| Top | |
|
|
|
A plugin for operations with encrypted devices. For now, only LUKS devices are supported.
Functions taking a parameter called "device" require the backing device to be passed. On the other hand functions taking the "luks_device" parameter require the LUKS device (/dev/mapper/SOMETHING").
Sizes are given in bytes unless stated otherwise.
void
bd_crypto_close (void);
Cleans up after the plugin. **This function is called automatically by the library's functions that unload it.**
gboolean
bd_crypto_init (void);
Initializes the plugin. **This function is called automatically by the library's initialization functions.**
gchar *
bd_crypto_generate_backup_passphrase (GError **error);
A newly generated BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH-long passphrase.
See BD_CRYPTO_BACKUP_PASSPHRASE_CHARSET for the definition of the charset used for the passphrase.
Tech category: always available
gboolean bd_crypto_device_is_luks (const gchar *device,GError **error);
TRUE if the given device
is a LUKS device or FALSE if not or
failed to determine (the error
) is populated with the error in such
cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY
gboolean bd_crypto_device_seems_encrypted (const gchar *device,GError **error);
Determines whether a block device seems to be encrypted.
TCRYPT volumes are not easily identifiable, because they have no cleartext header, but are completely encrypted. This function is used to determine whether a block device is a candidate for being TCRYPT encrypted.
To achieve this, we calculate the chi square value of the first 512 Bytes and treat devices with a chi square value between 136 and 426 as candidates for being encrypted. For the reasoning, see: https://tails.boum.org/blueprint/veracrypt/
TRUE if the given device
seems to be encrypted or FALSE if not or
failed to determine (the error
) is populated with the error in such
cases)
Tech category: BD_CRYPTO_TECH_TRUECRYPT-BD_CRYPTO_TECH_MODE_QUERY
gchar * bd_crypto_luks_uuid (const gchar *device,GError **error);
UUID of the device
or NULL if failed to determine (error
is populated with the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY
guint64 bd_crypto_luks_get_metadata_size (const gchar *device,GError **error);
luks device metadata size of the device
or 0 if failed to determine (error
is populated
with the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY
gchar * bd_crypto_luks_status (const gchar *luks_device,GError **error);
one of "invalid", "inactive", "active" or "busy" or
NULL if failed to determine (error
is populated with the error in
such cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY.
[transfer none]
gboolean bd_crypto_luks_format (const gchar *device,const gchar *cipher,guint64 key_size,const gchar *passphrase,const gchar *key_file,guint64 min_entropy,GError **error);
Formats the given device
as LUKS according to the other parameters given. If
min_entropy
is specified (greater than 0), the function waits for enough
entropy to be available in the random data pool (WHICH MAY POTENTIALLY TAKE
FOREVER).
device |
a device to format as LUKS |
|
cipher |
cipher specification (type-mode, e.g. "aes-xts-plain64") or |
[nullable] |
key_size |
size of the volume key in bits or 0 to use the default |
|
passphrase |
a passphrase for the new LUKS device or |
[nullable] |
key_file |
a key file for the new LUKS device or |
[nullable] |
min_entropy |
minimum random data entropy (in bits) required to format |
|
error |
place to store error (if any). |
[out][optional] |
whether the given device
was successfully formatted as LUKS or not
(the error
) contains the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_CREATE
gboolean bd_crypto_luks_format_blob (const gchar *device,const gchar *cipher,guint64 key_size,const guint8 *pass_data,gsize data_len,guint64 min_entropy,GError **error);
Formats the given device
as LUKS according to the other parameters given. If
min_entropy
is specified (greater than 0), the function waits for enough
entropy to be available in the random data pool (WHICH MAY POTENTIALLY TAKE
FOREVER).
device |
a device to format as LUKS |
|
cipher |
cipher specification (type-mode, e.g. "aes-xts-plain64") or |
[nullable] |
key_size |
size of the volume key in bits or 0 to use the default |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
min_entropy |
minimum random data entropy (in bits) required to format |
|
error |
place to store error (if any). |
[out][optional] |
whether the given device
was successfully formatted as LUKS or not
(the error
) contains the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_CREATE
void
bd_crypto_luks_extra_free (BDCryptoLUKSExtra *extra);
Frees extra
.
[skip]
BDCryptoLUKSExtra *
bd_crypto_luks_extra_copy (BDCryptoLUKSExtra *extra);
Creates a new copy of extra
.
[skip]
BDCryptoLUKSExtra * bd_crypto_luks_extra_new (guint64 data_alignment,const gchar *data_device,const gchar *integrity,guint64 sector_size,const gchar *label,const gchar *subsystem,BDCryptoLUKSPBKDF *pbkdf);
[constructor]
data_alignment |
data alignment in sectors, 0 for default/auto detection |
|
data_device |
detached encrypted data device or NULL. |
[nullable] |
integrity |
integrity algorithm (e.g. "hmac-sha256") or NULL for no integrity support. |
[nullable] |
sector_size |
encryption sector size, 0 for default (512) |
|
label |
LUKS header label or NULL. |
[nullable] |
subsystem |
LUKS header subsystem or NULL. |
[nullable] |
pbkdf |
key derivation function specification or NULL for default. |
[nullable] |
void
bd_crypto_luks_pbkdf_free (BDCryptoLUKSPBKDF *pbkdf);
Frees pbkdf
.
[skip]
BDCryptoLUKSPBKDF *
bd_crypto_luks_pbkdf_copy (BDCryptoLUKSPBKDF *pbkdf);
Creates a new copy of pbkdf
.
[skip]
BDCryptoLUKSPBKDF * bd_crypto_luks_pbkdf_new (const gchar *type,const gchar *hash,guint32 max_memory_kb,guint32 iterations,guint32 time_ms,guint32 parallel_threads);
[constructor]
type |
PBKDF algorithm. |
[nullable] |
hash |
hash for LUKS header or NULL for default. |
[nullable] |
max_memory_kb |
requested memory cost (in KiB) or 0 for default (benchmark) |
|
iterations |
requested iterations or 0 for default (benchmark) |
|
time_ms |
requested time cost or 0 for default (benchmark) |
|
parallel_threads |
requested parallel cost (threads) or 0 for default (benchmark) |
gboolean bd_crypto_luks_format_luks2 (const gchar *device,const gchar *cipher,guint64 key_size,const gchar *passphrase,const gchar *key_file,guint64 min_entropy,BDCryptoLUKSVersion luks_version,BDCryptoLUKSExtra *extra,GError **error);
Formats the given device
as LUKS according to the other parameters given. If
min_entropy
is specified (greater than 0), the function waits for enough
entropy to be available in the random data pool (WHICH MAY POTENTIALLY TAKE
FOREVER).
Either passphrase
or key_file
has to be != NULL.
Using this function with luks_version
set to BD_CRYPTO_LUKS_VERSION_LUKS1 and
extra
to NULL is the same as calling bd_crypto_luks_format.
device |
a device to format as LUKS |
|
cipher |
cipher specification (type-mode, e.g. "aes-xts-plain64") or |
[nullable] |
key_size |
size of the volume key in bits or 0 to use the default |
|
passphrase |
a passphrase for the new LUKS device or |
[nullable] |
key_file |
a key file for the new LUKS device or |
[nullable] |
min_entropy |
minimum random data entropy (in bits) required to format |
|
luks_version |
whether to use LUKS v1 or LUKS v2 |
|
extra |
extra arguments for LUKS format creation. |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the given device
was successfully formatted as LUKS or not
(the error
) contains the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS2-BD_CRYPTO_TECH_MODE_CREATE
gboolean bd_crypto_luks_format_luks2_blob (const gchar *device,const gchar *cipher,guint64 key_size,const guint8 *pass_data,gsize data_len,guint64 min_entropy,BDCryptoLUKSVersion luks_version,BDCryptoLUKSExtra *extra,GError **error);
Formats the given device
as LUKS according to the other parameters given. If
min_entropy
is specified (greater than 0), the function waits for enough
entropy to be available in the random data pool (WHICH MAY POTENTIALLY TAKE
FOREVER).
Using this function with luks_version
set to BD_CRYPTO_LUKS_VERSION_LUKS1 and
extra
to NULL is the same as calling bd_crypto_luks_format_blob.
device |
a device to format as LUKS |
|
cipher |
cipher specification (type-mode, e.g. "aes-xts-plain64") or |
[nullable] |
key_size |
size of the volume key in bits or 0 to use the default |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
min_entropy |
minimum random data entropy (in bits) required to format |
|
luks_version |
whether to use LUKS v1 or LUKS v2 |
|
extra |
extra arguments for LUKS format creation. |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the given device
was successfully formatted as LUKS or not
(the error
) contains the error in such cases)
Tech category: BD_CRYPTO_TECH_LUKS2-BD_CRYPTO_TECH_MODE_CREATE
gboolean bd_crypto_luks_open (const gchar *device,const gchar *name,const gchar *passphrase,const gchar *key_file,gboolean read_only,GError **error);
device |
the device to open |
|
name |
name for the LUKS device |
|
passphrase |
passphrase to open the |
[nullable] |
key_file |
key file path to use for opening the |
[nullable] |
read_only |
whether to open as read-only or not (meaning read-write) |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
One of passphrase
, key_file
has to be != NULL.
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_luks_open_blob (const gchar *device,const gchar *name,const guint8 *pass_data,gsize data_len,gboolean read_only,GError **error);
device |
the device to open |
|
name |
name for the LUKS device |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
read_only |
whether to open as read-only or not (meaning read-write) |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_luks_close (const gchar *luks_device,GError **error);
whether the given luks_device
was successfully closed or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_luks_add_key (const gchar *device,const gchar *pass,const gchar *key_file,const gchar *npass,const gchar *nkey_file,GError **error);
whether the npass
or nkey_file
was successfully added to device
or not
One of pass
, key_file
has to be != NULL and the same applies to npass
,
nkey_file
.
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_ADD_KEY
gboolean bd_crypto_luks_add_key_blob (const gchar *device,const guint8 *pass_data,gsize data_len,const guint8 *npass_data,gsize ndata_len,GError **error);
device |
device to add new key to |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
npass_data |
a new passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=ndata_len] |
ndata_len |
length of the |
|
error |
place to store error (if any). |
[out][optional] |
whether the npass_data
was successfully added to device
or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_ADD_KEY
gboolean bd_crypto_luks_remove_key (const gchar *device,const gchar *pass,const gchar *key_file,GError **error);
whether the key was successfully removed or not
Either pass
or key_file
has to be != NULL.
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_REMOVE_KEY
gboolean bd_crypto_luks_remove_key_blob (const gchar *device,const guint8 *pass_data,gsize data_len,GError **error);
device |
device to add new key to |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data) to remove. |
[array length=data_len] |
data_len |
length of the |
|
error |
place to store error (if any). |
[out][optional] |
whether the key was successfully removed or not
Either pass
or key_file
has to be != NULL.
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_REMOVE_KEY
gboolean bd_crypto_luks_change_key (const gchar *device,const gchar *pass,const gchar *npass,GError **error);
device |
device to change key of |
|
pass |
old passphrase |
|
npass |
new passphrase |
|
error |
place to store error (if any). |
[out][optional] |
whether the key was successfully changed or not
No support for changing key files (yet).
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_ADD_KEY&BD_CRYPTO_TECH_MODE_REMOVE_KEY
gboolean bd_crypto_luks_change_key_blob (const gchar *device,const guint8 *pass_data,gsize data_len,const guint8 *npass_data,gsize ndata_len,GError **error);
device |
device to change key of |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
npass_data |
a new passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=ndata_len] |
ndata_len |
length of the |
|
error |
place to store error (if any). |
[out][optional] |
whether the key was successfully changed or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_ADD_KEY&BD_CRYPTO_TECH_MODE_REMOVE_KEY
gboolean bd_crypto_luks_resize (const gchar *luks_device,guint64 size,GError **error);
You need to specify passphrase when resizing LUKS 2 devices that don't have
verified key loaded in kernel. If you don't specify a passphrase, resize
will fail with BD_CRYPTO_ERROR_RESIZE_PERM. Use bd_crypto_luks_resize_luks2
or bd_crypto_luks_resize_luks2_blob for these devices.
luks_device |
opened LUKS device to resize |
|
size |
requested size in sectors or 0 to adapt to the backing device |
|
error |
place to store error (if any). |
[out][optional] |
whether the luks_device
was successfully resized or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_RESIZE
gboolean bd_crypto_luks_resize_luks2 (const gchar *luks_device,guint64 size,const gchar *passphrase,const gchar *key_file,GError **error);
luks_device |
opened LUKS device to resize |
|
passphrase |
passphrase to resize the |
[nullable] |
key_file |
key file path to use for resizing the |
[nullable] |
size |
requested size in sectors or 0 to adapt to the backing device |
|
error |
place to store error (if any). |
[out][optional] |
whether the luks_device
was successfully resized or not
You need to specify either passphrase
or keyfile
for LUKS 2 devices that
don't have verified key loaded in kernel.
For LUKS 1 devices you can set both passphrase
and keyfile
to NULL to
achieve the same as calling bd_crypto_luks_resize.
Tech category: BD_CRYPTO_TECH_LUKS2-BD_CRYPTO_TECH_MODE_RESIZE
gboolean bd_crypto_luks_resize_luks2_blob (const gchar *luks_device,guint64 size,const guint8 *pass_data,gsize data_len,GError **error);
luks_device |
opened LUKS device to resize |
|
pass_data |
a passphrase for the new LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
size |
requested size in sectors or 0 to adapt to the backing device |
|
error |
place to store error (if any). |
[out][optional] |
whether the luks_device
was successfully resized or not
You need to specify pass_data
for LUKS 2 devices that don't have
verified key loaded in kernel.
Tech category: BD_CRYPTO_TECH_LUKS2-BD_CRYPTO_TECH_MODE_RESIZE
gboolean bd_crypto_luks_suspend (const gchar *luks_device,GError **error);
whether the given luks_device
was successfully suspended or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_SUSPEND_RESUME
gboolean bd_crypto_luks_resume_blob (const gchar *luks_device,const guint8 *pass_data,gsize data_len,GError **error);
luks_device |
LUKS device to resume |
|
pass_data |
a passphrase for the LUKS device (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
error |
place to store error (if any). |
[out][optional] |
whether the given luks_device
was successfully resumed or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_SUSPEND_RESUME
gboolean bd_crypto_luks_resume (const gchar *luks_device,const gchar *passphrase,const gchar *key_file,GError **error);
whether the given luks_device
was successfully resumed or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_SUSPEND_RESUME
gboolean bd_crypto_luks_kill_slot (const gchar *device,gint slot,GError **error);
Note: This can destroy last remaining keyslot without confirmation making the LUKS device permanently inaccessible.
device |
device to kill slot on |
|
slot |
keyslot to destroy |
|
error |
place to store error (if any). |
[out][optional] |
whether the given slot
was successfully destroyed or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_REMOVE_KEY
gboolean bd_crypto_luks_header_backup (const gchar *device,const gchar *backup_file,GError **error);
device |
device to backup the LUKS header |
|
backup_file |
file to save the header backup to |
|
error |
place to store error (if any). |
[out][optional] |
whether the given backup of device
was successfully written to
backup_file
or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_BACKUP_RESTORE
gboolean bd_crypto_luks_header_restore (const gchar *device,const gchar *backup_file,GError **error);
device |
device to restore the LUKS header to |
|
backup_file |
existing file with a LUKS header backup |
|
error |
place to store error (if any). |
[out][optional] |
whether the given device
LUKS header was successfully restored
from backup_file
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_BACKUP_RESTORE
gboolean bd_crypto_luks_set_label (const gchar *device,const gchar *label,const gchar *subsystem,GError **error);
device |
device to set label on |
|
label |
label to set. |
[nullable] |
subsystem |
subsystem to set. |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the given label
and subsystem
were successfully set or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_MODIFY
gboolean bd_crypto_luks_set_uuid (const gchar *device,const gchar *uuid,GError **error);
device |
device to set UUID on |
|
uuid |
UUID to set or |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the given uuid
was successfully set or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_MODIFY
void
bd_crypto_luks_info_free (BDCryptoLUKSInfo *info);
Frees info
.
[skip]
BDCryptoLUKSInfo *
bd_crypto_luks_info_copy (BDCryptoLUKSInfo *info);
Creates a new copy of info
.
[skip]
BDCryptoLUKSInfo * bd_crypto_luks_info (const gchar *device,GError **error);
device |
a device to get information about |
|
error |
place to store error (if any). |
[out][optional] |
information about the device
or NULL in case of error
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY
void
bd_crypto_integrity_info_free (BDCryptoIntegrityInfo *info);
Frees info
.
[skip]
BDCryptoIntegrityInfo *
bd_crypto_integrity_info_copy (BDCryptoIntegrityInfo *info);
Creates a new copy of info
.
[skip]
BDCryptoIntegrityInfo * bd_crypto_integrity_info (const gchar *device,GError **error);
device |
a device to get information about |
|
error |
place to store error (if any). |
[out][optional] |
information about the device
or NULL in case of error
Tech category: BD_CRYPTO_TECH_INTEGRITY-BD_CRYPTO_TECH_MODE_QUERY
BDCryptoIntegrityExtra *
bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra);
Creates a new copy of extra
.
[skip]
void
bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra);
Frees extra
.
[skip]
BDCryptoIntegrityExtra * bd_crypto_integrity_extra_new (guint64 sector_size,guint64 journal_size,guint journal_watermark,guint journal_commit_time,guint64 interleave_sectors,guint64 tag_size,guint64 buffer_sectors);
[constructor]
sector_size |
integrity sector size, 0 for default (512) |
|
journal_size |
size of journal in bytes |
|
journal_watermark |
journal flush watermark in percents; in bitmap mode sectors-per-bit |
|
journal_commit_time |
journal commit time (or bitmap flush time) in ms |
|
interleave_sectors |
number of interleave sectors (power of two) |
|
tag_size |
tag size per-sector in bytes |
|
buffer_sectors |
number of sectors in one buffer |
gboolean bd_crypto_integrity_format (const gchar *device,const gchar *algorithm,gboolean wipe,const guint8 *key_data,gsize key_size,BDCryptoIntegrityExtra *extra,GError **error);
Formats the given device
as integrity according to the other parameters given.
device |
a device to format as integrity |
|
algorithm |
integrity algorithm specification (e.g. "crc32c" or "sha256") or |
|
wipe |
whether to wipe the device after format; a device that is not initially wiped will contain invalid checksums |
|
key_data |
integrity key or |
[nullable][array length=key_size] |
key_size |
size the integrity key and |
|
extra |
extra arguments for integrity format creation. |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the given device
was successfully formatted as integrity or not
(the error
) contains the error in such cases)
Tech category: BD_CRYPTO_TECH_INTEGRITY-BD_CRYPTO_TECH_MODE_CREATE
gboolean bd_crypto_integrity_open (const gchar *device,const gchar *name,const gchar *algorithm,const guint8 *key_data,gsize key_size,BDCryptoIntegrityOpenFlags flags,BDCryptoIntegrityExtra *extra,GError **error);
device |
integrity device to open |
|
name |
name for the opened |
|
algorithm |
integrity algorithm specification (e.g. "crc32c" or "sha256") or |
[nullable] |
key_data |
integrity key or |
[nullable][array length=key_size] |
key_size |
size the integrity key and |
|
flags |
flags for the integrity device activation |
|
extra |
extra arguments for integrity open. |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_INTEGRITY-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_integrity_close (const gchar *integrity_device,GError **error);
integrity_device |
integrity device to close |
|
error |
place to store error (if any). |
[out][optional] |
whether the given integrity_device
was successfully closed or not
Tech category: BD_CRYPTO_TECH_INTEGRITY-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
void
bd_crypto_luks_token_info_free (BDCryptoLUKSTokenInfo *info);
Frees info
.
[skip]
BDCryptoLUKSTokenInfo *
bd_crypto_luks_token_info_copy (BDCryptoLUKSTokenInfo *info);
Creates a new copy of info
.
[skip]
BDCryptoLUKSTokenInfo ** bd_crypto_luks_token_info (const gchar *device,GError **error);
device |
a device to get LUKS2 token information about |
|
error |
place to store error (if any). |
[out][optional] |
information about tokens on device
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_QUERY.
[array zero-terminated=1]
gboolean bd_crypto_keyring_add_key (const gchar *key_desc,const guint8 *key_data,gsize data_len,GError **error);
key_desc |
kernel keyring key description |
|
key_data |
a key to add to kernel keyring (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
error |
place to store error (if any) *. |
[out][optional] |
whether the given key was successfully saved to kernel keyring or not
Tech category: BD_CRYPTO_TECH_KEYRING-BD_CRYPTO_TECH_MODE_ADD_KEY
gboolean bd_crypto_luks_open_keyring (const gchar *device,const gchar *name,const gchar *key_desc,gboolean read_only,GError **error);
Note: Keyslot passphrase must be stored in 'user' key type and the key has to be reachable by process context on behalf of which this function is called.
device |
the device to open |
|
name |
name for the LUKS device |
|
key_desc |
kernel keyring key description |
|
read_only |
whether to open as read-only or not (meaning read-write) |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_LUKS-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_tc_open (const gchar *device,const gchar *name,const guint8 *pass_data,gsize data_len,gboolean read_only,GError **error);
device |
the device to open |
|
name |
name for the TrueCrypt/VeraCrypt device |
|
pass_data |
a passphrase for the TrueCrypt/VeraCrypt volume (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
read_only |
whether to open as read-only or not (meaning read-write) |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_TRUECRYPT-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_tc_open_full (const gchar *device,const gchar *name,const guint8 *pass_data,gsize data_len,const gchar **keyfiles,gboolean hidden,gboolean system,gboolean veracrypt,guint32 veracrypt_pim,gboolean read_only,GError **error);
device |
the device to open |
|
name |
name for the TrueCrypt/VeraCrypt device |
|
pass_data |
a passphrase for the TrueCrypt/VeraCrypt volume (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
read_only |
whether to open as read-only or not (meaning read-write) |
|
keyfiles |
paths to the keyfiles for the TrueCrypt/VeraCrypt volume. |
[nullable][array zero-terminated=1] |
hidden |
whether a hidden volume inside the volume should be opened |
|
system |
whether to try opening as an encrypted system (with boot loader) |
|
veracrypt |
whether to try VeraCrypt modes (TrueCrypt modes are tried anyway) |
|
veracrypt_pim |
VeraCrypt PIM value |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_TRUECRYPT-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_tc_close (const gchar *tc_device,GError **error);
tc_device |
TrueCrypt/VeraCrypt device to close |
|
error |
place to store error (if any). |
[out][optional] |
whether the given tc_device
was successfully closed or not
Tech category: BD_CRYPTO_TECH_TRUECRYPT-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_escrow_device (const gchar *device,const gchar *passphrase,const gchar *cert_data,const gchar *directory,const gchar *backup_passphrase,GError **error);
device |
path of the device to create escrow data for |
|
passphrase |
passphrase used for the device |
|
cert_data |
certificate data to use for escrow. |
[array zero-terminated=1][element-type gchar] |
directory |
directory to put escrow data into |
|
backup_passphrase |
backup passphrase for the device or |
[nullable] |
error |
place to store error (if any). |
[out][optional] |
whether the escrow data was successfully created for device
or not
Tech category: BD_CRYPTO_TECH_ESCROW-BD_CRYPTO_TECH_MODE_CREATE
gboolean bd_crypto_bitlk_open (const gchar *device,const gchar *name,const guint8 *pass_data,gsize data_len,gboolean read_only,GError **error);
device |
the device to open |
|
name |
name for the BITLK device |
|
pass_data |
a passphrase for the BITLK volume (may contain arbitrary binary data). |
[array length=data_len] |
data_len |
length of the |
|
read_only |
whether to open as read-only or not (meaning read-write) |
|
error |
place to store error (if any). |
[out][optional] |
whether the device
was successfully opened or not
Tech category: BD_CRYPTO_TECH_BITLK-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_bitlk_close (const gchar *bitlk_device,GError **error);
whether the given bitlk_device
was successfully closed or not
Tech category: BD_CRYPTO_TECH_BITLK-BD_CRYPTO_TECH_MODE_OPEN_CLOSE
gboolean bd_crypto_is_tech_avail (BDCryptoTech tech,guint64 mode,GError **error);
tech |
the queried tech |
|
mode |
a bit mask of queried modes of operation (BDCryptoTechMode) for |
|
error |
place to store error (details about why the |
[out][optional] |
#define BD_CRYPTO_BACKUP_PASSPHRASE_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"
typedef struct {
guint64 data_alignment;
gchar *data_device;
gchar *integrity;
guint64 sector_size;
gchar *label;
gchar *subsystem;
BDCryptoLUKSPBKDF *pbkdf;
} BDCryptoLUKSExtra;
guint64 |
data alignment in sectors, 0 for default/auto detection |
|
gchar * |
detached encrypted data device or NULL |
|
gchar * |
integrity algorithm (e.g. "hmac-sha256") or NULL for no integrity support Note: this field is valid only for LUKS 2 |
|
guint64 |
encryption sector size, 0 for default (512) Note: this field is valid only for LUKS 2 |
|
gchar * |
LUKS header label or NULL Note: this field is valid only for LUKS 2 |
|
gchar * |
LUKS header subsystem or NULL Note: this field is valid only for LUKS 2 |
|
BDCryptoLUKSPBKDF * |
key derivation function specification or NULL for default Note: this field is valid only for LUKS 2 |
typedef struct {
gchar *type;
gchar *hash;
guint32 max_memory_kb;
guint32 iterations;
guint32 time_ms;
guint32 parallel_threads;
} BDCryptoLUKSPBKDF;
gchar * |
PBKDF algorithm |
|
gchar * |
hash for LUKS header or NULL |
|
guint32 |
requested memory cost (in KiB) or 0 for default (benchmark) |
|
guint32 |
requested iterations or 0 for default (benchmark) |
|
guint32 |
requested time cost or 0 for default (benchmark) |
|
guint32 |
requested parallel cost (threads) or 0 for default (benchmark) |
typedef struct {
BDCryptoLUKSVersion version;
gchar *cipher;
gchar *mode;
gchar *uuid;
gchar *backing_device;
gint64 sector_size;
gchar *label;
gchar *subsystem;
} BDCryptoLUKSInfo;
BDCryptoLUKSVersion |
LUKS version |
|
gchar * |
used cipher (e.g. "aes") |
|
gchar * |
used cipher mode (e.g. "xts-plain") |
|
gchar * |
UUID of the LUKS device |
|
gchar * |
name of the underlying block device |
|
gint64 |
size (in bytes) of encryption sector (valid only for LUKS 2) |
|
gchar * |
label of the LUKS device (valid only for LUKS 2) |
|
gchar * |
subsystem of the LUKS device (valid only for LUKS 2) |
typedef struct {
gchar *algorithm;
guint32 key_size;
guint32 sector_size;
guint32 tag_size;
guint32 interleave_sectors;
guint64 journal_size;
gchar *journal_crypt;
gchar *journal_integrity;
} BDCryptoIntegrityInfo;
gchar * |
integrity algorithm |
|
guint32 |
integrity key size in bytes |
|
guint32 |
sector size in bytes |
|
guint32 |
tag size per-sector in bytes |
|
guint32 |
number of interleave sectors |
|
guint64 |
size of journal in bytes |
|
gchar * |
journal encryption algorithm |
|
gchar * |
journal integrity algorithm |
typedef struct {
guint32 sector_size;
guint64 journal_size;
guint journal_watermark;
guint journal_commit_time;
guint32 interleave_sectors;
guint32 tag_size;
guint32 buffer_sectors;
} BDCryptoIntegrityExtra;
guint32 |
integrity sector size |
|
guint64 |
size of journal in bytes |
|
guint |
journal flush watermark in percents; in bitmap mode sectors-per-bit |
|
guint |
journal commit time (or bitmap flush time) in ms |
|
guint32 |
number of interleave sectors (power of two) |
|
guint32 |
tag size per-sector in bytes |
|
guint32 |
number of sectors in one buffer |
typedef struct {
guint id;
gchar *type;
gint keyslot;
} BDCryptoLUKSTokenInfo;