[Libguestfs] [PATCH] New API: cryptsetup_reencrypt: change the master volume key on LUKS partitions.

Richard W.M. Jones rjones at redhat.com
Fri Dec 2 17:04:31 UTC 2016 

Note that cryptsetup-reencrypt is a separate package on Fedora, but is
already part of the appliance on Debian/Ubuntu.
---
 appliance/packagelist.in |  1 +
 daemon/luks.c            | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 generator/actions.ml     | 18 ++++++++++++++++++
 gobject/Makefile.inc     |  2 ++
 src/MAX_PROC_NR          |  2 +-
 5 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/appliance/packagelist.in b/appliance/packagelist.in
index bbbe4b2..485e9cd 100644
--- a/appliance/packagelist.in
+++ b/appliance/packagelist.in
@@ -26,6 +26,7 @@ ifelse(REDHAT,1,
   augeas-libs
   cryptsetup
   cryptsetup-luks      dnl old name used before Fedora 17
+  cryptsetup-reencrypt
   dhclient
   genisoimage
   gfs-utils
diff --git a/daemon/luks.c b/daemon/luks.c
index 53bb820..440caa2 100644
--- a/daemon/luks.c
+++ b/daemon/luks.c
@@ -29,6 +29,7 @@
 #define MAX_ARGS 64
 
 GUESTFSD_EXT_CMD(str_cryptsetup, cryptsetup);
+GUESTFSD_EXT_CMD(str_cryptsetup_reencrypt, cryptsetup_reencrypt);
 
 int
 optgroup_luks_available (void)
@@ -294,3 +295,48 @@ do_luks_kill_slot (const char *device, const char *key, int keyslot)
 
   return 0;
 }
+
+int
+optgroup_luksreencrypt_available (void)
+{
+  return prog_exists (str_cryptsetup_reencrypt);
+}
+
+/* Takes optional arguments, consult optargs_bitmask. */
+int
+do_cryptsetup_reencrypt (const char *device, const char *key, int keyslot,
+                         const char *cipher)
+{
+  const char *argv[MAX_ARGS];
+  size_t i = 0;
+  char keyslot_s[16];
+
+  char *tempfile = write_key_to_temp (key);
+  if (!tempfile)
+    return -1;
+
+  ADD_ARG (argv, i, str_cryptsetup_reencrypt);
+  ADD_ARG (argv, i, "-q");
+  if ((optargs_bitmask & GUESTFS_CRYPTSETUP_REENCRYPT_CIPHER_BITMASK)) {
+    ADD_ARG (argv, i, "-c");
+    ADD_ARG (argv, i, cipher);
+  }
+  ADD_ARG (argv, i, "-d");
+  ADD_ARG (argv, i, tempfile);
+  ADD_ARG (argv, i, "-S");
+  snprintf (keyslot_s, sizeof keyslot_s, "%d", keyslot);
+  ADD_ARG (argv, i, keyslot_s);
+  ADD_ARG (argv, i, device);
+  ADD_ARG (argv, i, NULL);
+
+  CLEANUP_FREE char *err = NULL;
+  int r = commandv (NULL, &err, (const char * const *) argv);
+  remove_temp (tempfile);
+
+  if (r == -1) {
+    reply_with_error ("%s", err);
+    return -1;
+  }
+
+  return 0;
+}
diff --git a/generator/actions.ml b/generator/actions.ml
index 43de38b..057db8f 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -13265,6 +13265,24 @@ is removed." };
     shortdesc = "search the entries associated to the given inode";
     longdesc = "Internal function for find_inode." };
 
+  { defaults with
+    name = "cryptsetup_reencrypt"; added = (1, 35, 15);
+    style = RErr, [Device "device"; Key "key"; Int "keyslot"], [OString "cipher"];
+    proc_nr = Some 471;
+    optional = Some "luksreencrypt";
+    shortdesc = "change the master volume key on a LUKS partition";
+    longdesc = "\
+This reencrypts a LUKS device with a new random master volume key,
+using the L<cryptsetup-reencrypt(8)> tool.  A new passphrase C<key>
+is added in key slot C<keyslot>, and all other keyslots are erased.
+
+With no optional parameters, the same type of cipher is used.  To
+change to a different cipher, supply the optional C<cipher> parameter.
+
+This command has to rewrite the entire C<device>, and so is both
+long running and will destroy all the data on the device if the
+operation is interrupted." };
+
 ]
 
 (* Non-API meta-commands available only in guestfish.
diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc
index 149e4c6..bb1ee3a 100644
--- a/gobject/Makefile.inc
+++ b/gobject/Makefile.inc
@@ -68,6 +68,7 @@ guestfs_gobject_headers= \
   include/guestfs-gobject/optargs-copy_file_to_device.h \
   include/guestfs-gobject/optargs-copy_file_to_file.h \
   include/guestfs-gobject/optargs-cpio_out.h \
+  include/guestfs-gobject/optargs-cryptsetup_reencrypt.h \
   include/guestfs-gobject/optargs-disk_create.h \
   include/guestfs-gobject/optargs-download_blocks.h \
   include/guestfs-gobject/optargs-e2fsck.h \
@@ -159,6 +160,7 @@ guestfs_gobject_sources= \
   src/optargs-copy_file_to_device.c \
   src/optargs-copy_file_to_file.c \
   src/optargs-cpio_out.c \
+  src/optargs-cryptsetup_reencrypt.c \
   src/optargs-disk_create.c \
   src/optargs-download_blocks.c \
   src/optargs-e2fsck.c \
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index 5f476b6..c305aa5 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-470
+471
-- 
2.10.2

More information about the Libguestfs mailing list