeraCrypt volume.  VeraCrypt is a fork of
+        TrueCrypt that is mostly compatible, but uses different, stronger key
+        derivation algorithms that cannot be detected without this flag.
+        Enabling this option could substantially slow down unlocking, because
+        VeraCrypt's key derivation takes much longer than TrueCrypt's.  This
+        option implies <option>tcrypt</option>.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>timeout=</option></term>

--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@ -52,6 +52,7 @@ static bool arg_verify = false;
 static bool arg_discards = false;
 static bool arg_tcrypt_hidden = false;
 static bool arg_tcrypt_system = false;
+static bool arg_tcrypt_veracrypt = false;
 static char **arg_tcrypt_keyfiles = NULL;
 static uint64_t arg_offset = 0;
 static uint64_t arg_skip = 0;
@ -179,6 +180,14 @@ static int parse_one_option(const char *option) {
        } else if (streq(option, "tcrypt-system")) {
                arg_type = CRYPT_TCRYPT;
                arg_tcrypt_system = true;
+        } else if (streq(option, "tcrypt-veracrypt")) {
+#ifdef CRYPT_TCRYPT_VERA_MODES
+                arg_type = CRYPT_TCRYPT;
+                arg_tcrypt_veracrypt = true;
+#else
+                log_error("This version of cryptsetup does not support tcrypt-veracrypt; refusing.");
+                return -EINVAL;
+#endif
        } else if (STR_IN_SET(option, "plain", "swap", "tmp"))
                arg_type = CRYPT_PLAIN;
        else if (startswith(option, "timeout=")) {
@ -441,6 +450,11 @@ static int attach_tcrypt(
        if (arg_tcrypt_system)
                params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;

+#ifdef CRYPT_TCRYPT_VERA_MODES
+        if (arg_tcrypt_veracrypt)
+                params.flags |= CRYPT_TCRYPT_VERA_MODES;
+#endif
+
        if (key_file) {
                r = read_one_line_file(key_file, &passphrase);
                if (r < 0) {