Project import generated by Copybara.
GitOrigin-RevId: 94b8ab38d80d7969aab916d6fcc7c1a9a731bc81
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..642bbce
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,40 @@
+po/*gmo
+*~
+Makefile
+Makefile.in
+Makefile.in.in
+*.lo
+*.la
+*.o
+.deps/
+.libs/
+src/cryptsetup
+src/veritysetup
+aclocal.m4
+autom4te.cache/
+compile
+config.guess
+config.h
+config.h.in
+config.log
+config.rpath
+config.status
+config.sub
+configure
+depcomp
+install-sh
+lib/libcryptsetup.pc
+libtool
+ltmain.sh
+m4/
+missing
+po/Makevars.template
+po/POTFILES
+po/Rules-quot
+po/*.pot
+po/*.header
+po/*.sed
+po/*.sin
+po/stamp-po
+stamp-h1
+
diff --git a/ABOUT-NLS b/ABOUT-NLS
new file mode 100644
index 0000000..3575535
--- /dev/null
+++ b/ABOUT-NLS
@@ -0,0 +1,1111 @@
+1 Notes on the Free Translation Project
+***************************************
+
+Free software is going international! The Free Translation Project is
+a way to get maintainers of free software, translators, and users all
+together, so that free software will gradually become able to speak many
+languages. A few packages already provide translations for their
+messages.
+
+ If you found this `ABOUT-NLS' file inside a distribution, you may
+assume that the distributed package does use GNU `gettext' internally,
+itself available at your nearest GNU archive site. But you do _not_
+need to install GNU `gettext' prior to configuring, installing or using
+this package with messages translated.
+
+ Installers will find here some useful hints. These notes also
+explain how users should proceed for getting the programs to use the
+available translations. They tell how people wanting to contribute and
+work on translations can contact the appropriate team.
+
+ When reporting bugs in the `intl/' directory or bugs which may be
+related to internationalization, you should tell about the version of
+`gettext' which is used. The information can be found in the
+`intl/VERSION' file, in internationalized packages.
+
+1.1 Quick configuration advice
+==============================
+
+If you want to exploit the full power of internationalization, you
+should configure it using
+
+ ./configure --with-included-gettext
+
+to force usage of internationalizing routines provided within this
+package, despite the existence of internationalizing capabilities in the
+operating system where this package is being installed. So far, only
+the `gettext' implementation in the GNU C library version 2 provides as
+many features (such as locale alias, message inheritance, automatic
+charset conversion or plural form handling) as the implementation here.
+It is also not possible to offer this additional functionality on top
+of a `catgets' implementation. Future versions of GNU `gettext' will
+very likely convey even more functionality. So it might be a good idea
+to change to GNU `gettext' as soon as possible.
+
+ So you need _not_ provide this option if you are using GNU libc 2 or
+you have installed a recent copy of the GNU gettext package with the
+included `libintl'.
+
+1.2 INSTALL Matters
+===================
+
+Some packages are "localizable" when properly installed; the programs
+they contain can be made to speak your own native language. Most such
+packages use GNU `gettext'. Other packages have their own ways to
+internationalization, predating GNU `gettext'.
+
+ By default, this package will be installed to allow translation of
+messages. It will automatically detect whether the system already
+provides the GNU `gettext' functions. If not, the included GNU
+`gettext' library will be used. This library is wholly contained
+within this package, usually in the `intl/' subdirectory, so prior
+installation of the GNU `gettext' package is _not_ required.
+Installers may use special options at configuration time for changing
+the default behaviour. The commands:
+
+ ./configure --with-included-gettext
+ ./configure --disable-nls
+
+will, respectively, bypass any pre-existing `gettext' to use the
+internationalizing routines provided within this package, or else,
+_totally_ disable translation of messages.
+
+ When you already have GNU `gettext' installed on your system and run
+configure without an option for your new package, `configure' will
+probably detect the previously built and installed `libintl.a' file and
+will decide to use this. This might not be desirable. You should use
+the more recent version of the GNU `gettext' library. I.e. if the file
+`intl/VERSION' shows that the library which comes with this package is
+more recent, you should use
+
+ ./configure --with-included-gettext
+
+to prevent auto-detection.
+
+ The configuration process will not test for the `catgets' function
+and therefore it will not be used. The reason is that even an
+emulation of `gettext' on top of `catgets' could not provide all the
+extensions of the GNU `gettext' library.
+
+ Internationalized packages usually have many `po/LL.po' files, where
+LL gives an ISO 639 two-letter code identifying the language. Unless
+translations have been forbidden at `configure' time by using the
+`--disable-nls' switch, all available translations are installed
+together with the package. However, the environment variable `LINGUAS'
+may be set, prior to configuration, to limit the installed set.
+`LINGUAS' should then contain a space separated list of two-letter
+codes, stating which languages are allowed.
+
+1.3 Using This Package
+======================
+
+As a user, if your language has been installed for this package, you
+only have to set the `LANG' environment variable to the appropriate
+`LL_CC' combination. Here `LL' is an ISO 639 two-letter language code,
+and `CC' is an ISO 3166 two-letter country code. For example, let's
+suppose that you speak German and live in Germany. At the shell
+prompt, merely execute `setenv LANG de_DE' (in `csh'),
+`export LANG; LANG=de_DE' (in `sh') or `export LANG=de_DE' (in `bash').
+This can be done from your `.login' or `.profile' file, once and for
+all.
+
+ You might think that the country code specification is redundant.
+But in fact, some languages have dialects in different countries. For
+example, `de_AT' is used for Austria, and `pt_BR' for Brazil. The
+country code serves to distinguish the dialects.
+
+ The locale naming convention of `LL_CC', with `LL' denoting the
+language and `CC' denoting the country, is the one use on systems based
+on GNU libc. On other systems, some variations of this scheme are
+used, such as `LL' or `LL_CC.ENCODING'. You can get the list of
+locales supported by your system for your language by running the
+command `locale -a | grep '^LL''.
+
+ Not all programs have translations for all languages. By default, an
+English message is shown in place of a nonexistent translation. If you
+understand other languages, you can set up a priority list of languages.
+This is done through a different environment variable, called
+`LANGUAGE'. GNU `gettext' gives preference to `LANGUAGE' over `LANG'
+for the purpose of message handling, but you still need to have `LANG'
+set to the primary language; this is required by other parts of the
+system libraries. For example, some Swedish users who would rather
+read translations in German than English for when Swedish is not
+available, set `LANGUAGE' to `sv:de' while leaving `LANG' to `sv_SE'.
+
+ Special advice for Norwegian users: The language code for Norwegian
+bokma*l changed from `no' to `nb' recently (in 2003). During the
+transition period, while some message catalogs for this language are
+installed under `nb' and some older ones under `no', it's recommended
+for Norwegian users to set `LANGUAGE' to `nb:no' so that both newer and
+older translations are used.
+
+ In the `LANGUAGE' environment variable, but not in the `LANG'
+environment variable, `LL_CC' combinations can be abbreviated as `LL'
+to denote the language's main dialect. For example, `de' is equivalent
+to `de_DE' (German as spoken in Germany), and `pt' to `pt_PT'
+(Portuguese as spoken in Portugal) in this context.
+
+1.4 Translating Teams
+=====================
+
+For the Free Translation Project to be a success, we need interested
+people who like their own language and write it well, and who are also
+able to synergize with other translators speaking the same language.
+Each translation team has its own mailing list. The up-to-date list of
+teams can be found at the Free Translation Project's homepage,
+`http://www.iro.umontreal.ca/contrib/po/HTML/', in the "National teams"
+area.
+
+ If you'd like to volunteer to _work_ at translating messages, you
+should become a member of the translating team for your own language.
+The subscribing address is _not_ the same as the list itself, it has
+`-request' appended. For example, speakers of Swedish can send a
+message to `sv-request@li.org', having this message body:
+
+ subscribe
+
+ Keep in mind that team members are expected to participate
+_actively_ in translations, or at solving translational difficulties,
+rather than merely lurking around. If your team does not exist yet and
+you want to start one, or if you are unsure about what to do or how to
+get started, please write to `translation@iro.umontreal.ca' to reach the
+coordinator for all translator teams.
+
+ The English team is special. It works at improving and uniformizing
+the terminology in use. Proven linguistic skill are praised more than
+programming skill, here.
+
+1.5 Available Packages
+======================
+
+Languages are not equally supported in all packages. The following
+matrix shows the current state of internationalization, as of July
+2006. The matrix shows, in regard of each package, for which languages
+PO files have been submitted to translation coordination, with a
+translation percentage of at least 50%.
+
+ Ready PO files af am ar az be bg bs ca cs cy da de el en en_GB eo
+ +----------------------------------------------------+
+ GNUnet | [] |
+ a2ps | [] [] [] [] [] |
+ aegis | () |
+ ant-phone | () |
+ anubis | [] |
+ ap-utils | |
+ aspell | [] [] [] [] |
+ bash | [] [] [] |
+ batchelor | [] |
+ bfd | |
+ bibshelf | [] |
+ binutils | [] |
+ bison | [] [] |
+ bison-runtime | [] |
+ bluez-pin | [] [] [] [] [] |
+ cflow | [] |
+ clisp | [] [] |
+ console-tools | [] [] |
+ coreutils | [] [] [] [] |
+ cpio | |
+ cpplib | [] [] [] |
+ cryptonit | [] |
+ darkstat | [] () [] |
+ dialog | [] [] [] [] [] [] |
+ diffutils | [] [] [] [] [] [] |
+ doodle | [] |
+ e2fsprogs | [] [] |
+ enscript | [] [] [] [] |
+ error | [] [] [] [] |
+ fetchmail | [] [] () [] |
+ fileutils | [] [] |
+ findutils | [] [] [] |
+ flex | [] [] [] |
+ fslint | [] |
+ gas | |
+ gawk | [] [] [] |
+ gbiff | [] |
+ gcal | [] |
+ gcc | [] |
+ gettext-examples | [] [] [] [] [] |
+ gettext-runtime | [] [] [] [] [] |
+ gettext-tools | [] [] |
+ gimp-print | [] [] [] [] |
+ gip | [] |
+ gliv | [] |
+ glunarclock | [] |
+ gmult | [] [] |
+ gnubiff | () |
+ gnucash | () () [] |
+ gnucash-glossary | [] () |
+ gnuedu | |
+ gnulib | [] [] [] [] [] [] |
+ gnunet-gtk | |
+ gnutls | |
+ gpe-aerial | [] [] |
+ gpe-beam | [] [] |
+ gpe-calendar | [] [] |
+ gpe-clock | [] [] |
+ gpe-conf | [] [] |
+ gpe-contacts | |
+ gpe-edit | [] |
+ gpe-filemanager | |
+ gpe-go | [] |
+ gpe-login | [] [] |
+ gpe-ownerinfo | [] [] |
+ gpe-package | |
+ gpe-sketchbook | [] [] |
+ gpe-su | [] [] |
+ gpe-taskmanager | [] [] |
+ gpe-timesheet | [] |
+ gpe-today | [] [] |
+ gpe-todo | |
+ gphoto2 | [] [] [] [] |
+ gprof | [] [] |
+ gpsdrive | () () |
+ gramadoir | [] [] |
+ grep | [] [] [] [] [] [] |
+ gretl | |
+ gsasl | |
+ gss | |
+ gst-plugins | [] [] [] [] |
+ gst-plugins-base | [] [] [] |
+ gst-plugins-good | [] [] [] [] [] [] [] |
+ gstreamer | [] [] [] [] [] [] [] |
+ gtick | [] () |
+ gtkam | [] [] [] |
+ gtkorphan | [] [] |
+ gtkspell | [] [] [] [] |
+ gutenprint | [] |
+ hello | [] [] [] [] [] |
+ id-utils | [] [] |
+ impost | |
+ indent | [] [] [] |
+ iso_3166 | [] [] |
+ iso_3166_1 | [] [] [] [] [] |
+ iso_3166_2 | |
+ iso_3166_3 | [] |
+ iso_4217 | [] |
+ iso_639 | [] [] |
+ jpilot | [] |
+ jtag | |
+ jwhois | |
+ kbd | [] [] [] [] |
+ keytouch | |
+ keytouch-editor | |
+ keytouch-keyboa... | |
+ latrine | () |
+ ld | [] |
+ leafpad | [] [] [] [] [] |
+ libc | [] [] [] [] [] |
+ libexif | [] |
+ libextractor | [] |
+ libgpewidget | [] [] [] |
+ libgpg-error | [] |
+ libgphoto2 | [] [] |
+ libgphoto2_port | [] [] |
+ libgsasl | |
+ libiconv | [] [] |
+ libidn | [] [] |
+ lifelines | [] () |
+ lilypond | [] |
+ lingoteach | |
+ lynx | [] [] [] [] |
+ m4 | [] [] [] [] |
+ mailutils | [] |
+ make | [] [] |
+ man-db | [] () [] [] |
+ minicom | [] [] [] |
+ mysecretdiary | [] [] |
+ nano | [] [] () [] |
+ nano_1_0 | [] () [] [] |
+ opcodes | [] |
+ parted | |
+ pilot-qof | [] |
+ psmisc | [] |
+ pwdutils | |
+ python | |
+ qof | |
+ radius | [] |
+ recode | [] [] [] [] [] [] |
+ rpm | [] [] |
+ screem | |
+ scrollkeeper | [] [] [] [] [] [] [] [] |
+ sed | [] [] [] |
+ sh-utils | [] [] |
+ shared-mime-info | [] [] [] |
+ sharutils | [] [] [] [] [] [] |
+ shishi | |
+ silky | |
+ skencil | [] () |
+ sketch | [] () |
+ solfege | |
+ soundtracker | [] [] |
+ sp | [] |
+ stardict | [] |
+ system-tools-ba... | [] [] [] [] [] [] [] [] [] |
+ tar | [] |
+ texinfo | [] [] [] |
+ textutils | [] [] [] |
+ tin | () () |
+ tp-robot | [] |
+ tuxpaint | [] [] [] [] [] |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux | [] [] [] [] |
+ vorbis-tools | [] [] [] [] |
+ wastesedge | () |
+ wdiff | [] [] [] [] |
+ wget | [] [] |
+ xchat | [] [] [] [] [] |
+ xkeyboard-config | |
+ xpad | [] [] |
+ +----------------------------------------------------+
+ af am ar az be bg bs ca cs cy da de el en en_GB eo
+ 11 0 1 2 8 21 1 42 43 2 62 99 18 1 16 16
+
+ es et eu fa fi fr ga gl gu he hi hr hu id is it
+ +--------------------------------------------------+
+ GNUnet | |
+ a2ps | [] [] [] () |
+ aegis | |
+ ant-phone | [] |
+ anubis | [] |
+ ap-utils | [] [] |
+ aspell | [] [] [] |
+ bash | [] [] [] |
+ batchelor | [] [] |
+ bfd | [] |
+ bibshelf | [] [] [] |
+ binutils | [] [] [] |
+ bison | [] [] [] [] [] [] |
+ bison-runtime | [] [] [] [] [] |
+ bluez-pin | [] [] [] [] [] |
+ cflow | |
+ clisp | [] [] |
+ console-tools | |
+ coreutils | [] [] [] [] [] [] |
+ cpio | [] [] [] |
+ cpplib | [] [] |
+ cryptonit | [] |
+ darkstat | [] () [] [] [] |
+ dialog | [] [] [] [] [] [] [] [] |
+ diffutils | [] [] [] [] [] [] [] [] [] |
+ doodle | [] [] |
+ e2fsprogs | [] [] [] |
+ enscript | [] [] [] |
+ error | [] [] [] [] [] |
+ fetchmail | [] |
+ fileutils | [] [] [] [] [] [] |
+ findutils | [] [] [] [] |
+ flex | [] [] [] |
+ fslint | [] |
+ gas | [] [] |
+ gawk | [] [] [] [] |
+ gbiff | [] |
+ gcal | [] [] |
+ gcc | [] |
+ gettext-examples | [] [] [] [] [] |
+ gettext-runtime | [] [] [] [] [] [] |
+ gettext-tools | [] [] [] |
+ gimp-print | [] [] |
+ gip | [] [] [] |
+ gliv | () |
+ glunarclock | [] [] [] |
+ gmult | [] [] [] |
+ gnubiff | () () |
+ gnucash | () () () |
+ gnucash-glossary | [] [] |
+ gnuedu | [] |
+ gnulib | [] [] [] [] [] [] [] [] |
+ gnunet-gtk | |
+ gnutls | |
+ gpe-aerial | [] [] |
+ gpe-beam | [] [] |
+ gpe-calendar | [] [] [] [] |
+ gpe-clock | [] [] [] [] |
+ gpe-conf | [] |
+ gpe-contacts | [] [] |
+ gpe-edit | [] [] [] [] |
+ gpe-filemanager | [] |
+ gpe-go | [] [] [] |
+ gpe-login | [] [] [] |
+ gpe-ownerinfo | [] [] [] [] [] |
+ gpe-package | [] |
+ gpe-sketchbook | [] [] |
+ gpe-su | [] [] [] [] |
+ gpe-taskmanager | [] [] [] |
+ gpe-timesheet | [] [] [] [] |
+ gpe-today | [] [] [] [] |
+ gpe-todo | [] |
+ gphoto2 | [] [] [] [] [] |
+ gprof | [] [] [] [] |
+ gpsdrive | () () [] () |
+ gramadoir | [] [] |
+ grep | [] [] [] [] [] [] [] [] [] [] [] [] |
+ gretl | [] [] [] |
+ gsasl | [] |
+ gss | [] |
+ gst-plugins | [] [] [] |
+ gst-plugins-base | [] [] |
+ gst-plugins-good | [] [] [] |
+ gstreamer | [] [] [] |
+ gtick | [] [] [] [] [] |
+ gtkam | [] [] [] [] |
+ gtkorphan | [] [] |
+ gtkspell | [] [] [] [] [] [] |
+ gutenprint | [] |
+ hello | [] [] [] [] [] [] [] [] [] [] [] [] [] |
+ id-utils | [] [] [] [] [] |
+ impost | [] [] |
+ indent | [] [] [] [] [] [] [] [] [] [] |
+ iso_3166 | [] [] [] |
+ iso_3166_1 | [] [] [] [] [] [] [] |
+ iso_3166_2 | [] |
+ iso_3166_3 | [] |
+ iso_4217 | [] [] [] [] |
+ iso_639 | [] [] [] [] [] |
+ jpilot | [] [] |
+ jtag | [] |
+ jwhois | [] [] [] [] [] |
+ kbd | [] [] |
+ keytouch | [] |
+ keytouch-editor | [] |
+ keytouch-keyboa... | [] |
+ latrine | [] [] [] |
+ ld | [] [] |
+ leafpad | [] [] [] [] [] [] |
+ libc | [] [] [] [] [] |
+ libexif | [] |
+ libextractor | [] |
+ libgpewidget | [] [] [] [] [] |
+ libgpg-error | |
+ libgphoto2 | [] [] [] |
+ libgphoto2_port | [] [] |
+ libgsasl | [] [] |
+ libiconv | [] |
+ libidn | [] [] |
+ lifelines | () |
+ lilypond | [] |
+ lingoteach | [] [] [] |
+ lynx | [] [] [] |
+ m4 | [] [] [] [] |
+ mailutils | [] [] |
+ make | [] [] [] [] [] [] [] [] |
+ man-db | () |
+ minicom | [] [] [] [] |
+ mysecretdiary | [] [] [] |
+ nano | [] () [] [] [] [] |
+ nano_1_0 | [] [] [] [] [] |
+ opcodes | [] [] [] [] |
+ parted | [] [] [] [] |
+ pilot-qof | |
+ psmisc | [] [] [] |
+ pwdutils | |
+ python | |
+ qof | |
+ radius | [] [] |
+ recode | [] [] [] [] [] [] [] [] |
+ rpm | [] [] |
+ screem | |
+ scrollkeeper | [] [] [] |
+ sed | [] [] [] [] [] |
+ sh-utils | [] [] [] [] [] [] [] |
+ shared-mime-info | [] [] [] [] [] [] |
+ sharutils | [] [] [] [] [] [] [] [] |
+ shishi | |
+ silky | [] |
+ skencil | [] [] |
+ sketch | [] [] |
+ solfege | [] |
+ soundtracker | [] [] [] |
+ sp | [] |
+ stardict | [] |
+ system-tools-ba... | [] [] [] [] [] [] [] [] |
+ tar | [] [] [] [] [] [] |
+ texinfo | [] [] |
+ textutils | [] [] [] [] [] |
+ tin | [] () |
+ tp-robot | [] [] [] [] |
+ tuxpaint | [] [] |
+ unicode-han-tra... | |
+ unicode-transla... | [] [] |
+ util-linux | [] [] [] [] [] [] [] |
+ vorbis-tools | [] [] |
+ wastesedge | () |
+ wdiff | [] [] [] [] [] [] [] [] |
+ wget | [] [] [] [] [] [] [] [] |
+ xchat | [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] [] [] |
+ xpad | [] [] [] |
+ +--------------------------------------------------+
+ es et eu fa fi fr ga gl gu he hi hr hu id is it
+ 89 21 16 2 41 119 61 14 1 8 1 6 61 30 0 53
+
+ ja ko ku ky lg lt lv mk mn ms mt nb ne nl nn no
+ +--------------------------------------------------+
+ GNUnet | |
+ a2ps | () [] [] () |
+ aegis | () |
+ ant-phone | [] |
+ anubis | [] [] [] |
+ ap-utils | [] |
+ aspell | [] [] |
+ bash | [] |
+ batchelor | [] [] |
+ bfd | |
+ bibshelf | [] |
+ binutils | |
+ bison | [] [] [] |
+ bison-runtime | [] [] [] |
+ bluez-pin | [] [] [] |
+ cflow | |
+ clisp | [] |
+ console-tools | |
+ coreutils | [] |
+ cpio | |
+ cpplib | [] |
+ cryptonit | [] |
+ darkstat | [] [] |
+ dialog | [] [] |
+ diffutils | [] [] [] |
+ doodle | |
+ e2fsprogs | [] |
+ enscript | [] |
+ error | [] |
+ fetchmail | [] [] |
+ fileutils | [] [] |
+ findutils | [] |
+ flex | [] [] |
+ fslint | [] [] |
+ gas | |
+ gawk | [] [] |
+ gbiff | [] |
+ gcal | |
+ gcc | |
+ gettext-examples | [] [] |
+ gettext-runtime | [] [] [] |
+ gettext-tools | [] [] |
+ gimp-print | [] [] |
+ gip | [] [] |
+ gliv | [] |
+ glunarclock | [] [] |
+ gmult | [] [] |
+ gnubiff | |
+ gnucash | () () |
+ gnucash-glossary | [] |
+ gnuedu | |
+ gnulib | [] [] [] [] |
+ gnunet-gtk | |
+ gnutls | |
+ gpe-aerial | [] |
+ gpe-beam | [] |
+ gpe-calendar | [] |
+ gpe-clock | [] [] |
+ gpe-conf | [] [] |
+ gpe-contacts | [] |
+ gpe-edit | [] [] |
+ gpe-filemanager | [] |
+ gpe-go | [] [] |
+ gpe-login | [] [] |
+ gpe-ownerinfo | [] |
+ gpe-package | [] |
+ gpe-sketchbook | [] [] |
+ gpe-su | [] [] |
+ gpe-taskmanager | [] [] [] |
+ gpe-timesheet | [] |
+ gpe-today | [] |
+ gpe-todo | |
+ gphoto2 | [] [] |
+ gprof | |
+ gpsdrive | () () () |
+ gramadoir | () |
+ grep | [] [] [] |
+ gretl | |
+ gsasl | [] |
+ gss | |
+ gst-plugins | [] |
+ gst-plugins-base | |
+ gst-plugins-good | [] |
+ gstreamer | [] |
+ gtick | [] |
+ gtkam | [] |
+ gtkorphan | [] |
+ gtkspell | [] [] |
+ gutenprint | |
+ hello | [] [] [] [] [] [] [] [] |
+ id-utils | [] |
+ impost | |
+ indent | [] [] |
+ iso_3166 | [] |
+ iso_3166_1 | [] [] |
+ iso_3166_2 | [] |
+ iso_3166_3 | [] |
+ iso_4217 | [] [] [] |
+ iso_639 | [] [] |
+ jpilot | () () () |
+ jtag | |
+ jwhois | [] |
+ kbd | [] |
+ keytouch | [] |
+ keytouch-editor | |
+ keytouch-keyboa... | |
+ latrine | [] |
+ ld | |
+ leafpad | [] [] |
+ libc | [] [] [] [] [] |
+ libexif | |
+ libextractor | |
+ libgpewidget | [] |
+ libgpg-error | |
+ libgphoto2 | [] |
+ libgphoto2_port | [] |
+ libgsasl | [] |
+ libiconv | |
+ libidn | [] [] |
+ lifelines | [] |
+ lilypond | |
+ lingoteach | [] |
+ lynx | [] [] |
+ m4 | [] [] |
+ mailutils | |
+ make | [] [] [] |
+ man-db | () |
+ minicom | [] |
+ mysecretdiary | [] |
+ nano | [] [] [] |
+ nano_1_0 | [] [] [] |
+ opcodes | [] |
+ parted | [] [] |
+ pilot-qof | |
+ psmisc | [] [] [] |
+ pwdutils | |
+ python | |
+ qof | |
+ radius | |
+ recode | [] |
+ rpm | [] [] |
+ screem | [] |
+ scrollkeeper | [] [] [] [] |
+ sed | [] [] |
+ sh-utils | [] [] |
+ shared-mime-info | [] [] [] [] [] |
+ sharutils | [] [] |
+ shishi | |
+ silky | [] |
+ skencil | |
+ sketch | |
+ solfege | |
+ soundtracker | |
+ sp | () |
+ stardict | [] [] |
+ system-tools-ba... | [] [] [] [] |
+ tar | [] [] [] |
+ texinfo | [] [] [] |
+ textutils | [] [] [] |
+ tin | |
+ tp-robot | [] |
+ tuxpaint | [] |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux | [] [] |
+ vorbis-tools | [] |
+ wastesedge | [] |
+ wdiff | [] [] |
+ wget | [] [] |
+ xchat | [] [] [] [] |
+ xkeyboard-config | [] |
+ xpad | [] [] [] |
+ +--------------------------------------------------+
+ ja ko ku ky lg lt lv mk mn ms mt nb ne nl nn no
+ 40 24 2 1 1 3 1 2 3 21 0 15 1 101 5 3
+
+ nso or pa pl pt pt_BR rm ro ru rw sk sl sq sr sv ta
+ +------------------------------------------------------+
+ GNUnet | |
+ a2ps | () [] [] [] [] [] [] |
+ aegis | () () |
+ ant-phone | [] [] |
+ anubis | [] [] [] |
+ ap-utils | () |
+ aspell | [] [] |
+ bash | [] [] [] |
+ batchelor | [] [] |
+ bfd | |
+ bibshelf | [] |
+ binutils | [] [] |
+ bison | [] [] [] [] [] |
+ bison-runtime | [] [] [] [] |
+ bluez-pin | [] [] [] [] [] [] [] [] [] |
+ cflow | [] |
+ clisp | [] |
+ console-tools | [] |
+ coreutils | [] [] [] [] |
+ cpio | [] [] [] |
+ cpplib | [] |
+ cryptonit | [] [] |
+ darkstat | [] [] [] [] [] [] |
+ dialog | [] [] [] [] [] [] [] [] [] |
+ diffutils | [] [] [] [] [] [] |
+ doodle | [] [] |
+ e2fsprogs | [] [] |
+ enscript | [] [] [] [] [] |
+ error | [] [] [] [] |
+ fetchmail | [] [] [] |
+ fileutils | [] [] [] [] [] |
+ findutils | [] [] [] [] [] [] |
+ flex | [] [] [] [] [] |
+ fslint | [] [] [] [] |
+ gas | |
+ gawk | [] [] [] [] |
+ gbiff | [] |
+ gcal | [] |
+ gcc | [] |
+ gettext-examples | [] [] [] [] [] [] [] [] |
+ gettext-runtime | [] [] [] [] [] [] [] [] |
+ gettext-tools | [] [] [] [] [] [] [] |
+ gimp-print | [] [] |
+ gip | [] [] [] [] |
+ gliv | [] [] [] [] |
+ glunarclock | [] [] [] [] [] [] |
+ gmult | [] [] [] [] |
+ gnubiff | () |
+ gnucash | () [] |
+ gnucash-glossary | [] [] [] |
+ gnuedu | |
+ gnulib | [] [] [] [] [] |
+ gnunet-gtk | [] |
+ gnutls | [] [] |
+ gpe-aerial | [] [] [] [] [] [] [] |
+ gpe-beam | [] [] [] [] [] [] [] |
+ gpe-calendar | [] [] [] [] [] [] [] [] |
+ gpe-clock | [] [] [] [] [] [] [] [] |
+ gpe-conf | [] [] [] [] [] [] [] |
+ gpe-contacts | [] [] [] [] [] |
+ gpe-edit | [] [] [] [] [] [] [] [] |
+ gpe-filemanager | [] [] |
+ gpe-go | [] [] [] [] [] [] |
+ gpe-login | [] [] [] [] [] [] [] [] |
+ gpe-ownerinfo | [] [] [] [] [] [] [] [] |
+ gpe-package | [] [] |
+ gpe-sketchbook | [] [] [] [] [] [] [] [] |
+ gpe-su | [] [] [] [] [] [] [] [] |
+ gpe-taskmanager | [] [] [] [] [] [] [] [] |
+ gpe-timesheet | [] [] [] [] [] [] [] [] |
+ gpe-today | [] [] [] [] [] [] [] [] |
+ gpe-todo | [] [] [] [] |
+ gphoto2 | [] [] [] [] [] |
+ gprof | [] [] [] |
+ gpsdrive | [] [] [] |
+ gramadoir | [] [] |
+ grep | [] [] [] [] [] [] [] [] |
+ gretl | [] |
+ gsasl | [] [] |
+ gss | [] [] [] |
+ gst-plugins | [] [] [] [] |
+ gst-plugins-base | [] |
+ gst-plugins-good | [] [] [] [] |
+ gstreamer | [] [] [] |
+ gtick | [] [] [] |
+ gtkam | [] [] [] [] |
+ gtkorphan | [] |
+ gtkspell | [] [] [] [] [] [] [] [] |
+ gutenprint | [] |
+ hello | [] [] [] [] [] [] [] [] |
+ id-utils | [] [] [] [] |
+ impost | [] |
+ indent | [] [] [] [] [] [] |
+ iso_3166 | [] [] [] [] [] [] |
+ iso_3166_1 | [] [] [] [] |
+ iso_3166_2 | |
+ iso_3166_3 | [] [] [] [] |
+ iso_4217 | [] [] [] [] |
+ iso_639 | [] [] [] [] |
+ jpilot | |
+ jtag | [] |
+ jwhois | [] [] [] [] |
+ kbd | [] [] [] |
+ keytouch | [] |
+ keytouch-editor | [] |
+ keytouch-keyboa... | [] |
+ latrine | [] [] |
+ ld | [] |
+ leafpad | [] [] [] [] [] [] |
+ libc | [] [] [] [] [] |
+ libexif | [] |
+ libextractor | [] [] |
+ libgpewidget | [] [] [] [] [] [] [] |
+ libgpg-error | [] [] |
+ libgphoto2 | [] |
+ libgphoto2_port | [] [] [] |
+ libgsasl | [] [] [] [] |
+ libiconv | |
+ libidn | [] [] () |
+ lifelines | [] [] |
+ lilypond | |
+ lingoteach | [] |
+ lynx | [] [] [] |
+ m4 | [] [] [] [] [] |
+ mailutils | [] [] [] [] |
+ make | [] [] [] [] |
+ man-db | [] [] |
+ minicom | [] [] [] [] [] |
+ mysecretdiary | [] [] [] [] |
+ nano | [] [] |
+ nano_1_0 | [] [] [] [] |
+ opcodes | [] [] |
+ parted | [] |
+ pilot-qof | [] |
+ psmisc | [] [] |
+ pwdutils | [] [] |
+ python | |
+ qof | [] |
+ radius | [] [] |
+ recode | [] [] [] [] [] [] [] |
+ rpm | [] [] [] [] |
+ screem | |
+ scrollkeeper | [] [] [] [] [] [] [] |
+ sed | [] [] [] [] [] [] [] [] [] |
+ sh-utils | [] [] [] |
+ shared-mime-info | [] [] [] [] [] |
+ sharutils | [] [] [] [] |
+ shishi | [] |
+ silky | [] |
+ skencil | [] [] [] |
+ sketch | [] [] [] |
+ solfege | [] |
+ soundtracker | [] [] |
+ sp | |
+ stardict | [] [] [] |
+ system-tools-ba... | [] [] [] [] [] [] [] [] [] |
+ tar | [] [] [] [] [] |
+ texinfo | [] [] [] [] |
+ textutils | [] [] [] |
+ tin | () |
+ tp-robot | [] |
+ tuxpaint | [] [] [] [] [] |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux | [] [] [] [] |
+ vorbis-tools | [] [] |
+ wastesedge | |
+ wdiff | [] [] [] [] [] [] |
+ wget | [] [] [] [] |
+ xchat | [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] |
+ xpad | [] [] [] |
+ +------------------------------------------------------+
+ nso or pa pl pt pt_BR rm ro ru rw sk sl sq sr sv ta
+ 0 2 3 58 31 53 5 76 72 5 42 48 12 51 130 2
+
+ tg th tk tr uk ven vi wa xh zh_CN zh_HK zh_TW zu
+ +---------------------------------------------------+
+ GNUnet | [] | 2
+ a2ps | [] [] [] | 19
+ aegis | | 0
+ ant-phone | [] [] | 6
+ anubis | [] [] [] | 11
+ ap-utils | () [] | 4
+ aspell | [] [] [] | 14
+ bash | [] | 11
+ batchelor | [] [] | 9
+ bfd | | 1
+ bibshelf | [] | 7
+ binutils | [] [] [] | 9
+ bison | [] [] [] | 19
+ bison-runtime | [] [] [] | 16
+ bluez-pin | [] [] [] [] [] [] | 28
+ cflow | [] [] | 4
+ clisp | | 6
+ console-tools | [] [] | 5
+ coreutils | [] [] | 17
+ cpio | [] [] [] | 9
+ cpplib | [] [] [] [] | 11
+ cryptonit | | 5
+ darkstat | [] () () | 15
+ dialog | [] [] [] [] [] | 30
+ diffutils | [] [] [] [] | 28
+ doodle | [] | 6
+ e2fsprogs | [] [] | 10
+ enscript | [] [] [] | 16
+ error | [] [] [] [] | 18
+ fetchmail | [] [] | 12
+ fileutils | [] [] [] | 18
+ findutils | [] [] [] | 17
+ flex | [] [] | 15
+ fslint | [] | 9
+ gas | [] | 3
+ gawk | [] [] | 15
+ gbiff | [] | 5
+ gcal | [] | 5
+ gcc | [] [] [] | 6
+ gettext-examples | [] [] [] [] [] [] | 26
+ gettext-runtime | [] [] [] [] [] [] | 28
+ gettext-tools | [] [] [] [] [] | 19
+ gimp-print | [] [] | 12
+ gip | [] [] | 12
+ gliv | [] [] | 8
+ glunarclock | [] [] [] | 15
+ gmult | [] [] [] [] | 15
+ gnubiff | [] | 1
+ gnucash | () | 2
+ gnucash-glossary | [] [] | 9
+ gnuedu | [] | 2
+ gnulib | [] [] [] [] [] | 28
+ gnunet-gtk | | 1
+ gnutls | | 2
+ gpe-aerial | [] [] | 14
+ gpe-beam | [] [] | 14
+ gpe-calendar | [] [] [] [] | 19
+ gpe-clock | [] [] [] [] | 20
+ gpe-conf | [] [] | 14
+ gpe-contacts | [] [] | 10
+ gpe-edit | [] [] [] [] | 19
+ gpe-filemanager | [] | 5
+ gpe-go | [] [] | 14
+ gpe-login | [] [] [] [] [] | 20
+ gpe-ownerinfo | [] [] [] [] | 20
+ gpe-package | [] | 5
+ gpe-sketchbook | [] [] | 16
+ gpe-su | [] [] [] | 19
+ gpe-taskmanager | [] [] [] | 19
+ gpe-timesheet | [] [] [] [] | 18
+ gpe-today | [] [] [] [] [] | 20
+ gpe-todo | [] | 6
+ gphoto2 | [] [] [] [] | 20
+ gprof | [] [] | 11
+ gpsdrive | | 4
+ gramadoir | [] | 7
+ grep | [] [] [] [] | 33
+ gretl | | 4
+ gsasl | [] [] | 6
+ gss | [] | 5
+ gst-plugins | [] [] [] | 15
+ gst-plugins-base | [] [] [] | 9
+ gst-plugins-good | [] [] [] | 18
+ gstreamer | [] [] [] | 17
+ gtick | [] | 11
+ gtkam | [] | 13
+ gtkorphan | [] | 7
+ gtkspell | [] [] [] [] [] [] | 26
+ gutenprint | | 3
+ hello | [] [] [] [] [] | 39
+ id-utils | [] [] | 14
+ impost | [] | 4
+ indent | [] [] [] [] | 25
+ iso_3166 | [] [] [] | 15
+ iso_3166_1 | [] [] | 20
+ iso_3166_2 | | 2
+ iso_3166_3 | [] [] | 9
+ iso_4217 | [] [] | 14
+ iso_639 | [] | 14
+ jpilot | [] [] [] [] | 7
+ jtag | [] | 3
+ jwhois | [] [] [] | 13
+ kbd | [] [] | 12
+ keytouch | [] | 4
+ keytouch-editor | | 2
+ keytouch-keyboa... | | 2
+ latrine | [] [] | 8
+ ld | [] [] [] [] | 8
+ leafpad | [] [] [] [] | 23
+ libc | [] [] [] | 23
+ libexif | [] | 4
+ libextractor | [] | 5
+ libgpewidget | [] [] [] | 19
+ libgpg-error | [] | 4
+ libgphoto2 | [] | 8
+ libgphoto2_port | [] [] [] | 11
+ libgsasl | [] | 8
+ libiconv | [] | 4
+ libidn | [] [] | 10
+ lifelines | | 4
+ lilypond | | 2
+ lingoteach | [] | 6
+ lynx | [] [] [] | 15
+ m4 | [] [] [] | 18
+ mailutils | [] | 8
+ make | [] [] [] | 20
+ man-db | [] | 6
+ minicom | [] | 14
+ mysecretdiary | [] [] | 12
+ nano | [] [] | 15
+ nano_1_0 | [] [] [] | 18
+ opcodes | [] [] | 10
+ parted | [] [] [] | 10
+ pilot-qof | [] | 3
+ psmisc | [] | 10
+ pwdutils | [] | 3
+ python | | 0
+ qof | [] | 2
+ radius | [] | 6
+ recode | [] [] [] | 25
+ rpm | [] [] [] [] | 14
+ screem | [] | 2
+ scrollkeeper | [] [] [] [] | 26
+ sed | [] [] [] | 22
+ sh-utils | [] | 15
+ shared-mime-info | [] [] [] [] | 23
+ sharutils | [] [] [] | 23
+ shishi | | 1
+ silky | [] | 4
+ skencil | [] | 7
+ sketch | | 6
+ solfege | | 2
+ soundtracker | [] [] | 9
+ sp | [] | 3
+ stardict | [] [] [] [] | 11
+ system-tools-ba... | [] [] [] [] [] [] [] | 37
+ tar | [] [] [] [] | 19
+ texinfo | [] [] [] | 15
+ textutils | [] [] [] | 17
+ tin | | 1
+ tp-robot | [] [] [] | 10
+ tuxpaint | [] [] [] | 16
+ unicode-han-tra... | | 0
+ unicode-transla... | | 2
+ util-linux | [] [] [] | 20
+ vorbis-tools | [] [] | 11
+ wastesedge | | 1
+ wdiff | [] [] | 22
+ wget | [] [] [] | 19
+ xchat | [] [] [] [] | 28
+ xkeyboard-config | [] [] [] [] | 11
+ xpad | [] [] [] | 14
+ +---------------------------------------------------+
+ 77 teams tg th tk tr uk ven vi wa xh zh_CN zh_HK zh_TW zu
+ 172 domains 0 1 1 78 39 0 135 13 1 50 3 54 0 2054
+
+ Some counters in the preceding matrix are higher than the number of
+visible blocks let us expect. This is because a few extra PO files are
+used for implementing regional variants of languages, or language
+dialects.
+
+ For a PO file in the matrix above to be effective, the package to
+which it applies should also have been internationalized and
+distributed as such by its maintainer. There might be an observable
+lag between the mere existence a PO file and its wide availability in a
+distribution.
+
+ If July 2006 seems to be old, you may fetch a more recent copy of
+this `ABOUT-NLS' file on most GNU archive sites. The most up-to-date
+matrix with full percentage details can be found at
+`http://www.iro.umontreal.ca/contrib/po/HTML/matrix.html'.
+
+1.6 Using `gettext' in new packages
+===================================
+
+If you are writing a freely available program and want to
+internationalize it you are welcome to use GNU `gettext' in your
+package. Of course you have to respect the GNU Library General Public
+License which covers the use of the GNU `gettext' library. This means
+in particular that even non-free programs can use `libintl' as a shared
+library, whereas only free software can use `libintl' as a static
+library or use modified versions of `libintl'.
+
+ Once the sources are changed appropriately and the setup can handle
+the use of `gettext' the only thing missing are the translations. The
+Free Translation Project is also available for packages which are not
+developed inside the GNU project. Therefore the information given above
+applies also for every other Free Software Project. Contact
+`translation@iro.umontreal.ca' to make the `.pot' files available to
+the translation teams.
+
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..38c73fc
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,3 @@
+Jana Saout <jana@saout.de>
+Clemens Fruhwirth <clemens@endorphin.org>
+Milan Broz <gmazyland@gmail.com>
diff --git a/Android.mk b/Android.mk
new file mode 100644
index 0000000..e98c014
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,143 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libcryptsetup-host
+
+LOCAL_SRC_FILES := \
+ lib/setup.c \
+ lib/utils.c \
+ lib/utils_benchmark.c \
+ lib/utils_crypt.c \
+ lib/utils_loop.c \
+ lib/utils_devpath.c \
+ lib/utils_wipe.c \
+ lib/utils_fips.c \
+ lib/utils_device.c \
+ lib/libdevmapper.c \
+ lib/volumekey.c \
+ lib/random.c \
+ lib/crypt_plain.c \
+ lib/crypto_backend/crypto_cipher_kernel.c \
+ lib/crypto_backend/crypto_storage.c \
+ lib/crypto_backend/pbkdf_check.c \
+ lib/crypto_backend/crc32.c \
+ lib/crypto_backend/crypto_openssl.c \
+ lib/luks1/af.c \
+ lib/luks1/keymanage.c \
+ lib/luks1/keyencryption.c \
+ lib/tcrypt/tcrypt.c \
+ lib/verity/verity_hash.c \
+ lib/verity/verity_fec.c \
+ lib/verity/verity.c \
+ lib/verity/rs_encode_char.c \
+ lib/loopaes/loopaes.c
+
+LOCAL_CFLAGS := -include $(LOCAL_PATH)/config.h
+LOCAL_C_INCLUDES := \
+ $(LOCAL_PATH)/lib \
+ $(LOCAL_PATH)/lib/loopaes \
+ $(LOCAL_PATH)/lib/luks1 \
+ $(LOCAL_PATH)/lib/verity \
+ $(LOCAL_PATH)/lib/tcrypt \
+ $(LOCAL_PATH)/lib/crypto_backend
+
+include $(BUILD_HOST_STATIC_LIBRARY)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libcryptsetup
+
+LOCAL_ADDITIONAL_DEPENDENCIES := toolchain-libs
+
+LOCAL_SRC_FILES := \
+ lib/setup.c \
+ lib/utils.c \
+ lib/utils_benchmark.c \
+ lib/utils_crypt.c \
+ lib/utils_loop.c \
+ lib/utils_devpath.c \
+ lib/utils_wipe.c \
+ lib/utils_fips.c \
+ lib/utils_device.c \
+ lib/libdevmapper.c \
+ lib/volumekey.c \
+ lib/random.c \
+ lib/crypt_plain.c \
+ lib/crypto_backend/crypto_cipher_kernel.c \
+ lib/crypto_backend/crypto_storage.c \
+ lib/crypto_backend/pbkdf_check.c \
+ lib/crypto_backend/crc32.c \
+ lib/crypto_backend/crypto_openssl.c \
+ lib/luks1/af.c \
+ lib/luks1/keymanage.c \
+ lib/luks1/keyencryption.c \
+ lib/tcrypt/tcrypt.c \
+ lib/verity/verity_hash.c \
+ lib/verity/verity_fec.c \
+ lib/verity/verity.c \
+ lib/verity/rs_encode_char.c \
+ lib/loopaes/loopaes.c
+
+LOCAL_CFLAGS := -include $(LOCAL_PATH)/config.h --sysroot=$(TARGET_OUT)/../build_sysroot/
+LOCAL_C_INCLUDES := \
+ $(LOCAL_PATH)/lib \
+ $(LOCAL_PATH)/lib/loopaes \
+ $(LOCAL_PATH)/lib/luks1 \
+ $(LOCAL_PATH)/lib/verity \
+ $(LOCAL_PATH)/lib/tcrypt \
+ $(LOCAL_PATH)/lib/crypto_backend \
+ $(LOCAL_PATH)/../lvm2/libdm \
+ $(LOCAL_PATH)/../oprofile/libpopt \
+ $(LOCAL_PATH)/../boringssl/include
+
+include $(BUILD_STATIC_LIBRARY)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := cryptsetup
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := \
+ lib/utils_crypt.c \
+ lib/utils_loop.c \
+ src/utils_tools.c \
+ src/utils_password.c \
+ src/cryptsetup.c
+
+LOCAL_C_INCLUDES := \
+ $(LOCAL_PATH)/lib \
+ $(LOCAL_PATH)/lib/loopaes \
+ $(LOCAL_PATH)/lib/luks1 \
+ $(LOCAL_PATH)/lib/verity \
+ $(LOCAL_PATH)/lib/tcrypt \
+ $(LOCAL_PATH)/lib/crypto_backend \
+ $(LOCAL_PATH)/../lvm2/libdm \
+ $(LOCAL_PATH)/../oprofile/libpopt \
+ $(LOCAL_PATH)/../boringssl/include
+
+LOCAL_CFLAGS := -include $(LOCAL_PATH)/config.h --sysroot=$(TARGET_OUT)/../build_sysroot/
+
+LOCAL_STATIC_LIBRARIES := libcryptsetup libdm liboprofile_popt
+LOCAL_SHARED_LIBRARIES := libuuid libssl libcrypto
+
+include $(BUILD_EXECUTABLE)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := veritysetup
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := \
+ lib/utils_crypt.c \
+ lib/utils_loop.c \
+ src/utils_tools.c \
+ src/veritysetup.c
+
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/lib
+
+LOCAL_CFLAGS := -include $(LOCAL_PATH)/config.h
+LOCAL_LDFLAGS := -lpopt -l:libcrypto.a -lz -ldl -lpthread -ldevmapper -luuid
+
+LOCAL_STATIC_LIBRARIES := libcryptsetup-host
+
+include $(BUILD_HOST_EXECUTABLE)
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..86289a1
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,354 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+
+-----
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+
+You must obey the GNU General Public License in all respects
+for all of the code used other than OpenSSL. If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so. If you
+do not wish to do so, delete this exception statement from your
+version. If you delete this exception statement from all source
+files in the program, then also delete it here.
diff --git a/COPYING.LGPL b/COPYING.LGPL
new file mode 100644
index 0000000..7e354d5
--- /dev/null
+++ b/COPYING.LGPL
@@ -0,0 +1,517 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+ This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+ When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+ To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+ For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+
+ We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+ To protect each distributor, we want to make it very clear that
+there is no warranty for the free library. Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+�
+ Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+ Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+ When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+ We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+
+ For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard. To achieve this, non-free programs must be
+allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+ In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+ Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+ The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+�
+ GNU LESSER GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+ A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+ The "Library", below, refers to any such software library or work
+which has been distributed under these terms. A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language. (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+ "Source code" for a work means the preferred form of the work for
+making modifications to it. For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+ Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it). Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+ 1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+ You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+�
+ 2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no
+ charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a
+ table of data to be supplied by an application program that uses
+ the facility, other than as an argument passed when the facility
+ is invoked, then you must make a good faith effort to ensure that,
+ in the event an application does not supply such function or
+ table, the facility still operates, and performs whatever part of
+ its purpose remains meaningful.
+
+ (For example, a function in a library to compute square roots has
+ a purpose that is entirely well-defined independent of the
+ application. Therefore, Subsection 2d requires that any
+ application-supplied function or table used by this function must
+ be optional: if the application does not supply it, the square
+ root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library. To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License. (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.) Do not make any other change in
+these notices.
+�
+ Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+ This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+ 4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+ If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library". Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+ However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library". The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+ When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library. The
+threshold for this to be true is not precisely defined by law.
+
+ If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work. (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+ Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+�
+ 6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+ You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License. You must supply a copy of this License. If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License. Also, you must do one
+of these things:
+
+ a) Accompany the work with the complete corresponding
+ machine-readable source code for the Library including whatever
+ changes were used in the work (which must be distributed under
+ Sections 1 and 2 above); and, if the work is an executable linked
+ with the Library, with the complete machine-readable "work that
+ uses the Library", as object code and/or source code, so that the
+ user can modify the Library and then relink to produce a modified
+ executable containing the modified Library. (It is understood
+ that the user who changes the contents of definitions files in the
+ Library will not necessarily be able to recompile the application
+ to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (1) uses at run time a
+ copy of the library already present on the user's computer system,
+ rather than copying library functions into the executable, and (2)
+ will operate properly with a modified version of the library, if
+ the user installs one, as long as the modified version is
+ interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at
+ least three years, to give the same user the materials
+ specified in Subsection 6a, above, for a charge no more
+ than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy
+ from a designated place, offer equivalent access to copy the above
+ specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these
+ materials or that you have already sent this user a copy.
+
+ For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it. However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+ It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system. Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+�
+ 7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work
+ based on the Library, uncombined with any other library
+ facilities. This must be distributed under the terms of the
+ Sections above.
+
+ b) Give prominent notice with the combined library of the fact
+ that part of it is a work based on the Library, and explaining
+ where to find the accompanying uncombined form of the same work.
+
+ 8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License. Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License. However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+ 9. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Library or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+ 10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+�
+ 11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all. For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded. In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+ 13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+�
+ 14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission. For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this. Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+ NO WARRANTY
+
+ 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+�
+ How to Apply These Terms to Your New Libraries
+
+ If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change. You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+ To apply these terms, attach the following notices to the library. It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the library's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the
+ library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+ <signature of Ty Coon>, 1 April 1990
+ Ty Coon, President of Vice
+
+That's all there is to it!
+
+-----
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+
+You must obey the GNU Lesser General Public License in all respects
+for all of the code used other than OpenSSL. If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so. If you
+do not wish to do so, delete this exception statement from your
+version. If you delete this exception statement from all source
+files in the program, then also delete it here.
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..b6c11ba
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,6 @@
+Since version 1.6 this file is no longer maintained.
+
+See docs/*ReleaseNotes for release changes documentation.
+
+See version control history for full commit messages.
+ https://gitlab.com/cryptsetup/cryptsetup/commits/master
diff --git a/FAQ b/FAQ
new file mode 100644
index 0000000..30f17f1
--- /dev/null
+++ b/FAQ
@@ -0,0 +1,2807 @@
+Frequently Asked Questions.
+
+Sections
+1. General Questions
+2. Setup
+3. Common Problems
+4. Troubleshooting
+5. Security Aspects
+6. Backup and Data Recovery
+7. Interoperability with other Disk Encryption Tools
+8. Issues with Specific Versions of cryptsetup
+9. The Initrd question
+10. References and Further Reading
+A. Contributors
+
+1. General Questions
+
+
+ * 1.1 What is this?
+
+ This is the FAQ (Frequently Asked Questions) for cryptsetup. It
+ covers Linux disk encryption with plain dm-crypt (one passphrase, no
+ management, no metadata on disk) and LUKS (multiple user keys with
+ one master key, anti-forensic features, metadata block at start of
+ device, ...). The latest version of this FAQ should usually be
+ available at
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
+
+
+ * 1.2 WARNINGS
+
+ ATTENTION: If you are going to read just one thing, make it the
+ section on Backup and Data Recovery. By far the most questions on
+ the cryptsetup mailing list are from people that managed to damage
+ the start of their LUKS partitions, i.e. the LUKS header. In most
+ cases, there is nothing that can be done to help these poor souls
+ recover their data. Make sure you understand the problem and
+ limitations imposed by the LUKS security model BEFORE you face such a
+ disaster! In particular, make sure you have a current header backup
+ before doing any potentially dangerous operations.
+
+ DEBUG COMMANDS: While the --debug option does not leak data, "strace"
+ and the like can leak your full passphrase. Do not post an strace
+ output with the correct passphrase to a mailing-list or online! See
+ Item 4.5 for more explanation.
+
+ SSDs/FLASH DRIVES: SSDs and Flash are different. Currently it is
+ unclear how to get LUKS or plain dm-crypt to run on them with the
+ full set of security features intact. This may or may not be a
+ problem, depending on the attacker model. See Section 5.19.
+
+ BACKUP: Yes, encrypted disks die, just as normal ones do. A full
+ backup is mandatory, see Section "6. Backup and Data Recovery" on
+ options for doing encrypted backup.
+
+ CLONING/IMAGING: If you clone or image a LUKS container, you make a
+ copy of the LUKS header and the master key will stay the same! That
+ means that if you distribute an image to several machines, the same
+ master key will be used on all of them, regardless of whether you
+ change the passphrases. Do NOT do this! If you do, a root-user on
+ any of the machines with a mapped (decrypted) container or a
+ passphrase on that machine can decrypt all other copies, breaking
+ security. See also Item 6.15.
+
+ DISTRIBUTION INSTALLERS: Some distribution installers offer to create
+ LUKS containers in a way that can be mistaken as activation of an
+ existing container. Creating a new LUKS container on top of an
+ existing one leads to permanent, complete and irreversible data loss.
+ It is strongly recommended to only use distribution installers after
+ a complete backup of all LUKS containers has been made.
+
+ UBUNTU INSTALLER: In particular the Ubuntu installer seems to be
+ quite willing to kill LUKS containers in several different ways.
+ Those responsible at Ubuntu seem not to care very much (it is very
+ easy to recognize a LUKS container), so treat the process of
+ installing Ubuntu as a severe hazard to any LUKS container you may
+ have.
+
+ NO WARNING ON NON-INTERACTIVE FORMAT: If you feed cryptsetup from
+ STDIN (e.g. via GnuPG) on LUKS format, it does not give you the
+ warning that you are about to format (and e.g. will lose any
+ pre-existing LUKS container on the target), as it assumes it is used
+ from a script. In this scenario, the responsibility for warning the
+ user and possibly checking for an existing LUKS header is shifted to
+ the script. This is a more general form of the previous item.
+
+ LUKS PASSPHRASE IS NOT THE MASTER KEY: The LUKS passphrase is not
+ used in deriving the master key. It is used in decrypting a master
+ key that is randomly selected on header creation. This means that if
+ you create a new LUKS header on top of an old one with exactly the
+ same parameters and exactly the same passphrase as the old one, it
+ will still have a different master key and your data will be
+ permanently lost.
+
+ PASSPHRASE CHARACTER SET: Some people have had difficulties with this
+ when upgrading distributions. It is highly advisable to only use the
+ 95 printable characters from the first 128 characters of the ASCII
+ table, as they will always have the same binary representation.
+ Other characters may have different encoding depending on system
+ configuration and your passphrase will not work with a different
+ encoding. A table of the standardized first 128 ASCII characters
+ can, e.g. be found on http://en.wikipedia.org/wiki/ASCII
+
+ KEYBOARD NUM-PAD: Apparently some pre-boot authentication
+ environments (these are done by the distro, not by cryptsetup, so
+ complain there) treat digits entered on the num-pad and ones entered
+ regularly different. This may be because the BIOS USB keyboard
+ driver is used and that one may have bugs on some computers. If you
+ cannot open your device in pre-boot, try entering the digits over the
+ regular digit keys.
+
+
+ * 1.3 System specific warnings
+
+ - Ubuntu as of 4/2011: It seems the installer offers to create LUKS
+ partitions in a way that several people mistook for an offer to
+ activate their existing LUKS partition. The installer gives no or an
+ inadequate warning and will destroy your old LUKS header, causing
+ permanent data loss. See also the section on Backup and Data
+ Recovery.
+
+ This issue has been acknowledged by the Ubuntu dev team, see
+ here: http://launchpad.net/bugs/420080
+
+ Update 4/2013: I am still unsure whether this has been fixed by now,
+ best be careful. They also seem to have added even more LUKS killer
+ functionality to the Ubuntu installer. I can only strongly
+ recommended to not install Ubuntu on a system with existing LUKS
+ containers without complete backups.
+
+ Update 11/2014: There seem to be other problems withe existing LUKS
+ containers and Ubuntu as well, be extra careful when using LUKS
+ on Ubuntu in any way, but exactly as the Ubuntu installer does.
+
+
+ * 1.4 My LUKS-device is broken! Help!
+
+ First: Do not panic! In many cases the data is still recoverable.
+ Do not do anything hasty! Steps:
+
+ - Take some deep breaths. Maybe add some relaxing music. This may
+ sound funny, but I am completely serious. Often, critical damage is
+ done only after the initial problem.
+
+ - Do not reboot. The keys may still be in the kernel if the device is
+ mapped.
+
+ - Make sure others do not reboot the system.
+
+ - Do not write to your disk without a clear understanding why this
+ will not make matters worse. Do a sector-level backup before any
+ writes. Often you do not need to write at all to get enough access
+ to make a backup of the data.
+
+ - Relax some more.
+
+ - Read section 6 of this FAQ.
+
+ - Ask on the mailing-list if you need more help.
+
+
+ * 1.5 Who wrote this?
+
+ Current FAQ maintainer is Arno Wagner <arno@wagner.name>. If you want
+ to send me encrypted email, my current PGP key is DSA key CB5D9718,
+ fingerprint 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718.
+
+ Other contributors are listed at the end. If you want to contribute,
+ send your article, including a descriptive headline, to the
+ maintainer, or the dm-crypt mailing list with something like "FAQ
+ ..." in the subject. You can also send more raw information and have
+ me write the section. Please note that by contributing to this FAQ,
+ you accept the license described below.
+
+ This work is under the "Attribution-Share Alike 3.0 Unported"
+ license, which means distribution is unlimited, you may create
+ derived works, but attributions to original authors and this license
+ statement must be retained and the derived work must be under the
+ same license. See http://creativecommons.org/licenses/by-sa/3.0/ for
+ more details of the license.
+
+ Side note: I did text license research some time ago and I think this
+ license is best suited for the purpose at hand and creates the least
+ problems.
+
+
+ * 1.6 Where is the project website?
+
+ There is the project website at
+ https://gitlab.com/cryptsetup/cryptsetup/ Please do not post
+ questions there, nobody will read them. Use the mailing-list
+ instead.
+
+
+ * 1.7 Is there a mailing-list?
+
+ Instructions on how to subscribe to the mailing-list are at on the
+ project website. People are generally helpful and friendly on the
+ list.
+
+ The question of how to unsubscribe from the list does crop up
+ sometimes. For this you need your list management URL, which is sent
+ to you initially and once at the start of each month. Go to the URL
+ mentioned in the email and select "unsubscribe". This page also
+ allows you to request a password reminder.
+
+ Alternatively, you can send an Email to dm-crypt-request@saout.de
+ with just the word "help" in the subject or message body. Make sure
+ to send it from your list address.
+
+ The mailing list archive is here:
+ http://dir.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt
+
+
+ * 1.8 Unsubscribe from the mailing-list
+
+ Send mail to dm-crypt-unsubscribe@saout.de from the subscribed
+ account. You will get an email with instructions.
+
+ Basically, you just have to respond to it unmodified to get
+ unsubscribed. The listserver admin functions are not very fast. It
+ can take 15 minutes or longer for a reply to arrive (I suspect
+ greylisting is in use), so be patient.
+
+ Also note that nobody on the list can unsubscribe you, sending
+ demands to be unsubscribed to the list just annoys people that are
+ entirely blameless for you being subscribed.
+
+ If you are subscribed, a subscription confirmation email was sent to
+ your email account and it had to be answered before the subscription
+ went active. The confirmation emails from the listserver have
+ subjects like these (with other numbers):
+
+ Subject: confirm 9964cf10.....
+
+ and are sent from dm-crypt-request@saout.de. You should check whether
+ you have anything like it in your sent email folder. If you find
+ nothing and are sure you did not confirm, then you should look into a
+ possible compromise of your email account.
+
+
+2. Setup
+
+ * 2.1 LUKS Container Setup mini-HOWTO
+
+ This item tries to give you a very brief list of all the steps you
+ should go though when creating a new LUKS encrypted container, i.e.
+ encrypted disk, partition or loop-file.
+
+ 01) All data will be lost, if there is data on the target, make a
+ backup.
+
+ 02) Make very sure you have the right target disk, partition or
+ loop-file.
+
+ 03) If the target was in use previously, it is a good idea to wipe it
+ before creating the LUKS container in order to remove any trace of
+ old file systems and data. For example, some users have managed to
+ run e2fsck on a partition containing a LUKS container, possibly
+ because of residual ext2 superblocks from an earlier use. This can
+ do arbitrary damage up to complete and permanent loss of all data in
+ the LUKS container.
+
+ To just quickly wipe file systems (old data may remain), use
+
+ wipefs -a <target device>
+
+
+ To wipe file system and data, use something like
+
+ cat /dev/zero > <target device>
+
+
+ This can take a while. To get a progress indicator, you can use the
+ tool dd_rescue (->google) instead or use my stream meter "wcs"
+ (source here: http://www.tansi.org/tools/index.html) in the following
+ fashion:
+
+ cat /dev/zero | wcs > <target device>
+
+
+ Be very sure you have the right target, all data will be lost!
+
+ Note that automatic wiping is on the TODO list for cryptsetup, so at
+ some time in the future this will become unnecessary.
+
+ Alternatively, plain dm-crypt can be used for a very fast wipe with
+ crypto-grade randomness, see Item 2.19
+
+ 04) Create the LUKS container:
+
+ cryptsetup luksFormat <target device>
+
+
+ Just follow the on-screen instructions.
+
+ Note: Passphrase iteration is determined by cryptsetup depending on
+ CPU power. On a slow device, this may be lower than you want. I
+ recently benchmarked this on a Raspberry Pi and it came out at about
+ 1/15 of the iteration count for a typical PC. If security is
+ paramount, you may want to increase the time spent in iteration, at
+ the cost of a slower unlock later. For the Raspberry Pi, using
+
+ cryptsetup luksFormat -i 15000 <target device>
+
+ gives you an iteration count and security level equal to an average
+ PC for passphrase iteration and master-key iteration. If in doubt,
+ check the iteration counts with
+
+ cryptsetup luksDump <target device>
+
+ and adjust the iteration count accordingly by creating the container
+ again with a different iteration time (the number after '-i' is the
+ iteration time in milliseconds) until your requirements are met.
+
+ 05) Map the container. Here it will be mapped to /dev/mapper/c1:
+
+ cryptsetup luksOpen <target device> c1
+
+
+ 06) (Optionally) wipe the container (make sure you have the right
+ target!):
+
+ cat /dev/zero > /dev/mapper/c1
+
+
+ Note that this creates a small information leak, as an attacker can
+ determine whether a 512 byte block is zero if the attacker has access
+ to the encrypted container multiple times. Typically a competent
+ attacker that has access multiple times can install a passphrase
+ sniffer anyways, so this leakage is not very significant. For
+ getting a progress indicator, see step 03.
+
+ Note that at some time in the future, cryptsetup will do this for
+ you, but currently it is a TODO list item.
+
+ 07) Create a file system in the mapped container, for example an
+ ext3 file system (any other file system is possible):
+
+ mke2fs -j /dev/mapper/c1
+
+
+ 08) Mount your encrypted file system, here on /mnt:
+
+ mount /dev/mapper/c1 /mnt
+
+
+ Done. You can now use the encrypted file system to store data. Be
+ sure to read though the rest of the FAQ, these are just the very
+ basics. In particular, there are a number of mistakes that are easy
+ to make, but will compromise your security.
+
+
+ * 2.2 LUKS on partitions or raw disks?
+
+ This is a complicated question, and made more so by the availability
+ of RAID and LVM. I will try to give some scenarios and discuss
+ advantages and disadvantages. Note that I say LUKS for simplicity,
+ but you can do all the things described with plain dm-crypt as well.
+ Also note that your specific scenario may be so special that most or
+ even all things I say below do not apply.
+
+ Be aware that if you add LVM into the mix, things can get very
+ complicated. Same with RAID but less so. In particular, data
+ recovery can get exceedingly difficult. Only do so if you have a
+ really good reason and always remember KISS is what separates an
+ engineer from an amateur. Of course, if you really need the added
+ complexity, KISS is satisfied. But be very sure as there is a price
+ to pay for it. In engineering, complexity is always the enemy and
+ needs to be fought without mercy when encountered.
+
+ Also consider using RAID instead of LVM, as at least with the old
+ superblock format 0.90, the RAID superblock is in the place (end of
+ disk) where the risk of it permanently damaging the LUKS header is
+ smallest and you can have your array assembled by the RAID controller
+ (i.e. the kernel), as it should be. Use partition type 0xfd for
+ that. I recommend staying away from superblock formats 1.0, 1.1 and
+ 1.2 unless you really need them. Be aware that you lose
+ autodetection with them and have to fall back to some user-space
+ script to do it.
+
+ Scenarios:
+
+ (1) Encrypted partition: Just make a partition to your liking, and
+ put LUKS on top of it and a filesystem into the LUKS container. This
+ gives you isolation of differently-tasked data areas, just as
+ ordinary partitioning does. You can have confidential data,
+ non-confidential data, data for some specific applications,
+ user-homes, root, etc. Advantages are simplicity as there is a 1:1
+ mapping between partitions and filesystems, clear security
+ functionality and the ability to separate data into different,
+ independent (!) containers.
+
+ Note that you cannot do this for encrypted root, that requires an
+ initrd. On the other hand, an initrd is about as vulnerable to a
+ competent attacker as a non-encrypted root, so there really is no
+ security advantage to doing it that way. An attacker that wants to
+ compromise your system will just compromise the initrd or the kernel
+ itself. The better way to deal with this is to make sure the root
+ partition does not store any critical data and move that to
+ additional encrypted partitions. If you really are concerned your
+ root partition may be sabotaged by somebody with physical access
+ (that would however strangely not, say, sabotage your BIOS, keyboard,
+ etc.), protect it in some other way. The PC is just not set-up for a
+ really secure boot-chain (whatever some people may claim).
+
+ (2) Fully encrypted raw block device: For this, put LUKS on the raw
+ device (e.g. /dev/sdb) and put a filesystem into the LUKS container,
+ no partitioning whatsoever involved. This is very suitable for
+ things like external USB disks used for backups or offline
+ data-storage.
+
+ (3) Encrypted RAID: Create your RAID from partitions and/or full
+ devices. Put LUKS on top of the RAID device, just if it were an
+ ordinary block device. Applications are just the same as above, but
+ you get redundancy. (Side note as many people seem to be unaware of
+ it: You can do RAID1 with an arbitrary number of components in
+ Linux.) See also Item 2.8.
+
+ (4) Now, some people advocate doing the encryption below the RAID
+ layer. That has several serious problems. One is that suddenly
+ debugging RAID issues becomes much harder. You cannot do automatic
+ RAID assembly anymore. You need to keep the encryption keys for the
+ components in sync or manage them somehow. The only possible
+ advantage is that things may run a little faster as more CPUs do the
+ encryption, but if speed is a priority over security and simplicity,
+ you are doing this wrong anyways. A good way to mitigate a speed
+ issue is to get a CPU that does hardware AES.
+
+
+ * 2.3 How do I set up encrypted swap?
+
+ As things that are confidential can end up in swap (keys,
+ passphrases, etc. are usually protected against being swapped to
+ disk, but other things may not be), it may be advisable to do
+ something about the issue. One option is to run without swap, which
+ generally works well in a desktop-context. It may cause problems in
+ a server-setting or under special circumstances. The solution to
+ that is to encrypt swap with a random key at boot-time.
+
+ NOTE: This is for Debian, and should work for Debian-derived
+ distributions. For others you may have to write your own startup
+ script or use other mechanisms.
+
+ 01) Add the swap partition to /etc/crypttab. A line like the
+ following should do it:
+
+ swap /dev/<partition> /dev/urandom swap,noearly
+
+
+ Warning: While Debian refuses to overwrite partitions with a
+ filesystem or RAID signature on it, if your disk IDs may change
+ (adding or removing disks, failure of disk during boot, etc.), you
+ may want to take additional precautions. Yes, this means that your
+ kernel device names like sda, sdb, ... can change between reboots!
+ This is not a concern if you have only one disk. One possibility is
+ to make sure the partition number is not present on additional disks
+ or also swap there. Another is to encapsulate the swap partition (by
+ making it a 1-disk RAID1 or by using LVM), so that it gets a
+ persistent identifier. Specifying it directly by UUID does not work,
+ unfortunately, as the UUID is part of the swap signature and that is
+ not visible from the outside due to the encryption and in addition
+ changes on each reboot with this setup.
+
+ Note: Use /dev/random if you are paranoid or in a potential
+ low-entropy situation (embedded system, etc.). This may cause the
+ operation to take a long time during boot. If you are in a "no
+ entropy" situation, you cannot encrypt swap securely. In this
+ situation you should find some entropy, also because nothing else
+ using crypto will be secure, like ssh, ssl or GnuPG.
+
+ Note: The "noearly" option makes sure things like LVM, RAID, etc.
+ are running. As swap is non-critical for boot, it is fine to start
+ it late.
+
+ 02) Add the swap partition to /etc/fstab. A line like the following
+ should do it:
+
+ /dev/mapper/swap none swap sw 0 0
+
+
+ That is it. Reboot or start it manually to activate encrypted swap.
+ Manual start would look like this:
+
+ /etc/init.d/crypdisks start
+ swapon /dev/mapper/swap
+
+
+
+ * 2.4 What is the difference between "plain" and LUKS format?
+
+ First, unless you happen to understand the cryptographic background
+ well, you should use LUKS. It does protect the user from a lot of
+ common mistakes. Plain dm-crypt is for experts.
+
+ Plain format is just that: It has no metadata on disk, reads all
+ parameters from the commandline (or the defaults), derives a
+ master-key from the passphrase and then uses that to de-/encrypt the
+ sectors of the device, with a direct 1:1 mapping between encrypted
+ and decrypted sectors.
+
+ Primary advantage is high resilience to damage, as one damaged
+ encrypted sector results in exactly one damaged decrypted sector.
+ Also, it is not readily apparent that there even is encrypted data on
+ the device, as an overwrite with crypto-grade randomness (e.g. from
+ /dev/urandom) looks exactly the same on disk.
+
+ Side-note: That has limited value against the authorities. In
+ civilized countries, they cannot force you to give up a crypto-key
+ anyways. In quite a few countries around the world, they can force
+ you to give up the keys (using imprisonment or worse to pressure you,
+ sometimes without due process), and in the worst case, they only need
+ a nebulous "suspicion" about the presence of encrypted data.
+ Sometimes this applies to everybody, sometimes only when you are
+ suspected of having "illicit data" (definition subject to change) and
+ sometimes specifically when crossing a border. Note that this is
+ going on in countries like the US and the UK, to different degrees
+ and sometimes with courts restricting what the authorities can
+ actually demand.
+
+ My advice is to either be ready to give up the keys or to not have
+ encrypted data when traveling to those countries, especially when
+ crossing the borders. The latter also means not having any
+ high-entropy (random) data areas on your disk, unless you can explain
+ them and demonstrate that explanation. Hence doing a zero-wipe of
+ all free space, including unused space, may be a good idea.
+
+ Disadvantages are that you do not have all the nice features that the
+ LUKS metadata offers, like multiple passphrases that can be changed,
+ the cipher being stored in the metadata, anti-forensic properties
+ like key-slot diffusion and salts, etc..
+
+ LUKS format uses a metadata header and 8 key-slot areas that are
+ being placed at the beginning of the disk, see below under "What does
+ the LUKS on-disk format looks like?". The passphrases are used to
+ decrypt a single master key that is stored in the anti-forensic
+ stripes.
+
+ Advantages are a higher usability, automatic configuration of
+ non-default crypto parameters, defenses against low-entropy
+ passphrases like salting and iterated PBKDF2 passphrase hashing, the
+ ability to change passphrases, and others.
+
+ Disadvantages are that it is readily obvious there is encrypted data
+ on disk (but see side note above) and that damage to the header or
+ key-slots usually results in permanent data-loss. See below under
+ "6. Backup and Data Recovery" on how to reduce that risk. Also the
+ sector numbers get shifted by the length of the header and key-slots
+ and there is a loss of that size in capacity (1MB+4096B for defaults
+ and 2MB for the most commonly used non-default XTS mode).
+
+
+ * 2.5 Can I encrypt an already existing, non-empty partition to use LUKS?
+
+ There is no converter, and it is not really needed. The way to do
+ this is to make a backup of the device in question, securely wipe the
+ device (as LUKS device initialization does not clear away old data),
+ do a luksFormat, optionally overwrite the encrypted device, create a
+ new filesystem and restore your backup on the now encrypted device.
+ Also refer to sections "Security Aspects" and "Backup and Data
+ Recovery".
+
+ For backup, plain GNU tar works well and backs up anything likely
+ to be in a filesystem.
+
+
+ * 2.6 How do I use LUKS with a loop-device?
+
+ This can be very handy for experiments. Setup is just the same as
+ with any block device. If you want, for example, to use a 100MiB
+ file as LUKS container, do something like this:
+
+ head -c 100M /dev/zero > luksfile # create empty file
+ losetup /dev/loop0 luksfile # map luksfile to /dev/loop0
+ cryptsetup luksFormat /dev/loop0 # create LUKS on loop device
+
+ Afterwards just use /dev/loop0 as a you would use a LUKS partition.
+ To unmap the file when done, use "losetup -d /dev/loop0".
+
+
+ * 2.7 When I add a new key-slot to LUKS, it asks for a passphrase
+ but then complains about there not being a key-slot with that
+ passphrase?
+
+ That is as intended. You are asked a passphrase of an existing
+ key-slot first, before you can enter the passphrase for the new
+ key-slot. Otherwise you could break the encryption by just adding a
+ new key-slot. This way, you have to know the passphrase of one of
+ the already configured key-slots in order to be able to configure a
+ new key-slot.
+
+
+ * 2.8 Encryption on top of RAID or the other way round?
+
+ Unless you have special needs, place encryption between RAID and
+ filesystem, i.e. encryption on top of RAID. You can do it the other
+ way round, but you have to be aware that you then need to give the
+ passphrase for each individual disk and RAID autodetection will not
+ work anymore. Therefore it is better to encrypt the RAID device,
+ e.g. /dev/dm0 .
+
+ This means that the typical layering looks like this:
+
+ Filesystem <- top
+ |
+ Encryption
+ |
+ RAID
+ |
+ Raw partitions
+ |
+ Raw disks <- bottom
+
+ The big advantage is that you can manage the RAID container just like
+ any RAID container, it does not care that what is in it is encrypted.
+
+
+ * 2.9 How do I read a dm-crypt key from file?
+
+ Use the --key-file option, like this:
+
+ cryptsetup create --key-file keyfile e1 /dev/loop0
+
+ This will read the binary key from file, i.e. no hashing or
+ transformation will be applied to the keyfile before its bits are
+ used as key. Extra bits (beyond the length of the key) at the end
+ are ignored. Note that if you read from STDIN, the data will still
+ be hashed, just as a key read interactively from the terminal. See
+ the man-page sections "NOTES ON PASSPHRASE PROCESSING..." for more
+ detail.
+
+ * 2.10 How do I read a LUKS slot key from file?
+
+ What you really do here is to read a passphrase from file, just as
+ you would with manual entry of a passphrase for a key-slot. You can
+ add a new passphrase to a free key-slot, set the passphrase of an
+ specific key-slot or put an already configured passphrase into a
+ file. In the last case make sure no trailing newline (0x0a) is
+ contained in the key file, or the passphrase will not work because
+ the whole file is used as input.
+
+ To add a new passphrase to a free key slot from file, use something
+ like this:
+
+ cryptsetup luksAddKey /dev/loop0 keyfile
+
+
+ To add a new passphrase to a specific key-slot, use something
+ like this:
+
+ cryptsetup luksAddKey --key-slot 7 /dev/loop0 keyfile
+
+
+ To supply a key from file to any LUKS command, use the --key-file
+ option, e.g. like this:
+
+ cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
+
+
+
+ * 2.11 How do I read the LUKS master key from file?
+
+ The question you should ask yourself first is why you would want to
+ do this. The only legitimate reason I can think of is if you want to
+ have two LUKS devices with the same master key. Even then, I think
+ it would be preferable to just use key-slots with the same
+ passphrase, or to use plain dm-crypt instead. If you really have a
+ good reason, please tell me. If I am convinced, I will add how to do
+ this here.
+
+
+ * 2.12 What are the security requirements for a key read from file?
+
+ A file-stored key or passphrase has the same security requirements as
+ one entered interactively, however you can use random bytes and
+ thereby use bytes you cannot type on the keyboard. You can use any
+ file you like as key file, for example a plain text file with a human
+ readable passphrase. To generate a file with random bytes, use
+ something like this:
+
+ head -c 256 /dev/random > keyfile
+
+
+
+ * 2.13 If I map a journaled file system using dm-crypt/LUKS, does
+ it still provide its usual transactional guarantees?
+
+ Yes, it does, unless a very old kernel is used. The required flags
+ come from the filesystem layer and are processed and passed onwards
+ by dm-crypt. A bit more information on the process by which
+ transactional guarantees are implemented can be found here:
+
+ http://lwn.net/Articles/400541/
+
+ Please note that these "guarantees" are weaker than they appear to
+ be. One problem is that quite a few disks lie to the OS about having
+ flushed their buffers. Some other things can go wrong as well. The
+ filesystem developers are aware of these problems and typically can
+ make it work anyways. That said, dm-crypt/LUKS will not make things
+ worse.
+
+ One specific problem you can run into though is that you can get
+ short freezes and other slowdowns due to the encryption layer.
+ Encryption takes time and forced flushes will block for that time.
+ For example, I did run into frequent small freezes (1-2 sec) when
+ putting a vmware image on ext3 over dm-crypt. When I went back to
+ ext2, the problem went away. This seems to have gotten better with
+ kernel 2.6.36 and the reworking of filesystem flush locking mechanism
+ (less blocking of CPU activity during flushes). It should improve
+ further and eventually the problem should go away.
+
+
+ * 2.14 Can I use LUKS or cryptsetup with a more secure (external)
+ medium for key storage, e.g. TPM or a smartcard?
+
+ Yes, see the answers on using a file-supplied key. You do have to
+ write the glue-logic yourself though. Basically you can have
+ cryptsetup read the key from STDIN and write it there with your own
+ tool that in turn gets the key from the more secure key storage.
+
+ For TPM support, you may want to have a look at tpm-luks at
+ https://github.com/shpedoikal/tpm-luks. Note that tpm-luks is not
+ related to the cryptsetup project.
+
+
+ * 2.15 Can I resize a dm-crypt or LUKS partition?
+
+ Yes, you can, as neither dm-crypt nor LUKS stores partition size.
+ Whether you should is a different question. Personally I recommend
+ backup, recreation of the encrypted partition with new size,
+ recreation of the filesystem and restore. This gets around the
+ tricky business of resizing the filesystem. Resizing a dm-crypt or
+ LUKS container does not resize the filesystem in it. The backup is
+ really non-optional here, as a lot can go wrong, resulting in partial
+ or complete data loss. Using something like gparted to resize an
+ encrypted partition is slow, but typically works. This will not
+ change the size of the filesystem hidden under the encryption though.
+
+ You also need to be aware of size-based limitations. The one
+ currently relevant is that aes-xts-plain should not be used for
+ encrypted container sizes larger than 2TiB. Use aes-xts-plain64 for
+ that.
+
+
+ * 2.16 How do I Benchmark the Ciphers, Hashes and Modes?
+
+ Since version 1.60 cryptsetup supports the "benchmark" command.
+ Simply run as root:
+
+ cryptsetup benchmark
+
+ It will output first iterations/second for the key-derivation
+ function PBKDF2 parameterized with different hash-functions, and then
+ the raw encryption speed of ciphers with different modes and
+ key-sizes. You can get more than the default benchmarks, see the
+ man-page for the relevant parameters. Note that XTS mode takes two
+ keys, hence the listed key sizes are double that for other modes and
+ half of it is the cipher key, the other half is the XTS key.
+
+
+ * 2.17 How do I Verify I have an Authentic cryptsetup Source Package?
+
+ Current maintainer is Milan Broz and he signs the release packages
+ with his PGP key. The key he currently uses is the "RSA key ID
+ D93E98FC", fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E
+ 98FC. While I have every confidence this really is his key and that
+ he is who he claims to be, don't depend on it if your life is at
+ stake. For that matter, if your life is at stake, don't depend on me
+ being who I claim to be either.
+
+ That said, as cryptsetup is under good version control, a malicious
+ change should be noticed sooner or later, but it may take a while.
+ Also, the attacker model makes compromising the sources in a
+ non-obvious way pretty hard. Sure, you could put the master-key
+ somewhere on disk, but that is rather obvious as soon as somebody
+ looks as there would be data in an empty LUKS container in a place it
+ should not be. Doing this in a more nefarious way, for example
+ hiding the master-key in the salts, would need a look at the sources
+ to be discovered, but I think that somebody would find that sooner or
+ later as well.
+
+ That said, this discussion is really a lot more complicated and
+ longer as an FAQ can sustain. If in doubt, ask on the mailing list.
+
+
+ * 2.18 Is there a concern with 4k Sectors?
+
+ Not from dm-crypt itself. Encryption will be done in 512B blocks, but
+ if the partition and filesystem are aligned correctly and the
+ filesystem uses multiples of 4kiB as block size, the dm-crypt layer
+ will just process 8 x 512B = 4096B at a time with negligible
+ overhead. LUKS does place data at an offset, which is 2MiB per
+ default and will not break alignment. See also Item 6.12 of this FAQ
+ for more details. Note that if your partition or filesystem is
+ misaligned, dm-crypt can make the effect worse though.
+
+
+ * 2.19 How can I wipe a device with crypto-grade randomness?
+
+ The conventional recommendation if you want to not just do a
+ zero-wipe is to use something like
+
+ cat /dev/urandom > <taget-device>
+
+ That is very slow and painful at 10-20MB/s on a fast computer.
+ Using cryptsetup and a plain dm-crypt device with a random key,
+ it is much faster and gives you the same level of security. The
+ defaults are quite enough.
+
+ For device set-up, do the following:
+
+ cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped
+
+ This maps the container as plain under /dev/mapper/to_be_wiped with a
+ random password. For the actual wipe you have several options.
+ Simple wipe without progress-indicator:
+
+ cat /dev/zero > /dev/mapper/to_be_wiped
+
+ Progress-indicator by dd_rescue:
+
+ dd_rescue -w /dev/zero /dev/mapper/to_be_wiped
+
+ Progress-indicator by my "wcs" stream meter (available from
+ http://www.tansi.org/tools/index.html ):
+
+ cat /dev/zero | wcs > /dev/mapper/to_be_wiped
+
+
+ Remove the mapping at the end and you are done.
+
+ * 2.20 How to I wipe only the LUKS header?
+
+ This is not the emergency wipe procedure. That is in Item 5.4. This procedure
+ is intended to be used when the data should stay intact, e.g. when you change
+ your LUKS container to use a detached header and want to remove the old one.
+
+ Most safe way is this (backup is still a good idea):
+
+ 01) Determine header size in 512 Byte sectors with "luksDump":
+
+ cryptsetup luksDump <device with LUKS container>
+
+-> ...
+ Payload offset: <number>
+ ...
+
+ 02) Take the result number and write number * 512 zeros to the start of the
+ device, e.g. like this:
+
+ dd bs=512 count=<number> if=/dev/zero of=<device>
+
+ That is it.
+
+
+3. Common Problems
+
+
+ * 3.1 My dm-crypt/LUKS mapping does not work! What general steps
+ are there to investigate the problem?
+
+ If you get a specific error message, investigate what it claims
+ first. If not, you may want to check the following things.
+
+ - Check that "/dev", including "/dev/mapper/control" is there. If it
+ is missing, you may have a problem with the "/dev" tree itself or you
+ may have broken udev rules.
+
+ - Check that you have the device mapper and the crypt target in your
+ kernel. The output of "dmsetup targets" should list a "crypt"
+ target. If it is not there or the command fails, add device mapper
+ and crypt-target to the kernel.
+
+ - Check that the hash-functions and ciphers you want to use are in
+ the kernel. The output of "cat /proc/crypto" needs to list them.
+
+
+ * 3.2 My dm-crypt mapping suddenly stopped when upgrading cryptsetup.
+
+ The default cipher, hash or mode may have changed (the mode changed
+ from 1.0.x to 1.1.x). See under "Issues With Specific Versions of
+ cryptsetup".
+
+
+ * 3.3 When I call cryptsetup from cron/CGI, I get errors about
+ unknown features?
+
+ If you get errors about unknown parameters or the like that are not
+ present when cryptsetup is called from the shell, make sure you have
+ no older version of cryptsetup on your system that then gets called
+ by cron/CGI. For example some distributions install cryptsetup into
+ /usr/sbin, while a manual install could go to /usr/local/sbin. As a
+ debugging aid, call "cryptsetup --version" from cron/CGI or the
+ non-shell mechanism to be sure the right version gets called.
+
+
+ * 3.4 Unlocking a LUKS device takes very long. Why?
+
+ The iteration time for a key-slot (see Section 5 for an explanation
+ what iteration does) is calculated when setting a passphrase. By
+ default it is 1 second on the machine where the passphrase is set.
+ If you set a passphrase on a fast machine and then unlock it on a
+ slow machine, the unlocking time can be much longer. Also take into
+ account that up to 8 key-slots have to be tried in order to find the
+ right one.
+
+ If this is problem, you can add another key-slot using the slow
+ machine with the same passphrase and then remove the old key-slot.
+ The new key-slot will have an iteration count adjusted to 1 second on
+ the slow machine. Use luksKeyAdd and then luksKillSlot or
+ luksRemoveKey.
+
+ However, this operation will not change volume key iteration count
+ (MK iterations in output of "cryptsetup luksDump"). In order to
+ change that, you will have to backup the data in the LUKS container
+ (i.e. your encrypted data), luksFormat on the slow machine and
+ restore the data. Note that in the original LUKS specification this
+ value was fixed to 10, but it is now derived from the PBKDF2
+ benchmark as well and set to iterations in 0.125 sec or 1000,
+ whichever is larger. Also note that MK iterations are not very
+ security relevant. But as each key-slot already takes 1 second,
+ spending the additional 0.125 seconds really does not matter.
+
+ * 3.5 "blkid" sees a LUKS UUID and an ext2/swap UUID on the same
+ device. What is wrong?
+
+ Some old versions of cryptsetup have a bug where the header does not
+ get completely wiped during LUKS format and an older ext2/swap
+ signature remains on the device. This confuses blkid.
+
+ Fix: Wipe the unused header areas by doing a backup and restore of
+ the header with cryptsetup 1.1.x:
+
+ cryptsetup luksHeaderBackup --header-backup-file <file> <device>
+ cryptsetup luksHeaderRestore --header-backup-file <file> <device>
+
+
+
+ * 3.6 cryptsetup segfaults on Gentoo amd64 hardened ...
+
+ There seems to be some interference between the hardening and and the
+ way cryptsetup benchmarks PBKDF2. The solution to this is currently
+ not quite clear for an encrypted root filesystem. For other uses,
+ you can apparently specify USE="dynamic" as compile flag, see
+ http://bugs.gentoo.org/show_bug.cgi?id=283470
+
+
+4. Troubleshooting
+
+
+ * 4.1 I get the error "LUKS keyslot x is invalid." What does that mean?
+
+ This means that the given keyslot has an offset that points outside
+ the valid keyslot area. Typically, the reason is a corrupted LUKS
+ header because something was written to the start of the device the
+ LUKS container is on. Refer to Section "Backup and Data Recovery"
+ and ask on the mailing list if you have trouble diagnosing and (if
+ still possible) repairing this.
+
+
+ * 4.2 I cannot unlock my LUKS container! What could be the problem?
+
+ First, make sure you have a correct passphrase. Then make sure you
+ have the correct key-map and correct keyboard. And then make sure
+ you have the correct character set and encoding, see also "PASSPHRASE
+ CHARACTER SET" under Section 1.2.
+
+ If you are sure you are entering the passphrase right, there is the
+ possibility that the respective key-slot has been damaged. There is
+ no way to recover a damaged key-slot, except from a header backup
+ (see Section 6). For security reasons, there is also no checksum in
+ the key-slots that could tell you whether a key-slot has been
+ damaged. The only checksum present allows recognition of a correct
+ passphrase, but that only works if the passphrase is correct and the
+ respective key-slot is intact.
+
+ In order to find out whether a key-slot is damaged one has to look
+ for "non-random looking" data in it. There is a tool that
+ automatizes this in the cryptsetup distribution from version 1.6.0
+ onwards. It is located in misc/keyslot_checker/. Instructions how
+ to use and how to interpret results are in the README file. Note
+ that this tool requires a libcryptsetup from cryptsetup 1.6.0 or
+ later (which means libcryptsetup.so.4.5.0 or later). If the tool
+ complains about missing functions in libcryptsetup, you likely have
+ an earlier version from your distribution still installed. You can
+ either point the symbolic link(s) from libcryptsetup.so.4 to the new
+ version manually, or you can uninstall the distribution version of
+ cryptsetup and re-install that from cryptsetup >= 1.6.0 again to fix
+ this.
+
+
+ * 4.3 Can a bad RAM module cause problems?
+
+ LUKS and dm-crypt can give the RAM quite a workout, especially when
+ combined with software RAID. In particular the combination RAID5 +
+ LUKS + XFS seems to uncover RAM problems that never caused obvious
+ problems before. Symptoms vary, but often the problem manifest
+ itself when copying large amounts of data, typically several times
+ larger than your main memory.
+
+ Side note: One thing you should always do on large data
+ copy/movements is to run a verify, for example with the "-d" option
+ of "tar" or by doing a set of MD5 checksums on the source or target
+ with
+
+ find . -type f -exec md5sum \{\} \; > checksum-file
+
+ and then a "md5sum -c checksum-file" on the other side. If you get
+ mismatches here, RAM is the primary suspect. A lesser suspect is an
+ overclocked CPU. I have found countless hardware problems in verify
+ runs after copying or making backups. Bit errors are much more
+ common than most people think.
+
+ Some RAM issues are even worse and corrupt structures in one of the
+ layers. This typically results in lockups, CPU state dumps in the
+ system logs, kernel panic or other things. It is quite possible to
+ have the problem with an encrypted device, but not with an otherwise
+ the same unencrypted device. The reason for that is that encryption
+ has an error amplification property: You flip one bit in an encrypted
+ data block, and the decrypted version has half of its bits flipped.
+ This is an important security property for modern ciphers. With the
+ usual modes in cryptsetup (CBC, ESSIV, XTS), you get up to a
+ completely changed 512 byte block per bit error. A corrupt block
+ causes a lot more havoc than the occasionally flipped single bit and
+ can result in various obscure errors.
+
+ Note that a verify run on copying between encrypted or unencrypted
+ devices will reliably detect corruption, even when the copying itself
+ did not report any problems. If you find defect RAM, assume all
+ backups and copied data to be suspect, unless you did a verify.
+
+
+ * 4.4 How do I test RAM?
+
+ First you should know that overclocking often makes memory problems
+ worse. So if you overclock (which I strongly recommend against in a
+ system holding data that has some worth), run the tests with the
+ overclocking active.
+
+ There are two good options. One is Memtest86+ and the other is
+ "memtester" by Charles Cazabon. Memtest86+ requires a reboot and
+ then takes over the machine, while memtester runs from a root-shell.
+ Both use different testing methods and I have found problems fast
+ with each one that the other needed long to find. I recommend
+ running the following procedure until the first error is found:
+
+ - Run Memtest86+ for one cycle
+
+ - Run memtester for one cycle (shut down as many other applications
+ as possible)
+
+ - Run Memtest86+ for 24h or more
+
+ - Run memtester for 24h or more
+
+ If all that does not produce error messages, your RAM may be sound,
+ but I have had one weak bit that Memtest86+ needed around 60 hours to
+ find. If you can reproduce the original problem reliably, a good
+ additional test may be to remove half of the RAM (if you have more
+ than one module) and try whether the problem is still there and if
+ so, try with the other half. If you just have one module, get a
+ different one and try with that. If you do overclocking, reduce the
+ settings to the most conservative ones available and try with that.
+
+
+ * 4.5 Is there a risk using debugging tools like strace?
+
+ There most definitely is. An dump from strace and friends can contain
+ all data entered, including the full passphrase. Example with strace
+ and passphrase "test":
+
+ > strace cryptsetup luksOpen /dev/sda10 c1
+ ...
+ read(6, "test\n", 512) = 5
+ ...
+
+ Depending on different factors and the tool used, the passphrase may
+ also be encoded and not plainly visible. Hence it is never a good
+ idea to give such a trace from a live container to anybody. Recreate
+ the problem with a test container or set a temporary passphrase like
+ "test" and use that for the trace generation. Item 2.6 explains how
+ to create a loop-file backed LUKS container that may come in handy
+ for this purpose.
+
+ See also Item 6.10 for another set of data you should not give to
+ others.
+
+
+5. Security Aspects
+
+
+ * 5.1 How long is a secure passphrase ?
+
+ This is just the short answer. For more info and explanation of some
+ of the terms used in this item, read the rest of Section 5. The
+ actual recommendation is at the end of this item.
+
+ First, passphrase length is not really the right measure, passphrase
+ entropy is. For example, a random lowercase letter (a-z) gives you
+ 4.7 bit of entropy, one element of a-z0-9 gives you 5.2 bits of
+ entropy, an element of a-zA-Z0-9 gives you 5.9 bits and
+ a-zA-Z0-9!@#$%\^&:-+ gives you 6.2 bits. On the other hand, a random
+ English word only gives you 0.6...1.3 bits of entropy per character.
+ Using sentences that make sense gives lower entropy, series of random
+ words gives higher entropy. Do not use sentences that can be tied to
+ you or found on your computer. This type of attack is done routinely
+ today.
+
+ That said, it does not matter too much what scheme you use, but it
+ does matter how much entropy your passphrase contains, because an
+ attacker has to try on average
+
+ 1/2 * 2^(bits of entropy in passphrase)
+
+ different passphrases to guess correctly.
+
+ Historically, estimations tended to use computing time estimates, but
+ more modern approaches try to estimate cost of guessing a passphrase.
+
+ As an example, I will try to get an estimate from the numbers in
+ http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes
+ More references can be found a the end of this document. Note that
+ these are estimates from the defender side, so assuming something is
+ easier than it actually is is fine. An attacker may still have
+ vastly higher cost than estimated here.
+
+ LUKS uses SHA1 for hashing per default. The claim in the reference is
+ 63 billion tries/second for SHA1. We will leave aside the check
+ whether a try actually decrypts a key-slot. Now, the machine has 25
+ GPUs, which I will estimate at an overall lifetime cost of USD/EUR
+ 1000 each, and an useful lifetime of 2 years. (This is on the low
+ side.) Disregarding downtime, the machine can then break
+
+ N = 63*10^9 * 3600 * 24 * 365 * 2 ~ 4*10^18
+
+ passphrases for EUR/USD 25k. That is one 62 bit passphrase hashed
+ once with SHA1 for EUR/USD 25k. Note that as this can be
+ parallelized, it can be done faster than 2 years with several of
+ these machines.
+
+ For plain dm-crypt (no hash iteration) this is it. This gives (with
+ SHA1, plain dm-crypt default is ripemd160 which seems to be slightly
+ slower than SHA1):
+
+ Passphrase entropy Cost to break
+ 60 bit EUR/USD 6k
+ 65 bit EUR/USD 200K
+ 70 bit EUR/USD 6M
+ 75 bit EUR/USD 200M
+ 80 bit EUR/USD 6B
+ 85 bit EUR/USD 200B
+ ... ...
+
+
+ For LUKS, you have to take into account hash iteration in PBKDF2.
+ For a current CPU, there are about 100k iterations (as can be queried
+ with ''cryptsetup luksDump''.
+
+ The table above then becomes:
+
+ Passphrase entropy Cost to break
+ 50 bit EUR/USD 600k
+ 55 bit EUR/USD 20M
+ 60 bit EUR/USD 600M
+ 65 bit EUR/USD 20B
+ 70 bit EUR/USD 600B
+ 75 bit EUR/USD 20T
+ ... ...
+
+
+ Recommendation:
+
+ To get reasonable security for the next 10 years, it is a good idea
+ to overestimate by a factor of at least 1000.
+
+ Then there is the question of how much the attacker is willing to
+ spend. That is up to your own security evaluation. For general use,
+ I will assume the attacker is willing to spend up to 1 million
+ EUR/USD. Then we get the following recommendations:
+
+ Plain dm-crypt: Use > 80 bit. That is e.g. 17 random chars from a-z
+ or a random English sentence of > 135 characters length.
+
+ LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random
+ English sentence of > 108 characters length.
+
+ If paranoid, add at least 20 bit. That is roughly four additional
+ characters for random passphrases and roughly 32 characters for a
+ random English sentence.
+
+
+ * 5.2 Is LUKS insecure? Everybody can see I have encrypted data!
+
+ In practice it does not really matter. In most civilized countries
+ you can just refuse to hand over the keys, no harm done. In some
+ countries they can force you to hand over the keys, if they suspect
+ encryption. However the suspicion is enough, they do not have to
+ prove anything. This is for practical reasons, as even the presence
+ of a header (like the LUKS header) is not enough to prove that you
+ have any keys. It might have been an experiment, for example. Or it
+ was used as encrypted swap with a key from /dev/random. So they make
+ you prove you do not have encrypted data. Of course that is just as
+ impossible as the other way round.
+
+ This means that if you have a large set of random-looking data, they
+ can already lock you up. Hidden containers (encryption hidden within
+ encryption), as possible with Truecrypt, do not help either. They
+ will just assume the hidden container is there and unless you hand
+ over the key, you will stay locked up. Don't have a hidden
+ container? Though luck. Anybody could claim that.
+
+ Still, if you are concerned about the LUKS header, use plain dm-crypt
+ with a good passphrase. See also Section 2, "What is the difference
+ between "plain" and LUKS format?"
+
+
+ * 5.3 Should I initialize (overwrite) a new LUKS/dm-crypt partition?
+
+ If you just create a filesystem on it, most of the old data will
+ still be there. If the old data is sensitive, you should overwrite
+ it before encrypting. In any case, not initializing will leave the
+ old data there until the specific sector gets written. That may
+ enable an attacker to determine how much and where on the partition
+ data was written. If you think this is a risk, you can prevent this
+ by overwriting the encrypted device (here assumed to be named "e1")
+ with zeros like this:
+
+ dd_rescue -w /dev/zero /dev/mapper/e1
+
+ or alternatively with one of the following more standard commands:
+
+ cat /dev/zero > /dev/mapper/e1
+ dd if=/dev/zero of=/dev/mapper/e1
+
+
+
+ * 5.4 How do I securely erase a LUKS (or other) partition?
+
+ For LUKS, if you are in a desperate hurry, overwrite the LUKS header
+ and key-slot area. This means overwriting the first (keyslots x
+ stripes x keysize) + offset bytes. For the default parameters, this
+ is the 1'052'672 bytes, i.e. 1MiB + 4096 of the LUKS partition. For
+ 512 bit key length (e.g. for aes-xts-plain with 512 bit key) this is
+ 2MiB. (The different offset stems from differences in the sector
+ alignment of the key-slots.) If in doubt, just be generous and
+ overwrite the first 10MB or so, it will likely still be fast enough.
+ A single overwrite with zeros should be enough. If you anticipate
+ being in a desperate hurry, prepare the command beforehand. Example
+ with /dev/sde1 as the LUKS partition and default parameters:
+
+ head -c 1052672 /dev/zero > /dev/sde1; sync
+
+ A LUKS header backup or full backup will still grant access to most
+ or all data, so make sure that an attacker does not have access to
+ backups or destroy them as well.
+
+ If you have time, overwrite the whole LUKS partition with a single
+ pass of zeros. This is enough for current HDDs. For SSDs or FLASH
+ (USB sticks) you may want to overwrite the whole drive several times
+ to be sure data is not retained by wear leveling. This is possibly
+ still insecure as SSD technology is not fully understood in this
+ regard. Still, due to the anti-forensic properties of the LUKS
+ key-slots, a single overwrite of an SSD or FLASH drive could be
+ enough. If in doubt, use physical destruction in addition. Here is
+ a link to some current research results on erasing SSDs and FLASH
+ drives: http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
+
+ Keep in mind to also erase all backups.
+
+ Example for a zero-overwrite erase of partition sde1 done with
+ dd_rescue:
+
+ dd_rescue -w /dev/zero /dev/sde1
+
+
+
+ * 5.5 How do I securely erase a backup of a LUKS partition or header?
+
+ That depends on the medium it is stored on. For HDD and SSD, use
+ overwrite with zeros. For an SSD or FLASH drive (USB stick), you may
+ want to overwrite the complete SSD several times and use physical
+ destruction in addition, see last item. For re-writable CD/DVD, a
+ single overwrite should also be enough, due to the anti-forensic
+ properties of the LUKS keyslots. For write-once media, use physical
+ destruction. For low security requirements, just cut the CD/DVD into
+ several parts. For high security needs, shred or burn the medium.
+ If your backup is on magnetic tape, I advise physical destruction by
+ shredding or burning, after overwriting . The problem with magnetic
+ tape is that it has a higher dynamic range than HDDs and older data
+ may well be recoverable after overwrites. Also write-head alignment
+ issues can lead to data not actually being deleted at all during
+ overwrites.
+
+
+ * 5.6 What about backup? Does it compromise security?
+
+ That depends. See item 6.7.
+
+
+ * 5.7 Why is all my data permanently gone if I overwrite the LUKS header?
+
+ Overwriting the LUKS header in part or in full is the most common
+ reason why access to LUKS containers is lost permanently.
+ Overwriting can be done in a number of fashions, like creating a new
+ filesystem on the raw LUKS partition, making the raw partition part
+ of a raid array and just writing to the raw partition.
+
+ The LUKS header contains a 256 bit "salt" per key-slot and without
+ that no decryption is possible. While the salts are not secret, they
+ are key-grade material and cannot be reconstructed. This is a
+ cryptographically strong "cannot". From observations on the
+ cryptsetup mailing-list, people typically go though the usual stages
+ of grief (Denial, Anger, Bargaining, Depression, Acceptance) when
+ this happens to them. Observed times vary between 1 day and 2 weeks
+ to complete the cycle. Seeking help on the mailing-list is fine.
+ Even if we usually cannot help with getting back your data, most
+ people found the feedback comforting.
+
+ If your header does not contain an intact key-slot salt, best go
+ directly to the last stage ("Acceptance") and think about what to do
+ now. There is one exception that I know of: If your LUKS container
+ is still open, then it may be possible to extract the master key from
+ the running system. See Item "How do I recover the master key from a
+ mapped LUKS container?" in Section "Backup and Data Recovery".
+
+
+ * 5.8 What is a "salt"?
+
+ A salt is a random key-grade value added to the passphrase before it
+ is processed. It is not kept secret. The reason for using salts is
+ as follows: If an attacker wants to crack the password for a single
+ LUKS container, then every possible passphrase has to be tried.
+ Typically an attacker will not try every binary value, but will try
+ words and sentences from a dictionary.
+
+ If an attacker wants to attack several LUKS containers with the same
+ dictionary, then a different approach makes sense: Compute the
+ resulting slot-key for each dictionary element and store it on disk.
+ Then the test for each entry is just the slow unlocking with the slot
+ key (say 0.00001 sec) instead of calculating the slot-key first (1
+ sec). For a single attack, this does not help. But if you have more
+ than one container to attack, this helps tremendously, also because
+ you can prepare your table before you even have the container to
+ attack! The calculation is also very simple to parallelize. You
+ could, for example, use the night-time unused CPU power of your
+ desktop PCs for this.
+
+ This is where the salt comes in. If the salt is combined with the
+ passphrase (in the simplest form, just appended to it), you suddenly
+ need a separate table for each salt value. With a reasonably-sized
+ salt value (256 bit, e.g.) this is quite infeasible.
+
+
+ * 5.9 Is LUKS secure with a low-entropy (bad) passphrase?
+
+ Note: You should only use the 94 printable characters from 7 bit
+ ASCII code to prevent your passphrase from failing when the character
+ encoding changes, e.g. because of a system upgrade, see also the
+ note at the very start of this FAQ under "WARNINGS".
+
+ This needs a bit of theory. The quality of your passphrase is
+ directly related to its entropy (information theoretic, not
+ thermodynamic). The entropy says how many bits of "uncertainty" or
+ "randomness" are in you passphrase. In other words, that is how
+ difficult guessing the passphrase is.
+
+ Example: A random English sentence has about 1 bit of entropy per
+ character. A random lowercase (or uppercase) character has about 4.7
+ bit of entropy.
+
+ Now, if n is the number of bits of entropy in your passphrase and t
+ is the time it takes to process a passphrase in order to open the
+ LUKS container, then an attacker has to spend at maximum
+
+ attack_time_max = 2^n * t
+
+ time for a successful attack and on average half that. There is no
+ way getting around that relationship. However, there is one thing
+ that does help, namely increasing t, the time it takes to use a
+ passphrase, see next FAQ item.
+
+ Still, if you want good security, a high-entropy passphrase is the
+ only option. For example, a low-entropy passphrase can never be
+ considered secure against a TLA-level (Three Letter Agency level,
+ i.e. government-level) attacker, no matter what tricks are used in
+ the key-derivation function. Use at least 64 bits for secret stuff.
+ That is 64 characters of English text (but only if randomly chosen)
+ or a combination of 12 truly random letters and digits.
+
+ For passphrase generation, do not use lines from very well-known
+ texts (religious texts, Harry potter, etc.) as they are to easy to
+ guess. For example, the total Harry Potter has about 1'500'000 words
+ (my estimation). Trying every 64 character sequence starting and
+ ending at a word boundary would take only something like 20 days on a
+ single CPU and is entirely feasible. To put that into perspective,
+ using a number of Amazon EC2 High-CPU Extra Large instances (each
+ gives about 8 real cores), this test costs currently about 50USD/EUR,
+ but can be made to run arbitrarily fast.
+
+ On the other hand, choosing 1.5 lines from, say, the Wheel of Time
+ is in itself not more secure, but the book selection adds quite
+ a bit of entropy. (Now that I have mentioned it here, don't use
+ tWoT either!) If you add 2 or 3 typos or switch some words around,
+ then this is good passphrase material.
+
+
+ * 5.10 What is "iteration count" and why is decreasing it a bad idea?
+
+ Iteration count is the number of PBKDF2 iterations a passphrase is
+ put through before it is used to unlock a key-slot. Iterations are
+ done with the explicit purpose to increase the time that it takes to
+ unlock a key-slot. This provides some protection against use of
+ low-entropy passphrases.
+
+ The idea is that an attacker has to try all possible passphrases.
+ Even if the attacker knows the passphrase is low-entropy (see last
+ item), it is possible to make each individual try take longer. The
+ way to do this is to repeatedly hash the passphrase for a certain
+ time. The attacker then has to spend the same time (given the same
+ computing power) as the user per try. With LUKS, the default is 1
+ second of PBKDF2 hashing.
+
+ Example 1: Lets assume we have a really bad passphrase (e.g. a
+ girlfriends name) with 10 bits of entropy. With the same CPU, an
+ attacker would need to spend around 500 seconds on average to break
+ that passphrase. Without iteration, it would be more like 0.0001
+ seconds on a modern CPU.
+
+ Example 2: The user did a bit better and has 32 chars of English
+ text. That would be about 32 bits of entropy. With 1 second
+ iteration, that means an attacker on the same CPU needs around 136
+ years. That is pretty impressive for such a weak passphrase.
+ Without the iterations, it would be more like 50 days on a modern
+ CPU, and possibly far less.
+
+ In addition, the attacker can both parallelize and use special
+ hardware like GPUs or FPGAs to speed up the attack. The attack can
+ also happen quite some time after the luksFormat operation and CPUs
+ can have become faster and cheaper. For that reason you want a bit
+ of extra security. Anyways, in Example 1 your are screwed. In
+ example 2, not necessarily. Even if the attack is faster, it still
+ has a certain cost associated with it, say 10000 EUR/USD with
+ iteration and 1 EUR/USD without iteration. The first can be
+ prohibitively expensive, while the second is something you try even
+ without solid proof that the decryption will yield something useful.
+
+ The numbers above are mostly made up, but show the idea. Of course
+ the best thing is to have a high-entropy passphrase.
+
+ Would a 100 sec iteration time be even better? Yes and no.
+ Cryptographically it would be a lot better, namely 100 times better.
+ However, usability is a very important factor for security technology
+ and one that gets overlooked surprisingly often. For LUKS, if you
+ have to wait 2 minutes to unlock the LUKS container, most people will
+ not bother and use less secure storage instead. It is better to have
+ less protection against low-entropy passphrases and people actually
+ use LUKS, than having them do without encryption altogether.
+
+ Now, what about decreasing the iteration time? This is generally a
+ very bad idea, unless you know and can enforce that the users only
+ use high-entropy passphrases. If you decrease the iteration time
+ without ensuring that, then you put your users at increased risk, and
+ considering how rarely LUKS containers are unlocked in a typical
+ work-flow, you do so without a good reason. Don't do it. The
+ iteration time is already low enough that users with entropy low
+ passphrases are vulnerable. Lowering it even further increases this
+ danger significantly.
+
+
+ * 5.11 Some people say PBKDF2 is insecure?
+
+ There is some discussion that a hash-function should have a "large
+ memory" property, i.e. that it should require a lot of memory to be
+ computed. This serves to prevent attacks using special programmable
+ circuits, like FPGAs, and attacks using graphics cards. PBKDF2 does
+ not need a lot of memory and is vulnerable to these attacks.
+ However, the publication usually referred in these discussions is not
+ very convincing in proving that the presented hash really is "large
+ memory" (that may change, email the FAQ maintainer when it does) and
+ it is of limited usefulness anyways. Attackers that use clusters of
+ normal PCs will not be affected at all by a "large memory" property.
+ For example the US Secret Service is known to use the off-hour time
+ of all the office PCs of the Treasury for password breaking. The
+ Treasury has about 110'000 employees. Assuming every one has an
+ office PC, that is significant computing power, all of it with plenty
+ of memory for computing "large memory" hashes. Bot-net operators
+ also have all the memory they want. The only protection against a
+ resourceful attacker is a high-entropy passphrase, see items 5.9 and
+ 5.10.
+
+
+ * 5.12 What about iteration count with plain dm-crypt?
+
+ Simple: There is none. There is also no salting. If you use plain
+ dm-crypt, the only way to be secure is to use a high entropy
+ passphrase. If in doubt, use LUKS instead.
+
+
+ * 5.13 Is LUKS with default parameters less secure on a slow CPU?
+
+ Unfortunately, yes. However the only aspect affected is the
+ protection for low-entropy passphrase or master-key. All other
+ security aspects are independent of CPU speed.
+
+ The master key is less critical, as you really have to work at it to
+ give it low entropy. One possibility is to supply the master key
+ yourself. If that key is low-entropy, then you get what you deserve.
+ The other known possibility is to use /dev/urandom for key generation
+ in an entropy-starved situation (e.g. automatic installation on an
+ embedded device without network and other entropy sources).
+
+ For the passphrase, don't use a low-entropy passphrase. If your
+ passphrase is good, then a slow CPU will not matter. If you insist
+ on a low-entropy passphrase on a slow CPU, use something like
+ "--iter-time=10000" or higher and wait a long time on each LUKS
+ unlock and pray that the attacker does not find out in which way
+ exactly your passphrase is low entropy. This also applies to
+ low-entropy passphrases on fast CPUs. Technology can do only so much
+ to compensate for problems in front of the keyboard.
+
+ Also note that power-saving modes will make your CPU slower. This
+ will reduce iteration count on LUKS container creation. It will keep
+ unlock times at the expected values though at this CPU speed.
+
+
+ * 5.14 Why was the default aes-cbc-plain replaced with aes-cbc-essiv?
+
+ Note: This item applies both to plain dm-crypt and to LUKS
+
+ The problem is that cbc-plain has a fingerprint vulnerability, where
+ a specially crafted file placed into the crypto-container can be
+ recognized from the outside. The issue here is that for cbc-plain
+ the initialization vector (IV) is the sector number. The IV gets
+ XORed to the first data chunk of the sector to be encrypted. If you
+ make sure that the first data block to be stored in a sector contains
+ the sector number as well, the first data block to be encrypted is
+ all zeros and always encrypted to the same ciphertext. This also
+ works if the first data chunk just has a constant XOR with the sector
+ number. By having several shifted patterns you can take care of the
+ case of a non-power-of-two start sector number of the file.
+
+ This mechanism allows you to create a pattern of sectors that have
+ the same first ciphertext block and signal one bit per sector to the
+ outside, allowing you to e.g. mark media files that way for
+ recognition without decryption. For large files this is a practical
+ attack. For small ones, you do not have enough blocks to signal and
+ take care of different file starting offsets.
+
+ In order to prevent this attack, the default was changed to
+ cbc-essiv. ESSIV uses a keyed hash of the sector number, with the
+ encryption key as key. This makes the IV unpredictable without
+ knowing the encryption key and the watermarking attack fails.
+
+
+ * 5.15 Are there any problems with "plain" IV? What is "plain64"?
+
+ First, "plain" and "plain64" are both not secure to use with CBC,
+ see previous FAQ item.
+
+ However there are modes, like XTS, that are secure with "plain" IV.
+ The next limit is that "plain" is 64 bit, with the upper 32 bit set
+ to zero. This means that on volumes larger than 2TiB, the IV
+ repeats, creating a vulnerability that potentially leaks some data.
+ To avoid this, use "plain64", which uses the full sector number up to
+ 64 bit. Note that "plain64" requires a kernel 2.6.33 or more recent.
+ Also note that "plain64" is backwards compatible for volume sizes of
+ maximum size 2TiB, but not for those > 2TiB. Finally, "plain64" does
+ not cause any performance penalty compared to "plain".
+
+
+ * 5.16 What about XTS mode?
+
+ XTS mode is potentially even more secure than cbc-essiv (but only if
+ cbc-essiv is insecure in your scenario). It is a NIST standard and
+ used, e.g. in Truecrypt. From version 1.6.0 of cryptsetup onwards,
+ aes-xts-plain64 is the default for LUKS. If you want to use it with
+ a cryptsetup before version 1.6.0 or with plain dm-crypt, you have to
+ specify it manually as "aes-xts-plain", i.e.
+
+ cryptsetup -c aes-xts-plain luksFormat <device>
+
+ For volumes >2TiB and kernels >= 2.6.33 use "plain64" (see FAQ item
+ on "plain" and "plain64"):
+
+ cryptsetup -c aes-xts-plain64 luksFormat <device>
+
+ There is a potential security issue with XTS mode and large blocks.
+ LUKS and dm-crypt always use 512B blocks and the issue does not
+ apply.
+
+
+ * 5.17 Is LUKS FIPS-140-2 certified?
+
+ No. But that is more a problem of FIPS-140-2 than of LUKS. From a
+ technical point-of-view, LUKS with the right parameters would be
+ FIPS-140-2 compliant, but in order to make it certified, somebody has
+ to pay real money for that. And then, whenever cryptsetup is changed
+ or extended, the certification lapses and has to be obtained again.
+
+ From the aspect of actual security, LUKS with default parameters
+ should be as good as most things that are FIPS-140-2 certified,
+ although you may want to make sure to use /dev/random (by specifying
+ --use-random on luksFormat) as randomness source for the master key
+ to avoid being potentially insecure in an entropy-starved situation.
+
+
+ * 5.18 What about Plausible Deniability?
+
+ First let me attempt a definition for the case of encrypted
+ filesystems: Plausible deniability is when you store data
+ inside an encrypted container and it is not possible to prove it is
+ there without having a special passphrase. And at the same time
+ it must be "plausible" that there actually is no hidden data there.
+
+ As a simple entropy-analysis will show that here may be data there,
+ the second part is what makes it tricky.
+
+ There seem to be a lot of misunderstandings what that
+ means, so let me make clear that this refers to the situation where
+ the attackers can prove that there is data that may be random or
+ may be part of a plausible-deniability scheme, they just cannot
+ prove which one it is. Hence a plausible-deniability
+ scheme must hold up when the attackers know there is
+ something potentially fishy. If you just hide data and rely on
+ it not being found, that is just simple deniability, not "plausible"
+ deniability and I am not talking about that in the following.
+ Simple deniability against a low-competence attacker may
+ be as simple as renaming a file or putting data into an unused
+ part of a disk. Simple deniability against a high-skill attacker
+ with time to invest is usually pointless though unless you go
+ for advanced steganographic techniques, which have their own
+ drawbacks, such as low data capacity.
+
+ Now, the idea of plausible deniability is compelling and on first
+ glance it seems possible to do it. And from a cryptographic point
+ of view, it actually is possible.
+
+ So, does it work in practice? No, unfortunately. The reasoning used
+ by its proponents is fundamentally flawed in several ways and the
+ cryptographic properties fail fatally when colliding with the real
+ world.
+
+ First, why should "I do not have a hidden partition" be any more
+ plausible than "I forgot my crypto key" or "I wiped that partition
+ with random data, nothing in there"? I do not see any reason.
+
+ Second, there are two types of situations: Either they cannot force
+ you to give them the key (then you simply do not) or they can. In the
+ second case, they can always do bad things to you, because they
+ cannot prove that you have the key in the first place! This means
+ they do not have to prove you have the key, or that this random
+ looking data on your disk is actually encrypted data. So the
+ situation will allow them to waterboard/lock-up/deport you anyways,
+ regardless of how "plausible" your deniability is. Do not have a
+ hidden partition you could show to them, but there are indications
+ you may? Too bad for you. Unfortunately "plausible deniability"
+ also means you cannot prove there is no hidden data.
+
+ Third, hidden partitions are not that hidden. There are basically
+ just two possibilities: a) Make a large crypto container, but put a
+ smaller filesystem in there and put the hidden partition into the
+ free space. Unfortunately this is glaringly obvious and can be
+ detected in an automated fashion. This means that the initial
+ suspicion to put you under duress in order to make you reveal you
+ hidden data is given. b) Make a filesystem that spans the whole
+ encrypted partition, and put the hidden partition into space not
+ currently used by that filesystem. Unfortunately that is also
+ glaringly obvious, as you then cannot write to the filesystem without
+ a high risk of destroying data in the hidden container. Have not
+ written anything to the encrypted filesystem in a while? Too bad,
+ they have the suspicion they need to do unpleasant things to you.
+
+ To be fair, if you prepare option b) carefully and directly before
+ going into danger, it may work. But then, the mere presence of
+ encrypted data may already be enough to get you into trouble in those
+ places were they can demand encryption keys.
+
+ Here is an additional reference for some problems with plausible
+ deniability: http://www.schneier.com/paper-truecrypt-dfs.pdf
+ I strongly suggest you read it.
+
+ So, no, I will not provide any instructions on how to do it with
+ plain dm-crypt or LUKS. If you insist on shooting yourself in the
+ foot, you can figure out how to do it yourself.
+
+
+ * 5.19 What about SSDs, Flash and Hybrid Drives?
+
+ The problem is that you cannot reliably erase parts of these devices,
+ mainly due to wear-leveling and possibly defect management.
+
+ Basically, when overwriting a sector (of 512B), what the device does
+ is to move an internal sector (may be 128kB or even larger) to some
+ pool of discarded, not-yet erased unused sectors, take a fresh empty
+ sector from the empty-sector pool and copy the old sector over with
+ the changes to the small part you wrote. This is done in some
+ fashion so that larger writes do not cause a lot of small internal
+ updates.
+
+ The thing is that the mappings between outside-addressable sectors
+ and inside sectors is arbitrary (and the vendors are not talking).
+ Also the discarded sectors are not necessarily erased immediately.
+ They may linger a long time.
+
+ For plain dm-crypt, the consequences are that older encrypted data
+ may be lying around in some internal pools of the device. Thus may
+ or may not be a problem and depends on the application. Remember the
+ same can happen with a filesystem if consecutive writes to the same
+ area of a file can go to different sectors.
+
+ However, for LUKS, the worst case is that key-slots and LUKS header
+ may end up in these internal pools. This means that password
+ management functionality is compromised (the old passwords may still
+ be around, potentially for a very long time) and that fast erase by
+ overwriting the header and key-slot area is insecure.
+
+ Also keep in mind that the discarded/used pool may be large. For
+ example, a 240GB SSD has about 16GB of spare area in the chips that
+ it is free to do with as it likes. You would need to make each
+ individual key-slot larger than that to allow reliable overwriting.
+ And that assumes the disk thinks all other space is in use. Reading
+ the internal pools using forensic tools is not that hard, but may
+ involve some soldering.
+
+ What to do?
+
+ If you trust the device vendor (you probably should not...) you can
+ try an ATA "secure erase" command for SSDs. That does not work for
+ USB keys though and may or may not be secure for a hybrid drive. If
+ it finishes on an SSD after a few seconds, it was possibly faked.
+ Unfortunately, for hybrid drives that indicator does not work, as the
+ drive may well take the time to truly erase the magnetic part, but
+ only mark the SSD/Flash part as erased while data is still in there.
+
+ If you can do without password management and are fine with doing
+ physical destruction for permanently deleting data (always after one
+ or several full overwrites!), you can use plain dm-crypt or LUKS.
+
+ If you want or need all the original LUKS security features to work,
+ you can use a detached LUKS header and put that on a conventional,
+ magnetic disk. That leaves potentially old encrypted data in the
+ pools on the disk, but otherwise you get LUKS with the same security
+ as on a magnetic disk.
+
+ If you are concerned about your laptop being stolen, you are likely
+ fine using LUKS on an SSD or hybrid drive. An attacker would need to
+ have access to an old passphrase (and the key-slot for this old
+ passphrase would actually need to still be somewhere in the SSD) for
+ your data to be at risk. So unless you pasted your old passphrase
+ all over the Internet or the attacker has knowledge of it from some
+ other source and does a targeted laptop theft to get at your data,
+ you should be fine.
+
+
+ * 5.20 LUKS is broken! It uses SHA-1!
+
+ No, it is not. SHA-1 is (academically) broken for finding collisions,
+ but not for using it in a key-derivation function. And that
+ collision vulnerability is for non-iterated use only. And you need
+ the hash-value in verbatim.
+
+ This basically means that if you already have a slot-key, and you
+ have set the PBKDF2 iteration count to 1 (it is > 10'000 normally),
+ you could (maybe) derive a different passphrase that gives you the
+ the same slot-key. But if you have the slot-key, you can already
+ unlock the key-slot and get the master key, breaking everything. So
+ basically, this SHA-1 vulnerability allows you to open a LUKS
+ container with high effort when you already have it open.
+
+ The real problem here is people that do not understand crypto and
+ claim things are broken just because some mechanism is used that has
+ been broken for a specific different use. The way the mechanism is
+ used matters very much. A hash that is broken for one use can be
+ completely secure for other uses and here it is.
+
+
+ * 5.21 Why is there no "Nuke-Option"?
+
+ A "Nuke-Option" or "Kill-switch" is a password that when entered upon
+ unlocking instead wipes the header and all passwords. So when
+ somebody forces you to enter your password, you can destroy the data
+ instead.
+
+ While this sounds attractive at first glance, it does not make sense
+ once a real security analysis is done. One problem is that you have
+ to have some kind of HSM (Hardware Security Module) in order to
+ implement it securely. In the movies, a HSM starts to smoke and melt
+ once the Nuke-Option has been activated. In reality, it just wipes
+ some battery-backed RAM cells. A proper HSM costs something like
+ 20'000...100'000 EUR/USD and there a Nuke-Option may make some sense.
+ BTW, a chipcard or a TPM is not a HSM, although some vendors are
+ promoting that myth.
+
+ Now, a proper HSMs will have a wipe option but not a Nuke-Option,
+ i.e. you can explicitly wipe the HSM, but by a different process
+ than unlocking it takes. Why is that? Simple: If somebody can force
+ you to reveal passwords, then they can also do bad things to you if
+ you do not or if you enter a nuke password instead. Think locking
+ you up for a few years for "destroying evidence" or for far longer
+ and without trial for being a "terrorist suspect". No HSM maker will
+ want to expose its customers to that risk.
+
+ Now think of the typical LUKS application scenario, i.e. disk
+ encryption. Usually the ones forcing you to hand over your password
+ will have access to the disk as well, and, if they have any real
+ suspicion, they will mirror your disk before entering anything
+ supplied by you. This neatly negates any Nuke-Option. If they have
+ no suspicion (just harassing people that cross some border for
+ example), the Nuke-Option would work, but see above about likely
+ negative consequences and remember that a Nuke-Option may not work
+ reliably on SSD and hybrid drives anyways.
+
+ Hence my advice is to never take data that you do not want to reveal
+ into any such situation in the first place. There is no need to
+ transfer data on physical carriers today. The Internet makes it
+ quite possible to transfer data between arbitrary places and modern
+ encryption makes it secure. If you do it right, nobody will even be
+ able to identify source or destination. (How to do that is out of
+ scope of this document. It does require advanced skills in this age
+ of pervasive surveillance.)
+
+ Hence, LUKS has not kill option because it would do much more harm
+ than good.
+
+ Still, if you have a good use-case (i.e. non-abstract real-world
+ situation) where a Nuke-Option would actually be beneficial, please
+ let me know.
+
+
+ * 5.22 Does cryptsetup open network connections to websites, etc. ?
+
+ This question seems not to make much sense at first glance, but here
+ is an example form the real world: The TrueCrypt GUI has a "Donation"
+ button. Press it, and a web-connection to the TrueCrypt website is
+ opened via the default browser, telling everybody that listens that
+ you use TrueCrypt. In the worst case, things like this can get
+ people tortured or killed.
+
+ So: Cryptsetup will never open any network connections except the
+ local netlink socket it needs to talk to the kernel crypto API.
+
+ In addition, the installation package should contain all
+ documentation, including this FAQ, so that you do not have to go to a
+ web-site to read it. (If your distro cuts the docu, please complain
+ to them.) In security software, any connection initiated to anywhere
+ outside your machine should always be the result of an explicit
+ request for such a connection by the user and cryptsetup will stay
+ true to that principle.
+
+
+6. Backup and Data Recovery
+
+
+ * 6.1 Why do I need Backup?
+
+ First, disks die. The rate for well-treated (!) disk is about 5% per
+ year, which is high enough to worry about. There is some indication
+ that this may be even worse for some SSDs. This applies both to LUKS
+ and plain dm-crypt partitions.
+
+ Second, for LUKS, if anything damages the LUKS header or the
+ key-stripe area then decrypting the LUKS device can become
+ impossible. This is a frequent occurrence. For example an
+ accidental format as FAT or some software overwriting the first
+ sector where it suspects a partition boot sector typically makes a
+ LUKS partition permanently inaccessible. See more below on LUKS
+ header damage.
+
+ So, data-backup in some form is non-optional. For LUKS, you may also
+ want to store a header backup in some secure location. This only
+ needs an update if you change passphrases.
+
+
+ * 6.2 How do I backup a LUKS header?
+
+ While you could just copy the appropriate number of bytes from the
+ start of the LUKS partition, the best way is to use command option
+ "luksHeaderBackup" of cryptsetup. This protects also against errors
+ when non-standard parameters have been used in LUKS partition
+ creation. Example:
+
+ cryptsetup luksHeaderBackup --header-backup-file <file> <device>
+
+ To restore, use the inverse command, i.e.
+
+ cryptsetup luksHeaderRestore --header-backup-file <file> <device>
+
+ If you are unsure about a header to be restored, make a backup of the
+ current one first! You can also test the header-file without restoring
+ it by using the --header option for a detached header like this:
+
+ cryptsetup --header <file> luksOpen <device> </dev/mapper/ -name>
+
+ If that unlocks your keys-lot, you are good. Do not forget to close
+ the device again.
+
+ Under some circumstances (damaged header), this fails. Then use the
+ following steps:
+
+ First determine the master-key size:
+
+ cryptsetup luksDump <device>
+
+ gives a line of the form
+
+ MK bits: <bits>
+
+ with bits equal to 256 for the old defaults and 512 for the new
+ defaults. 256 bits equals a total header size of 1'052'672 Bytes and
+ 512 bits one of 2MiB. (See also Item 6.12) If luksDump fails, assume
+ 2MiB, but be aware that if you restore that, you may also restore the
+ first 1M or so of the filesystem. Do not change the filesystem if
+ you were unable to determine the header size! With that, restoring a
+ too-large header backup is still safe.
+
+ Second, dump the header to file. There are many ways to do it, I
+ prefer the following:
+
+ head -c 1052672 <device> > header_backup.dmp
+
+ or
+
+ head -c 2M <device> > header_backup.dmp
+
+ for a 2MiB header. Verify the size of the dump-file to be sure.
+
+ To restore such a backup, you can try luksHeaderRestore or do a more
+ basic
+
+ cat header_backup.dmp > <device>
+
+
+
+ * 6.3 How do I test a LUKS header?
+
+ Use
+
+ cryptsetup -v isLuks <device>
+
+ on the device. Without the "-v" it just signals its result via
+ exit-status. You can also use the more general test
+
+ blkid -p <device>
+
+ which will also detect other types and give some more info. Omit
+ "-p" for old versions of blkid that do not support it.
+
+
+ * 6.4 How do I backup a LUKS or dm-crypt partition?
+
+ There are two options, a sector-image and a plain file or filesystem
+ backup of the contents of the partition. The sector image is already
+ encrypted, but cannot be compressed and contains all empty space.
+ The filesystem backup can be compressed, can contain only part of the
+ encrypted device, but needs to be encrypted separately if so desired.
+
+ A sector-image will contain the whole partition in encrypted form,
+ for LUKS the LUKS header, the keys-slots and the data area. It can
+ be done under Linux e.g. with dd_rescue (for a direct image copy)
+ and with "cat" or "dd". Example:
+
+ cat /dev/sda10 > sda10.img
+ dd_rescue /dev/sda10 sda10.img
+
+ You can also use any other backup software that is capable of making
+ a sector image of a partition. Note that compression is ineffective
+ for encrypted data, hence it does not make sense to use it.
+
+ For a filesystem backup, you decrypt and mount the encrypted
+ partition and back it up as you would a normal filesystem. In this
+ case the backup is not encrypted, unless your encryption method does
+ that. For example you can encrypt a backup with "tar" as follows
+ with GnuPG:
+
+ tar cjf - <path> | gpg --cipher-algo AES -c - > backup.tbz2.gpg
+
+ And verify the backup like this if you are at "path":
+
+ cat backup.tbz2.gpg | gpg - | tar djf -
+
+ Note: Always verify backups, especially encrypted ones!
+
+ There is one problem with verifying like this: The kernel may still
+ have some files cached and in fact verify them against RAM or may
+ even verify RAM against RAM, which defeats the purpose of the
+ exercise. The following command empties the kernel caches:
+
+ echo 3 > /proc/sys/vm/drop_caches
+
+ Run it after backup and before verify.
+
+ In both cases GnuPG will ask you interactively for your symmetric
+ key. The verify will only output errors. Use "tar dvjf -" to get
+ all comparison results. To make sure no data is written to disk
+ unencrypted, turn off swap if it is not encrypted before doing the
+ backup.
+
+ Restore works like certification with the 'd' ('difference') replaced
+ by 'x' ('eXtract'). Refer to the man-page of tar for more
+ explanations and instructions. Note that with default options tar
+ will overwrite already existing files without warning. If you are
+ unsure about how to use tar, experiment with it in a location where
+ you cannot do damage.
+
+ You can of course use different or no compression and you can use an
+ asymmetric key if you have one and have a backup of the secret key
+ that belongs to it.
+
+ A second option for a filesystem-level backup that can be used when
+ the backup is also on local disk (e.g. an external USB drive) is to
+ use a LUKS container there and copy the files to be backed up between
+ both mounted containers. Also see next item.
+
+
+ * 6.5 Do I need a backup of the full partition? Would the header
+ and key-slots not be enough?
+
+ Backup protects you against two things: Disk loss or corruption and
+ user error. By far the most questions on the dm-crypt mailing list
+ about how to recover a damaged LUKS partition are related to user
+ error. For example, if you create a new filesystem on a LUKS
+ partition, chances are good that all data is lost permanently.
+
+ For this case, a header+key-slot backup would often be enough. But
+ keep in mind that a well-treated (!) HDD has roughly a failure risk
+ of 5% per year. It is highly advisable to have a complete backup to
+ protect against this case.
+
+
+ * 6.6 What do I need to backup if I use "decrypt_derived"?
+
+ This is a script in Debian, intended for mounting /tmp or swap with a
+ key derived from the master key of an already decrypted device. If
+ you use this for an device with data that should be persistent, you
+ need to make sure you either do not lose access to that master key or
+ have a backup of the data. If you derive from a LUKS device, a
+ header backup of that device would cover backing up the master key.
+ Keep in mind that this does not protect against disk loss.
+
+ Note: If you recreate the LUKS header of the device you derive from
+ (using luksFormat), the master key changes even if you use the same
+ passphrase(s) and you will not be able to decrypt the derived device
+ with the new LUKS header.
+
+
+ * 6.7 Does a backup compromise security?
+
+ Depends on how you do it. However if you do not have one, you are
+ going to eventually lose your encrypted data.
+
+ There are risks introduced by backups. For example if you
+ change/disable a key-slot in LUKS, a binary backup of the partition
+ will still have the old key-slot. To deal with this, you have to be
+ able to change the key-slot on the backup as well, securely erase the
+ backup or do a filesystem-level backup instead of a binary one.
+
+ If you use dm-crypt, backup is simpler: As there is no key
+ management, the main risk is that you cannot wipe the backup when
+ wiping the original. However wiping the original for dm-crypt should
+ consist of forgetting the passphrase and that you can do without
+ actual access to the backup.
+
+ In both cases, there is an additional (usually small) risk with
+ binary backups: An attacker can see how many sectors and which ones
+ have been changed since the backup. To prevent this, use a
+ filesystem level backup method that encrypts the whole backup in one
+ go, e.g. as described above with tar and GnuPG.
+
+ My personal advice is to use one USB disk (low value data) or three
+ disks (high value data) in rotating order for backups, and either use
+ independent LUKS partitions on them, or use encrypted backup with tar
+ and GnuPG.
+
+ If you do network-backup or tape-backup, I strongly recommend to go
+ the filesystem backup path with independent encryption, as you
+ typically cannot reliably delete data in these scenarios, especially
+ in a cloud setting. (Well, you can burn the tape if it is under your
+ control...)
+
+
+ * 6.8 What happens if I overwrite the start of a LUKS partition or
+ damage the LUKS header or key-slots?
+
+ There are two critical components for decryption: The salt values in
+ the key-slot descriptors of the header and the key-slots. If the
+ salt values are overwritten or changed, nothing (in the
+ cryptographically strong sense) can be done to access the data,
+ unless there is a backup of the LUKS header. If a key-slot is
+ damaged, the data can still be read with a different key-slot, if
+ there is a remaining undamaged and used key-slot. Note that in order
+ to make a key-slot unrecoverable in a cryptographically strong sense,
+ changing about 4-6 bits in random locations of its 128kiB size is
+ quite enough.
+
+
+ * 6.9 What happens if I (quick) format a LUKS partition?
+
+ I have not tried the different ways to do this, but very likely you
+ will have written a new boot-sector, which in turn overwrites the
+ LUKS header, including the salts, making your data permanently
+ irretrievable, unless you have a LUKS header backup. You may also
+ damage the key-slots in part or in full. See also last item.
+
+
+ * 6.10 How do I recover the master key from a mapped LUKS container?
+
+ This is typically only needed if you managed to damage your LUKS
+ header, but the container is still mapped, i.e. "luksOpen"ed. It
+ also helps if you have a mapped container that you forgot or do not
+ know a passphrase for (e.g. on a long running server.)
+
+ WARNING: Things go wrong, do a full backup before trying this!
+
+ WARNING: This exposes the master key of the LUKS container. Note
+ that both ways to recreate a LUKS header with the old master key
+ described below will write the master key to disk. Unless you are
+ sure you have securely erased it afterwards, e.g. by writing it to
+ an encrypted partition, RAM disk or by erasing the filesystem you
+ wrote it to by a complete overwrite, you should change the master key
+ afterwards. Changing the master key requires a full data backup,
+ luksFormat and then restore of the backup.
+
+ First, there is a script by Milan that automates the whole process,
+ except generating a new LUKS header with the old master key (it
+ prints the command for that though):
+
+ https://gitlab.com/cryptsetup/cryptsetup/blob/master/misc/luks-header-from-active
+
+ You can also do this manually. Here is how:
+
+ - Get the master key from the device mapper. This is done by the
+ following command. Substitute c5 for whatever you mapped to:
+
+ # dmsetup table --target crypt --showkey /dev/mapper/c5
+
+ Result:
+ 0 200704 crypt aes-cbc-essiv:sha256
+ a1704d9715f73a1bb4db581dcacadaf405e700d591e93e2eaade13ba653d0d09
+ 0 7:0 4096
+
+ The result is actually one line, wrapped here for clarity. The long
+ hex string is the master key.
+
+ - Convert the master key to a binary file representation. You can do
+ this manually, e.g. with hexedit. You can also use the tool "xxd"
+ from vim like this:
+
+ echo "a1704d9....53d0d09" | xxd -r -p > <master-key-file>
+
+
+ - Do a luksFormat to create a new LUKS header.
+
+ NOTE: If your header is intact and you just forgot the passphrase,
+ you can just set a new passphrase, see next sub-item.
+
+ Unmap the device before you do that (luksClose). Then do
+
+ cryptsetup luksFormat --master-key-file=<master-key-file> <luks device>
+
+ Note that if the container was created with other than the default
+ settings of the cryptsetup version you are using, you need to give
+ additional parameters specifying the deviations. If in doubt, try
+ the script by Milan. It does recover the other parameters as well.
+
+ Side note: This is the way the decrypt_derived script gets at the
+ master key. It just omits the conversion and hashes the master key
+ string.
+
+ - If the header is intact and you just forgot the passphrase, just
+ set a new passphrase like this:
+
+ cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>
+
+ You may want to disable the old one afterwards.
+
+
+ * 6.11 What does the on-disk structure of dm-crypt look like?
+
+ There is none. dm-crypt takes a block device and gives encrypted
+ access to each of its blocks with a key derived from the passphrase
+ given. If you use a cipher different than the default, you have to
+ specify that as a parameter to cryptsetup too. If you want to change
+ the password, you basically have to create a second encrypted device
+ with the new passphrase and copy your data over. On the plus side,
+ if you accidentally overwrite any part of a dm-crypt device, the
+ damage will be limited to the area you overwrote.
+
+
+ * 6.12 What does the on-disk structure of LUKS look like?
+
+ A LUKS partition consists of a header, followed by 8 key-slot
+ descriptors, followed by 8 key slots, followed by the encrypted data
+ area.
+
+ Header and key-slot descriptors fill the first 592 bytes. The
+ key-slot size depends on the creation parameters, namely on the
+ number of anti-forensic stripes, key material offset and master key
+ size.
+
+ With the default parameters, each key-slot is a bit less than 128kiB
+ in size. Due to sector alignment of the key-slot start, that means
+ the key block 0 is at offset 0x1000-0x20400, key block 1 at offset
+ 0x21000-0x40400, and key block 7 at offset 0xc1000-0xe0400. The
+ space to the next full sector address is padded with zeros. Never
+ used key-slots are filled with what the disk originally contained
+ there, a key-slot removed with "luksRemoveKey" or "luksKillSlot" gets
+ filled with 0xff. Due to 2MiB default alignment, start of the data
+ area for cryptsetup 1.3 and later is at 2MiB, i.e. at 0x200000. For
+ older versions, it is at 0x101000, i.e. at 1'052'672 bytes, i.e. at
+ 1MiB + 4096 bytes from the start of the partition. Incidentally,
+ "luksHeaderBackup" for a LUKS container created with default
+ parameters dumps exactly the first 2MiB (or 1'052'672 bytes for
+ headers created with cryptsetup versions < 1.3) to file and
+ "luksHeaderRestore" restores them.
+
+ For non-default parameters, you have to figure out placement
+ yourself. "luksDump" helps. See also next item. For the most
+ common non-default settings, namely aes-xts-plain with 512 bit key,
+ the offsets are: 1st keyslot 0x1000-0x3f800, 2nd keyslot
+ 0x40000-0x7e000, 3rd keyslot 0x7e000-0xbd800, ..., and start of bulk
+ data at 0x200000.
+
+ The exact specification of the format is here:
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification
+
+ For your convenience, here is the LUKS header with hex offsets.
+ NOTE: The spec counts key-slots from 1 to 8, but the cryptsetup tool
+ counts from 0 to 7. The numbers here refer to the cryptsetup
+ numbers.
+
+
+Refers to LUKS On-Disk Format Specification Version 1.2.1
+
+LUKS header:
+
+offset length name data type description
+-----------------------------------------------------------------------
+0x0000 0x06 magic byte[] 'L','U','K','S', 0xba, 0xbe
+ 0 6
+0x0006 0x02 version uint16_t LUKS version
+ 6 3
+0x0008 0x20 cipher-name char[] cipher name spec.
+ 8 32
+0x0028 0x20 cipher-mode char[] cipher mode spec.
+ 40 32
+0x0048 0x20 hash-spec char[] hash spec.
+ 72 32
+0x0068 0x04 payload-offset uint32_t bulk data offset in sectors
+ 104 4 (512 bytes per sector)
+0x006c 0x04 key-bytes uint32_t number of bytes in key
+ 108 4
+0x0070 0x14 mk-digest byte[] master key checksum
+ 112 20 calculated with PBKDF2
+0x0084 0x20 mk-digest-salt byte[] salt for PBKDF2 when
+ 132 32 calculating mk-digest
+0x00a4 0x04 mk-digest-iter uint32_t iteration count for PBKDF2
+ 164 4 when calculating mk-digest
+0x00a8 0x28 uuid char[] partition UUID
+ 168 40
+0x00d0 0x30 key-slot-0 key slot key slot 0
+ 208 48
+0x0100 0x30 key-slot-1 key slot key slot 1
+ 256 48
+0x0130 0x30 key-slot-2 key slot key slot 2
+ 304 48
+0x0160 0x30 key-slot-3 key slot key slot 3
+ 352 48
+0x0190 0x30 key-slot-4 key slot key slot 4
+ 400 48
+0x01c0 0x30 key-slot-5 key slot key slot 5
+ 448 48
+0x01f0 0x30 key-slot-6 key slot key slot 6
+ 496 48
+0x0220 0x30 key-slot-7 key slot key slot 7
+ 544 48
+
+
+Key slot:
+
+offset length name data type description
+-------------------------------------------------------------------------
+0x0000 0x04 active uint32_t key slot enabled/disabled
+ 0 4
+0x0004 0x04 iterations uint32_t PBKDF2 iteration count
+ 4 4
+0x0008 0x20 salt byte[] PBKDF2 salt
+ 8 32
+0x0028 0x04 key-material-offset uint32_t key start sector
+ 40 4 (512 bytes/sector)
+0x002c 0x04 stripes uint32_t number of anti-forensic
+ 44 4 stripes
+
+
+
+ * 6.13 What is the smallest possible LUKS container?
+
+ Note: From cryptsetup 1.3 onwards, alignment is set to 1MB. With
+ modern Linux partitioning tools that also align to 1MB, this will
+ result in alignment to 2k sectors and typical Flash/SSD sectors,
+ which is highly desirable for a number of reasons. Changing the
+ alignment is not recommended.
+
+ That said, with default parameters, the data area starts at exactly
+ 2MB offset (at 0x101000 for cryptsetup versions before 1.3). The
+ smallest data area you can have is one sector of 512 bytes. Data
+ areas of 0 bytes can be created, but fail on mapping.
+
+ While you cannot put a filesystem into something this small, it may
+ still be used to contain, for example, key. Note that with current
+ formatting tools, a partition for a container this size will be 3MiB
+ anyways. If you put the LUKS container into a file (via losetup and
+ a loopback device), the file needs to be 2097664 bytes in size, i.e.
+ 2MiB + 512B.
+
+ The two ways to influence the start of the data area are key-size and
+ alignment.
+
+ For alignment, you can go down to 1 on the parameter. This will still
+ leave you with a data-area starting at 0x101000, i.e. 1MiB+4096B
+ (default parameters) as alignment will be rounded up to the next
+ multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run on a
+ larger file and dump the LUKS header to get actual information.
+
+ For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit
+ (e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode).
+ You can do 64 bit (e.g. blowfish-64 with CBC), but anything below
+ 128 bit has to be considered insecure today.
+
+ Example 1 - AES 128 bit with CBC:
+
+ cryptsetup luksFormat -s 128 --align-payload=8 <device>
+
+ This results in a data offset of 0x81000, i.e. 516KiB or 528384
+ bytes. Add one 512 byte sector and the smallest LUKS container size
+ with these parameters is 516KiB + 512B or 528896 bytes.
+
+ Example 2 - Blowfish 64 bit with CBC (WARNING: insecure):
+
+ cryptsetup luksFormat -c blowfish -s 64 --align-payload=8 /dev/loop0
+
+ This results in a data offset of 0x41000, i.e. 260kiB or 266240
+ bytes, with a minimal LUKS container size of 260kiB + 512B or 266752
+ bytes.
+
+
+ * 6.14 I think this is overly complicated. Is there an alternative?
+
+ Not really. Encryption comes at a price. You can use plain dm-crypt
+ to simplify things a bit. It does not allow multiple passphrases,
+ but on the plus side, it has zero on disk description and if you
+ overwrite some part of a plain dm-crypt partition, exactly the
+ overwritten parts are lost (rounded up to sector borders).
+
+ * 6.15 Can I clone a LUKS container?
+
+ You can, but it breaks security, because the cloned container has the
+ same header and hence the same master key. You cannot change the
+ master key on a LUKS container, even if you change the passphrase(s),
+ the master key stays the same. That means whoever has access to one
+ of the clones can decrypt them all, completely bypassing the
+ passphrases.
+
+ The right way to do this is to first luksFormat the target container,
+ then to clone the contents of the source container, with both
+ containers mapped, i.e. decrypted. You can clone the decrypted
+ contents of a LUKS container in binary mode, although you may run
+ into secondary issues with GUIDs in filesystems, partition tables,
+ RAID-components and the like. These are just the normal problems
+ binary cloning causes.
+
+ Note that if you need to ship (e.g.) cloned LUKS containers with a
+ default passphrase, that is fine as long as each container was
+ individually created (and hence has its own master key). In this
+ case, changing the default passphrase will make it secure again.
+
+
+7. Interoperability with other Disk Encryption Tools
+
+
+ * 7.1 What is this section about?
+
+ Cryptsetup for plain dm-crypt can be used to access a number of
+ on-disk formats created by tools like loop-aes patched into losetup.
+ This sometimes works and sometimes does not. This section collects
+ insights into what works, what does not and where more information is
+ required.
+
+ Additional information may be found in the mailing-list archives,
+ mentioned at the start of this FAQ document. If you have a solution
+ working that is not yet documented here and think a wider audience
+ may be interested, please email the FAQ maintainer.
+
+
+ * 7.2 loop-aes: General observations.
+
+ One problem is that there are different versions of losetup around.
+ loop-aes is a patch for losetup. Possible problems and deviations
+ from cryptsetup option syntax include:
+
+ - Offsets specified in bytes (cryptsetup: 512 byte sectors)
+
+ - The need to specify an IV offset
+
+ - Encryption mode needs specifying (e.g. "-c twofish-cbc-plain")
+
+ - Key size needs specifying (e.g. "-s 128" for 128 bit keys)
+
+ - Passphrase hash algorithm needs specifying
+
+ Also note that because plain dm-crypt and loop-aes format does not
+ have metadata, and while the loopAES extension for cryptsetup tries
+ autodetection (see command loopaesOpen), it may not always work. If
+ you still have the old set-up, using a verbosity option (-v) on
+ mapping with the old tool or having a look into the system logs after
+ setup could give you the information you need. Below, there are also
+ some things that worked for somebody.
+
+
+ * 7.3 loop-aes patched into losetup on Debian 5.x, kernel 2.6.32
+
+ In this case, the main problem seems to be that this variant of
+ losetup takes the offset (-o option) in bytes, while cryptsetup takes
+ it in sectors of 512 bytes each.
+
+ Example: The losetup command
+
+ losetup -e twofish -o 2560 /dev/loop0 /dev/sdb1
+ mount /dev/loop0 mount-point
+
+ translates to
+
+ cryptsetup create -c twofish -o 5 --skip 5 e1 /dev/sdb1
+ mount /dev/mapper/e1 mount-point
+
+
+
+ * 7.4 loop-aes with 160 bit key
+
+ This seems to be sometimes used with twofish and blowfish and
+ represents a 160 bit ripemed160 hash output padded to 196 bit key
+ length. It seems the corresponding options for cryptsetup are
+
+ --cipher twofish-cbc-null -s 192 -h ripemd160:20
+
+
+
+ * 7.5 loop-aes v1 format OpenSUSE
+
+ Apparently this is done by older OpenSUSE distros and stopped working
+ from OpenSUSE 12.1 to 12.2. One user had success with the following:
+
+ cryptsetup create <target> <device> -c aes -s 128 -h sha256
+
+
+
+ * 7.6 Kernel encrypted loop device (cryptoloop)
+
+ There are a number of different losetup implementations for using
+ encrypted loop devices so getting this to work may need a bit of
+ experimentation.
+
+ NOTE: Do NOT use this for new containers! Some of the existing
+ implementations are insecure and future support is uncertain.
+
+ Example for a compatible mapping:
+
+ losetup -e twofish -N /dev/loop0 /image.img
+
+ translates to
+
+ cryptsetup create image_plain /image.img -c twofish-cbc-plain -H plain
+
+ with the mapping being done to /dev/mapper/image_plain instead of
+ to /dev/loop0.
+
+ More details:
+
+ Cipher, mode and pasword hash (or no hash):
+
+ -e cipher [-N] => -c cipher-cbc-plain -H plain [-s 256]
+ -e cipher => -c cipher-cbc-plain -H ripemd160 [-s 256]
+
+
+ Key size and offsets (losetup: bytes, cryptsetuop: sectors of 512 bytes):
+
+ -k 128 => -s 128
+ -o 2560 => -o 5 -p 5 # 2560/512 = 5
+
+
+ There is no replacement for --pass-fd, it has to be emulated using
+ keyfiles, see the cryptsetup man-page.
+
+
+8. Issues with Specific Versions of cryptsetup
+
+
+ * 8.1 When using the create command for plain dm-crypt with
+ cryptsetup 1.1.x, the mapping is incompatible and my data is not
+ accessible anymore!
+
+ With cryptsetup 1.1.x, the distro maintainer can define different
+ default encryption modes. You can check the compiled-in defaults
+ using "cryptsetup --help". Moreover, the plain device default
+ changed because the old IV mode was vulnerable to a watermarking
+ attack.
+
+ If you are using a plain device and you need a compatible mode, just
+ specify cipher, key size and hash algorithm explicitly. For
+ compatibility with cryptsetup 1.0.x defaults, simple use the
+ following:
+
+ cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 <name> <dev>
+
+
+ LUKS stores cipher and mode in the metadata on disk, avoiding this
+ problem.
+
+
+ * 8.2 cryptsetup on SLED 10 has problems...
+
+ SLED 10 is missing an essential kernel patch for dm-crypt, which is
+ broken in its kernel as a result. There may be a very old version of
+ cryptsetup (1.0.x) provided by SLED, which should also not be used
+ anymore as well. My advice would be to drop SLED 10.
+
+
+ * 8.3 Gcrypt 1.6.x and later break Whirlpool
+
+ It is the other way round: In gcrypt 1.5.x, Whirlpool is broken and
+ it was fixed in 1.6.0 and later. If you selected whirlpool as hash
+ on creation of a LUKS container, it does not work anymore with the
+ fixed library. This shows one serious risk of using rarely used
+ settings.
+
+ Note that at the time this FAQ item was written, 1.5.4 was the latest
+ 1.5.x version and it has the flaw, i.e. works with the old Whirlpool
+ version. Possibly later 1.5.x versions will work as well. If not,
+ please let me know.
+
+ The only two ways to access older LUKS containers created with
+ Whirlpool are to either decrypt with an old gcrypt version that has
+ the flaw or to use a compatibility feature introduced in cryptsetup
+ 1.6.4 and gcrypt 1.6.1 or later. Version 1.6.0 cannot be used.
+
+ Steps:
+
+ - Make at least a header backup or better, refresh your full backup.
+ (You have a full backup, right? See Item 6.1 and following.)
+
+ - Make sure you have cryptsetup 1.6.4 or later and check the gcrypt
+ version:
+
+
+ cryptsetup luksDump <your luks device> --debug | grep backend
+
+
+ If gcrypt is at version 1.5.x or before:
+
+ - Reencrypt the LUKS header with a different hash. (Requires entering
+ all keyslot passphrases. If you do not have all, remove the ones you
+ do not have before.):
+
+
+ cryptsetup-reencrypt --keep-key --hash sha256 <your luks device>
+
+
+ If gcrypt is at version 1.6.1 or later:
+
+ - Patch the hash name in the LUKS header from "whirlpool" to
+ "whirlpool_gcryptbug". This activates the broken implementation.
+ The detailed header layout is in Item 6.12 of this FAQ and in the
+ LUKS on-disk format specification. One way to change the hash is
+ with the following command:
+
+
+ echo -n -e 'whirlpool_gcryptbug\0' | dd of=<luks device> bs=1 seek=72 conv=notrunc
+
+
+ - You can now open the device again. It is highly advisable to change
+ the hash now with cryptsetup-reencrypt as described above. While you
+ can reencrypt to use the fixed whirlpool, that may not be a good idea
+ as almost nobody seems to use it and hence the long time until the
+ bug was discovered.
+
+
+9. The Initrd question
+
+* 9.1 My initrd is broken with cryptsetup or does now work as I want it to
+
+That is not nice! However the initrd is supplied by your distribution, not by
+the cryptsetup project and hence you should complain to them. We cannot
+really do anything about it.
+
+* 9.2 CVE-2016-4484 says cryptsetup is broken!
+
+Not really. It says the initrd in some Debian versions have a behavior that
+under some very special and unusual conditions may be considered
+a vulnerability. Incidentally, at this time (1-Jan-17) CVE-2016-4484 still says
+absolutely nothing, which means that the reporters could not be bothered
+do actually describe the problem so far and hence it cannot be that bad.
+If it were, you would expect that they would have a CVE description in
+there more than 30 days (!) after reporting the problem to the press.
+
+What happens is that you can trick the initrd to go to a rescue-shell
+if you enter the LUKS password wrongly in a specific way. But falling
+back to a rescue shell on initrd errors is a sensible default behavior
+in the first place. It gives you about as much access as booting
+a rescue system from CD or USB-Stick or as removing the disk would
+give you. So this only applies when an attacker has physical access,
+but cannot boot anything else or remove the disk. These will be rare
+circumstances indeed, and if you rely on the default distribution
+initrd to keep you safe under these circumstances, than you have
+bigger problems than this somewhat expected behavior.
+
+My take is this was much more driven by some big egos that wanted
+to make a splash for self-aggrandizement, than by any actual
+security concerns. Ignore it.
+
+* 9.3 How do I do my own inird with cryptsetup?
+
+It depends on the distribution. Below, I give a very simple example
+and step-by-step instructions for Debian. With a bit of work, it
+should be possible to adapt this to other distributions. Note that
+the description is pretty general, so if you want to do other things
+with an initrd it provides an useful starting point for that too.
+
+01) Unpacking an existing initrd to use as template
+
+A Linux initrd is in gzip'ed cpio format. To unpack it, use something
+like this:
+
+ md tmp; cd tmp; cat ../initrd | gunzip | cpio -id
+
+After this, you have the full initrd content in tmp/
+
+02) Inspecting the init-script
+The init-script is the only thing the kernel cares about. All activity
+starts there. Its traditional location is /sbin/init on disk, but /init
+in an initrd. In an initrd unpacked as above it is tmp/init.
+
+While init can be a binary despite usually being called "init script",
+in Debian the main init on the root partition is a binary, but the
+init in the initrd (and only that one is called by the kernel) is a script
+and starts like this:
+
+ #!/bin/sh
+ ....
+
+The "sh" used here is in tmp/bin/sh as just unpacked, and in
+Debian it currently is a busybox.
+
+03) Creating your own initrd
+The two examples below should give you most of what is needed.
+
+Here is a really minimal example. It does nothing but set up some
+things and then drop to an interactive shell. It is perfect to try
+out things that you want to go into the init-script.
+
+!/bin/sh
+export PATH=/sbin:/bin
+[ -d /sys ] || mkdir /sys
+[ -d /proc ] || mkdir /proc
+[ -d /tmp ] || mkdir /tmp
+mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+mount -t proc -o nodev,noexec,nosuid proc /proc
+echo "initrd is running, starting BusyBox..."
+exec /bin/sh --login
+
+
+Here is an example that opens the first LUKS-partition it
+finds with the hard-coded password "test2" and then
+mounts it as root-filesystem. This is intended to be
+used on an USB-stick that after boot goes into a safe,
+as it contains the LUKS-passphrase in plain text and is
+not secure to be left in the system. The script contains
+debug-output that should make it easier to see what
+is going on. Note that the final hand-over to the
+init on the encrypted root-partition is done
+by "exec switch_root /mnt/root /sbin/init", after
+mounting the decrypted LUKS container
+with "mount /dev/mapper/c1 /mnt/root".
+The second argument of switch_root is relative to the
+first argument, i.e. the init started with this command
+is really /mnt/sbin/init before switch_root runs.
+
+!/bin/sh
+export PATH=/sbin:/bin
+[ -d /sys ] || mkdir /sys
+[ -d /proc ] || mkdir /proc
+[ -d /tmp ] || mkdir /tmp
+mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+mount -t proc -o nodev,noexec,nosuid proc /proc
+echo "detecting LUKS containers in sda1-10, sdb1-10"; sleep 1
+for i in a b
+do
+ for j in 1 2 3 4 5 6 7 8 9 10
+ do
+ sleep 0.5
+ d="/dev/sd"$i""$j
+ echo -n $d
+ cryptsetup isLuks $d >/dev/null 2>&1
+ r=$?
+ echo -n " result: "$r""
+ # 0 = is LUKS, 1 = is not LUKS, 4 = other error
+ if expr $r = 0 > /dev/null
+ then
+ echo " is LUKS, attempting unlock"
+ echo -n "test2" | cryptsetup luksOpen --key-file=- $d c1
+ r=$?
+ echo " result of unlock attempt: "$r""
+ sleep 2
+ if expr $r = 0 > /dev/null
+ then
+ echo "*** LUKS partition unlocked, switching root *** (waiting 30 seconds before doing that)"
+ mount /dev/mapper/c1 /mnt/root
+ sleep 30
+ exec switch_root /mnt/root /sbin/init
+ fi
+ else
+ echo " is not LUKS"
+ fi
+ done
+done
+echo "FAIL finding root on LUKS, loading BusyBox..."; sleep 5
+exec /bin/sh --login
+
+
+04) What if I want a binary in the initrd, but libraries are missing?
+
+That is a bit tricky. One option is to compile statically, but that
+does not work for everything. Debian puts some libraries into
+lib/ and lib64/ which are usually enough. If you need more, you
+can add the libraries you need there. That may or may not need a
+configuration change for the dynamic linker "ld" as well.
+Refer to standard Linux documentation
+on how to add a library to a Linux system. A running initrd is
+just a running Linux system after all, it is not special in any way.
+
+05) How do I repack the initrd?
+
+Simply repack the changed directory. While in tmp/, do
+the following:
+
+find . | cpio --create --format='newc' | gzip > ../new_initrd
+
+Rename "new_initrd" to however you want it called (the name of
+the initrd is a kernel-parameter) and move to /boot. That is it.
+
+10. References and Further Reading
+
+ * Purpose of this Section
+
+ The purpose of this section is to collect references to all materials
+ that do not fit the FAQ but are relevant in some fashion. This can
+ be core topics like the LUKS spec or disk encryption, but it can also
+ be more tangential, like secure storage management or cryptography
+ used in LUKS. It should still have relevance to cryptsetup and its
+ applications.
+
+ If you want to see something added here, send email to the maintainer
+ (or the cryptsetup mailing list) giving an URL, a description (1-3
+ lines preferred) and a section to put it in. You can also propose
+ new sections.
+
+ At this time I would like to limit the references to things that are
+ available on the web.
+
+ * Specifications
+
+ - LUKS on-disk format spec:
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification
+
+ * Code Examples
+
+ - Some code examples are in the source package under docs/examples
+
+ - LUKS AF Splitter in Ruby by John Lane: https://rubygems.org/gems/afsplitter
+
+ * Brute-forcing passphrases
+
+ - http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
+
+ - http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes
+
+ * Tools
+
+ * SSD and Flash Disk Related
+
+ * Disk Encryption
+
+ * Attacks Against Disk Encryption
+
+ * Risk Management as Relevant for Disk Encryption
+
+ * Cryptography
+
+ * Secure Storage
+
+
+A. Contributors
+In no particular order:
+
+ - Arno Wagner
+
+ - Milan Broz
+
+___
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..a4b3414
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,229 @@
+Copyright 1994, 1995, 1996, 1999, 2000, 2001, 2002 Free Software
+Foundation, Inc.
+
+ This file is free documentation; the Free Software Foundation gives
+unlimited permission to copy, distribute and modify it.
+
+Basic Installation
+==================
+
+ These are generic installation instructions.
+
+ The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation. It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions. Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, and a
+file `config.log' containing compiler output (useful mainly for
+debugging `configure').
+
+ It can also use an optional file (typically called `config.cache'
+and enabled with `--cache-file=config.cache' or simply `-C') that saves
+the results of its tests to speed up reconfiguring. (Caching is
+disabled by default to prevent problems with accidental use of stale
+cache files.)
+
+ If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release. If you are using the cache, and at
+some point `config.cache' contains results you don't want to keep, you
+may remove or edit it.
+
+ The file `configure.ac' (or `configure.in') is used to create
+`configure' by a program called `autoconf'. You only need
+`configure.ac' if you want to change it or regenerate `configure' using
+a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+ 1. `cd' to the directory containing the package's source code and type
+ `./configure' to configure the package for your system. If you're
+ using `csh' on an old version of System V, you might need to type
+ `sh ./configure' instead to prevent `csh' from trying to execute
+ `configure' itself.
+
+ Running `configure' takes awhile. While running, it prints some
+ messages telling which features it is checking for.
+
+ 2. Type `make' to compile the package.
+
+ 3. Optionally, type `make check' to run any self-tests that come with
+ the package.
+
+ 4. Type `make install' to install the programs and any data files and
+ documentation.
+
+ 5. You can remove the program binaries and object files from the
+ source code directory by typing `make clean'. To also remove the
+ files that `configure' created (so you can compile the package for
+ a different kind of computer), type `make distclean'. There is
+ also a `make maintainer-clean' target, but that is intended mainly
+ for the package's developers. If you use it, you may have to get
+ all sorts of other programs in order to regenerate files that came
+ with the distribution.
+
+Compilers and Options
+=====================
+
+ Some systems require unusual options for compilation or linking that
+the `configure' script does not know about. Run `./configure --help'
+for details on some of the pertinent environment variables.
+
+ You can give `configure' initial values for configuration parameters
+by setting variables in the command line or in the environment. Here
+is an example:
+
+ ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
+
+ *Note Defining Variables::, for more details.
+
+Compiling For Multiple Architectures
+====================================
+
+ You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory. To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'. `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script. `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+ If you have to use a `make' that does not support the `VPATH'
+variable, you have to compile the package for one architecture at a
+time in the source code directory. After you have installed the
+package for one architecture, use `make distclean' before reconfiguring
+for another architecture.
+
+Installation Names
+==================
+
+ By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc. You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PATH'.
+
+ You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files. If you
+give `configure' the option `--exec-prefix=PATH', the package will use
+PATH as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+ In addition, if you use an unusual directory layout you can give
+options like `--bindir=PATH' to specify different values for particular
+kinds of files. Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+ If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+ Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System). The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+ For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+ There may be some features `configure' cannot figure out
+automatically, but needs to determine by the type of machine the package
+will run on. Usually, assuming the package is built to be run on the
+_same_ architectures, `configure' can figure that out, but if it prints
+a message saying it cannot guess the machine type, give it the
+`--build=TYPE' option. TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name which has the form:
+
+ CPU-COMPANY-SYSTEM
+
+where SYSTEM can have one of these forms:
+
+ OS KERNEL-OS
+
+ See the file `config.sub' for the possible values of each field. If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the machine type.
+
+ If you are _building_ compiler tools for cross-compiling, you should
+use the `--target=TYPE' option to select the type of system they will
+produce code for.
+
+ If you want to _use_ a cross compiler, that generates code for a
+platform different from the build platform, you should specify the
+"host" platform (i.e., that on which the generated programs will
+eventually be run) with `--host=TYPE'.
+
+Sharing Defaults
+================
+
+ If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists. Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Defining Variables
+==================
+
+ Variables not defined in a site shell script can be set in the
+environment passed to `configure'. However, some packages may run
+configure again during the build, and the customized values of these
+variables may be lost. In order to avoid this problem, you should set
+them in the `configure' command line, using `VAR=value'. For example:
+
+ ./configure CC=/usr/local2/bin/gcc
+
+will cause the specified gcc to be used as the C compiler (unless it is
+overridden in the site shell script).
+
+`configure' Invocation
+======================
+
+ `configure' recognizes the following options to control how it
+operates.
+
+`--help'
+`-h'
+ Print a summary of the options to `configure', and exit.
+
+`--version'
+`-V'
+ Print the version of Autoconf used to generate the `configure'
+ script, and exit.
+
+`--cache-file=FILE'
+ Enable the cache: use and save the results of the tests in FILE,
+ traditionally `config.cache'. FILE defaults to `/dev/null' to
+ disable caching.
+
+`--config-cache'
+`-C'
+ Alias for `--cache-file=config.cache'.
+
+`--quiet'
+`--silent'
+`-q'
+ Do not print messages saying which checks are being made. To
+ suppress all normal output, redirect it to `/dev/null' (any error
+ messages will still be shown).
+
+`--srcdir=DIR'
+ Look for the package's source code in directory DIR. Usually
+ `configure' can determine that directory automatically.
+
+`configure' also accepts some other, not widely useful, options. Run
+`configure --help' for more details.
+
diff --git a/MODULE_LICENSE_GPL b/MODULE_LICENSE_GPL
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/MODULE_LICENSE_GPL
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..d6a4c43
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,13 @@
+EXTRA_DIST = COPYING.LGPL FAQ docs misc
+SUBDIRS = \
+ lib \
+ src \
+ man \
+ python \
+ tests \
+ po
+
+ACLOCAL_AMFLAGS = -I m4
+
+clean-local:
+ -rm -rf docs/doxygen_api_docs
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..168617a
--- /dev/null
+++ b/NEWS
@@ -0,0 +1 @@
+See docs/* directory for Release Notes.
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..86289a1
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,354 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+
+-----
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+
+You must obey the GNU General Public License in all respects
+for all of the code used other than OpenSSL. If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so. If you
+do not wish to do so, delete this exception statement from your
+version. If you delete this exception statement from all source
+files in the program, then also delete it here.
diff --git a/README b/README
new file mode 100644
index 0000000..613aa09
--- /dev/null
+++ b/README
@@ -0,0 +1,31 @@
+
+ cryptsetup
+
+setup cryptographic volumes for dm-crypt (including LUKS extension)
+
+WEB PAGE:
+
+ https://gitlab.com/cryptsetup/cryptsetup/
+
+FAQ:
+
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
+
+MAILING LIST:
+
+ E-MAIL: dm-crypt@saout.de
+ URL: http://www.saout.de/mailman/listinfo/dm-crypt
+
+DOWNLOAD:
+
+ https://www.kernel.org/pub/linux/utils/cryptsetup/
+
+SOURCE CODE:
+
+ URL: https://gitlab.com/cryptsetup/cryptsetup/tree/master
+ Checkout: git clone https://gitlab.com/cryptsetup/cryptsetup.git
+
+NLS (PO TRANSLATIONS):
+
+ PO files are maintained by:
+ http://translationproject.org/domain/cryptsetup.html
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d034709
--- /dev/null
+++ b/README.md
@@ -0,0 +1,90 @@
+
+
+What the ...?
+=============
+**Cryptsetup** is utility used to conveniently setup disk encryption based
+on [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
+
+These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**
+and **TrueCrypt** (including **VeraCrypt** extension) format.
+
+Project also includes **veritysetup** utility used to conveniently setup
+[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module.
+
+LUKS Design
+-----------
+**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not
+only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.
+In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header,
+enabling the user to transport or migrate his data seamlessly.
+
+Last version of the LUKS format specification is
+[available here](https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-format.pdf).
+
+Why LUKS?
+---------
+ * compatiblity via standardization,
+ * secure against low entropy attacks,
+ * support for multiple keys,
+ * effective passphrase revocation,
+ * free.
+
+[Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
+-----------------
+
+**CVE-2016-4484 (Initrd root shell)**
+
+This is problem in **intramfs** **scripts** only (these are **not** part of cryptsetup project), it is neiter bug in cryptsetup nor in LUKS.
+Some distributions could add these scripts to distributed package, please check your distro updates for more info.
+
+
+[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
+--------------------------------
+
+Download
+--------
+All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
+
+**The latest cryptsetup version is 1.7.5**
+ * [cryptsetup-1.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz)
+ * Signature [cryptsetup-1.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign)
+ _(You need to decompress file first to check signature.)_
+ * [Cryptsetup 1.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
+
+Previous versions
+ * [Version 1.7.4](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.xz) -
+ [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.sign) -
+ [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.4-ReleaseNotes).
+ * [Version 1.7.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.xz) -
+ [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.sign) -
+ [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.3-ReleaseNotes).
+ * [Version 1.7.2](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.xz) -
+ [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.sign) -
+ [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.2-ReleaseNotes).
+ * [Version 1.7.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.xz) -
+ [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.sign) -
+ [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.1-ReleaseNotes).
+ * [Version 1.7.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.xz) -
+ [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.sign) -
+ [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.0-ReleaseNotes).
+
+Source and API docs
+-------------------
+For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
+mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup).
+
+For libcryptsetup documentation see [libcryptsetup API](https://gitlab.com/cryptsetup/cryptsetup/wikis/API/index.html) page.
+
+The libcryptsetup API/ABI changes are tracked in [compatibility report](https://gitlab.com/cryptsetup/cryptsetup/wikis/ABI-tracker/timeline/libcryptsetup/index.html).
+
+NLS PO files are maintained by [TranslationProject](http://translationproject.org/domain/cryptsetup.html).
+
+Help!
+-----
+Please always read [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) first.
+For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, [dm-crypt@saout.de](mailto:dm-crypt@saout.de).
+
+If you want to subscribe just send an empty mail to [dm-crypt-subscribe@saout.de](mailto:dm-crypt-subscribe@saout.de).
+
+You can also browse [list archive](http://www.saout.de/pipermail/dm-crypt/) or read it through
+[web interface](http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt).
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..137136a
--- /dev/null
+++ b/TODO
@@ -0,0 +1,8 @@
+Version 1.7:
+- Export wipe device functions
+- Support K/M suffixes for align payload (new switch?).
+- TRIM for keyslots
+- Do we need crypt_data_path() - path to data device (if differs)?
+- Resync ETA time is not accurate, calculate it better (last minute window?).
+- Fix all crazy automake warnings (or switch to Cmake).
+- Nettle3 backend is not compatible
diff --git a/autogen.sh b/autogen.sh
new file mode 100755
index 0000000..ffc3002
--- /dev/null
+++ b/autogen.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+# Run this to generate all the initial makefiles, etc.
+
+srcdir=`dirname $0`
+PKG_NAME="cryptsetup"
+
+DIE=0
+
+(autopoint --version) < /dev/null > /dev/null 2>&1 || {
+ echo
+ echo "**Error**: You must have autopoint installed."
+ echo "Download the appropriate package for your distribution,"
+ echo "or see http://www.gnu.org/software/gettext"
+ DIE=1
+}
+
+(autoconf --version) < /dev/null > /dev/null 2>&1 || {
+ echo
+ echo "**Error**: You must have autoconf installed to."
+ echo "Download the appropriate package for your distribution,"
+ echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
+ DIE=1
+}
+
+(grep "^AM_PROG_LIBTOOL" $srcdir/configure.ac >/dev/null) && {
+ (libtool --version) < /dev/null > /dev/null 2>&1 || {
+ echo
+ echo "**Error**: You must have libtool installed."
+ echo "Get ftp://ftp.gnu.org/pub/gnu/"
+ echo "(or a newer version if it is available)"
+ DIE=1
+ }
+}
+
+(automake --version) < /dev/null > /dev/null 2>&1 || {
+ echo
+ echo "**Error**: You must have automake installed."
+ echo "Get ftp://ftp.gnu.org/pub/gnu/"
+ echo "(or a newer version if it is available)"
+ DIE=1
+ NO_AUTOMAKE=yes
+}
+
+
+# if no automake, don't bother testing for aclocal
+test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
+ echo
+ echo "**Error**: Missing aclocal. The version of automake"
+ echo "installed doesn't appear recent enough."
+ echo "Get ftp://ftp.gnu.org/pub/gnu/"
+ echo "(or a newer version if it is available)"
+ DIE=1
+}
+
+if test "$DIE" -eq 1; then
+ exit 1
+fi
+
+if test -z "$*"; then
+ echo
+ echo "**Warning**: I am going to run 'configure' with no arguments."
+ echo "If you wish to pass any to it, please specify them on the"
+ echo \'$0\'" command line."
+fi
+
+echo
+echo "Generate build-system by:"
+echo " autopoint: $(autopoint --version | head -1)"
+echo " aclocal: $(aclocal --version | head -1)"
+echo " autoconf: $(autoconf --version | head -1)"
+echo " automake: $(automake --version | head -1)"
+echo " libtoolize: $(libtoolize --version | head -1)"
+echo
+
+
+set -e
+autopoint --force $AP_OPTS
+libtoolize --force --copy
+aclocal -I m4 $AL_OPTS
+autoheader $AH_OPTS
+automake --add-missing --copy --gnu $AM_OPTS
+autoconf $AC_OPTS
+
+if test x$NOCONFIGURE = x; then
+ echo Running $srcdir/configure $conf_flags "$@" ...
+ $srcdir/configure $conf_flags "$@" \
+ && echo Now type \`make\' to compile $PKG_NAME
+else
+ echo Skipping configure process.
+fi
diff --git a/config.h b/config.h
new file mode 100644
index 0000000..e202d9c
--- /dev/null
+++ b/config.h
@@ -0,0 +1,340 @@
+/* config.h. Generated from config.h.in by configure. */
+/* config.h.in. Generated from configure.ac by autoheader. */
+
+/* Define if building universal (internal helper macro) */
+/* #undef AC_APPLE_UNIVERSAL_BUILD */
+
+/* maximum keyfile size (in KiB) */
+#define DEFAULT_KEYFILE_SIZE_MAXKB 8192
+
+/* cipher for loop-AES mode */
+#define DEFAULT_LOOPAES_CIPHER "aes"
+
+/* key length in bits for loop-AES mode */
+#define DEFAULT_LOOPAES_KEYBITS 256
+
+/* cipher for LUKS1 */
+#define DEFAULT_LUKS1_CIPHER "aes"
+
+/* hash function for LUKS1 header */
+#define DEFAULT_LUKS1_HASH "sha256"
+
+/* PBKDF2 iteration time for LUKS1 (in ms) */
+#define DEFAULT_LUKS1_ITER_TIME 2000
+
+/* key length in bits for LUKS1 */
+#define DEFAULT_LUKS1_KEYBITS 256
+
+/* cipher mode for LUKS1 */
+#define DEFAULT_LUKS1_MODE "xts-plain64"
+
+/* maximum keyfile size (in characters) */
+#define DEFAULT_PASSPHRASE_SIZE_MAX 512
+
+/* cipher for plain mode */
+#define DEFAULT_PLAIN_CIPHER "aes"
+
+/* password hashing function for plain mode */
+#define DEFAULT_PLAIN_HASH "ripemd160"
+
+/* key length in bits for plain mode */
+#define DEFAULT_PLAIN_KEYBITS 256
+
+/* cipher mode for plain mode */
+#define DEFAULT_PLAIN_MODE "cbc-essiv:sha256"
+
+/* default RNG type for key generator */
+#define DEFAULT_RNG "/dev/urandom"
+
+/* data block size for verity mode */
+#define DEFAULT_VERITY_DATA_BLOCK 4096
+
+/* parity bytes for verity FEC */
+#define DEFAULT_VERITY_FEC_ROOTS 2
+
+/* hash function for verity mode */
+#define DEFAULT_VERITY_HASH "sha256"
+
+/* hash block size for verity mode */
+#define DEFAULT_VERITY_HASH_BLOCK 4096
+
+/* salt size for verity mode */
+#define DEFAULT_VERITY_SALT_SIZE 32
+
+/* Enable using of kernel userspace crypto */
+#define ENABLE_AF_ALG 1
+
+/* Enable FIPS mode restrictions */
+/* #undef ENABLE_FIPS */
+
+/* Define to 1 if translation of program messages to the user's native
+ language is requested. */
+#define ENABLE_NLS 1
+
+/* Enable password quality checking using passwdqc library */
+/* #undef ENABLE_PASSWDQC */
+
+/* Enable password quality checking using pwquality library */
+/* #undef ENABLE_PWQUALITY */
+
+/* Requested gcrypt version */
+#define GCRYPT_REQ_VERSION "1.1.42"
+
+/* Define to 1 if you have the <byteswap.h> header file. */
+#define HAVE_BYTESWAP_H 1
+
+/* Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the
+ CoreFoundation framework. */
+/* #undef HAVE_CFLOCALECOPYCURRENT */
+
+/* Define to 1 if you have the MacOS X function CFPreferencesCopyAppValue in
+ the CoreFoundation framework. */
+/* #undef HAVE_CFPREFERENCESCOPYAPPVALUE */
+
+/* Define to 1 if you have the `clock_gettime' function. */
+#define HAVE_CLOCK_GETTIME 1
+
+/* Define to 1 if you have the <ctype.h> header file. */
+#define HAVE_CTYPE_H 1
+
+/* Define if the GNU dcgettext() function is already present or preinstalled.
+ */
+#define HAVE_DCGETTEXT 1
+
+/* Define to 1 if you have the declaration of `dm_task_retry_remove', and to 0
+ if you don't. */
+#define HAVE_DECL_DM_TASK_RETRY_REMOVE 1
+
+/* Define to 1 if you have the declaration of `dm_task_secure_data', and to 0
+ if you don't. */
+#define HAVE_DECL_DM_TASK_SECURE_DATA 1
+
+/* Define to 1 if you have the declaration of
+ `DM_UDEV_DISABLE_DISK_RULES_FLAG', and to 0 if you don't. */
+#define HAVE_DECL_DM_UDEV_DISABLE_DISK_RULES_FLAG 1
+
+/* Define to 1 if you have the declaration of `NSS_GetVersion', and to 0 if
+ you don't. */
+/* #undef HAVE_DECL_NSS_GETVERSION */
+
+/* Define to 1 if you have the declaration of `strerror_r', and to 0 if you
+ don't. */
+#define HAVE_DECL_STRERROR_R 1
+
+/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
+ */
+#define HAVE_DIRENT_H 1
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the <endian.h> header file. */
+#define HAVE_ENDIAN_H 1
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#define HAVE_FCNTL_H 1
+
+/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
+#define HAVE_FSEEKO 1
+
+/* Define if the GNU gettext() function is already present or preinstalled. */
+#define HAVE_GETTEXT 1
+
+/* Define if you have the iconv() function. */
+/* #undef HAVE_ICONV */
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the `devmapper' library (-ldevmapper). */
+/* #undef HAVE_LIBDEVMAPPER */
+
+/* Define to 1 if you have the `gcrypt' library (-lgcrypt). */
+/* #undef HAVE_LIBGCRYPT */
+
+/* Define to 1 if you have the `nettle' library (-lnettle). */
+/* #undef HAVE_LIBNETTLE */
+
+/* Define to 1 if you have the `popt' library (-lpopt). */
+#define HAVE_LIBPOPT 1
+
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+/* #undef HAVE_LIBSELINUX */
+
+/* Define to 1 if you have the `sepol' library (-lsepol). */
+/* #undef HAVE_LIBSEPOL */
+
+/* Define to 1 if you have the `uuid' library (-luuid). */
+#define HAVE_LIBUUID 1
+
+/* Define to 1 if you have the <linux/if_alg.h> header file. */
+#define HAVE_LINUX_IF_ALG_H 1
+
+/* Define to 1 if you have the <locale.h> header file. */
+#define HAVE_LOCALE_H 1
+
+/* Define to 1 if you have the <malloc.h> header file. */
+#define HAVE_MALLOC_H 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
+/* #undef HAVE_NDIR_H */
+
+/* Define to 1 if you have the <nettle/sha.h> header file. */
+/* #undef HAVE_NETTLE_SHA_H */
+
+/* Define to 1 if you have the `posix_memalign' function. */
+#define HAVE_POSIX_MEMALIGN 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strerror_r' function. */
+#define HAVE_STRERROR_R 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
+ */
+/* #undef HAVE_SYS_DIR_H */
+
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#define HAVE_SYS_IOCTL_H 1
+
+/* Define to 1 if you have the <sys/mman.h> header file. */
+#define HAVE_SYS_MMAN_H 1
+
+/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
+ */
+/* #undef HAVE_SYS_NDIR_H */
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+#define HAVE_SYS_SYSMACROS_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the <uuid/uuid.h> header file. */
+#define HAVE_UUID_UUID_H 1
+
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#define LT_OBJDIR ".libs/"
+
+/* Name of package */
+#define PACKAGE "cryptsetup"
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT ""
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "cryptsetup"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "cryptsetup 1.7.4-git"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "cryptsetup"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "1.7.4-git"
+
+/* passwdqc library config file */
+#define PASSWDQC_CONFIG_FILE ""
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* Define to 1 if strerror_r returns char *. */
+#define STRERROR_R_CHAR_P 1
+
+/* Use internal PBKDF2 */
+#define USE_INTERNAL_PBKDF2 1
+
+/* Enable extensions on AIX 3, Interix. */
+#ifndef _ALL_SOURCE
+# define _ALL_SOURCE 1
+#endif
+/* Enable GNU extensions on systems that have them. */
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE 1
+#endif
+/* Enable threading extensions on Solaris. */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# define _POSIX_PTHREAD_SEMANTICS 1
+#endif
+/* Enable extensions on HP NonStop. */
+#ifndef _TANDEM_SOURCE
+# define _TANDEM_SOURCE 1
+#endif
+/* Enable general extensions on Solaris. */
+#ifndef __EXTENSIONS__
+# define __EXTENSIONS__ 1
+#endif
+
+
+/* Try to use udev synchronisation? */
+#define USE_UDEV 1
+
+/* Version number of package */
+#define VERSION "1.7.4-git"
+
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+/* # undef WORDS_BIGENDIAN */
+# endif
+#endif
+
+/* Enable large inode numbers on Mac OS X 10.5. */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
+/* #undef _LARGEFILE_SOURCE */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
+
+/* Define to 1 if on MINIX. */
+/* #undef _MINIX */
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+ this defined. */
+/* #undef _POSIX_1_SOURCE */
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+/* #undef _POSIX_SOURCE */
+
+/* Define to empty if `const' does not conform to ANSI C. */
+/* #undef const */
+
+/* Define to `long int' if <sys/types.h> does not define. */
+/* #undef off_t */
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..9614d7a
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,477 @@
+AC_PREREQ([2.67])
+AC_INIT([cryptsetup],[1.7.4-git])
+
+dnl library version from <major>.<minor>.<release>[-<suffix>]
+LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
+LIBCRYPTSETUP_VERSION_INFO=11:0:7
+
+AM_SILENT_RULES([yes])
+AC_CONFIG_SRCDIR(src/cryptsetup.c)
+AC_CONFIG_MACRO_DIR([m4])
+
+AC_CONFIG_HEADERS([config.h:config.h.in])
+
+# We do not want to run test in parallel. Really.
+# http://lists.gnu.org/archive/html/automake/2013-01/msg00060.html
+
+# For old automake use this
+#AM_INIT_AUTOMAKE(dist-xz)
+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests])
+
+if test "x$prefix" = "xNONE"; then
+ sysconfdir=/etc
+fi
+AC_PREFIX_DEFAULT(/usr)
+
+AC_CANONICAL_HOST
+AC_USE_SYSTEM_EXTENSIONS
+AC_PROG_CC
+AM_PROG_CC_C_O
+AC_PROG_CPP
+AC_PROG_INSTALL
+AC_PROG_MAKE_SET
+AC_ENABLE_STATIC(no)
+LT_INIT
+PKG_PROG_PKG_CONFIG
+
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
+ sys/sysmacros.h ctype.h unistd.h locale.h byteswap.h endian.h)
+
+AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([You need the uuid library.])])
+AC_CHECK_HEADER(libdevmapper.h,,[AC_MSG_ERROR([You need the device-mapper library.])])
+
+saved_LIBS=$LIBS
+AC_CHECK_LIB(uuid, uuid_clear, ,[AC_MSG_ERROR([You need the uuid library.])])
+AC_SUBST(UUID_LIBS, $LIBS)
+LIBS=$saved_LIBS
+
+AC_SEARCH_LIBS([clock_gettime],[rt posix4])
+AC_CHECK_FUNCS([posix_memalign clock_gettime])
+
+if test "x$enable_largefile" = "xno" ; then
+ AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.])
+fi
+
+AC_C_CONST
+AC_C_BIGENDIAN
+AC_TYPE_OFF_T
+AC_SYS_LARGEFILE
+AC_FUNC_FSEEKO
+AC_PROG_GCC_TRADITIONAL
+AC_FUNC_STRERROR_R
+
+dnl ==========================================================================
+
+AM_GNU_GETTEXT([external],[need-ngettext])
+AM_GNU_GETTEXT_VERSION([0.15])
+
+dnl ==========================================================================
+
+saved_LIBS=$LIBS
+AC_CHECK_LIB(popt, poptConfigFileToString,,
+ [AC_MSG_ERROR([You need popt 1.7 or newer to compile.])])
+AC_SUBST(POPT_LIBS, $LIBS)
+LIBS=$saved_LIBS
+
+dnl ==========================================================================
+dnl FIPS extensions (only for RHEL)
+AC_ARG_ENABLE([fips], AS_HELP_STRING([--enable-fips],[enable FIPS mode restrictions]),
+[with_fips=$enableval],
+[with_fips=no])
+
+if test "x$with_fips" = "xyes"; then
+ AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions])
+
+ if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then
+ AC_MSG_ERROR([Static build is not compatible with FIPS.])
+ fi
+fi
+
+AC_DEFUN([NO_FIPS], [
+ if test "x$with_fips" = "xyes"; then
+ AC_MSG_ERROR([This option is not compatible with FIPS.])
+ fi
+])
+
+dnl ==========================================================================
+dnl pwquality library (cryptsetup CLI only)
+AC_ARG_ENABLE([pwquality],
+ AS_HELP_STRING([--enable-pwquality],
+ [enable password quality checking using pwquality library]),
+ [with_pwquality=$enableval],
+ [with_pwquality=no])
+
+if test "x$with_pwquality" = "xyes"; then
+ AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking using pwquality library])
+ PKG_CHECK_MODULES([PWQUALITY], [pwquality >= 1.0.0],,
+ AC_MSG_ERROR([You need pwquality library.]))
+
+ dnl FIXME: this is really hack for now
+ PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz"
+fi
+
+dnl ==========================================================================
+dnl passwdqc library (cryptsetup CLI only)
+AC_ARG_ENABLE([passwdqc],
+ AS_HELP_STRING([--enable-passwdqc@<:@=CONFIG_PATH@:>@],
+ [enable password quality checking using passwdqc library (optionally with CONFIG_PATH)]),
+ [enable_passwdqc=$enableval],
+ [enable_passwdqc=no])
+
+case "$enable_passwdqc" in
+ yes|no) use_passwdqc_config="" ;;
+ /*) use_passwdqc_config="$enable_passwdqc"; enable_passwdqc=yes ;;
+ *) AC_MSG_ERROR([Unrecognized --enable-passwdqc parameter.]) ;;
+esac
+AC_DEFINE_UNQUOTED([PASSWDQC_CONFIG_FILE], ["$use_passwdqc_config"], [passwdqc library config file])
+
+if test "x$enable_passwdqc" = "xyes"; then
+ AC_DEFINE(ENABLE_PASSWDQC, 1, [Enable password quality checking using passwdqc library])
+
+ PASSWDQC_LIBS="-lpasswdqc"
+fi
+
+if test "x$with_pwquality$enable_passwdqc" = "xyesyes"; then
+ AC_MSG_ERROR([--enable-pwquality and --enable-passwdqc are mutually incompatible.])
+fi
+
+dnl ==========================================================================
+dnl Crypto backend functions
+
+AC_DEFUN([CONFIGURE_GCRYPT], [
+ if test "x$with_fips" = "xyes"; then
+ GCRYPT_REQ_VERSION=1.4.5
+ else
+ GCRYPT_REQ_VERSION=1.1.42
+ fi
+ dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password)
+ AC_ARG_ENABLE([gcrypt-pbkdf2], AS_HELP_STRING([--enable-gcrypt-pbkdf2],[force enable internal gcrypt PBKDF2]),
+ if test "x$enableval" = "xyes"; then
+ [use_internal_pbkdf2=0]
+ else
+ [use_internal_pbkdf2=1]
+ fi,
+ [AM_PATH_LIBGCRYPT([1.6.1], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])])
+ AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])
+
+ AC_MSG_CHECKING([if internal cryptsetup PBKDF2 is compiled-in])
+ if test $use_internal_pbkdf2 = 0; then
+ AC_MSG_RESULT([no])
+ else
+ AC_MSG_RESULT([yes])
+ NO_FIPS([])
+ fi
+
+ if test x$enable_static_cryptsetup = xyes; then
+ saved_LIBS=$LIBS
+ LIBS="$saved_LIBS $LIBGCRYPT_LIBS -static"
+ AC_CHECK_LIB(gcrypt, gcry_check_version,,
+ AC_MSG_ERROR([Cannot find static gcrypt library.]),
+ [-lgpg-error])
+ LIBGCRYPT_STATIC_LIBS="$LIBGCRYPT_LIBS -lgpg-error"
+ LIBS=$saved_LIBS
+ fi
+
+ CRYPTO_CFLAGS=$LIBGCRYPT_CFLAGS
+ CRYPTO_LIBS=$LIBGCRYPT_LIBS
+ CRYPTO_STATIC_LIBS=$LIBGCRYPT_STATIC_LIBS
+
+ AC_DEFINE_UNQUOTED(GCRYPT_REQ_VERSION, ["$GCRYPT_REQ_VERSION"], [Requested gcrypt version])
+])
+
+AC_DEFUN([CONFIGURE_OPENSSL], [
+ PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],,
+ AC_MSG_ERROR([You need openssl library.]))
+ CRYPTO_CFLAGS=$OPENSSL_CFLAGS
+ CRYPTO_LIBS=$OPENSSL_LIBS
+ use_internal_pbkdf2=0
+
+ if test x$enable_static_cryptsetup = xyes; then
+ saved_PKG_CONFIG=$PKG_CONFIG
+ PKG_CONFIG="$PKG_CONFIG --static"
+ PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl])
+ CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS
+ PKG_CONFIG=$saved_PKG_CONFIG
+ fi
+ NO_FIPS([])
+])
+
+AC_DEFUN([CONFIGURE_NSS], [
+ if test x$enable_static_cryptsetup = xyes; then
+ AC_MSG_ERROR([Static build of cryptsetup is not supported with NSS.])
+ fi
+
+ AC_MSG_WARN([NSS backend does NOT provide backward compatibility (missing ripemd160 hash).])
+
+ PKG_CHECK_MODULES([NSS], [nss],,
+ AC_MSG_ERROR([You need nss library.]))
+
+ saved_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS $NSS_CFLAGS"
+ AC_CHECK_DECLS([NSS_GetVersion], [], [], [#include <nss.h>])
+ CFLAGS=$saved_CFLAGS
+
+ CRYPTO_CFLAGS=$NSS_CFLAGS
+ CRYPTO_LIBS=$NSS_LIBS
+ use_internal_pbkdf2=1
+ NO_FIPS([])
+])
+
+AC_DEFUN([CONFIGURE_KERNEL], [
+ AC_CHECK_HEADERS(linux/if_alg.h,,
+ [AC_MSG_ERROR([You need Linux kernel headers with userspace crypto interface.])])
+# AC_CHECK_DECLS([AF_ALG],,
+# [AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
+# [#include <sys/socket.h>])
+ use_internal_pbkdf2=1
+ NO_FIPS([])
+])
+
+AC_DEFUN([CONFIGURE_NETTLE], [
+ AC_CHECK_HEADERS(nettle/sha.h,,
+ [AC_MSG_ERROR([You need Nettle cryptographic library.])])
+
+ saved_LIBS=$LIBS
+ AC_CHECK_LIB(nettle, nettle_pbkdf2_hmac_sha256,,
+ [AC_MSG_ERROR([You need Nettle library version 2.6 or more recent.])])
+ CRYPTO_LIBS=$LIBS
+ LIBS=$saved_LIBS
+
+ CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+ use_internal_pbkdf2=0
+ NO_FIPS([])
+])
+
+dnl ==========================================================================
+saved_LIBS=$LIBS
+
+AC_ARG_ENABLE([static-cryptsetup],
+ AS_HELP_STRING([--enable-static-cryptsetup],
+ [enable build of static cryptsetup binary]))
+if test x$enable_static_cryptsetup = xyes; then
+ if test x$enable_static = xno; then
+ AC_MSG_WARN([Requested static cryptsetup build, enabling static library.])
+ enable_static=yes
+ fi
+fi
+AM_CONDITIONAL(STATIC_TOOLS, test x$enable_static_cryptsetup = xyes)
+
+AC_ARG_ENABLE(veritysetup,
+ AS_HELP_STRING([--disable-veritysetup],
+ [disable veritysetup support]),[], [enable_veritysetup=yes])
+AM_CONDITIONAL(VERITYSETUP, test x$enable_veritysetup = xyes)
+
+AC_ARG_ENABLE([cryptsetup-reencrypt],
+ AS_HELP_STRING([--enable-cryptsetup-reencrypt],
+ [enable cryptsetup-reencrypt tool]))
+AM_CONDITIONAL(REENCRYPT, test x$enable_cryptsetup_reencrypt = xyes)
+
+AC_ARG_ENABLE(selinux,
+ AS_HELP_STRING([--disable-selinux],
+ [disable selinux support [default=auto]]),[], [])
+
+AC_ARG_ENABLE([udev],
+ AS_HELP_STRING([--disable-udev],
+ [disable udev support]),[], enable_udev=yes)
+
+dnl Try to use pkg-config for devmapper, but fallback to old detection
+PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03],, [
+ AC_CHECK_LIB(devmapper, dm_task_set_name,,
+ [AC_MSG_ERROR([You need the device-mapper library.])])
+ AC_CHECK_LIB(devmapper, dm_task_set_message,,
+ [AC_MSG_ERROR([The device-mapper library on your system is too old.])])
+ DEVMAPPER_LIBS=$LIBS
+])
+LIBS=$saved_LIBS
+
+LIBS="$LIBS $DEVMAPPER_LIBS"
+AC_CHECK_DECLS([dm_task_secure_data], [], [], [#include <libdevmapper.h>])
+AC_CHECK_DECLS([dm_task_retry_remove], [], [], [#include <libdevmapper.h>])
+AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include <libdevmapper.h>])
+if test "x$enable_udev" = xyes; then
+ if test "x$have_cookie" = xno; then
+ AC_MSG_WARN([The device-mapper library on your system has no udev support, udev support disabled.])
+ else
+ AC_DEFINE(USE_UDEV, 1, [Try to use udev synchronisation?])
+ fi
+fi
+LIBS=$saved_LIBS
+
+dnl Crypto backend configuration.
+AC_ARG_WITH([crypto_backend],
+ AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle) [gcrypt]]),
+ [], with_crypto_backend=gcrypt
+)
+
+dnl Kernel crypto API backend needed for benchmark and tcrypt
+AC_ARG_ENABLE([kernel_crypto], AS_HELP_STRING([--disable-kernel_crypto],
+ [disable kernel userspace crypto (no benchmark and tcrypt)]),
+ [with_kernel_crypto=$enableval],
+ [with_kernel_crypto=yes])
+
+if test "x$with_kernel_crypto" = "xyes"; then
+ AC_CHECK_HEADERS(linux/if_alg.h,,
+ [AC_MSG_ERROR([You need Linux kernel headers with userspace crypto interface. (Or use --disable-kernel_crypto.)])])
+ AC_DEFINE(ENABLE_AF_ALG, 1, [Enable using of kernel userspace crypto])
+fi
+
+case $with_crypto_backend in
+ gcrypt) CONFIGURE_GCRYPT([]) ;;
+ openssl) CONFIGURE_OPENSSL([]) ;;
+ nss) CONFIGURE_NSS([]) ;;
+ kernel) CONFIGURE_KERNEL([]) ;;
+ nettle) CONFIGURE_NETTLE([]) ;;
+ *) AC_MSG_ERROR([Unknown crypto backend.]) ;;
+esac
+AM_CONDITIONAL(CRYPTO_BACKEND_GCRYPT, test $with_crypto_backend = gcrypt)
+AM_CONDITIONAL(CRYPTO_BACKEND_OPENSSL, test $with_crypto_backend = openssl)
+AM_CONDITIONAL(CRYPTO_BACKEND_NSS, test $with_crypto_backend = nss)
+AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL, test $with_crypto_backend = kernel)
+AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE, test $with_crypto_backend = nettle)
+
+AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
+AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])
+
+dnl Magic for cryptsetup.static build.
+if test x$enable_static_cryptsetup = xyes; then
+ saved_PKG_CONFIG=$PKG_CONFIG
+ PKG_CONFIG="$PKG_CONFIG --static"
+
+ LIBS="$saved_LIBS -static"
+ AC_CHECK_LIB(popt, poptGetContext,,
+ AC_MSG_ERROR([Cannot find static popt library.]))
+
+ dnl Try to detect needed device-mapper static libraries, try pkg-config first.
+ LIBS="$saved_LIBS -static"
+ PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper >= 1.02.27],,[
+ DEVMAPPER_STATIC_LIBS=$DEVMAPPER_LIBS
+ if test "x$enable_selinux" != xno; then
+ AC_CHECK_LIB(sepol, sepol_bool_set)
+ AC_CHECK_LIB(selinux, is_selinux_enabled)
+ DEVMAPPER_STATIC_LIBS="$DEVMAPPER_STATIC_LIBS $LIBS"
+ fi
+ ])
+ LIBS="$saved_LIBS $DEVMAPPER_STATIC_LIBS"
+ AC_CHECK_LIB(devmapper, dm_task_set_uuid,,
+ AC_MSG_ERROR([Cannot link with static device-mapper library.]))
+
+ dnl Try to detect uuid static library.
+ LIBS="$saved_LIBS -static"
+ AC_CHECK_LIB(uuid, uuid_generate,,
+ AC_MSG_ERROR([Cannot find static uuid library.]))
+
+ LIBS=$saved_LIBS
+ PKG_CONFIG=$saved_PKG_CONFIG
+fi
+
+AC_SUBST([DEVMAPPER_LIBS])
+AC_SUBST([DEVMAPPER_STATIC_LIBS])
+
+AC_SUBST([PWQUALITY_LIBS])
+AC_SUBST([PWQUALITY_STATIC_LIBS])
+
+AC_SUBST([PASSWDQC_LIBS])
+
+AC_SUBST([CRYPTO_CFLAGS])
+AC_SUBST([CRYPTO_LIBS])
+AC_SUBST([CRYPTO_STATIC_LIBS])
+
+AC_SUBST([LIBCRYPTSETUP_VERSION])
+AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
+
+dnl ==========================================================================
+AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random],
+[use blocking /dev/random by default for key generator (otherwise use /dev/urandom)]),
+[default_rng=/dev/random], [default_rng=/dev/urandom])
+AC_DEFINE_UNQUOTED(DEFAULT_RNG, ["$default_rng"], [default RNG type for key generator])
+
+dnl ==========================================================================
+AC_DEFUN([CS_DEFINE],
+ [AC_DEFINE_UNQUOTED(DEFAULT_[]m4_translit([$1], [-a-z], [_A-Z]), [$2], [$3])
+])
+
+AC_DEFUN([CS_STR_WITH], [AC_ARG_WITH([$1],
+ [AS_HELP_STRING(--with-[$1], [default $2 [$3]])],
+ [CS_DEFINE([$1], ["$withval"], [$2])],
+ [CS_DEFINE([$1], ["$3"], [$2])]
+)])
+
+AC_DEFUN([CS_NUM_WITH], [AC_ARG_WITH([$1],
+ [AS_HELP_STRING(--with-[$1], [default $2 [$3]])],
+ [CS_DEFINE([$1], [$withval], [$2])],
+ [CS_DEFINE([$1], [$3], [$2])]
+)])
+
+dnl ==========================================================================
+dnl Python bindings
+AC_ARG_ENABLE([python], AS_HELP_STRING([--enable-python],[enable Python bindings]),
+[with_python=$enableval],
+[with_python=no])
+
+AC_ARG_WITH([python_version],
+ AS_HELP_STRING([--with-python_version=VERSION], [required Python version [2.6]]),
+ [PYTHON_VERSION=$withval], [PYTHON_VERSION=2.6])
+
+if test "x$with_python" = "xyes"; then
+ AM_PATH_PYTHON([$PYTHON_VERSION])
+
+ AC_PATH_PROGS([PYTHON_CONFIG], [python${PYTHON_VERSION}-config python-config], [no])
+ if test "${PYTHON_CONFIG}" = "no"; then
+ AC_MSG_ERROR([cannot find python${PYTHON_VERSION}-config or python-config in PATH])
+ fi
+
+ AC_MSG_CHECKING(for python headers using $PYTHON_CONFIG --includes)
+ PYTHON_INCLUDES=$($PYTHON_CONFIG --includes)
+ AC_MSG_RESULT($PYTHON_INCLUDES)
+ AC_SUBST(PYTHON_INCLUDES)
+
+ AC_MSG_CHECKING(for python libraries using $PYTHON_CONFIG --libs)
+ PYTHON_LIBS=$($PYTHON_CONFIG --libs)
+ AC_MSG_RESULT($PYTHON_LIBS)
+ AC_SUBST(PYTHON_LIBS)
+fi
+AM_CONDITIONAL([PYTHON_CRYPTSETUP], [test "x$with_python" = "xyes"])
+
+dnl ==========================================================================
+CS_STR_WITH([plain-hash], [password hashing function for plain mode], [ripemd160])
+CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
+CS_STR_WITH([plain-mode], [cipher mode for plain mode], [cbc-essiv:sha256])
+CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])
+
+CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha256])
+CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes])
+CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [xts-plain64])
+CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
+CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in ms)], [2000])
+
+CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
+CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])
+
+CS_NUM_WITH([keyfile-size-maxkb],[maximum keyfile size (in KiB)], [8192])
+CS_NUM_WITH([passphrase-size-max],[maximum keyfile size (in characters)], [512])
+
+CS_STR_WITH([verity-hash], [hash function for verity mode], [sha256])
+CS_NUM_WITH([verity-data-block], [data block size for verity mode], [4096])
+CS_NUM_WITH([verity-hash-block], [hash block size for verity mode], [4096])
+CS_NUM_WITH([verity-salt-size], [salt size for verity mode], [32])
+CS_NUM_WITH([verity-fec-roots], [parity bytes for verity FEC], [2])
+
+dnl ==========================================================================
+
+AC_CONFIG_FILES([ Makefile
+lib/Makefile
+lib/libcryptsetup.pc
+lib/crypto_backend/Makefile
+lib/luks1/Makefile
+lib/loopaes/Makefile
+lib/verity/Makefile
+lib/tcrypt/Makefile
+src/Makefile
+po/Makefile.in
+man/Makefile
+tests/Makefile
+python/Makefile
+])
+AC_OUTPUT
diff --git a/docs/ChangeLog.old b/docs/ChangeLog.old
new file mode 100644
index 0000000..e51d362
--- /dev/null
+++ b/docs/ChangeLog.old
@@ -0,0 +1,887 @@
+2012-12-21 Milan Broz <gmazyland@gmail.com>
+ * Since version 1.6 This file is no longer maintained.
+ * See version control log http://code.google.com/p/cryptsetup/source/list
+
+2012-10-11 Milan Broz <gmazyland@gmail.com>
+ * Added keyslot checker (by Arno Wagner).
+ * Version 1.5.1.
+
+2012-09-11 Milan Broz <gmazyland@gmail.com>
+ * Add crypt_keyslot_area() API call.
+
+2012-08-27 Milan Broz <gmazyland@gmail.com>
+ * Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
+ * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
+
+2012-08-12 Milan Broz <gmazyland@gmail.com>
+ * Allocate loop device late (only when real block device needed).
+ * Rework underlying device/file access functions.
+ * Create hash image if doesn't exist in veritysetup format.
+ * Provide better error message if running as non-root user (device-mapper, loop).
+
+2012-07-10 Milan Broz <gmazyland@gmail.com>
+ * Version 1.5.0.
+
+2012-06-25 Milan Broz <gmazyland@gmail.com>
+ * Add --device-size option for reencryption tool.
+ * Switch to use unit suffix for --reduce-device-size option.
+ * Remove open device debugging feature (no longer needed).
+ * Fix library name for FIPS check.
+
+2012-06-20 Milan Broz <gmazyland@gmail.com>
+ * Version 1.5.0-rc2.
+
+2012-06-18 Milan Broz <gmazyland@gmail.com>
+ * Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
+ * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
+ * Add --test-passphrase option for luksOpen (check passphrase only).
+
+2012-06-11 Milan Broz <gmazyland@gmail.com>
+ * Introduce veritysetup for dm-verity target management.
+ * Version 1.5.0-rc1.
+
+2012-06-10 Milan Broz <gmazyland@gmail.com>
+ * Both data and header device can now be a file.
+ * Loop is automatically allocated in crypt_set_data_device().
+ * Require only up to last keyslot area for header device (ignore data offset).
+ * Fix header backup and restore to work on files with large data offset.
+
+2012-05-27 Milan Broz <gmazyland@gmail.com>
+ * Fix readonly activation if underlying device is readonly (1.4.0).
+ * Include stddef.h in libdevmapper.h (size_t definition).
+ * Version 1.4.3.
+
+2012-05-21 Milan Broz <gmazyland@gmail.com>
+ * Add --enable-fips for linking with fipscheck library.
+ * Initialize binary and library selfcheck if running in FIPS mode.
+ * Use FIPS RNG in FIPS mode for KEY and SALT (only gcrypt backend supported).
+
+2012-05-09 Milan Broz <gmazyland@gmail.com>
+ * Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
+ * Allow empty cipher (cipher_null) for testing.
+
+2012-05-02 Milan Broz <gmazyland@gmail.com>
+ * Fix loop mapping on readonly file.
+ * Relax --shared test, allow mapping even for overlapping segments.
+ * Support shared flag for LUKS devices (dangerous).
+ * Switch on retry on device remove for libdevmapper.
+ * Allow "private" activation (skip some udev global rules) flag.
+
+2012-04-09 Milan Broz <gmazyland@gmail.com>
+ * Fix header check to support old (cryptsetup 1.0.0) header alignment. (1.4.0)
+ * Version 1.4.2.
+
+2012-03-16 Milan Broz <gmazyland@gmail.com>
+ * Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
+ * Add repair command and crypt_repair() for known LUKS metadata problems repair.
+ * Allow to specify --align-payload only for luksFormat.
+
+2012-03-16 Milan Broz <mbroz@redhat.com>
+ * Unify password verification option.
+ * Support password verification with quiet flag if possible. (1.2.0)
+ * Fix retry if entered passphrases (with verify option) do not match.
+ * Support UUID=<LUKS_UUID> format for device specification.
+
+2012-02-11 Milan Broz <mbroz@redhat.com>
+ * Add --master-key-file option to luksOpen (open using volume key).
+
+2012-01-12 Milan Broz <mbroz@redhat.com>
+ * Fix use of empty keyfile.
+
+2011-11-13 Milan Broz <mbroz@redhat.com>
+ * Fix error message for luksClose and detached LUKS header.
+ * Allow --header for status command to get full info with detached header.
+
+2011-11-09 Milan Broz <mbroz@redhat.com>
+ * Version 1.4.1.
+
+2011-11-05 Milan Broz <mbroz@redhat.com>
+ * Merge pycryptsetup (Python libcryptsetup bindings).
+ * Fix stupid typo in set_iteration_time API call.
+ * Fix cryptsetup status output if parameter is device path.
+
+2011-10-27 Milan Broz <mbroz@redhat.com>
+ * Fix crypt_get_volume_key_size() for plain device.
+ * Fix FSF address in license text.
+
+2011-10-25 Milan Broz <mbroz@redhat.com>
+ * Print informative message in isLuks only in verbose mode.
+ * Version 1.4.0.
+
+2011-10-10 Milan Broz <mbroz@redhat.com>
+ * Version 1.4.0-rc1.
+
+2011-10-05 Milan Broz <mbroz@redhat.com>
+ * Support Nettle 2.4 crypto backend (for ripemd160).
+ * If device is not rotational, do not use Gutmann wipe method.
+ * Add crypt_last_error() API call.
+ * Fix luksKillSLot exit code if slot is inactive or invalid.
+ * Fix exit code if passphrases do not match in luksAddKey.
+ * Add LUKS on-disk format description into package.
+
+2011-09-22 Milan Broz <mbroz@redhat.com>
+ * Support key-slot option for luksOpen (use only explicit keyslot).
+
+2011-08-22 Milan Broz <mbroz@redhat.com>
+ * Add more paranoid checks for LUKS header and keyslot attributes.
+ * Fix crypt_load to properly check device size.
+ * Use new /dev/loop-control (kernel 3.1) if possible.
+ * Enhance check of device size before writing LUKS header.
+ * Do not allow context format of already formatted device.
+
+2011-07-25 Milan Broz <mbroz@redhat.com>
+ * Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
+ * Improve check for invalid offset and size values.
+
+2011-07-19 Milan Broz <mbroz@redhat.com>
+ * Revert default initialisation of volume key in crypt_init_by_name().
+ * Do not allow key retrieval while suspended (key could be wiped).
+ * Do not allow suspend for non-LUKS devices.
+ * Support retries and timeout parameters for luksSuspend.
+ * Add --header option for detached metadata (on-disk LUKS header) device.
+ * Add crypt_init_by_name_and_header() and crypt_set_data_device() to API.
+ * Allow different data offset setting for detached header.
+
+2011-07-07 Milan Broz <mbroz@redhat.com>
+ * Remove old API functions (all functions using crypt_options).
+ * Add --enable-discards option to allow discards/TRIM requests.
+ * Add crypt_get_iv_offset() function to API.
+
+2011-07-01 Milan Broz <mbroz@redhat.com>
+ * Add --shared option for creating non-overlapping crypt segments.
+ * Add shared flag to libcryptsetup api.
+ * Fix plain crypt format parameters to include size option (API change).
+
+2011-06-08 Milan Broz <mbroz@redhat.com>
+ * Fix return code for status command when device doesn't exists.
+
+2011-05-24 Milan Broz <mbroz@redhat.com>
+ * Version 1.3.1.
+
+2011-05-17 Milan Broz <mbroz@redhat.com>
+ * Fix keyfile=- processing in create command (1.3.0).
+ * Simplify device path status check.
+
+2011-05-03 Milan Broz <mbroz@redhat.com>
+ * Do not ignore size argument for create command (1.2.0).
+
+2011-04-18 Milan Broz <mbroz@redhat.com>
+ * Fix error paths in blockwise code and lseek_write call.
+ * Add Nettle crypto backend support.
+
+2011-04-05 Milan Broz <mbroz@redhat.com>
+ * Version 1.3.0.
+
+2011-03-22 Milan Broz <mbroz@redhat.com>
+ * Also support --skip and --hash option for loopaesOpen.
+ * Fix return code when passphrase is read from pipe.
+ * Document cryptsetup exit codes.
+
+2011-03-18 Milan Broz <mbroz@redhat.com>
+ * Respect maximum keyfile size paramater.
+ * Introduce maximum default keyfile size, add configure option.
+ * Require the whole key read from keyfile in create command (broken in 1.2.0).
+ * Fix offset option for loopaesOpen.
+ * Lock memory also in luksDump command.
+ * Version 1.3.0-rc2.
+
+2011-03-14 Milan Broz <mbroz@redhat.com>
+ * Version 1.3.0-rc1.
+
+2011-03-11 Milan Broz <mbroz@redhat.com>
+ * Add loop manipulation code and support mapping of images in file.
+ * Add backing device loop info into status message.
+ * Add luksChangeKey command.
+
+2011-03-05 Milan Broz <mbroz@redhat.com>
+ * Add exception to COPYING for binary distribution linked with OpenSSL library.
+ * Set secure data flag (wipe all ioclt buffers) if devmapper library supports it.
+
+2011-01-29 Milan Broz <mbroz@redhat.com>
+ * Fix mapping removal if device disappeared but node still exists.
+ * Fix luksAddKey return code if master key is used.
+
+2011-01-25 Milan Broz <mbroz@redhat.com>
+ * Add loop-AES handling (loopaesOpen and loopaesClose commands).
+ (requires kernel 2.6.38 and above)
+
+2011-01-05 Milan Broz <mbroz@redhat.com>
+ * Fix static build (--disable-static-cryptsetup now works properly).
+
+2010-12-30 Milan Broz <mbroz@redhat.com>
+ * Add compile time crypto backends implementation
+ (gcrypt, OpenSSL, NSS and userspace Linux kernel crypto api).
+ * Currently NSS is lacking ripemd160, cannot provide full plain compatibility.
+ * Use --with-crypto_backend=[gcrypt|openssl|nss|kernel] to configure.
+
+2010-12-20 Milan Broz <mbroz@redhat.com>
+ * Version 1.2.0.
+
+2010-11-25 Milan Broz <mbroz@redhat.com>
+ * Fix crypt_activate_by_keyfile() to work with PLAIN devices.
+ * Fix create command to properly handle keyfile size.
+
+2010-11-16 Milan Broz <mbroz@redhat.com>
+ * Version 1.2.0-rc1.
+
+2010-11-13 Milan Broz <mbroz@redhat.com>
+ * Fix password callback call.
+ * Fix default plain password entry from terminal in activate_by_passphrase.
+ * Add --dump-master-key option for luksDump to allow volume key dump.
+ * Allow to activate by internally cached volume key
+ (format/activate without keyslots active - used for temporary devices).
+ * Initialize volume key from active device in crypt_init_by_name()
+ * Fix cryptsetup binary exitcodes.
+ * Increase library version (still binary compatible with 1.1.x release).
+
+2010-11-01 Milan Broz <mbroz@redhat.com>
+ * No longer support luksDelKey, reload and --non-exclusive.
+ * Remove some obsolete info from man page.
+ * Add crypt_get_type(), crypt_resize(), crypt_keyslot_max()
+ and crypt_get_active_device() to API.
+ * Rewrite all implementations in cryptsetup to new API.
+ * Fix luksRemoveKey to behave as documented (do not ask
+ for remaining keyslot passphrase).
+ * Add more regression tests for commands.
+ * Disallow mapping of device which is already in use (mapped or mounted).
+ * Disallow luksFormat on device in use.
+
+2010-10-27 Milan Broz <mbroz@redhat.com>
+ * Rewrite cryptsetup luksFormat, luksOpen, luksAddKey to use new API
+ to allow adding new features.
+ * Implement --use-random and --use-urandom for luksFormat to allow
+ setting of RNG for volume key generator.
+ * Add crypt_set_rng_type() and crypt_get_rng_type() to API.
+ * Add crypt_set_uuid() to API.
+ * Allow UUID setting in luksFormat and luksUUID (--uuid parameter).
+ * Add --keyfile-size and --new-keyfile-size (in bytes) size and disallow overloading
+ of --key-size for limiting keyfile reads.
+ * Fix luksFormat to properly use key file with --master-key-file switch.
+ * Fix possible double free when handling master key file.
+
+2010-10-17 Milan Broz <mbroz@redhat.com>
+ * Add crypt_get_device_name() to API (get underlying device name).
+ * Change detection for static libraries.
+ * Fix pkg-config use in automake scripts.
+ * Remove --disable-shared-library switch and handle static library build
+ by common libtool logic (using --enable-static).
+ * Add --enable-static-cryptsetup option to build cryptsetup.static binary
+ together with shared build.
+
+2010-08-05 Milan Broz <mbroz@redhat.com>
+ * Wipe iteration and salt after KillSlot in LUKS header.
+ * Rewrite file differ test to C (and fix it to really work).
+ * Switch to 1MiB default alignment of data.
+ For more info see https://bugzilla.redhat.com/show_bug.cgi?id=621684
+ * Do not query non-existent device twice (cryptsetup status /dev/nonexistent).
+ * Check if requested hash is supported before writing LUKS header.
+
+2010-07-28 Arno Wagner <arno@wagner.name>
+ * Add FAQ (Frequently Asked Questions) file to distribution.
+
+2010-07-03 Milan Broz <mbroz@redhat.com>
+ * Fix udev support for old libdevmapper with not compatible definition.
+ * Version 1.1.3.
+
+2010-06-01 Milan Broz <mbroz@redhat.com>
+ * Fix device alignment ioctl calls parameters.
+ * Fix activate_by_* API calls to handle NULL device name as documented.
+
+2010-05-30 Milan Broz <mbroz@redhat.com>
+ * Version 1.1.2.
+
+2010-05-27 Milan Broz <mbroz@redhat.com>
+ * Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+ * Support --key-file/-d option for luksFormat.
+ * Fix description of --key-file and add --verbose and --debug options to man page.
+ * Add verbose log level and move unlocking message there.
+ * Remove device even if underlying device disappeared.
+ * Fix (deprecated) reload device command to accept new device argument.
+
+2010-05-23 Milan Broz <mbroz@redhat.com>
+ * Fix luksClose operation for stacked DM devices.
+ * Version 1.1.1.
+
+2010-05-03 Milan Broz <mbroz@redhat.com>
+ * Fix automatic dm-crypt module loading.
+ * Escape hyphens in man page.
+ * Version 1.1.1-rc2.
+
+2010-04-30 Milan Broz <mbroz@redhat.com>
+ * Try to use pkgconfig for device mapper library.
+ * Detect old dm-crypt module and disable LUKS suspend/resume.
+ * Fix apitest to work on older systems.
+ * Allow no hash specification in plain device constructor.
+ * Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
+ * Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
+ * Version 1.1.1-rc1.
+
+2010-04-12 Milan Broz <mbroz@redhat.com>
+ * Fix package config to use proper package version.
+ * Avoid class C++ keyword in library header.
+ * Detect and use devmapper udev support if available (disable by --disable-udev).
+
+2010-04-06 Milan Broz <mbroz@redhat.com>
+ * Prefer some device paths in status display.
+ * Support device topology detectionfor data alignment.
+
+2010-02-25 Milan Broz <mbroz@redhat.com>
+ * Do not verify unlocking passphrase in luksAddKey command.
+ * Properly initialise crypto backend in header backup/restore commands.
+
+2010-01-17 Milan Broz <mbroz@redhat.com>
+ * If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c).
+ * Version 1.1.0.
+
+2010-01-10 Milan Broz <mbroz@redhat.com>
+ * Fix initialisation of gcrypt duting luksFormat.
+ * Convert hash name to lower case in header (fix sha1 backward comatible header)
+ * Check for minimum required gcrypt version.
+
+2009-12-30 Milan Broz <mbroz@redhat.com>
+ * Fix key slot iteration count calculation (small -i value was the same as default).
+ * The slot and key digest iteration minimun is now 1000.
+ * The key digest iteration # is calculated from iteration time (approx 1/8 of that).
+ * Version 1.1.0-rc4.
+
+2009-12-11 Milan Broz <mbroz@redhat.com>
+ * Fix error handling during reading passhrase.
+
+2009-12-01 Milan Broz <mbroz@redhat.com>
+ * Allow changes of default compiled-in cipher parameters through configure.
+ * Switch default key size for LUKS to 256bits.
+ * Switch default plain mode to aes-cbc-essiv:sha256 (default is backward incompatible!).
+
+2009-11-14 Milan Broz <mbroz@redhat.com>
+ * Add CRYPT_ prefix to enum defined in libcryptsetup.h.
+ * Fix status call to fail when running as non-root user.
+ * Check in configure if selinux libraries are required in static version.
+ * Add temporary debug code to find processes locking internal device.
+ * Simplify build system, use autopoint and clean gettext processing.
+ * Use proper NLS macros and detection (so the message translation works again).
+ * Version 1.1.0-rc3.
+
+2009-09-30 Milan Broz <mbroz@redhat.com>
+ * Fix exported symbols and versions in libcryptsetup.
+ * Do not use internal lib functions in cryptsetup.
+ * Add crypt_log to library.
+ * Fix crypt_remove_device (remove, luksClose) implementation.
+ * Move dm backend initialisation to library calls.
+ * Move duplicate Command failed message to verbose level (error is printed always).
+ * Add some password and used algorithms notes to man page.
+ * Version 1.1.0-rc2.
+
+2009-09-28 Milan Broz <mbroz@redhat.com>
+ * Add luksHeaderBackup and luksHeaderRestore commands.
+ * Fail passphrase read if piped input no longer exists.
+ * Version 1.1.0-rc1.
+
+2009-09-15 Milan Broz <mbroz@redhat.com>
+ * Initialize crypto library before LUKS header load.
+ * Fix manpage to not require --size which expands to device size by default.
+
+2009-09-10 Milan Broz <mbroz@redhat.com>
+ * Clean up Makefiles and configure script.
+ * Version 1.1.0-test0.
+
+2009-09-08 Milan Broz <mbroz@redhat.com>
+ * Use dm-uuid for all crypt devices, contains device type and name now.
+ * Try to read first sector from device to properly check that device is ready.
+
+2009-09-02 Milan Broz <mbroz@redhat.com>
+ * Add luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
+
+2009-08-30 Milan Broz <mbroz@redhat.com>
+ * Require device device-mapper to build and do not use backend wrapper for dm calls.
+ * Move memory locking and dm initialization to command layer.
+ * Increase priority of process if memory is locked.
+ * Add log macros and make logging modre consitent.
+ * Move command successful messages to verbose level.
+ * Introduce --debug parameter.
+ * Move device utils code and provide context parameter (for log).
+ * Keyfile now must be provided by path, only stdin file descriptor is used (api only).
+ * Do not call isatty() on closed keyfile descriptor.
+ * Run performance check for PBKDF2 from LUKS code, do not mix hash algoritms results.
+ * Add ability to provide pre-generated master key and UUID in LUKS header format.
+ * Add LUKS function to verify master key digest.
+ * Move key slot manuipulation function into LUKS specific code.
+ * Replace global options struct with separate parameters in helper functions.
+ * Add new libcryptsetup API (documented in libcryptsetup.h).
+ * Implement old API calls using new functions.
+ * Remove old API code helper functions.
+ * Add --master-key-file option for luksFormat and luksAddKey.
+
+2009-08-17 Milan Broz <mbroz@redhat.com>
+ * Fix PBKDF2 speed calculation for large passhrases.
+ * Allow using passphrase provided in options struct for LuksOpen.
+ * Allow restrict keys size in LuksOpen.
+
+2009-07-30 Milan Broz <mbroz@redhat.com>
+ * Fix errors when compiled with LUKS_DEBUG.
+ * Print error when getline fails.
+ * Remove po/cryptsetup-luks.pot, it's autogenerated.
+ * Return ENOENT for empty keyslots, EINVAL will be used later for other type of error.
+ * Switch PBKDF2 from internal SHA1 to libgcrypt, make hash algorithm not hardcoded to SHA1 here.
+ * Add required parameters for changing hash used in LUKS key setup scheme.
+ * Do not export simple XOR helper now used only inside AF functions.
+ * Completely remove internal SHA1 implementanion code, not needed anymore.
+ * Enable hash algorithm selection for LUKS through -h luksFormat option.
+
+2009-07-28 Milan Broz <mbroz@redhat.com>
+ * Pad luks header to 512 sector size.
+ * Rework read/write blockwise to not split operation to many pieces.
+ * Use posix_memalign if available.
+
+2009-07-22 Milan Broz <mbroz@redhat.com>
+ * Fix segfault if provided slot in luksKillslot is invalid.
+ * Remove unneeded timeout when remove of temporary device succeeded.
+
+2009-07-22 Milan Broz <mbroz@redhat.com>
+ * version 1.0.7
+
+2009-07-16 Milan Broz <mbroz@redhat.com>
+ * Allow removal of last slot in luksRemoveKey and luksKillSlot.
+
+2009-07-11 Milan Broz <mbroz@redhat.com>
+
+ * Add --disable-selinux option and fix static build if selinux is required.
+ * Reject unsupported --offset and --skip options for luksFormat and update man page.
+
+2009-06-22 Milan Broz <mbroz@redhat.com>
+
+ * Summary of changes in subversion for 1.0.7-rc1:
+ * Various man page fixes.
+ * Set UUID in device-mapper for LUKS devices.
+ * Retain readahead of underlying device.
+ * Display device name when asking for password.
+ * Check device size when loading LUKS header. Remove misleading error message later.
+ * Add error hint if dm-crypt mapping failed.
+ * Use better error messages if device doesn't exist or is already used by other mapping.
+ * Fix make distcheck.
+ * Check if all slots are full during luksAddKey.
+ * Fix segfault in set_error.
+ * Code cleanups, remove precompiled pot files, remove unnecessary files from po directory
+ * Fix uninitialized return value variable in setup.c.
+ * Code cleanups. (thanks to Ivan Stankovic)
+ * Fix wrong output for remaining key at key deletion.
+ * Allow deletion of key slot while other keys have the same key information.
+ * Add missing AM_PROG_CC_C_O to configure.in
+ * Remove duplicate sentence in man page.
+ * Wipe start of device (possible fs signature) before LUKS-formatting.
+ * Do not process configure.in in hidden directories.
+ * Return more descriptive error in case of IO or header format error.
+ * Use remapping to error target instead of calling udevsettle for temporary crypt device.
+ * Check device mapper communication and warn user if device-mapper support missing in kernel.
+ * Fix signal handler to properly close device.
+ * write_lseek_blockwise: declare innerCount outside the if block.
+ * add -Wall to the default CFLAGS. fix some signedness issues.
+ * Error handling improvement.
+ * Add non-exclusive override to interface definition.
+ * Refactor key slot selection into keyslot_from_option.
+
+2007-05-01 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/backends.c, man/cryptsetup.8: Apply patch from Ludwig Nussel
+ <ludwig.nussel@suse.de>, for old SuSE compat hashing.
+
+2007-04-16 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Summary of changes in subversion:
+ Fix segfault for key size > 32 bytes.
+ Kick ancient header version conversion.
+ Fix http://bugs.debian.org/403075
+ No passwort retrying for I/O errors.
+ Fix hang on "-i 0".
+ Fix parenthesization error that prevented --tries from working
+ correctly.
+
+2006-11-28 gettextize <bug-gnu-gettext@gnu.org>
+
+ * m4/gettext.m4: Upgrade to gettext-0.15.
+ * m4/glibc2.m4: New file, from gettext-0.15.
+ * m4/intmax.m4: New file, from gettext-0.15.
+ * m4/inttypes-h.m4: New file, from gettext-0.15.
+ * m4/inttypes-pri.m4: Upgrade to gettext-0.15.
+ * m4/lib-link.m4: Upgrade to gettext-0.15.
+ * m4/lib-prefix.m4: Upgrade to gettext-0.15.
+ * m4/lock.m4: New file, from gettext-0.15.
+ * m4/longdouble.m4: New file, from gettext-0.15.
+ * m4/longlong.m4: New file, from gettext-0.15.
+ * m4/nls.m4: Upgrade to gettext-0.15.
+ * m4/po.m4: Upgrade to gettext-0.15.
+ * m4/printf-posix.m4: New file, from gettext-0.15.
+ * m4/signed.m4: New file, from gettext-0.15.
+ * m4/size_max.m4: New file, from gettext-0.15.
+ * m4/visibility.m4: New file, from gettext-0.15.
+ * m4/wchar_t.m4: New file, from gettext-0.15.
+ * m4/wint_t.m4: New file, from gettext-0.15.
+ * m4/xsize.m4: New file, from gettext-0.15.
+ * m4/Makefile.am: New file.
+ * configure.in (AC_OUTPUT): Add m4/Makefile.
+ (AM_GNU_GETTEXT_VERSION): Bump to 0.15.
+
+2006-10-22 David Härdeman <david@hardeman.nu>
+
+ * Allow hashing of keys passed through stdin.
+
+2006-10-13 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: 1.0.4 release
+
+2006-10-13 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * man/cryptsetup.8: Document --tries switch; patch by Jonas
+ Meurer.
+
+2006-10-13 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c: Added terminal timeout rewrite as forwarded by
+ Jonas Meurer
+
+2006-10-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Merged patch from Marc Merlin <marc@merlins.org> to allow user
+ selection of key slot.
+
+2006-09-26 gettextize <bug-gnu-gettext@gnu.org>
+
+ * m4/codeset.m4: Upgrade to gettext-0.14.4.
+ * m4/gettext.m4: Upgrade to gettext-0.14.4.
+ * m4/glibc2.m4: New file, from gettext-0.14.4.
+ * m4/glibc21.m4: Upgrade to gettext-0.14.4.
+ * m4/iconv.m4: Upgrade to gettext-0.14.4.
+ * m4/intdiv0.m4: Upgrade to gettext-0.14.4.
+ * m4/intmax.m4: New file, from gettext-0.14.4.
+ * m4/inttypes.m4: Upgrade to gettext-0.14.4.
+ * m4/inttypes_h.m4: Upgrade to gettext-0.14.4.
+ * m4/inttypes-pri.m4: Upgrade to gettext-0.14.4.
+ * m4/isc-posix.m4: Upgrade to gettext-0.14.4.
+ * m4/lcmessage.m4: Upgrade to gettext-0.14.4.
+ * m4/lib-ld.m4: Upgrade to gettext-0.14.4.
+ * m4/lib-link.m4: Upgrade to gettext-0.14.4.
+ * m4/lib-prefix.m4: Upgrade to gettext-0.14.4.
+ * m4/longdouble.m4: New file, from gettext-0.14.4.
+ * m4/longlong.m4: New file, from gettext-0.14.4.
+ * m4/nls.m4: Upgrade to gettext-0.14.4.
+ * m4/po.m4: Upgrade to gettext-0.14.4.
+ * m4/printf-posix.m4: New file, from gettext-0.14.4.
+ * m4/progtest.m4: Upgrade to gettext-0.14.4.
+ * m4/signed.m4: New file, from gettext-0.14.4.
+ * m4/size_max.m4: New file, from gettext-0.14.4.
+ * m4/stdint_h.m4: Upgrade to gettext-0.14.4.
+ * m4/uintmax_t.m4: Upgrade to gettext-0.14.4.
+ * m4/ulonglong.m4: Upgrade to gettext-0.14.4.
+ * m4/wchar_t.m4: New file, from gettext-0.14.4.
+ * m4/wint_t.m4: New file, from gettext-0.14.4.
+ * m4/xsize.m4: New file, from gettext-0.14.4.
+ * Makefile.am (ACLOCAL_AMFLAGS): New variable.
+ * configure.in (AM_GNU_GETTEXT_VERSION): Bump to 0.14.4.
+
+2006-08-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: 1.0.4-rc2
+
+2006-08-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/Makefile.am: Add a few regression tests
+
+2006-08-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (get_key): Applied patch from David Härdeman
+ <david@2gen.com> for reading binary keys from stdin using
+ the "-" as key file.
+
+2006-08-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (__crypt_luks_add_key): For checking options struct
+ (optionsCheck) filter out CRYPT_FLAG_VERIFY and
+ CRYPT_FLAG_VERIFY_IF_POSSIBLE, so that in no case password verification is done
+ for password retrieval.
+
+2006-08-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: Merge Patch from http://bugs.gentoo.org/show_bug.cgi?id=132126 for sepol
+
+2006-07-23 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Applied patches from David Härdeman <david@2gen.com> to fix 64
+ bit compiler warning issues.
+
+2006-05-19 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Applied patches from Jonas Meurer
+ - fix terminal status after timeout
+ - add remark for --tries to manpage
+ - allow more than 32 chars from standard input.
+ - exit status fix for cryptsetup status.
+
+2006-05-06 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c (yesDialog): Fix getline problem for 64-bit archs.
+
+2006-04-05 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: Release 1.0.3.
+
+ * Applied patch by Johannes Weißl for more meaningful exit codes
+ and password retries
+
+2006-03-30 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (__crypt_create_device): (char *) -> (const char *)
+
+2006-03-30 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Apply alignPayload patch from Peter Palfrader <weasel@debian.org>
+
+2006-03-15 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: 1.0.3-rc3. Most unplease release ever.
+ * lib/setup.c (__crypt_create_device): More verbose error message.
+
+2006-02-26 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c: Revert to 1.0.1 key reading.
+
+2006-02-25 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * man/cryptsetup.8: merge patch from Jonas Meurer
+
+2006-02-25 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: 1.0.3-rc2
+
+2006-02-25 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/libdevmapper.c (dm_create_device): Remove dup check here.
+ * lib/setup.c (__crypt_luks_open): Adopt same dup check as regular
+ create command.
+
+2006-02-22 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: Spin 1.0.3-rc1
+
+2006-02-22 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c (action_create): Change defaulting.
+ (action_luksFormat): Change defaulting.
+
+ * lib/setup.c (parse_into_name_and_mode): Revert that default
+ change. This is FORBIDDEN here, as it will change cryptsetup
+ entire default. This is BAD in a non-LUKS world.
+
+2006-02-21 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/keyencryption.c (setup_mapping): Add proper size restriction to mapping.
+ (LUKS_endec_template): Add more verbose error message.
+
+2006-02-21 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/libdevmapper.c (dm_query_device): Incorporate patch from
+ Bastian Blank
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344313
+
+2006-02-21 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c: Rename show_error -> show_status.
+
+2006-02-20 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/libdevmapper.c (dm_create_device): Prevent existing mapping
+ from being removed when a mapping with the same name is added
+
+ * Add timeout patch from Jonas Meurer
+
+ * src/cryptsetup.c: Remove conditional error printing to enable
+ printing the no-error msg (Command successful). Verify passphrase
+ for LUKS volumes.
+ (main): Add no-verify-passphrase
+
+ * lib/setup.c (parse_into_name_and_mode): Change default mode complition to essiv:sha256.
+
+2006-01-04 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c (help): Merge patch from Gentoo: change gettext(..) to _(..).
+
+2005-12-06 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * man/cryptsetup.8: Correct "seconds" to "microseconds" in the explaination for -i.
+
+2005-11-09 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c (main): Add version string.
+
+2005-11-08 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/backends.c: compile fix.
+
+2005-09-11 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (get_key): Fixed another incompatibility from my
+ get_key rewrite with original cryptsetup.
+
+2005-09-11 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Merged changes from Florian Knauf's fk02 branch.
+
+2005-09-08 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (get_key): Fixed another incompatiblity with
+ original cryptsetup.
+
+2005-08-20 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * Checked in a patch from Michael Gebetsroither <gebi@sbox.tugraz.at>
+ to silent all confirmation dialogs.
+
+2005-06-23 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c (help): print PACKAGE_STRING
+
+2005-06-20 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/keymanage.c (LUKS_set_key): Security check against header manipulation
+
+ * src/cryptsetup.c (action_luksDelKey): Safety check in luksDelKey
+
+ * luks/keymanage.c: Changed disk layout generation to align key material to 4k boundaries.
+ (LUKS_is_last_keyslot): Added LUKS_is_last_keyslot function.
+
+ * Applied patch from Bill Nottingham fixing a lot of prototypes.
+
+ * src/cryptsetup.c (action_luksOpen): Add support for -r flag.
+
+ * configure.in: Version bump 1.0.1
+
+2005-06-16 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (__crypt_luks_open): Remove mem leaking of dmCipherSpec.
+ (get_key): Fix missing zero termination for read string.
+
+2005-06-12 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/keyencryption.c (setup_mapping): Added CRYPT_FLAG_READONLY in case of O_RDONLY mode
+
+2005-06-11 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: Version bump 1.0.1-pre
+
+2005-06-09 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/utils.c: Added write_llseek_blocksize method to support sector wiping on sector_size != 512
+ media
+
+2005-05-23 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/setup.c (crypt_luksDelKey): Added missing return statement
+ (setup_leave): Added missing return statement
+
+ * luks/keyencryption.c (clear_mapping): Added missing return statement
+
+2005-05-19 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * lib/utils.c (write_blockwise, read_blockwise): Changed to soft bsize instead of SECTOR_SIZE
+
+ * luks/keymanage.c (wipe): Changed open mode to O_DIRECT | O_SYNC, and changed write
+ to use the blockwise write helper
+
+2005-04-21 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * man/cryptsetup.8: Corrected an error, thanks to Dick Middleton.
+
+2005-04-09 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/sha/hmac.c: Add 64 bit bug fix courtesy to
+ Oliver Paukstadt <pstadt@sourcentral.org>.
+
+ * luks/pbkdf.c, luks/keyencryption.c, luks/keymanage.c, luks/af.c: Added a license
+ disclaimer and remove option for "any future GPL versions".
+
+2005-03-25 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * configure.in: man page Makefile. Version bump 1.0.
+
+ * man/cryptsetup.8: finalize man page and move to section 8.
+
+ * src/cryptsetup.c (action_luksFormat): Add "are you sure" for interactive sessions.
+
+ * lib/setup.c (crypt_luksDump), src/cryptsetup.c: add LUKS dump command
+
+2005-03-24 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * src/cryptsetup.c, luks/Makefile.am (test), lib/setup.c (setup_enter):
+ rename luksInit to luksFormat
+
+2005-03-12 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * man/cryptsetup.1: Add man page.
+
+ * lib/setup.c: Remove unneccessary LUKS_write_phdr call, so the
+ phdr is written after passphrase reading, so the user can change
+ his mind, and not have a partial written LUKS header on it's disk.
+
+2005-02-09 Clemens Fruhwirth <clemens@endorphin.org>
+
+ * luks/keymanage.c (LUKS_write_phdr): converted argument phdr to
+ pointer, and make a copy of phdr for conversion
+
+ * configure.in: Version dump.
+
+ * luks/keyencryption.c: Convert to read|write_blockwise.
+
+ * luks/keymanage.c: Convert to read|write_blockwise.
+
+ * lib/utils.c: Add read|write_blockwise functions, to use in
+ O_DIRECT file accesses.
+
+2004-03-11 Thursday 15:52 Jana Saout <jana@saout.de>
+
+ * lib/blockdev.h: BLKGETSIZE64 really uses size_t as third
+ argument, the rest is wrong.
+
+2004-03-10 Wednesday 17:50 Jana Saout <jana@saout.de>
+
+ * lib/: libcryptsetup.h, libdevmapper.c: Small fixes.
+
+2004-03-09 Tuesday 21:41 Jana Saout <jana@saout.de>
+
+ * lib/internal.h, lib/libcryptsetup.h, lib/libdevmapper.c,
+ lib/setup.c, po/de.po, src/cryptsetup.c: Added internal flags to
+ keep track of malloc'ed return values in struct crypt_options and
+ add a function to free the memory. Also add a readonly flag to
+ libcryptsetup.
+
+2004-03-09 Tuesday 16:03 Jana Saout <jana@saout.de>
+
+ * ChangeLog, configure.in, setup-gettext, lib/Makefile.am,
+ lib/backends.c, lib/blockdev.h, lib/gcrypt.c, lib/internal.h,
+ lib/libcryptsetup.h, lib/libdevmapper.c, lib/setup.c,
+ lib/utils.c, po/de.po, src/Makefile.am, src/cryptsetup.c: More
+ reorganization work.
+
+2004-03-08 Monday 01:38 Jana Saout <jana@saout.de>
+
+ * ChangeLog, Makefile.am, acinclude.m4, configure.in,
+ lib/Makefile.am, lib/backends.c, lib/blockdev.h, lib/gcrypt.c,
+ lib/libdevmapper.c, lib/setup.c, lib/utils.c, po/de.po,
+ src/Makefile.am: BLKGETSIZE64 fixes and started modularity
+ enhancements
+
+2004-03-04 Thursday 21:06 Jana Saout <jana@saout.de>
+
+ * Makefile.am, po/de.po, src/cryptsetup.c, src/cryptsetup.h: First
+ backward compatible working version.
+
+2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de>
+
+ * NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh,
+ configure.in, setup-gettext, po/ChangeLog, po/LINGUAS,
+ po/POTFILES.in, po/de.po, src/cryptsetup.c, src/cryptsetup.h,
+ src/Makefile.am (utags: initial): Initial checkin.
+
+2004-03-04 Thursday 00:42 Jana Saout <jana@saout.de>
+
+ * NEWS, AUTHORS, ChangeLog, Makefile.am, README, autogen.sh,
+ configure.in, setup-gettext, po/ChangeLog, po/LINGUAS,
+ po/POTFILES.in, po/de.po, src/cryptsetup.c, src/cryptsetup.h,
+ src/Makefile.am: Initial revision
diff --git a/docs/doxyfile b/docs/doxyfile
new file mode 100644
index 0000000..1257eff
--- /dev/null
+++ b/docs/doxyfile
@@ -0,0 +1,280 @@
+# Doxyfile 1.7.4
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+DOXYFILE_ENCODING = UTF-8
+PROJECT_NAME = "cryptsetup API"
+PROJECT_NUMBER =
+PROJECT_BRIEF = "Public cryptsetup API"
+PROJECT_LOGO =
+OUTPUT_DIRECTORY = doxygen_api_docs
+CREATE_SUBDIRS = NO
+OUTPUT_LANGUAGE = English
+BRIEF_MEMBER_DESC = YES
+REPEAT_BRIEF = YES
+ABBREVIATE_BRIEF =
+ALWAYS_DETAILED_SEC = NO
+INLINE_INHERITED_MEMB = NO
+FULL_PATH_NAMES = YES
+STRIP_FROM_PATH =
+STRIP_FROM_INC_PATH =
+SHORT_NAMES = NO
+JAVADOC_AUTOBRIEF = NO
+QT_AUTOBRIEF = NO
+MULTILINE_CPP_IS_BRIEF = NO
+INHERIT_DOCS = YES
+SEPARATE_MEMBER_PAGES = NO
+TAB_SIZE = 8
+ALIASES =
+OPTIMIZE_OUTPUT_FOR_C = YES
+OPTIMIZE_OUTPUT_JAVA = NO
+OPTIMIZE_FOR_FORTRAN = NO
+OPTIMIZE_OUTPUT_VHDL = NO
+EXTENSION_MAPPING =
+BUILTIN_STL_SUPPORT = NO
+CPP_CLI_SUPPORT = NO
+SIP_SUPPORT = NO
+IDL_PROPERTY_SUPPORT = YES
+DISTRIBUTE_GROUP_DOC = NO
+SUBGROUPING = YES
+INLINE_GROUPED_CLASSES = NO
+TYPEDEF_HIDES_STRUCT = YES
+SYMBOL_CACHE_SIZE = 0
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL = NO
+EXTRACT_PRIVATE = NO
+EXTRACT_STATIC = NO
+EXTRACT_LOCAL_CLASSES = YES
+EXTRACT_LOCAL_METHODS = NO
+EXTRACT_ANON_NSPACES = NO
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
+HIDE_FRIEND_COMPOUNDS = NO
+HIDE_IN_BODY_DOCS = NO
+INTERNAL_DOCS = NO
+CASE_SENSE_NAMES = YES
+HIDE_SCOPE_NAMES = NO
+SHOW_INCLUDE_FILES = YES
+FORCE_LOCAL_INCLUDES = NO
+INLINE_INFO = YES
+SORT_MEMBER_DOCS = YES
+SORT_BRIEF_DOCS = NO
+SORT_MEMBERS_CTORS_1ST = NO
+SORT_GROUP_NAMES = NO
+SORT_BY_SCOPE_NAME = NO
+STRICT_PROTO_MATCHING = NO
+GENERATE_TODOLIST = YES
+GENERATE_TESTLIST = YES
+GENERATE_BUGLIST = YES
+GENERATE_DEPRECATEDLIST= YES
+ENABLED_SECTIONS =
+MAX_INITIALIZER_LINES = 30
+SHOW_USED_FILES = YES
+SHOW_DIRECTORIES = NO
+SHOW_FILES = YES
+SHOW_NAMESPACES = YES
+FILE_VERSION_FILTER =
+LAYOUT_FILE =
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+QUIET = NO
+WARNINGS = YES
+WARN_IF_UNDOCUMENTED = YES
+WARN_IF_DOC_ERROR = YES
+WARN_NO_PARAMDOC = NO
+WARN_FORMAT = "$file:$line: $text"
+WARN_LOGFILE =
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+INPUT = "doxygen_index" "../lib/libcryptsetup.h"
+INPUT_ENCODING = UTF-8
+FILE_PATTERNS =
+RECURSIVE = NO
+EXCLUDE =
+EXCLUDE_SYMLINKS = NO
+EXCLUDE_PATTERNS =
+EXCLUDE_SYMBOLS =
+EXAMPLE_PATH = "examples"
+EXAMPLE_PATTERNS =
+EXAMPLE_RECURSIVE = NO
+IMAGE_PATH =
+INPUT_FILTER =
+FILTER_PATTERNS =
+FILTER_SOURCE_FILES = NO
+FILTER_SOURCE_PATTERNS =
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER = NO
+INLINE_SOURCES = NO
+STRIP_CODE_COMMENTS = YES
+REFERENCED_BY_RELATION = NO
+REFERENCES_RELATION = NO
+REFERENCES_LINK_SOURCE = YES
+USE_HTAGS = NO
+VERBATIM_HEADERS = YES
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+ALPHABETICAL_INDEX = YES
+COLS_IN_ALPHA_INDEX = 5
+IGNORE_PREFIX =
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+GENERATE_HTML = YES
+HTML_OUTPUT = html
+HTML_FILE_EXTENSION = .html
+HTML_HEADER =
+HTML_FOOTER =
+HTML_STYLESHEET =
+HTML_EXTRA_FILES =
+HTML_COLORSTYLE_HUE = 220
+HTML_COLORSTYLE_SAT = 100
+HTML_COLORSTYLE_GAMMA = 80
+HTML_TIMESTAMP = YES
+HTML_ALIGN_MEMBERS = YES
+HTML_DYNAMIC_SECTIONS = NO
+GENERATE_DOCSET = NO
+DOCSET_FEEDNAME = "Doxygen generated docs"
+DOCSET_BUNDLE_ID = org.doxygen.Project
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+DOCSET_PUBLISHER_NAME = Publisher
+GENERATE_HTMLHELP = NO
+CHM_FILE =
+HHC_LOCATION =
+GENERATE_CHI = NO
+CHM_INDEX_ENCODING =
+BINARY_TOC = NO
+TOC_EXPAND = NO
+GENERATE_QHP = NO
+QCH_FILE =
+QHP_NAMESPACE = org.doxygen.Project
+QHP_VIRTUAL_FOLDER = doc
+QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
+QHG_LOCATION =
+GENERATE_ECLIPSEHELP = NO
+ECLIPSE_DOC_ID = org.doxygen.Project
+DISABLE_INDEX = NO
+ENUM_VALUES_PER_LINE = 4
+GENERATE_TREEVIEW = NO
+USE_INLINE_TREES = NO
+TREEVIEW_WIDTH = 250
+EXT_LINKS_IN_WINDOW = NO
+FORMULA_FONTSIZE = 10
+FORMULA_TRANSPARENT = YES
+USE_MATHJAX = NO
+MATHJAX_RELPATH = http://www.mathjax.org/mathjax
+SEARCHENGINE = YES
+SERVER_BASED_SEARCH = NO
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+GENERATE_LATEX = YES
+LATEX_OUTPUT = latex
+LATEX_CMD_NAME = latex
+MAKEINDEX_CMD_NAME = makeindex
+COMPACT_LATEX = NO
+PAPER_TYPE = a4
+EXTRA_PACKAGES =
+LATEX_HEADER =
+LATEX_FOOTER =
+PDF_HYPERLINKS = YES
+USE_PDFLATEX = YES
+LATEX_BATCHMODE = NO
+LATEX_HIDE_INDICES = NO
+LATEX_SOURCE_CODE = NO
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+GENERATE_RTF = NO
+RTF_OUTPUT = rtf
+COMPACT_RTF = NO
+RTF_HYPERLINKS = NO
+RTF_STYLESHEET_FILE =
+RTF_EXTENSIONS_FILE =
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+GENERATE_MAN = NO
+MAN_OUTPUT = man
+MAN_EXTENSION = .3
+MAN_LINKS = NO
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+GENERATE_XML = NO
+XML_OUTPUT = xml
+XML_SCHEMA =
+XML_DTD =
+XML_PROGRAMLISTING = YES
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+GENERATE_AUTOGEN_DEF = NO
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+GENERATE_PERLMOD = NO
+PERLMOD_LATEX = NO
+PERLMOD_PRETTY = YES
+PERLMOD_MAKEVAR_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+ENABLE_PREPROCESSING = YES
+MACRO_EXPANSION = NO
+EXPAND_ONLY_PREDEF = NO
+SEARCH_INCLUDES = YES
+INCLUDE_PATH =
+INCLUDE_FILE_PATTERNS =
+PREDEFINED =
+EXPAND_AS_DEFINED =
+SKIP_FUNCTION_MACROS = YES
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+TAGFILES =
+GENERATE_TAGFILE =
+ALLEXTERNALS = NO
+EXTERNAL_GROUPS = YES
+PERL_PATH =
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+CLASS_DIAGRAMS = YES
+MSCGEN_PATH =
+HIDE_UNDOC_RELATIONS = YES
+HAVE_DOT = NO
+DOT_NUM_THREADS = 0
+DOT_FONTNAME = Helvetica
+DOT_FONTSIZE = 10
+DOT_FONTPATH =
+CLASS_GRAPH = YES
+COLLABORATION_GRAPH = YES
+GROUP_GRAPHS = YES
+UML_LOOK = NO
+TEMPLATE_RELATIONS = NO
+INCLUDE_GRAPH = YES
+INCLUDED_BY_GRAPH = YES
+CALL_GRAPH = NO
+CALLER_GRAPH = NO
+GRAPHICAL_HIERARCHY = YES
+DIRECTORY_GRAPH = YES
+DOT_IMAGE_FORMAT = png
+DOT_PATH =
+DOTFILE_DIRS =
+MSCFILE_DIRS =
+DOT_GRAPH_MAX_NODES = 50
+MAX_DOT_GRAPH_DEPTH = 0
+DOT_TRANSPARENT = NO
+DOT_MULTI_TARGETS = NO
+GENERATE_LEGEND = YES
+DOT_CLEANUP = YES
diff --git a/docs/doxygen_index b/docs/doxygen_index
new file mode 100644
index 0000000..ec394ad
--- /dev/null
+++ b/docs/doxygen_index
@@ -0,0 +1,125 @@
+/**
+ * @mainpage Cryptsetup API
+ *
+ * The documentation covers public parts of cryptsetup API. In the following sections you'll find
+ * the examples that describe some features of cryptsetup API.
+ * For more info about libcryptsetup API versions see
+ * <a href="http://upstream-tracker.org/versions/libcryptsetup.html">Upstream Tracker</a>.
+ *
+ * <OL type="A">
+ * <LI>@ref cexamples "Cryptsetup API examples"</LI>
+ * <OL type="1">
+ * <LI>@ref cluks "crypt_luks_usage" - cryptsetup LUKS device type usage examples</LI>
+ * <UL>
+ * <LI>@ref cinit "crypt_init()"</LI>
+ * <LI>@ref cformat "crypt_format()" - header and payload on mutual device</LI>
+ * <LI>@ref ckeys "Keyslot operations" </LI>
+ * <UL>
+ * <LI>@ref ckeyslot_vol "crypt_keyslot_add_by_volume_key()"</LI>
+ * <LI>@ref ckeyslot_pass "crypt_keyslot_add_by_passphrase()"</LI>
+ * </UL>
+ * <LI>@ref cload "crypt_load()"
+ * <LI>@ref cactivate "crypt_activate_by_passphrase()"</LI>
+ * <LI>@ref cactive_pars "crypt_get_active_device()"</LI>
+ * <LI>@ref cinit_by_name "crypt_init_by_name()"</LI>
+ * <LI>@ref cdeactivate "crypt_deactivate()"</LI>
+ * <LI>@ref cluks_ex "crypt_luks_usage.c"</LI>
+ * </UL>
+ * <LI>@ref clog "crypt_log_usage" - cryptsetup logging API examples</LI>
+ * </OL>
+ * </OL>
+ *
+ * @section cexamples Cryptsetup API examples
+ * @section cluks crypt_luks_usage - cryptsetup LUKS device type usage
+ * @subsection cinit crypt_init()
+ *
+ * Every time you need to do something with cryptsetup or dmcrypt device
+ * you need a valid context. The first step to start your work is
+ * @ref crypt_init call. You can call it either with path
+ * to the block device or path to the regular file. If you don't supply the path,
+ * empty context is initialized.
+ *
+ * @subsection cformat crypt_format() - header and payload on mutual device
+ *
+ * This section covers basic use cases for formatting LUKS devices. Format operation
+ * sets device type in context and in case of LUKS header is written at the beginning
+ * of block device. In the example bellow we use the scenario where LUKS header and data
+ * are both stored on the same device. There's also a possibility to store header and
+ * data separately.
+ *
+ * <B>Bear in mind</B> that @ref crypt_format() is destructive operation and it
+ * overwrites part of the backing block device.
+ *
+ * @subsection ckeys Keyslot operations examples
+ *
+ * After successful @ref crypt_format of LUKS device, volume key is not stored
+ * in a persistent way on the device. Keyslot area is an array beyond LUKS header, where
+ * volume key is stored in the encrypted form using user input passphrase. For more info about
+ * LUKS keyslots and how it's actually protected, please look at
+ * <A HREF="https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification">LUKS specification</A>.
+ * There are two basic methods to create a new keyslot:
+ *
+ * @subsection ckeyslot_vol crypt_keyslot_add_by_volume_key()
+ *
+ * Creates a new keyslot directly by encrypting volume_key stored in the device
+ * context. Passphrase should be supplied or user is prompted if passphrase param is
+ * NULL.
+ *
+ * @subsection ckeyslot_pass crypt_keyslot_add_by_passphrase()
+ *
+ * Creates a new keyslot for the volume key by opening existing active keyslot,
+ * extracting volume key from it and storing it into a new keyslot
+ * protected by a new passphrase
+ *
+ * @subsection cload crypt_load()
+ *
+ * Function loads header from backing block device into device context.
+ *
+ * @subsection cactivate crypt_activate_by_passphrase()
+ *
+ * Activates crypt device by user supplied password for keyslot containing the volume_key.
+ * If <I>keyslot</I> parameter is set to <I>CRYPT_ANY_SLOT</I> then all active keyslots
+ * are tried one by one until the volume key is found.
+ *
+ * @subsection cactive_pars crypt_get_active_device()
+ *
+ * This call returns structure containing runtime attributes of active device.
+ *
+ * @subsection cinit_by_name crypt_init_by_name()
+ *
+ * In case you need to do operations with active device (device which already
+ * has its corresponding mapping) and you miss valid device context stored in
+ * *crypt_device reference, you should use this call. Function tries to
+ * get path to backing device from DM, initializes context for it and loads LUKS
+ * header.
+ *
+ * @subsection cdeactivate crypt_deactivate()
+ *
+ * Deactivates crypt device (removes DM mapping and safely erases volume key from kernel).
+ *
+ * @subsection cluks_ex crypt_luks_usage.c - Complex example
+ *
+ * To compile and run use following commands in examples directory:
+ *
+ * @code
+ * make
+ * ./crypt_luks_usage _path_to_[block_device]_file
+ * @endcode
+ *
+ * Note that you need to have the cryptsetup library compiled. @include crypt_luks_usage.c
+ *
+ * @section clog crypt_log_usage - cryptsetup logging API example
+ *
+ * Example describes basic use case for cryptsetup logging. To compile and run
+ * use following commands in examples directory:
+ *
+ * @code
+ * make
+ * ./crypt_log_usage
+ * @endcode
+ *
+ * Note that you need to have the cryptsetup library compiled. @include crypt_log_usage.c
+ *
+ * @example crypt_luks_usage.c
+ * @example crypt_log_usage.c
+ */
diff --git a/docs/examples/Makefile b/docs/examples/Makefile
new file mode 100644
index 0000000..845b6cb
--- /dev/null
+++ b/docs/examples/Makefile
@@ -0,0 +1,17 @@
+TARGETS=crypt_log_usage crypt_luks_usage
+CFLAGS=-O0 -g -Wall -D_GNU_SOURCE
+LDLIBS=-lcryptsetup
+CC=gcc
+
+all: $(TARGETS)
+
+crypt_log_usage: crypt_log_usage.o
+ $(CC) -o $@ $^ $(LDLIBS)
+
+crypt_luks_usage: crypt_luks_usage.o
+ $(CC) -o $@ $^ $(LDLIBS)
+
+clean:
+ rm -f *.o *~ core $(TARGETS)
+
+.PHONY: clean
diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c
new file mode 100644
index 0000000..6322c8f
--- /dev/null
+++ b/docs/examples/crypt_log_usage.c
@@ -0,0 +1,96 @@
+/*
+ * An example of using logging through libcryptsetup API
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <libcryptsetup.h>
+
+/*
+ * This is an example of function that can be registered using crypt_set_log_callback API.
+ *
+ * Its prototype is void (*log)(int level, const char *msg, void *usrptr) as defined
+ * in crypt_set_log_callback
+ */
+static void simple_syslog_wrapper(int level, const char *msg, void *usrptr)
+{
+ const char *prefix = (const char *)usrptr;
+ int priority;
+
+ switch(level) {
+ case CRYPT_LOG_NORMAL: priority = LOG_NOTICE; break;
+ case CRYPT_LOG_ERROR: priority = LOG_ERR; break;
+ case CRYPT_LOG_VERBOSE: priority = LOG_INFO; break;
+ case CRYPT_LOG_DEBUG: priority = LOG_DEBUG; break;
+ default:
+ fprintf(stderr, "Unsupported log level requested!\n");
+ return;
+ }
+
+ if (prefix)
+ syslog(priority, "%s:%s", prefix, msg);
+ else
+ syslog(priority, "%s", msg);
+}
+
+int main(void)
+{
+ struct crypt_device *cd;
+ char usrprefix[] = "cslog_example";
+ int r;
+
+ if (geteuid()) {
+ printf("Using of libcryptsetup requires super user privileges.\n");
+ return 1;
+ }
+
+ openlog("cryptsetup", LOG_CONS | LOG_PID, LOG_USER);
+
+ /* Initialize empty crypt device context */
+ r = crypt_init(&cd, NULL);
+ if (r < 0) {
+ printf("crypt_init() failed.\n");
+ return 2;
+ }
+
+ /* crypt_set_log_callback() - register a log function for crypt context */
+ crypt_set_log_callback(cd, &simple_syslog_wrapper, (void *)usrprefix);
+
+ /* send messages ithrough the crypt_log() interface */
+ crypt_log(cd, CRYPT_LOG_NORMAL, "This is normal log message");
+ crypt_log(cd, CRYPT_LOG_ERROR, "This is error log message");
+ crypt_log(cd, CRYPT_LOG_VERBOSE, "This is verbose log message");
+ crypt_log(cd, CRYPT_LOG_DEBUG, "This is debug message");
+
+ /* release crypt context */
+ crypt_free(cd);
+
+ /* Initialize default (global) log function */
+ crypt_set_log_callback(NULL, &simple_syslog_wrapper, NULL);
+
+ crypt_log(NULL, CRYPT_LOG_NORMAL, "This is normal log message");
+ crypt_log(NULL, CRYPT_LOG_ERROR, "This is error log message");
+ crypt_log(NULL, CRYPT_LOG_VERBOSE, "This is verbose log message");
+ crypt_log(NULL, CRYPT_LOG_DEBUG, "This is debug message");
+
+ closelog();
+ return 0;
+}
diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c
new file mode 100644
index 0000000..9915564
--- /dev/null
+++ b/docs/examples/crypt_luks_usage.c
@@ -0,0 +1,294 @@
+/*
+ * An example of using LUKS device through libcryptsetup API
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <libcryptsetup.h>
+
+static int format_and_add_keyslots(const char *path)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params;
+ int r;
+
+ /*
+ * crypt_init() call precedes most of operations of cryptsetup API. The call is used
+ * to initialize crypt device context stored in structure referenced by _cd_ in
+ * the example. Second parameter is used to pass underlaying device path.
+ *
+ * Note:
+ * If path refers to a regular file it'll be attached to a first free loop device.
+ * crypt_init() operation fails in case there's no more loop device available.
+ * Also, loop device will have the AUTOCLEAR flag set, so the file loopback will
+ * be detached automatically.
+ */
+
+ r = crypt_init(&cd, path);
+ if (r < 0 ) {
+ printf("crypt_init() failed for %s.\n", path);
+ return r;
+ }
+
+ printf("Context is attached to block device %s.\n", crypt_get_device_name(cd));
+
+ /*
+ * So far no data were written on your device. This will change with call of
+ * crypt_format() only if you specify CRYPT_LUKS1 as device type.
+ */
+ printf("Device %s will be formatted to LUKS device after 5 seconds.\n"
+ "Press CTRL+C now if you want to cancel this operation.\n", path);
+ sleep(5);
+
+
+ /*
+ * Prepare LUKS format parameters
+ *
+ * hash parameter defines PBKDF2 hash algorithm used in LUKS header.
+ * For compatibility reason we use SHA1 here.
+ */
+ params.hash = "sha1";
+
+ /*
+ * data_alignment parameter is relevant only in case of the luks header
+ * and the payload are both stored on same device.
+ *
+ * if you set data_alignment = 0, cryptsetup will autodetect
+ * data_alignment according to underlaying device topology.
+ */
+ params.data_alignment = 0;
+
+ /*
+ * data_device parameter defines that no external device
+ * for luks header will be used
+ */
+ params.data_device = NULL;
+
+ /*
+ * NULLs for uuid and volume_key means that these attributes will be
+ * generated during crypt_format(). Volume key is generated with respect
+ * to key size parameter passed to function.
+ *
+ * crypt_format() checks device size (LUKS header must fit there).
+ */
+ r = crypt_format(cd, /* crypt context */
+ CRYPT_LUKS1, /* LUKS1 is standard LUKS header */
+ "aes", /* used cipher */
+ "xts-plain64", /* used block mode and IV generator*/
+ NULL, /* generate UUID */
+ NULL, /* generate volume key from RNG */
+ 256 / 8, /* 256bit key - here AES-128 in XTS mode, size is in bytes */
+ ¶ms); /* parameters above */
+
+ if(r < 0) {
+ printf("crypt_format() failed on device %s\n", crypt_get_device_name(cd));
+ crypt_free(cd);
+ return r;
+ }
+
+ /*
+ * The device now contains LUKS1 header, but there is
+ * no active keyslot with encrypted volume key yet.
+ */
+
+ /*
+ * cryptt_kesylot_add_* call stores volume_key in encrypted form into keyslot.
+ * Without keyslot you can't manipulate with LUKS device after the context will be freed.
+ *
+ * To create a new keyslot you need to supply the existing one (to get the volume key from) or
+ * you need to supply the volume key.
+ *
+ * After format, we have volume key stored internally in context so add new keyslot
+ * using this internal volume key.
+ */
+ r = crypt_keyslot_add_by_volume_key(cd, /* crypt context */
+ CRYPT_ANY_SLOT, /* just use first free slot */
+ NULL, /* use internal volume key */
+ 0, /* unused (size of volume key) */
+ "foo", /* passphrase - NULL means query*/
+ 3); /* size of passphrase */
+
+ if (r < 0) {
+ printf("Adding keyslot failed.\n");
+ crypt_free(cd);
+ return r;
+ }
+
+ printf("The first keyslot is initialized.\n");
+
+ /*
+ * Add another keyslot, now using the first keyslot.
+ * It will decrypt volume key from the first keyslot and creates new one with another passphrase.
+ */
+ r = crypt_keyslot_add_by_passphrase(cd, /* crypt context */
+ CRYPT_ANY_SLOT, /* just use first free slot */
+ "foo", 3, /* passphrase for the old keyslot */
+ "bar", 3); /* passphrase for the new kesylot */
+ if (r < 0) {
+ printf("Adding keyslot failed.\n");
+ crypt_free(cd);
+ return r;
+ }
+
+ printf("The second keyslot is initialized.\n");
+
+ crypt_free(cd);
+ return 0;
+}
+
+static int activate_and_check_status(const char *path, const char *device_name)
+{
+ struct crypt_device *cd;
+ struct crypt_active_device cad;
+ int r;
+
+ /*
+ * LUKS device activation example.
+ * It's sequence of sub-steps: device initialization, LUKS header load
+ * and the device activation itself.
+ */
+ r = crypt_init(&cd, path);
+ if (r < 0 ) {
+ printf("crypt_init() failed for %s.\n", path);
+ return r;
+ }
+
+ /*
+ * crypt_load() is used to load the LUKS header from block device
+ * into crypt_device context.
+ */
+ r = crypt_load(cd, /* crypt context */
+ CRYPT_LUKS1, /* requested type */
+ NULL); /* additional parameters (not used) */
+
+ if (r < 0) {
+ printf("crypt_load() failed on device %s.\n", crypt_get_device_name(cd));
+ crypt_free(cd);
+ return r;
+ }
+
+ /*
+ * Device activation creates device-mapper devie mapping with name device_name.
+ */
+ r = crypt_activate_by_passphrase(cd, /* crypt context */
+ device_name, /* device name to activate */
+ CRYPT_ANY_SLOT,/* which slot use (ANY - try all) */
+ "foo", 3, /* passphrase */
+ CRYPT_ACTIVATE_READONLY); /* flags */
+ if (r < 0) {
+ printf("Device %s activation failed.\n", device_name);
+ crypt_free(cd);
+ return r;
+ }
+
+ printf("LUKS device %s/%s is active.\n", crypt_get_dir(), device_name);
+ printf("\tcipher used: %s\n", crypt_get_cipher(cd));
+ printf("\tcipher mode: %s\n", crypt_get_cipher_mode(cd));
+ printf("\tdevice UUID: %s\n", crypt_get_uuid(cd));
+
+ /*
+ * Get info about active device (query DM backend)
+ */
+ r = crypt_get_active_device(cd, device_name, &cad);
+ if (r < 0) {
+ printf("Get info about active device %s failed.\n", device_name);
+ crypt_deactivate(cd, device_name);
+ crypt_free(cd);
+ return r;
+ }
+
+ printf("Active device parameters for %s:\n"
+ "\tDevice offset (in sectors): %" PRIu64 "\n"
+ "\tIV offset (in sectors) : %" PRIu64 "\n"
+ "\tdevice size (in sectors) : %" PRIu64 "\n"
+ "\tread-only flag : %s\n",
+ device_name, cad.offset, cad.iv_offset, cad.size,
+ cad.flags & CRYPT_ACTIVATE_READONLY ? "1" : "0");
+
+ crypt_free(cd);
+ return 0;
+}
+
+static int handle_active_device(const char *device_name)
+{
+ struct crypt_device *cd;
+ int r;
+
+ /*
+ * crypt_init_by_name() initializes device context and loads LUKS header from backing device
+ */
+ r = crypt_init_by_name(&cd, device_name);
+ if (r < 0) {
+ printf("crypt_init_by_name() failed for %s.\n", device_name);
+ return r;
+ }
+
+ if (crypt_status(cd, device_name) == CRYPT_ACTIVE)
+ printf("Device %s is still active.\n", device_name);
+ else {
+ printf("Something failed perhaps, device %s is not active.\n", device_name);
+ crypt_free(cd);
+ return -1;
+ }
+
+ /*
+ * crypt_deactivate() is used to deactivate device
+ */
+ r = crypt_deactivate(cd, device_name);
+ if (r < 0) {
+ printf("crypt_deactivate() failed.\n");
+ crypt_free(cd);
+ return r;
+ }
+
+ printf("Device %s is now deactivated.\n", device_name);
+
+ crypt_free(cd);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ if (geteuid()) {
+ printf("Using of libcryptsetup requires super user privileges.\n");
+ return 1;
+ }
+
+ if (argc != 2) {
+ printf("usage: ./crypt_luks_usage <path>\n"
+ "<path> refers to either a regular file or a block device.\n"
+ " WARNING: the file or device will be wiped.\n");
+ return 2;
+ }
+
+ if (format_and_add_keyslots(argv[1]))
+ return 3;
+
+ if (activate_and_check_status(argv[1], "example_device"))
+ return 4;
+
+ if (handle_active_device("example_device"))
+ return 5;
+
+ return 0;
+}
diff --git a/docs/on-disk-format.pdf b/docs/on-disk-format.pdf
new file mode 100644
index 0000000..ff78400
--- /dev/null
+++ b/docs/on-disk-format.pdf
Binary files differ
diff --git a/docs/v1.0.7-ReleaseNotes b/docs/v1.0.7-ReleaseNotes
new file mode 100644
index 0000000..9288c60
--- /dev/null
+++ b/docs/v1.0.7-ReleaseNotes
@@ -0,0 +1,92 @@
+cryptsetup 1.0.7 Release Notes (2009-07-22)
+===========================================
+
+Changes since 1.0.7-rc1
+------------------------
+[committer name]
+
+ * Allow removal of last slot in luksRemoveKey
+and luksKillSlot. [Milan Broz]
+
+ * Add --disable-selinux option and fix static build if selinux
+is required. [Milan Broz]
+
+ * Reject unsupported --offset and --skip options for luksFormat
+and update man page. [Milan Broz]
+
+
+Changes since 1.0.6
+--------------------
+[committer name]
+
+* Various man page fixes. Also merged some Debian/Ubuntu man page
+fixes. (thanks to Martin Pitt) [Milan Broz]
+
+* Set UUID in device-mapper for LUKS devices. [Milan Broz]
+
+* Retain readahead of underlying device. [Milan Broz]
+
+* Display device name when asking for password. (thanks to Till
+Maas) [Milan Broz]
+
+* Check device size when loading LUKS header. Remove misleading
+error message later. [Milan Broz]
+
+* Add error hint if dm-crypt mapping failed. (Key size and kernel
+version check for XTS and LRW mode for now.) [Milan Broz]
+
+* Use better error messages if device doesn't exist or is already
+used by other mapping. [Milan Broz]
+
+* Fix make distcheck. (thanks to Mike Kelly) [Milan Broz]
+
+* Check if all slots are full during luksAddKey. [Clemens Fruhwirth]
+
+* Fix segfault in set_error (thanks to Oliver Metz). [Clemens Fruhwirth]
+
+* Remove precompiled pot files. Fix uninitialized return value
+variable in setup.c. [Clemens Fruhwirth]
+
+* Code cleanups. (thanks to Ivan Stankovic) [Clemens Fruhwirth]
+
+* Remove unnecessary files from po directory. They will be
+regenerated by autogen.sh. [Clemens Fruhwirth]
+
+* Fix wrong output for remaining key at key deletion. Allow deletion
+of key slot while other keys have the same key information. [Clemens
+Fruhwirth]
+
+* Add missing AM_PROG_CC_C_O to configure.in [Milan Broz]
+
+* Remove duplicate sentence in man page (thanks to Till Maas).
+[Milan Broz]
+
+* Wipe start of device (possible fs signature) before
+LUKS-formatting. [Milan Broz]
+
+* Do not process configure.in in hidden directories. [Milan Broz]
+
+* Return more descriptive error in case of IO or header format
+error. [Milan Broz]
+
+* Use remapping to error target instead of calling udevsettle
+for temporary crypt device. [Milan Broz]
+
+* Check device mapper communication and warn user in case the
+communication fails. (thanks to Milan Broz) [Clemens Fruhwirth]
+
+* Fix signal handler to proper close device. (thanks to Milan Broz)
+[Clemens Fruhwirth]
+
+* write_lseek_blockwise: declare innerCount outside the if block,
+add -Wall to the default CFLAGS, * fix some signedness issues
+(thanks to Ivan Stankovic) [Clemens Fruhwirth]
+
+* Error handling improvement. (thanks to Erik Edin) [Clemens Fruhwirth]
+
+* Add non-exclusive override to interface definition. [Clemens
+Fruhwirth]
+
+* Refactor key slot selection into keyslot_from_option. Either
+autoselect next free keyslot or honor user choice (after checking).
+[Clemens Fruhwirth]
diff --git a/docs/v1.1.0-ReleaseNotes b/docs/v1.1.0-ReleaseNotes
new file mode 100644
index 0000000..7ee6dea
--- /dev/null
+++ b/docs/v1.1.0-ReleaseNotes
@@ -0,0 +1,110 @@
+Cryptsetup 1.1.0 Release Notes
+==============================
+
+Changes since version 1.0.7
+----------------------------
+
+Important changes:
+~~~~~~~~~~~~~~~~~~
+
+ * IMPORTANT: the default compiled-in cipher parameters changed
+ plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
+ LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
+ In both modes is now default key size 256bits.
+
+ * Default compiled-in parameters are now configurable through configure options:
+ --with-plain-* / --with-luks1-* (see configure --help)
+
+ * If you need backward compatible defaults for distribution use
+ configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
+
+ Default compiled-in modes are printed in "cryptsetup --help" output.
+
+ * Change in iterations count (LUKS):
+ The slot and key digest iteration minimum count is now 1000.
+ The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
+ For more info about above items see discussion here: http://tinyurl.com/yaug97y
+
+ * New libcryptsetup API (documented in libcryptsetup.h).
+
+ The old API (using crypt_options struct) is still available but will remain
+ frozen and not used for new functions.
+ Soname of library changed to libcryptsetup.so.1.0.0.
+ (But only recompilation should be needed for old programs.)
+
+ The new API provides much more flexible operation over LUKS device for
+ applications, it is preferred that new applications will use libcryptsetup
+ and not wrapper around cryptsetup binary.
+
+ * New luksHeaderBackup and luksHeaderRestore commands.
+
+ These commands allows binary backup of LUKS header.
+ Please read man page about possible security issues with backup files.
+
+ * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
+
+ luksSuspend wipe encryption key in kernel memory and set device to suspend
+ (blocking all IO) state. This option can be used for situations when you need
+ temporary wipe encryption key (like suspend to RAM etc.)
+ Please read man page for more information.
+
+ * New --master-key-file option for luksFormat and luksAddKey.
+
+ User can now specify pre-generated master key in file, which allows regenerating
+ LUKS header or add key with only master key knowledge.
+
+ * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
+
+ Please note that using different hash for LUKS header make device incompatible with
+ old cryptsetup releases.
+
+ * Introduces --debug parameter.
+
+ Use when reporting bugs (just run cryptsetup with --debug and attach output
+ to issue report.) Sensitive data are never printed to this log.
+
+ * Moves command successful messages to verbose level.
+
+ * Requires device-mapper library and libgcrypt to build.
+
+ * Uses dm-uuid for all crypt devices, contains device type and name now.
+
+ * Removes support for dangerous non-exclusive option
+ (it is ignored now, LUKS device must be always opened exclusive)
+
+Other changes:
+~~~~~~~~~~~~~~
+ * Fixed localization to work again. Also cryptsetup is now translated by translationproject.org.
+ * Fix some libcryptsetup problems, including
+ * exported symbols and versions in libcryptsetup (properly use versioned symbols)
+ * Add crypt_log library function.
+ * Add CRYPT_ prefix to enum defined in libcryptsetup.h.
+ * Move duplicate Command failed message to verbose level (error is printed always).
+ * Fix several problems in build system
+ * use autopoint and clean gettext processing.
+ * Check in configure if selinux libraries are required in static version.
+ * Fix build for non-standard location of gcrypt library.
+ * Add temporary debug code to find processes locking internal device.
+ * Fix error handling during reading passphrase.
+ * Fail passphrase read if piped input no longer exists.
+ * Fix man page to not require --size which expands to device size by default.
+ * Clean up Makefiles and configure script.
+ * Try to read first sector from device to properly check that device is ready.
+ * Move memory locking and dm initialization to command layer.
+ * Increase priority of process if memory is locked.
+ * Add log macros and make logging more consistent.
+ * Keyfile now must be provided by path, only stdin file descriptor is used (api only).
+ * Do not call isatty() on closed keyfile descriptor.
+ * Move key slot manipulation function into LUKS specific code.
+ * Replace global options struct with separate parameters in helper functions.
+ * Implement old API calls using new functions.
+ * Allow using passphrase provided in options struct for LuksOpen.
+ * Allow restrict keys size in LuksOpen.
+ * Fix errors when compiled with LUKS_DEBUG.
+ * Print error when getline fails.
+ * Completely remove internal SHA1 implementation code, not needed anymore.
+ * Pad luks header to 512 sector size.
+ * Rework read/write blockwise to not split operation to many pieces.
+ * Use posix_memalign if available.
+ * Fix segfault if provided slot in luksKillslot is invalid.
+ * Remove unneeded timeout when remove of temporary device succeeded.
diff --git a/docs/v1.1.1-ReleaseNotes b/docs/v1.1.1-ReleaseNotes
new file mode 100644
index 0000000..e85107c
--- /dev/null
+++ b/docs/v1.1.1-ReleaseNotes
@@ -0,0 +1,47 @@
+Cryptsetup 1.1.1 Release Notes
+==============================
+
+Changes since version 1.1.1-rc2
+* Fix luksClose error if underlying device is LVM logical volume.
+
+Changes since version 1.1.1-rc1
+* Fix automatic dm-crypt module loading.
+
+Changes since version 1.1.0
+
+Important changes:
+~~~~~~~~~~~~~~~~~~
+
+* Detects and use device-mapper udev support if available.
+
+ This should allow synchronisation with udev rules and avoid races with udev.
+
+ If package maintainer want to use old, direct libdevmapper device node creation,
+ use configure option --disable-udev.
+
+* Supports device topology detection for data alignment.
+
+ If kernel provides device topology ioctl calls, the LUKS data area
+ alignment is automatically set to optimal value.
+
+ This means that stacked devices (like LUKS over MD/LVM)
+ should use the most optimal data alignment.
+
+ (You can still overwrite this calculation using --align-payload option.)
+
+* Prefers some device paths in status display.
+ (So status command will try to find top level device name, like /dev/sdb.)
+
+* Fix package config file to use proper package version.
+
+Other changes:
+~~~~~~~~~~~~~~
+* Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
+* Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
+* Properly initialise crypto backend in header backup/restore commands.
+* Do not verify unlocking passphrase in luksAddKey command.
+* Allow no hash specification in plain device constructor - user can provide volume key directly.
+* Try to use pkgconfig for device mapper library in configuration script.
+* Add some compatibility checks and disable LUKS suspend/resume if not supported.
+* Rearrange tests, "make check" now run all available test for package.
+* Avoid class C++ keyword in library header.
diff --git a/docs/v1.1.2-ReleaseNotes b/docs/v1.1.2-ReleaseNotes
new file mode 100644
index 0000000..9931f05
--- /dev/null
+++ b/docs/v1.1.2-ReleaseNotes
@@ -0,0 +1,33 @@
+== Cryptsetup 1.1.2 Release Notes ==
+
+This release fixes a regression (introduced in 1.1.1 version) in handling
+key files containing new line characters (affects only files read from
+standard input).
+
+Cryptsetup can accept passphrase on stdin (standard input).
+
+Handling of new line (\n) character is defined by input specification:
+
+ * if keyfile is specified as "-" (using --key-file=- of by "-" positional argument
+ in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action>),
+ input is processed as normal binary file and no new line is interpreted.
+
+ * if there is no key file specification (with default input from stdin pipe
+ like echo passphrase | cryptsetup <action>) input is processed as input from terminal,
+ reading will stop after new line is detected.
+
+Moreover, luksFormat now understands --key-file (in addition to positional key
+file argument).
+
+N.B. Using of standard input and pipes for passphrases should be avoided if possible,
+cryptsetup have no control of used pipe buffers between commands in scripts and cannot
+guarantee that all passphrase/key-file buffers are properly wiped after use.
+
+=== changes since version 1.1.1 ===
+
+ * Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+ * Support --key-file/-d option for luksFormat.
+ * Fix description of --key-file and add --verbose and --debug options to man page.
+ * Add verbose log level and move unlocking message there.
+ * Remove device even if underlying device disappeared (remove, luksClose).
+ * Fix (deprecated) reload device command to accept new device argument.
diff --git a/docs/v1.1.3-ReleaseNotes b/docs/v1.1.3-ReleaseNotes
new file mode 100644
index 0000000..94ee73e
--- /dev/null
+++ b/docs/v1.1.3-ReleaseNotes
@@ -0,0 +1,13 @@
+== Cryptsetup 1.1.3 Release Notes ==
+
+=== changes since version 1.1.2 ===
+
+* Fix device alignment ioctl calls parameters.
+ (Device alignment code was not working properly on some architectures like ppc64.)
+
+* Fix activate_by_* API calls to handle NULL device name as documented.
+ (To enable check of passphrase/keyfile using libcryptsetup without activating the device.)
+
+* Fix udev support for old libdevmapper with not compatible definition.
+
+* Added Polish translation file.
diff --git a/docs/v1.2.0-ReleaseNotes b/docs/v1.2.0-ReleaseNotes
new file mode 100644
index 0000000..f3061d9
--- /dev/null
+++ b/docs/v1.2.0-ReleaseNotes
@@ -0,0 +1,126 @@
+Cryptsetup 1.2.0 Release Notes
+==============================
+
+Changes since version 1.2.0-rc1
+
+ * Fix crypt_activate_by_keyfile() to work with PLAIN devices.
+ * Fix plain create command to properly handle keyfile size.
+ * Update translations.
+
+Changes since version 1.1.3
+
+Important changes
+~~~~~~~~~~~~~~~~~
+
+ * Add text version of *FAQ* (Frequently Asked Questions) to distribution.
+
+ * Add selection of random/urandom number generator for luksFormat
+ (option --use-random and --use-urandom).
+
+ (This affects only long term volume key in *luksFormat*,
+ not RNG used for salt and AF splitter).
+
+ You can also set the default to /dev/random during compilation with
+ --enable-dev-random. Compiled-in default is printed in --help output.
+
+ Be very careful before changing default to blocking /dev/random use here.
+
+ * Fix *luksRemoveKey* to not ask for remaining keyslot passphrase,
+ only for removed one.
+
+ * No longer support *luksDelKey* (replaced with luksKillSlot).
+ * if you want to remove particular passphrase, use *luksKeyRemove*
+ * if you want to remove particular keyslot, use *luksKillSlot*
+
+ Note that in batch mode *luksKillSlot* allows removing of any keyslot
+ without question, in normal mode requires passphrase or keyfile from
+ other keyslot.
+
+ * *Default alignment* for device (if not overridden by topology info)
+ is now (multiple of) *1MiB*.
+ This reflects trends in storage technologies and aligns to the same
+ defaults for partitions and volume management.
+
+ * Allow explicit UUID setting in *luksFormat* and allow change it later
+ in *luksUUID* (--uuid parameter).
+
+ * All commands using key file now allows limited read from keyfile using
+ --keyfile-size and --new-keyfile-size parameters (in bytes).
+
+ This change also disallows overloading of --key-size parameter which
+ is now exclusively used for key size specification (in bits.)
+
+ * *luksFormat* using pre-generated master key now properly allows
+ using key file (only passphrase was allowed prior to this update).
+
+ * Add --dump-master-key option for *luksDump* to perform volume (master)
+ key dump. Note that printed information allows accessing device without
+ passphrase so it must be stored encrypted.
+
+ This operation is useful for simple Key Escrow function (volume key and
+ encryption parameters printed on paper on safe place).
+
+ This operation requires passphrase or key file.
+
+ * The reload command is no longer supported.
+ (Use dmsetup reload instead if needed. There is no real use for this
+ function except explicit data corruption:-)
+
+ * Cryptsetup now properly checks if underlying device is in use and
+ disallows *luksFormat*, *luksOpen* and *create* commands on open
+ (e.g. already mapped or mounted) device.
+
+ * Option --non-exclusive (already deprecated) is removed.
+
+Libcryptsetup API additions:
+
+ * new functions
+ * crypt_get_type() - explicit query to crypt device context type
+ * crypt_resize() - new resize command using context
+ * crypt_keyslot_max() - helper to get number of supported keyslots
+ * crypt_get_active_device() - get active device info
+ * crypt_set/get_rng_type() - random/urandom RNG setting
+ * crypt_set_uuid() - explicit UUID change of existing device
+ * crypt_get_device_name() - get underlying device name
+
+ * Fix optional password callback handling.
+
+ * Allow to activate by internally cached volume key immediately after
+ crypt_format() without active slot (for temporary devices with
+ on-disk metadata)
+
+ * libcryptsetup is binary compatible with 1.1.x release and still
+ supports legacy API calls
+
+ * cryptsetup binary now uses only new API calls.
+
+ * Static compilation of both library (--enable-static) and cryptsetup
+ binary (--enable-static-cryptsetup) is now properly implemented by common
+ libtool logic.
+
+ Prior to this it produced miscompiled dynamic cryptsetup binary with
+ statically linked libcryptsetup.
+
+ The static binary is compiled as src/cryptsetup.static in parallel
+ with dynamic build if requested.
+
+Other changes
+~~~~~~~~~~~~~
+ * Fix default plain password entry from terminal in activate_by_passphrase.
+ * Initialize volume key from active device in crypt_init_by_name()
+ * Fix cryptsetup binary exit codes.
+ 0 - success, otherwise fail
+ 1 - wrong parameters
+ 2 - no permission
+ 3 - out of memory
+ 4 - wrong device specified
+ 5 - device already exists or device is busy
+ * Remove some obsolete info from man page.
+ * Add more regression tests for commands.
+ * Fix possible double free when handling master key file.
+ * Fix pkg-config use in automake scripts.
+ * Wipe iteration and salt after luksKillSlot in LUKS header.
+ * Rewrite file differ test to C (and fix it to really work).
+ * Do not query non-existent device twice (cryptsetup status /dev/nonexistent).
+ * Check if requested hash is supported before writing LUKS header.
+ * Fix problems reported by clang scan-build.
diff --git a/docs/v1.3.0-ReleaseNotes b/docs/v1.3.0-ReleaseNotes
new file mode 100644
index 0000000..9ba8a3b
--- /dev/null
+++ b/docs/v1.3.0-ReleaseNotes
@@ -0,0 +1,101 @@
+Cryptsetup 1.3.0 Release Notes
+==============================
+
+Changes since version 1.2.0
+
+Important changes
+~~~~~~~~~~~~~~~~~
+ * Several userspace crypto backends support
+
+ cryptsetup now supports generic crypto backend interface which allows
+ compile package with various crypto libraries, these are already implemented:
+
+ * gcrypt (default, used in previous versions)
+ * OpenSSL
+ * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
+ * kernel userspace API (provided by kernel 2.6.38 and above)
+ (Note that kernel userspace backend is very slow for this type of operation.
+ But it can be usefull for embedded systems, because you can avoid userspace
+ crypto library completely.)
+
+ Backend is selected during configure time, using --with-crypto_backend option.
+
+ configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]
+
+ Note that performance checked (iterations) in LUKS header will cause that
+ real iteration time will differ with different backends.
+ (There are huge differences in speed between libraries.)
+
+ * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
+ argument is file and not plain device.
+
+ This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).
+
+ You can see backing file in cryptsetup status output if underlying device is loopback.
+
+ * Introduce maximum default keyfile size, add configure option, visible in --help.
+
+ Cryptsetup now fails if read from keyfile exceeds internal limit.
+ You can always specify keyfile size (overrides limit) by using --keyfile-size option.
+
+ * Adds luksChangeKey command
+
+ cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X]
+ cryptestup luksChangeKey [--key-slot X] (for passphrase change)
+
+ This command allows passphrase/keyfile change in one step. If no key slot is
+ specified (and there is still free key slot on device) new slot is allocated before
+ the old is purged.
+
+ If --key-slot option is specified (or there is no free slot) command will overwrite
+ existing slot.
+ WARNING: Be sure you have another slot active or header backup when using explicit
+ key slot (so you can unlock the device even after possible media failure).
+
+ * Adds compatible support for loop-AES encryption type in loopaesOpen command.
+
+ Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
+ (including multi-key and special CBC mode, all three modes are supported).
+
+ If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
+ access loop-AES volume using
+ cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>
+
+ If you are using GPG encrypted keyfile
+ gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>
+
+ Do not forget to specify key size. Version and hash is automatically detected
+ according to number of lines in key file. For special configuration you can
+ override IV sector offset using --skip option, device offset with --offset
+ and hash algorithm using --hash, see man page for details.
+
+ Please note that loopAES dm-crypt mode is provided for compatibility reasons
+ (so you do not need to patch kernel and util-linux to map existing volumes)
+ but it is not, and never will be, optimized for speed.
+ It is experimental feature for now.
+
+ * Require the whole key read from keyfile in create command (regression in 1.2.0).
+
+ * WARNING: This is the last cryptsetup release which supports library with
+ old API (using struct crypt_options).
+ These calls are deprecated since 1.1.0 and AFAIK no application
+ is using it in recent distros. Removing compatible code will allow
+ new features to be implemented easily.
+
+Other changes
+~~~~~~~~~~~~~
+ * Lock memory also in luksDump command.
+ * Fix return code when passphrase is read from pipe.
+ * Increase libcryptsetup version (loopAES change), still fully backward compatible.
+ * Fixes static build (--disable-static-cryptsetup now works properly).
+ * Supports secure data flag for device-mapper ioctl (will be in 2.6.39,
+ forcing kernel to wipe all ioctl buffers with possible key data).
+ To enable this flag you need new device-mapper library, in LVM2 2.02.84.
+ * Add copyright texts into some files and adds GPL exception allowing
+ to distribute resulting binaries linked with OpenSSL.
+ * Update FAQ.
+ * Fix message when locking memory fails.
+ * Fix luksAddKey return code if master key is used.
+ * Update some text files in distributions.
+ * Add docs directory with Release Notes archive.
+ * Do not hardcode loopback device name in tests, use internal loopback library.
diff --git a/docs/v1.3.1-ReleaseNotes b/docs/v1.3.1-ReleaseNotes
new file mode 100644
index 0000000..8b2d1dd
--- /dev/null
+++ b/docs/v1.3.1-ReleaseNotes
@@ -0,0 +1,14 @@
+Cryptsetup 1.3.1 Release Notes
+==============================
+
+Changes since version 1.3.0
+
+ * Fix keyfile=- processing in create command (regression in 1.3.0).
+
+ * Simplify device path status check (use /sys and do not scan /dev).
+
+ * Do not ignore device size argument for create command (regression in 1.2.0).
+
+ * Fix error paths in blockwise code and lseek_write call.
+
+ * Add optional Nettle crypto backend support.
diff --git a/docs/v1.4.0-ReleaseNotes b/docs/v1.4.0-ReleaseNotes
new file mode 100644
index 0000000..6a176d4
--- /dev/null
+++ b/docs/v1.4.0-ReleaseNotes
@@ -0,0 +1,131 @@
+Cryptsetup 1.4.0 Release Notes
+==============================
+
+Changes since version 1.3.1
+
+Important changes
+~~~~~~~~~~~~~~~~~
+
+WARNING: This release removes old deprecated API from libcryptsetup
+ (all functions using struct crypt_options).
+
+ This require libcrypsetup version change and
+ rebuild of applications using cryptsetup library.
+ All new API symbols are backward compatible.
+
+* If device is not rotational disk, cryptsetup no longer tries
+ to wipe keyslot with Gutmann algorithm for magnetic media erase
+ but simply rewrites area once by random data.
+
+* The on-disk LUKS header can now be detached (e.g. placed on separate
+ device or in file) using new --header option.
+
+ This option is only relevant for LUKS devices and can be used in
+ luksFormat, luksOpen, luksSuspend, luksResume and resize commands.
+
+ If used with luksFormat the --align-payload option is taken
+ as absolute sector alignment on ciphertext device and can be zero.
+
+ Example:
+ Create LUKS device with ciphertext device on /dev/sdb and header
+ on device /dev/sdc. Use all space on /dev/sdb (no reserved area for header).
+
+ cryptsetup luksFormat /dev/sdb --header /dev/sdc --align-payload 0
+
+ Activate such device:
+ cryptsetup luksOpen /dev/sdb --header /dev/sdc test_disk
+
+ You can use file for LUKS header (loop device will be used while
+ manipulating with such detached header), just you have to create
+ large enough file in advance.
+
+ dd if=/dev/zero of=/mnt/luks_header bs=1M count=4
+ cryptsetup luksFormat /dev/sdb --header /mnt/luks_header --align-payload 0
+
+ Activation is the same as above.
+
+ cryptsetup luksOpen /dev/sdb --header /mnt/luks_header test_disk
+
+ All keyslot operations need to be run on _header_ not on ciphertext device,
+ an example:
+
+ cryptsetup luksAddKey /mnt/luks_header
+
+ If you do not use --align-payload 0, you can later restore LUKS header
+ on device itself (and use it as normal LUKS device without detached header).
+
+ WARNING: There is no possible check that specified ciphertext device
+ matches detached on-disk header. Use with care, it can destroy
+ your data in case of a mistake.
+
+ WARNING: Storing LUKS header in a file means that anti-forensic splitter
+ cannot properly work (there is filesystem allocation layer between
+ header and disk).
+
+* Support --allow-discards option to allow discards/TRIM requests.
+
+ Since kernel 3.1, dm-crypt devices optionally (not by default) support
+ block discards (TRIM) commands.
+ If you want to enable this operation, you have to enable it manually
+ on every activation using --allow-discards
+
+ cryptsetup luksOpen --allow-discards /dev/sdb test_disk
+
+ WARNING: There are several security consequences, please read at least
+ http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
+ before you enable it.
+
+* Add --shared option for creating non-overlapping crypt segments.
+
+ The --shared options checks that mapped segments are not overlapping
+ and allows non-exclusive access to underlying device.
+ Only plain crypt devices can be used in this mode.
+
+ Example - map 64M of device disk and following 32 M area as another disk.
+
+ cryptsetup create outer_disk /dev/sdb --offset 0 --size 65536
+ cryptsetup create inner_disk /dev/sdb --offset 65536 --size 32768 --shared
+
+ (It can be used to simulate trivial hidden disk concepts.)
+
+libcryptsetup API changes:
+ * Added options to suport detached metadata device
+ crypt_init_by_name_and_header()
+ crypt_set_data_device()
+ * Add crypt_last_error() API call.
+ * Fix plain crypt format parameters to include size option.
+ * Add crypt_get_iv_offset() function.
+
+ * Remove old API functions (all functions using crypt_options).
+
+* Support key-slot option for luksOpen (use only explicit keyslot).
+
+ You can now specify key slot in luksOpen and limit checking
+ only to specified slot.
+
+* Support retries and timeout parameters for luksSuspend.
+ (The same way as in luksOpen.)
+
+* Add doxygen-like documentation (it will be available on project page later).
+ (To generate it manually run doxygen in docs directory.)
+
+Other changes
+~~~~~~~~~~~~~
+* Fix crypt_load to properly check device size.
+* Do not allow context format of already formatted device.
+* Do not allow key retrieval while suspended (key could be wiped).
+* Do not allow suspend for non-LUKS devices.
+* Fix luksKillSLot exit code if slot is inactive or invalid.
+* Fix exit code if passphrases do not match in luksAddKey.
+* Fix return code for status command when device doesn't exists.
+* Fix verbose messages in isLuks command.
+* Support Nettle 2.4 crypto backend (supports ripemd160).
+* Add LUKS on-disk format description into package.
+* Enhance check of device size before writing LUKS header.
+* Add more paranoid checks for LUKS header and keyslot attributes.
+* Use new /dev/loop-control (kernel 3.1) if possible.
+* Remove hash/hmac restart from crypto backend and make it part of hash/hmac final.
+* Improve check for invalid offset and size values.
+* Revert default initialisation of volume key in crypt_init_by_name().
+* Add more regression tests.
+* Add some libcryptsetup example files (see docs/examples).
diff --git a/docs/v1.4.1-ReleaseNotes b/docs/v1.4.1-ReleaseNotes
new file mode 100644
index 0000000..ea68cb8
--- /dev/null
+++ b/docs/v1.4.1-ReleaseNotes
@@ -0,0 +1,25 @@
+Cryptsetup 1.4.1 Release Notes
+==============================
+
+Changes since version 1.4.0
+
+* Merge experimental Python cryptsetup (pycryptsetup) binding.
+
+ This option is disabled by default, you can enable build of Python binding
+ with --enable--python configure switch.
+
+ Note that binding currently covers only partial libcryptsetup functions,
+ mainly LUKS device handling needed for Anaconda installer.
+ Until now provided separately as python-cryptsetup.
+ Thanks to Martin Sivak for the code.
+
+ See python subdirectory for more info.
+
+ Python binding code is experimental for now, no stable API guarantee.
+
+* Fix crypt_get_volume_key_size() for plain device.
+ (cryptsetup status reported zero key size for plain crypt devices).
+
+* Fix typo in set_iteration_time API call (old name remains for compatibility reasons).
+
+* Fix FSF address in license and add LGPL license text.
diff --git a/docs/v1.4.2-ReleaseNotes b/docs/v1.4.2-ReleaseNotes
new file mode 100644
index 0000000..9dbeb46
--- /dev/null
+++ b/docs/v1.4.2-ReleaseNotes
@@ -0,0 +1,44 @@
+Cryptsetup 1.4.2 Release Notes
+==============================
+
+Changes since version 1.4.1
+
+* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
+ These options can be used to skip start of keyfile or device used as keyfile.
+
+* Add repair command and crypt_repair() for known LUKS metadata problems repair.
+
+ Some well-known LUKS metadata corruptions are easy to repair, this
+ command should provide a way to fix these problems.
+
+ Always create binary backup of header device before running repair,
+ (only 4kB - visible header) for example by using dd:
+ dd if=/dev/<LUKS header device> of=repair_bck.img bs=1k count=4
+
+ Then you can try to run repair:
+ cryptsetup repair <device>
+
+ Note, not all problems are possible to repair and if keyslot or some header
+ parameters are overwritten, device is lost permanently.
+
+* Fix header check to support old (cryptsetup 1.0.0) header alignment.
+ (Regression in 1.4.0)
+
+* Allow to specify --align-payload only for luksFormat.
+
+* Add --master-key-file option to luksOpen (open using volume key).
+
+* Support UUID=<LUKS_UUID> format for device specification.
+ You can open device by UUID (only shortcut to /dev/disk/by-uuid/ symlinks).
+
+* Support password verification with quiet flag if possible. (1.2.0)
+ Password verification can be still possible if input is terminal.
+
+* Fix retry if entered passphrases (with verify option) do not match.
+ (It should retry if requested, not fail.)
+
+* Fix use of empty keyfile.
+
+* Fix error message for luksClose and detached LUKS header.
+
+* Allow --header for status command to get full info with detached header.
diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes
new file mode 100644
index 0000000..f084e06
--- /dev/null
+++ b/docs/v1.4.3-ReleaseNotes
@@ -0,0 +1,62 @@
+Cryptsetup 1.4.3 Release Notes
+==============================
+
+Changes since version 1.4.2
+
+* Fix readonly activation if underlying device is readonly (1.4.0).
+
+* Fix loop mapping on readonly file.
+
+* Include stddef.h in libdevmapper.h (size_t definition).
+
+* Fix keyslot removal for device with 4k hw block (1.4.0).
+(Wipe keyslot failed in this case.)
+
+* Relax --shared flag to allow mapping even for overlapping segments.
+
+ The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able
+ to map arbitrary overlapping area. From API it is even usable
+ for LUKS devices.
+ It is user responsibility to not cause data corruption though.
+
+ This allows e.g. scubed to work again and also allows some
+ tricky extensions later.
+
+* Allow empty cipher (cipher_null) for testing.
+
+ You can now use "null" (or directly cipher_null-ecb) in cryptsetup.
+ This means no encryption, useful for performance tests
+ (measure dm-crypt layer overhead).
+
+* Switch on retry on device remove for libdevmapper.
+ Device-mapper now retry removal if device is busy.
+
+* Allow "private" activation (skip some udev global rules) flag.
+ Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
+ which means that some udev rules are not processed.
+ (Used for temporary devices, like internal keyslot mappings where
+ it is not desirable to run any device scans.)
+
+* This release also includes some Red Hat/Fedora specific extensions
+related to FIPS140-2 compliance.
+
+In fact, all these patches are more formal changes and are just subset
+of building blocks for FIPS certification. See FAQ for more details
+about FIPS.
+
+FIPS extensions are enabled by using --enable-fips configure switch.
+
+In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode)
+
+ - it provides library and binary integrity verification using
+ libfipscheck (requires pre-generated checksums)
+
+ - it uses FIPS approved RNG for encryption key and salt generation
+ (note that using /dev/random is not formally FIPS compliant RNG).
+
+ - only gcrypt crypto backend is currently supported in FIPS mode.
+
+The FIPS RNG requirement for salt comes from NIST SP 800-132 recommendation.
+(Recommendation for Password-Based Key Derivation. Part 1: Storage Applications.
+http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
+LUKS should be aligned to this recommendation otherwise.
diff --git a/docs/v1.5.0-ReleaseNotes b/docs/v1.5.0-ReleaseNotes
new file mode 100644
index 0000000..16a34cb
--- /dev/null
+++ b/docs/v1.5.0-ReleaseNotes
@@ -0,0 +1,241 @@
+Cryptsetup 1.5.0 Release Notes
+==============================
+
+This release covers mainly inclusion of:
+
+ * Veritysetup tool (and related libcryptsetup extensions for dm-verity).
+
+ * Experimental cryptsetup-reencrypt tool (LUKS offline reencryption).
+
+Changes since version 1.5.0-rc2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Add --device-size option for reencryption tool.
+
+ * Switch to use unit suffix for --reduce-device-size option.
+
+ * Remove open device debugging feature (no longer needed).
+
+ * Fix library name for FIPS check.
+
+ * Add example of using reencryption inside dracut (see misc/dracut).
+
+Changes since version 1.5.0-rc1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
+
+! cryptsetup-reencrypt tool is EXPERIMENTAL
+! ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL
+
+This tool tries to simplify situation when you need to re-encrypt the whole
+LUKS device in situ (without need to move data elsewhere).
+
+This can happen for example when you want to change volume (master) key,
+encryption algorithm, or other encryption parameter.
+
+Cryptsetup-reencrypt can even optionally shift data on device
+(reducing data device size - you need some free space at the end of device).
+
+In general, cryptsetup-reencrypt can be used to
+
+ - re-generate volume key
+ - change arbitrary encryption parameters
+ - add encryption to not yet encrypted drive
+
+Side effect of reencryption is that final device will contain
+only ciphertext (for all sectors) so even if device was not properly
+wiped by random data, after reencryption you cannot distinguish
+which sectors are used.
+(Reecryption is done always for the whole device.)
+
+There are for sure bugs, please TEST IT IN TEST ENVIRONMENT before
+use for your data.
+
+This tool is not resistant to HW and kernel failures - hw crash
+will cause serious data corruption.
+
+You can enable compilation of this tool with --enable-cryptsetup-reencrypt
+configure option (it is switched off by default).
+(Tool requires libcryptsetup 1.4.3 and later.)
+
+You have to provide all keyslot passphrases or use --keyslot-option
+(then all other keyslots will be disabled).
+
+EXAMPLES (from man page)
+
+Reencrypt /dev/sdb1 (change volume key)
+ # cryptsetup-reencrypt /dev/sdb1
+
+Reencrypt and also change cipher and cipher mode
+ # cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64
+
+ Note: if you are changing key size, there must be enough space
+ for keyslots in header or you have to use --reduce-device size and
+ reduce fs in advance.
+
+Add LUKS encryption to not yet encrypted device
+ First, be sure you have space added to disk.
+ Or, alternatively, shrink filesystem in advance.
+
+ Here we need 4096 512-bytes sectors (enough for 2x128 bit key).
+
+ # fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors
+
+ # cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096
+
+There are some options which can improve performance (depends on system),
+namely --use-directio (use direct IO for all operations) can be faster
+on some systems. See man page.
+
+Progress and estimated time is printed during reencryption.
+
+You can suspend reencryption (using ctrl+c or term signal).
+To continue reencryption you have to provide only
+the device parameter (offset is stored in temporary log file).
+
+Please note LUKS device is marked invalid during reencryption and
+you have to retain tool temporary files until reencryption finishes.
+
+Temporary files are LUKS-<uuid>.[log|org|new]
+
+Other changes
+~~~~~~~~~~~~~
+
+ * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
+
+ * Add --test-passphrase option for luksOpen (check passphrase only).
+
+ * Fix parsing of hexadecimal string (salt or root hash) in veritysetup.
+
+Changes since version 1.4.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Introduce veritysetup tool for dm-verity target management.
+
+The dm-verity device-mapper target was added to Linux kernel 3.4 and
+provides transparent integrity checking of block devices using a cryptographic
+digest provided by the kernel crypto API. This target is read-only.
+
+It is meant to be setup as part of a verified boot path (it was originally
+developed by Chrome OS authors as part of verified boot infrastructure).
+
+For deeper description please see http://code.google.com/p/cryptsetup/wiki/DMVerity
+and kernel dm-verity documentation.
+
+The libcryptsetup library was extended to support manipulation
+with dm-verity kernel module and new veritysetup CLI tool is added.
+
+There are no additional library requirements (it uses the same crypto
+backend as cryptsetup).
+
+If you want compile cryptsetup without veritysetup tool,
+use --disable-veritysetup configure option.
+For other configuration option see configure --help and veritysetup --help
+(e.g. default parameters).
+
+Supported libcryptsetup functions new CRYPT_VERITY type:
+ crypt_init
+ crypt_init_by_name
+ crypt_set_data device
+ crypt_get_type
+ crypt_format
+ crypt_load
+ crypt_get_active_device
+ crypt_activate_by_volume_key (volume key == root hash here)
+ crypt_dump
+and new introduced function
+ crypt_get_verity_info
+
+Please see comments in libcryptsetup.h and veritysetup.c as an code example
+how to use CRYPT_VERITY API.
+
+The veritysetup tool supports these operations:
+
+ veritysetup format <data_device> <hash_device>
+ Formats <hash_device> (calculates all hash areas according to <data_device>).
+ This is initial command to prepare device <hash_device> for later verification.
+
+ veritysetup create <name> <data_device> <hash_device> <root_hash>
+ Creates (activates) a dm-verity mapping with <name> backed by device <data_device>
+ and using <hash_device> for in-kernel verification.
+
+ veritysetup verify <data_device> <hash_device> <root_hash>
+ Verifies data in userspace (no kernel device is activated).
+
+ veritysetup remove <name>
+ Removes activated device from kernel (similar to dmsetup remove).
+
+ veritysetup status <name>
+ Reports status for the active kernel dm-verity device.
+
+ veritysetup dump <hash_device>
+ Reports parameters of verity device from on-disk stored superblock.
+
+For more info see veritysetup --help and veritysetup man page.
+
+Other changes
+~~~~~~~~~~~~~
+
+ * Both data and header device can now be a file and
+ loop device is automatically allocated.
+
+ * Require only up to last keyslot area for header device, previously
+ backup (and activation) required device/file of size up to data start
+ offset (data payload).
+
+ * Fix header backup and restore to work on files with large data offset.
+ Backup and restore now works even if backup file is smaller than data offset.
+
+Appendix: Examples of veritysetup use
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Format device using default parameters, info and final root hash is printed:
+ # veritysetup format /dev/sdb /dev/sdc
+ VERITY header information for /dev/sdc
+ UUID: fad30431-0c59-4fa6-9b57-732a90501f75
+ Hash type: 1
+ Data blocks: 52224
+ Data block size: 4096
+ Hash block size: 4096
+ Hash algorithm: sha256
+ Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9
+ Root hash: 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1
+
+ Activation of device in-kernel:
+ # veritysetup create vr /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1
+ Note - if device is corrupted, kernel mapping is created but will report failure:
+ Verity device detected corruption after activation.
+
+ Userspace verification:
+ # veritysetup verify /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1
+ Verification failed at position 8192.
+ Verification of data area failed.
+
+ Active device status report:
+ # veritysetup status vr
+ /dev/mapper/vr is active.
+ type: VERITY
+ status: verified
+ hash type: 1
+ data block: 4096
+ hash block: 4096
+ hash name: sha256
+ salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9
+ data device: /dev/sdb
+ size: 417792 sectors
+ mode: readonly
+ hash device: /dev/sdc
+ hash offset: 8 sectors
+
+ Dump of on-disk superblock information:
+ # veritysetup dump /dev/sdc
+ VERITY header information for /dev/sdc
+ UUID: fad30431-0c59-4fa6-9b57-732a90501f75
+ Hash type: 1
+ Data blocks: 52224
+ Data block size: 4096
+ Hash block size: 4096
+ Hash algorithm: sha256
+ Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9
+
+ Remove mapping:
+ # veritysetup remove vr
diff --git a/docs/v1.5.1-ReleaseNotes b/docs/v1.5.1-ReleaseNotes
new file mode 100644
index 0000000..7202a8c
--- /dev/null
+++ b/docs/v1.5.1-ReleaseNotes
@@ -0,0 +1,32 @@
+Cryptsetup 1.5.1 Release Notes
+==============================
+
+Changes since version 1.5.0
+
+* The libcryptsetup library now tries to initialize device-mapper backend and
+ loop devices only if they are really needed (lazy initializations).
+ This allows some operations to be run by a non-root user.
+
+ (Unfortunately LUKS header keyslot operations still require temporary dm-crypt
+ device and device-mapper subsystem is available only to superuser.)
+
+ Also clear error messages are provided if running as non-root user and
+ operation requires privileged user.
+
+* Veritysetup can be now used by a normal user for creating hash image to file
+ and also it can create hash image if doesn't exist.
+ (Previously it required pre-allocated space.)
+
+* Added crypt_keyslot_area() API call which allows external tools
+ to get exact keyslot offsets and analyse content.
+
+ An example of a tool that searches the keyslot area of a LUKS container
+ for positions where entropy is low and hence there is a high probability
+ of damage is in misc/kesylot_checker.
+ (Thanks to Arno Wagner for the code.)
+
+* Optimized seek to keyfile-offset if key offset is large.
+
+* Fixed luksHeaderBackup for very old v1.0 unaligned LUKS headers.
+
+* Various fixes for problems found by a several static analysis tools.
diff --git a/docs/v1.6.0-ReleaseNotes b/docs/v1.6.0-ReleaseNotes
new file mode 100644
index 0000000..fe8770d
--- /dev/null
+++ b/docs/v1.6.0-ReleaseNotes
@@ -0,0 +1,261 @@
+Cryptsetup 1.6.0 Release Notes
+==============================
+
+Changes since version 1.6.0-rc1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Change LUKS default cipher to to use XTS encryption mode,
+ aes-xts-plain64 (i.e. using AES128-XTS).
+
+ XTS mode becomes standard in hard disk encryption.
+
+ You can still use any old mode:
+ - compile cryptsetup with old default:
+ configure --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
+ - format LUKS device with old default:
+ cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 <device>
+
+
+ * Skip tests and fix error messages if running on old systems (or with old kernel).
+
+ * Rename configure.in to configure.ac and fix issues with new automake and pkgconfig
+ and --disable-kernel_crypto option to allow compilation with old kernel headers.
+
+ * Allow repair of 512 bits key header.
+
+ * Fix status of device if path argument is used and fix double path prefix
+ for non-existent device path.
+
+
+Changes since version 1.5.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Important changes
+~~~~~~~~~~~~~~~~~
+
+ * Cryptsetup and libcryptsetup is now released under GPLv2+
+ (GPL version 2 or any later).
+ Some internal code handling files (loopaes, verity, tcrypt
+ and crypto backend wrapper) are LGPLv2+.
+
+ Previously code was GPL version 2 only.
+
+
+ * Introducing new unified command open and close.
+
+ Example:
+ cryptsetup open --type plain|luks|loopaes|tcrypt <device> <name>
+ (type defaults to luks)
+
+ with backward-compatible aliases plainOpen, luksOpen, loopaesOpen,
+ tcryptOpen. Basically "open --type xyz" has alias "xyzOpen".
+
+ The "create" command (plain device create) is DEPRECATED but will
+ be still supported.
+ (This command is confusing because of switched arguments order.)
+
+ The close command is generic command to remove mapping and have
+ backward compatible aliases (remove, luksClose, ...) which behaves
+ exactly the same.
+
+ While all old syntax is still supported, I strongly suggest to use
+ new command syntax which is common for all device types (and possible
+ new formats added in future).
+
+
+ * cryptsetup now support directly TCRYPT (TrueCrypt and compatible tc-play)
+ on-disk format
+ (Code is independent implementation not related to original project).
+
+ Only dump (tcryptDump command) and activation (open --type tcrypt or tcryptOpen)
+ of TCRYPT device are supported. No header changes are supported.
+
+ It is intended to easily access containers shared with other operating systems
+ without need to install 3rd party software. For native Linux installations LUKS
+ is the preferred format.
+
+ WARNING: TCRYPT extension requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
+
+ Because TCRYPT header is encrypted, you have to always provide valid
+ passphrase and keyfiles. Keyfiles are handled exactly the same as in original
+ format (basically, first 1MB of every keyfile is mixed using CRC32 into pool).
+
+ Cryptsetup should recognize all TCRYPT header variants ever released, except
+ legacy cipher chains using LRW encryption mode with 64 bits encryption block
+ (namely Blowfish in LRW mode is not recognized, this is limitation of kernel
+ crypto API).
+
+ Device activation is supported only for LRW/XTS modes (again, limitation
+ of kernel dmcrypt which do not implements TCRYPT extensions to CBC mode).
+ (So old containers cannot be activated, but you can use libcryptsetup
+ for lost password search, example of such code is included in misc directory.)
+
+ Hidden header are supported using --tcrypt-hidden option, system encryption
+ using --tcrypt-system option.
+
+ For detailed description see man page.
+
+ EXAMPLE:
+ * Dump device parameters of container in file:
+
+ # cryptsetup tcryptDump tst
+ Enter passphrase:
+
+ TCRYPT header information for tst
+ Version: 5
+ Driver req.: 7
+ Sector size: 512
+ MK offset: 131072
+ PBKDF2 hash: sha512
+ Cipher chain: serpent-twofish-aes
+ Cipher mode: xts-plain64
+ MK bits: 1536
+
+ You can also dump master key using --dump-master-key.
+ Dump does not require superuser privilege.
+
+ * Activation of this container
+
+ # cryptsetup tcryptOpen tst tcrypt_dev
+ Enter passphrase:
+ (Chain of dmcrypt devices is activated as /dev/mapper/tcrypt_dev.)
+
+ * See status of active TCRYPT device
+
+ # cryptsetup status tcrypt_dev
+
+ /dev/mapper/tcrypt_dev is active.
+ type: TCRYPT
+ cipher: serpent-twofish-aes-xts-plain64
+ keysize: 1536 bits
+ device: /dev/loop0
+ loop: /tmp/tst
+ offset: 256 sectors
+ size: 65024 sectors
+ skipped: 256 sectors
+ mode: read/write
+
+ * And plaintext filesystem now ready to mount
+
+ # blkid /dev/mapper/tcrypt_dev
+ /dev/mapper/tcrypt_dev: SEC_TYPE="msdos" UUID="9F33-2954" TYPE="vfat"
+
+
+ * Add (optional) support for lipwquality for new LUKS passwords.
+
+ If password is entered through terminal (no keyfile specified)
+ and cryptsetup is compiled with --enable-pwquality, default
+ system pwquality settings are used to check password quality.
+
+ You can always override this check by using new --force-password option.
+
+ For more info about pwquality project see http://libpwquality.fedorahosted.org/
+
+
+ * Proper handle interrupt signals (ctrl+c and TERM signal) in tools
+
+ Code should now handle interrupt properly, release and explicitly wipe
+ in-memory key materials on interrupt.
+ (Direct users of libcryptsetup should always call crypt_free() when
+ code is interrupted to wipe all resources. There is no signal handling
+ in library, it is up to the tool using it.)
+
+
+ * Add new benchmark command
+
+ The "benchmark" command now tries to benchmark PBKDF2 and some block
+ cipher variants. You can specify you own parameters (--cipher/--key-size
+ for block ciphers, --hash for PBKDF2).
+
+ See man page for detailed description.
+
+ WARNING: benchmark command requires kernel userspace crypto API to be
+ available (introduced in Linux kernel 2.6.38).
+ If you are configuring kernel yourself, enable "User-space interface
+ for symmetric key cipher algorithms" in "Cryptographic API" section
+ (CRYPTO_USER_API_SKCIPHER .config option).
+
+ EXAMPLE:
+ # cryptsetup benchmark
+ # Tests are approximate using memory only (no storage IO).
+ PBKDF2-sha1 111077 iterations per second
+ PBKDF2-sha256 53718 iterations per second
+ PBKDF2-sha512 18832 iterations per second
+ PBKDF2-ripemd160 89775 iterations per second
+ PBKDF2-whirlpool 23918 iterations per second
+ # Algorithm | Key | Encryption | Decryption
+ aes-cbc 128b 212.0 MiB/s 428.0 MiB/s
+ serpent-cbc 128b 23.1 MiB/s 66.0 MiB/s
+ twofish-cbc 128b 46.1 MiB/s 50.5 MiB/s
+ aes-cbc 256b 163.0 MiB/s 350.0 MiB/s
+ serpent-cbc 256b 23.1 MiB/s 66.0 MiB/s
+ twofish-cbc 256b 47.0 MiB/s 50.0 MiB/s
+ aes-xts 256b 190.0 MiB/s 190.0 MiB/s
+ serpent-xts 256b 58.4 MiB/s 58.0 MiB/s
+ twofish-xts 256b 49.0 MiB/s 49.5 MiB/s
+ aes-xts 512b 175.0 MiB/s 175.0 MiB/s
+ serpent-xts 512b 59.0 MiB/s 58.0 MiB/s
+ twofish-xts 512b 48.5 MiB/s 49.5 MiB/s
+
+ Or you can specify cipher yourself:
+ # cryptsetup benchmark --cipher cast5-cbc-essiv:sha256 -s 128
+ # Tests are approximate using memory only (no storage IO).
+ # Algorithm | Key | Encryption | Decryption
+ cast5-cbc 128b 32.4 MiB/s 35.0 MiB/s
+
+ WARNING: these tests do not use dmcrypt, only crypto API.
+ You have to benchmark the whole device stack and you can get completely
+ different results. But is is usable for basic comparison.
+ (Note for example AES-NI decryption optimization effect in example above.)
+
+Features
+~~~~~~~~
+
+ * Do not maintain ChangeLog file anymore, see git log for detailed changes,
+ e.g. here http://code.google.com/p/cryptsetup/source/list
+
+ * Move change key into library, add crypt_keyslot_change_by_passphrase().
+ This change is useful mainly in FIPS mode, where we cannot
+ extract volume key directly from libcryptsetup.
+
+ * Add verbose messages during reencryption.
+
+ * Default LUKS PBKDF2 iteration time is now configurable.
+
+ * Add simple cipher benchmarking API.
+
+ * Add kernel skcipher backend.
+
+ * Add CRC32 implementation (for TCRYPT).
+
+ * Move PBKDF2 into crypto backend wrapper.
+ This allows use it in other formats, use library implementations and
+ also possible use of different KDF function in future.
+
+ * New PBKDF2 benchmark using getrusage().
+
+Fixes
+~~~~~
+
+ * Avoid O_DIRECT open if underlying storage doesn't support it.
+
+ * Fix some non-translated messages.
+
+ * Fix regression in header backup (1.5.1) with container in file.
+
+ * Fix blockwise read/write for end writes near end of device.
+ (was not used in previous versions)
+
+ * Ignore setpriority failure.
+
+ * Code changes to fix/ignore problems found by Coverity static analysis, including
+ - Get page size should never fail.
+ - Fix time of check/use (TOCTOU test) in tools
+ - Fix time of check/use in loop/wipe utils.
+ - Fix time of check/use in device utils.
+
+ * Disallow header restore if context is non-LUKS device.
diff --git a/docs/v1.6.1-ReleaseNotes b/docs/v1.6.1-ReleaseNotes
new file mode 100644
index 0000000..8fdc7d0
--- /dev/null
+++ b/docs/v1.6.1-ReleaseNotes
@@ -0,0 +1,32 @@
+Cryptsetup 1.6.1 Release Notes
+==============================
+
+Changes since version 1.6.0
+
+* Fix loop-AES keyfile parsing.
+ Loop-AES keyfile should be text keyfile, reject keyfiles which
+ are not properly terminated.
+
+* Fix passphrase pool overflow for too long TCRYPT passphrase.
+ (Maximal TCRYPT passphrase length is 64 characters.)
+
+* Return EPERM (translated to exit code 2) for too long TCRYPT passphrase.
+
+* Fix deactivation of device when failed underlying node disappeared.
+
+* Fix API deactivate call for TCRYPT format and NULL context parameter.
+
+* Improve keyslot checker example documentation.
+
+* Report error message if deactivation fails and device is still busy.
+
+* Make passphrase prompts more consistent (and remove "LUKS" form prompt).
+
+* Fix some missing headers (compilation failed with alternative libc).
+
+* Remove not functional API UUID support for plain & loopaes devices.
+ (not persistent activation UUID).
+
+* Properly cleanup devices on interrupt in api-test.
+
+* Support all tests run if kernel is in FIPS mode.
diff --git a/docs/v1.6.2-ReleaseNotes b/docs/v1.6.2-ReleaseNotes
new file mode 100644
index 0000000..192f4a6
--- /dev/null
+++ b/docs/v1.6.2-ReleaseNotes
@@ -0,0 +1,25 @@
+Cryptsetup 1.6.2 Release Notes
+==============================
+
+Changes since version 1.6.1
+
+* Print error and fail if more device arguments are present for isLuks command.
+
+* Fix cipher specification string parsing (found by gcc -fsanitize=address option).
+
+* Try to map TCRYPT system encryption through partition
+ (allows to activate mapping when other partition on the same device is mounted).
+
+* Print a warning if system encryption is used and device is a partition.
+ (TCRYPT system encryption uses whole device argument.)
+
+* Disallow explicit small payload offset for LUKS detached header.
+ LUKS detached header only allows data payload 0 (whole data device is used)
+ or explicit offset larger than header + keyslots size.
+
+* Fix boundary condition for verity device that caused failure for certain device sizes.
+
+* Various fixes to documentation, including update FAQ, default modes
+ and TCRYPT description.
+
+* Workaround for some recent changes in automake (serial-tests).
diff --git a/docs/v1.6.3-ReleaseNotes b/docs/v1.6.3-ReleaseNotes
new file mode 100644
index 0000000..24254b8
--- /dev/null
+++ b/docs/v1.6.3-ReleaseNotes
@@ -0,0 +1,50 @@
+Cryptsetup 1.6.3 Release Notes
+==============================
+
+Changes since version 1.6.2
+
+* Fix cryptsetup reencryption tool to work properly
+ with devices using 4kB sectors.
+
+* Always use page size if running through loop device,
+ this fixes failures for external LUKS header and
+ filesystem requiring 4kB block size.
+
+* Fix TCRYPT system encryption mapping for multiple partitions.
+ Since this commit, one can use partition directly as device parameter.
+ If you need to activate such partition from image in file,
+ please first use map partitioned loop device (losetup -P)
+ on image.
+ (Cryptsetup require partition offsets visible in kernel sysfs
+ in this mode.)
+
+* Support activation of old TrueCrypt containers using CBC mode
+ and whitening (created in TrueCrypt version < 4.1).
+ This requires Linux kernel 3.13 or later.
+ (Containers with cascade CBC ciphers are not supported.)
+
+* Properly display keys in dump --dump-master-key command
+ for TrueCrypt CBC containers.
+
+* Rewrite cipher benchmark loop which was unreliable
+ on very fast machines.
+
+* Add warning if LUKS device was activated using non-cryptsetup
+ library which did not set UUID properly (e.g. cryptmount).
+ (Some commands, like luksSuspend, are not available then.)
+
+* Support length limitation also for plain (no hash) length.
+ This can be used for mapping problematic cryptosystems which
+ wipes some key (losetup sometimes set last 32 byte to zero,
+ which can be now configured as --hash plain:31 parameter).
+
+* Fix hash limit if parameter is not a number.
+ (The whole key was set to zero instead of command failure.)
+
+* Unify --key-slot behavior in cryptsetup_reencrypt tool.
+
+* Update dracut example scripts for system reencryption on first boot.
+
+* Add command line option --tcrypt-backup to access TCRYPT backup header.
+
+* Fix static compilation with OpenSSL.
diff --git a/docs/v1.6.4-ReleaseNotes b/docs/v1.6.4-ReleaseNotes
new file mode 100644
index 0000000..ebc71cb
--- /dev/null
+++ b/docs/v1.6.4-ReleaseNotes
@@ -0,0 +1,57 @@
+Cryptsetup 1.6.4 Release Notes
+==============================
+
+Changes since version 1.6.3
+
+* Implement new erase (with alias luksErase) command.
+
+ The erase cryptsetup command can be used to permanently erase
+ all keyslots and make the LUKS container inaccessible.
+ (The only way to unlock such device is to use LUKS header backup
+ created before erase command was used.)
+
+ You do not need to provide any password for this operation.
+
+ This operation is irreversible.
+
+* Add internal "whirlpool_gcryptbug hash" for accessing flawed
+ Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above).
+
+ The gcrypt version of Whirlpool hash algorithm was flawed in some
+ situations.
+
+ This means that if you used Whirlpool in LUKS header and upgraded
+ to new gcrypt library your LUKS container become inaccessible.
+
+ Please refer to cryptsetup FAQ for detail how to fix this situation.
+
+* Allow to use --disable-gcrypt-pbkdf2 during configuration
+ to force use internal PBKDF2 code.
+
+* Require gcrypt 1.6.1 for imported implementation of PBKDF2
+ (PBKDF2 in gcrypt 1.6.0 is too slow).
+
+* Add --keep-key to cryptsetup-reencrypt.
+
+ This allows change of LUKS header hash (and iteration count) without
+ the need to reencrypt the whole data area.
+ (Reencryption of LUKS header only without master key change.)
+
+* By default verify new passphrase in luksChangeKey and luksAddKey
+ commands (if input is from terminal).
+
+* Fix memory leak in Nettle crypto backend.
+
+* Support --tries option even for TCRYPT devices in cryptsetup.
+
+* Support --allow-discards option even for TCRYPT devices.
+ (Note that this could destroy hidden volume and it is not suggested
+ by original TrueCrypt security model.)
+
+* Link against -lrt for clock_gettime to fix undefined reference
+ to clock_gettime error (introduced in 1.6.2).
+
+* Fix misleading error message when some algorithms are not available.
+
+* Count system time in PBKDF2 benchmark if kernel returns no self usage info.
+ (Workaround to broken getrusage() syscall with some hypervisors.)
diff --git a/docs/v1.6.5-ReleaseNotes b/docs/v1.6.5-ReleaseNotes
new file mode 100644
index 0000000..dc9f525
--- /dev/null
+++ b/docs/v1.6.5-ReleaseNotes
@@ -0,0 +1,54 @@
+Cryptsetup 1.6.5 Release Notes
+==============================
+
+Changes since version 1.6.4
+
+* Allow LUKS header operation handling without requiring root privilege.
+ It means that you can manipulate with keyslots as a regular user, only
+ write access to device (or image) is required.
+
+ This requires kernel crypto wrapper (similar to TrueCrypt device handling)
+ to be available (CRYPTO_USER_API_SKCIPHER kernel option).
+ If this kernel interface is not available, code fallbacks to old temporary
+ keyslot device creation (where root privilege is required).
+
+ Note that activation, deactivation, resize and suspend operations still
+ need root privilege (limitation of kernel device-mapper backend).
+
+* Fix internal PBKDF2 key derivation function implementation for alternative
+ crypto backends (kernel, NSS) which do not support PBKDF2 directly and have
+ issues with longer HMAC keys.
+
+ This fixes the problem for long keyfiles where either calculation is too slow
+ (because of internal rehashing in every iteration) or there is a limit
+ (kernel backend seems to not support HMAC key longer than 20480 bytes).
+
+ (Note that for recent version of gcrypt, nettle or openssl the internal
+ PBKDF2 code is not compiled in and crypto library internal functions are
+ used instead.)
+
+* Support for Python3 for simple Python binding.
+ Python >= 2.6 is now required. You can set Python compiled version by setting
+ --with-python_version configure option (together with --enable-python).
+
+* Use internal PBKDF2 in Nettle library for Nettle crypto backend.
+ Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend).
+
+* Allow simple status of crypt device without providing metadata header.
+ The command "cryptsetup status" will print basic info, even if you
+ do not provide detached header argument.
+
+* Allow to specify ECB mode in cryptsetup benchmark.
+
+* Add some LUKS images for regression testing.
+ Note that if image with Whirlpool fails, the most probable cause is that
+ you have old gcrypt library with flawed whirlpool hash.
+ Read FAQ section 8.3 for more info.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function trhough crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
diff --git a/docs/v1.6.6-ReleaseNotes b/docs/v1.6.6-ReleaseNotes
new file mode 100644
index 0000000..9d1fbee
--- /dev/null
+++ b/docs/v1.6.6-ReleaseNotes
@@ -0,0 +1,29 @@
+Cryptsetup 1.6.6 Release Notes
+==============================
+
+Changes since version 1.6.5
+
+* LUKS: Fix keyslot device access for devices which
+ do not support direct IO operations. (Regression in 1.6.5.)
+
+* LUKS: Fallback to old temporary keyslot device mapping method
+ if hash (for ESSIV) is not supported by userspace crypto
+ library. (Regression in 1.6.5.)
+
+* Properly activate device with discard (TRIM for SSDs)
+ if requested even if dm_crypt module is not yet loaded.
+ Only if discard is not supported by the old kernel then
+ the discard option is ignored.
+
+* Fix some static analysis build warnings (scan-build).
+
+* Report crypto lib version only once (and always add kernel
+ version) in debug output.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function through crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
diff --git a/docs/v1.6.7-ReleaseNotes b/docs/v1.6.7-ReleaseNotes
new file mode 100644
index 0000000..edb73e5
--- /dev/null
+++ b/docs/v1.6.7-ReleaseNotes
@@ -0,0 +1,84 @@
+Cryptsetup 1.6.7 Release Notes
+==============================
+
+Changes since version 1.6.6
+
+* Cryptsetup git and wiki are now hosted on GitLab.
+ https://gitlab.com/cryptsetup/cryptsetup
+
+ Repository of stable releases remains on kernel.org site
+ https://www.kernel.org/pub/linux/utils/cryptsetup/
+
+ For more info please see README file.
+
+* Cryptsetup TCRYPT mode now supports VeraCrypt devices (TrueCrypt extension).
+
+ The VeraCrypt extension only increases iteration count for the key
+ derivation function (on-disk format is the same as TrueCrypt format).
+
+ Note that unlocking of a VeraCrypt device can take very long time if used
+ on slow machines.
+
+ To use this extension, add --veracrypt option, for example
+ cryptsetup open --type tcrypt --veracrypt <container> <name>
+
+ For use through libcryptsetup, just add CRYPT_TCRYPT_VERA_MODES flag.
+
+* Support keyfile-offset and keyfile-size options even for plain volumes.
+
+* Support keyfile option for luksAddKey if the master key is specified.
+
+* For historic reasons, hashing in the plain mode is not used
+ if keyfile is specified (with exception of --key-file=-).
+ Print a warning if these parameters are ignored.
+
+* Support permanent device decryption for cryptsetup-reencrypt.
+ To remove LUKS encryption from a device, you can now use --decrypt option.
+
+* Allow to use --header option in all LUKS commands.
+ The --header always takes precedence over positional device argument.
+
+* Allow luksSuspend without need to specify a detached header.
+
+* Detect if O_DIRECT is usable on a device allocation.
+ There are some strange storage stack configurations which wrongly allows
+ to open devices with direct-io but fails on all IO operations later.
+
+ Cryptsetup now tries to read the device first sector to ensure it can use
+ direct-io.
+
+* Add low-level performance options tuning for dmcrypt (for Linux 4.0 and later).
+
+ Linux kernel 4.0 contains rewritten dmcrypt code which tries to better utilize
+ encryption on parallel CPU cores.
+
+ While tests show that this change increases performance on most configurations,
+ dmcrypt now provides some switches to change its new behavior.
+
+ You can use them (per-device) with these cryptsetup switches:
+ --perf-same_cpu_crypt
+ --perf-submit_from_crypt_cpus
+
+ Please use these only in the case of serious performance problems.
+ Refer to the cryptsetup man page and dm-crypt documentation
+ (for same_cpu_crypt and submit_from_crypt_cpus options).
+ https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
+
+* Get rid of libfipscheck library.
+ (Note that this option was used only for Red Hat and derived distributions.)
+ With recent FIPS changes we do not need to link to this FIPS monster anymore.
+ Also drop some no longer needed FIPS mode checks.
+
+* Many fixes and clarifications to man pages.
+
+* Prevent compiler to optimize-out zeroing of buffers for on-stack variables.
+
+* Fix a crash if non-GNU strerror_r is used.
+
+Cryptsetup API NOTE:
+The direct terminal handling for passphrase entry will be removed from
+libcryptsetup in next major version (application should handle it itself).
+
+It means that you have to always either provide password in buffer or set
+your own password callback function through crypt_set_password_callback().
+See API documentation (or libcryptsetup.h) for more info.
diff --git a/docs/v1.6.8-ReleaseNotes b/docs/v1.6.8-ReleaseNotes
new file mode 100644
index 0000000..43b4f2c
--- /dev/null
+++ b/docs/v1.6.8-ReleaseNotes
@@ -0,0 +1,47 @@
+Cryptsetup 1.6.8 Release Notes
+==============================
+
+Changes since version 1.6.7
+
+* If the null cipher (no encryption) is used, allow only empty password for LUKS.
+ (Previously cryptsetup accepted any password in this case.)
+
+ The null cipher can be used only for testing and it is used temporarily during
+ offline encrypting not yet encrypted device (cryptsetup-reencrypt tool).
+
+ Accepting only empty password prevents situation when someone adds another
+ LUKS device using the same UUID (UUID of existing LUKS device) with faked
+ header containing null cipher.
+ This could force user to use different LUKS device (with no encryption)
+ without noticing.
+ (IOW it prevents situation when attacker intentionally forces
+ user to boot into different system just by LUKS header manipulation.)
+
+ Properly configured systems should have an additional integrity protection
+ in place here (LUKS here provides only confidentiality) but it is better
+ to not allow this situation in the first place.
+
+ (For more info see QubesOS Security Bulletin QSB-019-2015.)
+
+* Properly support stdin "-" handling for luksAddKey for both new and old
+ keyfile parameters.
+
+* If encrypted device is file-backed (it uses underlying loop device),
+ cryptsetup resize will try to resize underlying loop device as well.
+ (It can be used to grow up file-backed device in one step.)
+
+* Cryptsetup now allows to use empty password through stdin pipe.
+ (Intended only for testing in scripts.)
+
+Cryptsetup API NOTE:
+
+Direct terminal handling and password calling callback for passphrase
+entry will be removed from libcryptsetup in next major (2.x) version
+(application should handle it itself).
+It means that application have to always provide password in API calls.
+
+Functions returning last error will be removed in next major version (2.x).
+These functions did not work properly for early initialization errors
+and application can implement better function easily using own error callback.
+
+See comments in libcryptsetup.h for more info about deprecated functions.
diff --git a/docs/v1.7.0-ReleaseNotes b/docs/v1.7.0-ReleaseNotes
new file mode 100644
index 0000000..cd568c1
--- /dev/null
+++ b/docs/v1.7.0-ReleaseNotes
@@ -0,0 +1,81 @@
+Cryptsetup 1.7.0 Release Notes
+==============================
+
+The cryptsetup 1.7 release changes defaults for LUKS,
+there are no API changes.
+
+Changes since version 1.6.8
+
+* Default hash function is now SHA256 (used in key derivation function
+ and anti-forensic splitter).
+
+ Note that replacing SHA1 with SHA256 is not for security reasons.
+ (LUKS does not have problems even if collisions are found for SHA1,
+ for details see FAQ item 5.20).
+
+ Using SHA256 as default is mainly to prevent compatibility problems
+ on hardened systems where SHA1 is already be phased out.
+
+ Note that all checks (kernel crypto API availability check) now uses
+ SHA256 as well.
+
+* Default iteration time for PBKDF2 is now 2 seconds.
+
+ Increasing iteration time is in combination with PBKDF2 benchmark
+ fixes a try to keep PBKDF2 iteration count still high enough and
+ also still acceptable for users.
+
+ N.B. Long term is to replace PBKDF2 algorithm with Password Hashing
+ Competition winner - Argon2.
+
+ Distributions can still change these defaults in compilation time.
+
+ You can change iteration time and used hash function in existing LUKS
+ header with cryptsetup-reencrypt utility even without full reencryption
+ of device (see --keep-key option).
+
+* Fix PBKDF2 iteration benchmark for longer key sizes.
+
+ The previous PBKDF2 benchmark code did not take into account
+ output key length properly.
+
+ For SHA1 (with 160-bits output) and 256-bit keys (and longer)
+ it means that the final iteration value was higher than it should be.
+
+ For other hash algorithms (like SHA256 or SHA512) it caused
+ that iteration count was lower (in comparison to SHA1) than
+ expected for the requested time period.
+
+ The PBKDF2 benchmark code is now fixed to use the key size for
+ the formatted device (or default LUKS key size if running in informational
+ benchmark mode).
+
+ Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
+ (http://www.club.di.unimi.it/) for point this out.
+ (Based on "What users should know about Full Disk Encryption
+ based on LUKS" paper to be presented on CANS2015).
+
+* Remove experimental warning for reencrypt tool.
+ The strong request for full backup before using reencryption utility
+ still applies :)
+
+* Add optional libpasswdqc support for new LUKS passwords.
+
+ If password is entered through terminal (no keyfile specified) and
+ cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf],
+ configured system passwdqc settings are used to check password quality.
+
+* Update FAQ document.
+
+Cryptsetup API NOTE:
+
+Direct terminal handling and password calling callback for passphrase
+entry will be removed from libcryptsetup in next major (2.x) version
+(application should handle it itself).
+It means that application have to always provide password in API calls.
+
+Functions returning last error will be removed in next major version (2.x).
+These functions did not work properly for early initialization errors
+and application can implement better function easily using own error callback.
+
+See comments in libcryptsetup.h for more info about deprecated functions.
diff --git a/docs/v1.7.1-ReleaseNotes b/docs/v1.7.1-ReleaseNotes
new file mode 100644
index 0000000..057c135
--- /dev/null
+++ b/docs/v1.7.1-ReleaseNotes
@@ -0,0 +1,36 @@
+Cryptsetup 1.7.1 Release Notes
+==============================
+
+Changes since version 1.7.0
+
+* Code now uses kernel crypto API backend according to new
+ changes introduced in mainline kernel
+
+ While mainline kernel should contain backward compatible
+ changes, some stable series kernels do not contain fully
+ backported compatibility patches.
+ Without these patches most of cryptsetup operations
+ (like unlocking device) fail.
+
+ This change in cryptsetup ensures that all operations using
+ kernel crypto API works even on these kernels.
+
+* The cryptsetup-reencrypt utility now properly detects removal
+ of underlying link to block device and does not remove
+ ongoing re-encryption log.
+ This allows proper recovery (resume) of reencrypt operation later.
+
+ NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility,
+ this link disappears once the device metadata is temporarily
+ removed from device.
+
+* Cryptsetup now allows special "-" (standard input) keyfile handling
+ even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices.
+
+* Cryptsetup now fails if there are more keyfiles specified
+ for non-TCRYPT device.
+
+* The luksKillSlot command now does not suppress provided password
+ in batch mode (if password is wrong slot is not destroyed).
+ Note that not providing password in batch mode means that keyslot
+ is destroyed unconditionally.
diff --git a/docs/v1.7.2-ReleaseNotes b/docs/v1.7.2-ReleaseNotes
new file mode 100644
index 0000000..6323430
--- /dev/null
+++ b/docs/v1.7.2-ReleaseNotes
@@ -0,0 +1,37 @@
+Cryptsetup 1.7.2 Release Notes
+==============================
+
+Changes since version 1.7.1
+
+* Update LUKS documentation format.
+ Clarify fixed sector size and keyslots alignment.
+
+* Support activation options for error handling modes in Linux kernel
+ dm-verity module:
+
+ --ignore-corruption - dm-verity just logs detected corruption
+
+ --restart-on-corruption - dm-verity restarts the kernel if corruption is detected
+
+ If the options above are not specified, default behavior for dm-verity remains.
+ Default is that I/O operation fails with I/O error if corrupted block is detected.
+
+ --ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected
+ to contain zeroes and always return zeroes directly instead.
+
+ NOTE that these options could have security or functional impacts,
+ do not use them without assessing the risks!
+
+* Fix help text for cipher benchmark specification (mention --cipher option).
+
+* Fix off-by-one error in maximum keyfile size.
+ Allow keyfiles up to compiled-in default and not that value minus one.
+
+* Support resume of interrupted decryption in cryptsetup-reencrypt utility.
+ To resume decryption, LUKS device UUID (--uuid option) option must be used.
+
+* Do not use direct-io for LUKS header with unaligned keyslots.
+ Such headers were used only by the first cryptsetup-luks-1.0.0 release (2005).
+
+* Fix device block size detection to properly work on particular file-based
+ containers over underlying devices with 4k sectors.
diff --git a/docs/v1.7.3-ReleaseNotes b/docs/v1.7.3-ReleaseNotes
new file mode 100644
index 0000000..4a2757c
--- /dev/null
+++ b/docs/v1.7.3-ReleaseNotes
@@ -0,0 +1,20 @@
+Cryptsetup 1.7.3 Release Notes
+==============================
+
+Changes since version 1.7.2
+
+* Fix device access to hash offsets located beyond the 2GB device boundary in veritysetup.
+
+* Set configured (compile-time) default iteration time for devices created directly through
+ libcryptsetup (default was hardcoded 1 second, the configured value applied only
+ for cryptsetup application).
+
+* Fix PBKDF2 benchmark to not double iteration count for specific corner case.
+ If the measurement function returns exactly 500 ms, the iteration calculation loop
+ doubled iteration count but instead of repeating measurement it used this value directly.
+
+* OpenSSL backend: fix memory leak if hash context was repeatedly reused.
+
+* OpenSSL backend: add support for OpenSSL 1.1.0.
+
+* Fix several minor spelling errors.
diff --git a/docs/v1.7.4-ReleaseNotes b/docs/v1.7.4-ReleaseNotes
new file mode 100644
index 0000000..73dbaa7
--- /dev/null
+++ b/docs/v1.7.4-ReleaseNotes
@@ -0,0 +1,22 @@
+Cryptsetup 1.7.4 Release Notes
+==============================
+
+Changes since version 1.7.3
+
+* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper.
+
+* Use LUKS1 compiled-in defaults also in Python wrapper.
+
+* OpenSSL backend: Fix OpenSSL 1.1.0 support without backward compatible API.
+
+* OpenSSL backend: Fix LibreSSL compatibility.
+
+* Check for data device and hash device area overlap in veritysetup.
+
+* Fix a possible race while allocating a free loop device.
+
+* Fix possible file descriptor leaks if libcryptsetup is run from a forked process.
+
+* Fix missing same_cpu_crypt flag in status command.
+
+* Various updates to FAQ and man pages.
diff --git a/docs/v1.7.5-ReleaseNotes b/docs/v1.7.5-ReleaseNotes
new file mode 100644
index 0000000..eec4315
--- /dev/null
+++ b/docs/v1.7.5-ReleaseNotes
@@ -0,0 +1,22 @@
+Cryptsetup 1.7.5 Release Notes
+==============================
+
+Changes since version 1.7.4
+
+* Fixes to luksFormat to properly support recent kernel running in FIPS mode.
+
+ Cryptsetup must never use a weak key even if it is just used for testing
+ of algorithm availability. In FIPS mode, weak keys are always rejected.
+
+ A weak key is for example detected if the XTS encryption mode use
+ the same key for the tweak and the encryption part.
+
+* Fixes accesses to unaligned hidden legacy TrueCrypt header.
+
+ On a native 4k-sector device the old hidden TrueCrypt header is not
+ aligned with the hw sector size (this problem was fixed in later TrueCrypt
+ on-disk format versions).
+
+ Cryptsetup now properly aligns the read so it does not fail.
+
+* Fixes to optional dracut ramdisk scripts for offline re-encryption on initial boot.
diff --git a/lib/Makefile.am b/lib/Makefile.am
new file mode 100644
index 0000000..6662568
--- /dev/null
+++ b/lib/Makefile.am
@@ -0,0 +1,70 @@
+SUBDIRS = crypto_backend luks1 loopaes verity tcrypt
+
+moduledir = $(libdir)/cryptsetup
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libcryptsetup.pc
+
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir) \
+ -I$(top_srcdir)/lib/crypto_backend \
+ -I$(top_srcdir)/lib/luks1 \
+ -I$(top_srcdir)/lib/loopaes \
+ -I$(top_srcdir)/lib/verity \
+ -I$(top_srcdir)/lib/tcrypt \
+ -DDATADIR=\""$(datadir)"\" \
+ -DLIBDIR=\""$(libdir)"\" \
+ -DPREFIX=\""$(prefix)"\" \
+ -DSYSCONFDIR=\""$(sysconfdir)"\" \
+ -DVERSION=\""$(VERSION)"\"
+
+lib_LTLIBRARIES = libcryptsetup.la
+
+common_ldadd = \
+ crypto_backend/libcrypto_backend.la \
+ luks1/libluks1.la \
+ loopaes/libloopaes.la \
+ verity/libverity.la \
+ tcrypt/libtcrypt.la
+
+libcryptsetup_la_DEPENDENCIES = $(common_ldadd) libcryptsetup.sym
+
+libcryptsetup_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined \
+ -Wl,--version-script=$(top_srcdir)/lib/libcryptsetup.sym \
+ -version-info @LIBCRYPTSETUP_VERSION_INFO@
+
+libcryptsetup_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
+
+libcryptsetup_la_LIBADD = \
+ @UUID_LIBS@ \
+ @DEVMAPPER_LIBS@ \
+ @CRYPTO_LIBS@ \
+ $(common_ldadd)
+
+
+libcryptsetup_la_SOURCES = \
+ setup.c \
+ internal.h \
+ bitops.h \
+ nls.h \
+ libcryptsetup.h \
+ utils.c \
+ utils_benchmark.c \
+ utils_crypt.c \
+ utils_crypt.h \
+ utils_loop.c \
+ utils_loop.h \
+ utils_devpath.c \
+ utils_wipe.c \
+ utils_fips.c \
+ utils_fips.h \
+ utils_device.c \
+ libdevmapper.c \
+ utils_dm.h \
+ volumekey.c \
+ random.c \
+ crypt_plain.c
+
+include_HEADERS = libcryptsetup.h
+
+EXTRA_DIST = libcryptsetup.pc.in libcryptsetup.sym
diff --git a/lib/bitops.h b/lib/bitops.h
new file mode 100644
index 0000000..a991687
--- /dev/null
+++ b/lib/bitops.h
@@ -0,0 +1,123 @@
+/*
+ * No copyright is claimed. This code is in the public domain; do with
+ * it what you wish.
+ *
+ * Written by Karel Zak <kzak@redhat.com>
+ */
+#ifndef BITOPS_H
+#define BITOPS_H
+
+#include <stdint.h>
+#include <sys/param.h>
+
+#if defined(HAVE_BYTESWAP_H)
+# include <byteswap.h>
+#endif
+
+#if defined(HAVE_ENDIAN_H)
+# include <endian.h>
+#elif defined(HAVE_SYS_ENDIAN_H) /* BSDs have them here */
+# include <sys/endian.h>
+#endif
+
+#if defined(__OpenBSD__)
+# include <sys/types.h>
+# define be16toh(x) betoh16(x)
+# define be32toh(x) betoh32(x)
+# define be64toh(x) betoh64(x)
+#endif
+
+/*
+ * Fallbacks
+ */
+#ifndef bswap_16
+# define bswap_16(x) ((((x) & 0x00FF) << 8) | \
+ (((x) & 0xFF00) >> 8))
+#endif
+
+#ifndef bswap_32
+# define bswap_32(x) ((((x) & 0x000000FF) << 24) | \
+ (((x) & 0x0000FF00) << 8) | \
+ (((x) & 0x00FF0000) >> 8) | \
+ (((x) & 0xFF000000) >> 24))
+#endif
+
+#ifndef bswap_64
+# define bswap_64(x) ((((x) & 0x00000000000000FFULL) << 56) | \
+ (((x) & 0x000000000000FF00ULL) << 40) | \
+ (((x) & 0x0000000000FF0000ULL) << 24) | \
+ (((x) & 0x00000000FF000000ULL) << 8) | \
+ (((x) & 0x000000FF00000000ULL) >> 8) | \
+ (((x) & 0x0000FF0000000000ULL) >> 24) | \
+ (((x) & 0x00FF000000000000ULL) >> 40) | \
+ (((x) & 0xFF00000000000000ULL) >> 56))
+#endif
+
+#ifndef htobe16
+# if !defined(WORDS_BIGENDIAN)
+# define htobe16(x) bswap_16 (x)
+# define htole16(x) (x)
+# define be16toh(x) bswap_16 (x)
+# define le16toh(x) (x)
+# define htobe32(x) bswap_32 (x)
+# define htole32(x) (x)
+# define be32toh(x) bswap_32 (x)
+# define le32toh(x) (x)
+# define htobe64(x) bswap_64 (x)
+# define htole64(x) (x)
+# define be64toh(x) bswap_64 (x)
+# define le64toh(x) (x)
+# else
+# define htobe16(x) (x)
+# define htole16(x) bswap_16 (x)
+# define be16toh(x) (x)
+# define le16toh(x) bswap_16 (x)
+# define htobe32(x) (x)
+# define htole32(x) bswap_32 (x)
+# define be32toh(x) (x)
+# define le32toh(x) bswap_32 (x)
+# define htobe64(x) (x)
+# define htole64(x) bswap_64 (x)
+# define be64toh(x) (x)
+# define le64toh(x) bswap_64 (x)
+# endif
+#endif
+
+/*
+ * Byte swab macros (based on linux/byteorder/swab.h)
+ */
+#define swab16(x) bswap_16(x)
+#define swab32(x) bswap_32(x)
+#define swab64(x) bswap_64(x)
+
+#define cpu_to_le16(x) ((uint16_t) htole16(x))
+#define cpu_to_le32(x) ((uint32_t) htole32(x))
+#define cpu_to_le64(x) ((uint64_t) htole64(x))
+
+#define cpu_to_be16(x) ((uint16_t) htobe16(x))
+#define cpu_to_be32(x) ((uint32_t) htobe32(x))
+#define cpu_to_be64(x) ((uint64_t) htobe64(x))
+
+#define le16_to_cpu(x) ((uint16_t) le16toh(x))
+#define le32_to_cpu(x) ((uint32_t) le32toh(x))
+#define le64_to_cpu(x) ((uint64_t) le64toh(x))
+
+#define be16_to_cpu(x) ((uint16_t) be16toh(x))
+#define be32_to_cpu(x) ((uint32_t) be32toh(x))
+#define be64_to_cpu(x) ((uint64_t) be64toh(x))
+
+/*
+ * Bit map related macros. Usually provided by libc.
+ */
+#ifndef NBBY
+# define NBBY CHAR_BIT
+#endif
+
+#ifndef setbit
+# define setbit(a,i) ((a)[(i)/NBBY] |= 1<<((i)%NBBY))
+# define clrbit(a,i) ((a)[(i)/NBBY] &= ~(1<<((i)%NBBY)))
+# define isset(a,i) ((a)[(i)/NBBY] & (1<<((i)%NBBY)))
+# define isclr(a,i) (((a)[(i)/NBBY] & (1<<((i)%NBBY))) == 0)
+#endif
+
+#endif /* BITOPS_H */
diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c
new file mode 100644
index 0000000..89a2e12
--- /dev/null
+++ b/lib/crypt_plain.c
@@ -0,0 +1,117 @@
+/*
+ * cryptsetup plain device helper functions
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2010-2017 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+
+#include "libcryptsetup.h"
+#include "internal.h"
+
+static int hash(const char *hash_name, size_t key_size, char *key,
+ size_t passphrase_size, const char *passphrase)
+{
+ struct crypt_hash *md = NULL;
+ size_t len;
+ int round, i, r = 0;
+
+ if (crypt_hash_init(&md, hash_name))
+ return -ENOENT;
+
+ len = crypt_hash_size(hash_name);
+
+ for(round = 0; key_size && !r; round++) {
+ /* hack from hashalot to avoid null bytes in key */
+ for(i = 0; i < round; i++)
+ if (crypt_hash_write(md, "A", 1))
+ r = 1;
+
+ if (crypt_hash_write(md, passphrase, passphrase_size))
+ r = 1;
+
+ if (len > key_size)
+ len = key_size;
+
+ if (crypt_hash_final(md, key, len))
+ r = 1;
+
+ key += len;
+ key_size -= len;
+ }
+
+ crypt_hash_destroy(md);
+ return r;
+}
+
+#define PLAIN_HASH_LEN_MAX 256
+
+int crypt_plain_hash(struct crypt_device *ctx __attribute__((unused)),
+ const char *hash_name,
+ char *key, size_t key_size,
+ const char *passphrase, size_t passphrase_size)
+{
+ char hash_name_buf[PLAIN_HASH_LEN_MAX], *s;
+ size_t hash_size, pad_size;
+ int r;
+
+ log_dbg("Plain: hashing passphrase using %s.", hash_name);
+
+ if (strlen(hash_name) >= PLAIN_HASH_LEN_MAX)
+ return -EINVAL;
+ strncpy(hash_name_buf, hash_name, PLAIN_HASH_LEN_MAX);
+ hash_name_buf[PLAIN_HASH_LEN_MAX - 1] = '\0';
+
+ /* hash[:hash_length] */
+ if ((s = strchr(hash_name_buf, ':'))) {
+ *s = '\0';
+ s++;
+ if (!*s || sscanf(s, "%zd", &hash_size) != 1) {
+ log_dbg("Hash length is not a number");
+ return -EINVAL;
+ }
+ if (hash_size > key_size) {
+ log_dbg("Hash length %zd > key length %zd",
+ hash_size, key_size);
+ return -EINVAL;
+ }
+ pad_size = key_size - hash_size;
+ } else {
+ hash_size = key_size;
+ pad_size = 0;
+ }
+
+ /* No hash, copy passphrase directly */
+ if (!strcmp(hash_name_buf, "plain")) {
+ if (passphrase_size < hash_size) {
+ log_dbg("Too short plain passphrase.");
+ return -EINVAL;
+ }
+ memcpy(key, passphrase, hash_size);
+ r = 0;
+ } else
+ r = hash(hash_name_buf, hash_size, key, passphrase_size, passphrase);
+
+ if (r == 0 && pad_size)
+ memset(key + hash_size, 0, pad_size);
+
+ return r;
+}
diff --git a/lib/crypto_backend/Makefile.am b/lib/crypto_backend/Makefile.am
new file mode 100644
index 0000000..942d258
--- /dev/null
+++ b/lib/crypto_backend/Makefile.am
@@ -0,0 +1,30 @@
+moduledir = $(libdir)/cryptsetup
+
+noinst_LTLIBRARIES = libcrypto_backend.la
+
+libcrypto_backend_la_CFLAGS = $(AM_CFLAGS) -Wall @CRYPTO_CFLAGS@
+
+libcrypto_backend_la_SOURCES = crypto_backend.h \
+ crypto_cipher_kernel.c crypto_storage.c pbkdf_check.c crc32.c
+
+if CRYPTO_BACKEND_GCRYPT
+libcrypto_backend_la_SOURCES += crypto_gcrypt.c
+endif
+if CRYPTO_BACKEND_OPENSSL
+libcrypto_backend_la_SOURCES += crypto_openssl.c
+endif
+if CRYPTO_BACKEND_NSS
+libcrypto_backend_la_SOURCES += crypto_nss.c
+endif
+if CRYPTO_BACKEND_KERNEL
+libcrypto_backend_la_SOURCES += crypto_kernel.c
+endif
+if CRYPTO_BACKEND_NETTLE
+libcrypto_backend_la_SOURCES += crypto_nettle.c
+endif
+
+if CRYPTO_INTERNAL_PBKDF2
+libcrypto_backend_la_SOURCES += pbkdf2_generic.c
+endif
+
+AM_CPPFLAGS = -include config.h -I$(top_srcdir)/lib
diff --git a/lib/crypto_backend/crc32.c b/lib/crypto_backend/crc32.c
new file mode 100644
index 0000000..332f383
--- /dev/null
+++ b/lib/crypto_backend/crc32.c
@@ -0,0 +1,116 @@
+/*
+ * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or
+ * code or tables extracted from it, as desired without restriction.
+ *
+ * First, the polynomial itself and its table of feedback terms. The
+ * polynomial is
+ * X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0
+ *
+ * Note that we take it "backwards" and put the highest-order term in
+ * the lowest-order bit. The X^32 term is "implied"; the LSB is the
+ * X^31 term, etc. The X^0 term (usually shown as "+1") results in
+ * the MSB being 1.
+ *
+ * Note that the usual hardware shift register implementation, which
+ * is what we're using (we're merely optimizing it by doing eight-bit
+ * chunks at a time) shifts bits into the lowest-order term. In our
+ * implementation, that means shifting towards the right. Why do we
+ * do it this way? Because the calculated CRC must be transmitted in
+ * order from highest-order term to lowest-order term. UARTs transmit
+ * characters in order from LSB to MSB. By storing the CRC this way,
+ * we hand it to the UART in the order low-byte to high-byte; the UART
+ * sends each low-bit to hight-bit; and the result is transmission bit
+ * by bit from highest- to lowest-order term without requiring any bit
+ * shuffling on our part. Reception works similarly.
+ *
+ * The feedback terms table consists of 256, 32-bit entries. Notes
+ *
+ * The table can be generated at runtime if desired; code to do so
+ * is shown later. It might not be obvious, but the feedback
+ * terms simply represent the results of eight shift/xor opera-
+ * tions for all combinations of data and CRC register values.
+ *
+ * The values must be right-shifted by eight bits by the "updcrc"
+ * logic; the shift must be unsigned (bring in zeroes). On some
+ * hardware you could probably optimize the shift in assembler by
+ * using byte-swap instructions.
+ * polynomial $edb88320
+ *
+ */
+
+#include <stdio.h>
+
+#include "crypto_backend.h"
+
+
+static const uint32_t crc32_tab[] = {
+ 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
+ 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
+ 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
+ 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
+ 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
+ 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
+ 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
+ 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
+ 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
+ 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
+ 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
+ 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
+ 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
+ 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
+ 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
+ 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
+ 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
+ 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
+ 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
+ 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
+ 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
+ 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
+ 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
+ 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
+ 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
+ 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
+ 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
+ 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
+ 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
+ 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
+ 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
+ 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
+ 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
+ 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
+ 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
+ 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
+ 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
+ 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
+ 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
+ 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
+ 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
+ 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
+ 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
+ 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
+ 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
+ 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
+ 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
+ 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
+ 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
+ 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
+ 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
+ 0x2d02ef8dL
+};
+
+/*
+ * This a generic crc32() function, it takes seed as an argument,
+ * and does __not__ xor at the end. Then individual users can do
+ * whatever they need.
+ */
+uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
+{
+ uint32_t crc = seed;
+ const unsigned char *p = buf;
+
+ while(len-- > 0)
+ crc = crc32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8);
+
+ return crc;
+}
+
diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
new file mode 100644
index 0000000..7f1eccc
--- /dev/null
+++ b/lib/crypto_backend/crypto_backend.h
@@ -0,0 +1,112 @@
+/*
+ * crypto backend implementation
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef _CRYPTO_BACKEND_H
+#define _CRYPTO_BACKEND_H
+
+#include <stdint.h>
+#include <string.h>
+
+struct crypt_device;
+struct crypt_hash;
+struct crypt_hmac;
+struct crypt_cipher;
+struct crypt_storage;
+
+int crypt_backend_init(struct crypt_device *ctx);
+
+#define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */
+
+uint32_t crypt_backend_flags(void);
+const char *crypt_backend_version(void);
+
+/* HASH */
+int crypt_hash_size(const char *name);
+int crypt_hash_init(struct crypt_hash **ctx, const char *name);
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length);
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length);
+int crypt_hash_destroy(struct crypt_hash *ctx);
+
+/* HMAC */
+int crypt_hmac_size(const char *name);
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length);
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length);
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
+int crypt_hmac_destroy(struct crypt_hmac *ctx);
+
+/* RNG (if fips paramater set, must provide FIPS compliance) */
+enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips);
+
+/* PBKDF*/
+int crypt_pbkdf_check(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ size_t key_length, uint64_t *iter_secs);
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations);
+
+#if USE_INTERNAL_PBKDF2
+/* internal PBKDF2 implementation */
+int pkcs5_pbkdf2(const char *hash,
+ const char *P, size_t Plen,
+ const char *S, size_t Slen,
+ unsigned int c,
+ unsigned int dkLen, char *DK,
+ unsigned int hash_block_size);
+#endif
+
+/* CRC32 */
+uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len);
+
+/* ciphers */
+int crypt_cipher_blocksize(const char *name);
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+ const char *mode, const void *buffer, size_t length);
+int crypt_cipher_destroy(struct crypt_cipher *ctx);
+int crypt_cipher_encrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length);
+int crypt_cipher_decrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length);
+
+/* storage encryption wrappers */
+int crypt_storage_init(struct crypt_storage **ctx, uint64_t sector_start,
+ const char *cipher, const char *cipher_mode,
+ char *key, size_t key_length);
+int crypt_storage_destroy(struct crypt_storage *ctx);
+int crypt_storage_decrypt(struct crypt_storage *ctx, uint64_t sector,
+ size_t count, char *buffer);
+int crypt_storage_encrypt(struct crypt_storage *ctx, uint64_t sector,
+ size_t count, char *buffer);
+
+/* Memzero helper (memset on stack can be optimized out) */
+static inline void crypt_backend_memzero(void *s, size_t n)
+{
+ volatile uint8_t *p = (volatile uint8_t *)s;
+ while(n--) *p++ = 0;
+}
+
+#endif /* _CRYPTO_BACKEND_H */
diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c
new file mode 100644
index 0000000..7dbd562
--- /dev/null
+++ b/lib/crypto_backend/crypto_cipher_kernel.c
@@ -0,0 +1,269 @@
+/*
+ * Linux kernel userspace API crypto backend implementation (skcipher)
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include "crypto_backend.h"
+
+#ifdef ENABLE_AF_ALG
+
+#include <linux/if_alg.h>
+
+#ifndef AF_ALG
+#define AF_ALG 38
+#endif
+#ifndef SOL_ALG
+#define SOL_ALG 279
+#endif
+
+struct crypt_cipher {
+ int tfmfd;
+ int opfd;
+};
+
+struct cipher_alg {
+ const char *name;
+ int blocksize;
+};
+
+/* FIXME: Getting block size should be dynamic from cipher backend. */
+static struct cipher_alg cipher_algs[] = {
+ { "cipher_null", 16 },
+ { "aes", 16 },
+ { "serpent", 16 },
+ { "twofish", 16 },
+ { "anubis", 16 },
+ { "blowfish", 8 },
+ { "camellia", 16 },
+ { "cast5", 8 },
+ { "cast6", 16 },
+ { "des", 8 },
+ { "des3_ede", 8 },
+ { "khazad", 8 },
+ { "seed", 16 },
+ { "tea", 8 },
+ { "xtea", 8 },
+ { NULL, 0 }
+};
+
+static struct cipher_alg *_get_alg(const char *name)
+{
+ int i = 0;
+
+ while (name && cipher_algs[i].name) {
+ if (!strcasecmp(name, cipher_algs[i].name))
+ return &cipher_algs[i];
+ i++;
+ }
+ return NULL;
+}
+
+int crypt_cipher_blocksize(const char *name)
+{
+ struct cipher_alg *ca = _get_alg(name);
+
+ return ca ? ca->blocksize : -EINVAL;
+}
+
+/*
+ * ciphers
+ *
+ * ENOENT - algorithm not available
+ * ENOTSUP - AF_ALG family not available
+ * (but cannot check specificaly for skcipher API)
+ */
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+ const char *mode, const void *buffer, size_t length)
+{
+ struct crypt_cipher *h;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "skcipher",
+ };
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
+ "%s(%s)", mode, name);
+
+ h->opfd = -1;
+ h->tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (h->tfmfd < 0) {
+ crypt_cipher_destroy(h);
+ return -ENOTSUP;
+ }
+
+ if (bind(h->tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
+ crypt_cipher_destroy(h);
+ return -ENOENT;
+ }
+
+ if (!strcmp(name, "cipher_null"))
+ length = 0;
+
+ if (setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, buffer, length) < 0) {
+ crypt_cipher_destroy(h);
+ return -EINVAL;
+ }
+
+ h->opfd = accept(h->tfmfd, NULL, 0);
+ if (h->opfd < 0) {
+ crypt_cipher_destroy(h);
+ return -EINVAL;
+ }
+
+ *ctx = h;
+ return 0;
+}
+
+/* The in/out should be aligned to page boundary */
+static int crypt_cipher_crypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length,
+ uint32_t direction)
+{
+ int r = 0;
+ ssize_t len;
+ struct af_alg_iv *alg_iv;
+ struct cmsghdr *header;
+ uint32_t *type;
+ struct iovec iov = {
+ .iov_base = (void*)(uintptr_t)in,
+ .iov_len = length,
+ };
+ int iv_msg_size = iv ? CMSG_SPACE(sizeof(*alg_iv) + iv_length) : 0;
+ char buffer[CMSG_SPACE(sizeof(*type)) + iv_msg_size];
+ struct msghdr msg = {
+ .msg_control = buffer,
+ .msg_controllen = sizeof(buffer),
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ };
+
+ if (!in || !out || !length)
+ return -EINVAL;
+
+ if ((!iv && iv_length) || (iv && !iv_length))
+ return -EINVAL;
+
+ memset(buffer, 0, sizeof(buffer));
+
+ /* Set encrypt/decrypt operation */
+ header = CMSG_FIRSTHDR(&msg);
+ if (!header)
+ return -EINVAL;
+
+ header->cmsg_level = SOL_ALG;
+ header->cmsg_type = ALG_SET_OP;
+ header->cmsg_len = CMSG_LEN(sizeof(*type));
+ type = (void*)CMSG_DATA(header);
+ *type = direction;
+
+ /* Set IV */
+ if (iv) {
+ header = CMSG_NXTHDR(&msg, header);
+ header->cmsg_level = SOL_ALG;
+ header->cmsg_type = ALG_SET_IV;
+ header->cmsg_len = iv_msg_size;
+ alg_iv = (void*)CMSG_DATA(header);
+ alg_iv->ivlen = iv_length;
+ memcpy(alg_iv->iv, iv, iv_length);
+ }
+
+ len = sendmsg(ctx->opfd, &msg, 0);
+ if (len != (ssize_t)length) {
+ r = -EIO;
+ goto bad;
+ }
+
+ len = read(ctx->opfd, out, length);
+ if (len != (ssize_t)length)
+ r = -EIO;
+bad:
+ crypt_backend_memzero(buffer, sizeof(buffer));
+ return r;
+}
+
+int crypt_cipher_encrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ return crypt_cipher_crypt(ctx, in, out, length,
+ iv, iv_length, ALG_OP_ENCRYPT);
+}
+
+int crypt_cipher_decrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ return crypt_cipher_crypt(ctx, in, out, length,
+ iv, iv_length, ALG_OP_DECRYPT);
+}
+
+int crypt_cipher_destroy(struct crypt_cipher *ctx)
+{
+ if (ctx->tfmfd >= 0)
+ close(ctx->tfmfd);
+ if (ctx->opfd >= 0)
+ close(ctx->opfd);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+#else /* ENABLE_AF_ALG */
+
+int crypt_cipher_blocksize(const char *name)
+{
+ return -EINVAL;
+}
+
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+ const char *mode, const void *buffer, size_t length)
+{
+ return -ENOTSUP;
+}
+
+int crypt_cipher_destroy(struct crypt_cipher *ctx)
+{
+ return 0;
+}
+
+int crypt_cipher_encrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ return -EINVAL;
+}
+int crypt_cipher_decrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ return -EINVAL;
+}
+#endif
diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
new file mode 100644
index 0000000..ea95bc2
--- /dev/null
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -0,0 +1,354 @@
+/*
+ * GCRYPT crypto backend implementation
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <assert.h>
+#include <gcrypt.h>
+#include "crypto_backend.h"
+
+static int crypto_backend_initialised = 0;
+static int crypto_backend_secmem = 1;
+static int crypto_backend_whirlpool_bug = -1;
+static char version[64];
+
+struct crypt_hash {
+ gcry_md_hd_t hd;
+ int hash_id;
+ int hash_len;
+};
+
+struct crypt_hmac {
+ gcry_md_hd_t hd;
+ int hash_id;
+ int hash_len;
+};
+
+/*
+ * Test for wrong Whirlpool variant,
+ * Ref: http://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html
+ */
+static void crypt_hash_test_whirlpool_bug(void)
+{
+ struct crypt_hash *h;
+ char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
+ int r;
+
+ if (crypto_backend_whirlpool_bug >= 0)
+ return;
+
+ crypto_backend_whirlpool_bug = 0;
+ if (crypt_hash_init(&h, "whirlpool"))
+ return;
+
+ /* One shot */
+ if ((r = crypt_hash_write(h, &buf[0], 2)) ||
+ (r = crypt_hash_final(h, hash_out1, 64))) {
+ crypt_hash_destroy(h);
+ return;
+ }
+
+ /* Split buf (crypt_hash_final resets hash state) */
+ if ((r = crypt_hash_write(h, &buf[0], 1)) ||
+ (r = crypt_hash_write(h, &buf[1], 1)) ||
+ (r = crypt_hash_final(h, hash_out2, 64))) {
+ crypt_hash_destroy(h);
+ return;
+ }
+
+ crypt_hash_destroy(h);
+
+ if (memcmp(hash_out1, hash_out2, 64))
+ crypto_backend_whirlpool_bug = 1;
+}
+
+int crypt_backend_init(struct crypt_device *ctx)
+{
+ if (crypto_backend_initialised)
+ return 0;
+
+ if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
+ if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
+ return -ENOSYS;
+ }
+
+/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
+ * it drops all privileges during secure memory initialisation.
+ * For now, the only workaround is to disable secure memory in gcrypt.
+ * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
+ * and it locks its memory space anyway.
+ */
+#if 0
+ gcry_control (GCRYCTL_DISABLE_SECMEM);
+ crypto_backend_secmem = 0;
+#else
+
+ gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+ gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
+#endif
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ }
+
+ crypto_backend_initialised = 1;
+ crypt_hash_test_whirlpool_bug();
+
+ snprintf(version, 64, "gcrypt %s%s%s",
+ gcry_check_version(NULL),
+ crypto_backend_secmem ? "" : ", secmem disabled",
+ crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : ""
+ );
+
+ return 0;
+}
+
+const char *crypt_backend_version(void)
+{
+ return crypto_backend_initialised ? version : "";
+}
+
+uint32_t crypt_backend_flags(void)
+{
+ return 0;
+}
+
+static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
+{
+ const char *hash_name = name;
+
+ /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool
+ * in libgcrypt < 1.6.0 */
+ if (name && !strcasecmp(name, "whirlpool_gcryptbug")) {
+#if GCRYPT_VERSION_NUMBER >= 0x010601
+ if (flags)
+ *flags |= GCRY_MD_FLAG_BUGEMU1;
+#endif
+ hash_name = "whirlpool";
+ }
+
+ return hash_name;
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+ int hash_id;
+
+ assert(crypto_backend_initialised);
+
+ hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL));
+ if (!hash_id)
+ return -EINVAL;
+
+ return gcry_md_get_algo_dlen(hash_id);
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+ struct crypt_hash *h;
+ unsigned int flags = 0;
+
+ assert(crypto_backend_initialised);
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
+ if (!h->hash_id) {
+ free(h);
+ return -EINVAL;
+ }
+
+ if (gcry_md_open(&h->hd, h->hash_id, flags)) {
+ free(h);
+ return -EINVAL;
+ }
+
+ h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
+ *ctx = h;
+ return 0;
+}
+
+static void crypt_hash_restart(struct crypt_hash *ctx)
+{
+ gcry_md_reset(ctx->hd);
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+ gcry_md_write(ctx->hd, buffer, length);
+ return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+ unsigned char *hash;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ hash = gcry_md_read(ctx->hd, ctx->hash_id);
+ if (!hash)
+ return -EINVAL;
+
+ memcpy(buffer, hash, length);
+ crypt_hash_restart(ctx);
+
+ return 0;
+}
+
+int crypt_hash_destroy(struct crypt_hash *ctx)
+{
+ gcry_md_close(ctx->hd);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+ return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length)
+{
+ struct crypt_hmac *h;
+ unsigned int flags = GCRY_MD_FLAG_HMAC;
+
+ assert(crypto_backend_initialised);
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
+ if (!h->hash_id) {
+ free(h);
+ return -EINVAL;
+ }
+
+ if (gcry_md_open(&h->hd, h->hash_id, flags)) {
+ free(h);
+ return -EINVAL;
+ }
+
+ if (gcry_md_setkey(h->hd, buffer, length)) {
+ gcry_md_close(h->hd);
+ free(h);
+ return -EINVAL;
+ }
+
+ h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
+ *ctx = h;
+ return 0;
+}
+
+static void crypt_hmac_restart(struct crypt_hmac *ctx)
+{
+ gcry_md_reset(ctx->hd);
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+ gcry_md_write(ctx->hd, buffer, length);
+ return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+ unsigned char *hash;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ hash = gcry_md_read(ctx->hd, ctx->hash_id);
+ if (!hash)
+ return -EINVAL;
+
+ memcpy(buffer, hash, length);
+ crypt_hmac_restart(ctx);
+
+ return 0;
+}
+
+int crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+ gcry_md_close(ctx->hd);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+ switch(quality) {
+ case CRYPT_RND_NORMAL:
+ gcry_randomize(buffer, length, GCRY_STRONG_RANDOM);
+ break;
+ case CRYPT_RND_SALT:
+ case CRYPT_RND_KEY:
+ default:
+ gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM);
+ break;
+ }
+ return 0;
+}
+
+/* PBKDF */
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations)
+{
+ const char *hash_name = crypt_hash_compat_name(hash, NULL);
+
+#if USE_INTERNAL_PBKDF2
+ if (!kdf || strncmp(kdf, "pbkdf2", 6))
+ return -EINVAL;
+
+ return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length,
+ iterations, key_length, key, 0);
+
+#else /* USE_INTERNAL_PBKDF2 */
+ int hash_id = gcry_md_map_name(hash_name);
+ int kdf_id;
+
+ if (!hash_id)
+ return -EINVAL;
+
+ if (kdf && !strncmp(kdf, "pbkdf2", 6))
+ kdf_id = GCRY_KDF_PBKDF2;
+ else
+ return -EINVAL;
+
+ if (gcry_kdf_derive(password, password_length, kdf_id, hash_id,
+ salt, salt_length, iterations, key_length, key))
+ return -EINVAL;
+
+ return 0;
+#endif /* USE_INTERNAL_PBKDF2 */
+}
diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
new file mode 100644
index 0000000..2e49411
--- /dev/null
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -0,0 +1,321 @@
+/*
+ * Linux kernel userspace API crypto backend implementation
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/utsname.h>
+#include <linux/if_alg.h>
+#include "crypto_backend.h"
+
+/* FIXME: remove later */
+#ifndef AF_ALG
+#define AF_ALG 38
+#endif
+#ifndef SOL_ALG
+#define SOL_ALG 279
+#endif
+
+static int crypto_backend_initialised = 0;
+static char version[64];
+
+struct hash_alg {
+ const char *name;
+ const char *kernel_name;
+ int length;
+ unsigned int block_length;
+};
+
+static struct hash_alg hash_algs[] = {
+ { "sha1", "sha1", 20, 64 },
+ { "sha256", "sha256", 32, 64 },
+ { "sha512", "sha512", 64, 128 },
+ { "ripemd160", "rmd160", 20, 64 },
+ { "whirlpool", "wp512", 64, 64 },
+ { NULL, NULL, 0, 0 }
+};
+
+struct crypt_hash {
+ int tfmfd;
+ int opfd;
+ int hash_len;
+};
+
+struct crypt_hmac {
+ int tfmfd;
+ int opfd;
+ int hash_len;
+};
+
+static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd,
+ const void *key, size_t key_length)
+{
+ *tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ if (*tfmfd < 0)
+ return -ENOTSUP;
+
+ if (bind(*tfmfd, (struct sockaddr *)sa, sizeof(*sa)) < 0) {
+ close(*tfmfd);
+ *tfmfd = -1;
+ return -ENOENT;
+ }
+
+ if (key && setsockopt(*tfmfd, SOL_ALG, ALG_SET_KEY, key, key_length) < 0) {
+ close(*tfmfd);
+ *tfmfd = -1;
+ return -EINVAL;
+ }
+
+ *opfd = accept(*tfmfd, NULL, 0);
+ if (*opfd < 0) {
+ close(*tfmfd);
+ *tfmfd = -1;
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+int crypt_backend_init(struct crypt_device *ctx)
+{
+ struct utsname uts;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "hash",
+ .salg_name = "sha256",
+ };
+ int tfmfd = -1, opfd = -1;
+
+ if (crypto_backend_initialised)
+ return 0;
+
+ if (uname(&uts) == -1 || strcmp(uts.sysname, "Linux"))
+ return -EINVAL;
+
+ if (crypt_kernel_socket_init(&sa, &tfmfd, &opfd, NULL, 0) < 0)
+ return -EINVAL;
+
+ close(tfmfd);
+ close(opfd);
+
+ snprintf(version, sizeof(version), "%s %s kernel cryptoAPI",
+ uts.sysname, uts.release);
+
+ crypto_backend_initialised = 1;
+ return 0;
+}
+
+uint32_t crypt_backend_flags(void)
+{
+ return CRYPT_BACKEND_KERNEL;
+}
+
+const char *crypt_backend_version(void)
+{
+ return crypto_backend_initialised ? version : "";
+}
+
+static struct hash_alg *_get_alg(const char *name)
+{
+ int i = 0;
+
+ while (name && hash_algs[i].name) {
+ if (!strcmp(name, hash_algs[i].name))
+ return &hash_algs[i];
+ i++;
+ }
+ return NULL;
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+ struct hash_alg *ha = _get_alg(name);
+
+ return ha ? ha->length : -EINVAL;
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+ struct crypt_hash *h;
+ struct hash_alg *ha;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "hash",
+ };
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ ha = _get_alg(name);
+ if (!ha) {
+ free(h);
+ return -EINVAL;
+ }
+ h->hash_len = ha->length;
+
+ strncpy((char *)sa.salg_name, ha->kernel_name, sizeof(sa.salg_name));
+
+ if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd, NULL, 0) < 0) {
+ free(h);
+ return -EINVAL;
+ }
+
+ *ctx = h;
+ return 0;
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+ ssize_t r;
+
+ r = send(ctx->opfd, buffer, length, MSG_MORE);
+ if (r < 0 || (size_t)r < length)
+ return -EIO;
+
+ return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+ ssize_t r;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ r = read(ctx->opfd, buffer, length);
+ if (r < 0)
+ return -EIO;
+
+ return 0;
+}
+
+int crypt_hash_destroy(struct crypt_hash *ctx)
+{
+ if (ctx->tfmfd >= 0)
+ close(ctx->tfmfd);
+ if (ctx->opfd >= 0)
+ close(ctx->opfd);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+ return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length)
+{
+ struct crypt_hmac *h;
+ struct hash_alg *ha;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ .salg_type = "hash",
+ };
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ ha = _get_alg(name);
+ if (!ha) {
+ free(h);
+ return -EINVAL;
+ }
+ h->hash_len = ha->length;
+
+ snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
+ "hmac(%s)", ha->kernel_name);
+
+ if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd, buffer, length) < 0) {
+ free(h);
+ return -EINVAL;
+ }
+
+ *ctx = h;
+ return 0;
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+ ssize_t r;
+
+ r = send(ctx->opfd, buffer, length, MSG_MORE);
+ if (r < 0 || (size_t)r < length)
+ return -EIO;
+
+ return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+ ssize_t r;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ r = read(ctx->opfd, buffer, length);
+ if (r < 0)
+ return -EIO;
+
+ return 0;
+}
+
+int crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+ if (ctx->tfmfd >= 0)
+ close(ctx->tfmfd);
+ if (ctx->opfd >= 0)
+ close(ctx->opfd);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* RNG - N/A */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+ return -EINVAL;
+}
+
+/* PBKDF */
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations)
+{
+ struct hash_alg *ha = _get_alg(hash);
+
+ if (!ha || !kdf || strncmp(kdf, "pbkdf2", 6))
+ return -EINVAL;
+
+ return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
+ iterations, key_length, key, ha->block_length);
+}
diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
new file mode 100644
index 0000000..a17fb52
--- /dev/null
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -0,0 +1,305 @@
+/*
+ * Nettle crypto backend implementation
+ *
+ * Copyright (C) 2011-2017 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <nettle/sha.h>
+#include <nettle/hmac.h>
+#include <nettle/pbkdf2.h>
+#include "crypto_backend.h"
+
+static char *version = "Nettle";
+
+typedef void (*init_func) (void *);
+typedef void (*update_func) (void *, size_t, const uint8_t *);
+typedef void (*digest_func) (void *, size_t, uint8_t *);
+typedef void (*set_key_func) (void *, size_t, const uint8_t *);
+
+struct hash_alg {
+ const char *name;
+ int length;
+ init_func init;
+ update_func update;
+ digest_func digest;
+ update_func hmac_update;
+ digest_func hmac_digest;
+ set_key_func hmac_set_key;
+};
+
+static struct hash_alg hash_algs[] = {
+ { "sha1", SHA1_DIGEST_SIZE,
+ (init_func) sha1_init,
+ (update_func) sha1_update,
+ (digest_func) sha1_digest,
+ (update_func) hmac_sha1_update,
+ (digest_func) hmac_sha1_digest,
+ (set_key_func) hmac_sha1_set_key,
+ },
+ { "sha224", SHA224_DIGEST_SIZE,
+ (init_func) sha224_init,
+ (update_func) sha224_update,
+ (digest_func) sha224_digest,
+ (update_func) hmac_sha224_update,
+ (digest_func) hmac_sha224_digest,
+ (set_key_func) hmac_sha224_set_key,
+ },
+ { "sha256", SHA256_DIGEST_SIZE,
+ (init_func) sha256_init,
+ (update_func) sha256_update,
+ (digest_func) sha256_digest,
+ (update_func) hmac_sha256_update,
+ (digest_func) hmac_sha256_digest,
+ (set_key_func) hmac_sha256_set_key,
+ },
+ { "sha384", SHA384_DIGEST_SIZE,
+ (init_func) sha384_init,
+ (update_func) sha384_update,
+ (digest_func) sha384_digest,
+ (update_func) hmac_sha384_update,
+ (digest_func) hmac_sha384_digest,
+ (set_key_func) hmac_sha384_set_key,
+ },
+ { "sha512", SHA512_DIGEST_SIZE,
+ (init_func) sha512_init,
+ (update_func) sha512_update,
+ (digest_func) sha512_digest,
+ (update_func) hmac_sha512_update,
+ (digest_func) hmac_sha512_digest,
+ (set_key_func) hmac_sha512_set_key,
+ },
+ { "ripemd160", RIPEMD160_DIGEST_SIZE,
+ (init_func) ripemd160_init,
+ (update_func) ripemd160_update,
+ (digest_func) ripemd160_digest,
+ (update_func) hmac_ripemd160_update,
+ (digest_func) hmac_ripemd160_digest,
+ (set_key_func) hmac_ripemd160_set_key,
+ },
+ { NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, }
+};
+
+struct crypt_hash {
+ const struct hash_alg *hash;
+ union {
+ struct sha1_ctx sha1;
+ struct sha224_ctx sha224;
+ struct sha256_ctx sha256;
+ struct sha384_ctx sha384;
+ struct sha512_ctx sha512;
+ } nettle_ctx;
+};
+
+struct crypt_hmac {
+ const struct hash_alg *hash;
+ union {
+ struct hmac_sha1_ctx sha1;
+ struct hmac_sha224_ctx sha224;
+ struct hmac_sha256_ctx sha256;
+ struct hmac_sha384_ctx sha384;
+ struct hmac_sha512_ctx sha512;
+ } nettle_ctx;
+ size_t key_length;
+ uint8_t *key;
+};
+
+uint32_t crypt_backend_flags(void)
+{
+ return 0;
+}
+
+static struct hash_alg *_get_alg(const char *name)
+{
+ int i = 0;
+
+ while (name && hash_algs[i].name) {
+ if (!strcmp(name, hash_algs[i].name))
+ return &hash_algs[i];
+ i++;
+ }
+ return NULL;
+}
+
+int crypt_backend_init(struct crypt_device *ctx)
+{
+ return 0;
+}
+
+const char *crypt_backend_version(void)
+{
+ return version;
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+ struct hash_alg *ha = _get_alg(name);
+
+ return ha ? ha->length : -EINVAL;
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+ struct crypt_hash *h;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->hash = _get_alg(name);
+ if (!h->hash) {
+ free(h);
+ return -EINVAL;
+ }
+
+ h->hash->init(&h->nettle_ctx);
+
+ *ctx = h;
+ return 0;
+}
+
+static void crypt_hash_restart(struct crypt_hash *ctx)
+{
+ ctx->hash->init(&ctx->nettle_ctx);
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+ ctx->hash->update(&ctx->nettle_ctx, length, (const uint8_t*)buffer);
+ return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+ if (length > (size_t)ctx->hash->length)
+ return -EINVAL;
+
+ ctx->hash->digest(&ctx->nettle_ctx, length, (uint8_t *)buffer);
+ crypt_hash_restart(ctx);
+ return 0;
+}
+
+int crypt_hash_destroy(struct crypt_hash *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+ return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length)
+{
+ struct crypt_hmac *h;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+ memset(ctx, 0, sizeof(*ctx));
+
+
+ h->hash = _get_alg(name);
+ if (!h->hash)
+ goto bad;
+
+ h->key = malloc(length);
+ if (!h->key)
+ goto bad;
+
+ memcpy(h->key, buffer, length);
+ h->key_length = length;
+
+ h->hash->init(&h->nettle_ctx);
+ h->hash->hmac_set_key(&h->nettle_ctx, h->key_length, h->key);
+
+ *ctx = h;
+ return 0;
+bad:
+ free(h);
+ return -EINVAL;
+}
+
+static void crypt_hmac_restart(struct crypt_hmac *ctx)
+{
+ ctx->hash->hmac_set_key(&ctx->nettle_ctx, ctx->key_length, ctx->key);
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+ ctx->hash->hmac_update(&ctx->nettle_ctx, length, (const uint8_t *)buffer);
+ return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+ if (length > (size_t)ctx->hash->length)
+ return -EINVAL;
+
+ ctx->hash->hmac_digest(&ctx->nettle_ctx, length, (uint8_t *)buffer);
+ crypt_hmac_restart(ctx);
+ return 0;
+}
+
+int crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+ memset(ctx->key, 0, ctx->key_length);
+ free(ctx->key);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* RNG - N/A */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+ return -EINVAL;
+}
+
+/* PBKDF */
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations)
+{
+ struct crypt_hmac *h;
+ int r;
+
+ if (!kdf || strncmp(kdf, "pbkdf2", 6))
+ return -EINVAL;
+
+ r = crypt_hmac_init(&h, hash, password, password_length);
+ if (r < 0)
+ return r;
+
+ nettle_pbkdf2(&h->nettle_ctx, h->hash->nettle_hmac_update,
+ h->hash->nettle_hmac_digest, h->hash->length, iterations,
+ salt_length, (const uint8_t *)salt, key_length,
+ (uint8_t *)key);
+ crypt_hmac_destroy(h);
+
+ return 0;
+}
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
new file mode 100644
index 0000000..7a3ed69
--- /dev/null
+++ b/lib/crypto_backend/crypto_nss.c
@@ -0,0 +1,319 @@
+/*
+ * NSS crypto backend implementation
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <errno.h>
+#include <nss.h>
+#include <pk11pub.h>
+#include "crypto_backend.h"
+
+#define CONST_CAST(x) (x)(uintptr_t)
+
+static int crypto_backend_initialised = 0;
+static char version[64];
+
+struct hash_alg {
+ const char *name;
+ SECOidTag oid;
+ CK_MECHANISM_TYPE ck_type;
+ int length;
+ unsigned int block_length;
+};
+
+static struct hash_alg hash_algs[] = {
+ { "sha1", SEC_OID_SHA1, CKM_SHA_1_HMAC, 20, 64 },
+ { "sha256", SEC_OID_SHA256, CKM_SHA256_HMAC, 32, 64 },
+ { "sha384", SEC_OID_SHA384, CKM_SHA384_HMAC, 48, 128 },
+ { "sha512", SEC_OID_SHA512, CKM_SHA512_HMAC, 64, 128 },
+// { "ripemd160", SEC_OID_RIPEMD160, CKM_RIPEMD160_HMAC, 20, 64 },
+ { NULL, 0, 0, 0 }
+};
+
+struct crypt_hash {
+ PK11Context *md;
+ const struct hash_alg *hash;
+};
+
+struct crypt_hmac {
+ PK11Context *md;
+ PK11SymKey *key;
+ PK11SlotInfo *slot;
+ const struct hash_alg *hash;
+};
+
+static struct hash_alg *_get_alg(const char *name)
+{
+ int i = 0;
+
+ while (name && hash_algs[i].name) {
+ if (!strcmp(name, hash_algs[i].name))
+ return &hash_algs[i];
+ i++;
+ }
+ return NULL;
+}
+
+int crypt_backend_init(struct crypt_device *ctx)
+{
+ if (crypto_backend_initialised)
+ return 0;
+
+ if (NSS_NoDB_Init(".") != SECSuccess)
+ return -EINVAL;
+
+#if HAVE_DECL_NSS_GETVERSION
+ snprintf(version, 64, "NSS %s", NSS_GetVersion());
+#else
+ snprintf(version, 64, "NSS");
+#endif
+ crypto_backend_initialised = 1;
+ return 0;
+}
+
+uint32_t crypt_backend_flags(void)
+{
+ return 0;
+}
+
+const char *crypt_backend_version(void)
+{
+ return crypto_backend_initialised ? version : "";
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+ struct hash_alg *ha = _get_alg(name);
+
+ return ha ? ha->length : -EINVAL;
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+ struct crypt_hash *h;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->hash = _get_alg(name);
+ if (!h->hash) {
+ free(h);
+ return -EINVAL;
+ }
+
+ h->md = PK11_CreateDigestContext(h->hash->oid);
+ if (!h->md) {
+ free(h);
+ return -EINVAL;
+ }
+
+ if (PK11_DigestBegin(h->md) != SECSuccess) {
+ PK11_DestroyContext(h->md, PR_TRUE);
+ free(h);
+ return -EINVAL;
+ }
+
+ *ctx = h;
+ return 0;
+}
+
+static int crypt_hash_restart(struct crypt_hash *ctx)
+{
+ if (PK11_DigestBegin(ctx->md) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+ if (PK11_DigestOp(ctx->md, CONST_CAST(unsigned char *)buffer, length) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+ unsigned char tmp[64];
+ unsigned int tmp_len;
+
+ if (length > (size_t)ctx->hash->length)
+ return -EINVAL;
+
+ if (PK11_DigestFinal(ctx->md, tmp, &tmp_len, length) != SECSuccess)
+ return -EINVAL;
+
+ memcpy(buffer, tmp, length);
+ crypt_backend_memzero(tmp, sizeof(tmp));
+
+ if (tmp_len < length)
+ return -EINVAL;
+
+ if (crypt_hash_restart(ctx))
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_destroy(struct crypt_hash *ctx)
+{
+ PK11_DestroyContext(ctx->md, PR_TRUE);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+ return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length)
+{
+ struct crypt_hmac *h;
+ SECItem keyItem;
+ SECItem noParams;
+
+ keyItem.type = siBuffer;
+ keyItem.data = CONST_CAST(unsigned char *)buffer;
+ keyItem.len = (int)length;
+
+ noParams.type = siBuffer;
+ noParams.data = 0;
+ noParams.len = 0;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+ memset(ctx, 0, sizeof(*ctx));
+
+
+ h->hash = _get_alg(name);
+ if (!h->hash)
+ goto bad;
+
+ h->slot = PK11_GetInternalKeySlot();
+ if (!h->slot)
+ goto bad;
+
+ h->key = PK11_ImportSymKey(h->slot, h->hash->ck_type, PK11_OriginUnwrap,
+ CKA_SIGN, &keyItem, NULL);
+ if (!h->key)
+ goto bad;
+
+ h->md = PK11_CreateContextBySymKey(h->hash->ck_type, CKA_SIGN, h->key,
+ &noParams);
+ if (!h->md)
+ goto bad;
+
+ if (PK11_DigestBegin(h->md) != SECSuccess)
+ goto bad;
+
+ *ctx = h;
+ return 0;
+bad:
+ crypt_hmac_destroy(h);
+ return -EINVAL;
+}
+
+static int crypt_hmac_restart(struct crypt_hmac *ctx)
+{
+ if (PK11_DigestBegin(ctx->md) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+ if (PK11_DigestOp(ctx->md, CONST_CAST(unsigned char *)buffer, length) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+ unsigned char tmp[64];
+ unsigned int tmp_len;
+
+ if (length > (size_t)ctx->hash->length)
+ return -EINVAL;
+
+ if (PK11_DigestFinal(ctx->md, tmp, &tmp_len, length) != SECSuccess)
+ return -EINVAL;
+
+ memcpy(buffer, tmp, length);
+ crypt_backend_memzero(tmp, sizeof(tmp));
+
+ if (tmp_len < length)
+ return -EINVAL;
+
+ if (crypt_hmac_restart(ctx))
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+ if (ctx->key)
+ PK11_FreeSymKey(ctx->key);
+ if (ctx->slot)
+ PK11_FreeSlot(ctx->slot);
+ if (ctx->md)
+ PK11_DestroyContext(ctx->md, PR_TRUE);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+ if (fips)
+ return -EINVAL;
+
+ if (PK11_GenerateRandom((unsigned char *)buffer, length) != SECSuccess)
+ return -EINVAL;
+
+ return 0;
+}
+
+/* PBKDF */
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations)
+{
+ struct hash_alg *ha = _get_alg(hash);
+
+ if (!ha || !kdf || strncmp(kdf, "pbkdf2", 6))
+ return -EINVAL;
+
+ return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
+ iterations, key_length, key, ha->block_length);
+}
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
new file mode 100644
index 0000000..5c08446
--- /dev/null
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -0,0 +1,329 @@
+/*
+ * OPENSSL crypto backend implementation
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU Lesser General Public License in all respects
+ * for all of the code used other than OpenSSL.
+ */
+
+#include <string.h>
+#include <errno.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include "crypto_backend.h"
+
+static int crypto_backend_initialised = 0;
+
+struct crypt_hash {
+ EVP_MD_CTX *md;
+ const EVP_MD *hash_id;
+ int hash_len;
+};
+
+struct crypt_hmac {
+ HMAC_CTX *md;
+ const EVP_MD *hash_id;
+ int hash_len;
+};
+
+/*
+ * Compatible wrappers for OpenSSL < 1.1.0
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+static void openssl_backend_init(void)
+{
+ OpenSSL_add_all_algorithms();
+}
+
+static const char *openssl_backend_version(void)
+{
+ return SSLeay_version(SSLEAY_VERSION);
+}
+
+static EVP_MD_CTX *EVP_MD_CTX_new(void)
+{
+ EVP_MD_CTX *md = malloc(sizeof(*md));
+
+ if (md)
+ EVP_MD_CTX_init(md);
+
+ return md;
+}
+
+static void EVP_MD_CTX_free(EVP_MD_CTX *md)
+{
+ EVP_MD_CTX_cleanup(md);
+ free(md);
+}
+
+static HMAC_CTX *HMAC_CTX_new(void)
+{
+ HMAC_CTX *md = malloc(sizeof(*md));
+
+ if (md)
+ HMAC_CTX_init(md);
+
+ return md;
+}
+
+static void HMAC_CTX_free(HMAC_CTX *md)
+{
+ HMAC_CTX_cleanup(md);
+ free(md);
+}
+#else
+static void openssl_backend_init(void)
+{
+}
+
+static const char *openssl_backend_version(void)
+{
+ return OpenSSL_version(OPENSSL_VERSION);
+}
+#endif
+
+int crypt_backend_init(struct crypt_device *ctx)
+{
+ if (crypto_backend_initialised)
+ return 0;
+
+ openssl_backend_init();
+
+ crypto_backend_initialised = 1;
+ return 0;
+}
+
+uint32_t crypt_backend_flags(void)
+{
+ return 0;
+}
+
+const char *crypt_backend_version(void)
+{
+ return openssl_backend_version();
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+ const EVP_MD *hash_id = EVP_get_digestbyname(name);
+
+ if (!hash_id)
+ return -EINVAL;
+
+ return EVP_MD_size(hash_id);
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+ struct crypt_hash *h;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->md = EVP_MD_CTX_new();
+ if (!h->md) {
+ free(h);
+ return -ENOMEM;
+ }
+
+ h->hash_id = EVP_get_digestbyname(name);
+ if (!h->hash_id) {
+ EVP_MD_CTX_free(h->md);
+ free(h);
+ return -EINVAL;
+ }
+
+ if (EVP_DigestInit_ex(h->md, h->hash_id, NULL) != 1) {
+ EVP_MD_CTX_free(h->md);
+ free(h);
+ return -EINVAL;
+ }
+
+ h->hash_len = EVP_MD_size(h->hash_id);
+ *ctx = h;
+ return 0;
+}
+
+static int crypt_hash_restart(struct crypt_hash *ctx)
+{
+ if (EVP_DigestInit_ex(ctx->md, ctx->hash_id, NULL) != 1)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+ if (EVP_DigestUpdate(ctx->md, buffer, length) != 1)
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+ unsigned char tmp[EVP_MAX_MD_SIZE];
+ unsigned int tmp_len = 0;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ if (EVP_DigestFinal_ex(ctx->md, tmp, &tmp_len) != 1)
+ return -EINVAL;
+
+ memcpy(buffer, tmp, length);
+ crypt_backend_memzero(tmp, sizeof(tmp));
+
+ if (tmp_len < length)
+ return -EINVAL;
+
+ if (crypt_hash_restart(ctx))
+ return -EINVAL;
+
+ return 0;
+}
+
+int crypt_hash_destroy(struct crypt_hash *ctx)
+{
+ EVP_MD_CTX_free(ctx->md);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+ return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+ const void *buffer, size_t length)
+{
+ struct crypt_hmac *h;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ h->md = HMAC_CTX_new();
+ if (!h->md) {
+ free(h);
+ return -ENOMEM;
+ }
+
+ h->hash_id = EVP_get_digestbyname(name);
+ if (!h->hash_id) {
+ HMAC_CTX_free(h->md);
+ free(h);
+ return -EINVAL;
+ }
+
+ HMAC_Init_ex(h->md, buffer, length, h->hash_id, NULL);
+
+ h->hash_len = EVP_MD_size(h->hash_id);
+ *ctx = h;
+ return 0;
+}
+
+static void crypt_hmac_restart(struct crypt_hmac *ctx)
+{
+ HMAC_Init_ex(ctx->md, NULL, 0, ctx->hash_id, NULL);
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+ HMAC_Update(ctx->md, (const unsigned char *)buffer, length);
+ return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+ unsigned char tmp[EVP_MAX_MD_SIZE];
+ unsigned int tmp_len = 0;
+
+ if (length > (size_t)ctx->hash_len)
+ return -EINVAL;
+
+ HMAC_Final(ctx->md, tmp, &tmp_len);
+
+ memcpy(buffer, tmp, length);
+ crypt_backend_memzero(tmp, sizeof(tmp));
+
+ if (tmp_len < length)
+ return -EINVAL;
+
+ crypt_hmac_restart(ctx);
+
+ return 0;
+}
+
+int crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+ HMAC_CTX_free(ctx->md);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ return 0;
+}
+
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+ if (fips)
+ return -EINVAL;
+
+ if (RAND_bytes((unsigned char *)buffer, length) != 1)
+ return -EINVAL;
+
+ return 0;
+}
+
+/* PBKDF */
+int crypt_pbkdf(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ unsigned int iterations)
+{
+ const EVP_MD *hash_id;
+
+ if (!kdf || strncmp(kdf, "pbkdf2", 6))
+ return -EINVAL;
+
+ hash_id = EVP_get_digestbyname(hash);
+ if (!hash_id)
+ return -EINVAL;
+
+ if (!PKCS5_PBKDF2_HMAC(password, (int)password_length,
+ (const unsigned char *)salt, (int)salt_length,
+ (int)iterations, hash_id, (int)key_length, (unsigned char *)key))
+ return -EINVAL;
+
+ return 0;
+}
diff --git a/lib/crypto_backend/crypto_storage.c b/lib/crypto_backend/crypto_storage.c
new file mode 100644
index 0000000..357ae20
--- /dev/null
+++ b/lib/crypto_backend/crypto_storage.c
@@ -0,0 +1,293 @@
+/*
+ * Generic wrapper for storage encryption modes and Initial Vectors
+ * (reimplementation of some functions from Linux dm-crypt kernel)
+ *
+ * Copyright (C) 2014-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include "bitops.h"
+#include "crypto_backend.h"
+
+#define SECTOR_SHIFT 9
+#define SECTOR_SIZE (1 << SECTOR_SHIFT)
+
+/*
+ * Internal IV helper
+ * IV documentation: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
+ */
+struct crypt_sector_iv {
+ enum { IV_NONE, IV_NULL, IV_PLAIN, IV_PLAIN64, IV_ESSIV, IV_BENBI } type;
+ int iv_size;
+ char *iv;
+ struct crypt_cipher *essiv_cipher;
+ int benbi_shift;
+};
+
+/* Block encryption storage context */
+struct crypt_storage {
+ uint64_t sector_start;
+ struct crypt_cipher *cipher;
+ struct crypt_sector_iv cipher_iv;
+};
+
+static int int_log2(unsigned int x)
+{
+ int r = 0;
+ for (x >>= 1; x > 0; x >>= 1)
+ r++;
+ return r;
+}
+
+static int crypt_sector_iv_init(struct crypt_sector_iv *ctx,
+ const char *cipher_name, const char *mode_name,
+ const char *iv_name, char *key, size_t key_length)
+{
+ memset(ctx, 0, sizeof(*ctx));
+
+ ctx->iv_size = crypt_cipher_blocksize(cipher_name);
+ if (ctx->iv_size < 0)
+ return -ENOENT;
+
+ if (!iv_name ||
+ !strcmp(cipher_name, "cipher_null") ||
+ !strcmp(mode_name, "ecb")) {
+ ctx->type = IV_NONE;
+ ctx->iv_size = 0;
+ return 0;
+ } else if (!strcasecmp(iv_name, "null")) {
+ ctx->type = IV_NULL;
+ } else if (!strcasecmp(iv_name, "plain64")) {
+ ctx->type = IV_PLAIN64;
+ } else if (!strcasecmp(iv_name, "plain")) {
+ ctx->type = IV_PLAIN;
+ } else if (!strncasecmp(iv_name, "essiv:", 6)) {
+ struct crypt_hash *h = NULL;
+ char *hash_name = strchr(iv_name, ':');
+ int hash_size;
+ char tmp[256];
+ int r;
+
+ if (!hash_name)
+ return -EINVAL;
+
+ hash_size = crypt_hash_size(++hash_name);
+ if (hash_size < 0)
+ return -ENOENT;
+
+ if ((unsigned)hash_size > sizeof(tmp))
+ return -EINVAL;
+
+ if (crypt_hash_init(&h, hash_name))
+ return -EINVAL;
+
+ r = crypt_hash_write(h, key, key_length);
+ if (r) {
+ crypt_hash_destroy(h);
+ return r;
+ }
+
+ r = crypt_hash_final(h, tmp, hash_size);
+ crypt_hash_destroy(h);
+ if (r) {
+ crypt_backend_memzero(tmp, sizeof(tmp));
+ return r;
+ }
+
+ r = crypt_cipher_init(&ctx->essiv_cipher, cipher_name, "ecb",
+ tmp, hash_size);
+ crypt_backend_memzero(tmp, sizeof(tmp));
+ if (r)
+ return r;
+
+ ctx->type = IV_ESSIV;
+ } else if (!strncasecmp(iv_name, "benbi", 5)) {
+ int log = int_log2(ctx->iv_size);
+ if (log > SECTOR_SHIFT)
+ return -EINVAL;
+
+ ctx->type = IV_BENBI;
+ ctx->benbi_shift = SECTOR_SHIFT - log;
+ } else
+ return -ENOENT;
+
+ ctx->iv = malloc(ctx->iv_size);
+ if (!ctx->iv)
+ return -ENOMEM;
+
+ return 0;
+}
+
+static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector)
+{
+ uint64_t val;
+
+ switch (ctx->type) {
+ case IV_NONE:
+ break;
+ case IV_NULL:
+ memset(ctx->iv, 0, ctx->iv_size);
+ break;
+ case IV_PLAIN:
+ memset(ctx->iv, 0, ctx->iv_size);
+ *(uint32_t *)ctx->iv = cpu_to_le32(sector & 0xffffffff);
+ break;
+ case IV_PLAIN64:
+ memset(ctx->iv, 0, ctx->iv_size);
+ *(uint64_t *)ctx->iv = cpu_to_le64(sector);
+ break;
+ case IV_ESSIV:
+ memset(ctx->iv, 0, ctx->iv_size);
+ *(uint64_t *)ctx->iv = cpu_to_le64(sector);
+ return crypt_cipher_encrypt(ctx->essiv_cipher,
+ ctx->iv, ctx->iv, ctx->iv_size, NULL, 0);
+ break;
+ case IV_BENBI:
+ memset(ctx->iv, 0, ctx->iv_size);
+ val = cpu_to_be64((sector << ctx->benbi_shift) + 1);
+ memcpy(ctx->iv + ctx->iv_size - sizeof(val), &val, sizeof(val));
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int crypt_sector_iv_destroy(struct crypt_sector_iv *ctx)
+{
+ if (ctx->type == IV_ESSIV)
+ crypt_cipher_destroy(ctx->essiv_cipher);
+
+ if (ctx->iv) {
+ memset(ctx->iv, 0, ctx->iv_size);
+ free(ctx->iv);
+ }
+
+ memset(ctx, 0, sizeof(*ctx));
+ return 0;
+}
+
+/* Block encryption storage wrappers */
+
+int crypt_storage_init(struct crypt_storage **ctx,
+ uint64_t sector_start,
+ const char *cipher,
+ const char *cipher_mode,
+ char *key, size_t key_length)
+{
+ struct crypt_storage *s;
+ char mode_name[64];
+ char *cipher_iv = NULL;
+ int r = -EIO;
+
+ s = malloc(sizeof(*s));
+ if (!s)
+ return -ENOMEM;
+ memset(s, 0, sizeof(*s));
+
+ /* Remove IV if present */
+ strncpy(mode_name, cipher_mode, sizeof(mode_name));
+ mode_name[sizeof(mode_name) - 1] = 0;
+ cipher_iv = strchr(mode_name, '-');
+ if (cipher_iv) {
+ *cipher_iv = '\0';
+ cipher_iv++;
+ }
+
+ r = crypt_cipher_init(&s->cipher, cipher, mode_name, key, key_length);
+ if (r) {
+ crypt_storage_destroy(s);
+ return r;
+ }
+
+ r = crypt_sector_iv_init(&s->cipher_iv, cipher, mode_name, cipher_iv, key, key_length);
+ if (r) {
+ crypt_storage_destroy(s);
+ return r;
+ }
+
+ s->sector_start = sector_start;
+
+ *ctx = s;
+ return 0;
+}
+
+int crypt_storage_decrypt(struct crypt_storage *ctx,
+ uint64_t sector, size_t count,
+ char *buffer)
+{
+ unsigned int i;
+ int r = 0;
+
+ for (i = 0; i < count; i++) {
+ r = crypt_sector_iv_generate(&ctx->cipher_iv, sector + i);
+ if (r)
+ break;
+ r = crypt_cipher_decrypt(ctx->cipher,
+ &buffer[i * SECTOR_SIZE],
+ &buffer[i * SECTOR_SIZE],
+ SECTOR_SIZE,
+ ctx->cipher_iv.iv,
+ ctx->cipher_iv.iv_size);
+ if (r)
+ break;
+ }
+
+ return r;
+}
+
+int crypt_storage_encrypt(struct crypt_storage *ctx,
+ uint64_t sector, size_t count,
+ char *buffer)
+{
+ unsigned int i;
+ int r = 0;
+
+ for (i = 0; i < count; i++) {
+ r = crypt_sector_iv_generate(&ctx->cipher_iv, sector + i);
+ if (r)
+ break;
+ r = crypt_cipher_encrypt(ctx->cipher,
+ &buffer[i * SECTOR_SIZE],
+ &buffer[i * SECTOR_SIZE],
+ SECTOR_SIZE,
+ ctx->cipher_iv.iv,
+ ctx->cipher_iv.iv_size);
+ if (r)
+ break;
+ }
+
+ return r;
+}
+
+int crypt_storage_destroy(struct crypt_storage *ctx)
+{
+ if (!ctx)
+ return 0;
+
+ crypt_sector_iv_destroy(&ctx->cipher_iv);
+
+ if (ctx->cipher)
+ crypt_cipher_destroy(ctx->cipher);
+
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+
+ return 0;
+}
diff --git a/lib/crypto_backend/pbkdf2_generic.c b/lib/crypto_backend/pbkdf2_generic.c
new file mode 100644
index 0000000..876d171
--- /dev/null
+++ b/lib/crypto_backend/pbkdf2_generic.c
@@ -0,0 +1,426 @@
+/*
+ * Implementation of Password-Based Cryptography as per PKCS#5
+ * Copyright (C) 2002,2003 Simon Josefsson
+ * Copyright (C) 2004 Free Software Foundation
+ *
+ * cryptsetup related changes
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include <errno.h>
+#include <alloca.h>
+#include "crypto_backend.h"
+
+static int hash_buf(const char *src, size_t src_len,
+ char *dst, size_t dst_len,
+ const char *hash_name)
+{
+ struct crypt_hash *hd = NULL;
+ int r;
+
+ if (crypt_hash_init(&hd, hash_name))
+ return -EINVAL;
+
+ r = crypt_hash_write(hd, src, src_len);
+
+ if (!r)
+ r = crypt_hash_final(hd, dst, dst_len);
+
+ crypt_hash_destroy(hd);
+ return r;
+}
+
+/*
+ * 5.2 PBKDF2
+ *
+ * PBKDF2 applies a pseudorandom function (see Appendix B.1 for an
+ * example) to derive keys. The length of the derived key is essentially
+ * unbounded. (However, the maximum effective search space for the
+ * derived key may be limited by the structure of the underlying
+ * pseudorandom function. See Appendix B.1 for further discussion.)
+ * PBKDF2 is recommended for new applications.
+ *
+ * PBKDF2 (P, S, c, dkLen)
+ *
+ * Options: PRF underlying pseudorandom function (hLen
+ * denotes the length in octets of the
+ * pseudorandom function output)
+ *
+ * Input: P password, an octet string (ASCII or UTF-8)
+ * S salt, an octet string
+ * c iteration count, a positive integer
+ * dkLen intended length in octets of the derived
+ * key, a positive integer, at most
+ * (2^32 - 1) * hLen
+ *
+ * Output: DK derived key, a dkLen-octet string
+ */
+
+/*
+ * if hash_block_size is not zero, the HMAC key is pre-hashed
+ * inside this function.
+ * This prevents situation when crypto backend doesn't support
+ * long HMAC keys or it tries hash long key in every iteration
+ * (because of crypt_final() cannot do simple key reset.
+ */
+
+#define MAX_PRF_BLOCK_LEN 80
+
+int pkcs5_pbkdf2(const char *hash,
+ const char *P, size_t Plen,
+ const char *S, size_t Slen,
+ unsigned int c, unsigned int dkLen,
+ char *DK, unsigned int hash_block_size)
+{
+ struct crypt_hmac *hmac;
+ char U[MAX_PRF_BLOCK_LEN];
+ char T[MAX_PRF_BLOCK_LEN];
+ char P_hash[MAX_PRF_BLOCK_LEN];
+ int i, k, rc = -EINVAL;
+ unsigned int u, hLen, l, r;
+ size_t tmplen = Slen + 4;
+ char *tmp;
+
+ tmp = alloca(tmplen);
+ if (tmp == NULL)
+ return -ENOMEM;
+
+ hLen = crypt_hmac_size(hash);
+ if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN)
+ return -EINVAL;
+
+ if (c == 0)
+ return -EINVAL;
+
+ if (dkLen == 0)
+ return -EINVAL;
+
+ /*
+ *
+ * Steps:
+ *
+ * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
+ * stop.
+ */
+
+ if (dkLen > 4294967295U)
+ return -EINVAL;
+
+ /*
+ * 2. Let l be the number of hLen-octet blocks in the derived key,
+ * rounding up, and let r be the number of octets in the last
+ * block:
+ *
+ * l = CEIL (dkLen / hLen) ,
+ * r = dkLen - (l - 1) * hLen .
+ *
+ * Here, CEIL (x) is the "ceiling" function, i.e. the smallest
+ * integer greater than, or equal to, x.
+ */
+
+ l = dkLen / hLen;
+ if (dkLen % hLen)
+ l++;
+ r = dkLen - (l - 1) * hLen;
+
+ /*
+ * 3. For each block of the derived key apply the function F defined
+ * below to the password P, the salt S, the iteration count c, and
+ * the block index to compute the block:
+ *
+ * T_1 = F (P, S, c, 1) ,
+ * T_2 = F (P, S, c, 2) ,
+ * ...
+ * T_l = F (P, S, c, l) ,
+ *
+ * where the function F is defined as the exclusive-or sum of the
+ * first c iterates of the underlying pseudorandom function PRF
+ * applied to the password P and the concatenation of the salt S
+ * and the block index i:
+ *
+ * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
+ *
+ * where
+ *
+ * U_1 = PRF (P, S || INT (i)) ,
+ * U_2 = PRF (P, U_1) ,
+ * ...
+ * U_c = PRF (P, U_{c-1}) .
+ *
+ * Here, INT (i) is a four-octet encoding of the integer i, most
+ * significant octet first.
+ *
+ * 4. Concatenate the blocks and extract the first dkLen octets to
+ * produce a derived key DK:
+ *
+ * DK = T_1 || T_2 || ... || T_l<0..r-1>
+ *
+ * 5. Output the derived key DK.
+ *
+ * Note. The construction of the function F follows a "belt-and-
+ * suspenders" approach. The iterates U_i are computed recursively to
+ * remove a degree of parallelism from an opponent; they are exclusive-
+ * ored together to reduce concerns about the recursion degenerating
+ * into a small set of values.
+ *
+ */
+
+ /* If hash_block_size is provided, hash password in advance. */
+ if (hash_block_size > 0 && Plen > hash_block_size) {
+ if (hash_buf(P, Plen, P_hash, hLen, hash))
+ return -EINVAL;
+
+ if (crypt_hmac_init(&hmac, hash, P_hash, hLen))
+ return -EINVAL;
+ crypt_backend_memzero(P_hash, sizeof(P_hash));
+ } else {
+ if (crypt_hmac_init(&hmac, hash, P, Plen))
+ return -EINVAL;
+ }
+
+ for (i = 1; (unsigned int) i <= l; i++) {
+ memset(T, 0, hLen);
+
+ for (u = 1; u <= c ; u++) {
+ if (u == 1) {
+ memcpy(tmp, S, Slen);
+ tmp[Slen + 0] = (i & 0xff000000) >> 24;
+ tmp[Slen + 1] = (i & 0x00ff0000) >> 16;
+ tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
+ tmp[Slen + 3] = (i & 0x000000ff) >> 0;
+
+ if (crypt_hmac_write(hmac, tmp, tmplen))
+ goto out;
+ } else {
+ if (crypt_hmac_write(hmac, U, hLen))
+ goto out;
+ }
+
+ if (crypt_hmac_final(hmac, U, hLen))
+ goto out;
+
+ for (k = 0; (unsigned int) k < hLen; k++)
+ T[k] ^= U[k];
+ }
+
+ memcpy(DK + (i - 1) * hLen, T, (unsigned int) i == l ? r : hLen);
+ }
+ rc = 0;
+out:
+ crypt_hmac_destroy(hmac);
+ crypt_backend_memzero(U, sizeof(U));
+ crypt_backend_memzero(T, sizeof(T));
+ crypt_backend_memzero(tmp, tmplen);
+
+ return rc;
+}
+
+#if 0
+#include <stdio.h>
+
+struct test_vector {
+ const char *hash;
+ unsigned int hash_block_length;
+ unsigned int iterations;
+ const char *password;
+ unsigned int password_length;
+ const char *salt;
+ unsigned int salt_length;
+ const char *output;
+ unsigned int output_length;
+};
+
+struct test_vector test_vectors[] = {
+ /* RFC 3962 */
+ {
+ "sha1", 64, 1,
+ "password", 8,
+ "ATHENA.MIT.EDUraeburn", 21,
+ "\xcd\xed\xb5\x28\x1b\xb2\xf8\x01"
+ "\x56\x5a\x11\x22\xb2\x56\x35\x15"
+ "\x0a\xd1\xf7\xa0\x4b\xb9\xf3\xa3"
+ "\x33\xec\xc0\xe2\xe1\xf7\x08\x37", 32
+ }, {
+ "sha1", 64, 2,
+ "password", 8,
+ "ATHENA.MIT.EDUraeburn", 21,
+ "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e"
+ "\x98\x8b\x62\xc7\x3c\xda\x93\x5d"
+ "\xa0\x53\x78\xb9\x32\x44\xec\x8f"
+ "\x48\xa9\x9e\x61\xad\x79\x9d\x86", 32
+ }, {
+ "sha1", 64, 1200,
+ "password", 8,
+ "ATHENA.MIT.EDUraeburn", 21,
+ "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e"
+ "\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b"
+ "\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f"
+ "\x70\x8a\x31\xe2\xe6\x2b\x1e\x13", 32
+ }, {
+ "sha1", 64, 5,
+ "password", 8,
+ "\0224VxxV4\022", 8, // "\x1234567878563412
+ "\xd1\xda\xa7\x86\x15\xf2\x87\xe6"
+ "\xa1\xc8\xb1\x20\xd7\x06\x2a\x49"
+ "\x3f\x98\xd2\x03\xe6\xbe\x49\xa6"
+ "\xad\xf4\xfa\x57\x4b\x6e\x64\xee", 32
+ }, {
+ "sha1", 64, 1200,
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 64,
+ "pass phrase equals block size", 29,
+ "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b"
+ "\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9"
+ "\xc5\xec\x59\xf1\xa4\x52\xf5\xcc"
+ "\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1", 32
+ }, {
+ "sha1", 64, 1200,
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 65,
+ "pass phrase exceeds block size", 30,
+ "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5"
+ "\x1b\x10\xe6\xa6\x87\x21\xbe\x61"
+ "\x1a\x8b\x4d\x28\x26\x01\xdb\x3b"
+ "\x36\xbe\x92\x46\x91\x5e\xc8\x2a", 32
+ }, {
+ "sha1", 64, 50,
+ "\360\235\204\236", 4, // g-clef ("\xf09d849e)
+ "EXAMPLE.COMpianist", 18,
+ "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43"
+ "\xa5\xb8\xbb\x27\x6a\x40\x3b\x39"
+ "\xe7\xfe\x37\xa0\xc4\x1e\x02\xc2"
+ "\x81\xff\x30\x69\xe1\xe9\x4f\x52", 32
+ }, {
+ /* RFC-6070 */
+ "sha1", 64, 1,
+ "password", 8,
+ "salt", 4,
+ "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
+ "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6", 20
+ }, {
+ "sha1", 64, 2,
+ "password", 8,
+ "salt", 4,
+ "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e"
+ "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57", 20
+ }, {
+ "sha1", 64, 4096,
+ "password", 8,
+ "salt", 4,
+ "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad"
+ "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1", 20
+ }, {
+ "sha1", 64, 16777216,
+ "password", 8,
+ "salt", 4,
+ "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94"
+ "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", 20
+ }, {
+ "sha1", 64, 4096,
+ "passwordPASSWORDpassword", 24,
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
+ "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8"
+ "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96"
+ "\x4c\xf2\xf0\x70\x38", 25
+ }, {
+ "sha1", 64, 4096,
+ "pass\0word", 9,
+ "sa\0lt", 5,
+ "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37"
+ "\xd7\xf0\x34\x25\xe0\xc3", 16
+ }, {
+ /* empty password test */
+ "sha1", 64, 2,
+ "", 0,
+ "salt", 4,
+ "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2"
+ "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97", 20
+ }, {
+ /* Password exceeds block size test */
+ "sha256", 64, 1200,
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 65,
+ "pass phrase exceeds block size", 30,
+ "\x22\x34\x4b\xc4\xb6\xe3\x26\x75"
+ "\xa8\x09\x0f\x3e\xa8\x0b\xe0\x1d"
+ "\x5f\x95\x12\x6a\x2c\xdd\xc3\xfa"
+ "\xcc\x4a\x5e\x6d\xca\x04\xec\x58", 32
+ }, {
+ "sha512", 128, 1200,
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 129,
+ "pass phrase exceeds block size", 30,
+ "\x0f\xb2\xed\x2c\x0e\x6e\xfb\x7d"
+ "\x7d\x8e\xdd\x58\x01\xb4\x59\x72"
+ "\x99\x92\x16\x30\x5e\xa4\x36\x8d"
+ "\x76\x14\x80\xf3\xe3\x7a\x22\xb9", 32
+ }, {
+ "whirlpool", 64, 1200,
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 65,
+ "pass phrase exceeds block size", 30,
+ "\x9c\x1c\x74\xf5\x88\x26\xe7\x6a"
+ "\x53\x58\xf4\x0c\x39\xe7\x80\x89"
+ "\x07\xc0\x31\x19\x9a\x50\xa2\x48"
+ "\xf1\xd9\xfe\x78\x64\xe5\x84\x50", 32
+ }
+};
+
+static void printhex(const char *s, const char *buf, size_t len)
+{
+ size_t i;
+
+ printf("%s: ", s);
+ for (i = 0; i < len; i++)
+ printf("\\x%02x", (unsigned char)buf[i]);
+ printf("\n");
+ fflush(stdout);
+}
+
+static int pkcs5_pbkdf2_test_vectors(void)
+{
+ char result[64];
+ unsigned int i, j;
+ struct test_vector *vec;
+
+ for (i = 0; i < (sizeof(test_vectors) / sizeof(*test_vectors)); i++) {
+ vec = &test_vectors[i];
+ for (j = 1; j <= vec->output_length; j++) {
+ if (pkcs5_pbkdf2(vec->hash,
+ vec->password, vec->password_length,
+ vec->salt, vec->salt_length,
+ vec->iterations,
+ j, result, vec->hash_block_length)) {
+ printf("pbkdf2 failed, vector %d\n", i);
+ return -EINVAL;
+ }
+ if (memcmp(result, vec->output, j) != 0) {
+ printf("vector %u\n", i);
+ printhex(" got", result, j);
+ printhex("want", vec->output, j);
+ return -EINVAL;
+ }
+ memset(result, 0, sizeof(result));
+ }
+ }
+ return 0;
+}
+#endif
diff --git a/lib/crypto_backend/pbkdf_check.c b/lib/crypto_backend/pbkdf_check.c
new file mode 100644
index 0000000..9061033
--- /dev/null
+++ b/lib/crypto_backend/pbkdf_check.c
@@ -0,0 +1,117 @@
+/*
+ * PBKDF performance check
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include "crypto_backend.h"
+
+static long time_ms(struct rusage *start, struct rusage *end)
+{
+ int count_kernel_time = 0;
+ long ms;
+
+ if (crypt_backend_flags() & CRYPT_BACKEND_KERNEL)
+ count_kernel_time = 1;
+
+ /*
+ * FIXME: if there is no self usage info, count system time.
+ * This seem like getrusage() bug in some hypervisors...
+ */
+ if (!end->ru_utime.tv_sec && !start->ru_utime.tv_sec &&
+ !end->ru_utime.tv_usec && !start->ru_utime.tv_usec)
+ count_kernel_time = 1;
+
+ ms = (end->ru_utime.tv_sec - start->ru_utime.tv_sec) * 1000;
+ ms += (end->ru_utime.tv_usec - start->ru_utime.tv_usec) / 1000;
+
+ if (count_kernel_time) {
+ ms += (end->ru_stime.tv_sec - start->ru_stime.tv_sec) * 1000;
+ ms += (end->ru_stime.tv_usec - start->ru_stime.tv_usec) / 1000;
+ }
+
+ return ms;
+}
+
+/* This code benchmarks PBKDF and returns iterations/second using specified hash */
+int crypt_pbkdf_check(const char *kdf, const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ size_t key_length, uint64_t *iter_secs)
+{
+ struct rusage rstart, rend;
+ int r = 0, step = 0;
+ long ms = 0;
+ char *key = NULL;
+ unsigned int iterations;
+
+ if (!kdf || !hash || key_length <= 0)
+ return -EINVAL;
+
+ key = malloc(key_length);
+ if (!key)
+ return -ENOMEM;
+
+ iterations = 1 << 15;
+ while (1) {
+ if (getrusage(RUSAGE_SELF, &rstart) < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = crypt_pbkdf(kdf, hash, password, password_length, salt,
+ salt_length, key, key_length, iterations);
+ if (r < 0)
+ goto out;
+
+ if (getrusage(RUSAGE_SELF, &rend) < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ ms = time_ms(&rstart, &rend);
+ if (ms > 500)
+ break;
+
+ if (ms <= 62)
+ iterations <<= 4;
+ else if (ms <= 125)
+ iterations <<= 3;
+ else if (ms <= 250)
+ iterations <<= 2;
+ else
+ iterations <<= 1;
+
+ if (++step > 10 || !iterations) {
+ r = -EINVAL;
+ goto out;
+ }
+ }
+
+ if (iter_secs)
+ *iter_secs = (iterations * 1000) / ms;
+out:
+ if (key) {
+ crypt_backend_memzero(key, key_length);
+ free(key);
+ }
+ return r;
+}
diff --git a/lib/internal.h b/lib/internal.h
new file mode 100644
index 0000000..cadf501
--- /dev/null
+++ b/lib/internal.h
@@ -0,0 +1,162 @@
+/*
+ * libcryptsetup - cryptsetup library internal
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef INTERNAL_H
+#define INTERNAL_H
+
+#include <stdint.h>
+#include <stdarg.h>
+#include <unistd.h>
+#include <inttypes.h>
+
+#include "nls.h"
+#include "bitops.h"
+#include "utils_crypt.h"
+#include "utils_loop.h"
+#include "utils_dm.h"
+#include "utils_fips.h"
+#include "crypto_backend.h"
+
+#include "libcryptsetup.h"
+
+/* to silent gcc -Wcast-qual for const cast */
+#define CONST_CAST(x) (x)(uintptr_t)
+
+#define SECTOR_SHIFT 9
+#define SECTOR_SIZE (1 << SECTOR_SHIFT)
+#define DEFAULT_DISK_ALIGNMENT 1048576 /* 1MiB */
+#define DEFAULT_MEM_ALIGNMENT 4096
+#define MAX_ERROR_LENGTH 512
+
+#define at_least(a, b) ({ __typeof__(a) __at_least = (a); (__at_least >= (b))?__at_least:(b); })
+
+struct crypt_device;
+
+struct volume_key {
+ size_t keylength;
+ char key[];
+};
+
+struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key);
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength);
+void crypt_free_volume_key(struct volume_key *vk);
+
+/* Device backend */
+struct device;
+int device_alloc(struct device **device, const char *path);
+void device_free(struct device *device);
+const char *device_path(const struct device *device);
+const char *device_block_path(const struct device *device);
+void device_topology_alignment(struct device *device,
+ unsigned long *required_alignment, /* bytes */
+ unsigned long *alignment_offset, /* bytes */
+ unsigned long default_alignment);
+int device_block_size(struct device *device);
+int device_read_ahead(struct device *device, uint32_t *read_ahead);
+int device_size(struct device *device, uint64_t *size);
+int device_open(struct device *device, int flags);
+void device_disable_direct_io(struct device *device);
+int device_is_identical(struct device *device1, struct device *device2);
+
+
+enum devcheck { DEV_OK = 0, DEV_EXCL = 1, DEV_SHARED = 2 };
+int device_block_adjust(struct crypt_device *cd,
+ struct device *device,
+ enum devcheck device_check,
+ uint64_t device_offset,
+ uint64_t *size,
+ uint32_t *flags);
+size_t size_round_up(size_t size, unsigned int block);
+
+/* Receive backend devices from context helpers */
+struct device *crypt_metadata_device(struct crypt_device *cd);
+struct device *crypt_data_device(struct crypt_device *cd);
+
+int crypt_confirm(struct crypt_device *cd, const char *msg);
+
+char *crypt_lookup_dev(const char *dev_id);
+int crypt_dev_is_rotational(int major, int minor);
+int crypt_dev_is_partition(const char *dev_path);
+char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
+char *crypt_get_base_device(const char *dev_path);
+uint64_t crypt_dev_partition_offset(const char *dev_path);
+
+ssize_t write_buffer(int fd, const void *buf, size_t count);
+ssize_t read_buffer(int fd, void *buf, size_t count);
+ssize_t write_blockwise(int fd, int bsize, void *buf, size_t count);
+ssize_t read_blockwise(int fd, int bsize, void *buf, size_t count);
+ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
+ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
+
+unsigned crypt_getpagesize(void);
+int init_crypto(struct crypt_device *ctx);
+
+void logger(struct crypt_device *cd, int class, const char *file, int line, const char *format, ...) __attribute__ ((format (printf, 5, 6)));
+#define log_dbg(x...) logger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
+#define log_std(c, x...) logger(c, CRYPT_LOG_NORMAL, __FILE__, __LINE__, x)
+#define log_verbose(c, x...) logger(c, CRYPT_LOG_VERBOSE, __FILE__, __LINE__, x)
+#define log_err(c, x...) logger(c, CRYPT_LOG_ERROR, __FILE__, __LINE__, x)
+
+int crypt_get_debug_level(void);
+
+int crypt_memlock_inc(struct crypt_device *ctx);
+int crypt_memlock_dec(struct crypt_device *ctx);
+
+int crypt_random_init(struct crypt_device *ctx);
+int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality);
+void crypt_random_exit(void);
+int crypt_random_default_key_rng(void);
+
+int crypt_plain_hash(struct crypt_device *ctx,
+ const char *hash_name,
+ char *key, size_t key_size,
+ const char *passphrase, size_t passphrase_size);
+int PLAIN_activate(struct crypt_device *cd,
+ const char *name,
+ struct volume_key *vk,
+ uint64_t size,
+ uint32_t flags);
+
+void *crypt_get_hdr(struct crypt_device *cd, const char *type);
+
+/**
+ * Different methods used to erase sensitive data concerning
+ * either encrypted payload area or master key inside keyslot
+ * area
+ */
+typedef enum {
+ CRYPT_WIPE_ZERO, /**< overwrite area using zero blocks */
+ CRYPT_WIPE_DISK, /**< erase disk (using Gutmann method if it is rotational disk)*/
+ CRYPT_WIPE_SSD, /**< erase solid state disk (random write) */
+ CRYPT_WIPE_RANDOM /**< overwrite area using some up to now unspecified
+ * random algorithm */
+} crypt_wipe_type;
+
+int crypt_wipe(struct device *device,
+ uint64_t offset,
+ uint64_t size,
+ crypt_wipe_type type,
+ int exclusive);
+
+
+#endif /* INTERNAL_H */
diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
new file mode 100644
index 0000000..d3c534f
--- /dev/null
+++ b/lib/libcryptsetup.h
@@ -0,0 +1,1145 @@
+/*
+ * libcryptsetup - cryptsetup library
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file libcryptsetup.h
+ * @brief Public cryptsetup API
+ *
+ * For more verbose examples of LUKS related use cases,
+ * please read @ref index "examples".
+ */
+
+#ifndef _LIBCRYPTSETUP_H
+#define _LIBCRYPTSETUP_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+struct crypt_device; /* crypt device handle */
+
+/**
+ * Initialize crypt device handle and check if provided device exists.
+ *
+ * @param cd Returns pointer to crypt device handle
+ * @param device Path to the backing device.
+ * If @e device is not a block device but a path to some file,
+ * the function will try to create a loopdevice and attach
+ * the file to the loopdevice with AUTOCLEAR flag set.
+ * If @e device is @e NULL function it will initialize dm backend only.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that logging is not initialized here, possible messages uses
+ * default log function.
+ */
+int crypt_init(struct crypt_device **cd, const char *device);
+
+/**
+ * Initialize crypt device handle from provided active device name,
+ * and, optionally, from separate metadata (header) device
+ * and check if provided device exists.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @param cd returns crypt device handle for active device
+ * @param name name of active crypt device
+ * @param header_device optional device containing on-disk header
+ * (@e NULL if it the same as underlying device on there is no on-disk header)
+ *
+ * @post In case @e device points to active LUKS device but header load fails,
+ * context device type is set to @e NULL and @e 0 is returned as if it were successful.
+ * Context with @e NULL device type can only be deactivated by crypt_deactivate
+ *
+ * @note @link crypt_init_by_name @endlink is equivalent to calling
+ * crypt_init_by_name_and_header(cd, name, NULL);
+ */
+int crypt_init_by_name_and_header(struct crypt_device **cd,
+ const char *name,
+ const char *header_device);
+
+/**
+ * This is equivalent to call
+ * @ref crypt_init_by_name_and_header "crypt_init_by_name_and_header(cd, name, NULL)"
+ *
+ * @sa crypt_init_by_name_and_header
+ */
+int crypt_init_by_name(struct crypt_device **cd, const char *name);
+
+/**
+ * @defgroup loglevel Cryptsetup logging
+ *
+ * Set of functions and defines used in cryptsetup for
+ * logging purposes
+ *
+ */
+
+/**
+ * @addtogroup loglevel
+ * @{
+ */
+
+/** normal log level */
+#define CRYPT_LOG_NORMAL 0
+/** error log level */
+#define CRYPT_LOG_ERROR 1
+/** verbose log level */
+#define CRYPT_LOG_VERBOSE 2
+/** debug log level - always on stdout */
+#define CRYPT_LOG_DEBUG -1
+
+/**
+ * Set log function.
+ *
+ * @param cd crypt device handle (can be @e NULL to set default log function)
+ * @param log user defined log function reference
+ * @param usrptr provided identification in callback
+ * @param level log level below (debug messages can uses other levels)
+ * @param msg log message
+ */
+void crypt_set_log_callback(struct crypt_device *cd,
+ void (*log)(int level, const char *msg, void *usrptr),
+ void *usrptr);
+
+/**
+ * Defines log function or use the default one otherwise.
+ *
+ * @see crypt_set_log_callback
+ *
+ * @param cd crypt device handle
+ * @param level log level
+ * @param msg log message
+ */
+void crypt_log(struct crypt_device *cd, int level, const char *msg);
+/** @} */
+
+/**
+ * Set confirmation callback (yes/no).
+ *
+ * If code need confirmation (like resetting uuid or restoring LUKS header from file)
+ * this function is called. If not defined, everything is confirmed.
+ *
+ * Callback function @e confirm should return @e 0 if operation is declined,
+ * other values mean accepted.
+ *
+ * @param cd crypt device handle
+ * @param confirm user defined confirm callback reference
+ * @param usrptr provided identification in callback
+ * @param msg Message for user to confirm
+ *
+ * @note Current version of cryptsetup API requires confirmation only when UUID is being changed
+ */
+void crypt_set_confirm_callback(struct crypt_device *cd,
+ int (*confirm)(const char *msg, void *usrptr),
+ void *usrptr);
+
+/**
+ * Set how long should cryptsetup iterate in PBKDF2 function.
+ * Default value heads towards the iterations which takes around 1 second.
+ *
+ * @param cd crypt device handle
+ * @param iteration_time_ms the time in ms
+ */
+void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms);
+
+/**
+ * Set data device
+ * For LUKS it is encrypted data device when LUKS header is separated.
+ * For VERITY it is data device when hash device is separated.
+ *
+ * @param cd crypt device handle
+ * @param device path to device
+ *
+ */
+int crypt_set_data_device(struct crypt_device *cd, const char *device);
+
+/**
+ * @defgroup rng Cryptsetup RNG
+ *
+ * @addtogroup rng
+ * @{
+ *
+ */
+
+/** CRYPT_RNG_URANDOM - use /dev/urandom */
+#define CRYPT_RNG_URANDOM 0
+/** CRYPT_RNG_RANDOM - use /dev/random (waits if no entropy in system) */
+#define CRYPT_RNG_RANDOM 1
+
+/**
+ * Set which RNG (random number generator) is used for generating long term key
+ *
+ * @param cd crypt device handle
+ * @param rng_type kernel random number generator to use
+ *
+ */
+void crypt_set_rng_type(struct crypt_device *cd, int rng_type);
+
+/**
+ * Get which RNG (random number generator) is used for generating long term key.
+ *
+ * @param cd crypt device handle
+ * @return RNG type on success or negative errno value otherwise.
+ *
+ */
+int crypt_get_rng_type(struct crypt_device *cd);
+
+/** @} */
+
+/**
+ * Helper to lock/unlock memory to avoid swap sensitive data to disk.
+ *
+ * @param cd crypt device handle, can be @e NULL
+ * @param lock 0 to unlock otherwise lock memory
+ *
+ * @returns Value indicating whether the memory is locked (function can be called multiple times).
+ *
+ * @note Only root can do this.
+ * @note It locks/unlocks all process memory, not only crypt context.
+ */
+int crypt_memory_lock(struct crypt_device *cd, int lock);
+
+/**
+ * @defgroup crypt_type Cryptsetup on-disk format types
+ *
+ * Set of functions, \#defines and structs related
+ * to on-disk format types
+ */
+
+/**
+ * @addtogroup crypt_type
+ * @{
+ */
+
+/** plain crypt device, no on-disk header */
+#define CRYPT_PLAIN "PLAIN"
+/** LUKS version 1 header on-disk */
+#define CRYPT_LUKS1 "LUKS1"
+/** loop-AES compatibility mode */
+#define CRYPT_LOOPAES "LOOPAES"
+/** dm-verity mode */
+#define CRYPT_VERITY "VERITY"
+/** TCRYPT (TrueCrypt-compatible and VeraCrypt-compatible) mode */
+#define CRYPT_TCRYPT "TCRYPT"
+
+/**
+ * Get device type
+ *
+ * @param cd crypt device handle
+ * @return string according to device type or @e NULL if not known.
+ */
+const char *crypt_get_type(struct crypt_device *cd);
+
+/**
+ *
+ * Structure used as parameter for PLAIN device type.
+ *
+ * @see crypt_format
+ */
+struct crypt_params_plain {
+ const char *hash; /**< password hash function */
+ uint64_t offset; /**< offset in sectors */
+ uint64_t skip; /**< IV offset / initialization sector */
+ uint64_t size; /**< size of mapped device or @e 0 for autodetection */
+};
+
+/**
+ * Structure used as parameter for LUKS device type.
+ *
+ * @see crypt_format, crypt_load
+ *
+ * @note during crypt_format @e data_device attribute determines
+ * if the LUKS header is separated from encrypted payload device
+ *
+ */
+struct crypt_params_luks1 {
+ const char *hash; /**< hash used in LUKS header */
+ size_t data_alignment; /**< data alignment in sectors, data offset is multiple of this */
+ const char *data_device; /**< detached encrypted data device or @e NULL */
+};
+
+/**
+ *
+ * Structure used as parameter for loop-AES device type.
+ *
+ * @see crypt_format
+ *
+ */
+struct crypt_params_loopaes {
+ const char *hash; /**< key hash function */
+ uint64_t offset; /**< offset in sectors */
+ uint64_t skip; /**< IV offset / initialization sector */
+};
+
+/**
+ *
+ * Structure used as parameter for dm-verity device type.
+ *
+ * @see crypt_format, crypt_load
+ *
+ */
+struct crypt_params_verity {
+ const char *hash_name; /**< hash function */
+ const char *data_device; /**< data_device (CRYPT_VERITY_CREATE_HASH) */
+ const char *hash_device; /**< hash_device (output only) */
+ const char *fec_device; /**< fec_device (output only) */
+ const char *salt; /**< salt */
+ uint32_t salt_size; /**< salt size (in bytes) */
+ uint32_t hash_type; /**< in-kernel hashing type */
+ uint32_t data_block_size; /**< data block size (in bytes) */
+ uint32_t hash_block_size; /**< hash block size (in bytes) */
+ uint64_t data_size; /**< data area size (in data blocks) */
+ uint64_t hash_area_offset; /**< hash/header offset (in bytes) */
+ uint64_t fec_area_offset; /**< FEC/header offset (in bytes) */
+ uint32_t fec_roots; /**< Reed-Solomon FEC roots */
+ uint32_t flags; /**< CRYPT_VERITY* flags */
+};
+
+/** No on-disk header (only hashes) */
+#define CRYPT_VERITY_NO_HEADER (1 << 0)
+/** Verity hash in userspace before activation */
+#define CRYPT_VERITY_CHECK_HASH (1 << 1)
+/** Create hash - format hash device */
+#define CRYPT_VERITY_CREATE_HASH (1 << 2)
+
+/**
+ *
+ * Structure used as parameter for TCRYPT device type.
+ *
+ * @see crypt_load
+ *
+ */
+struct crypt_params_tcrypt {
+ const char *passphrase; /**< passphrase to unlock header (input only) */
+ size_t passphrase_size; /**< passphrase size (input only, max length is 64) */
+ const char **keyfiles; /**< keyfile paths to unlock header (input only) */
+ unsigned int keyfiles_count;/**< keyfiles count (input only) */
+ const char *hash_name; /**< hash function for PBKDF */
+ const char *cipher; /**< cipher chain c1[-c2[-c3]] */
+ const char *mode; /**< cipher block mode */
+ size_t key_size; /**< key size in bytes (the whole chain) */
+ uint32_t flags; /**< CRYPT_TCRYPT* flags */
+ uint32_t veracrypt_pim; /**< VeraCrypt Personal Iteration Multiplier */
+};
+
+/** Include legacy modes when scanning for header */
+#define CRYPT_TCRYPT_LEGACY_MODES (1 << 0)
+/** Try to load hidden header (describing hidden device) */
+#define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1)
+/** Try to load backup header */
+#define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2)
+/** Device contains encrypted system (with boot loader) */
+#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3)
+/** Include VeraCrypt modes when scanning for header,
+ * all other TCRYPT flags applies as well.
+ * VeraCrypt device is reported as TCRYPT type.
+ */
+#define CRYPT_TCRYPT_VERA_MODES (1 << 4)
+
+/** @} */
+
+/**
+ * Create (format) new crypt device (and possible header on-disk) but do not activate it.
+ *
+ * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
+ *
+ * @param cd crypt device handle
+ * @param type type of device (optional params struct must be of this type)
+ * @param cipher (e.g. "aes")
+ * @param cipher_mode including IV specification (e.g. "xts-plain")
+ * @param uuid requested UUID or @e NULL if it should be generated
+ * @param volume_key pre-generated volume key or @e NULL if it should be generated (only for LUKS)
+ * @param volume_key_size size of volume key in bytes.
+ * @param params crypt type specific parameters (see @link crypt_type @endlink)
+ *
+ * @returns @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that crypt_format does not enable any keyslot (in case of work with LUKS device),
+ * but it stores volume key internally and subsequent crypt_keyslot_add_* calls can be used.
+ * @note For VERITY @link crypt_type @endlink, only uuid parameter is used, others paramaters
+ * are ignored and verity specific attributes are set through mandatory params option.
+ */
+int crypt_format(struct crypt_device *cd,
+ const char *type,
+ const char *cipher,
+ const char *cipher_mode,
+ const char *uuid,
+ const char *volume_key,
+ size_t volume_key_size,
+ void *params);
+
+/**
+ * Set new UUID for already existing device.
+ *
+ * @param cd crypt device handle
+ * @param uuid requested UUID or @e NULL if it should be generated
+ *
+ * @returns 0 on success or negative errno value otherwise.
+ *
+ * @note Currently, only LUKS device type are supported
+ */
+int crypt_set_uuid(struct crypt_device *cd,
+ const char *uuid);
+
+/**
+ * Load crypt device parameters from on-disk header.
+ *
+ * @param cd crypt device handle
+ * @param requested_type @link crypt_type @endlink or @e NULL for all known
+ * @param params crypt type specific parameters (see @link crypt_type @endlink)
+ *
+ * @returns 0 on success or negative errno value otherwise.
+ *
+ * @post In case LUKS header is read successfully but payload device is too small
+ * error is returned and device type in context is set to @e NULL
+ *
+ * @note Note that in current version load works only for LUKS and VERITY device type.
+ *
+ */
+int crypt_load(struct crypt_device *cd,
+ const char *requested_type,
+ void *params);
+
+/**
+ * Try to repair crypt device on-disk header if invalid.
+ *
+ * @param cd crypt device handle
+ * @param requested_type @link crypt_type @endlink or @e NULL for all known
+ * @param params crypt type specific parameters (see @link crypt_type @endlink)
+ *
+ * @returns 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_repair(struct crypt_device *cd,
+ const char *requested_type,
+ void *params);
+
+/**
+ * Resize crypt device.
+ *
+ * @param cd - crypt device handle
+ * @param name - name of device to resize
+ * @param new_size - new device size in sectors or @e 0 to use all of the underlying device size
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_resize(struct crypt_device *cd,
+ const char *name,
+ uint64_t new_size);
+
+/**
+ * Suspend crypt device.
+ *
+ * @param cd crypt device handle, can be @e NULL
+ * @param name name of device to suspend
+ *
+ * @return 0 on success or negative errno value otherwise.
+ *
+ * @note Only LUKS device type is supported
+ *
+ */
+int crypt_suspend(struct crypt_device *cd,
+ const char *name);
+
+/**
+ * Resume crypt device using passphrase.
+ *
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param keyslot requested keyslot or CRYPT_ANY_SLOT
+ * @param passphrase passphrase used to unlock volume key, @e NULL for query
+ * @param passphrase_size size of @e passphrase (binary data)
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ *
+ * @note Only LUKS device type is supported
+ */
+int crypt_resume_by_passphrase(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_size);
+
+/**
+ * Resume crypt device using key file.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param keyslot requested keyslot or CRYPT_ANY_SLOT
+ * @param keyfile key file used to unlock volume key, @e NULL for passphrase query
+ * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
+ * @param keyfile_offset number of bytes to skip at start of keyfile
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ */
+int crypt_resume_by_keyfile_offset(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset);
+/**
+ * Backward compatible crypt_resume_by_keyfile_offset() (without offset).
+ */
+int crypt_resume_by_keyfile(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size);
+
+/**
+ * Release crypt device context and used memory.
+ *
+ * @param cd crypt device handle
+ */
+void crypt_free(struct crypt_device *cd);
+
+/**
+ * @defgroup keyslot Cryptsetup LUKS keyslots
+ * @addtogroup keyslot
+ * @{
+ *
+ */
+
+/** iterate through all keyslots and find first one that fits */
+#define CRYPT_ANY_SLOT -1
+
+/**
+ * Add key slot using provided passphrase.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context
+ *
+ * @param cd crypt device handle
+ * @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
+ * @param passphrase passphrase used to unlock volume key, @e NULL for query
+ * @param passphrase_size size of passphrase (binary data)
+ * @param new_passphrase passphrase for new keyslot, @e NULL for query
+ * @param new_passphrase_size size of @e new_passphrase (binary data)
+ *
+ * @return allocated key slot number or negative errno otherwise.
+ */
+int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_size,
+ const char *new_passphrase,
+ size_t new_passphrase_size);
+
+/**
+ * Change defined key slot using provided passphrase.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context
+ *
+ * @param cd crypt device handle
+ * @param keyslot_old old keyslot or @e CRYPT_ANY_SLOT
+ * @param keyslot_new new keyslot (can be the same as old)
+ * @param passphrase passphrase used to unlock volume key, @e NULL for query
+ * @param passphrase_size size of passphrase (binary data)
+ * @param new_passphrase passphrase for new keyslot, @e NULL for query
+ * @param new_passphrase_size size of @e new_passphrase (binary data)
+ *
+ * @return allocated key slot number or negative errno otherwise.
+ *
+ * @note This function is just internal implementation of luksChange
+ * command to avoid reading of volume key outside libcryptsetup boundary
+ * in FIPS mode.
+ */
+int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
+ int keyslot_old,
+ int keyslot_new,
+ const char *passphrase,
+ size_t passphrase_size,
+ const char *new_passphrase,
+ size_t new_passphrase_size);
+
+/**
+* Add key slot using provided key file path.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context
+ *
+ * @param cd crypt device handle
+ * @param keyslot requested keyslot or @e CRYPT_ANY_SLOT
+ * @param keyfile key file used to unlock volume key, @e NULL for passphrase query
+ * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
+ * @param keyfile_offset number of bytes to skip at start of keyfile
+ * @param new_keyfile keyfile for new keyslot, @e NULL for passphrase query
+ * @param new_keyfile_size number of bytes to read from @e new_keyfile, @e 0 is unlimited
+ * @param new_keyfile_offset number of bytes to skip at start of new_keyfile
+ *
+ * @return allocated key slot number or negative errno otherwise.
+ */
+int crypt_keyslot_add_by_keyfile_offset(struct crypt_device *cd,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset,
+ const char *new_keyfile,
+ size_t new_keyfile_size,
+ size_t new_keyfile_offset);
+/**
+ * Backward compatible crypt_keyslot_add_by_keyfile_offset() (without offset).
+ */
+int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ const char *new_keyfile,
+ size_t new_keyfile_size);
+
+/**
+ * Add key slot using provided volume key.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context
+ *
+ * @param cd crypt device handle
+ * @param keyslot requested keyslot or CRYPT_ANY_SLOT
+ * @param volume_key provided volume key or @e NULL if used after crypt_format
+ * @param volume_key_size size of volume_key
+ * @param passphrase passphrase for new keyslot, @e NULL for query
+ * @param passphrase_size size of passphrase
+ *
+ * @return allocated key slot number or negative errno otherwise.
+ */
+int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
+ int keyslot,
+ const char *volume_key,
+ size_t volume_key_size,
+ const char *passphrase,
+ size_t passphrase_size);
+
+/**
+ * Destroy (and disable) key slot.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context
+ *
+ * @param cd crypt device handle
+ * @param keyslot requested key slot to destroy
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that there is no passphrase verification used.
+ */
+int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
+
+/** @} */
+
+/**
+ * @defgroup aflags Device runtime attributes
+ *
+ * Activation flags
+ *
+ * @addtogroup aflags
+ * @{
+ *
+ */
+/** device is read only */
+#define CRYPT_ACTIVATE_READONLY (1 << 0)
+/** only reported for device without uuid */
+#define CRYPT_ACTIVATE_NO_UUID (1 << 1)
+/** activate even if cannot grant exclusive access (DANGEROUS) */
+#define CRYPT_ACTIVATE_SHARED (1 << 2)
+/** enable discards aka TRIM */
+#define CRYPT_ACTIVATE_ALLOW_DISCARDS (1 << 3)
+/** skip global udev rules in activation ("private device"), input only */
+#define CRYPT_ACTIVATE_PRIVATE (1 << 4)
+/** corruption detected (verity), output only */
+#define CRYPT_ACTIVATE_CORRUPTED (1 << 5)
+/** use same_cpu_crypt option for dm-crypt */
+#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6)
+/** use submit_from_crypt_cpus for dm-crypt */
+#define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (1 << 7)
+/** dm-verity: ignore_corruption flag - ignore corruption, log it only */
+#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (1 << 8)
+/** dm-verity: restart_on_corruption flag - restart kernel on corruption */
+#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9)
+/** dm-verity: ignore_zero_blocks - do not verify zero blocks */
+#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10)
+
+
+/**
+ * Active device runtime attributes
+ */
+struct crypt_active_device {
+ uint64_t offset; /**< offset in sectors */
+ uint64_t iv_offset; /**< IV initialization sector */
+ uint64_t size; /**< active device size */
+ uint32_t flags; /**< activation flags */
+};
+
+/**
+ * Receive runtime attributes of active crypt device.
+ *
+ * @param cd crypt device handle (can be @e NULL)
+ * @param name name of active device
+ * @param cad preallocated active device attributes to fill
+ *
+ * @return @e 0 on success or negative errno value otherwise
+ *
+ */
+int crypt_get_active_device(struct crypt_device *cd,
+ const char *name,
+ struct crypt_active_device *cad);
+
+/** @} */
+
+/**
+ * Activate device or check passphrase.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check passphrase
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT
+ * @param passphrase passphrase used to unlock volume key, @e NULL for query
+ * @param passphrase_size size of @e passphrase
+ * @param flags activation flags
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ */
+int crypt_activate_by_passphrase(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_size,
+ uint32_t flags);
+
+/**
+ * Activate device or check using key file.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check keyfile
+ * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
+ * @param keyfile key file used to unlock volume key
+ * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
+ * @param keyfile_offset number of bytes to skip at start of keyfile
+ * @param flags activation flags
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ */
+int crypt_activate_by_keyfile_offset(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset,
+ uint32_t flags);
+/**
+ * Backward compatible crypt_activate_by_keyfile_offset() (without offset).
+ */
+int crypt_activate_by_keyfile(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ uint32_t flags);
+
+/**
+ * Activate device using provided volume key.
+ *
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check volume key
+ * @param volume_key provided volume key (or @e NULL to use internal)
+ * @param volume_key_size size of volume_key
+ * @param flags activation flags
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note If @e NULL is used for volume_key, device has to be initialized
+ * by previous operation (like @ref crypt_format
+ * or @ref crypt_init_by_name)
+ * @note For VERITY the volume key means root hash required for activation.
+ * Because kernel dm-verity is always read only, you have to provide
+ * CRYPT_ACTIVATE_READONLY flag always.
+ * @note For TCRYPT the volume key should be always NULL and because master
+ * key from decrypted header is used instead.
+ */
+int crypt_activate_by_volume_key(struct crypt_device *cd,
+ const char *name,
+ const char *volume_key,
+ size_t volume_key_size,
+ uint32_t flags);
+
+/**
+ * Deactivate crypt device. This function tries to remove active device-mapper
+ * mapping from kernel. Also, sensitive data like the volume key are removed from
+ * memory
+ *
+ * @param cd crypt device handle, can be @e NULL
+ * @param name name of device to deactivate
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_deactivate(struct crypt_device *cd, const char *name);
+
+/**
+ * Get volume key from crypt device.
+ *
+ * @param cd crypt device handle
+ * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
+ * @param volume_key buffer for volume key
+ * @param volume_key_size on input, size of buffer @e volume_key,
+ * on output size of @e volume_key
+ * @param passphrase passphrase used to unlock volume key
+ * @param passphrase_size size of @e passphrase
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ *
+ * @note For TCRYPT cipher chain is the volume key concatenated
+ * for all ciphers in chain.
+ */
+int crypt_volume_key_get(struct crypt_device *cd,
+ int keyslot,
+ char *volume_key,
+ size_t *volume_key_size,
+ const char *passphrase,
+ size_t passphrase_size);
+
+/**
+ * Verify that provided volume key is valid for crypt device.
+ *
+ * @param cd crypt device handle
+ * @param volume_key provided volume key
+ * @param volume_key_size size of @e volume_key
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_volume_key_verify(struct crypt_device *cd,
+ const char *volume_key,
+ size_t volume_key_size);
+
+/**
+ * @defgroup devstat Crypt and Verity device status
+ * @addtogroup devstat
+ * @{
+ */
+
+/**
+ * Device status
+ */
+typedef enum {
+ CRYPT_INVALID, /**< device mapping is invalid in this context */
+ CRYPT_INACTIVE, /**< no such mapped device */
+ CRYPT_ACTIVE, /**< device is active */
+ CRYPT_BUSY /**< device is active and has open count > 0 */
+} crypt_status_info;
+
+/**
+ * Get status info about device name.
+ *
+ * @param cd crypt device handle, can be @e NULL
+ * @param name crypt device name
+ *
+ * @return value defined by crypt_status_info.
+ *
+ */
+crypt_status_info crypt_status(struct crypt_device *cd, const char *name);
+
+/**
+ * Dump text-formatted information about crypt or verity device to log output.
+ *
+ * @param cd crypt device handle
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_dump(struct crypt_device *cd);
+
+/**
+ * Get cipher used in device.
+ *
+ * @param cd crypt device handle
+ *
+ * @return used cipher, e.g. "aes" or @e NULL otherwise
+ *
+ */
+const char *crypt_get_cipher(struct crypt_device *cd);
+
+/**
+ * Get cipher mode used in device.
+ *
+ * @param cd crypt device handle
+ *
+ * @return used cipher mode e.g. "xts-plain" or @e otherwise
+ *
+ */
+const char *crypt_get_cipher_mode(struct crypt_device *cd);
+
+/**
+ * Get device UUID.
+ *
+ * @param cd crypt device handle
+ *
+ * @return device UUID or @e NULL if not set
+ *
+ */
+const char *crypt_get_uuid(struct crypt_device *cd);
+
+/**
+ * Get path to underlaying device.
+ *
+ * @param cd crypt device handle
+ *
+ * @return path to underlaying device name
+ *
+ */
+const char *crypt_get_device_name(struct crypt_device *cd);
+
+/**
+ * Get device offset in sectors where real data starts (on underlying device).
+ *
+ * @param cd crypt device handle
+ *
+ * @return device offset in sectors
+ *
+ */
+uint64_t crypt_get_data_offset(struct crypt_device *cd);
+
+/**
+ * Get IV offset in sectors (skip).
+ *
+ * @param cd crypt device handle
+ *
+ * @return IV offset
+ *
+ */
+uint64_t crypt_get_iv_offset(struct crypt_device *cd);
+
+/**
+ * Get size (in bytes) of volume key for crypt device.
+ *
+ * @param cd crypt device handle
+ *
+ * @return volume key size
+ *
+ */
+int crypt_get_volume_key_size(struct crypt_device *cd);
+
+/**
+ * Get device parameters for VERITY device.
+ *
+ * @param cd crypt device handle
+ * @param vp verity device info
+ *
+ * @e 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_get_verity_info(struct crypt_device *cd,
+ struct crypt_params_verity *vp);
+/** @} */
+
+/**
+ * @defgroup benchmark Benchmarking
+ *
+ * Benchmarking of algorithms
+ *
+ * @addtogroup benchmark
+ * @{
+ *
+ */
+
+/**
+ * Informational benchmark for ciphers.
+ *
+ * @param cd crypt device handle
+ * @param cipher (e.g. "aes")
+ * @param cipher_mode (e.g. "xts"), IV generator is ignored
+ * @param volume_key_size size of volume key in bytes
+ * @param iv_size size of IV in bytes
+ * @param buffer_size size of encryption buffer in bytes used in test
+ * @param encryption_mbs measured encryption speed in MiB/s
+ * @param decryption_mbs measured decryption speed in MiB/s
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note If encryption_buffer_size is too small and encryption time
+ * cannot be properly measured, -ERANGE is returned.
+ */
+int crypt_benchmark(struct crypt_device *cd,
+ const char *cipher,
+ const char *cipher_mode,
+ size_t volume_key_size,
+ size_t iv_size,
+ size_t buffer_size,
+ double *encryption_mbs,
+ double *decryption_mbs);
+
+/**
+ * Informational benchmark for KDF.
+ *
+ * @param cd crypt device handle
+ * @param kdf Key derivation function (e.g. "pbkdf2")
+ * @param hash Hash algorithm used in KDF (e.g. "sha256")
+ * @param password password for benchmark
+ * @param password_size size of password
+ * @param salt salt for benchmark
+ * @param salt_size size of salt
+ * @param iterations_sec returns measured KDF iterations per second
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_benchmark_kdf(struct crypt_device *cd,
+ const char *kdf,
+ const char *hash,
+ const char *password,
+ size_t password_size,
+ const char *salt,
+ size_t salt_size,
+ uint64_t *iterations_sec);
+/** @} */
+
+/**
+ * @addtogroup keyslot
+ * @{
+ *
+ */
+
+/**
+ * Crypt keyslot info
+ */
+typedef enum {
+ CRYPT_SLOT_INVALID, /**< invalid keyslot */
+ CRYPT_SLOT_INACTIVE, /**< keyslot is inactive (free) */
+ CRYPT_SLOT_ACTIVE, /**< keyslot is active (used) */
+ CRYPT_SLOT_ACTIVE_LAST /**< keylost is active (used)
+ * and last used at the same time */
+} crypt_keyslot_info;
+
+/**
+ * Get information about particular key slot.
+ *
+ *
+ * @param cd crypt device handle
+ * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
+ *
+ * @return value defined by crypt_keyslot_info
+ *
+ */
+crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot);
+/** @} */
+
+/**
+ * Get number of keyslots supported for device type.
+ *
+ * @param type crypt device type
+ *
+ * @return slot count or negative errno otherwise if device
+ * doesn't not support keyslots.
+ */
+int crypt_keyslot_max(const char *type);
+
+/**
+ * Get keyslot area pointers (relative to metadata device).
+ *
+ * @param cd crypt device handle
+ * @param keyslot keyslot number
+ * @param offset offset on metadata device (in bytes)
+ * @param length length of keyslot area (in bytes)
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_keyslot_area(struct crypt_device *cd,
+ int keyslot,
+ uint64_t *offset,
+ uint64_t *length);
+
+/**
+ * Backup header and keyslots to file.
+ *
+ * @param cd crypt device handle
+ * @param requested_type @link crypt_type @endlink or @e NULL for all known
+ * @param backup_file file to backup header to
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_header_backup(struct crypt_device *cd,
+ const char *requested_type,
+ const char *backup_file);
+
+/**
+ * Restore header and keyslots from backup file.
+ *
+ *
+ * @param cd crypt device handle
+ * @param requested_type @link crypt_type @endlink or @e NULL for all known
+ * @param backup_file file to restore header from
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ */
+int crypt_header_restore(struct crypt_device *cd,
+ const char *requested_type,
+ const char *backup_file);
+
+/**
+ * Get directory where mapped crypt devices are created
+ *
+ * @return the directory path
+ */
+const char *crypt_get_dir(void);
+
+/**
+ * @defgroup dbg Library debug level
+ *
+ * Set library debug level
+ *
+ * @addtogroup dbg
+ * @{
+ */
+
+/** Debug all */
+#define CRYPT_DEBUG_ALL -1
+/** Debug none */
+#define CRYPT_DEBUG_NONE 0
+
+/**
+ * Set the debug level for library
+ *
+ * @param level debug level
+ *
+ */
+void crypt_set_debug_level(int level);
+
+/** @} */
+
+/**
+ * Read keyfile
+ *
+ */
+int crypt_keyfile_read(struct crypt_device *cd,
+ const char *keyfile,
+ char **key, size_t *key_size_read,
+ size_t keyfile_offset,
+ size_t keyfile_size_max,
+ uint32_t flags
+);
+/** No on-disk header (only hashes) */
+#define CRYPT_KEYFILE_STOP_EOL (1 << 0)
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _LIBCRYPTSETUP_H */
diff --git a/lib/libcryptsetup.pc.in b/lib/libcryptsetup.pc.in
new file mode 100644
index 0000000..f3d3fb1
--- /dev/null
+++ b/lib/libcryptsetup.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: cryptsetup
+Description: cryptsetup library
+Version: @LIBCRYPTSETUP_VERSION@
+Cflags: -I${includedir}
+Libs: -L${libdir} -lcryptsetup
diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym
new file mode 100644
index 0000000..3d0f78e
--- /dev/null
+++ b/lib/libcryptsetup.sym
@@ -0,0 +1,68 @@
+CRYPTSETUP_1.0 {
+ global:
+ crypt_init;
+ crypt_init_by_name;
+ crypt_init_by_name_and_header;
+ crypt_set_log_callback;
+ crypt_set_confirm_callback;
+ crypt_set_iteration_time;
+ crypt_set_uuid;
+ crypt_set_data_device;
+
+ crypt_memory_lock;
+ crypt_format;
+ crypt_load;
+ crypt_repair;
+ crypt_resize;
+ crypt_suspend;
+ crypt_resume_by_passphrase;
+ crypt_resume_by_keyfile;
+ crypt_resume_by_keyfile_offset;
+ crypt_free;
+
+ crypt_keyslot_add_by_passphrase;
+ crypt_keyslot_change_by_passphrase;
+ crypt_keyslot_add_by_keyfile;
+ crypt_keyslot_add_by_keyfile_offset;
+ crypt_keyslot_add_by_volume_key;
+ crypt_keyslot_destroy;
+ crypt_activate_by_passphrase;
+ crypt_activate_by_keyfile;
+ crypt_activate_by_keyfile_offset;
+ crypt_activate_by_volume_key;
+ crypt_deactivate;
+ crypt_volume_key_get;
+ crypt_volume_key_verify;
+ crypt_status;
+ crypt_dump;
+ crypt_benchmark;
+ crypt_benchmark_kdf;
+ crypt_get_cipher;
+ crypt_get_cipher_mode;
+ crypt_get_uuid;
+ crypt_get_data_offset;
+ crypt_get_iv_offset;
+ crypt_get_volume_key_size;
+ crypt_get_device_name;
+ crypt_get_verity_info;
+
+ crypt_get_type;
+ crypt_get_active_device;
+
+ crypt_set_rng_type;
+ crypt_get_rng_type;
+
+ crypt_keyslot_max;
+ crypt_keyslot_area;
+ crypt_keyslot_status;
+ crypt_get_dir;
+ crypt_set_debug_level;
+ crypt_log;
+
+ crypt_header_backup;
+ crypt_header_restore;
+
+ crypt_keyfile_read;
+ local:
+ *;
+};
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
new file mode 100644
index 0000000..d62e7e2
--- /dev/null
+++ b/lib/libdevmapper.c
@@ -0,0 +1,1344 @@
+/*
+ * libdevmapper - device-mapper backend for cryptsetup
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <dirent.h>
+#include <errno.h>
+#include <libdevmapper.h>
+#include <fcntl.h>
+#include <linux/fs.h>
+#include <uuid/uuid.h>
+#include <sys/stat.h>
+
+#include "internal.h"
+
+#define DM_UUID_LEN 129
+#define DM_UUID_PREFIX "CRYPT-"
+#define DM_UUID_PREFIX_LEN 6
+#define DM_CRYPT_TARGET "crypt"
+#define DM_VERITY_TARGET "verity"
+#define RETRY_COUNT 5
+
+/* Set if dm-crypt version was probed */
+static int _dm_crypt_checked = 0;
+static int _quiet_log = 0;
+static uint32_t _dm_crypt_flags = 0;
+
+static struct crypt_device *_context = NULL;
+static int _dm_use_count = 0;
+
+/* Check if we have DM flag to instruct kernel to force wipe buffers */
+#if !HAVE_DECL_DM_TASK_SECURE_DATA
+static int dm_task_secure_data(struct dm_task *dmt) { return 1; }
+#endif
+
+/* Compatibility for old device-mapper without udev support */
+#if HAVE_DECL_DM_UDEV_DISABLE_DISK_RULES_FLAG
+#define CRYPT_TEMP_UDEV_FLAGS DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG | \
+ DM_UDEV_DISABLE_DISK_RULES_FLAG | \
+ DM_UDEV_DISABLE_OTHER_RULES_FLAG
+#define _dm_task_set_cookie dm_task_set_cookie
+#define _dm_udev_wait dm_udev_wait
+#else
+#define CRYPT_TEMP_UDEV_FLAGS 0
+static int _dm_task_set_cookie(struct dm_task *dmt, uint32_t *cookie, uint16_t flags) { return 0; }
+static int _dm_udev_wait(uint32_t cookie) { return 0; };
+#endif
+
+static int _dm_use_udev(void)
+{
+#ifdef USE_UDEV /* cannot be enabled if devmapper is too old */
+ return dm_udev_get_sync_support();
+#else
+ return 0;
+#endif
+}
+
+__attribute__((format(printf, 4, 5)))
+static void set_dm_error(int level,
+ const char *file __attribute__((unused)),
+ int line __attribute__((unused)),
+ const char *f, ...)
+{
+ char *msg = NULL;
+ va_list va;
+
+ va_start(va, f);
+ if (vasprintf(&msg, f, va) > 0) {
+ if (level < 4 && !_quiet_log) {
+ log_err(_context, "%s", msg);
+ log_err(_context, "\n");
+ } else {
+ /* We do not use DM visual stack backtrace here */
+ if (strncmp(msg, "<backtrace>", 11))
+ log_dbg("%s", msg);
+ }
+ }
+ free(msg);
+ va_end(va);
+}
+
+static int _dm_simple(int task, const char *name, int udev_wait);
+
+static int _dm_satisfies_version(unsigned target_maj, unsigned target_min,
+ unsigned actual_maj, unsigned actual_min)
+{
+ if (actual_maj > target_maj)
+ return 1;
+
+ if (actual_maj == target_maj && actual_min >= target_min)
+ return 1;
+
+ return 0;
+}
+
+static void _dm_set_crypt_compat(const char *dm_version, unsigned crypt_maj,
+ unsigned crypt_min, unsigned crypt_patch)
+{
+ unsigned dm_maj, dm_min, dm_patch;
+
+ if (sscanf(dm_version, "%u.%u.%u", &dm_maj, &dm_min, &dm_patch) != 3)
+ dm_maj = dm_min = dm_patch = 0;
+
+ log_dbg("Detected dm-crypt version %i.%i.%i, dm-ioctl version %u.%u.%u.",
+ crypt_maj, crypt_min, crypt_patch, dm_maj, dm_min, dm_patch);
+
+ if (_dm_satisfies_version(1, 2, crypt_maj, crypt_min))
+ _dm_crypt_flags |= DM_KEY_WIPE_SUPPORTED;
+ else
+ log_dbg("Suspend and resume disabled, no wipe key support.");
+
+ if (_dm_satisfies_version(1, 10, crypt_maj, crypt_min))
+ _dm_crypt_flags |= DM_LMK_SUPPORTED;
+
+ if (_dm_satisfies_version(4, 20, dm_maj, dm_min))
+ _dm_crypt_flags |= DM_SECURE_SUPPORTED;
+
+ /* not perfect, 2.6.33 supports with 1.7.0 */
+ if (_dm_satisfies_version(1, 8, crypt_maj, crypt_min))
+ _dm_crypt_flags |= DM_PLAIN64_SUPPORTED;
+
+ if (_dm_satisfies_version(1, 11, crypt_maj, crypt_min))
+ _dm_crypt_flags |= DM_DISCARDS_SUPPORTED;
+
+ if (_dm_satisfies_version(1, 13, crypt_maj, crypt_min))
+ _dm_crypt_flags |= DM_TCW_SUPPORTED;
+
+ if (_dm_satisfies_version(1, 14, crypt_maj, crypt_min)) {
+ _dm_crypt_flags |= DM_SAME_CPU_CRYPT_SUPPORTED;
+ _dm_crypt_flags |= DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED;
+ }
+
+ /* Repeat test if dm-crypt is not present */
+ if (crypt_maj > 0)
+ _dm_crypt_checked = 1;
+}
+
+static void _dm_set_verity_compat(const char *dm_version, unsigned verity_maj,
+ unsigned verity_min, unsigned verity_patch)
+{
+ if (verity_maj > 0)
+ _dm_crypt_flags |= DM_VERITY_SUPPORTED;
+ else
+ return;
+ /*
+ * ignore_corruption, restart_on corruption is available since 1.2 (kernel 4.1)
+ * ignore_zero_blocks since 1.3 (kernel 4.5)
+ * (but some dm-verity targets 1.2 don't support it)
+ * FEC is added in 1.3 as well.
+ */
+ if (_dm_satisfies_version(1, 3, verity_maj, verity_min)) {
+ _dm_crypt_flags |= DM_VERITY_ON_CORRUPTION_SUPPORTED;
+ _dm_crypt_flags |= DM_VERITY_FEC_SUPPORTED;
+ }
+
+ log_dbg("Detected dm-verity version %i.%i.%i.",
+ verity_maj, verity_min, verity_patch);
+}
+
+static int _dm_check_versions(void)
+{
+ struct dm_task *dmt;
+ struct dm_versions *target, *last_target;
+ char dm_version[16];
+ int r = 0;
+
+ if (_dm_crypt_checked)
+ return 1;
+
+ /* Shut up DM while checking */
+ _quiet_log = 1;
+
+ /* FIXME: add support to DM so it forces crypt target module load here */
+ if (!(dmt = dm_task_create(DM_DEVICE_LIST_VERSIONS)))
+ goto out;
+
+ if (!dm_task_run(dmt))
+ goto out;
+
+ if (!dm_task_get_driver_version(dmt, dm_version, sizeof(dm_version)))
+ goto out;
+
+ target = dm_task_get_versions(dmt);
+ do {
+ last_target = target;
+ if (!strcmp(DM_CRYPT_TARGET, target->name)) {
+ _dm_set_crypt_compat(dm_version,
+ (unsigned)target->version[0],
+ (unsigned)target->version[1],
+ (unsigned)target->version[2]);
+ } else if (!strcmp(DM_VERITY_TARGET, target->name)) {
+ _dm_set_verity_compat(dm_version,
+ (unsigned)target->version[0],
+ (unsigned)target->version[1],
+ (unsigned)target->version[2]);
+ }
+ target = (struct dm_versions *)((char *) target + target->next);
+ } while (last_target != target);
+
+ r = 1;
+ log_dbg("Device-mapper backend running with UDEV support %sabled.",
+ _dm_use_udev() ? "en" : "dis");
+out:
+ if (dmt)
+ dm_task_destroy(dmt);
+
+ _quiet_log = 0;
+ return r;
+}
+
+uint32_t dm_flags(void)
+{
+ _dm_check_versions();
+ return _dm_crypt_flags;
+}
+
+/* This doesn't run any kernel checks, just set up userspace libdevmapper */
+void dm_backend_init(void)
+{
+ if (!_dm_use_count++) {
+ log_dbg("Initialising device-mapper backend library.");
+ dm_log_init(set_dm_error);
+ dm_log_init_verbose(10);
+ }
+}
+
+void dm_backend_exit(void)
+{
+ if (_dm_use_count && (!--_dm_use_count)) {
+ log_dbg("Releasing device-mapper backend.");
+ dm_log_init_verbose(0);
+ dm_log_init(NULL);
+ dm_lib_release();
+ }
+}
+
+/*
+ * libdevmapper is not context friendly, switch context on every DM call.
+ * FIXME: this is not safe if called in parallel but neither is DM lib.
+ */
+static int dm_init_context(struct crypt_device *cd)
+{
+ _context = cd;
+ if (!_dm_check_versions()) {
+ if (getuid() || geteuid())
+ log_err(cd, _("Cannot initialize device-mapper, "
+ "running as non-root user.\n"));
+ else
+ log_err(cd, _("Cannot initialize device-mapper. "
+ "Is dm_mod kernel module loaded?\n"));
+ _context = NULL;
+ return -ENOTSUP;
+ }
+ return 0;
+}
+static void dm_exit_context(void)
+{
+ _context = NULL;
+}
+
+/* Return path to DM device */
+char *dm_device_path(const char *prefix, int major, int minor)
+{
+ struct dm_task *dmt;
+ const char *name;
+ char path[PATH_MAX];
+
+ if (!(dmt = dm_task_create(DM_DEVICE_STATUS)))
+ return NULL;
+ if (!dm_task_set_minor(dmt, minor) ||
+ !dm_task_set_major(dmt, major) ||
+ !dm_task_run(dmt) ||
+ !(name = dm_task_get_name(dmt))) {
+ dm_task_destroy(dmt);
+ return NULL;
+ }
+
+ if (snprintf(path, sizeof(path), "%s%s", prefix ?: "", name) < 0)
+ path[0] = '\0';
+
+ dm_task_destroy(dmt);
+
+ return strdup(path);
+}
+
+static void hex_key(char *hexkey, size_t key_size, const char *key)
+{
+ unsigned i;
+
+ for(i = 0; i < key_size; i++)
+ sprintf(&hexkey[i * 2], "%02x", (unsigned char)key[i]);
+}
+
+/* https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt */
+static char *get_dm_crypt_params(struct crypt_dm_active_device *dmd, uint32_t flags)
+{
+ int r, max_size, null_cipher = 0, num_options = 0;
+ char *params, *hexkey;
+ char features[256];
+
+ if (!dmd)
+ return NULL;
+
+ if (flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
+ num_options++;
+ if (flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT)
+ num_options++;
+ if (flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)
+ num_options++;
+
+ if (num_options)
+ snprintf(features, sizeof(features)-1, " %d%s%s%s", num_options,
+ (flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? " allow_discards" : "",
+ (flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? " same_cpu_crypt" : "",
+ (flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? " submit_from_crypt_cpus" : "");
+ else
+ *features = '\0';
+
+ if (!strncmp(dmd->u.crypt.cipher, "cipher_null-", 12))
+ null_cipher = 1;
+
+ hexkey = crypt_safe_alloc(null_cipher ? 2 : (dmd->u.crypt.vk->keylength * 2 + 1));
+ if (!hexkey)
+ return NULL;
+
+ if (null_cipher)
+ strncpy(hexkey, "-", 2);
+ else
+ hex_key(hexkey, dmd->u.crypt.vk->keylength, dmd->u.crypt.vk->key);
+
+ max_size = strlen(hexkey) + strlen(dmd->u.crypt.cipher) +
+ strlen(device_block_path(dmd->data_device)) +
+ strlen(features) + 64;
+ params = crypt_safe_alloc(max_size);
+ if (!params)
+ goto out;
+
+ r = snprintf(params, max_size, "%s %s %" PRIu64 " %s %" PRIu64 "%s",
+ dmd->u.crypt.cipher, hexkey, dmd->u.crypt.iv_offset,
+ device_block_path(dmd->data_device), dmd->u.crypt.offset,
+ features);
+ if (r < 0 || r >= max_size) {
+ crypt_safe_free(params);
+ params = NULL;
+ }
+out:
+ crypt_safe_free(hexkey);
+ return params;
+}
+
+/* https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity */
+static char *get_dm_verity_params(struct crypt_params_verity *vp,
+ struct crypt_dm_active_device *dmd, uint32_t flags)
+{
+ int max_size, r, num_options = 0;
+ char *params = NULL, *hexroot = NULL, *hexsalt = NULL;
+ char features[256], fec_features[256];
+
+ if (!vp || !dmd)
+ return NULL;
+
+ /* These flags are not compatible */
+ if ((flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) &&
+ (flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION))
+ flags &= ~CRYPT_ACTIVATE_IGNORE_CORRUPTION;
+
+ if (flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION)
+ num_options++;
+ if (flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION)
+ num_options++;
+ if (flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS)
+ num_options++;
+
+ if (dmd->u.verity.fec_device) {
+ num_options += 8;
+ snprintf(fec_features, sizeof(fec_features)-1,
+ " use_fec_from_device %s fec_start %" PRIu64 " fec_blocks %" PRIu64 " fec_roots %" PRIu32,
+ device_block_path(dmd->u.verity.fec_device), dmd->u.verity.fec_offset,
+ vp->data_size + dmd->u.verity.hash_blocks, vp->fec_roots);
+ } else
+ *fec_features = '\0';
+
+ if (num_options)
+ snprintf(features, sizeof(features)-1, " %d%s%s%s", num_options,
+ (flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
+ (flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "",
+ (flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "");
+ else
+ *features = '\0';
+
+ hexroot = crypt_safe_alloc(dmd->u.verity.root_hash_size * 2 + 1);
+ if (!hexroot)
+ goto out;
+ hex_key(hexroot, dmd->u.verity.root_hash_size, dmd->u.verity.root_hash);
+
+ hexsalt = crypt_safe_alloc(vp->salt_size ? vp->salt_size * 2 + 1 : 2);
+ if (!hexsalt)
+ goto out;
+ if (vp->salt_size)
+ hex_key(hexsalt, vp->salt_size, vp->salt);
+ else
+ strncpy(hexsalt, "-", 2);
+
+ max_size = strlen(hexroot) + strlen(hexsalt) +
+ strlen(device_block_path(dmd->data_device)) +
+ strlen(device_block_path(dmd->u.verity.hash_device)) +
+ strlen(vp->hash_name) + strlen(features) + strlen(fec_features) + 128;
+
+ params = crypt_safe_alloc(max_size);
+ if (!params)
+ goto out;
+
+ r = snprintf(params, max_size,
+ "%u %s %s %u %u %" PRIu64 " %" PRIu64 " %s %s %s%s%s",
+ vp->hash_type, device_block_path(dmd->data_device),
+ device_block_path(dmd->u.verity.hash_device),
+ vp->data_block_size, vp->hash_block_size,
+ vp->data_size, dmd->u.verity.hash_offset,
+ vp->hash_name, hexroot, hexsalt, features, fec_features);
+ if (r < 0 || r >= max_size) {
+ crypt_safe_free(params);
+ params = NULL;
+ }
+out:
+ crypt_safe_free(hexroot);
+ crypt_safe_free(hexsalt);
+ return params;
+
+}
+
+/* DM helpers */
+static int _dm_simple(int task, const char *name, int udev_wait)
+{
+ int r = 0;
+ struct dm_task *dmt;
+ uint32_t cookie = 0;
+
+ if (!_dm_use_udev())
+ udev_wait = 0;
+
+ if (!(dmt = dm_task_create(task)))
+ return 0;
+
+ if (name && !dm_task_set_name(dmt, name))
+ goto out;
+
+#if HAVE_DECL_DM_TASK_RETRY_REMOVE
+ /* Used only in DM_DEVICE_REMOVE */
+ if (name && !dm_task_retry_remove(dmt))
+ goto out;
+#endif
+ if (udev_wait && !_dm_task_set_cookie(dmt, &cookie, 0))
+ goto out;
+
+ r = dm_task_run(dmt);
+
+ if (udev_wait)
+ (void)_dm_udev_wait(cookie);
+
+out:
+ dm_task_destroy(dmt);
+ return r;
+}
+
+static int _error_device(const char *name, size_t size)
+{
+ struct dm_task *dmt;
+ int r = 0;
+
+ if (!(dmt = dm_task_create(DM_DEVICE_RELOAD)))
+ return 0;
+
+ if (!dm_task_set_name(dmt, name))
+ goto error;
+
+ if (!dm_task_add_target(dmt, UINT64_C(0), size, "error", ""))
+ goto error;
+
+ if (!dm_task_set_ro(dmt))
+ goto error;
+
+ if (!dm_task_no_open_count(dmt))
+ goto error;
+
+ if (!dm_task_run(dmt))
+ goto error;
+
+ if (!_dm_simple(DM_DEVICE_RESUME, name, 1)) {
+ _dm_simple(DM_DEVICE_CLEAR, name, 0);
+ goto error;
+ }
+
+ r = 1;
+
+error:
+ dm_task_destroy(dmt);
+ return r;
+}
+
+int dm_remove_device(struct crypt_device *cd, const char *name,
+ int force, uint64_t size)
+{
+ int r = -EINVAL;
+ int retries = force ? RETRY_COUNT : 1;
+ int error_target = 0;
+
+ if (!name || (force && !size))
+ return -EINVAL;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
+ do {
+ r = _dm_simple(DM_DEVICE_REMOVE, name, 1) ? 0 : -EINVAL;
+ if (--retries && r) {
+ log_dbg("WARNING: other process locked internal device %s, %s.",
+ name, retries ? "retrying remove" : "giving up");
+ sleep(1);
+ if (force && !error_target) {
+ /* If force flag is set, replace device with error, read-only target.
+ * it should stop processes from reading it and also removed underlying
+ * device from mapping, so it is usable again.
+ * Force flag should be used only for temporary devices, which are
+ * intended to work inside cryptsetup only!
+ * Anyway, if some process try to read temporary cryptsetup device,
+ * it is bug - no other process should try touch it (e.g. udev).
+ */
+ _error_device(name, size);
+ error_target = 1;
+ }
+ }
+ } while (r == -EINVAL && retries);
+
+ dm_task_update_nodes();
+ dm_exit_context();
+
+ return r;
+}
+
+#define UUID_LEN 37 /* 36 + \0, libuuid ... */
+/*
+ * UUID has format: CRYPT-<devicetype>-[<uuid>-]<device name>
+ * CRYPT-PLAIN-name
+ * CRYPT-LUKS1-00000000000000000000000000000000-name
+ * CRYPT-TEMP-name
+ */
+static int dm_prepare_uuid(const char *name, const char *type, const char *uuid, char *buf, size_t buflen)
+{
+ char *ptr, uuid2[UUID_LEN] = {0};
+ uuid_t uu;
+ unsigned i = 0;
+
+ /* Remove '-' chars */
+ if (uuid) {
+ if (uuid_parse(uuid, uu) < 0) {
+ log_dbg("Requested UUID %s has invalid format.", uuid);
+ return 0;
+ }
+
+ for (ptr = uuid2, i = 0; i < UUID_LEN; i++)
+ if (uuid[i] != '-') {
+ *ptr = uuid[i];
+ ptr++;
+ }
+ }
+
+ i = snprintf(buf, buflen, DM_UUID_PREFIX "%s%s%s%s%s",
+ type ?: "", type ? "-" : "",
+ uuid2[0] ? uuid2 : "", uuid2[0] ? "-" : "",
+ name);
+
+ log_dbg("DM-UUID is %s", buf);
+ if (i >= buflen)
+ log_err(NULL, _("DM-UUID for device %s was truncated.\n"), name);
+
+ return 1;
+}
+
+static int _dm_create_device(const char *name, const char *type,
+ struct device *device, uint32_t flags,
+ const char *uuid, uint64_t size,
+ char *params, int reload)
+{
+ struct dm_task *dmt = NULL;
+ struct dm_info dmi;
+ char dev_uuid[DM_UUID_LEN] = {0};
+ int r = -EINVAL;
+ uint32_t read_ahead = 0;
+ uint32_t cookie = 0;
+ uint16_t udev_flags = 0;
+
+ if (!params)
+ return -EINVAL;
+
+ if (flags & CRYPT_ACTIVATE_PRIVATE)
+ udev_flags = CRYPT_TEMP_UDEV_FLAGS;
+
+ /* All devices must have DM_UUID, only resize on old device is exception */
+ if (reload) {
+ if (!(dmt = dm_task_create(DM_DEVICE_RELOAD)))
+ goto out_no_removal;
+
+ if (!dm_task_set_name(dmt, name))
+ goto out_no_removal;
+ } else {
+ if (!dm_prepare_uuid(name, type, uuid, dev_uuid, sizeof(dev_uuid)))
+ goto out_no_removal;
+
+ if (!(dmt = dm_task_create(DM_DEVICE_CREATE)))
+ goto out_no_removal;
+
+ if (!dm_task_set_name(dmt, name))
+ goto out_no_removal;
+
+ if (!dm_task_set_uuid(dmt, dev_uuid))
+ goto out_no_removal;
+ }
+
+ if ((dm_flags() & DM_SECURE_SUPPORTED) && !dm_task_secure_data(dmt))
+ goto out_no_removal;
+ if ((flags & CRYPT_ACTIVATE_READONLY) && !dm_task_set_ro(dmt))
+ goto out_no_removal;
+
+ if (!dm_task_add_target(dmt, 0, size,
+ !strcmp("VERITY", type) ? DM_VERITY_TARGET : DM_CRYPT_TARGET, params))
+ goto out_no_removal;
+
+#ifdef DM_READ_AHEAD_MINIMUM_FLAG
+ if (device_read_ahead(device, &read_ahead) &&
+ !dm_task_set_read_ahead(dmt, read_ahead, DM_READ_AHEAD_MINIMUM_FLAG))
+ goto out_no_removal;
+#endif
+ /* do not set cookie for DM_DEVICE_RELOAD task */
+ if (!reload && _dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
+ goto out_no_removal;
+
+ if (!dm_task_run(dmt))
+ goto out_no_removal;
+
+ if (reload) {
+ dm_task_destroy(dmt);
+ if (!(dmt = dm_task_create(DM_DEVICE_RESUME)))
+ goto out;
+ if (!dm_task_set_name(dmt, name))
+ goto out;
+ if (uuid && !dm_task_set_uuid(dmt, dev_uuid))
+ goto out;
+ if (_dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
+ goto out;
+ if (!dm_task_run(dmt))
+ goto out;
+ }
+
+ if (!dm_task_get_info(dmt, &dmi))
+ goto out;
+
+ r = 0;
+out:
+ if (_dm_use_udev()) {
+ (void)_dm_udev_wait(cookie);
+ cookie = 0;
+ }
+
+ if (r < 0 && !reload)
+ _dm_simple(DM_DEVICE_REMOVE, name, 1);
+
+out_no_removal:
+ if (cookie && _dm_use_udev())
+ (void)_dm_udev_wait(cookie);
+
+ if (dmt)
+ dm_task_destroy(dmt);
+
+ dm_task_update_nodes();
+
+ /* If code just loaded target module, update versions */
+ _dm_check_versions();
+
+ return r;
+}
+
+int dm_create_device(struct crypt_device *cd, const char *name,
+ const char *type,
+ struct crypt_dm_active_device *dmd,
+ int reload)
+{
+ char *table_params = NULL;
+ uint32_t dmd_flags;
+ int r;
+
+ if (!type)
+ return -EINVAL;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
+ dmd_flags = dmd->flags;
+
+ if (dmd->target == DM_CRYPT)
+ table_params = get_dm_crypt_params(dmd, dmd_flags);
+ else if (dmd->target == DM_VERITY)
+ table_params = get_dm_verity_params(dmd->u.verity.vp, dmd, dmd_flags);
+
+ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
+ dmd->uuid, dmd->size, table_params, reload);
+
+ /* If discard not supported try to load without discard */
+ if (!reload && r && dmd->target == DM_CRYPT &&
+ (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) &&
+ !(dm_flags() & DM_DISCARDS_SUPPORTED)) {
+ log_dbg("Discard/TRIM is not supported, retrying activation.");
+ dmd_flags = dmd_flags & ~CRYPT_ACTIVATE_ALLOW_DISCARDS;
+ crypt_safe_free(table_params);
+ table_params = get_dm_crypt_params(dmd, dmd_flags);
+ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
+ dmd->uuid, dmd->size, table_params, reload);
+ }
+
+ if (r == -EINVAL &&
+ dmd_flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) &&
+ !(dm_flags() & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED)))
+ log_err(cd, _("Requested dm-crypt performance options are not supported.\n"));
+
+ if (r == -EINVAL && dmd_flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
+ CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
+ CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) &&
+ !(dm_flags() & DM_VERITY_ON_CORRUPTION_SUPPORTED))
+ log_err(cd, _("Requested dm-verity data corruption handling options are not supported.\n"));
+
+ if (r == -EINVAL && dmd->target == DM_VERITY && dmd->u.verity.fec_device &&
+ !(dm_flags() & DM_VERITY_FEC_SUPPORTED))
+ log_err(cd, _("Requested dm-verity FEC options are not supported.\n"));
+
+ crypt_safe_free(table_params);
+ dm_exit_context();
+ return r;
+}
+
+static int dm_status_dmi(const char *name, struct dm_info *dmi,
+ const char *target, char **status_line)
+{
+ struct dm_task *dmt;
+ uint64_t start, length;
+ char *target_type, *params = NULL;
+ void *next = NULL;
+ int r = -EINVAL;
+
+ if (!(dmt = dm_task_create(DM_DEVICE_STATUS)))
+ goto out;
+
+ if (!dm_task_set_name(dmt, name))
+ goto out;
+
+ if (!dm_task_run(dmt))
+ goto out;
+
+ if (!dm_task_get_info(dmt, dmi))
+ goto out;
+
+ if (!dmi->exists) {
+ r = -ENODEV;
+ goto out;
+ }
+
+ next = dm_get_next_target(dmt, next, &start, &length,
+ &target_type, ¶ms);
+
+ if (!target_type || start != 0 || next)
+ goto out;
+
+ if (target && strcmp(target_type, target))
+ goto out;
+
+ /* for target == NULL check all supported */
+ if (!target && (strcmp(target_type, DM_CRYPT_TARGET) &&
+ strcmp(target_type, DM_VERITY_TARGET)))
+ goto out;
+ r = 0;
+out:
+ if (!r && status_line && !(*status_line = strdup(params)))
+ r = -ENOMEM;
+
+ if (dmt)
+ dm_task_destroy(dmt);
+
+ return r;
+}
+
+int dm_status_device(struct crypt_device *cd, const char *name)
+{
+ int r;
+ struct dm_info dmi;
+ struct stat st;
+
+ /* libdevmapper is too clever and handles
+ * path argument differenly with error.
+ * Fail early here if parameter is non-existent path.
+ */
+ if (strchr(name, '/') && stat(name, &st) < 0)
+ return -ENODEV;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+ r = dm_status_dmi(name, &dmi, NULL, NULL);
+ dm_exit_context();
+ if (r < 0)
+ return r;
+
+ return (dmi.open_count > 0);
+}
+
+int dm_status_suspended(struct crypt_device *cd, const char *name)
+{
+ int r;
+ struct dm_info dmi;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+ r = dm_status_dmi(name, &dmi, DM_CRYPT_TARGET, NULL);
+ dm_exit_context();
+ if (r < 0)
+ return r;
+
+ return dmi.suspended ? 1 : 0;
+}
+
+static int _dm_status_verity_ok(const char *name)
+{
+ int r;
+ struct dm_info dmi;
+ char *status_line = NULL;
+
+ r = dm_status_dmi(name, &dmi, DM_VERITY_TARGET, &status_line);
+ if (r < 0 || !status_line) {
+ free(status_line);
+ return r;
+ }
+
+ log_dbg("Verity volume %s status is %s.", name, status_line ?: "");
+ r = status_line[0] == 'V' ? 1 : 0;
+ free(status_line);
+
+ return r;
+}
+
+int dm_status_verity_ok(struct crypt_device *cd, const char *name)
+{
+ int r;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+ r = _dm_status_verity_ok(name);
+ dm_exit_context();
+ return r;
+}
+
+/* FIXME use hex wrapper, user val wrappers for line parsing */
+static int _dm_query_crypt(uint32_t get_flags,
+ struct dm_info *dmi,
+ char *params,
+ struct crypt_dm_active_device *dmd)
+{
+ uint64_t val64;
+ char *rcipher, *key_, *rdevice, *endp, buffer[3], *arg;
+ unsigned int i;
+ int r;
+
+ memset(dmd, 0, sizeof(*dmd));
+ dmd->target = DM_CRYPT;
+
+ rcipher = strsep(¶ms, " ");
+ /* cipher */
+ if (get_flags & DM_ACTIVE_CRYPT_CIPHER)
+ dmd->u.crypt.cipher = strdup(rcipher);
+
+ /* skip */
+ key_ = strsep(¶ms, " ");
+ if (!params)
+ return -EINVAL;
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ params++;
+
+ dmd->u.crypt.iv_offset = val64;
+
+ /* device */
+ rdevice = strsep(¶ms, " ");
+ if (get_flags & DM_ACTIVE_DEVICE) {
+ arg = crypt_lookup_dev(rdevice);
+ r = device_alloc(&dmd->data_device, arg);
+ free(arg);
+ if (r < 0 && r != -ENOTBLK)
+ return r;
+ }
+
+ /*offset */
+ if (!params)
+ return -EINVAL;
+ val64 = strtoull(params, ¶ms, 10);
+ dmd->u.crypt.offset = val64;
+
+ /* Features section, available since crypt target version 1.11 */
+ if (*params) {
+ if (*params != ' ')
+ return -EINVAL;
+ params++;
+
+ /* Number of arguments */
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ params++;
+
+ for (i = 0; i < val64; i++) {
+ if (!params)
+ return -EINVAL;
+ arg = strsep(¶ms, " ");
+ if (!strcasecmp(arg, "allow_discards"))
+ dmd->flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
+ else if (!strcasecmp(arg, "same_cpu_crypt"))
+ dmd->flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
+ else if (!strcasecmp(arg, "submit_from_crypt_cpus"))
+ dmd->flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
+ else /* unknown option */
+ return -EINVAL;
+ }
+
+ /* All parameters should be processed */
+ if (params)
+ return -EINVAL;
+ }
+
+ /* Never allow to return empty key */
+ if ((get_flags & DM_ACTIVE_CRYPT_KEY) && dmi->suspended) {
+ log_dbg("Cannot read volume key while suspended.");
+ return -EINVAL;
+ }
+
+ if (get_flags & DM_ACTIVE_CRYPT_KEYSIZE) {
+ dmd->u.crypt.vk = crypt_alloc_volume_key(strlen(key_) / 2, NULL);
+ if (!dmd->u.crypt.vk)
+ return -ENOMEM;
+
+ if (get_flags & DM_ACTIVE_CRYPT_KEY) {
+ buffer[2] = '\0';
+ for(i = 0; i < dmd->u.crypt.vk->keylength; i++) {
+ memcpy(buffer, &key_[i * 2], 2);
+ dmd->u.crypt.vk->key[i] = strtoul(buffer, &endp, 16);
+ if (endp != &buffer[2]) {
+ crypt_free_volume_key(dmd->u.crypt.vk);
+ dmd->u.crypt.vk = NULL;
+ return -EINVAL;
+ }
+ }
+ }
+ }
+ memset(key_, 0, strlen(key_));
+
+ return 0;
+}
+
+static int _dm_query_verity(uint32_t get_flags,
+ struct dm_info *dmi,
+ char *params,
+ struct crypt_dm_active_device *dmd)
+{
+ struct crypt_params_verity *vp = NULL;
+ uint32_t val32;
+ uint64_t val64;
+ ssize_t len;
+ char *str, *str2, *arg;
+ unsigned int i, features;
+ int r;
+
+ if (get_flags & DM_ACTIVE_VERITY_PARAMS)
+ vp = dmd->u.verity.vp;
+
+ memset(dmd, 0, sizeof(*dmd));
+
+ dmd->target = DM_VERITY;
+ dmd->u.verity.vp = vp;
+
+ /* version */
+ val32 = strtoul(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ if (vp)
+ vp->hash_type = val32;
+ params++;
+
+ /* data device */
+ str = strsep(¶ms, " ");
+ if (!params)
+ return -EINVAL;
+ if (get_flags & DM_ACTIVE_DEVICE) {
+ str2 = crypt_lookup_dev(str);
+ r = device_alloc(&dmd->data_device, str2);
+ free(str2);
+ if (r < 0 && r != -ENOTBLK)
+ return r;
+ }
+
+ /* hash device */
+ str = strsep(¶ms, " ");
+ if (!params)
+ return -EINVAL;
+ if (get_flags & DM_ACTIVE_VERITY_HASH_DEVICE) {
+ str2 = crypt_lookup_dev(str);
+ r = device_alloc(&dmd->u.verity.hash_device, str2);
+ free(str2);
+ if (r < 0 && r != -ENOTBLK)
+ return r;
+ }
+
+ /* data block size*/
+ val32 = strtoul(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ if (vp)
+ vp->data_block_size = val32;
+ params++;
+
+ /* hash block size */
+ val32 = strtoul(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ if (vp)
+ vp->hash_block_size = val32;
+ params++;
+
+ /* data blocks */
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ if (vp)
+ vp->data_size = val64;
+ params++;
+
+ /* hash start */
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ dmd->u.verity.hash_offset = val64;
+ params++;
+
+ /* hash algorithm */
+ str = strsep(¶ms, " ");
+ if (!params)
+ return -EINVAL;
+ if (vp)
+ vp->hash_name = strdup(str);
+
+ /* root digest */
+ str = strsep(¶ms, " ");
+ if (!params)
+ return -EINVAL;
+ len = crypt_hex_to_bytes(str, &str2, 0);
+ if (len < 0)
+ return len;
+ dmd->u.verity.root_hash_size = len;
+ if (get_flags & DM_ACTIVE_VERITY_ROOT_HASH)
+ dmd->u.verity.root_hash = str2;
+ else
+ free(str2);
+
+ /* salt */
+ str = strsep(¶ms, " ");
+ if (vp) {
+ if (!strcmp(str, "-")) {
+ vp->salt_size = 0;
+ vp->salt = NULL;
+ } else {
+ len = crypt_hex_to_bytes(str, &str2, 0);
+ if (len < 0)
+ return len;
+ vp->salt_size = len;
+ vp->salt = str2;
+ }
+ }
+
+ /* Features section, available since verity target version 1.3 */
+ if (params) {
+ /* Number of arguments */
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params != ' ')
+ return -EINVAL;
+ params++;
+
+ features = (int)val64;
+ for (i = 0; i < features; i++) {
+ if (!params)
+ return -EINVAL;
+ arg = strsep(¶ms, " ");
+ if (!strcasecmp(arg, "ignore_corruption"))
+ dmd->flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION;
+ else if (!strcasecmp(arg, "restart_on_corruption"))
+ dmd->flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
+ else if (!strcasecmp(arg, "ignore_zero_blocks"))
+ dmd->flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
+ else if (!strcasecmp(arg, "use_fec_from_device")) {
+ str = strsep(¶ms, " ");
+ str2 = crypt_lookup_dev(str);
+ if (get_flags & DM_ACTIVE_VERITY_HASH_DEVICE) {
+ r = device_alloc(&dmd->u.verity.fec_device, str2);
+ if (r < 0 && r != -ENOTBLK) {
+ free(str2);
+ return r;
+ }
+ }
+ if (vp)
+ vp->fec_device = str2;
+ i++;
+ } else if (!strcasecmp(arg, "fec_start")) {
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params)
+ params++;
+ dmd->u.verity.fec_offset = val64;
+ if (vp)
+ vp->fec_area_offset = val64 * vp->hash_block_size;
+ i++;
+ } else if (!strcasecmp(arg, "fec_blocks")) {
+ val64 = strtoull(params, ¶ms, 10);
+ if (*params)
+ params++;
+ dmd->u.verity.fec_blocks = val64;
+ i++;
+ } else if (!strcasecmp(arg, "fec_roots")) {
+ val32 = strtoul(params, ¶ms, 10);
+ if (*params)
+ params++;
+ if (vp)
+ vp->fec_roots = val32;
+ i++;
+ } else /* unknown option */
+ return -EINVAL;
+ }
+
+ /* All parameters should be processed */
+ if (params && *params)
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+int dm_query_device(struct crypt_device *cd, const char *name,
+ uint32_t get_flags, struct crypt_dm_active_device *dmd)
+{
+ struct dm_task *dmt;
+ struct dm_info dmi;
+ uint64_t start, length;
+ char *target_type, *params;
+ const char *tmp_uuid;
+ void *next = NULL;
+ int r = -EINVAL;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+ if (!(dmt = dm_task_create(DM_DEVICE_TABLE)))
+ goto out;
+ if ((dm_flags() & DM_SECURE_SUPPORTED) && !dm_task_secure_data(dmt))
+ goto out;
+ if (!dm_task_set_name(dmt, name))
+ goto out;
+ r = -ENODEV;
+ if (!dm_task_run(dmt))
+ goto out;
+
+ r = -EINVAL;
+ if (!dm_task_get_info(dmt, &dmi))
+ goto out;
+
+ if (!dmi.exists) {
+ r = -ENODEV;
+ goto out;
+ }
+
+ next = dm_get_next_target(dmt, next, &start, &length,
+ &target_type, ¶ms);
+
+ if (!target_type || start != 0 || next)
+ goto out;
+
+ if (!strcmp(target_type, DM_CRYPT_TARGET)) {
+ r = _dm_query_crypt(get_flags, &dmi, params, dmd);
+ } else if (!strcmp(target_type, DM_VERITY_TARGET)) {
+ r = _dm_query_verity(get_flags, &dmi, params, dmd);
+ if (r < 0)
+ goto out;
+ r = _dm_status_verity_ok(name);
+ if (r < 0)
+ goto out;
+ if (r == 0)
+ dmd->flags |= CRYPT_ACTIVATE_CORRUPTED;
+ r = 0;
+ } else
+ r = -EINVAL;
+
+ if (r < 0)
+ goto out;
+
+ dmd->size = length;
+
+ if (dmi.read_only)
+ dmd->flags |= CRYPT_ACTIVATE_READONLY;
+
+ tmp_uuid = dm_task_get_uuid(dmt);
+ if (!tmp_uuid)
+ dmd->flags |= CRYPT_ACTIVATE_NO_UUID;
+ else if (get_flags & DM_ACTIVE_UUID) {
+ if (!strncmp(tmp_uuid, DM_UUID_PREFIX, DM_UUID_PREFIX_LEN))
+ dmd->uuid = strdup(tmp_uuid + DM_UUID_PREFIX_LEN);
+ }
+
+ r = (dmi.open_count > 0);
+out:
+ if (dmt)
+ dm_task_destroy(dmt);
+
+ dm_exit_context();
+ return r;
+}
+
+static int _dm_message(const char *name, const char *msg)
+{
+ int r = 0;
+ struct dm_task *dmt;
+
+ if (!(dmt = dm_task_create(DM_DEVICE_TARGET_MSG)))
+ return 0;
+
+ if ((dm_flags() & DM_SECURE_SUPPORTED) && !dm_task_secure_data(dmt))
+ goto out;
+
+ if (name && !dm_task_set_name(dmt, name))
+ goto out;
+
+ if (!dm_task_set_sector(dmt, (uint64_t) 0))
+ goto out;
+
+ if (!dm_task_set_message(dmt, msg))
+ goto out;
+
+ r = dm_task_run(dmt);
+
+ out:
+ dm_task_destroy(dmt);
+ return r;
+}
+
+int dm_suspend_and_wipe_key(struct crypt_device *cd, const char *name)
+{
+ int r = -ENOTSUP;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
+ if (!(_dm_crypt_flags & DM_KEY_WIPE_SUPPORTED))
+ goto out;
+
+ if (!_dm_simple(DM_DEVICE_SUSPEND, name, 0)) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (!_dm_message(name, "key wipe")) {
+ _dm_simple(DM_DEVICE_RESUME, name, 1);
+ r = -EINVAL;
+ goto out;
+ }
+ r = 0;
+out:
+ dm_exit_context();
+ return r;
+}
+
+int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
+ size_t key_size, const char *key)
+{
+ int msg_size = key_size * 2 + 10; // key set <key>
+ char *msg = NULL;
+ int r = -ENOTSUP;
+
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
+ if (!(_dm_crypt_flags & DM_KEY_WIPE_SUPPORTED))
+ goto out;
+
+ msg = crypt_safe_alloc(msg_size);
+ if (!msg) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ strcpy(msg, "key set ");
+ hex_key(&msg[8], key_size, key);
+
+ if (!_dm_message(name, msg) ||
+ !_dm_simple(DM_DEVICE_RESUME, name, 1)) {
+ r = -EINVAL;
+ goto out;
+ }
+ r = 0;
+out:
+ crypt_safe_free(msg);
+ dm_exit_context();
+ return r;
+}
+
+const char *dm_get_dir(void)
+{
+ return dm_dir();
+}
+
+int dm_is_dm_device(int major, int minor)
+{
+ return dm_is_dm_major((uint32_t)major);
+}
+
+int dm_is_dm_kernel_name(const char *name)
+{
+ return strncmp(name, "dm-", 3) ? 0 : 1;
+}
diff --git a/lib/loopaes/Makefile.am b/lib/loopaes/Makefile.am
new file mode 100644
index 0000000..0687c40
--- /dev/null
+++ b/lib/loopaes/Makefile.am
@@ -0,0 +1,14 @@
+moduledir = $(libdir)/cryptsetup
+
+noinst_LTLIBRARIES = libloopaes.la
+
+libloopaes_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
+
+libloopaes_la_SOURCES = \
+ loopaes.c \
+ loopaes.h
+
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir)/lib \
+ -I$(top_srcdir)/lib/crypto_backend
+
diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c
new file mode 100644
index 0000000..d9e1ae6
--- /dev/null
+++ b/lib/loopaes/loopaes.c
@@ -0,0 +1,250 @@
+/*
+ * loop-AES compatible volume handling
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "libcryptsetup.h"
+#include "loopaes.h"
+#include "internal.h"
+
+static const char *get_hash(unsigned int key_size)
+{
+ const char *hash;
+
+ switch (key_size) {
+ case 16: hash = "sha256"; break;
+ case 24: hash = "sha384"; break;
+ case 32: hash = "sha512"; break;
+ default: hash = NULL;
+ }
+
+ return hash;
+}
+
+static unsigned char get_tweak(unsigned int keys_count)
+{
+ switch (keys_count) {
+ case 64: return 0x55;
+ case 65: return 0xF4;
+ default: break;
+ }
+ return 0x00;
+}
+
+static int hash_key(const char *src, size_t src_len,
+ char *dst, size_t dst_len,
+ const char *hash_name)
+{
+ struct crypt_hash *hd = NULL;
+ int r;
+
+ if (crypt_hash_init(&hd, hash_name))
+ return -EINVAL;
+
+ r = crypt_hash_write(hd, src, src_len);
+ if (!r)
+ r = crypt_hash_final(hd, dst, dst_len);
+
+ crypt_hash_destroy(hd);
+ return r;
+}
+
+static int hash_keys(struct crypt_device *cd,
+ struct volume_key **vk,
+ const char *hash_override,
+ const char **input_keys,
+ unsigned int keys_count,
+ unsigned int key_len_output,
+ unsigned int key_len_input)
+{
+ const char *hash_name;
+ char tweak, *key_ptr;
+ unsigned int i;
+ int r;
+
+ hash_name = hash_override ?: get_hash(key_len_output);
+ tweak = get_tweak(keys_count);
+
+ if (!keys_count || !key_len_output || !hash_name || !key_len_input) {
+ log_err(cd, _("Key processing error (using hash %s).\n"),
+ hash_name ?: "[none]");
+ return -EINVAL;
+ }
+
+ *vk = crypt_alloc_volume_key(key_len_output * keys_count, NULL);
+ if (!*vk)
+ return -ENOMEM;
+
+ for (i = 0; i < keys_count; i++) {
+ key_ptr = &(*vk)->key[i * key_len_output];
+ r = hash_key(input_keys[i], key_len_input, key_ptr,
+ key_len_output, hash_name);
+ if (r < 0)
+ break;
+
+ key_ptr[0] ^= tweak;
+ }
+
+ if (r < 0 && *vk) {
+ crypt_free_volume_key(*vk);
+ *vk = NULL;
+ }
+ return r;
+}
+
+static int keyfile_is_gpg(char *buffer, size_t buffer_len)
+{
+ int r = 0;
+ int index = buffer_len < 100 ? buffer_len - 1 : 100;
+ char eos = buffer[index];
+
+ buffer[index] = '\0';
+ if (strstr(buffer, "BEGIN PGP MESSAGE"))
+ r = 1;
+ buffer[index] = eos;
+ return r;
+}
+
+int LOOPAES_parse_keyfile(struct crypt_device *cd,
+ struct volume_key **vk,
+ const char *hash,
+ unsigned int *keys_count,
+ char *buffer,
+ size_t buffer_len)
+{
+ const char *keys[LOOPAES_KEYS_MAX];
+ unsigned int key_lengths[LOOPAES_KEYS_MAX];
+ unsigned int i, key_index, key_len, offset;
+
+ log_dbg("Parsing loop-AES keyfile of size %zu.", buffer_len);
+
+ if (!buffer_len)
+ return -EINVAL;
+
+ if (keyfile_is_gpg(buffer, buffer_len)) {
+ log_err(cd, _("Detected not yet supported GPG encrypted keyfile.\n"));
+ log_std(cd, _("Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"));
+ return -EINVAL;
+ }
+
+ /* Remove EOL in buffer */
+ for (i = 0; i < buffer_len; i++)
+ if (buffer[i] == '\n' || buffer[i] == '\r')
+ buffer[i] = '\0';
+
+ offset = 0;
+ key_index = 0;
+ key_lengths[0] = 0;
+ while (offset < buffer_len && key_index < LOOPAES_KEYS_MAX) {
+ keys[key_index] = &buffer[offset];
+ key_lengths[key_index] = 0;;
+ while (offset < buffer_len && buffer[offset]) {
+ offset++;
+ key_lengths[key_index]++;
+ }
+ if (offset == buffer_len) {
+ log_dbg("Unterminated key #%d in keyfile.", key_index);
+ log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
+ return -EINVAL;
+ }
+ while (offset < buffer_len && !buffer[offset])
+ offset++;
+ key_index++;
+ }
+
+ /* All keys must be the same length */
+ key_len = key_lengths[0];
+ for (i = 0; i < key_index; i++)
+ if (!key_lengths[i] || (key_lengths[i] != key_len)) {
+ log_dbg("Unexpected length %d of key #%d (should be %d).",
+ key_lengths[i], i, key_len);
+ key_len = 0;
+ break;
+ }
+
+ if (offset != buffer_len || key_len == 0 ||
+ (key_index != 1 && key_index !=64 && key_index != 65)) {
+ log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
+ return -EINVAL;
+ }
+
+ log_dbg("Keyfile: %d keys of length %d.", key_index, key_len);
+
+ *keys_count = key_index;
+ return hash_keys(cd, vk, hash, keys, key_index,
+ crypt_get_volume_key_size(cd), key_len);
+}
+
+int LOOPAES_activate(struct crypt_device *cd,
+ const char *name,
+ const char *base_cipher,
+ unsigned int keys_count,
+ struct volume_key *vk,
+ uint32_t flags)
+{
+ char *cipher = NULL;
+ uint32_t req_flags;
+ int r;
+ struct crypt_dm_active_device dmd = {
+ .target = DM_CRYPT,
+ .size = 0,
+ .flags = flags,
+ .data_device = crypt_data_device(cd),
+ .u.crypt = {
+ .cipher = NULL,
+ .vk = vk,
+ .offset = crypt_get_data_offset(cd),
+ .iv_offset = crypt_get_iv_offset(cd),
+ }
+ };
+
+ r = device_block_adjust(cd, dmd.data_device, DEV_EXCL,
+ dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ if (r)
+ return r;
+
+ if (keys_count == 1) {
+ req_flags = DM_PLAIN64_SUPPORTED;
+ r = asprintf(&cipher, "%s-%s", base_cipher, "cbc-plain64");
+ } else {
+ req_flags = DM_LMK_SUPPORTED;
+ r = asprintf(&cipher, "%s:%d-%s", base_cipher, 64, "cbc-lmk");
+ }
+ if (r < 0)
+ return -ENOMEM;
+
+ dmd.u.crypt.cipher = cipher;
+ log_dbg("Trying to activate loop-AES device %s using cipher %s.",
+ name, dmd.u.crypt.cipher);
+
+ r = dm_create_device(cd, name, CRYPT_LOOPAES, &dmd, 0);
+
+ if (r < 0 && !(dm_flags() & req_flags)) {
+ log_err(cd, _("Kernel doesn't support loop-AES compatible mapping.\n"));
+ r = -ENOTSUP;
+ }
+
+ free(cipher);
+ return r;
+}
diff --git a/lib/loopaes/loopaes.h b/lib/loopaes/loopaes.h
new file mode 100644
index 0000000..ca72304
--- /dev/null
+++ b/lib/loopaes/loopaes.h
@@ -0,0 +1,45 @@
+/*
+ * loop-AES compatible volume handling
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _LOOPAES_H
+#define _LOOPAES_H
+
+#include <unistd.h>
+
+struct crypt_device;
+struct volume_key;
+
+#define LOOPAES_KEYS_MAX 65
+
+int LOOPAES_parse_keyfile(struct crypt_device *cd,
+ struct volume_key **vk,
+ const char *hash,
+ unsigned int *keys_count,
+ char *buffer,
+ size_t buffer_len);
+
+int LOOPAES_activate(struct crypt_device *cd,
+ const char *name,
+ const char *base_cipher,
+ unsigned int keys_count,
+ struct volume_key *vk,
+ uint32_t flags);
+#endif
diff --git a/lib/luks1/Makefile.am b/lib/luks1/Makefile.am
new file mode 100644
index 0000000..5d6800e
--- /dev/null
+++ b/lib/luks1/Makefile.am
@@ -0,0 +1,17 @@
+moduledir = $(libdir)/cryptsetup
+
+noinst_LTLIBRARIES = libluks1.la
+
+libluks1_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
+
+libluks1_la_SOURCES = \
+ af.c \
+ keymanage.c \
+ keyencryption.c \
+ af.h \
+ luks.h
+
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir)/lib \
+ -I$(top_srcdir)/lib/crypto_backend
+
diff --git a/lib/luks1/af.c b/lib/luks1/af.c
new file mode 100644
index 0000000..1f4dd67
--- /dev/null
+++ b/lib/luks1/af.c
@@ -0,0 +1,163 @@
+/*
+ * AFsplitter - Anti forensic information splitter
+ *
+ * Copyright (C) 2004, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ *
+ * AFsplitter diffuses information over a large stripe of data,
+ * therefor supporting secure data destruction.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include "internal.h"
+#include "af.h"
+
+static void XORblock(const char *src1, const char *src2, char *dst, size_t n)
+{
+ size_t j;
+
+ for(j = 0; j < n; ++j)
+ dst[j] = src1[j] ^ src2[j];
+}
+
+static int hash_buf(const char *src, char *dst, uint32_t iv,
+ size_t len, const char *hash_name)
+{
+ struct crypt_hash *hd = NULL;
+ char *iv_char = (char *)&iv;
+ int r;
+
+ iv = htonl(iv);
+ if (crypt_hash_init(&hd, hash_name))
+ return -EINVAL;
+
+ if ((r = crypt_hash_write(hd, iv_char, sizeof(uint32_t))))
+ goto out;
+
+ if ((r = crypt_hash_write(hd, src, len)))
+ goto out;
+
+ r = crypt_hash_final(hd, dst, len);
+out:
+ crypt_hash_destroy(hd);
+ return r;
+}
+
+/* diffuse: Information spreading over the whole dataset with
+ * the help of hash function.
+ */
+
+static int diffuse(char *src, char *dst, size_t size, const char *hash_name)
+{
+ int hash_size = crypt_hash_size(hash_name);
+ unsigned int digest_size;
+ unsigned int i, blocks, padding;
+
+ if (hash_size <= 0)
+ return 1;
+ digest_size = hash_size;
+
+ blocks = size / digest_size;
+ padding = size % digest_size;
+
+ for (i = 0; i < blocks; i++)
+ if(hash_buf(src + digest_size * i,
+ dst + digest_size * i,
+ i, (size_t)digest_size, hash_name))
+ return 1;
+
+ if(padding)
+ if(hash_buf(src + digest_size * i,
+ dst + digest_size * i,
+ i, (size_t)padding, hash_name))
+ return 1;
+
+ return 0;
+}
+
+/*
+ * Information splitting. The amount of data is multiplied by
+ * blocknumbers. The same blocksize and blocknumbers values
+ * must be supplied to AF_merge to recover information.
+ */
+
+int AF_split(const char *src, char *dst, size_t blocksize,
+ unsigned int blocknumbers, const char *hash)
+{
+ unsigned int i;
+ char *bufblock;
+ int r = -EINVAL;
+
+ if((bufblock = calloc(blocksize, 1)) == NULL) return -ENOMEM;
+
+ /* process everything except the last block */
+ for(i=0; i<blocknumbers-1; i++) {
+ r = crypt_random_get(NULL, dst+(blocksize*i), blocksize, CRYPT_RND_NORMAL);
+ if(r < 0) goto out;
+
+ XORblock(dst+(blocksize*i),bufblock,bufblock,blocksize);
+ if(diffuse(bufblock, bufblock, blocksize, hash))
+ goto out;
+ }
+ /* the last block is computed */
+ XORblock(src,bufblock,dst+(i*blocksize),blocksize);
+ r = 0;
+out:
+ free(bufblock);
+ return r;
+}
+
+int AF_merge(const char *src, char *dst, size_t blocksize,
+ unsigned int blocknumbers, const char *hash)
+{
+ unsigned int i;
+ char *bufblock;
+ int r = -EINVAL;
+
+ if((bufblock = calloc(blocksize, 1)) == NULL)
+ return -ENOMEM;
+
+ memset(bufblock,0,blocksize);
+ for(i=0; i<blocknumbers-1; i++) {
+ XORblock(src+(blocksize*i),bufblock,bufblock,blocksize);
+ if(diffuse(bufblock, bufblock, blocksize, hash))
+ goto out;
+ }
+ XORblock(src + blocksize * i, bufblock, dst, blocksize);
+ r = 0;
+out:
+ free(bufblock);
+ return r;
+}
+
+/* Size of final split data including sector alignment */
+size_t AF_split_sectors(size_t blocksize, unsigned int blocknumbers)
+{
+ size_t af_size;
+
+ /* data material * stripes */
+ af_size = blocksize * blocknumbers;
+
+ /* round up to sector */
+ af_size = (af_size + (SECTOR_SIZE - 1)) / SECTOR_SIZE;
+
+ return af_size;
+}
diff --git a/lib/luks1/af.h b/lib/luks1/af.h
new file mode 100644
index 0000000..d2a92fa
--- /dev/null
+++ b/lib/luks1/af.h
@@ -0,0 +1,60 @@
+/*
+ * AFsplitter - Anti forensic information splitter
+ *
+ * Copyright (C) 2004, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ *
+ * AFsplitter diffuses information over a large stripe of data,
+ * therefor supporting secure data destruction.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef INCLUDED_CRYPTSETUP_LUKS_AF_H
+#define INCLUDED_CRYPTSETUP_LUKS_AF_H
+
+/*
+ * AF_split operates on src and produces information split data in
+ * dst. src is assumed to be of the length blocksize. The data stripe
+ * dst points to must be capable of storing blocksize*blocknumbers.
+ * blocknumbers is the data multiplication factor.
+ *
+ * AF_merge does just the opposite: reproduces the information stored in
+ * src of the length blocksize*blocknumbers into dst of the length
+ * blocksize.
+ *
+ * On error, both functions return -1, 0 otherwise.
+ */
+
+int AF_split(const char *src, char *dst, size_t blocksize, unsigned int blocknumbers, const char *hash);
+int AF_merge(const char *src, char *dst, size_t blocksize, unsigned int blocknumbers, const char *hash);
+size_t AF_split_sectors(size_t blocksize, unsigned int blocknumbers);
+
+int LUKS_encrypt_to_storage(
+ char *src, size_t srcLength,
+ const char *cipher,
+ const char *cipher_mode,
+ struct volume_key *vk,
+ unsigned int sector,
+ struct crypt_device *ctx);
+
+int LUKS_decrypt_from_storage(
+ char *dst, size_t dstLength,
+ const char *cipher,
+ const char *cipher_mode,
+ struct volume_key *vk,
+ unsigned int sector,
+ struct crypt_device *ctx);
+
+#endif
diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c
new file mode 100644
index 0000000..27e8763
--- /dev/null
+++ b/lib/luks1/keyencryption.c
@@ -0,0 +1,260 @@
+/*
+ * LUKS - Linux Unified Key Setup
+ *
+ * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
+#include "luks.h"
+#include "internal.h"
+
+static void _error_hint(struct crypt_device *ctx, const char *device,
+ const char *cipher, const char *mode, size_t keyLength)
+{
+ char cipher_spec[MAX_CIPHER_LEN * 3];
+
+ if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0)
+ return;
+
+ log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n"
+ "Check that kernel supports %s cipher (check syslog for more info).\n"),
+ device, cipher_spec);
+
+ if (!strncmp(mode, "xts", 3) && (keyLength != 256 && keyLength != 512))
+ log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits.\n"));
+}
+
+static int LUKS_endec_template(char *src, size_t srcLength,
+ const char *cipher, const char *cipher_mode,
+ struct volume_key *vk,
+ unsigned int sector,
+ ssize_t (*func)(int, int, void *, size_t),
+ int mode,
+ struct crypt_device *ctx)
+{
+ char name[PATH_MAX], path[PATH_MAX];
+ char cipher_spec[MAX_CIPHER_LEN * 3];
+ struct crypt_dm_active_device dmd = {
+ .target = DM_CRYPT,
+ .uuid = NULL,
+ .flags = CRYPT_ACTIVATE_PRIVATE,
+ .data_device = crypt_metadata_device(ctx),
+ .u.crypt = {
+ .cipher = cipher_spec,
+ .vk = vk,
+ .offset = sector,
+ .iv_offset = 0,
+ }
+ };
+ int r, bsize, devfd = -1;
+
+ log_dbg("Using dmcrypt to access keyslot area.");
+
+ bsize = device_block_size(dmd.data_device);
+ if (bsize <= 0)
+ return -EINVAL;
+
+ dmd.size = size_round_up(srcLength, bsize) / SECTOR_SIZE;
+
+ if (mode == O_RDONLY)
+ dmd.flags |= CRYPT_ACTIVATE_READONLY;
+
+ if (snprintf(name, sizeof(name), "temporary-cryptsetup-%d", getpid()) < 0)
+ return -ENOMEM;
+ if (snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name) < 0)
+ return -ENOMEM;
+ if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode) < 0)
+ return -ENOMEM;
+
+ r = device_block_adjust(ctx, dmd.data_device, DEV_OK,
+ dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ if (r < 0) {
+ log_err(ctx, _("Device %s doesn't exist or access denied.\n"),
+ device_path(dmd.data_device));
+ return -EIO;
+ }
+
+ if (mode != O_RDONLY && dmd.flags & CRYPT_ACTIVATE_READONLY) {
+ log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
+ device_path(dmd.data_device));
+ return -EACCES;
+ }
+
+ r = dm_create_device(ctx, name, "TEMP", &dmd, 0);
+ if (r < 0) {
+ if (r != -EACCES && r != -ENOTSUP)
+ _error_hint(ctx, device_path(dmd.data_device),
+ cipher, cipher_mode, vk->keylength * 8);
+ return -EIO;
+ }
+
+ devfd = open(path, mode | O_DIRECT | O_SYNC);
+ if (devfd == -1) {
+ log_err(ctx, _("Failed to open temporary keystore device.\n"));
+ r = -EIO;
+ goto out;
+ }
+
+ r = func(devfd, bsize, src, srcLength);
+ if (r < 0) {
+ log_err(ctx, _("Failed to access temporary keystore device.\n"));
+ r = -EIO;
+ } else
+ r = 0;
+ out:
+ if (devfd != -1)
+ close(devfd);
+ dm_remove_device(ctx, name, 1, dmd.size);
+ return r;
+}
+
+int LUKS_encrypt_to_storage(char *src, size_t srcLength,
+ const char *cipher,
+ const char *cipher_mode,
+ struct volume_key *vk,
+ unsigned int sector,
+ struct crypt_device *ctx)
+{
+
+ struct device *device = crypt_metadata_device(ctx);
+ struct crypt_storage *s;
+ int devfd = -1, bsize, r = 0;
+
+ /* Only whole sector writes supported */
+ if (srcLength % SECTOR_SIZE)
+ return -EINVAL;
+
+ /* Encrypt buffer */
+ r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength);
+
+ if (r)
+ log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).",
+ cipher, cipher_mode, r);
+
+ /* Fallback to old temporary dmcrypt device */
+ if (r == -ENOTSUP || r == -ENOENT)
+ return LUKS_endec_template(src, srcLength, cipher, cipher_mode,
+ vk, sector, write_blockwise, O_RDWR, ctx);
+
+ if (r) {
+ _error_hint(ctx, device_path(device), cipher, cipher_mode,
+ vk->keylength * 8);
+ return r;
+ }
+
+ log_dbg("Using userspace crypto wrapper to access keyslot area.");
+
+ r = crypt_storage_encrypt(s, 0, srcLength / SECTOR_SIZE, src);
+ crypt_storage_destroy(s);
+
+ if (r)
+ return r;
+
+ r = -EIO;
+
+ /* Write buffer to device */
+ bsize = device_block_size(device);
+ if (bsize <= 0)
+ goto out;
+
+ devfd = device_open(device, O_RDWR);
+ if (devfd < 0)
+ goto out;
+
+ if (lseek(devfd, sector * SECTOR_SIZE, SEEK_SET) == -1 ||
+ write_blockwise(devfd, bsize, src, srcLength) == -1)
+ goto out;
+
+ r = 0;
+out:
+ if (devfd >= 0)
+ close(devfd);
+ if (r)
+ log_err(ctx, _("IO error while encrypting keyslot.\n"));
+
+ return r;
+}
+
+int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
+ const char *cipher,
+ const char *cipher_mode,
+ struct volume_key *vk,
+ unsigned int sector,
+ struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ struct crypt_storage *s;
+ int devfd = -1, bsize, r = 0;
+
+ /* Only whole sector reads supported */
+ if (dstLength % SECTOR_SIZE)
+ return -EINVAL;
+
+ r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength);
+
+ if (r)
+ log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).",
+ cipher, cipher_mode, r);
+
+ /* Fallback to old temporary dmcrypt device */
+ if (r == -ENOTSUP || r == -ENOENT)
+ return LUKS_endec_template(dst, dstLength, cipher, cipher_mode,
+ vk, sector, read_blockwise, O_RDONLY, ctx);
+
+ if (r) {
+ _error_hint(ctx, device_path(device), cipher, cipher_mode,
+ vk->keylength * 8);
+ return r;
+ }
+
+ log_dbg("Using userspace crypto wrapper to access keyslot area.");
+
+ r = -EIO;
+
+ /* Read buffer from device */
+ bsize = device_block_size(device);
+ if (bsize <= 0)
+ goto bad;
+
+ devfd = device_open(device, O_RDONLY);
+ if (devfd < 0)
+ goto bad;
+
+ if (lseek(devfd, sector * SECTOR_SIZE, SEEK_SET) == -1 ||
+ read_blockwise(devfd, bsize, dst, dstLength) == -1)
+ goto bad;
+
+ close(devfd);
+
+ /* Decrypt buffer */
+ r = crypt_storage_decrypt(s, 0, dstLength / SECTOR_SIZE, dst);
+ crypt_storage_destroy(s);
+
+ return r;
+bad:
+ if (devfd >= 0)
+ close(devfd);
+
+ log_err(ctx, _("IO error while decrypting keyslot.\n"));
+ crypt_storage_destroy(s);
+
+ return r;
+}
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
new file mode 100644
index 0000000..5b1421b
--- /dev/null
+++ b/lib/luks1/keymanage.c
@@ -0,0 +1,1151 @@
+/*
+ * LUKS - Linux Unified Key Setup
+ *
+ * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2013-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include <uuid/uuid.h>
+
+#include "luks.h"
+#include "af.h"
+#include "internal.h"
+
+/* Get size of struct luks_phdr with all keyslots material space */
+static size_t LUKS_device_sectors(size_t keyLen)
+{
+ size_t keyslot_sectors, sector;
+ int i;
+
+ keyslot_sectors = AF_split_sectors(keyLen, LUKS_STRIPES);
+ sector = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
+
+ for (i = 0; i < LUKS_NUMKEYS; i++) {
+ sector = size_round_up(sector, LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
+ sector += keyslot_sectors;
+ }
+
+ return sector;
+}
+
+int LUKS_keyslot_area(const struct luks_phdr *hdr,
+ int keyslot,
+ uint64_t *offset,
+ uint64_t *length)
+{
+ if(keyslot >= LUKS_NUMKEYS || keyslot < 0)
+ return -EINVAL;
+
+ *offset = (uint64_t)hdr->keyblock[keyslot].keyMaterialOffset * SECTOR_SIZE;
+ *length = AF_split_sectors(hdr->keyBytes, LUKS_STRIPES) * SECTOR_SIZE;
+
+ return 0;
+}
+
+static int LUKS_check_device_size(struct crypt_device *ctx, size_t keyLength)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ uint64_t dev_sectors, hdr_sectors;
+
+ if (!keyLength)
+ return -EINVAL;
+
+ if(device_size(device, &dev_sectors)) {
+ log_dbg("Cannot get device size for device %s.", device_path(device));
+ return -EIO;
+ }
+
+ dev_sectors >>= SECTOR_SHIFT;
+ hdr_sectors = LUKS_device_sectors(keyLength);
+ log_dbg("Key length %zu, device size %" PRIu64 " sectors, header size %"
+ PRIu64 " sectors.",keyLength, dev_sectors, hdr_sectors);
+
+ if (hdr_sectors > dev_sectors) {
+ log_err(ctx, _("Device %s is too small. (LUKS requires at least %" PRIu64 " bytes.)\n"),
+ device_path(device), hdr_sectors * SECTOR_SIZE);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+/* Check keyslot to prevent access outside of header and keyslot area */
+static int LUKS_check_keyslot_size(const struct luks_phdr *phdr, unsigned int keyIndex)
+{
+ uint32_t secs_per_stripes;
+
+ /* First sectors is the header itself */
+ if (phdr->keyblock[keyIndex].keyMaterialOffset * SECTOR_SIZE < sizeof(*phdr)) {
+ log_dbg("Invalid offset %u in keyslot %u.",
+ phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex);
+ return 1;
+ }
+
+ /* Ignore following check for detached header where offset can be zero. */
+ if (phdr->payloadOffset == 0)
+ return 0;
+
+ if (phdr->payloadOffset <= phdr->keyblock[keyIndex].keyMaterialOffset) {
+ log_dbg("Invalid offset %u in keyslot %u (beyond data area offset %u).",
+ phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex,
+ phdr->payloadOffset);
+ return 1;
+ }
+
+ secs_per_stripes = AF_split_sectors(phdr->keyBytes, phdr->keyblock[keyIndex].stripes);
+
+ if (phdr->payloadOffset < (phdr->keyblock[keyIndex].keyMaterialOffset + secs_per_stripes)) {
+ log_dbg("Invalid keyslot size %u (offset %u, stripes %u) in "
+ "keyslot %u (beyond data area offset %u).",
+ secs_per_stripes,
+ phdr->keyblock[keyIndex].keyMaterialOffset,
+ phdr->keyblock[keyIndex].stripes,
+ keyIndex, phdr->payloadOffset);
+ return 1;
+ }
+
+ return 0;
+}
+
+static const char *dbg_slot_state(crypt_keyslot_info ki)
+{
+ switch(ki) {
+ case CRYPT_SLOT_INACTIVE:
+ return "INACTIVE";
+ case CRYPT_SLOT_ACTIVE:
+ return "ACTIVE";
+ case CRYPT_SLOT_ACTIVE_LAST:
+ return "ACTIVE_LAST";
+ case CRYPT_SLOT_INVALID:
+ default:
+ return "INVALID";
+ }
+}
+
+int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ struct luks_phdr hdr;
+ int r = 0, devfd = -1;
+ ssize_t hdr_size;
+ ssize_t buffer_size;
+ char *buffer = NULL;
+
+ r = LUKS_read_phdr(&hdr, 1, 0, ctx);
+ if (r)
+ return r;
+
+ hdr_size = LUKS_device_sectors(hdr.keyBytes) << SECTOR_SHIFT;
+ buffer_size = size_round_up(hdr_size, crypt_getpagesize());
+
+ buffer = crypt_safe_alloc(buffer_size);
+ if (!buffer || hdr_size < LUKS_ALIGN_KEYSLOTS || hdr_size > buffer_size) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ log_dbg("Storing backup of header (%zu bytes) and keyslot area (%zu bytes).",
+ sizeof(hdr), hdr_size - LUKS_ALIGN_KEYSLOTS);
+
+ log_dbg("Output backup file size: %zu bytes.", buffer_size);
+
+ devfd = device_open(device, O_RDONLY);
+ if (devfd < 0) {
+ log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device_path(device));
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (read_blockwise(devfd, device_block_size(device), buffer, hdr_size) < hdr_size) {
+ r = -EIO;
+ goto out;
+ }
+ close(devfd);
+
+ /* Wipe unused area, so backup cannot contain old signatures */
+ if (hdr.keyblock[0].keyMaterialOffset * SECTOR_SIZE == LUKS_ALIGN_KEYSLOTS)
+ memset(buffer + sizeof(hdr), 0, LUKS_ALIGN_KEYSLOTS - sizeof(hdr));
+
+ devfd = open(backup_file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);
+ if (devfd == -1) {
+ if (errno == EEXIST)
+ log_err(ctx, _("Requested header backup file %s already exists.\n"), backup_file);
+ else
+ log_err(ctx, _("Cannot create header backup file %s.\n"), backup_file);
+ r = -EINVAL;
+ goto out;
+ }
+ if (write_buffer(devfd, buffer, buffer_size) < buffer_size) {
+ log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file);
+ r = -EIO;
+ goto out;
+ }
+
+ r = 0;
+out:
+ if (devfd >= 0)
+ close(devfd);
+ crypt_memzero(&hdr, sizeof(hdr));
+ crypt_safe_free(buffer);
+ return r;
+}
+
+int LUKS_hdr_restore(
+ const char *backup_file,
+ struct luks_phdr *hdr,
+ struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ int r = 0, devfd = -1, diff_uuid = 0;
+ ssize_t buffer_size = 0;
+ char *buffer = NULL, msg[200];
+ struct luks_phdr hdr_file;
+
+ r = LUKS_read_phdr_backup(backup_file, &hdr_file, 0, ctx);
+ if (r == -ENOENT)
+ return r;
+
+ if (!r)
+ buffer_size = LUKS_device_sectors(hdr_file.keyBytes) << SECTOR_SHIFT;
+
+ if (r || buffer_size < LUKS_ALIGN_KEYSLOTS) {
+ log_err(ctx, _("Backup file doesn't contain valid LUKS header.\n"));
+ r = -EINVAL;
+ goto out;
+ }
+
+ buffer = crypt_safe_alloc(buffer_size);
+ if (!buffer) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ devfd = open(backup_file, O_RDONLY);
+ if (devfd == -1) {
+ log_err(ctx, _("Cannot open header backup file %s.\n"), backup_file);
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (read_buffer(devfd, buffer, buffer_size) < buffer_size) {
+ log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file);
+ r = -EIO;
+ goto out;
+ }
+ close(devfd);
+ devfd = -1;
+
+ r = LUKS_read_phdr(hdr, 0, 0, ctx);
+ if (r == 0) {
+ log_dbg("Device %s already contains LUKS header, checking UUID and offset.", device_path(device));
+ if(hdr->payloadOffset != hdr_file.payloadOffset ||
+ hdr->keyBytes != hdr_file.keyBytes) {
+ log_err(ctx, _("Data offset or key size differs on device and backup, restore failed.\n"));
+ r = -EINVAL;
+ goto out;
+ }
+ if (memcmp(hdr->uuid, hdr_file.uuid, UUID_STRING_L))
+ diff_uuid = 1;
+ }
+
+ if (snprintf(msg, sizeof(msg), _("Device %s %s%s"), device_path(device),
+ r ? _("does not contain LUKS header. Replacing header can destroy data on that device.") :
+ _("already contains LUKS header. Replacing header will destroy existing keyslots."),
+ diff_uuid ? _("\nWARNING: real device header has different UUID than backup!") : "") < 0) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ if (!crypt_confirm(ctx, msg)) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ log_dbg("Storing backup of header (%zu bytes) and keyslot area (%zu bytes) to device %s.",
+ sizeof(*hdr), buffer_size - LUKS_ALIGN_KEYSLOTS, device_path(device));
+
+ devfd = device_open(device, O_RDWR);
+ if (devfd < 0) {
+ if (errno == EACCES)
+ log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
+ device_path(device));
+ else
+ log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (write_blockwise(devfd, device_block_size(device), buffer, buffer_size) < buffer_size) {
+ r = -EIO;
+ goto out;
+ }
+ close(devfd);
+ devfd = -1;
+
+ /* Be sure to reload new data */
+ r = LUKS_read_phdr(hdr, 1, 0, ctx);
+out:
+ if (devfd >= 0)
+ close(devfd);
+ crypt_safe_free(buffer);
+ return r;
+}
+
+/* This routine should do some just basic recovery for known problems. */
+static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
+{
+ struct luks_phdr temp_phdr;
+ const unsigned char *sector = (const unsigned char*)phdr;
+ struct volume_key *vk;
+ uint64_t PBKDF2_per_sec = 1;
+ int i, bad, r, need_write = 0;
+
+ if (phdr->keyBytes != 16 && phdr->keyBytes != 32 && phdr->keyBytes != 64) {
+ log_err(ctx, _("Non standard key size, manual repair required.\n"));
+ return -EINVAL;
+ }
+ /* cryptsetup 1.0 did not align to 4k, cannot repair this one */
+ if (phdr->keyblock[0].keyMaterialOffset < (LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE)) {
+ log_err(ctx, _("Non standard keyslots alignment, manual repair required.\n"));
+ return -EINVAL;
+ }
+
+ vk = crypt_alloc_volume_key(phdr->keyBytes, NULL);
+
+ log_verbose(ctx, _("Repairing keyslots.\n"));
+
+ log_dbg("Generating second header with the same parameters for check.");
+ /* cipherName, cipherMode, hashSpec, uuid are already null terminated */
+ /* payloadOffset - cannot check */
+ r = LUKS_generate_phdr(&temp_phdr, vk, phdr->cipherName, phdr->cipherMode,
+ phdr->hashSpec,phdr->uuid, LUKS_STRIPES,
+ phdr->payloadOffset, 0,
+ 1, &PBKDF2_per_sec,
+ 1, ctx);
+ if (r < 0) {
+ log_err(ctx, _("Repair failed."));
+ goto out;
+ }
+
+ for(i = 0; i < LUKS_NUMKEYS; ++i) {
+ if (phdr->keyblock[i].active == LUKS_KEY_ENABLED) {
+ log_dbg("Skipping repair for active keyslot %i.", i);
+ continue;
+ }
+
+ bad = 0;
+ if (phdr->keyblock[i].keyMaterialOffset != temp_phdr.keyblock[i].keyMaterialOffset) {
+ log_err(ctx, _("Keyslot %i: offset repaired (%u -> %u).\n"), i,
+ (unsigned)phdr->keyblock[i].keyMaterialOffset,
+ (unsigned)temp_phdr.keyblock[i].keyMaterialOffset);
+ phdr->keyblock[i].keyMaterialOffset = temp_phdr.keyblock[i].keyMaterialOffset;
+ bad = 1;
+ }
+
+ if (phdr->keyblock[i].stripes != temp_phdr.keyblock[i].stripes) {
+ log_err(ctx, _("Keyslot %i: stripes repaired (%u -> %u).\n"), i,
+ (unsigned)phdr->keyblock[i].stripes,
+ (unsigned)temp_phdr.keyblock[i].stripes);
+ phdr->keyblock[i].stripes = temp_phdr.keyblock[i].stripes;
+ bad = 1;
+ }
+
+ /* Known case - MSDOS partition table signature */
+ if (i == 6 && sector[0x1fe] == 0x55 && sector[0x1ff] == 0xaa) {
+ log_err(ctx, _("Keyslot %i: bogus partition signature.\n"), i);
+ bad = 1;
+ }
+
+ if(bad) {
+ log_err(ctx, _("Keyslot %i: salt wiped.\n"), i);
+ phdr->keyblock[i].active = LUKS_KEY_DISABLED;
+ memset(&phdr->keyblock[i].passwordSalt, 0x00, LUKS_SALTSIZE);
+ phdr->keyblock[i].passwordIterations = 0;
+ }
+
+ if (bad)
+ need_write = 1;
+ }
+
+ if (need_write) {
+ log_verbose(ctx, _("Writing LUKS header to disk.\n"));
+ r = LUKS_write_phdr(phdr, ctx);
+ }
+out:
+ crypt_free_volume_key(vk);
+ crypt_memzero(&temp_phdr, sizeof(temp_phdr));
+ return r;
+}
+
+static int _check_and_convert_hdr(const char *device,
+ struct luks_phdr *hdr,
+ int require_luks_device,
+ int repair,
+ struct crypt_device *ctx)
+{
+ int r = 0;
+ unsigned int i;
+ char luksMagic[] = LUKS_MAGIC;
+
+ if(memcmp(hdr->magic, luksMagic, LUKS_MAGIC_L)) { /* Check magic */
+ log_dbg("LUKS header not detected.");
+ if (require_luks_device)
+ log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device);
+ return -EINVAL;
+ } else if((hdr->version = ntohs(hdr->version)) != 1) { /* Convert every uint16/32_t item from network byte order */
+ log_err(ctx, _("Unsupported LUKS version %d.\n"), hdr->version);
+ return -EINVAL;
+ }
+
+ hdr->hashSpec[LUKS_HASHSPEC_L - 1] = '\0';
+ if (crypt_hmac_size(hdr->hashSpec) < LUKS_DIGESTSIZE) {
+ log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hdr->hashSpec);
+ return -EINVAL;
+ }
+
+ /* Header detected */
+ hdr->payloadOffset = ntohl(hdr->payloadOffset);
+ hdr->keyBytes = ntohl(hdr->keyBytes);
+ hdr->mkDigestIterations = ntohl(hdr->mkDigestIterations);
+
+ for(i = 0; i < LUKS_NUMKEYS; ++i) {
+ hdr->keyblock[i].active = ntohl(hdr->keyblock[i].active);
+ hdr->keyblock[i].passwordIterations = ntohl(hdr->keyblock[i].passwordIterations);
+ hdr->keyblock[i].keyMaterialOffset = ntohl(hdr->keyblock[i].keyMaterialOffset);
+ hdr->keyblock[i].stripes = ntohl(hdr->keyblock[i].stripes);
+ if (LUKS_check_keyslot_size(hdr, i)) {
+ log_err(ctx, _("LUKS keyslot %u is invalid.\n"), i);
+ r = -EINVAL;
+ }
+ }
+
+ /* Avoid unterminated strings */
+ hdr->cipherName[LUKS_CIPHERNAME_L - 1] = '\0';
+ hdr->cipherMode[LUKS_CIPHERMODE_L - 1] = '\0';
+ hdr->uuid[UUID_STRING_L - 1] = '\0';
+
+ if (repair) {
+ if (r == -EINVAL)
+ r = _keyslot_repair(hdr, ctx);
+ else
+ log_verbose(ctx, _("No known problems detected for LUKS header.\n"));
+ }
+
+ return r;
+}
+
+static void _to_lower(char *str, unsigned max_len)
+{
+ for(; *str && max_len; str++, max_len--)
+ if (isupper(*str))
+ *str = tolower(*str);
+}
+
+static void LUKS_fix_header_compatible(struct luks_phdr *header)
+{
+ /* Old cryptsetup expects "sha1", gcrypt allows case insensistive names,
+ * so always convert hash to lower case in header */
+ _to_lower(header->hashSpec, LUKS_HASHSPEC_L);
+
+ /* ECB mode does not use IV but dmcrypt silently allows it.
+ * Drop any IV here if ECB is used (that is not secure anyway).*/
+ if (!strncmp(header->cipherMode, "ecb-", 4)) {
+ memset(header->cipherMode, 0, LUKS_CIPHERMODE_L);
+ strcpy(header->cipherMode, "ecb");
+ }
+}
+
+int LUKS_read_phdr_backup(const char *backup_file,
+ struct luks_phdr *hdr,
+ int require_luks_device,
+ struct crypt_device *ctx)
+{
+ ssize_t hdr_size = sizeof(struct luks_phdr);
+ int devfd = 0, r = 0;
+
+ log_dbg("Reading LUKS header of size %d from backup file %s",
+ (int)hdr_size, backup_file);
+
+ devfd = open(backup_file, O_RDONLY);
+ if (devfd == -1) {
+ log_err(ctx, _("Cannot open header backup file %s.\n"), backup_file);
+ return -ENOENT;
+ }
+
+ if (read_buffer(devfd, hdr, hdr_size) < hdr_size)
+ r = -EIO;
+ else {
+ LUKS_fix_header_compatible(hdr);
+ r = _check_and_convert_hdr(backup_file, hdr,
+ require_luks_device, 0, ctx);
+ }
+
+ close(devfd);
+ return r;
+}
+
+int LUKS_read_phdr(struct luks_phdr *hdr,
+ int require_luks_device,
+ int repair,
+ struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ ssize_t hdr_size = sizeof(struct luks_phdr);
+ int devfd = 0, r = 0;
+
+ /* LUKS header starts at offset 0, first keyslot on LUKS_ALIGN_KEYSLOTS */
+ assert(sizeof(struct luks_phdr) <= LUKS_ALIGN_KEYSLOTS);
+
+ /* Stripes count cannot be changed without additional code fixes yet */
+ assert(LUKS_STRIPES == 4000);
+
+ if (repair && !require_luks_device)
+ return -EINVAL;
+
+ log_dbg("Reading LUKS header of size %zu from device %s",
+ hdr_size, device_path(device));
+
+ devfd = device_open(device, O_RDONLY);
+ if (devfd < 0) {
+ log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
+ return -EINVAL;
+ }
+
+ if (read_blockwise(devfd, device_block_size(device), hdr, hdr_size) < hdr_size)
+ r = -EIO;
+ else
+ r = _check_and_convert_hdr(device_path(device), hdr, require_luks_device,
+ repair, ctx);
+
+ if (!r)
+ r = LUKS_check_device_size(ctx, hdr->keyBytes);
+
+ /*
+ * Cryptsetup 1.0.0 did not align keyslots to 4k (very rare version).
+ * Disable direct-io to avoid possible IO errors if underlying device
+ * has bigger sector size.
+ */
+ if (!r && hdr->keyblock[0].keyMaterialOffset * SECTOR_SIZE < LUKS_ALIGN_KEYSLOTS) {
+ log_dbg("Old unaligned LUKS keyslot detected, disabling direct-io.");
+ device_disable_direct_io(device);
+ }
+
+ close(devfd);
+ return r;
+}
+
+int LUKS_write_phdr(struct luks_phdr *hdr,
+ struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ ssize_t hdr_size = sizeof(struct luks_phdr);
+ int devfd = 0;
+ unsigned int i;
+ struct luks_phdr convHdr;
+ int r;
+
+ log_dbg("Updating LUKS header of size %zu on device %s",
+ sizeof(struct luks_phdr), device_path(device));
+
+ r = LUKS_check_device_size(ctx, hdr->keyBytes);
+ if (r)
+ return r;
+
+ devfd = device_open(device, O_RDWR);
+ if (devfd < 0) {
+ if (errno == EACCES)
+ log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
+ device_path(device));
+ else
+ log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
+ return -EINVAL;
+ }
+
+ memcpy(&convHdr, hdr, hdr_size);
+ memset(&convHdr._padding, 0, sizeof(convHdr._padding));
+
+ /* Convert every uint16/32_t item to network byte order */
+ convHdr.version = htons(hdr->version);
+ convHdr.payloadOffset = htonl(hdr->payloadOffset);
+ convHdr.keyBytes = htonl(hdr->keyBytes);
+ convHdr.mkDigestIterations = htonl(hdr->mkDigestIterations);
+ for(i = 0; i < LUKS_NUMKEYS; ++i) {
+ convHdr.keyblock[i].active = htonl(hdr->keyblock[i].active);
+ convHdr.keyblock[i].passwordIterations = htonl(hdr->keyblock[i].passwordIterations);
+ convHdr.keyblock[i].keyMaterialOffset = htonl(hdr->keyblock[i].keyMaterialOffset);
+ convHdr.keyblock[i].stripes = htonl(hdr->keyblock[i].stripes);
+ }
+
+ r = write_blockwise(devfd, device_block_size(device), &convHdr, hdr_size) < hdr_size ? -EIO : 0;
+ if (r)
+ log_err(ctx, _("Error during update of LUKS header on device %s.\n"), device_path(device));
+ close(devfd);
+
+ /* Re-read header from disk to be sure that in-memory and on-disk data are the same. */
+ if (!r) {
+ r = LUKS_read_phdr(hdr, 1, 0, ctx);
+ if (r)
+ log_err(ctx, _("Error re-reading LUKS header after update on device %s.\n"),
+ device_path(device));
+ }
+
+ return r;
+}
+
+/* Check that kernel supports requested cipher by decryption of one sector */
+static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
+{
+ int r;
+ struct volume_key *empty_key;
+ char buf[SECTOR_SIZE];
+
+ log_dbg("Checking if cipher %s-%s is usable.", hdr->cipherName, hdr->cipherMode);
+
+ empty_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+ if (!empty_key)
+ return -ENOMEM;
+
+ /* No need to get KEY quality random but it must avoid known weak keys. */
+ r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
+ if (!r)
+ r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
+ hdr->cipherMode, empty_key, 0, ctx);
+
+ crypt_free_volume_key(empty_key);
+ crypt_memzero(buf, sizeof(buf));
+ return r;
+}
+
+int LUKS_generate_phdr(struct luks_phdr *header,
+ const struct volume_key *vk,
+ const char *cipherName, const char *cipherMode, const char *hashSpec,
+ const char *uuid, unsigned int stripes,
+ unsigned int alignPayload,
+ unsigned int alignOffset,
+ uint32_t iteration_time_ms,
+ uint64_t *PBKDF2_per_sec,
+ int detached_metadata_device,
+ struct crypt_device *ctx)
+{
+ unsigned int i = 0, hdr_sectors = LUKS_device_sectors(vk->keylength);
+ size_t blocksPerStripeSet, currentSector;
+ int r;
+ uuid_t partitionUuid;
+ char luksMagic[] = LUKS_MAGIC;
+
+ /* For separate metadata device allow zero alignment */
+ if (alignPayload == 0 && !detached_metadata_device)
+ alignPayload = DEFAULT_DISK_ALIGNMENT / SECTOR_SIZE;
+
+ if (alignPayload && detached_metadata_device && alignPayload < hdr_sectors) {
+ log_err(ctx, _("Data offset for detached LUKS header must be "
+ "either 0 or higher than header size (%d sectors).\n"),
+ hdr_sectors);
+ return -EINVAL;
+ }
+
+ if (crypt_hmac_size(hashSpec) < LUKS_DIGESTSIZE) {
+ log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hashSpec);
+ return -EINVAL;
+ }
+
+ if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
+ log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
+ return -EINVAL;
+ }
+ if (!uuid)
+ uuid_generate(partitionUuid);
+
+ memset(header,0,sizeof(struct luks_phdr));
+
+ /* Set Magic */
+ memcpy(header->magic,luksMagic,LUKS_MAGIC_L);
+ header->version=1;
+ strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L-1);
+ strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L-1);
+ strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L-1);
+
+ header->keyBytes=vk->keylength;
+
+ LUKS_fix_header_compatible(header);
+
+ r = LUKS_check_cipher(header, ctx);
+ if (r < 0)
+ return r;
+
+ log_dbg("Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes",
+ header->version, header->hashSpec ,header->cipherName, header->cipherMode,
+ header->keyBytes);
+
+ r = crypt_random_get(ctx, header->mkDigestSalt, LUKS_SALTSIZE, CRYPT_RND_SALT);
+ if(r < 0) {
+ log_err(ctx, _("Cannot create LUKS header: reading random salt failed.\n"));
+ return r;
+ }
+
+ r = crypt_benchmark_kdf(ctx, "pbkdf2", header->hashSpec,
+ "foo", 3, "bar", 3, PBKDF2_per_sec);
+ if (r < 0) {
+ log_err(ctx, _("Not compatible PBKDF2 options (using hash algorithm %s).\n"),
+ header->hashSpec);
+ return r;
+ }
+
+ /* Compute master key digest */
+ iteration_time_ms /= 8;
+ header->mkDigestIterations = at_least((uint32_t)(*PBKDF2_per_sec/1024) * iteration_time_ms,
+ LUKS_MKD_ITERATIONS_MIN);
+
+ r = crypt_pbkdf("pbkdf2", header->hashSpec, vk->key,vk->keylength,
+ header->mkDigestSalt, LUKS_SALTSIZE,
+ header->mkDigest,LUKS_DIGESTSIZE,
+ header->mkDigestIterations);
+ if(r < 0) {
+ log_err(ctx, _("Cannot create LUKS header: header digest failed (using hash %s).\n"),
+ header->hashSpec);
+ return r;
+ }
+
+ currentSector = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
+ blocksPerStripeSet = AF_split_sectors(vk->keylength, stripes);
+ for(i = 0; i < LUKS_NUMKEYS; ++i) {
+ header->keyblock[i].active = LUKS_KEY_DISABLED;
+ header->keyblock[i].keyMaterialOffset = currentSector;
+ header->keyblock[i].stripes = stripes;
+ currentSector = size_round_up(currentSector + blocksPerStripeSet,
+ LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
+ }
+
+ if (detached_metadata_device) {
+ /* for separate metadata device use alignPayload directly */
+ header->payloadOffset = alignPayload;
+ } else {
+ /* alignOffset - offset from natural device alignment provided by topology info */
+ currentSector = size_round_up(currentSector, alignPayload);
+ header->payloadOffset = currentSector + alignOffset;
+ }
+
+ uuid_unparse(partitionUuid, header->uuid);
+
+ log_dbg("Data offset %d, UUID %s, digest iterations %" PRIu32,
+ header->payloadOffset, header->uuid, header->mkDigestIterations);
+
+ return 0;
+}
+
+int LUKS_hdr_uuid_set(
+ struct luks_phdr *hdr,
+ const char *uuid,
+ struct crypt_device *ctx)
+{
+ uuid_t partitionUuid;
+
+ if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
+ log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
+ return -EINVAL;
+ }
+ if (!uuid)
+ uuid_generate(partitionUuid);
+
+ uuid_unparse(partitionUuid, hdr->uuid);
+
+ return LUKS_write_phdr(hdr, ctx);
+}
+
+int LUKS_set_key(unsigned int keyIndex,
+ const char *password, size_t passwordLen,
+ struct luks_phdr *hdr, struct volume_key *vk,
+ uint32_t iteration_time_ms,
+ uint64_t *PBKDF2_per_sec,
+ struct crypt_device *ctx)
+{
+ struct volume_key *derived_key;
+ char *AfKey = NULL;
+ size_t AFEKSize;
+ uint64_t PBKDF2_temp;
+ int r;
+
+ if(hdr->keyblock[keyIndex].active != LUKS_KEY_DISABLED) {
+ log_err(ctx, _("Key slot %d active, purge first.\n"), keyIndex);
+ return -EINVAL;
+ }
+
+ /* LUKS keyslot has always at least 4000 stripes accoding to specification */
+ if(hdr->keyblock[keyIndex].stripes < 4000) {
+ log_err(ctx, _("Key slot %d material includes too few stripes. Header manipulation?\n"),
+ keyIndex);
+ return -EINVAL;
+ }
+
+ log_dbg("Calculating data for key slot %d", keyIndex);
+
+ r = crypt_benchmark_kdf(ctx, "pbkdf2", hdr->hashSpec,
+ "foo", 3, "bar", 3, PBKDF2_per_sec);
+ if (r < 0) {
+ log_err(ctx, _("Not compatible PBKDF2 options (using hash algorithm %s).\n"),
+ hdr->hashSpec);
+ return r;
+ }
+
+ /*
+ * Avoid floating point operation
+ * Final iteration count is at least LUKS_SLOT_ITERATIONS_MIN
+ */
+ PBKDF2_temp = *PBKDF2_per_sec * (uint64_t)iteration_time_ms;
+ PBKDF2_temp /= 1024;
+ if (PBKDF2_temp > UINT32_MAX)
+ PBKDF2_temp = UINT32_MAX;
+ hdr->keyblock[keyIndex].passwordIterations = at_least((uint32_t)PBKDF2_temp,
+ LUKS_SLOT_ITERATIONS_MIN);
+
+ log_dbg("Key slot %d use %" PRIu32 " password iterations.", keyIndex, hdr->keyblock[keyIndex].passwordIterations);
+
+ derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+ if (!derived_key)
+ return -ENOMEM;
+
+ r = crypt_random_get(ctx, hdr->keyblock[keyIndex].passwordSalt,
+ LUKS_SALTSIZE, CRYPT_RND_SALT);
+ if (r < 0)
+ goto out;
+
+ r = crypt_pbkdf("pbkdf2", hdr->hashSpec, password, passwordLen,
+ hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
+ derived_key->key, hdr->keyBytes,
+ hdr->keyblock[keyIndex].passwordIterations);
+ if (r < 0)
+ goto out;
+
+ /*
+ * AF splitting, the masterkey stored in vk->key is split to AfKey
+ */
+ assert(vk->keylength == hdr->keyBytes);
+ AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
+ AfKey = crypt_safe_alloc(AFEKSize);
+ if (!AfKey) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ log_dbg("Using hash %s for AF in key slot %d, %d stripes",
+ hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes);
+ r = AF_split(vk->key,AfKey,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
+ if (r < 0)
+ goto out;
+
+ log_dbg("Updating key slot %d [0x%04x] area.", keyIndex,
+ hdr->keyblock[keyIndex].keyMaterialOffset << 9);
+ /* Encryption via dm */
+ r = LUKS_encrypt_to_storage(AfKey,
+ AFEKSize,
+ hdr->cipherName, hdr->cipherMode,
+ derived_key,
+ hdr->keyblock[keyIndex].keyMaterialOffset,
+ ctx);
+ if (r < 0)
+ goto out;
+
+ /* Mark the key as active in phdr */
+ r = LUKS_keyslot_set(hdr, (int)keyIndex, 1);
+ if (r < 0)
+ goto out;
+
+ r = LUKS_write_phdr(hdr, ctx);
+ if (r < 0)
+ goto out;
+
+ r = 0;
+out:
+ crypt_safe_free(AfKey);
+ crypt_free_volume_key(derived_key);
+ return r;
+}
+
+/* Check whether a volume key is invalid. */
+int LUKS_verify_volume_key(const struct luks_phdr *hdr,
+ const struct volume_key *vk)
+{
+ char checkHashBuf[LUKS_DIGESTSIZE];
+
+ if (crypt_pbkdf("pbkdf2", hdr->hashSpec, vk->key, vk->keylength,
+ hdr->mkDigestSalt, LUKS_SALTSIZE,
+ checkHashBuf, LUKS_DIGESTSIZE,
+ hdr->mkDigestIterations) < 0)
+ return -EINVAL;
+
+ if (memcmp(checkHashBuf, hdr->mkDigest, LUKS_DIGESTSIZE))
+ return -EPERM;
+
+ return 0;
+}
+
+/* Try to open a particular key slot */
+static int LUKS_open_key(unsigned int keyIndex,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct volume_key *vk,
+ struct crypt_device *ctx)
+{
+ crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
+ struct volume_key *derived_key;
+ char *AfKey;
+ size_t AFEKSize;
+ int r;
+
+ log_dbg("Trying to open key slot %d [%s].", keyIndex,
+ dbg_slot_state(ki));
+
+ if (ki < CRYPT_SLOT_ACTIVE)
+ return -ENOENT;
+
+ derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+ if (!derived_key)
+ return -ENOMEM;
+
+ assert(vk->keylength == hdr->keyBytes);
+ AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
+ AfKey = crypt_safe_alloc(AFEKSize);
+ if (!AfKey) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = crypt_pbkdf("pbkdf2", hdr->hashSpec, password, passwordLen,
+ hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
+ derived_key->key, hdr->keyBytes,
+ hdr->keyblock[keyIndex].passwordIterations);
+ if (r < 0)
+ goto out;
+
+ log_dbg("Reading key slot %d area.", keyIndex);
+ r = LUKS_decrypt_from_storage(AfKey,
+ AFEKSize,
+ hdr->cipherName, hdr->cipherMode,
+ derived_key,
+ hdr->keyblock[keyIndex].keyMaterialOffset,
+ ctx);
+ if (r < 0)
+ goto out;
+
+ r = AF_merge(AfKey,vk->key,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
+ if (r < 0)
+ goto out;
+
+ r = LUKS_verify_volume_key(hdr, vk);
+
+ /* Allow only empty passphrase with null cipher */
+ if (!r && !strcmp(hdr->cipherName, "cipher_null") && passwordLen)
+ r = -EPERM;
+
+ if (!r)
+ log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
+out:
+ crypt_safe_free(AfKey);
+ crypt_free_volume_key(derived_key);
+ return r;
+}
+
+int LUKS_open_key_with_hdr(int keyIndex,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct volume_key **vk,
+ struct crypt_device *ctx)
+{
+ unsigned int i;
+ int r;
+
+ *vk = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+
+ if (keyIndex >= 0) {
+ r = LUKS_open_key(keyIndex, password, passwordLen, hdr, *vk, ctx);
+ return (r < 0) ? r : keyIndex;
+ }
+
+ for(i = 0; i < LUKS_NUMKEYS; i++) {
+ r = LUKS_open_key(i, password, passwordLen, hdr, *vk, ctx);
+ if(r == 0)
+ return i;
+
+ /* Do not retry for errors that are no -EPERM or -ENOENT,
+ former meaning password wrong, latter key slot inactive */
+ if ((r != -EPERM) && (r != -ENOENT))
+ return r;
+ }
+ /* Warning, early returns above */
+ log_err(ctx, _("No key available with this passphrase.\n"));
+ return -EPERM;
+}
+
+int LUKS_del_key(unsigned int keyIndex,
+ struct luks_phdr *hdr,
+ struct crypt_device *ctx)
+{
+ struct device *device = crypt_metadata_device(ctx);
+ unsigned int startOffset, endOffset;
+ int r;
+
+ r = LUKS_read_phdr(hdr, 1, 0, ctx);
+ if (r)
+ return r;
+
+ r = LUKS_keyslot_set(hdr, keyIndex, 0);
+ if (r) {
+ log_err(ctx, _("Key slot %d is invalid, please select keyslot between 0 and %d.\n"),
+ keyIndex, LUKS_NUMKEYS - 1);
+ return r;
+ }
+
+ /* secure deletion of key material */
+ startOffset = hdr->keyblock[keyIndex].keyMaterialOffset;
+ endOffset = startOffset + AF_split_sectors(hdr->keyBytes, hdr->keyblock[keyIndex].stripes);
+
+ r = crypt_wipe(device, startOffset * SECTOR_SIZE,
+ (endOffset - startOffset) * SECTOR_SIZE,
+ CRYPT_WIPE_DISK, 0);
+ if (r) {
+ if (r == -EACCES) {
+ log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
+ device_path(device));
+ r = -EINVAL;
+ } else
+ log_err(ctx, _("Cannot wipe device %s.\n"),
+ device_path(device));
+ return r;
+ }
+
+ /* Wipe keyslot info */
+ memset(&hdr->keyblock[keyIndex].passwordSalt, 0, LUKS_SALTSIZE);
+ hdr->keyblock[keyIndex].passwordIterations = 0;
+
+ r = LUKS_write_phdr(hdr, ctx);
+
+ return r;
+}
+
+crypt_keyslot_info LUKS_keyslot_info(struct luks_phdr *hdr, int keyslot)
+{
+ int i;
+
+ if(keyslot >= LUKS_NUMKEYS || keyslot < 0)
+ return CRYPT_SLOT_INVALID;
+
+ if (hdr->keyblock[keyslot].active == LUKS_KEY_DISABLED)
+ return CRYPT_SLOT_INACTIVE;
+
+ if (hdr->keyblock[keyslot].active != LUKS_KEY_ENABLED)
+ return CRYPT_SLOT_INVALID;
+
+ for(i = 0; i < LUKS_NUMKEYS; i++)
+ if(i != keyslot && hdr->keyblock[i].active == LUKS_KEY_ENABLED)
+ return CRYPT_SLOT_ACTIVE;
+
+ return CRYPT_SLOT_ACTIVE_LAST;
+}
+
+int LUKS_keyslot_find_empty(struct luks_phdr *hdr)
+{
+ int i;
+
+ for (i = 0; i < LUKS_NUMKEYS; i++)
+ if(hdr->keyblock[i].active == LUKS_KEY_DISABLED)
+ break;
+
+ if (i == LUKS_NUMKEYS)
+ return -EINVAL;
+
+ return i;
+}
+
+int LUKS_keyslot_active_count(struct luks_phdr *hdr)
+{
+ int i, num = 0;
+
+ for (i = 0; i < LUKS_NUMKEYS; i++)
+ if(hdr->keyblock[i].active == LUKS_KEY_ENABLED)
+ num++;
+
+ return num;
+}
+
+int LUKS_keyslot_set(struct luks_phdr *hdr, int keyslot, int enable)
+{
+ crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyslot);
+
+ if (ki == CRYPT_SLOT_INVALID)
+ return -EINVAL;
+
+ hdr->keyblock[keyslot].active = enable ? LUKS_KEY_ENABLED : LUKS_KEY_DISABLED;
+ log_dbg("Key slot %d was %s in LUKS header.", keyslot, enable ? "enabled" : "disabled");
+ return 0;
+}
+
+int LUKS1_activate(struct crypt_device *cd,
+ const char *name,
+ struct volume_key *vk,
+ uint32_t flags)
+{
+ int r;
+ char *dm_cipher = NULL;
+ enum devcheck device_check;
+ struct crypt_dm_active_device dmd = {
+ .target = DM_CRYPT,
+ .uuid = crypt_get_uuid(cd),
+ .flags = flags,
+ .size = 0,
+ .data_device = crypt_data_device(cd),
+ .u.crypt = {
+ .cipher = NULL,
+ .vk = vk,
+ .offset = crypt_get_data_offset(cd),
+ .iv_offset = 0,
+ }
+ };
+
+ if (dmd.flags & CRYPT_ACTIVATE_SHARED)
+ device_check = DEV_SHARED;
+ else
+ device_check = DEV_EXCL;
+
+ r = device_block_adjust(cd, dmd.data_device, device_check,
+ dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ if (r)
+ return r;
+
+ r = asprintf(&dm_cipher, "%s-%s", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
+ if (r < 0)
+ return -ENOMEM;
+
+ dmd.u.crypt.cipher = dm_cipher;
+ r = dm_create_device(cd, name, CRYPT_LUKS1, &dmd, 0);
+
+ free(dm_cipher);
+ return r;
+}
diff --git a/lib/luks1/luks.h b/lib/luks1/luks.h
new file mode 100644
index 0000000..5d4b9dd
--- /dev/null
+++ b/lib/luks1/luks.h
@@ -0,0 +1,181 @@
+/*
+ * LUKS - Linux Unified Key Setup
+ *
+ * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef INCLUDED_CRYPTSETUP_LUKS_LUKS_H
+#define INCLUDED_CRYPTSETUP_LUKS_LUKS_H
+
+/*
+ * LUKS partition header
+ */
+
+#include "libcryptsetup.h"
+
+#define LUKS_CIPHERNAME_L 32
+#define LUKS_CIPHERMODE_L 32
+#define LUKS_HASHSPEC_L 32
+#define LUKS_DIGESTSIZE 20 // since SHA1
+#define LUKS_HMACSIZE 32
+#define LUKS_SALTSIZE 32
+#define LUKS_NUMKEYS 8
+
+// Minimal number of iterations
+#define LUKS_MKD_ITERATIONS_MIN 1000
+#define LUKS_SLOT_ITERATIONS_MIN 1000
+
+#define LUKS_KEY_DISABLED_OLD 0
+#define LUKS_KEY_ENABLED_OLD 0xCAFE
+
+#define LUKS_KEY_DISABLED 0x0000DEAD
+#define LUKS_KEY_ENABLED 0x00AC71F3
+
+#define LUKS_STRIPES 4000
+
+// partition header starts with magic
+#define LUKS_MAGIC {'L','U','K','S', 0xba, 0xbe};
+#define LUKS_MAGIC_L 6
+
+/* Actually we need only 37, but we don't want struct autoaligning to kick in */
+#define UUID_STRING_L 40
+
+/* Offset to keyslot area [in bytes] */
+#define LUKS_ALIGN_KEYSLOTS 4096
+
+/* Any integer values are stored in network byte order on disk and must be
+converted */
+
+struct volume_key;
+struct device_backend;
+
+struct luks_phdr {
+ char magic[LUKS_MAGIC_L];
+ uint16_t version;
+ char cipherName[LUKS_CIPHERNAME_L];
+ char cipherMode[LUKS_CIPHERMODE_L];
+ char hashSpec[LUKS_HASHSPEC_L];
+ uint32_t payloadOffset;
+ uint32_t keyBytes;
+ char mkDigest[LUKS_DIGESTSIZE];
+ char mkDigestSalt[LUKS_SALTSIZE];
+ uint32_t mkDigestIterations;
+ char uuid[UUID_STRING_L];
+
+ struct {
+ uint32_t active;
+
+ /* parameters used for password processing */
+ uint32_t passwordIterations;
+ char passwordSalt[LUKS_SALTSIZE];
+
+ /* parameters used for AF store/load */
+ uint32_t keyMaterialOffset;
+ uint32_t stripes;
+ } keyblock[LUKS_NUMKEYS];
+
+ /* Align it to 512 sector size */
+ char _padding[432];
+};
+
+int LUKS_verify_volume_key(const struct luks_phdr *hdr,
+ const struct volume_key *vk);
+
+int LUKS_generate_phdr(
+ struct luks_phdr *header,
+ const struct volume_key *vk,
+ const char *cipherName,
+ const char *cipherMode,
+ const char *hashSpec,
+ const char *uuid,
+ unsigned int stripes,
+ unsigned int alignPayload,
+ unsigned int alignOffset,
+ uint32_t iteration_time_ms,
+ uint64_t *PBKDF2_per_sec,
+ int detached_metadata_device,
+ struct crypt_device *ctx);
+
+int LUKS_read_phdr(
+ struct luks_phdr *hdr,
+ int require_luks_device,
+ int repair,
+ struct crypt_device *ctx);
+
+int LUKS_read_phdr_backup(
+ const char *backup_file,
+ struct luks_phdr *hdr,
+ int require_luks_device,
+ struct crypt_device *ctx);
+
+int LUKS_hdr_uuid_set(
+ struct luks_phdr *hdr,
+ const char *uuid,
+ struct crypt_device *ctx);
+
+int LUKS_hdr_backup(
+ const char *backup_file,
+ struct crypt_device *ctx);
+
+int LUKS_hdr_restore(
+ const char *backup_file,
+ struct luks_phdr *hdr,
+ struct crypt_device *ctx);
+
+int LUKS_write_phdr(
+ struct luks_phdr *hdr,
+ struct crypt_device *ctx);
+
+int LUKS_set_key(
+ unsigned int keyIndex,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct volume_key *vk,
+ uint32_t iteration_time_ms,
+ uint64_t *PBKDF2_per_sec,
+ struct crypt_device *ctx);
+
+int LUKS_open_key_with_hdr(
+ int keyIndex,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct volume_key **vk,
+ struct crypt_device *ctx);
+
+int LUKS_del_key(
+ unsigned int keyIndex,
+ struct luks_phdr *hdr,
+ struct crypt_device *ctx);
+
+crypt_keyslot_info LUKS_keyslot_info(struct luks_phdr *hdr, int keyslot);
+int LUKS_keyslot_find_empty(struct luks_phdr *hdr);
+int LUKS_keyslot_active_count(struct luks_phdr *hdr);
+int LUKS_keyslot_set(struct luks_phdr *hdr, int keyslot, int enable);
+int LUKS_keyslot_area(const struct luks_phdr *hdr,
+ int keyslot,
+ uint64_t *offset,
+ uint64_t *length);
+
+int LUKS1_activate(struct crypt_device *cd,
+ const char *name,
+ struct volume_key *vk,
+ uint32_t flags);
+
+#endif
diff --git a/lib/nls.h b/lib/nls.h
new file mode 100644
index 0000000..39760b1
--- /dev/null
+++ b/lib/nls.h
@@ -0,0 +1,34 @@
+#ifndef CRYPTSETUP_NLS_H
+#define CRYPTSETUP_NLS_H
+
+#ifndef LOCALEDIR
+#define LOCALEDIR "/usr/share/locale"
+#endif
+
+#ifdef HAVE_LOCALE_H
+# include <locale.h>
+#else
+# undef setlocale
+# define setlocale(Category, Locale) /* empty */
+#endif
+
+#ifdef ENABLE_NLS
+# include <libintl.h>
+# define _(Text) gettext (Text)
+# ifdef gettext_noop
+# define N_(String) gettext_noop (String)
+# else
+# define N_(String) (String)
+# endif
+#else
+# undef bindtextdomain
+# define bindtextdomain(Domain, Directory) /* empty */
+# undef textdomain
+# define textdomain(Domain) /* empty */
+# define _(Text) (Text)
+# define N_(Text) (Text)
+# define ngettext(Singular, Plural, Count) \
+ ( (Count) == 1 ? (Singular) : (Plural) )
+#endif
+
+#endif /* CRYPTSETUP_NLS_H */
diff --git a/lib/random.c b/lib/random.c
new file mode 100644
index 0000000..f8cba0c
--- /dev/null
+++ b/lib/random.c
@@ -0,0 +1,251 @@
+/*
+ * cryptsetup kernel RNG access functions
+ *
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/select.h>
+
+#include "libcryptsetup.h"
+#include "internal.h"
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+static int random_initialised = 0;
+
+#define URANDOM_DEVICE "/dev/urandom"
+static int urandom_fd = -1;
+
+#define RANDOM_DEVICE "/dev/random"
+static int random_fd = -1;
+
+/* Read random chunk - gathered data usually appears with this granularity */
+#define RANDOM_DEVICE_CHUNK 8
+
+/* Timeout to print warning if no random data (entropy) */
+#define RANDOM_DEVICE_TIMEOUT 5
+
+/* URANDOM_DEVICE access */
+static int _get_urandom(struct crypt_device *ctx __attribute__((unused)),
+ char *buf, size_t len)
+{
+ int r;
+ size_t old_len = len;
+ char *old_buf = buf;
+
+ assert(urandom_fd != -1);
+
+ while(len) {
+ r = read(urandom_fd, buf, len);
+ if (r == -1 && errno != EINTR)
+ return -EINVAL;
+ if (r > 0) {
+ len -= r;
+ buf += r;
+ }
+ }
+
+ assert(len == 0);
+ assert((size_t)(buf - old_buf) == old_len);
+
+ return 0;
+}
+
+static void _get_random_progress(struct crypt_device *ctx, int warn,
+ size_t expected_len, size_t read_len)
+{
+ if (warn)
+ log_std(ctx,
+ _("System is out of entropy while generating volume key.\n"
+ "Please move mouse or type some text in another window "
+ "to gather some random events.\n"));
+
+ log_std(ctx, _("Generating key (%d%% done).\n"),
+ (int)((expected_len - read_len) * 100 / expected_len));
+}
+
+/* RANDOM_DEVICE access */
+static int _get_random(struct crypt_device *ctx, char *buf, size_t len)
+{
+ int r, warn_once = 1;
+ size_t n, old_len = len;
+ char *old_buf = buf;
+ fd_set fds;
+ struct timeval tv;
+
+ assert(random_fd != -1);
+
+ while (len) {
+ FD_ZERO(&fds);
+ FD_SET(random_fd, &fds);
+
+ tv.tv_sec = RANDOM_DEVICE_TIMEOUT;
+ tv.tv_usec = 0;
+
+ r = select(random_fd + 1, &fds, NULL, NULL, &tv);
+ if(r == -1)
+ return -EINVAL;
+
+ if(!r) {
+ _get_random_progress(ctx, warn_once, old_len, len);
+ warn_once = 0;
+ continue;
+ }
+
+ do {
+ n = RANDOM_DEVICE_CHUNK;
+ if (len < RANDOM_DEVICE_CHUNK)
+ n = len;
+
+ r = read(random_fd, buf, n);
+
+ if (r == -1 && errno == EINTR) {
+ r = 0;
+ continue;
+ }
+
+ /* bogus read? */
+ if(r > (int)n)
+ return -EINVAL;
+
+ /* random device is opened with O_NONBLOCK, EAGAIN is expected */
+ if (r == -1 && (errno != EAGAIN && errno != EWOULDBLOCK))
+ return -EINVAL;
+
+ if (r > 0) {
+ len -= r;
+ buf += r;
+ }
+ } while (len && r > 0);
+ }
+
+ assert(len == 0);
+ assert((size_t)(buf - old_buf) == old_len);
+
+ if (!warn_once)
+ _get_random_progress(ctx, 0, old_len, len);
+
+ return 0;
+}
+/* Initialisation of both RNG file descriptors is mandatory */
+int crypt_random_init(struct crypt_device *ctx)
+{
+ if (random_initialised)
+ return 0;
+
+ /* Used for CRYPT_RND_NORMAL */
+ if(urandom_fd == -1)
+ urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
+ if(urandom_fd == -1)
+ goto fail;
+
+ /* Used for CRYPT_RND_KEY */
+ if(random_fd == -1)
+ random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
+ if(random_fd == -1)
+ goto fail;
+
+ if (crypt_fips_mode())
+ log_verbose(ctx, _("Running in FIPS mode.\n"));
+
+ random_initialised = 1;
+ return 0;
+fail:
+ crypt_random_exit();
+ log_err(ctx, _("Fatal error during RNG initialisation.\n"));
+ return -ENOSYS;
+}
+
+int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality)
+{
+ int status, rng_type;
+
+ switch(quality) {
+ case CRYPT_RND_NORMAL:
+ status = _get_urandom(ctx, buf, len);
+ break;
+ case CRYPT_RND_SALT:
+ if (crypt_fips_mode())
+ status = crypt_backend_rng(buf, len, quality, 1);
+ else
+ status = _get_urandom(ctx, buf, len);
+ break;
+ case CRYPT_RND_KEY:
+ if (crypt_fips_mode()) {
+ status = crypt_backend_rng(buf, len, quality, 1);
+ break;
+ }
+ rng_type = ctx ? crypt_get_rng_type(ctx) :
+ crypt_random_default_key_rng();
+ switch (rng_type) {
+ case CRYPT_RNG_URANDOM:
+ status = _get_urandom(ctx, buf, len);
+ break;
+ case CRYPT_RNG_RANDOM:
+ status = _get_random(ctx, buf, len);
+ break;
+ default:
+ abort();
+ }
+ break;
+ default:
+ log_err(ctx, _("Unknown RNG quality requested.\n"));
+ return -EINVAL;
+ }
+
+ if (status)
+ log_err(ctx, _("Error %d reading from RNG: %s\n"),
+ errno, strerror(errno));
+
+ return status;
+}
+
+void crypt_random_exit(void)
+{
+ random_initialised = 0;
+
+ if(random_fd != -1) {
+ (void)close(random_fd);
+ random_fd = -1;
+ }
+
+ if(urandom_fd != -1) {
+ (void)close(urandom_fd);
+ urandom_fd = -1;
+ }
+}
+
+int crypt_random_default_key_rng(void)
+{
+ /* coverity[pointless_string_compare] */
+ if (!strcmp(DEFAULT_RNG, RANDOM_DEVICE))
+ return CRYPT_RNG_RANDOM;
+
+ /* coverity[pointless_string_compare] */
+ if (!strcmp(DEFAULT_RNG, URANDOM_DEVICE))
+ return CRYPT_RNG_URANDOM;
+
+ /* RNG misconfiguration is fatal */
+ abort();
+}
diff --git a/lib/setup.c b/lib/setup.c
new file mode 100644
index 0000000..ee14c63
--- /dev/null
+++ b/lib/setup.c
@@ -0,0 +1,2556 @@
+/*
+ * libcryptsetup - cryptsetup library
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <sys/utsname.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include "libcryptsetup.h"
+#include "luks.h"
+#include "loopaes.h"
+#include "verity.h"
+#include "tcrypt.h"
+#include "internal.h"
+
+struct crypt_device {
+ char *type;
+
+ struct device *device;
+ struct device *metadata_device;
+
+ struct volume_key *volume_key;
+ uint64_t iteration_time;
+ int rng_type;
+
+ // FIXME: private binary headers and access it properly
+ // through sub-library (LUKS1, TCRYPT)
+
+ union {
+ struct { /* used in CRYPT_LUKS1 */
+ struct luks_phdr hdr;
+ uint64_t PBKDF2_per_sec;
+ } luks1;
+ struct { /* used in CRYPT_PLAIN */
+ struct crypt_params_plain hdr;
+ char *cipher;
+ char *cipher_mode;
+ unsigned int key_size;
+ } plain;
+ struct { /* used in CRYPT_LOOPAES */
+ struct crypt_params_loopaes hdr;
+ char *cipher;
+ char *cipher_mode;
+ unsigned int key_size;
+ } loopaes;
+ struct { /* used in CRYPT_VERITY */
+ struct crypt_params_verity hdr;
+ char *root_hash;
+ unsigned int root_hash_size;
+ char *uuid;
+ struct device *fec_device;
+ } verity;
+ struct { /* used in CRYPT_TCRYPT */
+ struct crypt_params_tcrypt params;
+ struct tcrypt_phdr hdr;
+ } tcrypt;
+ struct { /* used if initialized without header by name */
+ char *active_name;
+ /* buffers, must refresh from kernel on every query */
+ char cipher[MAX_CIPHER_LEN];
+ char cipher_mode[MAX_CIPHER_LEN];
+ unsigned int key_size;
+ unsigned int veracrypt_pim;
+ } none;
+ } u;
+
+ /* callbacks definitions */
+ void (*log)(int level, const char *msg, void *usrptr);
+ void *log_usrptr;
+ int (*confirm)(const char *msg, void *usrptr);
+ void *confirm_usrptr;
+};
+
+/* Just to suppress redundant messages about crypto backend */
+static int _crypto_logged = 0;
+
+/* Log helper */
+static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
+static int _debug_level = 0;
+
+void crypt_set_debug_level(int level)
+{
+ _debug_level = level;
+}
+
+int crypt_get_debug_level(void)
+{
+ return _debug_level;
+}
+
+void crypt_log(struct crypt_device *cd, int level, const char *msg)
+{
+ if (cd && cd->log)
+ cd->log(level, msg, cd->log_usrptr);
+ else if (_default_log)
+ _default_log(level, msg, NULL);
+}
+
+__attribute__((format(printf, 5, 6)))
+void logger(struct crypt_device *cd, int level, const char *file,
+ int line, const char *format, ...)
+{
+ va_list argp;
+ char *target = NULL;
+
+ va_start(argp, format);
+
+ if (vasprintf(&target, format, argp) > 0 ) {
+ if (level >= 0) {
+ crypt_log(cd, level, target);
+#ifdef CRYPT_DEBUG
+ } else if (_debug_level)
+ printf("# %s:%d %s\n", file ?: "?", line, target);
+#else
+ } else if (_debug_level)
+ printf("# %s\n", target);
+#endif
+ }
+
+ va_end(argp);
+ free(target);
+}
+
+static const char *mdata_device_path(struct crypt_device *cd)
+{
+ return device_path(cd->metadata_device ?: cd->device);
+}
+
+/* internal only */
+struct device *crypt_metadata_device(struct crypt_device *cd)
+{
+ return cd->metadata_device ?: cd->device;
+}
+
+struct device *crypt_data_device(struct crypt_device *cd)
+{
+ return cd->device;
+}
+
+int init_crypto(struct crypt_device *ctx)
+{
+ struct utsname uts;
+ int r;
+
+ r = crypt_random_init(ctx);
+ if (r < 0) {
+ log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
+ return r;
+ }
+
+ r = crypt_backend_init(ctx);
+ if (r < 0)
+ log_err(ctx, _("Cannot initialize crypto backend.\n"));
+
+ if (!r && !_crypto_logged) {
+ log_dbg("Crypto backend (%s) initialized in cryptsetup library version %s.",
+ crypt_backend_version(), PACKAGE_VERSION);
+ if (!uname(&uts))
+ log_dbg("Detected kernel %s %s %s.",
+ uts.sysname, uts.release, uts.machine);
+ _crypto_logged = 1;
+ }
+
+ return r;
+}
+
+static int process_key(struct crypt_device *cd, const char *hash_name,
+ size_t key_size, const char *pass, size_t passLen,
+ struct volume_key **vk)
+{
+ int r;
+
+ if (!key_size)
+ return -EINVAL;
+
+ *vk = crypt_alloc_volume_key(key_size, NULL);
+ if (!*vk)
+ return -ENOMEM;
+
+ if (hash_name) {
+ r = crypt_plain_hash(cd, hash_name, (*vk)->key, key_size, pass, passLen);
+ if (r < 0) {
+ if (r == -ENOENT)
+ log_err(cd, _("Hash algorithm %s not supported.\n"),
+ hash_name);
+ else
+ log_err(cd, _("Key processing error (using hash %s).\n"),
+ hash_name);
+ crypt_free_volume_key(*vk);
+ *vk = NULL;
+ return -EINVAL;
+ }
+ } else if (passLen > key_size) {
+ memcpy((*vk)->key, pass, key_size);
+ } else {
+ memcpy((*vk)->key, pass, passLen);
+ }
+
+ return 0;
+}
+
+static int isPLAIN(const char *type)
+{
+ return (type && !strcmp(CRYPT_PLAIN, type));
+}
+
+static int isLUKS(const char *type)
+{
+ return (type && !strcmp(CRYPT_LUKS1, type));
+}
+
+static int isLOOPAES(const char *type)
+{
+ return (type && !strcmp(CRYPT_LOOPAES, type));
+}
+
+static int isVERITY(const char *type)
+{
+ return (type && !strcmp(CRYPT_VERITY, type));
+}
+
+static int isTCRYPT(const char *type)
+{
+ return (type && !strcmp(CRYPT_TCRYPT, type));
+}
+
+static int onlyLUKS(struct crypt_device *cd)
+{
+ int r = 0;
+
+ if (cd && !cd->type) {
+ log_err(cd, _("Cannot determine device type. Incompatible activation of device?\n"));
+ r = -EINVAL;
+ }
+ if (!cd || !isLUKS(cd->type)) {
+ log_err(cd, _("This operation is supported only for LUKS device.\n"));
+ r = -EINVAL;
+ }
+
+ return r;
+}
+
+static void crypt_set_null_type(struct crypt_device *cd)
+{
+ if (!cd->type)
+ return;
+
+ free(cd->type);
+ cd->type = NULL;
+ cd->u.none.active_name = NULL;
+}
+
+static void crypt_reset_null_type(struct crypt_device *cd)
+{
+ if (cd->type)
+ return;
+
+ free(cd->u.none.active_name);
+ cd->u.none.active_name = NULL;
+}
+
+/* keyslot helpers */
+static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
+{
+ if (*keyslot == CRYPT_ANY_SLOT) {
+ *keyslot = LUKS_keyslot_find_empty(&cd->u.luks1.hdr);
+ if (*keyslot < 0) {
+ log_err(cd, _("All key slots full.\n"));
+ return -EINVAL;
+ }
+ }
+
+ switch (LUKS_keyslot_info(&cd->u.luks1.hdr, *keyslot)) {
+ case CRYPT_SLOT_INVALID:
+ log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
+ *keyslot, LUKS_NUMKEYS - 1);
+ return -EINVAL;
+ case CRYPT_SLOT_INACTIVE:
+ break;
+ default:
+ log_err(cd, _("Key slot %d is full, please select another one.\n"),
+ *keyslot);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+/*
+ * compares UUIDs returned by device-mapper (striped by cryptsetup) and uuid in header
+ */
+static int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid)
+{
+ int i, j;
+ char *str;
+
+ if (!dm_uuid || !hdr_uuid)
+ return -EINVAL;
+
+ str = strchr(dm_uuid, '-');
+ if (!str)
+ return -EINVAL;
+
+ for (i = 0, j = 1; hdr_uuid[i]; i++) {
+ if (hdr_uuid[i] == '-')
+ continue;
+
+ if (!str[j] || str[j] == '-')
+ return -EINVAL;
+
+ if (str[j] != hdr_uuid[i])
+ return -EINVAL;
+ j++;
+ }
+
+ return 0;
+}
+
+/*
+ * compares type of active device to provided string (only if there is no explicit type)
+ */
+static int crypt_uuid_type_cmp(struct crypt_device *cd, const char *type)
+{
+ struct crypt_dm_active_device dmd = {};
+ size_t len;
+ int r;
+
+ /* Must user header-on-disk if we know type here */
+ if (cd->type || !cd->u.none.active_name)
+ return -EINVAL;
+
+ log_dbg("Checking if active device %s without header has UUID type %s.",
+ cd->u.none.active_name, type);
+
+ r = dm_query_device(cd, cd->u.none.active_name, DM_ACTIVE_UUID, &dmd);
+ if (r < 0)
+ return r;
+
+ r = -ENODEV;
+ len = strlen(type);
+ if (dmd.uuid && strlen(dmd.uuid) > len &&
+ !strncmp(dmd.uuid, type, len) && dmd.uuid[len] == '-')
+ r = 0;
+
+ free(CONST_CAST(void*)dmd.uuid);
+ return r;
+}
+
+int PLAIN_activate(struct crypt_device *cd,
+ const char *name,
+ struct volume_key *vk,
+ uint64_t size,
+ uint32_t flags)
+{
+ int r;
+ char *dm_cipher = NULL;
+ enum devcheck device_check;
+ struct crypt_dm_active_device dmd = {
+ .target = DM_CRYPT,
+ .size = size,
+ .flags = flags,
+ .data_device = crypt_data_device(cd),
+ .u.crypt = {
+ .cipher = NULL,
+ .vk = vk,
+ .offset = crypt_get_data_offset(cd),
+ .iv_offset = crypt_get_iv_offset(cd),
+ }
+ };
+
+ if (dmd.flags & CRYPT_ACTIVATE_SHARED)
+ device_check = DEV_SHARED;
+ else
+ device_check = DEV_EXCL;
+
+ r = device_block_adjust(cd, dmd.data_device, device_check,
+ dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ if (r)
+ return r;
+
+ if (crypt_get_cipher_mode(cd))
+ r = asprintf(&dm_cipher, "%s-%s", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
+ else
+ r = asprintf(&dm_cipher, "%s", crypt_get_cipher(cd));
+ if (r < 0)
+ return -ENOMEM;
+
+ dmd.u.crypt.cipher = dm_cipher;
+ log_dbg("Trying to activate PLAIN device %s using cipher %s.",
+ name, dmd.u.crypt.cipher);
+
+ r = dm_create_device(cd, name, CRYPT_PLAIN, &dmd, 0);
+
+ free(dm_cipher);
+ return r;
+}
+
+int crypt_confirm(struct crypt_device *cd, const char *msg)
+{
+ if (!cd || !cd->confirm)
+ return 1;
+ else
+ return cd->confirm(msg, cd->confirm_usrptr);
+}
+
+void crypt_set_log_callback(struct crypt_device *cd,
+ void (*log)(int level, const char *msg, void *usrptr),
+ void *usrptr)
+{
+ if (!cd)
+ _default_log = log;
+ else {
+ cd->log = log;
+ cd->log_usrptr = usrptr;
+ }
+}
+
+void crypt_set_confirm_callback(struct crypt_device *cd,
+ int (*confirm)(const char *msg, void *usrptr),
+ void *usrptr)
+{
+ cd->confirm = confirm;
+ cd->confirm_usrptr = usrptr;
+}
+
+const char *crypt_get_dir(void)
+{
+ return dm_get_dir();
+}
+
+int crypt_init(struct crypt_device **cd, const char *device)
+{
+ struct crypt_device *h = NULL;
+ int r;
+
+ if (!cd)
+ return -EINVAL;
+
+ log_dbg("Allocating crypt device %s context.", device);
+
+ if (!(h = malloc(sizeof(struct crypt_device))))
+ return -ENOMEM;
+
+ memset(h, 0, sizeof(*h));
+
+ r = device_alloc(&h->device, device);
+ if (r < 0)
+ goto bad;
+
+ dm_backend_init();
+
+ h->iteration_time = DEFAULT_LUKS1_ITER_TIME;
+ h->rng_type = crypt_random_default_key_rng();
+ *cd = h;
+ return 0;
+bad:
+ device_free(h->device);
+ free(h);
+ return r;
+}
+
+static int crypt_check_data_device_size(struct crypt_device *cd)
+{
+ int r;
+ uint64_t size, size_min;
+
+ /* Check data device size, require at least one sector */
+ size_min = crypt_get_data_offset(cd) << SECTOR_SHIFT ?: SECTOR_SIZE;
+
+ r = device_size(cd->device, &size);
+ if (r < 0)
+ return r;
+
+ if (size < size_min) {
+ log_err(cd, _("Header detected but device %s is too small.\n"),
+ device_path(cd->device));
+ return -EINVAL;
+ }
+
+ return r;
+}
+
+int crypt_set_data_device(struct crypt_device *cd, const char *device)
+{
+ struct device *dev = NULL;
+ int r;
+
+ log_dbg("Setting ciphertext data device to %s.", device ?: "(none)");
+
+ if (!isLUKS(cd->type) && !isVERITY(cd->type)) {
+ log_err(cd, _("This operation is not supported for this device type.\n"));
+ return -EINVAL;
+ }
+
+ /* metadata device must be set */
+ if (!cd->device || !device)
+ return -EINVAL;
+
+ r = device_alloc(&dev, device);
+ if (r < 0)
+ return r;
+
+ if (!cd->metadata_device) {
+ cd->metadata_device = cd->device;
+ } else
+ device_free(cd->device);
+
+ cd->device = dev;
+
+ return crypt_check_data_device_size(cd);
+}
+
+static int _crypt_load_luks1(struct crypt_device *cd, int require_header, int repair)
+{
+ struct luks_phdr hdr;
+ int r;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ r = LUKS_read_phdr(&hdr, require_header, repair, cd);
+ if (r < 0)
+ return r;
+
+ if (!cd->type && !(cd->type = strdup(CRYPT_LUKS1)))
+ return -ENOMEM;
+
+ memcpy(&cd->u.luks1.hdr, &hdr, sizeof(hdr));
+
+ return r;
+}
+
+static int _crypt_load_tcrypt(struct crypt_device *cd, struct crypt_params_tcrypt *params)
+{
+ int r;
+
+ if (!params)
+ return -EINVAL;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ memcpy(&cd->u.tcrypt.params, params, sizeof(*params));
+
+ r = TCRYPT_read_phdr(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+
+ cd->u.tcrypt.params.passphrase = NULL;
+ cd->u.tcrypt.params.passphrase_size = 0;
+ cd->u.tcrypt.params.keyfiles = NULL;
+ cd->u.tcrypt.params.keyfiles_count = 0;
+ cd->u.tcrypt.params.veracrypt_pim = 0;
+
+ if (r < 0)
+ return r;
+
+ if (!cd->type && !(cd->type = strdup(CRYPT_TCRYPT)))
+ return -ENOMEM;
+
+ return r;
+}
+
+static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verity *params)
+{
+ int r;
+ size_t sb_offset = 0;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ if (params && params->flags & CRYPT_VERITY_NO_HEADER)
+ return -EINVAL;
+
+ if (params)
+ sb_offset = params->hash_area_offset;
+
+ r = VERITY_read_sb(cd, sb_offset, &cd->u.verity.uuid, &cd->u.verity.hdr);
+ if (r < 0)
+ return r;
+
+ //FIXME: use crypt_free
+ if (!cd->type && !(cd->type = strdup(CRYPT_VERITY))) {
+ free(CONST_CAST(void*)cd->u.verity.hdr.hash_name);
+ free(CONST_CAST(void*)cd->u.verity.hdr.salt);
+ free(cd->u.verity.uuid);
+ crypt_memzero(&cd->u.verity.hdr, sizeof(cd->u.verity.hdr));
+ return -ENOMEM;
+ }
+
+ if (params)
+ cd->u.verity.hdr.flags = params->flags;
+
+ /* Hash availability checked in sb load */
+ cd->u.verity.root_hash_size = crypt_hash_size(cd->u.verity.hdr.hash_name);
+ if (cd->u.verity.root_hash_size > 4096)
+ return -EINVAL;
+
+ if (params && params->data_device &&
+ (r = crypt_set_data_device(cd, params->data_device)) < 0)
+ return r;
+
+ if (params && params->fec_device) {
+ r = device_alloc(&cd->u.verity.fec_device, params->fec_device);
+ if (r < 0)
+ return r;
+ cd->u.verity.hdr.fec_area_offset = params->fec_area_offset;
+ cd->u.verity.hdr.fec_roots = params->fec_roots;
+ }
+
+ return r;
+}
+
+static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
+{
+ struct crypt_dm_active_device dmd = {};
+ char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ int key_nums, r;
+
+ r = dm_query_device(cd, name,
+ DM_ACTIVE_DEVICE |
+ DM_ACTIVE_UUID |
+ DM_ACTIVE_CRYPT_CIPHER |
+ DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
+ if (r < 0)
+ goto out;
+ if (r > 0)
+ r = 0;
+
+ if (isPLAIN(cd->type)) {
+ cd->u.plain.hdr.hash = NULL; /* no way to get this */
+ cd->u.plain.hdr.offset = dmd.u.crypt.offset;
+ cd->u.plain.hdr.skip = dmd.u.crypt.iv_offset;
+ cd->u.plain.key_size = dmd.u.crypt.vk->keylength;
+
+ r = crypt_parse_name_and_mode(dmd.u.crypt.cipher, cipher, NULL, cipher_mode);
+ if (!r) {
+ cd->u.plain.cipher = strdup(cipher);
+ cd->u.plain.cipher_mode = strdup(cipher_mode);
+ }
+ } else if (isLOOPAES(cd->type)) {
+ cd->u.loopaes.hdr.offset = dmd.u.crypt.offset;
+
+ r = crypt_parse_name_and_mode(dmd.u.crypt.cipher, cipher,
+ &key_nums, cipher_mode);
+ if (!r) {
+ cd->u.loopaes.cipher = strdup(cipher);
+ cd->u.loopaes.cipher_mode = strdup(cipher_mode);
+ /* version 3 uses last key for IV */
+ if (dmd.u.crypt.vk->keylength % key_nums)
+ key_nums++;
+ cd->u.loopaes.key_size = dmd.u.crypt.vk->keylength / key_nums;
+ }
+ } else if (isLUKS(cd->type)) {
+ if (crypt_metadata_device(cd)) {
+ r = _crypt_load_luks1(cd, 0, 0);
+ if (r < 0) {
+ log_dbg("LUKS device header does not match active device.");
+ crypt_set_null_type(cd);
+ r = 0;
+ goto out;
+ }
+ /* check whether UUIDs match each other */
+ r = crypt_uuid_cmp(dmd.uuid, cd->u.luks1.hdr.uuid);
+ if (r < 0) {
+ log_dbg("LUKS device header uuid: %s mismatches DM returned uuid %s",
+ cd->u.luks1.hdr.uuid, dmd.uuid);
+ crypt_set_null_type(cd);
+ r = 0;
+ }
+ } else {
+ log_dbg("LUKS device header not available.");
+ crypt_set_null_type(cd);
+ r = 0;
+ }
+ } else if (isTCRYPT(cd->type)) {
+ r = TCRYPT_init_by_name(cd, name, &dmd, &cd->device,
+ &cd->u.tcrypt.params, &cd->u.tcrypt.hdr);
+ }
+out:
+ crypt_free_volume_key(dmd.u.crypt.vk);
+ device_free(dmd.data_device);
+ free(CONST_CAST(void*)dmd.u.crypt.cipher);
+ free(CONST_CAST(void*)dmd.uuid);
+ return r;
+}
+
+static int _init_by_name_verity(struct crypt_device *cd, const char *name)
+{
+ struct crypt_params_verity params = {};
+ struct crypt_dm_active_device dmd = {
+ .target = DM_VERITY,
+ .u.verity.vp = ¶ms,
+ };
+ int r;
+
+ r = dm_query_device(cd, name,
+ DM_ACTIVE_DEVICE |
+ DM_ACTIVE_VERITY_HASH_DEVICE |
+ DM_ACTIVE_VERITY_PARAMS, &dmd);
+ if (r < 0)
+ goto out;
+ if (r > 0)
+ r = 0;
+
+ if (isVERITY(cd->type)) {
+ cd->u.verity.uuid = NULL; // FIXME
+ cd->u.verity.hdr.flags = CRYPT_VERITY_NO_HEADER; //FIXME
+ cd->u.verity.hdr.data_size = params.data_size;
+ cd->u.verity.root_hash_size = dmd.u.verity.root_hash_size;
+ cd->u.verity.root_hash = NULL;
+ cd->u.verity.hdr.hash_name = params.hash_name;
+ cd->u.verity.hdr.data_device = NULL;
+ cd->u.verity.hdr.hash_device = NULL;
+ cd->u.verity.hdr.data_block_size = params.data_block_size;
+ cd->u.verity.hdr.hash_block_size = params.hash_block_size;
+ cd->u.verity.hdr.hash_area_offset = dmd.u.verity.hash_offset;
+ cd->u.verity.hdr.fec_area_offset = dmd.u.verity.fec_offset;
+ cd->u.verity.hdr.hash_type = params.hash_type;
+ cd->u.verity.hdr.flags = params.flags;
+ cd->u.verity.hdr.salt_size = params.salt_size;
+ cd->u.verity.hdr.salt = params.salt;
+ cd->u.verity.hdr.fec_device = params.fec_device;
+ cd->u.verity.hdr.fec_roots = params.fec_roots;
+ cd->u.verity.fec_device = dmd.u.verity.fec_device;
+ cd->metadata_device = dmd.u.verity.hash_device;
+ }
+out:
+ device_free(dmd.data_device);
+ return r;
+}
+
+int crypt_init_by_name_and_header(struct crypt_device **cd,
+ const char *name,
+ const char *header_device)
+{
+ crypt_status_info ci;
+ struct crypt_dm_active_device dmd;
+ int r;
+
+ log_dbg("Allocating crypt device context by device %s.", name);
+
+ ci = crypt_status(NULL, name);
+ if (ci == CRYPT_INVALID)
+ return -ENODEV;
+
+ if (ci < CRYPT_ACTIVE) {
+ log_err(NULL, _("Device %s is not active.\n"), name);
+ return -ENODEV;
+ }
+
+ r = dm_query_device(NULL, name, DM_ACTIVE_DEVICE | DM_ACTIVE_UUID, &dmd);
+ if (r < 0)
+ goto out;
+
+ *cd = NULL;
+
+ if (header_device) {
+ r = crypt_init(cd, header_device);
+ } else {
+ r = crypt_init(cd, device_path(dmd.data_device));
+
+ /* Underlying device disappeared but mapping still active */
+ if (!dmd.data_device || r == -ENOTBLK)
+ log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
+ name);
+
+ /* Underlying device is not readable but crypt mapping exists */
+ if (r == -ENOTBLK) {
+ device_free(dmd.data_device);
+ dmd.data_device = NULL;
+ r = crypt_init(cd, NULL);
+ }
+ }
+
+ if (r < 0)
+ goto out;
+
+ if (dmd.uuid) {
+ if (!strncmp(CRYPT_PLAIN, dmd.uuid, sizeof(CRYPT_PLAIN)-1))
+ (*cd)->type = strdup(CRYPT_PLAIN);
+ else if (!strncmp(CRYPT_LOOPAES, dmd.uuid, sizeof(CRYPT_LOOPAES)-1))
+ (*cd)->type = strdup(CRYPT_LOOPAES);
+ else if (!strncmp(CRYPT_LUKS1, dmd.uuid, sizeof(CRYPT_LUKS1)-1))
+ (*cd)->type = strdup(CRYPT_LUKS1);
+ else if (!strncmp(CRYPT_VERITY, dmd.uuid, sizeof(CRYPT_VERITY)-1))
+ (*cd)->type = strdup(CRYPT_VERITY);
+ else if (!strncmp(CRYPT_TCRYPT, dmd.uuid, sizeof(CRYPT_TCRYPT)-1))
+ (*cd)->type = strdup(CRYPT_TCRYPT);
+ else
+ log_dbg("Unknown UUID set, some parameters are not set.");
+ } else
+ log_dbg("Active device has no UUID set, some parameters are not set.");
+
+ if (header_device) {
+ r = crypt_set_data_device(*cd, device_path(dmd.data_device));
+ if (r < 0)
+ goto out;
+ }
+
+ /* Try to initialise basic parameters from active device */
+
+ if (dmd.target == DM_CRYPT)
+ r = _init_by_name_crypt(*cd, name);
+ else if (dmd.target == DM_VERITY)
+ r = _init_by_name_verity(*cd, name);
+out:
+ if (r < 0) {
+ crypt_free(*cd);
+ *cd = NULL;
+ } else if (!(*cd)->type) {
+ /* For anonymous device (no header found) remember initialized name */
+ (*cd)->u.none.active_name = strdup(name);
+ }
+
+ device_free(dmd.data_device);
+ free(CONST_CAST(void*)dmd.uuid);
+ return r;
+}
+
+int crypt_init_by_name(struct crypt_device **cd, const char *name)
+{
+ return crypt_init_by_name_and_header(cd, name, NULL);
+}
+
+static int _crypt_format_plain(struct crypt_device *cd,
+ const char *cipher,
+ const char *cipher_mode,
+ const char *uuid,
+ size_t volume_key_size,
+ struct crypt_params_plain *params)
+{
+ if (!cipher || !cipher_mode) {
+ log_err(cd, _("Invalid plain crypt parameters.\n"));
+ return -EINVAL;
+ }
+
+ if (volume_key_size > 1024) {
+ log_err(cd, _("Invalid key size.\n"));
+ return -EINVAL;
+ }
+
+ if (uuid) {
+ log_err(cd, _("UUID is not supported for this crypt type.\n"));
+ return -EINVAL;
+ }
+
+ if (!(cd->type = strdup(CRYPT_PLAIN)))
+ return -ENOMEM;
+
+ cd->u.plain.key_size = volume_key_size;
+ cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
+ if (!cd->volume_key)
+ return -ENOMEM;
+
+ cd->u.plain.cipher = strdup(cipher);
+ cd->u.plain.cipher_mode = strdup(cipher_mode);
+
+
+ if (params && params->hash)
+ cd->u.plain.hdr.hash = strdup(params->hash);
+
+ cd->u.plain.hdr.offset = params ? params->offset : 0;
+ cd->u.plain.hdr.skip = params ? params->skip : 0;
+ cd->u.plain.hdr.size = params ? params->size : 0;
+
+ if (!cd->u.plain.cipher || !cd->u.plain.cipher_mode)
+ return -ENOMEM;
+
+ return 0;
+}
+
+static int _crypt_format_luks1(struct crypt_device *cd,
+ const char *cipher,
+ const char *cipher_mode,
+ const char *uuid,
+ const char *volume_key,
+ size_t volume_key_size,
+ struct crypt_params_luks1 *params)
+{
+ int r;
+ unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
+ unsigned long alignment_offset = 0;
+
+ if (!crypt_metadata_device(cd)) {
+ log_err(cd, _("Can't format LUKS without device.\n"));
+ return -EINVAL;
+ }
+
+ if (!(cd->type = strdup(CRYPT_LUKS1)))
+ return -ENOMEM;
+
+ if (volume_key)
+ cd->volume_key = crypt_alloc_volume_key(volume_key_size,
+ volume_key);
+ else
+ cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
+
+ if(!cd->volume_key)
+ return -ENOMEM;
+
+ if (params && params->data_device) {
+ cd->metadata_device = cd->device;
+ cd->device = NULL;
+ if (device_alloc(&cd->device, params->data_device) < 0)
+ return -ENOMEM;
+ required_alignment = params->data_alignment * SECTOR_SIZE;
+ } else if (params && params->data_alignment) {
+ required_alignment = params->data_alignment * SECTOR_SIZE;
+ } else
+ device_topology_alignment(cd->device,
+ &required_alignment,
+ &alignment_offset, DEFAULT_DISK_ALIGNMENT);
+
+ r = LUKS_generate_phdr(&cd->u.luks1.hdr, cd->volume_key, cipher, cipher_mode,
+ (params && params->hash) ? params->hash : DEFAULT_LUKS1_HASH,
+ uuid, LUKS_STRIPES,
+ required_alignment / SECTOR_SIZE,
+ alignment_offset / SECTOR_SIZE,
+ cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec,
+ cd->metadata_device ? 1 : 0, cd);
+ if(r < 0)
+ return r;
+
+ /* Wipe first 8 sectors - fs magic numbers etc. */
+ r = crypt_wipe(crypt_metadata_device(cd), 0, 8 * SECTOR_SIZE, CRYPT_WIPE_ZERO, 1);
+ if(r < 0) {
+ if (r == -EBUSY)
+ log_err(cd, _("Cannot format device %s which is still in use.\n"),
+ mdata_device_path(cd));
+ else if (r == -EACCES) {
+ log_err(cd, _("Cannot format device %s, permission denied.\n"),
+ mdata_device_path(cd));
+ r = -EINVAL;
+ } else
+ log_err(cd, _("Cannot wipe header on device %s.\n"),
+ mdata_device_path(cd));
+
+ return r;
+ }
+
+ r = LUKS_write_phdr(&cd->u.luks1.hdr, cd);
+
+ return r;
+}
+
+static int _crypt_format_loopaes(struct crypt_device *cd,
+ const char *cipher,
+ const char *uuid,
+ size_t volume_key_size,
+ struct crypt_params_loopaes *params)
+{
+ if (!crypt_metadata_device(cd)) {
+ log_err(cd, _("Can't format LOOPAES without device.\n"));
+ return -EINVAL;
+ }
+
+ if (volume_key_size > 1024) {
+ log_err(cd, _("Invalid key size.\n"));
+ return -EINVAL;
+ }
+
+ if (uuid) {
+ log_err(cd, _("UUID is not supported for this crypt type.\n"));
+ return -EINVAL;
+ }
+
+ if (!(cd->type = strdup(CRYPT_LOOPAES)))
+ return -ENOMEM;
+
+ cd->u.loopaes.key_size = volume_key_size;
+
+ cd->u.loopaes.cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
+
+ if (params && params->hash)
+ cd->u.loopaes.hdr.hash = strdup(params->hash);
+
+ cd->u.loopaes.hdr.offset = params ? params->offset : 0;
+ cd->u.loopaes.hdr.skip = params ? params->skip : 0;
+
+ return 0;
+}
+
+static int _crypt_format_verity(struct crypt_device *cd,
+ const char *uuid,
+ struct crypt_params_verity *params)
+{
+ int r = 0, hash_size;
+ uint64_t data_device_size;
+
+ if (!crypt_metadata_device(cd)) {
+ log_err(cd, _("Can't format VERITY without device.\n"));
+ return -EINVAL;
+ }
+
+ if (!params || !params->data_device)
+ return -EINVAL;
+
+ if (params->hash_type > VERITY_MAX_HASH_TYPE) {
+ log_err(cd, _("Unsupported VERITY hash type %d.\n"), params->hash_type);
+ return -EINVAL;
+ }
+
+ if (VERITY_BLOCK_SIZE_OK(params->data_block_size) ||
+ VERITY_BLOCK_SIZE_OK(params->hash_block_size)) {
+ log_err(cd, _("Unsupported VERITY block size.\n"));
+ return -EINVAL;
+ }
+
+ if (params->hash_area_offset % 512) {
+ log_err(cd, _("Unsupported VERITY hash offset.\n"));
+ return -EINVAL;
+ }
+
+ if (params->fec_area_offset % 512) {
+ log_err(cd, _("Unsupported VERITY FEC offset.\n"));
+ return -EINVAL;
+ }
+
+ if (!(cd->type = strdup(CRYPT_VERITY)))
+ return -ENOMEM;
+
+ r = crypt_set_data_device(cd, params->data_device);
+ if (r)
+ return r;
+ if (!params->data_size) {
+ r = device_size(cd->device, &data_device_size);
+ if (r < 0)
+ return r;
+
+ cd->u.verity.hdr.data_size = data_device_size / params->data_block_size;
+ } else
+ cd->u.verity.hdr.data_size = params->data_size;
+
+ if (device_is_identical(crypt_metadata_device(cd), crypt_data_device(cd)) &&
+ (cd->u.verity.hdr.data_size * params->data_block_size) > params->hash_area_offset) {
+ log_err(cd, _("Data area overlaps with hash area.\n"));
+ return -EINVAL;
+ }
+
+ if (params->fec_device &&
+ (r = device_alloc(&cd->u.verity.fec_device, params->fec_device)) < 0)
+ return r;
+
+ hash_size = crypt_hash_size(params->hash_name);
+ if (hash_size <= 0) {
+ log_err(cd, _("Hash algorithm %s not supported.\n"),
+ params->hash_name);
+ return -EINVAL;
+ }
+ cd->u.verity.root_hash_size = hash_size;
+
+ cd->u.verity.root_hash = malloc(cd->u.verity.root_hash_size);
+ if (!cd->u.verity.root_hash)
+ return -ENOMEM;
+
+ cd->u.verity.hdr.flags = params->flags;
+ if (!(cd->u.verity.hdr.hash_name = strdup(params->hash_name)))
+ return -ENOMEM;
+ cd->u.verity.hdr.data_device = NULL;
+ cd->u.verity.hdr.fec_device = params->fec_device;
+ cd->u.verity.hdr.fec_roots = params->fec_roots;
+ cd->u.verity.hdr.data_block_size = params->data_block_size;
+ cd->u.verity.hdr.hash_block_size = params->hash_block_size;
+ cd->u.verity.hdr.hash_area_offset = params->hash_area_offset;
+ cd->u.verity.hdr.fec_area_offset = params->fec_area_offset;
+ cd->u.verity.hdr.hash_type = params->hash_type;
+ cd->u.verity.hdr.flags = params->flags;
+ cd->u.verity.hdr.salt_size = params->salt_size;
+ if (!(cd->u.verity.hdr.salt = malloc(params->salt_size)))
+ return -ENOMEM;
+
+ if (params->salt)
+ memcpy(CONST_CAST(char*)cd->u.verity.hdr.salt, params->salt,
+ params->salt_size);
+ else
+ r = crypt_random_get(cd, CONST_CAST(char*)cd->u.verity.hdr.salt,
+ params->salt_size, CRYPT_RND_SALT);
+ if (r)
+ return r;
+
+ if (params->flags & CRYPT_VERITY_CREATE_HASH) {
+ r = VERITY_create(cd, &cd->u.verity.hdr,
+ cd->u.verity.root_hash, cd->u.verity.root_hash_size);
+ if (!r && params->fec_device)
+ r = VERITY_FEC_create(cd, &cd->u.verity.hdr, cd->u.verity.fec_device);
+ if (r)
+ return r;
+ }
+
+ if (!(params->flags & CRYPT_VERITY_NO_HEADER)) {
+ if (uuid)
+ cd->u.verity.uuid = strdup(uuid);
+ else {
+ r = VERITY_UUID_generate(cd, &cd->u.verity.uuid);
+ if (r)
+ return r;
+ }
+
+ r = VERITY_write_sb(cd, cd->u.verity.hdr.hash_area_offset,
+ cd->u.verity.uuid,
+ &cd->u.verity.hdr);
+ }
+
+ return r;
+}
+
+int crypt_format(struct crypt_device *cd,
+ const char *type,
+ const char *cipher,
+ const char *cipher_mode,
+ const char *uuid,
+ const char *volume_key,
+ size_t volume_key_size,
+ void *params)
+{
+ int r;
+
+ if (!type)
+ return -EINVAL;
+
+ if (cd->type) {
+ log_dbg("Context already formatted as %s.", cd->type);
+ return -EINVAL;
+ }
+
+ log_dbg("Formatting device %s as type %s.", mdata_device_path(cd) ?: "(none)", type);
+
+ crypt_reset_null_type(cd);
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ if (isPLAIN(type))
+ r = _crypt_format_plain(cd, cipher, cipher_mode,
+ uuid, volume_key_size, params);
+ else if (isLUKS(type))
+ r = _crypt_format_luks1(cd, cipher, cipher_mode,
+ uuid, volume_key, volume_key_size, params);
+ else if (isLOOPAES(type))
+ r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
+ else if (isVERITY(type))
+ r = _crypt_format_verity(cd, uuid, params);
+ else {
+ log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
+ r = -EINVAL;
+ }
+
+ if (r < 0) {
+ crypt_set_null_type(cd);
+ crypt_free_volume_key(cd->volume_key);
+ cd->volume_key = NULL;
+ }
+
+ return r;
+}
+
+int crypt_load(struct crypt_device *cd,
+ const char *requested_type,
+ void *params)
+{
+ int r;
+
+ log_dbg("Trying to load %s crypt type from device %s.",
+ requested_type ?: "any", mdata_device_path(cd) ?: "(none)");
+
+ if (!crypt_metadata_device(cd))
+ return -EINVAL;
+
+ crypt_reset_null_type(cd);
+
+ if (!requested_type || isLUKS(requested_type)) {
+ if (cd->type && !isLUKS(cd->type)) {
+ log_dbg("Context is already initialised to type %s", cd->type);
+ return -EINVAL;
+ }
+
+ r = _crypt_load_luks1(cd, 1, 0);
+ } else if (isVERITY(requested_type)) {
+ if (cd->type && !isVERITY(cd->type)) {
+ log_dbg("Context is already initialised to type %s", cd->type);
+ return -EINVAL;
+ }
+ r = _crypt_load_verity(cd, params);
+ } else if (isTCRYPT(requested_type)) {
+ if (cd->type && !isTCRYPT(cd->type)) {
+ log_dbg("Context is already initialised to type %s", cd->type);
+ return -EINVAL;
+ }
+ r = _crypt_load_tcrypt(cd, params);
+ } else
+ return -EINVAL;
+
+ return r;
+}
+
+int crypt_repair(struct crypt_device *cd,
+ const char *requested_type,
+ void *params __attribute__((unused)))
+{
+ int r;
+
+ log_dbg("Trying to repair %s crypt type from device %s.",
+ requested_type ?: "any", mdata_device_path(cd) ?: "(none)");
+
+ if (!crypt_metadata_device(cd))
+ return -EINVAL;
+
+ if (requested_type && !isLUKS(requested_type))
+ return -EINVAL;
+
+
+ /* Load with repair */
+ r = _crypt_load_luks1(cd, 1, 1);
+ if (r < 0)
+ return r;
+
+ /* cd->type and header must be set in context */
+ r = crypt_check_data_device_size(cd);
+ if (r < 0)
+ crypt_set_null_type(cd);
+
+ return r;
+}
+
+int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
+{
+ struct crypt_dm_active_device dmd;
+ int r;
+
+ /* Device context type must be initialised */
+ if (!cd->type)
+ return -EINVAL;
+
+ log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
+
+ r = dm_query_device(cd, name, DM_ACTIVE_DEVICE | DM_ACTIVE_CRYPT_CIPHER |
+ DM_ACTIVE_UUID | DM_ACTIVE_CRYPT_KEYSIZE |
+ DM_ACTIVE_CRYPT_KEY, &dmd);
+ if (r < 0) {
+ log_err(NULL, _("Device %s is not active.\n"), name);
+ return -EINVAL;
+ }
+
+ if (!dmd.uuid || dmd.target != DM_CRYPT) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (crypt_loop_device(crypt_get_device_name(cd))) {
+ log_dbg("Trying to resize underlying loop device %s.",
+ crypt_get_device_name(cd));
+ /* Here we always use default size not new_size */
+ if (crypt_loop_resize(crypt_get_device_name(cd)))
+ log_err(NULL, _("Cannot resize loop device.\n"));
+ }
+
+ r = device_block_adjust(cd, dmd.data_device, DEV_OK,
+ dmd.u.crypt.offset, &new_size, &dmd.flags);
+ if (r)
+ goto out;
+
+ if (new_size == dmd.size) {
+ log_dbg("Device has already requested size %" PRIu64
+ " sectors.", dmd.size);
+ r = 0;
+ } else {
+ dmd.size = new_size;
+ if (isTCRYPT(cd->type))
+ r = -ENOTSUP;
+ else
+ r = dm_create_device(cd, name, cd->type, &dmd, 1);
+ }
+out:
+ if (dmd.target == DM_CRYPT) {
+ crypt_free_volume_key(dmd.u.crypt.vk);
+ free(CONST_CAST(void*)dmd.u.crypt.cipher);
+ }
+ free(CONST_CAST(void*)dmd.data_device);
+ free(CONST_CAST(void*)dmd.uuid);
+
+ return r;
+}
+
+int crypt_set_uuid(struct crypt_device *cd, const char *uuid)
+{
+ if (!isLUKS(cd->type)) {
+ log_err(cd, _("This operation is not supported for this device type.\n"));
+ return -EINVAL;
+ }
+
+ if (uuid && !strncmp(uuid, cd->u.luks1.hdr.uuid, sizeof(cd->u.luks1.hdr.uuid))) {
+ log_dbg("UUID is the same as requested (%s) for device %s.",
+ uuid, mdata_device_path(cd));
+ return 0;
+ }
+
+ if (uuid)
+ log_dbg("Requested new UUID change to %s for %s.", uuid, mdata_device_path(cd));
+ else
+ log_dbg("Requested new UUID refresh for %s.", mdata_device_path(cd));
+
+ if (!crypt_confirm(cd, _("Do you really want to change UUID of device?")))
+ return -EPERM;
+
+ return LUKS_hdr_uuid_set(&cd->u.luks1.hdr, uuid, cd);
+}
+
+int crypt_header_backup(struct crypt_device *cd,
+ const char *requested_type,
+ const char *backup_file)
+{
+ int r;
+
+ if ((requested_type && !isLUKS(requested_type)) || !backup_file)
+ return -EINVAL;
+
+ if (cd->type && !isLUKS(cd->type))
+ return -EINVAL;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ log_dbg("Requested header backup of device %s (%s) to "
+ "file %s.", mdata_device_path(cd), requested_type, backup_file);
+
+ r = LUKS_hdr_backup(backup_file, cd);
+ return r;
+}
+
+int crypt_header_restore(struct crypt_device *cd,
+ const char *requested_type,
+ const char *backup_file)
+{
+ struct luks_phdr hdr;
+ int r;
+
+ if (requested_type && !isLUKS(requested_type))
+ return -EINVAL;
+
+ if (cd->type && !isLUKS(cd->type))
+ return -EINVAL;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ log_dbg("Requested header restore to device %s (%s) from "
+ "file %s.", mdata_device_path(cd), requested_type, backup_file);
+
+ r = LUKS_hdr_restore(backup_file, isLUKS(cd->type) ? &cd->u.luks1.hdr : &hdr, cd);
+
+ crypt_memzero(&hdr, sizeof(hdr));
+ return r;
+}
+
+void crypt_free(struct crypt_device *cd)
+{
+ if (cd) {
+ log_dbg("Releasing crypt device %s context.", mdata_device_path(cd));
+
+ dm_backend_exit();
+ crypt_free_volume_key(cd->volume_key);
+
+ device_free(cd->device);
+ device_free(cd->metadata_device);
+
+ if (isPLAIN(cd->type)) {
+ free(CONST_CAST(void*)cd->u.plain.hdr.hash);
+ free(cd->u.plain.cipher);
+ free(cd->u.plain.cipher_mode);
+ } else if (isLOOPAES(cd->type)) {
+ free(CONST_CAST(void*)cd->u.loopaes.hdr.hash);
+ free(cd->u.loopaes.cipher);
+ } else if (isVERITY(cd->type)) {
+ free(CONST_CAST(void*)cd->u.verity.hdr.hash_name);
+ free(CONST_CAST(void*)cd->u.verity.hdr.salt);
+ free(cd->u.verity.root_hash);
+ free(cd->u.verity.uuid);
+ device_free(cd->u.verity.fec_device);
+ } else if (!cd->type) {
+ free(cd->u.none.active_name);
+ }
+
+ free(cd->type);
+ /* Some structures can contain keys (TCRYPT), wipe it */
+ crypt_memzero(cd, sizeof(*cd));
+ free(cd);
+ }
+}
+
+int crypt_suspend(struct crypt_device *cd,
+ const char *name)
+{
+ crypt_status_info ci;
+ int r;
+
+ log_dbg("Suspending volume %s.", name);
+
+ if (cd->type) {
+ r = onlyLUKS(cd);
+ } else {
+ r = crypt_uuid_type_cmp(cd, CRYPT_LUKS1);
+ if (r < 0)
+ log_err(cd, _("This operation is supported only for LUKS device.\n"));
+ }
+
+ if (r < 0)
+ return r;
+
+ ci = crypt_status(NULL, name);
+ if (ci < CRYPT_ACTIVE) {
+ log_err(cd, _("Volume %s is not active.\n"), name);
+ return -EINVAL;
+ }
+
+ dm_backend_init();
+
+ r = dm_status_suspended(cd, name);
+ if (r < 0)
+ goto out;
+
+ if (r) {
+ log_err(cd, _("Volume %s is already suspended.\n"), name);
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = dm_suspend_and_wipe_key(cd, name);
+ if (r == -ENOTSUP)
+ log_err(cd, _("Suspend is not supported for device %s.\n"), name);
+ else if (r)
+ log_err(cd, _("Error during suspending device %s.\n"), name);
+out:
+ dm_backend_exit();
+ return r;
+}
+
+int crypt_resume_by_passphrase(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_size)
+{
+ struct volume_key *vk = NULL;
+ int r;
+
+ log_dbg("Resuming volume %s.", name);
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ if (!passphrase)
+ return -EINVAL;
+
+ r = dm_status_suspended(cd, name);
+ if (r < 0)
+ return r;
+
+ if (!r) {
+ log_err(cd, _("Volume %s is not suspended.\n"), name);
+ return -EINVAL;
+ }
+
+ r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size,
+ &cd->u.luks1.hdr, &vk, cd);
+ if (r >= 0) {
+ keyslot = r;
+ r = dm_resume_and_reinstate_key(cd, name, vk->keylength, vk->key);
+ if (r == -ENOTSUP)
+ log_err(cd, _("Resume is not supported for device %s.\n"), name);
+ else if (r)
+ log_err(cd, _("Error during resuming device %s.\n"), name);
+ } else
+ r = keyslot;
+
+ crypt_free_volume_key(vk);
+ return r < 0 ? r : keyslot;
+}
+
+int crypt_resume_by_keyfile_offset(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset)
+{
+ struct volume_key *vk = NULL;
+ char *passphrase_read = NULL;
+ size_t passphrase_size_read;
+ int r;
+
+ log_dbg("Resuming volume %s.", name);
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ r = dm_status_suspended(cd, name);
+ if (r < 0)
+ return r;
+
+ if (!r) {
+ log_err(cd, _("Volume %s is not suspended.\n"), name);
+ return -EINVAL;
+ }
+
+ if (!keyfile)
+ return -EINVAL;
+
+ r = crypt_keyfile_read(cd, keyfile,
+ &passphrase_read, &passphrase_size_read,
+ keyfile_offset, keyfile_size, 0);
+ if (r < 0)
+ goto out;
+
+ r = LUKS_open_key_with_hdr(keyslot, passphrase_read,
+ passphrase_size_read, &cd->u.luks1.hdr, &vk, cd);
+ if (r < 0)
+ goto out;
+
+ keyslot = r;
+ r = dm_resume_and_reinstate_key(cd, name, vk->keylength, vk->key);
+ if (r)
+ log_err(cd, _("Error during resuming device %s.\n"), name);
+out:
+ crypt_safe_free(passphrase_read);
+ crypt_free_volume_key(vk);
+ return r < 0 ? r : keyslot;
+}
+
+int crypt_resume_by_keyfile(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size)
+{
+ return crypt_resume_by_keyfile_offset(cd, name, keyslot,
+ keyfile, keyfile_size, 0);
+}
+
+// slot manipulation
+int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
+ int keyslot, // -1 any
+ const char *passphrase,
+ size_t passphrase_size,
+ const char *new_passphrase,
+ size_t new_passphrase_size)
+{
+ struct volume_key *vk = NULL;
+ int r;
+
+ log_dbg("Adding new keyslot, existing passphrase %sprovided,"
+ "new passphrase %sprovided.",
+ passphrase ? "" : "not ", new_passphrase ? "" : "not ");
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ if (!passphrase || !new_passphrase)
+ return -EINVAL;
+
+ r = keyslot_verify_or_find_empty(cd, &keyslot);
+ if (r)
+ return r;
+
+ if (!LUKS_keyslot_active_count(&cd->u.luks1.hdr)) {
+ /* No slots used, try to use pre-generated key in header */
+ if (cd->volume_key) {
+ vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
+ r = vk ? 0 : -ENOMEM;
+ } else {
+ log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
+ return -EINVAL;
+ }
+ } else {
+ /* Passphrase provided, use it to unlock existing keyslot */
+ r = LUKS_open_key_with_hdr(CRYPT_ANY_SLOT, passphrase,
+ passphrase_size, &cd->u.luks1.hdr, &vk, cd);
+ }
+
+ if(r < 0)
+ goto out;
+
+ r = LUKS_set_key(keyslot, CONST_CAST(char*)new_passphrase, new_passphrase_size,
+ &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
+ if(r < 0)
+ goto out;
+
+ r = 0;
+out:
+ crypt_free_volume_key(vk);
+ return r < 0 ? r : keyslot;
+}
+
+int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
+ int keyslot_old,
+ int keyslot_new,
+ const char *passphrase,
+ size_t passphrase_size,
+ const char *new_passphrase,
+ size_t new_passphrase_size)
+{
+ struct volume_key *vk = NULL;
+ int r;
+
+ log_dbg("Changing passphrase from old keyslot %d to new %d.",
+ keyslot_old, keyslot_new);
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ r = LUKS_open_key_with_hdr(keyslot_old, passphrase, passphrase_size,
+ &cd->u.luks1.hdr, &vk, cd);
+ if (r < 0)
+ goto out;
+
+ if (keyslot_old != CRYPT_ANY_SLOT && keyslot_old != r) {
+ log_dbg("Keyslot mismatch.");
+ goto out;
+ }
+ keyslot_old = r;
+
+ if (keyslot_new == CRYPT_ANY_SLOT) {
+ keyslot_new = LUKS_keyslot_find_empty(&cd->u.luks1.hdr);
+ if (keyslot_new < 0)
+ keyslot_new = keyslot_old;
+ }
+
+ if (keyslot_old == keyslot_new) {
+ log_dbg("Key slot %d is going to be overwritten.", keyslot_old);
+ (void)crypt_keyslot_destroy(cd, keyslot_old);
+ }
+
+ r = LUKS_set_key(keyslot_new, new_passphrase, new_passphrase_size,
+ &cd->u.luks1.hdr, vk, cd->iteration_time,
+ &cd->u.luks1.PBKDF2_per_sec, cd);
+
+ if (keyslot_old == keyslot_new) {
+ if (r >= 0)
+ log_verbose(cd, _("Key slot %d changed.\n"), keyslot_new);
+ } else {
+ if (r >= 0) {
+ log_verbose(cd, _("Replaced with key slot %d.\n"), keyslot_new);
+ r = crypt_keyslot_destroy(cd, keyslot_old);
+ }
+ }
+ if (r < 0)
+ log_err(cd, _("Failed to swap new key slot.\n"));
+out:
+ crypt_free_volume_key(vk);
+ return r < 0 ? r : keyslot_new;
+}
+
+int crypt_keyslot_add_by_keyfile_offset(struct crypt_device *cd,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset,
+ const char *new_keyfile,
+ size_t new_keyfile_size,
+ size_t new_keyfile_offset)
+{
+ struct volume_key *vk = NULL;
+ char *password = NULL; size_t passwordLen;
+ char *new_password = NULL; size_t new_passwordLen;
+ int r;
+
+ log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
+ keyfile ?: "[none]", new_keyfile ?: "[none]");
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ if (!keyfile || !new_keyfile)
+ return -EINVAL;
+
+ r = keyslot_verify_or_find_empty(cd, &keyslot);
+ if (r)
+ return r;
+
+ if (!LUKS_keyslot_active_count(&cd->u.luks1.hdr)) {
+ /* No slots used, try to use pre-generated key in header */
+ if (cd->volume_key) {
+ vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
+ r = vk ? 0 : -ENOMEM;
+ } else {
+ log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
+ return -EINVAL;
+ }
+ } else {
+ r = crypt_keyfile_read(cd, keyfile,
+ &password, &passwordLen,
+ keyfile_offset, keyfile_size, 0);
+ if (r < 0)
+ goto out;
+
+ r = LUKS_open_key_with_hdr(CRYPT_ANY_SLOT, password, passwordLen,
+ &cd->u.luks1.hdr, &vk, cd);
+ }
+
+ if(r < 0)
+ goto out;
+
+ r = crypt_keyfile_read(cd, new_keyfile,
+ &new_password, &new_passwordLen,
+ new_keyfile_offset, new_keyfile_size, 0);
+ if (r < 0)
+ goto out;
+
+ r = LUKS_set_key(keyslot, new_password, new_passwordLen,
+ &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
+out:
+ crypt_safe_free(password);
+ crypt_safe_free(new_password);
+ crypt_free_volume_key(vk);
+ return r < 0 ? r : keyslot;
+}
+
+int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ const char *new_keyfile,
+ size_t new_keyfile_size)
+{
+ return crypt_keyslot_add_by_keyfile_offset(cd, keyslot,
+ keyfile, keyfile_size, 0,
+ new_keyfile, new_keyfile_size, 0);
+}
+
+int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
+ int keyslot,
+ const char *volume_key,
+ size_t volume_key_size,
+ const char *passphrase,
+ size_t passphrase_size)
+{
+ struct volume_key *vk = NULL;
+ int r;
+
+ log_dbg("Adding new keyslot %d using volume key.", keyslot);
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ if (!passphrase)
+ return -EINVAL;
+
+ if (volume_key)
+ vk = crypt_alloc_volume_key(volume_key_size, volume_key);
+ else if (cd->volume_key)
+ vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
+
+ if (!vk)
+ return -ENOMEM;
+
+ r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
+ if (r < 0) {
+ log_err(cd, _("Volume key does not match the volume.\n"));
+ goto out;
+ }
+
+ r = keyslot_verify_or_find_empty(cd, &keyslot);
+ if (r)
+ goto out;
+
+ r = LUKS_set_key(keyslot, passphrase, passphrase_size,
+ &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
+out:
+ crypt_free_volume_key(vk);
+ return (r < 0) ? r : keyslot;
+}
+
+int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
+{
+ crypt_keyslot_info ki;
+ int r;
+
+ log_dbg("Destroying keyslot %d.", keyslot);
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ ki = crypt_keyslot_status(cd, keyslot);
+ if (ki == CRYPT_SLOT_INVALID) {
+ log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
+ return -EINVAL;
+ }
+
+ if (ki == CRYPT_SLOT_INACTIVE) {
+ log_err(cd, _("Key slot %d is not used.\n"), keyslot);
+ return -EINVAL;
+ }
+
+ return LUKS_del_key(keyslot, &cd->u.luks1.hdr, cd);
+}
+
+// activation/deactivation of device mapping
+int crypt_activate_by_passphrase(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *passphrase,
+ size_t passphrase_size,
+ uint32_t flags)
+{
+ crypt_status_info ci;
+ struct volume_key *vk = NULL;
+ int r;
+
+ log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
+ name ? "Activating" : "Checking", name ?: "",
+ keyslot, passphrase ? "" : "[none] ");
+
+ if (!passphrase)
+ return -EINVAL;
+
+ if (name) {
+ ci = crypt_status(NULL, name);
+ if (ci == CRYPT_INVALID)
+ return -EINVAL;
+ else if (ci >= CRYPT_ACTIVE) {
+ log_err(cd, _("Device %s already exists.\n"), name);
+ return -EEXIST;
+ }
+ }
+
+ /* plain, use hashed passphrase */
+ if (isPLAIN(cd->type)) {
+ if (!name)
+ return -EINVAL;
+
+ r = process_key(cd, cd->u.plain.hdr.hash,
+ cd->u.plain.key_size,
+ passphrase, passphrase_size, &vk);
+ if (r < 0)
+ goto out;
+
+ r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags);
+ keyslot = 0;
+ } else if (isLUKS(cd->type)) {
+ r = LUKS_open_key_with_hdr(keyslot, passphrase,
+ passphrase_size, &cd->u.luks1.hdr, &vk, cd);
+ if (r >= 0) {
+ keyslot = r;
+ if (name)
+ r = LUKS1_activate(cd, name, vk, flags);
+ }
+ } else
+ r = -EINVAL;
+out:
+ crypt_free_volume_key(vk);
+
+ return r < 0 ? r : keyslot;
+}
+
+int crypt_activate_by_keyfile_offset(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ size_t keyfile_offset,
+ uint32_t flags)
+{
+ crypt_status_info ci;
+ struct volume_key *vk = NULL;
+ char *passphrase_read = NULL;
+ size_t passphrase_size_read;
+ unsigned int key_count = 0;
+ int r;
+
+ log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
+ name ?: "", keyslot, keyfile ?: "[none]");
+
+ if (name) {
+ ci = crypt_status(NULL, name);
+ if (ci == CRYPT_INVALID)
+ return -EINVAL;
+ else if (ci >= CRYPT_ACTIVE) {
+ log_err(cd, _("Device %s already exists.\n"), name);
+ return -EEXIST;
+ }
+ }
+
+ if (!keyfile)
+ return -EINVAL;
+
+ if (isPLAIN(cd->type)) {
+ if (!name)
+ return -EINVAL;
+
+ r = crypt_keyfile_read(cd, keyfile,
+ &passphrase_read, &passphrase_size_read,
+ keyfile_offset, keyfile_size, 0);
+ if (r < 0)
+ goto out;
+
+ r = process_key(cd, cd->u.plain.hdr.hash,
+ cd->u.plain.key_size,
+ passphrase_read, passphrase_size_read, &vk);
+ if (r < 0)
+ goto out;
+
+ r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags);
+ } else if (isLUKS(cd->type)) {
+ r = crypt_keyfile_read(cd, keyfile,
+ &passphrase_read, &passphrase_size_read,
+ keyfile_offset, keyfile_size, 0);
+ if (r < 0)
+ goto out;
+ r = LUKS_open_key_with_hdr(keyslot, passphrase_read,
+ passphrase_size_read, &cd->u.luks1.hdr, &vk, cd);
+ if (r < 0)
+ goto out;
+ keyslot = r;
+
+ if (name) {
+ r = LUKS1_activate(cd, name, vk, flags);
+ if (r < 0)
+ goto out;
+ }
+ r = keyslot;
+ } else if (isLOOPAES(cd->type)) {
+ r = crypt_keyfile_read(cd, keyfile,
+ &passphrase_read, &passphrase_size_read,
+ keyfile_offset, keyfile_size, 0);
+ if (r < 0)
+ goto out;
+ r = LOOPAES_parse_keyfile(cd, &vk, cd->u.loopaes.hdr.hash, &key_count,
+ passphrase_read, passphrase_size_read);
+ if (r < 0)
+ goto out;
+ if (name)
+ r = LOOPAES_activate(cd, name, cd->u.loopaes.cipher,
+ key_count, vk, flags);
+ } else
+ r = -EINVAL;
+
+out:
+ crypt_safe_free(passphrase_read);
+ crypt_free_volume_key(vk);
+
+ return r;
+}
+
+int crypt_activate_by_keyfile(struct crypt_device *cd,
+ const char *name,
+ int keyslot,
+ const char *keyfile,
+ size_t keyfile_size,
+ uint32_t flags)
+{
+ return crypt_activate_by_keyfile_offset(cd, name, keyslot, keyfile,
+ keyfile_size, 0, flags);
+}
+
+int crypt_activate_by_volume_key(struct crypt_device *cd,
+ const char *name,
+ const char *volume_key,
+ size_t volume_key_size,
+ uint32_t flags)
+{
+ crypt_status_info ci;
+ struct volume_key *vk = NULL;
+ int r = -EINVAL;
+
+ log_dbg("Activating volume %s by volume key.", name ?: "[none]");
+
+ if (name) {
+ ci = crypt_status(NULL, name);
+ if (ci == CRYPT_INVALID)
+ return -EINVAL;
+ else if (ci >= CRYPT_ACTIVE) {
+ log_err(cd, _("Device %s already exists.\n"), name);
+ return -EEXIST;
+ }
+ }
+
+ /* use key directly, no hash */
+ if (isPLAIN(cd->type)) {
+ if (!name)
+ return -EINVAL;
+
+ if (!volume_key || !volume_key_size || volume_key_size != cd->u.plain.key_size) {
+ log_err(cd, _("Incorrect volume key specified for plain device.\n"));
+ return -EINVAL;
+ }
+
+ vk = crypt_alloc_volume_key(volume_key_size, volume_key);
+ if (!vk)
+ return -ENOMEM;
+
+ r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags);
+ } else if (isLUKS(cd->type)) {
+ /* If key is not provided, try to use internal key */
+ if (!volume_key) {
+ if (!cd->volume_key) {
+ log_err(cd, _("Volume key does not match the volume.\n"));
+ return -EINVAL;
+ }
+ volume_key_size = cd->volume_key->keylength;
+ volume_key = cd->volume_key->key;
+ }
+
+ vk = crypt_alloc_volume_key(volume_key_size, volume_key);
+ if (!vk)
+ return -ENOMEM;
+ r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
+
+ if (r == -EPERM)
+ log_err(cd, _("Volume key does not match the volume.\n"));
+
+ if (!r && name)
+ r = LUKS1_activate(cd, name, vk, flags);
+ } else if (isVERITY(cd->type)) {
+ /* volume_key == root hash */
+ if (!volume_key || !volume_key_size) {
+ log_err(cd, _("Incorrect root hash specified for verity device.\n"));
+ return -EINVAL;
+ }
+
+ r = VERITY_activate(cd, name, volume_key, volume_key_size, cd->u.verity.fec_device,
+ &cd->u.verity.hdr, flags|CRYPT_ACTIVATE_READONLY);
+
+ if (r == -EPERM) {
+ free(cd->u.verity.root_hash);
+ cd->u.verity.root_hash = NULL;
+ } if (!r) {
+ cd->u.verity.root_hash_size = volume_key_size;
+ if (!cd->u.verity.root_hash)
+ cd->u.verity.root_hash = malloc(volume_key_size);
+ if (cd->u.verity.root_hash)
+ memcpy(cd->u.verity.root_hash, volume_key, volume_key_size);
+ }
+ } else if (isTCRYPT(cd->type)) {
+ if (!name)
+ return 0;
+ r = TCRYPT_activate(cd, name, &cd->u.tcrypt.hdr,
+ &cd->u.tcrypt.params, flags);
+ } else
+ log_err(cd, _("Device type is not properly initialised.\n"));
+
+ crypt_free_volume_key(vk);
+
+ return r;
+}
+
+int crypt_deactivate(struct crypt_device *cd, const char *name)
+{
+ struct crypt_device *fake_cd = NULL;
+ int r;
+
+ if (!name)
+ return -EINVAL;
+
+ log_dbg("Deactivating volume %s.", name);
+
+ if (!cd) {
+ r = crypt_init_by_name(&fake_cd, name);
+ if (r < 0)
+ return r;
+ cd = fake_cd;
+ }
+
+ switch (crypt_status(cd, name)) {
+ case CRYPT_ACTIVE:
+ case CRYPT_BUSY:
+ if (isTCRYPT(cd->type))
+ r = TCRYPT_deactivate(cd, name);
+ else
+ r = dm_remove_device(cd, name, 0, 0);
+ if (r < 0 && crypt_status(cd, name) == CRYPT_BUSY) {
+ log_err(cd, _("Device %s is still in use.\n"), name);
+ r = -EBUSY;
+ }
+ break;
+ case CRYPT_INACTIVE:
+ log_err(cd, _("Device %s is not active.\n"), name);
+ r = -ENODEV;
+ break;
+ default:
+ log_err(cd, _("Invalid device %s.\n"), name);
+ r = -EINVAL;
+ }
+
+ crypt_free(fake_cd);
+
+ return r;
+}
+
+int crypt_volume_key_get(struct crypt_device *cd,
+ int keyslot,
+ char *volume_key,
+ size_t *volume_key_size,
+ const char *passphrase,
+ size_t passphrase_size)
+{
+ struct volume_key *vk = NULL;
+ unsigned key_len;
+ int r = -EINVAL;
+
+ if (crypt_fips_mode()) {
+ log_err(cd, _("Function not available in FIPS mode.\n"));
+ return -EACCES;
+ }
+
+ key_len = crypt_get_volume_key_size(cd);
+ if (key_len > *volume_key_size) {
+ log_err(cd, _("Volume key buffer too small.\n"));
+ return -ENOMEM;
+ }
+
+ if (isPLAIN(cd->type) && cd->u.plain.hdr.hash) {
+ r = process_key(cd, cd->u.plain.hdr.hash, key_len,
+ passphrase, passphrase_size, &vk);
+ if (r < 0)
+ log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
+ } else if (isLUKS(cd->type)) {
+ r = LUKS_open_key_with_hdr(keyslot, passphrase,
+ passphrase_size, &cd->u.luks1.hdr, &vk, cd);
+ } else if (isTCRYPT(cd->type)) {
+ r = TCRYPT_get_volume_key(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params, &vk);
+ } else
+ log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
+
+ if (r >= 0) {
+ memcpy(volume_key, vk->key, vk->keylength);
+ *volume_key_size = vk->keylength;
+ }
+
+ crypt_free_volume_key(vk);
+ return r;
+}
+
+int crypt_volume_key_verify(struct crypt_device *cd,
+ const char *volume_key,
+ size_t volume_key_size)
+{
+ struct volume_key *vk;
+ int r;
+
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ vk = crypt_alloc_volume_key(volume_key_size, volume_key);
+ if (!vk)
+ return -ENOMEM;
+
+ r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
+
+ if (r == -EPERM)
+ log_err(cd, _("Volume key does not match the volume.\n"));
+
+ crypt_free_volume_key(vk);
+
+ return r;
+}
+
+void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms)
+{
+ log_dbg("Iteration time set to %" PRIu64 " milliseconds.", iteration_time_ms);
+ cd->iteration_time = iteration_time_ms;
+}
+
+void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
+{
+ switch (rng_type) {
+ case CRYPT_RNG_URANDOM:
+ case CRYPT_RNG_RANDOM:
+ log_dbg("RNG set to %d (%s).", rng_type, rng_type ? "random" : "urandom");
+ cd->rng_type = rng_type;
+ }
+}
+
+int crypt_get_rng_type(struct crypt_device *cd)
+{
+ if (!cd)
+ return -EINVAL;
+
+ return cd->rng_type;
+}
+
+int crypt_memory_lock(struct crypt_device *cd, int lock)
+{
+ return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
+}
+
+// reporting
+crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
+{
+ int r;
+
+ if (!cd)
+ dm_backend_init();
+
+ r = dm_status_device(cd, name);
+
+ if (!cd)
+ dm_backend_exit();
+
+ if (r < 0 && r != -ENODEV)
+ return CRYPT_INVALID;
+
+ if (r == 0)
+ return CRYPT_ACTIVE;
+
+ if (r > 0)
+ return CRYPT_BUSY;
+
+ return CRYPT_INACTIVE;
+}
+
+static void hexprint(struct crypt_device *cd, const char *d, int n, const char *sep)
+{
+ int i;
+ for(i = 0; i < n; i++)
+ log_std(cd, "%02hhx%s", (const char)d[i], sep);
+}
+
+static int _luks_dump(struct crypt_device *cd)
+{
+ int i;
+
+ log_std(cd, "LUKS header information for %s\n\n", mdata_device_path(cd));
+ log_std(cd, "Version: \t%" PRIu16 "\n", cd->u.luks1.hdr.version);
+ log_std(cd, "Cipher name: \t%s\n", cd->u.luks1.hdr.cipherName);
+ log_std(cd, "Cipher mode: \t%s\n", cd->u.luks1.hdr.cipherMode);
+ log_std(cd, "Hash spec: \t%s\n", cd->u.luks1.hdr.hashSpec);
+ log_std(cd, "Payload offset:\t%" PRIu32 "\n", cd->u.luks1.hdr.payloadOffset);
+ log_std(cd, "MK bits: \t%" PRIu32 "\n", cd->u.luks1.hdr.keyBytes * 8);
+ log_std(cd, "MK digest: \t");
+ hexprint(cd, cd->u.luks1.hdr.mkDigest, LUKS_DIGESTSIZE, " ");
+ log_std(cd, "\n");
+ log_std(cd, "MK salt: \t");
+ hexprint(cd, cd->u.luks1.hdr.mkDigestSalt, LUKS_SALTSIZE/2, " ");
+ log_std(cd, "\n \t");
+ hexprint(cd, cd->u.luks1.hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " ");
+ log_std(cd, "\n");
+ log_std(cd, "MK iterations: \t%" PRIu32 "\n", cd->u.luks1.hdr.mkDigestIterations);
+ log_std(cd, "UUID: \t%s\n\n", cd->u.luks1.hdr.uuid);
+ for(i = 0; i < LUKS_NUMKEYS; i++) {
+ if(cd->u.luks1.hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
+ log_std(cd, "Key Slot %d: ENABLED\n",i);
+ log_std(cd, "\tIterations: \t%" PRIu32 "\n",
+ cd->u.luks1.hdr.keyblock[i].passwordIterations);
+ log_std(cd, "\tSalt: \t");
+ hexprint(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt,
+ LUKS_SALTSIZE/2, " ");
+ log_std(cd, "\n\t \t");
+ hexprint(cd, cd->u.luks1.hdr.keyblock[i].passwordSalt +
+ LUKS_SALTSIZE/2, LUKS_SALTSIZE/2, " ");
+ log_std(cd, "\n");
+
+ log_std(cd, "\tKey material offset:\t%" PRIu32 "\n",
+ cd->u.luks1.hdr.keyblock[i].keyMaterialOffset);
+ log_std(cd, "\tAF stripes: \t%" PRIu32 "\n",
+ cd->u.luks1.hdr.keyblock[i].stripes);
+ }
+ else
+ log_std(cd, "Key Slot %d: DISABLED\n", i);
+ }
+ return 0;
+}
+
+static int _verity_dump(struct crypt_device *cd)
+{
+ log_std(cd, "VERITY header information for %s\n", mdata_device_path(cd));
+ log_std(cd, "UUID: \t%s\n", cd->u.verity.uuid ?: "");
+ log_std(cd, "Hash type: \t%u\n", cd->u.verity.hdr.hash_type);
+ log_std(cd, "Data blocks: \t%" PRIu64 "\n", cd->u.verity.hdr.data_size);
+ log_std(cd, "Data block size: \t%u\n", cd->u.verity.hdr.data_block_size);
+ log_std(cd, "Hash block size: \t%u\n", cd->u.verity.hdr.hash_block_size);
+ log_std(cd, "Hash algorithm: \t%s\n", cd->u.verity.hdr.hash_name);
+ log_std(cd, "Salt: \t");
+ if (cd->u.verity.hdr.salt_size)
+ hexprint(cd, cd->u.verity.hdr.salt, cd->u.verity.hdr.salt_size, "");
+ else
+ log_std(cd, "-");
+ log_std(cd, "\n");
+ if (cd->u.verity.root_hash) {
+ log_std(cd, "Root hash: \t");
+ hexprint(cd, cd->u.verity.root_hash, cd->u.verity.root_hash_size, "");
+ log_std(cd, "\n");
+ }
+ return 0;
+}
+
+int crypt_dump(struct crypt_device *cd)
+{
+ if (isLUKS(cd->type))
+ return _luks_dump(cd);
+ else if (isVERITY(cd->type))
+ return _verity_dump(cd);
+ else if (isTCRYPT(cd->type))
+ return TCRYPT_dump(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+
+ log_err(cd, _("Dump operation is not supported for this device type.\n"));
+ return -EINVAL;
+}
+
+
+static int _init_by_name_crypt_none(struct crypt_device *cd)
+{
+ struct crypt_dm_active_device dmd = {};
+ int r;
+
+ if (cd->type || !cd->u.none.active_name)
+ return -EINVAL;
+
+ r = dm_query_device(cd, cd->u.none.active_name,
+ DM_ACTIVE_CRYPT_CIPHER |
+ DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
+ if (r >= 0)
+ r = crypt_parse_name_and_mode(dmd.u.crypt.cipher,
+ cd->u.none.cipher, NULL,
+ cd->u.none.cipher_mode);
+
+ if (!r)
+ cd->u.none.key_size = dmd.u.crypt.vk->keylength;
+
+ crypt_free_volume_key(dmd.u.crypt.vk);
+ free(CONST_CAST(void*)dmd.u.crypt.cipher);
+ return r;
+}
+
+const char *crypt_get_cipher(struct crypt_device *cd)
+{
+ if (isPLAIN(cd->type))
+ return cd->u.plain.cipher;
+
+ if (isLUKS(cd->type))
+ return cd->u.luks1.hdr.cipherName;
+
+ if (isLOOPAES(cd->type))
+ return cd->u.loopaes.cipher;
+
+ if (isTCRYPT(cd->type))
+ return cd->u.tcrypt.params.cipher;
+
+ if (!cd->type && !_init_by_name_crypt_none(cd))
+ return cd->u.none.cipher;
+
+ return NULL;
+}
+
+const char *crypt_get_cipher_mode(struct crypt_device *cd)
+{
+ if (isPLAIN(cd->type))
+ return cd->u.plain.cipher_mode;
+
+ if (isLUKS(cd->type))
+ return cd->u.luks1.hdr.cipherMode;
+
+ if (isLOOPAES(cd->type))
+ return cd->u.loopaes.cipher_mode;
+
+ if (isTCRYPT(cd->type))
+ return cd->u.tcrypt.params.mode;
+
+ if (!cd->type && !_init_by_name_crypt_none(cd))
+ return cd->u.none.cipher_mode;
+
+ return NULL;
+}
+
+const char *crypt_get_uuid(struct crypt_device *cd)
+{
+ if (isLUKS(cd->type))
+ return cd->u.luks1.hdr.uuid;
+
+ if (isVERITY(cd->type))
+ return cd->u.verity.uuid;
+
+ return NULL;
+}
+
+const char *crypt_get_device_name(struct crypt_device *cd)
+{
+ const char *path = device_block_path(cd->device);
+
+ if (!path)
+ path = device_path(cd->device);
+
+ return path;
+}
+
+int crypt_get_volume_key_size(struct crypt_device *cd)
+{
+ if (isPLAIN(cd->type))
+ return cd->u.plain.key_size;
+
+ if (isLUKS(cd->type))
+ return cd->u.luks1.hdr.keyBytes;
+
+ if (isLOOPAES(cd->type))
+ return cd->u.loopaes.key_size;
+
+ if (isVERITY(cd->type))
+ return cd->u.verity.root_hash_size;
+
+ if (isTCRYPT(cd->type))
+ return cd->u.tcrypt.params.key_size;
+
+ if (!cd->type && !_init_by_name_crypt_none(cd))
+ return cd->u.none.key_size;
+
+ return 0;
+}
+
+uint64_t crypt_get_data_offset(struct crypt_device *cd)
+{
+ if (isPLAIN(cd->type))
+ return cd->u.plain.hdr.offset;
+
+ if (isLUKS(cd->type))
+ return cd->u.luks1.hdr.payloadOffset;
+
+ if (isLOOPAES(cd->type))
+ return cd->u.loopaes.hdr.offset;
+
+ if (isTCRYPT(cd->type))
+ return TCRYPT_get_data_offset(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+
+ return 0;
+}
+
+uint64_t crypt_get_iv_offset(struct crypt_device *cd)
+{
+ if (isPLAIN(cd->type))
+ return cd->u.plain.hdr.skip;
+
+ if (isLUKS(cd->type))
+ return 0;
+
+ if (isLOOPAES(cd->type))
+ return cd->u.loopaes.hdr.skip;
+
+ if (isTCRYPT(cd->type))
+ return TCRYPT_get_iv_offset(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+
+ return 0;
+}
+
+crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
+{
+ if (onlyLUKS(cd) < 0)
+ return CRYPT_SLOT_INVALID;
+
+ return LUKS_keyslot_info(&cd->u.luks1.hdr, keyslot);
+}
+
+int crypt_keyslot_max(const char *type)
+{
+ if (type && isLUKS(type))
+ return LUKS_NUMKEYS;
+
+ return -EINVAL;
+}
+
+int crypt_keyslot_area(struct crypt_device *cd,
+ int keyslot,
+ uint64_t *offset,
+ uint64_t *length)
+{
+ if (!isLUKS(cd->type))
+ return -EINVAL;
+
+ return LUKS_keyslot_area(&cd->u.luks1.hdr, keyslot, offset, length);
+}
+
+const char *crypt_get_type(struct crypt_device *cd)
+{
+ return cd->type;
+}
+
+int crypt_get_verity_info(struct crypt_device *cd,
+ struct crypt_params_verity *vp)
+{
+ if (!isVERITY(cd->type) || !vp)
+ return -EINVAL;
+
+ vp->data_device = device_path(cd->device);
+ vp->hash_device = mdata_device_path(cd);
+ vp->fec_device = device_path(cd->u.verity.fec_device);
+ vp->fec_area_offset = cd->u.verity.hdr.fec_area_offset;
+ vp->fec_roots = cd->u.verity.hdr.fec_roots;
+ vp->hash_name = cd->u.verity.hdr.hash_name;
+ vp->salt = cd->u.verity.hdr.salt;
+ vp->salt_size = cd->u.verity.hdr.salt_size;
+ vp->data_block_size = cd->u.verity.hdr.data_block_size;
+ vp->hash_block_size = cd->u.verity.hdr.hash_block_size;
+ vp->data_size = cd->u.verity.hdr.data_size;
+ vp->hash_area_offset = cd->u.verity.hdr.hash_area_offset;
+ vp->hash_type = cd->u.verity.hdr.hash_type;
+ vp->flags = cd->u.verity.hdr.flags & CRYPT_VERITY_NO_HEADER;
+ return 0;
+}
+
+int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ struct crypt_active_device *cad)
+{
+ struct crypt_dm_active_device dmd;
+ int r;
+
+ r = dm_query_device(cd, name, 0, &dmd);
+ if (r < 0)
+ return r;
+
+ if (dmd.target != DM_CRYPT && dmd.target != DM_VERITY)
+ return -ENOTSUP;
+
+ if (cd && isTCRYPT(cd->type)) {
+ cad->offset = TCRYPT_get_data_offset(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+ cad->iv_offset = TCRYPT_get_iv_offset(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
+ } else {
+ cad->offset = dmd.u.crypt.offset;
+ cad->iv_offset = dmd.u.crypt.iv_offset;
+ }
+ cad->size = dmd.size;
+ cad->flags = dmd.flags;
+
+ return 0;
+}
diff --git a/lib/tcrypt/Makefile.am b/lib/tcrypt/Makefile.am
new file mode 100644
index 0000000..88bf520
--- /dev/null
+++ b/lib/tcrypt/Makefile.am
@@ -0,0 +1,14 @@
+moduledir = $(libdir)/cryptsetup
+
+noinst_LTLIBRARIES = libtcrypt.la
+
+libtcrypt_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
+
+libtcrypt_la_SOURCES = \
+ tcrypt.c \
+ tcrypt.h
+
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir)/lib \
+ -I$(top_srcdir)/lib/crypto_backend
+
diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c
new file mode 100644
index 0000000..c08d277
--- /dev/null
+++ b/lib/tcrypt/tcrypt.c
@@ -0,0 +1,1077 @@
+/*
+ * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <assert.h>
+
+#include "libcryptsetup.h"
+#include "tcrypt.h"
+#include "internal.h"
+
+/* TCRYPT PBKDF variants */
+static struct {
+ unsigned int legacy:1;
+ unsigned int veracrypt:1;
+ const char *name;
+ const char *hash;
+ unsigned int iterations;
+} tcrypt_kdf[] = {
+ { 0, 0, "pbkdf2", "ripemd160", 2000 },
+ { 0, 0, "pbkdf2", "ripemd160", 1000 },
+ { 0, 0, "pbkdf2", "sha512", 1000 },
+ { 0, 0, "pbkdf2", "whirlpool", 1000 },
+ { 1, 0, "pbkdf2", "sha1", 2000 },
+ { 0, 1, "pbkdf2", "sha512", 500000 },
+ { 0, 1, "pbkdf2", "ripemd160", 655331 },
+ { 0, 1, "pbkdf2", "ripemd160", 327661 }, // boot only
+ { 0, 1, "pbkdf2", "whirlpool", 500000 },
+ { 0, 1, "pbkdf2", "sha256", 500000 }, // VeraCrypt 1.0f
+ { 0, 1, "pbkdf2", "sha256", 200000 }, // boot only
+ { 0, 0, NULL, NULL, 0 }
+};
+
+struct tcrypt_alg {
+ const char *name;
+ unsigned int key_size;
+ unsigned int iv_size;
+ unsigned int key_offset;
+ unsigned int iv_offset; /* or tweak key offset */
+ unsigned int key_extra_size;
+};
+
+struct tcrypt_algs {
+ unsigned int legacy:1;
+ unsigned int chain_count;
+ unsigned int chain_key_size;
+ const char *long_name;
+ const char *mode;
+ struct tcrypt_alg cipher[3];
+};
+
+/* TCRYPT cipher variants */
+static struct tcrypt_algs tcrypt_cipher[] = {
+/* XTS mode */
+{0,1,64,"aes","xts-plain64",
+ {{"aes", 64,16,0,32,0}}},
+{0,1,64,"serpent","xts-plain64",
+ {{"serpent",64,16,0,32,0}}},
+{0,1,64,"twofish","xts-plain64",
+ {{"twofish",64,16,0,32,0}}},
+{0,2,128,"twofish-aes","xts-plain64",
+ {{"twofish",64,16, 0,64,0},
+ {"aes", 64,16,32,96,0}}},
+{0,3,192,"serpent-twofish-aes","xts-plain64",
+ {{"serpent",64,16, 0, 96,0},
+ {"twofish",64,16,32,128,0},
+ {"aes", 64,16,64,160,0}}},
+{0,2,128,"aes-serpent","xts-plain64",
+ {{"aes", 64,16, 0,64,0},
+ {"serpent",64,16,32,96,0}}},
+{0,3,192,"aes-twofish-serpent","xts-plain64",
+ {{"aes", 64,16, 0, 96,0},
+ {"twofish",64,16,32,128,0},
+ {"serpent",64,16,64,160,0}}},
+{0,2,128,"serpent-twofish","xts-plain64",
+ {{"serpent",64,16, 0,64,0},
+ {"twofish",64,16,32,96,0}}},
+
+/* LRW mode */
+{0,1,48,"aes","lrw-benbi",
+ {{"aes", 48,16,32,0,0}}},
+{0,1,48,"serpent","lrw-benbi",
+ {{"serpent",48,16,32,0,0}}},
+{0,1,48,"twofish","lrw-benbi",
+ {{"twofish",48,16,32,0,0}}},
+{0,2,96,"twofish-aes","lrw-benbi",
+ {{"twofish",48,16,32,0,0},
+ {"aes", 48,16,64,0,0}}},
+{0,3,144,"serpent-twofish-aes","lrw-benbi",
+ {{"serpent",48,16,32,0,0},
+ {"twofish",48,16,64,0,0},
+ {"aes", 48,16,96,0,0}}},
+{0,2,96,"aes-serpent","lrw-benbi",
+ {{"aes", 48,16,32,0,0},
+ {"serpent",48,16,64,0,0}}},
+{0,3,144,"aes-twofish-serpent","lrw-benbi",
+ {{"aes", 48,16,32,0,0},
+ {"twofish",48,16,64,0,0},
+ {"serpent",48,16,96,0,0}}},
+{0,2,96,"serpent-twofish", "lrw-benbi",
+ {{"serpent",48,16,32,0,0},
+ {"twofish",48,16,64,0,0}}},
+
+/* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
+ * thus cannot be used with blowfish where block is 8 bytes.
+ * There also no GF(2^64) support.
+{1,1,64,"blowfish_le","lrw-benbi",
+ {{"blowfish_le",64,8,32,0,0}}},
+{1,2,112,"blowfish_le-aes","lrw-benbi",
+ {{"blowfish_le",64, 8,32,0,0},
+ {"aes", 48,16,88,0,0}}},
+{1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
+ {{"serpent", 48,16, 32,0,0},
+ {"blowfish_le",64, 8, 64,0,0},
+ {"aes", 48,16,120,0,0}}},*/
+
+/*
+ * CBC + "outer" CBC (both with whitening)
+ * chain_key_size: alg_keys_bytes + IV_seed_bytes + whitening_bytes
+ */
+{1,1,32+16+16,"aes","cbc-tcw",
+ {{"aes", 32,16,32,0,32}}},
+{1,1,32+16+16,"serpent","cbc-tcw",
+ {{"serpent",32,16,32,0,32}}},
+{1,1,32+16+16,"twofish","cbc-tcw",
+ {{"twofish",32,16,32,0,32}}},
+{1,2,64+16+16,"twofish-aes","cbci-tcrypt",
+ {{"twofish",32,16,32,0,0},
+ {"aes", 32,16,64,0,32}}},
+{1,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
+ {{"serpent",32,16,32,0,0},
+ {"twofish",32,16,64,0,0},
+ {"aes", 32,16,96,0,32}}},
+{1,2,64+16+16,"aes-serpent","cbci-tcrypt",
+ {{"aes", 32,16,32,0,0},
+ {"serpent",32,16,64,0,32}}},
+{1,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
+ {{"aes", 32,16,32,0,0},
+ {"twofish",32,16,64,0,0},
+ {"serpent",32,16,96,0,32}}},
+{1,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
+ {{"serpent",32,16,32,0,0},
+ {"twofish",32,16,64,0,32}}},
+{1,1,16+8+16,"cast5","cbc-tcw",
+ {{"cast5", 16,8,32,0,24}}},
+{1,1,24+8+16,"des3_ede","cbc-tcw",
+ {{"des3_ede",24,8,32,0,24}}},
+{1,1,56+8+16,"blowfish_le","cbc-tcrypt",
+ {{"blowfish_le",56,8,32,0,24}}},
+{1,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
+ {{"blowfish_le",56, 8,32,0,0},
+ {"aes", 32,16,88,0,32}}},
+{1,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
+ {{"serpent", 32,16, 32,0,0},
+ {"blowfish_le",56, 8, 64,0,0},
+ {"aes", 32,16,120,0,32}}},
+{}
+};
+
+static int TCRYPT_hdr_from_disk(struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params,
+ int kdf_index, int cipher_index)
+{
+ uint32_t crc32;
+ size_t size;
+
+ /* Check CRC32 of header */
+ size = TCRYPT_HDR_LEN - sizeof(hdr->d.keys) - sizeof(hdr->d.header_crc32);
+ crc32 = crypt_crc32(~0, (unsigned char*)&hdr->d, size) ^ ~0;
+ if (be16_to_cpu(hdr->d.version) > 3 &&
+ crc32 != be32_to_cpu(hdr->d.header_crc32)) {
+ log_dbg("TCRYPT header CRC32 mismatch.");
+ return -EINVAL;
+ }
+
+ /* Check CRC32 of keys */
+ crc32 = crypt_crc32(~0, (unsigned char*)hdr->d.keys, sizeof(hdr->d.keys)) ^ ~0;
+ if (crc32 != be32_to_cpu(hdr->d.keys_crc32)) {
+ log_dbg("TCRYPT keys CRC32 mismatch.");
+ return -EINVAL;
+ }
+
+ /* Convert header to cpu format */
+ hdr->d.version = be16_to_cpu(hdr->d.version);
+ hdr->d.version_tc = be16_to_cpu(hdr->d.version_tc);
+
+ hdr->d.keys_crc32 = be32_to_cpu(hdr->d.keys_crc32);
+
+ hdr->d.hidden_volume_size = be64_to_cpu(hdr->d.hidden_volume_size);
+ hdr->d.volume_size = be64_to_cpu(hdr->d.volume_size);
+
+ hdr->d.mk_offset = be64_to_cpu(hdr->d.mk_offset);
+ if (!hdr->d.mk_offset)
+ hdr->d.mk_offset = 512;
+
+ hdr->d.mk_size = be64_to_cpu(hdr->d.mk_size);
+
+ hdr->d.flags = be32_to_cpu(hdr->d.flags);
+
+ hdr->d.sector_size = be32_to_cpu(hdr->d.sector_size);
+ if (!hdr->d.sector_size)
+ hdr->d.sector_size = 512;
+
+ hdr->d.header_crc32 = be32_to_cpu(hdr->d.header_crc32);
+
+ /* Set params */
+ params->passphrase = NULL;
+ params->passphrase_size = 0;
+ params->hash_name = tcrypt_kdf[kdf_index].hash;
+ params->key_size = tcrypt_cipher[cipher_index].chain_key_size;
+ params->cipher = tcrypt_cipher[cipher_index].long_name;
+ params->mode = tcrypt_cipher[cipher_index].mode;
+
+ return 0;
+}
+
+/*
+ * Kernel implements just big-endian version of blowfish, hack it here
+ */
+static void TCRYPT_swab_le(char *buf)
+{
+ uint32_t *l = (uint32_t*)&buf[0];
+ uint32_t *r = (uint32_t*)&buf[4];
+ *l = swab32(*l);
+ *r = swab32(*r);
+}
+
+static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
+ const char *key, char *buf)
+{
+ int bs = alg->iv_size;
+ char iv[bs], iv_old[bs];
+ struct crypt_cipher *cipher = NULL;
+ int i, j, r;
+
+ assert(bs == 2*sizeof(uint32_t));
+
+ r = crypt_cipher_init(&cipher, "blowfish", "ecb",
+ &key[alg->key_offset], alg->key_size);
+ if (r < 0)
+ return r;
+
+ memcpy(iv, &key[alg->iv_offset], alg->iv_size);
+ for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
+ memcpy(iv_old, &buf[i], bs);
+ TCRYPT_swab_le(&buf[i]);
+ r = crypt_cipher_decrypt(cipher, &buf[i], &buf[i],
+ bs, NULL, 0);
+ TCRYPT_swab_le(&buf[i]);
+ if (r < 0)
+ break;
+ for (j = 0; j < bs; j++)
+ buf[i + j] ^= iv[j];
+ memcpy(iv, iv_old, bs);
+ }
+
+ crypt_cipher_destroy(cipher);
+ crypt_memzero(iv, bs);
+ crypt_memzero(iv_old, bs);
+ return r;
+}
+
+static void TCRYPT_remove_whitening(char *buf, const char *key)
+{
+ int j;
+
+ for (j = 0; j < TCRYPT_HDR_LEN; j++)
+ buf[j] ^= key[j % 8];
+}
+
+static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
+ char *out_key, const char *key)
+{
+ int ks2;
+ if (!strncmp(mode, "xts", 3)) {
+ ks2 = alg->key_size / 2;
+ memcpy(out_key, &key[alg->key_offset], ks2);
+ memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
+ } else if (!strncmp(mode, "lrw", 3)) {
+ ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
+ memcpy(out_key, &key[alg->key_offset], ks2);
+ memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
+ } else if (!strncmp(mode, "cbc", 3)) {
+ memcpy(out_key, &key[alg->key_offset], alg->key_size);
+ /* IV + whitening */
+ memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
+ alg->key_extra_size);
+ }
+}
+
+static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
+ const char *key,struct tcrypt_phdr *hdr)
+{
+ char backend_key[TCRYPT_HDR_KEY_LEN];
+ char iv[TCRYPT_HDR_IV_LEN] = {};
+ char mode_name[MAX_CIPHER_LEN + 1];
+ struct crypt_cipher *cipher;
+ char *c, *buf = (char*)&hdr->e;
+ int r;
+
+ /* Remove IV if present */
+ mode_name[MAX_CIPHER_LEN] = '\0';
+ strncpy(mode_name, mode, MAX_CIPHER_LEN);
+ c = strchr(mode_name, '-');
+ if (c)
+ *c = '\0';
+
+ if (!strncmp(mode, "lrw", 3))
+ iv[alg->iv_size - 1] = 1;
+ else if (!strncmp(mode, "cbc", 3)) {
+ TCRYPT_remove_whitening(buf, &key[8]);
+ if (!strcmp(alg->name, "blowfish_le"))
+ return decrypt_blowfish_le_cbc(alg, key, buf);
+ memcpy(iv, &key[alg->iv_offset], alg->iv_size);
+ }
+
+ TCRYPT_copy_key(alg, mode, backend_key, key);
+ r = crypt_cipher_init(&cipher, alg->name, mode_name,
+ backend_key, alg->key_size);
+ if (!r) {
+ r = crypt_cipher_decrypt(cipher, buf, buf, TCRYPT_HDR_LEN,
+ iv, alg->iv_size);
+ crypt_cipher_destroy(cipher);
+ }
+
+ crypt_memzero(backend_key, sizeof(backend_key));
+ crypt_memzero(iv, TCRYPT_HDR_IV_LEN);
+ return r;
+}
+
+/*
+ * For chanined ciphers and CBC mode we need "outer" decryption.
+ * Backend doesn't provide this, so implement it here directly using ECB.
+ */
+static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
+ const char *key, struct tcrypt_phdr *hdr)
+{
+ struct crypt_cipher *cipher[ciphers->chain_count];
+ unsigned int bs = ciphers->cipher[0].iv_size;
+ char *buf = (char*)&hdr->e, iv[bs], iv_old[bs];
+ unsigned int i, j;
+ int r = -EINVAL;
+
+ TCRYPT_remove_whitening(buf, &key[8]);
+
+ memcpy(iv, &key[ciphers->cipher[0].iv_offset], bs);
+
+ /* Initialize all ciphers in chain in ECB mode */
+ for (j = 0; j < ciphers->chain_count; j++)
+ cipher[j] = NULL;
+ for (j = 0; j < ciphers->chain_count; j++) {
+ r = crypt_cipher_init(&cipher[j], ciphers->cipher[j].name, "ecb",
+ &key[ciphers->cipher[j].key_offset],
+ ciphers->cipher[j].key_size);
+ if (r < 0)
+ goto out;
+ }
+
+ /* Implements CBC with chained ciphers in loop inside */
+ for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
+ memcpy(iv_old, &buf[i], bs);
+ for (j = ciphers->chain_count; j > 0; j--) {
+ r = crypt_cipher_decrypt(cipher[j - 1], &buf[i], &buf[i],
+ bs, NULL, 0);
+ if (r < 0)
+ goto out;
+ }
+ for (j = 0; j < bs; j++)
+ buf[i + j] ^= iv[j];
+ memcpy(iv, iv_old, bs);
+ }
+out:
+ for (j = 0; j < ciphers->chain_count; j++)
+ if (cipher[j])
+ crypt_cipher_destroy(cipher[j]);
+
+ crypt_memzero(iv, bs);
+ crypt_memzero(iv_old, bs);
+ return r;
+}
+
+static int TCRYPT_decrypt_hdr(struct crypt_device *cd, struct tcrypt_phdr *hdr,
+ const char *key, uint32_t flags)
+{
+ struct tcrypt_phdr hdr2;
+ int i, j, r = -EINVAL;
+
+ for (i = 0; tcrypt_cipher[i].chain_count; i++) {
+ if (!(flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_cipher[i].legacy)
+ continue;
+ log_dbg("TCRYPT: trying cipher %s-%s",
+ tcrypt_cipher[i].long_name, tcrypt_cipher[i].mode);
+
+ memcpy(&hdr2.e, &hdr->e, TCRYPT_HDR_LEN);
+
+ if (!strncmp(tcrypt_cipher[i].mode, "cbci", 4))
+ r = TCRYPT_decrypt_cbci(&tcrypt_cipher[i], key, &hdr2);
+ else for (j = tcrypt_cipher[i].chain_count - 1; j >= 0 ; j--) {
+ if (!tcrypt_cipher[i].cipher[j].name)
+ continue;
+ r = TCRYPT_decrypt_hdr_one(&tcrypt_cipher[i].cipher[j],
+ tcrypt_cipher[i].mode, key, &hdr2);
+ if (r < 0)
+ break;
+ }
+
+ if (r < 0) {
+ log_dbg("TCRYPT: returned error %d, skipped.", r);
+ if (r == -ENOTSUP)
+ break;
+ r = -ENOENT;
+ continue;
+ }
+
+ if (!strncmp(hdr2.d.magic, TCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
+ log_dbg("TCRYPT: Signature magic detected.");
+ memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
+ r = i;
+ break;
+ }
+ if ((flags & CRYPT_TCRYPT_VERA_MODES) &&
+ !strncmp(hdr2.d.magic, VCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
+ log_dbg("TCRYPT: Signature magic detected (Veracrypt).");
+ memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
+ r = i;
+ break;
+ }
+ r = -EPERM;
+ }
+
+ crypt_memzero(&hdr2, sizeof(hdr2));
+ return r;
+}
+
+static int TCRYPT_pool_keyfile(struct crypt_device *cd,
+ unsigned char pool[TCRYPT_KEY_POOL_LEN],
+ const char *keyfile)
+{
+ unsigned char data[TCRYPT_KEYFILE_LEN];
+ int i, j, fd, data_size;
+ uint32_t crc;
+
+ log_dbg("TCRYPT: using keyfile %s.", keyfile);
+
+ fd = open(keyfile, O_RDONLY);
+ if (fd < 0) {
+ log_err(cd, _("Failed to open key file.\n"));
+ return -EIO;
+ }
+
+ data_size = read_buffer(fd, data, TCRYPT_KEYFILE_LEN);
+ close(fd);
+ if (data_size < 0) {
+ log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
+ return -EIO;
+ }
+
+ for (i = 0, j = 0, crc = ~0U; i < data_size; i++) {
+ crc = crypt_crc32(crc, &data[i], 1);
+ pool[j++] += (unsigned char)(crc >> 24);
+ pool[j++] += (unsigned char)(crc >> 16);
+ pool[j++] += (unsigned char)(crc >> 8);
+ pool[j++] += (unsigned char)(crc);
+ j %= TCRYPT_KEY_POOL_LEN;
+ }
+
+ crypt_memzero(&crc, sizeof(crc));
+ crypt_memzero(data, TCRYPT_KEYFILE_LEN);
+
+ return 0;
+}
+
+static int TCRYPT_init_hdr(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params)
+{
+ unsigned char pwd[TCRYPT_KEY_POOL_LEN] = {};
+ size_t passphrase_size;
+ char *key;
+ unsigned int i, skipped = 0;
+ int r = -EPERM;
+
+ if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
+ return -ENOMEM;
+
+ if (params->keyfiles_count)
+ passphrase_size = TCRYPT_KEY_POOL_LEN;
+ else
+ passphrase_size = params->passphrase_size;
+
+ if (params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
+ log_err(cd, _("Maximum TCRYPT passphrase length (%d) exceeded.\n"),
+ TCRYPT_KEY_POOL_LEN);
+ goto out;
+ }
+
+ /* Calculate pool content from keyfiles */
+ for (i = 0; i < params->keyfiles_count; i++) {
+ r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
+ if (r < 0)
+ goto out;
+ }
+
+ /* If provided password, combine it with pool */
+ for (i = 0; i < params->passphrase_size; i++)
+ pwd[i] += params->passphrase[i];
+
+ for (i = 0; tcrypt_kdf[i].name; i++) {
+ if (!(params->flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_kdf[i].legacy)
+ continue;
+ if (!(params->flags & CRYPT_TCRYPT_VERA_MODES) && tcrypt_kdf[i].veracrypt)
+ continue;
+ if ((params->flags & CRYPT_TCRYPT_VERA_MODES) && params->veracrypt_pim) {
+ /* adjust iterations to given PIM cmdline parameter */
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+ tcrypt_kdf[i].iterations = params->veracrypt_pim * 2048;
+ else
+ tcrypt_kdf[i].iterations = 15000 + (params->veracrypt_pim * 1000);
+ }
+
+ /* Derive header key */
+ log_dbg("TCRYPT: trying KDF: %s-%s-%d.",
+ tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations);
+ r = crypt_pbkdf(tcrypt_kdf[i].name, tcrypt_kdf[i].hash,
+ (char*)pwd, passphrase_size,
+ hdr->salt, TCRYPT_HDR_SALT_LEN,
+ key, TCRYPT_HDR_KEY_LEN,
+ tcrypt_kdf[i].iterations);
+ if (r < 0 && crypt_hash_size(tcrypt_kdf[i].hash) < 0) {
+ log_verbose(cd, _("PBKDF2 hash algorithm %s not available, skipping.\n"),
+ tcrypt_kdf[i].hash);
+ continue;
+ }
+ if (r < 0)
+ break;
+
+ /* Decrypt header */
+ r = TCRYPT_decrypt_hdr(cd, hdr, key, params->flags);
+ if (r == -ENOENT) {
+ skipped++;
+ r = -EPERM;
+ }
+ if (r != -EPERM)
+ break;
+ }
+
+ if ((r < 0 && r != -EPERM && skipped && skipped == i) || r == -ENOTSUP) {
+ log_err(cd, _("Required kernel crypto interface not available.\n"));
+#ifdef ENABLE_AF_ALG
+ log_err(cd, _("Ensure you have algif_skcipher kernel module loaded.\n"));
+#endif
+ }
+ if (r < 0)
+ goto out;
+
+ r = TCRYPT_hdr_from_disk(hdr, params, i, r);
+ if (!r) {
+ log_dbg("TCRYPT: Magic: %s, Header version: %d, req. %d, sector %d"
+ ", mk_offset %" PRIu64 ", hidden_size %" PRIu64
+ ", volume size %" PRIu64, tcrypt_kdf[i].veracrypt ?
+ VCRYPT_HDR_MAGIC : TCRYPT_HDR_MAGIC,
+ (int)hdr->d.version, (int)hdr->d.version_tc, (int)hdr->d.sector_size,
+ hdr->d.mk_offset, hdr->d.hidden_volume_size, hdr->d.volume_size);
+ log_dbg("TCRYPT: Header cipher %s-%s, key size %zu",
+ params->cipher, params->mode, params->key_size);
+ }
+out:
+ crypt_memzero(pwd, TCRYPT_KEY_POOL_LEN);
+ if (key)
+ crypt_memzero(key, TCRYPT_HDR_KEY_LEN);
+ free(key);
+ return r;
+}
+
+int TCRYPT_read_phdr(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params)
+{
+ struct device *base_device, *device = crypt_metadata_device(cd);
+ ssize_t hdr_size = sizeof(struct tcrypt_phdr);
+ char *base_device_path;
+ int devfd = 0, r, bs;
+
+ assert(sizeof(struct tcrypt_phdr) == 512);
+
+ log_dbg("Reading TCRYPT header of size %zu bytes from device %s.",
+ hdr_size, device_path(device));
+
+ bs = device_block_size(device);
+ if (bs < 0)
+ return bs;
+
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER &&
+ crypt_dev_is_partition(device_path(device))) {
+ base_device_path = crypt_get_base_device(device_path(device));
+
+ log_dbg("Reading TCRYPT system header from device %s.", base_device_path ?: "?");
+ if (!base_device_path)
+ return -EINVAL;
+
+ r = device_alloc(&base_device, base_device_path);
+ free(base_device_path);
+ if (r < 0)
+ return r;
+ devfd = device_open(base_device, O_RDONLY);
+ device_free(base_device);
+ } else
+ devfd = device_open(device, O_RDONLY);
+
+ if (devfd < 0) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(device));
+ return -EINVAL;
+ }
+
+ r = -EIO;
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
+ TCRYPT_HDR_SYSTEM_OFFSET) == hdr_size) {
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ }
+ } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+ if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
+ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
+ TCRYPT_HDR_HIDDEN_OFFSET_BCK) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ } else {
+ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
+ TCRYPT_HDR_HIDDEN_OFFSET) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ if (r && read_lseek_blockwise(devfd, bs, hdr, hdr_size,
+ TCRYPT_HDR_HIDDEN_OFFSET_OLD) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ }
+ } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
+ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
+ TCRYPT_HDR_OFFSET_BCK) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+
+ close(devfd);
+ if (r < 0)
+ memset(hdr, 0, sizeof (*hdr));
+ return r;
+}
+
+static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
+{
+ int i;
+
+ if (!cipher || !mode)
+ return NULL;
+
+ for (i = 0; tcrypt_cipher[i].chain_count; i++)
+ if (!strcmp(tcrypt_cipher[i].long_name, cipher) &&
+ !strcmp(tcrypt_cipher[i].mode, mode))
+ return &tcrypt_cipher[i];
+
+ return NULL;
+}
+
+int TCRYPT_activate(struct crypt_device *cd,
+ const char *name,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params,
+ uint32_t flags)
+{
+ char cipher[MAX_CIPHER_LEN], dm_name[PATH_MAX], dm_dev_name[PATH_MAX];
+ char *part_path;
+ struct device *device = NULL, *part_device = NULL;
+ unsigned int i;
+ int r;
+ uint32_t req_flags;
+ struct tcrypt_algs *algs;
+ enum devcheck device_check;
+ struct crypt_dm_active_device dmd = {
+ .target = DM_CRYPT,
+ .size = 0,
+ .data_device = crypt_data_device(cd),
+ .u.crypt = {
+ .cipher = cipher,
+ .offset = crypt_get_data_offset(cd),
+ .iv_offset = crypt_get_iv_offset(cd),
+ }
+ };
+
+ if (!hdr->d.version) {
+ log_dbg("TCRYPT: this function is not supported without encrypted header load.");
+ return -ENOTSUP;
+ }
+
+ if (hdr->d.sector_size && hdr->d.sector_size != SECTOR_SIZE) {
+ log_err(cd, _("Activation is not supported for %d sector size.\n"),
+ hdr->d.sector_size);
+ return -ENOTSUP;
+ }
+
+ if (strstr(params->mode, "-tcrypt")) {
+ log_err(cd, _("Kernel doesn't support activation for this TCRYPT legacy mode.\n"));
+ return -ENOTSUP;
+ }
+
+ if (strstr(params->mode, "-tcw"))
+ req_flags = DM_TCW_SUPPORTED;
+ else
+ req_flags = DM_PLAIN64_SUPPORTED;
+
+ algs = TCRYPT_get_algs(params->cipher, params->mode);
+ if (!algs)
+ return -EINVAL;
+
+ if (hdr->d.sector_size == 0)
+ return -EINVAL;
+
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+ dmd.size = 0;
+ else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
+ dmd.size = hdr->d.hidden_volume_size / hdr->d.sector_size;
+ else
+ dmd.size = hdr->d.volume_size / hdr->d.sector_size;
+
+ if (dmd.flags & CRYPT_ACTIVATE_SHARED)
+ device_check = DEV_SHARED;
+ else
+ device_check = DEV_EXCL;
+
+ if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
+ !crypt_dev_is_partition(device_path(dmd.data_device))) {
+ part_path = crypt_get_partition_device(device_path(dmd.data_device),
+ dmd.u.crypt.offset, dmd.size);
+ if (part_path) {
+ if (!device_alloc(&part_device, part_path)) {
+ log_verbose(cd, _("Activating TCRYPT system encryption for partition %s.\n"),
+ part_path);
+ dmd.data_device = part_device;
+ dmd.u.crypt.offset = 0;
+ }
+ free(part_path);
+ } else
+ /*
+ * System encryption use the whole device mapping, there can
+ * be active partitions.
+ */
+ device_check = DEV_SHARED;
+ }
+
+ r = device_block_adjust(cd, dmd.data_device, device_check,
+ dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ if (r) {
+ device_free(part_device);
+ return r;
+ }
+
+ /* Frome here, key size for every cipher must be the same */
+ dmd.u.crypt.vk = crypt_alloc_volume_key(algs->cipher[0].key_size +
+ algs->cipher[0].key_extra_size, NULL);
+ if (!dmd.u.crypt.vk) {
+ device_free(part_device);
+ return -ENOMEM;
+ }
+
+ for (i = algs->chain_count; i > 0; i--) {
+ if (i == 1) {
+ dm_name[sizeof(dm_name)-1] = '\0';
+ strncpy(dm_name, name, sizeof(dm_name)-1);
+ dmd.flags = flags;
+ } else {
+ snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
+ dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
+ }
+
+ snprintf(cipher, sizeof(cipher), "%s-%s",
+ algs->cipher[i-1].name, algs->mode);
+
+ TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
+ dmd.u.crypt.vk->key, hdr->d.keys);
+
+ if (algs->chain_count != i) {
+ snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d",
+ dm_get_dir(), name, i);
+ r = device_alloc(&device, dm_dev_name);
+ if (r)
+ break;
+ dmd.data_device = device;
+ dmd.u.crypt.offset = 0;
+ }
+
+ log_dbg("Trying to activate TCRYPT device %s using cipher %s.",
+ dm_name, dmd.u.crypt.cipher);
+ r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd, 0);
+
+ device_free(device);
+ device = NULL;
+
+ if (r)
+ break;
+ }
+
+ if (r < 0 && !(dm_flags() & req_flags)) {
+ log_err(cd, _("Kernel doesn't support TCRYPT compatible mapping.\n"));
+ r = -ENOTSUP;
+ }
+
+ device_free(part_device);
+ crypt_free_volume_key(dmd.u.crypt.vk);
+ return r;
+}
+
+static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
+ const char *base_uuid, int index)
+{
+ struct crypt_dm_active_device dmd = {};
+ char dm_name[PATH_MAX];
+ int r;
+
+ if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
+ return -ENOMEM;
+
+ r = dm_status_device(cd, dm_name);
+ if (r < 0)
+ return r;
+
+ r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
+ if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
+ r = dm_remove_device(cd, dm_name, 0, 0);
+
+ free(CONST_CAST(void*)dmd.uuid);
+ return r;
+}
+
+int TCRYPT_deactivate(struct crypt_device *cd, const char *name)
+{
+ struct crypt_dm_active_device dmd = {};
+ int r;
+
+ r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
+ if (r < 0)
+ return r;
+ if (!dmd.uuid)
+ return -EINVAL;
+
+ r = dm_remove_device(cd, name, 0, 0);
+ if (r < 0)
+ goto out;
+
+ r = TCRYPT_remove_one(cd, name, dmd.uuid, 1);
+ if (r < 0)
+ goto out;
+
+ r = TCRYPT_remove_one(cd, name, dmd.uuid, 2);
+ if (r < 0)
+ goto out;
+out:
+ free(CONST_CAST(void*)dmd.uuid);
+ return (r == -ENODEV) ? 0 : r;
+}
+
+static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
+ const char *base_uuid, int index,
+ size_t *key_size, char *cipher,
+ uint64_t *data_offset, struct device **device)
+{
+ struct crypt_dm_active_device dmd = {};
+ char dm_name[PATH_MAX], *c;
+ int r;
+
+ if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
+ return -ENOMEM;
+
+ r = dm_status_device(cd, dm_name);
+ if (r < 0)
+ return r;
+
+ r = dm_query_device(cd, dm_name, DM_ACTIVE_DEVICE |
+ DM_ACTIVE_UUID |
+ DM_ACTIVE_CRYPT_CIPHER |
+ DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
+ if (r > 0)
+ r = 0;
+ if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
+ if ((c = strchr(dmd.u.crypt.cipher, '-')))
+ *c = '\0';
+ strcat(cipher, "-");
+ strncat(cipher, dmd.u.crypt.cipher, MAX_CIPHER_LEN);
+ *key_size += dmd.u.crypt.vk->keylength;
+ *data_offset = dmd.u.crypt.offset * SECTOR_SIZE;
+ device_free(*device);
+ *device = dmd.data_device;
+ } else {
+ device_free(dmd.data_device);
+ r = -ENODEV;
+ }
+
+ free(CONST_CAST(void*)dmd.uuid);
+ free(CONST_CAST(void*)dmd.u.crypt.cipher);
+ crypt_free_volume_key(dmd.u.crypt.vk);
+ return r;
+}
+
+int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
+ const struct crypt_dm_active_device *dmd,
+ struct device **device,
+ struct crypt_params_tcrypt *tcrypt_params,
+ struct tcrypt_phdr *tcrypt_hdr)
+{
+ struct tcrypt_algs *algs;
+ char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN+1], *tmp;
+ size_t key_size;
+ int r;
+
+ memset(tcrypt_params, 0, sizeof(*tcrypt_params));
+ memset(tcrypt_hdr, 0, sizeof(*tcrypt_hdr));
+ tcrypt_hdr->d.sector_size = SECTOR_SIZE;
+ tcrypt_hdr->d.mk_offset = dmd->u.crypt.offset * SECTOR_SIZE;
+
+ strncpy(cipher, dmd->u.crypt.cipher, MAX_CIPHER_LEN);
+ tmp = strchr(cipher, '-');
+ if (!tmp)
+ return -EINVAL;
+ *tmp = '\0';
+ mode[MAX_CIPHER_LEN] = '\0';
+ strncpy(mode, ++tmp, MAX_CIPHER_LEN);
+
+ key_size = dmd->u.crypt.vk->keylength;
+ r = TCRYPT_status_one(cd, name, dmd->uuid, 1, &key_size,
+ cipher, &tcrypt_hdr->d.mk_offset, device);
+ if (!r)
+ r = TCRYPT_status_one(cd, name, dmd->uuid, 2, &key_size,
+ cipher, &tcrypt_hdr->d.mk_offset, device);
+
+ if (r < 0 && r != -ENODEV)
+ return r;
+
+ algs = TCRYPT_get_algs(cipher, mode);
+ if (!algs || key_size != algs->chain_key_size)
+ return -EINVAL;
+
+ tcrypt_params->key_size = algs->chain_key_size;
+ tcrypt_params->cipher = algs->long_name;
+ tcrypt_params->mode = algs->mode;
+ return 0;
+}
+
+uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params)
+{
+ uint64_t size;
+
+ /* No real header loaded, initialized by active device */
+ if (!hdr->d.version)
+ goto hdr_offset;
+
+ /* Mapping through whole device, not partition! */
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+ if (crypt_dev_is_partition(device_path(crypt_metadata_device(cd))))
+ return 0;
+ goto hdr_offset;
+ }
+
+ if (params->mode && !strncmp(params->mode, "xts", 3)) {
+ if (hdr->d.version < 3)
+ return 1;
+
+ if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+ if (hdr->d.version > 3)
+ return (hdr->d.mk_offset / hdr->d.sector_size);
+ if (device_size(crypt_metadata_device(cd), &size) < 0)
+ return 0;
+ return (size - hdr->d.hidden_volume_size +
+ (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
+ }
+ goto hdr_offset;
+ }
+
+ if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+ if (device_size(crypt_metadata_device(cd), &size) < 0)
+ return 0;
+ return (size - hdr->d.hidden_volume_size +
+ (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
+ }
+
+hdr_offset:
+ return hdr->d.mk_offset / hdr->d.sector_size;
+}
+
+uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params)
+{
+ uint64_t iv_offset;
+
+ if (params->mode && !strncmp(params->mode, "xts", 3))
+ iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
+ else if (params->mode && !strncmp(params->mode, "lrw", 3))
+ iv_offset = 0;
+ else
+ iv_offset = hdr->d.mk_offset / hdr->d.sector_size;
+
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+ iv_offset += crypt_dev_partition_offset(device_path(crypt_metadata_device(cd)));
+
+ return iv_offset;
+}
+
+int TCRYPT_get_volume_key(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params,
+ struct volume_key **vk)
+{
+ struct tcrypt_algs *algs;
+ unsigned int i, key_index;
+
+ if (!hdr->d.version) {
+ log_err(cd, _("This function is not supported without TCRYPT header load."));
+ return -ENOTSUP;
+ }
+
+ algs = TCRYPT_get_algs(params->cipher, params->mode);
+ if (!algs)
+ return -EINVAL;
+
+ *vk = crypt_alloc_volume_key(params->key_size, NULL);
+ if (!*vk)
+ return -ENOMEM;
+
+ for (i = 0, key_index = 0; i < algs->chain_count; i++) {
+ TCRYPT_copy_key(&algs->cipher[i], algs->mode,
+ &(*vk)->key[key_index], hdr->d.keys);
+ key_index += algs->cipher[i].key_size;
+ }
+
+ return 0;
+}
+
+int TCRYPT_dump(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params)
+{
+ log_std(cd, "%s header information for %s\n",
+ hdr->d.magic[0] == 'T' ? "TCRYPT" : "VERACRYPT",
+ device_path(crypt_metadata_device(cd)));
+ if (hdr->d.version) {
+ log_std(cd, "Version: \t%d\n", hdr->d.version);
+ log_std(cd, "Driver req.:\t%x.%x\n", hdr->d.version_tc >> 8,
+ hdr->d.version_tc & 0xFF);
+
+ log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
+ log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
+ log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
+ }
+ log_std(cd, "Cipher chain:\t%s\n", params->cipher);
+ log_std(cd, "Cipher mode:\t%s\n", params->mode);
+ log_std(cd, "MK bits: \t%zu\n", params->key_size * 8);
+ return 0;
+}
diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h
new file mode 100644
index 0000000..7ad8db3
--- /dev/null
+++ b/lib/tcrypt/tcrypt.h
@@ -0,0 +1,115 @@
+/*
+ * TCRYPT (TrueCrypt-compatible) header defitinion
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "libcryptsetup.h"
+
+#ifndef _CRYPTSETUP_TCRYPT_H
+#define _CRYPTSETUP_TCRYPT_H
+
+#define TCRYPT_HDR_SALT_LEN 64
+#define TCRYPT_HDR_IV_LEN 16
+#define TCRYPT_HDR_LEN 448
+#define TCRYPT_HDR_KEY_LEN 192
+#define TCRYPT_HDR_MAGIC "TRUE"
+#define VCRYPT_HDR_MAGIC "VERA"
+#define TCRYPT_HDR_MAGIC_LEN 4
+
+#define TCRYPT_HDR_HIDDEN_OFFSET_OLD -1536
+#define TCRYPT_HDR_HIDDEN_OFFSET 65536
+
+#define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
+#define TCRYPT_HDR_OFFSET_BCK -131072
+
+#define TCRYPT_HDR_SYSTEM_OFFSET 31744
+
+#define TCRYPT_LRW_IKEY_LEN 16
+#define TCRYPT_KEY_POOL_LEN 64
+#define TCRYPT_KEYFILE_LEN 1048576
+
+#define TCRYPT_HDR_FLAG_SYSTEM (1 << 0)
+#define TCRYPT_HDR_FLAG_NONSYSTEM (1 << 1)
+
+struct tcrypt_phdr {
+ char salt[TCRYPT_HDR_SALT_LEN];
+
+ /* encrypted part, TCRYPT_HDR_LEN bytes */
+ union {
+ struct __attribute__((__packed__)) {
+ char magic[TCRYPT_HDR_MAGIC_LEN];
+ uint16_t version;
+ uint16_t version_tc;
+ uint32_t keys_crc32;
+ uint64_t _reserved1[2]; /* data/header ctime */
+ uint64_t hidden_volume_size;
+ uint64_t volume_size;
+ uint64_t mk_offset;
+ uint64_t mk_size;
+ uint32_t flags;
+ uint32_t sector_size;
+ uint8_t _reserved2[120];
+ uint32_t header_crc32;
+ char keys[256];
+ } d;
+ char e[TCRYPT_HDR_LEN];
+ };
+} __attribute__((__packed__));
+
+struct crypt_dm_active_device;
+struct volume_key;
+struct device;
+
+int TCRYPT_read_phdr(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params);
+
+int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
+ const struct crypt_dm_active_device *dmd,
+ struct device **device,
+ struct crypt_params_tcrypt *tcrypt_params,
+ struct tcrypt_phdr *tcrypt_hdr);
+
+int TCRYPT_activate(struct crypt_device *cd,
+ const char *name,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params,
+ uint32_t flags);
+
+int TCRYPT_deactivate(struct crypt_device *cd,
+ const char *name);
+
+uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params);
+
+uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params);
+
+int TCRYPT_get_volume_key(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params,
+ struct volume_key **vk);
+
+int TCRYPT_dump(struct crypt_device *cd,
+ struct tcrypt_phdr *hdr,
+ struct crypt_params_tcrypt *params);
+
+#endif
diff --git a/lib/utils.c b/lib/utils.c
new file mode 100644
index 0000000..5eaa8e4
--- /dev/null
+++ b/lib/utils.c
@@ -0,0 +1,339 @@
+/*
+ * utils - miscellaneous device utilities for cryptsetup
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/resource.h>
+
+#include "internal.h"
+
+unsigned crypt_getpagesize(void)
+{
+ long r = sysconf(_SC_PAGESIZE);
+ return r < 0 ? DEFAULT_MEM_ALIGNMENT : r;
+}
+
+static size_t get_alignment(int fd)
+{
+ long alignment = DEFAULT_MEM_ALIGNMENT;
+
+#ifdef _PC_REC_XFER_ALIGN
+ alignment = fpathconf(fd, _PC_REC_XFER_ALIGN);
+ if (alignment < 0)
+ alignment = DEFAULT_MEM_ALIGNMENT;
+#endif
+ return (size_t)alignment;
+}
+
+ssize_t read_buffer(int fd, void *buf, size_t count)
+{
+ size_t read_size = 0;
+ ssize_t r;
+
+ if (fd < 0 || !buf)
+ return -EINVAL;
+
+ do {
+ r = read(fd, buf, count - read_size);
+ if (r == -1 && errno != EINTR)
+ return r;
+ if (r == 0)
+ return (ssize_t)read_size;
+ if (r > 0) {
+ read_size += (size_t)r;
+ buf = (uint8_t*)buf + r;
+ }
+ } while (read_size != count);
+
+ return (ssize_t)count;
+}
+
+ssize_t write_buffer(int fd, const void *buf, size_t count)
+{
+ size_t write_size = 0;
+ ssize_t w;
+
+ if (fd < 0 || !buf || !count)
+ return -EINVAL;
+
+ do {
+ w = write(fd, buf, count - write_size);
+ if (w < 0 && errno != EINTR)
+ return w;
+ if (w == 0)
+ return (ssize_t)write_size;
+ if (w > 0) {
+ write_size += (size_t) w;
+ buf = (const uint8_t*)buf + w;
+ }
+ } while (write_size != count);
+
+ return (ssize_t)write_size;
+}
+
+ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
+{
+ void *hangover_buf = NULL, *buf = NULL;
+ int r;
+ size_t alignment, hangover, solid;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !orig_buf || bsize <= 0)
+ return -1;
+
+ hangover = count % bsize;
+ solid = count - hangover;
+ alignment = get_alignment(fd);
+
+ if ((size_t)orig_buf & (alignment - 1)) {
+ if (posix_memalign(&buf, alignment, count))
+ return -1;
+ memcpy(buf, orig_buf, count);
+ } else
+ buf = orig_buf;
+
+ if (solid) {
+ r = write_buffer(fd, buf, solid);
+ if (r < 0 || r != (ssize_t)solid)
+ goto out;
+ }
+
+ if (hangover) {
+ if (posix_memalign(&hangover_buf, alignment, bsize))
+ goto out;
+
+ r = read_buffer(fd, hangover_buf, bsize);
+ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+
+ if (r < bsize)
+ bsize = r;
+
+ if (lseek(fd, -bsize, SEEK_CUR) < 0)
+ goto out;
+
+ memcpy(hangover_buf, (char*)buf + solid, hangover);
+
+ r = write_buffer(fd, hangover_buf, bsize);
+ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+ }
+ ret = count;
+out:
+ free(hangover_buf);
+ if (buf != orig_buf)
+ free(buf);
+ return ret;
+}
+
+ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count)
+{
+ void *hangover_buf = NULL, *buf = NULL;
+ int r;
+ size_t alignment, hangover, solid;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !orig_buf || bsize <= 0)
+ return -1;
+
+ hangover = count % bsize;
+ solid = count - hangover;
+ alignment = get_alignment(fd);
+
+ if ((size_t)orig_buf & (alignment - 1)) {
+ if (posix_memalign(&buf, alignment, count))
+ return -1;
+ } else
+ buf = orig_buf;
+
+ r = read_buffer(fd, buf, solid);
+ if (r < 0 || r != (ssize_t)solid)
+ goto out;
+
+ if (hangover) {
+ if (posix_memalign(&hangover_buf, alignment, bsize))
+ goto out;
+ r = read_buffer(fd, hangover_buf, bsize);
+ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+
+ memcpy((char *)buf + solid, hangover_buf, hangover);
+ }
+ ret = count;
+out:
+ free(hangover_buf);
+ if (buf != orig_buf) {
+ memcpy(orig_buf, buf, count);
+ free(buf);
+ }
+ return ret;
+}
+
+/*
+ * Combines llseek with blockwise write. write_blockwise can already deal with short writes
+ * but we also need a function to deal with short writes at the start. But this information
+ * is implicitly included in the read/write offset, which can not be set to non-aligned
+ * boundaries. Hence, we combine llseek with write.
+ */
+ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
+{
+ void *frontPadBuf = NULL;
+ int r, frontHang;
+ size_t innerCount = 0;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !buf || bsize <= 0)
+ return -1;
+
+ if (offset < 0)
+ offset = lseek(fd, offset, SEEK_END);
+
+ if (offset < 0)
+ return -1;
+
+ frontHang = offset % bsize;
+
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ return -1;
+
+ if (frontHang) {
+ if (posix_memalign(&frontPadBuf, get_alignment(fd), bsize))
+ return -1;
+
+ r = read_buffer(fd, frontPadBuf, bsize);
+ if (r < 0 || r != bsize)
+ goto out;
+
+ innerCount = bsize - frontHang;
+ if (innerCount > count)
+ innerCount = count;
+
+ memcpy(frontPadBuf + frontHang, buf, innerCount);
+
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ goto out;
+
+ r = write_buffer(fd, frontPadBuf, bsize);
+ if (r < 0 || r != bsize)
+ goto out;
+
+ buf = (char*)buf + innerCount;
+ count -= innerCount;
+ }
+
+ ret = count ? write_blockwise(fd, bsize, buf, count) : 0;
+ if (ret >= 0)
+ ret += innerCount;
+out:
+ free(frontPadBuf);
+ return ret;
+}
+
+ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
+{
+ void *frontPadBuf = NULL;
+ int r, frontHang;
+ size_t innerCount = 0;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !buf || bsize <= 0)
+ return -1;
+
+ if (offset < 0)
+ offset = lseek(fd, offset, SEEK_END);
+
+ if (offset < 0)
+ return -1;
+
+ frontHang = offset % bsize;
+
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ return -1;
+
+ if (frontHang) {
+ if (posix_memalign(&frontPadBuf, get_alignment(fd), bsize))
+ return -1;
+
+ r = read_buffer(fd, frontPadBuf, bsize);
+ if (r < 0 || r != bsize)
+ goto out;
+
+ innerCount = bsize - frontHang;
+ if (innerCount > count)
+ innerCount = count;
+
+ memcpy(buf, frontPadBuf + frontHang, innerCount);
+
+ buf = (char*)buf + innerCount;
+ count -= innerCount;
+ }
+
+ ret = read_blockwise(fd, bsize, buf, count);
+ if (ret >= 0)
+ ret += innerCount;
+out:
+ free(frontPadBuf);
+ return ret;
+}
+
+/* MEMLOCK */
+#define DEFAULT_PROCESS_PRIORITY -18
+
+static int _priority;
+static int _memlock_count = 0;
+
+// return 1 if memory is locked
+int crypt_memlock_inc(struct crypt_device *ctx)
+{
+ if (!_memlock_count++) {
+ log_dbg("Locking memory.");
+ if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
+ log_dbg("Cannot lock memory with mlockall.");
+ _memlock_count--;
+ return 0;
+ }
+ errno = 0;
+ if (((_priority = getpriority(PRIO_PROCESS, 0)) == -1) && errno)
+ log_err(ctx, _("Cannot get process priority.\n"));
+ else
+ if (setpriority(PRIO_PROCESS, 0, DEFAULT_PROCESS_PRIORITY))
+ log_dbg("setpriority %d failed: %s",
+ DEFAULT_PROCESS_PRIORITY, strerror(errno));
+ }
+ return _memlock_count ? 1 : 0;
+}
+
+int crypt_memlock_dec(struct crypt_device *ctx)
+{
+ if (_memlock_count && (!--_memlock_count)) {
+ log_dbg("Unlocking memory.");
+ if (munlockall() == -1)
+ log_err(ctx, _("Cannot unlock memory.\n"));
+ if (setpriority(PRIO_PROCESS, 0, _priority))
+ log_dbg("setpriority %d failed: %s", _priority, strerror(errno));
+ }
+ return _memlock_count ? 1 : 0;
+}
diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
new file mode 100644
index 0000000..bae40f6
--- /dev/null
+++ b/lib/utils_benchmark.c
@@ -0,0 +1,269 @@
+/*
+ * libcryptsetup - cryptsetup library, cipher bechmark
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+
+#include "internal.h"
+
+/*
+ * This is not simulating storage, so using disk block causes extreme overhead.
+ * Let's use some fixed block size where results are more reliable...
+ */
+#define CIPHER_BLOCK_BYTES 65536
+
+/*
+ * If the measured value is lower, encrypted buffer is probably too small
+ * and calculated values are not reliable.
+ */
+#define CIPHER_TIME_MIN_MS 0.001
+
+/*
+ * The whole test depends on Linux kernel usermode crypto API for now.
+ * (The same implementations are used in dm-crypt though.)
+ */
+
+struct cipher_perf {
+ char name[32];
+ char mode[32];
+ char *key;
+ size_t key_length;
+ char *iv;
+ size_t iv_length;
+ size_t buffer_size;
+};
+
+static int time_ms(struct timespec *start, struct timespec *end, double *ms)
+{
+ double start_ms, end_ms;
+
+ start_ms = start->tv_sec * 1000.0 + start->tv_nsec / (1000.0 * 1000);
+ end_ms = end->tv_sec * 1000.0 + end->tv_nsec / (1000.0 * 1000);
+
+ *ms = end_ms - start_ms;
+ return 0;
+}
+
+static int cipher_perf_one(struct cipher_perf *cp, char *buf,
+ size_t buf_size, int enc)
+{
+ struct crypt_cipher *cipher = NULL;
+ size_t done = 0, block = CIPHER_BLOCK_BYTES;
+ int r;
+
+ if (buf_size < block)
+ block = buf_size;
+
+ r = crypt_cipher_init(&cipher, cp->name, cp->mode, cp->key, cp->key_length);
+ if (r < 0) {
+ log_dbg("Cannot initialise cipher %s, mode %s.", cp->name, cp->mode);
+ return r;
+ }
+
+ while (done < buf_size) {
+ if ((done + block) > buf_size)
+ block = buf_size - done;
+
+ if (enc)
+ r = crypt_cipher_encrypt(cipher, &buf[done], &buf[done],
+ block, cp->iv, cp->iv_length);
+ else
+ r = crypt_cipher_decrypt(cipher, &buf[done], &buf[done],
+ block, cp->iv, cp->iv_length);
+ if (r < 0)
+ break;
+
+ done += block;
+ }
+
+ crypt_cipher_destroy(cipher);
+
+ return r;
+}
+static int cipher_measure(struct cipher_perf *cp, char *buf,
+ size_t buf_size, int encrypt, double *ms)
+{
+ struct timespec start, end;
+ int r;
+
+ /*
+ * Using getrusage would be better here but the precision
+ * is not adequate, so better stick with CLOCK_MONOTONIC
+ */
+ if (clock_gettime(CLOCK_MONOTONIC, &start) < 0)
+ return -EINVAL;
+
+ r = cipher_perf_one(cp, buf, buf_size, encrypt);
+ if (r < 0)
+ return r;
+
+ if (clock_gettime(CLOCK_MONOTONIC, &end) < 0)
+ return -EINVAL;
+
+ r = time_ms(&start, &end, ms);
+ if (r < 0)
+ return r;
+
+ if (*ms < CIPHER_TIME_MIN_MS) {
+ log_dbg("Measured cipher runtime (%1.6f) is too low.", *ms);
+ return -ERANGE;
+ }
+
+ return 0;
+}
+
+static double speed_mbs(unsigned long bytes, double ms)
+{
+ double speed = bytes, s = ms / 1000.;
+
+ return speed / (1024 * 1024) / s;
+}
+
+static int cipher_perf(struct cipher_perf *cp,
+ double *encryption_mbs, double *decryption_mbs)
+{
+ double ms_enc, ms_dec, ms;
+ int r, repeat_enc, repeat_dec;
+ void *buf = NULL;
+
+ if (posix_memalign(&buf, crypt_getpagesize(), cp->buffer_size))
+ return -ENOMEM;
+
+ ms_enc = 0.0;
+ repeat_enc = 1;
+ while (ms_enc < 1000.0) {
+ r = cipher_measure(cp, buf, cp->buffer_size, 1, &ms);
+ if (r < 0) {
+ free(buf);
+ return r;
+ }
+ ms_enc += ms;
+ repeat_enc++;
+ }
+
+ ms_dec = 0.0;
+ repeat_dec = 1;
+ while (ms_dec < 1000.0) {
+ r = cipher_measure(cp, buf, cp->buffer_size, 0, &ms);
+ if (r < 0) {
+ free(buf);
+ return r;
+ }
+ ms_dec += ms;
+ repeat_dec++;
+ }
+
+ free(buf);
+
+ *encryption_mbs = speed_mbs(cp->buffer_size * repeat_enc, ms_enc);
+ *decryption_mbs = speed_mbs(cp->buffer_size * repeat_dec, ms_dec);
+
+ return 0;
+}
+
+int crypt_benchmark(struct crypt_device *cd,
+ const char *cipher,
+ const char *cipher_mode,
+ size_t volume_key_size,
+ size_t iv_size,
+ size_t buffer_size,
+ double *encryption_mbs,
+ double *decryption_mbs)
+{
+ struct cipher_perf cp = {
+ .key_length = volume_key_size,
+ .iv_length = iv_size,
+ .buffer_size = buffer_size,
+ };
+ char *c;
+ int r;
+
+ if (!cipher || !cipher_mode || !volume_key_size)
+ return -EINVAL;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ r = -ENOMEM;
+ if (iv_size) {
+ cp.iv = malloc(iv_size);
+ if (!cp.iv)
+ goto out;
+ crypt_random_get(cd, cp.iv, iv_size, CRYPT_RND_NORMAL);
+ }
+
+ cp.key = malloc(volume_key_size);
+ if (!cp.key)
+ goto out;
+
+ crypt_random_get(cd, cp.key, volume_key_size, CRYPT_RND_NORMAL);
+ strncpy(cp.name, cipher, sizeof(cp.name)-1);
+ strncpy(cp.mode, cipher_mode, sizeof(cp.mode)-1);
+
+ /* Ignore IV generator */
+ if ((c = strchr(cp.mode, '-')))
+ *c = '\0';
+
+ r = cipher_perf(&cp, encryption_mbs, decryption_mbs);
+out:
+ free(cp.key);
+ free(cp.iv);
+ return r;
+}
+
+int crypt_benchmark_kdf(struct crypt_device *cd,
+ const char *kdf,
+ const char *hash,
+ const char *password,
+ size_t password_size,
+ const char *salt,
+ size_t salt_size,
+ uint64_t *iterations_sec)
+{
+ int r, key_length = 0;
+
+ if (!iterations_sec)
+ return -EINVAL;
+
+ r = init_crypto(cd);
+ if (r < 0)
+ return r;
+
+ // FIXME: this should be in KDF check API parameters later
+ if (cd)
+ key_length = crypt_get_volume_key_size(cd);
+
+ if (key_length == 0)
+ key_length = DEFAULT_LUKS1_KEYBITS / 8;
+
+ if (!strncmp(kdf, "pbkdf2", 6))
+ r = crypt_pbkdf_check(kdf, hash, password, password_size,
+ salt, salt_size, key_length, iterations_sec);
+ else
+ r = -EINVAL;
+
+ if (!r)
+ log_dbg("KDF %s, hash %s: %" PRIu64 " iterations per second (%d-bits key).",
+ kdf, hash, *iterations_sec, key_length * 8);
+ return r;
+}
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
new file mode 100644
index 0000000..687894e
--- /dev/null
+++ b/lib/utils_crypt.c
@@ -0,0 +1,350 @@
+/*
+ * utils_crypt - cipher utilities for cryptsetup
+ *
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "libcryptsetup.h"
+#include "nls.h"
+#include "utils_crypt.h"
+
+#define log_dbg(x) crypt_log(NULL, CRYPT_LOG_DEBUG, x)
+#define log_err(cd, x) crypt_log(cd, CRYPT_LOG_ERROR, x)
+
+struct safe_allocation {
+ size_t size;
+ char data[0];
+};
+
+int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
+ char *cipher_mode)
+{
+ if (!s || !cipher || !cipher_mode)
+ return -EINVAL;
+
+ if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]-%" MAX_CIPHER_LEN_STR "s",
+ cipher, cipher_mode) == 2) {
+ if (!strcmp(cipher_mode, "plain"))
+ strncpy(cipher_mode, "cbc-plain", 10);
+ if (key_nums) {
+ char *tmp = strchr(cipher, ':');
+ *key_nums = tmp ? atoi(++tmp) : 1;
+ if (!*key_nums)
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
+ /* Short version for "empty" cipher */
+ if (!strcmp(s, "null")) {
+ strncpy(cipher, "cipher_null", MAX_CIPHER_LEN);
+ strncpy(cipher_mode, "ecb", 9);
+ if (key_nums)
+ *key_nums = 0;
+ return 0;
+ }
+
+ if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]", cipher) == 1) {
+ strncpy(cipher_mode, "cbc-plain", 10);
+ if (key_nums)
+ *key_nums = 1;
+ return 0;
+ }
+
+ return -EINVAL;
+}
+
+/*
+ * Replacement for memset(s, 0, n) on stack that can be optimized out
+ * Also used in safe allocations for explicit memory wipe.
+ */
+void crypt_memzero(void *s, size_t n)
+{
+ volatile uint8_t *p = (volatile uint8_t *)s;
+
+ while(n--)
+ *p++ = 0;
+}
+
+/* safe allocations */
+void *crypt_safe_alloc(size_t size)
+{
+ struct safe_allocation *alloc;
+
+ if (!size || size > (SIZE_MAX - offsetof(struct safe_allocation, data)))
+ return NULL;
+
+ alloc = malloc(size + offsetof(struct safe_allocation, data));
+ if (!alloc)
+ return NULL;
+
+ alloc->size = size;
+ crypt_memzero(&alloc->data, size);
+
+ /* coverity[leaked_storage] */
+ return &alloc->data;
+}
+
+void crypt_safe_free(void *data)
+{
+ struct safe_allocation *alloc;
+
+ if (!data)
+ return;
+
+ alloc = (struct safe_allocation *)
+ ((char *)data - offsetof(struct safe_allocation, data));
+
+ crypt_memzero(data, alloc->size);
+
+ alloc->size = 0x55aa55aa;
+ free(alloc);
+}
+
+void *crypt_safe_realloc(void *data, size_t size)
+{
+ struct safe_allocation *alloc;
+ void *new_data;
+
+ new_data = crypt_safe_alloc(size);
+
+ if (new_data && data) {
+
+ alloc = (struct safe_allocation *)
+ ((char *)data - offsetof(struct safe_allocation, data));
+
+ if (size > alloc->size)
+ size = alloc->size;
+
+ memcpy(new_data, data, size);
+ }
+
+ crypt_safe_free(data);
+ return new_data;
+}
+
+/*
+ * A simple call to lseek(3) might not be possible for some inputs (e.g.
+ * reading from a pipe), so this function instead reads of up to BUFSIZ bytes
+ * at a time until the specified number of bytes. It returns -1 on read error
+ * or when it reaches EOF before the requested number of bytes have been
+ * discarded.
+ */
+static int keyfile_seek(int fd, size_t bytes)
+{
+ char tmp[BUFSIZ];
+ size_t next_read;
+ ssize_t bytes_r;
+ off_t r;
+
+ r = lseek(fd, bytes, SEEK_CUR);
+ if (r > 0)
+ return 0;
+ if (r < 0 && errno != ESPIPE)
+ return -1;
+
+ while (bytes > 0) {
+ /* figure out how much to read */
+ next_read = bytes > sizeof(tmp) ? sizeof(tmp) : bytes;
+
+ bytes_r = read(fd, tmp, next_read);
+ if (bytes_r < 0) {
+ if (errno == EINTR)
+ continue;
+
+ /* read error */
+ return -1;
+ }
+
+ if (bytes_r == 0)
+ /* EOF */
+ break;
+
+ bytes -= bytes_r;
+ }
+
+ return bytes == 0 ? 0 : -1;
+}
+
+int crypt_keyfile_read(struct crypt_device *cd, const char *keyfile,
+ char **key, size_t *key_size_read,
+ size_t keyfile_offset, size_t keyfile_size_max,
+ uint32_t flags)
+{
+ int fd, regular_file, char_read, unlimited_read = 0;
+ int r = -EINVAL, newline;
+ char *pass = NULL;
+ size_t buflen, i, file_read_size;
+ struct stat st;
+
+ *key = NULL;
+ *key_size_read = 0;
+
+ fd = keyfile ? open(keyfile, O_RDONLY) : STDIN_FILENO;
+ if (fd < 0) {
+ log_err(cd, _("Failed to open key file.\n"));
+ return -EINVAL;
+ }
+
+ if (isatty(fd)) {
+ log_err(cd, _("Cannot read keyfile from a terminal.\n"));
+ r = -EINVAL;
+ goto out_err;
+ }
+
+ /* If not requsted otherwise, we limit input to prevent memory exhaustion */
+ if (keyfile_size_max == 0) {
+ keyfile_size_max = DEFAULT_KEYFILE_SIZE_MAXKB * 1024 + 1;
+ unlimited_read = 1;
+ }
+
+ /* use 4k for buffer (page divisor but avoid huge pages) */
+ buflen = 4096 - sizeof(struct safe_allocation);
+ regular_file = 0;
+ if (keyfile) {
+ if(stat(keyfile, &st) < 0) {
+ log_err(cd, _("Failed to stat key file.\n"));
+ goto out_err;
+ }
+ if(S_ISREG(st.st_mode)) {
+ regular_file = 1;
+ file_read_size = (size_t)st.st_size;
+
+ if (keyfile_offset > file_read_size) {
+ log_err(cd, _("Cannot seek to requested keyfile offset.\n"));
+ goto out_err;
+ }
+ file_read_size -= keyfile_offset;
+
+ /* known keyfile size, alloc it in one step */
+ if (file_read_size >= keyfile_size_max)
+ buflen = keyfile_size_max;
+ else if (file_read_size)
+ buflen = file_read_size;
+ }
+ }
+
+ pass = crypt_safe_alloc(buflen);
+ if (!pass) {
+ log_err(cd, _("Out of memory while reading passphrase.\n"));
+ goto out_err;
+ }
+
+ /* Discard keyfile_offset bytes on input */
+ if (keyfile_offset && keyfile_seek(fd, keyfile_offset) < 0) {
+ log_err(cd, _("Cannot seek to requested keyfile offset.\n"));
+ goto out_err;
+ }
+
+ for(i = 0, newline = 0; i < keyfile_size_max; i++) {
+ if(i == buflen) {
+ buflen += 4096;
+ pass = crypt_safe_realloc(pass, buflen);
+ if (!pass) {
+ log_err(cd, _("Out of memory while reading passphrase.\n"));
+ r = -ENOMEM;
+ goto out_err;
+ }
+ }
+
+ char_read = read(fd, &pass[i], 1);
+ if (char_read < 0) {
+ log_err(cd, _("Error reading passphrase.\n"));
+ goto out_err;
+ }
+
+ /* Stop on newline only if not requested read from keyfile */
+ if (char_read == 0)
+ break;
+ if ((flags & CRYPT_KEYFILE_STOP_EOL) && pass[i] == '\n') {
+ newline = 1;
+ pass[i] = '\0';
+ break;
+ }
+ }
+
+ /* Fail if piped input dies reading nothing */
+ if(!i && !regular_file && !newline) {
+ log_dbg("Nothing read on input.");
+ r = -EPIPE;
+ goto out_err;
+ }
+
+ /* Fail if we exceeded internal default (no specified size) */
+ if (unlimited_read && i == keyfile_size_max) {
+ log_err(cd, _("Maximum keyfile size exceeded.\n"));
+ goto out_err;
+ }
+
+ if (!unlimited_read && i != keyfile_size_max) {
+ log_err(cd, _("Cannot read requested amount of data.\n"));
+ goto out_err;
+ }
+
+ *key = pass;
+ *key_size_read = i;
+ r = 0;
+out_err:
+ if(fd != STDIN_FILENO)
+ close(fd);
+
+ if (r)
+ crypt_safe_free(pass);
+ return r;
+}
+
+ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc)
+{
+ char buf[3] = "xx\0", *endp, *bytes;
+ size_t i, len;
+
+ len = strlen(hex);
+ if (len % 2)
+ return -EINVAL;
+ len /= 2;
+
+ bytes = safe_alloc ? crypt_safe_alloc(len) : malloc(len);
+ if (!bytes)
+ return -ENOMEM;
+
+ for (i = 0; i < len; i++) {
+ memcpy(buf, &hex[i * 2], 2);
+ bytes[i] = strtoul(buf, &endp, 16);
+ if (endp != &buf[2]) {
+ safe_alloc ? crypt_safe_free(bytes) : free(bytes);
+ return -EINVAL;
+ }
+ }
+ *result = bytes;
+ return i;
+}
diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h
new file mode 100644
index 0000000..b7e10b4
--- /dev/null
+++ b/lib/utils_crypt.h
@@ -0,0 +1,45 @@
+/*
+ * utils_crypt - cipher utilities for cryptsetup
+ *
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _UTILS_CRYPT_H
+#define _UTILS_CRYPT_H
+
+#include <unistd.h>
+
+#define MAX_CIPHER_LEN 32
+#define MAX_CIPHER_LEN_STR "31"
+#define MAX_KEYFILES 32
+
+struct crypt_device;
+
+int crypt_parse_name_and_mode(const char *s, char *cipher,
+ int *key_nums, char *cipher_mode);
+
+void *crypt_safe_alloc(size_t size);
+void crypt_safe_free(void *data);
+void *crypt_safe_realloc(void *data, size_t size);
+
+void crypt_memzero(void *s, size_t n);
+
+ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc);
+
+#endif /* _UTILS_CRYPT_H */
diff --git a/lib/utils_device.c b/lib/utils_device.c
new file mode 100644
index 0000000..c98c835
--- /dev/null
+++ b/lib/utils_device.c
@@ -0,0 +1,549 @@
+/*
+ * device backend utilities
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <linux/fs.h>
+#include <unistd.h>
+#include "internal.h"
+
+struct device {
+ char *path;
+
+ char *file_path;
+ int loop_fd;
+
+ int o_direct:1;
+ int init_done:1;
+};
+
+static int device_block_size_fd(int fd, size_t *min_size)
+{
+ struct stat st;
+ int bsize = 0, r = -EINVAL;
+
+ if (fstat(fd, &st) < 0)
+ return -EINVAL;
+
+ if (S_ISREG(st.st_mode)) {
+ r = (int)crypt_getpagesize();
+ bsize = r;
+ }
+ else if (ioctl(fd, BLKSSZGET, &bsize) >= 0)
+ r = bsize;
+ else
+ r = -EINVAL;
+
+ if (r < 0 || !min_size)
+ return r;
+
+ if (S_ISREG(st.st_mode)) {
+ /* file can be empty as well */
+ if (st.st_size > bsize)
+ *min_size = bsize;
+ else
+ *min_size = st.st_size;
+ } else {
+ /* block device must have at least one block */
+ *min_size = bsize;
+ }
+
+ return bsize;
+}
+
+static int device_read_test(int devfd)
+{
+ char buffer[512];
+ int blocksize, r = -EIO;
+ size_t minsize = 0;
+
+ blocksize = device_block_size_fd(devfd, &minsize);
+
+ if (blocksize < 0)
+ return -EINVAL;
+
+ if (minsize == 0)
+ return 0;
+
+ if (minsize > sizeof(buffer))
+ minsize = sizeof(buffer);
+
+ if (read_blockwise(devfd, blocksize, buffer, minsize) == (ssize_t)minsize)
+ r = 0;
+
+ crypt_memzero(buffer, sizeof(buffer));
+ return r;
+}
+
+/*
+ * The direct-io is always preferred. The header is usually mapped to the same
+ * device and can be accessed when the rest of device is mapped to data device.
+ * Using dirct-io encsures that we do not mess with data in cache.
+ * (But proper alignment should prevent this in the first place.)
+ * The read test is needed to detect broken configurations (seen with remote
+ * block devices) that allow open with direct-io but then fails on read.
+ */
+static int device_ready(struct device *device, int check_directio)
+{
+ int devfd = -1, r = 0;
+ struct stat st;
+
+ device->o_direct = 0;
+ if (check_directio) {
+ log_dbg("Trying to open and read device %s with direct-io.",
+ device_path(device));
+ devfd = open(device_path(device), O_RDONLY | O_DIRECT);
+ if (devfd >= 0) {
+ if (device_read_test(devfd) == 0) {
+ device->o_direct = 1;
+ } else {
+ close(devfd);
+ devfd = -1;
+ }
+ }
+ }
+
+ if (devfd < 0) {
+ log_dbg("Trying to open device %s without direct-io.",
+ device_path(device));
+ devfd = open(device_path(device), O_RDONLY);
+ }
+
+ if (devfd < 0) {
+ log_err(NULL, _("Device %s doesn't exist or access denied.\n"),
+ device_path(device));
+ return -EINVAL;
+ }
+
+ if (fstat(devfd, &st) < 0)
+ r = -EINVAL;
+ else if (!S_ISBLK(st.st_mode))
+ r = S_ISREG(st.st_mode) ? -ENOTBLK : -EINVAL;
+
+ close(devfd);
+ return r;
+}
+
+int device_open(struct device *device, int flags)
+{
+ int devfd;
+
+ flags |= O_SYNC;
+ if (device->o_direct)
+ flags |= O_DIRECT;
+
+ devfd = open(device_path(device), flags);
+
+ if (devfd < 0)
+ log_dbg("Cannot open device %s.", device_path(device));
+
+ return devfd;
+}
+
+int device_alloc(struct device **device, const char *path)
+{
+ struct device *dev;
+ int r;
+
+ if (!path) {
+ *device = NULL;
+ return 0;
+ }
+
+ dev = malloc(sizeof(struct device));
+ if (!dev)
+ return -ENOMEM;
+
+ memset(dev, 0, sizeof(struct device));
+ dev->path = strdup(path);
+ if (!dev->path) {
+ free(dev);
+ return -ENOMEM;
+ }
+ dev->loop_fd = -1;
+
+ r = device_ready(dev, 1);
+ if (!r) {
+ dev->init_done = 1;
+ } else if (r == -ENOTBLK) {
+ /* alloc loop later */
+ } else if (r < 0) {
+ free(dev->path);
+ free(dev);
+ return -ENOTBLK;
+ }
+
+ *device = dev;
+ return 0;
+}
+
+void device_free(struct device *device)
+{
+ if (!device)
+ return;
+
+ if (device->loop_fd != -1) {
+ log_dbg("Closed loop %s (%s).", device->path, device->file_path);
+ close(device->loop_fd);
+ }
+
+ free(device->file_path);
+ free(device->path);
+ free(device);
+}
+
+/* Get block device path */
+const char *device_block_path(const struct device *device)
+{
+ if (!device || !device->init_done)
+ return NULL;
+
+ return device->path;
+}
+
+/* Get path to device / file */
+const char *device_path(const struct device *device)
+{
+ if (!device)
+ return NULL;
+
+ if (device->file_path)
+ return device->file_path;
+
+ return device->path;
+}
+
+/* block device topology ioctls, introduced in 2.6.32 */
+#ifndef BLKIOMIN
+#define BLKIOMIN _IO(0x12,120)
+#define BLKIOOPT _IO(0x12,121)
+#define BLKALIGNOFF _IO(0x12,122)
+#endif
+
+void device_topology_alignment(struct device *device,
+ unsigned long *required_alignment, /* bytes */
+ unsigned long *alignment_offset, /* bytes */
+ unsigned long default_alignment)
+{
+ int dev_alignment_offset = 0;
+ unsigned int min_io_size = 0, opt_io_size = 0;
+ unsigned long temp_alignment = 0;
+ int fd;
+
+ *required_alignment = default_alignment;
+ *alignment_offset = 0;
+
+ if (!device || !device->path) //FIXME
+ return;
+
+ fd = open(device->path, O_RDONLY);
+ if (fd == -1)
+ return;
+
+ /* minimum io size */
+ if (ioctl(fd, BLKIOMIN, &min_io_size) == -1) {
+ log_dbg("Topology info for %s not supported, using default offset %lu bytes.",
+ device->path, default_alignment);
+ goto out;
+ }
+
+ /* optimal io size */
+ if (ioctl(fd, BLKIOOPT, &opt_io_size) == -1)
+ opt_io_size = min_io_size;
+
+ /* alignment offset, bogus -1 means misaligned/unknown */
+ if (ioctl(fd, BLKALIGNOFF, &dev_alignment_offset) == -1 || dev_alignment_offset < 0)
+ dev_alignment_offset = 0;
+ *alignment_offset = (unsigned long)dev_alignment_offset;
+
+ temp_alignment = (unsigned long)min_io_size;
+
+ if (temp_alignment < (unsigned long)opt_io_size)
+ temp_alignment = (unsigned long)opt_io_size;
+
+ /* If calculated alignment is multiple of default, keep default */
+ if (temp_alignment && (default_alignment % temp_alignment))
+ *required_alignment = temp_alignment;
+
+ log_dbg("Topology: IO (%u/%u), offset = %lu; Required alignment is %lu bytes.",
+ min_io_size, opt_io_size, *alignment_offset, *required_alignment);
+out:
+ (void)close(fd);
+}
+
+int device_block_size(struct device *device)
+{
+ int fd, r = -EINVAL;
+
+ if (!device)
+ return 0;
+
+ if (device->file_path)
+ return (int)crypt_getpagesize();
+
+ fd = open(device->path, O_RDONLY);
+ if(fd < 0)
+ return -EINVAL;
+
+ r = device_block_size_fd(fd, NULL);
+
+ if (r <= 0)
+ log_dbg("Cannot get block size for device %s.", device_path(device));
+
+ close(fd);
+ return r;
+}
+
+int device_read_ahead(struct device *device, uint32_t *read_ahead)
+{
+ int fd, r = 0;
+ long read_ahead_long;
+
+ if (!device)
+ return 0;
+
+ if ((fd = open(device->path, O_RDONLY)) < 0)
+ return 0;
+
+ r = ioctl(fd, BLKRAGET, &read_ahead_long) ? 0 : 1;
+ close(fd);
+
+ if (r)
+ *read_ahead = (uint32_t) read_ahead_long;
+
+ return r;
+}
+
+/* Get data size in bytes */
+int device_size(struct device *device, uint64_t *size)
+{
+ struct stat st;
+ int devfd, r = -EINVAL;
+
+ devfd = open(device->path, O_RDONLY);
+ if(devfd == -1)
+ return -EINVAL;
+
+ if (fstat(devfd, &st) < 0)
+ goto out;
+
+ if (S_ISREG(st.st_mode)) {
+ *size = (uint64_t)st.st_size;
+ r = 0;
+ } else if (ioctl(devfd, BLKGETSIZE64, size) >= 0)
+ r = 0;
+out:
+ close(devfd);
+ return r;
+}
+
+static int device_info(struct device *device,
+ enum devcheck device_check,
+ int *readonly, uint64_t *size)
+{
+ struct stat st;
+ int fd, r = -EINVAL, flags = 0;
+
+ *readonly = 0;
+ *size = 0;
+
+ if (stat(device->path, &st) < 0)
+ return -EINVAL;
+
+ /* never wipe header on mounted device */
+ if (device_check == DEV_EXCL && S_ISBLK(st.st_mode))
+ flags |= O_EXCL;
+
+ /* Try to open read-write to check whether it is a read-only device */
+ /* coverity[toctou] */
+ fd = open(device->path, O_RDWR | flags);
+ if (fd == -1 && errno == EROFS) {
+ *readonly = 1;
+ fd = open(device->path, O_RDONLY | flags);
+ }
+
+ if (fd == -1 && device_check == DEV_EXCL && errno == EBUSY)
+ return -EBUSY;
+
+ if (fd == -1)
+ return -EINVAL;
+
+ if (S_ISREG(st.st_mode)) {
+ //FIXME: add readonly check
+ *size = (uint64_t)st.st_size;
+ *size >>= SECTOR_SHIFT;
+ } else {
+ /* If the device can be opened read-write, i.e. readonly is still 0, then
+ * check whether BKROGET says that it is read-only. E.g. read-only loop
+ * devices may be openend read-write but are read-only according to BLKROGET
+ */
+ if (*readonly == 0 && (r = ioctl(fd, BLKROGET, readonly)) < 0)
+ goto out;
+
+ if (ioctl(fd, BLKGETSIZE64, size) >= 0) {
+ *size >>= SECTOR_SHIFT;
+ r = 0;
+ goto out;
+ }
+ }
+ r = -EINVAL;
+out:
+ close(fd);
+ return r;
+}
+
+static int device_internal_prepare(struct crypt_device *cd, struct device *device)
+{
+ char *loop_device = NULL, *file_path = NULL;
+ int r, loop_fd, readonly = 0;
+
+ if (device->init_done)
+ return 0;
+
+ if (getuid() || geteuid()) {
+ log_err(cd, _("Cannot use a loopback device, "
+ "running as non-root user.\n"));
+ return -ENOTSUP;
+ }
+
+ log_dbg("Allocating a free loop device.");
+
+ /* Keep the loop open, dettached on last close. */
+ loop_fd = crypt_loop_attach(&loop_device, device->path, 0, 1, &readonly);
+ if (loop_fd == -1) {
+ log_err(cd, _("Attaching loopback device failed "
+ "(loop device with autoclear flag is required).\n"));
+ free(loop_device);
+ return -EINVAL;
+ }
+
+ file_path = device->path;
+ device->path = loop_device;
+
+ r = device_ready(device, device->o_direct);
+ if (r < 0) {
+ device->path = file_path;
+ crypt_loop_detach(loop_device);
+ free(loop_device);
+ return r;
+ }
+
+ device->loop_fd = loop_fd;
+ device->file_path = file_path;
+ device->init_done = 1;
+
+ return 0;
+}
+
+int device_block_adjust(struct crypt_device *cd,
+ struct device *device,
+ enum devcheck device_check,
+ uint64_t device_offset,
+ uint64_t *size,
+ uint32_t *flags)
+{
+ int r, real_readonly;
+ uint64_t real_size;
+
+ if (!device)
+ return -ENOTBLK;
+
+ r = device_internal_prepare(cd, device);
+ if (r)
+ return r;
+
+ r = device_info(device, device_check, &real_readonly, &real_size);
+ if (r < 0) {
+ if (r == -EBUSY)
+ log_err(cd, _("Cannot use device %s which is in use "
+ "(already mapped or mounted).\n"),
+ device->path);
+ else
+ log_err(cd, _("Cannot get info about device %s.\n"),
+ device->path);
+ return r;
+ }
+
+ if (device_offset >= real_size) {
+ log_err(cd, _("Requested offset is beyond real size of device %s.\n"),
+ device->path);
+ return -EINVAL;
+ }
+
+ if (size && !*size) {
+ *size = real_size;
+ if (!*size) {
+ log_err(cd, _("Device %s has zero size.\n"), device->path);
+ return -ENOTBLK;
+ }
+ *size -= device_offset;
+ }
+
+ /* in case of size is set by parameter */
+ if (size && ((real_size - device_offset) < *size)) {
+ log_dbg("Device %s: offset = %" PRIu64 " requested size = %" PRIu64
+ ", backing device size = %" PRIu64,
+ device->path, device_offset, *size, real_size);
+ log_err(cd, _("Device %s is too small.\n"), device->path);
+ return -EINVAL;
+ }
+
+ if (flags && real_readonly)
+ *flags |= CRYPT_ACTIVATE_READONLY;
+
+ if (size)
+ log_dbg("Calculated device size is %" PRIu64" sectors (%s), offset %" PRIu64 ".",
+ *size, real_readonly ? "RO" : "RW", device_offset);
+ return 0;
+}
+
+size_t size_round_up(size_t size, unsigned int block)
+{
+ size_t s = (size + (block - 1)) / block;
+ return s * block;
+}
+
+void device_disable_direct_io(struct device *device)
+{
+ device->o_direct = 0;
+}
+
+int device_is_identical(struct device *device1, struct device *device2)
+{
+ if (device1 == device2)
+ return 1;
+
+ if (!device1 || !device2 || !device_path(device1) || !device_path(device2))
+ return 0;
+
+ /* This should be better check - major/minor for block device etc */
+ if (!strcmp(device_path(device1), device_path(device2)))
+ return 1;
+
+ return 0;
+}
diff --git a/lib/utils_devpath.c b/lib/utils_devpath.c
new file mode 100644
index 0000000..257aa4d
--- /dev/null
+++ b/lib/utils_devpath.c
@@ -0,0 +1,373 @@
+/*
+ * devname - search for device name
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <limits.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_SYSMACROS_H
+# include <sys/sysmacros.h> /* for major, minor */
+#endif
+#include "internal.h"
+
+static char *__lookup_dev(char *path, dev_t dev, int dir_level, const int max_level)
+{
+ struct dirent *entry;
+ struct stat st;
+ char *ptr;
+ char *result = NULL;
+ DIR *dir;
+ int space;
+
+ /* Ignore strange nested directories */
+ if (dir_level > max_level)
+ return NULL;
+
+ path[PATH_MAX - 1] = '\0';
+ ptr = path + strlen(path);
+ *ptr++ = '/';
+ *ptr = '\0';
+ space = PATH_MAX - (ptr - path);
+
+ dir = opendir(path);
+ if (!dir)
+ return NULL;
+
+ while((entry = readdir(dir))) {
+ if (entry->d_name[0] == '.' ||
+ !strncmp(entry->d_name, "..", 2))
+ continue;
+
+ if (dir_level == 0 &&
+ (!strcmp(entry->d_name, "shm") ||
+ !strcmp(entry->d_name, "fd") ||
+ !strcmp(entry->d_name, "char") ||
+ !strcmp(entry->d_name, "pts")))
+ continue;
+
+ strncpy(ptr, entry->d_name, space);
+ if (stat(path, &st) < 0)
+ continue;
+
+ if (S_ISDIR(st.st_mode)) {
+ result = __lookup_dev(path, dev, dir_level + 1, max_level);
+ if (result)
+ break;
+ } else if (S_ISBLK(st.st_mode)) {
+ /* workaround: ignore dm-X devices, these are internal kernel names */
+ if (dir_level == 0 && dm_is_dm_kernel_name(entry->d_name))
+ continue;
+ if (st.st_rdev == dev) {
+ result = strdup(path);
+ break;
+ }
+ }
+ }
+
+ closedir(dir);
+ return result;
+}
+
+/*
+ * Non-udev systemd need to scan for device here.
+ */
+static char *lookup_dev_old(int major, int minor)
+{
+ dev_t dev;
+ char *result = NULL, buf[PATH_MAX + 1];
+
+ dev = makedev(major, minor);
+ strncpy(buf, "/dev", PATH_MAX);
+ buf[PATH_MAX] = '\0';
+
+ /* First try low level device */
+ if ((result = __lookup_dev(buf, dev, 0, 0)))
+ return result;
+
+ /* If it is dm, try DM dir */
+ if (dm_is_dm_device(major, minor)) {
+ strncpy(buf, dm_get_dir(), PATH_MAX);
+ if ((result = __lookup_dev(buf, dev, 0, 0)))
+ return result;
+ }
+
+ strncpy(buf, "/dev", PATH_MAX);
+ return __lookup_dev(buf, dev, 0, 4);
+}
+
+/*
+ * Returns string pointing to device in /dev according to "major:minor" dev_id
+ */
+char *crypt_lookup_dev(const char *dev_id)
+{
+ int major, minor;
+ char link[PATH_MAX], path[PATH_MAX], *devname, *devpath = NULL;
+ struct stat st;
+ ssize_t len;
+
+ if (sscanf(dev_id, "%d:%d", &major, &minor) != 2)
+ return NULL;
+
+ if (snprintf(path, sizeof(path), "/sys/dev/block/%s", dev_id) < 0)
+ return NULL;
+
+ len = readlink(path, link, sizeof(link) - 1);
+ if (len < 0) {
+ /* Without /sys use old scan */
+ if (stat("/sys/dev/block", &st) < 0)
+ return lookup_dev_old(major, minor);
+ return NULL;
+ }
+
+ link[len] = '\0';
+ devname = strrchr(link, '/');
+ if (!devname)
+ return NULL;
+ devname++;
+
+ if (dm_is_dm_kernel_name(devname))
+ devpath = dm_device_path("/dev/mapper/", major, minor);
+ else if (snprintf(path, sizeof(path), "/dev/%s", devname) > 0)
+ devpath = strdup(path);
+
+ /*
+ * Check that path is correct.
+ */
+ if (devpath && ((stat(devpath, &st) < 0) ||
+ !S_ISBLK(st.st_mode) ||
+ (st.st_rdev != makedev(major, minor)))) {
+ free(devpath);
+ /* Should never happen unless user mangles with dev nodes. */
+ return lookup_dev_old(major, minor);
+ }
+
+ return devpath;
+}
+
+static int _read_uint64(const char *sysfs_path, uint64_t *value)
+{
+ char tmp[64] = {0};
+ int fd, r;
+
+ if ((fd = open(sysfs_path, O_RDONLY)) < 0)
+ return 0;
+ r = read(fd, tmp, sizeof(tmp));
+ close(fd);
+
+ if (r <= 0)
+ return 0;
+
+ if (sscanf(tmp, "%" PRIu64, value) != 1)
+ return 0;
+
+ return 1;
+}
+
+static int _sysfs_get_uint64(int major, int minor, uint64_t *value, const char *attr)
+{
+ char path[PATH_MAX];
+
+ if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d/%s",
+ major, minor, attr) < 0)
+ return 0;
+
+ return _read_uint64(path, value);
+}
+
+static int _path_get_uint64(const char *sysfs_path, uint64_t *value, const char *attr)
+{
+ char path[PATH_MAX];
+
+ if (snprintf(path, sizeof(path), "%s/%s",
+ sysfs_path, attr) < 0)
+ return 0;
+
+ return _read_uint64(path, value);
+}
+
+int crypt_dev_is_rotational(int major, int minor)
+{
+ uint64_t val;
+
+ if (!_sysfs_get_uint64(major, minor, &val, "queue/rotational"))
+ return 1; /* if failed, expect rotational disk */
+
+ return val ? 1 : 0;
+}
+
+int crypt_dev_is_partition(const char *dev_path)
+{
+ uint64_t val;
+ struct stat st;
+
+ if (stat(dev_path, &st) < 0)
+ return 0;
+
+ if (!S_ISBLK(st.st_mode))
+ return 0;
+
+ if (!_sysfs_get_uint64(major(st.st_rdev), minor(st.st_rdev),
+ &val, "partition"))
+ return 0;
+
+ return val ? 1 : 0;
+}
+
+uint64_t crypt_dev_partition_offset(const char *dev_path)
+{
+ uint64_t val;
+ struct stat st;
+
+ if (!crypt_dev_is_partition(dev_path))
+ return 0;
+
+ if (stat(dev_path, &st) < 0)
+ return 0;
+
+ if (!_sysfs_get_uint64(major(st.st_rdev), minor(st.st_rdev),
+ &val, "start"))
+ return 0;
+
+ return val;
+}
+
+/* Try to find partition which match offset and size on top level device */
+char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size)
+{
+ char link[PATH_MAX], path[PATH_MAX], part_path[PATH_MAX], *devname;
+ char *result = NULL;
+ struct stat st;
+ size_t devname_len;
+ ssize_t len;
+ struct dirent *entry;
+ DIR *dir;
+ uint64_t part_offset, part_size;
+
+ if (stat(dev_path, &st) < 0)
+ return NULL;
+
+ if (!S_ISBLK(st.st_mode))
+ return NULL;
+
+ if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d",
+ major(st.st_rdev), minor(st.st_rdev)) < 0)
+ return NULL;
+
+ dir = opendir(path);
+ if (!dir)
+ return NULL;
+
+ len = readlink(path, link, sizeof(link) - 1);
+ if (len < 0) {
+ closedir(dir);
+ return NULL;
+ }
+
+ /* Get top level disk name for sysfs search */
+ link[len] = '\0';
+ devname = strrchr(link, '/');
+ if (!devname) {
+ closedir(dir);
+ return NULL;
+ }
+ devname++;
+
+ /* DM devices do not use kernel partitions. */
+ if (dm_is_dm_kernel_name(devname)) {
+ closedir(dir);
+ return NULL;
+ }
+
+ devname_len = strlen(devname);
+ while((entry = readdir(dir))) {
+ if (strncmp(entry->d_name, devname, devname_len))
+ continue;
+
+ if (snprintf(part_path, sizeof(part_path), "%s/%s",
+ path, entry->d_name) < 0)
+ continue;
+
+ if (stat(part_path, &st) < 0)
+ continue;
+
+ if (S_ISDIR(st.st_mode)) {
+ if (!_path_get_uint64(part_path, &part_offset, "start") ||
+ !_path_get_uint64(part_path, &part_size, "size"))
+ continue;
+ if (part_offset == offset && part_size == size &&
+ snprintf(part_path, sizeof(part_path), "/dev/%s",
+ entry->d_name) > 0) {
+ result = strdup(part_path);
+ break;
+ }
+ }
+ }
+ closedir(dir);
+
+ return result;
+}
+
+/* Try to find base device from partition */
+char *crypt_get_base_device(const char *dev_path)
+{
+ char link[PATH_MAX], path[PATH_MAX], part_path[PATH_MAX], *devname;
+ struct stat st;
+ ssize_t len;
+
+ if (!crypt_dev_is_partition(dev_path))
+ return NULL;
+
+ if (stat(dev_path, &st) < 0)
+ return NULL;
+
+ if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d",
+ major(st.st_rdev), minor(st.st_rdev)) < 0)
+ return NULL;
+
+ len = readlink(path, link, sizeof(link) - 1);
+ if (len < 0)
+ return NULL;
+
+ /* Get top level disk name for sysfs search */
+ link[len] = '\0';
+ devname = strrchr(link, '/');
+ if (!devname)
+ return NULL;
+ *devname = '\0';
+ devname = strrchr(link, '/');
+ if (!devname)
+ return NULL;
+ devname++;
+
+ if (dm_is_dm_kernel_name(devname))
+ return NULL;
+
+ snprintf(part_path, sizeof(part_path), "/dev/%s", devname);
+ return strdup(part_path);
+}
diff --git a/lib/utils_dm.h b/lib/utils_dm.h
new file mode 100644
index 0000000..f150e2f
--- /dev/null
+++ b/lib/utils_dm.h
@@ -0,0 +1,118 @@
+/*
+ * libdevmapper - device-mapper backend for cryptsetup
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _UTILS_DM_H
+#define _UTILS_DM_H
+
+/* device-mapper library helpers */
+#include <inttypes.h>
+
+struct crypt_device;
+struct volume_key;
+struct crypt_params_verity;
+struct device;
+
+/* Device mapper backend - kernel support flags */
+#define DM_KEY_WIPE_SUPPORTED (1 << 0) /* key wipe message */
+#define DM_LMK_SUPPORTED (1 << 1) /* lmk mode */
+#define DM_SECURE_SUPPORTED (1 << 2) /* wipe (secure) buffer flag */
+#define DM_PLAIN64_SUPPORTED (1 << 3) /* plain64 IV */
+#define DM_DISCARDS_SUPPORTED (1 << 4) /* discards/TRIM option is supported */
+#define DM_VERITY_SUPPORTED (1 << 5) /* dm-verity target supported */
+#define DM_TCW_SUPPORTED (1 << 6) /* tcw (TCRYPT CBC with whitening) */
+#define DM_SAME_CPU_CRYPT_SUPPORTED (1 << 7) /* same_cpu_crypt */
+#define DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (1 << 8) /* submit_from_crypt_cpus */
+#define DM_VERITY_ON_CORRUPTION_SUPPORTED (1 << 9) /* ignore/restart_on_corruption, ignore_zero_block */
+#define DM_VERITY_FEC_SUPPORTED (1 << 10) /* Forward Error Correction (FEC) */
+
+uint32_t dm_flags(void);
+
+#define DM_ACTIVE_DEVICE (1 << 0)
+#define DM_ACTIVE_UUID (1 << 1)
+
+#define DM_ACTIVE_CRYPT_CIPHER (1 << 2)
+#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 3)
+#define DM_ACTIVE_CRYPT_KEY (1 << 4)
+
+#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 5)
+#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 6)
+#define DM_ACTIVE_VERITY_PARAMS (1 << 7)
+
+struct crypt_dm_active_device {
+ enum { DM_CRYPT = 0, DM_VERITY } target;
+ uint64_t size; /* active device size */
+ uint32_t flags; /* activation flags */
+ const char *uuid;
+ struct device *data_device;
+ union {
+ struct {
+ const char *cipher;
+
+ /* Active key for device */
+ struct volume_key *vk;
+
+ /* struct crypt_active_device */
+ uint64_t offset; /* offset in sectors */
+ uint64_t iv_offset; /* IV initilisation sector */
+ } crypt;
+ struct {
+ struct device *hash_device;
+ struct device *fec_device;
+
+ const char *root_hash;
+ uint32_t root_hash_size;
+
+ uint64_t hash_offset; /* hash offset in blocks (not header) */
+ uint64_t hash_blocks; /* size of hash device (in hash blocks) */
+ uint64_t fec_offset; /* FEC offset in blocks (not header) */
+ uint64_t fec_blocks; /* size of FEC device (in hash blocks) */
+ struct crypt_params_verity *vp;
+ } verity;
+ } u;
+};
+
+void dm_backend_init(void);
+void dm_backend_exit(void);
+
+int dm_remove_device(struct crypt_device *cd, const char *name,
+ int force, uint64_t size);
+int dm_status_device(struct crypt_device *cd, const char *name);
+int dm_status_suspended(struct crypt_device *cd, const char *name);
+int dm_status_verity_ok(struct crypt_device *cd, const char *name);
+int dm_query_device(struct crypt_device *cd, const char *name,
+ uint32_t get_flags, struct crypt_dm_active_device *dmd);
+int dm_create_device(struct crypt_device *cd, const char *name,
+ const char *type, struct crypt_dm_active_device *dmd,
+ int reload);
+int dm_suspend_and_wipe_key(struct crypt_device *cd, const char *name);
+int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
+ size_t key_size, const char *key);
+
+const char *dm_get_dir(void);
+
+/* These are DM helpers used only by utils_devpath file */
+int dm_is_dm_device(int major, int minor);
+int dm_is_dm_kernel_name(const char *name);
+char *dm_device_path(const char *prefix, int major, int minor);
+
+#endif /* _UTILS_DM_H */
diff --git a/lib/utils_fips.c b/lib/utils_fips.c
new file mode 100644
index 0000000..08728e5
--- /dev/null
+++ b/lib/utils_fips.c
@@ -0,0 +1,46 @@
+/*
+ * FIPS mode utilities
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include "utils_fips.h"
+
+#if !ENABLE_FIPS
+int crypt_fips_mode(void) { return 0; }
+#else
+static int kernel_fips_mode(void)
+{
+ int fd;
+ char buf[1] = "";
+
+ if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+ close(fd);
+ }
+
+ return (buf[0] == '1') ? 1 : 0;
+}
+
+int crypt_fips_mode(void)
+{
+ return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
+}
+#endif /* ENABLE_FIPS */
diff --git a/lib/utils_fips.h b/lib/utils_fips.h
new file mode 100644
index 0000000..6eea3f2
--- /dev/null
+++ b/lib/utils_fips.h
@@ -0,0 +1,26 @@
+/*
+ * FIPS mode utilities
+ *
+ * Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _UTILS_FIPS_H
+#define _UTILS_FIPS_H
+
+int crypt_fips_mode(void);
+
+#endif /* _UTILS_FIPS_H */
diff --git a/lib/utils_loop.c b/lib/utils_loop.c
new file mode 100644
index 0000000..38726bc
--- /dev/null
+++ b/lib/utils_loop.c
@@ -0,0 +1,271 @@
+/*
+ * loopback block device utilities
+ *
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <limits.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_SYSMACROS_H
+# include <sys/sysmacros.h> /* for major, minor */
+#endif
+#include <linux/loop.h>
+
+#include "utils_loop.h"
+
+#define LOOP_DEV_MAJOR 7
+
+#ifndef LO_FLAGS_AUTOCLEAR
+#define LO_FLAGS_AUTOCLEAR 4
+#endif
+
+#ifndef LOOP_CTL_GET_FREE
+#define LOOP_CTL_GET_FREE 0x4C82
+#endif
+
+#ifndef LOOP_SET_CAPACITY
+#define LOOP_SET_CAPACITY 0x4C07
+#endif
+
+static char *crypt_loop_get_device_old(void)
+{
+ char dev[20];
+ int i, loop_fd;
+ struct loop_info64 lo64 = {0};
+
+ for (i = 0; i < 256; i++) {
+ sprintf(dev, "/dev/loop%d", i);
+
+ loop_fd = open(dev, O_RDONLY);
+ if (loop_fd < 0)
+ return NULL;
+
+ if (ioctl(loop_fd, LOOP_GET_STATUS64, &lo64) &&
+ errno == ENXIO) {
+ close(loop_fd);
+ return strdup(dev);
+ }
+ close(loop_fd);
+ }
+
+ return NULL;
+}
+
+static char *crypt_loop_get_device(void)
+{
+ char dev[64];
+ int i, loop_fd;
+ struct stat st;
+
+ loop_fd = open("/dev/loop-control", O_RDONLY);
+ if (loop_fd < 0)
+ return crypt_loop_get_device_old();
+
+ i = ioctl(loop_fd, LOOP_CTL_GET_FREE);
+ if (i < 0) {
+ close(loop_fd);
+ return NULL;
+ }
+ close(loop_fd);
+
+ if (sprintf(dev, "/dev/loop%d", i) < 0)
+ return NULL;
+
+ if (stat(dev, &st) || !S_ISBLK(st.st_mode))
+ return NULL;
+
+ return strdup(dev);
+}
+
+int crypt_loop_attach(char **loop, const char *file, int offset,
+ int autoclear, int *readonly)
+{
+ struct loop_info64 lo64 = {0};
+ char *lo_file_name;
+ int loop_fd = -1, file_fd = -1, r = 1;
+
+ *loop = NULL;
+
+ file_fd = open(file, (*readonly ? O_RDONLY : O_RDWR) | O_EXCL);
+ if (file_fd < 0 && (errno == EROFS || errno == EACCES) && !*readonly) {
+ *readonly = 1;
+ file_fd = open(file, O_RDONLY | O_EXCL);
+ }
+ if (file_fd < 0)
+ goto out;
+
+ while (loop_fd < 0) {
+ *loop = crypt_loop_get_device();
+ if (!*loop)
+ goto out;
+
+ loop_fd = open(*loop, *readonly ? O_RDONLY : O_RDWR);
+ if (loop_fd < 0)
+ goto out;
+
+ if (ioctl(loop_fd, LOOP_SET_FD, file_fd) < 0) {
+ if (errno != EBUSY)
+ goto out;
+ free(*loop);
+ *loop = NULL;
+
+ close(loop_fd);
+ loop_fd = -1;
+ }
+ }
+
+ lo_file_name = (char*)lo64.lo_file_name;
+ lo_file_name[LO_NAME_SIZE-1] = '\0';
+ strncpy(lo_file_name, file, LO_NAME_SIZE-1);
+ lo64.lo_offset = offset;
+ if (autoclear)
+ lo64.lo_flags |= LO_FLAGS_AUTOCLEAR;
+
+ if (ioctl(loop_fd, LOOP_SET_STATUS64, &lo64) < 0) {
+ (void)ioctl(loop_fd, LOOP_CLR_FD, 0);
+ goto out;
+ }
+
+ /* Verify that autoclear is really set */
+ if (autoclear) {
+ memset(&lo64, 0, sizeof(lo64));
+ if (ioctl(loop_fd, LOOP_GET_STATUS64, &lo64) < 0 ||
+ !(lo64.lo_flags & LO_FLAGS_AUTOCLEAR)) {
+ (void)ioctl(loop_fd, LOOP_CLR_FD, 0);
+ goto out;
+ }
+ }
+
+ r = 0;
+out:
+ if (r && loop_fd >= 0)
+ close(loop_fd);
+ if (file_fd >= 0)
+ close(file_fd);
+ if (r && *loop) {
+ free(*loop);
+ *loop = NULL;
+ }
+ return r ? -1 : loop_fd;
+}
+
+int crypt_loop_detach(const char *loop)
+{
+ int loop_fd = -1, r = 1;
+
+ loop_fd = open(loop, O_RDONLY);
+ if (loop_fd < 0)
+ return 1;
+
+ if (!ioctl(loop_fd, LOOP_CLR_FD, 0))
+ r = 0;
+
+ close(loop_fd);
+ return r;
+}
+
+int crypt_loop_resize(const char *loop)
+{
+ int loop_fd = -1, r = 1;
+
+ loop_fd = open(loop, O_RDONLY);
+ if (loop_fd < 0)
+ return 1;
+
+ if (!ioctl(loop_fd, LOOP_SET_CAPACITY, 0))
+ r = 0;
+
+ close(loop_fd);
+ return r;
+}
+
+static char *_ioctl_backing_file(const char *loop)
+{
+ struct loop_info64 lo64 = {0};
+ int loop_fd;
+
+ loop_fd = open(loop, O_RDONLY);
+ if (loop_fd < 0)
+ return NULL;
+
+ if (ioctl(loop_fd, LOOP_GET_STATUS64, &lo64) < 0) {
+ close(loop_fd);
+ return NULL;
+ }
+
+ lo64.lo_file_name[LO_NAME_SIZE-2] = '*';
+ lo64.lo_file_name[LO_NAME_SIZE-1] = 0;
+
+ close(loop_fd);
+
+ return strdup((char*)lo64.lo_file_name);
+}
+
+static char *_sysfs_backing_file(const char *loop)
+{
+ struct stat st;
+ char buf[PATH_MAX];
+ size_t len;
+ int fd;
+
+ if (stat(loop, &st) || !S_ISBLK(st.st_mode))
+ return NULL;
+
+ snprintf(buf, sizeof(buf), "/sys/dev/block/%d:%d/loop/backing_file",
+ major(st.st_rdev), minor(st.st_rdev));
+
+ fd = open(buf, O_RDONLY);
+ if (fd < 0)
+ return NULL;
+
+ len = read(fd, buf, PATH_MAX);
+ close(fd);
+ if (len < 2)
+ return NULL;
+
+ buf[len - 1] = '\0';
+ return strdup(buf);
+}
+
+char *crypt_loop_backing_file(const char *loop)
+{
+ char *bf = _sysfs_backing_file(loop);
+ return bf ?: _ioctl_backing_file(loop);
+}
+
+int crypt_loop_device(const char *loop)
+{
+ struct stat st;
+
+ if (!loop)
+ return 0;
+
+ if (stat(loop, &st) || !S_ISBLK(st.st_mode) ||
+ major(st.st_rdev) != LOOP_DEV_MAJOR)
+ return 0;
+
+ return 1;
+}
diff --git a/lib/utils_loop.h b/lib/utils_loop.h
new file mode 100644
index 0000000..36da3aa
--- /dev/null
+++ b/lib/utils_loop.h
@@ -0,0 +1,34 @@
+/*
+ * loopback block device utilities
+ *
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _UTILS_LOOP_H
+#define _UTILS_LOOP_H
+
+/* loopback device helpers */
+
+char *crypt_loop_backing_file(const char *loop);
+int crypt_loop_device(const char *loop);
+int crypt_loop_attach(char **loop, const char *file, int offset,
+ int autoclear, int *readonly);
+int crypt_loop_detach(const char *loop);
+int crypt_loop_resize(const char *loop);
+
+#endif /* _UTILS_LOOP_H */
diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
new file mode 100644
index 0000000..d94d5cd
--- /dev/null
+++ b/lib/utils_wipe.c
@@ -0,0 +1,200 @@
+/*
+ * utils_wipe - wipe a device
+ *
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#ifdef HAVE_SYS_SYSMACROS_H
+# include <sys/sysmacros.h> /* for major, minor */
+#endif
+#include <fcntl.h>
+
+#include "libcryptsetup.h"
+#include "internal.h"
+
+#define MAXIMUM_WIPE_BYTES 1024 * 1024 * 32 /* 32 MiB */
+
+static ssize_t _crypt_wipe_zero(int fd, int bsize, char *buffer,
+ uint64_t offset, uint64_t size)
+{
+ memset(buffer, 0, size);
+ return write_lseek_blockwise(fd, bsize, buffer, size, offset);
+}
+
+static ssize_t _crypt_wipe_random(int fd, int bsize, char *buffer,
+ uint64_t offset, uint64_t size)
+{
+ if (crypt_random_get(NULL, buffer, size, CRYPT_RND_NORMAL) < 0)
+ return -EINVAL;
+
+ return write_lseek_blockwise(fd, bsize, buffer, size, offset);
+}
+
+/*
+ * Wipe using Peter Gutmann method described in
+ * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
+ */
+static void wipeSpecial(char *buffer, size_t buffer_size, unsigned int turn)
+{
+ unsigned int i;
+
+ unsigned char write_modes[][3] = {
+ {"\x55\x55\x55"}, {"\xaa\xaa\xaa"}, {"\x92\x49\x24"},
+ {"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x00\x00\x00"},
+ {"\x11\x11\x11"}, {"\x22\x22\x22"}, {"\x33\x33\x33"},
+ {"\x44\x44\x44"}, {"\x55\x55\x55"}, {"\x66\x66\x66"},
+ {"\x77\x77\x77"}, {"\x88\x88\x88"}, {"\x99\x99\x99"},
+ {"\xaa\xaa\xaa"}, {"\xbb\xbb\xbb"}, {"\xcc\xcc\xcc"},
+ {"\xdd\xdd\xdd"}, {"\xee\xee\xee"}, {"\xff\xff\xff"},
+ {"\x92\x49\x24"}, {"\x49\x24\x92"}, {"\x24\x92\x49"},
+ {"\x6d\xb6\xdb"}, {"\xb6\xdb\x6d"}, {"\xdb\x6d\xb6"}
+ };
+
+ for(i = 0; i < buffer_size / 3; ++i) {
+ memcpy(buffer, write_modes[turn], 3);
+ buffer += 3;
+ }
+}
+
+static ssize_t _crypt_wipe_disk(int fd, int bsize, char *buffer,
+ uint64_t offset, uint64_t size)
+{
+ int r;
+ unsigned int i;
+ ssize_t written;
+
+ for(i = 0; i < 39; ++i) {
+ if (i < 5) {
+ r = crypt_random_get(NULL, buffer, size, CRYPT_RND_NORMAL);
+ } else if(i >= 5 && i < 32) {
+ wipeSpecial(buffer, size, i - 5);
+ r = 0;
+ } else if(i >= 32 && i < 38) {
+ r = crypt_random_get(NULL, buffer, size, CRYPT_RND_NORMAL);
+ } else if(i >= 38 && i < 39) {
+ memset(buffer, 0xFF, size);
+ r = 0;
+ }
+ if (r < 0)
+ return r;
+
+ written = write_lseek_blockwise(fd, bsize, buffer, size, offset);
+ if (written < 0 || written != (ssize_t)size)
+ return written;
+ }
+
+ /* Rewrite it finally with random */
+ return _crypt_wipe_random(fd, bsize, buffer, offset, size);
+}
+
+static ssize_t _crypt_wipe_ssd(int fd, int bsize, char *buffer,
+ uint64_t offset, uint64_t size)
+{
+ // FIXME: for now just rewrite it by random
+ return _crypt_wipe_random(fd, bsize, buffer, offset, size);
+}
+
+int crypt_wipe(struct device *device,
+ uint64_t offset,
+ uint64_t size,
+ crypt_wipe_type type,
+ int exclusive)
+{
+ struct stat st;
+ char *buffer;
+ int devfd, flags, bsize;
+ ssize_t written;
+
+ if (!size || size % SECTOR_SIZE || (size > MAXIMUM_WIPE_BYTES)) {
+ log_dbg("Unsupported wipe size for device %s: %ld.",
+ device_path(device), (unsigned long)size);
+ return -EINVAL;
+ }
+
+ if (stat(device_path(device), &st) < 0) {
+ log_dbg("Device %s not found.", device_path(device));
+ return -EINVAL;
+ }
+
+ if (type == CRYPT_WIPE_DISK && S_ISBLK(st.st_mode)) {
+ if (!crypt_dev_is_rotational(major(st.st_rdev),
+ minor(st.st_rdev))) {
+ type = CRYPT_WIPE_SSD;
+ log_dbg("Non-rotational device, using SSD wipe mode.");
+ } else
+ log_dbg("Rotational device, using normal wipe mode.");
+ }
+
+ bsize = device_block_size(device);
+ if (bsize <= 0)
+ return -EINVAL;
+
+ buffer = malloc(size);
+ if (!buffer)
+ return -ENOMEM;
+
+ flags = O_RDWR;
+
+ /* use O_EXCL only for block devices */
+ if (exclusive && S_ISBLK(st.st_mode))
+ flags |= O_EXCL;
+
+ /* coverity[toctou] */
+ devfd = device_open(device, flags);
+ if (devfd < 0) {
+ free(buffer);
+ return errno ? -errno : -EINVAL;
+ }
+
+ // FIXME: use fixed block size and loop here
+ switch (type) {
+ case CRYPT_WIPE_ZERO:
+ written = _crypt_wipe_zero(devfd, bsize, buffer, offset, size);
+ break;
+ case CRYPT_WIPE_DISK:
+ written = _crypt_wipe_disk(devfd, bsize, buffer, offset, size);
+ break;
+ case CRYPT_WIPE_SSD:
+ written = _crypt_wipe_ssd(devfd, bsize, buffer, offset, size);
+ break;
+ case CRYPT_WIPE_RANDOM:
+ written = _crypt_wipe_random(devfd, bsize, buffer, offset, size);
+ break;
+ default:
+ log_dbg("Unsupported wipe type requested: (%d)", type);
+ written = -1;
+ }
+
+ close(devfd);
+ free(buffer);
+
+ if (written != (ssize_t)size || written < 0)
+ return -EIO;
+
+ return 0;
+}
diff --git a/lib/verity/Makefile.am b/lib/verity/Makefile.am
new file mode 100644
index 0000000..9dce6f9
--- /dev/null
+++ b/lib/verity/Makefile.am
@@ -0,0 +1,17 @@
+moduledir = $(libdir)/cryptsetup
+
+noinst_LTLIBRARIES = libverity.la
+
+libverity_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
+
+libverity_la_SOURCES = \
+ verity_hash.c \
+ verity_fec.c \
+ verity.c \
+ verity.h \
+ rs_encode_char.c \
+ rs.h
+
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir)/lib \
+ -I$(top_srcdir)/lib/crypto_backend
diff --git a/lib/verity/rs.h b/lib/verity/rs.h
new file mode 100644
index 0000000..5faa81a
--- /dev/null
+++ b/lib/verity/rs.h
@@ -0,0 +1,35 @@
+/*
+ * Reed-Solomon codecs, based on libfec
+ *
+ * Copyright (C) 2004 Phil Karn, KA9Q
+ * libcryptsetup modifications
+ * Copyright (C) 2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _LIBFEC_RS_H
+#define _LIBFEC_RS_H
+
+typedef unsigned char data_t;
+struct rs;
+
+struct rs *init_rs_char(int symsize, int gfpoly, int fcr, int prim, int nroots, int pad);
+void free_rs_char(struct rs *rs);
+
+/* General purpose RS codec, 8-bit symbols */
+void encode_rs_char(struct rs *rs, data_t *data, data_t *parity);
+
+#endif
diff --git a/lib/verity/rs_encode_char.c b/lib/verity/rs_encode_char.c
new file mode 100644
index 0000000..de734cd
--- /dev/null
+++ b/lib/verity/rs_encode_char.c
@@ -0,0 +1,199 @@
+/*
+ * Reed-Solomon encoder, based on libfec
+ *
+ * Copyright (C) 2002, Phil Karn, KA9Q
+ * libcryptsetup modifications
+ * Copyright (C) 2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+#include "rs.h"
+
+/* Special reserved value encoding zero in index form. */
+#define A0 (rs->nn)
+
+/* Reed-Solomon codec control block */
+struct rs {
+ int mm; /* Bits per symbol */
+ int nn; /* Symbols per block (= (1<<mm)-1) */
+ data_t *alpha_to;/* log lookup table */
+ data_t *index_of;/* Antilog lookup table */
+ data_t *genpoly; /* Generator polynomial */
+ int nroots; /* Number of generator roots = number of parity symbols */
+ int fcr; /* First consecutive root, index form */
+ int prim; /* Primitive element, index form */
+ int iprim; /* prim-th root of 1, index form */
+ int pad; /* Padding bytes in shortened block */
+};
+
+static inline int modnn(struct rs *rs, int x)
+{
+ while (x >= rs->nn) {
+ x -= rs->nn;
+ x = (x >> rs->mm) + (x & rs->nn);
+ }
+ return x;
+}
+
+/* Initialize a Reed-Solomon codec
+ * symsize = symbol size, bits
+ * gfpoly = Field generator polynomial coefficients
+ * fcr = first root of RS code generator polynomial, index form
+ * prim = primitive element to generate polynomial roots
+ * nroots = RS code generator polynomial degree (number of roots)
+ * pad = padding bytes at front of shortened block
+ */
+struct rs *init_rs_char(int symsize, int gfpoly, int fcr, int prim, int nroots, int pad)
+{
+ struct rs *rs;
+ int i, j, sr, root, iprim;
+
+ /* Check parameter ranges */
+ if (symsize < 0 || symsize > 8 * (int)sizeof(data_t))
+ return NULL;
+ if (fcr < 0 || fcr >= (1<<symsize))
+ return NULL;
+ if (prim <= 0 || prim >= (1<<symsize))
+ return NULL;
+ if (nroots < 0 || nroots >= (1<<symsize))
+ return NULL; /* Can't have more roots than symbol values! */
+
+ if (pad < 0 || pad >= ((1<<symsize) - 1 - nroots))
+ return NULL; /* Too much padding */
+
+ rs = calloc(1, sizeof(struct rs));
+ if (rs == NULL)
+ return NULL;
+
+ rs->mm = symsize;
+ rs->nn = (1<<symsize) - 1;
+ rs->pad = pad;
+
+ rs->alpha_to = malloc(sizeof(data_t) * (rs->nn + 1));
+ if (rs->alpha_to == NULL) {
+ free(rs);
+ return NULL;
+ }
+ rs->index_of = malloc(sizeof(data_t) * (rs->nn + 1));
+ if (rs->index_of == NULL) {
+ free(rs->alpha_to);
+ free(rs);
+ return NULL;
+ }
+ memset(rs->index_of, 0, sizeof(data_t) * (rs->nn + 1));
+
+ /* Generate Galois field lookup tables */
+ rs->index_of[0] = A0; /* log(zero) = -inf */
+ rs->alpha_to[A0] = 0; /* alpha**-inf = 0 */
+ sr = 1;
+ for (i = 0; i < rs->nn; i++) {
+ rs->index_of[sr] = i;
+ rs->alpha_to[i] = sr;
+ sr <<= 1;
+ if(sr & (1<<symsize))
+ sr ^= gfpoly;
+ sr &= rs->nn;
+ }
+ if (sr != 1) {
+ /* field generator polynomial is not primitive! */
+ free(rs->alpha_to);
+ free(rs->index_of);
+ free(rs);
+ return NULL;
+ }
+
+ /* Form RS code generator polynomial from its roots */
+ rs->genpoly = malloc(sizeof(data_t) * (nroots + 1));
+ if (rs->genpoly == NULL) {
+ free(rs->alpha_to);
+ free(rs->index_of);
+ free(rs);
+ return NULL;
+ }
+
+ rs->fcr = fcr;
+ rs->prim = prim;
+ rs->nroots = nroots;
+
+ /* Find prim-th root of 1, used in decoding */
+ for (iprim = 1; (iprim % prim) != 0; iprim += rs->nn)
+ ;
+ rs->iprim = iprim / prim;
+
+ rs->genpoly[0] = 1;
+ for (i = 0, root = fcr * prim; i < nroots; i++, root += prim) {
+ rs->genpoly[i + 1] = 1;
+
+ /* Multiply rs->genpoly[] by @**(root + x) */
+ for (j = i; j > 0; j--){
+ if (rs->genpoly[j] != 0)
+ rs->genpoly[j] = rs->genpoly[j - 1] ^ rs->alpha_to[modnn(rs, rs->index_of[rs->genpoly[j]] + root)];
+ else
+ rs->genpoly[j] = rs->genpoly[j - 1];
+ }
+ /* rs->genpoly[0] can never be zero */
+ rs->genpoly[0] = rs->alpha_to[modnn(rs, rs->index_of[rs->genpoly[0]] + root)];
+ }
+ /* convert rs->genpoly[] to index form for quicker encoding */
+ for (i = 0; i <= nroots; i++)
+ rs->genpoly[i] = rs->index_of[rs->genpoly[i]];
+
+ return rs;
+}
+
+void free_rs_char(struct rs *rs)
+{
+ if (!rs)
+ return;
+
+ free(rs->alpha_to);
+ free(rs->index_of);
+ free(rs->genpoly);
+ free(rs);
+}
+
+void encode_rs_char(struct rs *rs, data_t *data, data_t *parity)
+{
+ int i, j;
+ data_t feedback;
+
+ memset(parity, 0, rs->nroots * sizeof(data_t));
+
+ for (i = 0; i < rs->nn - rs->nroots - rs->pad; i++) {
+ feedback = rs->index_of[data[i] ^ parity[0]];
+ if (feedback != A0) {
+ /* feedback term is non-zero */
+#ifdef UNNORMALIZED
+ /* This line is unnecessary when GENPOLY[NROOTS] is unity, as it must
+ * always be for the polynomials constructed by init_rs() */
+ feedback = modnn(rs, rs->nn - rs->genpoly[rs->nroots] + feedback);
+#endif
+ for (j = 1; j < rs->nroots; j++)
+ parity[j] ^= rs->alpha_to[modnn(rs, feedback + rs->genpoly[rs->nroots - j])];
+ }
+
+ /* Shift */
+ memmove(&parity[0], &parity[1], sizeof(data_t) * (rs->nroots - 1));
+
+ if (feedback != A0)
+ parity[rs->nroots - 1] = rs->alpha_to[modnn(rs, feedback + rs->genpoly[0])];
+ else
+ parity[rs->nroots - 1] = 0;
+ }
+}
diff --git a/lib/verity/verity.c b/lib/verity/verity.c
new file mode 100644
index 0000000..db8adb8
--- /dev/null
+++ b/lib/verity/verity.c
@@ -0,0 +1,306 @@
+/*
+ * dm-verity volume handling
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <uuid/uuid.h>
+
+#include "libcryptsetup.h"
+#include "verity.h"
+#include "internal.h"
+
+#define VERITY_SIGNATURE "verity\0\0"
+
+/* https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity#verity-superblock-format */
+struct verity_sb {
+ uint8_t signature[8]; /* "verity\0\0" */
+ uint32_t version; /* superblock version */
+ uint32_t hash_type; /* 0 - Chrome OS, 1 - normal */
+ uint8_t uuid[16]; /* UUID of hash device */
+ uint8_t algorithm[32];/* hash algorithm name */
+ uint32_t data_block_size; /* data block in bytes */
+ uint32_t hash_block_size; /* hash block in bytes */
+ uint64_t data_blocks; /* number of data blocks */
+ uint16_t salt_size; /* salt size */
+ uint8_t _pad1[6];
+ uint8_t salt[256]; /* salt */
+ uint8_t _pad2[168];
+} __attribute__((packed));
+
+/* Read verity superblock from disk */
+int VERITY_read_sb(struct crypt_device *cd,
+ uint64_t sb_offset,
+ char **uuid_string,
+ struct crypt_params_verity *params)
+{
+ struct device *device = crypt_metadata_device(cd);
+ int bsize = device_block_size(device);
+ struct verity_sb sb = {};
+ ssize_t hdr_size = sizeof(struct verity_sb);
+ int devfd = 0, sb_version;
+
+ log_dbg("Reading VERITY header of size %zu on device %s, offset %" PRIu64 ".",
+ sizeof(struct verity_sb), device_path(device), sb_offset);
+
+ if (params->flags & CRYPT_VERITY_NO_HEADER) {
+ log_err(cd, _("Verity device %s doesn't use on-disk header.\n"),
+ device_path(device));
+ return -EINVAL;
+ }
+
+ if (sb_offset % 512) {
+ log_err(cd, _("Unsupported VERITY hash offset.\n"));
+ return -EINVAL;
+ }
+
+ devfd = device_open(device, O_RDONLY);
+ if (devfd < 0) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(device));
+ return -EINVAL;
+ }
+
+ if (lseek(devfd, sb_offset, SEEK_SET) < 0 ||
+ read_blockwise(devfd, bsize, &sb, hdr_size) < hdr_size) {
+ close(devfd);
+ return -EIO;
+ }
+ close(devfd);
+
+ if (memcmp(sb.signature, VERITY_SIGNATURE, sizeof(sb.signature))) {
+ log_err(cd, _("Device %s is not a valid VERITY device.\n"),
+ device_path(device));
+ return -EINVAL;
+ }
+
+ sb_version = le32_to_cpu(sb.version);
+ if (sb_version != 1) {
+ log_err(cd, _("Unsupported VERITY version %d.\n"), sb_version);
+ return -EINVAL;
+ }
+ params->hash_type = le32_to_cpu(sb.hash_type);
+ if (params->hash_type > VERITY_MAX_HASH_TYPE) {
+ log_err(cd, _("Unsupported VERITY hash type %d.\n"), params->hash_type);
+ return -EINVAL;
+ }
+
+ params->data_block_size = le32_to_cpu(sb.data_block_size);
+ params->hash_block_size = le32_to_cpu(sb.hash_block_size);
+ if (VERITY_BLOCK_SIZE_OK(params->data_block_size) ||
+ VERITY_BLOCK_SIZE_OK(params->hash_block_size)) {
+ log_err(cd, _("Unsupported VERITY block size.\n"));
+ return -EINVAL;
+ }
+ params->data_size = le64_to_cpu(sb.data_blocks);
+
+ params->hash_name = strndup((const char*)sb.algorithm, sizeof(sb.algorithm));
+ if (!params->hash_name)
+ return -ENOMEM;
+ if (crypt_hash_size(params->hash_name) <= 0) {
+ log_err(cd, _("Hash algorithm %s not supported.\n"),
+ params->hash_name);
+ free(CONST_CAST(char*)params->hash_name);
+ params->hash_name = NULL;
+ return -EINVAL;
+ }
+
+ params->salt_size = le16_to_cpu(sb.salt_size);
+ if (params->salt_size > sizeof(sb.salt)) {
+ log_err(cd, _("VERITY header corrupted.\n"));
+ free(CONST_CAST(char*)params->hash_name);
+ params->hash_name = NULL;
+ return -EINVAL;
+ }
+ params->salt = malloc(params->salt_size);
+ if (!params->salt) {
+ free(CONST_CAST(char*)params->hash_name);
+ params->hash_name = NULL;
+ return -ENOMEM;
+ }
+ memcpy(CONST_CAST(char*)params->salt, sb.salt, params->salt_size);
+
+ if ((*uuid_string = malloc(40)))
+ uuid_unparse(sb.uuid, *uuid_string);
+
+ params->hash_area_offset = sb_offset;
+ return 0;
+}
+
+/* Write verity superblock to disk */
+int VERITY_write_sb(struct crypt_device *cd,
+ uint64_t sb_offset,
+ const char *uuid_string,
+ struct crypt_params_verity *params)
+{
+ struct device *device = crypt_metadata_device(cd);
+ int bsize = device_block_size(device);
+ struct verity_sb sb = {};
+ ssize_t hdr_size = sizeof(struct verity_sb);
+ char *algorithm;
+ uuid_t uuid;
+ int r, devfd = 0;
+
+ log_dbg("Updating VERITY header of size %zu on device %s, offset %" PRIu64 ".",
+ sizeof(struct verity_sb), device_path(device), sb_offset);
+
+ if (!uuid_string || uuid_parse(uuid_string, uuid) == -1) {
+ log_err(cd, _("Wrong VERITY UUID format provided on device %s.\n"),
+ device_path(device));
+ return -EINVAL;
+ }
+
+ if (params->flags & CRYPT_VERITY_NO_HEADER) {
+ log_err(cd, _("Verity device %s doesn't use on-disk header.\n"),
+ device_path(device));
+ return -EINVAL;
+ }
+
+ devfd = device_open(device, O_RDWR);
+ if (devfd < 0) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(device));
+ return -EINVAL;
+ }
+
+ memcpy(&sb.signature, VERITY_SIGNATURE, sizeof(sb.signature));
+ sb.version = cpu_to_le32(1);
+ sb.hash_type = cpu_to_le32(params->hash_type);
+ sb.data_block_size = cpu_to_le32(params->data_block_size);
+ sb.hash_block_size = cpu_to_le32(params->hash_block_size);
+ sb.salt_size = cpu_to_le16(params->salt_size);
+ sb.data_blocks = cpu_to_le64(params->data_size);
+ algorithm = (char *)sb.algorithm;
+ algorithm[sizeof(sb.algorithm)-1] = '\0';
+ strncpy(algorithm, params->hash_name, sizeof(sb.algorithm)-1);
+ memcpy(sb.salt, params->salt, params->salt_size);
+ memcpy(sb.uuid, uuid, sizeof(sb.uuid));
+
+ r = write_lseek_blockwise(devfd, bsize, (char*)&sb, hdr_size, sb_offset) < hdr_size ? -EIO : 0;
+ if (r)
+ log_err(cd, _("Error during update of verity header on device %s.\n"),
+ device_path(device));
+ close(devfd);
+
+ return r;
+}
+
+/* Calculate hash offset in hash blocks */
+uint64_t VERITY_hash_offset_block(struct crypt_params_verity *params)
+{
+ uint64_t hash_offset = params->hash_area_offset;
+
+ if (params->flags & CRYPT_VERITY_NO_HEADER)
+ return hash_offset / params->hash_block_size;
+
+ hash_offset += sizeof(struct verity_sb);
+ hash_offset += params->hash_block_size - 1;
+
+ return hash_offset / params->hash_block_size;
+}
+
+int VERITY_UUID_generate(struct crypt_device *cd, char **uuid_string)
+{
+ uuid_t uuid;
+
+ if (!(*uuid_string = malloc(40)))
+ return -ENOMEM;
+ uuid_generate(uuid);
+ uuid_unparse(uuid, *uuid_string);
+ return 0;
+}
+
+/* Activate verity device in kernel device-mapper */
+int VERITY_activate(struct crypt_device *cd,
+ const char *name,
+ const char *root_hash,
+ size_t root_hash_size,
+ struct device *fec_device,
+ struct crypt_params_verity *verity_hdr,
+ uint32_t activation_flags)
+{
+ struct crypt_dm_active_device dmd;
+ int r;
+
+ log_dbg("Trying to activate VERITY device %s using hash %s.",
+ name ?: "[none]", verity_hdr->hash_name);
+
+ if (verity_hdr->flags & CRYPT_VERITY_CHECK_HASH) {
+ log_dbg("Verification of data in userspace required.");
+ r = VERITY_verify(cd, verity_hdr,
+ root_hash, root_hash_size);
+ if (r < 0)
+ return r;
+ }
+
+ if (!name)
+ return 0;
+
+ dmd.target = DM_VERITY;
+ dmd.data_device = crypt_data_device(cd);
+ dmd.u.verity.hash_device = crypt_metadata_device(cd);
+ dmd.u.verity.fec_device = fec_device;
+ dmd.u.verity.root_hash = root_hash;
+ dmd.u.verity.root_hash_size = root_hash_size;
+ dmd.u.verity.hash_offset = VERITY_hash_offset_block(verity_hdr);
+ dmd.u.verity.fec_offset = verity_hdr->fec_area_offset / verity_hdr->hash_block_size;
+ dmd.u.verity.hash_blocks = VERITY_hash_blocks(cd, verity_hdr);
+ dmd.flags = activation_flags;
+ dmd.size = verity_hdr->data_size * verity_hdr->data_block_size / 512;
+ dmd.uuid = crypt_get_uuid(cd);
+ dmd.u.verity.vp = verity_hdr;
+
+ r = device_block_adjust(cd, dmd.u.verity.hash_device, DEV_OK,
+ 0, NULL, NULL);
+ if (r)
+ return r;
+
+ r = device_block_adjust(cd, dmd.data_device, DEV_EXCL,
+ 0, &dmd.size, &dmd.flags);
+ if (r)
+ return r;
+
+ if (dmd.u.verity.fec_device) {
+ r = device_block_adjust(cd, dmd.u.verity.fec_device, DEV_OK,
+ 0, NULL, NULL);
+ if (r)
+ return r;
+ }
+
+ r = dm_create_device(cd, name, CRYPT_VERITY, &dmd, 0);
+ if (r < 0 && !(dm_flags() & DM_VERITY_SUPPORTED)) {
+ log_err(cd, _("Kernel doesn't support dm-verity mapping.\n"));
+ return -ENOTSUP;
+ }
+ if (r < 0)
+ return r;
+
+ r = dm_status_verity_ok(cd, name);
+ if (r < 0)
+ return r;
+
+ if (!r)
+ log_err(cd, _("Verity device detected corruption after activation.\n"));
+ return 0;
+}
diff --git a/lib/verity/verity.h b/lib/verity/verity.h
new file mode 100644
index 0000000..ea426e0
--- /dev/null
+++ b/lib/verity/verity.h
@@ -0,0 +1,72 @@
+/*
+ * dm-verity volume handling
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _VERITY_H
+#define _VERITY_H
+
+#include <stdint.h>
+
+#define VERITY_MAX_HASH_TYPE 1
+#define VERITY_BLOCK_SIZE_OK(x) ((x) % 512 || (x) < 512 || \
+ (x) > (512 * 1024) || (x) & ((x)-1))
+
+struct crypt_device;
+struct crypt_params_verity;
+struct device;
+
+int VERITY_read_sb(struct crypt_device *cd,
+ uint64_t sb_offset,
+ char **uuid,
+ struct crypt_params_verity *params);
+
+int VERITY_write_sb(struct crypt_device *cd,
+ uint64_t sb_offset,
+ const char *uuid_string,
+ struct crypt_params_verity *params);
+
+int VERITY_activate(struct crypt_device *cd,
+ const char *name,
+ const char *root_hash,
+ size_t root_hash_size,
+ struct device *fec_device,
+ struct crypt_params_verity *verity_hdr,
+ uint32_t activation_flags);
+
+int VERITY_verify(struct crypt_device *cd,
+ struct crypt_params_verity *verity_hdr,
+ const char *root_hash,
+ size_t root_hash_size);
+
+int VERITY_create(struct crypt_device *cd,
+ struct crypt_params_verity *verity_hdr,
+ char *root_hash,
+ size_t root_hash_size);
+
+int VERITY_FEC_create(struct crypt_device *cd,
+ struct crypt_params_verity *params,
+ struct device *fec_device);
+
+uint64_t VERITY_hash_offset_block(struct crypt_params_verity *params);
+
+uint64_t VERITY_hash_blocks(struct crypt_device *cd, struct crypt_params_verity *params);
+
+int VERITY_UUID_generate(struct crypt_device *cd, char **uuid_string);
+
+#endif
diff --git a/lib/verity/verity_fec.c b/lib/verity/verity_fec.c
new file mode 100644
index 0000000..07691fb
--- /dev/null
+++ b/lib/verity/verity_fec.c
@@ -0,0 +1,256 @@
+/*
+ * dm-verity Forward Error Correction (FEC) support
+ *
+ * Copyright (C) 2015, Google, Inc. All rights reserved.
+ * Copyright (C) 2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include "verity.h"
+#include "internal.h"
+#include "rs.h"
+
+/* ecc parameters */
+#define FEC_RSM 255
+#define FEC_MIN_RSN 231
+#define FEC_MAX_RSN 253
+
+#define FEC_INPUT_DEVICES 2
+
+/* parameters to init_rs_char */
+#define FEC_PARAMS(roots) \
+ 8, /* symbol size in bits */ \
+ 0x11d, /* field generator polynomial coefficients */ \
+ 0, /* first root of the generator */ \
+ 1, /* primitive element to generate polynomial roots */ \
+ (roots), /* polynomial degree (number of roots) */ \
+ 0 /* padding bytes at the front of shortened block */
+
+struct fec_input_device {
+ struct device *device;
+ int fd;
+ uint64_t start;
+ uint64_t count;
+};
+
+struct fec_context {
+ int rsn;
+ int roots;
+ uint64_t size;
+ uint64_t blocks;
+ uint64_t rounds;
+ uint32_t block_size;
+ struct fec_input_device *inputs;
+ size_t ninputs;
+};
+
+/* computes ceil(x / y) */
+static inline uint64_t FEC_div_round_up(uint64_t x, uint64_t y)
+{
+ return (x / y) + (x % y > 0 ? 1 : 0);
+}
+
+/* returns a physical offset for the given RS offset */
+static inline uint64_t FEC_interleave(struct fec_context *ctx, uint64_t offset)
+{
+ return (offset / ctx->rsn) +
+ (offset % ctx->rsn) * ctx->rounds * ctx->block_size;
+}
+
+/* returns data for a byte at the specified RS offset */
+static int FEC_read_interleaved(struct fec_context *ctx, uint64_t i,
+ void *output, size_t count)
+{
+ size_t n;
+ uint64_t offset = FEC_interleave(ctx, i);
+
+ /* offsets outside input area are assumed to contain zeros */
+ if (offset >= ctx->size) {
+ memset(output, 0, count);
+ return 0;
+ }
+
+ /* find the correct input device and read from it */
+ for (n = 0; n < ctx->ninputs; ++n) {
+ if (offset >= ctx->inputs[n].count) {
+ offset -= ctx->inputs[n].count;
+ continue;
+ }
+
+ if (lseek(ctx->inputs[n].fd, ctx->inputs[n].start + offset, SEEK_SET) < 0)
+ return -1;
+ return (read_buffer(ctx->inputs[n].fd, output, count) == (ssize_t)count) ? 0 : -1;
+ }
+
+ /* should never be reached */
+ return -1;
+}
+
+/* encodes inputs to fd */
+static int FEC_encode_inputs(struct crypt_device *cd,
+ struct crypt_params_verity *params,
+ struct fec_input_device *inputs,
+ size_t ninputs, int fd)
+{
+ int i, r = 0;
+ struct fec_context ctx;
+ uint32_t b;
+ uint64_t n;
+ uint8_t parity[params->fec_roots];
+ uint8_t rs_block[FEC_RSM];
+ uint8_t *buf = NULL;
+ void *rs;
+
+ /* initialize parameters */
+ ctx.roots = params->fec_roots;
+ ctx.rsn = FEC_RSM - ctx.roots;
+ ctx.block_size = params->data_block_size;
+ ctx.inputs = inputs;
+ ctx.ninputs = ninputs;
+
+ rs = init_rs_char(FEC_PARAMS(ctx.roots));
+ if (!rs) {
+ log_err(cd, _("Failed to allocate RS context.\n"));
+ return -ENOMEM;
+ }
+
+ /* calculate the total area covered by error correction codes */
+ ctx.size = 0;
+ for (n = 0; n < ctx.ninputs; ++n)
+ ctx.size += ctx.inputs[n].count;
+
+ /* each byte in a data block is covered by a different code */
+ ctx.blocks = FEC_div_round_up(ctx.size, ctx.block_size);
+ ctx.rounds = FEC_div_round_up(ctx.blocks, ctx.rsn);
+
+ buf = malloc(ctx.block_size * ctx.rsn);
+ if (!buf) {
+ log_err(cd, _("Failed to allocate buffer.\n"));
+ r = -ENOMEM;
+ goto out;
+ }
+
+ /* encode input */
+ for (n = 0; n < ctx.rounds; ++n) {
+ for (i = 0; i < ctx.rsn; ++i) {
+ if (FEC_read_interleaved(&ctx, n * ctx.rsn * ctx.block_size + i,
+ &buf[i * ctx.block_size], ctx.block_size)) {
+ log_err(cd, _("Failed to read RS block %" PRIu64 " byte %d.\n"), n, i);
+ r = -EIO;
+ goto out;
+ }
+ }
+
+ for (b = 0; b < ctx.block_size; ++b) {
+ for (i = 0; i < ctx.rsn; ++i)
+ rs_block[i] = buf[i * ctx.block_size + b];
+
+ encode_rs_char(rs, rs_block, parity);
+ if (write_buffer(fd, parity, sizeof(parity)) != (ssize_t)sizeof(parity)) {
+ log_err(cd, _("Failed to write parity for RS block %" PRIu64 ".\n"), n);
+ r = -EIO;
+ goto out;
+ }
+ }
+ }
+
+out:
+ free_rs_char(rs);
+ free(buf);
+ return r;
+}
+
+int VERITY_FEC_create(struct crypt_device *cd,
+ struct crypt_params_verity *params,
+ struct device *fec_device)
+{
+ int r;
+ int fd = -1;
+ struct fec_input_device inputs[FEC_INPUT_DEVICES] = {
+ {
+ .device = crypt_data_device(cd),
+ .fd = -1,
+ .start = 0,
+ .count = params->data_size * params->data_block_size
+ },{
+ .device = crypt_metadata_device(cd),
+ .fd = -1,
+ .start = VERITY_hash_offset_block(params) * params->data_block_size
+ }
+ };
+
+ /* validate parameters */
+ if (params->data_block_size != params->hash_block_size) {
+ log_err(cd, _("Block sizes must match for FEC.\n"));
+ return -EINVAL;
+ }
+
+ if (params->fec_roots > FEC_RSM - FEC_MIN_RSN ||
+ params->fec_roots < FEC_RSM - FEC_MAX_RSN) {
+ log_err(cd, _("Invalid number of parity bytes.\n"));
+ return -EINVAL;
+ }
+
+ r = -EIO;
+
+ /* output device */
+ fd = open(device_path(fec_device), O_RDWR);
+ if (fd == -1) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(fec_device));
+ goto out;
+ }
+
+ if (lseek(fd, params->fec_area_offset, SEEK_SET) < 0) {
+ log_dbg("Cannot seek to requested position in FEC device.");
+ goto out;
+ }
+
+ /* input devices */
+ inputs[0].fd = open(device_path(inputs[0].device), O_RDONLY);
+ if (inputs[0].fd == -1) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(inputs[0].device));
+ goto out;
+ }
+ inputs[1].fd = open(device_path(inputs[1].device), O_RDONLY);
+ if (inputs[1].fd == -1) {
+ log_err(cd, _("Cannot open device %s.\n"), device_path(inputs[1].device));
+ goto out;
+ }
+
+ /* cover the entire hash device starting from hash_offset */
+ r = device_size(inputs[1].device, &inputs[1].count);
+ if (r) {
+ log_err(cd, _("Failed to determine size for device %s.\n"),
+ device_path(inputs[1].device));
+ goto out;
+ }
+ inputs[1].count -= inputs[1].start;
+
+ r = FEC_encode_inputs(cd, params, inputs, FEC_INPUT_DEVICES, fd);
+out:
+ if (inputs[0].fd != -1)
+ close(inputs[0].fd);
+ if (inputs[1].fd != -1)
+ close(inputs[1].fd);
+ if (fd != -1)
+ close(fd);
+
+ return r;
+}
diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c
new file mode 100644
index 0000000..e34b896
--- /dev/null
+++ b/lib/verity/verity_hash.c
@@ -0,0 +1,458 @@
+/*
+ * dm-verity volume handling
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include "verity.h"
+#include "internal.h"
+
+#define VERITY_MAX_LEVELS 63
+
+static unsigned get_bits_up(size_t u)
+{
+ unsigned i = 0;
+ while ((1U << i) < u)
+ i++;
+ return i;
+}
+
+static unsigned get_bits_down(size_t u)
+{
+ unsigned i = 0;
+ while ((u >> i) > 1U)
+ i++;
+ return i;
+}
+
+static int verify_zero(struct crypt_device *cd, FILE *wr, size_t bytes)
+{
+ char block[bytes];
+ size_t i;
+
+ if (fread(block, bytes, 1, wr) != 1) {
+ log_dbg("EIO while reading spare area.");
+ return -EIO;
+ }
+ for (i = 0; i < bytes; i++)
+ if (block[i]) {
+ log_err(cd, _("Spare area is not zeroed at position %" PRIu64 ".\n"),
+ ftello(wr) - bytes);
+ return -EPERM;
+ }
+ return 0;
+}
+
+static int verify_hash_block(const char *hash_name, int version,
+ char *hash, size_t hash_size,
+ const char *data, size_t data_size,
+ const char *salt, size_t salt_size)
+{
+ struct crypt_hash *ctx = NULL;
+ int r;
+
+ if (crypt_hash_init(&ctx, hash_name))
+ return -EINVAL;
+
+ if (version == 1 && (r = crypt_hash_write(ctx, salt, salt_size)))
+ goto out;
+
+ if ((r = crypt_hash_write(ctx, data, data_size)))
+ goto out;
+
+ if (version == 0 && (r = crypt_hash_write(ctx, salt, salt_size)))
+ goto out;
+
+ r = crypt_hash_final(ctx, hash, hash_size);
+out:
+ crypt_hash_destroy(ctx);
+ return r;
+}
+
+static int mult_overflow(off_t *u, off_t b, size_t size)
+{
+ *u = (uint64_t)b * size;
+ if ((off_t)(*u / size) != b || (off_t)*u < 0)
+ return 1;
+ return 0;
+}
+
+static int hash_levels(size_t hash_block_size, size_t digest_size,
+ off_t data_file_blocks, off_t *hash_position, int *levels,
+ off_t *hash_level_block, off_t *hash_level_size)
+{
+ size_t hash_per_block_bits;
+ off_t s;
+ int i;
+
+ if (!digest_size)
+ return -EINVAL;
+
+ hash_per_block_bits = get_bits_down(hash_block_size / digest_size);
+ if (!hash_per_block_bits)
+ return -EINVAL;
+
+ *levels = 0;
+ while (hash_per_block_bits * *levels < 64 &&
+ (data_file_blocks - 1) >> (hash_per_block_bits * *levels))
+ (*levels)++;
+
+ if (*levels > VERITY_MAX_LEVELS)
+ return -EINVAL;
+
+ for (i = *levels - 1; i >= 0; i--) {
+ if (hash_level_block)
+ hash_level_block[i] = *hash_position;
+ // verity position of block data_file_blocks at level i
+ s = (data_file_blocks + ((off_t)1 << ((i + 1) * hash_per_block_bits)) - 1) >> ((i + 1) * hash_per_block_bits);
+ if (hash_level_size)
+ hash_level_size[i] = s;
+ if ((*hash_position + s) < *hash_position ||
+ (*hash_position + s) < 0)
+ return -EINVAL;
+ *hash_position += s;
+ }
+
+ return 0;
+}
+
+static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
+ off_t data_block, size_t data_block_size,
+ off_t hash_block, size_t hash_block_size,
+ off_t blocks, int version,
+ const char *hash_name, int verify,
+ char *calculated_digest, size_t digest_size,
+ const char *salt, size_t salt_size)
+{
+ char left_block[hash_block_size];
+ char data_buffer[data_block_size];
+ char read_digest[digest_size];
+ size_t hash_per_block = 1 << get_bits_down(hash_block_size / digest_size);
+ size_t digest_size_full = 1 << get_bits_up(digest_size);
+ off_t blocks_to_write = (blocks + hash_per_block - 1) / hash_per_block;
+ off_t seek_rd, seek_wr;
+ size_t left_bytes;
+ unsigned i;
+ int r;
+
+ if (mult_overflow(&seek_rd, data_block, data_block_size) ||
+ mult_overflow(&seek_wr, hash_block, hash_block_size)) {
+ log_err(cd, _("Device offset overflow.\n"));
+ return -EINVAL;
+ }
+
+ if (fseeko(rd, seek_rd, SEEK_SET)) {
+ log_dbg("Cannot seek to requested position in data device.");
+ return -EIO;
+ }
+
+ if (wr && fseeko(wr, seek_wr, SEEK_SET)) {
+ log_dbg("Cannot seek to requested position in hash device.");
+ return -EIO;
+ }
+
+ memset(left_block, 0, hash_block_size);
+ while (blocks_to_write--) {
+ left_bytes = hash_block_size;
+ for (i = 0; i < hash_per_block; i++) {
+ if (!blocks)
+ break;
+ blocks--;
+ if (fread(data_buffer, data_block_size, 1, rd) != 1) {
+ log_dbg("Cannot read data device block.");
+ return -EIO;
+ }
+
+ if (verify_hash_block(hash_name, version,
+ calculated_digest, digest_size,
+ data_buffer, data_block_size,
+ salt, salt_size))
+ return -EINVAL;
+
+ if (!wr)
+ break;
+ if (verify) {
+ if (fread(read_digest, digest_size, 1, wr) != 1) {
+ log_dbg("Cannot read digest form hash device.");
+ return -EIO;
+ }
+ if (memcmp(read_digest, calculated_digest, digest_size)) {
+ log_err(cd, _("Verification failed at position %" PRIu64 ".\n"),
+ ftello(rd) - data_block_size);
+ return -EPERM;
+ }
+ } else {
+ if (fwrite(calculated_digest, digest_size, 1, wr) != 1) {
+ log_dbg("Cannot write digest to hash device.");
+ return -EIO;
+ }
+ }
+ if (version == 0) {
+ left_bytes -= digest_size;
+ } else {
+ if (digest_size_full - digest_size) {
+ if (verify) {
+ r = verify_zero(cd, wr, digest_size_full - digest_size);
+ if (r)
+ return r;
+ } else if (fwrite(left_block, digest_size_full - digest_size, 1, wr) != 1) {
+ log_dbg("Cannot write spare area to hash device.");
+ return -EIO;
+ }
+ }
+ left_bytes -= digest_size_full;
+ }
+ }
+ if (wr && left_bytes) {
+ if (verify) {
+ r = verify_zero(cd , wr, left_bytes);
+ if (r)
+ return r;
+ } else if (fwrite(left_block, left_bytes, 1, wr) != 1) {
+ log_dbg("Cannot write remaining spare area to hash device.");
+ return -EIO;
+ }
+ }
+ }
+
+ return 0;
+}
+
+static int VERITY_create_or_verify_hash(struct crypt_device *cd,
+ int verify,
+ int version,
+ const char *hash_name,
+ struct device *hash_device,
+ struct device *data_device,
+ size_t hash_block_size,
+ size_t data_block_size,
+ off_t data_blocks,
+ off_t hash_position,
+ char *root_hash,
+ size_t digest_size,
+ const char *salt,
+ size_t salt_size)
+{
+ char calculated_digest[digest_size];
+ FILE *data_file = NULL;
+ FILE *hash_file = NULL, *hash_file_2;
+ off_t hash_level_block[VERITY_MAX_LEVELS];
+ off_t hash_level_size[VERITY_MAX_LEVELS];
+ off_t data_file_blocks;
+ off_t data_device_size = 0, hash_device_size = 0;
+ uint64_t dev_size;
+ int levels, i, r;
+
+ log_dbg("Hash %s %s, data device %s, data blocks %" PRIu64
+ ", hash_device %s, offset %" PRIu64 ".",
+ verify ? "verification" : "creation", hash_name,
+ device_path(data_device), data_blocks,
+ device_path(hash_device), hash_position);
+
+ if (data_blocks < 0 || hash_position < 0) {
+ log_err(cd, _("Invalid size parameters for verity device.\n"));
+ return -EINVAL;
+ }
+
+ if (!data_blocks) {
+ r = device_size(data_device, &dev_size);
+ if (r < 0)
+ return r;
+
+ data_file_blocks = dev_size / data_block_size;
+ } else
+ data_file_blocks = data_blocks;
+
+ if (mult_overflow(&data_device_size, data_blocks, data_block_size)) {
+ log_err(cd, _("Device offset overflow.\n"));
+ return -EINVAL;
+ }
+
+ if (hash_levels(hash_block_size, digest_size, data_file_blocks, &hash_position,
+ &levels, &hash_level_block[0], &hash_level_size[0])) {
+ log_err(cd, _("Hash area overflow.\n"));
+ return -EINVAL;
+ }
+
+ log_dbg("Using %d hash levels.", levels);
+
+ if (mult_overflow(&hash_device_size, hash_position, hash_block_size)) {
+ log_err(cd, _("Device offset overflow.\n"));
+ return -EINVAL;
+ }
+
+ log_dbg("Data device size required: %" PRIu64 " bytes.",
+ data_device_size);
+ data_file = fopen(device_path(data_device), "r");
+ if (!data_file) {
+ log_err(cd, _("Cannot open device %s.\n"),
+ device_path(data_device)
+ );
+ r = -EIO;
+ goto out;
+ }
+
+ log_dbg("Hash device size required: %" PRIu64 " bytes.",
+ hash_device_size);
+ hash_file = fopen(device_path(hash_device), verify ? "r" : "r+");
+ if (!hash_file) {
+ log_err(cd, _("Cannot open device %s.\n"),
+ device_path(hash_device));
+ r = -EIO;
+ goto out;
+ }
+
+ memset(calculated_digest, 0, digest_size);
+
+ for (i = 0; i < levels; i++) {
+ if (!i) {
+ r = create_or_verify(cd, data_file, hash_file,
+ 0, data_block_size,
+ hash_level_block[i], hash_block_size,
+ data_file_blocks, version, hash_name, verify,
+ calculated_digest, digest_size, salt, salt_size);
+ if (r)
+ goto out;
+ } else {
+ hash_file_2 = fopen(device_path(hash_device), "r");
+ if (!hash_file_2) {
+ log_err(cd, _("Cannot open device %s.\n"),
+ device_path(hash_device));
+ r = -EIO;
+ goto out;
+ }
+ r = create_or_verify(cd, hash_file_2, hash_file,
+ hash_level_block[i - 1], hash_block_size,
+ hash_level_block[i], hash_block_size,
+ hash_level_size[i - 1], version, hash_name, verify,
+ calculated_digest, digest_size, salt, salt_size);
+ fclose(hash_file_2);
+ if (r)
+ goto out;
+ }
+ }
+
+ if (levels)
+ r = create_or_verify(cd, hash_file, NULL,
+ hash_level_block[levels - 1], hash_block_size,
+ 0, hash_block_size,
+ 1, version, hash_name, verify,
+ calculated_digest, digest_size, salt, salt_size);
+ else
+ r = create_or_verify(cd, data_file, NULL,
+ 0, data_block_size,
+ 0, hash_block_size,
+ data_file_blocks, version, hash_name, verify,
+ calculated_digest, digest_size, salt, salt_size);
+out:
+ if (verify) {
+ if (r)
+ log_err(cd, _("Verification of data area failed.\n"));
+ else {
+ log_dbg("Verification of data area succeeded.");
+ r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0;
+ if (r)
+ log_err(cd, _("Verification of root hash failed.\n"));
+ else
+ log_dbg("Verification of root hash succeeded.");
+ }
+ } else {
+ if (r == -EIO)
+ log_err(cd, _("Input/output error while creating hash area.\n"));
+ else if (r)
+ log_err(cd, _("Creation of hash area failed.\n"));
+ else {
+ fsync(fileno(hash_file));
+ memcpy(root_hash, calculated_digest, digest_size);
+ }
+ }
+
+ if (data_file)
+ fclose(data_file);
+ if (hash_file)
+ fclose(hash_file);
+ return r;
+}
+
+/* Verify verity device using userspace crypto backend */
+int VERITY_verify(struct crypt_device *cd,
+ struct crypt_params_verity *verity_hdr,
+ const char *root_hash,
+ size_t root_hash_size)
+{
+ return VERITY_create_or_verify_hash(cd, 1,
+ verity_hdr->hash_type,
+ verity_hdr->hash_name,
+ crypt_metadata_device(cd),
+ crypt_data_device(cd),
+ verity_hdr->hash_block_size,
+ verity_hdr->data_block_size,
+ verity_hdr->data_size,
+ VERITY_hash_offset_block(verity_hdr),
+ CONST_CAST(char*)root_hash,
+ root_hash_size,
+ verity_hdr->salt,
+ verity_hdr->salt_size);
+}
+
+/* Create verity hash */
+int VERITY_create(struct crypt_device *cd,
+ struct crypt_params_verity *verity_hdr,
+ char *root_hash,
+ size_t root_hash_size)
+{
+ unsigned pgsize = crypt_getpagesize();
+
+ if (verity_hdr->salt_size > 256)
+ return -EINVAL;
+
+ if (verity_hdr->data_block_size > pgsize)
+ log_err(cd, _("WARNING: Kernel cannot activate device if data "
+ "block size exceeds page size (%u).\n"), pgsize);
+
+ return VERITY_create_or_verify_hash(cd, 0,
+ verity_hdr->hash_type,
+ verity_hdr->hash_name,
+ crypt_metadata_device(cd),
+ crypt_data_device(cd),
+ verity_hdr->hash_block_size,
+ verity_hdr->data_block_size,
+ verity_hdr->data_size,
+ VERITY_hash_offset_block(verity_hdr),
+ root_hash,
+ root_hash_size,
+ verity_hdr->salt,
+ verity_hdr->salt_size);
+}
+
+uint64_t VERITY_hash_blocks(struct crypt_device *cd, struct crypt_params_verity *params)
+{
+ off_t hash_position = 0;
+ int levels = 0;
+
+ if (hash_levels(params->hash_block_size, crypt_get_volume_key_size(cd),
+ params->data_size, &hash_position, &levels, NULL, NULL))
+ return 0;
+
+ return (uint64_t)hash_position;
+}
diff --git a/lib/volumekey.c b/lib/volumekey.c
new file mode 100644
index 0000000..6a6cd2a
--- /dev/null
+++ b/lib/volumekey.c
@@ -0,0 +1,76 @@
+/*
+ * cryptsetup volume key implementation
+ *
+ * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <string.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "internal.h"
+
+struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key)
+{
+ struct volume_key *vk;
+
+ if (keylength > (SIZE_MAX - sizeof(*vk)))
+ return NULL;
+
+ vk = malloc(sizeof(*vk) + keylength);
+ if (!vk)
+ return NULL;
+
+ vk->keylength = keylength;
+
+ /* keylength 0 is valid => no key */
+ if (vk->keylength) {
+ if (key)
+ memcpy(&vk->key, key, keylength);
+ else
+ crypt_memzero(&vk->key, keylength);
+ }
+
+ return vk;
+}
+
+void crypt_free_volume_key(struct volume_key *vk)
+{
+ if (vk) {
+ crypt_memzero(vk->key, vk->keylength);
+ vk->keylength = 0;
+ free(vk);
+ }
+}
+
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength)
+{
+ int r;
+ struct volume_key *vk;
+
+ vk = crypt_alloc_volume_key(keylength, NULL);
+ if (!vk)
+ return NULL;
+
+ r = crypt_random_get(cd, vk->key, keylength, CRYPT_RND_KEY);
+ if(r < 0) {
+ crypt_free_volume_key(vk);
+ return NULL;
+ }
+ return vk;
+}
diff --git a/man/Makefile.am b/man/Makefile.am
new file mode 100644
index 0000000..a364ff3
--- /dev/null
+++ b/man/Makefile.am
@@ -0,0 +1,11 @@
+man8_MANS = cryptsetup.8
+
+if VERITYSETUP
+man8_MANS += veritysetup.8
+endif
+
+if REENCRYPT
+man8_MANS += cryptsetup-reencrypt.8
+endif
+
+EXTRA_DIST = cryptsetup.8 veritysetup.8 cryptsetup-reencrypt.8
diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8
new file mode 100644
index 0000000..5b67919
--- /dev/null
+++ b/man/cryptsetup-reencrypt.8
@@ -0,0 +1,242 @@
+.TH CRYPTSETUP-REENCRYPT "8" "March 2017" "cryptsetup-reencrypt" "Maintenance Commands"
+.SH NAME
+cryptsetup-reencrypt - tool for offline LUKS device re-encryption
+.SH SYNOPSIS
+.B cryptsetup-reencrypt <options> <device>
+.SH DESCRIPTION
+.PP
+Cryptsetup-reencrypt can be used to change reencryption parameters
+which otherwise require full on-disk data change (re-encryption).
+
+You can regenerate \fBvolume key\fR (the real key used in on-disk encryption
+unclocked by passphrase), \fBcipher\fR, \fBcipher mode\fR.
+
+Cryptsetup-reencrypt reencrypts data on LUKS device in-place. During
+reencryption process the LUKS device is marked unavailable.
+
+\fIWARNING\fR: The cryptsetup-reencrypt program is not resistant to hardware
+or kernel failures during reencryption (you can lose you data in this case).
+
+\fIALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.\fR
+.br
+The reencryption can be temporarily suspended (by TERM signal or by
+using ctrl+c) but you need to retain temporary files named LUKS-<uuid>.[log|org|new].
+LUKS device is unavailable until reencryption is finished though.
+
+Current working directory must by writable and temporary
+files created during reencryption must be present.
+
+For more info about LUKS see cryptsetup(8).
+.PP
+.SH OPTIONS
+.TP
+To start (or continue) re-encryption for <device> use:
+.PP
+\fIcryptsetup-reencrypt\fR <device>
+
+\fB<options>\fR can be [\-\-batch-mode, \-\-block-size, \-\-cipher, \-\-debug,
+\-\-device-size, \-\-hash, \-\-iter-time, \-\-use-random | \-\-use-urandom,
+\-\-keep-key, \-\-key-size, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
+\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log,
+\-\-uuid]
+
+To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR with combination
+with \fI\-\-reduce-device-size\fR.
+
+To remove encryption from device, use \fI\-\-decrypt\fR.
+
+For detailed description of encryption and key file options see \fIcryptsetup(8)\fR
+man page.
+.TP
+.B "\-\-verbose, \-v"
+Print more information on command execution.
+.TP
+.B "\-\-debug"
+Run in debug mode with full diagnostic logs. Debug output
+lines are always prefixed by '#'.
+.TP
+.B "\-\-cipher, \-c" \fI<cipher-spec>\fR
+Set the cipher specification string.
+.TP
+.B "\-\-key-size, \-s \fI<bits>\fR"
+Set key size in bits. The argument has to be a multiple of 8.
+
+The possible key-sizes are limited by the cipher and mode used.
+
+If you are increasing key size, there must be enough space in the LUKS header
+for enlarged keyslots (data offset must be large enough) or reencryption
+cannot be performed.
+
+If there is not enough space for keyslots with new key size,
+you can destructively shrink device with \-\-reduce-device-size option.
+.TP
+.B "\-\-hash, \-h \fI<hash-spec>\fR"
+Specifies the hash used in the LUKS key setup scheme and volume key digest.
+
+\fBNOTE:\fR if this parameter is not specified, default hash algorithm is always used
+for new device header.
+.TP
+.B "\-\-iter-time, \-i \fI<milliseconds>\fR"
+The number of milliseconds to spend with PBKDF2 passphrase processing for the
+new LUKS header.
+.TP
+.B "\-\-use-random"
+.TP
+.B "\-\-use-urandom"
+Define which kernel random number generator will be used to create the volume key.
+.TP
+.B "\-\-key-file, \-d \fIname\fR"
+Read the passphrase from file.
+
+\fBWARNING:\fR \-\-key-file option can be used only if there only one active keyslot,
+or alternatively, also if \-\-key-slot option is specified (then all other keyslots
+will be disabled in new LUKS device).
+
+If this option is not used, cryptsetup-reencrypt will ask for all active keyslot
+passphrases.
+.TP
+.B "\-\-key-slot, \-S <0-7>"
+Specify which key slot is used.
+
+\fBWARNING:\fR All other keyslots will be disabled if this option is used.
+.TP
+.B "\-\-keyfile-offset \fIvalue\fR"
+Skip \fIvalue\fR bytes at the beginning of the key file.
+.TP
+.B "\-\-keyfile-size, \-l"
+Read a maximum of \fIvalue\fR bytes from the key file.
+Default is to read the whole file up to the compiled-in
+maximum.
+.TP
+.B "\-\-keep-key"
+Do not change encryption key, just reencrypt the LUKS header and keyslots.
+
+This option can be combined only with \fI\-\-hash\fR or \fI\-\-iter-time\fR
+options.
+.TP
+.B "\-\-tries, \-T"
+Number of retries for invalid passphrase entry.
+.TP
+.B "\-\-block-size, \-B \fIvalue\fR"
+Use re-encryption block size of <value> in MiB.
+
+Values can be between 1 and 64 MiB.
+.TP
+.B "\-\-device-size \fIsize[units]\fR"
+Instead of real device size, use specified value.
+
+It means that only specified area (from the start of the device
+to the specified size) will be reencrypted.
+
+\fBWARNING:\fR This is destructive operation.
+
+If no unit suffix is specified, the size is in bytes.
+
+Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)
+for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
+
+\fBWARNING:\fR This is destructive operation.
+.TP
+.B "\-\-reduce-device-size \fIsize[units]\fR"
+Enlarge data offset to specified value by shrinking device size.
+
+This means that last sectors on the original device will be lost,
+ciphertext data will be effectively shifted by specified
+number of sectors.
+
+It can be useful if you e.g. added some space to underlying
+partition (so last sectors contains no data).
+
+For units suffix see \-\-device-size parameter description.
+
+\fBWARNING:\fR This is destructive operation and cannot be reverted.
+Use with extreme care - shrinked filesystems are usually unrecoverable.
+
+You cannot shrink device more than by 64 MiB (131072 sectors).
+.TP
+.B "\-\-new, \-N"
+Create new header (encrypt not yet encrypted device).
+
+This option must be used together with \-\-reduce-device-size.
+
+\fBWARNING:\fR This is destructive operation and cannot be reverted.
+.TP
+.B "\-\-decrypt"
+Remove encryption (decrypt already encrypted device and remove LUKS header).
+
+\fBWARNING:\fR This is destructive operation and cannot be reverted.
+.TP
+.B "\-\-use-directio"
+Use direct-io (O_DIRECT) for all read/write data operations related
+to block device undergoing reencryption.
+
+Useful if direct-io operations perform better than normal buffered
+operations (e.g. in virtual environments).
+.TP
+.B "\-\-use-fsync"
+Use fsync call after every written block. This applies for reencryption
+log files as well.
+.TP
+.B "\-\-write-log"
+Update log file after every block write. This can slow down reencryption
+but will minimize data loss in the case of system crash.
+.TP
+.B "\-\-uuid" \fI<uuid>\fR
+Use only while resuming an interrupted decryption process (see \-\-decrypt).
+
+To find out what \fI<uuid>\fR to pass look for temporary files LUKS-<uuid>.[|log|org|new]
+of the interrupted decryption process.
+.TP
+.B "\-\-batch-mode, \-q"
+Suppresses all warnings and reencryption progress output.
+.TP
+.B "\-\-version"
+Show the program version.
+.SH RETURN CODES
+Cryptsetup-reencrypt returns 0 on success and a non-zero value on error.
+
+Error codes are: 1 wrong parameters, 2 no permission,
+3 out of memory, 4 wrong device specified, 5 device already exists
+or device is busy.
+.SH EXAMPLES
+.TP
+Reencrypt /dev/sdb1 (change volume key)
+cryptsetup-reencrypt /dev/sdb1
+.TP
+Reencrypt and also change cipher and cipher mode
+cryptsetup-reencrypt /dev/sdb1 \-c aes-xts-plain64
+.TP
+Add LUKS encryption to not yet encrypted device
+
+First, be sure you have space added to disk.
+
+Or alternatively shrink filesystem in advance.
+.br
+Here we need 4096 512-bytes sectors (enough for 2x128 bit key).
+
+fdisk \-u /dev/sdb # move sdb1 partition end + 4096 sectors
+(or use resize2fs or tool for your filesystem and shrink it)
+
+cryptsetup-reencrypt /dev/sdb1 \-\-new \-\-reduce-device-size 4096S
+.TP
+Remove LUKS encryption completely
+
+cryptsetup-reencrypt /dev/sdb1 \-\-decrypt
+
+.SH REPORTING BUGS
+Report bugs, including ones in the documentation, on
+the cryptsetup mailing list at <dm-crypt@saout.de>
+or in the 'Issues' section on LUKS website.
+Please attach the output of the failed command with the
+\-\-debug option added.
+.SH AUTHORS
+Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.
+.SH COPYRIGHT
+Copyright \(co 2012-2017 Milan Broz
+.br
+Copyright \(co 2012-2017 Red Hat, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+.SH SEE ALSO
+The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
new file mode 100644
index 0000000..53b2a1a
--- /dev/null
+++ b/man/cryptsetup.8
@@ -0,0 +1,1108 @@
+.TH CRYPTSETUP "8" "March 2017" "cryptsetup" "Maintenance Commands"
+.SH NAME
+cryptsetup - manage plain dm-crypt and LUKS encrypted volumes
+.SH SYNOPSIS
+.B cryptsetup <options> <action> <action args>
+.SH DESCRIPTION
+.PP
+cryptsetup is used to conveniently setup dm-crypt managed
+device-mapper mappings. These include plain dm-crypt volumes and
+LUKS volumes. The difference is that LUKS uses a metadata header
+and can hence offer more features than plain dm-crypt. On the other
+hand, the header is visible and vulnerable to damage.
+
+In addition, cryptsetup provides limited support for the use of
+historic loopaes volumes and for TrueCrypt compatible volumes.
+
+.SH PLAIN DM-CRYPT OR LUKS?
+.PP
+Unless you understand the cryptographic background well, use LUKS.
+With plain dm-crypt there are a number of possible user errors
+that massively decrease security. While LUKS cannot fix them
+all, it can lessen the impact for many of them.
+.SH WARNINGS
+.PP
+A lot of good information on the risks of using encrypted storage,
+on handling problems and on security aspects can be found in the
+\fICryptsetup FAQ\fR. Read it. Nonetheless, some risks deserve
+to be mentioned here.
+
+\fBBackup:\fR Storage media die. Encryption has no influence on that.
+Backup is mandatory for encrypted data as well, if the data has any
+worth. See the Cryptsetup FAQ for advice on how to do backup of an
+encrypted volume.
+
+\fBCharacter encoding:\fR If you enter a
+passphrase with special symbols, the passphrase can change
+depending character encoding. Keyboard settings can also change,
+which can make blind input hard or impossible. For
+example, switching from some ASCII 8-bit variant to UTF-8
+can lead to a different binary encoding and hence different
+passphrase seen by cryptsetup, even if what you see on
+the terminal is exactly the same. It is therefore highly
+recommended to select passphrase characters only from 7-bit
+ASCII, as the encoding for 7-bit ASCII stays the same for
+all ASCII variants and UTF-8.
+
+\fBLUKS header:\fR If the header of a LUKS volume gets damaged,
+all data is permanently lost unless you have a header-backup.
+If a key-slot is damaged, it can only be restored from a header-backup
+or if another active key-slot with known passphrase is undamaged.
+Damaging the LUKS header is something people manage to do with
+surprising frequency. This risk is the result of a trade-off
+between security and safety, as LUKS is designed for fast and
+secure wiping by just overwriting header and key-slot area.
+
+\fBPreviously used partitions:\fR If a partition was previously used,
+it is a very good idea to wipe filesystem signatures, data, etc. before
+creating a LUKS or plain dm-crypt container on it.
+For a quick removal of filesystem signatures, use "wipefs". Take care
+though that this may not remove everything. In particular md (RAID)
+signatures at the end of a device may survive. It also does not
+remove data. For a full wipe, overwrite the whole partition before
+container creation. If you do not know how to to that, the
+cryptsetup FAQ describes several options.
+
+.SH BASIC COMMANDS
+The following are valid actions for all supported device types.
+
+\fIopen\fR <device> <name> \-\-type <device_type>
+.IP
+Opens (creates a mapping with) <name> backed by device <device>.
+
+Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR
+or \fItcrypt\fR.
+
+For backward compatibility there are \fBopen\fR command aliases:
+
+\fBcreate\fR (argument-order <name> <device>): open \-\-type plain
+.br
+\fBplainOpen\fR: open \-\-type plain
+.br
+\fBluksOpen\fR: open \-\-type luks
+.br
+\fBloopaesOpen\fR: open \-\-type loopaes
+.br
+\fBtcryptOpen\fR: open \-\-type tcrypt
+
+\fB<options>\fR are type specific and are described below
+for individual device types. For \fBcreate\fR, the order of the <name>
+and <device> options is inverted for historical reasons, all other
+aliases use the standard \fB<device> <name>\fR order.
+.PP
+\fIclose\fR <name>
+.IP
+Removes the existing mapping <name> and wipes the key from kernel memory.
+
+For backward compatibility there are \fBclose\fR command aliases:
+\fBremove\fR, \fBplainClose\fR, \fBluksClose\fR, \fBloopaesClose\fR,
+\fBtcryptClose\fR (all behaves exactly the same, device type is
+determined automatically from active device).
+.PP
+\fIstatus\fR <name>
+.IP
+Reports the status for the mapping <name>.
+.PP
+\fIresize\fR <name>
+.IP
+Resizes an active mapping <name>.
+
+If \-\-size (in sectors) is not specified, the size is computed
+from the underlying device. For LUKS it is the size of the
+underlying device without the area reserved for LUKS header
+(see data payload offset in \fBluksDump\fR command).
+For plain crypt device the whole device size is used.
+
+Note that this does not change the raw device geometry, it just
+changes how many sectors of the raw device are represented
+in the mapped device.
+.SH PLAIN MODE
+Plain dm-crypt encrypts the device sector-by-sector with a
+single, non-salted hash of the passphrase. No checks
+are performed, no metadata is used. There is no formatting operation.
+When the raw device is mapped (opened), the usual device operations
+can be used on the mapped device, including filesystem creation.
+Mapped devices usually reside in /dev/mapper/<name>.
+
+The following are valid plain device type actions:
+
+\fIopen\fR \-\-type plain <device> <name>
+.br
+\fIcreate\fR <name> <device> (\fBOBSOLETE syntax\fR)
+.IP
+Opens (creates a mapping with) <name> backed by device <device>.
+
+\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify-passphrase,
+\-\-key-file, \-\-keyfile-offset, \-\-key-size, \-\-offset, \-\-skip, \-\-size,
+\-\-readonly, \-\-shared, \-\-allow-discards]
+
+Example: 'cryptsetup open \-\-type plain /dev/sda10 e1' maps the raw
+encrypted device /dev/sda10 to the mapped (decrypted) device
+/dev/mapper/e1, which can then be mounted, fsck-ed or have a
+filesystem created on it.
+.SH LUKS EXTENSION
+LUKS, the Linux Unified Key Setup, is a standard for disk encryption.
+It adds a standardized header at the start of the device,
+a key-slot area directly behind the header and the bulk
+data area behind that. The whole set is called a 'LUKS container'.
+The device that a LUKS container resides on is called a 'LUKS device'.
+For most purposes both terms can be used interchangeably. But
+note that when the LUKS header is at a nonzero offset
+in a device, then the device is not a LUKS device anymore, but
+has a LUKS container stored in it at an offset.
+
+LUKS can manage multiple passphrases that can be individually revoked
+or changed and that can be securely scrubbed from persistent
+media due to the use of anti-forensic stripes. Passphrases
+are protected against brute-force and dictionary
+attacks by PBKDF2, which implements hash iteration and salting
+in one function.
+
+Each passphrase, also called a
+.B key
+in this document, is associated with one of 8 key-slots.
+Key operations that do not specify a slot affect the first slot
+that matches the supplied passphrase or the first empty slot if
+a new passphrase is added.
+
+The \fB<device>\fR parameter can be also specified by a LUKS UUID in the
+format UUID=<uuid>. Translation to real device name uses symlinks
+in /dev/disk/by-uuid directory.
+
+To specify a detached header, the \fB\-\-header\fR parameter can be used
+in all LUKS commands and always takes precedence over positional \fB<device>\fR
+parameter.
+
+The following are valid LUKS actions:
+
+\fIluksFormat\fR <device> [<key file>]
+.IP
+Initializes a LUKS partition and sets the initial passphrase
+(for key-slot 0),
+either via prompting or via <key file>. Note that
+if the second argument is present, then the passphrase
+is taken from the file given there, without the need
+to use the \-\-key-file option. Also note that for both forms
+of reading the passphrase from file you can
+give '-' as file name, which results in the passphrase being read
+from stdin and the safety-question being skipped.
+
+You can only call luksFormat on a LUKS device that is not mapped.
+
+\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify\-passphrase,
+\-\-key\-size, \-\-key\-slot,
+\-\-key\-file (takes precedence over optional second argument),
+\-\-keyfile\-offset, \-\-keyfile\-size, \-\-use\-random | \-\-use\-urandom,
+\-\-uuid, \-\-master\-key\-file, \-\-iter\-time, \-\-header,
+\-\-force\-password].
+
+\fBWARNING:\fR Doing a luksFormat on an existing LUKS container will
+make all data the old container permanently irretrievable, unless
+you have a header backup.
+.PP
+\fIopen\fR \-\-type luks <device> <name>
+.br
+\fIluksOpen\fR <device> <name> (\fBold syntax\fR)
+.IP
+Opens the LUKS device <device> and sets up a mapping <name> after
+successful verification of the supplied passphrase.
+If the passphrase is not supplied via \-\-key-file, the command
+prompts for it interactively.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file].
+.PP
+\fIluksSuspend\fR <name>
+.IP
+Suspends an active device (all IO operations will blocked
+and accesses to the device will wait indefinitely)
+and wipes the encryption
+key from kernel memory. Needs kernel 2.6.19 or later.
+
+After this operation you have to use \fIluksResume\fR to reinstate
+the encryption key and unblock the device or \fIclose\fR to remove
+the mapped device.
+
+\fBWARNING:\fR never suspend the device on which the cryptsetup binary resides.
+
+\fB<options>\fR can be [\-\-header].
+.PP
+\fIluksResume\fR <name>
+.IP
+Resumes a suspended device and reinstates the encryption key.
+Prompts interactively for a passphrase if \-\-key-file is not given.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header]
+.PP
+\fIluksAddKey\fR <device> [<key file with new key>]
+.IP
+adds a new passphrase. An existing passphrase must be supplied
+interactively or via \-\-key-file.
+The new passphrase to be added can be specified interactively
+or read from the file given as positional argument.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-new\-keyfile\-offset,
+\-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file,
+\-\-iter\-time, \-\-force\-password, \-\-header].
+.PP
+\fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>]
+.IP
+Removes the supplied passphrase from the LUKS device. The
+passphrase to be removed can be specified interactively,
+as positional argument or via \-\-key-file.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-header]
+
+\fBWARNING:\fR If you read the passphrase from stdin
+(without further argument or with '-' as argument
+to \-\-key\-file), batch-mode (\-q) will be implicitly
+switched on and no warning will be given when you remove the
+last remaining passphrase from a LUKS container. Removing
+the last passphrase makes the LUKS container permanently
+inaccessible.
+.PP
+\fIluksChangeKey\fR <device> [<new key file>]
+.IP
+Changes an existing passphrase. The passphrase
+to be changed must be supplied interactively or via \-\-key\-file.
+The new passphrase can be supplied interactively or in
+a file given as positional argument.
+
+If a key-slot is specified (via \-\-key-slot), the passphrase
+for that key-slot must be given and the new passphrase
+will overwrite the specified key-slot. If no key-slot
+is specified and there is still a free key-slot, then
+the new passphrase will be put into a free key-slot before the
+key-slot containing the old passphrase is purged. If there is
+no free key-slot, then the key-slot with the old passphrase is
+overwritten directly.
+
+\fBWARNING:\fR If a key-slot is overwritten, a media failure
+during this operation can cause the overwrite to fail after
+the old passphrase has been wiped and make the LUKS container
+inaccessible.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-new\-keyfile\-offset,
+\-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header].
+.PP
+\fIluksKillSlot\fR <device> <key slot number>
+.IP
+Wipe the key-slot number <key slot> from the LUKS device. Except running
+in batch-mode (\-q) a remaining passphrase must be supplied,
+either interactively or via \-\-key-file.
+This command can remove the last remaining key-slot, but requires
+an interactive confirmation when doing so. Removing the last
+passphrase makes a LUKS container permanently inaccessible.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-header].
+
+\fBWARNING:\fR If you read the passphrase from stdin
+(without further argument or with '-' as argument
+to \-\-key-file), batch-mode (\-q) will be implicitly
+switched on and no warning will be given when you remove the
+last remaining passphrase from a LUKS container. Removing
+the last passphrase makes the LUKS container permanently
+inaccessible.
+
+\fBNOTE:\fR If there is no passphrase provided (on stdin or through
+\-\-key-file argument) and batch-mode (\-q) is active, the
+key-slot is removed without any other warning.
+
+.PP
+\fIerase\fR <device>
+.br
+\fIluksErase\fR <device>
+.IP
+Erase all keyslots and make the LUKS container permanently inaccessible.
+You do not need to provide any password for this operation.
+
+\fBWARNING:\fR This operation is irreversible.
+.PP
+\fIluksUUID\fR <device>
+.IP
+Print the UUID of a LUKS device.
+.br
+Set new UUID if \fI\-\-uuid\fR option is specified.
+.PP
+\fIisLuks\fR <device>
+.IP
+Returns true, if <device> is a LUKS device, false otherwise.
+Use option \-v to get human-readable feedback. 'Command successful.'
+means the device is a LUKS device.
+.PP
+\fIluksDump\fR <device>
+.IP
+Dump the header information of a LUKS device.
+
+If the \-\-dump\-master\-key option is used, the LUKS device master key is
+dumped instead of the keyslot info. Beware that the master key cannot be
+changed and can be used to decrypt the data stored in the LUKS container
+without a passphrase and even without the LUKS header. This means
+that if the master key is compromised, the whole device has to be
+erased to prevent further access. Use this option carefully.
+
+In order to dump the master key, a passphrase has to be supplied,
+either interactively or via \-\-key\-file.
+
+\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
+\-\-keyfile\-offset, \-\-keyfile\-size, \-\-header].
+
+\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
+and the argument to \-\-key\-file is '-', no validation question
+will be asked and no warning given.
+.PP
+\fIluksHeaderBackup\fR <device> \-\-header\-backup\-file <file>
+.IP
+Stores a binary backup of the LUKS header and keyslot area.
+.br
+Note: Using '-' as filename writes the header backup to a file named '-'.
+
+\fBWARNING:\fR This backup file and a passphrase valid
+at the time of backup allows decryption of the
+LUKS data area, even if the passphrase was later changed or
+removed from the LUKS device. Also note that with a header
+backup you lose the ability to securely wipe the LUKS
+device by just overwriting the header and key-slots. You
+either need to securely erase all header backups in
+addition or overwrite the encrypted data area as well.
+The second option is less secure, as some sectors
+can survive, e.g. due to defect management.
+.PP
+\fIluksHeaderRestore\fR <device> \-\-header\-backup\-file <file>
+.IP
+Restores a binary backup of the LUKS header and keyslot area
+from the specified file.
+.br
+Note: Using '-' as filename reads the header backup from a file named '-'.
+
+\fBWARNING:\fR Header and keyslots will be replaced, only
+the passphrases from the backup will work afterwards.
+
+This command requires that the master key size and data offset
+of the LUKS header already on the device and of the header backup
+match. Alternatively, if there is no LUKS header on the device,
+the backup will also be written to it.
+.SH loop-AES EXTENSION
+cryptsetup supports mapping loop-AES encrypted partition using
+a compatibility mode.
+.PP
+\fIopen\fR \-\-type loopaes <device> <name> \-\-key\-file <keyfile>
+.br
+\fIloopaesOpen\fR <device> <name> \-\-key\-file <keyfile> (\fBold syntax\fR)
+.IP
+Opens the loop-AES <device> and sets up a mapping <name>.
+
+If the key file is encrypted with GnuPG, then you have to use
+\-\-key\-file=\- and decrypt it before use, e.g. like this:
+.br
+gpg \-\-decrypt <keyfile> | cryptsetup loopaesOpen \-\-key\-file=\-
+<device> <name>
+
+\fBWARNING:\fR The loop-AES extension cannot use direct input of key file
+on real terminal because the keys are separated by end-of-line and only part
+of the multi-key file would be read.
+.br
+If you need it in script, just use the pipe redirection:
+.br
+echo $keyfile | cryptsetup loopaesOpen \-\-key\-file=\- <device> <name>
+
+Use \fB\-\-keyfile\-size\fR to specify the proper key length if needed.
+
+Use \fB\-\-offset\fR to specify device offset. Note that the units
+need to be specified in number of 512 byte sectors.
+
+Use \fB\-\-skip\fR to specify the IV offset. If the original device
+used an offset and but did not use it in IV sector calculations,
+you have to explicitly use \fB\-\-skip 0\fR in addition to the offset
+parameter.
+
+Use \fB\-\-hash\fR to override the default hash function for
+passphrase hashing (otherwise it is detected according to key
+size).
+
+\fB<options>\fR can be [\-\-key\-file, \-\-key\-size, \-\-offset, \-\-skip,
+\-\-hash, \-\-readonly, \-\-allow\-discards].
+.PP
+See also section 7 of the FAQ and \fBhttp://loop-aes.sourceforge.net\fR
+for more information regarding loop-AES.
+.SH TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION
+cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt
+(with \fB\-\-veracrypt\fR option) encrypted partition
+using a native Linux kernel API.
+Header formatting and TCRYPT header change is not supported, cryptsetup
+never changes TCRYPT header on-device.
+
+TCRYPT extension requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
+
+Because TCRYPT header is encrypted, you have to always provide valid
+passphrase and keyfiles.
+
+Cryptsetup should recognize all header variants, except legacy cipher chains
+using LRW encryption mode with 64 bits encryption block (namely Blowfish
+in LRW mode is not recognized, this is limitation of kernel crypto API).
+
+To recognize a VeraCrypt device use the \fB\-\-veracrypt\fR option.
+VeraCrypt is just extension of TrueCrypt header with increased
+iteration count so unlocking can take quite a lot of time (in comparison
+with TCRYPT device).
+
+To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM)
+value, \fBadditionally to --veracrypt \fR use either the
+\fB--veracrypt-pim=<PIM>\fR option to directly specify the PIM on the command-
+line or use \fB--veracrypt-query-pim\fR to be prompted for the PIM.
+
+The PIM value affects the number of iterations applied during key derivation. Please refer to
+\fBhttps://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20(PIM)\fR
+for more detailed information.
+
+
+
+\fBNOTE:\fR Activation with \fBtcryptOpen\fR is supported only for cipher chains
+using LRW or XTS encryption modes.
+
+The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
+and doesn't require superuser privilege.
+
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt\-system\fR option.
+You can use partition device as the parameter (parameter must be real partition
+device, not image in file), then only this partition is mapped.
+
+If you have whole TCRYPT device as a file image and you want to map multiple
+partition encrypted with system encryption, please create loopback mapping
+with partitions first (\fBlosetup \-P\fR, see \fPlosetup(8)\fR man page for more info),
+and use loop partition as the device parameter.
+
+If you use whole base device as parameter, one device for the whole system
+encryption is mapped. This mode is available only for backward compatibility
+with older cryptsetup versions which mapped TCRYPT system encryption
+using whole device.
+
+To use hidden header (and map hidden device, if available),
+use \fB\-\-tcrypt\-hidden\fR option.
+
+To explicitly use backup (secondary) header, use \fB\-\-tcrypt\-backup\fR
+option.
+
+\fBNOTE:\fR There is no protection for a hidden volume if
+the outer volume is mounted. The reason is that if there
+were any protection, it would require some metadata describing
+what to protect in the outer volume and the hidden volume would
+become detectable.
+
+.PP
+\fIopen\fR \-\-type tcrypt <device> <name>
+.br
+\fItcryptOpen\fR <device> <name> (\fBold syntax\fR)
+.IP
+Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up
+a mapping <name>.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden,
+\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase,
+\-\-allow-discards].
+
+The keyfile parameter allows combination of file content with the
+passphrase and can be repeated. Note that using keyfiles is compatible
+with TCRYPT and is different from LUKS keyfile logic.
+
+\fBWARNING:\fR Option \fB\-\-allow\-discards\fR cannot be combined with
+option \fB\-\-tcrypt\-hidden\fR. For normal mapping it can cause
+\fBdestruction of hidden volume\fR (hidden volume appears as unused space
+for outer volume so this space can be discarded).
+
+.PP
+\fItcryptDump\fR <device>
+.IP
+Dump the header information of a TCRYPT device.
+
+If the \-\-dump\-master\-key option is used, the TCRYPT device master key
+is dumped instead of TCRYPT header info. Beware that the master key
+(or concatenated master keys if cipher chain is used)
+can be used to decrypt the data stored in the TCRYPT container without
+a passphrase.
+This means that if the master key is compromised, the whole device has
+to be erased to prevent further access. Use this option carefully.
+
+\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
+\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup].
+
+The keyfile parameter allows combination of file content with the
+passphrase and can be repeated.
+.PP
+See also \fBhttps://en.wikipedia.org/wiki/TrueCrypt\fR for more information regarding
+TrueCrypt.
+
+Please note that cryptsetup does not use TrueCrypt code, please report
+all problems related to this compatibility extension to cryptsetup project.
+.SH MISCELLANEOUS
+.PP
+\fIrepair\fR <device>
+.IP
+Tries to repair the device metadata if possible. Currently supported only
+for LUKS device type.
+
+This command is useful to fix some known benign LUKS metadata
+header corruptions. Only basic corruptions of unused keyslot
+are fixable. This command will only change the LUKS header, not
+any key-slot data.
+
+\fBWARNING:\fR Always create a binary backup of the original
+header before calling this command.
+.PP
+\fIbenchmark\fR <options>
+.IP
+Benchmarks ciphers and KDF (key derivation function).
+Without parameters it tries to measure few common configurations.
+
+To benchmark other ciphers or modes, you need to specify \fB\-\-cipher\fR
+and \fB\-\-key\-size\fR options or \fB\-\-hash\fR for KDF test.
+
+\fBNOTE:\fR This benchmark is using memory only and is only informative.
+You cannot directly predict real storage encryption speed from it.
+
+For testing block ciphers, this benchmark requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
+
+\fB<options>\fR can be [\-\-cipher, \-\-key\-size, \-\-hash].
+.SH OPTIONS
+.TP
+.B "\-\-verbose, \-v"
+Print more information on command execution.
+.TP
+.B "\-\-debug"
+Run in debug mode with full diagnostic logs. Debug output
+lines are always prefixed by '#'.
+.TP
+.B "\-\-hash, \-h \fI<hash\-spec>\fR"
+Specifies the passphrase hash for \fIopen\fR (for plain and
+loopaes device types).
+
+Specifies the hash used in the LUKS key setup scheme and volume key digest
+for \fIluksFormat\fR. The specified hash is used as hash-parameter
+for PBKDF2 and for the AF splitter.
+
+The specified hash name is passed to the compiled-in crypto backend.
+Different backends may support different hashes.
+For \fIluksFormat\fR, the hash
+algorithm must provide at least 160 bits of output, which
+excludes, e.g., MD5. Do not use a non-crypto hash like
+\fB"crc32"\fR as this breaks security.
+
+Values compatible with old version of cryptsetup are
+\fB"ripemd160"\fR for \fIopen \-\-type plain\fR and
+\fB"sha1"\fR for \fIluksFormat\fR.
+
+Use \fIcryptsetup \-\-help\fR to show the defaults.
+.TP
+.B "\-\-cipher, \-c \fI<cipher\-spec>\fR"
+Set the cipher specification string.
+
+\fIcryptsetup \-\-help\fR shows the compiled-in defaults.
+The current default in the distributed sources is
+"aes-cbc-essiv:sha256" for plain dm-crypt and
+"aes-xts-plain64" for LUKS.
+
+If a hash is part of the cipher specification, then it is
+used as part of the IV generation. For example, ESSIV
+needs a hash function, while "plain64" does not and
+hence none is specified.
+
+For XTS mode you can optionally set a key size of
+512 bits with the \-s option. Key size for XTS
+mode is twice that for other modes for the same
+security level.
+
+XTS mode requires kernel 2.6.24 or later and plain64 requires
+kernel 2.6.33 or later. More information can be found in the FAQ.
+.TP
+.B "\-\-verify-passphrase, \-y"
+When interactively asking for a passphrase, ask for it twice
+and complain if both inputs do not match. Advised when creating
+a regular mapping for the first time, or when running
+\fIluksFormat\fR. Ignored on input from file or stdin.
+.TP
+.B "\-\-key-file, \-d \fIname\fR"
+Read the passphrase from file.
+
+If the name given is "-", then the passphrase will be read from stdin.
+In this case, reading will not stop at newline characters.
+
+With LUKS, passphrases supplied via \-\-key\-file are always
+the existing passphrases requested by a command, except in
+the case of \fIluksFormat\fR where \-\-key\-file is equivalent
+to the positional key file argument.
+
+If you want to set a new passphrase via key file, you have to
+use a positional argument to \fIluksAddKey\fR.
+
+See section \fBNOTES ON PASSPHRASE PROCESSING\fR for more information.
+.TP
+.B "\-\-keyfile\-offset \fIvalue\fR"
+Skip \fIvalue\fR bytes at the beginning of the key file.
+Works with all commands that accepts key files.
+.TP
+.B "\-\-keyfile\-size, \-l \fIvalue\fR"
+Read a maximum of \fIvalue\fR bytes from the key file.
+Default is to read the whole file up to the compiled-in
+maximum that can be queried with \-\-help. Supplying more
+data than the compiled-in maximum aborts the operation.
+
+This option is useful
+to cut trailing newlines, for example. If \-\-keyfile\-offset
+is also given, the size count starts after the offset.
+Works with all commands that accepts key files.
+.TP
+.B "\-\-new\-keyfile\-offset \fIvalue\fR"
+Skip \fIvalue\fR bytes at the start when
+adding a new passphrase from key file with
+\fIluksAddKey\fR.
+.TP
+.B "\-\-new\-keyfile\-size \fIvalue\fR"
+Read a maximum of \fIvalue\fR bytes when adding
+a new passphrase from key file with \fIluksAddKey\fR.
+Default is to read the whole file up to the compiled-in
+maximum length that can be queried with \-\-help.
+Supplying more than the compiled in maximum aborts the
+operation.
+When \-\-new\-keyfile\-offset is also given, reading starts
+after the offset.
+.TP
+.B "\-\-master\-key\-file"
+Use a master key stored in a file.
+
+For \fIluksFormat\fR this
+allows creating a LUKS header with this specific
+master key. If the master key was taken from an existing
+LUKS header and all other parameters are the same,
+then the new header decrypts the data encrypted with the
+header the master key was taken from.
+
+\fBWARNING:\fR If you create your own master key, you
+need to make sure to do it right. Otherwise you can end
+up with a low-entropy or otherwise partially predictable
+master key which will compromise security.
+
+For \fIluksAddKey\fR this allows adding a new passphrase
+without having to know an exiting one.
+
+For \fIopen\fR this allows one to open the LUKS device
+without giving a passphrase.
+.TP
+.B "\-\-dump\-master\-key"
+For \fIluksDump\fR this option includes the master key in the displayed
+information. Use with care, as the master key can be used to
+bypass the passphrases, see also option \-\-master\-key\-file.
+.TP
+.B "\-\-use\-random"
+.TP
+.B "\-\-use\-urandom"
+For \fIluksFormat\fR these options define which kernel random number
+generator will be used to create the master key (which is a
+long-term key).
+
+See \fBNOTES ON RANDOM NUMBER GENERATORS\fR for more
+information. Use \fIcryptsetup \-\-help\fR
+to show the compiled-in default random number generator.
+
+\fBWARNING:\fR In a low-entropy situation (e.g. in an
+embedded system), both selections are problematic.
+Using /dev/urandom can lead to weak keys.
+Using /dev/random can block a long time, potentially
+forever, if not enough entropy can be harvested by
+the kernel.
+.TP
+.B "\-\-key\-slot, \-S <0\-7>"
+For LUKS operations that add key material, this options allows you
+to specify which key slot is selected for the new key.
+This option can be used for \fIluksFormat\fR,
+and \fIluksAddKey\fR.
+.br
+In addition, for \fIopen\fR, this option selects a
+specific key-slot to compare the passphrase against.
+If the given passphrase would only match a different key-slot,
+the operation fails.
+.TP
+.B "\-\-key\-size, \-s <bits>"
+Sets key size in bits. The argument has to be a multiple of
+8. The possible key-sizes are limited by the cipher and
+mode used.
+
+See /proc/crypto for more information. Note that key-size
+in /proc/crypto is stated in bytes.
+
+This option can be used for \fIopen \-\-type plain\fR or \fIluksFormat\fR.
+All other LUKS actions will use the key-size specified in the LUKS header.
+Use \fIcryptsetup \-\-help\fR to show the compiled-in defaults.
+.TP
+.B "\-\-size, \-b <number of 512 byte sectors>"
+Set the size of the device in sectors of 512 bytes.
+This option is only relevant for the \fIopen\fR and \fIresize\fR
+actions.
+.TP
+.B "\-\-offset, \-o <number of 512 byte sectors>"
+Start offset in the backend device in 512-byte sectors.
+This option is only relevant for the \fIopen\fR action with plain
+or loopaes device types.
+.TP
+.B "\-\-skip, \-p <number of 512 byte sectors>"
+Start offset used in IV calculation in 512-byte sectors
+(how many sectors of the encrypted data to skip at the beginning).
+This option is only relevant for the \fIopen\fR action with plain
+or loopaes device types.
+
+Hence, if \-\-offset \fIn\fR, and \-\-skip \fIs\fR, sector \fIn\fR
+(the first sector of encrypted device) will get a sector number
+of \fIs\fR for the IV calculation.
+.TP
+.B "\-\-readonly, \-r"
+set up a read-only mapping.
+.TP
+.B "\-\-shared"
+Creates an additional mapping for one common
+ciphertext device. Arbitrary mappings are supported.
+This option is only relevant for the
+\fIopen \-\-type plain\fR action. Use \-\-offset, \-\-size and \-\-skip to
+specify the mapped area.
+.TP
+.B "\-\-iter\-time, \-i <number of milliseconds>"
+The number of milliseconds to spend with PBKDF2 passphrase processing.
+This option is only relevant for LUKS operations that set or change
+passphrases, such as \fIluksFormat\fR or \fIluksAddKey\fR.
+Specifying 0 as parameter selects the compiled-in default.
+.TP
+.B "\-\-batch\-mode, \-q"
+Suppresses all confirmation questions. Use with care!
+
+If the \-y option is not specified, this option also switches off
+the passphrase verification for \fIluksFormat\fR.
+.TP
+.B "\-\-timeout, \-t <number of seconds>"
+The number of seconds to wait before timeout on passphrase input
+via terminal. It is relevant every time a passphrase is asked,
+for example for \fIopen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
+It has no effect if used in conjunction with \-\-key-file.
+.br
+This option is useful when the system
+should not stall if the user does not input a passphrase,
+e.g. during boot. The default is a value of 0 seconds,
+which means to wait forever.
+.TP
+.B "\-\-tries, \-T"
+How often the input of the passphrase shall be retried.
+This option is relevant
+every time a passphrase is asked, for example for
+\fIopen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
+The default is 3 tries.
+.TP
+.B "\-\-align\-payload <number of 512 byte sectors>"
+Align payload at a boundary of \fIvalue\fR 512-byte sectors.
+This option is relevant for \fIluksFormat\fR.
+
+If not specified, cryptsetup tries to use the topology info
+provided by kernel for the underlying device to get optimal alignment.
+If not available (or the calculated value is a multiple of the default)
+data is by default aligned to a 1MiB boundary (i.e. 2048 512-byte sectors).
+
+For a detached LUKS header this option specifies the offset on the
+data device. See also the \-\-header option.
+.TP
+.B "\-\-uuid=\fIUUID\fR"
+Use the provided \fIUUID\fR for the \fIluksFormat\fR command
+instead of generating new one. Changes the existing UUID when
+used with the \fIluksUUID\fR command.
+
+The UUID must be provided in the standard UUID format,
+e.g. 12345678-1234-1234-1234-123456789abc.
+.TP
+.B "\-\-allow\-discards\fR"
+Allow the use of discard (TRIM) requests for device.
+This option is only relevant for \fIopen\fR action.
+
+\fBWARNING:\fR This command can have a negative security impact
+because it can make filesystem-level operations visible on
+the physical device. For example, information leaking
+filesystem type, used space, etc. may be extractable from
+the physical device if the discarded blocks can be located
+later. If in doubt, do not use it.
+
+A kernel version of 3.1 or later is needed. For earlier kernels
+this option is ignored.
+.TP
+.B "\-\-perf\-same_cpu_crypt\fR"
+Perform encryption using the same cpu that IO was submitted on.
+The default is to use an unbound workqueue so that encryption work
+is automatically balanced between available CPUs.
+This option is only relevant for \fIopen\fR action.
+
+\fBNOTE:\fR This option is available only for low-level dm-crypt
+performance tuning, use only if you need a change to default dm-crypt
+behaviour. Needs kernel 4.0 or later.
+.TP
+.B "\-\-perf\-submit_from_crypt_cpus\fR"
+Disable offloading writes to a separate thread after encryption.
+There are some situations where offloading write bios from the
+encryption threads to a single thread degrades performance
+significantly. The default is to offload write bios to the same
+thread.
+This option is only relevant for \fIopen\fR action.
+
+\fBNOTE:\fR This option is available only for low-level dm-crypt
+performance tuning, use only if you need a change to default dm-crypt
+behaviour. Needs kernel 4.0 or later.
+.TP
+.B "\-\-test\-passphrase\fR"
+Do not activate device, just verify passphrase.
+This option is only relevant for \fIopen\fR action (the device
+mapping name is not mandatory if this option is used).
+.TP
+.B "\-\-header\fR <device or file storing the LUKS header>"
+Use a detached (separated) metadata device or file where the
+LUKS header is stored. This options allows one to store ciphertext
+and LUKS header on different devices.
+
+This option is only relevant for LUKS devices and can be
+used with the \fIluksFormat\fR, \fIopen\fR, \fIluksSuspend\fR,
+\fIluksResume\fR, \fIstatus\fR and \fIresize\fR commands.
+
+For \fIluksFormat\fR with a file name as argument to \-\-header,
+it has to exist and be large enough to contain the LUKS header.
+See the cryptsetup FAQ for header size calculation.
+
+For other commands that change the LUKS header (e.g. \fIluksAddKey\fR),
+specify the device or file with the LUKS header directly as the
+LUKS device.
+
+If used with \fIluksFormat\fR, the \-\-align\-payload option is taken
+as absolute sector alignment on ciphertext device and can be zero.
+
+\fBWARNING:\fR There is no check whether the ciphertext device specified
+actually belongs to the header given. In fact you can specify an
+arbitrary device as the ciphertext device for \fIopen\fR
+with the \-\-header option. Use with care.
+.TP
+.B "\-\-force\-password\fR"
+Do not use password quality checking for new LUKS passwords.
+
+This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
+\fIluksChangeKey\fR and is ignored if cryptsetup is built without
+password quality checking support.
+
+For more info about password quality check, see manual page
+for \fBpwquality.conf(5)\fR and \fBpasswdqc.conf(5)\fR.
+.TP
+.B "\-\-version"
+Show the program version.
+.TP
+.B "\-\-usage"
+Show short option help.
+.TP
+.B "\-\-help, \-?"
+Show help text and default parameters.
+.SH RETURN CODES
+Cryptsetup returns 0 on success and a non-zero value on error.
+
+Error codes are: 1 wrong parameters, 2 no permission (bad passphrase),
+3 out of memory, 4 wrong device specified, 5 device already exists
+or device is busy.
+.SH NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE
+Note that no iterated hashing or salting is done in plain mode.
+If hashing is done, it is a single direct hash. This means that
+low-entropy passphrases are easy to attack in plain mode.
+
+\fBFrom a terminal\fR: The passphrase is read until the
+first newline, i.e. '\\n'.
+The input without the newline character is processed with
+the default hash or the hash specified with \-\-hash.
+The hash result will be truncated to the key size
+of the used cipher, or the size specified with \-s.
+
+\fBFrom stdin\fR: Reading will continue until a newline (or until
+the maximum input size is reached), with the trailing newline
+stripped. The maximum input size is defined by the same
+compiled-in default as for the maximum key file size and can
+be overwritten using \-\-keyfile-size option.
+
+The data read will be hashed with the default hash
+or the hash specified with \-\-hash.
+The hash result will be truncated to the key size
+of the used cipher, or the size specified with \-s.
+
+Note that if \-\-key-file=- is used for reading the key
+from stdin, trailing newlines are not stripped from the input.
+
+If "plain" is used as argument to \-\-hash, the input
+data will not be hashed. Instead, it will be zero padded (if
+shorter than the key size) or truncated (if longer than the
+key size) and used directly as the binary key. This is useful for
+directly specifying a binary key.
+No warning will be given if the amount of data read from stdin is
+less than the key size.
+
+\fBFrom a key file\fR: It will be truncated to the
+key size of the used cipher or the size given by \-s
+and directly used as binary key.
+
+\fBWARNING\fR: The \-\-hash argument is being ignored.
+The \-\-hash option is usable only for stdin input in plain mode.
+
+If the key file is shorter than the key, cryptsetup
+will quit with an error.
+The maximum input size is defined by the same
+compiled-in default as for the maximum key file size and can
+be overwritten using \-\-keyfile-size option.
+
+
+.SH NOTES ON PASSPHRASE PROCESSING FOR LUKS
+LUKS uses PBKDF2 to protect against dictionary attacks
+and to give some protection to low-entropy passphrases
+(see RFC 2898 and the cryptsetup FAQ).
+
+\fBFrom a terminal\fR: The passphrase is read until the
+first newline and then processed by PBKDF2 without
+the newline character.
+
+\fBFrom stdin\fR:
+LUKS will read passphrases from stdin up to the
+first newline character or the compiled-in
+maximum key file length. If \-\-keyfile\-size is
+given, it is ignored.
+
+\fBFrom key file\fR:
+The complete keyfile is read up to the compiled-in
+maximum size. Newline characters do not terminate the
+input. The \-\-keyfile\-size option can be used to limit
+what is read.
+
+\fBPassphrase processing\fR:
+Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat),
+the user may specify how much the time the passphrase processing
+should consume. The time is used to determine the iteration count
+for PBKDF2 and higher times will offer better protection for
+low-entropy passphrases, but open will take longer to
+complete. For passphrases that have entropy higher than the
+used key length, higher iteration times will not increase security.
+
+The default setting of one second is sufficient for most
+practical cases. The only exception is a low-entropy
+passphrase used on a device with a slow CPU, as this will
+result in a low iteration count. On a slow device it may
+be advisable to increase the iteration time using the
+\-\-iter\-time option in order to obtain a higher
+iteration count. This does slow down all later luksOpen
+operations accordingly.
+.SH INCOHERENT BEHAVIOR FOR INVALID PASSPHRASES/KEYS
+LUKS checks for a valid passphrase when an encrypted partition
+is unlocked. The behavior of plain dm-crypt is different.
+It will always decrypt with the passphrase given. If the
+given passphrase is wrong, the device mapped by plain
+dm-crypt will essentially still contain encrypted data and
+will be unreadable.
+.SH NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES
+The available combinations of ciphers, modes, hashes and key sizes
+depend on kernel support. See /proc/crypto for a list of available
+options. You might need to load additional kernel crypto modules
+in order to get more options.
+
+For the \-\-hash option, if the crypto backend is libgcrypt,
+then all algorithms supported by the gcrypt library are available.
+For other crypto backends some algorithms may be missing.
+.SH NOTES ON PASSPHRASES
+Mathematics can't be bribed. Make sure you keep your passphrases safe.
+There are a few nice tricks for constructing a fallback, when suddenly
+out of the blue, your brain refuses to cooperate.
+These fallbacks need LUKS, as it's only possible with LUKS
+to have multiple passphrases. Still, if your attacker model does
+not prevent it, storing your passphrase in a sealed envelope somewhere
+may be a good idea as well.
+.SH NOTES ON RANDOM NUMBER GENERATORS
+Random Number Generators (RNG) used in cryptsetup are always the
+kernel RNGs without any modifications or additions to data stream
+produced.
+
+There are two types of randomness cryptsetup/LUKS needs. One type
+(which always uses /dev/urandom) is used for salts, the AF splitter
+and for wiping deleted keyslots.
+
+The second type is used for the volume (master) key. You can switch
+between using /dev/random and /dev/urandom here, see
+\fP\-\-use\-random\fR and \fP\-\-use\-urandom\fR
+options. Using /dev/random on a system without enough entropy sources
+can cause \fPluksFormat\fR to block until the requested amount of
+random data is gathered. In a low-entropy situation (embedded system),
+this can take a very long time and potentially forever. At the same
+time, using /dev/urandom in a low-entropy situation will
+produce low-quality keys. This is a serious problem, but solving
+it is out of scope for a mere man-page.
+See \fPurandom(4)\fR for more information.
+.SH NOTES ON LOOPBACK DEVICE USE
+Cryptsetup is usually used directly on a block device (disk
+partition or LVM volume). However, if the device argument is a
+file, cryptsetup tries to allocate a loopback device
+and map it into this file. This mode requires Linux kernel 2.6.25
+or more recent which supports the loop autoclear flag (loop device is
+cleared on last close automatically). Of course, you can
+always map a file to a loop-device manually. See the
+cryptsetup FAQ for an example.
+
+When device mapping is active, you can see the loop backing file in
+the status command output. Also see losetup(8).
+.SH DEPRECATED ACTIONS
+.PP
+The \fIreload\fR action is no longer supported.
+Please use \fIdmsetup(8)\fR if you need to
+directly manipulate with the device mapping table.
+.PP
+The \fIluksDelKey\fR was replaced with \fIluksKillSlot\fR.
+.PP
+.SH REPORTING BUGS
+Report bugs, including ones in the documentation, on
+the cryptsetup mailing list at <dm-crypt@saout.de>
+or in the 'Issues' section on LUKS website.
+Please attach the output of the failed command with the
+\-\-debug option added.
+.SH AUTHORS
+cryptsetup originally written by Jana Saout <jana@saout.de>
+.br
+The LUKS extensions and original man page were written by
+Clemens Fruhwirth <clemens@endorphin.org>.
+.br
+Man page extensions by Milan Broz <gmazyland@gmail.com>.
+.br
+Man page rewrite and extension by Arno Wagner <arno@wagner.name>.
+.SH COPYRIGHT
+Copyright \(co 2004 Jana Saout
+.br
+Copyright \(co 2004-2006 Clemens Fruhwirth
+.br
+Copyright \(co 2009-2017 Red Hat, Inc.
+.br
+Copyright \(co 2009-2017 Milan Broz
+.br
+Copyright \(co 2012-2014 Arno Wagner
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+.SH SEE ALSO
+The LUKS website at \fBhttps://gitlab.com/cryptsetup/cryptsetup/\fR
+
+The cryptsetup FAQ, contained in the distribution package and
+online at
+\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions\fR
+
+The cryptsetup mailing list and list archive, see FAQ entry 1.6.
+
+The LUKS on-disk format specification available at
+\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/Specification\fR
diff --git a/man/veritysetup.8 b/man/veritysetup.8
new file mode 100644
index 0000000..f328891
--- /dev/null
+++ b/man/veritysetup.8
@@ -0,0 +1,214 @@
+.TH VERITYSETUP "8" "March 2017" "veritysetup" "Maintenance Commands"
+.SH NAME
+veritysetup - manage dm-verity (block level verification) volumes
+.SH SYNOPSIS
+.B veritysetup <options> <action> <action args>
+.SH DESCRIPTION
+.PP
+Veritysetup is used to configure dm-verity managed device-mapper mappings.
+
+Device-mapper verity target provides read-only transparent integrity
+checking of block devices using kernel crypto API.
+
+The dm-verity devices are always read-only.
+
+Veritysetup supports these operations:
+.PP
+\fIformat\fR <data_device> <hash_device>
+.IP
+Calculates and permanently stores hash verification data for data_device.
+Hash area can be located on the same device after data if specified
+by \-\-hash\-offset option.
+
+Note you need to provide root hash string for device verification
+or activation. Root hash must be trusted.
+
+The data or hash device argument can be block device or file image.
+If hash device path doesn't exist, it will be created as file.
+
+\fB<options>\fR can be [\-\-hash, \-\-no-superblock, \-\-format,
+\-\-data-block-size, \-\-hash-block-size, \-\-data-blocks, \-\-hash-offset,
+\-\-salt, \-\-uuid]
+.PP
+\fIcreate\fR <name> <data_device> <hash_device> <root_hash>
+.IP
+Creates a mapping with <name> backed by device <data_device> and using
+<hash_device> for in-kernel verification.
+
+The <root_hash> is a hexadecimal string.
+
+\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock,
+\-\-ignore-corruption or \-\-restart-on-corruption, \-\-ignore-zero-blocks]
+
+If option \-\-no-superblock is used, you have to use as the same options
+as in initial format operation.
+.PP
+\fIverify\fR <data_device> <hash_device> <root_hash>
+.IP
+Verifies data on data_device with use of hash blocks stored on hash_device.
+
+This command performs userspace verification, no kernel device is created.
+
+The <root_hash> is a hexadecimal string.
+
+\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock]
+
+If option \-\-no-superblock is used, you have to use as the same options
+as in initial format operation.
+.PP
+\fIremove\fR <name>
+.IP
+Removes existing mapping <name>.
+.PP
+\fIstatus\fR <name>
+.IP
+Reports status for the active verity mapping <name>.
+.PP
+\fIdump\fR <hash_device>
+.IP
+Reports parameters of verity device from on-disk stored superblock.
+
+\fB<options>\fR can be [\-\-no-superblock]
+.SH OPTIONS
+.TP
+.B "\-\-verbose, \-v"
+Print more information on command execution.
+.TP
+.B "\-\-debug"
+Run in debug mode with full diagnostic logs. Debug output
+lines are always prefixed by '#'.
+.TP
+.B "\-\-no-superblock"
+Create or use dm-verity without permanent on-disk superblock.
+.TP
+.B "\-\-format=number"
+Specifies the hash version type.
+Format type 0 is original Chrome OS version. Format type 1 is current version.
+.TP
+.B "\-\-data-block-size=bytes"
+Used block size for the data device.
+(Note kernel supports only page-size as maximum here.)
+.TP
+.B "\-\-hash-block-size=bytes"
+Used block size for the hash device.
+(Note kernel supports only page-size as maximum here.)
+.TP
+.B "\-\-data-blocks=blocks"
+Size of data device used in verification.
+If not specified, the whole device is used.
+.TP
+.B "\-\-hash-offset=bytes"
+Offset of hash area/superblock on hash_device.
+Value must be aligned to disk sector offset.
+.TP
+.B "\-\-salt=hex string"
+Salt used for format or verification.
+Format is a hexadecimal string.
+.TP
+.B "\-\-uuid=UUID"
+Use the provided UUID for format command instead of generating new one.
+
+The UUID must be provided in standard UUID format,
+e.g. 12345678-1234-1234-1234-123456789abc.
+.TP
+.B "\-\-ignore-corruption", "\-\-restart-on-corruption"
+Defines what to do if data integrity problem is detected (data corruption).
+
+Without these options kernel fails the IO operation with I/O error.
+With \-\-ignore-corruption option the corruption is only logged.
+With \-\-restart-on-corruption the kernel is restarted immediatelly.
+(You have to provide way how to avoid restart loops.)
+
+\fBWARNING:\fR Use these options only for very specific cases.
+These options are available since Linux kernel version 4.1.
+.TP
+.B "\-\-ignore-zero-blocks"
+Instruct kernel to not verify blocks that are expected to contain zeroes
+and always directly return zeroes instead.
+
+\fBWARNING:\fR Use this option only in very specific cases.
+This option is available since Linux kernel version 4.5.
+.TP
+.B "\-\-hash=hash"
+Hash algorithm for dm-verity. For default see \-\-help option.
+.TP
+.B "\-\-version"
+Show the program version.
+.TP
+.B "\-\-fec-device=fec_device"
+Use forward error correction (FEC) to recover from corruption if hash verification fails.
+Use encoding data from the specified device.
+
+The fec device argument can be block device or file image.
+For format, if fec device path doesn't exist, it will be created as file.
+
+Note: block sizes for data and hash devices must match. Also, if the verity data_device is encrypted the fec_device should be too.
+.TP
+.B "\-\-fec-offset=bytes"
+This is the offset, in bytes, from the start of the FEC device to the beginning of the encoding data.
+.TP
+.B "\-\-fec-roots=num"
+Number of generator roots. This equals to the number of parity bytes in the encoding data.
+In RS(M, N) encoding, the number of roots is M-N. M is 255 and M-N is between 2 and 24 (including).
+.TP
+.SH RETURN CODES
+Veritysetup returns 0 on success and a non-zero value on error.
+
+Error codes are:
+ 1 wrong parameters
+ 2 no permission
+ 3 out of memory
+ 4 wrong device specified
+ 5 device already exists or device is busy.
+
+.SH EXAMPLES
+.B "veritysetup \-\-data-blocks=256 format <data_device> <hash_device>"
+
+Calculates and stores verification data on hash_device for the first 256 blocks (of block-size).
+If hash_device does not exist, it is created (as file image).
+
+.B "veritysetup format <data_device> <hash_device>"
+
+Calculates and stores verification data on hash_device for the whole data_device.
+
+.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 format <device> <device>"
+
+Verification data (hashes) is stored on the same device as data (starting at hash-offset).
+Hash-offset must be greater than number of blocks in data-area.
+
+.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 create test-device <device> <device> <root_hash>"
+
+Acivatees the verity device named test-device. Options \-\-data-blocks and \-\-hash-offset are the same
+as in the format command. The <root_hash> was calculated in format command.
+
+.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 verify <data_device> <hash_device> <root_hash>"
+
+Verifies device without activation (in userspace).
+
+.B "veritysetup \-\-fec-device=<fec_device> \-\-fec-roots=10 format <data_device> <hash_device>"
+
+Calculates and stores verification and encoding data for data_device.
+
+.SH REPORTING BUGS
+Report bugs, including ones in the documentation, on
+the cryptsetup mailing list at <dm-crypt@saout.de>
+or in the 'Issues' section on LUKS website.
+Please attach the output of the failed command with the
+\-\-debug option added.
+.SH AUTHORS
+The first implementation of veritysetup was written by Chrome OS authors.
+
+This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com>
+and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.
+.SH COPYRIGHT
+Copyright \(co 2012-2017 Red Hat, Inc.
+.br
+Copyright \(co 2012-2017 Milan Broz
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+.SH SEE ALSO
+The project website at \fBhttps://gitlab.com/cryptsetup/cryptsetup\fR
+
+The verity on-disk format specification available at
+\fBhttps://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity\fR
diff --git a/misc/11-dm-crypt.rules b/misc/11-dm-crypt.rules
new file mode 100644
index 0000000..dfbb3a0
--- /dev/null
+++ b/misc/11-dm-crypt.rules
@@ -0,0 +1,17 @@
+# Old udev rules historically used in device-mapper.
+# No need to install these until you have some weird configuration.
+# (Code internally set the same flags.)
+
+ACTION!="add|change", GOTO="crypt_end"
+ENV{DM_UDEV_RULES_VSN}!="?*", GOTO="crypt_end"
+
+ENV{DM_UUID}=="CRYPT-TEMP-?*", GOTO="crypt_disable"
+ENV{DM_UUID}!="?*", ENV{DM_NAME}=="temporary-cryptsetup-?*", GOTO="crypt_disable"
+GOTO="crypt_end"
+
+LABEL="crypt_disable"
+ENV{DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG}="1"
+ENV{DM_UDEV_DISABLE_DISK_RULES_FLAG}="1"
+ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}="1"
+
+LABEL="crypt_end"
diff --git a/misc/dict_search/Makefile b/misc/dict_search/Makefile
new file mode 100644
index 0000000..0226c98
--- /dev/null
+++ b/misc/dict_search/Makefile
@@ -0,0 +1,17 @@
+TARGET=crypt_dict
+CFLAGS=-O2 -g -Wall -D_GNU_SOURCE
+LDLIBS=-lcryptsetup
+CC=gcc
+
+SOURCES=$(wildcard *.c)
+OBJECTS=$(SOURCES:.c=.o)
+
+all: $(TARGET)
+
+$(TARGET): $(OBJECTS)
+ $(CC) -o $@ $^ $(LDLIBS)
+
+clean:
+ rm -f *.o *~ core $(TARGET)
+
+.PHONY: clean
diff --git a/misc/dict_search/README b/misc/dict_search/README
new file mode 100644
index 0000000..8f4b1c9
--- /dev/null
+++ b/misc/dict_search/README
@@ -0,0 +1,22 @@
+Simple example how to use libcryptsetup
+for password search.
+
+Run: crypt_dict luks|tcrypt <device|image> <dictionary> [cpus]
+
+luks|tcrypt specified device type (LUKS or TrueCrypt)
+
+<device|image> is LUKS or TrueCrypt device or image
+
+<dictionary> is list of passphrases to try
+(note trailing EOL is stripped)
+
+cpus - number of processes to start in parallel
+
+Format of dictionary file is simple one password per line,
+if first char on line s # it is skiped as comment.
+
+For LUKS, you have it run as root (device-mapper cannot
+create dmcrypt devices as nrmal user. Code need
+to map keyslots as temporary dmcrypt device.)
+
+For TrueCrypt devices root privilege is not required.
diff --git a/misc/dict_search/crypt_dict.c b/misc/dict_search/crypt_dict.c
new file mode 100644
index 0000000..6811662
--- /dev/null
+++ b/misc/dict_search/crypt_dict.c
@@ -0,0 +1,158 @@
+/*
+ * Example of LUKS/TrueCrypt password dictionary search
+ *
+ * Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>
+ *
+ * Run this (for LUKS as root),
+ * e.g. ./crypt_dict test.img /usr/share/john/password.lst 4
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/prctl.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <libcryptsetup.h>
+
+#define MAX_LEN 512
+
+static enum { LUKS, TCRYPT } device_type;
+
+static void check(struct crypt_device *cd, const char *pwd_file, unsigned my_id, unsigned max_id)
+{
+ FILE *f;
+ int len, r = -1;
+ unsigned long line = 0;
+ char pwd[MAX_LEN];
+
+ if (fork())
+ return;
+
+ /* open password file, now in separate process */
+ f = fopen(pwd_file, "r");
+ if (!f) {
+ printf("Cannot open %s.\n", pwd_file);
+ exit(EXIT_FAILURE);
+ }
+
+ while (fgets(pwd, MAX_LEN, f)) {
+
+ /* every process tries N-th line, skip others */
+ if (line++ % max_id != my_id)
+ continue;
+
+ len = strlen(pwd);
+
+ /* strip EOL - this is like a input from tty */
+ if (len && pwd[len - 1] == '\n') {
+ pwd[len - 1] = '\0';
+ len--;
+ }
+
+ /* lines starting "#!comment" are comments */
+ if (len >= 9 && !strncmp(pwd, "#!comment", 9)) {
+ /* printf("skipping %s\n", pwd); */
+ continue;
+ }
+
+ /* printf("%d: checking %s\n", my_id, pwd); */
+ if (device_type == LUKS)
+ r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, pwd, len, 0);
+ else if (device_type == TCRYPT) {
+ struct crypt_params_tcrypt params = {
+ .flags = CRYPT_TCRYPT_LEGACY_MODES,
+ .passphrase = pwd,
+ .passphrase_size = len,
+ };
+ r = crypt_load(cd, CRYPT_TCRYPT, ¶ms);
+ }
+ if (r >= 0) {
+ printf("Found passphrase for slot %d: \"%s\"\n", r, pwd);
+ break;
+ }
+ }
+
+ fclose(f);
+ crypt_free(cd);
+ exit(r >= 0 ? 2 : EXIT_SUCCESS);
+}
+
+int main(int argc, char *argv[])
+{
+ int i, status, procs = 4;
+ struct crypt_device *cd;
+
+ if (argc < 4 || argc > 5) {
+ printf("Use: %s luks|tcrypt <device|file> <password file> [#processes] %d\n", argv[0], argc);
+ exit(EXIT_FAILURE);
+ }
+
+ if (argc == 5 && (sscanf(argv[4], "%i", &procs) != 1 || procs < 1)) {
+ printf("Wrong number of processes.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (!strcmp(argv[1], "luks"))
+ device_type = LUKS;
+ else if (!strcmp(argv[1], "tcrypt"))
+ device_type = TCRYPT;
+ else {
+ printf("Wrong device type %s.\n", argv[1]);
+ exit(EXIT_FAILURE);
+ }
+
+ /* crypt_set_debug_level(CRYPT_DEBUG_ALL); */
+
+ /*
+ * Need to create temporary keyslot device-mapper devices and allocate loop if needed,
+ * so root is requried here.
+ */
+ if (getuid() != 0) {
+ printf("You must be root to run this program.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ /* signal all children if anything happens */
+ prctl(PR_SET_PDEATHSIG, SIGHUP);
+ setpriority(PRIO_PROCESS, 0, -5);
+
+ /* we are not going to modify anything, so common init is ok */
+ if (crypt_init(&cd, argv[2]) ||
+ (device_type == LUKS && crypt_load(cd, CRYPT_LUKS1, NULL))) {
+ printf("Cannot open %s.\n", argv[2]);
+ exit(EXIT_FAILURE);
+ }
+
+ /* run scan in separate processes, it is up to scheduler to assign CPUs inteligently */
+ for (i = 0; i < procs; i++)
+ check(cd, argv[3], i, procs);
+
+ /* wait until at least one finishes with error or status 2 (key found) */
+ while (wait(&status) != -1 && WIFEXITED(status)) {
+ if (WEXITSTATUS(status) == EXIT_SUCCESS)
+ continue;
+ /* kill rest of processes */
+ kill(0, SIGHUP);
+ /* not reached */
+ break;
+ }
+ exit(0);
+}
diff --git a/misc/dracut_90reencrypt/README b/misc/dracut_90reencrypt/README
new file mode 100644
index 0000000..cbfaaf1
--- /dev/null
+++ b/misc/dracut_90reencrypt/README
@@ -0,0 +1,40 @@
+Example of simple dracut module for reencryption of system
+LUKS drive on-the-fly.
+
+Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
+build special intramfs "with dracut -a reencrypt -o crypt".
+Reencrypt module doesn't work (has a conflict) with crypt module as
+of now. After successfull reencryption reboot using original initramfs.
+
+Dracut then recognize argument rd.luks.reencrypt=name:size,
+e.g. rd.luks.reencrypt=sda2:52G means only 52G of device
+will be reencrypted (default is whole device).
+(Name is kernel name of device.)
+
+If there's more than single active keyslot in the target luks device
+you're required to select one keyslot explicitly for reencryption via
+rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
+if you use this option, all other keyslots will get deactivated in the
+process.
+
+Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile
+can be used to read password for specific keyslot from device containing
+filesystem with a keyfile (file with a password). If you omit reencrypt_key
+argument, reencryption would work only in case a LUKS container has
+exactly one keyslot activated.
+
+Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not
+mandatory.
+
+Note that reencryption context is stored in ramdisk, any
+fail can mean complete lost of data!
+
+Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>
+
+This copyrighted material is made available to anyone wishing to use,
+modify, copy, or redistribute it subject to the terms and conditions
+of the GNU General Public License v.2.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software Foundation,
+Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/misc/dracut_90reencrypt/check.old b/misc/dracut_90reencrypt/check.old
new file mode 100755
index 0000000..53010b3
--- /dev/null
+++ b/misc/dracut_90reencrypt/check.old
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+which cryptsetup-reencrypt >/dev/null 2>&1 || exit 1
+
+exit 0
diff --git a/misc/dracut_90reencrypt/install.old b/misc/dracut_90reencrypt/install.old
new file mode 100755
index 0000000..6e0523b
--- /dev/null
+++ b/misc/dracut_90reencrypt/install.old
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+inst cryptsetup-reencrypt
+
+inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+inst "$moddir"/reencrypt.sh /sbin/reencrypt
diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh
new file mode 100755
index 0000000..2ec9953
--- /dev/null
+++ b/misc/dracut_90reencrypt/module-setup.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+check() {
+ [ -x /sbin/cryptsetup-reencrypt ] || return 1
+ return 255
+}
+
+depends() {
+ echo dm rootfs-block
+}
+
+installkernel() {
+ # requires hostonly='' override so that loop module is pulled in initramfs
+ # even if not loaded in actual kernel. dracut bug?
+ hostonly='' instmods dm_crypt =crypto loop
+}
+
+install() {
+ if dracut_module_included crypt; then
+ derror "'reencrypt' can't be installed together with 'crypt'."
+ derror "Add '-o crypt' option to install reencrypt module."
+ return 1
+ fi
+
+ dracut_install cryptsetup-reencrypt
+
+ # moddir variable is assigned in dracut general shell lib
+ # shellcheck disable=SC2154
+ inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+ inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt
+}
diff --git a/misc/dracut_90reencrypt/parse-reencrypt.sh b/misc/dracut_90reencrypt/parse-reencrypt.sh
new file mode 100755
index 0000000..b8aa0bc
--- /dev/null
+++ b/misc/dracut_90reencrypt/parse-reencrypt.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+REENC=$(getargs rd.luks.reencrypt=)
+REENC_DEV=$(echo $REENC | sed 's/:.*//')
+REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')
+
+REENC_KEY=$(getargs rd.luks.reencrypt_key=)
+if [ -z "$REENC_KEY" ] ; then
+ REENC_KEY=none
+fi
+
+REENC_SLOT=$(getargs rd.luks.reencrypt_keyslot=)
+if [ -z "$REENC_SLOT" ] ; then
+ REENC_SLOT=any
+fi
+
+if [ -n "$REENC_DEV" ] ; then
+{
+ printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
+ printf 'ACTION!="add|change", GOTO="reenc_end"\n'
+ printf 'KERNEL=="%s", ' $REENC_DEV
+ printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
+ --unique --onetime --settled --name crypt-reencrypt-%%k \
+ /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE"
+
+ printf 'ENV{ID_FS_UUID}=="*%s*", ' $REENC_DEV
+ printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
+ --unique --onetime --settled --name crypt-reencrypt-%%k \
+ /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE"
+ printf 'LABEL="reenc_end"\n'
+} > /etc/udev/rules.d/69-reencryption.rules
+ initqueue --unique --finished --name crypt-reencrypt-finished-${REENC_DEV} [ -e /tmp/reencrypted ]
+fi
diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
new file mode 100755
index 0000000..e6f87e0
--- /dev/null
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
+#
+
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+[ -d /sys/module/loop ] || modprobe loop
+
+[ -f /tmp/reencrypted ] && exit 0
+
+. /lib/dracut-lib.sh
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+ device="$1"
+fi
+
+PARAMS="$device -T 1 --use-fsync -B 32"
+if [ "$3" != "any" ]; then
+ PARAMS="$PARAMS -S $3"
+fi
+
+if [ -n "$4" ]; then
+ PARAMS="$PARAMS --device-size $4"
+fi
+
+reenc_readkey() {
+ local keypath="${1#*:}"
+ local keydev="${1%%:*}"
+
+ local mntp="/tmp/reencrypted-mount-tmp"
+ mkdir "$mntp"
+ mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
+ umount "$mntp"
+ rm -r "$mntp"
+}
+
+reenc_run() {
+ local cwd
+ cwd=$(pwd)
+ local _prompt="LUKS password for REENCRYPTING $device"
+ cd /tmp
+ udevadm settle
+ if [ "$1" = "none" ] ; then
+ if [ "$2" != "any" ]; then
+ _prompt="$_prompt, using keyslot $2"
+ fi
+ /bin/plymouth ask-for-password \
+ --prompt "$_prompt" \
+ --command="/sbin/cryptsetup-reencrypt $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
+ fi
+ _ret=$?
+ cd $cwd
+}
+
+info "REENCRYPT $device requested"
+# flock against other interactive activities
+{ flock -s 9;
+ reenc_run $2 $3
+} 9>/.console_lock
+
+if [ $_ret -eq 0 ]; then
+ # do not ask again
+ >> /tmp/reencrypted
+ warn "Reencryption of device $device has finished successfully. Use previous"
+ warn "initramfs image (without reencrypt module) to boot the system. When"
+ warn "you leave the emergency shell, the system will reboot."
+
+ emergency_shell -n "(reboot)"
+ [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
+ [ -x /sbin/shutdown ] && /sbin/shutdown -r now
+fi
+
+# panic the kernel otherwise
+exit 1
diff --git a/misc/keyslot_checker/Makefile b/misc/keyslot_checker/Makefile
new file mode 100644
index 0000000..3b159fd
--- /dev/null
+++ b/misc/keyslot_checker/Makefile
@@ -0,0 +1,14 @@
+TARGETS=chk_luks_keyslots
+CFLAGS=-O0 -g -Wall -D_GNU_SOURCE
+LDLIBS=-lcryptsetup -lm
+CC=gcc
+
+all: $(TARGETS)
+
+chk_luks_keyslots: chk_luks_keyslots.o
+ $(CC) -o $@ $^ $(LDLIBS)
+
+clean:
+ rm -f *.o *~ core $(TARGETS)
+
+.PHONY: clean
diff --git a/misc/keyslot_checker/README b/misc/keyslot_checker/README
new file mode 100644
index 0000000..cd5bf81
--- /dev/null
+++ b/misc/keyslot_checker/README
@@ -0,0 +1,120 @@
+Purpose
+=======
+
+chk_luks_keyslots is a tool that searches the keyslot area of a
+LUKS container for positions where entropy is low and hence
+there is a high probability of damage from overwrites of parts
+of the key-slot with data such as a RAID superblock or a partition
+table.
+
+
+Installation
+============
+
+1. Install the version of cryptsetup the tool came with.
+2. Compile with "make"
+
+Manual compile can be done with
+ gcc -lm -lcryptsetup chk_luks_keyslots.c -o chk_luks_keyslots
+
+Usage
+=====
+
+Call chk_luks_keyslots without arguments for an option summary.
+
+
+Example of a good keyslot area with keys 0 and 2 in use:
+--------------------------------------------------------
+
+root> ./chk_luks_keyslots /dev/loop0
+
+parameters (commandline and LUKS header):
+ sector size: 512
+ threshold: 0.900000
+
+- processing keyslot 0: start: 0x001000 end: 0x020400
+- processing keyslot 1: keyslot not in use
+- processing keyslot 2: start: 0x041000 end: 0x060400
+- processing keyslot 3: keyslot not in use
+- processing keyslot 4: keyslot not in use
+- processing keyslot 5: keyslot not in use
+- processing keyslot 6: keyslot not in use
+- processing keyslot 7: keyslot not in use
+
+
+Same example of a fault in slot 2 at offset 0x50000:
+----------------------------------------------------
+
+root>./chk_luks_keyslots /dev/loop2
+
+parameters (commandline and LUKS header):
+ sector size: 512
+ threshold: 0.900000
+
+- processing keyslot 0: start: 0x001000 end: 0x020400
+- processing keyslot 1: keyslot not in use
+- processing keyslot 2: start: 0x041000 end: 0x060400
+ low entropy at: 0x050000 entropy: 0.549165
+- processing keyslot 3: keyslot not in use
+- processing keyslot 4: keyslot not in use
+- processing keyslot 5: keyslot not in use
+- processing keyslot 6: keyslot not in use
+- processing keyslot 7: keyslot not in use
+
+
+Same as last, but verbose:
+--------------------------
+root>./chk_luks_keyslots -v /dev/loop2
+
+parameters (commandline and LUKS header):
+ sector size: 512
+ threshold: 0.900000
+
+- processing keyslot 0: start: 0x001000 end: 0x020400
+- processing keyslot 1: keyslot not in use
+- processing keyslot 2: start: 0x041000 end: 0x060400
+ low entropy at: 0x050000 entropy: 0.549165
+ Binary dump:
+ 0x050000 54 68 69 73 20 69 73 20 61 20 74 65 73 74 2D 73 This is a test-s
+ 0x050010 65 63 74 6F 72 20 66 6F 72 20 63 68 6B 5F 6C 75 ector for chk_lu
+ 0x050020 6B 73 5F 6B 65 79 73 6C 6F 74 73 20 74 68 65 20 ks_keyslots the
+ 0x050030 71 75 69 63 6B 20 62 72 6F 77 6E 20 66 6F 78 20 quick brown fox
+ 0x050040 6A 75 6D 70 73 20 6F 76 65 72 20 74 68 65 20 6C jumps over the l
+ 0x050050 61 7A 79 20 64 6F 67 20 74 68 65 20 71 75 69 63 azy dog the quic
+ 0x050060 6B 20 62 72 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 k brown fox jump
+ 0x050070 73 20 6F 76 65 72 20 74 68 65 20 6C 61 7A 79 20 s over the lazy
+ 0x050080 64 6F 67 20 74 68 65 20 71 75 69 63 6B 20 62 72 dog the quick br
+ 0x050090 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 73 20 6F 76 own fox jumps ov
+ 0x0500a0 65 72 20 74 68 65 20 6C 61 7A 79 20 64 6F 67 20 er the lazy dog
+ 0x0500b0 74 68 65 20 71 75 69 63 6B 20 62 72 6F 77 6E 20 the quick brown
+ 0x0500c0 66 6F 78 20 6A 75 6D 70 73 20 6F 76 65 72 20 74 fox jumps over t
+ 0x0500d0 68 65 20 6C 61 7A 79 20 64 6F 67 20 74 68 65 20 he lazy dog the
+ 0x0500e0 71 75 69 63 6B 20 62 72 6F 77 6E 20 66 6F 78 20 quick brown fox
+ 0x0500f0 6A 75 6D 70 73 20 6F 76 65 72 20 74 68 65 20 6C jumps over the l
+ 0x050100 61 7A 79 20 64 6F 67 20 74 68 65 20 71 75 69 63 azy dog the quic
+ 0x050110 6B 20 62 72 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 k brown fox jump
+ 0x050120 73 20 6F 76 65 72 20 74 68 65 20 6C 61 7A 79 20 s over the lazy
+ 0x050130 64 6F 67 20 74 68 65 20 71 75 69 63 6B 20 62 72 dog the quick br
+ 0x050140 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 73 20 6F 76 own fox jumps ov
+ 0x050150 65 72 20 74 68 65 20 6C 61 7A 79 20 64 6F 67 20 er the lazy dog
+ 0x050160 74 68 65 20 71 75 69 63 6B 20 62 72 6F 77 6E 20 the quick brown
+ 0x050170 66 6F 78 20 6A 75 6D 70 73 20 6F 76 65 72 20 74 fox jumps over t
+ 0x050180 68 65 20 6C 61 7A 79 20 64 6F 67 20 74 68 65 20 he lazy dog the
+ 0x050190 71 75 69 63 6B 20 62 72 6F 77 6E 20 66 6F 78 20 quick brown fox
+ 0x0501a0 6A 75 6D 70 73 20 6F 76 65 72 20 74 68 65 20 6C jumps over the l
+ 0x0501b0 61 7A 79 20 64 6F 67 20 74 68 65 20 71 75 69 63 azy dog the quic
+ 0x0501c0 6B 20 62 72 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 k brown fox jump
+ 0x0501d0 73 20 6F 76 65 72 20 74 68 65 20 6C 61 7A 79 20 s over the lazy
+ 0x0501e0 64 6F 67 20 74 68 65 20 71 75 69 63 6B 20 62 72 dog the quick br
+ 0x0501f0 6F 77 6E 20 66 6F 78 20 6A 75 6D 70 73 20 6F 76 own fox jumps ov
+
+- processing keyslot 3: keyslot not in use
+- processing keyslot 4: keyslot not in use
+- processing keyslot 5: keyslot not in use
+- processing keyslot 6: keyslot not in use
+- processing keyslot 7: keyslot not in use
+
+----
+Copyright (C) 2012, Arno Wagner <arno@wagner.name>
+This file is free documentation; the author gives
+unlimited permission to copy, distribute and modify it.
diff --git a/misc/keyslot_checker/chk_luks_keyslots.c b/misc/keyslot_checker/chk_luks_keyslots.c
new file mode 100644
index 0000000..fa284aa
--- /dev/null
+++ b/misc/keyslot_checker/chk_luks_keyslots.c
@@ -0,0 +1,371 @@
+/*
+ * LUKS keyslot entropy tester. Works only for header version 1.
+ *
+ * Functionality: Determines sample entropy (symbols: bytes) for
+ * each (by default) 512B sector in each used keyslot. If it
+ * is lower than a threshold, the sector address is printed
+ * as it is suspected of having non-"random" data in it, indicating
+ * damage by overwriting. This can obviously not find overwriting
+ * with random or random-like data (encrypted, compressed).
+ *
+ * Version history:
+ * v0.1: 09.09.2012 Initial release
+ * v0.2: 08.10.2012 Converted to use libcryptsetup
+ *
+ * Copyright (C) 2012, Arno Wagner <arno@wagner.name>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <math.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <libcryptsetup.h>
+
+const char *help =
+"Version 0.2 [8.10.2012]\n"
+"\n"
+" chk_luks_keyslots [options] luks-device \n"
+"\n"
+"This tool checks all keyslots of a LUKS device for \n"
+"low entropy sections. If any are found, they are reported. \n"
+"This allows to find areas damaged by things like filesystem \n"
+"creation or RAID superblocks. \n"
+"\n"
+"Options: \n"
+" -t <num> Entropy threshold. Possible values 0.0 ... 1.0 \n"
+" Default: 0.90, which works well for 512B sectors.\n"
+" For 512B sectors, you will get frequent misdetections\n"
+" at thresholds around 0.94\n"
+" Higher value: more sensitive but more false detections.\n"
+" -s <num> Sector size. Must divide keyslot-size.\n"
+" Default: 512 Bytes.\n"
+" Values smaller than 128 are generally not very useful.\n"
+" For values smaller than the default, you need to adjust\n"
+" the threshold down to reduce misdetection. For values\n"
+" larger than the default you need to adjust the threshold\n"
+" up to retain sensitivity.\n"
+" -v Print found suspicuous sectors verbosely. \n"
+" -d Print decimal addresses instead of hex ones.\n"
+"\n";
+
+
+/* Config defaults */
+
+static int sector_size = 512;
+static double threshold = 0.90;
+static int print_decimal = 0;
+static int verbose = 0;
+
+/* tools */
+
+/* Calculates and returns sample entropy on byte level for
+ * The argument.
+ */
+static double ent_samp(unsigned char * buf, int len)
+{
+ int freq[256]; /* stores symbol frequencies */
+ int i;
+ double e, f;
+
+ /* 0. Plausibility checks */
+ if (len <= 0)
+ return 0.0;
+
+ /* 1. count all frequencies */
+ for (i = 0; i < 256; i++) {
+ freq[i] = 0.0;
+ }
+
+ for (i = 0; i < len; i ++)
+ freq[buf[i]]++;
+
+ /* 2. calculate sample entropy */
+ e = 0.0;
+ for (i = 0; i < 256; i++) {
+ f = freq[i];
+ if (f > 0) {
+ f = f / (double)len;
+ e += f * log2(f);
+ }
+ }
+
+ if (e != 0.0)
+ e = -1.0 * e;
+
+ e = e / 8.0;
+ return e;
+}
+
+static void print_address(FILE *out, uint64_t value)
+{
+ if (print_decimal) {
+ fprintf(out,"%08" PRIu64 " ", value);
+ } else {
+ fprintf(out,"%#08" PRIx64 " ", value);
+ }
+}
+
+/* uses default "hd" style, i.e. 16 bytes followed by ASCII */
+static void hexdump_line(FILE *out, uint64_t address, unsigned char *buf) {
+ int i;
+ static char tbl[16] = "0123456789ABCDEF";
+
+ fprintf(out," ");
+ print_address(out, address);
+ fprintf(out," ");
+
+ /* hex */
+ for (i = 0; i < 16; i++) {
+ fprintf(out, "%c%c",
+ tbl[(unsigned char)buf[i]>> 4],
+ tbl[(unsigned char)buf[i] & 0x0f]);
+ fprintf(out," ");
+ if (i == 7)
+ fprintf(out," ");
+ }
+
+ fprintf(out," ");
+
+ /* ascii */
+ for (i = 0; i < 16; i++) {
+ if (isprint(buf[i])) {
+ fprintf(out, "%c", buf[i]);
+ } else {
+ fprintf(out, ".");
+ }
+ }
+ fprintf(out, "\n");
+}
+
+static void hexdump_sector(FILE *out, unsigned char *buf, uint64_t address, int len)
+{
+ int done;
+
+ done = 0;
+ while (len - done >= 16) {
+ hexdump_line(out, address + done, buf + done);
+ done += 16;
+ }
+}
+
+static int check_keyslots(FILE *out, struct crypt_device *cd, int f_luks)
+{
+ int i;
+ double ent;
+ off_t ofs;
+ uint64_t start, length, end;
+ crypt_keyslot_info ki;
+ unsigned char buffer[sector_size];
+
+ for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1) ; i++) {
+ fprintf(out, "- processing keyslot %d:", i);
+ ki = crypt_keyslot_status(cd, i);
+ if (ki == CRYPT_SLOT_INACTIVE) {
+ fprintf(out, " keyslot not in use\n");
+ continue;
+ }
+
+ if (ki == CRYPT_SLOT_INVALID) {
+ fprintf(out, "\nError: keyslot invalid.\n");
+ return EXIT_FAILURE;
+ }
+
+ if (crypt_keyslot_area(cd, i, &start, &length) < 0) {
+ fprintf(stderr,"\nError: querying keyslot area failed for slot %d\n", i);
+ perror(NULL);
+ return EXIT_FAILURE;
+ }
+ end = start + length;
+
+ fprintf(out, " start: ");
+ print_address(out, start);
+ fprintf(out, " end: ");
+ print_address(out, end);
+ fprintf(out, "\n");
+
+ /* check whether sector-size divides size */
+ if (length % sector_size != 0) {
+ fprintf(stderr,"\nError: Argument to -s does not divide keyslot size\n");
+ return EXIT_FAILURE;
+ }
+
+ for (ofs = start; (uint64_t)ofs < end; ofs += sector_size) {
+ if (lseek(f_luks, ofs, SEEK_SET) != ofs) {
+ fprintf(stderr,"\nCannot seek to keyslot area.\n");
+ return EXIT_FAILURE;
+ }
+ if (read(f_luks, buffer, sector_size) != sector_size) {
+ fprintf(stderr,"\nCannot read keyslot area.\n");
+ return EXIT_FAILURE;
+ }
+ ent = ent_samp(buffer, sector_size);
+ if (ent < threshold) {
+ fprintf(out, " low entropy at: ");
+ print_address(out, ofs);
+ fprintf(out, " entropy: %f\n", ent);
+ if (verbose) {
+ fprintf(out, " Binary dump:\n");
+ hexdump_sector(out, buffer, (uint64_t)ofs, sector_size);
+ fprintf(out,"\n");
+ }
+ }
+ }
+ }
+
+ return EXIT_SUCCESS;
+}
+
+/* Main */
+int main(int argc, char **argv)
+{
+ /* for option processing */
+ int c, r;
+ char *device;
+
+ /* for use of libcryptsetup */
+ struct crypt_device *cd;
+
+ /* Other vars */
+ int f_luks; /* device file for the luks device */
+ FILE *out;
+
+ /* temporary helper vars */
+ int res;
+
+ /* getopt values */
+ char *s, *end;
+ double tvalue;
+ int svalue;
+
+ /* global initializations */
+ out = stdout;
+
+ /* get commandline parameters */
+ while ((c = getopt (argc, argv, "t:s:vd")) != -1) {
+ switch (c) {
+ case 't':
+ s = optarg;
+ tvalue = strtod(s, &end);
+ if (s == end) {
+ fprintf(stderr, "\nError: Parsing of argument to -t failed.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (tvalue < 0.0 || tvalue > 1.0) {
+ fprintf(stderr,"\nError: Argument to -t must be in 0.0 ... 1.0\n");
+ exit(EXIT_FAILURE);
+ }
+ threshold = tvalue;
+ break;
+ case 's':
+ s = optarg;
+ svalue = strtol(s, &end, 10);
+ if (s == end) {
+ fprintf(stderr, "\nError: Parsing of argument to -s failed.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (svalue < 1) {
+ fprintf(stderr,"\nError: Argument to -s must be >= 1 \n");
+ exit(EXIT_FAILURE);
+ }
+ sector_size = svalue;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ case 'd':
+ print_decimal = 1;
+ break;
+ case '?':
+ if (optopt == 't' || optopt == 's')
+ fprintf (stderr,"\nError: Option -%c requires an argument.\n",
+ optopt);
+ else if (isprint (optopt)) {
+ fprintf(stderr,"\nError: Unknown option `-%c'.\n", optopt);
+ fprintf(stderr,"\n\n%s", help);
+ } else {
+ fprintf (stderr, "\nError: Unknown option character `\\x%x'.\n",
+ optopt);
+ fprintf(stderr,"\n\n%s", help);
+ }
+ exit(EXIT_SUCCESS);
+ default:
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ /* parse non-option stuff. Should be exactly one, the device. */
+ if (optind+1 != argc) {
+ fprintf(stderr,"\nError: exactly one non-option argument expected!\n");
+ fprintf(stderr,"\n\n%s", help);
+ exit(EXIT_FAILURE);
+ }
+ device = argv[optind];
+
+ /* test whether we can open and read device */
+ /* This is neded as we are reading the actual data
+ * in the keyslots dirtectly from the LUKS container.
+ */
+ f_luks = open(device, O_RDONLY);
+ if (f_luks == -1) {
+ fprintf(stderr,"\nError: Opening of device %s failed:\n", device);
+ perror(NULL);
+ exit(EXIT_FAILURE);
+ }
+
+ /* now get the parameters we need via libcryptsetup */
+ /* Basically we need all active keyslots and their placement on disk */
+
+ /* first init. This does the following:
+ * - gets us a crypt_device struct with some values filled in
+ * Note: This does some init stuff we do not need, but that
+ * should not cause trouble.
+ */
+
+ res = crypt_init(&cd, device);
+ if (res < 0) {
+ fprintf(stderr, "crypt_init() failed. Maybe not running as root?\n");
+ close(f_luks);
+ exit(EXIT_FAILURE);
+ }
+
+ /* now load LUKS header into the crypt_device
+ * This should also make sure a valid LUKS1 header is on disk
+ * and hence we should be able to skip magic and version checks.
+ */
+ res = crypt_load(cd, CRYPT_LUKS1, NULL);
+ if (res < 0) {
+ fprintf(stderr, "crypt_load() failed. LUKS header too broken/absent?\n");
+ crypt_free(cd);
+ close(f_luks);
+ exit(EXIT_FAILURE);
+ }
+
+ fprintf(out, "\nparameters (commandline and LUKS header):\n");
+ fprintf(out, " sector size: %d\n", sector_size);
+ fprintf(out, " threshold: %0f\n\n", threshold);
+
+ r = check_keyslots(out, cd, f_luks);
+
+ crypt_free(cd);
+ close(f_luks);
+ return r;
+}
diff --git a/misc/luks-header-from-active b/misc/luks-header-from-active
new file mode 100755
index 0000000..a94ad33
--- /dev/null
+++ b/misc/luks-header-from-active
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup.
+#
+# Copyright (C) 2010,2011,2012 Milan Broz <gmazyland@gmail.com>
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions
+# of the GNU General Public License v.2.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+umask 0077
+
+fail() { echo -e $1 ; exit 1 ; }
+field() { echo $(dmsetup table --target crypt --showkeys $DEVICE | sed 's/.*: //' | cut -d' ' -f$1) ; }
+field_uuid() { echo $(dmsetup info $1 --noheadings -c -o uuid) ; }
+field_device() {
+ TEMP=$(readlink /sys/dev/block/$1 | sed -e 's/.*\///')
+ if [ ${TEMP:0:3} = "dm-" -a -e /sys/block/$TEMP/dm/name ] ; then
+ TEMP=/dev/mapper/$(cat /sys/block/$TEMP/dm/name)
+ else
+ TEMP=/dev/$TEMP
+ fi
+ echo $TEMP
+}
+
+which readlink >/dev/null || fail "You need readlink (part of coreutils package)."
+which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
+
+[ -z "$2" ] && fail "Recover LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"
+
+DEVICE=$1
+MK_FILE=$2
+
+[ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
+
+CIPHER=$(field 4)
+OFFSET=$(field 8)
+SYS_DEVICE=$(field 7)
+REAL_DEVICE=$(field_device $SYS_DEVICE)
+KEY=$(field 5)
+KEY_SIZE=$(( ${#KEY} / 2 * 8 ))
+SYS_UUID=$(field_uuid $DEVICE)
+UUID="${SYS_UUID:12:8}-${SYS_UUID:20:4}-${SYS_UUID:24:4}-${SYS_UUID:28:4}-${SYS_UUID:32:12}"
+
+#echo "CIPHER=$CIPHER OFFSET=$OFFSET SYS_DEVICE=$SYS_DEVICE REAL_DEVICE=$REAL_DEVICE KEY_SIZE=$KEY_SIZE KEY=$KEY UUID=$UUID SYS_UUID=$SYS_UUID"
+
+[ -z "$CIPHER" -o -z "$OFFSET" -o "$OFFSET" -le 383 -o \
+-z "$KEY" -o -z "$UUID" -o -z "$REAL_DEVICE" -o "${SYS_UUID:0:12}" != "CRYPT-LUKS1-" ] && \
+fail "Incompatible device, sorry."
+
+echo "Generating master key to file $MK_FILE."
+echo -E -n $KEY| xxd -r -p >$MK_FILE
+
+echo "You can now try to reformat LUKS device using:"
+echo " cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE --uuid=$UUID $REAL_DEVICE"
diff --git a/po/LINGUAS b/po/LINGUAS
new file mode 100644
index 0000000..2ca2a7c
--- /dev/null
+++ b/po/LINGUAS
@@ -0,0 +1,16 @@
+cs
+da
+de
+es
+fi
+fr
+id
+it
+nl
+pl
+pt_BR
+sr
+sv
+uk
+vi
+zh_CN
diff --git a/po/Makevars b/po/Makevars
new file mode 100644
index 0000000..d9e17fa
--- /dev/null
+++ b/po/Makevars
@@ -0,0 +1,41 @@
+# Makefile variables for PO directory in any package using GNU gettext.
+
+# Usually the message domain is the same as the package name.
+DOMAIN = $(PACKAGE)
+
+# These two variables depend on the location of this directory.
+subdir = po
+top_builddir = ..
+
+# These options get passed to xgettext.
+XGETTEXT_OPTIONS = --keyword=_ --keyword=N_
+
+# This is the copyright holder that gets inserted into the header of the
+# $(DOMAIN).pot file. Set this to the copyright holder of the surrounding
+# package. (Note that the msgstr strings, extracted from the package's
+# sources, belong to the copyright holder of the package.) Translators are
+# expected to transfer the copyright for their translations to this person
+# or entity, or to disclaim their copyright. The empty string stands for
+# the public domain; in this case the translators are expected to disclaim
+# their copyright.
+COPYRIGHT_HOLDER =
+
+# This is the email address or URL to which the translators shall report
+# bugs in the untranslated strings:
+# - Strings which are not entire sentences, see the maintainer guidelines
+# in the GNU gettext documentation, section 'Preparing Strings'.
+# - Strings which use unclear terms or require additional context to be
+# understood.
+# - Strings which make invalid assumptions about notation of date, time or
+# money.
+# - Pluralisation problems.
+# - Incorrect English spelling.
+# - Incorrect formatting.
+# It can be your email address, or a mailing list address where translators
+# can write to without being subscribed, or the URL of a web page through
+# which the translators can contact you.
+MSGID_BUGS_ADDRESS = dm-crypt@saout.de
+
+# This is the list of locale categories, beyond LC_MESSAGES, for which the
+# message catalogs shall be used. It is usually empty.
+EXTRA_LOCALE_CATEGORIES =
diff --git a/po/POTFILES.in b/po/POTFILES.in
new file mode 100644
index 0000000..f77caa1
--- /dev/null
+++ b/po/POTFILES.in
@@ -0,0 +1,22 @@
+lib/libdevmapper.c
+lib/random.c
+lib/setup.c
+lib/utils.c
+lib/crypt_plain.c
+lib/utils_crypt.c
+lib/utils_loop.c
+lib/utils_fips.c
+lib/utils_device.c
+lib/luks1/af.c
+lib/luks1/keyencryption.c
+lib/luks1/keymanage.c
+lib/loopaes/loopaes.c
+lib/tcrypt/tcrypt.c
+lib/verity/verity.c
+lib/verity/verity_hash.c
+lib/verity/verity_fec.c
+src/cryptsetup.c
+src/veritysetup.c
+src/cryptsetup_reencrypt.c
+src/utils_tools.c
+src/utils_password.c
diff --git a/po/cs.po b/po/cs.po
new file mode 100644
index 0000000..19f7c5c
--- /dev/null
+++ b/po/cs.po
@@ -0,0 +1,1961 @@
+# Czech translation for cryptsetup.
+# Copyright (C) 2010 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Milan Broz <mbroz@redhat.com>, 2010.
+# Petr Pisar <petr.pisar@atlas.cz>, 2010, 2011, 2012, 2013, 2014, 2015, 2016.
+# Petr Pisar <petr.pisar@atlas.cz>, 2017.
+#
+# See `LUKS On-Disk Format Specification' document to clarify some terms.
+#
+# key slot → pozice klíče
+# plain/LUKS1 crypt → šifra plain/LUKS1 („plain“ nepřekládat)
+# resume → probudit
+# suspend → uspat
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 20:43+01:00\n"
+"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
+"Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
+"Language: cs\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Nelze inicializovat device-mapper, nespuštěno superuživatelem.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID pro zařízení %s bylo zkráceno.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Požadované výkonnostní volby dm-cryptu nejsou podporovány.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Požadované volby, jak zacházet s poškozením dat dm-verity, nejsou podporovány.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Během vytváření klíče svazku došla systému entropie.\n"
+"Aby bylo možné nasbírat náhodné události, žádáme uživatele, aby pohyboval\n"
+"myší nebo psal text do jiného okna.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Vytváří se klíč (%d %% hotovo).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Režim FIPS zapnut.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Fatální chyba během přípravy generátoru náhodných čísel.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Požadována neznámá kvalita generátoru náhodných čísel.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Chyba %d při čtení z generátoru náhodných čísel: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Implementaci šifrovacího generátoru náhodných čísel nelze inicializovat.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Implementaci šifrování nelze inicializovat.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Hašovací algoritmus %s není podporován.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Chyba zpracování klíče (za použití haše %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Tato operace je podporována jen u zařízení LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Všechny pozice klíčů jsou obsazeny.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Zadejte heslo pro %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Nalezena hlavička, ale zařízení %s je příliš malé.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Tato operace není na zařízení tohoto typu podporována.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Zařízení %s není aktivní.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Neplatné parametry plain šifry.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Neplatná velikost klíče.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID není na šifře tohoto typu podporováno.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "LUKS nelze bez zařízení naformátovat.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Zařízení %s, které se stále používá, nelze formátovat.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Zařízení %s nelze formátovat, povolení zamítnuto.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Ze zařízení %s nelze odstranit hlavičku.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "LOOPAES nelze bez zařízení naformátovat.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "VERITY nelze bez zařízení naformátovat.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Nepodporovaný druh VERITY haše %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Nepodporovaná velikost bloku VERITY.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Nepodporovaná poloha haše VERITY.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Oblast dat se překrývá s oblastí haše.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Požadován neznámý typ šifrovaného zařízení %s.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Nelze změnit velikost zařízení zpětné smyčky.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Opravdu chcete změnit UUID zařízení?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Svazek %s není aktivní.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Svazek %s je již uspán.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Uspání není na zařízení %s podporováno.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Chyba při uspávání zařízení %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Svazek %s není uspán.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Probuzení není na zařízení %s podporováno.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Chyba při probouzení zařízení %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Zadejte heslo: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr ""
+"Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku\n"
+"nebyl poskytnut.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Zadejte jakékoliv heslo: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Zadejte nové heslo pro pozici klíče: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Pozice klíče %d změněna.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Nahrazeno pozicí klíče %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Záměna novou pozicí klíče se nezdařila.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Heslo svazku neodpovídá svazku.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Pozice klíče %d je neplatná.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Pozice klíče %d není použita.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Zařízení %s již existuje.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Byl zadán neplatný klíč svazku.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "K zařízení VERITY byl zadán neplatný kořenový haš.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Typ zařízení není řádně inicializován.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Zařízení %s se stále používá.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Neplatné zařízení %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "V režimu FIPS není funkce dostupná.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Vyhrazená paměť pro klíč svazku je příliš malá.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Nelze získat klíč svazku pro otevřené zařízení.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Na šifrovaném zařízení %s není tato operace podporována.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Operace výpisu není na zařízení tohoto typu podporována.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Nelze zjistit prioritu procesu.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Paměť nelze odemknout.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Při čtení hesla došla paměť.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Chyba při čtení hesla z terminálu.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Ověřte heslo: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Hesla se neshodují.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Ve vstupu z terminálu nelze měnit polohu.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Soubor s klíčem se nepodařilo otevřít.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "O souboru s klíčem nebylo možné zjistit údaje.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Nelze se přesunout na požadované místo v souboru s klíčem.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Chyba při čtení hesla.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Maximální délka souboru s klíčem překročena.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Požadované množství dat nelze načíst.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Zařízení typu loopback nelze použít, nespuštěno superuživatelem.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr ""
+"Připojení zařízení zpětné smyčky selhalo (požadováno zařízení s příznakem\n"
+"autoclear).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr ""
+"Zařízení %s nelze použít, protože se již používá\n"
+"(již namapováno nebo připojeno).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "O zařízení %s nelze získat údaje.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Požadovaná poloha je za hranicí skutečné velikosti zařízení %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Zařízení %s má nulovou velikost.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Zařízení %s je příliš malé.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Nepodařilo se nastavit mapování klíče v dm-cryptu pro zařízení %s.\n"
+"Zkontrolujte, že jádro podporuje šifru %s (podrobnosti v syslogu).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "V režimu XTS musí být velikost klíče 256 nebo 512 bitů.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Na zařízení %s nelze zapsat, povolení zamítnuto.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Otevření dočasného zařízení s úložištěm klíče selhalo.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Chyba vstupu/výstupu při šifrování pozice klíče.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Chyba vstupu/výstupu při dešifrování pozice klíče.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Zařízení %s je příliš malé. (LUKS vyžaduje alespoň %<PRIu64> bajtů.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Zařízení %s není platným zařízením LUKS.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Požadovaný soubor se zálohou hlavičky %s již existuje.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Soubor se zálohou hlavičky %s nelze vytvořit.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Nelze zapsat soubor %s se zálohou hlavičky.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Nelze otevřít soubor se zálohou hlavičky %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Soubor se zálohou hlavičky %s nelze načíst.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Počátek dat nebo velikost klíče se liší mezi zařízením a zálohou, obnova se nezdařila.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Zařízení %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na daném zařízení."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"POZOR: hlavička ve skutečném zařízení má jiné UUID než záloha!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Zařízení %s nelze otevřít.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Nestandardní velikost klíče, je třeba ruční opravy.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Nestandardní zarovnání pozice klíče, je třeba ruční opravy.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Opravují se pozice klíčů.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Oprava selhala."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Pozice klíče %i: poloha opravena (%u → %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Pozice klíče %i: proklad opraven (%u → %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Pozice klíče %i: chybná značka oddílu.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Pozice klíče %i: sůl vymazána.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Hlavička LUKS se zapisuje na disk.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Nepodporovaná verze LUKS %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Požadovaný haš LUKSu %s není podporován.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "Pozice %u klíče LUKS není platná.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "V hlavičce LUKS nenalezen žádný známý problém.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Chyba při aktualizaci hlavičky LUKS na zařízení %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Chyba při opakovaném čtení hlavičky LUKS po aktualizaci zařízení %s.\n"
+
+# TODO: Pluralize
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Poloha dat u oddělené hlavičky LUKS musí být buď 0, nebo více než velikost hlavičky (sektorů: %d).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Poskytnut UUID LUKSu ve špatném tvaru.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Neslučitelné volby PBKDF2 (při použití hašovacího algoritmu %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Hlavičku LUKS nelze vytvořit: výpočet otisku hlavičky (haš %s) selhal.\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Pozice klíče %d je aktivní, nejprve ji uvolněte.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Pozice klíče %d obsahuje příliš málo útržků. Manipulace s hlavičkou?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Pozice klíče %d odemknuta.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "S tímto heslem není dostupný žádný klíč.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Zařízení %s není možné smazat.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Zjištěn dosud nepodporovaný soubor s klíčem šifrovaný pomocí GPG.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Prosím, použijte gpg --decrypt SOUBOR_S_KLÍČEM | cryptsetup --keyfile=- …\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Zjištěn nekompatibilní soubor s klíčem loop-AES.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Jádro nepodporuje mapování kompatibilní s loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Chyba při čtení souboru s klíčem %s\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Překročena maximální délka hesla TCRYPT (%d).\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Hašovací algoritmus PBKDF2 %s není podporován, přeskakuje se.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Požadované kryptografické rozhraní jádra není dostupné.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Ujistěte se, že jaderný modul algif_skcipher je zaveden.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktivace nad sektory o velikosti %d není podporována.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Jádro nepodporuje aktivaci v tomto zastaralém režimu TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Aktivuje se systémové šifrování TCRYPT pro oddíl %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Zařízení VERITY %s nepoužívá hlavičku uvnitř disku.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Zařízení %s není platným zařízením VERITY.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Nepodporovaná verze VERITY %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Hlavička VERITY je poškozena.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Na zařízení %s poskytnuto UUID VERITY ve špatném tvaru.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Chyba při aktualizaci hlavičky VERITY na zařízení %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Jádro nepodporuje mapování dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Po aktivaci zjistilo zařízení VERITY poškození.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Řídká oblast na pozici %<PRIu64> není vynulována.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Pozice na zařízení přetekla.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Ověření na pozici %<PRIu64> selhalo.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Neplatné parametry velikosti pro zařízení VERITY.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Příliš mnoho úrovní stromu ve svazku VERITY.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Ověření datové oblasti selhalo.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Ověření kořenového haše selhalo.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Při vytváření oblasti haší došlo k chybě na vstupu/výstupu.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Oblast haší se nepodařilo vytvořit.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "POZOR: Jádro nemůže aktivovat zařízení, pokud velikost datového bloku přesahuje velikost stránky (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Se vstupem mimo terminál nelze ověřit heslo.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Nelze určit žádnou známou specifikaci šifry.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "POZOR: Jedná-li se o režim plain a je-li určen soubor s klíčem, parametr --hash se ignoruje.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "POZOR: Přepínač --keyfile-size se ignoruje, velikost pro čtení je stejná jako velikosti šifrovacího klíče.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Je vyžadován přepínač --key-file.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "S tímto heslem není rozpoznatelná žádná hlavička zařízení.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Výpis hlavičky s klíčem svazku je citlivý údaj,\n"
+"který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n"
+"Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Výsledek hodnocení výkonu není spolehlivý.\n"
+
+# ???: are aproximated?
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testy jsou počítány jen z práce s pamětí (žádné I/O úložiště).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritmus | Klíč | Šifrování | Dešifrování\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Šifra %s není dostupná.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "–"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Soubor s klíčem %s nelze číst.\n"
+
+# FIXME: Pluralize
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Ze souboru s klíčem %2$s nelze přečíst %1$d bajtů.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Opravdu se pokusit opravit hlavičku zařízení LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Toto nevratně přepíše data na %s."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "chyba alokace paměti v action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "%s nelze použít pro hlavičku uvnitř disku.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Zmenšená poloha dat je dovolena jen u oddělené hlavičky LUKS.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Ke smazání vybrán klíč na pozici %d.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Klíč %d není aktivní. Nelze jej odstranit.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr ""
+"Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n"
+"zařízení použít."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Zadejte jakékoliv jiné heslo: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Zadejte heslo, které se má smazat: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Zadejte jakékoliv existující heslo: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Zadejte heslo, které má být změněno: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Zadejte nové heslo: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "U operace isLuks je podporován pouze jeden argument se zařízením.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Je vyžadován přepínač --header-backup-file.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Nerozpoznaná metadata druhu zařízení %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Příkaz vyžaduje jako argumenty zařízení a mapovaný název.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Tento úkon smaže všechny pozice s klíči na zařízení %s.\n"
+"Po jeho dokončení zařízení bude nepoužitelné."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<zařízení> [--type <druh>] [<název>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "otevře zařízení jako mapování <název>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<název>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "zavře zařízení (odstraní mapování)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "změní velikost aktivního zařízení"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "zobrazí stav zařízení"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <šifra>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "zhodnotí výkon šifry"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<zařízení>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "pokusí se opravit metadata uložená na disku"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "smaže všechny pozice s klíči (odstraní šifrovací klíč)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<zařízení> [<soubor_s_novým_klíčem>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "naformátuje zařízení LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "do zařízení LUKS přidá klíč"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<zařízení> [<soubor_s_klíčem>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "změní zadaný klíč nebo soubor s klíčem u zařízení LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<zařízení> <pozice_klíče>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "smaže klíč s číslem <pozice_klíče> ze zařízení LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "zobrazí UUID zařízení LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "otestuje <zařízení> na hlavičku oddílu LUKS"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "vypíše údaje o oddílu LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "vypíše údaje o oddílu TCRYPT"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "probudí uspané zařízení LUKS"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "zálohuje hlavičku zařízení LUKS a jeho pozice s klíči"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "obnoví hlavičku zařízení LUKS a jeho pozice s klíči"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<akce> je jedna z:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Rovněž lze použít starý aliasy zápisu <akce>:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<název> je zařízení, které se má vytvořit v %s\n"
+"<zařízení> je zašifrované zařízení\n"
+"<pozice_klíče> je číslo pozice klíče LUKS, který se má upravit\n"
+"<soubor_s_klíčem> je volitelný soubor s novým klíčem pro akci luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Výchozí zakompilované parametry klíče a hesla:\n"
+"\tMaximální velikost souboru s klíčem: %d kB, Maximální délka interaktivního hesla %d (znaků)\n"
+"Výchozí čas opakování PBKDF2 pro LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Výchozí zakompilované parametry šifer zařízení:\n"
+"\tloop-AES: %s, Klíč %d bitů\n"
+"\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n"
+"\tLUKS1: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: vyžaduje %s jako argumenty"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Zobrazí tuto nápovědu"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Zobrazí stručný návod na použití"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Přepínače nápovědy:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Vypíše verzi balíku"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Zobrazuje podrobnější chybové hlášky"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Zobrazuje ladicí hlášky"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Šifra použita k zašifrování disku (vizte /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Haš použit k vytvoření šifrovacího klíče z hesla"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Ověřuje heslo dvojitým dotazem"
+
+# TODO: Remove period
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Klíč načte ze souboru"
+
+# TODO: Remove period
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "(Hlavní) klíč svazku načte ze souboru"
+
+# TODO: Remove period
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Vypíše (hlavní) klíč svazku namísto údajů o pozicích klíčů"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Velikost šifrovacího klíče"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITY"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Omezí čtení ze souboru s klíčem"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "bajty"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Přeskočí daný počet bajtů na začátku souboru s klíčem"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Omezí čtení z nově přidaného souboru s klíčem"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Přeskočí daný počet bajtů na začátku nově přidaného souboru s klíčem"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Číslo pozice pro nový klíč (výchozí je první volná)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Velikost zařízení"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SEKTORY"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Poloha začátku dat v podkladovém zařízení"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Kolik sektorů šifrovaných dat se má na začátku přeskočit"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Vytvoří mapování určené jen pro čtení"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Doba opakování PBKDF2 pro LUKS (v ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "milisekundy"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Nevyžaduje potvrzení"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Časový limit pro interaktivní dotaz na heslo (v sekundách)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "sekundy"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Kolikrát se lze zeptat na heslo"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Zarovnává data na hranici <n> sektorů – pro luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Soubor se zálohou hlavičky LUKS a jejích pozic s klíči"
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Klíče svazku vytvoří z /dev/random."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Klíč svazku vytvoří z /dev/urandom."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Zařízení sdílí s jiným nepřekrývajícím se šifrovaným segmentem."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "Použije zařízení s UUID."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Povolí u daného zařízení požadavky na zahození (TRIM)."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Zařízení nebo soubor s oddělenou hlavičkou LUKS."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Zařízení neaktivuje, jen zkontroluje heslo."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Použije se skrytá hlavička (skryté zařízení TCRYPT)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Zařízení je systémová jednotka TCRYPT (se zavaděčem)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Použije se záložní (druhá) hlavička TCRYPT."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Hledá také zařízení kompatibilní s VeraCrypt."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Druh metadat zařízení: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Vypne kontrolku odolnosti hesla (byla-li zapnuta)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Použije výkonnostně kompatibilní přepínač dmcryptu same_cpu_crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Použije výkonnostně kompatibilní přepínač dmcryptu submit_from_crypt_cpus."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[PŘEPÍNAČ…] <akce> <přepínače_akce>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Chybí argument <akce>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Neznámá akce."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Přepínač --allow-discards je dovolen jen při úkonu otevírání.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Přepínač --key-size je dovolen jen u luksFormat, open a benchmark.\n"
+"Čtení ze souboru s klíčem lze omezit pomocí --keyfile-size=(bajty)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS a TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Velikost klíče musí být násobkem 8 bitů."
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Pozice klíče není platná."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "U přepínače není záporné číslo dovoleno."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Je dovolen pouze jeden argument přepínače --key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Přepínač --use-[u]random je dovolen pouze u luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Přepínač --uuid je dovolen pouze u luksFormat a luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Přepínač --align-payload je dovolen pouze u luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Přepínač --offset je podporován jen při otevírání zařízení plain a loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Přepínač --veracrypt je podporován jen u typu zařízení TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Zadán neplatný řetězec se solí.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Nelze vytvořit obraz hašů %s určený k zápisu.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Zadán neplatný řetězec s kořenovým hašem.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<zařízení_dat> <zařízení_hašů>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "naformátuje zařízení"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<zařízení_dat> <zařízení_hašů> <kořenový_haš>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "ověří zařízení"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<název> <zařízení_dat> <zařízení_hašů> <kořenový_haš>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "vytvoří aktivní zařízení"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "odstraní (deaktivuje) zařízení"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "zobrazí stav aktivního zařízení"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<zařízení_hašů>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "zobrazí údaje z disku"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<název> je zařízení, které bude vytvořeno pod %s\n"
+"<zařízení_dat> je datové zařízení\n"
+"<zařízení_hašů> je zařízení obsahující ověřovací data\n"
+"<kořenový_haš> haš kořenového uzlu na <zařízení_hašů>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Výchozí zakompilované parametry dm-verity:\n"
+"\tHaš: %s, Datový blok (bajty): %u, Blok hašů (bajty): %u, Velikost soli: %u, Formát haše: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Nepoužije superblok verity"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Druh formátu (1 – běžný, 0 – původní z OS Chrome)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "číslo"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Velikost bloku na zařízení dat"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Velikost bloku na zařízení hašů"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Počet bloků v datovém souboru"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "bloky"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Poloha začátku dat v zařízení hašů"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Hašovací algoritmus"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "řetězec"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Sůl"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "šestnáctkový řetězec"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Restartuje jádro, pokud je zjištěno poškození"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignoruje poškození, pouze jej zaznamená"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Neověřuje vynulované bloky"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Přepínače --ignore-corruption, --restart-on-corruption nebo --ignore-zero-blocks jsou dovoleny jen při operaci vytváření.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Přepínače --ignore-corruption a --restart-on-corruption nelze použít najednou.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Alokace zarovnané paměti se nezdařila.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Ze zařízení %s nelze číst.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "LUKS zařízení %s se označuje za nepoužitelné.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Zařízení %s není možné zapsat.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Nelze zapsat soubor s protokolem přešifrování.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Soubor s protokolem přešifrování nelze načíst.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Soubor s protokolem %s existuje, pokračuje se v přerušeném přešifrování.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Aktivuje se dočasné zařízení za pomoci staré hlavičky LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Aktivuje se dočasné zařízení za pomoci nové hlavičky LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Aktivace dočasných zařízení selhala.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Byla vytvořena nová hlavička LUKS zařízení %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Pozice klíče %i aktivována.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Záloha hlavičky LUKS zařízení %s byla vytvořena.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Záložní hlavičky LUKS se nepodařilo vytvořit.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Hlavičku LUKS na zařízení %s nelze obnovit.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Hlavička LUKS na zařízení %s byla obnovena.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Průběh: %5.1f %%, ETA %02llu:%02llu, zapsáno %'4llu MiB, rychlost %'5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Nelze se přesunout na požadované místo v zařízení.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Nelze otevřít dočasné zařízení LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Velikost zařízení nelze zjistit.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Přerušeno signálem.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Chyba vstupu/výstupu během přešifrování.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Poskytnuté UUID není platné.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr ""
+"Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou\n"
+"aktivní pozicí klíče.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Zadejte heslo pro pozici klíče %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Nelze otevřít soubor s protokolem přešifrování.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Žádné dešifrování není rozpracované. Poskytnuté UUID lze použít jen k obnovení pozastaveného procesu dešifrování.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Velikost bloku přešifrování"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Nezmění klíč, oblast s daty se nebude přešifrovávat."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "K zařízením se bude přistupovat pomocí přímého I/O."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Po každém bloku se zavolá fsync."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Po každém bloku se aktualizuje soubor s protokolem."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Použije se pouze tato pozice (ostatní budou zakázány)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Zmenší velikost datového zařízení (posune začátek dat). NEBEZPEČNÉ!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Použije zadanou velikost zařízení (ignoruje zbytek zařízení). NEBEZPEČNÉ!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Vytvoří novou hlavičku na nešifrovaném zařízení."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Natrvalo dešifruje zařízení (odstraní šifrování)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "UUID, které se použije pro obnovení dešifrování."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[PŘEPÍNAČ…] <zařízení>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Přešifrování změní: klíč svazku%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", nastaví haš na "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", nastaví šifru na "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Vyžadován argument."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Velikost bloku při přešifrování může nabývat hodnot pouze mezi 1 a 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Zadána neplatná velikost zařízení."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Maximální velikost zmenšení zařízení je 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Velikost zmenšení musí být násobkem 512bajtových sektorů."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Přepínač --new musí být použit spolu s --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Přepínač --keep-key lze použít jen s přepínači --hash nebo --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Přepínač --new nelze být použit spolu s --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Přepínač --decrypt se neslučuje se zadanými parametry."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Přepínač --uuid lze použít jen spolu s přepínačem --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Chyba při čtení odpovědi z terminálu.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Příkaz úspěšně vykonán.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Příkaz selhal s kódem %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Odolnost hesla nelze prověřit: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Kontrola odolnosti hesla selhala:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Kontrola odolnosti hesla selhala: Špatné heslo (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Nelze najít volné zařízení zpětné smyčky.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Zařízení %s nelze otevřít\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Dokud probíhá dešifrování, předaný UUID nelze použít.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "LUKS zařízení %s se označuje za použitelné.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "POZOR: toto je pokusný kód, může zničit vaše data.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "Ověření kontrolního součtu FIPS selhalo.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "POZOR: zařízení %s je oddíl. U systémového šifrování TCRYPT je obvykle třeba použít cestu k celému blokovému zařízení.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "Jádro nepodporuje inicializační vektor plain64.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Zadejte heslo LUKS: "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Zadejte nové heslo LUKS: "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Zadejte jakékoliv heslo LUKS: "
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Adresář device-mapperu se nepodařilo získat."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Záložní soubor %s neexistuje.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Soubor %s nelze otevřít.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<název> <zařízení>"
+
+#~ msgid "create device"
+#~ msgstr "vytvoří zařízení"
+
+#~ msgid "remove device"
+#~ msgstr "odstraní zařízení"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "odstraní mapování LUKS"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "otevře zařízení loop-AES jako mapování <název>"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "odstraní mapování loop-AES"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "Přepínač --allow-discards je dovolen jen při úkonech luksOpen, loopaesOpen a create.\n"
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Zařízení %s nelze otevřít pro %s%s přístup.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "výlučný "
+
+#~ msgid "writable"
+#~ msgstr "zápisový"
+
+#~ msgid "read-only"
+#~ msgstr "jen pro čtení"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "POZOR!!! Zřejmě nezabezpečená paměť. Jste root?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Není možné zjistit velikost sektoru u %s"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Zápis do úložiště klíče selhal.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Čtení z úložiště klíče selhalo.\n"
+
+#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
+#~ msgstr "Zařízení %s nelze použít (šifrované segmenty se překrývají nebo jsou používány jiným zařízením).\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "Pozice klíče %d ověřena.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "%d není platná velikost klíče.\n"
+
+#~ msgid "Block mode XTS is available since kernel 2.6.24.\n"
+#~ msgstr "Blokový režim XTS je dostupný až od jádra 2.6.24.\n"
+
+#~ msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+#~ msgstr "V režimu LRW musí být velikost klíče 256 nebo 512 bitů.\n"
+
+#~ msgid "Block mode LRW is available since kernel 2.6.20.\n"
+#~ msgstr "Blokový režim LRW je dostupný až od jádra 2.6.20.\n"
+
+#~ msgid "Negative keyfile size not permitted.\n"
+#~ msgstr "Záporná velikost souboru s klíčen není dovolena.\n"
+
+#~ msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+#~ msgstr "Pozor: požadováno úplné čtení, avšak soubor s klíčem není běžný soubor. Funkce se možná nikdy nevrátí.\n"
diff --git a/po/da.po b/po/da.po
new file mode 100644
index 0000000..8a10910
--- /dev/null
+++ b/po/da.po
@@ -0,0 +1,1823 @@
+# Danish translation cryptsetup-1.7.2.da.po.
+# Copyright (C) 2016 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Joe Hansen <joedalton2@yahoo.dk>, 2015, 2016, 2017.
+#
+# Konventioner
+# wipe -> rydde
+# suspended -> suspenderet (skal det være standset i stedet for?)
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup-1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 22:30+0200\n"
+"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
+"Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
+"Language: da\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Kan ikke initialisere enhedsoversætter, kører som ikke-root bruger.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Kan ikke initialisere enhedsoversætter. Er dm_mod-kernemodulet indlæst?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID for enheden %s blev afkortet.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Forespurgte dm-crypt-ydelsestilvalg er ikke understøttede.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Forespurgte dm-verity-håndteringstilvalg for datakorruption er ikke understøttede.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Systemet har ikke nok entropi til oprettelse af diskenhedsnøgle.\n"
+"Flyt venligst musen eller indtast noget tekst i et andet vindue for at samle nogle vilkårlige hændelser.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Opretter nøgle (%d%% færdig).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Kører i FIPS-tilstand.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Fatal fejl under RNG-initialisering.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Der blev anmodt om ukendt RNG-kvalitet.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Fejl %d under læsning fra RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Kan ikke initialisere crypto RNG-motor.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Kan ikke initialisere crypto-motor.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Hashalgoritme %s er ikke understøttet.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Nøglebehandlingsfejl (der bruger hash %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Kan ikke bestemme enhedstype. Er aktivering af enhed ikke kompatibel?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Denne operation er kun understøttet for LUKS-enhed.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Alle nøglepladser er udfyldt.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Nøgleplads %d er ugyldig, vælg venligst mellem 0 og %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Nøgleplads %d er fuld, vælg venligst en anden.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Indtast adgangsfrase for %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Teksthoved detekteret men enheden %s er for lille.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Denne operation er ikke understøttet for denne enhedstype.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Enhed %s er ikke aktiv.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Underliggende enhed for cryptenheden %s forsvandt.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Ugyldige rene crypt-parametre.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Ugyldig nøglestørrelse.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID er ikke understøttet for denne crypttype.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Kan ikke formatere LUKS uden enhed.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Kan ikke formatere enheden %s som stadig er i brug.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Kan ikke formatere enheden %s, tilladelse nægtet.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Kan ikke rydde teksthoved på enheden %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Kan ikke formatere LOOPAES uden enhed.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Kan ikke formatere VERITY uden enhed.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "VERITY-hashtypen %d er ikke understøttet.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "VERITY-blokstørrelse er ikke understøttet.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "VERITY-hashforskydning er ikke understøttet.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Dataområde overlapper med hashområde.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Der blev anmodt om ukendt crypt-enhedstype %s.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Kan ikke ændre størrelse på loop-enhed.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Ønsker du at ændre UUID for enhed?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Diskenheden %s er ikke aktiv.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Diskenheden %s er allerede suspenderet.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Suspension er ikke understøttet for enheden %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Fejl under suspension af enheden %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Diskenheden %s er ikke suspenderet.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Genoptag er ikke understøttet for enheden %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Fejl under genoptagelse af enheden %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Indtast adgangsfrase: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Kan ikke tilføje nøgleplads, alle pladser er deaktiveret og ingen diskenhedsnøgle tilbudt.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Indtast en adgangsfrase: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Indtast ny adgangsfrase for nøgleplads: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Nøglepladsen %d ændret.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Erstattet med nøglepladsen %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Kunne ikke swappe ny nøgleplads.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Diskenhedsnøgle matcher ikke diskenheden.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Nøgleplads %d er ugyldig.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Nøglepladsen %d er ikke brugt.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Enheden %s findes allerede.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Ukorrekt diskenhedsnøgle specificeret for ren enhed.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Ukorrekt roothash specificeret for verity-enhed.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Enhedstype er ikke ordentlig initialiseret.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Enheden %s er stadig i brug.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Ugyldig enhed %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Funkton er ikke tilgængelig i FIPS-tilstand.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Diskenhedsnøglebuffer er for lille.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Kan ikke indhente diskenhedsnøgle for ren enhed.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Denne operation er ikke understøttet for %s crypt-enhed.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Dump-operation er ikke understøttet for denne enhedstype.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Kan ikke indhente procesprioritet.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Kan ikke låse hukommelsen op.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Ikke nok hukommelse under læsning af adgangsfrase.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Kunne ikke læse adgangsfrase fra terminal.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Verificer adgangsfrase: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Adgangsfraser matcher ikke.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Kan ikke bruge forskydning med terminalinddata.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Kunne ikke åbne nøglefil.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Kunne ikke køre stat på nøglefil.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Kan ikke søge til anmodte nøglefilsforskydning.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Der opstod en fejl under læsning af adgangsfrase.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Nøglefilsstørrelsen er over maksimum.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Kan ikke læse den anmodte datamængde.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Enheden %s findes ikke eller adgang nægtet.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Kan ikke bruge en loopback-enhed, kører som ikke-root bruger.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Vedhæftelse af loopback-enhed mislykkedes (loop-enhed med flaget autoclear er krævet).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Kan ikke bruge enheden %s som er i brug (allerede kortlagt eller monteret).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Kan ikke indhente information om enheden %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Anmodt forskydning er mere end den reelle størrelse for enheden %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Enheden %s har nul størrelse.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Enheden %s er for lille.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Kunne ikke opsætte dm-crypt nøgleoversættelse for enhden %s.\n"
+"Kontroller at kernen understøtter krypteringsalgoritmen %s (kontroller syslog for yderligere information).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Nøglestørrelse i XTS-tilstand skal være 256- eller 512-bit.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Kan ikke skrive til enheden %s, tilladelse nægtet.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Kunne ikke åbne midlertidig nøglelagerenhed.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Kunne ikke tilgå midlertidig nøglelagerenhed.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "IO-fejl under kryptering af nøgleplads.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "IO-fejl under dekryptering af nøgleplads.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Enheden %s er for lille. (LUKS kræver mindst %<PRIu64> byte.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Enheden %s er ikke en gyldig LUKS-enhed.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Den anmodte sikkerhedskopifil %s for teksthoveder findes allerede.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Kan ikke oprette sikkerhedskopifilen %s for teksthoveder.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Kan ikke skrive sikkerhedskopifilen %s for teksthoveder.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Sikkerhedskopifilen indeholder ikke gyldige LUKS-teksthoveder.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Kan ikke åbne sikkerhedskopifilen %s for teksthoveder.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Kan ikke læse sikkerhedskopifilen %s for teksthoveder.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Dataforskydning eller nøglestørrelse er forskellige på enhed eller sikkerhedskopi, gendannelse mislykkedes.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Enheden %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "indeholder ikke LUKS-teksthoveder. Erstatning af teksthoved kan ødelægge data på den enhed."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "indeholder allerede LUKS-teksthoveder. Erstatning af teksthoveder vil ødelægge eksisterende nøglepladser."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"ADVARSEL: reel enhedsteksthoved har en anden UUID end sikkerhedskopien!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Kan ikke åbne enheden %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Nøglestørrelsen følger ikke standarden, en manuel reparation er krævet.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Nøglepladsopstillingen følger ikke standarden, en manuel reparation er krævet.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Reparerer nøglepladser.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Reparation mislykkedes."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Nøgleplads %i: forskydning repareret (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Nøgleplads %i: striber (»stripes«) repareret (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Nøgleplads %i: falsk partitionssignatur.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Nøgleplads %i: salt ryddet.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Skriver LUKS-teksthovedet til disken.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "LUKS-version %d er ikke understøttet.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Den anmodte LUKS-hash %s er ikke understøttet.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS-nøgleplads %u er ugyldig.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Ingen kendte problemer detekteret for LUKS-teksthoved.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Fejl under opdatering af LUKS-teksthoved på enhed %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Fejl under genlæsning af LUKS-teksthoved efter opdatering på enhed %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Dataforskydning for frakoblet LUKS-teksthoved skal være enten 0 eller højere end teksthovedstørrelse (%d sektorer).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Forkert LUKS UUID-format anført.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Kan ikke oprette LUKS-teksthoved: læsning af vilkårlig salt mislykkedes.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Ikke kompatible PBKDF2-tilvalg (der bruger hash-algoritme %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Kan ikke oprette LUKS-teksthoved: Teksthovedsammendrag mislykkedes (bruger hash %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Nøgleplads %d aktiv, nulstil (purge) den først.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Nøgleplads %d-materiale inkluderer for mange få striber (»stribes«). Teksthovedmanipulering?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Nøgleplads %d låst op.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Ingen nøgle tilgængelig med denne adgangsfrase.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Nøgleplads %d er ugyldig, vælg nøgleplads mellem 0 og %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Kan ikke rydde enheden %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Detekteret endnu ikke understøttet GPG-krypteret nøglefil.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Brug venligst gpg --decrypt <NØGLEFIL> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Ikke kompatibel loop-AES-nøglefil detekteret.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Kerne understøtter ikke loop-AES-kompatibel oversættelse.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Fejl under læsning af nøglefilen %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Den maksimale længde for TCRYPT-adgangsfrasen (%d) er overskredet.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "PBKDF2-hashalgoritmen %s er ikke tilgængelig, udelader.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Krævet kernegrænseflade for crypto er ikke tilgængelig.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Sikr dig at du har kernemodulet algif_skcipher indlæst.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktivering er endnu ikke understøttet for %d sektorstørrelse.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Kerne understøtter ikke aktivering for denne TCRYPT legacy-tilstand.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Aktivering af TCRYPT-systemkryptering for partition %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Kerne undersøtter ikke TCRYPT-kompatibel oversættelse.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Denne funktion er ikke understøttet uden TCRYPT-teksthovedindlæsning."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Verity-enheden %s bruger ikke on-disk-teksthoved.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Enheden %s er ikke en gyldig VERITY-enhed.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Ikke understøttet VERITY-version %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY-teksthovedet er ødelagt.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Forkert VERITY UUID-format indeholdt på enheden %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Fejl under opdatering af verity-teksthoved på enheden %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Kerne understøtter ikke dm-verity-oversættelse.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Verity-enheden detekterede korruption efter aktivering.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Ledigt område nulstilles ikke (»not zeroed«) på position %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Forskydningsoverløb for enhed.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Verificering mislykkedes på position %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Ugyldig størrelse for parametre for verity-enhed.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "For mange træniveauer for verity-diskenhed.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Verifikation af dataområde mislykkedes.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Verifikation af root-hash mislykkedes.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Inddata/uddata-fejl under oprettelse af hash-område.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Oprettelse af hash-område mislykkedes.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "ADVARSEL: Kerne kan ikke aktivere enhed hvis dataenes blokstørrelse er større end sidestørrelsen (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Kan ikke udføre verificering af adgangsfrase på ikke-tty-inddata.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Ikke kendt specifikationsmønster for krypteringsalgoritme detekteret.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "ADVARSEL: Parameteren --hash bliver ignoreret i ren (plain) tilstand med nøglefil specificeret.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "ADVARSEL: Tilvalget --keyfile-size bliver ignoreret, læsestørrelsen er den samme som størrelsen for krypteringsnøglen.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Tilvalget --key-file er krævet.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Intet enhedsteksthoved detekteret med denne adgangsfrase.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Teksthoveddump med diskenhedsnøgle er sensitiv information\n"
+"som giver adgang til krypteret partition uden adgangsfrase.\n"
+"Dette dump bør altid lagres krypteret et sikkert sted."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Sammenligningens resultat er ikke troværdigt.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Test bruger kun hukommelse omtrentlig (ingen lager-IO).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritme | Nøgle | Kryptering | Dekryptering\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Krypteringsalgoritmen %s er ikke tilgængelig.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "-"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Kan ikke læse nøglefilen %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Kan ikke læse %d byte fra nøglefilen %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Skal LUKS-enhedsteksthovedet forsøges repareres?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Dette vil uigenkaldeligt overskrive data på %s."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "hukommelsesallokeringsfejl i action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Kan ikke bruge %s på on-disk-teksthoved.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Reduceret dataforskydning er kun tilladt for frakoblet LUKS-teksthoved.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Nøgleplads %d valgt for sletning.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Nøglen %d er ikke aktiv. Kan ikke rydde.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Dette er den sidste nøgleplads. Enheden vil blive ubrugelig efter fjernelse af denne nøgle."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Indtast en eventuel tilbageværende adgangsfrase: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Indtast adgangsfrase som skal slettes: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Indtast en eventuel eksisterende adgangsfrase: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Indtast adgangsfrase som skal ændres: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Indtast ny adgangsfrase: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Kun et enhedsargument for isLuks-operation er understøttet.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Tilvalget --header-backup-file er krævet.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Metadataenhedstypen %s blev ikke genkendt.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Kommandoen kræver enhedsnavn og oversat navn som argumenter.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Denne operation vil slette alle nøglepladser på enheden %s.\n"
+"Enheden vil blive ubrugelig efter denne operation."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<enhed> [--type <type>] [<navn>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "åbn enhed som oversættelse <navn>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<navn>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "luk enhed (fjern oversættelse)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "ændr størrelse på aktiv enhed"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "vis enhedsstatus"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <krypteringsalgoritme>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "krypteringsalgoritme for sammenligning"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<enhed>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "prøv at reparere on-disk-metadata"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "slet alle nøglepladser (fjern krypteringsnøgle)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<enhed> [<ny nøglefil>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "formaterer en LUKS-enhed"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "tilføj nøgle til LUKS-enhed"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<enhed> [<nøglefil>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "fjerner leveret nøgle eller nøglefil fra LUKS-enhed"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "ændrer leveret nøgle eller nøglefil for LUKS-enhed"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<enhed> <nøgleplads>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "rydder nøgle med nummer <nøgleplads> fra LUKS-enhed"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "vis UUID for lUKS-enhed"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "tester <enhed> for LUKS-partitionsteksthoved"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "dump LUKS-partitionsinformation"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "dump TCRYPT-enhedsinformation"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Suspender LUKS-enhed og ryd nøgle (alle IO'er fryses fast)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Genoptag suspenderet LUKS-enhed."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Lav sikkerhedskopi af LUKS-enhedsteksthoved og nøglepladser"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Gendan LUKS-teksthoved og nøglepladser"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<handling> er en af:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Du kan også bruge gamle <handling> syntaksaliasser:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<navn> er enheden at oprette under %s\n"
+"<enhed> er den krypterede enhed\n"
+"<nøgleplads> er LUKS-nøglens pladsnummer, der skal ændres\n"
+"<nøglefil> valgfri nøglefil for den nye nøgle for luksAddKey-handling\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Standardindkompileret nøgle og adgangsfraseparametre.\n"
+"\tMaksimal nøglefilsstørrelse: %dkB, Maksimal interaktiv adgangsfraselængde %d (tegn)\n"
+"Standard PBKDF2-iterationstid for LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Standardindkompileret enhedskrypteringsalgoritmeparametre:\n"
+"\tloop-AES: %s, Nøgle %d bit\n"
+"\tplain: %s, Nøgle: %d bit, Adgangskodehashing: %s\n"
+"\tLUKS1: %s, Nøgle: %d bit, LUKS-teksthovedhashing: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: kræver %s som argumenter"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Vis denne hjælpetekst"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Vis en kort brugsmanual"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Hjælpetilvalg:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Vis pakkeversion"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Viser mere detaljerede fejlbeskeder"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Vis fejlsøgningsbeskeder"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Krypteringsalgoritmen brugt til at kryptere disken (se /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Hashen brugt til at oprette krypteringsnøglen fra adgangsfrasen"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verificerer adgangsfrasen ved at anmode om den to gange"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Læs nøglen fra en fil."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Læs diskenhedens (master) nøgle fra fil."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Dump diskenheds (master) nøgle i stedet for information om nøgleplads."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Størrelsen for den krypterede nøgle"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BIT"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Begræns læsningen fra nøglefil"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "byte"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Antallet af byte at udelade i nøglefil"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Begræns læsningnen fra nyligt tilføjet nøglefil"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Antallet af byte at udelade i senest tilføjet nøglefil"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Pladsnummer for ny nøgle (standard er den første ledige)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Størrelse på enheden"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SEKTORER"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Startforskydningen i motorenheden"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Antal sektorer med krypterede data som skal udelades i begyndelsen"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Opret en skrivebeskyttet oversættelse"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2-iteratoinstid for LUKS (i ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Anmod ikke om bekræftelse"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Tidsudløb for interaktiv adgangsfraseprompt (i sekunder)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "sek"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Hvor ofte inddata for adgangsfrasen kan indhentes"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Juster belastning ved <n> sektorgrænser - for luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Fil med LUKS-teksthoved og sikkerhedskopi af nøglepladser."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Brug /dev/random til oprettelse af diskenhedsnøgle."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Brug /dev/urandom til oprettelse af diskenhedsnøgle."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Del enhed med et andet ikkeoverlappende kryptsegment."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID som enheden skal bruge."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Tillader fjernelsesforespørgsler (a.k.a. TRIM) for enhed."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Enhed eller fil med adskilt LUKS-teksthoved."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Aktiver ikke enhed, kontroller bare adgangsfrase."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Brug skjult teksthoved (skjult TCRYPT-enhed)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Enhed er system-TCRYPT-drev (med opstartsindlæser)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Brug sikkerhedskopi (sekundær) TCRYPT-teksthoved."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Skan også for VeraCrypt-kompatibel enhed."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Type for enheds metadata: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Deaktiver kontrol af adgangskodens kvalitet (hvis aktiveret)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Brug tilvalgene dm-crypt og same_cpu_crypt for ydelseskompatibilitet."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Brug tilvalgene dm-crypt og submit_from_crypt_cpus for ydelseskompatibilitet."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[TILVALG...] <handling> <handling-specifik>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Argument <handling> mangler."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Ukendt handling."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Tilvalget --shared er kun tilladt for åbning af en ren enhed.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Tilvalget --allow-discards er kun tilladt for åbne operationer.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Tilvalget --key-size er kun tilladt for luksFormat, open og benchmark.\n"
+"For at begrænse læsning fra nøglefilen bruges --keyfile-size=(bytes)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Tilvalget --test-passphrase er kun tilladt for åbning af LUKS- og TCRYPT-enheder.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Nøglestørrelse skal gå op i 8 bit"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Nøgleplads er ugyldig."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Tilvalget --key-file har forrang over specificeret nøglefilsargument.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Negativ nummer for tilvalg er ikke tilladt."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Kun en parameter for --key-file er tilladt."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Kun et af tilvalgene --use-[u]random er tilladt."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Tilvalget --use-[u]random er kun tilladt for luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Tilvalget --uid er kun tilladt for luksFormat og luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Tilvalget --align-payload er kun tilladt for luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Tilvalget --skip er kun understøttet for åbning af plain- og loopaes-enheder.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Tilvalget --offset er kun understøttet for åbning af plain- og loopaes-enheder.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Tilvalgene --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup er kun understøttet for TCRYPT-enhed.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Tilvaget --tcrypt-hidden kan ikke kombineres med --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Tilvalget --veracrypt er kun understøttet for TCRYPT-enhedstype.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Ugyldig salt-streng specificeret.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Kan ikke oprette hashaftryk %s for skriving.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Ugyldig root-hash-streng specificeret.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<data_enhed> <hash_device>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "formater enhed"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<data_enhed> <hash_enhed> <root_hash>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "verificer enhed"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<navn> <data_enhed> <hash_enhed> <root_hash>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "opret aktiv enhed"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "fjern (deaktiver) enhed"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "vis aktiv enhedsstatus"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<hash_enhed>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "vis on-disk-information"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<navn> er enheden der skal opretttes under %s\n"
+"<data_enhed> er dataenheden\n"
+"<hash_enhed> er enheden indeholdende verifikationsdata\n"
+"<root_hash> hash for root-knuden på <hash_enhed>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Standardindkompilerede dm-verity-parametre:\n"
+"\tHash: %s, Databok (byte): %u, Hashblok (byte): %u, Salt-str.: %u, Hashformat: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Brug ikke verity-superblok"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Formatype (1 - normal, 0 - original Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "nummer"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Blokstørrelse på dataenheden"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Blokstørrelse på hashenheden"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Antallet af blokke i datafilen"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "blokke"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Starter forskydning på hashenheden"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Hashalgoritme"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "streng"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "hex-streng"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Genstart kerne hvis korruption er detekteret"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignorer korruption, log den kun"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Bekræft ikke nulstillede blokke"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Tilvalgene --ignore-corruption, --restart-on-corruption eller --ignore-zero-blocks er kun tilladt for opret-handlingen.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Tilvalgene --ignore-corruption og --restart-on-corruption kan ikke bruges sammen.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Kan ikke eksklusivt åbne %s, enheden er i brug.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Allokering af tilpasset hukommelse mislykkedes.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Kan ikke læse enheden %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Markerer LUKS-enheden %s som ubrugelig.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Kan ikke skrive enhed %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Kan ikke skrive genkrypteringslogfilen.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Kan ikke læse genkrypteringslogfilen.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Logfilen %s findes, genoptager genkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Aktiverer midlertidig enhed via brug af gammel LUKS-teksthoved.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Aktiverer midlertidig enhed via brug af ny LUKS-teksthoved.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Aktivering af midlertidige enheder mislykkedes.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Ny LUKS-teksthoved for enheden %s oprettet.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Aktiveret nøgleplads %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Sikkerhedskopi af LUKS-teksthoved for enheden %s er oprettet.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Oprettelse af LUKS-sikkerhedskopiteksthoveder mislykkedes.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Kan ikke gendanne LUKS-teksthoved på enheden %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "LUKS-teksthoved på enheden %s er gendannet.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Status: %5.1f%%, EAT %02llu:%02llu, %4llu MiB skrevet, hastighed %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Kan ikke søge til enhedsforskydning.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Kan ikke åbne midlertidig LUKS-enhed.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Kan ikke indhente enhedsstørrelse.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Afbrudt af et signal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "IO-fejl under genkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Angivet UUID er ugyldig.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Nøglefil kan kun bruges med --key-slot eller med præcis en aktiv nøgleplads.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Indtast adgangsfrase for nøgleplads %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Kan ikke åbne genkrypteringslogfilen.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Ingen dekryptering i gang, angivet UUID kan kun bruges til at genoptage suspenderet dekrypteringsproces.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Blokstørrelse for genkryptering"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Ændr ikke nøgle, ingen dataområde-genkryptering."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Brug direct-io når enheder tilgås."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Brug fsync efter hver blok."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Opdater logfil efter hver blok."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Brug kun denne plads (andre vil blive deaktiveret)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Reducer dataenhedstørrelse (flyt dataforskydning). FARLIGT!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Brug kun specificeret enhedstørrelse (ignorer resten af enheden). FARLIGT!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Opret nyt teksthoved på ikke krypteret enhed."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Dekrypter enhed permanent (fjern kryptering)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Uuid'en brugt til at genoptage dekryptering."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[TILVALG...] <enhed>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Genkryptering vil ændre: diskenhedsnøgle%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", sæt hash til "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", set krypteringsalgoritme til "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argument krævet."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Kun værdier mellem 1 MiB og 64 MiB tilladt for genkrypteringsblokstørrelsen."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Ugyldig specifikation for enhedsstørrelse."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Maksimal reduceringsstørrelse for enhed er 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Reducer størrelse skal være multiplum af 512 byte sektor."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Tilvalget --new skal bruges sammen med --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Tilvalget --keep-key kan kun bruges med --hash eller --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Tilvalget --new kan ikke bruges sammen med --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Tilvalget --decrypt er ikke kompatibelt med specificerede parametre."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Tilvalget --uuid er kun tilladt sammen med --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Fejl ved læsning af svar fra terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Kommando succesfuld.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Kommando mislykkedes med kode %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Kan ikke kontrollere adganskodekvalitet: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Kontrol af adgangskodens kvalitet mislykkedes:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Kontrol af adgangskodens kvalitet mislykkedes: Ugyldig adgangsfrase (%s)\n"
diff --git a/po/de.po b/po/de.po
new file mode 100644
index 0000000..b24a6f1
--- /dev/null
+++ b/po/de.po
@@ -0,0 +1,1839 @@
+# German translation for the cryptsetup package.
+# Copyright (C) 2010 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Roland Illig <roland.illig@gmx.de>, 2010-2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-03 18:53+0100\n"
+"Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
+"Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 2.0beta3\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden, da das Programm nicht mit Root-Rechten läuft.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden. Ist das Kernelmodul »dm_mod« geladen?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID für Gerät »%s« wurde verkürzt.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Die verlangten dm-crypt-Performance-Optionen werden nicht unterstützt.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Die verlangten dm-verity-Datenbeschädigungs-Optionen werden nicht unterstützt.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Das System hat keine Entropie mehr, um den Laufwerksschlüssel zu generieren.\n"
+"Bitte bewegen Sie die Maus oder tippen Sie etwas Text in ein anderes Fenster, um einige zufällige Ereignisse zu sammeln.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Schlüssel wird generiert (%d %% erledigt).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Laufe im FIPS-Modus.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Fataler Fehler während der Initialisierung des Zufallszahlengenerators.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Unbekannte Qualität des Zufallszahlengenerators verlangt.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Fehler %d beim Einlesen vom Zufallszahlengenerator: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Fehler beim Initialisieren des Krypto-Zufallszahlengenerator-Backends.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Fehler beim Initialisieren des Krypto-Backends.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Hash-Algorithmus »%s« wird nicht unterstützt.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Alle Schlüsselfächer sind voll.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Geben Sie die Passphrase für »%s« ein: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Header gefunden, aber Gerät »%s« ist zu klein.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Diese Operation wird für diese Geräteart nicht unterstützt.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Gerät »%s« ist nicht aktiv.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Zugrundeliegendes Gerät für das Kryptogerät »%s« ist verschwunden.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Ungültige Parameter für Plain-Verschlüsselung.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Ungültige Schlüsselgröße.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID wird für diese Verschlüsselungsart nicht unterstützt.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Ohne Gerät kann LUKS nicht formatiert werden.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Gerät »%s« kann nicht formatiert werden, da es gerade benutzt wird.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Gerät »%s« kann nicht formatiert werden, Zugriff verweigert.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Fehler beim Auslöschen des Headers auf Gerät »%s«.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Ohne Gerät kann LOOPAES nicht formatiert werden.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Ohne Gerät kann VERITY nicht formatiert werden.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Nicht unterstützte VERITY-Hash-Art %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Nicht unterstützte VERITY-Blockgröße.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Nicht unterstützter VERITY-Hash-Offset.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Datenbereich und Hashbereich überlappen sich.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Unbekannte Art des Verschlüsselungsgeräts »%s« verlangt.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Fehler beim Ändern der Größe des Loopback-Geräts.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Wollen Sie wirklich die UUID des Geräts ändern?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Laufwerk »%s« ist nicht aktiv.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Laufwerk »%s« ist bereits im Ruhezustand.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Laufwerk »%s« ist nicht im Ruhezustand.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Passphrase eingeben: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Geben Sie irgendeine Passphrase ein: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Geben Sie die neue Passphrase für das Schlüsselfach ein: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Schlüsselfach %d geändert.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Ersetzt durch Schlüsselfach %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Schlüsselfach %d ist ungültig.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Schlüsselfach %d ist unbenutzt.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Das Gerät »%s« existiert bereits.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Geräteart ist nicht richtig initialisiert.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Gerät »%s« wird gerade benutzt.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Ungültiges Gerät »%s«.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Diese Funktion ist im FIPS-Modus nicht verfügbar.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Laufwerks-Schlüsselpuffer zu klein.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Fehler beim Ermitteln der Prozesspriorität.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Fehler beim Entsperren des Speichers.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Zu wenig Speicher zum Einlesen der Passphrase.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Fehler beim Lesen der Passphrase vom Terminal.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Passphrase bestätigen: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Passphrasen stimmen nicht überein.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Offset kann nicht zusammen mit Terminaleingabe benutzt werden.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Fehler beim Öffnen der Schlüsseldatei.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Fehler beim Öffnen der Schlüsseldatei.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Fehler beim Zugriff auf die Schlüsseldatei.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Fehler beim Einlesen der Passphrase.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Größenbegrenzung für die Schlüsseldatei überschritten.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Die gewünschte Menge an Daten kann nicht eingelesen werden.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Gerät »%s« existiert nicht oder Zugriff verweigert.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Das Loopback-Gerät kann nicht benutzt werden, da das Programm nicht mit Root-Rechten läuft.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Anklemmen des Loopback-Geräts fehlgeschlagen (das Loopback-Gerät benötigt den »autoclear«-Schalter).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Gerät »%s« kann nicht benutzt werden, da es bereits anderweitig benutzt wird.\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Fehler beim Abrufen der Infos über Gerät »%s«.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Der angeforderte Offset ist jenseits der wirklichen Größe des Geräts »%s«.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Gerät »%s« hat die Größe 0.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Gerät »%s« ist zu klein.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Einrichten der dm-crypt-Schlüsselzuordnung für Gerät »%s« fehlgeschlagen.\n"
+"Stellen Sie sicher, dass der Kernel die Verschlüsselung »%s« unterstützt.\n"
+"(Sehen Sie im System-Log nach, ob sich dort Hinweise finden.)\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Schlüsselgröße im XTS-Modus muss entweder 256 oder 512 Bits sein.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Fehler beim Schreiben auf Gerät »%s«, Zugriff verweigert.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Fehler beim Öffnen des temporären Schlüsselspeichergeräts.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Fehler beim Zugriff auf das temporäre Schlüsselspeichergerät.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "E/A-Fehler beim Verschlüsseln des Schlüsselfachs.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "E/A-Fehler beim Entschlüsseln des Schlüsselfachs.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Gerät »%s« ist zu klein. (LUKS benötigt mindestens %<PRIu64> Bytes.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Angeforderte Header-Backupdatei »%s« existiert bereits.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Fehler beim Anlegen der Header-Backupdatei »%s«.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Fehler beim Speichern der Header-Backupdatei »%s«.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Backupdatei enthält keinen gültigen LUKS-Header.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Fehler beim Öffnen der Header-Backupdatei »%s«.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Fehler beim Einlesen der Header-Backupdatei »%s«.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Unterschiedlicher Offset oder Schlüsselgröße zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Gerät »%s« %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "enthält keinen LUKS-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "enthält bereits einen LUKS-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"WARNUNG: Der Header des echten Geräts hat eine andere UUID als das Backup!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Fehler beim Öffnen des Geräts »%s«.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Ungewöhnliche Schlüsselgröße, manuelles Reparieren erforderlich.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Ungewöhnliche Ausrichtung der Schlüsselfächer, manuelles Reparieren erforderlich.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Schlüsselfächer werden repariert.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Fehler beim Reparieren der Schlüsselfächer."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Schlüsselfach %i: Offset repariert (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Schlüsselfach %i: Streifen repariert (%u -> %u).\n"
+
+# XXX
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Schlüsselfach %i: schwindlerische Partitions-Signatur.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Schlüsselfach %i: Salt gelöscht.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "LUKS-Header wird auf den Datenträger geschrieben.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Nicht unterstützte LUKS-Version %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Verlangter LUKS-Hash »%s« wird nicht unterstützt.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS-Schlüsselfach %u ist ungültig.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Keine bekannten Probleme im LUKS-Header erkannt.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Fehler beim Aktualisieren des LUKS-Headers auf Gerät »%s«.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Fehler beim Neueinlesen des LUKS-Headers nach dem Aktualisieren auf Gerät »%s«.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Daten-Offset für separaten LUKS-Header muss entweder 0 sein oder mehr als die Headergröße (%d Sektoren).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Falsches LUKS-UUID-Format angegeben.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Einlesen des zufälligen Salts.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Inkompatible PBKDF2-Optionen (mit Hash-Algorithmus »%s«).\n"
+
+# XXX
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Hashen des Headers (mit Hash-Algorithmus »%s«).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Schlüsselfach %d aktiv, löschen Sie es erst.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Material für Schlüsselfach %d enthält zu wenige Streifen. Manipulation des Headers?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Schlüsselfach %d entsperrt.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Kein Schlüssel mit dieser Passphrase verfügbar.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie ein Schlüsselfach zwischen 0 und %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Gerät »%s« kann nicht ausgelöscht werden.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Noch nicht unterstützte GPG-Schlüsseldatei erkannt.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Bitte benutzen Sie »gpg --decrypt <SCHLÜSSELDATEI> | cryptsetup --keyfile=- …«\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Inkompatible Loop-AES-Schlüsseldatei erkannt.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Kernel unterstützt Loop-AES-kompatibles Mapping nicht.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Maximale Länge der TCRYPT-Passphrase (%d) überschritten.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Der Hash-Algorithmus »%s« für PBKDF2 wird nicht unterstützt, überspringe diesen Teil.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Die benötigte Crypto-Kernel-Schnittstelle ist nicht verfügbar.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Stellen Sie sicher, dass das Kernelmodul »algif_skcipher« geladen ist.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktivierung wird für die Sektorengröße %d nicht unterstützt.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Der Kernel unterstützt die Aktivierung für diesen TCRYPT-Legacymodus nicht.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "TCRYPT-Systemverschlüsselung für Partition »%s« wird aktiviert.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Verity-Gerät »%s« benutzt keinen Header auf dem Datenträger.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Gerät »%s« ist kein gültiges VERITY-Gerät.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Nicht unterstützte VERITY-Version %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY-Header verfälscht.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Falsches VERITY-UUID-Format über Gerät »%s« angegeben.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Fehler beim Aktualisieren des VERITY-Headers auf Gerät »%s«.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Kernel unterstützt dm-verity-Zuordnung nicht.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Verity-Gerät hat eine Verfälschung nach der Aktivierung festgestellt.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Zusätzlicher Platz an Position %<PRIu64> ist nicht ausgenullt.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Überlauf beim Geräte-Offset.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Fehler beim Verifizieren an Position %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Ungültige Größenparameter für Verity-Gerät.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Zu viele Ebenen für Verity-Laufwerk.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Fehler beim Verifizieren des Datenbereichs.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Fehler beim Verifizieren des Root-Hashes.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "E/A-Fehler beim Anlegen des Hash-Bereiches.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Fehler beim Anlegen des Hash-Bereiches.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "WARNUNG: Kernel kann das Gerät nicht aktivieren, wenn die Datenblockgröße die Seitengröße (%u) übersteigt.\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Kein bekanntes Verschlüsselungsmuster entdeckt.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "WARNUNG: Der Parameter --hash wird im Plain-Modus ignoriert, wenn eine Schlüsseldatei angegeben ist.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "WARNUNG: Die Option --keyfile-size wird ignoriert, da die Lesegröße die gleiche ist wie die Verschlüsselungsschlüsselgröße ist.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Die Option »--key-file« muss angegeben werden.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Kein Geräte-Header mit dieser Passphrase gefunden.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Der Headerdump zusammen mit dem Laufwerksschlüssel sind\n"
+"sensible Daten, mit deren Hilfe man ohne Passphrase auf die\n"
+"verschlüsselte Partition zugreifen kann. Dieser Dump sollte\n"
+"daher ausschließlich an einem sicheren Ort und verschlüsselt\n"
+"aufbewahrt werden."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Das Ergebnis des Benchmarks ist nicht zuverlässig.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Die Tests sind nur annähernd genau, da sie nicht auf den Datenträger zugreifen.\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Verschlüsselung »%s« ist nicht verfügbar.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Fehler beim Einlesen von %d Bytes aus der Schlüsseldatei »%s«.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Wirklich versuchen, den LUKS-Geräteheader wiederherzustellen?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Hiermit werden die Daten auf »%s« unwiderruflich überschrieben."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "Speicherproblem in action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Das Gerät »%s« kann nicht als Datenträger-Header benutzt werden.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Verringerter Datenoffset ist nur für separaten LUKS-Header erlaubt.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Schlüsselfach %d zum Löschen ausgewählt.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Schlüssel %d ist nicht aktiv und kann daher nicht ausgelöscht werden.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Dies ist das letzte Schlüsselfach. Wenn Sie diesen Schlüssel löschen, wird das Gerät unbrauchbar."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Geben Sie irgendeine verbleibende Passphrase ein: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Geben Sie die zu löschende Passphrase ein: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Geben Sie irgendeine bestehende Passphrase ein: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Geben Sie die zu ändernde Passphrase ein: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Geben Sie die neue Passphrase ein: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Die Operation »isLuks« unterstützt nur genau ein Geräte-Argument.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Option »--header-backup-file« muss angegeben werden.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Unbekannte Art »%s« des Metadaten-Geräts.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Dieser Befehl benötigt den Gerätenamen und den zugeordneten Namen als Argumente.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Diese Operation wird alle Schlüsselfächer auf Gerät »%s« löschen.\n"
+"Dadurch wird das Gerät unbrauchbar."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<Gerät> [--type <Art>] [<Name>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "Gerät als Zuordnung <Name> öffnen"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<Name>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "Gerät schließen (Zuordnung entfernen)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "Größe des aktiven Geräts ändern"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "Gerätestatus anzeigen"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <Algorithmus>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "Verschlüsselungsalgorithmus benchmarken"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<Gerät>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "Versuchen, die Metadaten auf dem Datenträger zu reparieren"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "Alle Schlüsselfächer löschen (Verschlüsselungsschlüssel entfernen)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<Gerät> [<neue Schlüsseldatei>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "Ein LUKS-Gerät formatieren"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "Schlüssel zu LUKS-Gerät hinzufügen"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<Gerät> [<Schlüsseldatei>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "Entfernt bereitgestellten Schlüssel oder Schlüsseldatei vom LUKS-Gerät"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "Ändert den angegebenen Schlüssel oder die Schlüsseldatei des LUKS-Geräts"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<Gerät> <Schlüsselfach>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "Löscht Schlüssel mit Nummer <Schlüsselfach> vom LUKS-Gerät"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "UUID des LUKS-Geräts ausgeben"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "Testet <Gerät> auf Header einer LUKS-Partition"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "LUKS-Partitionsinformationen ausgeben"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "TCRYPT-Geräteinformationen ausgeben"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "LUKS-Gerät in Ruhezustand versetzen und alle Schlüssel auslöschen (alle IOs werden eingefroren)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "LUKS-Gerät aus dem Ruhezustand aufwecken."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Header und Schlüsselfächer eines LUKS-Geräts sichern"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Header und Schlüsselfächer eines LUKS-Geräts wiederherstellen"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<Aktion> ist eine von:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Sie können auch die alten <Aktion>-Aliase benutzen:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, lookaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<Name> ist das Gerät, das unter »%s« erzeugt wird\n"
+"<Gerät> ist das verschlüsselte Gerät\n"
+"<Schlüsselfach> ist die Nummer des zu verändernden LUKS-Schlüsselfachs\n"
+"<Schlüsseldatei> optionale Schlüsseldatei für den neuen Schlüssel der »luksAddKey«-Aktion\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Vorgabewerte für Schlüssel und Passphrasen:\n"
+"\tMaximale Größe der Schlüsseldatei: %dkB, Maximale Länge der interaktiven Passphrase: %d Zeichen\n"
+"Vorgabe für die Durchlaufzeit für PBKDF2 mit LUKS: %d Millisekunden\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Standard-Verschlüsselungsparameter:\n"
+"\tLoop-AES: %s, Schlüssel %d Bits\n"
+"\tplain: %s, Schlüssel: %d Bits, Passphrase-Hashen: %s\n"
+"\tLUKS1: %s, Schlüssel: %d Bits, LUKS-Header-Hashen: %s, Zufallszahlengenerator: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: Benötigt %s als Argumente"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Diese Hilfe anzeigen"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Kurze Aufrufsyntax anzeigen"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Hilfe-Optionen:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Paketversion ausgeben"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Zeigt detailliertere Fehlermeldungen an"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Zeigt Debugging-Meldungen an"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Der Algorithmus zum Verschlüsseln des Datenträgers (siehe /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Das Hashverfahren, um den Verschlüsselungsschlüssel aus der Passphrase zu erzeugen"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifiziert die Passphrase durch doppeltes Nachfragen"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Schlüssel aus einer Datei lesen."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Laufwerks-(Master-)Schlüssel aus Datei lesen."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Laufwerks-(Master-)schlüssel anstelle der Schlüsselfach-Informationen wegschreiben."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Die Größe des Verschlüsselungsschlüssels"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Begrenzt das Lesen aus der Schlüsseldatei"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "Bytes"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Anzahl der Bytes, die in der Schlüsseldatei übersprungen werden"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Begrenzt das Lesen aus der neu erzeugten Schlüsseldatei"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Anzahl der Bytes, die in der neu erzeugten Schlüsseldatei übersprungen werden"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Fachnummer für den neuen Schlüssel (im Zweifel das nächste freie)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Die Größe des Geräts"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SEKTOREN"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Der Startoffset im Backend-Gerät"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Wieviele Sektoren der verschlüsselten Daten am Anfang übersprungen werden sollen"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Eine schreibgeschützte Zuordnung erzeugen"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2 Iterationszeit for LUKS (in ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "msek"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Nicht nach Bestätigung fragen"
+
+# XXX
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Frist für interaktive Eingabe der Passphrase (in Sekunden)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "sek"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Wie oft die Eingabe der Passphrase wiederholt werden kann"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Nutzdaten an Grenzen von <n> Sektoren ausrichten - für luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Datei mit dem Backup der LUKS-Header und den Schlüsselfächern."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "/dev/random zum Generieren des Laufwerksschlüssels benutzen."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "/dev/urandom zum Generieren des Laufwerksschlüssels benutzen."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Gerät mit einem anderen nicht-überlappenden Kryptosegment teilen."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID für das zu verwendende Gerät."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Auswurf-Anfragen (»TRIM«-Befehl) für das Gerät zulassen."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Gerät oder Datei mit separatem LUKS-Header."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Gerät nicht aktivieren, nur Passphrase überprüfen."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Versteckten Header benutzen (verstecktes TCRYPT-Gerät)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Das Gerät ist das System-TCRYPT-Laufwerk (mit Bootlader)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Backup-(Zweit-)-TCRYPT-Header benutzen."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Auch nach VeryCrypt-kompatiblen Geräten suchen."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Art der Geräte-Metadaten: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Passwort-Qualitätsprüfung deaktivieren (wenn sie aktiviert ist)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Kompatibilitäts-Performance-Option »same_cpu_crypt« für dm-crypt benutzen."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Kompatibilitäts-Performance-Option »submit_from_crypt_cpus« für dm-crypt benutzen."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPTION...] <Aktion> <aktionsabhängig>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Argument <Aktion> fehlt."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Unbekannte Aktion."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Die Option --shared ist nur beim Öffnen eines Plain-Geräts erlaubt.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Die Option --allow-discards ist nur beim Öffnen erlaubt.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Die Option --key-size ist nur für »luksFormat«, »open« und »benchmark« erlaubt.\n"
+"Benutzen Sie stattdessen »--keyfile-size=(Bytes)«, um das Lesen aus der Schlüsseldatei zu begrenzen."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS- und TCRYPT-Geräten erlaubt.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Schlüsselgröße muss ein Vielfaches von 8 Bit sein"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Schlüsselfach ist ungültig."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Die Option --key-file wirkt stärker als das angegebene Schlüsseldatei-Argument.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Negative Zahl für die Option nicht erlaubt."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Die Option --key-file ist nur einmal erlaubt."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Nur eine der Optionen --use-[u]random ist erlaubt."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Die Option --use-[u]random ist nur für luksFormat erlaubt."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Die Option --uuid ist nur für luksFormat und luksUUID erlaubt."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Die Option --align-payload ist nur für luksFormat erlaubt."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Die Option --offset ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Die Option --veracrypt wird nur für TCRYPT-kompatible Geräte unterstützt.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Ungültiger Salt-String angegeben.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Fehler beim Schreiben des Hash-Abbilds »%s«.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Ungültiger Root-Hash-String angegeben.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<Datengerät> <Hash-Gerät>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "Gerät formatieren"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<Datengerät> <Hash-Gerät> <Root-Hash>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "Gerät verifizieren"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<Name> <Datengerät> <Hash-Gerät> <Root-Hash>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "Aktives Gerät anlegen"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "Gerät entfernen (deaktivieren)"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "Status der aktiven Geräte anzeigen"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<Hash-Gerät>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "Auf dem Datenträger gespeicherte Informationen anzeigen"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<Name> ist das Gerät, das unter »%s« angelegt werden soll\n"
+"<Datengerät> ist das Datengerät\n"
+"<Hash-Gerät> ist das Gerät, das die Verifikationsdaten enthält\n"
+"<Root-Hash> ist der Hash des Rootknotens auf <Hash-Gerät>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Einkompilierte Vorgabewerte für dm-verity:\n"
+"\tHash: %s, Datenblock (Bytes): %u, Hashblock (Bytes): %u, Salt-Größe: %u, Hashformat: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Verity-Superblock nicht benutzen"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Format-Art (1 - normal, 0 - originales Chrome-OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "Zahl"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Blockgröße auf dem Datengerät"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Blockgröße auf dem Hash-Gerät"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Die Anzahl der Blöcke in der Datendatei"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "Blöcke"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Start-Offset auf dem Hash-Gerät"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Hash-Algorithmus"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "Zeichenkette"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "Hex-Zeichenkette"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Kernel neustarten wenn Beschädigung festgestellt wird"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Beschädigung ignorieren, nur mitloggen"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Ausgenullte Blöcke nicht überprüfen"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Die Optionen --ignore-corruption, --restart-on-corruption und --ignore-zero-blocks sind nur für die Create-Aktion erlaubt.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Die Optionen --ignore-corruption und --restart-on-corruption können nicht zusammen benutzt werden.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Belegen des ausgerichteten Speichers fehlgeschlagen.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Fehler beim Lesen von Gerät »%s«.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "LUKS-Gerät »%s« wird als unbenutzbar markiert.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Fehler beim Schreiben auf Gerät »%s«.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Fehler beim Speichern der Wiederverschlüsselungs-Logdatei.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Fehler beim Einlesen der Wiederverschlüsselungs-Logdatei.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Logdatei »%s« existiert, Wiederverschlüsselung wird fortgesetzt.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Temporäres Gerät mit dem alten LUKS-Header wird aktiviert.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Temporäres Gerät mit dem neuen LUKS-Header wird aktiviert.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Fehler beim Aktivieren der temporären Geräte.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Neuer LUKS-Header für Gerät »%s« angelegt.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Schlüsselfach %i aktiviert.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "LUKS-Backup-Header von Gerät »%s« angelegt.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Fehler beim Anlegen des LUKS-Backup-Headers.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Fehler beim Wiederherstellen des LUKS-Headers auf Gerät »%s«.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "LUKS-Header auf Gerät »%s« wiederhergestellt.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Fortschritt: %5.1f%%, noch %02llu:%02llu, %4llu MiB geschrieben bei %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Fehler beim Springen zum Gerät-Offset.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Fehler beim Öffnen des temporären LUKS-Geräts.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Fehler beim Ermitteln der Gerätegröße.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Durch ein Signal unterbrochen.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "E/A-Fehler während der Wiederverschlüsselung.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Die angegebene UUID ist ungültig.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Fehler beim Öffnen der Wiederverschlüsselungs-Logdatei.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Derzeit ist keine Entschlüsselung im Gange, die angegebene UUID kann nur benutzt werden, um einen unterbrochenen Entschlüsselungsvorgang fortzusetzen.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Wiederverschlüsselungs-Blockgröße"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Schlüssel nicht ändern, Datenbereich nicht neu verschlüsseln."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Beim Zugriff auf die Geräte direct-io benutzen."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Nach jedem Block fsync aufrufen."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Logdatei nach jedem Block aktualisieren."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Nur dieses Schlüsselfach benutzen (alle anderen werden deaktiviert)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Größe des Datengeräts reduzieren (Datenoffset verschieben). GEFÄHRLICH!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Nur die angegebene Gerätegröße benutzen (Rest des Gerätes ignorieren). GEFÄHRLICH!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Neuen Header auf unverschlüsseltem Gerät anlegen."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Gerät dauerhaft entschlüsseln (Verschlüsselung entfernen)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Die UUID, um das Entschlüsseln fortzusetzen."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPTION...] <Gerät>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Wiederverschlüsselung ändert: Laufwerkskennung%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", Hash auf "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", Verschlüsselung auf "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argument muss angegeben werden."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Für die Wiederverschlüsselungs-Blockgröße sind nur Werte zwischen 1 MiB und 64 MiB erlaubt."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Ungültige Angabe der Gerätegröße."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Die maximale Verkleinerungsgröße ist 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Die verkleinerte Größe muss ein Vielfaches von 512-Byte-Sektoren sein."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Die Option »--new« muss zusammen mit »--reduce-device-size« benutzt werden."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Die Option »--keep-new« kann nur zusammen mit »--hash« oder »--iter-time« benutzt werden."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Die Option »--new« kann nicht zusammen mit »--decrypt« benutzt werden."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Die Option --decrypt verträgt sich nicht mit den angegebenen Parametern."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Die Option »--uuid« kann nur zusammen mit »--decrypt« benutzt werden."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Fehler beim Lesen der Antwort vom Terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Befehl erfolgreich.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Fehler %i beim Ausführen eines Befehls"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Fehler beim Prüfen der Passwortqualität: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Passwort-Qualitätsüberprüfung fehlgeschlagen:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Passwort-Qualitätsüberprüfung fehlgeschlagen: Falsche Passphrase (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Kein freies Loopback-Gerät gefunden.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Fehler beim Öffnen von Gerät »%s«.\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Die angegebene UUID kann nur während dem Entschlüsseln verwendet werden.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "LUKS-Gerät »%s« wird als benutzbar markiert.\n"
diff --git a/po/es.po b/po/es.po
new file mode 100644
index 0000000..df27d24
--- /dev/null
+++ b/po/es.po
@@ -0,0 +1,1906 @@
+# Spanish translations for cryptsetup package
+# Traducciones al español para el paquete cryptsetup.
+# Copyright (C) 2014, 2015, 2016, 2017 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Antonio Ceballos <aceballos@gmail.com>, 2013, 2014, 2015, 2016, 2017
+#
+# ######################################################################
+# Traducciones dudosas:
+# ######################################################################
+#
+# initialize = inicializar
+# kernel = núcleo
+# imperativo - usted
+# % done = % hecho
+# fatal error = error fatal
+# RNG = generador de números aleatorios
+# not supported = no disponible
+# key slot = ranura de claves
+# passphrase = frase contraseña
+# offset = desplazamiento
+# offset = posición
+# suspended = suspendido
+# plain device = dispositivo no cifrado (dispositivo en claro)
+# crypt device = dispositivo cifrado
+# error reading = error al leer
+# keyfile = fichero de claves (¿fichero de la clave?)
+# checksum = suma de comprobación
+# loopback device = dispositivo de bucle invertido (Santiago: dispositivo de bucle)
+# backup file = fichero de copia de seguridad
+# please - omitido, porque ya es suficiente cortesía tratar de usted al usuario
+# wipe = limpiar, borrar
+# interface = (la) interfaz
+# cipher = algoritmo de cifrado
+# default = predefinido
+# default compiled-in = predefinido de fábrica
+# debug = depuración
+# bootloader = cargador de arranque
+# verify = verificar
+# verification = verificación
+# log file = fichero de registro
+# temporary = temporal
+# reencryption = recifrado
+# invalid = no válido, -a
+#
+# #######################################################################
+# Términos no traducidos
+# #######################################################################
+#
+# device mapper
+# backend
+# hash
+# buffer
+# offset
+# bit(s)
+# byte(s)
+# loopaes
+# luks
+# tcrypt
+# salt
+# verity
+#
+# #######################################################################
+# Otras dudas
+# #######################################################################
+#
+# invalid = inválido, -a -> barbarismo -> mejor: no válido
+# on-disk
+#
+# #######################################################################
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 23:28+0100\n"
+"Last-Translator: Antonio Ceballos <aceballos@gmail.com>\n"
+"Language-Team: Spanish <es@tp.org.es>\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "No se puede inicializar el «device mapper», ejecutando como usuario no administrador.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "No se puede inicializar el «device-mapper». ¿Está cargado el módulo del núcleo dm_mod?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "El DM-UUID del dispositivo %s ha sido truncado.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Las opciones de rendimiento de dm-crypt solicitadas no están disponibles.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Las opciones de manejo de corrupción de datos de dm-verity solicitadas no están disponibles.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"El sistema se ha quedado sin entropía mientras estaba generando la clave del volumen.\n"
+"Por favor, mueva el ratón o pulse alguna tecla en otra ventana para provocar algún evento aleatorio.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Generando la clave (%d%% hecho).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Modo FIPS en funcionamiento.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Error fatal durante la inicialización del generador de números aleatorios.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "La calidad solicitada para el generador de números aleatorios es desconocida.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Error %d leyendo del generador de números aleatorios: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "No se puede inicializar el «backend» del generador de números aleatorios de cifrado.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "No se puede inicializar el «backend» de cifrado.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Algoritmo «hash» %s no disponible.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Error de procesamiento de la clave (usando «hash» %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "No se puede determinar el tipo de dispositivo. ¿Es incompatible la activación del dispositivo?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Esta operación solamente está disponible para dispositivos LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Todas las ranuras de claves están llenas.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "La ranura de claves %d no es válida; seleccione un número entre 0 y %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "La ranura de claves %d está llena; seleccione otra.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Introduzca la frase contraseña de %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Cabecera detectada pero el dispositivo %s es demasiado pequeño.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Esta operación no está disponible para este tipo de dispositivo.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "El dispositivo %s no está activo.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "El dispositivo subyacente asociado al dispositivo cifrado %s ha desaparecido.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Parámetros de cifrado para modo claro no válidos.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Tamaño de clave no válido.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "El UUID no está disponible para este tipo de cifrado.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Imposible dar formato LUKS sin dispositivo.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "No se puede dar formato al dispositivo %s que todavía está en uso.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "No se puede dar formato al dispositivo %s; permiso denegado.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "No se puede limpiar la cabecera del dispositivo %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Imposible dar formato LOOPAES sin dispositivo.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Imposible dar formato VERITY sin dispositivo.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Tipo de «hash» VERITY %d no disponible.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Tamaño de bloque VERITY no disponible.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Desplazamiento «hash» VERITY no disponible.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "La zona de datos se solapa con la zona «hash».\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "El tipo de dispositivo cifrado % solicitado es desconocido.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "No se ha podido cambiar el tamaño del dispositivo de bucle.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "¿Está seguro de que quiere cambiar el UUID del dispositivo?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "El volumen %s no está activo.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "El volumen %s ya está suspendido.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "La suspensión no está disponible para el dispositivo %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Error durante la suspensión del dispositivo %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "EL volumen %s no está suspendido.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "La reanudación no está disponible para el dispositivo %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Error durante la reanudación del dispositivo %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Introduzca la frase contraseña: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Introduzca una frase contraseña cualquiera: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Introduzca una nueva frase contraseña para la ranura de claves: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "LA ranura de claves %d ha cambiado.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Reemplazado con ranura de claves %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "No se ha logrado intercambiar la nueva ranura de claves.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "La clave de volumen no corresponde a este volumen.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "La ranura de claves %d no es válida.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "La ranura de claves %d no se está utilizando.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "El dispositivo %s ya existe.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Clave de volumen incorrecta para dispositivo no cifrado.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "«Hash» raíz incorrecta para dispositivo «verity».\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "El dispositivo %s todavía se está utilizando.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Dispositivo inválido %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Función no disponible en modo FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "El «buffer» de la clave del volumen es demasiado pequeño.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "No se puede recuperar la clave para el dispositivo no cifrado.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Esta operación no está disponible para el dispositivo cifrado %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Operación de volcado no deisponible para este tipo de dispositivo.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "No se puede obtener la prioridad del proceso.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "No se puede desbloquear la memoria.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Memoria agotada mientras se estaba leyendo la frase contraseña.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Error al leer la frase contraseña desde el terminal.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Verifique la frase contraseña: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "La frase contraseña no coincide.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "No se puede usar «offset» con entrada desde terminal.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "No se ha podido abrir el fichero de claves.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "No se ha podido efectuar «stat» sobre el fichero de claves.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "No es posible situarse en la posición solicitada del fichero de claves.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Error al leer la frase contraseña.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Se ha excedido el tamaño máximo de fichero de claves.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "No se puede leer la cantidad de datos solicitada.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "El dispositivo %s no existe o el acceso al mismo ha sido denegado.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "No se puede utilizar un dispositivo de bucle invertido como usuario no administrador.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "No se ha logrado asociar el dispositivo de bucle invertido (hace falta un dispositivo de bucle con marcador de auto-limpieza).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "No se puede usar el dispositivo %s porque ya está en uso (asignado o montado).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "No se puede obtener información del dispositivo %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "El «offset» solicitado está más allá del tamaño real del dispositivo %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "El dispositivo %s tiene tamaño cero.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "El dispositivo %s es demasiado pequeño.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"No se ha podido establecer asignación de clave dm-crypt al dispositivo %s.\n"
+"Compruebe que el núcleo admite el algoritmo de cifrado %s (consulte syslog para más información).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "El tamaño de clave en modo XTS debe ser 256 o 512 bits.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "No se puede escribir en el dispositivo %s; permiso denegado.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "No se ha podido abrir el dispositivo de almacenamiento de claves temporal.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "No se ha podido acceder al dispositivo de almacenamiento de claves temporal.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Error de entrada/salida mientras se cifraba una ranura de claves.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Error de entrada/salida mientras se descifraba una ranura de claves.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "El dispositivo %s es demasiado pequeño. (LUKS necesita %<PRIu64> btyes como mínimo.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "El dispositivo %s no es un dispositivo LUKS válido.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "El fichero de copia de seguridad de cabecera solicitado %s ya existe.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "No se puede crear el fichero de copia de seguridad %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "No se puede escribir en el fichero de copia de seguridad %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "El fichero de copia de seguridad no contiene una cabecera LUKS válida.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "No se puede abrir el fichero de copia de seguridad de cabecerda %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "No se puede leer el fichero de copia de seguridad de cabecerda %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "La posición de los datos o el tamaño de la clave no coinciden en el dispositivo y en la copia de seguridad.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Dispositivo %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "no contiene cabecera LUKS. Reemplazar la cabecera puede destruir los datos en ese dispositivo."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "ya contiene cabecera LUKS. Reemplazar la cabecera destruirá las ranuras de claves existentes."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"ATENCIÓN: ¡la cabecera del dispositivo real tiene un UUID distinto que el de la copia de seguridad!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "No se puede abrir el dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "El tamaño de la clave no es estándar; se requiere una reparación manual.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "El alineamiento de las ranuras de claves no es estándar; se requiere una reparación manual.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Reparando ranuras de claves.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "La reparación ha fallado."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Ranura de claves %i: posición reparada (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Ranura de claves %i: bandas reparadas (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Ranura de claves %i: la firma de la partición es falsa.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Ranura de claves %i: «salt wiped».\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Escribiendo cabecera LUKS en el disco.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Versión LUKS no disponible %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "La «hash» LUKS solicitada %s no está disponible.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "La ranura de claves LUKS %u no es válida.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "No se ha detectado ningún problema en la cabecera LUKS.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Error al actualizar la cabecera LUKS en el dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Error al leer la cabecera LUKS después de actualizarla en el dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "La posición de los datos de una cabecera LUKS separada debe ser 0 o superior al tamaño de la cabecera (%d sectores).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "El formato de UUID LUKS proporcionado es incorrecto.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "No se puede crear la cabecera LUKS: fallo en la lectura «random salt».\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Opciones PBKDF2 no compatibles (usando el algoritmo «hash» %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "No se puede crear la cabecera LUKS: fallo en la cabecera (usando «hash» %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "La ranura de claves %d está activa; primero hay que purgar.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "El material de la ranura de claves %d no tiene suficientes bandas. Quizá se haya manipulado la cabecera.\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Ranura de claves %d desbloqueada.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "No hay ninguna clave disponible con esa frase contraseña.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "La ranura %d no es válida; seleccione una ranura de claves entre 0 y %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "No se puede limpiar el dispositivo %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Se ha detectado un fichero de claves cifrado con GPG que el programa no puede procesar en la actualidad.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Utilice 'gpg --decrypt <FICHERO-DE-CLAVES> | cryptsetup --keyfile=- ...'\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Se ha detectado un fichero de claves incompatible con «loop-AES».\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "El núcleo no admite asignación compatible con «loop-AES».\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Error leyendo el fichero de claves %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Se ha excedido la longitud máxima (%d) de la frase contraseña TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "El algoritmo «hash» %s no está disponible, por lo que se ha ignorado.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "La interfaz de cifrado del núcleo requerida no está disponible.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Asegúrese de que el módulo del núcleo algof_skcipher está cargado.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "No es posible la activación para el tamaño de sector %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "El núcleo no dispone de activación para este modo antiguo TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Activando el sistema de cifrado TCRYPT para la partición %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "El núcleo no admite asignación compatible con TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Esta función no está disponible sin carga de cabecera TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "El dispositivo «verity» %s no utiliza cabecera en disco.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "El dispositivo %s no es un dispositivo VERITY válido.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Versión VERITY %d no disponible.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Cabecera VERITY corrupta.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "El formato UUID VERITY proporcionado en el dispositivo %s es incorrecto.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Error al actualizar la cabecera «verity» en el dispositivo %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "El núcleo no dispone de asignación «dm-verity».\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "El dispositivo «verity» ha detectado algo corrupto después de la activación.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "El área de reserva no tiene ceros en la posición %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Desbordamiento de la posición del dispositivo.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "La verificación ha fallado en la posición %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Parámetros de tamaño inválido para un dispositivo «verity».\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Demasiados niveles de arborescencia en el volumen «verity».\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Fallo en la verificación del área de datos.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Fallo en la verificación de la «hash» raíz.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Error de entrada/salida al crear el área «hash».\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "La creación del área «hash» ha fallado.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "ATENCIÓN: el núcleo no puede activar un dispositivo si el tamaño del bloque de datos excede el tamaño de página (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "No se puede hacer verificación de frase contraseña en entradas no tty.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "ATENCIÓN: No se va a hacer caso del parámetro --hash en modo no cifrado con el fichero de claves especificado.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "ATENCIÓN: No se va a hacer caso de la opción --keyfile-size; el tamaño de lectura es igual al tamaño de la clave de cifrado.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Es necesaria la opción --key-file.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "No se ha detectado ninguna cabecera de dispositivo con esa frase contraseña.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"El volcado de la cabecera con la clave del volumen es información\n"
+"sensible que permite el acceso a una partición cifrada sin frase contraseña.\n"
+"Este volcado debería almacenarse siempre cifrado en un lugar seguro."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "El resultado de la comparativa no es fiable.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Las pruebas son solo aproximadas usando memoria (no hay entrada/salida de almacenadmiento).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritmo | Clave | Cifrado | Descifrado\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "El algoritmo de cifrado %s no está disponible.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "/N/A"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "No se puede leer el fichero de claves %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "No se pueden leer %d «bytes» en el fichero de claves %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "¿Está seguro de que quiere intentar reparar la cabecera del dispositivo LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Esto sobreescribirá los datos en %s de forma irrevocable."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "error de reserva de memoria en action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "No se puede utilizar %s como cabecera en disco.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "La posición de datos reducida está permitida solamente para cabecera LUKS separada.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "La ranura de claves %d se va a borrar.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "La clave %d no está activa. No se puede limpiar.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Esta es la última ranura de claves. El dispositivo quedará inutilizado después de purgar esta clave."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Introduzca cualquier frase contraseña que quede: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Introduzca la frase contraseña que hay que borrar: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Introduzca cualquier frase contraseña que exista: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Introduzca la frase contraseña que hay que cambiar: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Introduzca una nueva frase contraseña: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "La operación isLuks solo admite un argumento de dispositivo.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Es necesaria la opción --header-backup-file.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Tipo de dispositivo de metadatos %s no reconocido.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Esta orden necesita como argumentos el dispositivo y el nombre asociado.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Esta operación borrará todas las ranuras de claves en el dispositivo %s.\n"
+"El dispositivo quedará inutilizable después de esta operación."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<dispositivo> [--type <tipo> [<nombre>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "abrir el dispositivo como asociado a <nombre>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<nombre>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "cerrar dispositivo (eliminar asociación)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "cambiar el tamaño del dispositivo activo"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "mostrar el estado del dispositivo"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cypher <algoritmo_de_cifrador>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "algoritmo de cifrado para pruebas"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<dispositivo>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "intentar reparar metadatos en disco"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "borrar todas las ranuras de claves (eliminar clave de cifrado)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<dispositivo> [<nuevo fichero de claves>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "da formato a un dispositivo LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "añadir clave a un dispositivo LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<dispositivo> [<fichero de claves>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "elimina la clave suministrada o el fichero de claves del dispositivo LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "cambia la clave suministrada o el fichero de claves del dispositivo LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<dispositivo> <ranura de claves>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "borra la clave con el número <ranura de clave> del dispositivo LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "imprimir el UUID del dispositivo LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "comprueba si <dispositivo> tiene cabecera de partición LUKS"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "volcar información sobre la partición LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "volcar información sobre el dispositivo TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Suspender el dispositivo LUKS y limpiar la clave (todas las entradas/salidas congeladas)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Reanudar el dispositivo LUKS suspendido."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Hacer copia de seguridad de la cabecera y de las ranuras de claves del dispositivo LUKS"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Restaurar la cabecera y las ranuras de claves del dispositivo LUKS"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<acción> es una de:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"También se pueden utilizar los alias del tipo <acción> de la antigua sintaxis:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nombre> es el dispositivo que se va a crear en %s\n"
+"<dispositivo> es el dispositivo cifrado\n"
+"<ranura de claves> es el número de la ranura de claves que se va a modificar\n"
+"<fichero de claves> fichero de claves opcional para la nueva clave para la acción 'luksAddKey'\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Parámetros predefinidos de fábrica de clave y de frase contraseña:\n"
+"\tTamaño máximo del fichero de claves: %dk8, Longitud máxima de frase contraseña interactiva: %d (caracteres)\n"
+"Tiempo PBKDF2 de iteración de LUKS predefinido: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Parámetros predefinidos de fábrica del algoritmo de cifrado de dispositivos:\n"
+"\tbucle-AES: %s, Clave %d bits\n"
+"\tsin cifrado: %s, Clave: %d bits, Contraseña «hashing»: %s\n"
+"\tLUKS1: %s, Clave: %d bits, «hashing» de la cabecera LUKS: %s, Generador de números aleatorios: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: necesita %s como argumentos"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Mostrar este mensaje de ayuda"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Mostrar brevemente cómo se usa"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Opciones de ayuda:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Imprimir versión del paquete"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Muestra mensajes de error más detallados"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Mostrar mensajes de depuración"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Algoritmo de cifrado utilizado para cifrar el disco (ver /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Algoritmo «hash» utilizado para crear la clave de cifrado a partir de la frase contraseña"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifica la frase contraseña preguntándola dos veces"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Leer la clave de un fichero."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Leer la clave (maestra) del volumen desde fichero."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Volcar la clave (maestra) del volumen en lugar de la información de las ranuras de claves."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Tamaño de la clave de cifrado"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Limita la lectura desde fichero de claves"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "bytes"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Número de bytes que hay que saltar en el fichero de claves"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Limita la lectura desde un fichero de claves recién añadido"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Número de bytes que hay que saltar en el fichero de claves recién añadido"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Número de ranura para la nueva clave (el primero libre es lo predefinido)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Tamaño del dispositivo"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SECTORES"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "iPosición de comienzo en el dispositivo «backend»"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Cuántos sectores de los datos cifrados hay que saltar al principio"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Crear una asignación alatoria"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Tiempo de iteración PBKDF2 para LUKS (en ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "No pedir confirmación"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Tiempo de espera máximo para petición interactiva de frase contraseña (en segundos)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Con qué frecuencia se puede volver a intentar introducir la frase contraseña"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Alinear los datos a <n> bordes de sector - para luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Fichero con copia de seguridad de cabecera LUKS y de ranuras de clave."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Usar /dev/random para generar la clave del volumen."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Usar /dev/urandom para generar la clave del volumen."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Compartir dispositivo con otro segmento cifrado no solapado."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID del dispositivo que se va a usar."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Permitir solicitudes de descarte (también llamadas TRIM) para el dispositivo."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Dispositivo o fichero con cabecera LUKS separada."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "No activar dispositivo; comprobar frase contraseña solamente."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Utilizar cabecera oculta (dispositivo TCRYPT oculto)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "El dispositivo es una unidad con sistema TCRYPT (con cargador de arranque)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Utilizar la cabecera TCRYPT de respaldo (secundaria)."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Explorar también si es un dispositivo compatible con VeraCrypt."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Tipo de metadatos del dispositivo: «luks», no cifrado, «loopaes», «tcrypt»."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Desactivar la comprobación de la calidad de la contraseña (si estaba activada)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Utilizar la opción de compatibilidad de rendimiento same_cpu_crypt de dm-crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Utilizar la opción de compatibilidad de rendimiento submit_from_crypt_cpus de dm-crypt."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPCIÓN...] <acción> <acción-específica>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "El argumento <acción> no se ha proporcionado."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Acción desconocida."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "La opción --shared solo se permite para abrir dispositivos no cifrados.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "La opción --allow-discards solo se permite para la operación de abrir.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"La opción --key-size solo se permite con luksFormat, open y benchmark.\n"
+"Para limitar la lectura del fichero de claves, utilizar --keyfile-size=(bytes)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS y TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "El tamaño de clave debe ser un múltiplo de 8 bits"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "La ranura de claves no es válida."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "La opción --key-file tiene precedencia sobre el argumento de fichero de claves especificado.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "No se permiten números negativos para esta opción."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Solo se permite un argumento --key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Solo se permite una de las opciones --use-[u]random."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "La opción --use-[u]random solo se permite con luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "La opción --uuid solo se permite con luksFormat luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "La opción --align-payload solo se permite con luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "La opción --skip solo está disponible para abrir dispositivos no cifrados y «loopaes».\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "La opción --offset solo está disponible para abrir dispositivos no cifrados y «loopaes».\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "La opción --tcrypt-hidden o --tcrypt-system o --tcrypt-backup solo está disponible para dispositivos TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "La opción --tcrypt-hidden no puede combinarse con --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "La opción --veracrypt solo está disponible para dispositivos TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "La cadena «salt» especificada no es válida.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "No se puede crear la imagen «hash» %s para escribir.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "La cadena «hash» raíz especificada no es válida.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<dispositivo_de_datos> <dispositivo_«hash»>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "dar formato al dispositivo"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<dispositivo_de_datos> <dispositivo_«hash»> <«hash»_raíz>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "verificar dispositivo"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nombre> <dispositivo_de_datos> <dispositivo_«hash»> <«hash»_raíz>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "crear dispositivo activo"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "eliminar (desactivar) dispositivo"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "mostrar el estado del dispositivo activo"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<dispositivo_«hash»>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "mostrar información sobre el disco"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nombre> es el dispositivo que se va a crear bajo %s\n"
+"<dispositivo_de_datos> es el dispositivo de datos\n"
+"<dispositivo_«hash»> es el dispositivo que contiene los datos de verificación\n"
+"<«hash»_raíz> «hash» del nodo raíz en «dispositivo—«hash»>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Parámetros dm-verity predefinidos de fábrica:\n"
+"\tAlgoritmo «hash»: %s, Bloque de datos (bytes): %u, Bloque «hash» (bytes): %u, Tamaño de «salt»: %u, Formato «hash»: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "No utilizar superbloque «verity»"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Tipo de formato (1 - normal, 0 - Chrome OS original)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "número"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Tamaño de bloque en el dispositivo de datos"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Tamaño de bloque en el dispositivo «hash»"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Número de bloques en el fichero de datos"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "bloques"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Posición inicial en el dispositivo «hash»"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Algoritmo «hash»"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "cadena"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "«Salt»"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "cadena hexadecimal"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Reiniciar el núcleo si se detecta corrupción"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignorar corrupción, tomar nota únicamente"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "No verificar bloques con zeros"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Las opciones --ignore-corruption, --restart-on-corruption y --ignore-zero-blocks solo están permitidas para la operación de crear.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Las opciones --ignore-corruption y --restart-on-corruption no pueden utilizarse juntas.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "No se puede abrir %s en exclusividad; el dispositivo está en uso.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "La reserva de memoria alineada ha fallado.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "No se puede leer el dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Marcando el dispositivo LUKS %s como inutilizable.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "No se puede escribir en el dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "No se puede escribir en el fichero de registro de recifrado.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "No se puede leer el fichero de registro de recifrado.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "El fichero de registro %s ya existe; reanudando el recifrado.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Activando dispositivo temporal utilizando cabecera LUKS antigua.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Activando dispositivo temporal utilizando cabecera LUKS nueva.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Fallo en la activación de los dispositivos temporales.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Se ha creado una nueva cabecera LUKS para el dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Se ha activado la ranura de claves %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Se ha creado una copia de seguridad de la cabecera LUKS del dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Fallo al crear la copia de seguridad de las cabeceras LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "No se puede restaurar la cabecera LUKS en el dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Se ha restaurado la cabecera LUKS en el dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Progreso: %5.1f%%, ETA %02llu:%02llu, %4llu MiB escritos, velocidad %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "No es posible situarse en la posición del dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "No se puede abrir el dispositivo LUKS temporal.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "No se puede obtener el tamaño del dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Interrumpido por una señal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Error de entrada/salida durante el recifrado.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "El UUID proporcionado no es válido.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Introduzca la fase contraseña para la ranura de claves %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "No se puede abrir el fichero de registro de recifrado.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "No hay ningún proceso de descifrado en marcha; el UUID proporcionado solo puede utilizarse para reanudar un proceso de descifrado suspendido.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Tamaño de bloque de recifrado"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "No cambie la clave; no hay recifrado en la zona de datos."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Utilizar entrada/salida directa para acceder a los dispositivos."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Utilizar fsync después de cada bloque."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Actualizar el fichero de registro después de cada bloque."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Utilizar solamente esta ranura (se desactivarán las demás)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Reducir el tamaño del dispositivo de datos (mover la posición de los datos). ¡PELIGROSO!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Utilizar solamente el tamaño especificado de dispositivo (ignorar el resto del dispositivo). ¡PELIGROSO!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Crear nueva cabecera en dispositivo no cifrado."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Descrifrar el dispositivo de forma permanente (eliminar cifrado)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "El uuid utilizado para reanudar el descifrado."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPCIÓN...] <dispositivo>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "El recifrado va a cambiar: clave del volumen%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", nuevo algoritmo «hash»: "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", nuevo algoritmo de cifrado: "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Hace falta argumento."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Solo se permiten valores entre 1 MiB y 64 MiB para el tamaño de bloque de recifrado."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "La especificación del tamaño del dispositivo no es válida."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "El tamaño máximo de reducción del dispositivo es de 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "El tamaño de reducción debe ser múltiplo de sectores de 512 bytes."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "La opción --new debe utilizarse conjuntamente con --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "La opción --keep-key solamente puede utilizarse con --hash o --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "La opción --new no puede utilizarse conjuntamente con --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "La opción --decrypt es incompatible con los parámetros especificados."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "La opción --uuid solo está permitida conjuntamente con --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Error de lectura de la respuesta recibida desde el terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Orden ejecutada correctamente.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "La orden ha fallado con código %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "No se puede comprobar la calidad de la contraseña: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Fallo en la comprobación de la calidad de la contraseña:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Fallo en la comprobación de la calidad de la contraseña: frase contraseña incorrecta (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "No se ha encontrado ningún dispositivo de bucle invertido libre.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "No se puede abrir el dispositivo %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "No se puede utilizar el UUID pasado a menos que haya descifrado en curso.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Marcando el dispositivo LUKS %s como utilizable.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "ATENCIÓN: este código es experimental; puede ser que sus datos queden deteriorados por completo.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "La verificación de suma («checksum») FIPS ha fallado.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "ATENCIÓN: el dispositivo %s es una partición; para el sistema de cifrado TCRYPT normalmente se necesita usar la ruta de un dispositivo de bloque entero.\n"
diff --git a/po/fi.po b/po/fi.po
new file mode 100644
index 0000000..7cfbba4
--- /dev/null
+++ b/po/fi.po
@@ -0,0 +1,1933 @@
+# Finnish messages for cryptsetup.
+# Copyright © 2011, 2012, 2013, 2014, 2015 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# This file is distributed under the same license as the cryptsetup package.
+# Jorma Karvonen <karvonen.jorma@gmail.com>, 2011-2015.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.0\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2015-10-29 13:27+0100\n"
+"PO-Revision-Date: 2015-11-08 12:48+0200\n"
+"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
+"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
+"Language: fi\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: lib/libdevmapper.c:253
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Laitekuvaimen alustus epäonnistui, suoritetaan ei-root-käyttäjänä.\n"
+
+#: lib/libdevmapper.c:256
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Laitekuvaimen alustus epäonnistui. Onko dm_mod-käyttöjärjestelmäydinmoduuli ladattu?\n"
+
+#: lib/libdevmapper.c:551
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID laitteelle %s typistettiin.\n"
+
+#: lib/libdevmapper.c:699
+msgid "Requested dmcrypt performance options are not supported.\n"
+msgstr "Pyydetyt dmcrypt-suorituskykyvalitsimet eivät ole tuettuja.\n"
+
+# Entropy viittaa tässä ilmeisesti tiivistettävän tekstin satunnaisuuteen. Mitä satunnaisempi se on, sitä vähemmän sitä voi tiivistää.
+#: lib/random.c:76
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Järjestelmässä ei ole satunnaisuutta taltioavainta tuotettaessa.\n"
+"Siirrä hiirtä tai kirjoita jotain tekstiä toiseen ikkunaan joidenkin satunnaistapahtumien keräämiseksi.\n"
+
+#: lib/random.c:80
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Avainta tuotetaan (%d%% valmis).\n"
+
+#: lib/random.c:166
+msgid "Running in FIPS mode.\n"
+msgstr "Suoritetaan FIPS-tilassa.\n"
+
+#: lib/random.c:172
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Kohtalokas virhe RNG-alustuksen aikana.\n"
+
+#: lib/random.c:209
+msgid "Unknown RNG quality requested.\n"
+msgstr "Tuntematonta RNG-laatua pyydetty.\n"
+
+#: lib/random.c:214
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Virhe %d luettaessa kohteesta RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "RNG-salaustaustaohjelman alustus epäonnistui.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Salaustaustaohjelman alustus epäonnistui.\n"
+
+#: lib/setup.c:237 lib/setup.c:1193 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Tiivistealgoritmia %s ei tueta.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Avainkäsittelyvirhe (käytetään tiivistealgoritmia %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Laitetyypin määritteleminen epäonnistui. Laitteen yhteensopimaton aktivointi?\n"
+
+#: lib/setup.c:289 lib/setup.c:1546
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Tätä toimintoa tuetaan vain LUKS-laitteelle.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Kaikki avainvälit ovat täynnä.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Avainväli %d on virheellinen, valitse väliltä 0 ... %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Avainväli %d on täynnä, valitse joku toinen.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Kirjoita salasanalause kohteelle %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Otsake havaittu, mutta laite %s on liian pieni.\n"
+
+#: lib/setup.c:670 lib/setup.c:1429
+msgid "This operation is not supported for this device type.\n"
+msgstr "Tätä toimintoa ei tueta tälle laitetyypille.\n"
+
+#: lib/setup.c:909 lib/setup.c:1382 lib/setup.c:2273
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Laite %s ei ole aktiivinen.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Salauslaitteen %s perustana oleva laite hävisi.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Virheelliset tavalliset salausparametrit.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Virheellinen avainkoko.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID ei ole tuettu tälle laitetyypille.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Kohteen LUKS pohjustus ilman laitetta epäonnistui.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Laitteen %s pohjustus epäonnistui, koska se on yhä käytössä.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Laitteen %s pohjustus epäonnistui, koska pääsy laitteeseen on kielletty.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Otsakkeen pyyhkiminen pois laitteesta %s epäonnistui.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Kohteen LOOPAES pohjustus ilman laitetta epäonnistui.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Kohteen VERITY pohjustus ilman laitetta epäonnistui.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Tukematon VERITY-tiivistetyyppi %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Tukematon VERITY-lohkokoko.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Tukematon VERITY-tiivistesiirros.\n"
+
+#: lib/setup.c:1286
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Tuntematon salauslaitetyyppi %s pyydetty.\n"
+
+#: lib/setup.c:1396
+msgid "Cannot resize loop device.\n"
+msgstr "Silmukkalaitteen koon muuttaminen epäonnistui.\n"
+
+#: lib/setup.c:1444
+msgid "Do you really want to change UUID of device?"
+msgstr "Haluatko todella vaihtaa laitteen UUID-tunnistetta?"
+
+#: lib/setup.c:1554
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Taltio %s ei ole käytössä.\n"
+
+#: lib/setup.c:1565
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Taltio %s on jo keskeytetty.\n"
+
+#: lib/setup.c:1572
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Keskeyttämistä ei tueta laitetyypille %s.\n"
+
+#: lib/setup.c:1574
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Virhe keskeytettäessä laitetta %s.\n"
+
+#: lib/setup.c:1600 lib/setup.c:1647
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Taltiota %s ei ole keskeytetty.\n"
+
+#: lib/setup.c:1614
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Jatkamista ei tueta laiteelle %s.\n"
+
+#: lib/setup.c:1616 lib/setup.c:1668
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Virhe jatkettaessa laitteella %s.\n"
+
+#: lib/setup.c:1654 lib/setup.c:2089 lib/setup.c:2103 src/cryptsetup.c:183
+#: src/cryptsetup.c:244 src/cryptsetup.c:732 src/cryptsetup.c:1162
+msgid "Enter passphrase: "
+msgstr "Kirjoita salasanalause: "
+
+# Volume key tarkoittaa yleensä äänenvoimakkuussäädintä, ei välttämättä tässä.
+#: lib/setup.c:1716 lib/setup.c:1852
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Avainvälin lisäys epäonnistui, kaikki välit on otettu pois käytöstä ja yhtään taltioavainta ei ole tarjottu.\n"
+
+#: lib/setup.c:1725 lib/setup.c:1858 lib/setup.c:1862
+msgid "Enter any passphrase: "
+msgstr "Kirjoita mikä tahansa salasanalause: "
+
+#: lib/setup.c:1742 lib/setup.c:1875 lib/setup.c:1879 lib/setup.c:1941
+#: src/cryptsetup.c:992 src/cryptsetup.c:1023
+msgid "Enter new passphrase for key slot: "
+msgstr "Kirjoita uusi salasanalause avainvälille: "
+
+#: lib/setup.c:1807
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Avaivälin %d vaihtui.\n"
+
+#: lib/setup.c:1810
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Korvattiin avainvälillä %d.\n"
+
+#: lib/setup.c:1815
+msgid "Failed to swap new key slot.\n"
+msgstr "Uuden avainvälin vaihtaminen epäonnistui.\n"
+
+#: lib/setup.c:1932 lib/setup.c:2193 lib/setup.c:2206 lib/setup.c:2348
+msgid "Volume key does not match the volume.\n"
+msgstr "Taltioavain ei täsmää taltion kanssa.\n"
+
+#: lib/setup.c:1970
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Avainväli %d on virheellinen.\n"
+
+#: lib/setup.c:1975
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Avainväli %d ei ole käytössä.\n"
+
+#: lib/setup.c:2005 lib/setup.c:2077 lib/setup.c:2169
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Laite %s on jo olemassa.\n"
+
+#: lib/setup.c:2180
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Virheellinen taltioavain määritelty tavalliselle laitteelle.\n"
+
+#: lib/setup.c:2213
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Virheellinen root-tiiviste määritelty verity-laitteelle.\n"
+
+#: lib/setup.c:2236
+msgid "Device type is not properly initialised.\n"
+msgstr "Laitetyyppi ei ole alustettu oikein.\n"
+
+#: lib/setup.c:2268
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Laite %s on yhä käytössä.\n"
+
+#: lib/setup.c:2277
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Virheellinen laite %s.\n"
+
+#: lib/setup.c:2298
+msgid "Function not available in FIPS mode.\n"
+msgstr "Funktio ei ole käytettävissä FIPS-tilassa.\n"
+
+#: lib/setup.c:2304
+msgid "Volume key buffer too small.\n"
+msgstr "Taltioavainpuskuri on liian pieni.\n"
+
+#: lib/setup.c:2312
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Taltioavaimen nouto tavalliselle laitteelle epäonnistui.\n"
+
+#: lib/setup.c:2319
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Tätä toimintoa ei tueta %s-salauslaitteelle.\n"
+
+#: lib/setup.c:2515
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Dump-toimintoa ei tueta tälle laitetyypille.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Prosessiprioriteetin hakeminen epäonnistui.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Muistin lukituksen avaus epäonnistui.\n"
+
+#: lib/utils_crypt.c:241 lib/utils_crypt.c:254 lib/utils_crypt.c:401
+#: lib/utils_crypt.c:416
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Muisti loppui luettaessa salasanalausetta.\n"
+
+#: lib/utils_crypt.c:246 lib/utils_crypt.c:261
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Virhe luettaessa salasanalausetta pääteikkunasta.\n"
+
+#: lib/utils_crypt.c:259
+msgid "Verify passphrase: "
+msgstr "Todenna salasanalause: "
+
+#: lib/utils_crypt.c:266
+msgid "Passphrases do not match.\n"
+msgstr "Salasanalauseet eivät täsmää.\n"
+
+#: lib/utils_crypt.c:350
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Siirrososoitteen käyttö pääteikkunasyötteellä epäonnistui.\n"
+
+#: lib/utils_crypt.c:369 lib/tcrypt/tcrypt.c:467
+msgid "Failed to open key file.\n"
+msgstr "Avaintiedoston avaus epäonnistui.\n"
+
+#: lib/utils_crypt.c:378
+msgid "Failed to stat key file.\n"
+msgstr "Avaintiedoston kutsuminen stat-funktiolla epäonnistui.\n"
+
+#: lib/utils_crypt.c:386 lib/utils_crypt.c:407
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Pyydetyn avaintiedostosiirrososoitteen etsintä epäonnistui.\n"
+
+#: lib/utils_crypt.c:424
+msgid "Error reading passphrase.\n"
+msgstr "Virhe luettaessa salasanalausetta.\n"
+
+#: lib/utils_crypt.c:447
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Avaintiedoston enimmäiskoko ylitettiin.\n"
+
+#: lib/utils_crypt.c:452
+msgid "Cannot read requested amount of data.\n"
+msgstr "Pyydetyn tietomäärän lukeminen epäonnistui.\n"
+
+#: lib/utils_device.c:136 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Laite %s ei ole olemassa tai pääsy siihen on kielletty.\n"
+
+#: lib/utils_device.c:430
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Silmukkalaitteen käyttö epäonnistui, suoritetaan ei-root-käyttäjänä.\n"
+
+#: lib/utils_device.c:433
+msgid "Cannot find a free loopback device.\n"
+msgstr "Vapaan silmukkalaiteen löytäminen epäonnistui.\n"
+
+#: lib/utils_device.c:440
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Silmukkalaitteeseen liittyminen epäonnistui (vaaditaan silmukkalaite autoclear-lipulla).\n"
+
+#: lib/utils_device.c:484
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Laitteen %s käyttö epäonnistui, koska se on jo käytössä (jo kuvattu tai liitetty).\n"
+
+#: lib/utils_device.c:488
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Tietojen hakeminen laitteesta %s epäonnistui.\n"
+
+#: lib/utils_device.c:494
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Pyydetty siirrososoite on laitteen %s todellisen koon ulkopuolella.\n"
+
+#: lib/utils_device.c:502
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Laitteen %s koko on nolla.\n"
+
+#: lib/utils_device.c:513
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Laite %s on liian pieni.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Dm-crypt -avainkuvausasetus laitteelle %s epäonnistui.\n"
+"Tarkista, että käyttöjärjestelmäydin tukee %s-salakirjoitusmenetelmää (lisätietoja tarkistamalla syslog).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Avainkoon on oltava XTS-tilassa 256 tai 512 bittiä.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:572 lib/luks1/keymanage.c:1022
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Laitteeseen %s kirjoittaminen epäonnistui, pääsy kielletty.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Tilapäisen avainsäiliön avaaminen epäonnistui.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Pääsy tilapäiseen avainsäiliölaitteeseen epäonnistui.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Siirräntävirhe salattaessa avainväliä.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Siirräntävirhe purettaessa avainvälin salausta.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Laite %s on liian pieni. (LUKS vaatii vähintään %<PRIu64> tavua.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:418
+#: src/cryptsetup_reencrypt.c:1131
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Laite %s ei ole kelvollinen LUKS-laite.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Pyydetty otsakevarmuuskopiotiedosto %s on jo olemassa.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Otsakevarmuuskopiotiedoston %s luominen epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Otsakevarmuuskopiotiedoston %s kirjoittaminen epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:239
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Varmuuskopiotiedosto ei sisällä kelvollista LUKS-otsaketta.\n"
+
+#: lib/luks1/keymanage.c:252 lib/luks1/keymanage.c:496
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Otsakevarmuuskopiotiedoston %s avaus epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:258
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Otsakevarmuuskopiotiedoston %s lukeminen epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Tietosiirrososoite tai avainkoko eroaa laitteessa ja varmuuskopiossa, palautus epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Laite %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "ei sisällä LUKS-otsaketta. Otsakkeen korvaaminen voi tuhota tietoja tuossa laitteessa."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "sisältää jo LUKS-otsakkeen. Otsakkeen korvaaminen tuhoaa olemassaolevat avainvälit."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"VAROITUS: oikealla laiteotsakkeella on eri UUID-tunniste kuin varmuuskopiolla!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:535
+#: lib/luks1/keymanage.c:575 lib/tcrypt/tcrypt.c:624 lib/verity/verity.c:82
+#: lib/verity/verity.c:179 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Laitteen %s avaus epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:329
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Ei-vakio avainkoko, manuaalinen korjaus pyydetty.\n"
+
+#: lib/luks1/keymanage.c:334
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Ei-vakiot avainvälitasaukset, manuaalinen korjaus pyydetty.\n"
+
+#: lib/luks1/keymanage.c:340
+msgid "Repairing keyslots.\n"
+msgstr "Korjataan avainvälit.\n"
+
+#: lib/luks1/keymanage.c:351
+msgid "Repair failed."
+msgstr "Korjaus epäonnistui."
+
+#: lib/luks1/keymanage.c:363
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Avainväli %i: siirrososoite korjattu (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:371
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Avainväli %i: raidat korjattu (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:380
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Avainväli %i: valeosiotunniste.\n"
+
+#: lib/luks1/keymanage.c:385
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Avainväli %i: satunnaisarvosiemen tuhottu.\n"
+
+#: lib/luks1/keymanage.c:396
+msgid "Writing LUKS header to disk.\n"
+msgstr "Kirjoitetaan LUKS-otsake levylle.\n"
+
+#: lib/luks1/keymanage.c:421
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Tukematon LUKS-versio %d.\n"
+
+#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:661
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Pyydetty LUKS-tiiviste %s ei ole tuettu.\n"
+
+#: lib/luks1/keymanage.c:442
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS-avainväli %u on virheellinen.\n"
+
+#: lib/luks1/keymanage.c:456 src/cryptsetup.c:664
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Tuntemattomat pulmat havaittu LUKS-otsakkeelle.\n"
+
+#: lib/luks1/keymanage.c:596
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Virhe LUKS-otsakkeen päivityksen aikana laitteessa %s.\n"
+
+#: lib/luks1/keymanage.c:603
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Virhe luettaessa uudelleen LUKS-otsaketta päivityksen jälkeen laitteessa %s.\n"
+
+#: lib/luks1/keymanage.c:654
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Tietosiirrososoitteen irrotetulle LUKS-otsakkeelle on oltava joko 0 tai suurempi kuin otsakekoko (%d sektoria).\n"
+
+#: lib/luks1/keymanage.c:666 lib/luks1/keymanage.c:757
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Väärä LUKS UUID-muoto tarjottu.\n"
+
+#: lib/luks1/keymanage.c:695
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "LUKS-otsakkeen luominen epäonnistui: satunnaisarvosiemenen lukeminen epäonnistui.\n"
+
+#: lib/luks1/keymanage.c:702 lib/luks1/keymanage.c:798
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Ei ole yhteensopiva PBKDF2-valitsimien kanssa (käytetään tiivitstealgoritmia %s).\n"
+
+#: lib/luks1/keymanage.c:717
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "LUKS-otsakkeen luominen epäonnistui: otsaketiiviste epäonnistui (käytettäen tiivistettä %s).\n"
+
+#: lib/luks1/keymanage.c:782
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Avainväli %d aktiivinen, puhdista ensimmäinen.\n"
+
+#: lib/luks1/keymanage.c:788
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Avainvälin %d materiaali sisältää liian vähän raitoja. Otsaketta on käsitelty?\n"
+
+#: lib/luks1/keymanage.c:955
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Avaivälin %d lukitus avattu.\n"
+
+#: lib/luks1/keymanage.c:990 src/cryptsetup.c:858
+#: src/cryptsetup_reencrypt.c:1020 src/cryptsetup_reencrypt.c:1057
+msgid "No key available with this passphrase.\n"
+msgstr "Tälle salasanalauseelle ei ole saatavissa avainta.\n"
+
+#: lib/luks1/keymanage.c:1008
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Avainväli %d on virheellinen, valitse avainväli välillä 0 ... %d.\n"
+
+#: lib/luks1/keymanage.c:1026
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Laitteen %s pyyhkiminen tyhjäksi epäonnistui.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Havaittu vielä tukematon GPG-salausavaintiedosto.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Käytä gpg --decrypt <AVAINTIEDOSTO> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Yhteensopimaton loop-AES -avaintiedosto havaittu.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Käyttöjärjestelmäydin ei tule loop-AES -yhteensopivaa kuvausta.\n"
+
+#: lib/tcrypt/tcrypt.c:475
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Virhe luettaessa avaintiedostoa %s.\n"
+
+#: lib/tcrypt/tcrypt.c:513
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "TCRYPT-salasanalauseen enimmäispituus (%d) ylitettiin.\n"
+
+#: lib/tcrypt/tcrypt.c:543
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "PBKDF2-tiivistealgoritmi %s ei ole käytettävissä, ohitetaan.\n"
+
+#: lib/tcrypt/tcrypt.c:561 src/cryptsetup.c:617
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Pyydetty ydinsalauskäyttöliittymä ei ole käytettävissä.\n"
+
+#: lib/tcrypt/tcrypt.c:563 src/cryptsetup.c:619
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Varmista, että algif_skcipher-käyttöjärjestelmäydinmoduuli on ladattu.\n"
+
+#: lib/tcrypt/tcrypt.c:707
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktivointia ei tueta sektorikoolle %d.\n"
+
+#: lib/tcrypt/tcrypt.c:713
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Käyttöjärjestelmäydin ei tue aktivointia tälle TCRYPT-perinnetilassa.\n"
+
+#: lib/tcrypt/tcrypt.c:744
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Aktivoidaan TCRYPT-järjestelmäsalaus osiolle %s.\n"
+
+#: lib/tcrypt/tcrypt.c:810
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Käyttöjärjestelmäydin ei tue TCRYPT -yhteensopivaa kuvausta.\n"
+
+#: lib/tcrypt/tcrypt.c:1024
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Tätä toimintoa ei tueta ilman TCRYPT-otsakelatausta."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:172
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Verity-laite %s ei käytä paikallista levyotsaketta.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Laite %s ei ole kelvollinen VERITY-laite.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Tukematon VERITY-versio %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY-otsake rikkinäinen.\n"
+
+#: lib/verity/verity.c:166
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Väärä VERITY UUID-muoto tarjottu laitteessa %s.\n"
+
+#: lib/verity/verity.c:196
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Virhe verity-otsakkeen päivityksen aikana laitteessa %s.\n"
+
+#: lib/verity/verity.c:276
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Käyttöjärjestelmäydin ei tule dm-verity -yhteensopivaa kuvausta.\n"
+
+#: lib/verity/verity.c:287
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Verity-laite havaitsi rikkoutumisen aktivoinnin jälkeen.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Vapaa-aluetta ei ole nollattu sijainnissa %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Laitesiirrososoitteen ylivuoto.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Todennus epäonnistui sijainnissa %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Virheelliset kokoparametrit verity-laitteelle.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Verity-taltiolla liian monta puutasoa.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Data-alueen todentaminen epäonnistui.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Root-tiivisteen todentaminen epäonnistui.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Syöte/tulostevirhe luotaessa tiivistealuetta.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Tiivistealueen luominen epäonnistui.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "VAROITUS: Käyttöjärjestelmäydin ei voi aktivoida laitetta, jos lohkokoko ylittää sivukoon (%u).\n"
+
+#: src/cryptsetup.c:91
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Salasanalauseiden todennus epäonnistui ei-tty-syötteissä.\n"
+
+#: src/cryptsetup.c:132 src/cryptsetup.c:560 src/cryptsetup.c:707
+#: src/cryptsetup_reencrypt.c:523 src/cryptsetup_reencrypt.c:577
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Havaittu tuntematon salakirjoitusmenetelmämäärittelymalli.\n"
+
+#: src/cryptsetup.c:140
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "VAROITUS: Parametri --hash ohitetaan tavallisessa tilassa kun avaintiedosto on määritelty.\n"
+
+#: src/cryptsetup.c:148
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "VAROITUS: Valitsin --keyfile-size ohitetaan , lukukoko on sama kuin salausavaimen koko.\n"
+
+#: src/cryptsetup.c:214
+msgid "Option --key-file is required.\n"
+msgstr "Vaaditaan valitsin --key-file.\n"
+
+#: src/cryptsetup.c:263
+msgid "No device header detected with this passphrase.\n"
+msgstr "Tälle salasanalauseelle ei ole saatavissa laiteotsaketta.\n"
+
+#: src/cryptsetup.c:323 src/cryptsetup.c:1151
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Otsakevedos taltioavaimella on arkaluonteista tietoa,\n"
+"joka sallii pääsyn salatulle osiolle ilman salasanaa.\n"
+"Tämä vedos pitäisi aina tallentaa salattuna turvallisessa paikasssa."
+
+#: src/cryptsetup.c:513
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Suorituskykytestin tulos ei ole luotettava.\n"
+
+#: src/cryptsetup.c:554
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testit käyttävät vain muistia ylimalkaan (ei tallennussiirtos).\n"
+
+#: src/cryptsetup.c:579 src/cryptsetup.c:601
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritmi | Avain | Salaus | Salauksen purku\n"
+
+#: src/cryptsetup.c:583
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Salaus %s ei ole käytettävissä.\n"
+
+#: src/cryptsetup.c:610
+msgid "N/A"
+msgstr "Ei käytössä"
+
+#: src/cryptsetup.c:635
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Avaintiedoston %s lukeminen epäonnistui.\n"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Ei voida lukea %d tavua avaintiedostosta %s.\n"
+
+#: src/cryptsetup.c:668
+msgid "Really try to repair LUKS device header?"
+msgstr "Yritetäänkö todella korjata LUKS-laiteotsake?"
+
+#: src/cryptsetup.c:693
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Tämä korvaa tiedot kohteella %s peruuttamattomasti."
+
+#: src/cryptsetup.c:695
+msgid "memory allocation error in action_luksFormat"
+msgstr "muistivarausvirhe kohteessa action_luksFormat"
+
+#: src/cryptsetup.c:717
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Kohteen %s käyttö paikallisena levyotsakkeena epäonnistui.\n"
+
+#: src/cryptsetup.c:784
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Pienennetty tietosiirrososoite sallitaan vain irrotetulle LUKS-otsakkeelle.\n"
+
+#: src/cryptsetup.c:881 src/cryptsetup.c:937
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Avainväli %d valittu poistoa varten.\n"
+
+#: src/cryptsetup.c:884
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Avain %d ei ole käytössä. Ei voida pyyhkiä pois.\n"
+
+#: src/cryptsetup.c:892 src/cryptsetup.c:940
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Tämä on viimeinen avainväli. Laite tulee käyttökelvottomaksi tämän avaimen poistamisen jälkeen."
+
+#: src/cryptsetup.c:893
+msgid "Enter any remaining passphrase: "
+msgstr "Kirjoita mikä tahansa jäljellä oleva salasanalause: "
+
+#: src/cryptsetup.c:921
+msgid "Enter passphrase to be deleted: "
+msgstr "Kirjoita poistettava salasanalause: "
+
+#: src/cryptsetup.c:1008 src/cryptsetup_reencrypt.c:1095
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Kirjoita mikä tahansa olemassa oleva salasanalause: "
+
+#: src/cryptsetup.c:1063
+msgid "Enter passphrase to be changed: "
+msgstr "Kirjoita vaihdettava salasanalause: "
+
+#: src/cryptsetup.c:1077 src/cryptsetup_reencrypt.c:1080
+msgid "Enter new passphrase: "
+msgstr "Kirjoita uusi salasanalause: "
+
+#: src/cryptsetup.c:1101
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Tuetaan vain yhtä laiteargumenttia isLuks-toiminnolle.\n"
+
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1278
+msgid "Option --header-backup-file is required.\n"
+msgstr "Vaaditaan valitsin --header-backup-file.\n"
+
+#: src/cryptsetup.c:1315
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Tunnistamaton metatietolaitetyyppi %s.\n"
+
+#: src/cryptsetup.c:1318
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Komento vaatii laitteen ja kuvausnimen argumenttina.\n"
+
+#: src/cryptsetup.c:1337
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Tämä toiminto poistaa kaikki avainvälit laitteesta %s.\n"
+"Laite tulee käyttökelvottomaksi tämän toiminnon jälkeen."
+
+#: src/cryptsetup.c:1371
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<laite> [--type <tyyppi>] [<nimi>]"
+
+#: src/cryptsetup.c:1371
+msgid "open device as mapping <name>"
+msgstr "avaa laite kuvauksena <nimi>"
+
+#: src/cryptsetup.c:1372 src/cryptsetup.c:1373 src/cryptsetup.c:1374
+#: src/cryptsetup.c:1375 src/veritysetup.c:311 src/veritysetup.c:312
+msgid "<name>"
+msgstr "<nimi>"
+
+#: src/cryptsetup.c:1372
+msgid "close device (remove mapping)"
+msgstr "sulje laite (poista kuvaus)"
+
+#: src/cryptsetup.c:1373
+msgid "resize active device"
+msgstr "muuta käytössä olevan laitteen kokoa"
+
+#: src/cryptsetup.c:1374
+msgid "show device status"
+msgstr "näytä laitetila"
+
+#: src/cryptsetup.c:1375
+msgid "benchmark cipher"
+msgstr "koestussalaus"
+
+#: src/cryptsetup.c:1376 src/cryptsetup.c:1377 src/cryptsetup.c:1383
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1385 src/cryptsetup.c:1386
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388 src/cryptsetup.c:1389
+#: src/cryptsetup.c:1390
+msgid "<device>"
+msgstr "<laite>"
+
+#: src/cryptsetup.c:1376
+msgid "try to repair on-disk metadata"
+msgstr "yritä korjata levyn sisäiset metatiedot"
+
+#: src/cryptsetup.c:1377
+msgid "erase all keyslots (remove encryption key)"
+msgstr "poista kaikki avainvälit (poista salausavain)"
+
+#: src/cryptsetup.c:1378 src/cryptsetup.c:1379
+msgid "<device> [<new key file>]"
+msgstr "<laite> [<uusi avaintiedosto>]"
+
+#: src/cryptsetup.c:1378
+msgid "formats a LUKS device"
+msgstr "pohjustaa LUKS-laitteen"
+
+#: src/cryptsetup.c:1379
+msgid "add key to LUKS device"
+msgstr "lisää avain LUKS-laitteeseen"
+
+#: src/cryptsetup.c:1380 src/cryptsetup.c:1381
+msgid "<device> [<key file>]"
+msgstr "<laite> [<avaintiedosto>]"
+
+#: src/cryptsetup.c:1380
+msgid "removes supplied key or key file from LUKS device"
+msgstr "poistaa tarjotun avaimen tai avaintiedoston LUKS-laitteesta"
+
+#: src/cryptsetup.c:1381
+msgid "changes supplied key or key file of LUKS device"
+msgstr "vaihtaa LUKS-laitteen tarjotun avaimen tai avaintiedoston"
+
+#: src/cryptsetup.c:1382
+msgid "<device> <key slot>"
+msgstr "<laite> <avainväli>"
+
+#: src/cryptsetup.c:1382
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "pyyhkäisee pois avaimen numerolla <avainväli> LUKS-laitteesta"
+
+#: src/cryptsetup.c:1383
+msgid "print UUID of LUKS device"
+msgstr "tulostaa LUKS-laitteen UUID-tunnuksen"
+
+#: src/cryptsetup.c:1384
+msgid "tests <device> for LUKS partition header"
+msgstr "testaa <laite> LUKS-osio-otsakkeesta"
+
+#: src/cryptsetup.c:1385
+msgid "dump LUKS partition information"
+msgstr "vedosta LUKS-osiotiedot"
+
+#: src/cryptsetup.c:1386
+msgid "dump TCRYPT device information"
+msgstr "vedosta TCRYPT-laitetiedot"
+
+#: src/cryptsetup.c:1387
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Keskeytä LUKS-laite ja pyyhi pois avain (kaikki siirräntäliitännät jäädytetään)."
+
+#: src/cryptsetup.c:1388
+msgid "Resume suspended LUKS device."
+msgstr "Aloita uudelleen pysäytetty LUKS-laite."
+
+#: src/cryptsetup.c:1389
+msgid "Backup LUKS device header and keyslots"
+msgstr "Varmuuskopioi LUKS-laiteotsake ja avainvälit"
+
+#: src/cryptsetup.c:1390
+msgid "Restore LUKS device header and keyslots"
+msgstr "Palauta LUKS-laiteotsake ja avainvälit"
+
+#: src/cryptsetup.c:1407 src/veritysetup.c:328
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<toiminto> on yksi seuraavista:\n"
+
+#: src/cryptsetup.c:1413
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Voit myös käyttää vanhaa <toiminto>-syntaksialiasta:\n"
+"\topen: luo (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: poista (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1417
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nimi> on laite, joka luodaan kohteen %s alaisena\n"
+"<laite> on salaussuojattu laite\n"
+"<avainväli> on LUKS-avainväli muokattavaksi\n"
+"<avaintiedosto> valinnainen avaintiedosto uudelle avaimelle luksAddKey-toimintoa varten\n"
+
+#: src/cryptsetup.c:1424
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Käännetyn avaintiedoston ja salasanan oletusparametrit:\n"
+"\tAvaintiedoston enimmäiskoko: %d kilobittiä, vuorovaikutteisen\n"
+"\tsalasanalauseen enimmäispituus %d (merkkiä)\n"
+"PBKDF2-iteroinnin enimmäisaika LUKS-avainvälille: %d (millisekuntia)\n"
+
+#: src/cryptsetup.c:1431
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Käännetyn laitesalakirjoitusmenetelmän oletusparametrit:\n"
+"\tloop-AES: %s, Avain %d bittiä\n"
+"\tplain-tyyppi: %s, Avain: %d bittiä, Salasanatiivistys: %s\n"
+"\tLUKS1: %s, Avain: %d bittiä, LUKS-otsaketiivistys: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1448 src/veritysetup.c:460
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: vaatii %s argumentteina"
+
+#: src/cryptsetup.c:1481 src/veritysetup.c:368 src/cryptsetup_reencrypt.c:1274
+msgid "Show this help message"
+msgstr "Näytä tämä opastesanoma"
+
+#: src/cryptsetup.c:1482 src/veritysetup.c:369 src/cryptsetup_reencrypt.c:1275
+msgid "Display brief usage"
+msgstr "Näytä lyhyt käyttöopaste"
+
+#: src/cryptsetup.c:1486 src/veritysetup.c:373 src/cryptsetup_reencrypt.c:1279
+msgid "Help options:"
+msgstr "Opastevalitsimet:"
+
+#: src/cryptsetup.c:1487 src/veritysetup.c:374 src/cryptsetup_reencrypt.c:1280
+msgid "Print package version"
+msgstr "Tulosta pakkausversio"
+
+#: src/cryptsetup.c:1488 src/veritysetup.c:375 src/cryptsetup_reencrypt.c:1281
+msgid "Shows more detailed error messages"
+msgstr "Näyttää yksityiskohtaisemmat virheilmoitukset"
+
+#: src/cryptsetup.c:1489 src/veritysetup.c:376 src/cryptsetup_reencrypt.c:1282
+msgid "Show debug messages"
+msgstr "Näytä vianjäljityssanomat"
+
+#: src/cryptsetup.c:1490 src/cryptsetup_reencrypt.c:1284
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Salakirjoitusmenetelmä, jota käytetään salaamaan levy (katso /proc/crypto)"
+
+#: src/cryptsetup.c:1491 src/cryptsetup_reencrypt.c:1286
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Tiivisteavain, jota käytetään salausavaimen luomiseen salasanalauseesta"
+
+#: src/cryptsetup.c:1492
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Todentaa salasanalauseen kysymällä kahdesti"
+
+#: src/cryptsetup.c:1493 src/cryptsetup_reencrypt.c:1288
+msgid "Read the key from a file."
+msgstr "Lue avain tiedostosta."
+
+#: src/cryptsetup.c:1494
+msgid "Read the volume (master) key from file."
+msgstr "Lue taltion (pää)avain tiedostosta."
+
+#: src/cryptsetup.c:1495
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Vedosta taltion (pää)avain eikä avainvälien tiedot."
+
+#: src/cryptsetup.c:1496 src/cryptsetup_reencrypt.c:1285
+msgid "The size of the encryption key"
+msgstr "Salausavaimen koko"
+
+#: src/cryptsetup.c:1496 src/cryptsetup_reencrypt.c:1285
+msgid "BITS"
+msgstr "BITTIÄ"
+
+#: src/cryptsetup.c:1497 src/cryptsetup_reencrypt.c:1299
+msgid "Limits the read from keyfile"
+msgstr "Avaintiedostosta luettavat rajat"
+
+#: src/cryptsetup.c:1497 src/cryptsetup.c:1498 src/cryptsetup.c:1499
+#: src/cryptsetup.c:1500 src/veritysetup.c:379 src/veritysetup.c:380
+#: src/veritysetup.c:382 src/cryptsetup_reencrypt.c:1298
+#: src/cryptsetup_reencrypt.c:1299 src/cryptsetup_reencrypt.c:1300
+#: src/cryptsetup_reencrypt.c:1301
+msgid "bytes"
+msgstr "tavua"
+
+#: src/cryptsetup.c:1498 src/cryptsetup_reencrypt.c:1298
+msgid "Number of bytes to skip in keyfile"
+msgstr "Avaintiedostossa ohitettavien tavujen määrä"
+
+#: src/cryptsetup.c:1499
+msgid "Limits the read from newly added keyfile"
+msgstr "Äskettäin lisätystä avaintiedostosta luetut rajat"
+
+#: src/cryptsetup.c:1500
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Ohitettu tavumäärä äskettäin lisätyssä avaintiedostossa"
+
+#: src/cryptsetup.c:1501
+msgid "Slot number for new key (default is first free)"
+msgstr "Välinumero uudelle avaimelle (oletus on ensimmäinen vapaa)"
+
+#: src/cryptsetup.c:1502
+msgid "The size of the device"
+msgstr "Laitteen koko"
+
+#: src/cryptsetup.c:1502 src/cryptsetup.c:1503 src/cryptsetup.c:1504
+#: src/cryptsetup.c:1510
+msgid "SECTORS"
+msgstr "SEKTORIA"
+
+#: src/cryptsetup.c:1503
+msgid "The start offset in the backend device"
+msgstr "Alkusiirrososoite taustalaitteessa"
+
+#: src/cryptsetup.c:1504
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Kuinka monta salaustietojen sektoria ohitetaan alussa"
+
+#: src/cryptsetup.c:1505
+msgid "Create a readonly mapping"
+msgstr "Luo kirjoitussuojattu kuvaus"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1289
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2-iterointiaika kohteelle LUKS (millisekunneissa)"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1289
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1290
+msgid "Do not ask for confirmation"
+msgstr "Älä pyydä vahvistusta"
+
+#: src/cryptsetup.c:1508
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Aikakatkaisu vuorovaikutteiselle salasanalausekyselylle (sekunteina)"
+
+#: src/cryptsetup.c:1508
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1509 src/cryptsetup_reencrypt.c:1291
+msgid "How often the input of the passphrase can be retried"
+msgstr "Kuinka usein salasanasyötettä voidaan yrittää uudelleen"
+
+#: src/cryptsetup.c:1510
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Tasaa tietosisältö osoitteessa <n> sektorirajoihin - kohdetta luksFormat varten"
+
+#: src/cryptsetup.c:1511
+msgid "File with LUKS header and keyslots backup."
+msgstr "Tiedosto LUKS-otsakkeella ja avainvälien varmuuskopiolla."
+
+#: src/cryptsetup.c:1512 src/cryptsetup_reencrypt.c:1292
+msgid "Use /dev/random for generating volume key."
+msgstr "Käytä /dev/random taltioavaimen synnyttämiseen."
+
+#: src/cryptsetup.c:1513 src/cryptsetup_reencrypt.c:1293
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Käytä /dev/urandom taltioavaimen synnyttämiseen."
+
+#: src/cryptsetup.c:1514
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Jaa laite toisen ei-päällekkäisen salaussegmentin kanssa."
+
+#: src/cryptsetup.c:1515 src/veritysetup.c:385
+msgid "UUID for device to use."
+msgstr "UUID laitteelle käytettäväksi."
+
+#: src/cryptsetup.c:1516
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Salli hylkäys(lempinimeltään TRIM)-pyynnöt laitteelle."
+
+#: src/cryptsetup.c:1517
+msgid "Device or file with separated LUKS header."
+msgstr "Laite tai tiedosto erillisellä LUKS-otsakkeella."
+
+#: src/cryptsetup.c:1518
+msgid "Do not activate device, just check passphrase."
+msgstr "Älä aktivoi laitetta, tarkista vain salasanalauseke."
+
+#: src/cryptsetup.c:1519
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Käytä piilotettua otsaketta (piilotettu TCRYPT-laite)."
+
+#: src/cryptsetup.c:1520
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Laite on järjestelmä-TCRYPT-levyasema (alkulatausohjelmalla)."
+
+#: src/cryptsetup.c:1521
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Käytä (toissijaista) TCRYPT-varmuuskopio-otsaketta."
+
+#: src/cryptsetup.c:1522
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Tutkinta myös VeraCrypt-yhteensopivalle laitteelle."
+
+#: src/cryptsetup.c:1523
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Laitemetatietojen tyyppi: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1524
+msgid "Disable password quality check (if enabled)."
+msgstr "Ota pois käytöstä salasanan laatutarkistus (jos käytössä)."
+
+#: src/cryptsetup.c:1525
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Käytä dm-crypt same_cpu_crypt-suorituskyky-yhteensopivuusvalitsinta."
+
+#: src/cryptsetup.c:1526
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Käytä dm-crypt submit_from_crypt_cpus-suorituskyky-yhteensopivuusvalitsinta."
+
+#: src/cryptsetup.c:1542 src/veritysetup.c:402
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[VALITSIN...] <toiminto> <toimintokohtainen>"
+
+#: src/cryptsetup.c:1589 src/veritysetup.c:439
+msgid "Argument <action> missing."
+msgstr "Argumentti <toiminto> puuttuu."
+
+#: src/cryptsetup.c:1642 src/veritysetup.c:445
+msgid "Unknown action."
+msgstr "Tuntematon toiminto."
+
+#: src/cryptsetup.c:1652
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Valitsin --shared sallitaan vain pelkän laitteen avaukseen.\n"
+
+#: src/cryptsetup.c:1657
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Valitsin --allow-discards sallitaan vain open-toiminnolle.\n"
+
+#: src/cryptsetup.c:1665
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Valitsin --key-size sallitaan vain muodoille luksFormat, open ja benchmark.\n"
+"Käytä avaintiedostosta lukemisen rajoittamiseksi valitsinta --keyfile-size=(tavua)."
+
+#: src/cryptsetup.c:1672
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Valitsin --test-passphrase sallitaan vain LUKS- ja TCRYPT-laitteiden avaamiseen.\n"
+
+#: src/cryptsetup.c:1677 src/cryptsetup_reencrypt.c:1360
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Avainkoon on oltava 8-bitin monikerta"
+
+#: src/cryptsetup.c:1684 src/cryptsetup_reencrypt.c:1365
+msgid "Key slot is invalid."
+msgstr "Avainväli on virheellinen."
+
+#: src/cryptsetup.c:1691
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Valitsin --key-file on ensisijainen määritellylle avaintiedostoargumentille.\n"
+
+#: src/cryptsetup.c:1699 src/veritysetup.c:467 src/cryptsetup_reencrypt.c:1349
+msgid "Negative number for option not permitted."
+msgstr "Valitsimelle ei sallita negatiivista numeroa."
+
+#: src/cryptsetup.c:1703 src/cryptsetup_reencrypt.c:1343
+#: src/cryptsetup_reencrypt.c:1369
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Vain yksi --use-[u]random -valitsin on sallittu."
+
+#: src/cryptsetup.c:1707
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Valitsin --use-[u]random sallitaan vain luksFormat-muodolle."
+
+#: src/cryptsetup.c:1711
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Valitsin --uuid sallitaan vain luksFormat-muodolle ja luksUUID-muodolle."
+
+#: src/cryptsetup.c:1715
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Valitsin --align-payload sallitaan vain luksFormat-muodolle."
+
+#: src/cryptsetup.c:1721
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Valitsinta --skip tuetaan vain plain- ja loopaes-laitteiden avaamiseen.\n"
+
+#: src/cryptsetup.c:1727
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Valitsinta --offset tuetaan vain plain- ja loopaes-laitteiden avaamiseen.\n"
+
+#: src/cryptsetup.c:1733
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Valitsinta --tcrypt-hidden, --tcrypt-system tai --tcrypt-backup tuetaan vain TCRYPT-laiteeelle.\n"
+
+#: src/cryptsetup.c:1738
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Valitsinta --tcrypt-hidden ei voida yhdistää valitsimeen --allow-discards.\n"
+
+#: src/cryptsetup.c:1743
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Valitsinta --veracrypt tuetaan vain TCRYPT-laiteeelle.\n"
+
+#: src/veritysetup.c:58
+msgid "Invalid salt string specified.\n"
+msgstr "Määritelty virheellinen satunnaisarvosiemenmerkkijono.\n"
+
+#: src/veritysetup.c:88
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Tiivistevedoksen %s luominen kirjoittamista varten epäonnistui.\n"
+
+#: src/veritysetup.c:148
+msgid "Invalid root hash string specified.\n"
+msgstr "Virheellinen root-tiivistemerkkijono määritelty.\n"
+
+#: src/veritysetup.c:308
+msgid "<data_device> <hash_device>"
+msgstr "<data_laite> <tiiviste_laite>"
+
+#: src/veritysetup.c:308
+msgid "format device"
+msgstr "pohjusta laite"
+
+#: src/veritysetup.c:309
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<data_laite> <tiiviste_laite> <root_tiiviste>"
+
+#: src/veritysetup.c:309
+msgid "verify device"
+msgstr "todenna laite"
+
+#: src/veritysetup.c:310
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nimi> <data_laite> <tiiviste_laite> <root_tiiviste>"
+
+#: src/veritysetup.c:310
+msgid "create active device"
+msgstr "luo aktiivilaite"
+
+#: src/veritysetup.c:311
+msgid "remove (deactivate) device"
+msgstr "poista (deaktivoi) laite"
+
+#: src/veritysetup.c:312
+msgid "show active device status"
+msgstr "näytä aktiivilaitteen tila"
+
+#: src/veritysetup.c:313
+msgid "<hash_device>"
+msgstr "<tiiviste_laite>"
+
+#: src/veritysetup.c:313
+msgid "show on-disk information"
+msgstr "näytä paikallisen levyn tiedot"
+
+#: src/veritysetup.c:332
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nimi> on kohteen alle %s luotava laite\n"
+"<data_laite> on datalaite\n"
+"<tiiviste_laite> on todennusdataa sisältävä laite\n"
+"<root_tiiviste> root-solmun tiiviste kohteella <tiiviste_laite>\n"
+
+#: src/veritysetup.c:339
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Käännetyt dm-verity oletusparametrit:\n"
+"\tTiiviste: %s, Data-lohko (tavua): %u, Tiivistelohko (tavua): %u, Satunnaislukuarvosiemenen koko: %u, Tiivistemuoto: %u\n"
+
+#: src/veritysetup.c:377
+msgid "Do not use verity superblock"
+msgstr "Älä käytä verity-superlohkoa"
+
+#: src/veritysetup.c:378
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Muototyyppi (1 - normaali, 0 - alkuperäinen Chrome OS)"
+
+#: src/veritysetup.c:378
+msgid "number"
+msgstr "numero"
+
+#: src/veritysetup.c:379
+msgid "Block size on the data device"
+msgstr "Data-laitteen lohkokoko"
+
+#: src/veritysetup.c:380
+msgid "Block size on the hash device"
+msgstr "Tiivistelaitteen lohkokoko"
+
+#: src/veritysetup.c:381
+msgid "The number of blocks in the data file"
+msgstr "Data-tiedoston lohkojen määrä"
+
+#: src/veritysetup.c:381
+msgid "blocks"
+msgstr "lohkoa"
+
+#: src/veritysetup.c:382
+msgid "Starting offset on the hash device"
+msgstr "Tiivistelaitteen alkusiirrososoite"
+
+#: src/veritysetup.c:383
+msgid "Hash algorithm"
+msgstr "Tiivistealgoritmi"
+
+#: src/veritysetup.c:383
+msgid "string"
+msgstr "merkkijono"
+
+#: src/veritysetup.c:384
+msgid "Salt"
+msgstr "Satunnaisarvosiemenluku"
+
+#: src/veritysetup.c:384
+msgid "hex string"
+msgstr "heksadesimaalimerkkijono"
+
+#: src/cryptsetup_reencrypt.c:147
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Kohteen %s avaaminen eksklusiivisesti epäonnistui, laite on käytössä.\n"
+
+#: src/cryptsetup_reencrypt.c:151
+#, c-format
+msgid "Cannot open device %s\n"
+msgstr "Laitteen %s avaus epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:161 src/cryptsetup_reencrypt.c:914
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Tasatun muistin varaaminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:168
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Laitteen %s lukeminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:179
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Merkitään LUKS-laite %s käyttökelvottomaksi.\n"
+
+#: src/cryptsetup_reencrypt.c:184
+#, c-format
+msgid "Marking LUKS device %s usable.\n"
+msgstr "Merkitään LUKS-laite %s käyttökelpoiseksi.\n"
+
+#: src/cryptsetup_reencrypt.c:200
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Laitteelle %s kirjoittaminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Uudelleensalauslokitiedoston kirjoittaminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Uudelleensalauslokitiedoston lukeminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:374
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Lokitiedosto %s on olemassa, aloitetaan salaus uudelleen.\n"
+
+#: src/cryptsetup_reencrypt.c:424
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Aktivoidaan tilapäinen laite käyttäen vanhaa LUKS-otsaketta.\n"
+
+#: src/cryptsetup_reencrypt.c:435
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Aktivoidaan tilapäinen laite käyttäen uutta LUKS-otsaketta.\n"
+
+#: src/cryptsetup_reencrypt.c:445
+msgid "Activation of temporary devices failed.\n"
+msgstr "Tilapäisten laitteiden aktivoiminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:471
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Luotiin uusi LUKS-otsake laitteelle %s.\n"
+
+#: src/cryptsetup_reencrypt.c:479
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Aktivoitiin avainväli %i.\n"
+
+#: src/cryptsetup_reencrypt.c:505
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Laitteen %s LUKS-otsakkeen varmuuskopio luotu.\n"
+
+#: src/cryptsetup_reencrypt.c:553
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "LUKS-varmuuskopio-otsakkeiden luominen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:655
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "LUKS-otsakkeen palautus laitteeseen %s epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:657
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "LUKS-otsake palautettu laitteessa %s.\n"
+
+#: src/cryptsetup_reencrypt.c:690
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Eteneminen: %5.1f%%, ETA %02llu:%02llu, %4llu Mebitavua kirjoitettu, nopeus %5.1f Mebitavua/s%s"
+
+#: src/cryptsetup_reencrypt.c:729 src/cryptsetup_reencrypt.c:805
+#: src/cryptsetup_reencrypt.c:847
+msgid "Cannot seek to device offset.\n"
+msgstr "Laitteen siirrososoitteen etsintä epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:886 src/cryptsetup_reencrypt.c:892
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Tilapäisen LUKS-laitteen avaaminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:897 src/cryptsetup_reencrypt.c:902
+msgid "Cannot get device size.\n"
+msgstr "Laitekoon hakeminen epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:940
+msgid "Interrupted by a signal.\n"
+msgstr "Signaalin keskeyttämä.\n"
+
+#: src/cryptsetup_reencrypt.c:942
+msgid "IO error during reencryption.\n"
+msgstr "Siirräntävirhe uudelleensalauksen aikana.\n"
+
+#: src/cryptsetup_reencrypt.c:1049
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Avaintiedostoa voidaan käyttää vain valitsimen --key-slot kanssa tai täsmälleen yhden avainvälin ollessa aktiivisena.\n"
+
+#: src/cryptsetup_reencrypt.c:1093 src/cryptsetup_reencrypt.c:1108
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Kirjoita salasanalause avainvälille %u: "
+
+#: src/cryptsetup_reencrypt.c:1157
+msgid "Cannot open reencryption log file.\n"
+msgstr "Uudelleensalauslokitiedoston avaus epäonnistui.\n"
+
+#: src/cryptsetup_reencrypt.c:1283
+msgid "Reencryption block size"
+msgstr "Uudelleensalauslohkon koko"
+
+#: src/cryptsetup_reencrypt.c:1283
+msgid "MiB"
+msgstr "Mebitavua"
+
+#: src/cryptsetup_reencrypt.c:1287
+msgid "Do not change key, no data area reencryption."
+msgstr "Älä vaihda avainta, yhtään data-aluetta ei ole salattu uudelleen."
+
+#: src/cryptsetup_reencrypt.c:1294
+msgid "Use direct-io when accessing devices."
+msgstr "Käytä direct-io -siirräntää laitteisiin yhdistettäessä."
+
+#: src/cryptsetup_reencrypt.c:1295
+msgid "Use fsync after each block."
+msgstr "Käytä fsync-komentoa jokaisen lohkon jälkeen."
+
+#: src/cryptsetup_reencrypt.c:1296
+msgid "Update log file after every block."
+msgstr "Päivitä lokitiedosto jokaisen lohkon jälkeen."
+
+#: src/cryptsetup_reencrypt.c:1297
+msgid "Use only this slot (others will be disabled)."
+msgstr "Käytä vain tätä väliä (muut ovat pois käytöstä)."
+
+#: src/cryptsetup_reencrypt.c:1300
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Pienennä datalaitekokoa (siirrä datasiirrososoitetta). VAARALLINEN!"
+
+#: src/cryptsetup_reencrypt.c:1301
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Käytä vain määriteltyä laitekokoa (ohita laitteen loppu). VAARALLINEN!"
+
+#: src/cryptsetup_reencrypt.c:1302
+msgid "Create new header on not encrypted device."
+msgstr "Luo uusi otsake ei-salattuun laitteeseen."
+
+#: src/cryptsetup_reencrypt.c:1303
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Poista laitteen salaus pysyvästi (poista salaus)"
+
+#: src/cryptsetup_reencrypt.c:1319
+msgid "[OPTION...] <device>"
+msgstr "[VALITSIN...] <laite>"
+
+#: src/cryptsetup_reencrypt.c:1333
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Uudelleensalauas muuttuu: taltio key%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1334
+msgid ", set hash to "
+msgstr ", aseta tiivisteeksi "
+
+#: src/cryptsetup_reencrypt.c:1335
+msgid ", set cipher to "
+msgstr ", aseta salaukseksi "
+
+#: src/cryptsetup_reencrypt.c:1339
+msgid "Argument required."
+msgstr "Argumentti vaadittu."
+
+#: src/cryptsetup_reencrypt.c:1355
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Vain arvot välillä 1 mebitavua ja 64 mebitavua ovat sallittuja uudelleensalauslohkokokoja."
+
+#: src/cryptsetup_reencrypt.c:1374 src/cryptsetup_reencrypt.c:1379
+msgid "Invalid device size specification."
+msgstr "Virheellinen laitekokomäärittely."
+
+#: src/cryptsetup_reencrypt.c:1382
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Maksimi laitepienennyskoko on 64 mebitavua."
+
+#: src/cryptsetup_reencrypt.c:1385
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Pienennyskoon on oltava 512-tavuisen sektorin monikerta."
+
+#: src/cryptsetup_reencrypt.c:1389
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Valitsinta --new on käytettävä yhdessä valitsimen --reduce-device-size kanssa."
+
+#: src/cryptsetup_reencrypt.c:1393
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Valitsinta --keep-key voidaan käyttää vain valitsimen --hash tai --iter-time kanssa."
+
+#: src/cryptsetup_reencrypt.c:1397
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Valitsinta --new ei voi käytttää yhdessä valitsimen --decrypt kanssa."
+
+#: src/cryptsetup_reencrypt.c:1401
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Valitsin --decrypt on yhteensopimaton määriteltyjen parametrien kanssa."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Virhe luettaessa vastausta pääteikkunasta.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Komento onnistui.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Komento epäonnistui koodilla %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Salasanan laatutarkistus epäonnistui: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Salasanan laatutarkistus epäonnistui:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Salasanan laatutarkistus epäonnistui: Virheellinen salasana (%s)\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "VAROITUS: tämä on kokeellista koodia, se voi rikkoa tietosi kokonaan.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "FIPS-tarkistussummavarmennus epäonnistui.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "VAROITUS: laite %s on osio, TCRYPT-järjestelmäsalaukselle tarvitaan normaalisti koko lohkolaitepolun käyttö.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "Käyttöjärjestelmäydin ei tule plain64 IV.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Kirjoita LUKS-salasanalause: "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Kirjoita uusi LUKS-salasanalause: "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Kirjoita mikä tahansa LUKS-salasanalause: "
+
+#~ msgid "Cannot check passsword quality: %s\n"
+#~ msgstr "Salasanan laatutarkistus epäonnistui: %s\n"
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Laitekuvaajahakemiston hankkiminen epäonnistui."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Varmuuskopiotiedostoa %s ei ole olemassa.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Tiedoston %s avaus epäonnistui.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<nimi> <laite>"
+
+#~ msgid "create device"
+#~ msgstr "luo laite"
+
+#~ msgid "remove device"
+#~ msgstr "poista laite"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "poista LUKS-kuvaus"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "avaa loop-AES -laitteen kuvauksena <nimi>"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "poista loop-AES -kuvaus"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "Valitsin --allow-discards sallitaan vain luksOpen-, loopaesOpen- ja create-toiminnoille .\n"
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Ei voida avata laitetta %s kohteeseen %s%s pääsyä varten.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "yksinomainen "
+
+#~ msgid "writable"
+#~ msgstr "kirjoitettava"
+
+#~ msgid "read-only"
+#~ msgstr "kirjoitussuojattu"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "VAROITUS!!! Mahdollisesti turvaton muisti. Oletko pääkäyttäjä?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Ei kyetä samaan sektorikokoa kohteelle %s"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Avainsäiliöön kirjoittaminen epäonnistui.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Avainsäiliöstä lukeminen epäonnistui.\n"
+
+#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
+#~ msgstr "Ei voida käyttää laitetta %s (salatut segmentit ovat päällekkäin tai toisen laitteen käyttämiä).\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "Avainväli %d on todennettu.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "Virheellinen avainkoko %d.\n"
+
+#~ msgid "Block mode XTS is available since kernel 2.6.24.\n"
+#~ msgstr "Lohkotila XTS on käytetettävissä käyttöjärjestelmäytimestä 2.6.24 alkaen.\n"
+
+#~ msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+#~ msgstr "Avainkoon on oltava LRW-tilassa 256 tai 512 bittiä.\n"
+
+#~ msgid "Block mode LRW is available since kernel 2.6.20.\n"
+#~ msgstr "Lohkotila LRW on käytettävissä käyttöjärjestelmäytimestä 2.6.20 alkaen.\n"
+
+#~ msgid "Negative keyfile size not permitted.\n"
+#~ msgstr "Negatiivinen avaintiedostokoko ei ole sallittu.\n"
+
+#~ msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+#~ msgstr "Varoitus: uuvuttava luku pyydetty, mutta avaintiedosto ei ole tavallinen tiedosto, funktio ei ehkä koskaan palaa.\n"
+
+#~ msgid "Cannot find compatible device-mapper kernel modules.\n"
+#~ msgstr "Ei voida löytää yhteensopivia laitekuvaimen käyttöjärjestelmäydinmoduuleja.\n"
+
+#~ msgid "Cannot open device: %s\n"
+#~ msgstr "Ei voida avata laitetta: %s\n"
+
+#~ msgid "BLKROGET failed on device %s.\n"
+#~ msgstr "BLKROGET epäonnistui laitteessa %s.\n"
+
+#~ msgid "BLKGETSIZE failed on device %s.\n"
+#~ msgstr "BLKGETSIZE epäonnistui laitteessa %s.\n"
+
+#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
+#~ msgstr "identtinen kohteelle luksKillSlot - VANHENTUNUT - katso man-sivua"
+
+#~ msgid "modify active device - DEPRECATED - see man page"
+#~ msgstr "muokkaa aktiivista laitetta - VANHENTUNUT - katso man-sivua"
+
+#~ msgid ""
+#~ "The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
+#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+#~ msgstr ""
+#~ "Uudelleenlataustoiminto on vanhentunut. Käytä ”dmsetup reload” siinä tapauksessa, että todella tarvitset tätä toiminnallisuutta.\n"
+#~ "VAROITUS: älä käytä uudelleenlatausta koskettamaan LUKS-laitteita. Jos näin on laita, paina nyt näppäimiä Ctrl-C.\n"
+
+#~ msgid "Obsolete option --non-exclusive is ignored.\n"
+#~ msgstr "Vanhentunut valitsin --non-exclusive ohitetaan.\n"
+
+#~ msgid "Read the key from a file (can be /dev/random)"
+#~ msgstr "Lue avain tiedostosta (voi olla /dev/random)"
+
+#~ msgid "(Obsoleted, see man page.)"
+#~ msgstr "(Vanhentunut, katso man-sivu.)"
+
+#~ msgid "%s is not LUKS device.\n"
+#~ msgstr "%s ei ole LUKS-laite.\n"
+
+#~ msgid "%s is not LUKS device."
+#~ msgstr "%s ei ole LUKS-laite."
+
+#~ msgid "Unknown crypto device type %s requesed.\n"
+#~ msgstr "Tuntematon salauslaitetyyppi %s pyydetty.\n"
+
+#~ msgid "Limits to read from keyfile"
+#~ msgstr "Avaintiedostosta luettavat rajat"
diff --git a/po/fr.po b/po/fr.po
new file mode 100644
index 0000000..2ef76d4
--- /dev/null
+++ b/po/fr.po
@@ -0,0 +1,1972 @@
+# Messages français pour cryptsetup.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This file is put in the public domain.
+#
+# Solveig <perso@solveig.org>, 2009.
+# Nicolas Provost <nprovost@quadriv.com>, 2011.
+# Frédéric Marchal <fmarchal@perso.be>, 2017.
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 12:37+0100\n"
+"Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n"
+"Language-Team: French <traduc@traduc.org>\n"
+"Language: fr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Exécution comme un utilisateur non-root.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Le module noyau dm_mod est-il chargé ?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "Le DM-UUID du périphérique %s a été tronqué.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Les options de performance dm-crypt demandées ne sont pas supportées.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Les options demandées de gestion de corruption des données dm-verity ne sont pas supportées.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Le système a manqué d'entropie lors de la génération de la clef de volume.\n"
+"Veuillez remuer la souris ou taper du texte dans une autre fenêtre pour générer des événements aléatoires.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Génération de la clef (%d%% effectués).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Fonctionne en mode FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Erreur fatale d'initialisation RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "La qualité du générateur aléatoire RNG demandé est inconnue.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Erreur %d en lecture du générateur aléatoire RNG :%s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Impossible d'initialiser le moteur aléatoire RNG pour le chiffrement.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Impossible d'initialiser le moteur de chiffrement.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "L'algorithme de hachage %s n'est pas supporté.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Erreur de traitement de clé (valeur hachage %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Cette opération n'est possible que pour les périphériques LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Tous les emplacements de clés sont utilisés.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0 et %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Saisissez la phrase secrète pour %s : "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "En-tête détecté mais le périphérique %s est trop petit.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Cette opération n'est pas supportée pour ce type de périphérique.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Le périphérique %s n'est pas activé.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Le périphérique sous-jacent pour le périphérique chiffré %s a disparu.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Paramètres de chiffrement non valides.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "La taille de la clé n'est pas valide.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "le UUID n'est pas supporté avec ce type de chiffrement.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Impossible de formater en LUKS sans périphérique.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Impossible de formater le périphérique %s qui est déjà en cours d'utilisation.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Impossible de formater le périphérique %s. Permission refusée.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Impossible d'effacer l'en-tête du périphérique %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Impossible de formater LOOPAES sans périphérique.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Impossible de formater VERITY sans périphérique.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Type de hachage VERITY %d non supporté.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Taille de bloc VERITY non supportée.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Décalage de hachage VERITY non supporté.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "La zone de données recouvre la zone de hachage.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Type de chiffrement de périphérique demandé (%s) inconnu.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Impossible de redimensionner le périphérique loopback.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Voulez vous réellement changer l'UUID du périphérique ?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Le volume %s n'est pas actif.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Le volume %s est déjà suspendu.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Le périphérique %s ne supporte pas la suspension.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Erreur lors de la suspension du périphérique %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Le volume %s n'est pas suspendu.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Le périphérique %s ne supporte pas la remise en service.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Erreur lors de la remise en service du périphérique %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Saisissez la phrase secrète : "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Entrez une phrase secrète : "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Entrez une nouvelle phrase secrète pour l'emplacement de clé : "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Emplacement de clef %d modifié.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Remplacé par l'emplacement de clé %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Nouvel emplacement de clé impossible à échanger.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Ceci n'est pas la clé du volume.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "L'emplacement de clé %d n'est pas valide.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "L'emplacement de clé %d n'est pas utilisé.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Le périphérique %s existe déjà.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Clé de volume incorrecte pour le périphérique en clair.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Hachage racine incorrect spécifié pour le périphérique verity.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Type de périphérique improprement initialisé.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Le périphérique %s est toujours occupé.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Le périphérique %s n'est pas valide.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Fonction pas disponible en mode FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Le tampon de la clé du volume est trop petit.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain ».\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Impossible d'obtenir la priorité du processus.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Impossible de déverrouiller la mémoire.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Plus assez de mémoire lors de la lecture de la phrase secrète.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Erreur de lecture de la phrase secrète depuis la console.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Vérifiez la phrase secrète : "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Les phrases secrètes ne sont pas identiques.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Le décalage n'est pas possible si l'entrée provient de la console.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Impossible d'ouvrir le fichier de clef.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Impossible d'exécuter « stat » sur le fichier de clef.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Impossible de sauter au décalage demandé dans le fichier de clé.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Erreur de lecture de la phrase secrète.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Taille max. de fichier de clé dépassée.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Impossible de lire la quantité de données demandée.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Le périphérique %s n'existe pas ou l'accès y est interdit.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Impossible d'utiliser un périphérique loopback. Fonctionne comme un utilisateur non-root.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Impossible d'associer le périphérique loopback (le drapeau « autoclear » est requis).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Impossible d'utiliser le périphérique %s actuellement utilisé (déjà mappé ou monté).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Impossible d'obtenir des informations au sujet du périphérique %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Le décalage demandé est au delà de la taille réelle du périphérique %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Le périphérique %s a une taille nulle.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Le périphérique %s est trop petit.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Impossible de configurer la correspondance des clés dm-crypt du périphérique %s.\n"
+"Vérifiez que le noyau supporte le chiffrement %s (pour plus d'informations, voir les journaux syslog).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "La taille de la clé en mode XTS doit être un multiple de 256 ou 512 bits.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Impossible d'écrire sur le périphérique %s. Permission refusée.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Échec lors de l'ouverture du périphérique de stockage temporaire de clés.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Impossible d'accéder au périphérique de stockage temporaire de clés.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Erreur E/S pendant le chiffrement de l'emplacement de clé.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Erreur E/S pendant le déchiffrement de l'emplacement de clé.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Le périphérique %s est trop petit (LUKS a besoin d'au moins %<PRIu64> octets).\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "%s n'est pas un périphérique LUKS valide.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Le fichier de sauvegarde d'en-tête demandé %s existe déjà.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Impossible de créer le fichier de sauvegarde d'en-tête %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Impossible d'écrire le fichier de sauvegarde d'en-tête %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Le fichier de sauvegarde ne contient pas d'en-tête LUKS valide.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Impossible d'ouvrir le fichier de sauvegarde d'en-tête %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Impossible de lire le fichier de sauvegarde d'en-tête %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Le décalage des données (« offset ») ou la taille de la clé ne sont pas identiques dans le périphérique et la sauvegarde. La restauration a échouée.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Périphérique %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "ne contient pas d'en-tête LUKS. Remplacer l'en-tête peut détruire les données de ce périphérique."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "contient déjà un en-tête LUKS. Remplacer l'en-tête détruira les emplacements de clés actuels."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"ATTENTION : l'en-tête du périphérique a un UUID différent de celui de la sauvegarde !"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Impossible d'ouvrir le périphérique %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Taille de clé non standard. Réparation manuelle requise.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Alignement non standard des emplacements de clé. Réparation manuelle requise.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Réparation des emplacements de clé.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Échec de la réparation."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Emplacement de clé %i : décalage réparé (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Emplacement de clé %i : bandes réparées (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Emplacement de clé %i : signature de partition contrefaite.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Emplacement de clé %i : aléa effacé.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Écriture de l'en-tête LUKS sur le disque.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "La version %d de LUKS n'est pas supportée.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "L'algorithme de hachage LUKS demandé (%s) n'est pas supporté.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "L'emplacement de clé LUKS %u n'est pas valide.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Aucun problème connu détecté pour l'en-tête LUKS.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Erreur lors de la mise à jour de l'en-tête LUKS sur le périphérique %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Erreur lors de la relecture de l'en-tête LUKS après la mise à jour sur le périphérique %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "L'offset des données d'un en-tête LUKS détaché doit être soit 0 ou soit plus grand que la taille de l'en-tête (%d secteurs).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Mauvais format fourni pour le UUID LUKS.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Impossible de créer un en-tête LUKS : échec lors de la lecture de l'aléa.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Options PBKDF2 incompatibles (en utilisant l'algorithme de hachage %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Impossible de créer un en-tête LUKS : le résumé (« digest ») de l'en-tête a échoué (en utilisant l'algorithme de hachage %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "L'emplacement de clé %d est activé, effacez le d'abord.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Le matériel de l'emplacement de clé %d a trop peu de bandes. L'en-tête a-t-il été modifié ?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Emplacement de clé %d déverrouillé.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Aucune clé disponible avec cette phrase secrète.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "L'emplacement de clé %d n'est pas valide, merci de sélectionner un emplacement entre 0 et %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Impossible d'effacer de façon sécurisée le périphérique %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Fichier de clé GPG chiffré détecté mais pas encore supporté.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "SVP utilisez gpg --decrypt <FICHIER DE CLE> | cryptsetup --keyfile=-...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Fichier de clé incompatible pour boucle « loop-AES ».\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Le noyau ne supporte pas les associations de type boucle « loop-AES ».\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Erreur lors de la lecture du fichier de clé %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Longueur maximum de la phrase secrète TCRYPT (%d) dépassée.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "L'algorithme de hachage PBKDF2 %s n'est pas supporté, ignoré.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "L'interface du noyau requise pour le chiffrement n'est pas disponible.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Vérifiez que le module du noyau algif_skcipher est chargé.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "L'activation n'est pas supportée pour des secteurs de taille %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Le noyau ne supporte pas l'activation pour ce mode TCRYPT historique.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Activation du chiffrement du système TCRYPT sur la partition %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Le noyau ne supporte pas les associations de type TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Le périphérique verity %s n'utilise pas l'en-tête sur le disque.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Le périphérique %s n'est pas un périphérique VERITY valable.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "La version VERITY %d n'est pas supportée.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "En-tête VERITY corrompu.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Mauvais format d'UUID VERITY fourni sur le périphérique %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Erreur lors de la mise à jour de l'en-tête verity sur le périphérique %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Le noyau ne supporte pas les associations de type dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Le périphérique verity a détecté une corruption après l'activation.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "La zone de réserve n'a pas été mise à zéro à la positon %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Débordement du décalage du périphérique.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "La vérification a échoué à la position %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Mauvais paramètres de taille pour le périphérique verity.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Trop de niveaux dans l'arborescence du volume verity.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "La vérification de la zone de données a échoué.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "La vérification du hachage de la racine a échoué.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Erreur d'entrée/sortie lors de la création de la zone de hachage.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "La création de la zone de hachage a échoué.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "ATTENTION : Le kernel ne peut pas activer le périphérique si la taille des blocs de données dépasse la taille d'une page (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Impossible de vérifier une phrase secrète non saisie sur une console.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "ATTENTION: Le paramètre --hash est ignoré en mode non chiffré quand le fichier de clé est spécifié.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "ATTENTION: L'option --keyfile-size est ignorée. La taille de lecture est la même que la taille de la clé de chiffrement.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "L'option --key-file est requise.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Aucun en-tête détecté avec cette phrase secrète sur le périphérique.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Le contenu de l'en-tête avec la clé de volume est une information\n"
+"sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n"
+"Ce contenu devrait toujours être stocké, chiffré, en lieu sûr."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Le résultat de l'évaluation de performance n'est pas fiable.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Tests approximatifs en utilisant uniquement la mémoire (pas de stockage E/S).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algorithme | Clé | Chiffrement | Déchiffrement\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Le chiffrement %s n'est pas disponible.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/D"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Impossible de lire le fichier de clé %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Échec à la lecture de %d octets du fichier de clé %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Réellement essayer de réparer l'en-tête du périphérique LUKS ?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Cette action écrasera définitivement les données sur %s."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "erreur d'allocation de mémoire dans action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Ne peut utiliser %s comme en-tête sur disque.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Décalage réduit de données est uniquement permis dans un en-tête LUKS détaché.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Emplacement de clé %d sélectionné pour suppression.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "La clé %d n'est pas active. Impossible de l'effacer.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Ceci est le dernier emplacement de clé. Le périphérique sera inutilisable après la suppression de cette clé."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Entrez toute phrase secrète restante : "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Entrez la phrase secrète à effacer : "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Entrez une phrase secrète existante : "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Entrez la phrase secrète à changer : "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Entrez la nouvelle phrase secrète : "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "L'opération isLuks supporte seulement un périphérique en argument.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "L'option --header-backup-file est requise.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Type de métadonnée du périphérique %s non reconnu.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "La commande exige un périphérique et un nom de correspondance comme arguments.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Cette opération va supprimer tous les emplacements de clés du périphérique %s.\n"
+"Le périphérique sera inutilisable après cette opération."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<périphérique> [--type <type>] [<nom>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "ouvrir un périphérique avec <nom> comme « mapping »"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<nom>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "fermeture du périphérique (supprime le « mapping »)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "redimensionner le périphérique actif"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "afficher le statut du périphérique"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <chiffrement>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "chiffrement pour test de performance"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<périphérique>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "essayer de réparer les métadonnées sur le disque"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "supprime tous les emplacements de clés (supprime la clé de chiffrement)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<périphérique> [<fichier de la nouvelle clé>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "formate un périphérique LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "ajouter une clé au périphérique LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<périphérique> [<fichier de clé>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "retire du périphérique LUKS la clé ou le fichier de clé fourni"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "modifie la clé ou le fichier de clé fourni pour le périphérique LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<périphérique> <emplacement de clé>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "efface de façon sécurisée la clé avec le numéro <emplacement de clé> du périphérique LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "afficher l'UUID du périphérique LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "teste si <périphérique> a un en-tête de partition LUKS"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "affiche les informations LUKS de la partition"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "affiche les informations du périphérique TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Suspendre le périphérique LUKS et effacer de façon sécurisée la clé (toutes les entrées/sorties sont suspendues)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Remettre en service le périphérique LUKS suspendu."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Sauvegarder l'en-tête et les emplacements de clés du périphérique LUKS"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Restaurer l'en-tête et les emplacements de clés du périphérique LUKS"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<action> est l'une de :\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Vous pouvez aussi utiliser les alias de l'ancienne syntaxe <action> :\n"
+"\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nom> est le périphérique à créer dans %s\n"
+"<périphérique> est le périphérique chiffré\n"
+"<emplacement> est le numéro de l'emplacement de clé LUKS à modifier\n"
+"<fichier de clé> est un fichier optionnel contenant la nouvelle clé pour l'action luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Clé compilée par défaut et paramètres de phrase secrète :\n"
+"\tTaille max. fichier de clé : %d ko, longueur max. interactive de phrase secrète %d (caractères)\n"
+"Temps d'itération PBKDF2 par défaut pour LUKS : %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Paramètres de chiffrement compilés par défaut :\n"
+"\tloop-AES: %s, Clé %d bits\n"
+"\tplain: %s, Clé: %d bits, Hachage mot de passe: %s\n"
+"\tLUKS1: %s, Clé: %d bits, Hachage en-tête LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s : exige %s comme arguments."
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Afficher ce message d'aide"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Afficher, en résumé, la syntaxe d'invocation"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Options d'aide :"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Afficher la version du paquet"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Afficher des messages d'erreur plus détaillés"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Afficher les messages de débogage"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "L'algorithme de chiffrement utilisé pour chiffrer le disque (voir /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "L'algorithme de hachage utilisé pour créer la clé de chiffrement à partir de la phrase secrète"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Vérifier la phrase secrète en la demandant deux fois"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Lire la clef depuis un fichier."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Lire la clé (maîtresse) du volume depuis un fichier."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Lister les informations de la clé (maîtresse) de volume au lieu des autres emplacements de clefs."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "La taille de la clé de chiffrement"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Limite la lecture d'un fichier de clé"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "octets"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Nombre d'octets à ignorer dans le fichier de clé"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Limite la lecture d'un nouveau fichier de clé ajouté"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Nombre d'octets à ignorer dans le fichier de clé nouvellement ajouté"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Numéro de l'emplacement pour la nouvelle clé (par défaut, le premier disponible)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "La taille du périphérique"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SECTEURS"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Le décalage de départ dans le périphérique sous-jacent"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Combien de secteurs de données chiffrées à ignorer au début"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Crée une association en lecture seule"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Temps d'itération de PBKDF2 pour LUKS (en ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Ne pas demander confirmation"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Délai d'expiration de la demande interactive de phrase secrète (en secondes)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Nombre de tentatives possibles pour entrer la phrase secrète"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Utiliser une limite de <n> secteurs pour aligner les données – pour luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Fichier contenant une sauvegarde de l'en-tête LUKS et des emplacements de clés."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Utiliser /dev/random pour générer la clé de volume."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Utiliser /dev/urandom pour générer la clé de volume."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Partager le périphérique avec un autre segment chiffré sans recouvrement."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID du périphérique à utiliser."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Autoriser les demandes d'abandon (TRIM) pour le périphérique."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Périphérique ou fichier avec un en-tête LUKS séparé."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Ne pas activer le périphérique. Vérifie simplement le phrase secrète."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Utilise l'en-tête caché (périphérique TCRYPT caché)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Le périphérique est un lecteur TCRYPT système (avec secteur d'amorçage)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Utiliser l'en-tête TCRYPT de secours (secondaire)."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Recherche aussi des périphériques compatibles avec VeraCrypt."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Type de métadonnées du périphérique : luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Désactive la vérification de la qualité du mot de passe (si activé)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Utilise l'option de compatibilité de performance dm-crypt same_cpu_crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Utilise l'option de compatibilité de performance dm-crypt submit_from_crypt_cpus."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPTION...] <action> <paramètres de l'action>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Il manque l'argument <action>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Action inconnue."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "L'option --allow-discards est permise uniquement pour une opération d'ouverture.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"L'option --key-size est permise seulement avec luksFormat, open et benchmark.\n"
+"Pour limiter la lecture depuis un fichier de clé, utilisez --keyfile-size=(octets)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS et TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "La taille de la clé doit être un multiple de 8 bits"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Emplacement de clé non valide."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "L'option --key-file est prioritaire par rapport à un fichier de clé spécifié en argument.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Nombre négatif non autorisé pour l'option."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Un seul argument --key-file est autorisé."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Seule une des deux possibilités --use-[u]random est autorisée."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "L'option --use-[u]random est autorisée seulement avec luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "L'option --uuid est autorisée seulement avec luksFormat et luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "L'option --align-payload est autorisée uniquement avec luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "L'option --offset est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "L'option --veracrypt est uniquement supportée pour un périphérique de type TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Chaîne d'aléa spécifiée invalide.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Impossible de créer l'image de hachage %s en écriture.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Chaîne de hachage racine invalide.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<périph_données> <périph_hachage>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "formater le périphérique"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<périph_données> <périph_hachage> <hachage_racine>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "vérifier le périphérique"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nom> <périph_données> <périph_hachage> <hachage_racine>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "créer le périphérique actif"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "supprime (désactive) le périphérique"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "afficher le statut du périphérique actif"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<périph_hachage>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "afficher les informations sur le disque"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nom> est le périphérique à créer sous %s\n"
+"<périph_données> est le périphérique de données\n"
+"<périph_hachage> est le périphérique contenant les données de vérification\n"
+"<hachage_racine> hachage du nœud racine sur <périph_hachage>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Paramètres compilés par défaut dans dm-verity :\n"
+"\tHachage: %s, Bloc données (octets): %u, Bloc hachage (octets): %u, Taille aléa: %u, Format hachage: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Ne pas utiliser le superbloc de verity"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Type de format (1: normal ; 0: Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "nombre"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Taille de bloc sur le périphérique de données"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Taille de bloc sur le périphérique de hachage"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Le nombre de blocs dans le fichier de données"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "blocs"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Décalage de départ dans le périphérique de hachage"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Algorithme de hachage"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "chaîne"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Aléa"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "chaîne hexa"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Redémarrer le noyau si une corruption est détectée"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignore la corruption, elle est seulement enregistrée dans le journal"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Ne pas vérifier les blocs mis à zéro"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "L'option --ignore-corruption, --restart-on-corruption ou --ignore-zero-blocks est seulement permise pour une opération de création.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Les options --ignore-corruption et --restart-on-corruption ne peuvent être utilisées ensembles.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "La réservation de la mémoire alignée a échoué.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Impossible de lire le périphérique %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Marque le périphérique LUKS %s comme inutilisable.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Impossible d'écrire le périphérique %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Impossible d'écrire le journal de re-chiffrement.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Impossible de lire le journal de re-chiffrement.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Fichier journal %s existe. Reprise du re-chiffrement.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Activation du périphérique temporaire en utilisant l'ancien en-tête LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Activation du périphérique temporaire un utilisant le nouvel en-tête LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Échec de l'activation des périphériques temporaires.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Nouvel en-tête LUKS créé pour le périphérique %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Emplacement de clé activé %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Sauvegarde de l'en-tête LUKS du périphérique %s créée.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "La création de la sauvegarde des en-têtes LUKS a échoué.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Impossible de rétablir l'en-tête LUKS sur le périphérique %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "En-tête LUKS rétabli sur le périphérique %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Progression: %5.1f%%, ETA %02llu:%02llu, %4llu MiB écrits, vitesse %5.1f MIB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Impossible de se déplacer au décalage du périphérique.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Impossible d'ouvrir le périphérique LUKS temporaire.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Impossible d'obtenir la taille du périphérique.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Interrompu par un signal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Erreur E/S pendant le re-chiffrement.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Le UUID fourni est invalide.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Impossible d'ouvrir le journal de re-chiffrement.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Pas de déchiffrement en cours. Le UUID fourni ne peut être utilisé que pour reprendre un déchiffrement suspendu.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Taille de bloc de re-chiffrement"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Ne pas changer la clé, pas de re-chiffrement de la zone de donnée."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Utiliser direct-io pour accéder aux périphériques."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Utiliser fsync après chaque bloc."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Mettre le journal à jour après chaque bloc."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Utiliser uniquement cet emplacement (les autres seront désactivés)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Réduire la taille des données du périphérique (déplace le décalage des données). DANGEREUX !"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Utiliser uniquement la taille demandée du périphérique (ignore le reste du périphérique). DANGEREUX !"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Créer un nouvel en-tête sur le périphérique non chiffré."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Déchiffrer le périphérique de manière permanente (supprime le chiffrement)"
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Le uuid utilisé pour poursuivre le déchiffrement."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPTION...] <périph>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Le re-chiffrement va changer : clé de volume%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", change hachage en "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", change chiffrement en "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argument requis."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Seules les valeurs entre 1 MiB et 64 MiB sont permises pour la taille des blocs de re-chiffrement."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "La taille de périphérique spécifiée est invalide."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "La taille maximum réduite pour le périphérique est 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "La taille réduite doit être un multiple d'un secteur de 512 octets."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "L'option --new doit être utilisée avec --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "L'option --keep-key ne peut être utilisée que avec --hash ou --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "L'option --new ne peut pas être utilisée avec --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "L'option --decrypt est incompatible avec les paramètres spécifiés."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "L'option --uuid ne peut être utilisée qu'avec --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Erreur de lecture de la réponse depuis le terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Opération réussie.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "L'opération a échoué avec le code %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Ne peut vérifier la qualité du mot de passe : %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Échec de la vérification de la qualité du mot de passe :\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr ""
+"Échec de la vérification de la qualité du mot de passe :\n"
+" Mauvais mot de passe (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Impossible de trouver un périphérique loopback libre.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Impossible d'ouvrir le périphérique %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Le UUID passé ne peut pas être utilisé à moins qu'un déchiffrement ne soit en cours.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Marque le périphérique LUKS %s comme utilisable.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "ATTENTION : ce code est expérimental. Il peut complètement détruire vos données.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "La vérification de la somme de contrôle FIPS a échoué.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "ATTENTION : le périphérique %s est une partition. Pour le chiffrement de système TCRYPT, vous avez généralement besoin du chemin d'un périphérique bloc entier.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "Le noyau ne supporte pas plain64 IV.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Saisissez la phrase secrète LUKS : "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Entrez la nouvelle phrase secrète LUKS : "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Entrez n'importe quelle phrase secrète LUKS : "
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Impossible d'obtenir le répertoire du gestionnaire « device mapper »."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Le fichier de sauvegarde %s n'existe pas.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Impossible d'ouvrir le fichier %s.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<nom> <périphérique>"
+
+#~ msgid "create device"
+#~ msgstr "créer un périphérique"
+
+#~ msgid "remove device"
+#~ msgstr "retirer le périphérique"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "retire une association LUKS"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "ouvre un périphérique loop-AES avec pour nom associé <nom>"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "enlève une association loop-AES"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "L'option --allow-discards est utilisable uniquement avec les commandes luksOpen, loopaesOpen et create.\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "L'emplacement de clé %d a été vérifié.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "%d n'est pas une taille de clé valide.\n"
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Impossible d'ouvrir le périphérique %s pour un accès %s%s.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "exclusif "
+
+#~ msgid "writable"
+#~ msgstr "en écriture"
+
+#~ msgid "read-only"
+#~ msgstr "en lecture seule"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "ATTENTION !!! La mémoire n'est peut-être pas sécurisée. Êtes-vous super-utilisateur ?\n"
+
+#~ msgid "Negative keyfile size not permitted.\n"
+#~ msgstr "Taille négative de fichier de clé non autorisée.\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Impossible d'obtenir la taille de secteur de %s"
+
+#~ msgid "Block mode XTS is available since kernel 2.6.24.\n"
+#~ msgstr "Le mode \"bloc\" XTS est disponible depuis le noyau 2.6.24.\n"
+
+#~ msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+#~ msgstr "La taille de la clé en mode LRW doit être un multiple de 256 ou 512 bits.\n"
+
+#~ msgid "Block mode LRW is available since kernel 2.6.20.\n"
+#~ msgstr "Le mode \"bloc\" LRW est disponible depuis le noyau 2.6.20.\n"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Échec lors de l'écriture à l'emplacement de stockage de la clé.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Échec lors de la lecture depuis l'emplacement de stockage de la clé.\n"
+
+#~ msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+#~ msgstr "Attention : requête de lecture, mais le fichier de clef n'est pas régulier, la procédure peut rester bloquée.\n"
+
+#~ msgid "Cannot find compatible device-mapper kernel modules.\n"
+#~ msgstr "Impossible de trouver des modules noyau compatibles avec device-mapper.\n"
+
+#~ msgid "Cannot open device: %s\n"
+#~ msgstr "Impossible d'ouvrir le périphérique : %s\n"
+
+#~ msgid "BLKROGET failed on device %s.\n"
+#~ msgstr "BLKROGET a échoué sur le périphérique %s.\n"
+
+#~ msgid "BLKGETSIZE failed on device %s.\n"
+#~ msgstr "BLKGETSIZE a échoué sur le périphérique %s.\n"
+
+#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
+#~ msgstr "identique à luksKillSlot - OBSOLÈTE - voir la page de man"
+
+#~ msgid "modify active device - DEPRECATED - see man page"
+#~ msgstr "modifier le périphérique actif - OBSOLÈTE - voir la page de man"
+
+#~ msgid ""
+#~ "The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
+#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+#~ msgstr ""
+#~ "L'action « reload » est obsolète. Merci d'utiliser « dmsetup reload » si vous avez vraiment besoin de cette fonctionnalité.\n"
+#~ "ATTENTION : n'utilisez pas « reload » sur des périphériques LUKS. Si c'est le cas, tapez Ctrl-C.\n"
+
+#~ msgid "Obsolete option --non-exclusive is ignored.\n"
+#~ msgstr "L'option obsolète --non-exclusive est ignorée.\n"
+
+#~ msgid "Read the key from a file (can be /dev/random)"
+#~ msgstr "Lit la clé depuis un fichier (qui peut être /dev/random)"
+
+#~ msgid "(Obsoleted, see man page.)"
+#~ msgstr "(Obsolète, voir la page de man)."
+
+#~ msgid "%s is not LUKS device.\n"
+#~ msgstr "%s n'est pas un périphérique LUKS.\n"
+
+#~ msgid "%s is not LUKS device."
+#~ msgstr "%s n'est pas un périphérique LUKS."
diff --git a/po/id.po b/po/id.po
new file mode 100644
index 0000000..bd56880
--- /dev/null
+++ b/po/id.po
@@ -0,0 +1,815 @@
+# Pesan bahasa Indonesia untuk cryptsetup.
+# Copyright (C) 2009 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Arif E. Nugroho <arif_endro@yahoo.com>, 2009, 2010.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.1.0-rc4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2009-12-30 20:09+0100\n"
+"PO-Revision-Date: 2010-01-27 07:30+0700\n"
+"Last-Translator: Arif E. Nugroho <arif_endro@yahoo.com>\n"
+"Language-Team: Indonesian <translation-team-id@lists.sourceforge.net>\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: lib/libdevmapper.c:48
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Tidak dapat menginisialisasi pemeta-perangkat. Apakah kernel modul dm_mod telah dimuat?\n"
+
+#: lib/libdevmapper.c:304
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID untuk perangkat %s telah terpotong.\n"
+
+#: lib/setup.c:103
+#, c-format
+msgid "Cannot not read %d bytes from key file %s.\n"
+msgstr "Tidak dapat membaca %d bytes dari berkas kunci %s.\n"
+
+#: lib/setup.c:115
+msgid "Key processing error.\n"
+msgstr "Terjadi kesalahan dalam pengolahan kunci.\n"
+
+#: lib/setup.c:169
+msgid "All key slots full.\n"
+msgstr "Semua slot kunci telah penuh.\n"
+
+#: lib/setup.c:176 lib/setup.c:304 lib/setup.c:778
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Slot kunci %d tidak valid, mohon pilih diantara 0 dan %d.\n"
+
+#: lib/setup.c:182
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Slot kunci %d penuh, mohon pilih yang lain.\n"
+
+#: lib/setup.c:201
+msgid "Enter any remaining LUKS passphrase: "
+msgstr "Masukan kata sandi LUKS yang tersisa: "
+
+#: lib/setup.c:222
+#, c-format
+msgid "Key slot %d verified.\n"
+msgstr "Slot kunci %d telah terverifikasi.\n"
+
+#: lib/setup.c:257
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Tidak dapat mendapatkan informasi mengenai perangkat %s.\n"
+
+#: lib/setup.c:264
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Perangkat %s memiliki ukuran nol.\n"
+
+#: lib/setup.c:268
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Perangkat %s terlalu kecil.\n"
+
+#: lib/setup.c:293
+msgid "Enter LUKS passphrase to be deleted: "
+msgstr "Masukan kata sandi LUKS yang akan dihapus: "
+
+#: lib/setup.c:299
+#, c-format
+msgid "key slot %d selected for deletion.\n"
+msgstr "slot kunci %d terpilih untuk penghapusan.\n"
+
+#: lib/setup.c:310
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Kunci %d tidak aktif. Tidak dapat menghapus.\n"
+
+#: lib/setup.c:316
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Ini adalah slot kunci terakhir. Perangkat mungkin akan menjadi tidak stabil setelah menghapus kunci ini."
+
+#: lib/setup.c:364 lib/setup.c:1651 lib/setup.c:1704 lib/setup.c:1761
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Perangkat %s telah ada.\n"
+
+#: lib/setup.c:369
+#, c-format
+msgid "Invalid key size %d.\n"
+msgstr "Besar kunci %d tidak valid.\n"
+
+#: lib/setup.c:471 lib/setup.c:1656
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Masukan kata sandi untuk %s: "
+
+#: lib/setup.c:600 lib/setup.c:628 lib/setup.c:1365 lib/setup.c:1712
+msgid "Enter passphrase: "
+msgstr "Masukan kata sandi: "
+
+#: lib/setup.c:661 lib/setup.c:1040 lib/setup.c:1803
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Perangkat %s tidak aktif.\n"
+
+#: lib/setup.c:770
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Tidak ada pola spesifikasi cipher yang dikenal terdeteksi.\n"
+
+#: lib/setup.c:784
+msgid "Enter LUKS passphrase: "
+msgstr "Masukan kata sandi LUKS: "
+
+#: lib/setup.c:1060
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Parameter crypt tidak valid.\n"
+
+#: lib/setup.c:1065
+msgid "Invalid key size.\n"
+msgstr "Ukuran kunci tidak valid.\n"
+
+#: lib/setup.c:1097
+msgid "Can't format LUKS without device.\n"
+msgstr "Tidak dapat memformat LUKS tanpat perangkat.\n"
+
+#: lib/setup.c:1112
+#, c-format
+msgid "Can't wipe header on device %s.\n"
+msgstr "Tidak dapat menghapus kepala di perangkat %s.\n"
+
+#: lib/setup.c:1154
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Tipe perangkat sandi %s yang diminta tidak diketahui.\n"
+
+#: lib/setup.c:1187
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Tidak dapat menginisialisasi backend crypto.\n"
+
+#: lib/setup.c:1261
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Volume %s tidak aktif.\n"
+
+#: lib/setup.c:1274
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Volume %s telah disuspend.\n"
+
+#: lib/setup.c:1300 lib/setup.c:1347 lib/setup.c:1406 lib/setup.c:1484
+#: lib/setup.c:1556 lib/setup.c:1601 lib/setup.c:1695 lib/setup.c:1752
+#: lib/setup.c:1873 lib/setup.c:1956 lib/setup.c:2056
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Operasi ini hanya didukunga untuk perangkat LUKS.\n"
+
+#: lib/setup.c:1311 lib/setup.c:1358
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Volume %s tidak disuspend.\n"
+
+#: lib/setup.c:1420 lib/setup.c:1498
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Tidak dapat menambahkan slot kunci, seluruh slot tidak aktif dan tidak ada volume kunci yang disediakan.\n"
+
+#: lib/setup.c:1429 lib/setup.c:1504 lib/setup.c:1507
+msgid "Enter any passphrase: "
+msgstr "Masukan kata sandi: "
+
+#: lib/setup.c:1448 lib/setup.c:1522 lib/setup.c:1526 lib/setup.c:1579
+msgid "Enter new passphrase for key slot: "
+msgstr "Masukan kasa sandi baru untuk slot kunci: "
+
+#: lib/setup.c:1570 lib/setup.c:1772 lib/setup.c:1884
+msgid "Volume key does not match the volume.\n"
+msgstr "Kunci volume tidak cocok dengan volume.\n"
+
+#: lib/setup.c:1607
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Slot kunci %d tidak valid.\n"
+
+#: lib/setup.c:1612
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Slot kunci %d tidak digunakan.\n"
+
+#: lib/setup.c:1799
+#, c-format
+msgid "Device %s is busy.\n"
+msgstr "Perangkat %s sibuk.\n"
+
+#: lib/setup.c:1807
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Perangkat %s tidak valid.\n"
+
+#: lib/setup.c:1831
+msgid "Volume key buffer too small.\n"
+msgstr "Penyangga kunci volume terlalu kecil.\n"
+
+#: lib/setup.c:1839
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Tidak dapat mendapatkan kunci volume untuk perangkat.\n"
+
+#: lib/setup.c:1861
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Operasi ini tidak didukung untuk perangkat crypt %s.\n"
+
+#: lib/utils.c:416
+#, c-format
+msgid "Failed to open key file %s.\n"
+msgstr "Gagal membuka berkas kunci %s.\n"
+
+#: lib/utils.c:436
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Kesalahan dalam pembacaan kata sandi dari terminal.\n"
+
+#: lib/utils.c:441
+msgid "Verify passphrase: "
+msgstr "Memverifikasi kata sandi: "
+
+#: lib/utils.c:443
+msgid "Passphrases do not match.\n"
+msgstr "Kata sandi tidak cocok.\n"
+
+#: lib/utils.c:458
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Tidak dapat melakukan verifikasi kata sandi di masukan bukan tty.\n"
+
+#: lib/utils.c:471
+#, c-format
+msgid "Failed to stat key file %s.\n"
+msgstr "Gagal memperoleh data statistik berkas kunci %s.\n"
+
+#: lib/utils.c:475
+#, c-format
+msgid "Warning: exhausting read requested, but key file %s is not a regular file, function might never return.\n"
+msgstr "Peringatan: pembacaan yang melelahkan diminta, tetapi berkas kunci %s bukan sebuah berkas biasa, fungsi mungkin tidak pernah kembali.\n"
+
+#: lib/utils.c:487
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Kehabisan memori ketika membaca kata sandi.\n"
+
+#: lib/utils.c:494
+msgid "Error reading passphrase.\n"
+msgstr "Kesalahan dalam pembacaan kata sandi.\n"
+
+#: lib/utils.c:531
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Perangkat %s tidak ada atau akses ditolak.\n"
+
+#: lib/utils.c:538
+#, c-format
+msgid "Cannot open device %s for %s%s access.\n"
+msgstr "Tidak dapat membuka perangkat %s untuk akses %s%s.\n"
+
+#: lib/utils.c:539
+msgid "exclusive "
+msgstr "ekslusif "
+
+#: lib/utils.c:540
+msgid "writable"
+msgstr "dapat-ditulis"
+
+#: lib/utils.c:540
+msgid "read-only"
+msgstr "baca-saja"
+
+#: lib/utils.c:547
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Tidak dapat membaca perangkat %s.\n"
+
+#: lib/utils.c:577
+#, c-format
+msgid "Cannot open device: %s\n"
+msgstr "Tidak dapat membuka perangkat: %s\n"
+
+#: lib/utils.c:587
+#, c-format
+msgid "BLKROGET failed on device %s.\n"
+msgstr "BLKROGET gagal di perangkat %s.\n"
+
+#: lib/utils.c:612
+#, c-format
+msgid "BLKGETSIZE failed on device %s.\n"
+msgstr "BLKGETSIZE gagal di perangkat %s.\n"
+
+#: lib/utils.c:660
+msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+msgstr "PERINGATAN!!! Kemungkinan menggunakan memori tidak aman. Apakah anda root?\n"
+
+#: lib/utils.c:666
+msgid "Cannot get process priority.\n"
+msgstr "Tidak dapat mendapatkan prioritas proses.\n"
+
+#: lib/utils.c:669 lib/utils.c:682
+#, c-format
+msgid "setpriority %u failed: %s"
+msgstr "setpriority %u gagal: %s"
+
+#: lib/utils.c:680
+msgid "Cannot unlock memory."
+msgstr "Tidak dapat membuka kunci memori."
+
+#: luks/keyencryption.c:68
+#, c-format
+msgid "Unable to obtain sector size for %s"
+msgstr "Tidak dapat mendapatkan ukuran sektor untuk %s"
+
+#: luks/keyencryption.c:137
+msgid "Failed to obtain device mapper directory."
+msgstr "Gagal untuk memperoleh direktori pemeta-perangkat."
+
+#: luks/keyencryption.c:153
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+"%s"
+msgstr ""
+"Gagal untuk mengkonfigurasi pemetaan kunci dm-crypt untuk perangkat %s.\n"
+"Periksa apakah kernel mendukung cipher %s (periksa syslog untuk informasi lebih lanjut).\n"
+"%s"
+
+#: luks/keyencryption.c:163
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Gagal untuk membuka perangkat penyimpan kunci sementara.\n"
+
+#: luks/keyencryption.c:170
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Gagal untuk mengakses perangkat penyimpan kunci sementara.\n"
+
+#: luks/keymanage.c:91
+#, c-format
+msgid "Requested file %s already exist.\n"
+msgstr "Berkas %s yang diminta telah ada.\n"
+
+#: luks/keymanage.c:111
+#, c-format
+msgid "Device %s is not LUKS device.\n"
+msgstr "Perangkat %s bukan perangkat LUKS.\n"
+
+#: luks/keymanage.c:131
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Tidak dapat menulis berkas cadangan header %s.\n"
+
+#: luks/keymanage.c:158
+#, c-format
+msgid "Backup file %s doesn't exist.\n"
+msgstr "Berkas cadangan %s tidak ada.\n"
+
+#: luks/keymanage.c:166
+msgid "Backup file do not contain valid LUKS header.\n"
+msgstr "Berkas cadangan tidak berisi header LUKS yang valid.\n"
+
+#: luks/keymanage.c:179
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Tidak dapat membuka berkas cadangan header %s.\n"
+
+#: luks/keymanage.c:185
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Tidak dapat membaca berkas cadangan header %s.\n"
+
+#: luks/keymanage.c:196
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Data offset atau ukuran kunci berbeda di perangkat dan cadangan, pengembalian gagal.\n"
+
+#: luks/keymanage.c:204
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Perangkat %s %s%s"
+
+#: luks/keymanage.c:205
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "tidak berisi header LUKS. Mengganti header dapat menghancurkan data di perangkat itu."
+
+#: luks/keymanage.c:206
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "telah berisi header LUKS. Mengganti header dapat mengganti slot kunci yang telah ada."
+
+#: luks/keymanage.c:207
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"PERINGATAN: header perangkat ril memiliki UUID berbeda dengan cadangan!"
+
+#: luks/keymanage.c:222 luks/keymanage.c:319 luks/keymanage.c:354
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Tidak dapat membuka perangkat %s.\n"
+
+#: luks/keymanage.c:254
+#, c-format
+msgid "%s is not LUKS device.\n"
+msgstr "%s bukan perangkat LUKS.\n"
+
+#: luks/keymanage.c:256
+#, c-format
+msgid "%s is not LUKS device."
+msgstr "%s bukan perangkat LUKS."
+
+#: luks/keymanage.c:259
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "versi LUKS %d tidak didukung.\n"
+
+#: luks/keymanage.c:262
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Hash %s LUKS yang diminta tidak didukung.\n"
+
+#: luks/keymanage.c:293
+#, c-format
+msgid "Cannot open file %s.\n"
+msgstr "Tidak dapat membuka berkas %s.\n"
+
+#: luks/keymanage.c:331
+#, c-format
+msgid "LUKS header detected but device %s is too small.\n"
+msgstr "Header LUKS terdeteksi tetapi perangkat %s terlalu kecil.\n"
+
+#: luks/keymanage.c:375
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Error selama memperbarui header LUKS di perangkat %s.\n"
+
+#: luks/keymanage.c:382
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Error membaca-kembali header LUKS setelah memperbarui di perangkat %s.\n"
+
+#: luks/keymanage.c:394
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
+msgstr "Pilihan PBKDF2 tidak kompatibel (menggunakan algoritma hash %s)."
+
+#: luks/keymanage.c:439
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Tidak dapat membuat header LUKS: pembacaan garam acak gagal.\n"
+
+#: luks/keymanage.c:456
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Tidak dapat membuat header LUKS: digest header gagal (menggunakan hash %s).\n"
+
+#: luks/keymanage.c:473
+msgid "Wrong UUID format provided, generating new one.\n"
+msgstr "Format UUID yang disediakan berbeda, membuat yang baru.\n"
+
+#: luks/keymanage.c:500
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Slot kunci %d aktif, hapus terlebih dahulu.\n"
+
+#: luks/keymanage.c:505
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Slot kunci %d material terdapat terlalu sedikit stripes. Manipulasi header?\n"
+
+#: luks/keymanage.c:564
+msgid "Failed to write to key storage.\n"
+msgstr "Gagal untuk menulis di penyimpanan kunci.\n"
+
+#: luks/keymanage.c:641
+msgid "Failed to read from key storage.\n"
+msgstr "Gagal untuk membaca dari penyimpanan kunci.\n"
+
+#: luks/keymanage.c:650
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Slot kunci %d tidak terkunci.\n"
+
+#: luks/keymanage.c:683
+msgid "No key available with this passphrase.\n"
+msgstr "Tidak ada kunci tersedia dengan kata sandi ini.\n"
+
+#: luks/keymanage.c:760
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Slot kunci %d tidak valid, mohon pilih slot kunci diantara 0 dan %d.\n"
+
+#: luks/keymanage.c:772
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Tidak dapat menghapus perangkat %s.\n"
+
+#: src/cryptsetup.c:71 src/cryptsetup.c:89
+msgid "<name> <device>"
+msgstr "<nama> <perangkat>"
+
+#: src/cryptsetup.c:71
+msgid "create device"
+msgstr "buat perangkat"
+
+#: src/cryptsetup.c:72 src/cryptsetup.c:73 src/cryptsetup.c:74
+#: src/cryptsetup.c:82
+msgid "<name>"
+msgstr "<nama>"
+
+#: src/cryptsetup.c:72
+msgid "remove device"
+msgstr "hapus perangkat"
+
+#: src/cryptsetup.c:73
+msgid "resize active device"
+msgstr "ubah ukuran perangkat aktif"
+
+#: src/cryptsetup.c:74
+msgid "show device status"
+msgstr "tampilkan status perangkat"
+
+#: src/cryptsetup.c:75 src/cryptsetup.c:77
+msgid "<device> [<new key file>]"
+msgstr "<perangkat> [<berkas kunci baru>]"
+
+#: src/cryptsetup.c:75
+msgid "formats a LUKS device"
+msgstr "format sebuah perangkat LUKS"
+
+#: src/cryptsetup.c:76
+msgid "<device> <name> "
+msgstr "<perangkat> <nama>"
+
+#: src/cryptsetup.c:76
+msgid "open LUKS device as mapping <name>"
+msgstr "buka perangkat LUKS sebagai pemetaan <nama>"
+
+#: src/cryptsetup.c:77
+msgid "add key to LUKS device"
+msgstr "tambahkan kunci ke perangkat LUKS"
+
+#: src/cryptsetup.c:78
+msgid "<device> [<key file>]"
+msgstr "<perangkat> [<berkas kunci>]"
+
+#: src/cryptsetup.c:78
+msgid "removes supplied key or key file from LUKS device"
+msgstr "hapus kunci yang diberikan atau berkas kunci dari perangkat LUKS"
+
+#: src/cryptsetup.c:79 src/cryptsetup.c:88
+msgid "<device> <key slot>"
+msgstr "<perangkat> <slot kunci>"
+
+#: src/cryptsetup.c:79
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "hapus kunci dengan nomor <slot kunci> dari perangkat LUKS"
+
+#: src/cryptsetup.c:80 src/cryptsetup.c:81 src/cryptsetup.c:83
+#: src/cryptsetup.c:84 src/cryptsetup.c:85 src/cryptsetup.c:86
+#: src/cryptsetup.c:87
+msgid "<device>"
+msgstr "<perangkat>"
+
+#: src/cryptsetup.c:80
+msgid "print UUID of LUKS device"
+msgstr "tampilkan UUID dari perangkat LUKS"
+
+#: src/cryptsetup.c:81
+msgid "tests <device> for LUKS partition header"
+msgstr "periksa <perangkat> untuk header partisi LUKS"
+
+#: src/cryptsetup.c:82
+msgid "remove LUKS mapping"
+msgstr "hapus pemetaan LUKS"
+
+#: src/cryptsetup.c:83
+msgid "dump LUKS partition information"
+msgstr "dump informasi partisi LUKS"
+
+#: src/cryptsetup.c:84
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Hentikan perangkat LUKS dan hapus kunci (semua IO dihentikan)."
+
+#: src/cryptsetup.c:85
+msgid "Resume suspended LUKS device."
+msgstr "Lanjutkan perangkat LUKS yang dihentikan."
+
+#: src/cryptsetup.c:86
+msgid "Backup LUKS device header and keyslots"
+msgstr "Buat cadangan header perangkat LUKS dan slot kunci"
+
+#: src/cryptsetup.c:87
+msgid "Restore LUKS device header and keyslots"
+msgstr "Kembalikan header perangkat LUKS dan slot kunci"
+
+#: src/cryptsetup.c:88
+msgid "identical to luksKillSlot - DEPRECATED - see man page"
+msgstr "identik ke luksKillSlot - DITINGGALKAN - lihat halaman petunjuk penggunaan"
+
+#: src/cryptsetup.c:89
+msgid "modify active device - DEPRECATED - see man page"
+msgstr "modifikasi perangkat aktif - DITINGGALKAN - lihat halaman petunjuk penggunaan"
+
+#: src/cryptsetup.c:180
+msgid "Command successful.\n"
+msgstr "Perintah berhasil.\n"
+
+#: src/cryptsetup.c:194
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Perintah gagal dengan kode %i"
+
+#: src/cryptsetup.c:222
+msgid ""
+"The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
+"WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+msgstr ""
+"Aksi muat kembali telah ditinggalkan. Mohon gunakan \"dmsetup reload\" dalam kasus anda benar benar membutuhkan fungsi ini.\n"
+"PERINGATAN: jangan gunakan muat-kembali untuk menyentuk perangkat LUKS. Jika itu masalahnya, tekan Ctrl-C sekarang.\n"
+
+#: src/cryptsetup.c:390
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Ini akan memaksa menulis data di %s secara permanen."
+
+#: src/cryptsetup.c:391
+msgid "memory allocation error in action_luksFormat"
+msgstr "alokasi memori error dalam action_luksFormat"
+
+#: src/cryptsetup.c:421
+msgid "Obsolete option --non-exclusive is ignored.\n"
+msgstr "Pilihan sudah ditinggalkan --no-exclusive diabaikan.\n"
+
+#: src/cryptsetup.c:581 src/cryptsetup.c:603
+msgid "Option --header-backup-file is required.\n"
+msgstr "Pilihan --header-backup-file dibutuhkan.\n"
+
+#: src/cryptsetup.c:637
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<aksi> adalah salah satu dari:\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nama> adalah perangkat untuk dibuat dibawah %s\n"
+"<perangkat> adalah perangkat terenkripsi\n"
+"<slot kunci> adalah nomor slot kunci LUKS untuk dimodifikasi\n"
+"<berkas kunci> adalah berkas kunci opsional untuk kunci baru untuk aksi luksAddKey\n"
+
+#: src/cryptsetup.c:650
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s\n"
+msgstr ""
+"\n"
+"Parameter baku yang terkompilasi dalam perangkat penyandi:\n"
+"\tterbuka: %s, Kunci: %d bits, Hash kata sandi : %s\n"
+"\tLUKS1 : %s, Kunci: %d bits, Hash kepala LUKS: %s\n"
+
+#: src/cryptsetup.c:697
+msgid "Show this help message"
+msgstr "Tampilkan pesan bantuan ini"
+
+#: src/cryptsetup.c:698
+msgid "Display brief usage"
+msgstr "Tampilkan penggunaan singkat"
+
+#: src/cryptsetup.c:702
+msgid "Help options:"
+msgstr "Pilihan bantuan:"
+
+#: src/cryptsetup.c:703
+msgid "Shows more detailed error messages"
+msgstr "Tampilkan pesan kesalahan secara lebih detail"
+
+#: src/cryptsetup.c:704
+msgid "Show debug messages"
+msgstr "Tampilkan pesan penelusuran"
+
+#: src/cryptsetup.c:705
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Cipher yang digunakan untuk mengenkripsi ke disk (lihat /proc/crypto)"
+
+#: src/cryptsetup.c:706
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Hash yang digunakan untuk membuat kunci enkripsi dari kata sandi"
+
+#: src/cryptsetup.c:707
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifikasi kata sandi dengan menanyakan itu dua kali"
+
+#: src/cryptsetup.c:708
+msgid "Read the key from a file (can be /dev/random)"
+msgstr "Baca kunci dari sebuah berkas (dapat berupa /dev/random)"
+
+#: src/cryptsetup.c:709
+msgid "Read the volume (master) key from file."
+msgstr "Baca volume (master) kunci dari berkas."
+
+#: src/cryptsetup.c:710
+msgid "The size of the encryption key"
+msgstr "Besar dari kunci enkripsi"
+
+#: src/cryptsetup.c:710
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:711
+msgid "Slot number for new key (default is first free)"
+msgstr "Nomor slot untuk kunci baru (baku adalah yang kosong pertama)"
+
+#: src/cryptsetup.c:712
+msgid "The size of the device"
+msgstr "Besar dari perangkat"
+
+#: src/cryptsetup.c:712 src/cryptsetup.c:713 src/cryptsetup.c:714
+#: src/cryptsetup.c:722
+msgid "SECTORS"
+msgstr "SEKTOR"
+
+#: src/cryptsetup.c:713
+msgid "The start offset in the backend device"
+msgstr "Awal ofset dalam perangkat backend"
+
+#: src/cryptsetup.c:714
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Berapa banyak sektor dari data terenkripsi yang dilewatkan di awal"
+
+#: src/cryptsetup.c:715
+msgid "Create a readonly mapping"
+msgstr "Buat pemetaan baca-saja"
+
+#: src/cryptsetup.c:716
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "waktu iterasi PBKDF2 untuk LUKS (dalam mdet)"
+
+#: src/cryptsetup.c:717
+msgid "msecs"
+msgstr "mdetik"
+
+#: src/cryptsetup.c:718
+msgid "Do not ask for confirmation"
+msgstr "Jangan tanya untuk konfirmasi"
+
+#: src/cryptsetup.c:719
+msgid "Print package version"
+msgstr "Tampilkan versi paket"
+
+#: src/cryptsetup.c:720
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Waktu habis untuk pertanyaan interaktif kata sandi (dalam detik)"
+
+#: src/cryptsetup.c:720
+msgid "secs"
+msgstr "detik"
+
+#: src/cryptsetup.c:721
+msgid "How often the input of the passphrase can be retried"
+msgstr "Seberapa sering masukan dari kata sandi dapat dicoba"
+
+#: src/cryptsetup.c:722
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Sesuaikan muatan di batas sektor <n> - untuk luksFormat"
+
+#: src/cryptsetup.c:723
+msgid "(Obsoleted, see man page.)"
+msgstr "(Ditinggalkan, lihat halaman petunjuk penggunaan.)"
+
+#: src/cryptsetup.c:724
+msgid "File with LUKS header and keyslots backup."
+msgstr "Berkas dengan header LUKS dan cadangan slot kunci."
+
+#: src/cryptsetup.c:742
+msgid "[OPTION...] <action> <action-specific>]"
+msgstr "[PILIHAN...] <aksi> <aksi-spesifik>]"
+
+#: src/cryptsetup.c:778
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Kunci harus kelipatan dari 8 bit"
+
+#: src/cryptsetup.c:782
+msgid "Argument <action> missing."
+msgstr "Argumen <aksi> hilang."
+
+#: src/cryptsetup.c:788
+msgid "Unknown action."
+msgstr "Aksi tidak diketahui."
+
+#: src/cryptsetup.c:803
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: membutuhkan %s sebagai argumen"
diff --git a/po/it.po b/po/it.po
new file mode 100644
index 0000000..7e0bbdf
--- /dev/null
+++ b/po/it.po
@@ -0,0 +1,1836 @@
+# Italian translation for cryptsetup.
+# Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015, 2016 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Sergio Zanchetta <primes2h@ubuntu.com>, 2010, 2011, 2012.
+# Milo Casagrande <milo@milo.name>, 2013, 2014, 2015, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup-1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-09 23:36+0100\n"
+"Last-Translator: Milo Casagrande <milo@milo.name>\n"
+"Language-Team: Italian <tp@lists.linux.it>\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=2; plural=(n!=1);\n"
+"X-Generator: Poedit 2.0beta3\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Impossibile inizializzare device-mapper: in esecuzione come utente non-root.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Impossibile inizializzare device-mapper. Forse il modulo kernel dm_mod non è caricato.\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "Il DM-UUID per il dispositivo %s è stato troncato.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Le opzioni di prestazioni richieste per dm-crypt non sono supportate.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Le opzioni di gestione dei dati rovinati richieste per dm-verity non sono supportate.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Il sistema non ha un'entropia sufficiente mentre viene generata la chiave di volume.\n"
+"Muovere il mouse o digitare del testo in un'altra finestra per accumulare più eventi casuali.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Generazione chiave (%d%% completato).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Esecuzione in modalità FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Errore fatale durante l'inizializzazione dell'RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Qualità richiesta per l'RNG sconosciuta.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Errore %d nel leggere dall'RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Impossibile inizializzare il backend crypto RNG.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Impossibile inizializzare il backend crypto.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "L'algoritmo di hash %s non è supportato.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Errore nell'elaborazione della chiave (usando l'hash %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Impossibile determinare il tipo di dispositivo. Attivazione incompatibile del dispositivo?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Questa operazione è supportata solo per il dispositivo LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Tutti gli slot di chiave sono pieni.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Lo slot di chiave %d non è valido, selezionarne uno tra 0 e %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Lo slot di chiave %d è pieno, selezionarne un altro.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Inserire la passphrase per %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Rilevato un leader, ma il dispositivo %s è troppo piccolo.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Questa operazione non è supportata per questo tipo di dispositivo.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Il dispositivo %s non è attivo.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Device sottostante a quello cifrato %s scomparso.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Parametri di cifratura in chiaro non validi.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Dimensione della chiave non valida.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID non è supportato per questo tipo di cifratura.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Impossibile formattare LUKS senza dispositivo.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Impossibile formattare il dispositivo %s che risulta ancora in uso.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Impossibile formattare il dispositivo %s, permessi non concessi.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Impossibile ripulire l'leader sul dispositivo %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Impossibile formattare LOOPAES senza dispositivo.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Impossibile formattare VERITY senza dispositivo.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Tipo di hash %d VERITY non supportato.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Dimensione blocco VERITY non supportata.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Offset hash VERITY non supportato.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "L'area dati si sovrappone a quella di hash.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Richiesto dispositivo cifrato di tipo %s sconosciuto.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Impossibile ridimensionare un dispositivo di loopback.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Cambiare veramente l'UUID del dispositivo?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Il volume %s non è attivo.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Il volume %s è già sospeso.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "La sospensione non è supportata per il dispositivo %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Errore durante la sospensione del dispositivo %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Il volume %s non è sospeso.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Il ripristino non è supportato per il dispositivo %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Errore durante il ripristino del dispositivo %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Inserire la passphrase: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Impossibile aggiungere uno slot di chiave, tutti gli slot sono disabilitati e nessuna chiave di volume è stata fornita.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Inserire una delle passphrase esistenti: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Inserire la nuova passphrase per lo slot di chiave: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Slot di chiave %d cambiato.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Sostituito con lo slot di chiave %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Sostituzione del nuovo slot di chiave non riuscita.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "La chiave di volume non corrisponde al volume.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Lo slot di chiave %d non è valido.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Lo slot di chiave %d non è utilizzato.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Esiste già un dispositivo %s.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Specificata una chiave di volume non corretta per il dispositivo in chiaro.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Specificato un bash root non corretto per il dispositivo verity.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Il tipo di dispositivo non è inizializzato correttamente.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Il dispositivo %s è ancora in uso.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Device %s non valido.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Funzione non disponibile in modalità FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Buffer di chiave del volume troppo piccolo.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Impossibile recuperare la chiave di volume per il dispositivo in chiaro.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Questa operazione non è supportata per il dispositivo cifrato %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "L'operazione di dump non è supportata per questo tipo di dispositivo.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Impossibile ottenere la priorità del processo.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Impossibile sbloccare la memoria.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Memoria esaurita durante la lettura della passphrase.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Errore nel leggere la passphrase dal terminale.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Verifica passphrase: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Le passphrase non corrispondono.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Impossibile usare l'offset con l'input da terminale.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Apertura del file chiave non riuscita.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Stat del file chiave non riuscito.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Impossibile posizionarsi all'offset del file di chiave richiesto.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Errore nel leggere la passphrase.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Dimensione massima del file chiave superata.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Impossibile leggere la quantità richiesta di dati.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Il dispositivo %s non esiste oppure è negato l'accesso.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Impossibile usare un dispositivo di loopback, in esecuzione come utente non root.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Collegamento del dispositivo di loopback non riuscito (è richiesto un dispositivo di loop con flag autoclear).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Impossibile disporre del dispositivo %s il quale è in uso (già mappato o montato).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Impossibile ottenere informazioni sul dispositivo %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "L'offset richiesto è oltre la dimensione reale del dispositivo %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Il dispositivo %s ha dimensione zero.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Il dispositivo %s è troppo piccolo.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Impostazione mappatura di chiave dm-crypt non riuscita per il dispositivo %s.\n"
+"Controllare che il kernel supporti il cifrario %s (controllare il syslog per maggiori informazioni).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "La dimensione della chiave in modalità XTS deve essere 256 o 512 bit.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Impossibile scrivere sul dispositivo %s, permessi non concessi.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Apertura del dispositivo temporaneo di deposito chiavi non riuscita.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Accesso al dispositivo temporaneo di deposito chiavi non riuscito.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Errore di IO durante la cifratura dello slot di chiave.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Errore di IO durante la decifratura dello slot di chiave.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Il dispositivo %s è troppo piccolo (LUKS richiede almeno %<PRIu64> byte).\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Il dispositivo %s non è un dispositivo LUKS valido.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Il file di backup dell'header %s richiesto esiste già.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Impossibile creare il file di backup dell'header %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Impossibile scrivere il file di backup dell'header %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Il file di backup non contiene un header LUKS valido.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Impossibile aprire il file di backup dell'header %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Impossibile leggere il file di backup dell'header %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "L'offset di dati oppure la dimensione della chiave sono diversi tra il dispositivo e il backup, ripristino non riuscito.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Il dispositivo %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "non contiene un header LUKS. La sostituzione dell'header può distruggere i dati in quel dispositivo."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "contiene già un header LUKS. La sostituzione dell'header distruggerà gli slot di chiave esistenti."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"Attenzione: l'header reale del dispositivo ha un UUID diverso da quello di backup."
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Impossibile aprire il dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Dimensione non standard della chiave, è richiesta una riparazione manuale.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Allineamento slot di chiave non standard, richiesta riparazione manuale.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Riparazione degli slot di chiave.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Riparazione non riuscita."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Slot di chiave %i: offset riparato (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Slot di chiave %i: strisce riparate (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Slot di chiave %i: firma della partizione inesistente.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Slot di chiave %i: salt ripulita.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Scrittura dell'header LUKS sul disco.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Versione %d di LUKS non supportata.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "L'hash %s di LUKS richiesto non è supportato.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "Lo slot di chiave LUKS %u non è valido.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Nessun problema conosciuto rilevato per l'header LUKS.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Errore durante l'aggiornamento dell'header LUKS sul dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Errore nel rileggere l'header LUKS dopo l'aggiornamento sul dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "L'offset dei dati per l'header LUKS scollegato deve essere 0 o maggiore della dimensione dell'header (%d settori).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Fornito un formato UUID per LUKS errato.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Impossibile creare l'header LUKS: lettura salt casuale non riuscita.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Opzioni PBKDF2 non compatibili (usando l'algoritmo di hash %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Impossibile creare l'header LUKS: digest dell'header non riuscito (usando l'hash %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Slot di chiave %d attivo, eliminarlo prima.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Il materiale dello slot di chiave %d contiene troppe poche strisce. Manipolazione dell'header?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Slot di chiave %d sbloccato.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Nessuna chiave disponibile con questa passphrase.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Lo slot di chiave %d non è valido, selezionarne uno tra 0 e %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Impossibile ripulire il dispositivo %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Rilevato un file chiave cifrato con GPG non ancora supportato.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Usare gpg --decrypt <FILECHIAVE> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Rilevato file chiave loop-AES non compatibile.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Il kernel non supporta la mappatura compatibile loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Errore nel leggere il file chiave %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Lunghezza massima (%d) della passphrase TCRYPT superata.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "L'algoritmo di hash PBKDF2 %s non è disponibile, viene saltato.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Interfaccia kernel richiesta del cifrario non è disponibile.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Assicurarsi di avere il modulo del kernel algif_skcipher caricato.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Attivazione non supportata per la dimensione del settore di %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Il kernel non supporta l'attivazione per questa modalità legacy TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Attivazione sistema di cifratura TCRYPT per la partizione %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Il kernel non supporta la mappatura compatibile TCYPRT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Questa funzione non è supportata senza l'header TCRYPT caricato."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Il dispositivo verity %s non usa header su disco.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Il dispositivo %s non è un dispositivo VERITY valido.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Versione %d di VERITY non supportata.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Header VERITY danneggiato.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Fornito un formato UUID per VERITY errato sul dispositivo %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Errore durante l'aggiornamento dell'header verity sul dispositivo %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Il kernel non supporta la mappatura dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Il dispositivo verity ha rilevato un'anomalia dopo l'attivazione.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "L'area spare non risulta essere a zero alla posizione %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Overflow offset del dispositivo.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Verifica alla posizione %<PRIu64> non riuscita.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Parametri della dimensione non validi per il dispositivo verity.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Troppi livelli d'albero per il volume verity.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Verifica dell'area dati non riuscita.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Verifica dall'hash root non riuscita.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Errore di input/output nel creare l'area hash.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Creazione dell'area hash non riuscita.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "Attenzione: il kernel non può attivare il dispositivo se la dimensione del blocco dati supera la dimensione di pagina (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Impossibile verificare la passphrase su input non tty.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Non è stato rilevato alcun modello noto di specifica di cifrario.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "Attenzione: il parametro --hash viene ignorato in modalità normale con file di chiave specificato.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "Attenzione: l'opzione --keyfile-size viene ignorata, la dimensione di lettura è la stessa della dimensione della chiave di cifratura.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "È richiesta l'opzione --key-file.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Nessun header di dispositivo rilevato con questa passphrase.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Il dump dell'header con la chiave di volume contiene informazioni\n"
+"confidenziali che permettono di accedere alla partizione cifrata senza passphrase.\n"
+"Questo dump dovrebbe sempre essere salvato in modo cifrato in un luogo sicuro."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Il risultato del benchmark non è attendibile.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# I test sono approssimati usando solo la memoria (nessun IO dall'archivio).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritmo | Chiave | Cifratura | Decrifrazione\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Il cifrario %s non è disponibile.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/D"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Impossibile leggere il file chiave %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Impossibile leggere %d byte dal file chiave %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Provare a riparare l'header del dispositivo LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Ciò sovrascriverà i dati in %s in modo irreversibile."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "errore di allocazione di memoria in action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Impossibile usare %s come header on-disk.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "L'offset di dati ridotti è ammesso solo per l'header LUKS scollegato.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Slot di chiave %d selezionato per l'eliminazione.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Chiave %d non attiva. Impossibile ripulirla.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Questo è l'ultimo slot di chiave. Il dispositivo sarà inutilizzabile dopo aver eliminato questa chiave."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Inserire una delle passphrase rimanenti: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Inserire la passphrase da eliminare: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Inserire una delle passphrase esistenti: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Inserire la passphrase da cambiare: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Inserire la nuova passphrase: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "È supportato un solo argomento dispositivo per ogni operazione isLuks.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "È richiesta l'opzione --header-backup-file.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Tipo di dispositivo meta-data %s non riconosciuto.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Il comando richiede un dispositivo e un nome di mappatura come argomenti.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Questa operazione eliminerà tutti gli slot di chiave sul dispositivo %s.\n"
+"Il dispositivo sarà inutilizzabile dopo questa operazione."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<dispositivo> [--type <tipo>] [<nome>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "Apre il dispositivo come mappatura in <nome>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<nome>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "Chiude il dispositivo (rimuove la mappatura)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "Ridimensiona il dispositivo attivo"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "Mostra lo stato del dispositivo"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <cifrario>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "Esegue benchmark del cifrario"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<dispositivo>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "Prova a riparare i metadati on-disk"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "Elimina tutti gli slot di chiavi (rimuove chiave di cifratura)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<dispositivo> [<nuovo file chiave>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "Formatta un dispositivo LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "Aggiunge la chiave al dispositivo LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<dispositivo> [<file chiave>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "Rimuove la chiave fornita o il file chiave dal dispositivo LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "Cambia la chiave fornita o il file chiave del dispositivo LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<dispositivo> <slot di chiave>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "Ripulisce la chiave con numero <slot di chiave> dal dispositivo LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "Stampa l'UUID del dispositivo LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "Verifica l'header della partizione LUKS di <dispositivo>"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "Esegue il dump delle informazioni sulla partizione LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "Esegue il dump delle informazioni TCRYPT del dispositivo"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Sospende il dispositivo LUKS e ripulisce la chiave (tutti gli I/O sono congelati)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Ripristina il dispositivo LUKS sospeso."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Fa il backup dell'header del dispositivo e degli slot di chiave"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Ripristina l'header del dispositivo LUKS e gli slot di chiave"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<azione> è una tra:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"È possibile usare anche la vecchia sintassi <azione>:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nome> è il dispositivo da creare in %s\n"
+"<dispositivo> è il dispositivo cifrato\n"
+"<slot di chiave> è il numero dello slot di chiave LUKS da modificare\n"
+"<file chiave> è il file chiave opzionale per la nuova chiave per l'azione luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Parametri predefiniti compilati di chiave e passphrase:\n"
+"\tdimensione massima del file chiave: %dkB, lunghezza massima della passphrase interattiva %d (caratteri)\n"
+"Tempo d'iterazione PBKDF2 predefinito per LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Parametri predefiniti del cifrario del dispositivo:\n"
+"\tloop-AES: %s, chiave: %d bit\n"
+"\tin chiaro: %s, chiave: %d bit, hash della password: %s\n"
+"\tLUKS1: %s, chiave: %d bit, hash dell'header LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: richiede %s come argomenti"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Mostra questo messaggio d'aiuto"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Mostra il modo d'uso sintetico"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Opzioni di aiuto:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Stampa la versione del pacchetto"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Mostra i messaggi di errore con maggior dettaglio"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Mostra i messaggi di debug"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Il cifrario usato per cifrare il disco (vedere /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "L'hash usato per creare la chiave di cifratura dalla passphrase"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifica la passphrase chiedendola due volte"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Legge la chiave da un file."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Legge la chiave (master) del volume dal file."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Esegue il dump della chiave (master) del volume invece delle informazioni sugli slot di chiave."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "La dimensione della chiave di cifratura"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BIT"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Limita la lettura dal file di chiave"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "byte"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Numero di byte da saltare nel file di chiave"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Limita la lettura dal file di chiave appena aggiunto"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Numero di byte da saltare nel file di chiave appena aggiunto"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Numero dello slot per la nuova chiave (il primo libero è quello predefinito)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "La dimensione del dispositivo"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SETTORI"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "L'offset iniziale del dispositivo di backend"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Quanti settori dei dati cifrati saltare dall'inizio"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Crea una mappatura in sola lettura"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Tempo di iterazione di PBKDF2 per LUKS (in ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "msec"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Non chiede conferma"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Timeout per il prompt interattivo della passphrase (in secondi)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "sec"
+
+# (NDT) Descrizione dell'opzione
+# --tries, indica il numero di tentativi per richiesta
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Quante volte può essere ritentato l'inserimento della passphrase"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Allinea il payload agli estremi del settore <n> - per luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "File con header LUKS e backup degli slot di chiave."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Usa /dev/random per generare la chiave di volume."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Usa /dev/urandom per generare la chiave di volume."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Condivide il dispositivo con un altro segmento cifrato non sovrapposto."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID da usare per il dispositivo."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Ammette le richieste di scarto (funzione TRIM) per il dispositivo."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Device o file con header LUKS separato."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Non attiva il dispositivo, verifica solamente la passphrase"
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Usa header nascosto (dispositivo TCRYPT nascosto)"
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Il dispositivo è l'unità TCRYPT di sistema (con bootloader)"
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Usa header TCRYPT di backup (secondario)"
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Ricerca anche dispositivo compatibili VeraCrypt"
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Metadati del tipo di dispositivo: luks, plain, loopaes, tcrypt"
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Disabilita la verifica della qualità della password (se abilitata)"
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Usa l'opzione compatibile per prestazioni same_cpu_crypt di dm-crypt"
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Usa l'opzione compatibile per prestazioni submit_from_crypt_cpus di dm-crypt"
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPZIONE...] <azione> <azione-specifica>]"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Argomento <azione> mancante."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Azione sconosciuta."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "L'opzione --shared è consentita solo per l'azione open di dispositivo in chiaro.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "L'opzione --allow-discards è consentita solo per l'azione open.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"L'opzione --key-size è consentita solo per luksFormat, open e benchmark.\n"
+"Per limitare la lettura dal file chiave usare --keyfile-size=(byte)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "L'opzione --test-passphrase è consentita solo per l'operazione open di dispositivo LUKS e TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "La dimensione della chiave deve essere un multiplo di 8 bit"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Lo slot di chiave non è valido."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "L'opzione --key-file ha la precedenza sull'argomento specificato per il file chiave.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Non è ammesso un numero negativo per l'opzione."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "È consentito solo un argomento —key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "È consentita solo una tra le opzioni --use-[u]random."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "L'opzione --use-[u]random è consentita solo per luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "L'opzione --uuid è consentita solo per luksFormat e luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "L'opzione --align-payload è consentita solo per luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "L'opzione --skip è supportata solo per l'azione open di dispositivi in chiaro e loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "L'opzione --offset è supportata solo per l'azione open di dispositivi in chiaro e loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "L'opzione --tcrypt-hidden, --tcrypt-system o --tcrypt-backup è supportata solo per dispositivo TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "L'opzione --tcrypt-hidden non può essere utilizzata con --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "L'opzione --veracrypt è supportata solo per dispositivo TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "String salt specificata non valida.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Impossibile creare l'immagine hash %s per la scrittura.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Stringa hash root specificata non valida.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<dispositivo_dati> <dispositivo_hash>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "Formatta il dispositivo"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<dispositivo_dati> <dispositivo_hash> <hash_root>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "Verifica il dispositivo"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nome> <dispositivo_dati> <dispositivo_hash> <hash_root>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "Crea dispositivo attivo"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "Rimuove (disattiva) dispositivo"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "Mostra lo stato del dispositivo attivo"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<dispositivo_hash>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "Mostra informazioni on-disk"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nome> è il dispositivo da creare in %s\n"
+"<dispositivo_dati> è il dispositivo dei dati\n"
+"<dispositivo_hash> è il dispositivo che contiene i dati di verifica\n"
+"<hash_root> è l'hash del nodo radice nel <dispositivo_hash>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Parametri predefiniti compilati in dm-verity:\n"
+"\tHash: %s, Blocco dati (byte): %u, Blocco hash (byte): %u, Dimensione salt: %u, Formato hash: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Non usa il super-blocco verity"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Tipo di formato (1 - normale, 0 - ChromeOS originale)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "numero"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "La dimensione del blocco sul dispositivo dati"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "La dimensione del blocco sul dispositivo hash"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Il numero di blocchi nel file dati"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "blocchi"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "L'offset iniziale del dispositivo di hash"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Algoritmo di hash"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "stringa"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "stringa esadecimale"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Riavvia il kernel se sono rilevati dati rovinati"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignora i dati rovinati, li registra solamente"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Non verifica i blocchi azzerati"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "L'opzione --ignore-corruption, --restart-on-corruption o --ignore-zero-blocks è consentita solo per l'operazione di creazione.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Le opzioni --ignore-corruption e --restart-on-corruption non possono essere utilizzate assieme.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Impossibile aprire esclusivamente il dispositivo %s, già in uso.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Allocazione di memoria allineata non riuscita.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Impossibile leggere il dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Impostazione dispositivo LUKS %s come inutilizzabile.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Impossibile scrivere il dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Impossibile scrivere il file di registro di re-cifratura.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Impossibile leggere il file di registro di re-cifratura.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Il file di registro %s esiste, viene ripristinata la re-cifratura.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Attivazione dispositivo temporaneo usando il vecchio header LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Attivazione dispositivo temporaneo usando il nuovo header LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Attivazione del dispositivo temporaneo non riuscita.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Creato nuovo header LUKS per il dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Slot di chiave %i attivato.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Header LUKS di backup del dispositivo %s creato.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Creazione degli header di backup LUKS non riuscita.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Impossibile ripristinare l'header LUKS sul dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Ripristinato l'header LUKS sul dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Avanzamento: %5.1f%%, ETA %02llu:%02llu, %4llu MiB scritti, velocità %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Impossibile posizionarsi all'offset del dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Impossibile aprire il dispositivo temporaneo LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Impossibile ottenere la dimensione del dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Interrotto dal segnale.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Errore di IO durante la re-cifratura.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Lo UUID fornito non è valido.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Il file chiave può essere usato solamente con --key-slot o con esattamente uno slot di chiave attivo.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Inserire la passphrase per lo slot di chiave %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Impossibile aprire il file di registro di re-cifratura.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Nessuna decifrazione in corso: lo UUID fornito può essere usato solamente per riprendere un processo di decifrazione.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Dimensione blocco re-cifratura"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Non cambia chiave, nessun re-cifratura dei dati."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Usa IO diretto negli accessi ai dispositivo"
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Usa fsync dopo ogni blocco"
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Aggiorna il registro a ogni blocco"
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Usa solo questo slot (gli altri vengono disabilitati)"
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Riduce la dimensione dei dati del dispositivo (muove l'offset dei dati) PERICOLOSO"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Usa solo la dimensione specificata del dispositivo (ignora il resto del dispositivo) PERICOLOSO"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Crea un nuovo header su un dispositivo non cifrato"
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Decifra definitivamente il dispositivo (rimuove la cifratura)"
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Lo UUID utilizzato per riprendere la decifrazione"
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPZIONI...] <dispositivo>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "La re-cifratura modificherà: chiave del volume%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", imposta l'hash a "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", imposta il cifrario a "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argomento richiesto."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Solo valori tra 1 MiB e 64 MiB sono consentiti per la dimensione del blocco di re-cifratura."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Specifica di dimensione del dispositivo non valida."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "La dimensione massima di riduzione del dispositivo è 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "La dimensione di riduzione deve essere un multiplo di 512 byte."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "L'opzione --new deve essere usata con --reduce-dispositivo-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "L'opzione --keep-key può essere usata solo con --hash o --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "L'opzione --new non può essere usata con --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "L'opzione --decrypt non è compatibile con i parametri specificati."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "L'opzione --uuid può essere usata solo con --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Errore nel leggere la risposta dal terminale.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Comando eseguito con successo.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Comando non riuscito con codice %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Impossibile controllare la qualità della password: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Controllo qualità della password non riuscito:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Controllo qualità della password non riuscito: password non valida (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Impossibile trovare un dispositivo di loopback libero.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Impossibile aprire il dispositivo %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Impossibile utilizzare lo UUID fornito se non è in corso una decifratura.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Impostazione device LUKS %s come utilizzabile.\n"
diff --git a/po/nl.po b/po/nl.po
new file mode 100644
index 0000000..854d0d1
--- /dev/null
+++ b/po/nl.po
@@ -0,0 +1,1972 @@
+# Dutch translation of cryptsetup.
+# This file is distributed under the same license as the cryptsetup package.
+# Copyright (C) 2016 Free Software Foundation, Inc.
+# Koen <koen@drunkfelines.com>, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup-1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-03 23:04+0100\n"
+"Last-Translator: Koen <koen@drunkfelines.com>\n"
+"Language-Team: Dutch <vertaling@vrijschrift.org>\n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Poedit 1.6.10\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Kan apparaatstoewijzer niet initialiseren, uitvoering als non-root gebruiker.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Kan apparaatstoewijzer niet initialiseren. Is kernelmodule dm_mod geladen?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID voor apparaat %s werd afgekapt.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Aangevraagde prestatie-opties voor dm-crypt worden niet ondersteund.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Aangevraagde opties voor behandeling van datacorruptie van dm-verity worden niet ondersteund.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Systeem heeft niet genoeg willekeurige gegevens om de sleutel tot het opslagmedium verder te genereren.\n"
+"Beweeg de muis of typ wat tekst in een nieuw venster om enkele willekeurige evenementen te verzamelen.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Sleutel wordt gegenereerd (%d%% afgewerkt).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Uitvoering in FIPS-modus.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Fatale fout bij initialisatie van RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Onbekende RNG-kwaliteit aangevraagd.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Fout %d bij lezen uit RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Kan RNG versleutelings-backend niet initialiseren.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Kan versleutelings-backend niet initialiseren.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Aangevraagd hash-algoritme %s wordt niet ondersteund.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Sleutelbehandelingsfout (met hash %s in gebruik).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Apparaatstype kan niet bepaald worden. Incompatibele apparaatsactivering?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Deze operatie wordt enkel ondersteund voor LUKS-apparaten.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Alle sleutelplaatsen zijn vol.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Sleutelplaats %d is ongeldig, selecteer een plaats tussen 0 en %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Sleutelplaats %d is vol, selecteer een andere.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Voer wachtwoord in voor %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Koptekst gevonden maar apparaat %s is te klein.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Deze operatie wordt niet ondersteund voor dit apparaatstype.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Apparaat %s is niet actief.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Onderliggend apparaat van versleutelingsapparaat %s is verdwenen.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Ongeldige normale versleutelingsparameters.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Ongeldige sleutelgrootte.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID wordt niet ondersteund voor dit encryptietype.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Kan LUKS niet formatteren zonder apparaat.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Kan apparaat %s niet formatteren; het is nog steeds actief.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Kan apparaat %s niet formatteren: toestemming geweigerd.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Kan koptekst op apparaat %s niet wissen.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Kan LOOPAES niet formatteren zonder apparaat.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Kan VERITY niet formatteren zonder apparaat.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Niet-ondersteund VERITY-hashtype %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Niet-ondersteunde VERITY-blokgrootte.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Niet-ondersteunde VERITY-hashgegevenspositie.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Overlapping tussen datagedeelte en hashgedeelte.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Onbekend versleutelingsapparaattype %s aangevraagd.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Kan grootte van loopback-apparaat niet aanpassen.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Bent u zeker dat u het UUID van het apparaat wilt wijzigen?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Opslagmedium %s is niet actief.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Opslagmedium %s is reeds geschorst.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Opschorten wordt niet ondersteund voor apparaat %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Fout bij het opschorten van apparaat %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Opslagmedium %s is niet geschorst.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Hervatting wordt niet ondersteund voor apparaat %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Fout bij het hervatten van apparaat %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Voer wachtwoord in: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Kan geen sleutelplaats toevoegen, alle plaatsen zijn uitgeschakeld en er is geen sleutel tot het opslagmedium voorzien.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Voer enig wachtwoord in: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Voer een nieuw wachtwoord in voor de sleutelplaats: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Sleutelplaats %d werd gewijzigd.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Vervangen door sleutelplaats %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Kan nieuwe sleutelplaats niet verwisselen.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Sleutel tot opslagmedium komt niet overeen met het opslagmedium.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Sleutelplaats %d is ongeldig.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Sleutelplaats %d is niet in gebruik.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Apparaat %s bestaat reeds.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Incorrecte sleutel tot het opslagmedium voor normaal apparaat verschaft.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Incorrecte root-hash voor het VERITY-apparaat opgegeven.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Apparaatstype is niet behoorlijk geïnitialiseerd.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Apparaat %s is nog in gebruik.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Ongeldig apparaat %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Functie niet beschikbaar in FIPS-modus.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Sleutelbuffer van het opslagmedium is te klein.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Kan sleutel tot het opslagmedium voor normaal apparaat niet ophalen.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Deze operatie wordt niet ondersteund voor versleutelapparaat %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Dump-operatie wordt niet ondersteund voor dit apparaatstype.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Kan geen procesprioriteit verkrijgen.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Kan geheugen niet ontgrendelen.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Geen geheugen meer beschikbaar bij lezen van wachtwoord.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Fout bij het lezen van het wachtwoord uit de terminal.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Voer wachtwoord nogmaals in: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Wachtwoorden komen niet overeen.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Kan de gegevenspositie niet via terminalinvoer gebruiken.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Kan niet zoeken tot aan het aangevraagde sleutelbestand.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Fout bij lezen van wachtwoord.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Maximum sleutelbestandsgrootte overschreden.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Kan aangevraagde hoeveelheid data niet lezen.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Apparaat %s bestaat niet of toegang is geweigerd.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Kan geen loopback-apparaat gebruiken, uitvoering als non-root gebruiker.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Vastmaken loopback-apparaat gefaald (loop-apparaat met autoclear-vlag is vereist).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Kan apparaat %s niet gebruiken; het is nog actief (reeds toegewezen of aangekoppeld).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Kan geen informatie verkrijgen over apparaat %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "De aangevraagde gegevenspositie valt buiten de werkelijke grootte van apparaat %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Apparaat %s heeft grootte nul.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Apparaat %s is te klein.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Kan dm-crypt sleuteltoewijzing niet instellen voor apparaat %s.\n"
+"Kijk na of de kernel versleutelalgoritme %s ondersteunt (bekijk syslog voor meer informatie).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "In XTS-modus moet de sleutelgrootte 256 of 512 bits zijn.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Kan apparaat %s niet beschrijven: toestemming geweigerd.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Openen van het tijdelijke sleutelopslagapparaat is mislukt.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Invoer/uitvoerfout tijdens het versleutelen van de sleutelplaats.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Invoer/uitvoerfout tijdens het ontsleutelen van de sleutelplaats.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Apparaat %s is te klein. (LUKS vereist minstens %<PRIu64> bytes.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Aangevraagd reservekopiebestand %s van koptekst bestaat reeds.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Kan reservekopiebestand %s van koptekst niet aanmaken.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Kan reservekopiebestand %s van koptekst niet schrijven.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Reservekopiebestand bevat geen geldige LUKS-koptekst.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Kan reservekopiebestand %s van koptekst niet openen.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Kan reservekopiebestand %s van koptekst niet lezen.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Verschillende gegevenspositie of sleutelgrootte in apparaat en reservekopie; herstelling is mislukt.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Apparaat %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "bevat geen LUKS-koptekst. Het vervangen van de koptekst kan gegevens op het apparaat vernietigen."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "bevat reeds een LUKS-koptekst. Het vervangen van de koptekst zal bestaande sleutelplaatsen vernietigen."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"WAARSCHUWING: originele apparaatkoptekst heeft een ander UUID dan de reservekopie!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Kan apparaat %s niet openen.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Niet-standaard sleutelgrootte, handmatige herstelling is vereist.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Niet-standaard sleutelplaatsuitlijning, handmatige herstelling is vereist.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Sleutelplaatsen worden hersteld.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Herstelling is mislukt."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Sleutelplaats %i: gegevenspositie hersteld (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Sleutelplaats %i: fragmenten hersteld (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Sleutelplaats %i: valse partitiehandtekening.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Sleutelplaats %i: salt uitgewist.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "LUKS-koptekst wordt naar schijf geschreven.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Niet-ondersteunde LUKS-versie %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS-sleutelplaats %u is ongeldig.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Geen gekende problemen gevonden bij LUKS-koptekst.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Fout bij het bijwerken van LUKS-koptekst op apparaat %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Fout bij het herlezen van LUKS-koptekst na bijwerken van apparaat %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "De datagegevenspositie voor een aparte LUKS-koptekst moet of 0 zijn, of hoger liggen dan de koptekstgrootte (%d sectoren).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Verkeerd LUKS UUID-formaat verschaft.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Kan LUKS-koptekst niet aanmaken: lezen van random salt is mislukt.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Niet-compatibele PBKDF2-opties (met hash-algoritme %s in gebruik).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Kan LUKS-koptekst niet aanmaken: koptekst-extract is mislukt (met %s-hash).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Sleutelplaats %d is actief; ruim eerst op.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Inhoud van sleutelplaats %d bevat te weinig fragmenten. Koptekstmanipulatie?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Sleutelplaats %d is ontgrendeld.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Geen sleutel beschikbaar met dit wachtwoord.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Sleutelplaats %d is ongeldig, selecteer een sleutelplaats tussen 0 en %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Kan apparaat %s niet wissen.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Nog niet ondersteund GPG-versleuteld sleutelbestand gevonden.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Gebruik gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Onverenigbaar loop-AES-sleutelbestand gevonden.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Toewijzingen compatibel met loop-AES worden niet ondersteund door de kernel.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Fout bij het lezen van sleutelbestand %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Maximum TCRYPT-wachtwoorlengte (%d) overschreden.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "PBKDF2 hash-algoritme %s is niet beschikbaar, wordt overgeslaan.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Benodigde kernel cryptografie-interface is niet beschikbaar.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Kijk na of kernelmodule algif_skcipher geladen is.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Activatie wordt niet ondersteund voor %d sectorgrootte.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Activatie voor deze TCRYPT-legacymodus wordt niet ondersteund door de kernel.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "TCRYPT-systeemversleuteling voor partitie %s wordt geactiveerd.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Toewijzingen compatibel met TCRYPT worden niet ondersteund door de kernel.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Deze functie wordt niet ondersteund zonder TCRYPT-koptekst."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "VERITY-apparaat %s gebruikt geen on-disk koptekst.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Apparaat %s is geen geldig VERITY-apparaat.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Niet-ondersteunde VERITY-versie %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY-koptekst beschadigd.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Verkeerd VERITY UUID-formaat verschaft op apparaat %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Fout bij het bijwerken van VERITY-koptekst op apparaat %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "VERITY-apparaat ontdekte beschadiging na activatie.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Reservegebied is niet ingesteld op positie %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Overloop van apparaatsgegevenspositie.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Controle gefaald op positie %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Ongeldige grootteparameters voor VERITY-apparaat.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Te veel niveau's in de boomstructuur voor een VERITY-volume.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Controle van gegevensgebied gefaald.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Controle van root-hash gefaald.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Invoer/uitvoerfout bij het aanmaken van hash-gebied.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Creatie hash-gebied gefaald.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "WAARSCHUWING: Kernel kan apparaat niet activeren als de gegevensblokgrootte groter is dan de paginagrootte (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Kan geen wachtwoordverificatie uitvoeren op invoer van buiten de terminal.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Geen bekend specificatiepatroon voor het sleutelalgoritme gevonden.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "WAARSCHUWING: In normale modus met opgegeven sleutelbestand wordt de --hash-parameter genegeerd.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "WAARSCHUWING: De optie --keyfile-size wordt genegeerd, de leesgrootte is gelijk aan de encryptiesleutelgrootte.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Optie --key-file is vereist.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Geen apparaatkoptekst beschikbaar met dit wachtwoord.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Dump van koptekst met sleutel tot het opslagmedium bevat gevoelige informatie\n"
+"die zonder wachtwoord toegang verschaft tot versleutelde partities.\n"
+"De dump zou steeds versleuteld en op een veilige plaats bewaard moeten worden."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Benchmarkresultaat is niet betrouwbaar.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Tests zijn bij benadering met enkel geheugen in gebruik (geen opslag-IO).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritme | Sleutel | Versleuteling | Ontsleuteling\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Versleutelalgoritme %s is niet beschikbaar.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Kan sleutelbestand %s niet lezen.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Kan %d bytes uit sleutelbestand %s niet lezen.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Bent u zeker de LUKS-apparaatkoptekst te willen herstellen?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Dit zal data op %s onherroepelijk overschrijven."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "geheugentoewijzingsfout in action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Kan %s niet als on-diskkoptekst gebruiken.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Een verlaagde datagegevenspositie wordt enkel toegestaan voor een vrijstaande LUKS-koptekst.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Sleutelplaats %d geselecteerd voor verwijdering.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Sleutel %d is niet actief. Kan niet wissen.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Dit is de laatste sleutelplaats. Apparaat zal onbruikbaar worden na het verwijderen van deze sleutel."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Voer enig overblijvend wachtwoord in: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Voer het te verwijderen wachtwoord in: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Voer een bestaand wachtwoord in: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Voer het te wijzigen wachtwoord in: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Voer nieuw wachtwoord in: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Voor de isLuks-operatie wordt slechts één apparaatsargument ondersteund.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Optie --header-backup-file is vereist.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Niet-herkende metadata bij apparaatstype %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Opdracht vereist apparaat en toewijzingsnaam als argumenten.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Deze operatie zal alle sleutelplaatsen op apparaat %s wissen.\n"
+"Na deze operatie wordt het apparaat onbruikbaar."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<apparaat> [--type <type>] [<naam>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "apparaat als toewijzing <naam> openen"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<naam>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "apparaat sluiten (toewijzingen verwijderen)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "actief apparaat vergroten of verkleinen"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "apparaatstatus tonen"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <versleutelalgoritme>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "versleutelalgoritme benchmarken"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<apparaat>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "on-disk metadata proberen te herstellen"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "alle sleutelplaatsen wissen (encryptiesleutel verwijderen)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<apparaat> [<nieuw sleutelbestand>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "een LUKS-apparaat formatteren"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "sleutel aan LUKS-apparaat toevoegen"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<apparaat> [<sleutelbestand>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "verschafte sleutel of sleutelbestand van LUKS-apparaat verwijderen"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "wijzigt verschafte sleutel of sleutelbestand van LUKS-apparaat"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<apparaat> <sleutelplaats>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "sleutel met nummer <sleutelplaats> van LUKS-apparaat verwijderen"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "UUID van LUKS-apparaat tonen"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "<apparaat> op een LUKS-partitiekoptekst testen"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "LUKS-partitie-informatie dumpen"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "TCRYPT-apparaatsinformatie dumpen"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "LUKS-apparaat schorsen en sleutel wissen (alle in-/uitvoer wordt bevroren)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Geschorst LUKS-apparaat hervatten."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Reservekopie van LUKS-apparaatkoptekst en -sleutelplaatsen maken"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "LUKS-apparaatkoptekst en -sleutelplaatsen herstellen"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<actie> is één van:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"U kan ook oude <actie>-syntax aliasen gebruiken:\n"
+"\topen: (plainOpen), luksOpen, loopaesOpen, tcryptOpen aanmaken\n"
+"\tclose: (plainClose), luksClose, loopaesClose, tryptClose verwijderen\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<naam> is het onder %s aan te maken apparaat\n"
+"<apparaat> is het versleutelde apparaat\n"
+"<sleutelplaats> is het nummer van de te wijzigen LUKS-sleutelplaats\n"
+"<sleutelbestand> optioneel sleutelbestand voor de nieuwe sleutel voor de luksAddKey-actie\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde sleutel- en wachtwoordparameters:\n"
+"\tMaximum sleutelplaatsgrootte: %dkB, maximum lengte interactief wachtwoord %d (karakters)\n"
+"Standaard PBKDF2-herhalingstijd voor LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde parameters van het apparaatsversleutelingsalgoritme:\n"
+"\tloop-AES: %s, Sleutel: %d bits\n"
+"\tplain: %s, Sleutel: %d bits, Wachtwoordhashing: %s\n"
+"\tLUKS1: %s, Sleutel: %d bits, LUKS-kopteksthashing: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: vereist %s als argumenten"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Deze hulptekst tonen"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Korte gebruikssamenvatting tonen"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Hulpopties:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Pakketversie tonen"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Gedetailleerdere foutboodschappen tonen"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Debug-boodschappen tonen"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Het gebruikte versleutelalgoritme om de schijf te versleutelen (zie /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "De gebruikte hash om de encryptiesleutel uit het wachtwoord aan te maken"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Het wachtwoord controleren door het twee keer te vragen"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "De sleutel uit een bestand lezen."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "De (hoofd)sleutel tot het opslagmedium uit een bestand lezen."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Dump (hoofd)sleutel tot het opslagmedium in plaats van de sleutelplaatsinformatie."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "De grootte van de encryptiesleutel"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Beperkt de lezing uit sleutelbestand"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "bytes"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Aantal bytes over te slaan in sleutelbestand"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Beperkt de lezing uit een nieuw toegevoegd sleutelbestand"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Aantal bytes over te slaan in nieuwste toegevoegde sleutelbestand"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Plaatsnummer voor nieuwe sleutel (standaard is de eerste open plaats)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "De grootte van het apparaat"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SECTOREN"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "De startplaats in het backend-apparaat"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Hoeveel sectoren van de versleutelde gegevens aan het begin over te slaan"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Een alleen-lezen toewijzing aanmaken"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2 herhalingstijd voor LUKS (in ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "milliseconden"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Niet om bevestiging vragen"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Timeout voor interactieve wachtwoordprompt (in seconden)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "seconden"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Hoe vaak de invoering van het wachtwoord opnieuw geprobeerd kan worden"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Payload uitlijnen op meervouden van <n> sectoren – voor luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Bestand met reservekopie van LUKS-koptekst en -sleutelplaatsen."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Gebruik /dev/random om de sleutel tot het opslagmedium te genereren."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Gebruik /dev/urandom om de sleutel tot het opslagmedium te genereren."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Apparaat met een ander, niet-overlappend cryptsegment delen."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID van het te gebruiken apparaat."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Discardaanvragen (alias TRIM) op dit apparaat toelaten."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Apparaat of bestand met verschillende LUKS-koptekst."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Apparaat niet activeren, enkel wachtwoord controleren."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Verborgen koptekst gebruiken (verborgen TCRYPT-apparaat)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Apparaat is TCRYPT-systeemschijf (met bootloader)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Reserve (secundaire) TCRYPT-koptekst gebruiken."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Eveneens naar VeraCrypt-compatibel apparaat scannen."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Soorten apparaat-metadata: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Wachtwoordkwaliteitscontrole uitschakelen (indien ingeschakeld)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "dm-crypt same_cpu_crypt prestatie-compatibiliteitsoptie gebruiken."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "dm-crypt submit_from_crypt_cpus prestatie-compatibiliteitsoptie gebruiken."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPTIE…] <actie> <actie-specifiek>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Argument <actie> ontbreekt."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Onbekende actie."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Optie --shared wordt enkel toegestaan voor open-opdracht op plain-apparaat.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Optie --key-size is enkel toegestaan bij luksFormat, open en benchmark.\n"
+"Om de lezing uit een sleutelbestand te beperken, gebruik --keyfile-size=(bytes)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Optie --test-passphrase is enkel toegestaan bij open van LUKS- en TCRYPT-apparaten.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Sleutelgrootte moet een meervoud zijn van 8 bits"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Sleutelplaats is ongeldig."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Optie --key-file krijgt voorrang over het gespecificeerde sleutelbestandsargument.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Een negatief getal wordt niet toegestaan voor deze optie."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Slechts een enkel gebruik van het --key-file argument is toegestaan."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Slechts een enkel gebruik van de opties --use-[u]random is toegestaan."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "OPtie --use-[u]random is enkel toegestaan bij luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Optie --uuid is enkel toegestaan bij luksFormat en luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Optie --align-payload is enkel toegestaan voor luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Optie --skip wordt enkel ondersteund voor open-opdracht op plain- en loopaes-apparaten.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Optie --offset wordt enkel ondersteund voor open-opdracht op plain- en loopaes-apparaten.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Optie --tcrypt-hidden, --tcrypt-system of --tcrypt-backup wordt enkel ondersteund voor TCRYPT-apparaten.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Optie --tcrypt-hidden kan niet met --allow-discards gecombineerd worden.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Optie --veracrypt wordt enkel ondersteund voor TCRYPT-apparaatstype.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Ongeldige salt-tekenreeks opgegeven.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Kan hashafbeeling %s niet aanmaken voor beschrijving.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Ongeldige root-hash tekenreeks opgegeven.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<gegevensapparaat> <hash-apparaat>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "apparaat formateren"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<gegevensapparaat> <hash-apparaat> <root-hash>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "apparaat controleren"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<naam> <gegevensapparaat> <hash-apparaat> <root-hash>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "actief apparaat aanmaken"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "apparaat verwijderen (deactiveren)"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "status van actief apparaat tonen"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<hash-apparaat>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "on-disk informatie tonen"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<naam> is de naam van het onder %s te creëren apparaat\n"
+"<gegevensapparaat> is het de naam van het gegevensapparaat\n"
+"<hash-apparaat> is de naam van het apparaat dat de verificatiegegevens bevat\n"
+"<root-hash> is de hash van de rootnode op <hash-apparaat>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde dm-verity parameters:\n"
+"\tHash: %s, Datablok (bytes): %u, Hashblock (bytes): %u, Saltgrootte: %u, Hashformaat: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "VERITY-superblok niet gebruiken"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Formaatstype (1 - normaal, 0 - origineel Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "nummer"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Blokgrootte op het gegevensapparaat"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Blokgrootte op het hash-apparaat"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Aantal blokken in het gegevensbestand"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "blokken"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "De startplaats op het hash-apparaat"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Hash-algoritme"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "tekenreeks"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "hex-tekenreeks"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Kernel herstarten bij ontdekking van corruptie"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Datacorruptie negeren, enkel loggen"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Op nul ingestelde blokken niet controleren"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Opties --ignore-corruption, --restart-on-corruption of --ignore-zero-blocks kunnen enkel bij een create-operatie gebruikt worden.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Opties --ignore-corruption en --restart-on-corruption kunnen niet samen gebruikt worden.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Kan %s niet exclusief openen, apparaat wordt gebruikt.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Reservering van uitgelijnd geheugen gefaald.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Kan apparaat niet lezen: %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "LUKS-apparaat %s wordt als onbruikbaar gemarkeerd.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Kan apparaat %s niet beschrijven.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Kan herencryptie-logbestand niet schrijven.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Kan herencryptie-logbestand niet lezen.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Logbestand %s bestaat reeds, herencryptie wordt herstart.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Activatie van tijdelijke apparaat met oude LUKS-koptekst.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Activatie van tijdelijke apparaat met nieuwe LUKS-koptekst.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Activatie van tijdelijke apparaten gefaald.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Nieuwe LUKS-koptekst voor apparaat %s aangemaakt.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Sleutelplaats %d geactiveerd.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Reservekopie van LUKS-koptekst op apparaat %s aangemaakt .\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Creatie van LUKS-reservekopteksten gefaald.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Kan koptekst op apparaat %s niet herstellen.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "LUKS-koptekst op apparaat %s hersteld.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Vooruitgang: %5.1f%%, geschatte voltooiïngstijd %02llu:%02llu, %4llu MB geschreven, snelheid %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Onmogelijk te zoeken tot startplaats van apparaat.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Kan tijdelijk LUKS-apparaat niet openen.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Kan apparaatgrootte niet lezen.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Onderbroken door een signaal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Invoer/uitvoerfout tijdens herencryptie.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Opgegeven UUID is ongeldig.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Sleutelbestand kan enkel gebruikt worden met optie --key-slot of met enkel één actieve sleutelplaats.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Kan herencryptie-logbestand niet openen.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Er is geen ontsleutelingsproces aan de gang. Het opgegeven UUID kan enkel gebruikt worden om een geschorst ontsleutelingsproces opnieuw te starten.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Blokgrootte herencryptie"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Sleutel niet wijzigen; gegevensgebied wordt niet opnieuw versleuteld."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "direct-io gebruiken bij het lezen van apparaten."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "fsync na elk blok gebruiken."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Na elk blok het logbestand bijwerken."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Enkel deze plaats gebruiken (anderen worden uitgeschakeld)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Grootte van gegevensapparaat wijzigen (gegevenspositie wijzigen). GEVAARLIJK!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Enkel ingegeven apparaatsgrootte gebruiken (rest van apparaat wordt genegeerd). GEVAARLIJK!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Nieuwe koptekst op niet-versleuteld apparaat invoeren."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Apparaat permanent ontsleutelen (encryptie verwijderen)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Het UUID om de ontsleuteling te hervatten."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPTIE...] <apparaat>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Herencryptie zal sleutel tot het opslagmedium %s%s%s%s wijzigen.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", stel hash in op "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", stel sleutelalgoritme in op "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argument is vereist."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Enkel waarden tussen 1 MB en 64 MB zijn toegestaan als herencryptieblokgrootte."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Maximum apparaatsverkleiningsgrootte is 64 MB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Verkleiningsgrootte moet een meervoud zijn van de 512 bytes-grote sector."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Optie --new moet samen met --reduce-device-size gebruikt worden."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Optie -- keep-key kan enkel samen met --hash of --iter-time gebruikt worden."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Optie --new kan niet samen met --decrypt gebruikt worden."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Optie --decrypt is niet verenigbaar met de verschafte parameters."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Optie --uuid kan enkel samen met --decrypt gebruikt worden."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Fout bij het lezen van antwoord uit de terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Opdracht succesvol.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Opdracht is mislukt met code %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Kan wachtwoordkwaliteit niet nakijken: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Wachtwoordkwaliteitscontrole gefaald:\n"
+"%s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Wachtwoordkwaliteitscontrole gefaald: Wachtwoord is van slechte kwaliteit (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Kan geen vrij loopback-apparaat vinden.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Kan apparaat %s niet openen.\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Kan doorgegeven UUID niet gebruiken tenzij ontsleuteling al bezig is.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "LUKS-apparaat %s wordt als bruikbaar gemarkeerd.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "Waarschuwing: deze code is nog experimenteel, het kan al uw data volledig vernielen.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "Verificatie van FIPS-controlesom gefaald.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "WAARSCHUWING: apparaat %s is een partitie; bij TCRYPT-systeemversleuteling moet u doorgaans het volledige pad naar het blok-apparaat gebruiken.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "Kernel ondersteunt plain64 IV niet.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Voer LUKS-wachtwoord in: "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Voer nieuw LUKS-wachtwoord in: "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Voer een LUKS-wachtwoord in: "
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Kan apparaat %s niet openen voor %s%s-toegang.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "exclusieve "
+
+#~ msgid "writable"
+#~ msgstr "schrijf"
+
+#~ msgid "read-only"
+#~ msgstr "alleen-lezen"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "WAARSCHUWING!!! Mogelijk onveilig geheugen. Bent u root?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Kan sectorgrootte van %s niet verkrijgen"
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Reservekopiebestand %s bestaat niet.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Kan bestand %s niet openen.\n"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Lezen uit sleutelopslag is mislukt.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<naam> <apparaat>"
+
+#~ msgid "create device"
+#~ msgstr "apparaat aanmaken"
+
+#~ msgid "remove device"
+#~ msgstr "apparaat verwijderen"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "LUKS-toewijzing verwijderen"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "loop-AES-apparaat als toewijzing <naam> openen"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "loop-AES-toewijzing verwijderen"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "Optie --allow-discards wordt enkel ondersteund voor de luksOpen-, loopaesOpen- en create-opdrachten.\n"
+
+#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
+#~ msgstr "Kan apparaat %s niet gebruiken (cryptsegmenten overlappen of worden door een ander apparaat gebruikt).\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "Sleutelplaats %d is geverifieerd.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "Ongeldige sleutelgrootte %d.\n"
+
+#~ msgid "Block mode XTS is available since kernel 2.6.24.\n"
+#~ msgstr "Blokmodus XTS is beschikbaar vanaf kernelversie 2.6.24.\n"
+
+#~ msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+#~ msgstr "In LRW-modus moet de sleutelgrootte 256 of 512 bits zijn.\n"
+
+#~ msgid "Block mode LRW is available since kernel 2.6.20.\n"
+#~ msgstr "Blokmodus LRW is beschikbaar vanaf kernelversie 2.6.20.\n"
+
+#~ msgid "Negative keyfile size not permitted.\n"
+#~ msgstr "Een negatieve sleutelbestandsgrootte is niet toegestaan.\n"
+
+#~ msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+#~ msgstr "Waarschuwing: volledige lezing aangevraagd, maar sleutelbestand is geen regulier bestand, functie zal misschien nooit terugkeren.\n"
+
+#~ msgid "Cannot find compatible device-mapper kernel modules.\n"
+#~ msgstr "Kan geen compatibele kernelmodules voor apparaatstoewijzer vinden.\n"
+
+#~ msgid "Cannot open device: %s\n"
+#~ msgstr "Kan apparaat niet openen: %s\n"
+
+#~ msgid "BLKROGET failed on device %s.\n"
+#~ msgstr "BLKROGET() is mislukt op apparaat %s.\n"
+
+#~ msgid "BLKGETSIZE failed on device %s.\n"
+#~ msgstr "BLKGETSIZE() is mislukt op apparaat %s.\n"
+
+#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
+#~ msgstr "identiek aan luksKillSlot - VEROUDERD - zie man-pagina"
+
+#~ msgid "modify active device - DEPRECATED - see man page"
+#~ msgstr "actief apparaat wijzigen - VEROUDERD - zie man-pagina"
+
+#~ msgid ""
+#~ "The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
+#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+#~ msgstr ""
+#~ "De herlaadactie is verouderd. Gebruik “dmsetup reload” indien u deze functionaliteit echt nodig hebt.\n"
+#~ "WAARSCHUWING: gebruik de herlaadactie niet om LUKS-apparaten te “touchen”. Indien u dat wilt doen, typ nu Ctrl-C.\n"
+
+#~ msgid "Obsolete option --non-exclusive is ignored.\n"
+#~ msgstr "Verouderde optie --non-exclusive wordt genegeerd.\n"
+
+#~ msgid "Read the key from a file (can be /dev/random)"
+#~ msgstr "De sleutel uit een bestand lezen (mag /dev/random zijn)"
+
+#~ msgid "(Obsoleted, see man page.)"
+#~ msgstr "(Verouderd, zie man-pagina.)"
+
+#~ msgid "%s is not LUKS device.\n"
+#~ msgstr "%s is geen LUKS-apparaat.\n"
+
+#~ msgid "%s is not LUKS device."
+#~ msgstr "%s is geen LUKS-apparaat."
diff --git a/po/pl.po b/po/pl.po
new file mode 100644
index 0000000..15a582a
--- /dev/null
+++ b/po/pl.po
@@ -0,0 +1,1825 @@
+# Polish translation for cryptsetup.
+# Copyright (C) 2010 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 15:51+0100\n"
+"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
+"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
+"Language: pl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Nie można zainicjować device-mappera w czasie działania jako nie-root.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Nie można zainicjować device-mappera. Czy moduł jądra dm_mod jest wczytany?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID dla urządzenia %s został skrócony.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Żądane opcje dm-crypta dotyczące wydajności nie są obsługiwane.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Żądane opcje dm-verity dotyczące obsługi uszkodzenia danych nie są obsługiwane.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Entropia w systemie wyczerpała się w trakcie generowania klucza wolumenu.\n"
+"Proszę poruszać myszą albo wpisać trochę tekstu w innym oknie w celu zebrania zdarzeń losowych.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Generowanie klucza (gotowe %d%%).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Działanie w trybie FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Błąd krytyczny w trakcie inicjalizacji RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Nieznane żądanie jakości RNG.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Błąd %d podczas odczytu z RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Nie można zainicjować backendu kryptograficznego RNG.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Nie można zainicjować backendu kryptograficznego.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Algorytm skrótu %s nie jest obsługiwany.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Błąd przetwarzania klucza (użyto algorytmu skrótu %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób aktywacji urządzenia?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Ta operacja jest obsługiwana tylko na urządzeniach LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Wszyskie miejsca na klucze są pełne.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Numer klucza %d jest błędny, proszę wybrać wartość między 0 a %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Miejsce na klucz %d jest pełne, proszę wybrać inne.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Hasło dla %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Wykryto nagłówek, ale urządzenie %s jest zbyt małe.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Ta operacja nie jest obsługiwana dla tego rodzaju urządzenia.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Urządzenie %s nie jest aktywne.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Urzędzenie stojące za urządzeniem szyfrowanym %s znikło.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Błędne parametry szyfru plain.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Błędny rozmiar klucza.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID nie jest obsługiwany dla tego rodzaju szyfrowania.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Nie można sformatować LUKS-a bez urządzenia.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Nie można sformatować urządzenia %s, które jest nadal w użyciu.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Nie można sformatować urządzenia %s, brak uprawnień.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Nie można wyczyścić nagłówka na urządzeniu %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Nie można sformatować urządzenia LUKSAES bez urządzenia.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Nie można sformatować VERITY bez urządzenia.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Nieobsługiwany typ hasza VERITY %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Nieobsługiwany rozmiar bloku VERITY.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Nieobsługiwany offset hasza VERITY.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Obszar danych zachodzi na obszar skrótu.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Nieznany typ żądanego urządzenia szyfrującego %s.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Nie można zmienić rozmiaru urządzenia loopback.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Czy na pewno zmienić UUID urządzenia?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Wolumen %s nie jest aktywny.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Wolumen %s już został wstrzymany.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Wstrzymywanie nie jest obsługiwane dla urządzenia %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Błąd podczas wstrzymywania urządzenia %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Wolumen %s nie jest wstrzymany.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Wznawianie nie jest obsługiwane dla urządzenia %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Błąd podczas wznawiania urządzenia %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Hasło: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Dowolne hasło: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Nowe hasło dla klucza: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Klucz numer %d zmieniony.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Zastąpiono kluczem numer %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Nie udało się podstawić nowego klucza.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Klucz wolumenu nie pasuje do wolumenu.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Numer klucza %d jest nieprawidłowy.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Klucz %d nie jest używany.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Urządzenie %s już istnieje.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Podano niewłaściwy klucz wolumenu dla zwykłego urządzenia.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Typ urządzenia nie został właściwie zainicjalizowany.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Urządzenie %s jest nadal w użyciu.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Błędne urządzenie %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Funkcja nie jest dostępna w trybie FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Bufor klucza wolumenu zbyt mały.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Nie można odtworzyć klucza wolumenu dla zwykłego urządzenia.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Ta operacja nie jest obsługiwana dla urządzenia szyfrującego %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Operacja zrzutu nie jest obsługiwana dla tego rodzaju urządzenia.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Nie można odczytać priorytetu procesu.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Nie można odblokować pamięci.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Brak pamięci podczas odczytu hasła.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Błąd podczas odczytu hasła z terminala.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Weryfikacja hasła: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Hasła nie zgadzają się.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Nie można użyć offsetu, jeśli wejściem jest terminal.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Nie udało się otworzyć pliku klucza.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Nie udało się wykonać stat na pliku klucza.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Nie można przemieścić się do żądanego położenia pliku klucza.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Błąd podczas odczytu hasła.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Przekroczono maksymalny rozmiar pliku klucza.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Nie można odczytać żądanej ilości danych.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Urządzenie %s nie istnieje lub dostęp jest zabroniony.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Nie można użyć urządzenia loopback w czasie działania jako nie-root.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Nie udało się podłączyć urządzenia loopback (wymagane urządzenie loop z flagą autoclear).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Nie można użyć urządzenia %s, które jest w użyciu (już podmapowane lub zamontowane).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Nie można uzyskać informacji o urządzeniu %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Żądany offset jest poza rzeczywistym rozmiarem urządzenia %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Urządzenie %s ma zerowy rozmiar.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Urządzenie %s jest zbyt małe.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Nie udało się ustawić odwzorowania klucza dm-crypt dla urządzenia %s.\n"
+"Proszę sprawdzić, czy jądro obsługuje szyfr %s (więcej informacji w syslogu).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Rozmiar klucza w trybie XTS musi wynosić 256 lub 512 bitów.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Nie można zapisać na urządzenie %s, brak uprawnień.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Nie udało się otworzyć urządzenia do tymczasowego przechowywania kluczy.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Nie udało się uzyskać dostępu do urządzenia do tymczasowego przechowywania kluczy.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Błąd we/wy podczas szyfrowania klucza.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Błąd we/wy podczas odszyfrowywania klucza.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Urządzenie %s jest zbyt małe (LUKS wymaga przynajmniej %<PRIu64> bajtów).\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Żądany plik kopii zapasowej nagłówka %s już istnieje.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Nie można utworzyć pliku kopii zapasowej nagłówka %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Nie można zapisać pliku kopii zapasowej nagłówka %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Plik kopii zapasowej nie zawiera prawidłowego nagłówka LUKS.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Nie można otworzyć pliku kopii zapasowej nagłówka %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Nie można odczytać pliku kopii zapasowej nagłówka %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Offset danych lub rozmiar klucza różnią się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Urządzenie %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "nie zawiera nagłówka LUKS. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "już zawiera nagłówek LUKS. Nadpisanie nagłówka zniszczy istniejące klucze."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"UWAGA: nagłówek prawdziwego urządzenia ma inny UUID niż kopia zapasowa!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Nie można otworzyć urządzenia %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Niestandardowy rozmiar klucza, wymagana ręczna naprawa.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Niestandardowe wyrównanie kluczy, wymagana ręczna naprawa.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Naprawianie kluczy.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Naprawa nie powiodła się."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Klucz %i: naprawiono offset (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Klucz %i: naprawiono pasy (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Klucz %i: błędna sygnatura partycji.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Klucz %i: zarodek wyczyszczony.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Zapis nagłówka LUKS na dysk.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Nieobsługiwana wersja LUKS %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Żądany skrót LUKS %s nie jest obsługiwany.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "Numer klucza LUKS %u jest nieprawidłowy.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "W nagłówku LUKS nie wykryto żadnych znanych problemów.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Błąd podczas uaktualniania nagłówka LUKS na urządzeniu %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Błęd podczas ponownego odczytu nagłówka LUKS po uaktualnieniu na urządzeniu %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Offset danych dla osobnego nagłówka LUKS musi wynosić 0 lub więcej niż rozmiar nagłówka (sektorów: %d).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Podano zły format LUKS UUID.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powiódł się.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Niekompatybilne opcje PBKDF2 (przy użyciu algorytmu skrótu %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Nie można utworzyć nagłówka LUKS: uzyskanie skrótu nagłówka nie powiodło się (przy użyciu algorytmu %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Klucz numer %d jest aktywny, należy go najpierw wyczyścić.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Klucz %d zawiera zbyt mało pasów. Zmieniony nagłówek?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Klucz numer %d odblokowany.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Dla tego hasła nie ma dostępnego klucza.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Numer klucza %d jest błędny, proszę wybrać numer od 0 do %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Nie można wyczyścić urządzenia %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Wykryto jeszcze nie obsługiwany plik klucza szyfrowany GPG.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Proszę użyć gpg --decrypt <PLIK-KLUCZA> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Wykryto niekompatybilny plik klucza loop-AES.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Jądro nie obsługuje odwzorowań zgodnych z loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Błąd odczytu pliku klucza %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Przekroczono maksymalną długość hasła TCRYPT (%d).\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Algorytm skrótu PBKDF2 %s nie jest dostępny, pominięto.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Wymagany interfejs kryptograficzny jądra nie jest dostępny.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Proszę upewnić się, że moduł jądra algif_skcipher został załadowany.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktywacja nie jest obsługiwana dla rozmiaru sektora %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Jądro nie obsługuje aktywacji dla tego starego trybu TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Włączanie szyfrowania systemu TCRYPT dla partycji %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Jądro nie obsługuje odwzorowań zgodnych z TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Ta funkcja nie jest obsługiwana bez załadowanego nagłówka TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Urządzenie Verity %s nie używa nagłówka na dysku.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem VERITY.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Nieobsługiwana wersja VERITY %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Uszkodzony nagłówek VERITY.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Podano zły format UUID-a VERITY na urządzeniu %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Błąd podczas uaktualniania nagłówka VERITY na urządzeniu %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Jądro nie obsługuje odwzorowań dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Urządzenie VERITY wykryło uszkodzenie po uaktywnieniu.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Nie wyzerowane miejsce zapasowe na pozycji %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Przepełnienie offsetu urządzenia.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Weryfikacja nie powiodła się na pozycji %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Błędne parametry rozmiaru dla urządzenia VERITY.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Za dużo poziomów drzewa dla wolumenu VERITY.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Weryfikacja obszaru danych nie powiodła się.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Weryfikacja głównego hasza nie powiodła się.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Błąd wejścia/wyjścia podczas tworzenia obszaru haszy.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Tworzenie obszaru haszy nie powiodło się.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "UWAGA: Jądro nie może uaktywnić urządzenia, jeśli rozmiar bloku danych przekracza rozmiar strony (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Nie wykryto znanego wzorca określającego szyfr.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "UWAGA: Parametr --hash jest ignorowany w trybie zwykłym z podanym plikiem klucza.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "UWAGA: Opcja --keyfile-size jest ignorowana, rozmiar odczytu jest taki sam, jak rozmiar klucza szyfrującego.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Wymagana jest opcja --key-file.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Nie wykryto nagłówka urządzenia z tym hasłem.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Zrzut nagłówka z kluczem wolumenu jest informacją wrażliwą,\n"
+"pozwalającą na dostęp do zaszyfrowanej partycji bez hasła.\n"
+"Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
+"w bezpiecznym miejscu."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Wynik testu wydajności nie jest wiarygodny.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testy są przybliżone tylko z użyciem pamięci (bez we/wy na dysk).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algorytm | Klucz | Szyfrowanie | Odszyfrowywanie\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Szyfr %s nie jest dostępny.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/D"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Nie można odczytać pliku klucza %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Nie można odczytać %d bajtów z pliku klucza %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Naprawdę próbować naprawić nagłówek urządzenia LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "To nieodwołalnie nadpisze dane na %s."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "błąd przydzielania pamięci w action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Nie można użyć %s jako nagłówka na dysku.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Offset zmniejszonych danych jest dozwolony tylko dla osobnego nagłówka LUKS.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "klucz %d wybrany do usunięcia.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Klucz %d nie jest aktywny. Nie można wyczyścić.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "To jest ostatni klucz. Urządzenie stanie się bezużyteczne po usunięciu tego klucza."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Dowolne pozostałe hasło: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Hasło do usunięcia: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Dowolne istniejące hasło: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Hasło, które ma być zmienione: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Nowe hasło: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Dla operacji isLuks obsługiwany jest tylko jeden argument będący urządzeniem.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Wymagana jest opcja --header-backup-file.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Nie rozpoznany typ urządzenia metadanych %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Polecenie wymaga urządzenia i nazwy odwzorowywanej jako argumentów.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Ta operacja usunię wszystkie klucze na urządzeniu %s.\n"
+"Urządzenie po tej operacji stanie się bezużyteczne."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<uządzenie> [--type <typ>] [<nazwa>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "otwarcie urządzenia jako odwzorowania <nazwa>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<nazwa>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "zamknięcie urządzenia (usunięcie odwzorowania)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "zmiana rozmiaru aktywnego urządzenia"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "pokazanie stanu urządzenia"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <szyfr>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "test szybkości szyfru"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<urządzenie>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "próba naprawy metadanych na dysku"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "usunięcie wszystkich kluczy (usunięcie klucza szyfrującego)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<urządzenie> [<nowy plik klucza>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "sformatowanie urządzenia LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "dodanie klucza do urządzenia LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<urządzenie> [<plik klucza>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "usunięcie podanego klucza lub pliku klucza z urządzenia LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "zmiana podanego klucza lub pliku klucza urządzenia LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<urządzenie> <numer klucza>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "wyczyszczenie klucza o numerze <numer klucza> z urządzenia LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "wypisanie UUID-a urządzenia LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "sprawdzenie <urządzenia> pod kątem nagłówka partycji LUKS"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "zrzut informacji o partycji LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "zrzut informacji o urządzeniu TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Wstrzymanie urządzenia LUKS i wyczyszczenie klucza (zamraża wszystkie operacje we/wy)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Wznowienie zatrzymanego urządzenia LUKS."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Kopia zapasowa nagłówka i kluczy urządzenia LUKS"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Odtworzenie nagłówka i kluczy urządzenia LUKS z kopii zapasowej"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<akcja> to jedno z:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Można także używać starych aliasów składni <akcja>:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nazwa> to urządzenie do utworzenia wewnątrz %s\n"
+"<urządzenie> to zaszyfrowane urządzenie\n"
+"<numer klucza> to numer klucza LUKS do zmiany\n"
+"<plik klucza> to opcjonalny plik nowego klucza dla akcji luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Domyślne wkompilowane parametry kluczy i haseł:\n"
+"\tMaksymalny rozmiar pliku klucza: %dkB, maksymalna długość hasła interaktywnego %d (znaków)\n"
+"Domyślny czas iteracji PBKDF2 dla LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Domyślne wkompilowane parametry szyfrowania urządzeń:\n"
+"\tloop-AES: %s, bitów klucza: %d\n"
+"\tplain: %s, bitów klucza: %d, skrót hasła: %s\n"
+"\tLUKS1: %s, bitów klucza: %d, skrót nagłówka LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: wymaga %s jako argumentów"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Wyświetlenie tego opisu"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Wyświetlenie krótkiej informacji o składni"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Opcje pomocnicze:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Wypisanie wersji pakietu"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Wyświetlanie bardziej szczegółowych komunikatów błędów"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Wyświetlanie informacji diagnostycznych"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Szyfr używany do zaszyfrowania dysku (p. /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Skrót używany do utworzenia klucza szyfrującego z hasła"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Sprawdzenie poprawności hasła poprzez dwukrotne pytanie"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Odczyt klucza z pliku."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Odczyt klucza wolumenu (klucza głównego) z pliku."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Zrzut (głównego) klucza wolumenu zamiast informacji o kluczach."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Rozmiar klucza szyfrującego"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITÓW"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Ograniczenie odczytu z pliku klucza"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "bajty"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Liczba bajtów do pominięcia w pliku klucza"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Ograniczenie odczytu z nowo dodanego pliku klucza"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Liczba bajtów do pominięcia w nowo dodanym kluczu"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Numer dla nowego klucza (domyślny: pierwszy wolny)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Rozmiar urządzenia"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SEKTORÓW"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Offset początku na urządzeniu przechowującym"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Liczba sektorów zaszyfrowanych danych do pominięcia"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Utworzenie odwzorowania tylko do odczytu"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Czas iteracji PBKDF2 dla LUKS (w milisekundach)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Bez pytań o potwierdzenie"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Limit czasu przy interaktywnym pytaniu o hasło (w sekundach)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Jak często można powtarzać próby wprowadzenia hasła"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Wyrównanie danych do granicy <n> sektorów - dla luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Plik z kopią zapasową nagłówka LUKS i kluczy."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Użycie /dev/random do wygenerowania klucza wolumenu."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Użycie /dev/urandom do wygenerowania klucza wolumenu."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Współdzielenie urządzenia z innym, nie zachodzącym segmentem szyfrowanym."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID dla urządzenia, które ma być użyte."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Zezwolenie na żądania porzucenia (TRIM) dla urządzenia."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Urządzenie lub plik z osobnym nagłówkiem LUKS."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Sprawdzenie hasła bez uaktywniania urządzenia."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Użycie nagłówka ukrytego (ukrytego urządzenia TCRYPT)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Urządzenie jest napędem systemowym TCRYPT (z bootloaderem)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Użycie zapasowego (drugiego) nagłówka TCRYPT."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Wyszukiwanie także urządzeń zgodnych z VeraCryptem."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Typ metadanych urządzenia: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Wyłączenie sprawdzania jakości hasła (jeśli włączone)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Użycie opcji zgodności wydajności dm-crypta same_cpu_crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Użycie opcji zgodności wydajności dm-crypta submit_from_crypt_cpus."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPCJA...] <akcja> <parametry-akcji>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Brak argumentu <akcja>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Nieznana akcja."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Opcja --allow-discards jest dozwolona tylko dla operacji otwarcia.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Opcja --key-size jest dopuszczalna tylko dla operacji luksFormat, open\n"
+"i benchmark.\n"
+"Aby ograniczyć odczyt z pliku klucza, należy użyć --keyfile-size=(bajty)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS i TRCYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Rozmiar klucza musi być wielokrotnością 8 bitów"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Numer klucza jest nieprawidłowy."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Liczba ujemna nie jest dozwolona dla tej opcji."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Dozwolony jest tylko jeden argument --key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Opcja --use-[u]random jest dozwolona tylko dla operacji luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Opcja --uuid jest dozwolona tylko dla operacji luksFormat i luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Opcja --align-payload jest dozwolona tylko dla operacji luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Opcja --offset jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Opcja --veracrypt jest obsługiwana tylko dla typu urządzeń TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Podano błędny łańcuch zarodka.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Nie można utworzyć obrazu hasza %s do zapisu.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Podano błędny łańcuch głównego hasza.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<urządzenie_danych> <urządzenie_haszy>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "sformatowanie urządzenia"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<urządzenie_danych> <urządzenie_haszy> <główny_hasz>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "weryfikacja urządzenia"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nazwa> <urządzenie_danych> <urządzenie_haszy> <główny_hasz>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "utworzenie aktywnego urządzenia"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "usunięcie (deaktywacja) urządzenia"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "pokazanie stanu aktywnego urządzenia"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<urządzenie_haszy>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "wyświetlenie informacji z dysku"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nazwa> to urządzenie do utworzenia pod %s\n"
+"<urządzenie_danych> to urządzenie z danymi\n"
+"<urządzenie_haszy> to urządzenie zawierające dane weryfikacyjne\n"
+"<główny_hasz> to hasz głównego węzła na <urządzeniu_haszy>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Domyślnie wkompilowane parametry dm-verity:\n"
+"\tHasz: %s, blok danych (bajtów): %u, blok haszy (bajtów): %u, rozmiar zarodka: %u, format haszy: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Nieużywanie superbloku VERITY"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Typ formatu (1 - normalny, 0 - oryginalny Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "liczba"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Rozmiar bloku na urządzeniu z danymi"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Rozmiar bloku na urządzeniu z haszami"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Liczba bloków w pliku danych"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "bloki"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Offset początku na urządzeniu z haszami"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Algorytm skrótu"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "łańcuch"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Zarodek"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "Łańcuch szesnastkowy"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Restart jądra po wykryciu uszkodzenia"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Zignotowanie uszkodzenia, jedynie logowanie"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Bez weryfikacji wyzerowanych bloków"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Opcje --ignore-corruption, --restart-on-corruption oraz --ignore-zero-blocks są dozwolone tylko przy operacji tworzenia.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Opcji --ignore-corruption oraz --restart-on-corruption nie można użyć naraz.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Przydzielenie wyrównanego obszaru pamięci nie powiodło się.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Nie można odczytać urządzenia %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Oznaczanie urządzenia LUKS %s jako bezużytecznego.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Nie można zapisać na urządzenie %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Nie można zapisać pliku logu ponownego szyfrowania.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Nie można odczytać pliku logu ponownego szyfrowania.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Plik logu %s istnieje, wznowienie ponownego szyfrowania.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Aktywacja urządzenia tymczasowego przy użyciu starego nagłówka LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Aktywacja urządzenia tymczasowego przy użyciu nowego nagłówka LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Aktywacja urządzeń tymczasowych nie powiodła się.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Utworzono nowy nagłówek LUKS dla urządzenia %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Uaktywniono klucz %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Utworzono kopię zapasową nagłówka LUKS urządzenia %s.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Tworzenie kopii zapasowych nagłówków LUKS nie powiodło się.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Nie można odtworzyć nagłówka LUKS na urządzeniu %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Odtworzono nagłówek LUKS na urządzeniu %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Postęp: %5.1f%%, ETA %02llu:%02llu, zapisano %4llu MiB, szybkość %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Nie można przemieścić się we właściwe położenie urządzenia.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Nie można otworzyć tymczasowego urządzenia LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Nie można pobrać rozmiaru urządzenia.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Przerwano sygnałem.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Błąd we/wy podczas ponownego szyfrowania.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Dostarczony UUID jest nieprawidłowy.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Hasło dla klucza %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Nie można otworzyć pliku logu ponownego szyfrowania.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Nie w trakcie odszyfrowywania; dostarczony UUID może być użyty tylko do wznowienia wstrzymanego procesu odszyfrowywania.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Rozmiar bloku ponownego szyfrowania"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Bez zmiany klucza i ponownego szyfrowania obszaru danych."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Użycie bezpośredniego we/wy przy dostępie do urządzeń."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Użycie fsync po każdym bloku."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Uaktualnianie pliku logu po każdym bloku."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Użycie tylko tego slotu (wyłączenie pozostałych)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Ograniczenie rozmiaru urządzenia danych (przesunięcie położenia danych). NIEBEZPIECZNE!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Użycie tylko określonego rozmiaru urządzenia (zignorowanie pozostałej części). NIEBEZPIECZNE!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Utworzenie nowego nagłówka na nieszyfrowanym urządzeniu."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Trwałe odszyfrowanie urządzenia (usunięcie szyfrowania)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "UUID używany do wznowienia odszyfrowywania."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPCJA...] <urządzenie>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Ponowne szyfrowanie zmieni: klucz wolumenu%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", hasz na "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", szyfr na"
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Wymagany argument."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Jako rozmiar bloku ponownego szyfrowania dozwolone są jedynie wartości od 1 MiB do 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Błędne określenie rozmiaru urządzenia."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 64MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Rozmiar ograniczenia musi być wielokrotnością 512-bajtowego sektora."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Opcja --new musi być użyta wraz z --reduce_device_size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Opcja --keep-key może być użyta tylko z --hash lub --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Opcja --new nie może być użyta wraz z --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Opcja --decrypt jest niezgodna z podanymi parametrami."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Opcja --uuid jest dozwolona tylko wraz z --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Błąd podczas odczytu odpowiedzi z terminala.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Polecenie się powiodło.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Polecenie nie powiodło się z kodem %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Nie można sprawdzić jakości hasła: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Sprawdzenie jakości hasła nie powiodło się:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Sprawdzenie jakości hasła nie powiodło się: błędne hasło (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Nie znaleziono wolnego urządzenia loopback.\n"
diff --git a/po/pt_BR.po b/po/pt_BR.po
new file mode 100644
index 0000000..caa15a6
--- /dev/null
+++ b/po/pt_BR.po
@@ -0,0 +1,1840 @@
+# Brazilian Portuguese translation for cryptsetup
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Rafael Fontenelle <rffontenelle@gmail.com>, 2016, 2017.
+# ##### Terminologia usada #####
+# device mapper = mapeador de dispositivo
+# key slots = slots de chave
+# plain = claro (pois "mensagem plana" é tradução incorreta)
+# passphrase = senha
+# salt = sal # https://pt.wikipedia.org/wiki/Sal_(criptografia)
+# ##############################
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 07:12-0200\n"
+"Last-Translator: Rafael Fontenelle <rffontenelle@gmail.com>\n"
+"Language-Team: Brazilian Portuguese <ldpbr-translation@lists.sourceforge.net>\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Generator: Virtaal 1.0.0-beta1\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Não foi possível inicializar o mapeador de dispositivo, executando como usuário não-root.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Não foi possível inicializar o mapeador de dispositivo. O módulo de kernel dm_mod está carregado?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID para o dispositivo \"%s\" estava truncada.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Não há suporte às opções de desempenho de dm-crypt requisitadas.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Não há suporte à tratamento de corrompimento de dados de dm-verify requisitada.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"O sistema sem entropia suficiente enquanto gera chave de volume.\n"
+"Por favor mova o mouse ou digite algum texto em outra janela para obter alguns eventos aleatórios.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Gerando chave (%d%% concluído).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Executando no modo FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Erro fatal durante inicialização de RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Qualidade RNG requisitada desconhecida.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Erro na leitura de %d de RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Não foi possível inicializar o backend RNG de criptografia.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Não foi possível inicializar o backend de criptografia.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Não há suporte ao algoritmo hash %s.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Erro de processamento de chave (usando hash %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Não foi possível determinar o tipo do dispositivo. Ativação de dispositivo incompatível?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Há suporte a esta operação apenas para dispositivo LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Todas os slots de chave estão cheios.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Slot de chave %d é inválido, por favor selecione entre 0 e %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Slot de chave %d está cheio, por favor selecione outro.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Digite a senha para %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Cabeçalho detectado, mas o dispositivo %s é muito pequeno.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Não há suporte a esta operação para este tipo de dispositivo.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "O dispositivo \"%s\" não está ativado.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "O dispositivo subjacente para o dispositivo de criptografia %s desapareceu.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Parâmetros de criptografia clara inválidos.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Tamanho de chave inválida.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "Não há suporte ao UUID para este tipo de criptografia.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Não é possível formatar LUKS sem dispositivo.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Não foi possível formatar o dispositivo %s, o qual ainda está em uso.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Não é possível formatar o dispositivo %s, permissão negada.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Não foi possível apagar o cabeçalho no dispositivo %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Não foi possível formatar LOOPAES sem dispositivo.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Não foi possível formatar VERITY sem dispositivo.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Não há suporte ao tipo de hash VERITY %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Não há suporte ao tamanho de bloco VERITY.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Não há suporte à posição de hash VERITY.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Área de dados sobreposta com área de hash.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Tipo de dispositivo de criptografia requisitado %s desconhecido.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Não foi possível redimensionar o dispositivo de loop.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Você realmente deseja alterar o UUID do dispositivo?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "O volume %s não está ativado.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "O volume %s já está suspenso.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "A suspensão não oferece suporte ao dispositivo %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Ocorreu um erro ao suspender o dispositivo %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "O volume %s não estava suspenso.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "O resumo não oferece suporte a este dispositivo %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Ocorreu um erro ao resumir o dispositivo %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Digite a senha: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Não foi possível adicionar slot de chave, todos slots desabilitados ou nenhuma chave de volume fornecida.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Digite uma senha: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Digite uma senha para o slot de chave: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Slot de chave %d alterado.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Substituído com o slot de chave %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Falha ao trocar novo slot de chave.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "A chave de volume não corresponde ao volume.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "O slot de chave %d é inválido.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "O slot de chave %d não está sendo usado.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "O dispositivo %s já existe.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Chave de volume incorreta especificada para dispositivo claro.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Hash raiz incorreta especificada para o dispositivo verity.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "O tipo de dispositivo não foi inicializado corretamente.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "O dispositivo %s ainda está em uso.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Dispositivo inválido %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Função não disponível no modo FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Buffer de chave de volume muito pequena.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Não foi possível obter chave de volume para dispositivo claro.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Não há suporte a esta operação para o dispositivo de criptografia %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Não há suporte à operação de despejo para este tipo de dispositivo.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Não foi possível obter prioridade de processo.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Não foi possível desbloquear memória.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Memória insuficiente para leitura da senha.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Erro ao ler senha do terminal.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Verificar senha: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "As senhas não conferem.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Não foi possível usar posição com a entrada do terminal.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Falha ao abrir arquivo de chave.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Falha ao obter estado do arquivo.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Não foi possível buscar a posição do arquivo de chave requisitado.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Erro ao ler a senha.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Tamanho máximo de arquivo de chave excedido.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Não foi possível ler a quantidade requisitada de dados.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "O dispositivo %s não existe ou acesso negado.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Não foi possível usar um dispositivo de loopback, executando como usuário não-root.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Anexamento de dispositivo loopback falhou (dispositivo de loop com sinalizador autoclear é necessário).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Não foi possível usar o dispositivo %s, o qual está em uso (já mapeado ou montado).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Não foi possível obter informação sobre o dispositivo %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "A posição requisitada está além do tamanho real do dispositivo %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "O dispositivo %s possui tamanho zero.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "O dispositivo %s é muito pequeno.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Falha ao configurar mapeamento de chave dm-crypt para o dispositivo %s.\n"
+"Certifique-se de que o kernel oferece suporte cifra de %s (verifique o syslog para mais informação).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Tamanho de chave no modo XTS deve ser 256 ou 512 bits.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Não foi possível escrever para o dispositivo %s, permissão negada.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Falha ao abrir o dispositivo temporário de armazenamento de chave.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Falha ao acessar o dispositivo temporário de armazenamento de chave.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Erro de E/S ao criptografar slot de chave.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Erro de E/S ao descriptografar slot de chave.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Dispositivo %s é muito pequeno. (LUKS precisa de pelo menos %<PRIu64> bytes.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "O dispositivo %s não é um dispositivo LUKS válido.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "O arquivo de cópia de segurança de cabeçalho requisitado %s já existe.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Não foi possível criar o arquivo de cópia de segurança de cabeçalho %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Não foi possível escrever o arquivo de cópia de segurança de cabeçalho %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Arquivo de cópia de segurança não contém cabeçalho LUKS válido.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Não foi possível abrir o arquivo de cópia de segurança de cabeçalho %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Não foi possível ler o arquivo de cópia de segurança de cabeçalho %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Posição de dados ou tamanho de chave divergem entre dispositivo e cópia de segurança, restauração falhou.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Dispositivo %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "não contém cabeçalho LUKS. A substituição do cabeçalho pode destruir dados naquele dispositivo."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "já contém cabeçalho LUKS. A substituição do cabeçalho vai destruir slots de chave existentes."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"AVISO: o cabeçalho do dispositivo real possui um UUID diferente da cópia de segurança!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Não foi possível abrir o dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Tamanho de chave fora do padrão, correção manual necessária.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Alinhamento de slots de chave fora do padrão, correção manual necessária.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Corrigindo slots de chave.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Correção falhou."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Slot de chave %i: posição corrigida (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Slot de chave %i: barras corrigidas (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Slot de chave %i: assinatura de partição é falsa.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Slot de chave %i: sal apagado.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Escrevendo cabeçalho LUKS para disco.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Não há suporte ao LUKS versão %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Não há suporte ao hash LUKS requisitado %s.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "O slot de chave LUKS %u é inválido.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Nenhum problema conhecido foi detectado no cabeçalho LUKS.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Erro durante atualização de cabeçalho LUKS no dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Erro ao reler cabeçalho LUKS após atualização no dispositivo %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "A posição de dados para cabeçalho LUKS desanexado deve ser 0 ou maior do que o tamanho do cabeçalho (%d setores).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Formato de UUID LUKS incorreto foi fornecido.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Não foi possível criar cabeçalho LUKS: leitura de sal aleatório falhou.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Opções PBKDF2 não compatíveis (sando algoritmo hash %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Não foi possível criar cabeçalho LUKS: resumo de cabeçalho falhou (usando hash %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Slot de chave %d ativado, apagar primeiro.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "O material do slot de chave %d inclui muito poucas barras. Manipulação do cabeçalho?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Slot de chave %d desbloqueado.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Nenhuma chave disponível com esta senha.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Slot de chave %d é inválido, por favor selecione um slot de chave entre 0 e %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Não foi possível apagar o dispositivo %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Detectado arquivo de chave criptografado com GPG ainda sem suporte.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Por favor use gpg --decrypt <ARQUIVO-CHAVE> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Arquivo de chave loop-AES incompatível detectado.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "O kernel não oferece suporte a mapeamento compatível com loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Erro ao ler arquivo de chave %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Tamanho máximo de senha TCRYPT (%d) excedido.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Algoritmo hash PBKDF2 %s não disponível, ignorando.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Interface necessário de criptografia do kernel não disponível.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Certifique-se de que você tenha o módulo de kernel algif_skcipher carregado.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Não há suporte a ativação para o tamanho de setor %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "O kernel não oferece suporte a ativação para este modo legado TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Ativando criptografia de sistema TCRYPT para partição %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "O kernel não oferece suporte a mapeamento compatível com TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Não há suporte a esta função sem carga de cabeçalho TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Dispostivo verity %s não usa cabeçalho em disco.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "O dispositivo %s não é um dispositivo VERITY válido.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Não há suporte ao VERITY versão %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Cabeçalho VERITY corrompido.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Formato de UUID VERITY inválido fornecido no dispositivo %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Erro durante a atualização do cabeçalho verity no dispositivo %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "O kernel não oferece suporte a mapeamento dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "O dispositivo verity detectou corrompimento após ativação.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Área disponível não está zerada na posição %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Excesso na posição do dispositivo.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Verificação falhou na posição %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Parâmetros de tamanho inválido para dispositivo verity.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Número excessivo de níveis de árvore para volume verity.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Verificação da área de dados falhou.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Verificação do hash raiz falhou.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Erro de entrada/saída enquanto criava área de hash.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Criação da área de hash falhou.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "AVISO: O kernel não pode ativar um dispositivo se o tamanho do bloco de dados exceder o tamanho da página (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Não é possível fazer verificação de senha em entradas diferente de tty.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Nenhum padrão de especificação de cifra conhecida foi detectada.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "AVISO: O parâmetro de --hash está sendo ignorado claro com o arquivo de chave especificado.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "AVISO: A opção --keyfile-size está sendo ignorada, o tamanho lido é o mesmo que o tamanho da chave de criptografia.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "A opção --key-file é necessária.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Nenhum cabeçalho de dispositivo detectado com esta senha.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"O despejo de cabeçalho com chave de volume é uma informação sensível\n"
+"que permite acesso a uma partição criptografada sem senha.\n"
+"Este despejo deve sempre ser armazenado criptografado em um local seguro."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "O resultado do teste não é confiável.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testes são aproximados usando apenas memória (sem E/S de armazenamento).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritmo | Chave | Criptografia | Descriptografia\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "A cifra %s não está disponível.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/D"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Não foi possível ler o arquivo de chave %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Não foi possível ler %d bytes do arquivo de chave %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Realmente tentar corrigir o cabeçalho do dispositivo LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Isto vai sobrescrever dados em %s permanentemente."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "erro de alocação de memória em action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Não foi possível usar %s como um cabeçalho em disco.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Posição de dados reduzida é permitido apenas cabeçalho LUKS desanexado.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Slot de chave %d selecionado para exclusão.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Chave %d não ativada. Não é possível apagar.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Este é o último slot de chave. O dispositivo se tornará não usável após apagar esta chave."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Digite qualquer senha remanescente: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Digite a senha para ser excluída: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Digite qualquer senha existente: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Digite a senha para ser alterada: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Digite uma nova senha: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Há suporte apenas a um argumento de dispositivo para a operação isLuks.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "A opção --header-backup-file é necessária.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Tipo de dispositivo de metadados %s não reconhecido.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "O comando requer um dispositivo e nome mapeado como argumentos.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Esta operação vai apagar todos os slots de chave no dispositivo %s.\n"
+"O dispositivo se tornará não usável após esta operação."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<dispositivo> [--type <tipo>] [<nome>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "abre dispositivo como mapeamento <nome>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<nome>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "fecha dispositivo (remove mapeamento)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "redimensiona dispositivo ativado"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "mostra o estado do dispositivo"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <cifra>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "testa a cifra"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<dispositivo>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "tente corrigir os metadados em disco"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "apaga todos os slots de chave (remove a chave de criptografia)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<dispositivo> [<novo arquivo de chave>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "formata um dispositivo LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "adiciona uma chave ao dispositivo LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<dispositivo> [<arquivo de chave >]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "remove a chave ou arquivo chave fornecidos do dispositivo LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "altera a chave ou arquivo chave fornecidos do dispositivo LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<dispositivo> <slot de chave>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "apaga chave com número <slot de chave> do dispositivo LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "emite UUID do dispositivo LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "testa <dispositivo> por cabeçalho de partição LUKS"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "despeja informação da partição LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "despeja informação do dispositivo TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Suspende dispositivo LUKS e apaga chave (todas E/S ficam congeladas)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Resume dispositivo LUKS suspenso."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Faz uma cópia de segurança de slots de chave e cabeçalho de dispositivo LUKS"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Restaura slots de chave e cabeçalho de dispositivo LUKS"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<ação> é um dentre:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Você também pode usar apelidos de sintaxe <ação> antigos:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nome> é o dispositivo a ser criado sob %s\n"
+"<dispositivo> é o dispositivo criptografado\n"
+"<slot de chave> é o número do slot de chave LUKS a ser modificado\n"
+"<arquivo de chave> arquivo de chave opcional para a nova chave para a ação luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Parâmetros padrões de senha e chave compilados internamente:\n"
+"\tTamanho do arquivo chave máximo: %dkB, Tamanho máximo de senha interativa %d (caracteres)\n"
+"Tempo padrão de iteração PBKDF2 para LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Parâmetros de cifra de dispositivo pré-compilados por padrão:\n"
+"\tloop-AES: %s, Chave %d bits\n"
+"\tplain: %s, Chave: %d bits, Hash de senha: %s\n"
+"\tLUKS1: %s, Chave: %d bits, Hash de cabeçalho LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: necessita %s como argumentos"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Mostra essa mensagem de ajuda"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Exibe instrução de uso"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Opções de ajuda:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Emite a versão do pacote"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Mostra mensagens de erro mais detalhadas"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Mostra mensagens de depuração"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "A cifra usada para criptografar o disco (veja /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "A hash usada para criar a chave de criptografia a partir da senha"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifica a senha perguntando-a duas vezes"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Lê a chave de um arquivo."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Lê a chave do volume (mestre) a partir do arquivo."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Despeja a chave de volume (mestre) ao invés da informação de slots de chave."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "O tamanho da chave de criptografia"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Limita a leitura do arquivo de chave"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "bytes"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Número de bytes a ignorar no arquivo de chave"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Limita a leitura do arquivo de chave recém-adicionado"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Número de bytes a ignorar em arquivo de chave recém-adicionado"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Número de slot para a nova chave (padrão é a primeira livre)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "O tamanho do dispositivo"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SETORES"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "A posição inicial do dispositivo de backend"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Quantos setores dos dados criptografados ignorar no começo"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Cria um mapeamento somente leitura"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Iteração PBKDF2 para LUKS (em ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Não solicitar confirmação"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Tempo limite para a solicitação interativa de senha (em segundos)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Com qual frequência a entrada da senha pode ser tentada novamente"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Alinha a carga em <n> limites de setores - para luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Arquivo cópia de segurança de slots de chave e cabeçalho LUKS."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Usa /dev/random para gerar chave de volume."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Usa /dev/urandom para gerar chave de volume."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Compartilha o dispositivo com um outro segmento de criptografia sem sobreposição."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID para dispositivo a ser usado."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Permite requisições de descartes (i.e. TRIM) para dispositivo."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Dispositivo ou arquivo com cabeçalho LUKS separado."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Não ativa o dispositivo, apenas verifica a senha."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Usa cabeçalho oculto (dispositivo TCRYPT oculto)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "O dispositivo é uma unidade TCRYPT de sistema (com carregador de inicialização)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Usa o cabeçalho TRCYPT secundário (cópia de segurança)."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Verifica também por dispositivo compatível com VeraCrypt."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Tipo de metadados de dispositivo: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Desabilita a verificação de qualidade da senha (se habilitada)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Usa a opção de compatibilidade de desempenho same_cpu_crypt do dm-crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Usa a opção de compatibilidade de desempenho submit_from_crypt_cpus do dm-crypt."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[OPÇÃO...] <ação> <ação-específica>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Faltando o argumento de <ação>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Ação desconhecida."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "A opção --shared é permitida apenas para abertura de dispositivo claro.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "A opção --allow-discards é permitida apenas para a operação de abertura.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"A opção --key-size é permitida apenas para luksFormat, abertura e teste.\n"
+"Para limitar a leitura do arquivo de chave, use --keyfile-size=(bytes)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "A opção --test-passphrase é permitida apenas para abertura de dispositivos LUKS e TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Tamanho de chave deve ser um múltiplo de 8 bits"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "O slot de chave é inválido."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "A opção --key-file tem precedência sobre um argumento de arquivo de chave especificado.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Número negativo para opção não permitido."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Apenas um argumento de --key-file é permitido."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Apenas uma das opções --use-[u]random são permitidas."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "A opção --use-[u]random é permitida apenas para luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "A opção --uuid é permitida apenas para luksFormat e luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "A opção --align-payload é permitida apenas para luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Há suporte a --skip apenas para abertura de dispositivos claro e loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Há suporte a --offset apenas para abertura de dispositivos claro e loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Há suporte à opção --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup apenas para dispositivo TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "A opção --tcrypt-hidden não pode ser combinada com --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Há suporte à opção --veracrypt apenas para o tipo de dispositivo TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Uma string salgada inválida foi especificada.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Não foi possível criar imagem hash %s para escrita.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Uma string hash raiz inválida foi especificada.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<dispositivo-dados> <dispositivo-hash>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "formata o dispositivo"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<dispositivo-dados> <dispositivo-hash> <hash-raiz>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "verifica o dispositivo"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<nome> <dispositivo-dados> <dispositivo-hash> <hash-raiz>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "cria um dispositivo ativado"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "remove (desativa) o dispositivo"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "mostra o estado do dispositivo ativado"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<dispositivo-hash>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "mostra informação em disco"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<nome> é o dispositivo a ser criado sob %s\n"
+"<dispositivo-dados> é o dispositivo de dados\n"
+"<dispositivo-hash> é o dispositivo contendo dados de verificação\n"
+"<hash-raiz> hash do nó raiz no <dispositivo-hash>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Parâmetros dm-verity pré-compilados por padrão:\n"
+"\tHash: %s, Bloco de dados (bytes): %u, Bloco de hash (bytes): %u, Tamanho salgado: %u, Formato hash: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Não usa superbloco verity"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Tipo de formato (1 - normal, 0 - Chrome OS original)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "número"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Tamanho de bloco no dispositivo de dados"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Tamanho de bloco no dispositivo de hash"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "O número de blocos no arquivo de dados"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "blocos"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Posição inicial no dispositivo de hash"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Algoritmo hash"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "string"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Sal"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "string hexa"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Reinicia o kernel, se um corrompimento for detectado"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignora corrompimento, apenas registra no log"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Não verifica por blocos zerados"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "O uso da opção --ignore-corruption, --restart-on-corruption ou --ignore-zero-blocks é permitido apenas para operação de criação.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "As opções --ignore-corruption e --restart-on-corruption não podem ser usadas em conjunto.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Não foi possível abrir exclusivamente %s, dispositivo em uso.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "A alocação de memória alinhada falhou.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Não foi possível ler o dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Marcando o dispositivo LUKS %s como não usável.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Não foi possível escrever o dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Não foi possível escrever o arquivo log de recriptografia.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Não foi possível abrir o arquivo log de recriptografia.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Arquivo log %s existe, resumindo recriptografia.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Ativando dispositivo temporário usando antigo cabeçalho LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Ativando dispositivo temporário usando novo cabeçalho LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "A ativação de dispositivos temporários falhou.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Novo cabeçalho LUKS para dispositivo %s criado.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Slot de chave %i ativado.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Cópia de segurança de cabeçalho LUKS de dispositivo %s criada.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "A criação de cópia de segurança de cabeçalhos LUKS falhou.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Não foi possível restaurar o cabeçalho LUKS no dispositivo %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Cabeçalho LUKS no dispositivo %s restaurado.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Progresso: %5.1f%%, ETA %02llu:%02llu, %4llu MB escrito, vel. %5.1f MB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Não foi possível ir à posição do dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Não foi possível abrir o dispositivo LUKS temporário.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Não foi possível obter o tamanho do dispositivo.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Interrompido por um sinal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Erro de E/S durante a recriptografia.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "O UUID fornecido é inválido.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "O arquivo de chave pode ser usado apenas com --key-slot ou com exatamente um slot de chave ativado.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Digite uma senha para o slot de chave %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Não foi possível abrir o arquivo log de recriptografia.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Nenhuma descriptografia em progresso, UUID fornecido pode ser usado apenas para resumir um processo de descriptografia suspendido.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Tamanho do bloco de recriptografia"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Não alterar chave, nenhuma área de dados de recriptografia."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Usa direct-io ao acessar dispositivos."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Usa fsync após cada bloco."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Atualiza o arquivo log após todo bloco."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Usa apenas este slot (outros serão desabilitados)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Reduz tamanho do dispositivo de dados (move opção dos dados). PERIGOSO!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Usa apenas o tamanho de dispositivo especificado (ignora o resto do dispositivo). PERIGOSO!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Cria um novo cabeçalho em dispositivo não criptografado."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Descriptografa permanentemente o dispositivo (remove criptografia)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "A uuid usada para resumir a descriptografia."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[OPÇÃO...] <dispositivo>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Recriptografia vai ser alterada: volume de chave%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", definir hash para "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", definir cifra para "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Argumento necessário."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Apenas valores entre 1 MB e 64 MB são permitidos para tamanho de bloco de recriptografia."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Especificação inválida de tamanho de dispositivo."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Tamanho máximo de redução do dispositivo é 64 MB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Tamanho da redução deve ser múltiplo de 512 bytes (setores)."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "A opção --new deve ser usada junto de --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "A opção --keep-key pode ser usada apenas com --hash ou --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "A opção --new não pode ser usada junto de --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "A opção --decrypt é incompatível com os parâmetros especificados."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "A opção --uuid é permitida apenas junto de --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Erro ao ler resposta do terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Comando executado com sucesso.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "O comando falhou com código %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Não foi possível verificar qualidade da senha: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Verificação de qualidade da senha falhou:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Verificação de qualidade da senha falhou: Senha incorreta (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Não foi possível localizar um dispositivo de loop livre.\n"
+
+# Ponto final acrescentado, pois as mensagens em volta possível, sugerindo ser necessário aqui também.
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Não foi possível abrir o dispositivo %s.\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Não é possível usar o UUID passado a menos que descriptografia estiver em progresso.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Marcando o dispositivo LUKS %s como usável.\n"
diff --git a/po/sr.po b/po/sr.po
new file mode 100644
index 0000000..637b6d0
--- /dev/null
+++ b/po/sr.po
@@ -0,0 +1,1837 @@
+# Serbian translation for cryptsetup.
+# Copyright (C) 2014 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Мирослав Николић <miroslavnikolic@rocketmail.com>, 2014—2017.
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup-1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-04-06 04:22+0200\n"
+"Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
+"Language-Team: Serbian <(nothing)>\n"
+"Language: sr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Не могу да покренем мапера уређаја, радим као обичан корисник.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Не могу да покренем мапера уређаја. Да ли је модул језгра „dm_mod“ учитан?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "ДМ-УЈИБ за уређај „%s“ је скраћен.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Затражене опције перформанси дм-крипта нису подржане.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Затражене опције рада оштећених података дм-веритија нису подржане.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Систем је ван ентропије приликом стварања кључа волумена.\n"
+"Померите миша или откуцајте неки текст у другом прозору да прикупите неке насумичне догађаје.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Стварам кључ (%d %% је урађено).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Ради у ФИПС режиму.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Кобна грешка за време покретања РНГ-а.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Затражен је непознат квалитет РНГ-а.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Грешка %d читања из РНГ-а: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Не могу да покренем РНГ позадинца криптографије.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Не могу да покренем позадинца криптографије.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Хеш алгоритам „%s“ није подржан.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Грешка обраде кључа (користим хеш %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Не могу да одредим врсту уређаја. Несагласно покретање уређаја?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Ова радња је подржана само за ЛУКС уређај.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Сви исеци кључева су пуни.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Исек кључа %d није исправан, изаберите између 0 и %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Исек кључа %d је пун, изаберите неки други.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Унесите пропусну реч за „%s“: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Заглавље је откривено али уређај „%s“ је премали.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Ова радња није подржана за ову врсту уређаја.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Уређај „%s“ није радан.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Основни уређај за криптографски уређај „%s“ је нестао.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Неисправни параметри обичне криптографије.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Неисправна величина кључа.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "УЈИБ није подржан за ову врсту криптографије.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Не могу да обликујем „LUKS“ без уређаја.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Не могу да обликујем уређај „%s“ који је још увек у употреби.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Не могу да обликујем уређај „%s“, овлашћење је одбијено.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Не могу да очистим заглавље на уређају „%s“.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Не могу да обликујем „LOOPAES“ без уређаја.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Не могу да обликујем ТАЧНОСТ без уређаја.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Неподржана врста хеша ТАЧНОСТИ %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Неподржана величина блока ТАЧНОСТИ.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Неподржан померај хеша ТАЧНОСТИ.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Област података се преклапа са облашћу хеша.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Затражена је непозната врста „%s“ криптографског уређаја.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Не могу да променим величину уређаја петље.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Да ли стварно желите да измените УЈИБ уређаја?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Волумен „%s“ није радан.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Волумен „%s“ је већ обустављен.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Обустављање није подржано за уређај „%s“.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Грешка за време обустављања уређаја „%s“.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Волумен „%s“ није обустављен.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Настављање није подржано за уређај „%s“.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Грешка за време настављања уређаја „%s“.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Унесите пропусну реч: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Не могу да додам исек кључа, сви исеци су искључени а није обезбеђен ниједан кључ волумена.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Унесите неку пропусну реч: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Унесите нову пропусну реч за исек кључа: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Исек кључа „%d“ је измењен.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Замењен је исеком кључа „%d“.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Нисам успео да разменим нови исек кључа.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Кључ волумена не одговара волумену.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Исек кључа „%d“ није исправан.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Исек кључа „%d“ није у употреби.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Уређај „%s“ већ постоји.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Наведен је неисправан кључ волумена за обичан уређај.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Наведен је неисправан хеш корена за уређај тачности.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Врста уређаја није исправно покренута.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Уређај „%s“ је још увеку употреби.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Неисправан уређај „%s“.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Функција није доступна у ФИПС режиму.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Међумеморија кључа волумена је премала.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Не могу да довучем кључ волумена за обичан уређај.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Ова радња није подржана за криптографски уређај „%s“.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Радња исписа није подржана за ову врсту уређаја.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Не могу да добавим хитност процеса.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Не могу да откључам меморију.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Нестало је меморије приликом читања пропусне речи.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Грешка читања пропусне речи из терминала.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Провери пропусну реч: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Пропусне речи се не подударају.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Не могу да користим померај са улазом терминала.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Нисам успео да отворим датотеку кључа.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Нисам успео да добавим податке датотеке кључа.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Не могу да премотам на затражени померај датотеке кључа.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Грешка читања пропусне речи.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Премашена је највећа величина датотеке кључа.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Не могу да прочитам затражену количину података.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Уређај „%s“ не постоји или је приступ одбијен.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Не могу да користим уређај повратне петље, радим као обичан корисник.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Прикачињање уређаја повратне петље није успело (потребан је уређај петље са опцијом самочишћења).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Не могу да користим уређај „%s“ који је у употреби (већ мапиран или прикачен).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Не могу да добавим податке о уређају „%s“.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Захтевани померај је изван стварне величине уређаја „%s“.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Уређај „%s“ има нулту величину.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Уређај „%s“ је премали.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Нисам успео да подесим мапирање кључа „dm-crypt“ за уређај %s.\n"
+"Проверите да ли језгро подржава „%s“ шифрера (проверите дневник система за више података).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Величина кључа у „XTS“ режиму мора да буде 256 или 512 бита.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Не могу да пишем на уређај „%s“, овлашћење је одбијено.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Нисам успео да отворим привремени уређај смештаја кључа.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Нисам успео да приступм привременом уређају смештаја кључа.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Грешка УИ приликом шифровања исека кључа.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Грешка УИ приликом дешифровања исека кључа.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Уређај „%s“ је премали. (ЛУКС захтева барем %<PRIu64> бајта.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Уређај „%s“ није исправан ЛУКС уређај.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Затражена датотека резерве заглавља „%s“ већ постоји.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Не могу да направим резервну датотеку заглавља „%s“.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Не могу да запишем резервну датотеку заглавља „%s“.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Датотека резерве не садржи исправно ЛУКС заглавље.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Не могу да отворим резервну датотеку заглавља „%s“.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Не могу да прочитам резервну датотеку заглавља „%s“.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Померај датума или величина кључа се разликују на уређају и резерви, враћање није успело.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Уређај %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "не садржи ЛУКС заглавље. Замена заглавља може да уништи податке на том уређају."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "већ садржи „LUKS“ заглавље. Замена заглавља ће уништити постојеће исеке кључева."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"УПОЗОРЕЊЕ: право заглавље уређаја има другачији УЈИБ од резерве!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Не могу да отворим уређај „%s“.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Неуобичајена величина кључа, потребна је ручна поправка.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Неуобичајено поравнање исека кључева, потребна је ручна поправка.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Поправљам исеке кључева.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Поправканије успела."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Исек кључа %i: померај је оправљен (%u —> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Исек кључа %i: траке су оправљене (%u —> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Исек кључа %i: лажан потпис партиције.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Исек кључа %i: присолак је обрисан.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Записујем ЛУКС заглавље на диск.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Неподржано ЛУКС издање %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Затражени ЛУКС хеш „%s“ није подржан.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "ЛУКС исек кључа „%u“ није исправан.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Нису откривени познати проблеми за ЛУКС заглавље.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Грешка приликом освежавања ЛУКС заглавља на уређају „%s“.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Грешка поновног читања ЛУКС заглавља након освежења на уређају „%s“.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Померај података за откачено ЛУКС заглавље мора бити или 0 или већи од величине заглавља (%d сектора).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Достављен је погрешан запис ЛУКС УЈИБ-а.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Не могу да направим ЛУКС заглавље: није успело читање насумичног присолка.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Нису сагласне ПБКДФ2 опције (користим хеш алгоритам %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Не могу да направим ЛУКС заглавље: није успео преглед заглавља (користим хеш „%s“).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Исек кључа „%d“ је радан, прво прочистите.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Материјал исека кључа „%d“ обухвата премало трака. Да управљам заглављем?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Исек кључа „%d“ је откључан.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Нема доступног кључа са овом пропусном речју.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Исек кључа %d није исправан, изаберите га између 0 и %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Не могу да очистим уређај „%s“.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Откривена је још увек неподржана ГПГ-ом шифрована датотека кључа.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Користите gpg --decrypt <ДАТОТЕКА_КЉУЧА> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Откривена је несагласна датотека кључа АЕС петље.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Језгро не подржава мапирање сагласно са АЕС петљом.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Грешка читања датотеке кључа „%s“.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Премашена је највећа дужина „TCRYPT“ пропусне речи (%d).\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "ПБКДФ2 алгоритам хеша „%s“ није доступан, прескачем.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Није доступно затражено сучеље криптографије језгра.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Уверите се да је учитан модул језгра „algif_skcipher“.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Покретање није подржано за величину %d сектора.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Језгро не подржава покретање за овај стари ТКРИПТ режим.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Покрећем „TCRYPT“ систем шифровања за партицију „%s“.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Језгро не подржава мапирање сагласно са „TCRYPT“-ом.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Ова функција није подржана без учитавања ТКРИПТ заглавља."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Уређај тачности %s не користи заглавље на-диску.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Уређај „%s“ није исправан уређај ТАЧНОСТИ.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Неподржано издање ТАЧНОСТИ %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Заглавље ТАЧНОСТИ је оштећено.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Достављен је погрешан УЈИБ запис ТАЧНОСТИ на уређају „%s“.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Грешка приликом освежавања заглавља тачности на уређају „%s“.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Језгро не подржава мапирање дм-тачности.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Уређај тачности је открио оштећење након покретања.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Сувишна област није нулирана на положају %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Прекорачење помераја уређаја.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Провера није успела на положају %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Неисправни параметри величине за уређај тачности.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Превише нивоа стабла за волумен тачности.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Провера области података није успела.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Провера хеша корена није успела.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Улазно/излазна грешка приликом стварања области хеша.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Стварање области хеша није успело.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "УПОЗОРЕЊЕ: Језгро не може да покрене уређајако величина блока података премашује величину странице (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Не могу да одрадим проверу пропусне речи на не-конзолним улазима.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Није откривен познат образац одреднице шифрера.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "УПОЗОРЕЊЕ: Параметар „--hash“ је занемарен у обичном режиму са наведеном кључном датотеком.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "УПОЗОРЕЊЕ: Опција „--keyfile-size“ је занемарена, величина читања је иста као величина кључа шифровања.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Захтевана је опција „--key-file“.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Није откривено заглавље уређаја са овом пропусном речи.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Избачај заглавља са кључем волумена је осетљив податак\n"
+"који омогућава приступ шифрованој партицији без лозинке.\n"
+"Овај избачај треба увек бити смештен шифрован на безбедном месту."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Резултат тестирања није поуздан.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Пробе су приближне користећи само меморију (без УИ смештаја).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Алгоритам | Кључ | Шифровање | Дешифровање\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Шифрер „%s“ није доступан.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "Недоступно"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Не могу да прочитам датотеку кључа „%s“.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Не могу да прочитам %d бајта из датотеке кључа „%s“.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Стварно да покушам да поправим заглавље ЛУКС уређаја?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Ово ће неповратно да препише податке на „%s“."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "грешка доделе меморије у „action_luksFormat“"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Не могу да користим „%s“ као заглавље на-диску.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Смањени померај података је допуштен само за откачена ЛУКС заглавља.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Исек кључа „%d“ је изабран за брисање.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Кључ „%d“ није радан. Не могу да очистим.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Ово је последњи исек кључа. Уређај ће постати неупотребљив након чишћења овог кључа."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Унесите неку преосталу пропусну реч: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Унесите пропусну реч за брисање: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Унесите неку постојећу пропусну реч: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Унесите пропусну реч за мењање: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Унесите нову пропусну реч: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Подржан је само један аргумент уређаја за радњу „isLuks“.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Захтевана је опција „--header-backup-file“.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Непозната врста уређаја метаподатака „%s“.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Наредба захтева уређај и мапирани назив као аргумент.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Ова радња ће обрисати све исеке кључева на уређају „%s“.\n"
+"Уређај ће постати неупотребљив након ове радње."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<уређај> [--type <врста>] [<назив>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "отвара уређај као <назив> мапирања"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<назив>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "затвара уређај (уклања мапирање)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "мења величину радног уређаја"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "показује стање уређаја"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <шифрер>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "шифрер оцењивања"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<уређај>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "покушава да поправи метаподатке на-диску"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "брише све исеке кључева (уклања кључ шифровања)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<уређај> [<нова датотека кључа>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "форматира ЛУКС уређај"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "додаје кључ у ЛУКС уређај"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<уређај> [<датотека кључа>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "уклања достављени кључ или датотеку кључа из ЛУКС уређаја"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "мења достављени кључ или датотеку кључа ЛУКС уређаја"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<уређај> <исек кључа>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "брише кључ са бројем <исека кључа> са ЛУКС уређаја"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "исписује УЈИБ ЛУКС уређаја"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "испробава <уређај> за заглављем ЛУКС партиције"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "исписује податке ЛУКС партиције"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "исписује податке ТКРИПТ уређаја"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Обуставља ЛУКС уређај и брише кључ (сви УИ су замрзнути)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Наставља са обустављеним ЛУКС уређајем."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Прави резерву заглавља „LUKS“ уређаја и исека кључева"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Враћа заглавље „LUKS“ уређаја и исеке кључева"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<радња> је једна од следећих:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Можете такође да користите старе надимке синтаксе <радње>:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<назив> је уређај за стварање под „%s“\n"
+"<уређај> је шифровани уређај\n"
+"<исек кључа> је број „LUKS“ исека кључа за мењање\n"
+"<датотека кључа> изборна датотека кључа за нови кључ за радњу „luksAddKey“\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Основни:\n"
+"\tНајвећа величина датотеке кључа: %d kB, Највећа дужина међудејствене лозинке %d (знакова)\n"
+"Основно време ПБКДФ2 понављања за ЛУКС: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Основни преведени параметри шифрера уређаја:\n"
+"\tпетља-АЕС: %s, Кључ %d бита\n"
+"\tобично: %s, Кључ: %d бита, Хеширање лозинке: %s\n"
+"\tЛУКС1: %s, Кључ: %d бита, Хеширање ЛУКС заглавља: %s, РНГ: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: захтева „%s“ као аргумент"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Приказује ову поруку помоћи"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Прикажите кратку поруку о коришћењу"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Опције помоћи:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Исписује издање пакета"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Приказује опширније поруке о грешкама"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Приказује поруке прочишћавања"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Шифрер коришћен за шифровање диска (видите „/proc/crypto“)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Хеш коришћен за стварање кључа шифровања из лозинке"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Проверава лозинку тражећи је два пута"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Чита кључ из датотеке."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Чита (главни) кључ вочумена из датотеке."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Даје (главни) кључ волумена уместо података исека кључева."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Величина кључа шифровања"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "БИТА"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Ограничава читање из датотеке кључа"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "бајта"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Број бајтова за прескакање у датотеци кључа"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Ограничава читање из новододате датотеке кључа"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Број бајтова за прескакање у новододатој датотеци кључа"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Број исека за нови кључ (основно је први слободан)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Величина уређаја"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "ОДЕЉЦИ"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Почетни померај у позадинском уређају"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Број одељака шифрованих података за прескакање на почетку"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Прави мапирање само за читање"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Време ПБКДФ2 понављања за ЛУКС (у милисекундама)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "милисекунде"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Не тражи потврђивање"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Време за упит међудејствене лозинке (у секундама)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "секунде"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Колико често унос лозинке може бити покушан"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Поравнава утовар на границе <n> одељка — за „luksFormat“"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Датотека са резервом „LUKS“ заглавља и исецима кључева."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Користи „/dev/random“ за стварање кључа волумена."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Користи „/dev/urandom“ за стварање кључа волумена."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Дели уређај са другим не-преклапајућим подеоком шифрера."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "УЈИБ уређаја за коришћење."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Допушта одбацивања (тј. СКРАЋЕЊЕ) захтева за уређај."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Уређај или датотека са одвојеним ЛУКС заглављем."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Не покреће уређај, само проверава лозинку."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Користи скривено заглавље (скривени ТКРИПТ уређај)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Уређај је ТКРИПТ диск система (са подизачем система)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Користи резервно (другоразредно) ТКРИПТ заглавље."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Такође обавља преглед за уређајима сагласним са Веракриптом."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Врста метаподатака уређаја: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Искључује проверу квалитета лозинке (ако је укључена)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Користи опцију сагласности перформансе „same_cpu_crypt“ дм-крипта."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Користи опцију сагласности перформансе „submit_from_crypt_cpus“ дм-крипта."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[ОПЦИЈА...] <радња> <посебност-радње>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Недостаје аргумент <радња>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Непозната радња."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Опција „--shared“ је допуштена само за отварање обичног уређаја.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Опција „--allow-discards“ је допуштена само за радњу отварања.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Опција „--key-size“ је допуштена само за „luksFormat“, отварање и оцењивање.\n"
+"Да ограничите читање из датотеке кључа користите „--keyfile-size=(бајтова)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Опција „--test-passphrase“ је допуштена само за отварање ЛУКС и ТКРИПТ уређаје.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Величина кључа мора бити умножак од 8 бита"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Исек кључа није исправан."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Опција „--key-file“ има првенство над наведеним аргументом датотеке кључа.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Негативан број за опцију није допуштен."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Дозвољен је само један аргумент „--key-file“."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Дозвољена је само једна опција „--use-[u]random“."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Опција „--use-[u]random“ је допуштена само за „luksFormat“."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Опција „--uuid“ је допуштена само за „luksFormat“ и „luksUUID“."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Опција „--align-payload“ је допуштена само за „luksFormat“."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Опција „--skip“ је подржана само за отварање обичних и упетљаних уређаја.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Опција „--offset“ је подржана само за отварање обичних и упетљаних уређаја.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Опција „--tcrypt-hidden“, „--tcrypt-system“ или „--tcrypt-backup“ је подржана само за ТКРИПТ уређај.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Опција „--tcrypt-hidden“ не може бити обједињена са „--allow-discards“.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Опција „--veracrypt“ је подржана само за ТКРИПТ уређај.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Наведена је неисправна ниска присолка.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Не могу да направим хеш слику „%s“ ради уписа.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Наведена је неисправна ниска хеша корена.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<уређај_података> <уређај_хеша>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "форматира уређај"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<уређај_података> <уређај_хеша> <хеш_корена>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "проверава уређај"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<назив> <уређај_података> <уређај_хеша> <хеш_корена>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "прави радни уређај"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "уклања (искључује) уређај"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "показује стање радног уређаја"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<уређај_хеша>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "приказује податке на-диску"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<назив> јесте уређај за стварање под „%s“\n"
+"<уређај_података> јесте уређај података\n"
+"<уређај_хеша> јесте уређај који садржи податке проверавања\n"
+"<хеш_корена> хеш кореног чвора на <уређају_хеша>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Основни преведени параметри дм-тачности:\n"
+"\tХеш: %s, Блок података (бајта): %u, Блок хеша (бајта): %u, Величина присолка: %u, Запис хеша: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Не користи суперблок тачности"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Врста записа (1 — обично, 0 — изворни Хром ОС)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "број"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Величина блока на уређају података"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Величина блока на уређају хеша"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Број блокова у датотеци података"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "блокови"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Почетни померај на уређају хеша"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Алгоритам хеша"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "ниска"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Присолак"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "ниска хеша"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Поново покреће језгро ако је откривено оштећење"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Занемарује оштећење, само га бележи у дневник"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Не проверава нулиране блокове"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Опција „--ignore-corruption“, „--restart-on-corruption“ или „--ignore-zero-blocks“ су дозвољене само за радње стварања.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Опције „--ignore-corruption“ и „--restart-on-corruption“ се не могу користити заједно.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Не могу изричито да отворим „%s“, уређај је у употреби.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Додела поређане меморије није успела.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Не могу да читам уређај „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Означавам ЛУКС уређај „%s“ неупотребљивим.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Не могу да пишем на уређају „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Не могу да запишем датотеку дневника поновног шифровања.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Не могу да прочитам датотеку дневника поновног шифровања.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Датотека дневника „%s“ постоји, настављам поновно шифровање.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Покрећем привремени уређај користећи старо ЛУКС заглавље.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Покрећем привремени уређај користећи ново ЛУКС заглавље.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Покретање привременог уређаја није успело.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Направљено је ново ЛУКС заглавље за уређај „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Покренути исек кључа %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Направљена је резерва ЛУКС заглавља за уређај „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Није успело прављење резерве ЛУКС заглавља.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Не могу да повратим ЛУКС заглавље на уређају „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Повраћено је ЛУКС заглавље на уређају „%s“.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Напредовање: %5.1f%%, ЕТА %02llu:%02llu, %4llu MiB је записано, брзина %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Не могу да премотам на померај уређаја.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Не могу да отворим привремени ЛУКС уређај.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Не могу да добавим величину уређаја.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Прекинуто сигналом.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "УИ грешка за време поновног шифровања.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Достављени УУИД није исправан.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним радним исеком кључа.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Унесите пропусну реч за исек кључа %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Не могу да отворим датотеку дневника поновног шифровања.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Нема описа у напретку, достављени УУИД се може користити само за настављање заустављеног процеса дешифровања.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Величина блока поновног шифровања"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Не мења кључ, нема поновног шифровања области података."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Користи непосредни-уи приликом приступа уређајима."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Користи ф-усаглашавање након сваког блока."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Освежава датотеку дневника након сваког блока."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Користи само овај исек (остали ће бити искључени)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Смањује величину уређаја података (премешта померај података). ОВО ЈЕ ОПАСНО!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Користи само наведену величину уређаја (занемарује остатак уређаја). ОВО ЈЕ ОПСАНО!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Прави ново заглавље на нешифрованом уређају."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Трајно дешифрује уређај (уклања шифровање)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "ууид коришћен за настављање дешифровања."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[ОПЦИЈА...] <уређај>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Поновно шифровање ће изменити: кључ волумена%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", поставља хеш на "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", поставља шифрера на "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Потребан је аргумент."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Само вредности између 1 MiB и 64 MiB су допуштене завеличину блока поновног шифровања."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Неисправна одредба величине уређаја."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Највећа величина смањења уређаја је 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Величина смањивања мора бити умножак одељка од 512 бајта."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Опција „--new“ мора да се користи са „--reduce-device-size“."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Опција „--keep-key“ може да се користи само са „--hash“ или „--iter-time“."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Опција „--new“ не може да се користи са „--decrypt“."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Опција „--decrypt“ није сагласна са наведеним параметрима."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Опција „--uuid“ је дозвољена само заједно са „--decrypt“."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Грешка читања одговора из терминала.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Наредба је успела.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Наредба није успела са кодом %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Не могу да проверим квалитет лозинке: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Провера квалитета лозинке није успела:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Провера квалитета лозинке није успела: Лоша шифра (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Не могу да пронађем слободан уређај повратне петље.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Не могу да отворим уређај „%s“\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Не могу да користим прослеђени УУИД док је дешифровање у току.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Означавам ЛУКС уређај „%s“ употребљивим.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "УПОЗОРЕЊЕ: ово је пробни код, може потпуно да оштети ваше податке.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "Није успела провера ФИПС провере суме.\n"
diff --git a/po/sv.po b/po/sv.po
new file mode 100644
index 0000000..5b9b1c3
--- /dev/null
+++ b/po/sv.po
@@ -0,0 +1,1909 @@
+# Swedish translation for cryptsetup.
+# Copyright © 2009 - 2017 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Daniel Nylander <po@danielnylander.se>, 2009.
+# Josef Andersson <josef.andersson@fripost.org>, 2016, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.3\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2016-10-20 14:43+0200\n"
+"PO-Revision-Date: 2017-02-09 23:13+0100\n"
+"Last-Translator: Josef Andersson <josef.andersson@fripost.org>\n"
+"Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
+"Language: sv\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 1.8.9\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Kan inte initiera device-mapper, kör som icke-root-användare.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Kan inte initiera device-mapper. Är kärnmodulen dm_mod inläst?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID för enheten %s förkortades.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Begärda dm-crypt-prestandaalternativ stöds inte.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Begärda dm-verity-hanteringsalternativ för skadad data stöds inte.\n"
+
+#: lib/random.c:76
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Systemet fick slut på entropi under generering av volymnyckeln.\n"
+"Flytta musen eller skriv in text i ett annat fönster för att samla några slumpmässiga händelser.\n"
+
+#: lib/random.c:80
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Genererar nyckel (%d%% done).\n"
+
+#: lib/random.c:166
+msgid "Running in FIPS mode.\n"
+msgstr "Kör i FIPS-läge.\n"
+
+#: lib/random.c:172
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Ödesdigert fel under RNG-initiering.\n"
+
+#: lib/random.c:209
+msgid "Unknown RNG quality requested.\n"
+msgstr "Okänd RNG-kvalitet begärd.\n"
+
+#: lib/random.c:214
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Fel %d vid läsning från RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Kan inte initiera RNG-krypteringsbakände.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Kan inte initiera krypteringsbakände.\n"
+
+#: lib/setup.c:237 lib/setup.c:1193 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Hashalgoritmen %s stöds inte.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Fel vid nyckelbehandling (använder hash %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Kan inte avgöra enhetstyp. Inkompatibel aktivering av enhet?\n"
+
+#: lib/setup.c:289 lib/setup.c:1546
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Denna åtgärd stöds endast för LUKS-enheter.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Alla nyckelplatser är upptagna.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Nyckelplats %d är ogiltig. Välj mellan 0 och %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Nyckelplats %d är full. Välj en annan.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Ange lösenfras för %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Huvud identifierat men enheten %s är för liten.\n"
+
+#: lib/setup.c:670 lib/setup.c:1429
+msgid "This operation is not supported for this device type.\n"
+msgstr "Denna åtgärd stöds inte för denna enhetstyp.\n"
+
+#: lib/setup.c:909 lib/setup.c:1382 lib/setup.c:2273
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Enheten %s är inte aktiv.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Underliggande enhet för krypteringsenheten %s försvann.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Ogiltiga parametrar för vanlig kryptering.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Ogiltig nyckelstorlek.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID stöds inte för denna krypteringstyp.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Kan inte formatera LUKS utan enhet.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Kan inte formatera enheten %s som fortfarande används.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Kan inte formatera enheten %s, behörighet nekad.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Kan inte rensa huvudet på enheten %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Kan inte formatera LOOPAES utan enhet.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Kan inte formatera VERITY utan enhet.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "VERITY-hashtyp %d stöds inte.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "VERITY-blockstorlek som inte stöds.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "VERITY-hashoffset som inte stöds.\n"
+
+#: lib/setup.c:1286
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Okänd typ av krypteringsenhet %s begärd.\n"
+
+#: lib/setup.c:1396
+msgid "Cannot resize loop device.\n"
+msgstr "Kan inte ändra storlek på loop-enhet.\n"
+
+#: lib/setup.c:1444
+msgid "Do you really want to change UUID of device?"
+msgstr "Vill du verkligen ändra UUID för en enhet?"
+
+#: lib/setup.c:1554
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Volymen %s är inte aktiv.\n"
+
+#: lib/setup.c:1565
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Volymen %s är redan i vänteläge.\n"
+
+#: lib/setup.c:1572
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Vänteläge stöds inte för enhet %s.\n"
+
+#: lib/setup.c:1574
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Fel då enheten %s försattes i vänteläge.\n"
+
+#: lib/setup.c:1600 lib/setup.c:1647
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Volymen %s är inte i vänteläge.\n"
+
+#: lib/setup.c:1614
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Att fortsätta stöds inte för enhet %s.\n"
+
+#: lib/setup.c:1616 lib/setup.c:1668
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Fel vid fortsättning av enheten %s.\n"
+
+#: lib/setup.c:1654 lib/setup.c:2089 lib/setup.c:2103 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Ange lösenfras: "
+
+#: lib/setup.c:1716 lib/setup.c:1852
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Kan inte lägga till nyckelplats. Alla platser är inaktiverade och ingen volymnyckel har angivits.\n"
+
+#: lib/setup.c:1725 lib/setup.c:1858 lib/setup.c:1862
+msgid "Enter any passphrase: "
+msgstr "Ange valfri lösenfras: "
+
+#: lib/setup.c:1742 lib/setup.c:1875 lib/setup.c:1879 lib/setup.c:1941
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Ange ny lösenfras för nyckelplats: "
+
+#: lib/setup.c:1807
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Nyckelplats %d är ändrad.\n"
+
+#: lib/setup.c:1810
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Ersätt med nyckelplats %d.\n"
+
+#: lib/setup.c:1815
+msgid "Failed to swap new key slot.\n"
+msgstr "Misslyckades med att byta ny nyckelplats.\n"
+
+#: lib/setup.c:1932 lib/setup.c:2193 lib/setup.c:2206 lib/setup.c:2348
+msgid "Volume key does not match the volume.\n"
+msgstr "Volymnyckeln stämmer inte överens med volymen.\n"
+
+#: lib/setup.c:1970
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Nyckelplats %d är ogiltig.\n"
+
+#: lib/setup.c:1975
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Nyckelplats %d används inte.\n"
+
+#: lib/setup.c:2005 lib/setup.c:2077 lib/setup.c:2169
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Enheten %s finns redan.\n"
+
+#: lib/setup.c:2180
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Felaktig volymnyckel för vanlig enhet.\n"
+
+#: lib/setup.c:2213
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Felaktig rothash angiven för verity-enhet.\n"
+
+#: lib/setup.c:2236
+msgid "Device type is not properly initialised.\n"
+msgstr "Enhetstypen är inte korrekt initierad.\n"
+
+#: lib/setup.c:2268
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Enheten %s används fortfarande.\n"
+
+#: lib/setup.c:2277
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Ogiltig enhet %s.\n"
+
+#: lib/setup.c:2298
+msgid "Function not available in FIPS mode.\n"
+msgstr "Funktion inte tillgänglig i FIPS-läge.\n"
+
+#: lib/setup.c:2304
+msgid "Volume key buffer too small.\n"
+msgstr "Buffert för volymnyckel är för liten.\n"
+
+#: lib/setup.c:2312
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Kan inte hämta volymnyckel för vanlig enhet.\n"
+
+#: lib/setup.c:2319
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Denna åtgärd stöds inte för krypteringsenheter av typen %s.\n"
+
+#: lib/setup.c:2515
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Utskriftsåtgärden stöds inte för denna enhetstyp.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Kan inte få processprioritet.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Kan inte låsa upp minne.\n"
+
+#: lib/utils_crypt.c:241 lib/utils_crypt.c:254 lib/utils_crypt.c:401
+#: lib/utils_crypt.c:416
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Slut på minne vid läsning av lösenfras.\n"
+
+#: lib/utils_crypt.c:246 lib/utils_crypt.c:261
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Fel vid läsning av lösenfras från terminal.\n"
+
+#: lib/utils_crypt.c:259
+msgid "Verify passphrase: "
+msgstr "Verifiera lösenfras: "
+
+#: lib/utils_crypt.c:266
+msgid "Passphrases do not match.\n"
+msgstr "Lösenfraserna stämmer inte överens.\n"
+
+#: lib/utils_crypt.c:350
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Kan inte använda offset med terminalinmatning.\n"
+
+#: lib/utils_crypt.c:369 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Misslyckades med att öppna nyckelfilen.\n"
+
+#: lib/utils_crypt.c:378
+msgid "Failed to stat key file.\n"
+msgstr "Misslyckades med att ta status på nyckelfilen.\n"
+
+#: lib/utils_crypt.c:386 lib/utils_crypt.c:407
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Kan inte söka efter begärd nyckelfilsoffset.\n"
+
+#: lib/utils_crypt.c:424
+msgid "Error reading passphrase.\n"
+msgstr "Fel vid läsning av lösenfras.\n"
+
+#: lib/utils_crypt.c:447
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Högsta nyckelfilsstorlek överskriden.\n"
+
+#: lib/utils_crypt.c:452
+msgid "Cannot read requested amount of data.\n"
+msgstr "Kan inte läsa begärd mängd data.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Enheten %s finns inte eller åtkomst nekas.\n"
+
+#: lib/utils_device.c:432
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Kan inte använda en loopback-enhet, kör som icke-root-användare.\n"
+
+#: lib/utils_device.c:435
+msgid "Cannot find a free loopback device.\n"
+msgstr "Kan inte hitta en ledig loopback-enhet.\n"
+
+#: lib/utils_device.c:442
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Misslyckades med fästa loopback-enhet (kräver loop-enhet med flaggan autoclear).\n"
+
+#: lib/utils_device.c:486
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Kan inte använda enheten %s som redan används (redan mappad eller monterad).\n"
+
+#: lib/utils_device.c:490
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Kan inte hämta information om enheten %s.\n"
+
+#: lib/utils_device.c:496
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Begärd offset är bortom faktiska enhetsstorleken för %s.\n"
+
+#: lib/utils_device.c:504
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Enheten %s har noll storlek.\n"
+
+#: lib/utils_device.c:515
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Enheten %s är för liten.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Misslyckades med att konfigurera nyckelmappning för dm-crypt för\n"
+"enheten %s. Kontrollera att kärnan har stöd för chiffret %s (kontrollera syslog för mer information).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Nyckelstorlek i XTS-läge måste vara en multipel av 256 eller 512 bitar.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Kan inte skriva till enhet %s, behörighet nekad.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Misslyckades med att öppna temporär nyckellagringsenhet.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Misslyckades med att komma åt temporär nyckellagringsenhet.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "In-/utfel vid kryptering av nyckelplats.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "In-/utfel vid dekryptering av nyckelplats.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Enhet %s är för liten. (LUKS kräver minst %<PRIu64> byte)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Enheten %s är inte en giltig LUKS-enhet.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Begärd säkerhetskopia %s av huvud finns redan.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Kan inte skapa säkerhetskopia för huvud %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Kan inte skriva säkerhetskopia för huvud %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Säkerhetskopian innehåller inte något giltigt LUKS-huvud.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Kan inte öppna säkerhetskopia för huvud %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Kan inte läsa säkerhetskopia för huvud %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Dataoffset eller nyckelstorlek skiljer sig på enhet och säkerhetskopia. Återställningen misslyckades.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Enhet %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "innehåller inget LUKS-huvud. Ersättning av huvud kan förstöra data på enheten."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "innehåller redan LUKS-huvud. Ersättningen av huvud kommer att förstöra befintliga nyckelplatser."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"VARNING: verkligt enhetshuvud har annat UUID än säkerhetskopian!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Kan inte öppna enheten %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Ej standardstorlek på nyckel, manuell reparation krävs.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Ej standardjustering på nyckelplatser, manuell reparation krävs.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Reparerar nyckelplatser.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Reparation misslyckades."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Nyckelplats %i: reparerad offset (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Nyckelplats %i: reparerade remsor (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Nyckelplats %i: fejkpartitionssignatur.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Nyckelplats %i: salt borttaget.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Skriver LUKS-huvud till disk.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "LUKS-versionen %d stöds inte.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Begärd LUKS-hash %s stöds inte.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS-nyckelplats %u är ogiltig.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Inga kända problem identifierade för LUKS-huvud.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Fel vid uppdatering av LUKS-huvud på enheten %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Fel vid omläsning av LUKS-huvud efter uppdatering på enheten %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Data-offset för fristående LUKS-huvud måste vara antingen 0 eller större än huvudstorleken (%d sektorer).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Felaktigt LUKS-UUID-format angavs.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Kan inte skapa LUKS-huvud: läsning av slumpmässigt salt misslyckades.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Ej kompatibla PBKDF2-flaggor (använder hash-algoritmen %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Kan inte skapa LUKS-huvud: huvudsammanfattning misslyckades (använder hashen %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Nyckelplats %d är aktiv, rensa först.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Nyckelplats %d material inkluderar för få remsor. Har huvudet manipulerats?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Nyckelplats %d är upplåst.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Ingen nyckel finns tillgänglig med denna lösenfras.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Nyckelplats %d är ogiltig. Välj en nyckelplats mellan 0 och %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Kan inte rensa enheten %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Identifierade en GPG-krypterad nyckelfil som ännu inte stöds.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Använd gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- …\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Identifierade inkompatibel loop-AES-nyckelfil.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Kärnan stöder inte loop-AES-kompatibel mappning.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Fel vid läsning av nyckelfil %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Högsta TCRYPT-lösenfraslängd (%d) överskriden.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "PBKDF2-hashalgoritm %s ej tillgänglig, hoppar över.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Begärt kryptogränssnitt för kärnan inte tillgängligt.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Försäkra dig om att kärnmodulen algif_skcipher är inläst.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Aktivering stöds inte för sektorstorlek %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Kärnan stöder inte aktivering för detta föråldrade TCRYPT-läge.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Aktiverar TCRYPT-systemkryptering för partition %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Kärnan stöder inte TCRYPT-kompatibel mappning.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Denna funktion stöds inte utan inläsning av TCRYPT-huvud."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Verity-enhet %s använder inte huvud på disk.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Enheten %s är inte en giltig VERITY-enhet.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "VERITY-versionen %d stöds inte.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY-huvud är skadat.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Felaktigt VERITY-UUID-format angivet på enhet %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Fel vid uppdatering av verity-huvud på enheten %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Kärnan stöder inte dm-verity-mappning.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Verity-enhet identifierades som skadad efter aktivering.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Ledigt utrymme är inte nollställt vid position %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Enhets-offset spillde över.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Verifiering misslyckades vid %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Ogiltig storlek på parametrar för verity-enhet.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "För många trädnivåer för verity-volym.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Misslyckades med verifiering av dataområde.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Misslyckades med verifiering av rot-hash.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "In-/utdatafel vid skapandet av hashområde.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Misslyckades med skapandet av hashområde.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "VARNING: Kärnan kan inte aktivera enhet om datablockstorleken överskrider sidstorlek (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Kan inte verifiera lösenfras på icke-tty-ingångar.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Inget känt chifferspecifikationsmönster kunde identifieras.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "VARNING: parametern --hash ignoreras i enkelt läge med specificerad nyckelfil.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "VARNING: flaggan --keyfile-size ignoreras, lässtorleken är densamma som storleken för krypteringsnyckeln.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Flaggan --key-file krävs.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Inget enhetshuvud finns tillgängligt med denna lösenfras.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Utskrift av huvudet med volymnyckel är känslig information\n"
+"som tillåter åtkomst till krypterad partition utan lösenfras.\n"
+"Denna utskrift bör alltid lagras krypterad på ett säkert ställe."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Resultat från prestandamätningen är inte pålitligt.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Tester är ungefärliga och använder endast minne (ingen lagrings-IO).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Algoritm | Nyckel | Kryptering | Dekryptering\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Chiffret %s är inte tillgängligt.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Kan inte läsa nyckelfilen %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Kan inte läsa %d byte från nyckelfilen %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Vill du verkligen försöka att reparera LUKS-enhetshuvud?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Detta kommer att skriva över data på %s och går inte att ångra."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "minnesallokeringsfel i action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Kan inte använda %s som diskhuvud.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Förminskad dataoffset endast tillåtet för fristående LUKS-huvuden.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Nyckelplats %d markerad för borttagning.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Nyckel %d är inte aktiv. Kan inte rensa.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Detta är sista nyckelplatsen. Enheten kommer att bli oanvändbar efter att denna nyckel tagits bort."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Ange eventuell återstående lösenfras: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Ange lösenfras att ta bort: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Ange valfri existerande lösenfras: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Ange lösenfras att ändra: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Ange ny lösenfras: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Endast ett enhetsargument för operationen isLuks stöds.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Flaggan --header-backup-file krävs.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Okänd metadata för enhetstyp %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Kommandot kräver enhet och mappat namn som argument.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Denna åtgärd kommer att ta bort alla nyckelplatser på enhet %s.\n"
+"Enheten kommer att bli oanvändbar efter denna åtgärd."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<enhet> [--type <typ>] [<namn>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "öppna enhet som mappning <namn>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<namn>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "stäng enhet (ta bort mappning)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "ändra storlek på aktiv enhet"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "visa enhetsstatus"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <chiffer>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "prestandamät chiffer"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<enhet>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "försök att reparera metadata på disken"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "ta bort alla nyckelplatser (ta bort krypteringsnyckeln)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<enhet> [<ny nyckelfil>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "formaterar en LUKS-enhet"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "lägg till nyckel till LUKS-enhet"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<enhet> [<nyckelfil>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "tar bort angiven nyckel eller nyckelfil från LUKS-enhet"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "ändrar angiven nyckel eller nyckelfil för LUKS-enhet"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<enhet> <nyckelplats>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "rensar nyckeln med nummer <nyckelplats> från LUKS-enhet"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "skriv ut UUID för LUKS-enhet"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "testar <enhet> för LUKS-partitionshuvud"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "skriver ut information om LUKS-partition"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "skriver ut information om TCRYPT-partition"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Försätt LUKS-enhet i vänteläge och rensa nyckel (alla in-/ut-åtgärder är frusna)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Återuppta LUKS-enhet i vänteläge."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Säkerhetskopiera huvud och nyckelplatser från LUKS-enhet"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Återställ huvud och nyckelplatser för LUKS-enhet"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<åtgärd> är en av:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Du kan också använda gamla <åtgärd> syntaxalias:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<namn> är enheten att skapa under %s\n"
+"<enhet> är den krypterade enheten\n"
+"<nyckelplats> är numret för LUKS-nyckelplatsen att ändra\n"
+"<nyckelfil> valfri nyckelfil för den nya nyckeln för luksAddKey-åtgärden\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Inkompilerade standardnyckel- och standardlösenfrasparametrar:\n"
+"\tStörsta nyckelfilstorlek: %dkB, Största interaktiv lösenfraslängd %d (tecken)\n"
+"Standard PBKDF2-iterationstid för LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Inkompilerade standardchifferparametrar för enheter:\n"
+"\tloop-AES: %s, Nyckel %d bitar\n"
+"\tplain: %s, Nyckel: %d bitar, Lösenordshashning: %s\n"
+"\tLUKS1: %s, Nyckel: %d bitar, LUKS-lösenordshashning %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: kräver %s som argument"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Visa detta hjälpmeddelande"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Visa kort information om användning"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Hjälpflaggor:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Skriv ut paketversion"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Visar mer detaljerade felmeddelanden"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Visa felsökningsmeddelanden"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Chiffret som används för att kryptera disken (se /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Hashen som används för att skapa krypteringsnyckel från lösenfras"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Verifierar lösenfrasen genom att fråga efter den två gånger"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Läs nyckeln från en fil."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Läs volymnyckeln (master) från fil."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Skriv ut volymnyckel (master) istället för nyckelplatsinfo."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Storleken för krypteringsnyckeln"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BITAR"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Begränsa läsningen från nyckelfil"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "byte"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Antal byte att hoppa över i nyckelfil"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Begränsa läsningen från nyligen tillagd nyckelfil"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Antal byte att hoppa över i nyligen tillagd nyckelfil"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Platsnummer för ny nyckel (standard är första lediga)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Storleken för enheten"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "SEKTORER"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Startoffset i bakändesenheten"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Hur många sektorer av krypterat data som ska hoppas över i början"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Skapa en skrivskyddad mappning"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2-iterationstid för LUKS (i ms)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Fråga inte efter bekräftelse"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Tidsgräns för interaktiv lösenfrasprompt (i sekunder)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Hur många inmatningsförsök av lösenfrasen som kan göras"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Justera nyttolast i <n> sektorgränser - för luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Fil med säkerhetskopior av LUKS-huvud och nyckelplatser."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Använd /dev/random för att generera volymnyckel."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Använd /dev/urandom för att generera volymnyckel."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Dela enhet med ett annat ej överlappande krypteringssegment."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID använda för enheten."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Tillåt avvisningsbegäran (TRIM) för enhet."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Enhet eller fil med separerat LUKS-huvud."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Aktivera inte enhet, kontrollera endast lösenfrasen."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Använd gömt huvud (gömd TCRYPT-enhet)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Enheten är system-TCRYPT-disk (med starthanterare)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Använd säkerhetskopia (sekundär) för TCRYPT-huvud."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Sök också efter VeraCrypt-kompatibel enhet."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Typer av enhetsmetadata: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Inaktivera kvalitetskontroll av lösenord (om aktiverat)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Använd flaggan dm-crypt same_cpu_crypt för prestandakompatibilitet."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Använd flaggan dm-crypt submit_from_crypt_cpus för prestandakompatibilitet."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[FLAGGA…] <åtgärd> <åtgärdsspecifik>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Argumentet <åtgärd> saknas."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Okänd åtgärd."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Flaggan --shared är endast tillåten för öppning för enkel enhet.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Flaggan --allow-discards är endast tillåten för operationen open.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Flaggan --key-size är endast tillåten för luksFormat, open och benchmark.\n"
+"För att begränsa läsning från nyckelfil, använd --keyfile-size=(byte)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Flaggan --test-passphrase är endast tillåten för open för LUKS- och TCRYPT-enheter.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Nyckelstorlek måste vara en multipel av 8 bitar"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Nyckelplatsen är ogiltig."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Flaggan --key-file åsidosätter specificerade nyckelfilsargument.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Negativt tal för flagga ej tillåtet."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Endast ett argument för --key-file är tillåtet."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Endast en av flaggorna --use-[u]random är tillåten."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Flaggan --use-[u]random är endast tillåten för luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Flaggan --uuid är endast tillåten för luksFormat och luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Flaggan --align-payload är endast tillåten för luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Flaggan --skip stöds endast för öppning av vanliga enheter och loopaes-enheter.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Flaggan --offset stöds endast för öppning av vanliga och loopaes-enheter.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Flaggorna --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup stöds endast på TCRYPT-enhet.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Flaggan --tcrypt-hidden kan inte kombineras med --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Flaggan --veracrypt stöds endast för TCRYPT-enhetstyper.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Angav ogiltig saltsträng.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Kan inte skapa hashavbild %s för skrivning.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Angav ogiltig rothashsträng.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<dataenhet> <hashenhet>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "formatera enhet"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<dataenhet> <hashenhet> <rothash>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "verifiera enhet"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<namn> <dataenhet> <hashenhet> <rothash>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "skapa aktiv enhet"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "ta bort (inaktivera) enhet"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "visa statistik för aktiv enhet"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<hash_enhet>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "visa information från disk"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<namn> är enheten att skapa under %s\n"
+"<dataenhet> är dataenheten\n"
+"<hashenhet> är enheten som innehåller verifieringsdata\n"
+"<rothash> hash för rotnoden på <hashenhet>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Inkompilerade standardparametrar för dm-verity:\n"
+"\tHash: %s, Datablock (byte): %u, Hashblock (byte): %u, Saltstorlek: %u, Hashformat: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Använd inte verity superblock"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Formattyp (1 - normal, 0 - ursprungliga Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "antal"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Blockstorlek på dataenheten"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Blockstorlek på hashenheten"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Antalet block i datafilen"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "block"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Startoffset på hashenheten"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Hashalgoritm"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "sträng"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "hexsträng"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Starta om kärna om något skadat identifieras"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ignorera om något är skadat, logga endast"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Verifiera inte nollställda block"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Flaggorna --ignore-corruption, --restart-on-corruption eller --ignore-zero-blocks är endast tillåtna för flaggan create.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Flaggorna --ignore-corruption och --restart-on-corruption kan inte användas tillsammans.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Kan inte öppna %s exklusivt, enheten används.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Misslyckades med allokering av justerat minne.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Kan inte läsa enheten %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Markerar LUKS-enhet %s oanvändbar.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Kan inte skriva till enheten %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Kan inte skriva loggfil för omkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Kan inte läsa loggfil för omkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Loggfilen %s existerar, återupptar kryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Aktiverar temporär enhet användandes gammalt LUKS-huvud.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Aktiverar temporär enhet användandes nytt LUKS-huvud.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Aktivering av temporära enheter misslyckades.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Skapade nytt LUKS-huvud för enhet %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Aktiverade nyckelplats %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Skapade säkerhetskopia av LUKS-huvud på enhet %s.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Misslyckades med att skapa en säkerhetskopia av LUKS-huvuden.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Kan inte återställa LUKS-huvudet på enheten %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Återställde LUKS-huvudet på enheten %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Förlopp: %5.1f%%, ETA %02llu:%02llu, %4llu MiB skrivna, hastighet %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Kan inte söka till enhetsoffset.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Misslyckades med att öppna temporär LUKS-enhet.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Kan inte hämta enhetsstorlek.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Avbruten av en signal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "In-/utfel under återkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Angivet UUID är ogiltigt.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Nyckelfil kan endast användas med --key-slot eller exakt en aktiv nyckelplats.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Ange lösenfras för nyckelplats %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Kan inte öppna loggfilen för omkryptering.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Ingen dekryptering pågår, givet UUID kan endast användas för att återuppta vilande dekrypteringsprocess.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Blockstorlek för omkryptering"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Ändra inte nyckel, ingen omkryptering av dataområde."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Använd direct-io vid enhetsåtkomst."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Använd fsync efter varje block."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Uppdatera loggfilen efter varje block."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Använd endast denna plats (andra kommer att inaktiveras)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Förminska dataenhetsstorleken (flytta dataoffset). FARLIGT!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Använd endast specificerad enhetsstorlek (ignorera resten av enheten). FARLIGT!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Skapa nytt huvud på icke-krypterad enhet."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Dekryptera enheten permanent (ta bort kryptering)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "Det uuid som används för att återuppta kryptering."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[FLAGGA…] <enhet>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Omkryptering kommer att ändra: volymnyckel%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", sätt hash till "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", sätt chiffer till "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Kräver argument."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Endast värden mellan 1 MiB och 64 MiB är tillåtna som blockstorlek för omkryptering."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Ogiltig storlekspecifikation på enhet."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Högsta förminskningsstorlek för enhet är 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Minskningsstorlek måste vara en multipel av 512-bytesektor."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Flaggan --new måste användas tillsammans med --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Flaggan --keep-key kan endast användas med --hash eller --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Flaggan --new kan inte användas tillsammans med --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Flaggan --decrypt är inkompatibel med specificerade parametrar."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Flaggan --uuid är endast tillåten tillsammans med --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Fel vid läsning av svar från terminal.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Kommandot lyckades.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Kommandot misslyckades med kod %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Kan inte kontrollera lösenordskvalitet: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Misslyckades med kvalitetskontroll av lösenord:\n"
+"%s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Misslyckades med kvalitetskontroll av lösenord: Dålig lösenfras (%s)\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Kan inte öppna enheten %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Kan inte använda insänt UUID om inte dekryptering pågår.\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "Nyckelplats %d har verifierats.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "Ogiltig nyckelstorlek %d.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Ange LUKS-lösenfras: "
+
+#~ msgid "Warning: exhausting read requested, but key file %s is not a regular file, function might never return.\n"
+#~ msgstr "Varning: utförlig läsning begärd men nyckelfilen %s är inte en vanlig fil, funktionen kanske aldrig avslutas.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "exklusiv"
+
+#~ msgid "writable"
+#~ msgstr "skrivbar"
+
+#~ msgid "read-only"
+#~ msgstr "skrivskyddad"
+
+#~ msgid "Cannot open device: %s\n"
+#~ msgstr "Kan inte öppna enheten: %s\n"
+
+#~ msgid "BLKROGET failed on device %s.\n"
+#~ msgstr "BLKROGET misslyckades på enheten %s.\n"
+
+#~ msgid "BLKGETSIZE failed on device %s.\n"
+#~ msgstr "BLKGETSIZE misslyckades på enheten %s.\n"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "VARNING!!! Potentiellt osäkert minne. Är du root?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Kunde inte läsa av sektorstorlek för %s"
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Misslyckades med att läsa av katalog för enhetsmappning."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Säkerhetskopian %s finns inte.\n"
+
+#~ msgid "%s is not LUKS device.\n"
+#~ msgstr "%s är inte en LUKS-enhet.\n"
+
+#~ msgid "%s is not LUKS device."
+#~ msgstr "%s är inte en LUKS-enhet."
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Kan inte öppna filen %s.\n"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Misslyckades med att skriva till nyckellagring.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Misslyckades med att läsa från nyckellagring.\n"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "ta bort LUKS-mappning"
+
+#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
+#~ msgstr "identisk med luksKillSlot - FÖRÅLDRAD - se manualsida"
+
+#~ msgid "modify active device - DEPRECATED - see man page"
+#~ msgstr "ändra aktiv enhet - FÖRÅLDRAD - se manualsida"
+
+#~ msgid ""
+#~ "The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
+#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+#~ msgstr ""
+#~ "Omläsningsåtgärden är föråldrad. Använd ”dmsetup reload” om du verkligen behöver denna funktion.\n"
+#~ "VARNING: använd inte omläsning för ”touch” på LUKS-enheter. Om så är fallet, tryck Ctrl-C nu.\n"
+
+#~ msgid "Obsolete option --non-exclusive is ignored.\n"
+#~ msgstr "Föråldrad flagga --non-exclusive ignoreras.\n"
+
+#~ msgid "Read the key from a file (can be /dev/random)"
+#~ msgstr "Läs nyckeln från en fil (kan vara /dev/random)"
+
+#~ msgid "(Obsoleted, see man page.)"
+#~ msgstr "(Föråldrad, se manualsida)"
diff --git a/po/uk.po b/po/uk.po
new file mode 100644
index 0000000..42a25ef
--- /dev/null
+++ b/po/uk.po
@@ -0,0 +1,1913 @@
+# Ukrainian translation for cryptsetup.
+# Copyright (C) 2012 Free Software Foundation, Inc.
+# This file is put in the public domain.
+#
+# Yuri Chornoivan <yurchor@ukr.net>, 2012, 2013, 2014, 2015, 2016, 2017.
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-02 18:44+0200\n"
+"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+"Language-Team: Ukrainian <translation-team-uk@lists.sourceforge.net>\n"
+"Language: uk\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Lokalize 1.5\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Не можна ініціалізувати device-mapper, якщо програму запущено не від імені адміністратора (root).\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Не вдалося ініціалізувати device-mapper. Чи завантажено модуль ядра dm_mod?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID для пристрою %s було обрізано.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Підтримки вказаних параметрів швидкодії dm-crypt не передбачено.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Підтримки вказаних параметрів обробки пошкоджених даних за допомогою dm-verity не передбачено.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Під час створення ключа тому було вичерпано буфер ентропії системи.\n"
+"Будь ласка, пересуньте вказівник миші або наберіть якийсь текст у іншому вікні, щоб зібрати додаткові дані на основі випадкових подій.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Створення ключа (виконано %d%%).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Працюємо у режимі FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Критична помилка під час ініціалізації RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Надійшов запит щодо невідомого RNG якості.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Помилка %d під час читання з RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Не вдалося ініціалізувати допоміжну програму шифрування RNG.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Не вдалося ініціалізувати допоміжну програму шифрування.\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Підтримки алгоритму хешування %s не передбачено.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Помилка під час обробки ключа (на основі хешу %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Не вдалося визначити тип пристрою. Несумісна дія з активації пристрою?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Заповнено всі слоти ключів.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Слот ключа %d є некоректним, будь ласка, виберіть число від 0 до %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Слот ключа %d заповнено, будь ласка, виберіть інший.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Введіть пароль до %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Виявлено заголовок, але об’єм пристрою %s є надто малим.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Підтримки цієї дії для цього типу пристроїв не передбачено.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Пристрій %s є неактивним.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Зник основний пристрій для пристрою для шифрування %s.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Некоректні параметри звичайного шифрування.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Некоректний розмір ключа.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "Підтримки UUID для цього типу шифрування не передбачено.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Форматування LUKS без пристрою неможливе.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Не можна форматувати пристрій %s, недостатні права доступу.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Не можна витирати заголовок на пристрої %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Не можна форматувати LOOPAES без пристрою.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Форматування VERITY без пристрою неможливе.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Непідтримуваний тип хешування VERITY, %d.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Непідтримуваний розмір блоку VERITY.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Непідтримуваний відступ хешу VERITY.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Область даних перекривається із областю хешу.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Надіслано запит щодо невідомого типу пристрою шифрування, %s.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Неможливо змінити розмір петльового пристрою.\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Ви справді хочете змінити UUID пристрою?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Том %s не є активним.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Том %s вже приспано.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Підтримки присипляння для пристрою %s не передбачено.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Помилка під час спроби приспати пристрій %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Том %s не приспано.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Підтримки дії з пробудження для пристрою %s не передбачено.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Помилка під час спроби пробудити пристрій %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Введіть пароль: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Введіть будь-який пароль: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Введіть новий пароль для слота ключа: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Слот ключа %d змінено.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Замінено слотом ключа %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Не вдалося зарезервувати новий слот ключа.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Ключ тому не відповідає тому.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Слот ключа %d є некоректним.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Слот ключа %d не використовується.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Пристрій %s вже існує.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Для пристрою зі звичайним шифруванням вказано помилковий ключ тому.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Для пристрою перевірки вказано помилковий кореневий хеш.\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Тип пристрою не ініціалізовано належним чином.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Пристрій %s все ще використовується.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Некоректний пристрій %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Ця функція недоступна у режимі FIPS.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Буфер ключів тому є занадто малим.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Неможливо отримати ключ тому для пристрою зі звичайним шифруванням.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Підтримки цієї дії для шифрованого пристрою %s не передбачено.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Підтримки дії зі створення дампу для цього типу пристроїв не передбачено.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Не вдалося отримати значення пріоритетності процесу.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Не вдалося розблокувати пам’ять.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Під час читання пароля вичерпано пам’ять.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Помилка під час читання пароля з термінала.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Перевірка пароля: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Паролі не збігаються.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Не можна використовувати відступ у даних, що надходять з термінала.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Не вдалося відкрити файл ключа.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Не вдалося отримати статистичні дані щодо файла ключа.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Не вдалося встановити потрібну позицію у файлі ключа.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Помилка під час читання пароля.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Перевищено максимальний розмір файла ключа.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Не вдалося прочитати бажаний об’єм даних.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Пристрою %s не існує або доступ до цього пристрою заборонено.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Не можна використовувати петльовий пристрій, програму запущено не від імені адміністративного користувача (root).\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Спроба долучення петльового пристрою зазнала невдачі (потрібен петльовий пристрій з встановленим прапорцем автоматичного спорожнення).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Не можна використовувати пристрій %s, оскільки його вже використано (призначено або змонтовано).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Не вдалося отримати дані щодо пристрою %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Бажана точка відступу перебуває за межами об’єму пристрою %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Об’єм пристрою %s є нульовим.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Об’єм пристрою %s є надто малим.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Не вдалося визначити призначення ключа dm-crypt для пристрою %s.\n"
+"Перевірте, чи передбачено у ядрі підтримку шифрування %s (докладніші дані можна знайти у журналі системи (syslog)).\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Розмір ключа у режимі XTS має бути рівним 256 або 512 бітів.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Не вдалося виконати запис на пристрій %s, недостатні права доступу.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Не вдалося відкрити пристрій тимчасового сховища ключів.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Не вдалося отримати доступ до пристрою тимчасового сховища ключів.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Помилка введення-виведення під час шифрування слоту ключів.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Помилка введення-виведення під час розшифрування слоту ключів.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Обсяг пристрою %s є надто малим. (LUKS потрібно принаймні %<PRIu64> байтів.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Пристрій %s не є коректним пристроєм LUKS.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Потрібний вам файл резервної копії заголовка, %s, вже існує.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Не вдалося створити файл резервної копії заголовка, %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Не вдалося записати файл резервної копії заголовка, %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Файл резервної копії не містить коректного заголовка LUKS.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Не вдалося відкрити файл резервної копії заголовка, %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Не вдалося прочитати дані з файла резервної копії заголовка, %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Відступ у даних або розмір ключа на пристрої і у резервній копії є різними. Відновлення неможливе.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Пристрій %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "не містить заголовка LUKS. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "вже містить заголовок LUKS. Заміна заголовка призведе до руйнування вже створених слотів ключів."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"ПОПЕРЕДЖЕННЯ: заголовок, що зберігається на пристрої, має інший UUID, ніж заголовок у резервній копії!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Не вдалося відкрити пристрій %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Нестандартний розмір ключа, слід виправити дані вручну.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Нестандартне вирівнювання слотів ключів, слід виправити дані вручну.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Виправлення слотів ключів.\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Спроба виправлення зазнала невдачі."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Слот ключа %i: виправлено відступ (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Слот ключа %i: виправлено смужки (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Слот ключа %i: зайвий підпис розділу.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Слот ключа %i: дані ініціалізації (сіль) витерто.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Запис заголовка LUKS на диск.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Непідтримувана версія LUKS, %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Підтримки бажаного хешування LUKS, %s, не передбачено.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "Слот ключа LUKS %u є некоректним.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "У заголовку LUKS не виявлено жодних проблем.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Помилка під час оновлення заголовка LUKS на пристрої %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Помилка під час спроби повторного читання заголовка LUKS після оновлення на пристрої %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Відступ даних для від’єднаного заголовка LUKS має бути або рівним нулеві, або перевищувати розмір заголовка (%d секторів).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Вказано UUID LUKS у помилковому форматі.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Не вдалося створити заголовок LUKS: помилка читання випадкових даних для ініціалізації.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Несумісні параметри PBKDF2 (з використанням алгоритму хешування %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Не вдалося створити заголовок LUKS: помилка під час обчислення контрольної суми заголовка (з використанням хешу %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Слот ключа %d є активним. Його слід спочатку спорожнити.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Ентропія даних слота ключа %d є надто низькою. Маніпуляції з заголовком?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Слот ключа %d розблоковано.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Для цього пароля немає відповідного ключа.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Слот ключа %d є некоректним, будь ласка, виберіть слот ключа з номером від 0 до %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Не вдалося витерти пристрій %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Виявлено файл ключа, підтримки шифрування GPG у якому ще не передбачено.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Будь ласка, скористайтеся командою gpg --decrypt <ФАЙЛ_КЛЮЧА> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Виявлено несумісний з loop-AES файл ключа.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "У ядрі не передбачено підтримки призначення, сумісного з loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Помилка під час спроби читання файла ключа %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Перевищено максимальну можливу довжину пароля TCRYPT (%d).\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Засіб створення хешів PBKDF2 за алгоритмом %s недоступний, пропускаємо.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Потрібний для роботи інтерфейс ядра для шифрування недоступний.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Переконайтеся, що завантажено модуль ядра algif_skcipher.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Підтримки активації для розміру сектора %d не передбачено.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "У ядрі не передбачено підтримки вмикання цього застарілого режиму TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Активуємо шифрування системи за допомогою TCRYPT для розділу %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "У ядрі не передбачено підтримки призначення, сумісного з TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Підтримки цієї дії без завантаження заголовка TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "На пристрої VERITY %s не використовується вбудований заголовок.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Пристрій %s не є коректним пристроєм VERITY.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Непідтримувана версія VERITY, %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "Пошкоджено заголовок VERITY.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "На пристрої %s вказано UUID VERITY у помилковому форматі.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Помилка під час оновлення заголовка verity на пристрої %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "У ядрі не передбачено підтримки призначення за dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Виявлено пошкодження даних на пристрої перевірки після активації.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Резервну область не занулено у позиції %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Переповнення відступу на пристрої.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Помилка під час перевірки за позицією %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Некоректні параметри розміру для пристрою перевірки.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Занадто високий рівень вкладеності для тому перевірки.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Не вдалося перевірити область даних.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Не вдалося перевірити кореневий хеш.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Під час створення області хешу сталася помилка введення або виведення даних.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Не вдалося створити область хешу.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "Попередження: ядро не зможе задіяти пристрій, якщо розмір блоку перевищуватиме розмір сторінки (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Не виявлено жодного відомого зразка специфікації шифрування.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "Попередження: параметр --hash у простому режимі із вказаним файлом ключа ігнорується.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "Попередження: параметр --keyfile-size проігноровано, розмір прочитаних даних збігається із розміром ключа шифрування.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Слід вказати параметр --key-file.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Для цього пароля не виявлено заголовка пристрою.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Дамп заголовка з ключем тому є конфіденційними даними,\n"
+"за допомогою яких можна отримати доступ до шифрованого розділу\n"
+"без пароля. Цей дамп слід зберігати у зашифрованому форматі\n"
+"у безпечному місці."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Результат тестування є ненадійним.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Наближені значення під час перевірки визначаються лише за допомогою оперативної пам’яті (без запису на диск).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "№ Алгоритм | Ключ | Шифрування | Розшифрування\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Шифрування %s є недоступним.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "н/д"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Не вдалося прочитати файл ключа %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Не вдалося прочитати %d байтів з файла ключа %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Спробувати відновити заголовок пристрою LUKS?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Дані на %s буде перезаписано без можливості відновлення."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "помилка під час отримання області пам’яті у action_luksFormat"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Не можна використовувати %s як заголовок на диску.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Зменшений відступ даних можна використовувати лише для від’єднаних заголовків LUKS.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Слот ключа %d позначено для вилучення.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Ключ %d не є активним. Його не можна витерти.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Це останній слот ключа. Пристрій стане непридатним для використання після спорожнення цього ключа."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Введіть будь-який інший пароль: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Введіть пароль, який слід вилучити: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Введіть будь-який пароль: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Введіть пароль, який слід змінити: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Введіть новий пароль: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "У команді isLuks можна використовувати лише один аргумент назви пристрою.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Слід вказати параметр --header-backup-file.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Нерозпізнаний тип пристрою метаданих, %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Аргументами команди мають бути назва пристрою та призначена до нього назва.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"У результаті виконання цієї операції буде витерто усі слоти ключів на пристрої %s.\n"
+"Після виконання цієї дії пристроєм не можна буде скористатися."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<пристрій> [--type <тип>] [<назва>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "відкрити пристрій як призначення <назва>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<назва>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "закрити пристрій (вилучити призначення)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "змінити розмір активного пристрою"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "показати стан пристрою"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <шифр>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "перевірити швидкодію шифрування"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<пристрій>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "спробувати виправити метадані на диску"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "витерти усі слоти ключів (вилучити ключ шифрування)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<пристрій> [<новий файл ключа>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "форматує пристрій LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "додати ключ до пристрою LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<пристрій> [<файл ключа>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "вилучає наданий ключ або файл ключа з пристрою LUKS"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "змінює наданий ключ або файл ключа пристрою LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<пристрій> <слот ключа>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "вилучає ключ з номером <слот ключа> з пристрою LUKS"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "вивести UUID пристрою LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "виконати спробу виявлення заголовка розділу LUKS на пристрої <пристрій>"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "створити дамп даних щодо розділу LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "створити дамп даних пристрою TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Приспати пристрій LUKS і витерти ключ (роботу всіх каналів введення-виведення буде заморожено)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Відновити роботу приспаного пристрою LUKS."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Створити резервну копію заголовка пристрою LUKS і слотів ключів"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Відновити заголовок пристрою LUKS і слоти ключів"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<дія> є однією з таких:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Ви також можете скористатися застарілими альтернативними\n"
+"синтаксичними конструкціями для запису <дія>:\n"
+"\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<назва> — пристрій для створення у %s\n"
+"<пристрій> — зашифрований пристрій\n"
+"<слот ключа> — номер слота ключа LUKS, який слід змінити\n"
+"<файл ключа> — необов’язковий файл ключа для нового ключа для дії luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Типові вбудовані параметри ключа і пароля:\n"
+"\tМаксимальний розмір файла ключа: %d кБ, максимальна довжина інтерактивного пароля: %d (символів)\n"
+"Типовий час ітерації PBKDF2 для LUKS: %d мс\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Типові вбудовані параметри шифрування на пристрої:\n"
+"\tloop-AES: %s, %d-бітовий ключ\n"
+"\tзвичайне: %s, ключ: %d-бітовий, хешування пароля: %s\n"
+"\tLUKS1: %s, ключ: %d-бітовий, хешування заголовка LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: слід вказати у параметрах %s"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Показати цю довідку"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Показати короткі настанови щодо користування"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Пункти довідки:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Вивести дані щодо версії пакунка"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Показувати докладні повідомлення про помилки"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Показувати повідомлення зневадження"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Шифр, який використано для шифрування даних диска (див. /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Хеш, використаний для створення ключа шифрування на основі пароля"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Перевіряє пароль повторним запитом щодо нього"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Прочитати ключ з файла."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Прочитати ключ тому (основний ключ) з файла."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Створити дамп ключа тому (основного ключа) замість показу даних щодо слотів ключів."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Розмір ключа шифрування"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "БІТИ"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Обмежує читання з файла ключа"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "байти"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Кількість байтів, які слід пропустити у файлі ключа"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Обмежує читання з щойно доданого файла ключа"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Кількість байтів, які слід пропустити у щойно доданому файлі ключа"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Номер слоту для нового ключа (типовим слотом є перший вільний слот)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Розмір пристрою"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "СЕКТОРИ"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Початковий відступ на допоміжному пристрої"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Кількість секторів зашифрованих даних, які слід пропустити на початку"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Створити призначення у режимі лише читання"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Тривалість ітерації PBKDF2 для LUKS (у мс)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "мс"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Не питати про підтвердження"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Час очікування у інтерактивному запиті щодо пароля (у секундах)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "секунди"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Частота повторень спроб отримання вхідних даних пароля"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Вирівняти дані за областями у <n> секторів, для luksFormat"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Файл з заголовком LUKS та резервною копію слотів ключів."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Використовувати для створення ключа тому /dev/random."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Використовувати для створення ключа тому /dev/urandom."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Використовувати пристрій спільно з іншим сегментом шифрування, без перекриття."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID пристрою, який слід використати."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Дозволити запити відкидання (або TRIM) до пристрою."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Пристрій або файл з окремим заголовком LUKS."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Не задіювати пристрій, просто перевірити пароль."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Використовувати прихований заголовок (прихований пристрій TCRYPT)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Пристрій є системним диском TCRYPT (диском з завантажувачем)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Використовувати резервний (вторинний) заголовок TCRYPT."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Виконати також пошук сумісних із VeraCrypt пристроїв."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Типи метаданих пристрою: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Вимкнути перевірку якості пароля (якщо її увімкнено)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Скористатися параметром сумісності швидкодії dm-crypt same_cpu_crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Скористатися параметром сумісності швидкодії dm-crypt submit_from_crypt_cpus."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[ПАРАМЕТР...] <дія> <параметри_дії>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Не вказано аргумент <дія>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Невідома дія."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Параметр --shared можна використовувати лише для дії з відкриття.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Параметр --key-size можна використовувати лише для дій luksFormat, open і benchmark.\n"
+"Щоб обмежити читання з файла ключа, скористайтеся параметром --keyfile-size=(об’єм у байтах)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS та TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Розмір ключа має бути кратним 8 бітам"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Некоректний слот ключа."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Параметр --key-file має пріоритет над вказаним параметром файла ключа.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Не можна використовувати від’ємні значення для параметра."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Можна використовувати лише один аргумент --key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Можна використовувати лише один з параметрів --use-[u]random."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Параметр --use-[u]random можна використовувати лише для дії luksFormat."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Параметр --uuid можна використовувати лише для дій luksFormat і luksUUID."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Параметр --align-payload можна використовувати лише для дії luksFormat."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Підтримку параметра --offset передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Підтримку параметра --veracrypt передбачено лише для пристроїв TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Вказано некоректний рядок солі.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Не вдалося створити образ хешу %s для запису.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Вказано некоректний рядок кореневого хешу.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<пристрій_даних> <пристрій_хешу>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "форматувати пристрій"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<пристрій_даних> <пристрій_хешу> <кореневий_хеш>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "перевірити пристрій"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<назва> <пристрій_даних> <пристрій_хешу> <кореневий_хеш>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "створити активний пристрій"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "вилучити пристрій (скасувати активацію)"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "показати стан активного пристрою"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<пристрій_хешу>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "показати вбудовані дані"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<назва> — назва пристрою, який слід створити у %s\n"
+"<пристрій_даних> — пристрій даних\n"
+"<пристрій_хешу> — пристрій, на якому зберігаються дані для перевірки\n"
+"<кореневий_хеш> — хеш кореневого вузла на пристрої <пристрій_хешу>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Типові вбудовані параметри dm-verity:\n"
+"\tхеш: %s, блок даних (у байтах): %u, блок хешу (у байтах): %u, розмір солі: %u, формат хешування: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Не використовувати суперблок verity"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Тип форматування (1 — звичайне, 0 — початкове Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "номер"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Розмір блоку на пристрої даних"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Розмір блоку на пристрої хешу"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Кількість блоків у файлі даних"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "блоки"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Початковий відступ на пристрої хешу"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Алгоритм хешування"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "рядок"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Сіль"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "шістнадцятковий рядок"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Перезапустити ядро, якщо виявлено пошкодження"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Ігнорувати пошкодження, лише записати повідомлення до журналу"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Не перевіряти занулені блоки"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Параметри --ignore-corruption, --restart-on-corruption та --ignore-zero-blocks можна використовувати лише для дії зі створення (create).\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Параметри --ignore-corruption і --restart-on-corruption не можна використовувати одночасно.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Спроба розподілу вирівняних ділянок пам’яті зазнала невдачі.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Не вдалося виконати читання з пристрою %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Позначаємо пристрій LUKS %s як непридатний.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Не вдалося виконати запис на пристрій %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Не вдалося записати файл журналу повторного шифрування.\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Не вдалося прочитати файл журналу повторного шифрування.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Файл журналу %s вже існує, поновлюємо повторне шифрування.\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Спроба задіяти тимчасовий пристрій за допомогою старого заголовка LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Спроба задіяти тимчасовий пристрій за допомогою нового заголовка LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Спроба задіяти тимчасові пристрої зазнала невдачі.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Створено новий заголовок LUKS для пристрою %s.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Задіяний слот ключа %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Створено резервну копію заголовка LUKS пристрою %s.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Спроба створення заголовків резервних копій LUKS зазнала невдачі.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Не вдалося відновити заголовок LUKS на пристрої %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Відновлено заголовок LUKS на пристрої %s.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Поступ: %5.1f%%, час до завершення: %02llu:%02llu, записано %4llu МіБ, швидкість %5.1f МіБ/с%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Не вдалося встановити вказану позицію на пристрої.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Неможливо відкрити тимчасовий пристрій LUKS.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Не вдалося отримати дані щодо розміру пристрою.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Перервано за сигналом.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Помилка введення-виведення під час повторного шифрування.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "Наданий UUID є некоректним.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Вкажіть пароль для слоту ключа %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Не вдалося відкрити файл журналу повторного шифрування.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Розшифровування не виконується. Наданий UUID можна використовувати лише для відновлення призупиненого процесу розшифровування.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Розмір блоку повторного шифрування"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "МіБ"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Не змінювати ключ, не виконувати повторного шифрування області даних."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Використовувати безпосереднє введення-виведення під час доступу до пристроїв."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Використовувати fsync після кожного блоку."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Оновлювати файл журналу після кожного блоку."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Використовувати лише цей слот (інші буде вимкнено)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Зменшити розмір пристрою зберігання даних (змістити відступ даних). НЕБЕЗПЕЧНО!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Використовувати лише вказаний розмір пристрою (ігнорувати решту об’єму). НЕБЕЗПЕЧНО!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Створити новий заголовок на незашифрованому пристрої."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Остаточно розшифрувати пристрій (скасувати шифрування)"
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "UUID, що використовується для відновлення розшифровування."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[ПАРАМЕТР...] <пристрій>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Повторне шифрування призведе до зміни: ключа тому%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", встановити хеш у значення "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", встановити шифрування "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Слід вказати аргумент."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Розмір блоку повторного шифрування повинен належати діапазону від 1 МіБ до 64 МІБ."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Некоректна специфікація розміру пристрою."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 64 МіБ."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Розмір зменшення має бути кратним до 512-байтового сектора."
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Параметр --new слід використовувати разом з --reduce-device-size."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Параметр --keep-key можна використовувати лише разом з параметром --hash або --iter-time."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Параметр --new не можна використовувати разом з --decrypt."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Параметр --decrypt є несумісним із вказаними параметрами."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Параметр --uuid можна використовувати лише разом із --decrypt."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Помилка під час спроби читання відповіді з термінала.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Команду виконано успішно.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Спроба виконання команди завершилася повідомленням про помилку з кодом %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Не вдалося перевірити якість пароля: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Помилка під час спроби оцінити якість пароля:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Помилка під час спроби оцінити якість пароля: некоректний пароль (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Не вдалося знайти вільний петльовий пристрій.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Не вдалося відкрити пристрій %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Не можна використовувати переданий UUID, якщо не виконується дія з розшифровування.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Позначаємо пристрій LUKS %s як придатний\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "ПОПЕРЕДЖЕННЯ: цей код не перевірено достатнім чином, його використання може призвести до незворотного пошкодження даних.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "Контрольні суми FIPS не збігаються.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "Попередження: пристрій %s є розділом; для шифрування системи за допомогою TCRYPT, зазвичай, вам слід використовувати шлях до цілого блокового пристрою.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "У ядрі не передбачено підтримки plain64 IV.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Введіть пароль LUKS: "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Введіть новий пароль LUKS: "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Введіть довільний пароль LUKS: "
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Не вдалося отримати каталог призначених пристроїв."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Файла резервної копії, %s, не існує.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Не вдалося відкрити файл %s.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<назва> <пристрій>"
+
+#~ msgid "create device"
+#~ msgstr "створити пристрій"
+
+#~ msgid "remove device"
+#~ msgstr "вилучити пристрій"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "вилучити призначення LUKS"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "відкрити пристрій loop-AES як призначення <назва>"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "вилучити призначення loop-AES"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "Параметр --allow-discards можна використовувати лише для дій luksOpen, loopaesOpen і create.\n"
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Не вдалося відкрити пристрій %s для доступу %s%s.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "ексклюзивний "
+
+#~ msgid "writable"
+#~ msgstr "придатний до запису"
+
+#~ msgid "read-only"
+#~ msgstr "тільки читання"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "УВАГА!!! Небезпека доступу до даних у пам’яті. Працюєте від імені адміністратора?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Не вдалося отримати розмір сектора %s"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Не вдалося виконати запис до сховища ключів.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Не вдалося виконати читання даних зі сховища ключів.\n"
+
+#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
+#~ msgstr "Використання пристрою %s неможливе (сегменти шифрування перекриваються або використовуються іншим пристроєм).\n"
diff --git a/po/vi.po b/po/vi.po
new file mode 100644
index 0000000..5656302
--- /dev/null
+++ b/po/vi.po
@@ -0,0 +1,1958 @@
+# Vietnamese translation for CryptSetup.
+# Bản dịch tiếng Việt dành cho cryptsetup.
+# Copyright © 2016 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Clytie Siddall <clytie@riverland.net.au>, 2010.
+# Trần Ngọc Quân <vnwildman@gmail.com>, 2012-2014, 2015, 2016, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.4\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2017-03-02 09:40+0100\n"
+"PO-Revision-Date: 2017-03-05 15:08+0700\n"
+"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
+"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
+"Language: vi\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Gtranslator 2.91.7\n"
+
+#: lib/libdevmapper.c:262
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "Không thể khởi tạo ánh-xạ-thiết-bị (device-mapper), do không chạy dưới quyền siêu người dùng.\n"
+
+#: lib/libdevmapper.c:265
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr ""
+"Không thể khởi tạo tiến trình ánh xạ thiết bị.\n"
+"Mô-đun hạt nhân “dm_mod” được nạp chưa?\n"
+
+#: lib/libdevmapper.c:581
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "Mã số DM-UUID cho thiết bị %s bị cắt ngắn.\n"
+
+#: lib/libdevmapper.c:729
+msgid "Requested dm-crypt performance options are not supported.\n"
+msgstr "Không hỗ trợ tùy chọn hiệu năng dm-crypt đã yêu cầu.\n"
+
+#: lib/libdevmapper.c:735
+msgid "Requested dm-verity data corruption handling options are not supported.\n"
+msgstr "Không hỗ trợ tùy chọn xử lý dữ liệu sai hỏng dm-verity đã yêu cầu.\n"
+
+#: lib/random.c:80
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Hệ thống bị nằm ngoài en-trô-pi trong khi tạo khóa vùng chứa.\n"
+"Xin hãy di chuyển con chuột hay gõ vài chữ trong cửa sổ khác để thu thập sự kiện ngẫu nhiên.\n"
+
+#: lib/random.c:84
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Đang tạo khóa (xong %d%%).\n"
+
+#: lib/random.c:170
+msgid "Running in FIPS mode.\n"
+msgstr "Đang chạy trong chế độ FIPS.\n"
+
+#: lib/random.c:176
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Gặp lỗi nghiêm trọng trong quá trình khởi tạo RNG.\n"
+
+#: lib/random.c:213
+msgid "Unknown RNG quality requested.\n"
+msgstr "Không hiểu chất lượng RNG đã yêu cầu.\n"
+
+#: lib/random.c:218
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Lỗi %d khi đọc từ RNG: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "Không thể khởi tạo ứng dụng chạy ở phía sau (backend) mã hóa RNG.\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Không thể khởi ứng dụng mã hóa chạy ở phía sau (backend).\n"
+
+#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "Thuật toán băm %s không được hỗ trợ.\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "Lỗi xử lý khóa (dùng mã băm %s).\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "Không thể dò tìm kiểu thiết bị. Phần hoạt hóa của thiết bị không tương thích à?\n"
+
+#: lib/setup.c:289 lib/setup.c:1552
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Thao tác này được hỗ trợ chỉ cho thiết bị LUKS.\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "Mọi khe khóa đều đã đầy.\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Khe khóa %d không đúng, hãy chọn một giá trị trong phạm vi từ 0 đến %d.\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Khe khóa %d bị đầy, hãy chọn một khe khác.\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Nhập cụm từ mật khẩu cho %s: "
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "Phát hiện được phần đầu nhưng mà thiết bị %s quá nhỏ.\n"
+
+#: lib/setup.c:670 lib/setup.c:1435
+msgid "This operation is not supported for this device type.\n"
+msgstr "Thao tác này không được hỗ trợ cho kiểu thiết bị này.\n"
+
+#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Thiết bị %s không hoạt động.\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Thiết bị nằm dưới cho thiết bị crypt %s đã bị biến mất.\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Đặt sai tham số mã hóa bình thường.\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "Kích cỡ khóa không đúng.\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID không hỗ trợ kiểu mã hóa này.\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "Không thể định dạng “LUKS” mà không có thiết bị.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Không thể định dạng thiết bị %s mà nó lại vẫn đang được sử dụng.\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "Không thể định dạng thiết bị %s, không đủ thẩm quyền.\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Không thể tẩy xóa phần đầu trên thiết bị %s.\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "Không thể định dạng “LOOPAES” bên ngoài thiết bị.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "Không thể định dạng “VERITY” mà không có thiết bị.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "Kiểu băm “VERITY” %d không được hỗ trợ.\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "Kích thước khối “VERITY” không được hỗ trợ.\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "Khoảng bù (offset) mã băm “VERITY” không được hỗ trợ.\n"
+
+#: lib/setup.c:1193
+msgid "Data area overlaps with hash area.\n"
+msgstr "Vùng dữ liệu chồng lấn với vùng mã băm.\n"
+
+#: lib/setup.c:1292
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Không rõ kiểu thiết bị mã hóa %s được yêu cầu.\n"
+
+#: lib/setup.c:1402
+msgid "Cannot resize loop device.\n"
+msgstr "Không thể đổi cỡ thiết bị vòng ngược (loopback).\n"
+
+#: lib/setup.c:1450
+msgid "Do you really want to change UUID of device?"
+msgstr "Bạn có thực sự muốn thay đổi UUID cho thiết bị?"
+
+#: lib/setup.c:1560
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Khối tin %s không hoạt động.\n"
+
+#: lib/setup.c:1571
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Khối %s đã bị ngưng.\n"
+
+#: lib/setup.c:1578
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "Tạm dừng không được hỗ trợ cho kiểu thiết bị %s.\n"
+
+#: lib/setup.c:1580
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "Gặp lỗi khi tạm dừng thiết bị %s.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1653
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Vùng %s không bị treo.\n"
+
+#: lib/setup.c:1620
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "Thao tác phục hồi không được hỗ trợ cho kiểu thiết bị %s.\n"
+
+#: lib/setup.c:1622 lib/setup.c:1674
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "Gặp lỗi khi cho hoạt động trở lại thiết bị %s.\n"
+
+#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "Gõ cụm từ mật khẩu: "
+
+#: lib/setup.c:1722 lib/setup.c:1858
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Không thể thêm khe khóa vì mọi khe đều bị tắt và không cung cấp khóa khối tin.\n"
+
+#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
+msgid "Enter any passphrase: "
+msgstr "Nhập bất cứ cụm từ mật khẩu nào: "
+
+#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "Gõ cụm từ mật khẩu mới cho khe khóa: "
+
+#: lib/setup.c:1813
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "Khe khóa %d đã thay đổi.\n"
+
+#: lib/setup.c:1816
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "Đã thay thế với khe khóa %d.\n"
+
+#: lib/setup.c:1821
+msgid "Failed to swap new key slot.\n"
+msgstr "Gặp lỗi khi hoán đổi khe khóa mới.\n"
+
+#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
+msgid "Volume key does not match the volume.\n"
+msgstr "Khóa khối tin không tương ứng với khối tin đó.\n"
+
+#: lib/setup.c:1976
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Khe khóa %d không đúng.\n"
+
+#: lib/setup.c:1981
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Khe khóa %d không được dùng.\n"
+
+#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Thiết bị %s đã sẵn có.\n"
+
+#: lib/setup.c:2186
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Khóa vùng chứa đã chỉ định không đúng cho thiết bị thường.\n"
+
+#: lib/setup.c:2219
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "Mã băm gốc đã chỉ định không đúng cho thiết bị chứng thực (verity).\n"
+
+#: lib/setup.c:2242
+msgid "Device type is not properly initialised.\n"
+msgstr "Kiểu thiết bị gần như chắc chắn là chưa được thiết lập.\n"
+
+#: lib/setup.c:2274
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Thiết bị %s vẫn đang được sử dụng.\n"
+
+#: lib/setup.c:2283
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Thiết bị không đúng %s.\n"
+
+#: lib/setup.c:2304
+msgid "Function not available in FIPS mode.\n"
+msgstr "Chức năng không khả dụng trong chế độ “FIPS”.\n"
+
+#: lib/setup.c:2310
+msgid "Volume key buffer too small.\n"
+msgstr "Vùng đệm khóa khối tin quá nhỏ.\n"
+
+#: lib/setup.c:2318
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Không thể lấy khóa khối tin cho thiết bị bình thường.\n"
+
+#: lib/setup.c:2325
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Thao tác này không được hỗ trợ cho thiết bị mã hóa %s.\n"
+
+#: lib/setup.c:2521
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "Thao tác đổ đống (dump) không được hỗ trợ cho kiểu thiết bị này.\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "Không thể lấy mức ưu tiên của tiến trình.\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "Không thể mở khóa bộ nhớ.\n"
+
+#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
+#: lib/utils_crypt.c:417
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Tràn bộ nhớ trong khi đọc cụm từ mật khẩu.\n"
+
+#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Gặp lỗi khi đọc cụm từ mật khẩu từ thiết bị cuối.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Verify passphrase: "
+msgstr "Nhập lại mật khẩu: "
+
+#: lib/utils_crypt.c:267
+msgid "Passphrases do not match.\n"
+msgstr "Hai cụm từ mật khẩu không trùng nhau.\n"
+
+#: lib/utils_crypt.c:351
+msgid "Cannot use offset with terminal input.\n"
+msgstr "Không thể sử dụng khoảng bù (offset) với đầu vào là thiết bị cuối.\n"
+
+#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
+msgid "Failed to open key file.\n"
+msgstr "Gặp lỗi khi mở tập tin khóa.\n"
+
+#: lib/utils_crypt.c:379
+msgid "Failed to stat key file.\n"
+msgstr "Gặp lỗi khi lấy thông tin tập tin khóa.\n"
+
+#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "Không thể di chuyển vị trí đầu đọc tới vị trí tương đối (offset) tập tin khóa đã yêu cầu.\n"
+
+#: lib/utils_crypt.c:425
+msgid "Error reading passphrase.\n"
+msgstr "Lỗi đọc cụm từ mật khẩu.\n"
+
+#: lib/utils_crypt.c:448
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "Đã vượt quá kích thước tập tin khóa tối đa.\n"
+
+#: lib/utils_crypt.c:453
+msgid "Cannot read requested amount of data.\n"
+msgstr "Không thể đọc đống dữ liệu đã yêu cầu.\n"
+
+#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Thiết bị %s không tồn tại hoặc không đủ quyền truy cập.\n"
+
+#: lib/utils_device.c:429
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "Không thể sử dụng thiết-bị vòng ngược (loopback), do không chạy dưới quyền siêu người dùng.\n"
+
+#: lib/utils_device.c:439
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "Gặp lỗi khi gắn thiết bị vòng ngược (loopback) (thiết bị lặp với cờ autoclear là bắt buộc).\n"
+
+#: lib/utils_device.c:483
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Không thể sử dụng thiết bị %s mà nó lại đang được sử dụng (đang được ánh xạ hoặc gắn).\n"
+
+#: lib/utils_device.c:487
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Không thể lấy thông tin về thiết bị %s.\n"
+
+#: lib/utils_device.c:493
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "Khoảng bù (offset) đã yêu cầu nằm ngoài kích thước thật của thiết bị %s.\n"
+
+#: lib/utils_device.c:501
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Thiết bị %s có kích cỡ là không.\n"
+
+#: lib/utils_device.c:512
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Thiết bị %s có kích cỡ quá nhỏ.\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"Gặp lỗi khi cài đặt ánh xạ khóa dm-crypt cho thiết bị %s.\n"
+"Kiểm tra lại hạt nhân hỗ trợ mật mã %s (kiểu tra sổ theo dõi hệ thống để tìm thêm thông tin.)\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Kích thước khóa trong chế độ “XTS” phải là 256 hay 512 bit.\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "Không thể ghi thiết bị %s, không đủ thẩm quyền.\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Gặp lỗi khi mở thiết bị lưu trữ khóa tạm thời.\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Gl khi truy cập đến thiết bị lưu trữ khóa tạm thời.\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "Lỗi IO (vào/ra) trong quá trình mã hóa khe khóa.\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "Lỗi IO (vào/ra) trong quá trình giải mã khe khóa.\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "Thiết bị %s quá nhỏ. (LUKS cần ít nhất %<PRIu64> byte.)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
+#: src/cryptsetup_reencrypt.c:1152
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Thiết bị %s không phải là một thiết bị kiểu LUKS đúng.\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "Phần đầu tập tin sao lưu dự phòng đã yêu cầu %s đã sẵn có.\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "Không thể tạo phần đầu của tập tin sao lưu dự phòng %s.\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Không thể ghi tập tin sao lưu phần đầu %s.\n"
+
+#: lib/luks1/keymanage.c:238
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "Tập tin sao lưu không chứa phần đầu LUKS hợp lệ.\n"
+
+#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Không mở được tập tin sao lưu phần đầu %s.\n"
+
+#: lib/luks1/keymanage.c:257
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Không đọc được tập tin sao lưu phần đầu %s.\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Khoảng bù dữ liệu hoặc kích cỡ khóa vẫn khác nhau trên thiết bị và bản sao lưu thì chức năng phục hồi bị lỗi.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Thiết bị %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "không chứa phần đầu LUKS. Thay thế phần đầu thì cũng có thể hủy dữ liệu trên thiết bị đó."
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "đã chứa phần đầu LUKS. Thay thế phần đầu thì cũng hủy các khe khóa đã có."
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"CẢNH BÁO: phần đầu thiết bị thật có mã số “UUID” khác với bản sao lưu!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
+#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
+#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#: src/cryptsetup_reencrypt.c:154
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Không thể mở thiết bị %s.\n"
+
+#: lib/luks1/keymanage.c:330
+msgid "Non standard key size, manual repair required.\n"
+msgstr "Kích thước khóa không tiêu chuẩn, yêu cầu sửa chữa bằng tay.\n"
+
+#: lib/luks1/keymanage.c:335
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "Không thể đồng chỉnh các khe khóa (keyslot) tiêu chuẩn, yêu cầu sửa chữa bằng tay.\n"
+
+#: lib/luks1/keymanage.c:341
+msgid "Repairing keyslots.\n"
+msgstr "Đang chuẩn bị các khe khóa (keyslots).\n"
+
+#: lib/luks1/keymanage.c:352
+msgid "Repair failed."
+msgstr "Gặp lỗi khi sửa chữa."
+
+#: lib/luks1/keymanage.c:364
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "Khe-khóa (keyslot) %i: khoảng bù (offset) được sửa chữa (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:372
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "Khe-khóa (keyslot) %i: stripes được sửa chữa (%u -> %u).\n"
+
+#: lib/luks1/keymanage.c:381
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "Khe-khóa (keyslot) %i: chữ ký phân vùng không có thật.\n"
+
+#: lib/luks1/keymanage.c:386
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "Khe-khóa (keyslot) %i: muối bị tẩy xóa.\n"
+
+#: lib/luks1/keymanage.c:397
+msgid "Writing LUKS header to disk.\n"
+msgstr "Đang ghi phần đầu của LUKS lên đĩa.\n"
+
+#: lib/luks1/keymanage.c:422
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Phiên bản LUKS không được hỗ trợ %d.\n"
+
+#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Không hỗ trợ chuỗi duy nhất LUKS %s được yêu cầu.\n"
+
+#: lib/luks1/keymanage.c:443
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "khe-khóa LUKS %u là không hợp lệ.\n"
+
+#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "Không phát hiện thấy vấn đề với phần đầu LUKS.\n"
+
+#: lib/luks1/keymanage.c:607
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Gặp lỗi trong khi cập nhật phần đầu LUKS trên thiết bị %s.\n"
+
+#: lib/luks1/keymanage.c:614
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Gặp lỗi trong khi đọc lại phần đầu LUKS sau khi cập nhật trên thiết bị %s.\n"
+
+#: lib/luks1/keymanage.c:665
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr "Khoảng bù dữ liệu cho phần đầu LUKS tách rời phải hoặc là 0 hoặc là lớn hơn kích thước phần đầu (%d cung từ).\n"
+
+#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Đưa ra định dạng mã số UUID LUKS không đúng.\n"
+
+#: lib/luks1/keymanage.c:706
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Không thể tạo phần đầu LUKS: lỗi đọc salt ngẫu nhiên.\n"
+
+#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Gặp các tùy chọn PBKDF2 không tương thích (dùng thuật toán chuỗi duy nhất %s).\n"
+
+#: lib/luks1/keymanage.c:728
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Không thể tạo phần đầu LUKS: lỗi tạo bản tóm tắt (dùng chuỗi duy nhất %s).\n"
+
+#: lib/luks1/keymanage.c:793
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Khe khóa %d vẫn hoạt động: cần tẩy trước.\n"
+
+#: lib/luks1/keymanage.c:799
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Nguyên liệu khe khóa %d gồm có quá ít sọc. Có nên thao tác phần đầu không?\n"
+
+#: lib/luks1/keymanage.c:966
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Khe khóa %d được mở khóa.\n"
+
+#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
+msgid "No key available with this passphrase.\n"
+msgstr "Không có khóa sẵn sàng dùng với cụm từ mật khẩu này.\n"
+
+#: lib/luks1/keymanage.c:1019
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Khe khóa %d không đúng: hãy chọn khe khóa trong phạm vi 0 đến %d.\n"
+
+#: lib/luks1/keymanage.c:1037
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Không thể tẩy thiết bị %s.\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "Tìm thấy tập tin khóa mã hóa GPG vẫn chưa được hỗ trợ.\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Hãy dùng gpg --decrypt <TẬP-TIN-KHÓA> | cryptsetup --keyfile=- …\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "Tập tin khóa (keyfile) loop-AES không tương thích được tìm thấy.\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "Nhân không hỗ trợ ánh xạ tương thích loop-AES.\n"
+
+#: lib/tcrypt/tcrypt.c:476
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "Gặp lỗi khi đọc tập-tin khóa %s.\n"
+
+#: lib/tcrypt/tcrypt.c:514
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Độ dài cụm từ mật khẩu TCRYPT tối đa (%d) đã bị vượt quá.\n"
+
+#: lib/tcrypt/tcrypt.c:544
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "Thuật toán băm PBKDF2 không khả dụng %s, bỏ qua.\n"
+
+#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "Giao diện mã hóa từ nhân đã yêu cầu không khả dụng.\n"
+
+#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "Bạn cần chắc chắn là mô-đun nhân algif_skcipher đã được tải.\n"
+
+#: lib/tcrypt/tcrypt.c:708
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "Hoạt hóa không được hỗ trợ cho kích thước cung %d.\n"
+
+#: lib/tcrypt/tcrypt.c:714
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "Nhân không hỗ trợ hoạt hóa cho chế độ cũ của TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:748
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "Đang kích hoạt mã hóa hệ thống TCRYPT cho phân vùng %s.\n"
+
+#: lib/tcrypt/tcrypt.c:815
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "Nhân không hỗ trợ ánh xạ tương thích TCRYPT.\n"
+
+#: lib/tcrypt/tcrypt.c:1030
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Chức năng này không được hỗ trợ mà không có phần tải đầu TCRYPT."
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "Thiết bị xác thực %s không sử dụng phần đầu on-disk.\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "Thiết bị %s không phải là thiết bị VERITY thích hợp.\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "Không hỗ trợ phiên bản VERITY %d.\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "phần đầu VERITY sai hỏng.\n"
+
+#: lib/verity/verity.c:167
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "Đưa ra định dạng mã số VERITY không đúng trên thiết bị %s.\n"
+
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "Gặp lỗi trong khi cập nhật phần đầu xác thực trên thiết bị %s.\n"
+
+#: lib/verity/verity.c:279
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "Nhân không hỗ trợ ánh xạ dm-verity.\n"
+
+#: lib/verity/verity.c:290
+msgid "Verity device detected corruption after activation.\n"
+msgstr "Thiết bị xác thực đã được phát hiện sai hỏng sau khi hoạt hóa.\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "Vùng để dành không được điền đầy bằng số không tại vị trí %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "Khoảng bù (offset) thiết bị bị tràn.\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "Thẩm tra gặp lỗi tại vị trí %<PRIu64>.\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "Các tham số kích thước cho thiết bị xác thực không hợp lệ.\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "Có quá nhiều mức cây cho mỗi vùng xác thực.\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "Việc thẩm tra vùng dữ liệu gặp lỗi.\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "Việc thẩm tra mã băm gốc gặp lỗi.\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "Lỗi Vào/Ra trong khi đang tạo vùng băm.\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "Việc tạo vùng dữ liệu băm gặp lỗi.\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "CẢNH BÁO: Nhân (kernel) không thể kích hoạt thiết bị nếu kích thước khối dữ liệu vượt quá kích cỡ trang (%u).\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "Không thể thẩm tra cụm từ mật khẩu trên đầu vào khác TTY.\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Không phát hiện mẫu đặc tả mã hóa đã biết.\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "CẢNH BÁO: Tham số --hash bị bỏ qua trong chế độ thường với tập tin khóa đã cho.\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "CẢNH BÁO: Đang bỏ qua các tùy chọn kích thước tập-tin-khóa --keyfile-size --, kích thước đọc giống với kích thước khóa mã hóa.\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "Cần tùy chọn “--key-file”.\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "Không có phần đầu thiết bị cho cụm từ mật khẩu này.\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Đổ đống phần đầu với khóa vùng chứa là thông tin phân biệt hoa thường\n"
+"cái mà cho phép truy cập phân vùng được mã hóa mà không cần mật khẩu.\n"
+"Việc đổ đống này nên luôn được lưu trữ mã hóa tại một nơi an toàn."
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "Kết quả đo kiểm không đáng tin cậy.\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Các kiểm tra là chỉ ước lượng việc sử dụng bộ nhớ (không tính IO ổ đĩa).\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# Thuật toán| Khóa| Mã hóa | Giải mã\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "Mã hóa kiểu %s không sẵn có.\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr "Không thể đọc tập-tin khóa %s.\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "Không thể đọc %d byte từ tập tin khóa %s.\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "Bạn có thực sự muốn thử sửa chữa phần đầu thiết bị LUKS không?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Thao tác này sẽ ghi đè lên dữ liệu trên thiết bị %s một cách không phục hồi được."
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "gặp lỗi phân cấp vùng nhớ trong“action_luksFormat”"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "Không thể sử dụng %s như là phần đầu on-disk.\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "Giảm khoảng bù (offset) dữ liệu chỉ cho phép khi phần đầu LUKS được tách rời.\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Khe khóa %d đã được chọn để xóa.\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Khóa %d không hoạt động thì không xóa được.\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Đây là khe khóa cuối cùng. Sau khi tẩy khóa này thì thiết bị không dùng được."
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "Gõ cụm từ mật khẩu bất kỳ còn lại: "
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "Gõ cụm từ mật khẩu cần xóa: "
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Hãy nhập mật khẩu bất kỳ sẵn có: "
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "Gõ cụm từ mật khẩu cần được thay đổi: "
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
+msgid "Enter new passphrase: "
+msgstr "Gõ cụm từ mật khẩu mới: "
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "Chỉ hỗ trợ một đối số thiết-bị dành cho thao tác isLuks.\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "Cần tùy chọn“--header-backup-file”.\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "Không nhận ra siêu dữ liệu của kiểu thiết bị %s.\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "Lệnh cần thiết bị và tên ánh xạ như là các tham số.\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Thao tác này sẽ tẩy mọi khe khóa trên thiết bị %s.\n"
+"Thiết bị sẽ không dùng được sau thao tác này."
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<thiết-bị> [--type <kiểu>] [<tên>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "mở thiết bị như là ánh xạ <tên>"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/veritysetup.c:329 src/veritysetup.c:330
+msgid "<name>"
+msgstr "<tên>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "đóng thiết bị (gỡ bỏ ánh xạ)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "thay đổi kích cỡ của thiết bị hoạt động"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "hiển thị trạng thái về thiết bị"
+
+#: src/cryptsetup.c:1384
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <bộ mã hóa>]"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "đo kiểm tốc độ mã hóa"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<thiết_bị>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "thử sửa chữa siêu dữ liệu (metadata) on-disk"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "tẩy mọi khe khóa (gỡ bỏ khóa mã hóa)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<thiết_bị> [<tập_tin_khóa_mới>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "định dạng một thiết bị kiểu LUKS"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "thêm khóa vào thiết bị LUKS"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<thiết_bị> [<tập_tin_khóa>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "gỡ bỏ khỏi thiết bị LUKS khóa hoặc tập tin khóa đưa ra"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "thay đổi khóa hay tập tin khóa đã áp dụng của thiết bị LUKS"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<thiết_bị> <khe_khóa>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "xóa khỏi thiết bị LUKS khóa có số <khe_khóa>"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "in ra mã số UUID của thiết bị LUKS"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "thử <thiết_bị> có phần đầu phân vùng LUKS không"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "đổ thông tin về phân vùng LUKS"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "dump thông tin thiết bị TCRYPT"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Ngưng thiết bị LUKS và tẩy khóa (thì mọi việc V/R đều đông cứng)."
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "Tiếp tục lại sử dụng thiết bị LUKS bị ngưng."
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "Sao lưu phần đầu và các khe khóa của thiết bị LUKS"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "Phục hồi phần đầu và các khe khóa của thiết bị LUKS"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:346
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<thao-tác> là một trong:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"Bạn còn có thể sử dụng cú pháp bí danh <thao-tác> kiểu cũ:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<tên> là thiết bị cần tạo dưới %s\n"
+"<thiết_bị> là thiết bị đã mã hóa\n"
+"<khe_khóa> là số thứ tự khe khóa LUKS cần sửa đổi\n"
+"<tập_tin_khóa> là tập tin khóa tùy chọn cho khóa mới trong thao tác luksAddKey\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"Các tham số mặc định liên quan đến khóa và mật khẩu được biên dịch sẵn:\n"
+"\tĐộ dài tập tin khóa tối đa: %dkB, Độ dài mật khẩu tương tác tối đa %d (ký tự)\n"
+"Thời gian tương tác PBKDF2 mặc định cho LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Các tham số mặc định liên quan đến việc mã hóa được đặt sẵn:\n"
+"\tloop-AES: %s, Khóa %d bit\n"
+"\tdữ liệu thô: %s, Khóa: %d bit, Kiểu băm mật khẩu: %s\n"
+"\tLUKS1: %s, Khóa: %d bit, Kiểu băm cho phần đầu LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: cần thiết %s làm đối số"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
+msgid "Show this help message"
+msgstr "Hiển thị trợ giúp này"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
+msgid "Display brief usage"
+msgstr "Hiển thị thông tin ngắn về cách sử dụng"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
+msgid "Help options:"
+msgstr "Tùy chọn trợ giúp:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
+msgid "Print package version"
+msgstr "Hiển thị phiên bản của gói"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
+msgid "Shows more detailed error messages"
+msgstr "Hiển thị các thông điệp lỗi chi tiết hơn"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
+msgid "Show debug messages"
+msgstr "Hiển thị thông điệp gỡ lỗi"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Mật mã dùng để bảo vệ đĩa (xem “/proc/crypto”)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Chuỗi duy nhất dùng để tạo khóa mã hóa từ cụm từ mật khẩu"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Thẩm tra cụm từ mật khẩu bằng cách yêu cầu nó hai lần"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
+msgid "Read the key from a file."
+msgstr "Đọc khóa từ một tập tin."
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "Đọc khóa khối tin (chủ) từ tập tin."
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Dump (đổ thành đống) khóa vùng chứa (master) thay vì thông tin khe-khóa."
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "The size of the encryption key"
+msgstr "Kích cỡ của khóa mã hóa"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
+msgid "BITS"
+msgstr "BIT"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
+msgid "Limits the read from keyfile"
+msgstr "Giới hạn việc đọc từ tập-tin-khóa"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
+#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
+#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
+#: src/cryptsetup_reencrypt.c:1329
+msgid "bytes"
+msgstr "byte"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
+msgid "Number of bytes to skip in keyfile"
+msgstr "Số lượng byte nhảy qua trong tập tin khóa"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "Giới hạn đọc từ tập tin khóa mới thêm vào"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Số lượng byte để nhảy qua trong tập tin khóa mới thêm"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "Số thứ tự khe cho khóa mới (mặc định là khe trống thứ nhất)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "Kích cỡ của thiết bị"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "CUNG-TỪ"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "Khoảng bù đầu tiên trong thiết bị thật chạy ở phía sau"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Bao nhiêu cung từ dữ liệu mã hóa cần bỏ qua ở đầu"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "Tạo một sự ánh xạ chỉ cho đọc"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Thời gian lặp lại PBKDF2 cho LUKS (theo mili-giây)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
+msgid "msecs"
+msgstr "mili-giây"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+msgid "Do not ask for confirmation"
+msgstr "Không cần xác nhận"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Thời gian chờ gõ cụm từ mật khẩu tối đa (theo giây)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "giây"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+msgid "How often the input of the passphrase can be retried"
+msgstr "Số các lần có cho phép thử gõ lại cụm từ mật khẩu"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Căn chỉnh trọng tải ở <n> biên giới cung từ — cho định dạng “luksFormat”"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "Tập tin chứa bản sao lưu phần đầu và các khe khóa của thiết bị LUKS."
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
+msgid "Use /dev/random for generating volume key."
+msgstr "Dùng /dev/random để tạo khóa volume."
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Dùng /dev/urandom để tạo khóa vùng."
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "Thiết bị chia sẻ với đoạn crypt không-chồng-lên-nhau khác."
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:403
+msgid "UUID for device to use."
+msgstr "UUID dành cho tập tin sử dụng."
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "Cho phép hủy bỏ (được biết đến như là TRIM) các yêu cầu cho thiết bị."
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "Thiết bị hay tập tin với phần đầu LUKS tách nhau."
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "Không kích hoạt thiết bị, chỉ cần kiểm tra mật khẩu."
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "Dùng phần đầu ẩn (thiết bị TCRYPT ẩn)."
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "Thiết bị là ổ đĩa TCRYPT hệ thống (có bootloader)."
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "Dùng phần đầu (thứ cấp) TCRYPT."
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "Cũng quét cho thiết bị tương thích VeraCrypt."
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "Kiểu của siêu dữ liệu thiết bị: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "Tắt chức năng kiểm tra chất lượng mật khẩu (nếu nó đang bật)."
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "Dùng tùy chọn tương thích hiệu năng same_cpu_crypt dm-crypt."
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "Dùng tùy chọn tương thích hiệu năng submit_from_crypt_cpus dm-crypt."
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:423
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[TÙY CHỌN…] <thao-tác> <đặc-tả-thao-tác>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:460
+msgid "Argument <action> missing."
+msgstr "Còn thiếu đối số <thao-tác>."
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:466
+msgid "Unknown action."
+msgstr "Không hiểu thao-tác."
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "Tùy chọn “--shared” chỉ cho phép với thao tác tạo mở của thiết bị thường.\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "Tùy chọn “--allow-discards” chỉ cho phép với thao tác mở.\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Tùy chọn --key-size thì chỉ cho phép với các thao tác luksFormat, mở và đo kiểm.\n"
+"Để giới hạn đọc từ tập-tin-khóa, hãy sử dụng tùy chọn --keyfile-size=(bytes)."
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "Tùy chọn “--test-passphrase” chỉ được phép cho lệnh mở thiết bị LUKS và TCRYPT.\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Kích cỡ khóa phải là bội số của 8 bít"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+msgid "Key slot is invalid."
+msgstr "Khe khóa không đúng."
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Tùy chọn --key-file giữ quyền ưu tiên cao hơn tham số tập tin khóa đã chỉ định.\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+msgid "Negative number for option not permitted."
+msgstr "Tùy chọn không chấp nhận giá trị là số âm."
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "Chỉ cho phép một tùy chọn --key-file."
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
+#: src/cryptsetup_reencrypt.c:1398
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Chỉ cho phép một tùy chọn “--use-[u]random”."
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Tùy chọn “--use-[u]random” chỉ được phép cho “luksFormat”."
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Tùy chọn “--uuid” thì chỉ cho phép với “luksFormat” và “luksUUID”."
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "Tùy chọn “--align-payload” chỉ được phép cho “luksFormat”."
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "Tùy chọn “--skip” chỉ hỗ trợ cho lệnh mở (open) của thiết bị thường và “loopaes”.\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "Tùy chọn “--offset” chỉ hỗ trợ cho lệnh mở (open) của thiết bị thường và “loopaes”.\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "Tùy chọn --tcrypt-hidden, --tcrypt-system hay --tcrypt-backup chỉ được hỗ trợ trên thiết bị TCRYPT.\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "Tùy chọn --tcrypt-hidden không thể được tổ hợp cùng với --allow-discards.\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "Tùy chọn --veracrypt chỉ được hỗ trợ trên thiết bị TCRYPT.\n"
+
+#: src/veritysetup.c:61
+msgid "Invalid salt string specified.\n"
+msgstr "Chuỗi salt (muối) đã cho không hợp lệ.\n"
+
+#: src/veritysetup.c:91
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "Không thể tạo ảnh băm %s để ghi.\n"
+
+#: src/veritysetup.c:158
+msgid "Invalid root hash string specified.\n"
+msgstr "Chuỗi mã băm gốc (thư mục root) đã chỉ ra không hợp lệ.\n"
+
+#: src/veritysetup.c:326
+msgid "<data_device> <hash_device>"
+msgstr "<thiết-bị-dữ-liệu> <thiết-bị-băm>"
+
+#: src/veritysetup.c:326
+msgid "format device"
+msgstr "định dạng thiết bị"
+
+#: src/veritysetup.c:327
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<thiết-bị-dữ-liệu> <thiết-bị-băm> <mã-băm-gốc>"
+
+#: src/veritysetup.c:327
+msgid "verify device"
+msgstr "thẩm tra thiết bị"
+
+#: src/veritysetup.c:328
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<tên> <thiết-bị-dữ-liệu> <thiết-bị-băm> <mã-băm-gốc>"
+
+#: src/veritysetup.c:328
+msgid "create active device"
+msgstr "tạo thiết bị hoạt động"
+
+#: src/veritysetup.c:329
+msgid "remove (deactivate) device"
+msgstr "gỡ bỏ (dừng hoạt động) thiết bị"
+
+#: src/veritysetup.c:330
+msgid "show active device status"
+msgstr "hiển thị trạng thái các thiết bị đang hoạt động"
+
+#: src/veritysetup.c:331
+msgid "<hash_device>"
+msgstr "<thiết_bị_băm>"
+
+#: src/veritysetup.c:331
+msgid "show on-disk information"
+msgstr "hiển thị thông tin trên-đĩa"
+
+#: src/veritysetup.c:350
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<tên> là thiết bị để tạo dưới %s\n"
+"<thiết-bị-dữ-liệu> là thiết bị dữ liệu\n"
+"<thiết-bị-băm> là thiết bị chứa dữ liệu xác thực\n"
+"<mã-băm-gốc> mã băm của nút root (gốc) trên <thiết-bị-băm>\n"
+
+#: src/veritysetup.c:357
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Các tham số dm-verity dựng sẵn mặc định:\n"
+"\tBăm: %s, Khối dữ liệu (bytes): %u, Khối băm (bytes): %u, Kích thước muối: %u, Định dạng băm: %u\n"
+
+#: src/veritysetup.c:395
+msgid "Do not use verity superblock"
+msgstr "Không sử dụng siêu khối thẩm định"
+
+#: src/veritysetup.c:396
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Kiểu định dạng (1 - thông thường, 0 - Chrome OS)"
+
+#: src/veritysetup.c:396
+msgid "number"
+msgstr "số"
+
+#: src/veritysetup.c:397
+msgid "Block size on the data device"
+msgstr "Kích cỡ khối trên thiết bị dữ liệu"
+
+#: src/veritysetup.c:398
+msgid "Block size on the hash device"
+msgstr "Kích cỡ của khối trên thiết bị băm"
+
+#: src/veritysetup.c:399
+msgid "The number of blocks in the data file"
+msgstr "Số lượng khối trong tập tin dữ liệu"
+
+#: src/veritysetup.c:399
+msgid "blocks"
+msgstr "khối"
+
+#: src/veritysetup.c:400
+msgid "Starting offset on the hash device"
+msgstr "Khoảng bù (offset) khởi đầu của thiết bị băm"
+
+#: src/veritysetup.c:401
+msgid "Hash algorithm"
+msgstr "Thuật toán băm"
+
+#: src/veritysetup.c:401
+msgid "string"
+msgstr "chuỗi"
+
+#: src/veritysetup.c:402
+msgid "Salt"
+msgstr "Muối"
+
+#: src/veritysetup.c:402
+msgid "hex string"
+msgstr "chuỗi hex (thập lục phân)"
+
+#: src/veritysetup.c:404
+msgid "Restart kernel if corruption is detected"
+msgstr "Khởi động lại nhân nếu thấy có sai hỏng"
+
+#: src/veritysetup.c:405
+msgid "Ignore corruption, log it only"
+msgstr "Bỏ qua sai hỏng, chỉ ghi nhật ký lại"
+
+#: src/veritysetup.c:406
+msgid "Do not verify zeroed blocks"
+msgstr "Không thẩm tra các khối không"
+
+#: src/veritysetup.c:494
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
+msgstr "Tùy chọn --ignore-corruption, --restart-on-corruption hay --ignore-zero-blocks chỉ được phép dùng cho thao tác tạo.\n"
+
+#: src/veritysetup.c:499
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Không được dùng các tùy chọn --ignore-corruption và --restart-on-corruption cùng một lúc.\n"
+
+#: src/cryptsetup_reencrypt.c:150
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "Không thể mở %s một cách đệ qui, thiết bị vẫn đang được sử dụng.\n"
+
+#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
+msgid "Allocation of aligned memory failed.\n"
+msgstr "Phân bổ bộ nhớ điều chỉnh gặp lỗi.\n"
+
+#: src/cryptsetup_reencrypt.c:171
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Không thể đọc thiết bị %s.\n"
+
+#: src/cryptsetup_reencrypt.c:182
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "Đánh dấu thiết bị LUKS %s là không thể dùng.\n"
+
+#: src/cryptsetup_reencrypt.c:198
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "Không thể ghi thiết bị %s.\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "Không thể ghi tập tin nhật ký reencryption (mã hóa lại).\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "Không đọc được tập tin nhật ký reencryption.\n"
+
+#: src/cryptsetup_reencrypt.c:375
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Tập tin nhật ký %s đã có sẵn rồi, giả định là reencryption (mã hóa lại).\n"
+
+#: src/cryptsetup_reencrypt.c:425
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "Hoạt hóa thiết bị tạm thời sử dụng phần đầu LUKS kiểu cũ.\n"
+
+#: src/cryptsetup_reencrypt.c:436
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "Hoạt hóa thiết bị tạm thời sử dụng phần đầu LUKS kiểu mới.\n"
+
+#: src/cryptsetup_reencrypt.c:446
+msgid "Activation of temporary devices failed.\n"
+msgstr "Việc hoạt hóa các thiết bị tạm thời gặp lỗi.\n"
+
+#: src/cryptsetup_reencrypt.c:472
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "Phần đầu LUKS mới cho thiết bị %s được tạo.\n"
+
+#: src/cryptsetup_reencrypt.c:480
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "Khe-khóa (keyslot) đã được kích hoạt %i.\n"
+
+#: src/cryptsetup_reencrypt.c:506
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "Phần đầu sao lưu LUKS của thiết bị %s được tạo.\n"
+
+#: src/cryptsetup_reencrypt.c:554
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "Việc tạo phần đầu LUKS sao lưu dự phòng gặp lỗi.\n"
+
+#: src/cryptsetup_reencrypt.c:656
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "Không thể phục hồi phần đầu LUKS trên thiết bị %s.\n"
+
+#: src/cryptsetup_reencrypt.c:658
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "Phần đầu LUKS trên thiết bị %s đã được phục hồi.\n"
+
+#: src/cryptsetup_reencrypt.c:693
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "Diễn biến: %5.1f%%, ETA %02llu:%02llu, đã ghi %4llu MiB, tốc độ %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
+#: src/cryptsetup_reencrypt.c:853
+msgid "Cannot seek to device offset.\n"
+msgstr "Không thể di chuyển vị trí tới vị trí tương đối thiết bị.\n"
+
+#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "Không thể r thiết bị LUKS tạm thời.\n"
+
+#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
+msgid "Cannot get device size.\n"
+msgstr "Không thể lấy kích cỡ thiết bị.\n"
+
+#: src/cryptsetup_reencrypt.c:946
+msgid "Interrupted by a signal.\n"
+msgstr "Bị ngắt bởi tín hiệu signal.\n"
+
+#: src/cryptsetup_reencrypt.c:948
+msgid "IO error during reencryption.\n"
+msgstr "Lỗi IO (vào/ra) trong quá trình mã hóa lại.\n"
+
+#: src/cryptsetup_reencrypt.c:978
+msgid "Provided UUID is invalid.\n"
+msgstr "UUID đã cung cấp không hợp lệ.\n"
+
+#: src/cryptsetup_reencrypt.c:1070
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "Tập tin khóa có thể sử dụng với tùy chọn --key-slot hoặc với chính xác một khe khóa hoạt động.\n"
+
+#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Gõ cụm từ mật khẩu cho khe khóa %u: "
+
+#: src/cryptsetup_reencrypt.c:1178
+msgid "Cannot open reencryption log file.\n"
+msgstr "Không mở được tập tin nhật ký reencryption.\n"
+
+#: src/cryptsetup_reencrypt.c:1184
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
+msgstr "Không có quá trình giải mã nào đang xử lý, UUID đã cung cấp có thể chỉ được dùng để phục hồi lại tiến trình giải mã đã tạm dừng.\n"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "Reencryption block size"
+msgstr "Kích thước khối mã hóa lại"
+
+#: src/cryptsetup_reencrypt.c:1311
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1315
+msgid "Do not change key, no data area reencryption."
+msgstr "Khôngười thay đổi khóa, không có mã hóa lại vùng dữ liệu."
+
+#: src/cryptsetup_reencrypt.c:1322
+msgid "Use direct-io when accessing devices."
+msgstr "Sử dụng vào ra trực tiếp khi truy cập các thiết bị."
+
+#: src/cryptsetup_reencrypt.c:1323
+msgid "Use fsync after each block."
+msgstr "Sử dụng fsync sau mỗi khối."
+
+#: src/cryptsetup_reencrypt.c:1324
+msgid "Update log file after every block."
+msgstr "Cập nhật tập tin nhật ký sau mỗi khối."
+
+#: src/cryptsetup_reencrypt.c:1325
+msgid "Use only this slot (others will be disabled)."
+msgstr "Chỉ sử dụng khe này (những cái khác sẽ bị tắt đi)."
+
+#: src/cryptsetup_reencrypt.c:1328
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Giảm kích thước dữ liệu thiết bị (di chuyển offset dữ liệu). NGUY HIỂM!"
+
+#: src/cryptsetup_reencrypt.c:1329
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Chỉ sử dụng kích thước dữ liệu thiết bị (bỏ qua phần còn lại của thiết bị). NGUY HIỂM!"
+
+#: src/cryptsetup_reencrypt.c:1330
+msgid "Create new header on not encrypted device."
+msgstr "Tạo phần đầu mới không trên thiết bị được mã hóa."
+
+#: src/cryptsetup_reencrypt.c:1331
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "Thiết bị mã hóa cố định (gỡ bỏ mã hóa)."
+
+#: src/cryptsetup_reencrypt.c:1332
+msgid "The uuid used to resume decryption."
+msgstr "uuid được dùng để khôi phục việc giải mã."
+
+#: src/cryptsetup_reencrypt.c:1348
+msgid "[OPTION...] <device>"
+msgstr "[TÙY_CHỌN…] <thiết-bị>"
+
+#: src/cryptsetup_reencrypt.c:1362
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "Reencryption sẽ thay đổi: khóa dung lượng%s%s%s%s.\n"
+
+#: src/cryptsetup_reencrypt.c:1363
+msgid ", set hash to "
+msgstr ", đặt kiểu băm thành "
+
+#: src/cryptsetup_reencrypt.c:1364
+msgid ", set cipher to "
+msgstr ", đặt kiểu mã hóa thành "
+
+#: src/cryptsetup_reencrypt.c:1368
+msgid "Argument required."
+msgstr "Cần đối số."
+
+#: src/cryptsetup_reencrypt.c:1384
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "Chỉ những giá trị nằm giữa 1MiB và 64 MiB là cho phép đối với kích thước khối reencryption (mã hóa lại)."
+
+#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
+msgid "Invalid device size specification."
+msgstr "Đặc tả kích thước thiết bị không đúng."
+
+#: src/cryptsetup_reencrypt.c:1411
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "Kích thước thu nhỏ thiết bị tối đa là 64 MiB."
+
+#: src/cryptsetup_reencrypt.c:1414
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Kích cỡ giảm phải là bội số cung từ (sector) 512 byte"
+
+#: src/cryptsetup_reencrypt.c:1418
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "Tùy chọn “--new” phải được sử dụng cùng với “--reduce-device-size”."
+
+#: src/cryptsetup_reencrypt.c:1422
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "Tùy chọn “--keep-key” có thể dùng với “--hash” hoặc “--iter-time”."
+
+#: src/cryptsetup_reencrypt.c:1426
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "Tùy chọn “--new” không được sử dụng cùng với “ --decrypt”."
+
+#: src/cryptsetup_reencrypt.c:1430
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "Tùy chọn --decrypt không tương thích với các đối số đã cho."
+
+#: src/cryptsetup_reencrypt.c:1434
+msgid "Option --uuid is allowed only together with --decrypt."
+msgstr "Tùy chọn “--uuid” chỉ được sử dụng cùng với “ --decrypt”."
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "Gặp lỗi khi đọc phản hồi từ thiết bị cuối.\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "Câu lệnh đã chạy thành công.\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Câu lệnh đã thất bại với mã %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "Không thể kiểm tra chất lượng mật khẩu: %s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"Chất lượng mật khẩu không đạt:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "Gặp lỗi khi kiểm tra chất lượng mật khẩu: mật khẩu sai (%s)\n"
+
+#~ msgid "Cannot find a free loopback device.\n"
+#~ msgstr "Không tìm thấy thiết bị vòng ngược (loopback) nào còn rảnh.\n"
+
+#~ msgid "Cannot open device %s\n"
+#~ msgstr "Không thể mở thiết bị %s\n"
+
+#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
+#~ msgstr "Không thể dùng UUID chuyển qua trừ khi việc giải mã đang được thực hiện.\n"
+
+#~ msgid "Marking LUKS device %s usable.\n"
+#~ msgstr "Đánh dấu thiết bị LUKS %s là có thể dùng.\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "CẢNH BÁO: đây chỉ là mã thử nghiệm, nó có thể phá hoại dữ liệu của bạn.\n"
+
+#~ msgid "FIPS checksum verification failed.\n"
+#~ msgstr "Thẩm tra mã băm FIPS không đạt.\n"
+
+#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
+#~ msgstr "CẢNH BÁO: thiết-bị %s là một phân vùng, với mã hóa hệ thống TCRYPT bạn thường cần phải sử dụng toàn bộ đường dẫn thiết-bị khối.\n"
+
+#~ msgid "Kernel doesn't support plain64 IV.\n"
+#~ msgstr "Nhân không hỗ trợ plain64 IV.\n"
+
+#~ msgid "Enter LUKS passphrase: "
+#~ msgstr "Gõ cụm từ mật khẩu LUKS: "
+
+#~ msgid "Enter new LUKS passphrase: "
+#~ msgstr "Gõ cụm từ mật khẩu LUKS: "
+
+#~ msgid "Enter any LUKS passphrase: "
+#~ msgstr "Nhập mật khẩu LUKS vào: "
+
+#~ msgid "Failed to obtain device mapper directory."
+#~ msgstr "Lỗi lấy thư mục trình ánh xạ thiết bị."
+
+#~ msgid "Backup file %s doesn't exist.\n"
+#~ msgstr "Tập tin sao lưu %s không tồn tại.\n"
+
+#~ msgid "Cannot open file %s.\n"
+#~ msgstr "Không thể mở tập tin %s.\n"
+
+#~ msgid "<name> <device>"
+#~ msgstr "<tên> <thiết_bị>"
+
+#~ msgid "create device"
+#~ msgstr "tạo thiết bị"
+
+#~ msgid "remove device"
+#~ msgstr "gỡ bỏ thiết bị"
+
+#~ msgid "remove LUKS mapping"
+#~ msgstr "gỡ bỏ sự ánh xạ LUKS"
+
+#~ msgid "open loop-AES device as mapping <name>"
+#~ msgstr "mở thiết bị loop-AES như là ánh xạ <tên>"
+
+#~ msgid "remove loop-AES mapping"
+#~ msgstr "gỡ bỏ ánh xạ loop-AES"
+
+#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
+#~ msgstr "Tùy chọn “--allow-discards” thì chỉ cho phép với thao tác “luksOpen”, “loopaesOpen” và tạo (create).\n"
+
+#~ msgid "Cannot open device %s for %s%s access.\n"
+#~ msgstr "Không thể mở thiết bị %s cho truy cập %s%s.\n"
+
+#~ msgid "exclusive "
+#~ msgstr "dành riêng "
+
+#~ msgid "writable"
+#~ msgstr "ghi được"
+
+#~ msgid "read-only"
+#~ msgstr "chỉ đọc"
+
+#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+#~ msgstr "CẢNH BÁO!!! Có thể là vùng nhớ không an toàn. Bạn có đang chạy dưới quyền siêu người dùng (root) không?\n"
+
+#~ msgid "Unable to obtain sector size for %s"
+#~ msgstr "Không thể lấy kích cỡ cung từ cho %s"
+
+#~ msgid "Failed to write to key storage.\n"
+#~ msgstr "Lỗi ghi khóa vào kho lưu khóa.\n"
+
+#~ msgid "Failed to read from key storage.\n"
+#~ msgstr "Lỗi đọc từ kho lưu khóa.\n"
+
+#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
+#~ msgstr "Không thể sử dụng thiết bị %s (các đoạn crypt chồng lên nhau hay đang sử dụng bởi thiết bị khác).\n"
+
+#~ msgid "Cannot find compatible device-mapper kernel modules.\n"
+#~ msgstr "Không tìm thấy mô-đun hạt nhân ánh xạ thiết bị tương thích.\n"
+
+#~ msgid "Key slot %d verified.\n"
+#~ msgstr "Khe khóa %d được thẩm định.\n"
+
+#~ msgid "Invalid key size %d.\n"
+#~ msgstr "Kích cỡ khóa không đúng %d.\n"
+
+#~ msgid "Warning: exhausting read requested, but key file %s is not a regular file, function might never return.\n"
+#~ msgstr "Cảnh báo: yêu cầu một hàm đọc vét kiệt mà tập tin khóa %s không phải là một tập tin thông thường thì có thể là hàm chưa bao giờ trả lại.\n"
+
+#~ msgid "Cannot open device: %s\n"
+#~ msgstr "Không thể mở thiết bị: %s\n"
+
+#~ msgid "BLKROGET failed on device %s.\n"
+#~ msgstr "BLKROGET bị lỗi trên thiết bị %s.\n"
+
+#~ msgid "BLKGETSIZE failed on device %s.\n"
+#~ msgstr "BLKGETSIZE bị lỗi trên thiết bị %s.\n"
+
+#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
+#~ msgstr "trùng với luksKillSlot - BỊ PHẢN ĐỐI - xem trang hướng dẫn"
+
+#~ msgid "modify active device - DEPRECATED - see man page"
+#~ msgstr "sửa đổi thiết bị hoạt động - BỊ PHẢN ĐỐI - xem trang hướng dẫn"
+
+#~ msgid ""
+#~ "The reload action is deprecated. Please use`dmsetup reload' in case you really need this functionality.\n"
+#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
+#~ msgstr ""
+#~ "Thao tác nạp lại bị phản đối. Hãy sử dụng“dmsetup reload” trong trường hợp bạn thực sự yêu cầu chức năng này.\n"
+#~ "CẢNH BÁO: đừng sử dụng chức năng nạp lại để thao tác thiết bị kiểu LUKS. Trong trường hợp đó, bấm tổ hợp phím Ctrl-C ngay bây giờ.\n"
+
+#~ msgid "Obsolete option --non-exclusive is ignored.\n"
+#~ msgstr "Tùy chọn cũ“--non-exclusive” bị bỏ qua.\n"
+
+#~ msgid "Read the key from a file (can be /dev/random)"
+#~ msgstr "Đọc khóa từ một tập tin nào đó (có thể là“/dev/random”)"
+
+#~ msgid "(Obsoleted, see man page.)"
+#~ msgstr "(Bị phản đối, xem trang hướng dẫn.)"
diff --git a/po/zh_CN.po b/po/zh_CN.po
new file mode 100644
index 0000000..a4b7e25
--- /dev/null
+++ b/po/zh_CN.po
@@ -0,0 +1,1790 @@
+# Chinese simplified translation for cryptsetup.
+# Copyright (C) 2015 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Mingcong Bai <jeffbai@aosc.xyz>, 2015.
+# Mingye Wang <arthur200126@gmail.com>, 2015.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.7.1\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2016-02-21 21:24+0100\n"
+"PO-Revision-Date: 2016-04-27 20:38-0400\n"
+"Last-Translator: Mingye Wang (Arthur2e5) <arthur200126@gmail.com>\n"
+"Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
+"Language: zh_CN\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.8.7\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#: lib/libdevmapper.c:253
+msgid "Cannot initialize device-mapper, running as non-root user.\n"
+msgstr "无法初始化设备映射器,正作为非 root 用户运行。\n"
+
+#: lib/libdevmapper.c:256
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "无法初始化设备映射器。dm_mod 内核模块装载了吗?\n"
+
+#: lib/libdevmapper.c:551
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "设备 %s 的 DM-UUID 被截断。\n"
+
+#: lib/libdevmapper.c:699
+msgid "Requested dmcrypt performance options are not supported.\n"
+msgstr "不支持请求的 dmcrypt 性能选项。\n"
+
+#: lib/random.c:76
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"系统在生成卷密钥时熵不足。\n"
+"请随意移动鼠标或是在别的窗口打字,以便生成随机事件让系统使用。\n"
+
+#: lib/random.c:80
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "正生成密钥(%d%% 已完成)\n"
+
+#: lib/random.c:166
+msgid "Running in FIPS mode.\n"
+msgstr "在 FIPS 模式下运行。\n"
+
+#: lib/random.c:172
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "随机数生成器初始化时发生致命错误。\n"
+
+#: lib/random.c:209
+msgid "Unknown RNG quality requested.\n"
+msgstr "未知的随机数生成器质量请求。\n"
+
+#: lib/random.c:214
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "从 RNG 读取错误 %d: %s\n"
+
+#: lib/setup.c:200
+msgid "Cannot initialize crypto RNG backend.\n"
+msgstr "无法初始化加密随机数生成器后端。\n"
+
+#: lib/setup.c:206
+msgid "Cannot initialize crypto backend.\n"
+msgstr "无法初始化加密后端。\n"
+
+#: lib/setup.c:237 lib/setup.c:1193 lib/verity/verity.c:123
+#, c-format
+msgid "Hash algorithm %s not supported.\n"
+msgstr "不支持哈希算法 %s。\n"
+
+#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#, c-format
+msgid "Key processing error (using hash %s).\n"
+msgstr "密钥处理错误(散列 %s)。\n"
+
+#: lib/setup.c:285
+msgid "Cannot determine device type. Incompatible activation of device?\n"
+msgstr "无法确定设备类型。不兼容的设备激活?\n"
+
+#: lib/setup.c:289 lib/setup.c:1546
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "此操作只适用 LUKS 设备。\n"
+
+#: lib/setup.c:321
+msgid "All key slots full.\n"
+msgstr "密钥槽全都满了。\n"
+
+#: lib/setup.c:328
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "密钥槽 %d 无效,请选择 0 到 %d 间的数字。\n"
+
+#: lib/setup.c:334
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "密钥槽 %d 满了,请选择另一个。\n"
+
+#: lib/setup.c:473
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "输入 %s 的密码:"
+
+#: lib/setup.c:654
+#, c-format
+msgid "Header detected but device %s is too small.\n"
+msgstr "检测到标头但设备 %s 太小。\n"
+
+#: lib/setup.c:670 lib/setup.c:1429
+msgid "This operation is not supported for this device type.\n"
+msgstr "不支持在这类设备上执行此操作。\n"
+
+#: lib/setup.c:909 lib/setup.c:1382 lib/setup.c:2273
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "设备 %s 未激活。\n"
+
+#: lib/setup.c:926
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "加密设备 %s 背后的设备消失了。\n"
+
+#: lib/setup.c:995
+msgid "Invalid plain crypt parameters.\n"
+msgstr "无效的纯加密选项。\n"
+
+#: lib/setup.c:1000 lib/setup.c:1120
+msgid "Invalid key size.\n"
+msgstr "无效的密钥大小。\n"
+
+#: lib/setup.c:1005 lib/setup.c:1125
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "此加密类型不支持 UUID。\n"
+
+#: lib/setup.c:1047
+msgid "Can't format LUKS without device.\n"
+msgstr "无法在没有设备的情况下格式化 LUKS.\n"
+
+#: lib/setup.c:1090
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "无法格式化正在使用的设备 %s。\n"
+
+#: lib/setup.c:1093
+#, c-format
+msgid "Cannot format device %s, permission denied.\n"
+msgstr "无法格式化设备 %s,权限被拒绝。\n"
+
+#: lib/setup.c:1097
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "无法将设备 %s 上的标头擦除。\n"
+
+#: lib/setup.c:1115
+msgid "Can't format LOOPAES without device.\n"
+msgstr "无法在没有设备的情况下格式化 LOOPAES.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format VERITY without device.\n"
+msgstr "无法在没有设备的情况下格式化 VERIFY.\n"
+
+#: lib/setup.c:1161 lib/verity/verity.c:106
+#, c-format
+msgid "Unsupported VERITY hash type %d.\n"
+msgstr "不支持的真理哈希类型 %d。\n"
+
+#: lib/setup.c:1167 lib/verity/verity.c:114
+msgid "Unsupported VERITY block size.\n"
+msgstr "不支持的真理的块大小。\n"
+
+#: lib/setup.c:1172 lib/verity/verity.c:76
+msgid "Unsupported VERITY hash offset.\n"
+msgstr "不支持的真理哈希偏移量。\n"
+
+#: lib/setup.c:1286
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "请求了不支持的加密设备类型 %s。\n"
+
+#: lib/setup.c:1396
+msgid "Cannot resize loop device.\n"
+msgstr "无法改变回环设备大小。\n"
+
+#: lib/setup.c:1444
+msgid "Do you really want to change UUID of device?"
+msgstr "你真的想改变设备的 UUID 吗?"
+
+#: lib/setup.c:1554
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "卷 %s 未激活。\n"
+
+#: lib/setup.c:1565
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "卷 %s 已暂停。\n"
+
+#: lib/setup.c:1572
+#, c-format
+msgid "Suspend is not supported for device %s.\n"
+msgstr "设备 %s 不支持暂停。\n"
+
+#: lib/setup.c:1574
+#, c-format
+msgid "Error during suspending device %s.\n"
+msgstr "暂停设备 %s 时出错。\n"
+
+#: lib/setup.c:1600 lib/setup.c:1647
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "卷 %s 未暂停。\n"
+
+#: lib/setup.c:1614
+#, c-format
+msgid "Resume is not supported for device %s.\n"
+msgstr "设备 %s 不支持恢复。\n"
+
+#: lib/setup.c:1616 lib/setup.c:1668
+#, c-format
+msgid "Error during resuming device %s.\n"
+msgstr "恢复设备 %s 时出错。\n"
+
+#: lib/setup.c:1654 lib/setup.c:2089 lib/setup.c:2103 src/cryptsetup.c:184
+#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
+msgid "Enter passphrase: "
+msgstr "输入密码:"
+
+#: lib/setup.c:1716 lib/setup.c:1852
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "无法添加密钥槽,所有密钥槽已禁用且未提供卷密钥。\n"
+
+#: lib/setup.c:1725 lib/setup.c:1858 lib/setup.c:1862
+msgid "Enter any passphrase: "
+msgstr "输入任意密码:"
+
+#: lib/setup.c:1742 lib/setup.c:1875 lib/setup.c:1879 lib/setup.c:1941
+#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
+msgid "Enter new passphrase for key slot: "
+msgstr "输入密钥槽的新密码:"
+
+#: lib/setup.c:1807
+#, c-format
+msgid "Key slot %d changed.\n"
+msgstr "密钥槽 %d 已改变。\n"
+
+#: lib/setup.c:1810
+#, c-format
+msgid "Replaced with key slot %d.\n"
+msgstr "替换为密钥槽 %d。\n"
+
+#: lib/setup.c:1815
+msgid "Failed to swap new key slot.\n"
+msgstr "交换新密钥槽失败。\n"
+
+#: lib/setup.c:1932 lib/setup.c:2193 lib/setup.c:2206 lib/setup.c:2348
+msgid "Volume key does not match the volume.\n"
+msgstr "卷密钥与卷不匹配。\n"
+
+#: lib/setup.c:1970
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "密钥槽 %d 无效。\n"
+
+#: lib/setup.c:1975
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "密钥槽 %d 未使用。\n"
+
+#: lib/setup.c:2005 lib/setup.c:2077 lib/setup.c:2169
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "设备 %s 已存在。\n"
+
+#: lib/setup.c:2180
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "为普通设备指定的卷密钥有误。\n"
+
+#: lib/setup.c:2213
+msgid "Incorrect root hash specified for verity device.\n"
+msgstr "为真理设备指定的根 hash 不正确。\n"
+
+#: lib/setup.c:2236
+msgid "Device type is not properly initialised.\n"
+msgstr "设备类型不正确初始化。\n"
+
+#: lib/setup.c:2268
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "设备 %s 仍在使用。\n"
+
+#: lib/setup.c:2277
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "设备 %s 无效。\n"
+
+#: lib/setup.c:2298
+msgid "Function not available in FIPS mode.\n"
+msgstr "功能在 FIPS 模式无效。\n"
+
+#: lib/setup.c:2304
+msgid "Volume key buffer too small.\n"
+msgstr "卷密钥缓冲区太小。\n"
+
+#: lib/setup.c:2312
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "无法获取普通设备的卷密钥。\n"
+
+#: lib/setup.c:2319
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "不支持在 %s 加密设备上执行此操作。\n"
+
+#: lib/setup.c:2515
+msgid "Dump operation is not supported for this device type.\n"
+msgstr "不支持在此类设备上执行导出操作。\n"
+
+#: lib/utils.c:244
+msgid "Cannot get process priority.\n"
+msgstr "无法获取进程优先级。\n"
+
+#: lib/utils.c:258
+msgid "Cannot unlock memory.\n"
+msgstr "无法解锁内存。\n"
+
+#: lib/utils_crypt.c:241 lib/utils_crypt.c:254 lib/utils_crypt.c:401
+#: lib/utils_crypt.c:416
+msgid "Out of memory while reading passphrase.\n"
+msgstr "读取密码时内存耗尽。\n"
+
+#: lib/utils_crypt.c:246 lib/utils_crypt.c:261
+msgid "Error reading passphrase from terminal.\n"
+msgstr "从终端读取密码时出错。\n"
+
+#: lib/utils_crypt.c:259
+msgid "Verify passphrase: "
+msgstr "确认密码:"
+
+#: lib/utils_crypt.c:266
+msgid "Passphrases do not match.\n"
+msgstr "密码不匹配。\n"
+
+#: lib/utils_crypt.c:350
+msgid "Cannot use offset with terminal input.\n"
+msgstr "不能将偏移量用于终端输入。\n"
+
+#: lib/utils_crypt.c:369 lib/tcrypt/tcrypt.c:467
+msgid "Failed to open key file.\n"
+msgstr "打开 (open) 密钥文件失败。\n"
+
+# stat() 主要就是出来一个各种文件信息……
+#: lib/utils_crypt.c:378
+msgid "Failed to stat key file.\n"
+msgstr "获取 (stat) 密钥文件统计数据失败。\n"
+
+#: lib/utils_crypt.c:386 lib/utils_crypt.c:407
+msgid "Cannot seek to requested keyfile offset.\n"
+msgstr "无法寻找 (seek) 到请求的密钥文件偏移量。\n"
+
+#: lib/utils_crypt.c:424
+msgid "Error reading passphrase.\n"
+msgstr "读取密码出错。\n"
+
+#: lib/utils_crypt.c:447
+msgid "Maximum keyfile size exceeded.\n"
+msgstr "超出最大密钥文件大小。\n"
+
+#: lib/utils_crypt.c:452
+msgid "Cannot read requested amount of data.\n"
+msgstr "无法读取请求量的数据。\n"
+
+#: lib/utils_device.c:136 lib/luks1/keyencryption.c:90
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "设备 %s 不存在或访问被拒绝。\n"
+
+#: lib/utils_device.c:430
+msgid "Cannot use a loopback device, running as non-root user.\n"
+msgstr "无法使用回环设备,正作为非 root 用户运行。\n"
+
+#: lib/utils_device.c:433
+msgid "Cannot find a free loopback device.\n"
+msgstr "找不到空闲的回环设备。\n"
+
+#: lib/utils_device.c:440
+msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
+msgstr "连接回环设备失败(需要有 autoclear 旗标的回环设备)。\n"
+
+#: lib/utils_device.c:484
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "无法使用正被使用的设备 %s(已被映射或挂载)。\n"
+
+#: lib/utils_device.c:488
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "无法获取有关设备 %s 的信息。\n"
+
+#: lib/utils_device.c:494
+#, c-format
+msgid "Requested offset is beyond real size of device %s.\n"
+msgstr "请求的偏移量超出设备 %s 的真实大小。\n"
+
+#: lib/utils_device.c:502
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "设备 %s 大小为零。\n"
+
+#: lib/utils_device.c:513
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "设备 %s 太小。\n"
+
+#: lib/luks1/keyencryption.c:37
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+msgstr ""
+"为设备 %s 配置 dm-crypt 键映射失败。\n"
+"请确认内核支持 %s 加密(查看系统日志 (syslog) 以获取更多信息)。\n"
+
+#: lib/luks1/keyencryption.c:42
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "XTS 模式的密钥大小必须是 256 或 512 位。\n"
+
+#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
+#: lib/luks1/keymanage.c:572 lib/luks1/keymanage.c:1022
+#, c-format
+msgid "Cannot write to device %s, permission denied.\n"
+msgstr "无法写入到设备 %s,访问被拒绝。\n"
+
+#: lib/luks1/keyencryption.c:111
+msgid "Failed to open temporary keystore device.\n"
+msgstr "打开临时密钥存储设备失败。\n"
+
+#: lib/luks1/keyencryption.c:118
+msgid "Failed to access temporary keystore device.\n"
+msgstr "无法访问临时密钥存储设备。\n"
+
+#: lib/luks1/keyencryption.c:191
+msgid "IO error while encrypting keyslot.\n"
+msgstr "加密密钥槽时发生输入输出错误。\n"
+
+#: lib/luks1/keyencryption.c:256
+msgid "IO error while decrypting keyslot.\n"
+msgstr "解密密钥槽时发生输入输出错误。\n"
+
+#: lib/luks1/keymanage.c:90
+#, c-format
+msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
+msgstr "设备 %s 过小。(LUKS 需要至少 %<PRIu64> 字节。)\n"
+
+#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:418
+#: src/cryptsetup_reencrypt.c:1131
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "%s 不是有效的 LUKS 设备。\n"
+
+#: lib/luks1/keymanage.c:198
+#, c-format
+msgid "Requested header backup file %s already exists.\n"
+msgstr "请求的标头备份文件 %s 已存在。\n"
+
+#: lib/luks1/keymanage.c:200
+#, c-format
+msgid "Cannot create header backup file %s.\n"
+msgstr "无法创建标头备份文件 %s。\n"
+
+#: lib/luks1/keymanage.c:205
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "无法写入标头备份文件 %s。\n"
+
+#: lib/luks1/keymanage.c:239
+msgid "Backup file doesn't contain valid LUKS header.\n"
+msgstr "备份文件不包含有效 LUKS 标头。\n"
+
+#: lib/luks1/keymanage.c:252 lib/luks1/keymanage.c:496
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "无法打开备份标头文件 %s。\n"
+
+#: lib/luks1/keymanage.c:258
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "无法读取标头备份文件 %s。\n"
+
+#: lib/luks1/keymanage.c:269
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "源设备和备份上的数据偏移或密钥大小不符,恢复失败。\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Device %s %s%s"
+msgstr "设备 %s %s%s"
+
+#: lib/luks1/keymanage.c:278
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "不包含 LUKS 标头。替换标头可能损毁设备上的数据。"
+
+#: lib/luks1/keymanage.c:279
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "已包含 LUKS 标头。替换标头将损毁已存在的密钥槽。"
+
+#: lib/luks1/keymanage.c:280
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"警告: 真实设备标头 UUID 和备份不符!"
+
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:535
+#: lib/luks1/keymanage.c:575 lib/tcrypt/tcrypt.c:624 lib/verity/verity.c:82
+#: lib/verity/verity.c:179 lib/verity/verity_hash.c:292
+#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "无法打开设备 %s。\n"
+
+#: lib/luks1/keymanage.c:329
+msgid "Non standard key size, manual repair required.\n"
+msgstr "不标准的密钥大小,需要手动修复。\n"
+
+#: lib/luks1/keymanage.c:334
+msgid "Non standard keyslots alignment, manual repair required.\n"
+msgstr "不标准的密钥槽对齐,需要手动修复。\n"
+
+#: lib/luks1/keymanage.c:340
+msgid "Repairing keyslots.\n"
+msgstr "正在修复密钥槽。\n"
+
+#: lib/luks1/keymanage.c:351
+msgid "Repair failed."
+msgstr "修复失败。"
+
+#: lib/luks1/keymanage.c:363
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u).\n"
+msgstr "密钥槽 %i: 偏移已修复 (%u -> %u)。\n"
+
+#: lib/luks1/keymanage.c:371
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
+msgstr "密钥槽 %i:已修复条带(%u -> %u)。\n"
+
+#: lib/luks1/keymanage.c:380
+#, c-format
+msgid "Keyslot %i: bogus partition signature.\n"
+msgstr "密钥槽 %i:虚假分区签名。\n"
+
+#: lib/luks1/keymanage.c:385
+#, c-format
+msgid "Keyslot %i: salt wiped.\n"
+msgstr "密钥槽 %i: 已清除盐。\n"
+
+#: lib/luks1/keymanage.c:396
+msgid "Writing LUKS header to disk.\n"
+msgstr "正在将 LUKS 标头写入磁盘。\n"
+
+#: lib/luks1/keymanage.c:421
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "不支持的 LUKS 版本 %d。\n"
+
+#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:661
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "不支持请求的 LUKS 哈希 %s。\n"
+
+#: lib/luks1/keymanage.c:442
+#, c-format
+msgid "LUKS keyslot %u is invalid.\n"
+msgstr "LUKS 密钥槽 %u 无效。\n"
+
+#: lib/luks1/keymanage.c:456 src/cryptsetup.c:668
+msgid "No known problems detected for LUKS header.\n"
+msgstr "未在 LUKS 标头发现已知问题。\n"
+
+#: lib/luks1/keymanage.c:596
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "更新设备 %s 上的 LUKS 标头时出错。\n"
+
+#: lib/luks1/keymanage.c:603
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "在更新设备 %s 后重新读取 LUKS 标头失败。\n"
+
+#: lib/luks1/keymanage.c:654
+#, c-format
+msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
+msgstr ""
+
+#: lib/luks1/keymanage.c:666 lib/luks1/keymanage.c:757
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "提供了错误的 LUKS UUID 格式。\n"
+
+#: lib/luks1/keymanage.c:695
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "无法创建 LUKS 标头:读取随机盐失败。\n"
+
+#: lib/luks1/keymanage.c:702 lib/luks1/keymanage.c:798
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "PBKDF2 选项不兼容(正在使用哈希算法 %s)。\n"
+
+#: lib/luks1/keymanage.c:717
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "无法创建 LUKS 标头:标头摘要失败(正在使用哈希值 %s)。\n"
+
+#: lib/luks1/keymanage.c:782
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "密钥槽 %d 已激活,请先清除。\n"
+
+#: lib/luks1/keymanage.c:788
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "密钥槽 %d 条带数过少。标头修改?\n"
+
+#: lib/luks1/keymanage.c:955
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "密钥槽 %d 已解除阻断。\n"
+
+#: lib/luks1/keymanage.c:990 src/cryptsetup.c:867
+#: src/cryptsetup_reencrypt.c:1020 src/cryptsetup_reencrypt.c:1057
+msgid "No key available with this passphrase.\n"
+msgstr "此密码无可用的密钥。\n"
+
+#: lib/luks1/keymanage.c:1008
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "密钥槽 %d 无效,请选择标号 0 到 %d 间的密钥槽。\n"
+
+#: lib/luks1/keymanage.c:1026
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "无法清除设备 %s。\n"
+
+#: lib/loopaes/loopaes.c:146
+msgid "Detected not yet supported GPG encrypted keyfile.\n"
+msgstr "探测到未支持的 GPG 加密密钥文件。\n"
+
+#: lib/loopaes/loopaes.c:147
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "请使用 gpg --decrypt <密钥文件> | cryptsetup --keyfile=- ...\n"
+
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+msgid "Incompatible loop-AES keyfile detected.\n"
+msgstr "探测到不被兼容的 loop-AES 密钥文件。\n"
+
+#: lib/loopaes/loopaes.c:244
+msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+msgstr "内核不支持 loop-AES 兼容映射。\n"
+
+#: lib/tcrypt/tcrypt.c:475
+#, c-format
+msgid "Error reading keyfile %s.\n"
+msgstr "读取密钥文件 %s 失败。\n"
+
+#: lib/tcrypt/tcrypt.c:513
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "超出 TCRYPT 密码长度限制 (%d)。\n"
+
+#: lib/tcrypt/tcrypt.c:543
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
+msgstr "PBKDF2 哈希算法 %s 不可用,准备跳过。\n"
+
+#: lib/tcrypt/tcrypt.c:561 src/cryptsetup.c:621
+msgid "Required kernel crypto interface not available.\n"
+msgstr "无法找到所需的内核加密接口。\n"
+
+#: lib/tcrypt/tcrypt.c:563 src/cryptsetup.c:623
+msgid "Ensure you have algif_skcipher kernel module loaded.\n"
+msgstr "请确定你已载入内核模块 algif_skcipher。\n"
+
+#: lib/tcrypt/tcrypt.c:707
+#, c-format
+msgid "Activation is not supported for %d sector size.\n"
+msgstr "扇区为 %d 时不支持激活。\n"
+
+#: lib/tcrypt/tcrypt.c:713
+msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
+msgstr "内核不支持激活老的 TCRYPT 模式。\n"
+
+#: lib/tcrypt/tcrypt.c:744
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s.\n"
+msgstr "正在为分区 %s 激活 TCRYPT 系统加密。\n"
+
+#: lib/tcrypt/tcrypt.c:810
+msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
+msgstr "内核不支持 TCRYPT 兼容映射。\n"
+
+#: lib/tcrypt/tcrypt.c:1024
+msgid "This function is not supported without TCRYPT header load."
+msgstr "未载入 TCRYPT 标头时不支持此功能。"
+
+#: lib/verity/verity.c:70 lib/verity/verity.c:172
+#, c-format
+msgid "Verity device %s doesn't use on-disk header.\n"
+msgstr "真理设备 %s 未使用磁盘上的标头。\n"
+
+#: lib/verity/verity.c:94
+#, c-format
+msgid "Device %s is not a valid VERITY device.\n"
+msgstr "%s 不是有效的 VERITY 设备。\n"
+
+#: lib/verity/verity.c:101
+#, c-format
+msgid "Unsupported VERITY version %d.\n"
+msgstr "不支持的真理哈希版本 %d。\n"
+
+#: lib/verity/verity.c:131
+msgid "VERITY header corrupted.\n"
+msgstr "VERITY 标头损坏。\n"
+
+#: lib/verity/verity.c:166
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s.\n"
+msgstr "为设备 %s 提供的 VERITY UUID 错误。\n"
+
+#: lib/verity/verity.c:196
+#, c-format
+msgid "Error during update of verity header on device %s.\n"
+msgstr "更新设备 %s 上的 VERITY 标头时出错。\n"
+
+#: lib/verity/verity.c:276
+msgid "Kernel doesn't support dm-verity mapping.\n"
+msgstr "内核不支持 dm-verity 映射。\n"
+
+#: lib/verity/verity.c:287
+msgid "Verity device detected corruption after activation.\n"
+msgstr "在 VERITY 设备激活后探测到损坏。\n"
+
+#: lib/verity/verity_hash.c:59
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+msgstr "备用区位置 %<PRIu64> 未清零。\n"
+
+#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
+#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
+msgid "Device offset overflow.\n"
+msgstr "设备偏移量溢出。\n"
+
+#: lib/verity/verity_hash.c:161
+#, c-format
+msgid "Verification failed at position %<PRIu64>.\n"
+msgstr "在 %<PRIu64> 上发生检验错误。\n"
+
+#: lib/verity/verity_hash.c:235
+msgid "Invalid size parameters for verity device.\n"
+msgstr "为 VERITY 设备提供的大小指标无效。\n"
+
+#: lib/verity/verity_hash.c:266
+msgid "Too many tree levels for verity volume.\n"
+msgstr "VERITY 卷上的目录树层级过多。\n"
+
+#: lib/verity/verity_hash.c:354
+msgid "Verification of data area failed.\n"
+msgstr "数据区检验失败。\n"
+
+#: lib/verity/verity_hash.c:359
+msgid "Verification of root hash failed.\n"
+msgstr "根哈希值检验失败。\n"
+
+#: lib/verity/verity_hash.c:365
+msgid "Input/output error while creating hash area.\n"
+msgstr "创建哈希数据区时发生输入/输出错误。\n"
+
+#: lib/verity/verity_hash.c:367
+msgid "Creation of hash area failed.\n"
+msgstr "创建哈希区失败。\n"
+
+#: lib/verity/verity_hash.c:414
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+msgstr "警告:如数据块大小超过内存分页大小,内核将无法激活设备 (%u)。\n"
+
+#: src/cryptsetup.c:92
+msgid "Can't do passphrase verification on non-tty inputs.\n"
+msgstr "无法从非 TTY 输入验证密码。\n"
+
+#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
+#: src/cryptsetup_reencrypt.c:523 src/cryptsetup_reencrypt.c:577
+msgid "No known cipher specification pattern detected.\n"
+msgstr "未探测到已知的密文特征。\n"
+
+#: src/cryptsetup.c:141
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "警告:在纯文本模式下指定密钥文件时将忽略参数 --hash。\n"
+
+#: src/cryptsetup.c:149
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "警告:将忽略参数 --keyfile-size,读取大小应与加密密钥大小一致。\n"
+
+#: src/cryptsetup.c:215
+msgid "Option --key-file is required.\n"
+msgstr "需要选项 --key-file。\n"
+
+#: src/cryptsetup.c:267
+msgid "No device header detected with this passphrase.\n"
+msgstr "未从此密码中探测到设备标头。\n"
+
+#: src/cryptsetup.c:327 src/cryptsetup.c:1160
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+
+#: src/cryptsetup.c:517
+msgid "Result of benchmark is not reliable.\n"
+msgstr "测试结果不可靠。\n"
+
+#: src/cryptsetup.c:558
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# 测试仅使用内存(无存储 IO)。\n"
+
+#: src/cryptsetup.c:583 src/cryptsetup.c:605
+msgid "# Algorithm | Key | Encryption | Decryption\n"
+msgstr "# 算法 | 密钥 | 加密 | 解密\n"
+
+#: src/cryptsetup.c:587
+#, c-format
+msgid "Cipher %s is not available.\n"
+msgstr "密文 %s 不可用。\n"
+
+#: src/cryptsetup.c:614
+msgid "N/A"
+msgstr "不可用"
+
+#: src/cryptsetup.c:639
+#, c-format
+msgid "Cannot read keyfile %s.\n"
+msgstr ""
+"无法读取密钥文件 %s。\n"
+"\n"
+
+#: src/cryptsetup.c:643
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s.\n"
+msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n"
+
+#: src/cryptsetup.c:672
+msgid "Really try to repair LUKS device header?"
+msgstr "确定要尝试修复 LUKS 设备标头吗?"
+
+#: src/cryptsetup.c:697
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "这将覆盖 %s 上的数据,该动作不可取消。"
+
+#: src/cryptsetup.c:699
+msgid "memory allocation error in action_luksFormat"
+msgstr "在 action_luksFormat 中发生内存分配错误"
+
+#: src/cryptsetup.c:721
+#, c-format
+msgid "Cannot use %s as on-disk header.\n"
+msgstr "无法将 %s 作为磁盘上的标头使用。\n"
+
+#: src/cryptsetup.c:788
+msgid "Reduced data offset is allowed only for detached LUKS header.\n"
+msgstr "仅已脱离的 LUKS 数据头可以使用缩减的数据偏移。\n"
+
+#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "已选中密钥槽 %d 以删除。\n"
+
+#: src/cryptsetup.c:893
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "无法清除未激活的密钥 %d。\n"
+
+#: src/cryptsetup.c:901 src/cryptsetup.c:949
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "这是最后一个密钥槽。设备在清空此密钥后将不可用。"
+
+#: src/cryptsetup.c:902
+msgid "Enter any remaining passphrase: "
+msgstr "输入任意剩余的密码:"
+
+#: src/cryptsetup.c:930
+msgid "Enter passphrase to be deleted: "
+msgstr "输入要移除的密码:"
+
+#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1095
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "输入任意已存在的密码:"
+
+#: src/cryptsetup.c:1072
+msgid "Enter passphrase to be changed: "
+msgstr "输入要更改的密码:"
+
+#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1080
+msgid "Enter new passphrase: "
+msgstr "输入新密码:"
+
+#: src/cryptsetup.c:1110
+msgid "Only one device argument for isLuks operation is supported.\n"
+msgstr "isLuks 操作仅支持一个设备参数。\n"
+
+#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
+msgid "Option --header-backup-file is required.\n"
+msgstr "必须指定 --header-backup-file 选项。\n"
+
+#: src/cryptsetup.c:1324
+#, c-format
+msgid "Unrecognized metadata device type %s.\n"
+msgstr "无法识别的元数据设备类型 %s。\n"
+
+#: src/cryptsetup.c:1327
+msgid "Command requires device and mapped name as arguments.\n"
+msgstr "命令需要设备及映射名作为参数。\n"
+
+#: src/cryptsetup.c:1346
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"该操作将清空设备 %s 上所有的密钥槽。\n"
+"设备在此操作后将不可用。"
+
+#: src/cryptsetup.c:1380
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<设备> [--type <类型>] [<名称>]"
+
+#: src/cryptsetup.c:1380
+msgid "open device as mapping <name>"
+msgstr "以映射 <名称> 打开设备"
+
+#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
+#: src/cryptsetup.c:1384 src/veritysetup.c:311 src/veritysetup.c:312
+msgid "<name>"
+msgstr "<名称>"
+
+#: src/cryptsetup.c:1381
+msgid "close device (remove mapping)"
+msgstr "关闭设备(移除映射)"
+
+#: src/cryptsetup.c:1382
+msgid "resize active device"
+msgstr "改变活动设备大小。"
+
+#: src/cryptsetup.c:1383
+msgid "show device status"
+msgstr "显示设备状态"
+
+#: src/cryptsetup.c:1384
+msgid "benchmark cipher"
+msgstr "测试密文"
+
+#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
+#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
+#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
+#: src/cryptsetup.c:1399
+msgid "<device>"
+msgstr "<设备>"
+
+#: src/cryptsetup.c:1385
+msgid "try to repair on-disk metadata"
+msgstr "尝试修复磁盘上的元数据"
+
+#: src/cryptsetup.c:1386
+msgid "erase all keyslots (remove encryption key)"
+msgstr "清空所有密钥槽(移除加密密钥)"
+
+#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
+msgid "<device> [<new key file>]"
+msgstr "<设备> [<新密钥文件>]"
+
+#: src/cryptsetup.c:1387
+msgid "formats a LUKS device"
+msgstr "格式化一个 LUKS 设备"
+
+#: src/cryptsetup.c:1388
+msgid "add key to LUKS device"
+msgstr "向 LUKS 设备添加密钥"
+
+#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
+msgid "<device> [<key file>]"
+msgstr "<设备> [<密钥文件>]"
+
+#: src/cryptsetup.c:1389
+msgid "removes supplied key or key file from LUKS device"
+msgstr "移除 LUKS 设备中指定的密钥或密钥文件"
+
+#: src/cryptsetup.c:1390
+msgid "changes supplied key or key file of LUKS device"
+msgstr "更改 LUKS 设备中指定的密钥或密钥文件"
+
+#: src/cryptsetup.c:1391
+msgid "<device> <key slot>"
+msgstr "<设备> <密钥槽>"
+
+#: src/cryptsetup.c:1391
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "从 LUKS 设备清理标号为 <key slot> 的密钥"
+
+#: src/cryptsetup.c:1392
+msgid "print UUID of LUKS device"
+msgstr "输出 LUKS 设备的 UUID(唯一标识符)"
+
+#: src/cryptsetup.c:1393
+msgid "tests <device> for LUKS partition header"
+msgstr "从 <device> 探测 LUKS 分区标头"
+
+#: src/cryptsetup.c:1394
+msgid "dump LUKS partition information"
+msgstr "调出 LUKS 分区信息"
+
+#: src/cryptsetup.c:1395
+msgid "dump TCRYPT device information"
+msgstr "调出 TCRYPT 设备信息"
+
+#: src/cryptsetup.c:1396
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "挂起 LUKS 设备并清除密钥(冻结所有 IO 操作)。"
+
+#: src/cryptsetup.c:1397
+msgid "Resume suspended LUKS device."
+msgstr "恢复已暂停的 LUKS 设备。"
+
+#: src/cryptsetup.c:1398
+msgid "Backup LUKS device header and keyslots"
+msgstr "备份 LUKS 设备标头和密钥槽"
+
+#: src/cryptsetup.c:1399
+msgid "Restore LUKS device header and keyslots"
+msgstr "恢复 LUKS 设备标头和密钥槽"
+
+#: src/cryptsetup.c:1416 src/veritysetup.c:328
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<动作> 为其中之一:\n"
+
+#: src/cryptsetup.c:1422
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+msgstr ""
+"\n"
+"你亦可使用老的 <动作> 语法别名:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+
+#: src/cryptsetup.c:1426
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<name> 为要在 %s 创建的设备\n"
+"<device> 为加密设备\n"
+"<key slot> 为需要更改的 LUKS 密钥槽\n"
+"<key file> 提供给 luksAddKey 动作的密钥文件\n"
+
+#: src/cryptsetup.c:1433
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgstr ""
+"\n"
+"默认集成的密钥和密码参数:\n"
+"\t密钥文件的最大大小:%dkB, 交互式密码的最大长度:%d (字符)\n"
+"LUKS 的默认 PBKDF2 迭代时间:%d (毫秒)\n"
+
+#: src/cryptsetup.c:1440
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"默认集成的设备密文参数:\n"
+"\tloop-AES:%s, %d 位密钥\n"
+"\tplain:%s, 密钥:%d 位, 密码哈希:%s\n"
+"\tLUKS1:%s, 密钥:%d bits, LUKS 数据头哈希:%s, RNG:%s\n"
+
+#: src/cryptsetup.c:1457 src/veritysetup.c:460
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: 需要 %s 作为参数"
+
+#: src/cryptsetup.c:1490 src/veritysetup.c:368 src/cryptsetup_reencrypt.c:1274
+msgid "Show this help message"
+msgstr "显示此帮助"
+
+#: src/cryptsetup.c:1491 src/veritysetup.c:369 src/cryptsetup_reencrypt.c:1275
+msgid "Display brief usage"
+msgstr "显示简短用法"
+
+#: src/cryptsetup.c:1495 src/veritysetup.c:373 src/cryptsetup_reencrypt.c:1279
+msgid "Help options:"
+msgstr "帮助选项:"
+
+#: src/cryptsetup.c:1496 src/veritysetup.c:374 src/cryptsetup_reencrypt.c:1280
+msgid "Print package version"
+msgstr "打印软件包版本"
+
+#: src/cryptsetup.c:1497 src/veritysetup.c:375 src/cryptsetup_reencrypt.c:1281
+msgid "Shows more detailed error messages"
+msgstr "显示更详细的错误信息"
+
+#: src/cryptsetup.c:1498 src/veritysetup.c:376 src/cryptsetup_reencrypt.c:1282
+msgid "Show debug messages"
+msgstr "显示调试信息"
+
+#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1284
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "用于加密磁盘的密文(参见 /proc/crypto)"
+
+#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1286
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "用于从密码创建加密密钥的哈希值"
+
+#: src/cryptsetup.c:1501
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "两次询问密码以进行验证"
+
+#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1288
+msgid "Read the key from a file."
+msgstr "从文件读取密钥。"
+
+#: src/cryptsetup.c:1503
+msgid "Read the volume (master) key from file."
+msgstr "从文件读取卷(主)密钥。"
+
+#: src/cryptsetup.c:1504
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "转储卷(主)密钥而不是键槽信息。"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1285
+msgid "The size of the encryption key"
+msgstr "加密密钥大小"
+
+#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1285
+msgid "BITS"
+msgstr "位"
+
+#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1299
+msgid "Limits the read from keyfile"
+msgstr "限制从密钥文件读取"
+
+#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
+#: src/cryptsetup.c:1509 src/veritysetup.c:379 src/veritysetup.c:380
+#: src/veritysetup.c:382 src/cryptsetup_reencrypt.c:1298
+#: src/cryptsetup_reencrypt.c:1299 src/cryptsetup_reencrypt.c:1300
+#: src/cryptsetup_reencrypt.c:1301
+msgid "bytes"
+msgstr "字节"
+
+#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1298
+msgid "Number of bytes to skip in keyfile"
+msgstr "要从密钥文件跳过的字节数"
+
+#: src/cryptsetup.c:1508
+msgid "Limits the read from newly added keyfile"
+msgstr "限制从新增密钥文件的读取"
+
+#: src/cryptsetup.c:1509
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "要从新增密钥文件跳过的字节数"
+
+#: src/cryptsetup.c:1510
+msgid "Slot number for new key (default is first free)"
+msgstr "新密钥的槽号(默认为第一个可用的)"
+
+#: src/cryptsetup.c:1511
+msgid "The size of the device"
+msgstr "设备大小"
+
+#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
+#: src/cryptsetup.c:1519
+msgid "SECTORS"
+msgstr "扇区"
+
+#: src/cryptsetup.c:1512
+msgid "The start offset in the backend device"
+msgstr "后端设备的起始偏移量"
+
+#: src/cryptsetup.c:1513
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "从开头要跳过的加密数据扇区数量"
+
+#: src/cryptsetup.c:1514
+msgid "Create a readonly mapping"
+msgstr "创建只读映射"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1289
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "LUKS 默认 PBKDF2 迭代时间(毫秒)"
+
+#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1289
+msgid "msecs"
+msgstr "毫秒"
+
+#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1290
+msgid "Do not ask for confirmation"
+msgstr "不要请求确认"
+
+#: src/cryptsetup.c:1517
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "交互式密码提示符超时长度(秒)"
+
+#: src/cryptsetup.c:1517
+msgid "secs"
+msgstr "秒"
+
+#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1291
+msgid "How often the input of the passphrase can be retried"
+msgstr "输入密码的最大重试频率"
+
+#: src/cryptsetup.c:1519
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "于 <n> 个扇区边界处对其载荷数据 - 供 luks 格式用"
+
+#: src/cryptsetup.c:1520
+msgid "File with LUKS header and keyslots backup."
+msgstr "带有 LUKS 数据头和密钥槽备份的文件。"
+
+#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1292
+msgid "Use /dev/random for generating volume key."
+msgstr "使用 /dev/random 生成卷密钥。"
+
+#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1293
+msgid "Use /dev/urandom for generating volume key."
+msgstr "使用 /dev/urandom 生成卷密钥。"
+
+#: src/cryptsetup.c:1523
+msgid "Share device with another non-overlapping crypt segment."
+msgstr "与另一个不重合的加密段共享设备。"
+
+#: src/cryptsetup.c:1524 src/veritysetup.c:385
+msgid "UUID for device to use."
+msgstr "设备使用的 UUID 已占用。"
+
+#: src/cryptsetup.c:1525
+msgid "Allow discards (aka TRIM) requests for device."
+msgstr "允许设备的 discard(或称 TRIM)请求。"
+
+#: src/cryptsetup.c:1526
+msgid "Device or file with separated LUKS header."
+msgstr "带有分离 LUKS 数据头的设备或文件。"
+
+#: src/cryptsetup.c:1527
+msgid "Do not activate device, just check passphrase."
+msgstr "不要激活设备,仅检查密码。"
+
+#: src/cryptsetup.c:1528
+msgid "Use hidden header (hidden TCRYPT device)."
+msgstr "使用隐藏数据头(隐藏 TCRYPT 设备)"
+
+#: src/cryptsetup.c:1529
+msgid "Device is system TCRYPT drive (with bootloader)."
+msgstr "设备为系统 TCRYPT 驱动器(带有引导器)。"
+
+#: src/cryptsetup.c:1530
+msgid "Use backup (secondary) TCRYPT header."
+msgstr "使用备份(次级)TCRYPT 标头。"
+
+#: src/cryptsetup.c:1531
+msgid "Scan also for VeraCrypt compatible device."
+msgstr "同时扫描 VeraCrypt 兼容的设备。"
+
+#: src/cryptsetup.c:1532
+msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
+msgstr "设备元数据类型:luks, 纯粹 (plain), loopaes, tcrypt."
+
+#: src/cryptsetup.c:1533
+msgid "Disable password quality check (if enabled)."
+msgstr "禁用密码质量检查 (如果已启用)。"
+
+#: src/cryptsetup.c:1534
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
+msgstr "使用 dm-crypt same_cpu_crypt 性能兼容性选项。"
+
+#: src/cryptsetup.c:1535
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
+msgstr "使用 dm-crypt submit_from_crypt_cpus 性能兼容性选项。"
+
+#: src/cryptsetup.c:1551 src/veritysetup.c:402
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[选项…] <动作> <动作特定参数>"
+
+#: src/cryptsetup.c:1602 src/veritysetup.c:439
+msgid "Argument <action> missing."
+msgstr "缺失参数 <动作>。"
+
+#: src/cryptsetup.c:1655 src/veritysetup.c:445
+msgid "Unknown action."
+msgstr "未知动作。"
+
+#: src/cryptsetup.c:1665
+msgid "Option --shared is allowed only for open of plain device.\n"
+msgstr "选项 --shared 只适用于打开纯设备。\n"
+
+#: src/cryptsetup.c:1670
+msgid "Option --allow-discards is allowed only for open operation.\n"
+msgstr "选项 --allow-discards 只适用于打开操作。\n"
+
+#: src/cryptsetup.c:1678
+msgid ""
+"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"选项 --key-size 只能用于 luksFormat, 打开和性能测试。\n"
+"要限制密钥文件读取请使用 --keyfile-size=(字节数)。"
+
+#: src/cryptsetup.c:1685
+msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+msgstr "选项 --test-passphrase 只能用于打开 LUKS 和 TCRYPT 设备。\n"
+
+#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1360
+msgid "Key size must be a multiple of 8 bits"
+msgstr "密钥尺寸必须是 8 的倍数"
+
+#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1365
+msgid "Key slot is invalid."
+msgstr "密钥槽无效。"
+
+#: src/cryptsetup.c:1704
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "选项 --key-file 优先使用指定的密钥文件参数。\n"
+
+#: src/cryptsetup.c:1712 src/veritysetup.c:467 src/cryptsetup_reencrypt.c:1349
+msgid "Negative number for option not permitted."
+msgstr "不允许在选项中填入负数。"
+
+#: src/cryptsetup.c:1716
+msgid "Only one --key-file argument is allowed."
+msgstr "只允许存在一个 --key-file 选项。"
+
+#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1343
+#: src/cryptsetup_reencrypt.c:1369
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "--use-[u]random 选项只能用一处。"
+
+#: src/cryptsetup.c:1724
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "选项 --use-[u]random 只适用于 luksFormat。"
+
+#: src/cryptsetup.c:1728
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "选项 --uuid 只允许用于 luksFormat 和 luksUUID。"
+
+#: src/cryptsetup.c:1732
+msgid "Option --align-payload is allowed only for luksFormat."
+msgstr "选项 --align-payload 只允许用于 luksFormat。"
+
+#: src/cryptsetup.c:1738
+msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+msgstr "选项 --skip 只适用于打开纯设备和 loopaes 设备。\n"
+
+#: src/cryptsetup.c:1744
+msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+msgstr "选项 --offset 只适用于打开纯设备和 loopaes 设备。\n"
+
+#: src/cryptsetup.c:1750
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+msgstr "选项 --tcrypt-hidden, --tcrypt-system 或 --tcrypt-backup 只支持 TCRYPT 设备。\n"
+
+#: src/cryptsetup.c:1755
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+msgstr "选项 --tcrypt-hidden 不能与 --allow-discards 共用。\n"
+
+#: src/cryptsetup.c:1760
+msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n"
+
+#: src/veritysetup.c:58
+msgid "Invalid salt string specified.\n"
+msgstr "指定了无效的盐字串。\n"
+
+#: src/veritysetup.c:88
+#, c-format
+msgid "Cannot create hash image %s for writing.\n"
+msgstr "无法为创建哈希映像 %s 以供写入。\n"
+
+#: src/veritysetup.c:148
+msgid "Invalid root hash string specified.\n"
+msgstr "指定了无效的根哈希值字串。\n"
+
+#: src/veritysetup.c:308
+msgid "<data_device> <hash_device>"
+msgstr "<数据设备> <哈希设备>"
+
+#: src/veritysetup.c:308
+msgid "format device"
+msgstr "格式化设备"
+
+#: src/veritysetup.c:309
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<数据设备> <哈希设备> <根哈希值>"
+
+#: src/veritysetup.c:309
+msgid "verify device"
+msgstr "验证设备"
+
+#: src/veritysetup.c:310
+msgid "<name> <data_device> <hash_device> <root_hash>"
+msgstr "<名称> <数据设备> <哈希设备> <根哈希值>"
+
+#: src/veritysetup.c:310
+msgid "create active device"
+msgstr "创建已激活的设备"
+
+#: src/veritysetup.c:311
+msgid "remove (deactivate) device"
+msgstr "移除(禁用)设备"
+
+#: src/veritysetup.c:312
+msgid "show active device status"
+msgstr "显示已激活的设备信息"
+
+#: src/veritysetup.c:313
+msgid "<hash_device>"
+msgstr "<哈希设备>"
+
+#: src/veritysetup.c:313
+msgid "show on-disk information"
+msgstr "显示磁盘上的信息"
+
+#: src/veritysetup.c:332
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<名称> 是在 %s 下要创建的设备\n"
+"<数据设备> 就是数据设备\n"
+"<哈希设备> 是含有验证信息的设备\n"
+"<根哈希值> 是 <哈希设备> 根节点的哈希值\n"
+
+#: src/veritysetup.c:339
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"编译时决定的默认 dm-verify 参数:\n"
+"\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n"
+
+#: src/veritysetup.c:377
+msgid "Do not use verity superblock"
+msgstr "不使用真理超级块"
+
+#: src/veritysetup.c:378
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "格式类型 (1 - 正常, 0 - 原版 Chrome OS)"
+
+#: src/veritysetup.c:378
+msgid "number"
+msgstr "数字"
+
+#: src/veritysetup.c:379
+msgid "Block size on the data device"
+msgstr "数据设备的块大小"
+
+#: src/veritysetup.c:380
+msgid "Block size on the hash device"
+msgstr "哈希设备的块大小"
+
+#: src/veritysetup.c:381
+msgid "The number of blocks in the data file"
+msgstr "数据文件的块数量"
+
+#: src/veritysetup.c:381
+msgid "blocks"
+msgstr "块"
+
+#: src/veritysetup.c:382
+msgid "Starting offset on the hash device"
+msgstr "哈希设备开始位置偏移量"
+
+#: src/veritysetup.c:383
+msgid "Hash algorithm"
+msgstr "哈希算法"
+
+#: src/veritysetup.c:383
+msgid "string"
+msgstr "字符串"
+
+#: src/veritysetup.c:384
+msgid "Salt"
+msgstr "盐"
+
+#: src/veritysetup.c:384
+msgid "hex string"
+msgstr "十六进制字符串"
+
+#: src/cryptsetup_reencrypt.c:147
+#, c-format
+msgid "Cannot exclusively open %s, device in use.\n"
+msgstr "无法独占打开 %s,设备正在使用中。\n"
+
+#: src/cryptsetup_reencrypt.c:151
+#, c-format
+msgid "Cannot open device %s\n"
+msgstr "无法打开设备 %s。\n"
+
+#: src/cryptsetup_reencrypt.c:161 src/cryptsetup_reencrypt.c:914
+msgid "Allocation of aligned memory failed.\n"
+msgstr "分配对齐内存失败。\n"
+
+#: src/cryptsetup_reencrypt.c:168
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "无法读取设备 %s.\n"
+
+#: src/cryptsetup_reencrypt.c:179
+#, c-format
+msgid "Marking LUKS device %s unusable.\n"
+msgstr "正将 LUKS 设备 %s 标为不可用。\n"
+
+#: src/cryptsetup_reencrypt.c:184
+#, c-format
+msgid "Marking LUKS device %s usable.\n"
+msgstr "正将 LUKS 设备 %s 标为可用。\n"
+
+#: src/cryptsetup_reencrypt.c:200
+#, c-format
+msgid "Cannot write device %s.\n"
+msgstr "无法写入设备 %s。\n"
+
+#: src/cryptsetup_reencrypt.c:281
+msgid "Cannot write reencryption log file.\n"
+msgstr "无法写入重加密日志文件。\n"
+
+#: src/cryptsetup_reencrypt.c:337
+msgid "Cannot read reencryption log file.\n"
+msgstr "无法读取重加密日志文件。\n"
+
+#: src/cryptsetup_reencrypt.c:374
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "日志文件 %s 存在,继续重加密。\n"
+
+#: src/cryptsetup_reencrypt.c:424
+msgid "Activating temporary device using old LUKS header.\n"
+msgstr "正使用旧 LUKS 标头激活临时设备。\n"
+
+#: src/cryptsetup_reencrypt.c:435
+msgid "Activating temporary device using new LUKS header.\n"
+msgstr "正使用新 LUKS 标头激活临时设备。\n"
+
+#: src/cryptsetup_reencrypt.c:445
+msgid "Activation of temporary devices failed.\n"
+msgstr "激活临时设备失败。\n"
+
+#: src/cryptsetup_reencrypt.c:471
+#, c-format
+msgid "New LUKS header for device %s created.\n"
+msgstr "已创建设备 %s 的新 LUKS 标头。\n"
+
+#: src/cryptsetup_reencrypt.c:479
+#, c-format
+msgid "Activated keyslot %i.\n"
+msgstr "已激活密钥槽 %i。\n"
+
+#: src/cryptsetup_reencrypt.c:505
+#, c-format
+msgid "LUKS header backup of device %s created.\n"
+msgstr "已创建设备 %s 的 LUKS 标头备份。\n"
+
+#: src/cryptsetup_reencrypt.c:553
+msgid "Creation of LUKS backup headers failed.\n"
+msgstr "LUKS 备份标头创建失败。\n"
+
+#: src/cryptsetup_reencrypt.c:655
+#, c-format
+msgid "Cannot restore LUKS header on device %s.\n"
+msgstr "无法在设备 %s 上恢复 LUKS 标头。\n"
+
+#: src/cryptsetup_reencrypt.c:657
+#, c-format
+msgid "LUKS header on device %s restored.\n"
+msgstr "在设备 %s 上的 LUKS 标头已恢复。\n"
+
+#: src/cryptsetup_reencrypt.c:690
+#, c-format
+msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+msgstr "进度:%5.1f%%, 生育 %02llu:%02llu, %4llu MiB 已写入, 速度 %5.1f MiB/s%s"
+
+#: src/cryptsetup_reencrypt.c:729 src/cryptsetup_reencrypt.c:805
+#: src/cryptsetup_reencrypt.c:847
+msgid "Cannot seek to device offset.\n"
+msgstr "无法寻找到设备偏移位置。\n"
+
+#: src/cryptsetup_reencrypt.c:886 src/cryptsetup_reencrypt.c:892
+msgid "Cannot open temporary LUKS device.\n"
+msgstr "无法打开临时 LUKS 设备。\n"
+
+#: src/cryptsetup_reencrypt.c:897 src/cryptsetup_reencrypt.c:902
+msgid "Cannot get device size.\n"
+msgstr "无法获取设备大小。\n"
+
+#: src/cryptsetup_reencrypt.c:940
+msgid "Interrupted by a signal.\n"
+msgstr "被信号中断。\n"
+
+#: src/cryptsetup_reencrypt.c:942
+msgid "IO error during reencryption.\n"
+msgstr "重加密时发生 IO 错误。\n"
+
+#: src/cryptsetup_reencrypt.c:1049
+msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
+msgstr "密钥文件只能在指定 --key-slot 时或有且只有一个槽启用时使用。\n"
+
+#: src/cryptsetup_reencrypt.c:1093 src/cryptsetup_reencrypt.c:1108
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "输入密钥槽 %u 的密码:"
+
+#: src/cryptsetup_reencrypt.c:1157
+msgid "Cannot open reencryption log file.\n"
+msgstr "无法打开重加密日志文件。\n"
+
+#: src/cryptsetup_reencrypt.c:1283
+msgid "Reencryption block size"
+msgstr "重加密块大小"
+
+#: src/cryptsetup_reencrypt.c:1283
+msgid "MiB"
+msgstr "MiB"
+
+#: src/cryptsetup_reencrypt.c:1287
+msgid "Do not change key, no data area reencryption."
+msgstr "不要更改密钥,无数据区重加密。"
+
+#: src/cryptsetup_reencrypt.c:1294
+msgid "Use direct-io when accessing devices."
+msgstr "在访问设备时使用 direct-io。"
+
+#: src/cryptsetup_reencrypt.c:1295
+msgid "Use fsync after each block."
+msgstr "在每个数据块后使用 fsync。"
+
+#: src/cryptsetup_reencrypt.c:1296
+msgid "Update log file after every block."
+msgstr "在每个数据块后更新日志文件。"
+
+#: src/cryptsetup_reencrypt.c:1297
+msgid "Use only this slot (others will be disabled)."
+msgstr "仅使用这个密钥槽(其他的密钥槽将被禁用)。"
+
+#: src/cryptsetup_reencrypt.c:1300
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "减少数据设备大小(移动数据偏移量)。危险!"
+
+#: src/cryptsetup_reencrypt.c:1301
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "只使用指定的设备大小(忽略设备其余部分)。危险!"
+
+#: src/cryptsetup_reencrypt.c:1302
+msgid "Create new header on not encrypted device."
+msgstr "在未加密的设备上创建新的标头。"
+
+#: src/cryptsetup_reencrypt.c:1303
+msgid "Permanently decrypt device (remove encryption)."
+msgstr "永久解密设备(移除加密)。"
+
+#: src/cryptsetup_reencrypt.c:1319
+msgid "[OPTION...] <device>"
+msgstr "[选项...] <设备>"
+
+#: src/cryptsetup_reencrypt.c:1333
+#, c-format
+msgid "Reencryption will change: volume key%s%s%s%s.\n"
+msgstr "重加密会改变:卷密钥 %s%s%s%s。\n"
+
+#: src/cryptsetup_reencrypt.c:1334
+msgid ", set hash to "
+msgstr ",设置哈希值为 "
+
+#: src/cryptsetup_reencrypt.c:1335
+msgid ", set cipher to "
+msgstr ",设定密文为 "
+
+#: src/cryptsetup_reencrypt.c:1339
+msgid "Argument required."
+msgstr "需要参数。"
+
+#: src/cryptsetup_reencrypt.c:1355
+msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
+msgstr "重加密块大小只能是 1 MiB 到 64 MiB 之间的值。"
+
+#: src/cryptsetup_reencrypt.c:1374 src/cryptsetup_reencrypt.c:1379
+msgid "Invalid device size specification."
+msgstr "无效的设备大小指标。"
+
+#: src/cryptsetup_reencrypt.c:1382
+msgid "Maximum device reduce size is 64 MiB."
+msgstr "最大设备缩减大小为 64 MiB。"
+
+#: src/cryptsetup_reencrypt.c:1385
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "缩减大小必须为 512 字节扇区的倍数。"
+
+#: src/cryptsetup_reencrypt.c:1389
+msgid "Option --new must be used together with --reduce-device-size."
+msgstr "选项 --new 必须与 --reduce-device-size 共用。"
+
+#: src/cryptsetup_reencrypt.c:1393
+msgid "Option --keep-key can be used only with --hash or --iter-time."
+msgstr "选项 --keep-key 只能与 --hash 或 --iter-time 共用。"
+
+#: src/cryptsetup_reencrypt.c:1397
+msgid "Option --new cannot be used together with --decrypt."
+msgstr "选项 --new 不可与 --decrypt 共用。"
+
+#: src/cryptsetup_reencrypt.c:1401
+msgid "Option --decrypt is incompatible with specified parameters."
+msgstr "选项 --decrypt 与选定参数不兼容。"
+
+#: src/utils_tools.c:151
+msgid "Error reading response from terminal.\n"
+msgstr "从终端读取回应时失败。\n"
+
+#: src/utils_tools.c:173
+msgid "Command successful.\n"
+msgstr "命令成功。\n"
+
+#: src/utils_tools.c:191
+#, c-format
+msgid "Command failed with code %i"
+msgstr "命令失败,代码 %i"
+
+#: src/utils_password.c:42 src/utils_password.c:74
+#, c-format
+msgid "Cannot check password quality: %s\n"
+msgstr "无法检查密码质量:%s\n"
+
+#: src/utils_password.c:50
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s\n"
+msgstr ""
+"密码质量检查失败:\n"
+" %s\n"
+
+#: src/utils_password.c:82
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)\n"
+msgstr "密码质量检查失败:无效密码 (%s)\n"
+
+#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
+#~ msgstr "警告:此为实验性代码,实验性代码可能完全损毁你的数据。\n"
diff --git a/python/Makefile.am b/python/Makefile.am
new file mode 100644
index 0000000..ab61082
--- /dev/null
+++ b/python/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = -include $(top_srcdir)/config.h -I$(top_srcdir)/lib $(PYTHON_INCLUDES)
+EXTRA_DIST = pycryptsetup-test.py
+CLEANFILES = *.img
+
+if PYTHON_CRYPTSETUP
+TESTS = pycryptsetup-test.py
+
+pyexec_LTLIBRARIES = pycryptsetup.la
+
+pycryptsetup_la_SOURCES = pycryptsetup.c
+pycryptsetup_la_CPPFLAGS = $(AM_CPPFLAGS) $(PYTHON_CPPFLAGS) -fno-strict-aliasing
+pycryptsetup_la_LDFLAGS = -avoid-version -module -shared -export-dynamic
+pycryptsetup_la_LIBADD = $(top_builddir)/lib/libcryptsetup.la $(PYTHON_LIBS)
+else
+all:
+endif
diff --git a/python/pycryptsetup-test.py b/python/pycryptsetup-test.py
new file mode 100755
index 0000000..9288ca5
--- /dev/null
+++ b/python/pycryptsetup-test.py
@@ -0,0 +1,127 @@
+#!/usr/bin/python
+#
+# Python bindings to libcryptsetup test
+#
+# Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
+#
+# This file is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this file; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+from __future__ import print_function
+
+import sys
+import os
+
+sys.path.insert(0, ".libs")
+import pycryptsetup
+
+IMG = "test.img"
+PASSWORD = "password"
+PASSWORD2 = "password2"
+DEVICE = "pycryptsetup_test_dev"
+
+def log(level, txt):
+ if level == pycryptsetup.CRYPT_LOG_ERROR:
+ print(txt,end="")
+ return
+
+def askyes(txt):
+ print("Question:", txt)
+ return 1
+
+def print_status(c):
+ r = c.status()
+ print("status :",end="")
+ if r == pycryptsetup.CRYPT_ACTIVE:
+ print("ACTIVE")
+ elif r == pycryptsetup.CRYPT_INACTIVE:
+ print("INACTIVE")
+ else:
+ print("ERROR")
+ return
+
+if os.geteuid() != 0:
+ print("WARNING: You must be root to run this test, test skipped.")
+ sys.exit(0)
+
+os.system("dd if=/dev/zero of=" + IMG + " bs=1M count=32 >/dev/null 2>&1")
+
+c = pycryptsetup.CryptSetup(
+ device = IMG,
+ name = DEVICE,
+ yesDialog = askyes,
+ logFunc = log)
+
+#c.debugLevel(pycryptsetup.CRYPT_DEBUG_ALL);
+c.debugLevel(pycryptsetup.CRYPT_DEBUG_NONE);
+c.iterationTime(1)
+r = c.isLuks()
+print("isLuks :", r)
+c.askyes(message = "Is there anybody out there?")
+c.log(priority = pycryptsetup.CRYPT_LOG_ERROR, message = "Nobody there...\n")
+c.luksFormat(cipher = "aes", cipherMode= "xts-plain64", keysize = 512, hashMode = "sha256")
+print("isLuks :", c.isLuks())
+print("luksUUID:", c.luksUUID())
+print("addKeyVK:", c.addKeyByVolumeKey(newPassphrase = PASSWORD, slot = 2))
+print("addKeyP :", c.addKeyByPassphrase(passphrase = PASSWORD,
+ newPassphrase = PASSWORD2, slot = 3))
+print("removeP :", c.removePassphrase(passphrase = PASSWORD2))
+print("addKeyP :", c.addKeyByPassphrase(PASSWORD, PASSWORD2))
+# original api required wrong passphrase parameter here
+# print "killSlot:", c.killSlot(passphrase = "xxx", slot = 0)
+print("killSlot:", c.killSlot(slot = 0))
+print("activate:", c.activate(name = DEVICE, passphrase = PASSWORD))
+print("suspend :", c.suspend())
+# os.system("dmsetup info -c " + DEVICE)
+print("resume :", c.resume(passphrase = PASSWORD))
+print_status(c)
+info = c.info()
+print("cipher :", info["cipher"])
+print("cmode :", info["cipher_mode"])
+print("keysize :", info["keysize"])
+print("dir :", info["dir"])
+print("device :", info["device"])
+print("offset :", info["offset"])
+print("name :", info["name"])
+print("uuid :", info["uuid"])
+# os.system("cryptsetup luksDump " + info["device"])
+print("deact. :", c.deactivate())
+
+del c
+
+c = pycryptsetup.CryptSetup(
+ device = IMG,
+ name = DEVICE,
+ yesDialog = askyes,
+ logFunc = log)
+
+print("activate:", c.activate(name = DEVICE, passphrase = PASSWORD))
+
+c2 = pycryptsetup.CryptSetup(
+ name = DEVICE,
+ yesDialog = askyes,
+ logFunc = log)
+
+info = c2.info()
+print("cipher :", info["cipher"])
+print("cmode :", info["cipher_mode"])
+print("keysize :", info["keysize"])
+
+print("deact. :", c.deactivate())
+r = c2.deactivate()
+print("deact. :", r)
+del c
+del c2
+
+os.remove(IMG)
diff --git a/python/pycryptsetup.c b/python/pycryptsetup.c
new file mode 100644
index 0000000..f8dbfe2
--- /dev/null
+++ b/python/pycryptsetup.c
@@ -0,0 +1,728 @@
+/*
+ * Python bindings to libcryptsetup
+ *
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Written by Martin Sivak
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <Python.h>
+#include <structmember.h>
+#include <errno.h>
+
+#include "libcryptsetup.h"
+
+/* Python API use char* where const char* should be used... */
+#define CONST_CAST(x) (x)(uintptr_t)
+
+#if PY_MAJOR_VERSION < 3
+ #define MOD_ERROR_VAL
+ #define MOD_SUCCESS_VAL(val)
+ #define MOD_INIT(name) void init##name(void)
+ #define MOD_DEF(ob, name, doc, methods) \
+ ob = Py_InitModule3(name, methods, doc);
+#else
+ #define PyInt_AsLong PyLong_AsLong
+ #define PyInt_Check PyLong_Check
+ #define MOD_ERROR_VAL NULL
+ #define MOD_SUCCESS_VAL(val) val
+ #define MOD_INIT(name) PyMODINIT_FUNC PyInit_##name(void)
+ #define MOD_DEF(ob, name, doc, methods) \
+ static struct PyModuleDef moduledef = { \
+ PyModuleDef_HEAD_INIT, name, doc, -1, methods, }; \
+ ob = PyModule_Create(&moduledef);
+#endif
+
+MOD_INIT(pycryptsetup);
+
+typedef struct {
+ PyObject_HEAD
+
+ /* Type-specific fields go here. */
+ struct crypt_device *device;
+ char *activated_as;
+
+ /* Callbacks */
+ PyObject *yesDialogCB;
+ PyObject *cmdLineLogCB;
+} CryptSetupObject;
+
+static int yesDialog(const char *msg, void *this)
+{
+ CryptSetupObject *self = this;
+ PyObject *result, *arglist;
+ int r;
+
+ if (self->yesDialogCB){
+ arglist = Py_BuildValue("(s)", msg);
+ if (!arglist)
+ return -ENOMEM;
+
+ result = PyEval_CallObject(self->yesDialogCB, arglist);
+ Py_DECREF(arglist);
+
+ if (!result)
+ return -EINVAL;
+
+ if (!PyArg_Parse(result, "i", &r))
+ r = -EINVAL;
+
+ Py_DECREF(result);
+ return r;
+ }
+
+ return 1;
+}
+
+static void cmdLineLog(int cls, const char *msg, void *this)
+{
+ CryptSetupObject *self = this;
+ PyObject *result, *arglist;
+
+ if(self->cmdLineLogCB) {
+ arglist = Py_BuildValue("(is)", cls, msg);
+ if(!arglist)
+ return;
+
+ result = PyEval_CallObject(self->cmdLineLogCB, arglist);
+ Py_DECREF(arglist);
+ Py_XDECREF(result);
+ }
+}
+
+static void CryptSetup_dealloc(CryptSetupObject* self)
+{
+ /* free the callbacks */
+ Py_XDECREF(self->yesDialogCB);
+ Py_XDECREF(self->cmdLineLogCB);
+
+ free(self->activated_as);
+
+ crypt_free(self->device);
+
+ /* free self */
+ Py_TYPE(self)->tp_free((PyObject*)self);
+}
+
+static PyObject *CryptSetup_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+ CryptSetupObject *self = (CryptSetupObject *)type->tp_alloc(type, 0);
+
+ if (self) {
+ self->yesDialogCB = NULL;
+ self->cmdLineLogCB = NULL;
+ self->activated_as = NULL;
+ }
+
+ return (PyObject *)self;
+}
+
+static PyObject *PyObjectResult(int is)
+{
+ PyObject *result = Py_BuildValue("i", is);
+
+ if (!result)
+ PyErr_SetString(PyExc_RuntimeError, "Error during constructing values for return value");
+
+ return result;
+}
+
+static char
+CryptSetup_HELP[] =
+"CryptSetup object\n\n\
+constructor takes one to four arguments:\n\
+ __init__(device, name, yesDialog, logFunc)\n\n\
+ yesDialog - python function with func(text) signature, \n\
+ which asks the user question text and returns 1\n\
+ of the answer was positive or 0 if not\n\
+ logFunc - python function with func(level, text) signature to log stuff somewhere";
+
+static int CryptSetup_init(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"device", "name", "yesDialog", "logFunc", NULL};
+ PyObject *yesDialogCB = NULL,
+ *cmdLineLogCB = NULL,
+ *tmp = NULL;
+ char *device = NULL, *deviceName = NULL;
+ int r;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOO", CONST_CAST(char**)kwlist, &device, &deviceName,
+ &yesDialogCB, &cmdLineLogCB))
+ return -1;
+
+ if (device) {
+ if (crypt_init(&(self->device), device)) {
+ PyErr_SetString(PyExc_IOError, "Device cannot be opened");
+ return -1;
+ }
+ /* Try to load header form device */
+ r = crypt_load(self->device, NULL, NULL);
+ if (r && r != -EINVAL) {
+ PyErr_SetString(PyExc_RuntimeError, "Cannot initialize device context");
+ return -1;
+ }
+ } else if (deviceName) {
+ if (crypt_init_by_name(&(self->device), deviceName)) {
+ PyErr_SetString(PyExc_IOError, "Device cannot be opened");
+ return -1;
+ }
+ /* Context is initialized automatically from active device */
+ } else {
+ PyErr_SetString(PyExc_RuntimeError, "Either device file or luks name has to be specified");
+ return -1;
+ }
+
+ if(deviceName)
+ self->activated_as = strdup(deviceName);
+
+ if (yesDialogCB) {
+ tmp = self->yesDialogCB;
+ Py_INCREF(yesDialogCB);
+ self->yesDialogCB = yesDialogCB;
+ Py_XDECREF(tmp);
+ crypt_set_confirm_callback(self->device, yesDialog, self);
+ }
+
+ if (cmdLineLogCB) {
+ tmp = self->cmdLineLogCB;
+ Py_INCREF(cmdLineLogCB);
+ self->cmdLineLogCB = cmdLineLogCB;
+ Py_XDECREF(tmp);
+ crypt_set_log_callback(self->device, cmdLineLog, self);
+ }
+
+ return 0;
+}
+
+static char
+CryptSetup_activate_HELP[] =
+"Activate LUKS device\n\n\
+ activate(name)";
+
+static PyObject *CryptSetup_activate(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"name", "passphrase", NULL};
+ char *name = NULL, *passphrase = NULL;
+ int is;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s", CONST_CAST(char**)kwlist, &name, &passphrase))
+ return NULL;
+
+ // FIXME: allow keyfile and \0 in passphrase
+ is = crypt_activate_by_passphrase(self->device, name, CRYPT_ANY_SLOT,
+ passphrase, passphrase ? strlen(passphrase) : 0, 0);
+
+ if (is >= 0) {
+ free(self->activated_as);
+ self->activated_as = strdup(name);
+ }
+
+ return PyObjectResult(is);
+}
+
+static char
+CryptSetup_deactivate_HELP[] =
+"Dectivate LUKS device\n\n\
+ deactivate()";
+
+static PyObject *CryptSetup_deactivate(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ int is = crypt_deactivate(self->device, self->activated_as);
+
+ if (!is) {
+ free(self->activated_as);
+ self->activated_as = NULL;
+ }
+
+ return PyObjectResult(is);
+}
+
+static char
+CryptSetup_askyes_HELP[] =
+"Asks a question using the configured dialog CB\n\n\
+ int askyes(message)";
+
+static PyObject *CryptSetup_askyes(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"message", NULL};
+ PyObject *message = NULL, *result, *arglist;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "O", CONST_CAST(char**)kwlist, &message))
+ return NULL;
+
+ Py_INCREF(message);
+
+ arglist = Py_BuildValue("(O)", message);
+ if (!arglist){
+ PyErr_SetString(PyExc_RuntimeError, "Error during constructing values for internal call");
+ return NULL;
+ }
+
+ result = PyEval_CallObject(self->yesDialogCB, arglist);
+ Py_DECREF(arglist);
+ Py_DECREF(message);
+
+ return result;
+}
+
+static char
+CryptSetup_log_HELP[] =
+"Logs a string using the configured log CB\n\n\
+ log(int level, message)";
+
+static PyObject *CryptSetup_log(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"priority", "message", NULL};
+ PyObject *message = NULL, *priority = NULL, *result, *arglist;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "OO", CONST_CAST(char**)kwlist, &message, &priority))
+ return NULL;
+
+ Py_INCREF(message);
+ Py_INCREF(priority);
+
+ arglist = Py_BuildValue("(OO)", message, priority);
+ if (!arglist){
+ PyErr_SetString(PyExc_RuntimeError, "Error during constructing values for internal call");
+ return NULL;
+ }
+
+ result = PyEval_CallObject(self->cmdLineLogCB, arglist);
+ Py_DECREF(arglist);
+ Py_DECREF(priority);
+ Py_DECREF(message);
+
+ return result;
+}
+
+static char
+CryptSetup_luksUUID_HELP[] =
+"Get UUID of the LUKS device\n\n\
+ luksUUID()";
+
+static PyObject *CryptSetup_luksUUID(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ PyObject *result;
+
+ result = Py_BuildValue("s", crypt_get_uuid(self->device));
+ if (!result)
+ PyErr_SetString(PyExc_RuntimeError, "Error during constructing values for return value");
+
+ return result;
+}
+
+static char
+CryptSetup_isLuks_HELP[] =
+"Is the device LUKS?\n\n\
+ isLuks()";
+
+static PyObject *CryptSetup_isLuks(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ return PyObjectResult(crypt_load(self->device, CRYPT_LUKS1, NULL));
+}
+
+static char
+CryptSetup_Info_HELP[] =
+"Returns dictionary with info about opened device\nKeys:\n\
+ dir\n name\n uuid\n cipher\n cipher_mode\n keysize\n device\n\
+ offset\n size\n skip\n mode\n";
+
+static PyObject *CryptSetup_Info(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ PyObject *result;
+
+ result = Py_BuildValue("{s:s,s:s,s:z,s:s,s:s,s:s,s:i,s:K}",
+ "dir", crypt_get_dir(),
+ "device", crypt_get_device_name(self->device),
+ "name", self->activated_as,
+ "uuid", crypt_get_uuid(self->device),
+ "cipher", crypt_get_cipher(self->device),
+ "cipher_mode", crypt_get_cipher_mode(self->device),
+ "keysize", crypt_get_volume_key_size(self->device) * 8,
+ //"size", co.size,
+ //"mode", (co.flags & CRYPT_FLAG_READONLY) ? "readonly" : "read/write",
+ "offset", crypt_get_data_offset(self->device)
+ );
+
+ if (!result)
+ PyErr_SetString(PyExc_RuntimeError, "Error during constructing values for return value");
+
+ return result;
+}
+
+static char
+CryptSetup_luksFormat_HELP[] =
+"Format device to enable LUKS\n\n\
+ luksFormat(cipher = 'aes', cipherMode = 'cbc-essiv:sha256', keysize = 256, hashMode = 'sha256')\n\n\
+ cipher - cipher specification, e.g. aes, serpent\n\
+ cipherMode - cipher mode specification, e.g. cbc-essiv:sha256, xts-plain64\n\
+ keysize - key size in bits\n\
+ hashMode - hash specification, e.g. sha256";
+
+static PyObject *CryptSetup_luksFormat(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"cipher", "cipherMode", "keysize", "hashMode", NULL};
+ char *cipher_mode = NULL, *cipher = NULL, *hashMode = NULL;
+ int keysize = DEFAULT_LUKS1_KEYBITS;
+ PyObject *keysize_object = NULL;
+ struct crypt_params_luks1 params = {};
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOz", CONST_CAST(char**)kwlist,
+ &cipher, &cipher_mode, &keysize_object,
+ &hashMode))
+ return NULL;
+
+ params.hash = hashMode;
+ if (!keysize_object || keysize_object == Py_None) {
+ /* use default value */
+ } else if (!PyInt_Check(keysize_object)) {
+ PyErr_SetString(PyExc_TypeError, "keysize must be an integer");
+ return NULL;
+ } else if (PyInt_AsLong(keysize_object) % 8) {
+ PyErr_SetString(PyExc_TypeError, "keysize must have integer value dividable by 8");
+ return NULL;
+ } else if (PyInt_AsLong(keysize_object) <= 0) {
+ PyErr_SetString(PyExc_TypeError, "keysize must be positive number bigger than 0");
+ return NULL;
+ } else
+ keysize = PyInt_AsLong(keysize_object);
+
+ return PyObjectResult(crypt_format(self->device, CRYPT_LUKS1,
+ cipher ?: DEFAULT_LUKS1_CIPHER,
+ cipher_mode ?: DEFAULT_LUKS1_MODE,
+ NULL, NULL, keysize / 8, ¶ms));
+}
+
+static char
+CryptSetup_addKeyByPassphrase_HELP[] =
+"Initialize keyslot using passphrase\n\n\
+ addKeyByPassphrase(passphrase, newPassphrase, slot)\n\n\
+ passphrase - string or none to ask the user\n\
+ newPassphrase - passphrase to add\n\
+ slot - which slot to use (optional)";
+
+static PyObject *CryptSetup_addKeyByPassphrase(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"passphrase", "newPassphrase", "slot", NULL};
+ char *passphrase = NULL, *newpassphrase = NULL;
+ size_t passphrase_len = 0, newpassphrase_len = 0;
+ int slot = CRYPT_ANY_SLOT;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "ss|i", CONST_CAST(char**)kwlist, &passphrase, &newpassphrase, &slot))
+ return NULL;
+
+ if(passphrase)
+ passphrase_len = strlen(passphrase);
+
+ if(newpassphrase)
+ newpassphrase_len = strlen(newpassphrase);
+
+ return PyObjectResult(crypt_keyslot_add_by_passphrase(self->device, slot,
+ passphrase, passphrase_len,
+ newpassphrase, newpassphrase_len));
+}
+
+static char
+CryptSetup_addKeyByVolumeKey_HELP[] =
+"Initialize keyslot using cached volume key\n\n\
+ addKeyByVolumeKey(passphrase, newPassphrase, slot)\n\n\
+ newPassphrase - passphrase to add\n\
+ slot - which slot to use (optional)";
+
+static PyObject *CryptSetup_addKeyByVolumeKey(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"newPassphrase", "slot", NULL};
+ char *newpassphrase = NULL;
+ size_t newpassphrase_len = 0;
+ int slot = CRYPT_ANY_SLOT;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|i", CONST_CAST(char**)kwlist, &newpassphrase, &slot))
+ return NULL;
+
+ if (newpassphrase)
+ newpassphrase_len = strlen(newpassphrase);
+
+ return PyObjectResult(crypt_keyslot_add_by_volume_key(self->device, slot,
+ NULL, 0, newpassphrase, newpassphrase_len));
+}
+
+static char
+CryptSetup_removePassphrase_HELP[] =
+"Destroy keyslot using passphrase\n\n\
+ removePassphrase(passphrase)\n\n\
+ passphrase - string or none to ask the user";
+
+static PyObject *CryptSetup_removePassphrase(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"passphrase", NULL};
+ char *passphrase = NULL;
+ size_t passphrase_len = 0;
+ int is;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", CONST_CAST(char**)kwlist, &passphrase))
+ return NULL;
+
+ if (passphrase)
+ passphrase_len = strlen(passphrase);
+
+ is = crypt_activate_by_passphrase(self->device, NULL, CRYPT_ANY_SLOT,
+ passphrase, passphrase_len, 0);
+ if (is < 0)
+ return PyObjectResult(is);
+
+ return PyObjectResult(crypt_keyslot_destroy(self->device, is));
+}
+
+static char
+CryptSetup_killSlot_HELP[] =
+"Destroy keyslot\n\n\
+ killSlot(slot)\n\n\
+ slot - the slot to remove";
+
+static PyObject *CryptSetup_killSlot(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"slot", NULL};
+ int slot = CRYPT_ANY_SLOT;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "i", CONST_CAST(char**)kwlist, &slot))
+ return NULL;
+
+ switch (crypt_keyslot_status(self->device, slot)) {
+ case CRYPT_SLOT_ACTIVE:
+ return PyObjectResult(crypt_keyslot_destroy(self->device, slot));
+ case CRYPT_SLOT_ACTIVE_LAST:
+ PyErr_SetString(PyExc_ValueError, "Last slot, removing it would render the device unusable");
+ break;
+ case CRYPT_SLOT_INACTIVE:
+ PyErr_SetString(PyExc_ValueError, "Inactive slot");
+ break;
+ case CRYPT_SLOT_INVALID:
+ PyErr_SetString(PyExc_ValueError, "Invalid slot");
+ break;
+ }
+
+ return NULL;
+}
+
+static char
+CryptSetup_Status_HELP[] =
+"Status of LUKS device\n\n\
+ luksStatus()";
+
+static PyObject *CryptSetup_Status(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ if (!self->activated_as){
+ PyErr_SetString(PyExc_IOError, "Device has not been activated yet.");
+ return NULL;
+ }
+
+ return PyObjectResult(crypt_status(self->device, self->activated_as));
+}
+
+static char
+CryptSetup_Resume_HELP[] =
+"Resume LUKS device\n\n\
+ luksOpen(passphrase)\n\n\
+ passphrase - string or none to ask the user";
+
+static PyObject *CryptSetup_Resume(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"passphrase", NULL};
+ char* passphrase = NULL;
+ size_t passphrase_len = 0;
+
+ if (!self->activated_as){
+ PyErr_SetString(PyExc_IOError, "Device has not been activated yet.");
+ return NULL;
+ }
+
+ if (! PyArg_ParseTupleAndKeywords(args, kwds, "|s", CONST_CAST(char**)kwlist, &passphrase))
+ return NULL;
+
+ if (passphrase)
+ passphrase_len = strlen(passphrase);
+
+ return PyObjectResult(crypt_resume_by_passphrase(self->device, self->activated_as,
+ CRYPT_ANY_SLOT, passphrase, passphrase_len));
+}
+
+static char
+CryptSetup_Suspend_HELP[] =
+"Suspend LUKS device\n\n\
+ luksSupsend()";
+
+static PyObject *CryptSetup_Suspend(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ if (!self->activated_as){
+ PyErr_SetString(PyExc_IOError, "Device has not been activated yet.");
+ return NULL;
+ }
+
+ return PyObjectResult(crypt_suspend(self->device, self->activated_as));
+}
+
+static char
+CryptSetup_debugLevel_HELP[] =
+"Set debug level\n\n\
+ debugLevel(level)\n\n\
+ level - debug level";
+
+static PyObject *CryptSetup_debugLevel(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"level", NULL};
+ int level = 0;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "i", CONST_CAST(char**)kwlist, &level))
+ return NULL;
+
+ crypt_set_debug_level(level);
+
+ Py_RETURN_NONE;
+}
+
+static char
+CryptSetup_iterationTime_HELP[] =
+"Set iteration time\n\n\
+ iterationTime(time_ms)\n\n\
+ time_ms - time in milliseconds";
+
+static PyObject *CryptSetup_iterationTime(CryptSetupObject* self, PyObject *args, PyObject *kwds)
+{
+ static const char *kwlist[] = {"time_ms", NULL};
+ uint64_t time_ms = 0;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "K", CONST_CAST(char**)kwlist, &time_ms))
+ return NULL;
+
+ crypt_set_iteration_time(self->device, time_ms);
+
+ Py_RETURN_NONE;
+}
+
+static PyMemberDef CryptSetup_members[] = {
+ {CONST_CAST(char*)"yesDialogCB", T_OBJECT_EX, offsetof(CryptSetupObject, yesDialogCB), 0, CONST_CAST(char*)"confirmation dialog callback"},
+ {CONST_CAST(char*)"cmdLineLogCB", T_OBJECT_EX, offsetof(CryptSetupObject, cmdLineLogCB), 0, CONST_CAST(char*)"logging callback"},
+ {NULL}
+};
+
+static PyMethodDef CryptSetup_methods[] = {
+ /* self-test methods */
+ {"log", (PyCFunction)CryptSetup_log, METH_VARARGS|METH_KEYWORDS, CryptSetup_askyes_HELP},
+ {"askyes", (PyCFunction)CryptSetup_askyes, METH_VARARGS|METH_KEYWORDS, CryptSetup_log_HELP},
+
+ /* activation and deactivation */
+ {"deactivate", (PyCFunction)CryptSetup_deactivate, METH_NOARGS, CryptSetup_deactivate_HELP},
+ {"activate", (PyCFunction)CryptSetup_activate, METH_VARARGS|METH_KEYWORDS, CryptSetup_activate_HELP},
+
+ /* cryptsetup info entrypoints */
+ {"luksUUID", (PyCFunction)CryptSetup_luksUUID, METH_NOARGS, CryptSetup_luksUUID_HELP},
+ {"isLuks", (PyCFunction)CryptSetup_isLuks, METH_NOARGS, CryptSetup_isLuks_HELP},
+ {"info", (PyCFunction)CryptSetup_Info, METH_NOARGS, CryptSetup_Info_HELP},
+ {"status", (PyCFunction)CryptSetup_Status, METH_NOARGS, CryptSetup_Status_HELP},
+
+ /* cryptsetup mgmt entrypoints */
+ {"luksFormat", (PyCFunction)CryptSetup_luksFormat, METH_VARARGS|METH_KEYWORDS, CryptSetup_luksFormat_HELP},
+ {"addKeyByPassphrase", (PyCFunction)CryptSetup_addKeyByPassphrase, METH_VARARGS|METH_KEYWORDS, CryptSetup_addKeyByPassphrase_HELP},
+ {"addKeyByVolumeKey", (PyCFunction)CryptSetup_addKeyByVolumeKey, METH_VARARGS|METH_KEYWORDS, CryptSetup_addKeyByVolumeKey_HELP},
+ {"removePassphrase", (PyCFunction)CryptSetup_removePassphrase, METH_VARARGS|METH_KEYWORDS, CryptSetup_removePassphrase_HELP},
+ {"killSlot", (PyCFunction)CryptSetup_killSlot, METH_VARARGS|METH_KEYWORDS, CryptSetup_killSlot_HELP},
+
+ /* suspend resume */
+ {"resume", (PyCFunction)CryptSetup_Resume, METH_VARARGS|METH_KEYWORDS, CryptSetup_Resume_HELP},
+ {"suspend", (PyCFunction)CryptSetup_Suspend, METH_NOARGS, CryptSetup_Suspend_HELP},
+
+ /* misc */
+ {"debugLevel", (PyCFunction)CryptSetup_debugLevel, METH_VARARGS|METH_KEYWORDS, CryptSetup_debugLevel_HELP},
+ {"iterationTime", (PyCFunction)CryptSetup_iterationTime, METH_VARARGS|METH_KEYWORDS, CryptSetup_iterationTime_HELP},
+
+ {NULL} /* Sentinel */
+};
+
+static PyTypeObject CryptSetupType = {
+ PyVarObject_HEAD_INIT(NULL, 0)
+ "pycryptsetup.CryptSetup", /*tp_name*/
+ sizeof(CryptSetupObject), /*tp_basicsize*/
+ 0, /*tp_itemsize*/
+ (destructor)CryptSetup_dealloc, /*tp_dealloc*/
+ 0, /*tp_print*/
+ 0, /*tp_getattr*/
+ 0, /*tp_setattr*/
+ 0, /*tp_compare*/
+ 0, /*tp_repr*/
+ 0, /*tp_as_number*/
+ 0, /*tp_as_sequence*/
+ 0, /*tp_as_mapping*/
+ 0, /*tp_hash */
+ 0, /*tp_call*/
+ 0, /*tp_str*/
+ 0, /*tp_getattro*/
+ 0, /*tp_setattro*/
+ 0, /*tp_as_buffer*/
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /*tp_flags*/
+ CryptSetup_HELP, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ CryptSetup_methods, /* tp_methods */
+ CryptSetup_members, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ (initproc)CryptSetup_init, /* tp_init */
+ 0, /* tp_alloc */
+ CryptSetup_new, /* tp_new */
+};
+
+static PyMethodDef pycryptsetup_methods[] = {
+ {NULL} /* Sentinel */
+};
+
+MOD_INIT(pycryptsetup)
+{
+ PyObject *m;
+
+ if (PyType_Ready(&CryptSetupType) < 0)
+ return MOD_ERROR_VAL;
+
+ MOD_DEF(m, "pycryptsetup", "CryptSetup pythonized API.", pycryptsetup_methods);
+ Py_INCREF(&CryptSetupType);
+
+ PyModule_AddObject(m, "CryptSetup", (PyObject *)&CryptSetupType);
+
+ /* debug constants */
+ PyModule_AddIntConstant(m, "CRYPT_DEBUG_ALL", CRYPT_DEBUG_ALL);
+ PyModule_AddIntConstant(m, "CRYPT_DEBUG_NONE", CRYPT_DEBUG_NONE);
+
+ /* log constants */
+ PyModule_AddIntConstant(m, "CRYPT_LOG_NORMAL", CRYPT_LOG_NORMAL);
+ PyModule_AddIntConstant(m, "CRYPT_LOG_ERROR", CRYPT_LOG_ERROR);
+ PyModule_AddIntConstant(m, "CRYPT_LOG_VERBOSE", CRYPT_LOG_VERBOSE);
+ PyModule_AddIntConstant(m, "CRYPT_LOG_DEBUG", CRYPT_LOG_DEBUG);
+
+ /* status constants */
+ PyModule_AddIntConstant(m, "CRYPT_INVALID", CRYPT_INVALID);
+ PyModule_AddIntConstant(m, "CRYPT_INACTIVE", CRYPT_INACTIVE);
+ PyModule_AddIntConstant(m, "CRYPT_ACTIVE", CRYPT_ACTIVE);
+ PyModule_AddIntConstant(m, "CRYPT_BUSY", CRYPT_BUSY);
+
+ return MOD_SUCCESS_VAL(m);
+}
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000..9524289
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,97 @@
+AM_CPPFLAGS = -include config.h \
+ -I$(top_srcdir) \
+ -I$(top_srcdir)/lib \
+ -DDATADIR=\""$(datadir)"\" \
+ -DLOCALEDIR=\""$(datadir)/locale"\" \
+ -DLIBDIR=\""$(libdir)"\" \
+ -DPREFIX=\""$(prefix)"\" \
+ -DSYSCONFDIR=\""$(sysconfdir)"\" \
+ -DVERSION=\""$(VERSION)"\"
+
+# cryptsetup
+cryptsetup_SOURCES = \
+ $(top_builddir)/lib/utils_crypt.c \
+ $(top_builddir)/lib/utils_loop.c \
+ utils_tools.c \
+ utils_password.c \
+ cryptsetup.c \
+ cryptsetup.h
+
+cryptsetup_LDADD = \
+ $(top_builddir)/lib/libcryptsetup.la \
+ @POPT_LIBS@ \
+ @PWQUALITY_LIBS@ \
+ @PASSWDQC_LIBS@
+
+cryptsetup_CFLAGS = $(AM_CFLAGS) -Wall
+
+sbin_PROGRAMS=cryptsetup
+
+if STATIC_TOOLS
+sbin_PROGRAMS += cryptsetup.static
+cryptsetup_static_SOURCES = $(cryptsetup_SOURCES)
+cryptsetup_static_CFLAGS = $(cryptsetup_CFLAGS)
+cryptsetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
+cryptsetup_static_LDADD = $(cryptsetup_LDADD) \
+ @CRYPTO_STATIC_LIBS@ \
+ @PWQUALITY_STATIC_LIBS@ \
+ @DEVMAPPER_STATIC_LIBS@ \
+ @UUID_LIBS@
+endif
+
+# veritysetup
+if VERITYSETUP
+
+veritysetup_SOURCES = \
+ $(top_builddir)/lib/utils_crypt.c \
+ $(top_builddir)/lib/utils_loop.c \
+ utils_tools.c \
+ veritysetup.c \
+ cryptsetup.h
+
+veritysetup_LDADD = \
+ $(top_builddir)/lib/libcryptsetup.la \
+ @POPT_LIBS@
+
+veritysetup_CFLAGS = $(cryptsetup_CFLAGS)
+
+sbin_PROGRAMS += veritysetup
+
+if STATIC_TOOLS
+sbin_PROGRAMS += veritysetup.static
+veritysetup_static_SOURCES = $(veritysetup_SOURCES)
+veritysetup_static_CFLAGS = $(veritysetup_CFLAGS)
+veritysetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
+veritysetup_static_LDADD = $(veritysetup_LDADD) \
+ @CRYPTO_STATIC_LIBS@ \
+ @DEVMAPPER_STATIC_LIBS@ \
+ @UUID_LIBS@
+endif
+endif
+
+# reencrypt
+if REENCRYPT
+cryptsetup_reencrypt_SOURCES = \
+ $(top_builddir)/lib/utils_crypt.c \
+ utils_tools.c \
+ utils_password.c \
+ cryptsetup_reencrypt.c \
+ cryptsetup.h
+
+cryptsetup_reencrypt_LDADD = $(cryptsetup_LDADD) \
+ @UUID_LIBS@
+cryptsetup_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
+
+sbin_PROGRAMS += cryptsetup-reencrypt
+
+if STATIC_TOOLS
+sbin_PROGRAMS += cryptsetup-reencrypt.static
+cryptsetup_reencrypt_static_SOURCES = $(cryptsetup_reencrypt_SOURCES)
+cryptsetup_reencrypt_static_CFLAGS = $(cryptsetup_reencrypt_CFLAGS)
+cryptsetup_reencrypt_static_LDFLAGS = $(AM_LDFLAGS) -all-static
+cryptsetup_reencrypt_static_LDADD = $(cryptsetup_reencrypt_LDADD) \
+ @CRYPTO_STATIC_LIBS@ \
+ @DEVMAPPER_STATIC_LIBS@ \
+ @UUID_LIBS@
+endif
+endif
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
new file mode 100644
index 0000000..8920c1e
--- /dev/null
+++ b/src/cryptsetup.c
@@ -0,0 +1,1829 @@
+/*
+ * cryptsetup - setup cryptographic volumes for dm-crypt
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+
+static const char *opt_cipher = NULL;
+static const char *opt_hash = NULL;
+static int opt_verify_passphrase = 0;
+
+static const char *opt_key_file = NULL;
+static const char *opt_keyfile_stdin = NULL;
+static int opt_keyfiles_count = 0;
+static const char *opt_keyfiles[MAX_KEYFILES];
+
+static const char *opt_master_key_file = NULL;
+static const char *opt_header_backup_file = NULL;
+static const char *opt_uuid = NULL;
+static const char *opt_header_device = NULL;
+static const char *opt_type = "luks";
+static int opt_key_size = 0;
+static long opt_keyfile_size = 0;
+static long opt_new_keyfile_size = 0;
+static long opt_keyfile_offset = 0;
+static long opt_new_keyfile_offset = 0;
+static int opt_key_slot = CRYPT_ANY_SLOT;
+static uint64_t opt_size = 0;
+static uint64_t opt_offset = 0;
+static uint64_t opt_skip = 0;
+static int opt_skip_valid = 0;
+static int opt_readonly = 0;
+static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
+static int opt_version_mode = 0;
+static int opt_timeout = 0;
+static int opt_tries = 3;
+static int opt_align_payload = 0;
+static int opt_random = 0;
+static int opt_urandom = 0;
+static int opt_dump_master_key = 0;
+static int opt_shared = 0;
+static int opt_allow_discards = 0;
+static int opt_perf_same_cpu_crypt = 0;
+static int opt_perf_submit_from_crypt_cpus = 0;
+static int opt_test_passphrase = 0;
+static int opt_tcrypt_hidden = 0;
+static int opt_tcrypt_system = 0;
+static int opt_tcrypt_backup = 0;
+static int opt_veracrypt = 0;
+static int opt_veracrypt_pim = -1;
+static int opt_veracrypt_query_pim = 0;
+
+static const char **action_argv;
+static int action_argc;
+static const char *null_action_argv[] = {NULL, NULL};
+
+static const char *uuid_or_device_header(const char **data_device)
+{
+ if (data_device)
+ *data_device = opt_header_device ? action_argv[0] : NULL;
+
+ return uuid_or_device(opt_header_device ?: action_argv[0]);
+}
+
+static int _verify_passphrase(int def)
+{
+ /* Batch mode switch off verify - if not overrided by -y */
+ if (opt_verify_passphrase)
+ def = 1;
+ else if (opt_batch_mode)
+ def = 0;
+
+ /* Non-tty input doesn't allow verify */
+ if (def && !isatty(STDIN_FILENO)) {
+ if (opt_verify_passphrase)
+ log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
+ def = 0;
+ }
+
+ return def;
+}
+
+static void _set_activation_flags(uint32_t *flags)
+{
+ if (opt_readonly)
+ *flags |= CRYPT_ACTIVATE_READONLY;
+
+ if (opt_allow_discards)
+ *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
+
+ if (opt_perf_same_cpu_crypt)
+ *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
+
+ if (opt_perf_submit_from_crypt_cpus)
+ *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
+}
+
+static int action_open_plain(void)
+{
+ struct crypt_device *cd = NULL;
+ char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ struct crypt_params_plain params = {
+ .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
+ .skip = opt_skip,
+ .offset = opt_offset,
+ .size = opt_size,
+ };
+ char *password = NULL;
+ size_t passwordLen, key_size_max;
+ size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
+ uint32_t activate_flags = 0;
+ int r;
+
+ r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
+ cipher, NULL, cipher_mode);
+ if (r < 0) {
+ log_err(_("No known cipher specification pattern detected.\n"));
+ goto out;
+ }
+
+ /* FIXME: temporary hack, no hashing for keyfiles in plain mode */
+ if (opt_key_file && !tools_is_stdin(opt_key_file)) {
+ params.hash = NULL;
+ if (!opt_batch_mode && opt_hash)
+ log_std(_("WARNING: The --hash parameter is being ignored "
+ "in plain mode with keyfile specified.\n"));
+ }
+
+ if (params.hash && !strcmp(params.hash, "plain"))
+ params.hash = NULL;
+
+ if (!opt_batch_mode && !params.hash && opt_key_file && !tools_is_stdin(opt_key_file) && opt_keyfile_size)
+ log_std(_("WARNING: The --keyfile-size option is being ignored, "
+ "the read size is the same as the encryption key size.\n"));
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ goto out;
+
+ r = crypt_format(cd, CRYPT_PLAIN,
+ cipher, cipher_mode,
+ NULL, NULL,
+ key_size,
+ ¶ms);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ if (opt_shared)
+ activate_flags |= CRYPT_ACTIVATE_SHARED;
+
+ _set_activation_flags(&activate_flags);
+
+ if (!tools_is_stdin(opt_key_file)) {
+ /* If no hash, key is read directly, read size is always key_size
+ * (possible opt_keyfile_size is ignored.
+ * If hash is specified, opt_keyfile_size is applied.
+ * The opt_keyfile_offset is applied always.
+ */
+ key_size_max = params.hash ? (size_t)opt_keyfile_size : key_size;
+ r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
+ CRYPT_ANY_SLOT, opt_key_file, key_size_max,
+ opt_keyfile_offset, activate_flags);
+ } else {
+ key_size_max = (opt_key_file && !params.hash) ? key_size : (size_t)opt_keyfile_size;
+ r = tools_get_key(_("Enter passphrase: "),
+ &password, &passwordLen,
+ opt_keyfile_offset, key_size_max,
+ opt_key_file, opt_timeout,
+ _verify_passphrase(0), 0, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_activate_by_passphrase(cd, action_argv[1],
+ CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
+ }
+out:
+ crypt_free(cd);
+ crypt_safe_free(password);
+
+ return r;
+}
+
+static int action_open_loopaes(void)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_loopaes params = {
+ .hash = opt_hash ?: NULL,
+ .offset = opt_offset,
+ .skip = opt_skip_valid ? opt_skip : opt_offset,
+ };
+ unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
+ uint32_t activate_flags = 0;
+ int r;
+
+ if (!opt_key_file) {
+ log_err(_("Option --key-file is required.\n"));
+ return -EINVAL;
+ }
+
+ _set_activation_flags(&activate_flags);
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ goto out;
+
+ r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
+ NULL, NULL, NULL, key_size, ¶ms);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
+ opt_key_file, opt_keyfile_size,
+ opt_keyfile_offset, activate_flags);
+out:
+ crypt_free(cd);
+
+ return r;
+}
+
+static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *params)
+{
+ int r, tries = opt_tries, eperm = 0;
+
+ if (opt_keyfile_stdin)
+ tries = 1;
+
+ do {
+ /* TCRYPT header is encrypted, get passphrase now */
+ r = tools_get_key(_("Enter passphrase: "),
+ CONST_CAST(char**)¶ms->passphrase,
+ ¶ms->passphrase_size, 0, 0, opt_keyfile_stdin, opt_timeout,
+ _verify_passphrase(0), 0, cd);
+ if (r < 0)
+ continue;
+
+ if (opt_veracrypt_query_pim) {
+ char *tmp_pim_nptr = NULL;
+ char *tmp_pim_end = NULL;
+ size_t tmp_pim_size = 0;
+ unsigned long long tmp_pim_ull = 0;
+
+ r = tools_get_key(_("Enter VeraCrypt PIM: "),
+ CONST_CAST(char**)&tmp_pim_nptr,
+ &tmp_pim_size, 0, 0, opt_keyfile_stdin, opt_timeout,
+ _verify_passphrase(0), 0, cd);
+ if (r < 0)
+ continue;
+
+ tmp_pim_ull = strtoull(tmp_pim_nptr, &tmp_pim_end, 10);
+ if (*tmp_pim_nptr == '\0' || !tmp_pim_end || *tmp_pim_end != '\0') {
+ log_err(_("Invalid PIM value: parse error\n"));
+ r = -EINVAL;
+ } else if (tmp_pim_ull == 0) {
+ log_err(_("Invalid PIM value: 0\n"));
+ r = -EINVAL;
+ } else if (tmp_pim_ull > UINT32_MAX) {
+ log_err(_("Invalid PIM value: outside of range\n"));
+ r = -ERANGE;
+ }
+ crypt_safe_free(CONST_CAST(char*)tmp_pim_nptr);
+ if (r < 0)
+ continue;
+
+ params->veracrypt_pim = (uint32_t)tmp_pim_ull;
+ crypt_memzero(&tmp_pim_ull, sizeof(tmp_pim_ull));
+ }
+
+ if (opt_tcrypt_hidden)
+ params->flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
+
+ if (opt_tcrypt_system)
+ params->flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
+ if (opt_tcrypt_backup)
+ params->flags |= CRYPT_TCRYPT_BACKUP_HEADER;
+
+ r = crypt_load(cd, CRYPT_TCRYPT, params);
+
+ if (r == -EPERM) {
+ log_err(_("No device header detected with this passphrase.\n"));
+ eperm = 1;
+ }
+
+ if (r < 0) {
+ crypt_safe_free(CONST_CAST(char*)params->passphrase);
+ params->passphrase = NULL;
+ params->passphrase_size = 0;
+ }
+ check_signal(&r);
+ } while ((r == -EPERM || r == -EINVAL || r == -ERANGE) && (--tries > 0));
+
+ /* Report wrong passphrase if at least one try failed */
+ if (eperm && r == -EPIPE)
+ r = -EPERM;
+
+ return r;
+}
+
+static int action_open_tcrypt(void)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_tcrypt params = {
+ .keyfiles = opt_keyfiles,
+ .keyfiles_count = opt_keyfiles_count,
+ .flags = CRYPT_TCRYPT_LEGACY_MODES |
+ (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0),
+ .veracrypt_pim = (opt_veracrypt_pim > 0) ? opt_veracrypt_pim : 0,
+ };
+ const char *activated_name;
+ uint32_t activate_flags = 0;
+ int r;
+
+ activated_name = opt_test_passphrase ? NULL : action_argv[1];
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ goto out;
+
+ r = tcrypt_load(cd, ¶ms);
+ if (r < 0)
+ goto out;
+
+ _set_activation_flags(&activate_flags);
+
+ if (activated_name)
+ r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, activate_flags);
+out:
+ crypt_free(cd);
+ crypt_safe_free(CONST_CAST(char*)params.passphrase);
+ crypt_memzero(¶ms.veracrypt_pim, sizeof(params.veracrypt_pim));
+ return r;
+}
+
+static int tcryptDump_with_volume_key(struct crypt_device *cd)
+{
+ char *vk = NULL;
+ size_t vk_size;
+ unsigned i;
+ int r;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+ if (!yesDialog(
+ _("Header dump with volume key is sensitive information\n"
+ "which allows access to encrypted partition without passphrase.\n"
+ "This dump should be always stored encrypted on safe place."),
+ NULL))
+ return -EPERM;
+
+ vk_size = crypt_get_volume_key_size(cd);
+ vk = crypt_safe_alloc(vk_size);
+ if (!vk)
+ return -ENOMEM;
+
+ r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size, NULL, 0);
+ if (r < 0)
+ goto out;
+
+ log_std("TCRYPT header information for %s\n", crypt_get_device_name(cd));
+ log_std("Cipher chain: \t%s\n", crypt_get_cipher(cd));
+ log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
+ log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
+ log_std("MK bits: \t%d\n", (int)vk_size * 8);
+ log_std("MK dump:\t");
+
+ for(i = 0; i < vk_size; i++) {
+ if (i && !(i % 16))
+ log_std("\n\t\t");
+ log_std("%02hhx ", (char)vk[i]);
+ }
+ log_std("\n");
+out:
+ crypt_safe_free(vk);
+ return r;
+}
+
+static int action_tcryptDump(void)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_tcrypt params = {
+ .keyfiles = opt_keyfiles,
+ .keyfiles_count = opt_keyfiles_count,
+ .flags = CRYPT_TCRYPT_LEGACY_MODES |
+ (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0),
+ };
+ int r;
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ goto out;
+
+ r = tcrypt_load(cd, ¶ms);
+ if (r < 0)
+ goto out;
+
+ if (opt_dump_master_key)
+ r = tcryptDump_with_volume_key(cd);
+ else
+ r = crypt_dump(cd);
+out:
+ crypt_free(cd);
+ crypt_safe_free(CONST_CAST(char*)params.passphrase);
+ return r;
+}
+
+static int action_close(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ r = crypt_init_by_name(&cd, action_argv[0]);
+ if (r == 0)
+ r = crypt_deactivate(cd, action_argv[0]);
+
+ crypt_free(cd);
+ return r;
+}
+
+static int action_resize(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
+ if (r == 0)
+ r = crypt_resize(cd, action_argv[0], opt_size);
+
+ crypt_free(cd);
+ return r;
+}
+
+static int action_status(void)
+{
+ crypt_status_info ci;
+ struct crypt_active_device cad;
+ struct crypt_device *cd = NULL;
+ char *backing_file;
+ const char *device;
+ int path = 0, r = 0;
+
+ /* perhaps a path, not a dm device name */
+ if (strchr(action_argv[0], '/'))
+ path = 1;
+
+ ci = crypt_status(NULL, action_argv[0]);
+ switch (ci) {
+ case CRYPT_INVALID:
+ r = -EINVAL;
+ break;
+ case CRYPT_INACTIVE:
+ if (path)
+ log_std("%s is inactive.\n", action_argv[0]);
+ else
+ log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
+ r = -ENODEV;
+ break;
+ case CRYPT_ACTIVE:
+ case CRYPT_BUSY:
+ if (path)
+ log_std("%s is active%s.\n", action_argv[0],
+ ci == CRYPT_BUSY ? " and is in use" : "");
+ else
+ log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
+ ci == CRYPT_BUSY ? " and is in use" : "");
+
+ r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
+ if (r < 0)
+ goto out;
+
+ log_std(" type: %s\n", crypt_get_type(cd) ?: "n/a");
+
+ r = crypt_get_active_device(cd, action_argv[0], &cad);
+ if (r < 0)
+ goto out;
+
+ log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
+ log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
+ device = crypt_get_device_name(cd);
+ log_std(" device: %s\n", device);
+ if (crypt_loop_device(device)) {
+ backing_file = crypt_loop_backing_file(device);
+ log_std(" loop: %s\n", backing_file);
+ free(backing_file);
+ }
+ log_std(" offset: %" PRIu64 " sectors\n", cad.offset);
+ log_std(" size: %" PRIu64 " sectors\n", cad.size);
+ if (cad.iv_offset)
+ log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset);
+ log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+ "readonly" : "read/write");
+ if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS|
+ CRYPT_ACTIVATE_SAME_CPU_CRYPT|
+ CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS))
+ log_std(" flags: %s%s%s\n",
+ (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "",
+ (cad.flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? "same_cpu_crypt " : "",
+ (cad.flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? "submit_from_crypt_cpus" : "");
+ }
+out:
+ crypt_free(cd);
+ if (r == -ENOTSUP)
+ r = 0;
+ return r;
+}
+
+static int action_benchmark_kdf(const char *hash)
+{
+ uint64_t kdf_iters;
+ int r;
+
+ r = crypt_benchmark_kdf(NULL, "pbkdf2", hash, "foo", 3, "bar", 3,
+ &kdf_iters);
+ if (r < 0)
+ log_std("PBKDF2-%-9s N/A\n", hash);
+ else
+ log_std("PBKDF2-%-9s %7" PRIu64 " iterations per second for %d-bit key\n",
+ hash, kdf_iters, DEFAULT_LUKS1_KEYBITS);
+ return r;
+}
+
+static int benchmark_cipher_loop(const char *cipher, const char *cipher_mode,
+ size_t volume_key_size, size_t iv_size,
+ double *encryption_mbs, double *decryption_mbs)
+{
+ int r, buffer_size = 1024 * 1024;
+
+ do {
+ r = crypt_benchmark(NULL, cipher, cipher_mode,
+ volume_key_size, iv_size, buffer_size,
+ encryption_mbs, decryption_mbs);
+ if (r == -ERANGE) {
+ if (buffer_size < 1024 * 1024 * 65)
+ buffer_size *= 2;
+ else {
+ log_err(_("Result of benchmark is not reliable.\n"));
+ r = -ENOENT;
+ }
+ }
+ } while (r == -ERANGE);
+
+ return r;
+}
+
+static int action_benchmark(void)
+{
+ static struct {
+ const char *cipher;
+ const char *mode;
+ size_t key_size;
+ size_t iv_size;
+ } bciphers[] = {
+ { "aes", "cbc", 16, 16 },
+ { "serpent", "cbc", 16, 16 },
+ { "twofish", "cbc", 16, 16 },
+ { "aes", "cbc", 32, 16 },
+ { "serpent", "cbc", 32, 16 },
+ { "twofish", "cbc", 32, 16 },
+ { "aes", "xts", 32, 16 },
+ { "serpent", "xts", 32, 16 },
+ { "twofish", "xts", 32, 16 },
+ { "aes", "xts", 64, 16 },
+ { "serpent", "xts", 64, 16 },
+ { "twofish", "xts", 64, 16 },
+ { NULL, NULL, 0, 0 }
+ };
+ static const char *bkdfs[] = {
+ "sha1", "sha256", "sha512", "ripemd160", "whirlpool", NULL
+ };
+ char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ double enc_mbr = 0, dec_mbr = 0;
+ int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
+ int iv_size = 16, skipped = 0;
+ char *c;
+ int i, r;
+
+ log_std(_("# Tests are approximate using memory only (no storage IO).\n"));
+ if (opt_hash) {
+ r = action_benchmark_kdf(opt_hash);
+ } else if (opt_cipher) {
+ r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
+ if (r < 0) {
+ log_err(_("No known cipher specification pattern detected.\n"));
+ return r;
+ }
+ if ((c = strchr(cipher_mode, '-')))
+ *c = '\0';
+
+ /* FIXME: not really clever :) */
+ if (strstr(cipher, "des") ||
+ strstr(cipher, "blowfish") ||
+ strstr(cipher, "cast5"))
+ iv_size = 8;
+
+ if (!strcmp(cipher_mode, "ecb"))
+ iv_size = 0;
+
+ r = benchmark_cipher_loop(cipher, cipher_mode,
+ key_size / 8, iv_size,
+ &enc_mbr, &dec_mbr);
+ if (!r) {
+ log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
+ log_std("%11s-%s %4db %6.1f MiB/s %6.1f MiB/s\n",
+ cipher, cipher_mode, key_size, enc_mbr, dec_mbr);
+ } else if (r == -ENOENT)
+ log_err(_("Cipher %s is not available.\n"), opt_cipher);
+ } else {
+ for (i = 0; bkdfs[i]; i++) {
+ r = action_benchmark_kdf(bkdfs[i]);
+ check_signal(&r);
+ if (r == -EINTR)
+ break;
+ }
+ for (i = 0; bciphers[i].cipher; i++) {
+ r = benchmark_cipher_loop(bciphers[i].cipher, bciphers[i].mode,
+ bciphers[i].key_size, bciphers[i].iv_size,
+ &enc_mbr, &dec_mbr);
+ check_signal(&r);
+ if (r == -ENOTSUP || r == -EINTR)
+ break;
+ if (r == -ENOENT)
+ skipped++;
+ if (i == 0)
+ log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
+
+ snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
+ bciphers[i].cipher, bciphers[i].mode);
+ if (!r)
+ log_std("%15s %4zub %6.1f MiB/s %6.1f MiB/s\n",
+ cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
+ else
+ log_std("%15s %4zub %13s %13s\n", cipher,
+ bciphers[i].key_size*8, _("N/A"), _("N/A"));
+ }
+ if (skipped && skipped == i)
+ r = -ENOTSUP;
+ }
+
+ if (r == -ENOTSUP) {
+ log_err(_("Required kernel crypto interface not available.\n"));
+#ifdef ENABLE_AF_ALG
+ log_err( _("Ensure you have algif_skcipher kernel module loaded.\n"));
+#endif
+ }
+ return r;
+}
+
+static int _read_mk(const char *file, char **key, int keysize)
+{
+ int fd;
+
+ *key = crypt_safe_alloc(keysize);
+ if (!*key)
+ return -ENOMEM;
+
+ fd = open(file, O_RDONLY);
+ if (fd == -1) {
+ log_err(_("Cannot read keyfile %s.\n"), file);
+ goto fail;
+ }
+ if ((read(fd, *key, keysize) != keysize)) {
+ log_err(_("Cannot read %d bytes from keyfile %s.\n"), keysize, file);
+ close(fd);
+ goto fail;
+ }
+ close(fd);
+ return 0;
+fail:
+ crypt_safe_free(*key);
+ *key = NULL;
+ return -EINVAL;
+}
+
+static int action_luksRepair(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ goto out;
+
+ /* Currently only LUKS1 allows repair */
+ crypt_set_log_callback(cd, quiet_log, NULL);
+ r = crypt_load(cd, CRYPT_LUKS1, NULL);
+ crypt_set_log_callback(cd, tool_log, NULL);
+ if (r == 0) {
+ log_verbose(_("No known problems detected for LUKS header.\n"));
+ goto out;
+ }
+
+ r = yesDialog(_("Really try to repair LUKS device header?"),
+ NULL) ? 0 : -EINVAL;
+ if (r == 0)
+ r = crypt_repair(cd, CRYPT_LUKS1, NULL);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksFormat(void)
+{
+ int r = -EINVAL, keysize;
+ const char *header_device;
+ char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ char *password = NULL;
+ size_t passwordLen;
+ struct crypt_device *cd = NULL;
+ struct crypt_params_luks1 params = {
+ .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
+ .data_alignment = opt_align_payload,
+ .data_device = opt_header_device ? action_argv[0] : NULL,
+ };
+
+ header_device = opt_header_device ?: action_argv[0];
+
+ if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
+ header_device) == -1) {
+ log_err(_("memory allocation error in action_luksFormat"));
+ r = -ENOMEM;
+ goto out;
+ }
+ r = yesDialog(msg, NULL) ? 0 : -EINVAL;
+ free(msg);
+ if (r < 0)
+ goto out;
+
+ r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
+ cipher, NULL, cipher_mode);
+ if (r < 0) {
+ log_err(_("No known cipher specification pattern detected.\n"));
+ goto out;
+ }
+
+ /* Never call pwquality if using null cipher */
+ if (tools_is_cipher_null(cipher))
+ opt_force_password = 1;
+
+ if ((r = crypt_init(&cd, header_device))) {
+ if (opt_header_device)
+ log_err(_("Cannot use %s as on-disk header.\n"), header_device);
+ goto out;
+ }
+
+ keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
+
+ if (opt_iteration_time)
+ crypt_set_iteration_time(cd, opt_iteration_time);
+
+ if (opt_random)
+ crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
+ else if (opt_urandom)
+ crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
+
+ r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, _verify_passphrase(1), 1, cd);
+ if (r < 0)
+ goto out;
+
+ if (opt_master_key_file) {
+ r = _read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+ }
+
+ r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
+ opt_uuid, key, keysize, ¶ms);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
+ key, keysize,
+ password, passwordLen);
+out:
+ crypt_free(cd);
+ crypt_safe_free(key);
+ crypt_safe_free(password);
+
+ return r;
+}
+
+static int action_open_luks(void)
+{
+ struct crypt_device *cd = NULL;
+ const char *data_device, *header_device, *activated_name;
+ char *key = NULL;
+ uint32_t activate_flags = 0;
+ int r, keysize;
+ char *password = NULL;
+ size_t passwordLen;
+
+ header_device = uuid_or_device_header(&data_device);
+
+ activated_name = opt_test_passphrase ? NULL : action_argv[1];
+
+ if ((r = crypt_init(&cd, header_device)))
+ goto out;
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ if (data_device &&
+ (r = crypt_set_data_device(cd, data_device)))
+ goto out;
+
+ if (!data_device && (crypt_get_data_offset(cd) < 8)) {
+ log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (opt_iteration_time)
+ crypt_set_iteration_time(cd, opt_iteration_time);
+
+ _set_activation_flags(&activate_flags);
+
+ if (opt_master_key_file) {
+ keysize = crypt_get_volume_key_size(cd);
+ r = _read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+ r = crypt_activate_by_volume_key(cd, activated_name,
+ key, keysize, activate_flags);
+ } else {
+ r = tools_get_key(NULL, &password, &passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, _verify_passphrase(0), 0, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_activate_by_passphrase(cd, activated_name,
+ opt_key_slot, password, passwordLen, activate_flags);
+ }
+out:
+ crypt_safe_free(key);
+ crypt_safe_free(password);
+ crypt_free(cd);
+ return r;
+}
+
+static int verify_keyslot(struct crypt_device *cd, int key_slot,
+ char *msg_last, char *msg_pass,
+ const char *key_file, int keyfile_offset,
+ int keyfile_size)
+{
+ crypt_keyslot_info ki;
+ char *password = NULL;
+ size_t passwordLen;
+ int i, r;
+
+ ki = crypt_keyslot_status(cd, key_slot);
+ if (ki == CRYPT_SLOT_ACTIVE_LAST && !opt_batch_mode && !key_file &&
+ msg_last && !yesDialog(msg_last, NULL))
+ return -EPERM;
+
+ r = tools_get_key(msg_pass, &password, &passwordLen,
+ keyfile_offset, keyfile_size, key_file, opt_timeout,
+ _verify_passphrase(0), 0, cd);
+ if(r < 0)
+ goto out;
+
+ if (ki == CRYPT_SLOT_ACTIVE_LAST) {
+ /* check the last keyslot */
+ r = crypt_activate_by_passphrase(cd, NULL, key_slot,
+ password, passwordLen, 0);
+ } else {
+ /* try all other keyslots */
+ for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
+ if (i == key_slot)
+ continue;
+ ki = crypt_keyslot_status(cd, key_slot);
+ if (ki == CRYPT_SLOT_ACTIVE)
+ r = crypt_activate_by_passphrase(cd, NULL, i,
+ password, passwordLen, 0);
+ if (r == i)
+ break;
+ }
+ }
+
+ /* Handle inactive keyslots the same as bad password here */
+ if (r == -ENOENT)
+ r = -EPERM;
+
+ if (r == -EPERM)
+ log_err(_("No key available with this passphrase.\n"));
+out:
+ crypt_safe_free(password);
+ return r;
+}
+
+static int action_luksKillSlot(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ switch (crypt_keyslot_status(cd, opt_key_slot)) {
+ case CRYPT_SLOT_ACTIVE_LAST:
+ case CRYPT_SLOT_ACTIVE:
+ log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
+ break;
+ case CRYPT_SLOT_INACTIVE:
+ log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
+ case CRYPT_SLOT_INVALID:
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (!opt_batch_mode || opt_key_file || !isatty(STDIN_FILENO)) {
+ r = verify_keyslot(cd, opt_key_slot,
+ _("This is the last keyslot. Device will become unusable after purging this key."),
+ _("Enter any remaining passphrase: "),
+ opt_key_file, opt_keyfile_offset, opt_keyfile_size);
+ if (r < 0)
+ goto out;
+ }
+
+ r = crypt_keyslot_destroy(cd, opt_key_slot);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksRemoveKey(void)
+{
+ struct crypt_device *cd = NULL;
+ char *password = NULL;
+ size_t passwordLen;
+ int r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ r = tools_get_key(_("Enter passphrase to be deleted: "),
+ &password, &passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout,
+ _verify_passphrase(0), 0,
+ cd);
+ if(r < 0)
+ goto out;
+
+ r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
+ password, passwordLen, 0);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ opt_key_slot = r;
+ log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
+
+ if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
+ !yesDialog(_("This is the last keyslot. "
+ "Device will become unusable after purging this key."),
+ NULL)) {
+ r = -EPERM;
+ goto out;
+ }
+
+ r = crypt_keyslot_destroy(cd, opt_key_slot);
+out:
+ crypt_safe_free(password);
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksAddKey(void)
+{
+ int r = -EINVAL, keysize = 0;
+ char *key = NULL;
+ const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
+ char *password = NULL, *password_new = NULL;
+ size_t password_size = 0, password_new_size = 0;
+ struct crypt_device *cd = NULL;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ /* Never call pwquality if using null cipher */
+ if (tools_is_cipher_null(crypt_get_cipher(cd)))
+ opt_force_password = 1;
+
+ keysize = crypt_get_volume_key_size(cd);
+ if (opt_iteration_time)
+ crypt_set_iteration_time(cd, opt_iteration_time);
+
+ if (opt_master_key_file) {
+ r = _read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+
+ r = crypt_volume_key_verify(cd, key, keysize);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ r = tools_get_key(_("Enter new passphrase for key slot: "),
+ &password_new, &password_new_size,
+ opt_new_keyfile_offset, opt_new_keyfile_size,
+ opt_new_key_file, opt_timeout,
+ _verify_passphrase(1), 1, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot, key, keysize,
+ password_new, password_new_size);
+ } else if (opt_key_file && !tools_is_stdin(opt_key_file) &&
+ opt_new_key_file && !tools_is_stdin(opt_new_key_file)) {
+ r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
+ opt_key_file, opt_keyfile_size, opt_keyfile_offset,
+ opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
+ } else {
+ r = tools_get_key(_("Enter any existing passphrase: "),
+ &password, &password_size,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, _verify_passphrase(0), 0, cd);
+
+ if (r < 0)
+ goto out;
+
+ /* Check password before asking for new one */
+ r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
+ password, password_size, 0);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ r = tools_get_key(_("Enter new passphrase for key slot: "),
+ &password_new, &password_new_size,
+ opt_new_keyfile_offset, opt_new_keyfile_size, opt_new_key_file,
+ opt_timeout, _verify_passphrase(1), opt_new_key_file ? 0 : 1, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
+ password, password_size,
+ password_new, password_new_size);
+ }
+out:
+ crypt_safe_free(password);
+ crypt_safe_free(password_new);
+ crypt_safe_free(key);
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksChangeKey(void)
+{
+ const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
+ struct crypt_device *cd = NULL;
+ char *password = NULL, *password_new = NULL;
+ size_t password_size = 0, password_new_size = 0;
+ int r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ /* Never call pwquality if using null cipher */
+ if (tools_is_cipher_null(crypt_get_cipher(cd)))
+ opt_force_password = 1;
+
+ if (opt_iteration_time)
+ crypt_set_iteration_time(cd, opt_iteration_time);
+
+ r = tools_get_key(_("Enter passphrase to be changed: "),
+ &password, &password_size,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, _verify_passphrase(0), 0, cd);
+ if (r < 0)
+ goto out;
+
+ /* Check password before asking for new one */
+ r = crypt_activate_by_passphrase(cd, NULL, opt_key_slot,
+ password, password_size, 0);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ r = tools_get_key(_("Enter new passphrase: "),
+ &password_new, &password_new_size,
+ opt_new_keyfile_offset, opt_new_keyfile_size,
+ opt_new_key_file,
+ opt_timeout, _verify_passphrase(1), 1, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_keyslot_change_by_passphrase(cd, opt_key_slot, opt_key_slot,
+ password, password_size, password_new, password_new_size);
+out:
+ crypt_safe_free(password);
+ crypt_safe_free(password_new);
+ crypt_free(cd);
+ return r;
+}
+
+static int action_isLuks(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ /* FIXME: argc > max should be checked for other operations as well */
+ if (action_argc > 1) {
+ log_err(_("Only one device argument for isLuks operation is supported.\n"));
+ return -ENODEV;
+ }
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_log_callback(cd, quiet_log, NULL);
+ r = crypt_load(cd, CRYPT_LUKS1, NULL);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksUUID(void)
+{
+ struct crypt_device *cd = NULL;
+ const char *existing_uuid = NULL;
+ int r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ if (opt_uuid)
+ r = crypt_set_uuid(cd, opt_uuid);
+ else {
+ existing_uuid = crypt_get_uuid(cd);
+ log_std("%s\n", existing_uuid ?: "");
+ r = existing_uuid ? 0 : 1;
+ }
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int luksDump_with_volume_key(struct crypt_device *cd)
+{
+ char *vk = NULL, *password = NULL;
+ size_t passwordLen = 0;
+ size_t vk_size;
+ unsigned i;
+ int r;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+ if (!yesDialog(
+ _("Header dump with volume key is sensitive information\n"
+ "which allows access to encrypted partition without passphrase.\n"
+ "This dump should be always stored encrypted on safe place."),
+ NULL))
+ return -EPERM;
+
+ vk_size = crypt_get_volume_key_size(cd);
+ vk = crypt_safe_alloc(vk_size);
+ if (!vk)
+ return -ENOMEM;
+
+ r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, 0, 0, cd);
+ if (r < 0)
+ goto out;
+
+ r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
+ password, passwordLen);
+ check_signal(&r);
+ if (r < 0)
+ goto out;
+
+ log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
+ log_std("Cipher name: \t%s\n", crypt_get_cipher(cd));
+ log_std("Cipher mode: \t%s\n", crypt_get_cipher_mode(cd));
+ log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
+ log_std("UUID: \t%s\n", crypt_get_uuid(cd));
+ log_std("MK bits: \t%d\n", (int)vk_size * 8);
+ log_std("MK dump:\t");
+
+ for(i = 0; i < vk_size; i++) {
+ if (i && !(i % 16))
+ log_std("\n\t\t");
+ log_std("%02hhx ", (char)vk[i]);
+ }
+ log_std("\n");
+
+out:
+ crypt_safe_free(password);
+ crypt_safe_free(vk);
+ return r;
+}
+
+static int action_luksDump(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ if (opt_dump_master_key)
+ r = luksDump_with_volume_key(cd);
+ else
+ r = crypt_dump(cd);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksSuspend(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device));
+ if (!r)
+ r = crypt_suspend(cd, action_argv[0]);
+
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksResume(void)
+{
+ struct crypt_device *cd = NULL;
+ char *password = NULL;
+ size_t passwordLen;
+ int r;
+
+ if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device))))
+ goto out;
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ r = tools_get_key(NULL, &password, &passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+ opt_timeout, _verify_passphrase(0), 0, cd);
+ if (r)
+ goto out;
+
+ r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT, password, passwordLen);
+out:
+ crypt_safe_free(password);
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksBackup(void)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ if (!opt_header_backup_file) {
+ log_err(_("Option --header-backup-file is required.\n"));
+ return -EINVAL;
+ }
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_luksRestore(void)
+{
+ struct crypt_device *cd = NULL;
+ int r = 0;
+
+ if (!opt_header_backup_file) {
+ log_err(_("Option --header-backup-file is required.\n"));
+ return -EINVAL;
+ }
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+ r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
+out:
+ crypt_free(cd);
+ return r;
+}
+
+static int action_open(void)
+{
+ if (!opt_type)
+ return -EINVAL;
+
+ if (!strcmp(opt_type, "luks") || !strcmp(opt_type, "luks1")) {
+ if (action_argc < 2 && !opt_test_passphrase)
+ goto args;
+ return action_open_luks();
+ } else if (!strcmp(opt_type, "plain")) {
+ if (action_argc < 2)
+ goto args;
+ return action_open_plain();
+ } else if (!strcmp(opt_type, "loopaes")) {
+ if (action_argc < 2)
+ goto args;
+ return action_open_loopaes();
+ } else if (!strcmp(opt_type, "tcrypt")) {
+ if (action_argc < 2 && !opt_test_passphrase)
+ goto args;
+ return action_open_tcrypt();
+ }
+
+ log_err(_("Unrecognized metadata device type %s.\n"), opt_type);
+ return -EINVAL;
+args:
+ log_err(_("Command requires device and mapped name as arguments.\n"));
+ return -EINVAL;
+}
+
+static int action_luksErase(void)
+{
+ struct crypt_device *cd = NULL;
+ crypt_keyslot_info ki;
+ char *msg = NULL;
+ int i, r;
+
+ if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
+ goto out;
+
+ crypt_set_confirm_callback(cd, yesDialog, NULL);
+
+ if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n"
+ "Device will become unusable after this operation."),
+ uuid_or_device_header(NULL)) == -1) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ if (!yesDialog(msg, NULL)) {
+ r = -EPERM;
+ goto out;
+ }
+
+ for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
+ ki = crypt_keyslot_status(cd, i);
+ if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
+ r = crypt_keyslot_destroy(cd, i);
+ if (r < 0)
+ goto out;
+ }
+ }
+out:
+ free(msg);
+ crypt_free(cd);
+ return r;
+}
+
+static struct action_type {
+ const char *type;
+ int (*handler)(void);
+ int required_action_argc;
+ int required_memlock;
+ const char *arg_desc;
+ const char *desc;
+} action_types[] = {
+ { "open", action_open, 1, 1, N_("<device> [--type <type>] [<name>]"),N_("open device as mapping <name>") },
+ { "close", action_close, 1, 1, N_("<name>"), N_("close device (remove mapping)") },
+ { "resize", action_resize, 1, 1, N_("<name>"), N_("resize active device") },
+ { "status", action_status, 1, 0, N_("<name>"), N_("show device status") },
+ { "benchmark", action_benchmark, 0, 0, N_("[--cipher <cipher>]"), N_("benchmark cipher") },
+ { "repair", action_luksRepair, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
+ { "erase", action_luksErase , 1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
+ { "luksFormat", action_luksFormat, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
+ { "luksAddKey", action_luksAddKey, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
+ { "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
+ { "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
+ { "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
+ { "luksUUID", action_luksUUID, 1, 0, N_("<device>"), N_("print UUID of LUKS device") },
+ { "isLuks", action_isLuks, 1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
+ { "luksDump", action_luksDump, 1, 1, N_("<device>"), N_("dump LUKS partition information") },
+ { "tcryptDump", action_tcryptDump, 1, 1, N_("<device>"), N_("dump TCRYPT device information") },
+ { "luksSuspend", action_luksSuspend, 1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
+ { "luksResume", action_luksResume, 1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
+ { "luksHeaderBackup", action_luksBackup,1,1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
+ { "luksHeaderRestore",action_luksRestore,1,1,N_("<device>"), N_("Restore LUKS device header and keyslots") },
+ {}
+};
+
+static void help(poptContext popt_context,
+ enum poptCallbackReason reason __attribute__((unused)),
+ struct poptOption *key,
+ const char *arg __attribute__((unused)),
+ void *data __attribute__((unused)))
+{
+ if (key->shortName == '?') {
+ struct action_type *action;
+
+ log_std("%s\n",PACKAGE_STRING);
+
+ poptPrintHelp(popt_context, stdout, 0);
+
+ log_std(_("\n"
+ "<action> is one of:\n"));
+
+ for(action = action_types; action->type; action++)
+ log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
+
+ log_std(_("\n"
+ "You can also use old <action> syntax aliases:\n"
+ "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
+ "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"));
+ log_std(_("\n"
+ "<name> is the device to create under %s\n"
+ "<device> is the encrypted device\n"
+ "<key slot> is the LUKS key slot number to modify\n"
+ "<key file> optional key file for the new key for luksAddKey action\n"),
+ crypt_get_dir());
+
+ log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
+ "\tMaximum keyfile size: %dkB, "
+ "Maximum interactive passphrase length %d (characters)\n"
+ "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
+ DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
+ DEFAULT_LUKS1_ITER_TIME);
+
+ log_std(_("\nDefault compiled-in device cipher parameters:\n"
+ "\tloop-AES: %s, Key %d bits\n"
+ "\tplain: %s, Key: %d bits, Password hashing: %s\n"
+ "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
+ DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
+ DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
+ DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
+ DEFAULT_RNG);
+ exit(EXIT_SUCCESS);
+ } else
+ usage(popt_context, EXIT_SUCCESS, NULL, NULL);
+}
+
+static void help_args(struct action_type *action, poptContext popt_context)
+{
+ char buf[128];
+
+ snprintf(buf, sizeof(buf), _("%s: requires %s as arguments"), action->type, action->arg_desc);
+ usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context));
+}
+
+static int run_action(struct action_type *action)
+{
+ int r;
+
+ log_dbg("Running command %s.", action->type);
+
+ if (action->required_memlock)
+ crypt_memory_lock(NULL, 1);
+
+ set_int_handler(0);
+ r = action->handler();
+
+ if (action->required_memlock)
+ crypt_memory_lock(NULL, 0);
+
+ /* Some functions returns keyslot # */
+ if (r > 0)
+ r = 0;
+ check_signal(&r);
+
+ show_status(r);
+ return translate_errno(r);
+}
+
+int main(int argc, const char **argv)
+{
+ static char *popt_tmp;
+ static struct poptOption popt_help_options[] = {
+ { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
+ { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
+ { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
+ POPT_TABLEEND
+ };
+ static struct poptOption popt_options[] = {
+ { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
+ { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
+ { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
+ { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
+ { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
+ { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
+ { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL },
+ { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 5, N_("Read the key from a file."), NULL },
+ { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
+ { "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
+ { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
+ { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
+ { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
+ { "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
+ { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset, 0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
+ { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
+ { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
+ { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
+ { "skip", 'p', POPT_ARG_STRING, &popt_tmp, 3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
+ { "readonly", 'r', POPT_ARG_NONE, &opt_readonly, 0, N_("Create a readonly mapping"), NULL },
+ { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
+ { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
+ { "timeout", 't', POPT_ARG_INT, &opt_timeout, 0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
+ { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
+ { "align-payload", '\0', POPT_ARG_INT, &opt_align_payload, 0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
+ { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file, 0, N_("File with LUKS header and keyslots backup."), NULL },
+ { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
+ { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
+ { "shared", '\0', POPT_ARG_NONE, &opt_shared, 0, N_("Share device with another non-overlapping crypt segment."), NULL },
+ { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
+ { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
+ { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
+ { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
+ { "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
+ { "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
+ { "tcrypt-backup", '\0', POPT_ARG_NONE, &opt_tcrypt_backup, 0, N_("Use backup (secondary) TCRYPT header."), NULL },
+ { "veracrypt", '\0', POPT_ARG_NONE, &opt_veracrypt, 0, N_("Scan also for VeraCrypt compatible device."), NULL },
+ { "veracrypt-pim", '\0', POPT_ARG_INT, &opt_veracrypt_pim, 0, N_("Personal Iteration Multiplier for for VeraCrypt compatible device."), NULL },
+ { "veracrypt-query-pim", '\0', POPT_ARG_NONE, &opt_veracrypt_query_pim, 0, N_("Query Personal Iteration Multiplier for for VeraCrypt compatible device."), NULL },
+ { "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
+ { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
+ { "perf-same_cpu_crypt",'\0', POPT_ARG_NONE, &opt_perf_same_cpu_crypt, 0, N_("Use dm-crypt same_cpu_crypt performance compatibility option."), NULL },
+ { "perf-submit_from_crypt_cpus",'\0', POPT_ARG_NONE, &opt_perf_submit_from_crypt_cpus,0,N_("Use dm-crypt submit_from_crypt_cpus performance compatibility option."), NULL },
+ POPT_TABLEEND
+ };
+ poptContext popt_context;
+ struct action_type *action;
+ const char *aname;
+ int r, total_keyfiles = 0;
+
+ crypt_set_log_callback(NULL, tool_log, NULL);
+
+ setlocale(LC_ALL, "");
+ bindtextdomain(PACKAGE, LOCALEDIR);
+ textdomain(PACKAGE);
+
+ popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
+ poptSetOtherOptionHelp(popt_context,
+ _("[OPTION...] <action> <action-specific>"));
+
+ while((r = poptGetNextOpt(popt_context)) > 0) {
+ unsigned long long ull_value;
+ char *endp, *kf;
+
+ if (r == 5) {
+ kf = poptGetOptArg(popt_context);
+ if (tools_is_stdin(kf))
+ opt_keyfile_stdin = kf;
+ else if (opt_keyfiles_count < MAX_KEYFILES)
+ opt_keyfiles[opt_keyfiles_count++] = kf;
+ total_keyfiles++;
+ continue;
+ }
+
+ errno = 0;
+ ull_value = strtoull(popt_tmp, &endp, 0);
+ if (*endp || !*popt_tmp ||
+ (errno == ERANGE && ull_value == ULLONG_MAX) ||
+ (errno != 0 && ull_value == 0))
+ r = POPT_ERROR_BADNUMBER;
+
+ switch(r) {
+ case 1:
+ opt_size = ull_value;
+ break;
+ case 2:
+ opt_offset = ull_value;
+ break;
+ case 3:
+ opt_skip = ull_value;
+ opt_skip_valid = 1;
+ break;
+ }
+
+ if (r < 0)
+ break;
+ }
+
+ if (r < -1)
+ usage(popt_context, EXIT_FAILURE, poptStrerror(r),
+ poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
+
+ if (opt_version_mode) {
+ log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
+ poptFreeContext(popt_context);
+ exit(EXIT_SUCCESS);
+ }
+
+ if (!(aname = poptGetArg(popt_context)))
+ usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
+ poptGetInvocationName(popt_context));
+
+ action_argc = 0;
+ action_argv = poptGetArgs(popt_context);
+ /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
+ if(!action_argv)
+ action_argv = null_action_argv;
+
+ /* Count args, somewhat unnice, change? */
+ while(action_argv[action_argc] != NULL)
+ action_argc++;
+
+ /* Handle aliases */
+ if (!strcmp(aname, "create")) {
+ /* create command had historically switched arguments */
+ if (action_argv[0] && action_argv[1]) {
+ const char *tmp = action_argv[0];
+ action_argv[0] = action_argv[1];
+ action_argv[1] = tmp;
+ }
+ aname = "open";
+ opt_type = "plain";
+ } else if (!strcmp(aname, "plainOpen")) {
+ aname = "open";
+ opt_type = "plain";
+ } else if (!strcmp(aname, "luksOpen")) {
+ aname = "open";
+ opt_type = "luks";
+ } else if (!strcmp(aname, "loopaesOpen")) {
+ aname = "open";
+ opt_type = "loopaes";
+ } else if (!strcmp(aname, "tcryptOpen")) {
+ aname = "open";
+ opt_type = "tcrypt";
+ } else if (!strcmp(aname, "tcryptDump")) {
+ opt_type = "tcrypt";
+ } else if (!strcmp(aname, "remove") ||
+ !strcmp(aname, "plainClose") ||
+ !strcmp(aname, "luksClose") ||
+ !strcmp(aname, "loopaesClose") ||
+ !strcmp(aname, "tcryptClose")) {
+ aname = "close";
+ } else if (!strcmp(aname, "luksErase")) {
+ aname = "erase";
+ opt_type = "luks";
+ }
+
+ for(action = action_types; action->type; action++)
+ if (strcmp(action->type, aname) == 0)
+ break;
+
+ if (!action->type)
+ usage(popt_context, EXIT_FAILURE, _("Unknown action."),
+ poptGetInvocationName(popt_context));
+
+ if (action_argc < action->required_action_argc)
+ help_args(action, popt_context);
+
+ /* FIXME: rewrite this from scratch */
+
+ if (opt_shared && (strcmp(aname, "open") || strcmp(opt_type, "plain")) )
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --shared is allowed only for open of plain device.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_allow_discards && strcmp(aname, "open"))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --allow-discards is allowed only for open operation.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_key_size &&
+ strcmp(aname, "luksFormat") &&
+ strcmp(aname, "open") &&
+ strcmp(aname, "benchmark"))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --key-size is allowed only for luksFormat, open and benchmark.\n"
+ "To limit read from keyfile use --keyfile-size=(bytes)."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_test_passphrase && (strcmp(aname, "open") ||
+ (strcmp(opt_type, "luks") && strcmp(opt_type, "tcrypt"))))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_key_size % 8)
+ usage(popt_context, EXIT_FAILURE,
+ _("Key size must be a multiple of 8 bits"),
+ poptGetInvocationName(popt_context));
+
+ if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
+ opt_key_slot = atoi(action_argv[1]);
+ if (opt_key_slot != CRYPT_ANY_SLOT &&
+ (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
+ usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
+ poptGetInvocationName(popt_context));
+
+ if ((!strcmp(aname, "luksRemoveKey") ||
+ !strcmp(aname, "luksFormat")) &&
+ action_argc > 1) {
+ if (opt_key_file)
+ log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
+ else
+ opt_key_file = action_argv[1];
+ }
+
+ if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
+ opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
+ usage(popt_context, EXIT_FAILURE,
+ _("Negative number for option not permitted."),
+ poptGetInvocationName(popt_context));
+
+ if (total_keyfiles > 1 && strcmp(opt_type, "tcrypt"))
+ usage(popt_context, EXIT_FAILURE, _("Only one --key-file argument is allowed."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_random && opt_urandom)
+ usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
+ poptGetInvocationName(popt_context));
+
+ if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
+ usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
+ usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_align_payload && strcmp(aname, "luksFormat"))
+ usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_skip && (strcmp(aname, "open") ||
+ (strcmp(opt_type, "plain") && strcmp(opt_type, "loopaes"))))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --skip is supported only for open of plain and loopaes devices.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_offset && (strcmp(aname, "open") ||
+ (strcmp(opt_type, "plain") && strcmp(opt_type, "loopaes"))))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --offset is supported only for open of plain and loopaes devices.\n"),
+ poptGetInvocationName(popt_context));
+
+ if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") &&
+ (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_tcrypt_hidden && opt_allow_discards)
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --tcrypt-hidden cannot be combined with --allow-discards.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_veracrypt && strcmp(opt_type, "tcrypt"))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --veracrypt is supported only for TCRYPT device type.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_veracrypt_pim != -1) {
+ if (opt_veracrypt_pim < -1) {
+ usage(popt_context, EXIT_FAILURE,
+ _("Invalid argument for parameter --veracrypt-pim supplied.\n"),
+ poptGetInvocationName(popt_context));
+ } else if (!opt_veracrypt) {
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"),
+ poptGetInvocationName(popt_context));
+ }
+ }
+
+ if (opt_veracrypt_query_pim) {
+ if (!opt_veracrypt) {
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"),
+ poptGetInvocationName(popt_context));
+ } else if (opt_veracrypt_pim != -1) {
+ usage(popt_context, EXIT_FAILURE,
+ _("The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"),
+ poptGetInvocationName(popt_context));
+ }
+ }
+
+ if (opt_debug) {
+ opt_verbose = 1;
+ crypt_set_debug_level(-1);
+ dbg_version_and_cmd(argc, argv);
+ }
+
+ r = run_action(action);
+ poptFreeContext(popt_context);
+ return r;
+}
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
new file mode 100644
index 0000000..d05ae69
--- /dev/null
+++ b/src/cryptsetup.h
@@ -0,0 +1,94 @@
+/*
+ * cryptsetup - setup cryptographic volumes for dm-crypt
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef CRYPTSETUP_H
+#define CRYPTSETUP_H
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <errno.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <popt.h>
+#include <sys/stat.h>
+
+#include "lib/nls.h"
+#include "lib/utils_crypt.h"
+#include "lib/utils_loop.h"
+#include "lib/utils_fips.h"
+
+#include "libcryptsetup.h"
+
+#define CONST_CAST(x) (x)(uintptr_t)
+#define DEFAULT_CIPHER(type) (DEFAULT_##type##_CIPHER "-" DEFAULT_##type##_MODE)
+#define SECTOR_SIZE 512
+#define ROUND_SECTOR(x) (((x) + SECTOR_SIZE - 1) / SECTOR_SIZE)
+
+extern int opt_debug;
+extern int opt_verbose;
+extern int opt_batch_mode;
+extern int opt_force_password;
+
+/* Common tools */
+void clogger(struct crypt_device *cd, int level, const char *file, int line,
+ const char *format, ...) __attribute__ ((format (printf, 5, 6)));
+void tool_log(int level, const char *msg, void *usrptr __attribute__((unused)));
+void quiet_log(int level, const char *msg, void *usrptr);
+
+int yesDialog(const char *msg, void *usrptr __attribute__((unused)));
+void show_status(int errcode);
+const char *uuid_or_device(const char *spec);
+__attribute__ ((noreturn)) \
+void usage(poptContext popt_context, int exitcode, const char *error, const char *more);
+void dbg_version_and_cmd(int argc, const char **argv);
+int translate_errno(int r);
+
+extern volatile int quit;
+void set_int_block(int block);
+void set_int_handler(int block);
+void check_signal(int *r);
+int tools_signals_blocked(void);
+
+int tools_get_key(const char *prompt,
+ char **key, size_t *key_size,
+ size_t keyfile_offset, size_t keyfile_size_max,
+ const char *key_file,
+ int timeout, int verify, int pwquality,
+ struct crypt_device *cd);
+int tools_is_stdin(const char *key_file);
+int tools_string_to_size(struct crypt_device *cd, const char *s, uint64_t *size);
+int tools_is_cipher_null(const char *cipher);
+
+/* Log */
+#define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
+#define log_std(x...) clogger(NULL, CRYPT_LOG_NORMAL, __FILE__, __LINE__, x)
+#define log_verbose(x...) clogger(NULL, CRYPT_LOG_VERBOSE, __FILE__, __LINE__, x)
+#define log_err(x...) clogger(NULL, CRYPT_LOG_ERROR, __FILE__, __LINE__, x)
+
+#endif /* CRYPTSETUP_H */
diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
new file mode 100644
index 0000000..c460a8e
--- /dev/null
+++ b/src/cryptsetup_reencrypt.c
@@ -0,0 +1,1442 @@
+/*
+ * cryptsetup-reencrypt - crypt utility for offline re-encryption
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <linux/fs.h>
+#include <arpa/inet.h>
+#include <uuid/uuid.h>
+
+#define PACKAGE_REENC "crypt_reencrypt"
+
+#define NO_UUID "cafecafe-cafe-cafe-cafe-cafecafeeeee"
+#define MAX_BCK_SECTORS 8192
+
+static const char *opt_cipher = NULL;
+static const char *opt_hash = NULL;
+static const char *opt_key_file = NULL;
+static const char *opt_uuid = NULL;
+static long opt_keyfile_size = 0;
+static long opt_keyfile_offset = 0;
+static int opt_iteration_time = 1000;
+static int opt_version_mode = 0;
+static int opt_random = 0;
+static int opt_urandom = 0;
+static int opt_bsize = 4;
+static int opt_directio = 0;
+static int opt_fsync = 0;
+static int opt_write_log = 0;
+static int opt_tries = 3;
+static int opt_key_slot = CRYPT_ANY_SLOT;
+static int opt_key_size = 0;
+static int opt_new = 0;
+static int opt_keep_key = 0;
+static int opt_decrypt = 0;
+
+static const char *opt_reduce_size_str = NULL;
+static uint64_t opt_reduce_size = 0;
+
+static const char *opt_device_size_str = NULL;
+static uint64_t opt_device_size = 0;
+
+static const char **action_argv;
+
+#define MAX_SLOT 8
+struct reenc_ctx {
+ char *device;
+ char *device_uuid;
+ uint64_t device_size; /* overrided by parameter */
+ uint64_t device_size_new_real;
+ uint64_t device_size_org_real;
+ uint64_t device_offset;
+ uint64_t device_shift;
+
+ int stained:1;
+ int in_progress:1;
+ enum { FORWARD = 0, BACKWARD = 1 } reencrypt_direction;
+ enum { REENCRYPT = 0, ENCRYPT = 1, DECRYPT = 2 } reencrypt_mode;
+
+ char header_file_org[PATH_MAX];
+ char header_file_new[PATH_MAX];
+ char log_file[PATH_MAX];
+
+ char crypt_path_org[PATH_MAX];
+ char crypt_path_new[PATH_MAX];
+ int log_fd;
+ char log_buf[SECTOR_SIZE];
+
+ struct {
+ char *password;
+ size_t passwordLen;
+ } p[MAX_SLOT];
+ int keyslot;
+
+ struct timeval start_time, end_time;
+ uint64_t resume_bytes;
+};
+
+char MAGIC[] = {'L','U','K','S', 0xba, 0xbe};
+char NOMAGIC[] = {'L','U','K','S', 0xde, 0xad};
+int MAGIC_L = 6;
+
+typedef enum {
+ MAKE_UNUSABLE,
+ MAKE_USABLE,
+ CHECK_UNUSABLE,
+ CHECK_OPEN,
+} header_magic;
+
+static void _quiet_log(int level, const char *msg, void *usrptr)
+{
+ if (!opt_debug)
+ return;
+ tool_log(level, msg, usrptr);
+}
+
+/* The difference in seconds between two times in "timeval" format. */
+static double time_diff(struct timeval start, struct timeval end)
+{
+ return (end.tv_sec - start.tv_sec)
+ + (end.tv_usec - start.tv_usec) / 1E6;
+}
+
+static int alignment(int fd)
+{
+ int alignment;
+
+ alignment = fpathconf(fd, _PC_REC_XFER_ALIGN);
+ if (alignment < 0)
+ alignment = 4096;
+ return alignment;
+}
+
+static size_t pagesize(void)
+{
+ long r = sysconf(_SC_PAGESIZE);
+ return r < 0 ? 4096 : (size_t)r;
+}
+
+/* Depends on the first two fields of LUKS1 header format, magic and version */
+static int device_check(struct reenc_ctx *rc, header_magic set_magic)
+{
+ char *buf = NULL;
+ int r, devfd;
+ ssize_t s;
+ uint16_t version;
+ size_t buf_size = pagesize();
+
+ devfd = open(rc->device, O_RDWR | O_EXCL | O_DIRECT);
+ if (devfd == -1) {
+ if (errno == EBUSY) {
+ log_err(_("Cannot exclusively open %s, device in use.\n"),
+ rc->device);
+ return -EBUSY;
+ }
+ log_err(_("Cannot open device %s.\n"), rc->device);
+ return -EINVAL;
+ }
+
+ if (set_magic == CHECK_OPEN) {
+ r = 0;
+ goto out;
+ }
+
+ if (posix_memalign((void *)&buf, alignment(devfd), buf_size)) {
+ log_err(_("Allocation of aligned memory failed.\n"));
+ r = -ENOMEM;
+ goto out;
+ }
+
+ s = read(devfd, buf, buf_size);
+ if (s < 0 || s != (ssize_t)buf_size) {
+ log_err(_("Cannot read device %s.\n"), rc->device);
+ r = -EIO;
+ goto out;
+ }
+
+ /* Be sure that we do not process new version of header */
+ memcpy((void*)&version, &buf[MAGIC_L], sizeof(uint16_t));
+ version = ntohs(version);
+
+ if (set_magic == MAKE_UNUSABLE && !memcmp(buf, MAGIC, MAGIC_L) &&
+ version == 1) {
+ log_verbose(_("Marking LUKS device %s unusable.\n"), rc->device);
+ memcpy(buf, NOMAGIC, MAGIC_L);
+ r = 0;
+ } else if (set_magic == CHECK_UNUSABLE && version == 1) {
+ r = memcmp(buf, NOMAGIC, MAGIC_L) ? -EINVAL : 0;
+ if (!r)
+ rc->device_uuid = strndup(&buf[0xa8], 40);
+ goto out;
+ } else
+ r = -EINVAL;
+
+ if (!r) {
+ if (lseek(devfd, 0, SEEK_SET) == -1)
+ goto out;
+ s = write(devfd, buf, buf_size);
+ if (s < 0 || s != (ssize_t)buf_size) {
+ log_err(_("Cannot write device %s.\n"), rc->device);
+ r = -EIO;
+ }
+ if (s > 0 && set_magic == MAKE_UNUSABLE)
+ rc->stained = 1;
+ } else
+ log_dbg("LUKS signature check failed for %s.", rc->device);
+out:
+ if (buf)
+ memset(buf, 0, buf_size);
+ free(buf);
+ close(devfd);
+ return r;
+}
+
+static int create_empty_header(const char *new_file, const char *old_file,
+ uint64_t data_sector)
+{
+ struct stat st;
+ ssize_t size = 0;
+ int fd, r = 0;
+ char *buf;
+
+ /* Never create header > 4MiB */
+ if (data_sector > MAX_BCK_SECTORS)
+ data_sector = MAX_BCK_SECTORS;
+
+ /* new header file of the same size as old backup */
+ if (old_file) {
+ if (stat(old_file, &st) == -1 ||
+ (st.st_mode & S_IFMT) != S_IFREG ||
+ (st.st_size > 16 * 1024 * 1024))
+ return -EINVAL;
+ size = st.st_size;
+ }
+
+ /*
+ * if requesting key size change, try to use offset
+ * here can be enough space to fit new key.
+ */
+ if (opt_key_size)
+ size = data_sector * SECTOR_SIZE;
+
+ /* if reducing size, be sure we have enough space */
+ if (opt_reduce_size)
+ size += opt_reduce_size;
+
+ log_dbg("Creating empty file %s of size %lu.", new_file, (unsigned long)size);
+
+ if (!size || !(buf = malloc(size)))
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ fd = creat(new_file, S_IRUSR|S_IWUSR);
+ if(fd == -1) {
+ free(buf);
+ return -EINVAL;
+ }
+
+ if (write(fd, buf, size) < size)
+ r = -EIO;
+
+ close(fd);
+ free(buf);
+ return r;
+}
+
+static int write_log(struct reenc_ctx *rc)
+{
+ ssize_t r;
+
+ memset(rc->log_buf, 0, SECTOR_SIZE);
+ snprintf(rc->log_buf, SECTOR_SIZE, "# LUKS reencryption log, DO NOT EDIT OR DELETE.\n"
+ "version = %d\nUUID = %s\ndirection = %d\nmode = %d\n"
+ "offset = %" PRIu64 "\nshift = %" PRIu64 "\n# EOF\n",
+ 2, rc->device_uuid, rc->reencrypt_direction, rc->reencrypt_mode,
+ rc->device_offset, rc->device_shift);
+
+ if (lseek(rc->log_fd, 0, SEEK_SET) == -1)
+ return -EIO;
+
+ r = write(rc->log_fd, rc->log_buf, SECTOR_SIZE);
+ if (r < 0 || r != SECTOR_SIZE) {
+ log_err(_("Cannot write reencryption log file.\n"));
+ return -EIO;
+ }
+
+ return 0;
+}
+
+static int parse_line_log(struct reenc_ctx *rc, const char *line)
+{
+ uint64_t u64;
+ int i;
+ char s[64];
+
+ /* whole line is comment */
+ if (*line == '#')
+ return 0;
+
+ if (sscanf(line, "version = %d", &i) == 1) {
+ if (i < 1 || i > 2) {
+ log_dbg("Log: Unexpected version = %i", i);
+ return -EINVAL;
+ }
+ } else if (sscanf(line, "UUID = %40s", s) == 1) {
+ if (!rc->device_uuid || strcmp(rc->device_uuid, s)) {
+ log_dbg("Log: Unexpected UUID %s", s);
+ return -EINVAL;
+ }
+ } else if (sscanf(line, "direction = %d", &i) == 1) {
+ log_dbg("Log: direction = %i", i);
+ rc->reencrypt_direction = i;
+ } else if (sscanf(line, "offset = %" PRIu64, &u64) == 1) {
+ log_dbg("Log: offset = %" PRIu64, u64);
+ rc->device_offset = u64;
+ } else if (sscanf(line, "shift = %" PRIu64, &u64) == 1) {
+ log_dbg("Log: shift = %" PRIu64, u64);
+ rc->device_shift = u64;
+ } else if (sscanf(line, "mode = %d", &i) == 1) { /* added in v2 */
+ log_dbg("Log: mode = %i", i);
+ rc->reencrypt_mode = i;
+ if (rc->reencrypt_mode != REENCRYPT &&
+ rc->reencrypt_mode != ENCRYPT &&
+ rc->reencrypt_mode != DECRYPT)
+ return -EINVAL;
+ } else
+ return -EINVAL;
+
+ return 0;
+}
+
+static int parse_log(struct reenc_ctx *rc)
+{
+ char *start, *end;
+ ssize_t s;
+
+ s = read(rc->log_fd, rc->log_buf, SECTOR_SIZE);
+ if (s == -1) {
+ log_err(_("Cannot read reencryption log file.\n"));
+ return -EIO;
+ }
+
+ rc->log_buf[SECTOR_SIZE - 1] = '\0';
+ start = rc->log_buf;
+ do {
+ end = strchr(start, '\n');
+ if (end) {
+ *end++ = '\0';
+ if (parse_line_log(rc, start)) {
+ log_err("Wrong log format.\n");
+ return -EINVAL;
+ }
+ }
+
+ start = end;
+ } while (start);
+
+ return 0;
+}
+
+static void close_log(struct reenc_ctx *rc)
+{
+ log_dbg("Closing LUKS reencryption log file %s.", rc->log_file);
+ if (rc->log_fd != -1)
+ close(rc->log_fd);
+}
+
+static int open_log(struct reenc_ctx *rc)
+{
+ int flags = opt_fsync ? O_SYNC : 0;
+
+ rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR);
+ if (rc->log_fd != -1) {
+ log_dbg("Created LUKS reencryption log file %s.", rc->log_file);
+ rc->stained = 0;
+ } else if (errno == EEXIST) {
+ log_std(_("Log file %s exists, resuming reencryption.\n"), rc->log_file);
+ rc->log_fd = open(rc->log_file, O_RDWR|flags);
+ rc->in_progress = 1;
+ }
+
+ if (rc->log_fd == -1)
+ return -EINVAL;
+
+ if (!rc->in_progress && write_log(rc) < 0) {
+ close_log(rc);
+ return -EIO;
+ }
+
+ /* Be sure it is correct format */
+ return parse_log(rc);
+}
+
+static int activate_luks_headers(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd = NULL, *cd_new = NULL;
+ const char *pwd_old, *pwd_new, pwd_empty[] = "";
+ size_t pwd_old_len, pwd_new_len;
+ int r;
+
+ log_dbg("Activating LUKS devices from headers.");
+
+ /* Never use real password for empty header processing */
+ if (rc->reencrypt_mode == REENCRYPT) {
+ pwd_old = rc->p[rc->keyslot].password;
+ pwd_old_len = rc->p[rc->keyslot].passwordLen;
+ pwd_new = pwd_old;
+ pwd_new_len = pwd_old_len;
+ } else if (rc->reencrypt_mode == DECRYPT) {
+ pwd_old = rc->p[rc->keyslot].password;
+ pwd_old_len = rc->p[rc->keyslot].passwordLen;
+ pwd_new = pwd_empty;
+ pwd_new_len = 0;
+ } else if (rc->reencrypt_mode == ENCRYPT) {
+ pwd_old = pwd_empty;
+ pwd_old_len = 0;
+ pwd_new = rc->p[rc->keyslot].password;
+ pwd_new_len = rc->p[rc->keyslot].passwordLen;
+ } else
+ return -EINVAL;
+
+ if ((r = crypt_init(&cd, rc->header_file_org)) ||
+ (r = crypt_load(cd, CRYPT_LUKS1, NULL)) ||
+ (r = crypt_set_data_device(cd, rc->device)))
+ goto out;
+
+ log_verbose(_("Activating temporary device using old LUKS header.\n"));
+ if ((r = crypt_activate_by_passphrase(cd, rc->header_file_org,
+ opt_key_slot, pwd_old, pwd_old_len,
+ CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_PRIVATE)) < 0)
+ goto out;
+
+ if ((r = crypt_init(&cd_new, rc->header_file_new)) ||
+ (r = crypt_load(cd_new, CRYPT_LUKS1, NULL)) ||
+ (r = crypt_set_data_device(cd_new, rc->device)))
+ goto out;
+
+ log_verbose(_("Activating temporary device using new LUKS header.\n"));
+ if ((r = crypt_activate_by_passphrase(cd_new, rc->header_file_new,
+ opt_key_slot, pwd_new, pwd_new_len,
+ CRYPT_ACTIVATE_SHARED|CRYPT_ACTIVATE_PRIVATE)) < 0)
+ goto out;
+ r = 0;
+out:
+ crypt_free(cd);
+ crypt_free(cd_new);
+ if (r < 0)
+ log_err(_("Activation of temporary devices failed.\n"));
+ return r;
+}
+
+static int create_new_header(struct reenc_ctx *rc, const char *cipher,
+ const char *cipher_mode, const char *uuid,
+ const char *key, int key_size,
+ struct crypt_params_luks1 *params)
+{
+ struct crypt_device *cd_new = NULL;
+ int i, r;
+
+ if ((r = crypt_init(&cd_new, rc->header_file_new)))
+ goto out;
+
+ if (opt_random)
+ crypt_set_rng_type(cd_new, CRYPT_RNG_RANDOM);
+ else if (opt_urandom)
+ crypt_set_rng_type(cd_new, CRYPT_RNG_URANDOM);
+
+ if (opt_iteration_time)
+ crypt_set_iteration_time(cd_new, opt_iteration_time);
+
+ if ((r = crypt_format(cd_new, CRYPT_LUKS1, cipher, cipher_mode,
+ uuid, key, key_size, params)))
+ goto out;
+ log_verbose(_("New LUKS header for device %s created.\n"), rc->device);
+
+ for (i = 0; i < MAX_SLOT; i++) {
+ if (!rc->p[i].password)
+ continue;
+ if ((r = crypt_keyslot_add_by_volume_key(cd_new, i,
+ NULL, 0, rc->p[i].password, rc->p[i].passwordLen)) < 0)
+ goto out;
+ log_verbose(_("Activated keyslot %i.\n"), r);
+ r = 0;
+ }
+out:
+ crypt_free(cd_new);
+ return r;
+}
+
+static int backup_luks_headers(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_luks1 params = {0};
+ char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ char *old_key = NULL;
+ size_t old_key_size;
+ int r;
+
+ log_dbg("Creating LUKS header backup for device %s.", rc->device);
+
+ if ((r = crypt_init(&cd, rc->device)) ||
+ (r = crypt_load(cd, CRYPT_LUKS1, NULL)))
+ goto out;
+
+ if ((r = crypt_header_backup(cd, CRYPT_LUKS1, rc->header_file_org)))
+ goto out;
+ log_verbose(_("LUKS header backup of device %s created.\n"), rc->device);
+
+ /* For decrypt, new header will be fake one, so we are done here. */
+ if (rc->reencrypt_mode == DECRYPT)
+ goto out;
+
+ if ((r = create_empty_header(rc->header_file_new, rc->header_file_org,
+ crypt_get_data_offset(cd))))
+ goto out;
+
+ params.hash = opt_hash ?: DEFAULT_LUKS1_HASH;
+ params.data_alignment = crypt_get_data_offset(cd);
+ params.data_alignment += ROUND_SECTOR(opt_reduce_size);
+ params.data_device = rc->device;
+
+ if (opt_cipher) {
+ r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
+ if (r < 0) {
+ log_err(_("No known cipher specification pattern detected.\n"));
+ goto out;
+ }
+ }
+
+ if (opt_keep_key) {
+ log_dbg("Keeping key from old header.");
+ old_key_size = crypt_get_volume_key_size(cd);
+ old_key = crypt_safe_alloc(old_key_size);
+ if (!old_key) {
+ r = -ENOMEM;
+ goto out;
+ }
+ r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, old_key, &old_key_size,
+ rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen);
+ if (r < 0)
+ goto out;
+ }
+
+ r = create_new_header(rc,
+ opt_cipher ? cipher : crypt_get_cipher(cd),
+ opt_cipher ? cipher_mode : crypt_get_cipher_mode(cd),
+ crypt_get_uuid(cd),
+ old_key,
+ opt_key_size ? opt_key_size / 8 : crypt_get_volume_key_size(cd),
+ ¶ms);
+out:
+ crypt_free(cd);
+ crypt_safe_free(old_key);
+ if (r)
+ log_err(_("Creation of LUKS backup headers failed.\n"));
+ return r;
+}
+
+/* Create fake header for original device */
+static int backup_fake_header(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd_new = NULL;
+ struct crypt_params_luks1 params = {0};
+ char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ const char *header_file_fake;
+ int r;
+
+ log_dbg("Creating fake (cipher_null) header for %s device.",
+ (rc->reencrypt_mode == DECRYPT) ? "new" : "original");
+
+ header_file_fake = (rc->reencrypt_mode == DECRYPT) ? rc->header_file_new : rc->header_file_org;
+
+ if (!opt_key_size)
+ opt_key_size = DEFAULT_LUKS1_KEYBITS;
+
+ if (opt_cipher) {
+ r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
+ if (r < 0) {
+ log_err(_("No known cipher specification pattern detected.\n"));
+ goto out;
+ }
+ }
+
+ r = create_empty_header(header_file_fake, NULL, MAX_BCK_SECTORS);
+ if (r < 0)
+ return r;
+
+ params.hash = opt_hash ?: DEFAULT_LUKS1_HASH;
+ params.data_alignment = 0;
+ params.data_device = rc->device;
+
+ r = crypt_init(&cd_new, header_file_fake);
+ if (r < 0)
+ return r;
+
+ r = crypt_format(cd_new, CRYPT_LUKS1, "cipher_null", "ecb",
+ NO_UUID, NULL, opt_key_size / 8, ¶ms);
+ if (r < 0)
+ goto out;
+
+ r = crypt_keyslot_add_by_volume_key(cd_new, rc->keyslot, NULL, 0,
+ rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen);
+ if (r < 0)
+ goto out;
+
+ /* The real header is backup header created in backup_luks_headers() */
+ if (rc->reencrypt_mode == DECRYPT)
+ goto out;
+
+ r = create_empty_header(rc->header_file_new, rc->header_file_org, 0);
+ if (r < 0)
+ goto out;
+
+ params.data_alignment = ROUND_SECTOR(opt_reduce_size);
+ r = create_new_header(rc,
+ opt_cipher ? cipher : DEFAULT_LUKS1_CIPHER,
+ opt_cipher ? cipher_mode : DEFAULT_LUKS1_MODE,
+ NULL, NULL,
+ (opt_key_size ? opt_key_size : DEFAULT_LUKS1_KEYBITS) / 8,
+ ¶ms);
+out:
+ crypt_free(cd_new);
+ return r;
+}
+
+static void remove_headers(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd = NULL;
+
+ log_dbg("Removing headers.");
+
+ if (crypt_init(&cd, NULL))
+ return;
+ crypt_set_log_callback(cd, _quiet_log, NULL);
+ if (*rc->header_file_org)
+ (void)crypt_deactivate(cd, rc->header_file_org);
+ if (*rc->header_file_new)
+ (void)crypt_deactivate(cd, rc->header_file_new);
+ crypt_free(cd);
+}
+
+static int restore_luks_header(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ log_dbg("Restoring header for %s from %s.", rc->device, rc->header_file_new);
+
+ r = crypt_init(&cd, rc->device);
+ if (r == 0) {
+ r = crypt_header_restore(cd, CRYPT_LUKS1, rc->header_file_new);
+ }
+
+ crypt_free(cd);
+ if (r)
+ log_err(_("Cannot restore LUKS header on device %s.\n"), rc->device);
+ else {
+ log_verbose(_("LUKS header on device %s restored.\n"), rc->device);
+ rc->stained = 0;
+ }
+ return r;
+}
+
+static void print_progress(struct reenc_ctx *rc, uint64_t bytes, int final)
+{
+ unsigned long long mbytes, eta;
+ struct timeval now_time;
+ double tdiff, mib;
+
+ gettimeofday(&now_time, NULL);
+ if (!final && time_diff(rc->end_time, now_time) < 0.5)
+ return;
+
+ rc->end_time = now_time;
+
+ if (opt_batch_mode)
+ return;
+
+ tdiff = time_diff(rc->start_time, rc->end_time);
+ if (!tdiff)
+ return;
+
+ mbytes = (bytes - rc->resume_bytes) / 1024 / 1024;
+ mib = (double)(mbytes) / tdiff;
+ if (!mib)
+ return;
+
+ /* FIXME: calculate this from last minute only and remaining space */
+ eta = (unsigned long long)(rc->device_size / 1024 / 1024 / mib - tdiff);
+
+ /* vt100 code clear line */
+ log_err("\33[2K\r");
+ log_err(_("Progress: %5.1f%%, ETA %02llu:%02llu, "
+ "%4llu MiB written, speed %5.1f MiB/s%s"),
+ (double)bytes / rc->device_size * 100,
+ eta / 60, eta % 60, mbytes, mib,
+ final ? "\n" :"");
+}
+
+static ssize_t read_buf(int fd, void *buf, size_t count)
+{
+ size_t read_size = 0;
+ ssize_t s;
+
+ do {
+ /* This expects that partial read is aligned in buffer */
+ s = read(fd, buf, count - read_size);
+ if (s == -1 && errno != EINTR)
+ return s;
+ if (s == 0)
+ return (ssize_t)read_size;
+ if (s > 0) {
+ if (s != (ssize_t)count)
+ log_dbg("Partial read %zd / %zu.", s, count);
+ read_size += (size_t)s;
+ buf = (uint8_t*)buf + s;
+ }
+ } while (read_size != count);
+
+ return (ssize_t)count;
+}
+
+static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ size_t block_size, void *buf, uint64_t *bytes)
+{
+ ssize_t s1, s2;
+
+ log_dbg("Reencrypting in forward direction.");
+
+ if (lseek64(fd_old, rc->device_offset, SEEK_SET) < 0 ||
+ lseek64(fd_new, rc->device_offset, SEEK_SET) < 0) {
+ log_err(_("Cannot seek to device offset.\n"));
+ return -EIO;
+ }
+
+ rc->resume_bytes = *bytes = rc->device_offset;
+
+ if (write_log(rc) < 0)
+ return -EIO;
+
+ while (!quit && rc->device_offset < rc->device_size) {
+ s1 = read_buf(fd_old, buf, block_size);
+ if (s1 < 0 || ((size_t)s1 != block_size &&
+ (rc->device_offset + s1) != rc->device_size)) {
+ log_dbg("Read error, expecting %zu, got %zd.",
+ block_size, s1);
+ return -EIO;
+ }
+
+ /* If device_size is forced, never write more than limit */
+ if ((s1 + rc->device_offset) > rc->device_size)
+ s1 = rc->device_size - rc->device_offset;
+
+ s2 = write(fd_new, buf, s1);
+ if (s2 < 0) {
+ log_dbg("Write error, expecting %zu, got %zd.",
+ block_size, s2);
+ return -EIO;
+ }
+
+ rc->device_offset += s1;
+ if (opt_write_log && write_log(rc) < 0)
+ return -EIO;
+
+ if (opt_fsync && fsync(fd_new) < 0) {
+ log_dbg("Write error, fsync.");
+ return -EIO;
+ }
+
+ *bytes += (uint64_t)s2;
+ print_progress(rc, *bytes, 0);
+ }
+
+ return quit ? -EAGAIN : 0;
+}
+
+static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ size_t block_size, void *buf, uint64_t *bytes)
+{
+ ssize_t s1, s2, working_block;
+ off64_t working_offset;
+
+ log_dbg("Reencrypting in backward direction.");
+
+ if (!rc->in_progress) {
+ rc->device_offset = rc->device_size;
+ rc->resume_bytes = 0;
+ *bytes = 0;
+ } else {
+ rc->resume_bytes = rc->device_size - rc->device_offset;
+ *bytes = rc->resume_bytes;
+ }
+
+ if (write_log(rc) < 0)
+ return -EIO;
+
+ /* dirty the device during ENCRYPT mode */
+ rc->stained = 1;
+
+ while (!quit && rc->device_offset) {
+ if (rc->device_offset < block_size) {
+ working_offset = 0;
+ working_block = rc->device_offset;
+ } else {
+ working_offset = rc->device_offset - block_size;
+ working_block = block_size;
+ }
+
+ if (lseek64(fd_old, working_offset, SEEK_SET) < 0 ||
+ lseek64(fd_new, working_offset, SEEK_SET) < 0) {
+ log_err(_("Cannot seek to device offset.\n"));
+ return -EIO;
+ }
+
+ s1 = read_buf(fd_old, buf, working_block);
+ if (s1 < 0 || (s1 != working_block)) {
+ log_dbg("Read error, expecting %zu, got %zd.",
+ block_size, s1);
+ return -EIO;
+ }
+
+ s2 = write(fd_new, buf, working_block);
+ if (s2 < 0) {
+ log_dbg("Write error, expecting %zu, got %zd.",
+ block_size, s2);
+ return -EIO;
+ }
+
+ rc->device_offset -= s1;
+ if (opt_write_log && write_log(rc) < 0)
+ return -EIO;
+
+ if (opt_fsync && fsync(fd_new) < 0) {
+ log_dbg("Write error, fsync.");
+ return -EIO;
+ }
+
+ *bytes += (uint64_t)s2;
+ print_progress(rc, *bytes, 0);
+ }
+
+ return quit ? -EAGAIN : 0;
+}
+
+static void zero_rest_of_device(int fd, size_t block_size, void *buf,
+ uint64_t *bytes, uint64_t offset)
+{
+ ssize_t s1, s2;
+
+ log_dbg("Zeroing rest of device.");
+
+ if (lseek64(fd, offset, SEEK_SET) < 0) {
+ log_dbg(_("Cannot seek to device offset.\n"));
+ return;
+ }
+
+ memset(buf, 0, block_size);
+ s1 = block_size;
+
+ while (!quit && *bytes) {
+ if (*bytes < (uint64_t)s1)
+ s1 = *bytes;
+
+ s2 = write(fd, buf, s1);
+ if (s2 < 0) {
+ log_dbg("Write error, expecting %zu, got %zd.",
+ block_size, s2);
+ return;
+ }
+
+ if (opt_fsync && fsync(fd) < 0) {
+ log_dbg("Write error, fsync.");
+ return;
+ }
+
+ *bytes -= s2;
+ }
+}
+
+static int copy_data(struct reenc_ctx *rc)
+{
+ size_t block_size = opt_bsize * 1024 * 1024;
+ int fd_old = -1, fd_new = -1;
+ int r = -EINVAL;
+ void *buf = NULL;
+ uint64_t bytes = 0;
+
+ log_dbg("Data copy preparation.");
+
+ fd_old = open(rc->crypt_path_org, O_RDONLY | (opt_directio ? O_DIRECT : 0));
+ if (fd_old == -1) {
+ log_err(_("Cannot open temporary LUKS device.\n"));
+ goto out;
+ }
+
+ fd_new = open(rc->crypt_path_new, O_WRONLY | (opt_directio ? O_DIRECT : 0));
+ if (fd_new == -1) {
+ log_err(_("Cannot open temporary LUKS device.\n"));
+ goto out;
+ }
+
+ if (ioctl(fd_old, BLKGETSIZE64, &rc->device_size_org_real) < 0) {
+ log_err(_("Cannot get device size.\n"));
+ goto out;
+ }
+
+ if (ioctl(fd_new, BLKGETSIZE64, &rc->device_size_new_real) < 0) {
+ log_err(_("Cannot get device size.\n"));
+ goto out;
+ }
+
+ if (opt_device_size)
+ rc->device_size = opt_device_size;
+ else if (rc->reencrypt_mode == DECRYPT)
+ rc->device_size = rc->device_size_org_real;
+ else
+ rc->device_size = rc->device_size_new_real;
+
+ if (posix_memalign((void *)&buf, alignment(fd_new), block_size)) {
+ log_err(_("Allocation of aligned memory failed.\n"));
+ r = -ENOMEM;
+ goto out;
+ }
+
+ set_int_handler(0);
+ gettimeofday(&rc->start_time, NULL);
+
+ if (rc->reencrypt_direction == FORWARD)
+ r = copy_data_forward(rc, fd_old, fd_new, block_size, buf, &bytes);
+ else
+ r = copy_data_backward(rc, fd_old, fd_new, block_size, buf, &bytes);
+
+ print_progress(rc, bytes, 1);
+
+ /* Zero (wipe) rest of now plain-only device when decrypting.
+ * (To not leave any sign of encryption here.) */
+ if (!r && rc->reencrypt_mode == DECRYPT &&
+ rc->device_size_new_real > rc->device_size_org_real) {
+ bytes = rc->device_size_new_real - rc->device_size_org_real;
+ zero_rest_of_device(fd_new, block_size, buf, &bytes, rc->device_size_org_real);
+ }
+
+ set_int_block(1);
+
+ if (r == -EAGAIN)
+ log_err(_("Interrupted by a signal.\n"));
+ else if (r < 0)
+ log_err(_("IO error during reencryption.\n"));
+
+ (void)write_log(rc);
+out:
+ if (fd_old != -1)
+ close(fd_old);
+ if (fd_new != -1)
+ close(fd_new);
+ free(buf);
+ return r;
+}
+
+static int initialize_uuid(struct reenc_ctx *rc)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+ uuid_t device_uuid;
+
+ log_dbg("Initialising UUID.");
+
+ if (opt_new) {
+ rc->device_uuid = strdup(NO_UUID);
+ return 0;
+ }
+
+ if (opt_decrypt && opt_uuid) {
+ r = uuid_parse(opt_uuid, device_uuid);
+ if (!r)
+ rc->device_uuid = strdup(opt_uuid);
+ else
+ log_err(_("Provided UUID is invalid.\n"));
+
+ return r;
+ }
+
+ /* Try to load LUKS from device */
+ if ((r = crypt_init(&cd, rc->device)))
+ return r;
+ crypt_set_log_callback(cd, _quiet_log, NULL);
+ r = crypt_load(cd, CRYPT_LUKS1, NULL);
+ if (!r)
+ rc->device_uuid = strdup(crypt_get_uuid(cd));
+ else
+ /* Reencryption already in progress - magic header? */
+ r = device_check(rc, CHECK_UNUSABLE);
+
+ crypt_free(cd);
+ return r;
+}
+
+static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
+ const char *msg, int slot_to_check, int check, int verify)
+{
+ char *password;
+ int r = -EINVAL, retry_count;
+ size_t passwordLen;
+
+ retry_count = opt_tries ?: 1;
+ while (retry_count--) {
+ r = tools_get_key(msg, &password, &passwordLen, 0, 0,
+ NULL /*opt_key_file*/, 0, verify, 0 /*pwquality*/, cd);
+ if (r < 0)
+ return r;
+ if (quit) {
+ crypt_safe_free(password);
+ password = NULL;
+ passwordLen = 0;
+ return -EAGAIN;
+ }
+
+ if (check)
+ r = crypt_activate_by_passphrase(cd, NULL, slot_to_check,
+ password, passwordLen, 0);
+ else
+ r = (slot_to_check == CRYPT_ANY_SLOT) ? 0 : slot_to_check;
+
+ if (r < 0) {
+ crypt_safe_free(password);
+ password = NULL;
+ passwordLen = 0;
+ }
+ if (r < 0 && r != -EPERM)
+ return r;
+ if (r >= 0) {
+ rc->keyslot = r;
+ rc->p[r].password = password;
+ rc->p[r].passwordLen = passwordLen;
+ break;
+ }
+ log_err(_("No key available with this passphrase.\n"));
+ }
+
+ password = NULL;
+ passwordLen = 0;
+
+ return r;
+}
+
+static int init_keyfile(struct reenc_ctx *rc, struct crypt_device *cd, int slot_check)
+{
+ char *password;
+ int r;
+ size_t passwordLen;
+
+ r = tools_get_key(NULL, &password, &passwordLen, opt_keyfile_offset,
+ opt_keyfile_size, opt_key_file, 0, 0, 0, cd);
+ if (r < 0)
+ return r;
+
+ r = crypt_activate_by_passphrase(cd, NULL, slot_check, password,
+ passwordLen, 0);
+
+ /*
+ * Allow keyslot only if it is last slot or if user explicitly
+ * specify which slot to use (IOW others will be disabled).
+ */
+ if (r >= 0 && opt_key_slot == CRYPT_ANY_SLOT &&
+ crypt_keyslot_status(cd, r) != CRYPT_SLOT_ACTIVE_LAST) {
+ log_err(_("Key file can be used only with --key-slot or with "
+ "exactly one key slot active.\n"));
+ r = -EINVAL;
+ }
+
+ if (r < 0) {
+ crypt_safe_free(password);
+ if (r == -EPERM)
+ log_err(_("No key available with this passphrase.\n"));
+ } else {
+ rc->keyslot = r;
+ rc->p[r].password = password;
+ rc->p[r].passwordLen = passwordLen;
+ }
+
+ password = NULL;
+ passwordLen = 0;
+
+ return r;
+}
+
+static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
+{
+ struct crypt_device *cd = NULL;
+ crypt_keyslot_info ki;
+ char msg[256];
+ int i, r;
+
+ log_dbg("Passhrases initialization.");
+
+ if (rc->reencrypt_mode == ENCRYPT && !rc->in_progress) {
+ r = init_passphrase1(rc, cd, _("Enter new passphrase: "), opt_key_slot, 0, 1);
+ return r > 0 ? 0 : r;
+ }
+
+ if ((r = crypt_init(&cd, device)) ||
+ (r = crypt_load(cd, CRYPT_LUKS1, NULL)) ||
+ (r = crypt_set_data_device(cd, rc->device))) {
+ crypt_free(cd);
+ return r;
+ }
+
+ if (opt_key_slot != CRYPT_ANY_SLOT)
+ snprintf(msg, sizeof(msg),
+ _("Enter passphrase for key slot %u: "), opt_key_slot);
+ else
+ snprintf(msg, sizeof(msg), _("Enter any existing passphrase: "));
+
+ if (opt_key_file) {
+ r = init_keyfile(rc, cd, opt_key_slot);
+ } else if (rc->in_progress ||
+ opt_key_slot != CRYPT_ANY_SLOT ||
+ rc->reencrypt_mode == DECRYPT) {
+ r = init_passphrase1(rc, cd, msg, opt_key_slot, 1, 0);
+ } else for (i = 0; i < MAX_SLOT; i++) {
+ ki = crypt_keyslot_status(cd, i);
+ if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
+ continue;
+
+ snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "), i);
+ r = init_passphrase1(rc, cd, msg, i, 1, 0);
+ if (r < 0)
+ break;
+ }
+
+ crypt_free(cd);
+ return r > 0 ? 0 : r;
+}
+
+static int initialize_context(struct reenc_ctx *rc, const char *device)
+{
+ log_dbg("Initialising reencryption context.");
+
+ rc->log_fd = -1;
+
+ if (!(rc->device = strndup(device, PATH_MAX)))
+ return -ENOMEM;
+
+ if (device_check(rc, CHECK_OPEN) < 0)
+ return -EINVAL;
+
+ if (initialize_uuid(rc)) {
+ log_err(_("Device %s is not a valid LUKS device.\n"), device);
+ return -EINVAL;
+ }
+
+ /* Prepare device names */
+ if (snprintf(rc->log_file, PATH_MAX,
+ "LUKS-%s.log", rc->device_uuid) < 0)
+ return -ENOMEM;
+ if (snprintf(rc->header_file_org, PATH_MAX,
+ "LUKS-%s.org", rc->device_uuid) < 0)
+ return -ENOMEM;
+ if (snprintf(rc->header_file_new, PATH_MAX,
+ "LUKS-%s.new", rc->device_uuid) < 0)
+ return -ENOMEM;
+
+ /* Paths to encrypted devices */
+ if (snprintf(rc->crypt_path_org, PATH_MAX,
+ "%s/%s", crypt_get_dir(), rc->header_file_org) < 0)
+ return -ENOMEM;
+ if (snprintf(rc->crypt_path_new, PATH_MAX,
+ "%s/%s", crypt_get_dir(), rc->header_file_new) < 0)
+ return -ENOMEM;
+
+ remove_headers(rc);
+
+ if (open_log(rc) < 0) {
+ log_err(_("Cannot open reencryption log file.\n"));
+ return -EINVAL;
+ }
+
+ if (!rc->in_progress) {
+ if (opt_uuid) {
+ log_err(_("No decryption in progress, provided UUID can "
+ "be used only to resume suspended decryption process.\n"));
+ return -EINVAL;
+ }
+
+ if (!opt_reduce_size)
+ rc->reencrypt_direction = FORWARD;
+ else {
+ rc->reencrypt_direction = BACKWARD;
+ rc->device_offset = (uint64_t)~0;
+ }
+
+ if (opt_new)
+ rc->reencrypt_mode = ENCRYPT;
+ else if (opt_decrypt)
+ rc->reencrypt_mode = DECRYPT;
+ else
+ rc->reencrypt_mode = REENCRYPT;
+ }
+
+ return 0;
+}
+
+static void destroy_context(struct reenc_ctx *rc)
+{
+ int i;
+
+ log_dbg("Destroying reencryption context.");
+
+ close_log(rc);
+ remove_headers(rc);
+
+ if (!rc->stained) {
+ unlink(rc->log_file);
+ unlink(rc->header_file_org);
+ unlink(rc->header_file_new);
+ }
+
+ for (i = 0; i < MAX_SLOT; i++)
+ crypt_safe_free(rc->p[i].password);
+
+ free(rc->device);
+ free(rc->device_uuid);
+}
+
+static int run_reencrypt(const char *device)
+{
+ int r = -EINVAL;
+ static struct reenc_ctx rc = {
+ .stained = 1
+ };
+
+ if (initialize_context(&rc, device))
+ goto out;
+
+ log_dbg("Running reencryption.");
+
+ if (!rc.in_progress) {
+ if ((r = initialize_passphrase(&rc, rc.device)))
+ goto out;
+
+ if (rc.reencrypt_mode == ENCRYPT) {
+ /* Create fake header for exising device */
+ if ((r = backup_fake_header(&rc)))
+ goto out;
+ } else {
+ if ((r = backup_luks_headers(&rc)))
+ goto out;
+ /* Create fake header for decrypted device */
+ if (rc.reencrypt_mode == DECRYPT &&
+ (r = backup_fake_header(&rc)))
+ goto out;
+ if ((r = device_check(&rc, MAKE_UNUSABLE)))
+ goto out;
+ }
+ } else {
+ if ((r = initialize_passphrase(&rc, opt_decrypt ? rc.header_file_org : rc.header_file_new)))
+ goto out;
+ }
+
+ if (!opt_keep_key) {
+ log_dbg("Running data area reencryption.");
+ if ((r = activate_luks_headers(&rc)))
+ goto out;
+
+ if ((r = copy_data(&rc)))
+ goto out;
+ } else
+ log_dbg("Keeping existing key, skipping data area reencryption.");
+
+ // FIXME: fix error path above to not skip this
+ if (rc.reencrypt_mode != DECRYPT)
+ r = restore_luks_header(&rc);
+ else
+ rc.stained = 0;
+out:
+ destroy_context(&rc);
+ return r;
+}
+
+static void help(poptContext popt_context,
+ enum poptCallbackReason reason __attribute__((unused)),
+ struct poptOption *key,
+ const char *arg __attribute__((unused)),
+ void *data __attribute__((unused)))
+{
+ if (key->shortName == '?') {
+ log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
+ poptPrintHelp(popt_context, stdout, 0);
+ exit(EXIT_SUCCESS);
+ } else
+ usage(popt_context, EXIT_SUCCESS, NULL, NULL);
+}
+
+int main(int argc, const char **argv)
+{
+ static struct poptOption popt_help_options[] = {
+ { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
+ { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
+ { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
+ POPT_TABLEEND
+ };
+ static struct poptOption popt_options[] = {
+ { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
+ { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
+ { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
+ { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
+ { "block-size", 'B', POPT_ARG_INT, &opt_bsize, 0, N_("Reencryption block size"), N_("MiB") },
+ { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
+ { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
+ { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
+ { "keep-key", '\0', POPT_ARG_NONE, &opt_keep_key, 0, N_("Do not change key, no data area reencryption."), NULL },
+ { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
+ { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
+ { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
+ { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
+ { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
+ { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
+ { "use-directio", '\0', POPT_ARG_NONE, &opt_directio, 0, N_("Use direct-io when accessing devices."), NULL },
+ { "use-fsync", '\0', POPT_ARG_NONE, &opt_fsync, 0, N_("Use fsync after each block."), NULL },
+ { "write-log", '\0', POPT_ARG_NONE, &opt_write_log, 0, N_("Update log file after every block."), NULL },
+ { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Use only this slot (others will be disabled)."), NULL },
+ { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
+ { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
+ { "reduce-device-size",'\0', POPT_ARG_STRING, &opt_reduce_size_str, 0, N_("Reduce data device size (move data offset). DANGEROUS!"), N_("bytes") },
+ { "device-size", '\0', POPT_ARG_STRING, &opt_device_size_str, 0, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes") },
+ { "new", 'N', POPT_ARG_NONE, &opt_new, 0, N_("Create new header on not encrypted device."), NULL },
+ { "decrypt", '\0', POPT_ARG_NONE, &opt_decrypt, 0, N_("Permanently decrypt device (remove encryption)."), NULL },
+ { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("The uuid used to resume decryption."), NULL },
+ POPT_TABLEEND
+ };
+ poptContext popt_context;
+ int r;
+
+ crypt_set_log_callback(NULL, tool_log, NULL);
+
+ set_int_block(1);
+
+ setlocale(LC_ALL, "");
+ bindtextdomain(PACKAGE, LOCALEDIR);
+ textdomain(PACKAGE);
+
+ popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
+ poptSetOtherOptionHelp(popt_context,
+ _("[OPTION...] <device>"));
+
+ while((r = poptGetNextOpt(popt_context)) > 0) ;
+ if (r < -1)
+ usage(popt_context, EXIT_FAILURE, poptStrerror(r),
+ poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
+
+ if (opt_version_mode) {
+ log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
+ poptFreeContext(popt_context);
+ exit(EXIT_SUCCESS);
+ }
+
+ if (!opt_batch_mode)
+ log_verbose(_("Reencryption will change: volume key%s%s%s%s.\n"),
+ opt_hash ? _(", set hash to ") : "", opt_hash ?: "",
+ opt_cipher ? _(", set cipher to "): "", opt_cipher ?: "");
+
+ action_argv = poptGetArgs(popt_context);
+ if(!action_argv)
+ usage(popt_context, EXIT_FAILURE, _("Argument required."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_random && opt_urandom)
+ usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_bsize < 0 || opt_key_size < 0 || opt_iteration_time < 0 ||
+ opt_tries < 0 || opt_keyfile_offset < 0 || opt_key_size < 0) {
+ usage(popt_context, EXIT_FAILURE,
+ _("Negative number for option not permitted."),
+ poptGetInvocationName(popt_context));
+ }
+
+ if (opt_bsize < 1 || opt_bsize > 64)
+ usage(popt_context, EXIT_FAILURE,
+ _("Only values between 1 MiB and 64 MiB allowed for reencryption block size."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_key_size % 8)
+ usage(popt_context, EXIT_FAILURE,
+ _("Key size must be a multiple of 8 bits"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_key_slot != CRYPT_ANY_SLOT &&
+ (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
+ usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_random && opt_urandom)
+ usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_device_size_str &&
+ tools_string_to_size(NULL, opt_device_size_str, &opt_device_size))
+ usage(popt_context, EXIT_FAILURE, _("Invalid device size specification."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_reduce_size_str &&
+ tools_string_to_size(NULL, opt_reduce_size_str, &opt_reduce_size))
+ usage(popt_context, EXIT_FAILURE, _("Invalid device size specification."),
+ poptGetInvocationName(popt_context));
+ if (opt_reduce_size > 64 * 1024 * 1024)
+ usage(popt_context, EXIT_FAILURE, _("Maximum device reduce size is 64 MiB."),
+ poptGetInvocationName(popt_context));
+ if (opt_reduce_size % SECTOR_SIZE)
+ usage(popt_context, EXIT_FAILURE, _("Reduce size must be multiple of 512 bytes sector."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_new && !opt_reduce_size)
+ usage(popt_context, EXIT_FAILURE, _("Option --new must be used together with --reduce-device-size."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_keep_key && ((!opt_hash && !opt_iteration_time) || opt_cipher || opt_new))
+ usage(popt_context, EXIT_FAILURE, _("Option --keep-key can be used only with --hash or --iter-time."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_new && opt_decrypt)
+ usage(popt_context, EXIT_FAILURE, _("Option --new cannot be used together with --decrypt."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_decrypt && (opt_cipher || opt_hash || opt_reduce_size || opt_keep_key || opt_device_size))
+ usage(popt_context, EXIT_FAILURE, _("Option --decrypt is incompatible with specified parameters."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_uuid && !opt_decrypt)
+ usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only together with --decrypt."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_debug) {
+ opt_verbose = 1;
+ crypt_set_debug_level(-1);
+ dbg_version_and_cmd(argc, argv);
+ }
+
+ r = run_reencrypt(action_argv[0]);
+
+ poptFreeContext(popt_context);
+
+ return translate_errno(r);
+}
diff --git a/src/utils_password.c b/src/utils_password.c
new file mode 100644
index 0000000..0366b16
--- /dev/null
+++ b/src/utils_password.c
@@ -0,0 +1,294 @@
+/*
+ * Password quality check wrapper
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+#include <termios.h>
+
+int opt_force_password = 0;
+
+#if defined ENABLE_PWQUALITY
+#include <pwquality.h>
+
+static int tools_check_pwquality(const char *password)
+{
+ int r;
+ void *auxerror;
+ pwquality_settings_t *pwq;
+
+ log_dbg("Checking new password using default pwquality settings.");
+ pwq = pwquality_default_settings();
+ if (!pwq)
+ return -EINVAL;
+
+ r = pwquality_read_config(pwq, NULL, &auxerror);
+ if (r) {
+ log_err(_("Cannot check password quality: %s\n"),
+ pwquality_strerror(NULL, 0, r, auxerror));
+ pwquality_free_settings(pwq);
+ return -EINVAL;
+ }
+
+ r = pwquality_check(pwq, password, NULL, NULL, &auxerror);
+ if (r < 0) {
+ log_err(_("Password quality check failed:\n %s\n"),
+ pwquality_strerror(NULL, 0, r, auxerror));
+ r = -EPERM;
+ } else {
+ log_dbg("New password libpwquality score is %d.", r);
+ r = 0;
+ }
+
+ pwquality_free_settings(pwq);
+ return r;
+}
+#elif defined ENABLE_PASSWDQC
+#include <passwdqc.h>
+
+static int tools_check_pwquality(const char *password)
+{
+ passwdqc_params_t params;
+ char *parse_reason;
+ const char *check_reason;
+ const char *config = PASSWDQC_CONFIG_FILE;
+
+ passwdqc_params_reset(¶ms);
+
+ if (*config && passwdqc_params_load(¶ms, &parse_reason, config)) {
+ log_err(_("Cannot check password quality: %s\n"),
+ (parse_reason ? parse_reason : "Out of memory"));
+ free(parse_reason);
+ return -EINVAL;
+ }
+
+ check_reason = passwdqc_check(¶ms.qc, password, NULL, NULL);
+ if (check_reason) {
+ log_err(_("Password quality check failed: Bad passphrase (%s)\n"),
+ check_reason);
+ return -EPERM;
+ }
+
+ return 0;
+}
+#else /* !(ENABLE_PWQUALITY || ENABLE_PASSWDQC) */
+static int tools_check_pwquality(const char *password)
+{
+ return 0;
+}
+#endif /* ENABLE_PWQUALITY || ENABLE_PASSWDQC */
+
+int tools_is_cipher_null(const char *cipher)
+{
+ if (!cipher)
+ return 0;
+
+ return !strcmp(cipher, "cipher_null") ? 1 : 0;
+}
+
+/*
+ * Keyfile - is standard input treated as a binary file (no EOL handling).
+ */
+int tools_is_stdin(const char *key_file)
+{
+ if (!key_file)
+ return 1;
+
+ return strcmp(key_file, "-") ? 0 : 1;
+}
+
+/* Password reading helpers */
+static int untimed_read(int fd, char *pass, size_t maxlen)
+{
+ ssize_t i;
+
+ i = read(fd, pass, maxlen);
+ if (i > 0) {
+ pass[i-1] = '\0';
+ i = 0;
+ } else if (i == 0) { /* EOF */
+ *pass = 0;
+ i = -1;
+ }
+ return i;
+}
+
+static int timed_read(int fd, char *pass, size_t maxlen, long timeout)
+{
+ struct timeval t;
+ fd_set fds = {}; /* Just to avoid scan-build false report for FD_SET */
+ int failed = -1;
+
+ FD_ZERO(&fds);
+ FD_SET(fd, &fds);
+ t.tv_sec = timeout;
+ t.tv_usec = 0;
+
+ if (select(fd+1, &fds, NULL, NULL, &t) > 0)
+ failed = untimed_read(fd, pass, maxlen);
+
+ return failed;
+}
+
+static int interactive_pass(const char *prompt, char *pass, size_t maxlen,
+ long timeout)
+{
+ struct termios orig, tmp;
+ int failed = -1;
+ int infd, outfd;
+
+ if (maxlen < 1)
+ return failed;
+
+ /* Read and write to /dev/tty if available */
+ infd = open("/dev/tty", O_RDWR);
+ if (infd == -1) {
+ infd = STDIN_FILENO;
+ outfd = STDERR_FILENO;
+ } else
+ outfd = infd;
+
+ if (tcgetattr(infd, &orig))
+ goto out_err;
+
+ memcpy(&tmp, &orig, sizeof(tmp));
+ tmp.c_lflag &= ~ECHO;
+
+ if (prompt && write(outfd, prompt, strlen(prompt)) < 0)
+ goto out_err;
+
+ tcsetattr(infd, TCSAFLUSH, &tmp);
+ if (timeout)
+ failed = timed_read(infd, pass, maxlen, timeout);
+ else
+ failed = untimed_read(infd, pass, maxlen);
+ tcsetattr(infd, TCSAFLUSH, &orig);
+
+out_err:
+ if (!failed && write(outfd, "\n", 1)) {};
+
+ if (infd != STDIN_FILENO)
+ close(infd);
+ return failed;
+}
+
+static int crypt_get_key_tty(const char *prompt,
+ char **key, size_t *key_size,
+ int timeout, int verify,
+ struct crypt_device *cd)
+{
+ int key_size_max = DEFAULT_PASSPHRASE_SIZE_MAX;
+ int r = -EINVAL;
+ char *pass = NULL, *pass_verify = NULL;
+
+ *key = NULL;
+ *key_size = 0;
+
+ log_dbg("Interactive passphrase entry requested.");
+
+ pass = crypt_safe_alloc(key_size_max + 1);
+ if (!pass) {
+ log_err( _("Out of memory while reading passphrase.\n"));
+ return -ENOMEM;
+ }
+
+ if (interactive_pass(prompt, pass, key_size_max, timeout)) {
+ log_err(_("Error reading passphrase from terminal.\n"));
+ goto out_err;
+ }
+ pass[key_size_max] = '\0';
+
+ if (verify) {
+ pass_verify = crypt_safe_alloc(key_size_max);
+ if (!pass_verify) {
+ log_err(_("Out of memory while reading passphrase.\n"));
+ r = -ENOMEM;
+ goto out_err;
+ }
+
+ if (interactive_pass(_("Verify passphrase: "),
+ pass_verify, key_size_max, timeout)) {
+ log_err(_("Error reading passphrase from terminal.\n"));
+ goto out_err;
+ }
+
+ if (strncmp(pass, pass_verify, key_size_max)) {
+ log_err(_("Passphrases do not match.\n"));
+ r = -EPERM;
+ goto out_err;
+ }
+ }
+
+ *key = pass;
+ *key_size = strlen(pass);
+ r = 0;
+out_err:
+ crypt_safe_free(pass_verify);
+ if (r)
+ crypt_safe_free(pass);
+ return r;
+}
+
+/*
+ * Note: --key-file=- is interpreted as a read from a binary file (stdin)
+ * key_size_max == 0 means detect maximum according to input type (tty/file)
+ */
+int tools_get_key(const char *prompt,
+ char **key, size_t *key_size,
+ size_t keyfile_offset, size_t keyfile_size_max,
+ const char *key_file,
+ int timeout, int verify, int pwquality,
+ struct crypt_device *cd)
+{
+ int r = -EINVAL, block;
+
+ block = tools_signals_blocked();
+ if (block)
+ set_int_block(0);
+
+ if (tools_is_stdin(key_file)) {
+ if (isatty(STDIN_FILENO)) {
+ if (keyfile_offset) {
+ log_err(_("Cannot use offset with terminal input.\n"));
+ } else {
+ //FIXME:if (!prompt) "Enter passphrase for %s: "
+ if (!prompt)
+ prompt = "Enter passphrase:";
+ r = crypt_get_key_tty(prompt, key, key_size, timeout, verify, cd);
+ }
+ } else {
+ log_dbg("STDIN descriptor passphrase entry requested.");
+ /* No keyfile means STDIN with EOL handling (\n will end input)). */
+ r = crypt_keyfile_read(cd, NULL, key, key_size, keyfile_offset, keyfile_size_max,
+ key_file ? 0 : CRYPT_KEYFILE_STOP_EOL);
+ }
+ } else {
+ log_dbg("File descriptor passphrase entry requested.");
+ r = crypt_keyfile_read(cd, key_file, key, key_size, keyfile_offset, keyfile_size_max, 0);
+ }
+
+ if (block && !quit)
+ set_int_block(1);
+
+ /* Check pwquality for password (not keyfile) */
+ if (pwquality && !opt_force_password && !key_file && !r)
+ r = tools_check_pwquality(*key);
+
+ return r;
+}
diff --git a/src/utils_tools.c b/src/utils_tools.c
new file mode 100644
index 0000000..b11503e
--- /dev/null
+++ b/src/utils_tools.c
@@ -0,0 +1,327 @@
+/*
+ * cryptsetup - setup cryptographic volumes for dm-crypt
+ *
+ * Copyright (C) 2004, Jana Saout <jana@saout.de>
+ * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+#include <signal.h>
+
+int opt_verbose = 0;
+int opt_debug = 0;
+int opt_batch_mode = 0;
+
+/* interrupt handling */
+volatile int quit = 0;
+static int signals_blocked = 0;
+
+static void int_handler(int sig __attribute__((__unused__)))
+{
+ quit++;
+}
+
+int tools_signals_blocked(void)
+{
+ return signals_blocked;
+}
+
+void set_int_block(int block)
+{
+ sigset_t signals_open;
+
+ log_dbg("%slocking interruption on signal.", block ? "B" : "Unb");
+
+ sigemptyset(&signals_open);
+ sigaddset(&signals_open, SIGINT);
+ sigaddset(&signals_open, SIGTERM);
+ sigprocmask(block ? SIG_SETMASK : SIG_UNBLOCK, &signals_open, NULL);
+ signals_blocked = block;
+ quit = 0;
+}
+
+void set_int_handler(int block)
+{
+ struct sigaction sigaction_open;
+
+ log_dbg("Installing SIGINT/SIGTERM handler.");
+ memset(&sigaction_open, 0, sizeof(struct sigaction));
+ sigaction_open.sa_handler = int_handler;
+ sigaction(SIGINT, &sigaction_open, 0);
+ sigaction(SIGTERM, &sigaction_open, 0);
+ set_int_block(block);
+}
+
+void check_signal(int *r)
+{
+ if (quit && !*r)
+ *r = -EINTR;
+}
+
+__attribute__((format(printf, 5, 6)))
+void clogger(struct crypt_device *cd, int level, const char *file, int line,
+ const char *format, ...)
+{
+ va_list argp;
+ char *target = NULL;
+
+ va_start(argp, format);
+
+ if (vasprintf(&target, format, argp) > 0) {
+ if (level >= 0) {
+ crypt_log(cd, level, target);
+#ifdef CRYPT_DEBUG
+ } else if (opt_debug)
+ printf("# %s:%d %s\n", file ?: "?", line, target);
+#else
+ } else if (opt_debug)
+ printf("# %s\n", target);
+#endif
+ }
+
+ va_end(argp);
+ free(target);
+}
+
+void tool_log(int level, const char *msg, void *usrptr __attribute__((unused)))
+{
+ switch(level) {
+
+ case CRYPT_LOG_NORMAL:
+ fputs(msg, stdout);
+ break;
+ case CRYPT_LOG_VERBOSE:
+ if (opt_verbose)
+ fputs(msg, stdout);
+ break;
+ case CRYPT_LOG_ERROR:
+ fputs(msg, stderr);
+ break;
+ case CRYPT_LOG_DEBUG:
+ if (opt_debug)
+ printf("# %s\n", msg);
+ break;
+ default:
+ fprintf(stderr, "Internal error on logging class for msg: %s", msg);
+ break;
+ }
+}
+
+void quiet_log(int level, const char *msg, void *usrptr)
+{
+ if (!opt_verbose && (level == CRYPT_LOG_ERROR || level == CRYPT_LOG_NORMAL))
+ level = CRYPT_LOG_VERBOSE;
+ tool_log(level, msg, usrptr);
+}
+
+int yesDialog(const char *msg, void *usrptr __attribute__((unused)))
+{
+ char *answer = NULL;
+ size_t size = 0;
+ int r = 1, block;
+
+ block = tools_signals_blocked();
+ if (block)
+ set_int_block(0);
+
+ if(isatty(STDIN_FILENO) && !opt_batch_mode) {
+ log_std("\nWARNING!\n========\n");
+ log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
+ fflush(stdout);
+ if(getline(&answer, &size, stdin) == -1) {
+ r = 0;
+ /* Aborted by signal */
+ if (!quit)
+ log_err(_("Error reading response from terminal.\n"));
+ else
+ log_dbg("Query interrupted on signal.");
+ } else if(strcmp(answer, "YES\n"))
+ r = 0;
+ }
+
+ if (block && !quit)
+ set_int_block(1);
+
+ free(answer);
+ return r;
+}
+
+void show_status(int errcode)
+{
+ char *crypt_error;
+
+ if(!opt_verbose)
+ return;
+
+ if(!errcode) {
+ log_std(_("Command successful.\n"));
+ return;
+ }
+
+ if (errcode < 0)
+ errcode = translate_errno(errcode);
+
+ if (errcode == 1)
+ crypt_error = _("wrong or missing parameters");
+ else if (errcode == 2)
+ crypt_error = _("no permission or bad passphrase");
+ else if (errcode == 3)
+ crypt_error = _("out of memory");
+ else if (errcode == 4)
+ crypt_error = _("wrong device or file specified");
+ else if (errcode == 5)
+ crypt_error = _("device already exists or device is busy");
+ else
+ crypt_error = _("unknown error");
+
+ log_std(_("Command failed with code %i (%s).\n"), -errcode, crypt_error);
+}
+
+const char *uuid_or_device(const char *spec)
+{
+ static char device[PATH_MAX];
+ char s, *ptr;
+ int i = 0, uuid_len = 5;
+
+ /* Check if it is correct UUID=<LUKS_UUID> format */
+ if (spec && !strncmp(spec, "UUID=", uuid_len)) {
+ strcpy(device, "/dev/disk/by-uuid/");
+ ptr = &device[strlen(device)];
+ i = uuid_len;
+ while ((s = spec[i++]) && i < (PATH_MAX - 13)) {
+ if (!isxdigit(s) && s != '-')
+ return spec; /* Bail it out */
+ if (isalpha(s))
+ s = tolower(s);
+ *ptr++ = s;
+ }
+ *ptr = '\0';
+ return device;
+ }
+
+ return spec;
+}
+
+__attribute__ ((noreturn)) void usage(poptContext popt_context,
+ int exitcode, const char *error,
+ const char *more)
+{
+ poptPrintUsage(popt_context, stderr, 0);
+ if (error)
+ log_err("%s: %s\n", more, error);
+ poptFreeContext(popt_context);
+ exit(exitcode);
+}
+
+void dbg_version_and_cmd(int argc, const char **argv)
+{
+ int i;
+
+ log_std("# %s %s processing \"", PACKAGE_NAME, PACKAGE_VERSION);
+ for (i = 0; i < argc; i++) {
+ if (i)
+ log_std(" ");
+ log_std("%s", argv[i]);
+ }
+ log_std("\"\n");
+}
+
+/* Translate exit code to simple codes */
+int translate_errno(int r)
+{
+ switch (r) {
+ case 0: r = EXIT_SUCCESS; break;
+ case -EEXIST:
+ case -EBUSY: r = 5; break;
+ case -ENOTBLK:
+ case -ENODEV: r = 4; break;
+ case -ENOMEM: r = 3; break;
+ case -EPERM: r = 2; break;
+ case -EINVAL:
+ case -ENOENT:
+ case -ENOSYS:
+ default: r = EXIT_FAILURE;
+ }
+ return r;
+}
+
+/*
+ * Device size string parsing, suffixes:
+ * s|S - 512 bytes sectors
+ * k |K |m |M |g |G |t |T - 1024 base
+ * kiB|KiB|miB|MiB|giB|GiB|tiB|TiB - 1024 base
+ * kb |KB |mM |MB |gB |GB |tB |TB - 1000 base
+ */
+int tools_string_to_size(struct crypt_device *cd, const char *s, uint64_t *size)
+{
+ char *endp = NULL;
+ size_t len;
+ uint64_t mult_base, mult, tmp;
+
+ *size = strtoull(s, &endp, 10);
+ if (!isdigit(s[0]) ||
+ (errno == ERANGE && *size == ULLONG_MAX) ||
+ (errno != 0 && *size == 0))
+ return -EINVAL;
+
+ if (!endp || !*endp)
+ return 0;
+
+ len = strlen(endp);
+ /* Allow "B" and "iB" suffixes */
+ if (len > 3 ||
+ (len == 3 && (endp[1] != 'i' || endp[2] != 'B')) ||
+ (len == 2 && endp[1] != 'B'))
+ return -EINVAL;
+
+ if (len == 1 || len == 3)
+ mult_base = 1024;
+ else
+ mult_base = 1000;
+
+ mult = 1;
+ switch (endp[0]) {
+ case 's':
+ case 'S': mult = 512;
+ break;
+ case 't':
+ case 'T': mult *= mult_base;
+ /* Fall through */
+ case 'g':
+ case 'G': mult *= mult_base;
+ /* Fall through */
+ case 'm':
+ case 'M': mult *= mult_base;
+ /* Fall through */
+ case 'k':
+ case 'K': mult *= mult_base;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ tmp = *size * mult;
+ if (*size && (tmp / *size) != mult) {
+ log_dbg("Device size overflow.");
+ return -EINVAL;
+ }
+
+ *size = tmp;
+ return 0;
+}
diff --git a/src/veritysetup.c b/src/veritysetup.c
new file mode 100644
index 0000000..fd84636
--- /dev/null
+++ b/src/veritysetup.c
@@ -0,0 +1,549 @@
+/*
+ * veritysetup - setup cryptographic volumes for dm-verity
+ *
+ * Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2017, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+
+#define PACKAGE_VERITY "veritysetup"
+
+static int use_superblock = 1;
+
+static const char *fec_device = NULL;
+static int fec_roots = DEFAULT_VERITY_FEC_ROOTS;
+static const char *hash_algorithm = NULL;
+static int hash_type = 1;
+static int data_block_size = DEFAULT_VERITY_DATA_BLOCK;
+static int hash_block_size = DEFAULT_VERITY_HASH_BLOCK;
+static uint64_t data_blocks = 0;
+static const char *salt_string = NULL;
+static uint64_t hash_offset = 0;
+static uint64_t fec_offset = 0;
+static const char *opt_uuid = NULL;
+static int opt_restart_on_corruption = 0;
+static int opt_ignore_corruption = 0;
+static int opt_ignore_zero_blocks = 0;
+
+static int opt_version_mode = 0;
+
+static const char **action_argv;
+static int action_argc;
+
+static int _prepare_format(struct crypt_params_verity *params,
+ const char *data_device,
+ uint32_t flags)
+{
+ char *salt = NULL;
+ int len;
+
+ params->hash_name = hash_algorithm ?: DEFAULT_VERITY_HASH;
+ params->data_device = data_device;
+ params->fec_device = fec_device;
+ params->fec_roots = fec_roots;
+
+ if (salt_string && !strcmp(salt_string, "-")) {
+ params->salt_size = 0;
+ params->salt = NULL;
+ } else if (salt_string) {
+ len = crypt_hex_to_bytes(salt_string, &salt, 0);
+ if (len < 0) {
+ log_err(_("Invalid salt string specified.\n"));
+ return -EINVAL;
+ }
+ params->salt_size = len;
+ params->salt = salt;
+ } else {
+ params->salt_size = DEFAULT_VERITY_SALT_SIZE;
+ params->salt = NULL;
+ }
+
+ params->data_block_size = data_block_size;
+ params->hash_block_size = hash_block_size;
+ params->data_size = data_blocks;
+ params->hash_area_offset = hash_offset;
+ params->fec_area_offset = fec_offset;
+ params->hash_type = hash_type;
+ params->flags = flags;
+
+ return 0;
+}
+
+static int action_format(int arg)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_verity params = {};
+ uint32_t flags = CRYPT_VERITY_CREATE_HASH;
+ int r;
+
+ /* Try to create hash image if doesn't exist */
+ r = open(action_argv[1], O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
+ if (r < 0 && errno != EEXIST) {
+ log_err(_("Cannot create hash image %s for writing.\n"), action_argv[1]);
+ return -EINVAL;
+ } else if (r >= 0) {
+ log_dbg("Created hash image %s.", action_argv[1]);
+ close(r);
+ }
+ /* Try to create FEC image if doesn't exist */
+ if (fec_device) {
+ r = open(fec_device, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
+ if (r < 0 && errno != EEXIST) {
+ log_err(_("Cannot create FEC image %s for writing.\n"), fec_device);
+ return -EINVAL;
+ } else if (r >= 0) {
+ log_dbg("Created FEC image %s.", fec_device);
+ close(r);
+ }
+ }
+
+ if ((r = crypt_init(&cd, action_argv[1])))
+ goto out;
+
+ if (!use_superblock)
+ flags |= CRYPT_VERITY_NO_HEADER;
+
+ r = _prepare_format(¶ms, action_argv[0], flags);
+ if (r < 0)
+ goto out;
+
+ r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, opt_uuid, NULL, 0, ¶ms);
+ if (!r)
+ crypt_dump(cd);
+out:
+ crypt_free(cd);
+ free(CONST_CAST(char*)params.salt);
+ return r;
+}
+
+static int _activate(const char *dm_device,
+ const char *data_device,
+ const char *hash_device,
+ const char *root_hash,
+ uint32_t flags)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_verity params = {};
+ uint32_t activate_flags = CRYPT_ACTIVATE_READONLY;
+ char *root_hash_bytes = NULL;
+ ssize_t hash_size;
+ int r;
+
+ if ((r = crypt_init(&cd, hash_device)))
+ goto out;
+
+ if (opt_ignore_corruption)
+ activate_flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION;
+ if (opt_restart_on_corruption)
+ activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
+ if (opt_ignore_zero_blocks)
+ activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
+
+ if (use_superblock) {
+ params.flags = flags;
+ params.hash_area_offset = hash_offset;
+ params.fec_area_offset = fec_offset;
+ params.fec_device = fec_device;
+ params.fec_roots = fec_roots;
+ r = crypt_load(cd, CRYPT_VERITY, ¶ms);
+ } else {
+ r = _prepare_format(¶ms, data_device, flags | CRYPT_VERITY_NO_HEADER);
+ if (r < 0)
+ goto out;
+ r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms);
+ }
+ if (r < 0)
+ goto out;
+ r = crypt_set_data_device(cd, data_device);
+ if (r < 0)
+ goto out;
+
+ hash_size = crypt_get_volume_key_size(cd);
+ if (crypt_hex_to_bytes(root_hash, &root_hash_bytes, 0) != hash_size) {
+ log_err(_("Invalid root hash string specified.\n"));
+ r = -EINVAL;
+ goto out;
+ }
+ r = crypt_activate_by_volume_key(cd, dm_device,
+ root_hash_bytes,
+ hash_size,
+ activate_flags);
+out:
+ crypt_free(cd);
+ free(root_hash_bytes);
+ free(CONST_CAST(char*)params.salt);
+ return r;
+}
+
+static int action_create(int arg)
+{
+ return _activate(action_argv[0],
+ action_argv[1],
+ action_argv[2],
+ action_argv[3], 0);
+}
+
+static int action_verify(int arg)
+{
+ return _activate(NULL,
+ action_argv[0],
+ action_argv[1],
+ action_argv[2],
+ CRYPT_VERITY_CHECK_HASH);
+}
+
+static int action_remove(int arg)
+{
+ struct crypt_device *cd = NULL;
+ int r;
+
+ r = crypt_init_by_name(&cd, action_argv[0]);
+ if (r == 0)
+ r = crypt_deactivate(cd, action_argv[0]);
+
+ crypt_free(cd);
+ return r;
+}
+
+static int action_status(int arg)
+{
+ crypt_status_info ci;
+ struct crypt_active_device cad;
+ struct crypt_params_verity vp = {};
+ struct crypt_device *cd = NULL;
+ struct stat st;
+ char *backing_file;
+ unsigned i, path = 0;
+ int r = 0;
+
+ /* perhaps a path, not a dm device name */
+ if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
+ path = 1;
+
+ ci = crypt_status(NULL, action_argv[0]);
+ switch (ci) {
+ case CRYPT_INVALID:
+ r = -EINVAL;
+ break;
+ case CRYPT_INACTIVE:
+ if (path)
+ log_std("%s is inactive.\n", action_argv[0]);
+ else
+ log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
+ r = -ENODEV;
+ break;
+ case CRYPT_ACTIVE:
+ case CRYPT_BUSY:
+ if (path)
+ log_std("%s is active%s.\n", action_argv[0],
+ ci == CRYPT_BUSY ? " and is in use" : "");
+ else
+ log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
+ ci == CRYPT_BUSY ? " and is in use" : "");
+
+ r = crypt_init_by_name_and_header(&cd, action_argv[0], NULL);
+ if (r < 0 || !crypt_get_type(cd))
+ goto out;
+
+ log_std(" type: %s\n", crypt_get_type(cd));
+
+ r = crypt_get_active_device(cd, action_argv[0], &cad);
+ if (r < 0)
+ goto out;
+
+ log_std(" status: %s\n",
+ cad.flags & CRYPT_ACTIVATE_CORRUPTED ? "corrupted" : "verified");
+
+ r = crypt_get_verity_info(cd, &vp);
+ if (r < 0)
+ goto out;
+
+ log_std(" hash type: %u\n", vp.hash_type);
+ log_std(" data block: %u\n", vp.data_block_size);
+ log_std(" hash block: %u\n", vp.hash_block_size);
+ log_std(" hash name: %s\n", vp.hash_name);
+ log_std(" salt: ");
+ if (vp.salt_size)
+ for(i = 0; i < vp.salt_size; i++)
+ log_std("%02hhx", (const char)vp.salt[i]);
+ else
+ log_std("-");
+ log_std("\n");
+
+ log_std(" data device: %s\n", vp.data_device);
+ if (crypt_loop_device(vp.data_device)) {
+ backing_file = crypt_loop_backing_file(vp.data_device);
+ log_std(" data loop: %s\n", backing_file);
+ free(backing_file);
+ }
+ log_std(" size: %" PRIu64 " sectors\n", cad.size);
+ log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+ "readonly" : "read/write");
+
+ log_std(" hash device: %s\n", vp.hash_device);
+ if (crypt_loop_device(vp.hash_device)) {
+ backing_file = crypt_loop_backing_file(vp.hash_device);
+ log_std(" hash loop: %s\n", backing_file);
+ free(backing_file);
+ }
+ log_std(" hash offset: %" PRIu64 " sectors\n",
+ vp.hash_area_offset * vp.hash_block_size / 512);
+
+ if (vp.fec_device) {
+ log_std(" FEC device: %s\n", vp.fec_device);
+ if (crypt_loop_device(vp.fec_device)) {
+ backing_file = crypt_loop_backing_file(vp.fec_device);
+ log_std(" FEC loop: %s\n", backing_file);
+ free(backing_file);
+ }
+ log_std(" FEC offset: %" PRIu64 " sectors\n",
+ vp.fec_area_offset * vp.hash_block_size / 512);
+ log_std(" FEC roots: %u\n", vp.fec_roots);
+ }
+ if (cad.flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
+ CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
+ CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS))
+ log_std(" flags: %s%s%s\n",
+ (cad.flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? "ignore_corruption " : "",
+ (cad.flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? "restart_on_corruption " : "",
+ (cad.flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? "ignore_zero_blocks" : "");
+ }
+out:
+ crypt_free(cd);
+ if (r == -ENOTSUP)
+ r = 0;
+ return r;
+}
+
+static int action_dump(int arg)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_params_verity params = {};
+ int r;
+
+ if ((r = crypt_init(&cd, action_argv[0])))
+ return r;
+
+ params.hash_area_offset = hash_offset;
+ params.fec_area_offset = fec_offset;
+ r = crypt_load(cd, CRYPT_VERITY, ¶ms);
+ if (!r)
+ crypt_dump(cd);
+ crypt_free(cd);
+ return r;
+}
+
+static struct action_type {
+ const char *type;
+ int (*handler)(int);
+ int required_action_argc;
+ const char *arg_desc;
+ const char *desc;
+} action_types[] = {
+ { "format", action_format, 2, N_("<data_device> <hash_device>"),N_("format device") },
+ { "verify", action_verify, 3, N_("<data_device> <hash_device> <root_hash>"),N_("verify device") },
+ { "create", action_create, 4, N_("<name> <data_device> <hash_device> <root_hash>"),N_("create active device") },
+ { "remove", action_remove, 1, N_("<name>"),N_("remove (deactivate) device") },
+ { "status", action_status, 1, N_("<name>"),N_("show active device status") },
+ { "dump", action_dump, 1, N_("<hash_device>"),N_("show on-disk information") },
+ { NULL, NULL, 0, NULL, NULL }
+};
+
+static void help(poptContext popt_context,
+ enum poptCallbackReason reason __attribute__((unused)),
+ struct poptOption *key,
+ const char *arg __attribute__((unused)),
+ void *data __attribute__((unused)))
+{
+ struct action_type *action;
+
+ if (key->shortName == '?') {
+ log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
+ poptPrintHelp(popt_context, stdout, 0);
+ log_std(_("\n"
+ "<action> is one of:\n"));
+ for(action = action_types; action->type; action++)
+ log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
+ log_std(_("\n"
+ "<name> is the device to create under %s\n"
+ "<data_device> is the data device\n"
+ "<hash_device> is the device containing verification data\n"
+ "<root_hash> hash of the root node on <hash_device>\n"),
+ crypt_get_dir());
+
+ log_std(_("\nDefault compiled-in dm-verity parameters:\n"
+ "\tHash: %s, Data block (bytes): %u, "
+ "Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"),
+ DEFAULT_VERITY_HASH, DEFAULT_VERITY_DATA_BLOCK,
+ DEFAULT_VERITY_HASH_BLOCK, DEFAULT_VERITY_SALT_SIZE,
+ 1);
+ exit(EXIT_SUCCESS);
+ } else
+ usage(popt_context, EXIT_SUCCESS, NULL, NULL);
+}
+
+static int run_action(struct action_type *action)
+{
+ int r;
+
+ log_dbg("Running command %s.", action->type);
+
+ r = action->handler(0);
+
+ show_status(r);
+ return translate_errno(r);
+}
+
+int main(int argc, const char **argv)
+{
+ static char *popt_tmp;
+ static const char *null_action_argv[] = {NULL};
+ static struct poptOption popt_help_options[] = {
+ { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
+ { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
+ { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
+ POPT_TABLEEND
+ };
+ static struct poptOption popt_options[] = {
+ { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
+ { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
+ { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
+ { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
+ { "no-superblock", 0, POPT_ARG_VAL, &use_superblock, 0, N_("Do not use verity superblock"), NULL },
+ { "format", 0, POPT_ARG_INT, &hash_type, 0, N_("Format type (1 - normal, 0 - original Chrome OS)"), N_("number") },
+ { "data-block-size", 0, POPT_ARG_INT, &data_block_size, 0, N_("Block size on the data device"), N_("bytes") },
+ { "hash-block-size", 0, POPT_ARG_INT, &hash_block_size, 0, N_("Block size on the hash device"), N_("bytes") },
+ { "fec-roots", 0, POPT_ARG_INT, &fec_roots, 0, N_("FEC parity bytes"), N_("bytes") },
+ { "data-blocks", 0, POPT_ARG_STRING, &popt_tmp, 1, N_("The number of blocks in the data file"), N_("blocks") },
+ { "fec-device", 0, POPT_ARG_STRING, &fec_device, 0, N_("Path to device with error correction data"), N_("path") },
+ { "hash-offset", 0, POPT_ARG_STRING, &popt_tmp, 2, N_("Starting offset on the hash device"), N_("bytes") },
+ { "fec-offset", 0, POPT_ARG_STRING, &popt_tmp, 3, N_("Starting offset on the FEC device"), N_("bytes") },
+ { "hash", 'h', POPT_ARG_STRING, &hash_algorithm, 0, N_("Hash algorithm"), N_("string") },
+ { "salt", 's', POPT_ARG_STRING, &salt_string, 0, N_("Salt"), N_("hex string") },
+ { "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
+ { "restart-on-corruption", 0,POPT_ARG_NONE,&opt_restart_on_corruption, 0, N_("Restart kernel if corruption is detected"), NULL },
+ { "ignore-corruption", 0, POPT_ARG_NONE, &opt_ignore_corruption, 0, N_("Ignore corruption, log it only"), NULL },
+ { "ignore-zero-blocks", 0, POPT_ARG_NONE, &opt_ignore_zero_blocks, 0, N_("Do not verify zeroed blocks"), NULL },
+ POPT_TABLEEND
+ };
+
+ poptContext popt_context;
+ struct action_type *action;
+ const char *aname;
+ int r;
+
+ crypt_set_log_callback(NULL, tool_log, NULL);
+
+ setlocale(LC_ALL, "");
+ bindtextdomain(PACKAGE, LOCALEDIR);
+ textdomain(PACKAGE);
+
+ popt_context = poptGetContext("verity", argc, argv, popt_options, 0);
+ poptSetOtherOptionHelp(popt_context,
+ _("[OPTION...] <action> <action-specific>"));
+
+ while((r = poptGetNextOpt(popt_context)) > 0) {
+ unsigned long long ull_value;
+ char *endp;
+
+ errno = 0;
+ ull_value = strtoull(popt_tmp, &endp, 10);
+ if (*endp || !*popt_tmp || !isdigit(*popt_tmp) ||
+ (errno == ERANGE && ull_value == ULLONG_MAX) ||
+ (errno != 0 && ull_value == 0))
+ r = POPT_ERROR_BADNUMBER;
+
+ switch(r) {
+ case 1:
+ data_blocks = ull_value;
+ break;
+ case 2:
+ hash_offset = ull_value;
+ break;
+ case 3:
+ fec_offset = ull_value;
+ break;
+ }
+
+ if (r < 0)
+ break;
+ }
+
+ if (r < -1)
+ usage(popt_context, EXIT_FAILURE, poptStrerror(r),
+ poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
+
+ if (opt_version_mode) {
+ log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
+ poptFreeContext(popt_context);
+ exit(EXIT_SUCCESS);
+ }
+
+ if (!(aname = poptGetArg(popt_context)))
+ usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
+ poptGetInvocationName(popt_context));
+ for(action = action_types; action->type; action++)
+ if (strcmp(action->type, aname) == 0)
+ break;
+ if (!action->type)
+ usage(popt_context, EXIT_FAILURE, _("Unknown action."),
+ poptGetInvocationName(popt_context));
+
+ action_argc = 0;
+ action_argv = poptGetArgs(popt_context);
+ /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
+ if(!action_argv)
+ action_argv = null_action_argv;
+
+ /* Count args, somewhat unnice, change? */
+ while(action_argv[action_argc] != NULL)
+ action_argc++;
+
+ if(action_argc < action->required_action_argc) {
+ char buf[128];
+ snprintf(buf, 128,_("%s: requires %s as arguments"), action->type, action->arg_desc);
+ usage(popt_context, EXIT_FAILURE, buf,
+ poptGetInvocationName(popt_context));
+ }
+
+ if (data_block_size < 0 || hash_block_size < 0 || hash_type < 0) {
+ usage(popt_context, EXIT_FAILURE,
+ _("Negative number for option not permitted."),
+ poptGetInvocationName(popt_context));
+ }
+
+ if ((opt_ignore_corruption || opt_restart_on_corruption || opt_ignore_zero_blocks) && strcmp(aname, "create"))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_ignore_corruption && opt_restart_on_corruption)
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"),
+ poptGetInvocationName(popt_context));
+
+ if (opt_debug) {
+ opt_verbose = 1;
+ crypt_set_debug_level(-1);
+ dbg_version_and_cmd(argc, argv);
+ }
+
+ r = run_action(action);
+ poptFreeContext(popt_context);
+ return r;
+}
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..862e0f0
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,59 @@
+TESTS = api-test \
+ compat-test \
+ loopaes-test \
+ align-test \
+ discards-test \
+ mode-test \
+ password-hash-test \
+ tcrypt-compat-test \
+ luks1-compat-test \
+ device-test
+
+if VERITYSETUP
+TESTS += verity-compat-test
+endif
+
+if REENCRYPT
+TESTS += reencryption-compat-test
+endif
+
+EXTRA_DIST = compatimage.img.bz2 compatv10image.img.bz2 \
+ img_fs_ext4.img.bz2 img_fs_vfat.img.bz2 img_fs_xfs.img.bz2 \
+ valid_header_file.bz2 \
+ evil_hdr-payload_overwrite.bz2 \
+ evil_hdr-stripes_payload_dmg.bz2 \
+ evil_hdr-luks_hdr_damage.bz2 \
+ evil_hdr-small_luks_device.bz2 \
+ tcrypt-images.tar.bz2 \
+ luks1-images.tar.bz2 \
+ compat-test loopaes-test align-test discards-test mode-test password-hash-test \
+ verity-compat-test \
+ reencryption-compat-test \
+ tcrypt-compat-test \
+ luks1-compat-test \
+ device-test \
+ cryptsetup-valg-supps valg.sh valg-api.sh
+
+CLEANFILES = cryptsetup-tst* valglog*
+clean-local:
+ -rm -rf tcrypt-images luks1-images
+
+differ_SOURCES = differ.c
+differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
+
+api_test_SOURCES = api-test.c $(top_srcdir)/lib/utils_loop.c
+api_test_LDADD = ../lib/libcryptsetup.la
+api_test_LDFLAGS = $(AM_LDFLAGS) -static
+api_test_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
+api_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
+
+check_PROGRAMS = api-test differ
+
+compatimage.img:
+ @bzip2 -k -d compatimage.img.bz2
+
+valgrind-check: api-test differ
+ @VALG=1 ./compat-test
+ @INFOSTRING="api-test-000" ./valg-api.sh ./api-test
+
+.PHONY: valgrind-check
diff --git a/tests/align-test b/tests/align-test
new file mode 100755
index 0000000..6e657f8
--- /dev/null
+++ b/tests/align-test
@@ -0,0 +1,228 @@
+#!/bin/bash
+
+CRYPTSETUP="../src/cryptsetup"
+DEV=""
+DEV_STACKED="luks0xbabe"
+MNT_DIR="./mnt_luks"
+PWD1="93R4P4pIqAH8"
+PWD2="mymJeD8ivEhE"
+
+cleanup() {
+ udevadm settle >/dev/null 2>&1
+ if [ -d "$MNT_DIR" ] ; then
+ umount -f $MNT_DIR 2>/dev/null
+ rmdir $MNT_DIR 2>/dev/null
+ fi
+ [ -b /dev/mapper/$DEV_STACKED ] && dmsetup remove $DEV_STACKED >/dev/null 2>&1
+ # FIXME scsi_debug sometimes in-use here
+ sleep 1
+ rmmod scsi_debug 2>/dev/null
+ sleep 1
+}
+
+fail()
+{
+ if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi
+ cleanup
+ exit 100
+}
+
+skip()
+{
+ echo "TEST SKIPPED: $1"
+ cleanup
+ exit 0
+}
+
+add_device() {
+ modprobe scsi_debug $@
+ if [ $? -ne 0 ] ; then
+ echo "This kernel seems to not support proper scsi_debug module, test skipped."
+ exit 0
+ fi
+
+ sleep 2
+ DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
+
+ if [ ! -e /sys/block/$DEV/alignment_offset ] ; then
+ echo "This kernel seems to not support topology info, test skipped."
+ cleanup
+ exit 0
+ fi
+
+ DEV="/dev/$DEV"
+ [ -b $DEV ] || fail "Cannot find $DEV."
+}
+
+format() # key_bits expected [forced]
+{
+ if [ -z "$3" ] ; then
+ echo -n "Formatting using topology info ($1 bits key)..."
+ echo $PWD1 | $CRYPTSETUP luksFormat $DEV -q -i1 -c aes-cbc-essiv:sha256 -s $1
+ else
+ echo -n "Formatting using forced sector alignment $3 ($1 bits key)..."
+ echo $PWD1 | $CRYPTSETUP luksFormat $DEV -q -i1 -s $1 -c aes-cbc-essiv:sha256 --align-payload=$2
+ fi
+
+ ALIGN=$($CRYPTSETUP luksDump $DEV |grep "Payload offset" | sed -e s/.*\\t//)
+ #echo "ALIGN = $ALIGN"
+
+ [ -z "$ALIGN" ] && fail
+ [ $ALIGN -ne $2 ] && fail "Expected alignment differs: expected $2 != detected $ALIGN"
+
+ # test some operation, just in case
+ echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV -i1 --key-slot 1
+ [ $? -ne 0 ] && fail "Keyslot add failed."
+
+ $CRYPTSETUP -q luksKillSlot $DEV 1
+ [ $? -ne 0 ] && fail "Keyslot removal failed."
+
+ echo "PASSED"
+}
+
+get_offsets()
+{
+ $CRYPTSETUP luksDump $DEV | grep "$1" | cut -s -d ':' -f 2 | sed -e 's/\s//g' -e :a -e N -e 's/\n/:/g' -e 's/\s//g' -e ta
+}
+
+format_null()
+{
+ if [ $3 -eq 0 ] ; then
+ echo -n "Formatting using topology info ($1 bits key) [slot 0"
+ echo | $CRYPTSETUP luksFormat $DEV -q -i1 -c null -s $1
+ else
+ echo -n "Formatting using forced sector alignment $3 ($1 bits key) [slot 0"
+ echo | $CRYPTSETUP luksFormat $DEV -q -i1 -c null -s $1 --align-payload=$3
+ fi
+
+ POFF=$(get_offsets "Payload offset")
+ [ -z "$POFF" ] && fail
+ [ $POFF != $2 ] && fail "Expected data offset differs: expected $2 != detected $POFF"
+ if [ -n "$4" ] ; then
+ for j in 1 2 3 4 5 6 7 ; do
+ echo -e "\n" | $CRYPTSETUP luksAddKey $DEV -q -i1 --key-slot $j -c null $PARAMS
+ echo -n $j
+ [ $? -ne 0 ] && fail
+ done
+
+ KOFF=$(get_offsets "Key material offset")
+ [ -z "$KOFF" ] && fail
+ [ $KOFF != $4 ] && fail "Expected keyslots offsets differ: expected $4 != detected $KOFF"
+ fi
+
+ echo "]...PASSED"
+}
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run this test, test skipped."
+ exit 0
+fi
+
+modprobe --dry-run scsi_debug || exit 0
+cleanup
+
+echo "# Create desktop-class 4K drive"
+echo "# (logical_block_size=512, physical_block_size=4096, alignment_offset=0)"
+add_device dev_size_mb=16 sector_size=512 physblk_exp=3 num_tgts=1
+format 256 4096
+format 256 2112 8
+format 128 2048
+format 128 1088 8
+format 256 8192 8192
+format 128 8192 8192
+cleanup
+
+echo "# Create desktop-class 4K drive w/ 63-sector DOS partition compensation"
+echo "# (logical_block_size=512, physical_block_size=4096, alignment_offset=3584)"
+add_device dev_size_mb=16 sector_size=512 physblk_exp=3 lowest_aligned=7 num_tgts=1
+format 256 4103
+format 256 2119 8
+format 128 2055
+format 128 1095 8
+cleanup
+
+echo "# Create enterprise-class 4K drive"
+echo "# (logical_block_size=4096, physical_block_size=4096, alignment_offset=0)"
+add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
+format 256 4096
+format 256 2560 8
+format 128 2048
+format 128 1536 8
+cleanup
+
+echo "# Create classic 512B drive and stack dm-linear"
+echo "# (logical_block_size=512, physical_block_size=512, alignment_offset=0)"
+add_device dev_size_mb=16 sector_size=512 num_tgts=1
+DEV2=$DEV
+DEV=/dev/mapper/$DEV_STACKED
+dmsetup create $DEV_STACKED --table "0 32768 linear $DEV2 0"
+format 256 4096
+format 256 2112 8
+format 128 2048
+format 128 1088 8
+format 128 8192 8192
+cleanup
+
+echo "# Offset check: 512B sector drive"
+add_device dev_size_mb=16 sector_size=512 num_tgts=1
+# |k| expO reqO expected slot offsets
+format_null 64 2048 0 8:72:136:200:264:328:392:456
+format_null 64 520 1
+format_null 64 520 8
+format_null 64 640 128
+format_null 64 2048 2048
+format_null 128 2048 0 8:136:264:392:520:648:776:904
+format_null 128 1032 1
+format_null 128 1032 8
+format_null 128 1152 128
+format_null 128 2048 2048
+format_null 256 4096 0 8:264:520:776:1032:1288:1544:1800
+format_null 256 2056 1
+format_null 256 2056 8
+format_null 256 2176 128
+format_null 256 4096 2048
+format_null 512 4096 0 8:512:1016:1520:2024:2528:3032:3536
+format_null 512 4040 1
+format_null 512 4040 8
+format_null 512 4096 128
+format_null 512 4096 2048
+cleanup
+
+echo "# Offset check: 4096B sector drive"
+add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
+format_null 64 2048 0 8:72:136:200:264:328:392:456
+format_null 64 520 1
+format_null 64 520 8
+format_null 64 640 128
+format_null 64 2048 2048
+format_null 128 2048 0 8:136:264:392:520:648:776:904
+format_null 128 1032 1
+format_null 128 1032 8
+format_null 128 1152 128
+format_null 128 2048 2048
+format_null 256 4096 0 8:264:520:776:1032:1288:1544:1800
+format_null 256 2056 1
+format_null 256 2056 8
+format_null 256 2176 128
+format_null 256 4096 2048
+format_null 512 4096 0 8:512:1016:1520:2024:2528:3032:3536
+format_null 512 4040 1
+format_null 512 4040 8
+format_null 512 4096 128
+format_null 512 4096 2048
+cleanup
+
+echo "# Create enterprise-class 4K drive with fs and LUKS images."
+# loop device here presents 512 block but images have 4k block
+# cryptsetup should properly use 4k block on direct-io
+add_device dev_size_mb=16 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64
+for file in $(ls img_fs_*.img.bz2) ; do
+ echo "Format using fs image $file."
+ bzip2 -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image"
+ [ ! -d $MNT_DIR ] && mkdir $MNT_DIR
+ mount $DEV $MNT_DIR || skip "Mounting image is not available."
+ echo $PWD1 | $CRYPTSETUP luksFormat -i 1 $MNT_DIR/luks.img || fail
+ echo $PWD2 | $CRYPTSETUP luksFormat -i 1 $MNT_DIR/luks.img --header $MNT_DIR/luks_header.img || fail
+ umount $MNT_DIR
+done
+cleanup
diff --git a/tests/api-test.c b/tests/api-test.c
new file mode 100644
index 0000000..bf44dd2
--- /dev/null
+++ b/tests/api-test.c
@@ -0,0 +1,1949 @@
+/*
+ * cryptsetup library API check functions
+ *
+ * Copyright (C) 2009-2013 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2014, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <linux/fs.h>
+#include <errno.h>
+#include <assert.h>
+#include <signal.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <libdevmapper.h>
+
+#include "luks.h"
+#include "libcryptsetup.h"
+#include "utils_loop.h"
+
+#define DMDIR "/dev/mapper/"
+
+#define DEVICE_1_UUID "28632274-8c8a-493f-835b-da802e1c576b"
+#define DEVICE_EMPTY_name "crypt_zero"
+#define DEVICE_EMPTY DMDIR DEVICE_EMPTY_name
+#define DEVICE_ERROR_name "crypt_error"
+#define DEVICE_ERROR DMDIR DEVICE_ERROR_name
+
+#define CDEVICE_1 "ctest1"
+#define CDEVICE_2 "ctest2"
+#define CDEVICE_WRONG "O_o"
+#define H_DEVICE "head_ok"
+#define H_DEVICE_WRONG "head_wr"
+#define L_DEVICE_1S "luks_onesec"
+#define L_DEVICE_0S "luks_zerosec"
+#define L_DEVICE_WRONG "luks_wr"
+#define L_DEVICE_OK "luks_ok"
+#define EVL_HEADER_1 "evil_hdr-luks_hdr_damage"
+#define EVL_HEADER_2 "evil_hdr-payload_overwrite"
+#define EVL_HEADER_3 "evil_hdr-stripes_payload_dmg"
+#define EVL_HEADER_4 "evil_hdr-small_luks_device"
+#define VALID_HEADER "valid_header_file"
+#define BACKUP_FILE "csetup_backup_file"
+#define IMAGE1 "compatimage.img"
+#define IMAGE_EMPTY "empty.img"
+
+#define KEYFILE1 "key1.file"
+#define KEY1 "compatkey"
+
+#define KEYFILE2 "key2.file"
+#define KEY2 "0123456789abcdef"
+
+#define PASSPHRASE "blabla"
+
+#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+
+#define DEVICE_WRONG "/dev/Ooo_"
+#define DEVICE_CHAR "/dev/zero"
+#define THE_LFILE_TEMPLATE "cryptsetup-tstlp.XXXXXX"
+
+#define SECTOR_SHIFT 9L
+#define SECTOR_SIZE 512
+#define TST_LOOP_FILE_SIZE (((1<<20)*50)>>SECTOR_SHIFT)
+#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
+#define DIV_ROUND_UP_MODULO(n,d) (DIV_ROUND_UP(n,d)*(d))
+#define LUKS_PHDR_SIZE_B 1024
+
+static int _debug = 0;
+static int _verbose = 1;
+static int _fips_mode = 0;
+
+static int _quit = 0;
+
+static char global_log[4096];
+static char last_error[256];
+static int global_lines = 0;
+
+static char *DEVICE_1 = NULL;
+static char *DEVICE_2 = NULL;
+static char *DEVICE_3 = NULL;
+static char *THE_LOOP_DEV = NULL;
+
+static char *tmp_file_1 = NULL;
+static char *test_loop_file = NULL;
+static uint64_t t_dev_offset = 0;
+
+static int _system(const char*, int);
+
+// Helpers
+
+static int device_size(const char *device, uint64_t *size)
+{
+ int devfd, r = 0;
+
+ devfd = open(device, O_RDONLY);
+ if(devfd == -1)
+ return -EINVAL;
+
+ if (ioctl(devfd, BLKGETSIZE64, size) < 0)
+ r = -EINVAL;
+ close(devfd);
+ return r;
+}
+
+static int fips_mode(void)
+{
+ int fd;
+ char buf = 0;
+
+ fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+ if (fd < 0)
+ return 0;
+
+ if (read(fd, &buf, 1) != 1)
+ buf = '0';
+
+ close(fd);
+
+ return (buf == '1');
+}
+
+static int get_luks_offsets(int metadata_device,
+ size_t keylength,
+ unsigned int alignpayload_sec,
+ unsigned int alignoffset_sec,
+ uint64_t *r_header_size,
+ uint64_t *r_payload_offset)
+{
+ int i;
+ uint64_t current_sector;
+ uint32_t sectors_per_stripes_set;
+
+ if (!keylength)
+ return -1;
+
+ sectors_per_stripes_set = DIV_ROUND_UP(keylength*LUKS_STRIPES, SECTOR_SIZE);
+ printf("sectors_per_stripes %" PRIu32 "\n", sectors_per_stripes_set);
+ current_sector = DIV_ROUND_UP_MODULO(DIV_ROUND_UP(LUKS_PHDR_SIZE_B, SECTOR_SIZE),
+ LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
+ for(i=0;i < (LUKS_NUMKEYS - 1);i++)
+ current_sector = DIV_ROUND_UP_MODULO(current_sector + sectors_per_stripes_set,
+ LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
+ if (r_header_size)
+ *r_header_size = current_sector + sectors_per_stripes_set;
+
+ current_sector = DIV_ROUND_UP_MODULO(current_sector + sectors_per_stripes_set,
+ LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
+
+ if (r_payload_offset) {
+ if (metadata_device)
+ *r_payload_offset = alignpayload_sec;
+ else
+ *r_payload_offset = DIV_ROUND_UP_MODULO(current_sector, alignpayload_sec)
+ + alignoffset_sec;
+ }
+
+ return 0;
+}
+
+/*
+ * Creates dm-linear target over the test loop device. Offset is held in
+ * global variables so that size can be tested whether it fits into remaining
+ * size of the loop device or not
+ */
+static int create_dmdevice_over_loop(const char *dm_name, const uint64_t size)
+{
+ char cmd[128];
+ int r;
+ uint64_t r_size;
+
+ if(device_size(THE_LOOP_DEV, &r_size) < 0 || r_size <= t_dev_offset || !size)
+ return -1;
+ if ((r_size - t_dev_offset) < size) {
+ printf("No enough space on backing loop device\n.");
+ return -2;
+ }
+ snprintf(cmd, sizeof(cmd),
+ "dmsetup create %s --table \"0 %" PRIu64 " linear %s %" PRIu64 "\"",
+ dm_name, size, THE_LOOP_DEV, t_dev_offset);
+ if (!(r = _system(cmd, 1))) {
+ t_dev_offset += size;
+ }
+ return r;
+}
+
+// TODO some utility to remove dmdevice over the loop file
+
+// Get key from kernel dm mapping table using dm-ioctl
+static int _get_key_dm(const char *name, char *buffer, unsigned int buffer_size)
+{
+ struct dm_task *dmt;
+ struct dm_info dmi;
+ uint64_t start, length;
+ char *target_type, *key, *params;
+ void *next = NULL;
+ int r = -EINVAL;
+
+ if (!(dmt = dm_task_create(DM_DEVICE_TABLE)))
+ goto out;
+ if (!dm_task_set_name(dmt, name))
+ goto out;
+ if (!dm_task_run(dmt))
+ goto out;
+ if (!dm_task_get_info(dmt, &dmi))
+ goto out;
+ if (!dmi.exists)
+ goto out;
+
+ next = dm_get_next_target(dmt, next, &start, &length, &target_type, ¶ms);
+ if (!target_type || strcmp(target_type, "crypt") != 0)
+ goto out;
+
+ (void)strsep(¶ms, " "); /* rcipher */
+ key = strsep(¶ms, " ");
+
+ if (buffer_size <= strlen(key))
+ goto out;
+
+ strncpy(buffer, key, buffer_size);
+ r = 0;
+out:
+ if (dmt)
+ dm_task_destroy(dmt);
+
+ return r;
+}
+
+static int _prepare_keyfile(const char *name, const char *passphrase, int size)
+{
+ int fd, r;
+
+ fd = open(name, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR|S_IWUSR);
+ if (fd != -1) {
+ r = write(fd, passphrase, size);
+ close(fd);
+ } else
+ r = 0;
+
+ return r == size ? 0 : 1;
+}
+
+static void _remove_keyfiles(void)
+{
+ remove(KEYFILE1);
+ remove(KEYFILE2);
+}
+
+// Decode key from its hex representation
+static int crypt_decode_key(char *key, const char *hex, unsigned int size)
+{
+ char buffer[3];
+ char *endp;
+ unsigned int i;
+
+ buffer[2] = '\0';
+
+ for (i = 0; i < size; i++) {
+ buffer[0] = *hex++;
+ buffer[1] = *hex++;
+
+ key[i] = (unsigned char)strtoul(buffer, &endp, 16);
+
+ if (endp != &buffer[2])
+ return -1;
+ }
+
+ if (*hex != '\0')
+ return -1;
+
+ return 0;
+}
+
+static void global_log_callback(int level, const char *msg, void *usrptr)
+{
+ int len;
+
+ if (_debug)
+ printf("LOG: %s", msg);
+ strncat(global_log, msg, sizeof(global_log) - strlen(global_log));
+ global_lines++;
+ if (level == CRYPT_LOG_ERROR) {
+ len = strlen(msg);
+ if (len > sizeof(last_error))
+ len = sizeof(last_error);
+ strncpy(last_error, msg, sizeof(last_error));
+ last_error[len-1] = '\0';
+ }
+}
+
+static void reset_log(void)
+{
+ memset(global_log, 0, sizeof(global_log));
+ memset(last_error, 0, sizeof(last_error));
+ global_lines = 0;
+}
+
+static int _system(const char *command, int warn)
+{
+ int r;
+ if (_debug)
+ printf("Running system: %s\n", command);
+ if ((r=system(command)) < 0 && warn)
+ printf("System command failed: %s", command);
+ return r;
+}
+
+static void _cleanup_dmdevices(void)
+{
+ struct stat st;
+
+ if (!stat(DMDIR H_DEVICE, &st)) {
+ _system("dmsetup remove " H_DEVICE, 0);
+ }
+ if (!stat(DMDIR H_DEVICE_WRONG, &st)) {
+ _system("dmsetup remove " H_DEVICE_WRONG, 0);
+ }
+ if (!stat(DMDIR L_DEVICE_0S, &st)) {
+ _system("dmsetup remove " L_DEVICE_0S, 0);
+ }
+ if (!stat(DMDIR L_DEVICE_1S, &st)) {
+ _system("dmsetup remove " L_DEVICE_1S, 0);
+ }
+ if (!stat(DMDIR L_DEVICE_WRONG, &st)) {
+ _system("dmsetup remove " L_DEVICE_WRONG, 0);
+ }
+ if (!stat(DMDIR L_DEVICE_OK, &st)) {
+ _system("dmsetup remove " L_DEVICE_OK, 0);
+ }
+
+ t_dev_offset = 0;
+}
+
+static void _cleanup(void)
+{
+ struct stat st;
+
+ //_system("udevadm settle", 0);
+
+ if (!stat(DMDIR CDEVICE_1, &st))
+ _system("dmsetup remove " CDEVICE_1, 0);
+
+ if (!stat(DMDIR CDEVICE_2, &st))
+ _system("dmsetup remove " CDEVICE_2, 0);
+
+ if (!stat(DEVICE_EMPTY, &st))
+ _system("dmsetup remove " DEVICE_EMPTY_name, 0);
+
+ if (!stat(DEVICE_ERROR, &st))
+ _system("dmsetup remove " DEVICE_ERROR_name, 0);
+
+ _cleanup_dmdevices();
+
+ if (crypt_loop_device(THE_LOOP_DEV))
+ crypt_loop_detach(THE_LOOP_DEV);
+
+ if (crypt_loop_device(DEVICE_1))
+ crypt_loop_detach(DEVICE_1);
+
+ if (crypt_loop_device(DEVICE_2))
+ crypt_loop_detach(DEVICE_2);
+
+ if (crypt_loop_device(DEVICE_3))
+ crypt_loop_detach(DEVICE_3);
+
+ _system("rm -f " IMAGE_EMPTY, 0);
+ _system("rm -f " IMAGE1, 0);
+
+ remove(test_loop_file);
+ remove(tmp_file_1);
+
+ remove(EVL_HEADER_1);
+ remove(EVL_HEADER_2);
+ remove(EVL_HEADER_3);
+ remove(EVL_HEADER_4);
+ remove(VALID_HEADER);
+ remove(BACKUP_FILE);
+
+ _remove_keyfiles();
+
+ free(tmp_file_1);
+ free(test_loop_file);
+ free(THE_LOOP_DEV);
+ free(DEVICE_1);
+ free(DEVICE_2);
+ free(DEVICE_3);
+}
+
+static int _setup(void)
+{
+ int fd, ro = 0;
+ char cmd[128];
+
+ test_loop_file = strdup(THE_LFILE_TEMPLATE);
+ if ((fd=mkstemp(test_loop_file)) == -1) {
+ printf("cannot create temporary file with template %s\n", test_loop_file);
+ return 1;
+ }
+ close(fd);
+ snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null",
+ test_loop_file, SECTOR_SIZE, TST_LOOP_FILE_SIZE);
+ if (_system(cmd, 1))
+ return 1;
+
+ fd = crypt_loop_attach(&THE_LOOP_DEV, test_loop_file, 0, 0, &ro);
+ close(fd);
+
+ tmp_file_1 = strdup(THE_LFILE_TEMPLATE);
+ if ((fd=mkstemp(tmp_file_1)) == -1) {
+ printf("cannot create temporary file with template %s\n", tmp_file_1);
+ return 1;
+ }
+ close(fd);
+ snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=%s bs=%d count=%d 2>/dev/null",
+ tmp_file_1, SECTOR_SIZE, 10);
+ if (_system(cmd, 1))
+ return 1;
+
+ _system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\"", 1);
+ _system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\"", 1);
+
+ _system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2", 1);
+ fd = crypt_loop_attach(&DEVICE_1, IMAGE1, 0, 0, &ro);
+ close(fd);
+
+ _system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4 2>/dev/null", 1);
+ fd = crypt_loop_attach(&DEVICE_2, IMAGE_EMPTY, 0, 0, &ro);
+ close(fd);
+
+ /* Keymaterial offset is less than 8 sectors */
+ _system(" [ ! -e " EVL_HEADER_1 " ] && bzip2 -dk " EVL_HEADER_1 ".bz2", 1);
+ /* keymaterial offset aims into payload area */
+ _system(" [ ! -e " EVL_HEADER_2 " ] && bzip2 -dk " EVL_HEADER_2 ".bz2", 1);
+ /* keymaterial offset is valid, number of stripes causes payload area to be overwriten */
+ _system(" [ ! -e " EVL_HEADER_3 " ] && bzip2 -dk " EVL_HEADER_3 ".bz2", 1);
+ /* luks device header for data and header on same device. payloadOffset is greater than
+ * device size (crypt_load() test) */
+ _system(" [ ! -e " EVL_HEADER_4 " ] && bzip2 -dk " EVL_HEADER_4 ".bz2", 1);
+ /* valid header: payloadOffset=4096, key_size=32,
+ * volume_key = bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a */
+ _system(" [ ! -e " VALID_HEADER " ] && bzip2 -dk " VALID_HEADER ".bz2", 1);
+
+ /* Prepare tcrypt images */
+ _system(" [ ! -d tcrypt-images ] && tar xjf tcrypt-images.tar.bz2 2>/dev/null", 1);
+
+ _system("modprobe dm-crypt", 0);
+ _system("modprobe dm-verity", 0);
+
+ _fips_mode = fips_mode();
+ if (_debug)
+ printf("FIPS MODE: %d\n", _fips_mode);
+
+ /* Use default log callback */
+ crypt_set_log_callback(NULL, &global_log_callback, NULL);
+
+ return 0;
+}
+
+static void check_ok(int status, int line, const char *func)
+{
+ if (status) {
+ printf("FAIL line %d [%s]: code %d, %s\n", line, func, status, last_error);
+ _cleanup();
+ exit(-1);
+ }
+}
+
+static void check_ko(int status, int line, const char *func)
+{
+ if (status >= 0) {
+ printf("FAIL line %d [%s]: code %d, %s\n", line, func, status, last_error);
+ _cleanup();
+ exit(-1);
+ } else if (_verbose)
+ printf(" => errno %d, errmsg: %s\n", status, last_error);
+}
+
+static void check_equal(int line, const char *func, int64_t x, int64_t y)
+{
+ printf("FAIL line %d [%s]: expected equal values differs: %"
+ PRIi64 " != %" PRIi64 "\n", line, func, x, y);
+ _cleanup();
+ exit(-1);
+}
+
+static void xlog(const char *msg, const char *tst, const char *func, int line, const char *txt)
+{
+ if (_verbose) {
+ if (txt)
+ printf(" [%s,%s:%d] %s [%s]\n", msg, func, line, tst, txt);
+ else
+ printf(" [%s,%s:%d] %s\n", msg, func, line, tst);
+ }
+ if (_quit) {
+ if (_verbose)
+ printf("Interrupted by a signal.\n");
+ _cleanup();
+ exit(-1);
+ }
+}
+
+/* crypt_device context must be "cd" to parse error properly here */
+#define OK_(x) do { xlog("(success)", #x, __FUNCTION__, __LINE__, NULL); \
+ check_ok((x), __LINE__, __FUNCTION__); \
+ } while(0)
+#define FAIL_(x, y) do { xlog("(fail) ", #x, __FUNCTION__, __LINE__, y); \
+ check_ko((x), __LINE__, __FUNCTION__); \
+ } while(0)
+#define EQ_(x, y) do { int64_t _x = (x), _y = (y); \
+ xlog("(equal) ", #x " == " #y, __FUNCTION__, __LINE__, NULL); \
+ if (_x != _y) check_equal(__LINE__, __FUNCTION__, _x, _y); \
+ } while(0)
+#define RUN_(x, y) do { reset_log(); \
+ printf("%s: %s\n", #x, (y)); x(); \
+ } while (0)
+
+static void AddDevicePlain(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_plain params = {
+ .hash = "sha1",
+ .skip = 0,
+ .offset = 0,
+ .size = 0
+ };
+ int fd;
+ char key[128], key2[128], path[128];
+
+ const char *passphrase = PASSPHRASE;
+ // hashed hex version of PASSPHRASE
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+
+ uint64_t size, r_size;
+
+ crypt_decode_key(key, mk_hex, key_size);
+ FAIL_(crypt_init(&cd, ""), "empty device string");
+ FAIL_(crypt_init(&cd, DEVICE_WRONG), "nonexistent device name ");
+ FAIL_(crypt_init(&cd, DEVICE_CHAR), "character device as backing device");
+ OK_(crypt_init(&cd, tmp_file_1));
+ crypt_free(cd);
+
+ // test crypt_format, crypt_get_cipher, crypt_get_cipher_mode, crypt_get_volume_key_size
+ OK_(crypt_init(&cd,DEVICE_1));
+ params.skip = 3;
+ params.offset = 42;
+ FAIL_(crypt_format(cd,CRYPT_PLAIN,NULL,cipher_mode,NULL,NULL,key_size,¶ms),"cipher param is null");
+ FAIL_(crypt_format(cd,CRYPT_PLAIN,cipher,NULL,NULL,NULL,key_size,¶ms),"cipher_mode param is null");
+ OK_(crypt_format(cd,CRYPT_PLAIN,cipher,cipher_mode,NULL,NULL,key_size,¶ms));
+ OK_(strcmp(cipher_mode,crypt_get_cipher_mode(cd)));
+ OK_(strcmp(cipher,crypt_get_cipher(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ EQ_(params.skip, crypt_get_iv_offset(cd));
+ EQ_(params.offset, crypt_get_data_offset(cd));
+ params.skip = 0;
+ params.offset = 0;
+
+ // crypt_set_uuid()
+ FAIL_(crypt_set_uuid(cd,DEVICE_1_UUID),"can't set uuid to plain device");
+
+ crypt_free(cd);
+
+ // default is "plain" hash - no password hash
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, NULL));
+ FAIL_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0), "cannot verify key with plain");
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // test boundaries in offset parameter
+ device_size(DEVICE_1,&size);
+ params.hash = NULL;
+ // zero sectors length
+ params.offset = size >> SECTOR_SHIFT;
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ EQ_(crypt_get_data_offset(cd),params.offset);
+ // device size is 0 sectors
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0), "invalid device size (0 blocks)");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ // data part of crypt device is of 1 sector size
+ params.offset = (size >> SECTOR_SHIFT) - 1;
+ crypt_free(cd);
+
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1);
+ if (device_size(path, &r_size) >= 0)
+ EQ_(r_size>>SECTOR_SHIFT, 1);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // size > device_size
+ params.offset = 0;
+ params.size = (size >> SECTOR_SHIFT) + 1;
+ crypt_init(&cd, DEVICE_1);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),"Device too small");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // offset == device_size (autodetect size)
+ params.offset = (size >> SECTOR_SHIFT);
+ params.size = 0;
+ crypt_init(&cd, DEVICE_1);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),"Device too small");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // offset == device_size (user defined size)
+ params.offset = (size >> SECTOR_SHIFT);
+ params.size = 123;
+ crypt_init(&cd, DEVICE_1);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),"Device too small");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // offset+size > device_size
+ params.offset = 42;
+ params.size = (size >> SECTOR_SHIFT) - params.offset + 1;
+ crypt_init(&cd, DEVICE_1);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),"Offset and size are beyond device real size");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // offset+size == device_size
+ params.offset = 42;
+ params.size = (size >> SECTOR_SHIFT) - params.offset;
+ crypt_init(&cd, DEVICE_1);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ if (!device_size(path, &r_size))
+ EQ_((r_size >> SECTOR_SHIFT),params.size);
+ OK_(crypt_deactivate(cd,CDEVICE_1));
+
+ crypt_free(cd);
+ params.hash = "sha1";
+ params.offset = 0;
+ params.size = 0;
+ params.skip = 0;
+
+ // Now use hashed password
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ FAIL_(crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),
+ "cannot verify passphrase with plain" );
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+
+ // device status check
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1);
+ fd = open(path, O_RDONLY);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_BUSY);
+ FAIL_(crypt_deactivate(cd, CDEVICE_1), "Device is busy");
+ close(fd);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // crypt_init_by_name_and_header
+ OK_(crypt_init(&cd,DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ crypt_free(cd);
+
+ FAIL_(crypt_init_by_name_and_header(&cd, CDEVICE_1, H_DEVICE),"can't init plain device by header device");
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ OK_(strcmp(cipher_mode,crypt_get_cipher_mode(cd)));
+ OK_(strcmp(cipher,crypt_get_cipher(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ EQ_(params.skip, crypt_get_iv_offset(cd));
+ EQ_(params.offset, crypt_get_data_offset(cd));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ OK_(crypt_init(&cd,DEVICE_1));
+ OK_(crypt_format(cd,CRYPT_PLAIN,cipher,cipher_mode,NULL,NULL,key_size,¶ms));
+ params.size = 0;
+ params.offset = 0;
+
+ // crypt_set_data_device
+ FAIL_(crypt_set_data_device(cd,H_DEVICE),"can't set data device for plain device");
+
+ // crypt_get_type
+ OK_(strcmp(crypt_get_type(cd),CRYPT_PLAIN));
+
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+
+ // crypt_resize()
+ OK_(crypt_resize(cd,CDEVICE_1,size>>SECTOR_SHIFT)); // same size
+ if (!device_size(path,&r_size))
+ EQ_(r_size, size);
+
+ // size overlaps
+ FAIL_(crypt_resize(cd, CDEVICE_1, (uint64_t)-1),"Backing device is too small");
+ FAIL_(crypt_resize(cd, CDEVICE_1, (size>>SECTOR_SHIFT)+1),"crypt device overlaps backing device");
+
+ // resize ok
+ OK_(crypt_resize(cd,CDEVICE_1, 123));
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, 123);
+ OK_(crypt_resize(cd,CDEVICE_1,0)); // full size (autodetect)
+ if (!device_size(path,&r_size))
+ EQ_(r_size, size);
+ OK_(crypt_deactivate(cd,CDEVICE_1));
+ EQ_(crypt_status(cd,CDEVICE_1),CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // offset tests
+ OK_(crypt_init(&cd,DEVICE_1));
+ params.offset = 42;
+ params.size = (size>>SECTOR_SHIFT) - params.offset - 10;
+ OK_(crypt_format(cd,CRYPT_PLAIN,cipher,cipher_mode,NULL,NULL,key_size,¶ms));
+ OK_(crypt_activate_by_volume_key(cd,CDEVICE_1,key,key_size,0));
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, params.size);
+ // resize to fill remaining capacity
+ OK_(crypt_resize(cd,CDEVICE_1,params.size + 10));
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, params.size + 10);
+
+ // 1 sector beyond real size
+ FAIL_(crypt_resize(cd,CDEVICE_1,params.size + 11), "new device size overlaps backing device"); // with respect to offset
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, params.size + 10);
+ EQ_(crypt_status(cd,CDEVICE_1),CRYPT_ACTIVE);
+ fd = open(path, O_RDONLY);
+ close(fd);
+ OK_(fd < 0);
+
+ // resize to minimal size
+ OK_(crypt_resize(cd,CDEVICE_1, 1)); // minimal device size
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, 1);
+ // use size of backing device (autodetect with respect to offset)
+ OK_(crypt_resize(cd,CDEVICE_1,0));
+ if (!device_size(path,&r_size))
+ EQ_(r_size>>SECTOR_SHIFT, (size >> SECTOR_SHIFT)- 42);
+ OK_(crypt_deactivate(cd,CDEVICE_1));
+ crypt_free(cd);
+
+ params.size = 0;
+ params.offset = 0;
+ OK_(crypt_init(&cd,DEVICE_1));
+ OK_(crypt_format(cd,CRYPT_PLAIN,cipher,cipher_mode,NULL,NULL,key_size,¶ms));
+ OK_(crypt_activate_by_volume_key(cd,CDEVICE_1,key,key_size,0));
+
+ // suspend/resume tests
+ FAIL_(crypt_suspend(cd,CDEVICE_1),"cannot suspend plain device");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ FAIL_(crypt_resume_by_passphrase(cd,CDEVICE_1,CRYPT_ANY_SLOT,passphrase, strlen(passphrase)),"cannot resume plain device");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+
+ // retrieve volume key check
+ if (!_fips_mode) {
+ memset(key2, 0, key_size);
+ key_size--;
+ // small buffer
+ FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
+ key_size++;
+ OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+
+ OK_(memcmp(key, key2, key_size));
+ }
+ OK_(strcmp(cipher, crypt_get_cipher(cd)));
+ OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ EQ_(0, crypt_get_data_offset(cd));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ // now with keyfile
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
+ OK_(_prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
+ FAIL_(crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE1, 0, 0), "cannot verify key with plain");
+ EQ_(0, crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ FAIL_(crypt_activate_by_keyfile_offset(cd, NULL, CRYPT_ANY_SLOT, KEYFILE1, 0, strlen(KEY1) + 1, 0), "cannot seek");
+ EQ_(0, crypt_activate_by_keyfile_offset(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0, 0));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ _remove_keyfiles();
+ crypt_free(cd);
+
+ OK_(crypt_init(&cd,DEVICE_1));
+ OK_(crypt_format(cd,CRYPT_PLAIN,cipher,cipher_mode,NULL,NULL,key_size,¶ms));
+
+ // crypt_keyslot_*()
+ FAIL_(crypt_keyslot_add_by_passphrase(cd,CRYPT_ANY_SLOT,passphrase,strlen(passphrase),passphrase,strlen(passphrase)), "can't add keyslot to plain device");
+ FAIL_(crypt_keyslot_add_by_volume_key(cd,CRYPT_ANY_SLOT ,key,key_size,passphrase,strlen(passphrase)),"can't add keyslot to plain device");
+ FAIL_(crypt_keyslot_add_by_keyfile(cd,CRYPT_ANY_SLOT,KEYFILE1,strlen(KEY1),KEYFILE2,strlen(KEY2)),"can't add keyslot to plain device");
+ FAIL_(crypt_keyslot_destroy(cd,1),"can't manipulate keyslots on plain device");
+ EQ_(crypt_keyslot_status(cd, 0), CRYPT_SLOT_INVALID);
+ _remove_keyfiles();
+
+ crypt_free(cd);
+}
+
+static int new_messages = 0;
+static void new_log(int level, const char *msg, void *usrptr)
+{
+ if (level == CRYPT_LOG_ERROR)
+ new_messages++;
+ global_log_callback(level, msg, usrptr);
+}
+
+static void CallbacksTest(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_plain params = {
+ .hash = "sha1",
+ .skip = 0,
+ .offset = 0,
+ };
+
+ size_t key_size = 256 / 8;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ const char *passphrase = PASSPHRASE;
+
+ OK_(crypt_init(&cd, DEVICE_1));
+ new_messages = 0;
+ crypt_set_log_callback(cd, &new_log, NULL);
+ EQ_(new_messages, 0);
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ EQ_(new_messages, 0);
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0), "already exists");
+ EQ_(new_messages, 1);
+ crypt_set_log_callback(cd, NULL, NULL);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+}
+
+static void UseLuksDevice(void)
+{
+ struct crypt_device *cd;
+ char key[128];
+ size_t key_size;
+
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ OK_(crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
+ FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0), "already open");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ FAIL_(crypt_deactivate(cd, CDEVICE_1), "no such device");
+
+ key_size = 16;
+ OK_(strcmp("aes", crypt_get_cipher(cd)));
+ OK_(strcmp("cbc-essiv:sha256", crypt_get_cipher_mode(cd)));
+ OK_(strcmp(DEVICE_1_UUID, crypt_get_uuid(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ EQ_(1032, crypt_get_data_offset(cd));
+
+ if (!_fips_mode) {
+ EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+ OK_(crypt_volume_key_verify(cd, key, key_size));
+ OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ key[1] = ~key[1];
+ FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+ }
+ crypt_free(cd);
+}
+
+static void SuspendDevice(void)
+{
+ int suspend_status;
+ struct crypt_device *cd;
+
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
+
+ suspend_status = crypt_suspend(cd, CDEVICE_1);
+ if (suspend_status == -ENOTSUP) {
+ printf("WARNING: Suspend/Resume not supported, skipping test.\n");
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+ return;
+ }
+
+ OK_(suspend_status);
+ FAIL_(crypt_suspend(cd, CDEVICE_1), "already suspended");
+
+ FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)-1), "wrong key");
+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
+ FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)), "not suspended");
+
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
+ OK_(crypt_suspend(cd, CDEVICE_1));
+ FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1 "blah", 0), "wrong keyfile");
+ FAIL_(crypt_resume_by_keyfile_offset(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 1, 0), "wrong key");
+ OK_(crypt_resume_by_keyfile_offset(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+ FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0), "not suspended");
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ /* create LUKS device with detached header */
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DEVICE_2));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
+ crypt_free(cd);
+
+ /* Should be able to suspend but not resume if not header specified */
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ OK_(crypt_suspend(cd, CDEVICE_1));
+ FAIL_(crypt_suspend(cd, CDEVICE_1), "already suspended");
+ FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)-1), "no header");
+ crypt_free(cd);
+
+ OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, DEVICE_1));
+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
+
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ _remove_keyfiles();
+}
+
+static void AddDeviceLuks(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {
+ .hash = "sha512",
+ .data_alignment = 2048, // 4M, data offset will be 4096
+ .data_device = DEVICE_2
+ };
+ char key[128], key2[128];
+
+ const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ uint64_t r_payload_offset, r_header_size, r_size_1;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ // init test devices
+ OK_(get_luks_offsets(1, key_size, 0, 0, &r_header_size, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1));
+
+ // format
+ OK_(crypt_init(&cd, DMDIR H_DEVICE_WRONG));
+ params.data_alignment = 0;
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms), "Not enough space for keyslots material");
+ crypt_free(cd);
+
+ // test payload_offset = 0 for encrypted device with external header device
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ EQ_(crypt_get_data_offset(cd), 0);
+ crypt_free(cd);
+
+ params.data_alignment = 0;
+ params.data_device = NULL;
+
+ // test payload_offset = 0. format() should look up alignment offset from device topology
+ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ OK_(!(crypt_get_data_offset(cd) > 0));
+ crypt_free(cd);
+
+ /*
+ * test limit values for backing device size
+ */
+ params.data_alignment = 4096;
+ OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_0S, r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
+ //OK_(create_dmdevice_over_loop(L_DEVICE_WRONG, r_payload_offset - 1));
+ OK_(create_dmdevice_over_loop(L_DEVICE_WRONG, 2050 - 1)); //FIXME last keyslot - 1 sector
+
+ // 1 sector less than required
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_WRONG));
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms), "Device too small");
+ crypt_free(cd);
+
+ // 0 sectors for encrypted area
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_0S));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "Encrypted area too small");
+ crypt_free(cd);
+
+ // 1 sector for encrypted area
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ EQ_(crypt_get_data_offset(cd), params.data_alignment);
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(device_size(DMDIR CDEVICE_1, &r_size_1));
+ EQ_(r_size_1, SECTOR_SIZE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ // restrict format only to empty context
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms), "Context is already formated");
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, NULL), "Context is already formated");
+ // change data device to wrong one
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_0S));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "Device too small");
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_1S));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ params.data_alignment = 0;
+ params.data_device = DEVICE_2;
+
+ // generate keyslot material at the end of luks header
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 7, passphrase, strlen(passphrase) ,0), 7);
+ crypt_free(cd);
+ OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, DMDIR H_DEVICE));
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms), "Context is already formated");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ crypt_free(cd);
+ // check active status without header
+ OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, NULL));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(!!crypt_get_type(cd));
+ OK_(strcmp(cipher, crypt_get_cipher(cd)));
+ OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ params.data_alignment = 2048;
+ params.data_device = NULL;
+
+ // test uuid mismatch and _init_by_name_and_header
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ crypt_free(cd);
+ params.data_alignment = 0;
+ params.data_device = DEVICE_2;
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ crypt_free(cd);
+ // there we've got uuid mismatch
+ OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, DMDIR H_DEVICE));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(!!crypt_get_type(cd));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "Device is active");
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ params.data_device = NULL;
+
+ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+
+ // even with no keyslots defined it can be activated by volume key
+ OK_(crypt_volume_key_verify(cd, key, key_size));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+
+ // now with keyslot
+ EQ_(7, crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)));
+ EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 7));
+ EQ_(7, crypt_activate_by_passphrase(cd, CDEVICE_2, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+
+ crypt_set_iteration_time(cd, 1);
+ EQ_(1, crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, KEY1, strlen(KEY1)));
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
+ OK_(_prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
+ EQ_(2, crypt_keyslot_add_by_keyfile(cd, 2, KEYFILE1, 0, KEYFILE2, 0));
+ FAIL_(crypt_keyslot_add_by_keyfile_offset(cd, 3, KEYFILE1, 0, 1, KEYFILE2, 0, 1), "wrong key");
+ EQ_(3, crypt_keyslot_add_by_keyfile_offset(cd, 3, KEYFILE1, 0, 0, KEYFILE2, 0, 1));
+ EQ_(4, crypt_keyslot_add_by_keyfile_offset(cd, 4, KEYFILE2, 0, 1, KEYFILE1, 0, 1));
+ FAIL_(crypt_activate_by_keyfile(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, strlen(KEY2)-1, 0), "key mismatch");
+ EQ_(2, crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE2, 0, 0));
+ EQ_(3, crypt_activate_by_keyfile_offset(cd, NULL, CRYPT_ANY_SLOT, KEYFILE2, 0, 1, 0));
+ EQ_(4, crypt_activate_by_keyfile_offset(cd, NULL, CRYPT_ANY_SLOT, KEYFILE1, 0, 1, 0));
+ FAIL_(crypt_activate_by_keyfile_offset(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, strlen(KEY2), 2, 0), "not enough data");
+ FAIL_(crypt_activate_by_keyfile_offset(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, 0, strlen(KEY2) + 1, 0), "cannot seek");
+ FAIL_(crypt_activate_by_keyfile_offset(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, 0, 2, 0), "wrong key");
+ EQ_(2, crypt_activate_by_keyfile(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, 0, 0));
+ OK_(crypt_keyslot_destroy(cd, 1));
+ OK_(crypt_keyslot_destroy(cd, 2));
+ OK_(crypt_keyslot_destroy(cd, 3));
+ OK_(crypt_keyslot_destroy(cd, 4));
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+ _remove_keyfiles();
+
+ FAIL_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), "slot used");
+ key[1] = ~key[1];
+ FAIL_(crypt_keyslot_add_by_volume_key(cd, 6, key, key_size, passphrase, strlen(passphrase)), "key mismatch");
+ key[1] = ~key[1];
+ EQ_(6, crypt_keyslot_add_by_volume_key(cd, 6, key, key_size, passphrase, strlen(passphrase)));
+ EQ_(CRYPT_SLOT_ACTIVE, crypt_keyslot_status(cd, 6));
+
+ FAIL_(crypt_keyslot_destroy(cd, 8), "invalid keyslot");
+ FAIL_(crypt_keyslot_destroy(cd, CRYPT_ANY_SLOT), "invalid keyslot");
+ FAIL_(crypt_keyslot_destroy(cd, 0), "keyslot not used");
+ OK_(crypt_keyslot_destroy(cd, 7));
+ EQ_(CRYPT_SLOT_INACTIVE, crypt_keyslot_status(cd, 7));
+ EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 6));
+
+ EQ_(7, crypt_keyslot_change_by_passphrase(cd, 6, 7, passphrase, strlen(passphrase), passphrase2, strlen(passphrase2)));
+ EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 7));
+ EQ_(7, crypt_activate_by_passphrase(cd, NULL, 7, passphrase2, strlen(passphrase2), 0));
+ EQ_(6, crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 6, passphrase2, strlen(passphrase2), passphrase, strlen(passphrase)));
+
+ if (!_fips_mode) {
+ EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+ OK_(crypt_volume_key_verify(cd, key2, key_size));
+
+ OK_(memcmp(key, key2, key_size));
+ }
+ OK_(strcmp(cipher, crypt_get_cipher(cd)));
+ OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+ EQ_(4096, crypt_get_data_offset(cd));
+ OK_(strcmp(DEVICE_2, crypt_get_device_name(cd)));
+
+ reset_log();
+ OK_(crypt_dump(cd));
+ OK_(!(global_lines != 0));
+ reset_log();
+
+ FAIL_(crypt_set_uuid(cd, "blah"), "wrong UUID format");
+ OK_(crypt_set_uuid(cd, DEVICE_TEST_UUID));
+ OK_(strcmp(DEVICE_TEST_UUID, crypt_get_uuid(cd)));
+
+ FAIL_(crypt_deactivate(cd, CDEVICE_2), "not active");
+ crypt_free(cd);
+ _cleanup_dmdevices();
+}
+
+static void UseTempVolumes(void)
+{
+ struct crypt_device *cd;
+ char tmp[256];
+
+ // Tepmporary device without keyslot but with on-disk LUKS header
+ OK_(crypt_init(&cd, DEVICE_2));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "not yet formatted");
+ OK_(crypt_format(cd, CRYPT_LUKS1, "aes", "cbc-essiv:sha256", NULL, NULL, 16, NULL));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0));
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ crypt_free(cd);
+
+ OK_(crypt_init_by_name(&cd, CDEVICE_2));
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+ crypt_free(cd);
+
+ // Dirty checks: device without UUID
+ // we should be able to remove it but not manuipulate with it
+ snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \""
+ "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 "
+ "%s 2048\"", CDEVICE_2, DEVICE_2);
+ _system(tmp, 1);
+ OK_(crypt_init_by_name(&cd, CDEVICE_2));
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "No known device type");
+ crypt_free(cd);
+
+ // Dirty checks: device with UUID but LUKS header key fingerprint must fail)
+ snprintf(tmp, sizeof(tmp), "dmsetup create %s --table \""
+ "0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 "
+ "%s 2048\" -u CRYPT-LUKS1-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-ctest1",
+ CDEVICE_2, DEVICE_2);
+ _system(tmp, 1);
+ OK_(crypt_init_by_name(&cd, CDEVICE_2));
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "wrong volume key");
+ crypt_free(cd);
+
+ // No slots
+ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "volume key is lost");
+ crypt_free(cd);
+
+ // Plain device
+ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, NULL));
+ FAIL_(crypt_activate_by_volume_key(cd, NULL, "xxx", 3, 0), "cannot verify key with plain");
+ FAIL_(crypt_volume_key_verify(cd, "xxx", 3), "cannot verify key with plain");
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, "xxx", 3, 0), "wrong key lenght");
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, "volumekeyvolumek", 16, 0));
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_2));
+ crypt_free(cd);
+}
+
+static void LuksHeaderRestore(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {
+ .hash = "sha512",
+ .data_alignment = 2048, // 4M, data offset will be 4096
+ };
+ struct crypt_params_plain pl_params = {
+ .hash = "sha1",
+ .skip = 0,
+ .offset = 0,
+ .size = 0
+ };
+ char key[128], key2[128], cmd[256];
+
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ uint64_t r_payload_offset;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000));
+
+ // do not restore header over plain device
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, &pl_params));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ FAIL_(crypt_header_restore(cd, CRYPT_PLAIN, VALID_HEADER), "Cannot restore header to PLAIN type device");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER), "Cannot restore header over PLAIN type device");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // invalid headers
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_1), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_2), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_3), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_4), "Header too small");
+ OK_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER));
+ // wipe valid luks header
+ snprintf(cmd, sizeof(cmd), "dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=512 count=%" PRIu64 " 2>/dev/null", r_payload_offset);
+ OK_(_system(cmd, 1));
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_1), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_2), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_3), "Header corrupted");
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, EVL_HEADER_4), "Header too small");
+ OK_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // volume key_size mismatch
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ memcpy(key2, key, key_size / 2);
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key2, key_size / 2, ¶ms));
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER), "Volume keysize mismatch");
+ crypt_free(cd);
+
+ // payload offset mismatch
+ params.data_alignment = 8192;
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ FAIL_(crypt_header_restore(cd, CRYPT_LUKS1, VALID_HEADER), "Payload offset mismatch");
+ //_system("dmsetup table;sleep 1",1);
+ crypt_free(cd);
+
+ _cleanup_dmdevices();
+}
+
+static void LuksHeaderLoad(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {
+ .hash = "sha512",
+ .data_alignment = 2048,
+ };
+ struct crypt_params_plain pl_params = {
+ .hash = "sha1",
+ .skip = 0,
+ .offset = 0,
+ .size = 0
+ };
+ char key[128], cmd[256];
+
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ uint64_t r_payload_offset, r_header_size;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ // prepare test env
+ OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, &r_header_size, &r_payload_offset));
+ // external header device
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ // prepared header on a device too small to contain header and payload
+ //OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1));
+ OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, 2050 - 1)); //FIXME
+ //snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%" PRIu64, r_payload_offset - 1);
+ snprintf(cmd, sizeof(cmd), "dd if=" EVL_HEADER_4 " of=" DMDIR H_DEVICE_WRONG " bs=512 count=%d 2>/dev/null", 2050 - 1);
+ OK_(_system(cmd, 1));
+ // some device
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
+ // 1 sector device
+ OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
+ // 0 sectors device for payload
+ OK_(create_dmdevice_over_loop(L_DEVICE_0S, r_payload_offset));
+
+ // valid metadata and device size
+ params.data_alignment = 0;
+ params.data_device = DMDIR L_DEVICE_OK;
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ crypt_free(cd);
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // bad header: device too small (payloadOffset > device_size)
+ OK_(crypt_init(&cd, DMDIR H_DEVICE_WRONG));
+ FAIL_(crypt_load(cd, CRYPT_LUKS1, NULL), "Device too small");
+ OK_(!!crypt_get_type(cd));
+ crypt_free(cd);
+
+ // 0 secs for encrypted data area
+ params.data_alignment = 2048;
+ params.data_device = NULL;
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_0S));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ crypt_free(cd);
+ // load should be ok
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_0S));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "Device too small");
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ crypt_free(cd);
+
+ // damaged header
+ OK_(_system("dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=512 count=8 2>/dev/null", 1));
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ FAIL_(crypt_load(cd, CRYPT_LUKS1, NULL), "Header not found");
+ crypt_free(cd);
+
+ // plain device
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ FAIL_(crypt_load(cd, CRYPT_PLAIN, NULL), "Can't load nonLUKS device type");
+ crypt_free(cd);
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, key, key_size, &pl_params));
+ FAIL_(crypt_load(cd, CRYPT_LUKS1, NULL), "Can't load over nonLUKS device type");
+ crypt_free(cd);
+
+ _cleanup_dmdevices();
+}
+
+static void LuksHeaderBackup(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {
+ .hash = "sha512",
+ .data_alignment = 2048,
+ };
+ char key[128];
+ int fd, ro = O_RDONLY;
+
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ uint64_t r_payload_offset;
+
+ const char *passphrase = PASSPHRASE;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
+
+ // create LUKS device and backup the header
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, key, key_size, passphrase, strlen(passphrase)), 0);
+ OK_(crypt_header_backup(cd, CRYPT_LUKS1, BACKUP_FILE));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // restore header from backup
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_header_restore(cd, CRYPT_LUKS1, BACKUP_FILE));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // exercise luksOpen using backup header in file
+ OK_(crypt_init(&cd, BACKUP_FILE));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_OK));
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, passphrase, strlen(passphrase), 0), 0);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ OK_(crypt_init(&cd, BACKUP_FILE));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_OK));
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 7, passphrase, strlen(passphrase), 0), 7);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // exercise luksOpen using backup header on block device
+ fd = crypt_loop_attach(&DEVICE_3, BACKUP_FILE, 0, 0, &ro);
+ close(fd);
+ OK_(fd < 0);
+ OK_(crypt_init(&cd, DEVICE_3));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_OK));
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, passphrase, strlen(passphrase), 0), 0);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ OK_(crypt_init(&cd, DEVICE_3));
+ OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+ OK_(crypt_set_data_device(cd, DMDIR L_DEVICE_OK));
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 7, passphrase, strlen(passphrase), 0), 7);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ _cleanup_dmdevices();
+}
+
+static void ResizeDeviceLuks(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {
+ .hash = "sha512",
+ .data_alignment = 2048,
+ };
+ char key[128];
+
+ const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ uint64_t r_payload_offset, r_header_size, r_size;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ // prepare env
+ OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
+ OK_(get_luks_offsets(1, key_size, 0, 0, &r_header_size, NULL));
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
+ OK_(create_dmdevice_over_loop(L_DEVICE_0S, 1000));
+
+ // test header and encrypted payload all in one device
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ OK_(crypt_resize(cd, CDEVICE_1, 42));
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(42, r_size >> SECTOR_SHIFT);
+ // autodetect encrypted device area size
+ OK_(crypt_resize(cd, CDEVICE_1, 0));
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(1000, r_size >> SECTOR_SHIFT);
+ FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small");
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(1000, r_size >> SECTOR_SHIFT);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ params.data_alignment = 0;
+ params.data_device = DMDIR L_DEVICE_0S;
+ // test case for external header
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ OK_(crypt_resize(cd, CDEVICE_1, 666));
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(666, r_size >> SECTOR_SHIFT);
+ // autodetect encrypted device size
+ OK_(crypt_resize(cd, CDEVICE_1, 0));
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(1000, r_size >> SECTOR_SHIFT);
+ FAIL_(crypt_resize(cd, CDEVICE_1, 1001), "Device too small");
+ if (!device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(1000, r_size >> SECTOR_SHIFT);
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ _cleanup_dmdevices();
+}
+
+static void HashDevicePlain(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_plain params = {
+ .hash = NULL,
+ .skip = 0,
+ .offset = 0,
+ };
+
+ size_t key_size;
+ const char *mk_hex, *keystr;
+ char key[256];
+
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms));
+
+ // hash PLAIN, short key
+ OK_(_prepare_keyfile(KEYFILE1, "tooshort", 8));
+ FAIL_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 16, 0), "not enough data in keyfile");
+ _remove_keyfiles();
+
+ // hash PLAIN, exact key
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ mk_hex = "caffeecaffeecaffeecaffeecaffee88";
+ key_size = 16;
+ crypt_decode_key(key, mk_hex, key_size);
+ OK_(_prepare_keyfile(KEYFILE1, key, key_size));
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, mk_hex));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ // Limit plain key
+ mk_hex = "caffeecaffeecaffeecaffeeca000000";
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size - 3, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, mk_hex));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ _remove_keyfiles();
+
+ // hash PLAIN, long key
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ mk_hex = "caffeecaffeecaffeecaffeecaffee88babebabe";
+ key_size = 16;
+ crypt_decode_key(key, mk_hex, key_size);
+ OK_(_prepare_keyfile(KEYFILE1, key, strlen(mk_hex) / 2));
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ FAIL_(strcmp(key, mk_hex), "only key length used");
+ OK_(strncmp(key, mk_hex, key_size));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+
+ // Now without explicit limit
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ FAIL_(strcmp(key, mk_hex), "only key length used");
+ OK_(strncmp(key, mk_hex, key_size));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ _remove_keyfiles();
+
+ // hash sha256
+ params.hash = "sha256";
+ OK_(crypt_init(&cd, DEVICE_1));
+ OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms));
+
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ mk_hex = "c62e4615bd39e222572f3a1bf7c2132e";
+ keystr = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
+ key_size = strlen(keystr); // 32
+ OK_(_prepare_keyfile(KEYFILE1, keystr, strlen(keystr)));
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, mk_hex));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ // Read full keyfile
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, mk_hex));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ _remove_keyfiles();
+
+ // Limit keyfile read
+ keystr = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAAAAAAAA";
+ OK_(_prepare_keyfile(KEYFILE1, keystr, strlen(keystr)));
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, mk_hex));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ // Full keyfile
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
+ OK_(strcmp(key, "0e49cb34a1dee1df33f6505e4de44a66"));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ _remove_keyfiles();
+
+ // FIXME: add keyfile="-" tests somehow
+
+ crypt_free(cd);
+}
+
+static void VerityTest(void)
+{
+ struct crypt_device *cd;
+ const char *salt_hex = "20c28ffc129c12360ba6ceea2b6cf04e89c2b41cfe6b8439eb53c1897f50df7b";
+ const char *root_hex = "ab018b003a967fc782effb293b6dccb60b4f40c06bf80d16391acf686d28b5d6";
+ char salt[256], root_hash[256];
+ struct crypt_active_device cad;
+ struct crypt_params_verity params = {
+ .data_device = DEVICE_EMPTY,
+ .salt = salt,
+ .data_size = 0, /* whole device */
+ .hash_area_offset = 0,
+ .flags = CRYPT_VERITY_CREATE_HASH,
+ };
+
+ crypt_decode_key(salt, salt_hex, strlen(salt_hex) / 2);
+ crypt_decode_key(root_hash, root_hex, strlen(root_hex) / 2);
+
+ /* Format */
+ OK_(crypt_init(&cd, DEVICE_2));
+
+ /* block size */
+ params.data_block_size = 333;
+ FAIL_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms),
+ "Unsupppored block size.");
+ params.data_block_size = 4096;
+ params.hash_block_size = 333;
+ FAIL_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms),
+ "Unsupppored block size.");
+ params.hash_block_size = 4096;
+
+ /* salt size */
+ params.salt_size = 257;
+ FAIL_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms),
+ "Too large salt.");
+ params.salt_size = 32;
+
+ /* hash_type */
+ params.hash_type = 3;
+ FAIL_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms),
+ "Unsupported hash type.");
+ params.hash_type = 1;
+ params.hash_name = "blah";
+ FAIL_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms),
+ "Unsupported hash name.");
+ params.hash_name = "sha256";
+
+ OK_(crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms));
+ crypt_free(cd);
+
+ /* Verify */
+ OK_(crypt_init(&cd, DEVICE_2));
+ memset(¶ms, 0, sizeof(params));
+ params.data_device = DEVICE_EMPTY;
+ params.flags = CRYPT_VERITY_CHECK_HASH;
+ OK_(crypt_load(cd, CRYPT_VERITY, ¶ms));
+
+ /* check verity params */
+ EQ_(crypt_get_volume_key_size(cd), 32);
+ OK_(strcmp(CRYPT_VERITY, crypt_get_type(cd)));
+ memset(¶ms, 0, sizeof(params));
+ OK_(crypt_get_verity_info(cd, ¶ms));
+ OK_(strcmp("sha256", params.hash_name));
+ EQ_(strlen(salt_hex) / 2, params.salt_size);
+ OK_(memcmp(salt, params.salt, params.salt_size));
+ EQ_(4096, params.data_block_size);
+ EQ_(4096, params.hash_block_size);
+ EQ_(1, params.hash_type);
+ EQ_(crypt_get_volume_key_size(cd), 32);
+
+ OK_(crypt_activate_by_volume_key(cd, NULL, root_hash, 32, 0));
+ OK_(crypt_set_data_device(cd, DEVICE_1));
+ FAIL_(crypt_activate_by_volume_key(cd, NULL, root_hash, 32, 0), "Data corrupted");;
+
+ OK_(crypt_set_data_device(cd, DEVICE_EMPTY));
+ if (crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32,
+ CRYPT_ACTIVATE_READONLY) == -ENOTSUP) {
+ printf("WARNING: kernel dm-verity not supported, skipping test.\n");
+ crypt_free(cd);
+ return;
+ }
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ EQ_(CRYPT_ACTIVATE_READONLY, cad.flags);
+ crypt_free(cd);
+
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ /* hash fail */
+ root_hash[1] = ~root_hash[1];
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32, CRYPT_ACTIVATE_READONLY));
+ /* Be sure there was some read activity to mark device corrupted. */
+ _system("blkid " DMDIR CDEVICE_1, 0);
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ EQ_(CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_CORRUPTED, cad.flags);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ root_hash[1] = ~root_hash[1];
+
+ /* data fail */
+ OK_(crypt_set_data_device(cd, DEVICE_1));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32, CRYPT_ACTIVATE_READONLY));
+ _system("blkid " DMDIR CDEVICE_1, 0);
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ EQ_(CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_CORRUPTED, cad.flags);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ crypt_free(cd);
+}
+
+static void TcryptTest(void)
+{
+ struct crypt_device *cd = NULL;
+ struct crypt_active_device cad;
+ const char *passphrase = "aaaaaaaaaaaa";
+ const char *kf1 = "tcrypt-images/keyfile1";
+ const char *kf2 = "tcrypt-images/keyfile2";
+ const char *keyfiles[] = { kf1, kf2 };
+ struct crypt_params_tcrypt params = {
+ .passphrase = passphrase,
+ .passphrase_size = strlen(passphrase),
+ .keyfiles = keyfiles,
+ .keyfiles_count = 2,
+ };
+ double enc_mbr = 0, dec_mbr = 0;
+ const char *tcrypt_dev = "tcrypt-images/tck_5-sha512-xts-aes";
+ const char *tcrypt_dev2 = "tcrypt-images/tc_5-sha512-xts-serpent-twofish-aes";
+ size_t key_size = 64;
+ char key[key_size], key_def[key_size];
+ const char *key_hex =
+ "98dee64abe44bbf41d171c1f7b3e8eacda6d6b01f459097459a167f8c2872a96"
+ "3979531d1cdc18af62757cf22286f16f8583d848524f128d7594ac2082668c73";
+ int r;
+
+ crypt_decode_key(key_def, key_hex, strlen(key_hex) / 2);
+
+ // First ensure we can use af_alg skcipher interface
+ r = crypt_benchmark(NULL, "aes", "xts", 512, 16, 1024, &enc_mbr, &dec_mbr);
+ if (r == -ENOTSUP || r == -ENOENT) {
+ printf("WARNING: algif_skcipher interface not present, skipping test.\n");
+ return;
+ }
+
+ OK_(crypt_init(&cd, tcrypt_dev));
+ params.passphrase_size--;
+ FAIL_(crypt_load(cd, CRYPT_TCRYPT, ¶ms), "Wrong passphrase");
+ params.passphrase_size++;
+ OK_(crypt_load(cd, CRYPT_TCRYPT, ¶ms));
+
+ // check params after load
+ OK_(strcmp("xts-plain64", crypt_get_cipher_mode(cd)));
+ OK_(strcmp("aes", crypt_get_cipher(cd)));
+ EQ_(key_size, crypt_get_volume_key_size(cd));
+ EQ_(256, crypt_get_iv_offset(cd));
+ EQ_(256, crypt_get_data_offset(cd));
+
+ memset(key, 0, key_size);
+ if (!_fips_mode) {
+ key_size--;
+ // small buffer
+ FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
+ key_size++;
+ OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
+ OK_(memcmp(key, key_def, key_size));
+ }
+
+ reset_log();
+ OK_(crypt_dump(cd));
+ OK_(!(global_lines != 0));
+ reset_log();
+
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, CRYPT_ACTIVATE_READONLY));
+ crypt_free(cd);
+
+ OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, NULL));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+
+ FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "Need crypt_load");
+
+ // check params after init_by_name
+ OK_(strcmp("xts-plain64", crypt_get_cipher_mode(cd)));
+ OK_(strcmp("aes", crypt_get_cipher(cd)));
+ EQ_(key_size, crypt_get_volume_key_size(cd));
+ EQ_(256, crypt_get_iv_offset(cd));
+ EQ_(256, crypt_get_data_offset(cd));
+
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ EQ_(CRYPT_ACTIVATE_READONLY, cad.flags);
+ EQ_(256, cad.offset);
+ EQ_(256, cad.iv_offset);
+ EQ_(72, cad.size);
+
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ crypt_free(cd);
+
+ // Following test uses non-FIPS algorithms in the cipher chain
+ if(_fips_mode)
+ return;
+
+ OK_(crypt_init(&cd, tcrypt_dev2));
+ params.keyfiles = NULL;
+ params.keyfiles_count = 0;
+ OK_(crypt_load(cd, CRYPT_TCRYPT, ¶ms));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, CRYPT_ACTIVATE_READONLY));
+ crypt_free(cd);
+
+ // Deactivate the whole chain
+ EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_BUSY);
+ OK_(crypt_deactivate(NULL, CDEVICE_1));
+ EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_INACTIVE);
+}
+
+// Check that gcrypt is properly initialised in format
+static void NonFIPSAlg(void)
+{
+ struct crypt_device *cd;
+ struct crypt_params_luks1 params = {0};
+ char key[128] = "";
+ size_t key_size = 128 / 8;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+ int ret;
+
+ OK_(crypt_init(&cd, DEVICE_2));
+ params.hash = "sha256";
+ OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms),
+ "Already formatted.");
+ crypt_free(cd);
+
+ params.hash = "whirlpool";
+ OK_(crypt_init(&cd, DEVICE_2));
+ ret = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms);
+ if (ret < 0) {
+ printf("WARNING: whirlpool not supported, skipping test.\n");
+ crypt_free(cd);
+ return;
+ }
+ crypt_free(cd);
+
+ params.hash = "md5";
+ OK_(crypt_init(&cd, DEVICE_2));
+ FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms),
+ "MD5 unsupported, too short");
+ crypt_free(cd);
+}
+
+static void int_handler(int sig __attribute__((__unused__)))
+{
+ _quit++;
+}
+
+int main(int argc, char *argv[])
+{
+ struct sigaction sa = { .sa_handler = int_handler };
+ int i;
+
+ if (getuid() != 0) {
+ printf("You must be root to run this test.\n");
+ exit(0);
+ }
+
+ for (i = 1; i < argc; i++) {
+ if (!strcmp("-v", argv[i]) || !strcmp("--verbose", argv[i]))
+ _verbose = 1;
+ else if (!strcmp("--debug", argv[i]))
+ _debug = _verbose = 1;
+ }
+
+ /* Handle interrupt properly */
+ sigaction(SIGINT, &sa, NULL);
+ sigaction(SIGTERM, &sa, NULL);
+
+ _cleanup();
+ if (_setup())
+ goto out;
+
+ crypt_set_debug_level(_debug ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
+
+ RUN_(NonFIPSAlg, "Crypto is properly initialised in format"); //must be the first!
+ RUN_(AddDevicePlain, "plain device API creation exercise");
+ RUN_(HashDevicePlain, "plain device API hash test");
+ RUN_(AddDeviceLuks, "Format and use LUKS device");
+ RUN_(LuksHeaderLoad, "test header load");
+ RUN_(LuksHeaderRestore, "test LUKS header restore");
+ RUN_(LuksHeaderBackup, "test LUKS header backup");
+ RUN_(ResizeDeviceLuks, "Luks device resize tests");
+ RUN_(UseLuksDevice, "Use pre-formated LUKS device");
+ RUN_(SuspendDevice, "Suspend/Resume test");
+ RUN_(UseTempVolumes, "Format and use temporary encrypted device");
+ RUN_(CallbacksTest, "API callbacks test");
+ RUN_(VerityTest, "DM verity test");
+ RUN_(TcryptTest, "Tcrypt API test");
+out:
+ _cleanup();
+ return 0;
+}
diff --git a/tests/compat-test b/tests/compat-test
new file mode 100755
index 0000000..32b63a0
--- /dev/null
+++ b/tests/compat-test
@@ -0,0 +1,594 @@
+#!/bin/bash
+
+PS4='$LINENO:'
+CRYPTSETUP=../src/cryptsetup
+
+CRYPTSETUP_VALGRIND=../src/.libs/cryptsetup
+CRYPTSETUP_LIB_VALGRIND=../lib/.libs
+
+DEV_NAME=dummy
+DEV_NAME2=dummy2
+DEV_NAME3=dummy3
+ORIG_IMG=luks-test-orig
+IMG=luks-test
+IMG10=luks-test-v10
+HEADER_IMG=luks-header
+KEY1=key1
+KEY2=key2
+KEY5=key5
+KEYE=keye
+PWD0="compatkey"
+PWD1="93R4P4pIqAH8"
+PWD2="mymJeD8ivEhE"
+PWD3="ocMakf3fAcQO"
+PWDW="rUkL4RUryBom"
+
+LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"
+KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255"
+KEY_MATERIAL0="R4096-68096"
+KEY_MATERIAL0_EXT="R4096-68096"
+
+KEY_SLOT1="S256-259 S260-263 R264-295 A296-299 A300-303"
+KEY_MATERIAL1="R69632-133632"
+KEY_MATERIAL1_EXT="S69632-133632"
+
+KEY_SLOT5="S448-451 S452-455 R456-487 A488-491 A492-495"
+KEY_MATERIAL5="R331776-395264"
+KEY_MATERIAL5_EXT="S331776-395264"
+
+TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
+LOOPDEV=$(losetup -f 2>/dev/null)
+[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove $DEV_NAME3
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ losetup -d $LOOPDEV >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG >/dev/null 2>&1
+}
+
+function force_uevent()
+{
+ DNAME=$(echo $LOOPDEV | cut -f3 -d /)
+ echo "change" >/sys/block/$DNAME/uevent
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ remove_mapping
+ echo "FAILED"
+ exit 2
+}
+
+function can_fail_fips()
+{
+ # Ignore this fail if running in FIPS mode
+ [ -z "$FIPS_MODE" -o "$FIPS_MODE" -eq 0 ] && fail $1
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ remove_mapping
+ exit 0
+}
+
+function prepare()
+{
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+
+ case "$2" in
+ wipe)
+ remove_mapping
+ dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
+ sync
+ losetup $LOOPDEV $IMG
+ ;;
+ new)
+ remove_mapping
+ bzip2 -cd compatimage.img.bz2 > $IMG
+ # FIXME: switch to internal loop (no losetup at all)
+ echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
+ grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
+ losetup $LOOPDEV $IMG
+ bzip2 -cd compatv10image.img.bz2 > $IMG10
+ ;;
+ reuse | *)
+ if [ ! -e $IMG ]; then
+ bzip2 -cd compatimage.img.bz2 > $IMG
+ losetup $LOOPDEV $IMG
+ fi
+ [ ! -e $IMG10 ] && bzip2 -cd compatv10image.img.bz2 > $IMG10
+ ;;
+ esac
+
+ if [ ! -e $KEY1 ]; then
+ dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
+ fi
+
+ if [ ! -e $KEY2 ]; then
+ dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
+ fi
+
+ if [ ! -e $KEY5 ]; then
+ dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
+ fi
+
+ if [ ! -e $KEYE ]; then
+ touch $KEYE
+ fi
+
+ cp $IMG $ORIG_IMG
+ [ -n "$1" ] && echo "CASE: $1"
+}
+
+function check()
+{
+ sync
+ [ -z "$1" ] && return
+ ./differ $ORIG_IMG $IMG $1 || fail
+}
+
+function check_exists()
+{
+ [ -b /dev/mapper/$DEV_NAME ] || fail
+ check $1
+}
+
+function valgrind_setup()
+{
+ which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
+ [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+}
+
+function valgrind_run()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+[ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
+
+[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
+
+# LUKS tests
+
+prepare "[1] open - compat image - acceptance check" new
+echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+check_exists
+ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
+[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+# Check it can be opened from header backup as well
+$CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
+echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
+check_exists
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# Check restore
+$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
+
+# Repeat for V1.0 header - not aligned first keyslot
+echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
+check_exists
+ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
+[ "$ORG_SHA1" = 51b48c2471a7593ceaf14dc5e66bca86ed05f6cc ] || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+rm -f $HEADER_IMG
+$CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
+echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
+check_exists
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+prepare "[2] open - compat image - denial check" new
+echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+echo $PWDW | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME 2>/dev/null && fail
+check
+
+# All headers items and first key material section must change
+prepare "[3] format" wipe
+echo $PWD1 | $CRYPTSETUP -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV || fail
+check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
+
+prepare "[4] format using hash sha512" wipe
+echo $PWD1 | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV || fail
+check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
+
+prepare "[5] open"
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
+echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+check_exists
+
+# Key Slot 1 and key material section 1 must change, the rest must not.
+prepare "[6] add key"
+echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV || fail
+check "$KEY_SLOT1 $KEY_MATERIAL1"
+echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+
+# Unsuccessful Key Delete - nothing may change
+prepare "[7] unsuccessful delete"
+echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
+$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
+$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
+check
+
+# Delete Key Test
+# Key Slot 1 and key material section 1 must change, the rest must not
+prepare "[8] successful delete"
+$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
+check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
+echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+
+# Key Slot 1 and key material section 1 must change, the rest must not
+prepare "[9] add key test for key files"
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV $KEY1 || fail
+check "$KEY_SLOT1 $KEY_MATERIAL1"
+$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
+
+# Key Slot 1 and key material section 1 must change, the rest must not
+prepare "[10] delete key test with key1 as remaining key"
+$CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
+check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+
+# Delete last slot
+prepare "[11] delete last key" wipe
+echo $PWD1 | $CRYPTSETUP luksFormat $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+
+# Format test for ESSIV, and some other parameters.
+prepare "[12] parameter variation test" wipe
+$CRYPTSETUP -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV $KEY1 || fail
+check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
+$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
+
+prepare "[13] open/close - stacked devices" wipe
+echo $PWD1 | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat /dev/mapper/$DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
+$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+prepare "[14] format/open - passphrase on stdin & new line" wipe
+# stdin defined by "-" must take even newline
+#echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q --key-file=- luksFormat $LOOPDEV || fail
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+# now also try --key-file
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q luksFormat $LOOPDEV --key-file=- || fail
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# process newline if from stdin
+echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q luksFormat $LOOPDEV || fail
+echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+prepare "[15] UUID - use and report provided UUID" wipe
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid blah $LOOPDEV 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid $TEST_UUID $LOOPDEV || fail
+tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
+[ "$tst"x = "$TEST_UUID"x ] || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 $LOOPDEV || fail
+$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
+tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
+[ "$tst"x = "$TEST_UUID"x ] || fail
+
+prepare "[16] luksFormat" wipe
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# open by UUID
+force_uevent # some systems do not update loop by-uuid
+$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# empty keyfile
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEYE || fail
+$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# open by volume key
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 -s 256 --master-key-file $KEY1 $LOOPDEV || fail
+$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+prepare "[17] AddKey volume key, passphrase and keyfile" wipe
+# masterkey
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
+echo $PWD2 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
+echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
+$CRYPTSETUP luksAddKey -i1 $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
+$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
+
+# special "-" handling
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 3 || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d $KEY1 - || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d - $KEY2 || fail
+$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
+
+# [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 3 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
+# keyfile/keyfile
+$CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY1 $KEY2 --key-slot 4 || fail
+$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
+# passphrase/keyfile
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d $KEY1 --key-slot 0 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
+# passphrase/passphrase
+echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -i1 $LOOPDEV --key-slot 1 || fail
+echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+# keyfile/passphrase
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -i1 $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+
+prepare "[18] RemoveKey passphrase and keyfile" reuse
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
+# if password or keyfile is provided, batch mode must not suppress it
+echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
+echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
+echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
+echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+# kill slot using passphrase from 1
+echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
+# remove key0 / slot 0
+echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
+# last keyslot, in batch mode no passphrase needed...
+$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
+
+prepare "[19] create & status & resize" wipe
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
+$CRYPTSETUP -q resize $DEV_NAME --size 100 || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q resize $DEV_NAME || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
+# Resize underlying loop device as well
+truncate -s 16M $IMG || fail
+$CRYPTSETUP -q resize $DEV_NAME || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+$CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+# verify is ignored on non-tty input
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+
+prepare "[20] Disallow open/create if already mapped." wipe
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat $LOOPDEV 2>/dev/null && fail
+$CRYPTSETUP remove $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+
+prepare "[21] luksDump" wipe
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
+echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
+$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
+
+prepare "[22] remove disappeared device" wipe
+dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
+echo $PWD1 | $CRYPTSETUP -q -i1 luksFormat /dev/mapper/$DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
+# underlying device now returns error but node is still present
+dmsetup load $DEV_NAME --table "0 5000 error" || fail
+dmsetup resume $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
+dmsetup remove $DEV_NAME || fail
+
+prepare "[23] ChangeKey passphrase and keyfile" wipe
+# [0]$KEY1 [1]key0
+$CRYPTSETUP -q luksFormat $LOOPDEV $KEY1 -i1 --key-slot 0 || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY1 --key-slot 1 || fail
+# keyfile [0] / keyfile [0]
+$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 --key-slot 0 || fail
+# passphrase [1] / passphrase [1]
+echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV -i1 --key-slot 1 || fail
+# keyfile [0] / keyfile [new]
+$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY2 $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
+# passphrase [1] / passphrase [new]
+echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey -i1 $LOOPDEV || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
+# use all slots
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
+# still allows replace
+$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 || fail
+$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 2>/dev/null && fail
+
+prepare "[24] Keyfile limit" wipe
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
+$CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i1 -l 13 --new-keyfile-size 12 || fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
+$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
+$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
+$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -i1 -l 13 || fail
+# -l is ignored for stdin if _only_ passphrase is used
+echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 -i1 || fail
+# this is stupid, but expected
+echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
+echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
+echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
+# offset
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
+$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
+$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
+$CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+
+prepare "[25] Create shared segments" wipe
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
+$CRYPTSETUP -q remove $DEV_NAME2 || fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+
+prepare "[26] Suspend/Resume" wipe
+# only LUKS is supported
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP -q remove $DEV_NAME || fail
+$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
+# LUKS
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksSuspend $DEV_NAME || fail
+$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
+echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME -T 1 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME || fail
+
+prepare "[27] luksOpen with specified key slot number" wipe
+# first, let's try passphrase option
+echo $PWD3 | $CRYPTSETUP luksFormat -i1 -S 5 $LOOPDEV || fail
+check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
+echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME && fail
+[ -b /dev/mapper/$DEV_NAME ] && fail
+echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
+check_exists
+$CRYPTSETUP luksClose $DEV_NAME || fail
+echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -i1 -S 0 $LOOPDEV || fail
+check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0
+echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME && fail
+[ -b /dev/mapper/$DEV_NAME ] && fail
+echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME && fail
+[ -b /dev/mapper/$DEV_NAME ] && fail
+# second, try it with keyfiles
+$CRYPTSETUP luksFormat -q -S 5 -d $KEY5 $LOOPDEV || fail
+check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
+$CRYPTSETUP luksAddKey -i1 -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
+check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1
+$CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
+check_exists
+$CRYPTSETUP luksClose $DEV_NAME || fail
+$CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME && fail
+[ -b /dev/mapper/$DEV_NAME ] && fail
+$CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME && fail
+[ -b /dev/mapper/$DEV_NAME ] && fail
+
+prepare "[28] Detached LUKS header" wipe
+dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG || fail
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
+$CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
+$CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
+$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
+echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey -i1 -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
+$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
+$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
+$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
+
+prepare "[29] Repair metadata" wipe
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 || fail
+# second sector overwrite should corrupt keyslot 6+7
+dd if=/dev/urandom of=$LOOPDEV bs=512 seek=1 count=1 >/dev/null 2>&1
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME >/dev/null 2>&1 && fail
+$CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+
+prepare "[30] LUKS erase" wipe
+$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY5 --key-slot 5 || fail
+$CRYPTSETUP luksAddKey -i1 -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
+$CRYPTSETUP luksErase -q $LOOPDEV || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail
+
+remove_mapping
+exit 0
diff --git a/tests/compatimage.img.bz2 b/tests/compatimage.img.bz2
new file mode 100644
index 0000000..b351cc6
--- /dev/null
+++ b/tests/compatimage.img.bz2
Binary files differ
diff --git a/tests/compatv10image.img.bz2 b/tests/compatv10image.img.bz2
new file mode 100644
index 0000000..be6aeca
--- /dev/null
+++ b/tests/compatv10image.img.bz2
Binary files differ
diff --git a/tests/cryptsetup-valg-supps b/tests/cryptsetup-valg-supps
new file mode 100644
index 0000000..3370ace
--- /dev/null
+++ b/tests/cryptsetup-valg-supps
@@ -0,0 +1,36 @@
+# Supresion file for valgrind
+
+# known problem in libgcrypt
+{
+ leak_in_libgcrypt_00
+ Memcheck:Leak
+ fun:malloc
+ obj:/lib64/libgcrypt.so*
+ ...
+ obj:/lib64/libgcrypt.so*
+ fun:crypt_backend_init
+ fun:init_crypto
+ ...
+}
+# following leaks/errors are addressed to libpopt...
+{
+ popt_read_error
+ Memcheck:Addr4
+ obj:/lib*/libpopt.so*
+ fun:poptGetNextOpt
+ fun:main
+}
+{
+ popt_leak_poptGetNextOpt_00
+ Memcheck:Leak
+ fun:realloc
+ fun:poptGetNextOpt
+ fun:main
+}
+{
+ popt_leak_poptGetNextOpt_01
+ Memcheck:Leak
+ fun:malloc
+ fun:poptGetNextOpt
+ fun:main
+}
diff --git a/tests/device-test b/tests/device-test
new file mode 100755
index 0000000..1a6c8d2
--- /dev/null
+++ b/tests/device-test
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+CRYPTSETUP="../src/cryptsetup"
+MNT_DIR="./mnt_luks"
+DEV_NAME="dummy"
+PWD1="93R4P4pIqAH8"
+PWD2="mymJeD8ivEhE"
+
+cleanup() {
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ udevadm settle >/dev/null 2>&1
+ if [ -d "$MNT_DIR" ] ; then
+ umount -f $MNT_DIR 2>/dev/null
+ rmdir $MNT_DIR 2>/dev/null
+ fi
+ sleep 2
+}
+
+fail()
+{
+ if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi
+ cleanup
+ exit 100
+}
+
+skip()
+{
+ echo "TEST SKIPPED: $1"
+ cleanup
+ exit 0
+}
+
+format() # key_bits expected [forced]
+{
+ dd if=/dev/zero of=$DEV bs=1M count=5 >/dev/null 2>&1
+
+ echo $PWD1 | $CRYPTSETUP luksFormat $DEV -q -i1 -c aes-cbc-essiv:sha256
+ [ $? -ne 0 ] && fail "Format failed."
+
+ # test some operation, just in case
+ echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $DEV -i1 --key-slot 1
+ [ $? -ne 0 ] && fail "Keyslot add failed."
+
+ $CRYPTSETUP -q luksKillSlot $DEV 1
+ [ $? -ne 0 ] && fail "Keyslot removal failed."
+}
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run this test, test skipped."
+ exit 0
+fi
+
+[ ! -d $MNT_DIR ] && mkdir $MNT_DIR
+
+echo "[1] Using tmpfs for image"
+DEV="$MNT_DIR/test.img"
+mount -t tmpfs none $MNT_DIR || skip "Mounting tmpfs not available."
+format
+
+echo "[2] Kernel dmcrypt performace options"
+echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt >/dev/null 2>&1
+if [ $? -ne 0 ] ; then
+ echo "TEST SKIPPED: dmcrypt options not available"
+else
+ $CRYPTSETUP close $DEV_NAME || fail
+ # plain
+ echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+ echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q discards || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+ # LUKS
+ echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+ echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
+ $CRYPTSETUP status $DEV_NAME | grep -q discards || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+fi
+
+cleanup
diff --git a/tests/differ.c b/tests/differ.c
new file mode 100644
index 0000000..d4b1b37
--- /dev/null
+++ b/tests/differ.c
@@ -0,0 +1,166 @@
+/*
+ * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python)
+ *
+ * Copyright (C) 2010-2012 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+struct ffile {
+ char *name;
+ int fd;
+ unsigned char *addr;
+ size_t size;
+};
+
+enum df { OK , FAIL };
+
+static void print_diff(off_t from, int max,
+ const unsigned char *o,
+ const unsigned char *n)
+{
+ int i, len = max;
+
+ if (len > 16)
+ len = 16;
+
+ printf("OLD:");
+ for (i = 0; i < len; i++)
+ printf(" %02x", o[from + i]);
+ printf("%s\n ", max != len ? " ..." : "");
+ for (i = 0; i < len; i++)
+ printf(" %2c", o[from + i] > ' ' ? o[from + i]: '.');
+ printf("\nNEW:");
+ for (i = 0; i < len; i++)
+ printf(" %02x", n[from + i]);
+ printf("%s\n ", max != len ? " ..." : "");
+ for (i = 0; i < len; i++)
+ printf(" %2c", n[from + i] > ' ' ? n[from + i]: '.');
+ printf("\n");
+}
+
+/*
+ * Xfrom-to (e.g. R10-15)
+ * A - change allowed
+ * S - change required, semantic
+ * R - change required, random
+ * F - change forbidden
+ */
+static enum df check(const char *range, unsigned char *o, unsigned char *n)
+{
+ char strict;
+ unsigned long long from, to;
+ enum df ret;
+
+ if (sscanf(range, "%c%llu-%llu", &strict, &from, &to) != 3) {
+ printf("Unknown range format %s.\n", range);
+ return FAIL;
+ }
+
+ switch (toupper(strict)) {
+ case 'A':
+ ret = OK;
+ break;
+ case 'S':
+ ret = memcmp(&o[from], &n[from], to - from + 1) != 0 ? OK : FAIL;
+ break;
+ case 'R': /* FIXME - random test */
+ ret = memcmp(&o[from], &n[from], to - from + 1) != 0 ? OK : FAIL;
+ break;
+ case 'F':
+ ret = memcmp(&o[from], &n[from], to - from + 1) == 0 ? OK : FAIL;
+ break;
+ default:
+ ret = FAIL;
+ break;
+ }
+
+ if (ret == FAIL)
+ print_diff(from, to - from + 1, o, n);
+
+ return ret;
+}
+
+static int open_mmap(struct ffile *f)
+{
+ struct stat st;
+
+ f->fd = open(f->name, O_RDONLY);
+ if (f->fd == -1 || fstat(f->fd, &st) == -1)
+ return 0;
+
+ f->size = st.st_size;
+ f->addr = mmap(NULL, f->size, PROT_READ, MAP_PRIVATE, f->fd, 0);
+
+ return (f->addr == MAP_FAILED) ? 0 : 1;
+}
+
+static void close_mmap(struct ffile *f)
+{
+ if (f->addr != MAP_FAILED && !munmap(f->addr, f->size))
+ f->addr = MAP_FAILED;
+
+ if (f->fd != -1 && !close(f->fd))
+ f->fd = -1;
+}
+
+int main(int argc, char *argv[])
+{
+ int i, r = 1;
+ struct ffile file_old = {
+ .fd = -1,
+ .addr = MAP_FAILED,
+ };
+ struct ffile file_new = {
+ .fd = -1,
+ .addr = MAP_FAILED,
+ };
+
+ if (argc < 3) {
+ printf("Use: differ old_file new_file change_list.\n");
+ goto bad;
+ }
+
+ file_old.name = argv[1];
+ if (!open_mmap(&file_old))
+ goto bad;
+
+ file_new.name = argv[2];
+ if (!open_mmap(&file_new))
+ goto bad;
+
+ for (i = 3; i < argc; i++)
+ if (check(argv[i], file_old.addr, file_new.addr) == FAIL) {
+ printf ("FAILED for %s\n", argv[i]);
+ r = 1;
+ goto bad;
+ }
+
+ r = 0;
+bad:
+ close_mmap(&file_new);
+ close_mmap(&file_old);
+
+ return r;
+}
diff --git a/tests/discards-test b/tests/discards-test
new file mode 100755
index 0000000..a8c4bc6
--- /dev/null
+++ b/tests/discards-test
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+CRYPTSETUP="../src/cryptsetup"
+DEV_NAME="discard-t3st"
+DEV=""
+PWD1="93R4P4pIqAH8"
+
+cleanup() {
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ udevadm settle >/dev/null 2>&1
+ rmmod scsi_debug 2>/dev/null
+ sleep 2
+}
+
+fail()
+{
+ echo "FAILED"
+ cleanup
+ exit 100
+}
+
+add_device() {
+ modprobe scsi_debug $@
+ if [ $? -ne 0 ] ; then
+ echo "This kernel seems to not support proper scsi_debug module, test skipped."
+ exit 0
+ fi
+
+ sleep 2
+ DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
+
+ DEV="/dev/$DEV"
+ [ -b $DEV ] || fail "Cannot find $DEV."
+}
+
+function check_version()
+{
+ VER_STR=$(dmsetup targets | grep crypt | cut -f 2 -dv)
+ VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+ VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+
+ # option supported in 1.11
+ test $VER_MAJ -gt 1 && return 0
+ test $VER_MIN -ge 11 && return 0
+ return 1
+}
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run this test, test skipped."
+ exit 0
+fi
+
+modprobe --dry-run scsi_debug || exit 0
+modprobe dm-crypt >/dev/null 2>&1
+if ! check_version ; then
+ echo "Probably old kernel, test skipped."
+ exit 0
+fi
+
+add_device dev_size_mb=16 sector_size=512 num_tgts=1 lbpu=1
+
+# FIXME test hash of device (unmap -> zero)
+# for now just check that flag is enabled
+
+echo "[1] Allowing discards for LUKS device"
+echo $PWD1 | $CRYPTSETUP luksFormat $DEV -q -i1 || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $DEV $DEV_NAME --allow-discards || fail
+$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
+$CRYPTSETUP resize $DEV_NAME --size 100 || fail
+$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
+dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+
+echo "[2] Allowing discards for plain device"
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $DEV --hash sha1 --allow-discards || fail
+$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
+$CRYPTSETUP resize $DEV_NAME --size 100 || fail
+$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
+dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail
+$CRYPTSETUP remove $DEV_NAME || fail
+
+cleanup
diff --git a/tests/evil_hdr-luks_hdr_damage.bz2 b/tests/evil_hdr-luks_hdr_damage.bz2
new file mode 100644
index 0000000..b4970be
--- /dev/null
+++ b/tests/evil_hdr-luks_hdr_damage.bz2
Binary files differ
diff --git a/tests/evil_hdr-payload_overwrite.bz2 b/tests/evil_hdr-payload_overwrite.bz2
new file mode 100644
index 0000000..c27a78c
--- /dev/null
+++ b/tests/evil_hdr-payload_overwrite.bz2
Binary files differ
diff --git a/tests/evil_hdr-small_luks_device.bz2 b/tests/evil_hdr-small_luks_device.bz2
new file mode 100644
index 0000000..4d77530
--- /dev/null
+++ b/tests/evil_hdr-small_luks_device.bz2
Binary files differ
diff --git a/tests/evil_hdr-stripes_payload_dmg.bz2 b/tests/evil_hdr-stripes_payload_dmg.bz2
new file mode 100644
index 0000000..d1b7daa
--- /dev/null
+++ b/tests/evil_hdr-stripes_payload_dmg.bz2
Binary files differ
diff --git a/tests/img_fs_ext4.img.bz2 b/tests/img_fs_ext4.img.bz2
new file mode 100644
index 0000000..5faa3e7
--- /dev/null
+++ b/tests/img_fs_ext4.img.bz2
Binary files differ
diff --git a/tests/img_fs_vfat.img.bz2 b/tests/img_fs_vfat.img.bz2
new file mode 100644
index 0000000..a87683b
--- /dev/null
+++ b/tests/img_fs_vfat.img.bz2
Binary files differ
diff --git a/tests/img_fs_xfs.img.bz2 b/tests/img_fs_xfs.img.bz2
new file mode 100644
index 0000000..3e21a8a
--- /dev/null
+++ b/tests/img_fs_xfs.img.bz2
Binary files differ
diff --git a/tests/loopaes-test b/tests/loopaes-test
new file mode 100755
index 0000000..5b26b42
--- /dev/null
+++ b/tests/loopaes-test
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+CRYPTSETUP=../src/cryptsetup
+
+# try to validate using loop-AES losetup/kernel if available
+LOSETUP_AES=/losetup-aes.old
+
+LOOP_DD_PARAM="bs=1k count=10000"
+DEV_NAME=dummy
+IMG=loopaes.img
+KEYv1=key_v1
+KEYv2=key_v2
+KEYv3=key_v3
+LOOPDEV=$(losetup -f 2>/dev/null)
+
+function dmremove() { # device
+ udevadm settle >/dev/null 2>&1
+ dmsetup remove $1 >/dev/null 2>&1
+}
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmremove $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+ losetup -d $LOOPDEV >/dev/null 2>&1
+ rm -f $IMG $KEYv1 $KEYv2 $KEYv3 >/dev/null 2>&1
+}
+
+function fail()
+{
+ remove_mapping
+ echo "FAILED"
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ exit 0
+}
+
+function prepare()
+{
+ remove_mapping
+ dd if=/dev/zero of=$IMG $LOOP_DD_PARAM >/dev/null 2>&1
+ sync
+ losetup $LOOPDEV $IMG
+
+ # Prepare raw key: v1 - one key, v2 - 64 keys, v3 - 64 + one IV
+ if [ ! -e $KEYv3 ]; then
+ head -c 3705 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65 >$KEYv3
+ head -n 1 $KEYv3 > $KEYv1
+ head -n 64 $KEYv3 > $KEYv2
+ fi
+ [ -n "$1" ] && echo -n "$1 "
+}
+
+function check_exists()
+{
+ [ -b /dev/mapper/$DEV_NAME ] || fail
+}
+
+function get_offset_params() # $offset
+{
+ offset=$1
+ if [ "${offset:0:1}" = "@" ] ; then
+ echo "-o $((${offset:1} / 512)) -p 0"
+ else
+ echo "-o $((offset / 512))"
+ fi
+}
+
+function get_expsum() # $offset
+{
+ case $1 in
+ 0)
+ echo "31e00e0e4c233c89051cd748122fde2c98db0121ca09ba93a3820817ea037bc5"
+ ;;
+ @8192 | 8192)
+ echo "bfd94392d1dd8f5d477251d21b3c736e177a4945cd4937847fc7bace82996aed"
+ ;;
+ @8388608 | 8388608)
+ echo "33838fe36928a929bd7971bed7e82bd426c88193fcd692c2e6f1b9c9bfecd4d6"
+ ;;
+ *) fail
+ ;;
+ esac
+}
+
+function check_sum() # $key $keysize $offset
+{
+ # Fill device with zeroes and reopen it
+ dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1k $LOOP_DD_PARAM >/dev/null 2>&1
+ sync
+ dmremove $DEV_NAME
+
+ EXPSUM=$(get_expsum $3)
+ $CRYPTSETUP loopaesOpen $LOOPDEV $DEV_NAME -s $2 --key-file $1 $(get_offset_params $3) >/dev/null 2>&1
+ ret=$?
+ VSUM=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
+ if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then
+ echo -n "[OK]"
+ else
+ echo "[FAIL]"
+ echo " Expecting $EXPSUM got $VSUM."
+ fail
+ fi
+}
+
+function check_sum_losetup() # $key $alg
+{
+ [ ! -x $LOSETUP_AES ] && echo && return
+
+ echo -n " Verification using loop-AES: "
+
+ losetup -d $LOOPDEV >/dev/null 2>&1
+ cat $1 | $LOSETUP_AES -p 0 -e $2 -o $3 $LOOPDEV $IMG
+ ret=$?
+ VSUM=$(sha256sum $LOOPDEV | cut -d' ' -f 1)
+ if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then
+ echo "[OK]"
+ else
+ echo "[FAIL]"
+ echo " Expecting $EXPSUM got $VSUM (loop-AES)."
+ fail
+ fi
+ losetup -d $LOOPDEV >/dev/null 2>&1
+}
+
+function check_version()
+{
+ VER_STR=$(dmsetup version | grep Driver)
+ VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+ VER_PATCH=$(echo $VER_STR | cut -f 3 -d.)
+
+ test $VER_MIN -lt 19 && return 1
+ test $VER_MIN -eq 19 -a $VER_PATCH -ge 6 && return 1 # RHEL
+ return 0
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+[ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped."
+which uuencode >/dev/null || skip "WARNING: test require uuencode binary, test skipped."
+check_version || skip "Probably old kernel, test skipped."
+
+# loop-AES tests
+KEY_SIZES="128 256"
+KEY_FILES="$KEYv1 $KEYv2 $KEYv3"
+DEV_OFFSET="0 8192 @8192 8388608 @8388608"
+
+for key_size in $KEY_SIZES ; do
+ for key in $KEY_FILES ; do
+ for offset in $DEV_OFFSET ; do
+ prepare "Open loop-AES $key / AES-$key_size / offset $offset"
+ $CRYPTSETUP loopaesOpen $LOOPDEV $DEV_NAME \
+ -s $key_size --key-file $key $(get_offset_params $offset) \
+ 2>/dev/null
+ [ $? -ne 0 ] && echo "[SKIPPED]" && continue
+ check_exists
+ check_sum $key $key_size $offset
+ $CRYPTSETUP loopaesClose $DEV_NAME || fail
+ check_sum_losetup $key AES$key_size $offset
+ done
+ done
+done
+
+remove_mapping
+exit 0
diff --git a/tests/luks1-compat-test b/tests/luks1-compat-test
new file mode 100755
index 0000000..9f7963c
--- /dev/null
+++ b/tests/luks1-compat-test
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# check luks1 images parsing
+
+# NOTE: if image with whirlpool hash fails, check
+# that you are not using old gcrypt with flawed whirlpool
+# (see cryptsetup debug output)
+
+CRYPTSETUP=../src/cryptsetup
+TST_DIR=luks1-images
+MAP=luks1tst
+KEYFILE=keyfile1
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$MAP ] && dmsetup remove $MAP
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ echo " [FAILED]"
+ remove_mapping
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ echo "Test skipped."
+ exit 0
+}
+
+function test_one()
+{
+ $CRYPTSETUP benchmark -c "$1" -s "$2" | grep -v "#" || skip
+}
+
+function test_required()
+{
+ which lsblk >/dev/null 2>&1 || skip "WARNING: lsblk tool required."
+
+ echo "REQUIRED KDF TEST"
+ $CRYPTSETUP benchmark -h whirlpool | grep "N/A" && skip
+
+ echo "REQUIRED CIPHERS TEST"
+ echo "# Algorithm | Key | Encryption | Decryption"
+
+ test_one aes-xts 256
+ test_one twofish-xts 256
+ test_one serpent-xts 256
+ test_one aes-cbc 256
+ test_one aes-lrw 256
+}
+
+export LANG=C
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run activation part of test, test skipped."
+ exit 0
+fi
+
+test_required
+[ ! -d $TST_DIR ] && tar xjf luks1-images.tar.bz2 --no-same-owner
+
+echo "ACTIVATION FS UUID CHECK"
+for file in $(ls $TST_DIR/luks1_*) ; do
+ echo -n " $file"
+ $CRYPTSETUP luksOpen -d $TST_DIR/$KEYFILE $file $MAP 2>/dev/null
+ ret=$?
+ # ignore missing whirlpool (pwd failed is exit code 2)
+ [ $ret -eq 1 ] && (echo $file | grep -q -e "whirlpool") && echo " [N/A]" && continue
+ # ignore flawed whirlpool (pwd failed is exit code 2)
+ [ $ret -eq 2 ] && (echo $file | grep -q -e "whirlpool") && \
+ ($CRYPTSETUP luksDump $file --debug | grep -q -e "flawed whirlpool") && \
+ echo " [IGNORED (flawed Whirlpool library)]" && continue
+ [ $ret -ne 0 ] && fail
+ $CRYPTSETUP status $MAP >/dev/null || fail
+ $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
+ UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
+ $CRYPTSETUP remove $MAP || fail
+ [ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed."
+ echo " [OK]"
+done
diff --git a/tests/luks1-images.tar.bz2 b/tests/luks1-images.tar.bz2
new file mode 100644
index 0000000..86de8a5
--- /dev/null
+++ b/tests/luks1-images.tar.bz2
Binary files differ
diff --git a/tests/mode-test b/tests/mode-test
new file mode 100755
index 0000000..46fbf95
--- /dev/null
+++ b/tests/mode-test
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+# Test mode compatibility, check input + kernel and cryptsetup cipher status
+#
+CRYPTSETUP=../src/cryptsetup
+DEV_NAME=dmc_test
+HEADER_IMG=mode-test.img
+PASSWORD=3xrododenron
+PASSWORD1=$PASSWORD
+
+# cipher-chainmode-ivopts:ivmode
+CIPHERS="aes twofish serpent"
+MODES="cbc lrw xts"
+IVMODES="null benbi plain plain64 essiv:sha256"
+
+LOOPDEV=$(losetup -f 2>/dev/null)
+
+dmremove() { # device
+ udevadm settle >/dev/null 2>&1
+ dmsetup remove $1 >/dev/null 2>&1
+}
+
+cleanup() {
+ for dev in $(dmsetup status --target crypt | sed s/\:\ .*// | grep "^$DEV_NAME"_); do
+ dmremove $dev
+ done
+ sleep 2
+ [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+ losetup -d $LOOPDEV >/dev/null 2>&1
+ rm -f $HEADER_IMG >/dev/null 2>&1
+}
+
+fail()
+{
+ [ -n "$1" ] && echo "$1"
+ cleanup
+ exit 100
+}
+
+skip()
+{
+ [ -n "$1" ] && echo "$1"
+ exit 0
+}
+
+add_device() {
+ dd if=/dev/zero of=$HEADER_IMG bs=1M count=6 >/dev/null 2>&1
+ sync
+ losetup $LOOPDEV $HEADER_IMG >/dev/null 2>&1
+ dmsetup create $DEV_NAME --table "0 10240 linear $LOOPDEV 8" >/dev/null 2>&1
+}
+
+dmcrypt_check() # device outstring
+{
+ X=$(dmsetup table $1 2>/dev/null | sed 's/.*: //' | cut -d' ' -f 4)
+ if [ "$X" = $2 ] ; then
+ echo -n "[table OK]"
+ else
+ echo "[table FAIL]"
+ echo " Expecting $2 got $X."
+ fail
+ fi
+
+ X=$($CRYPTSETUP status $1 | grep cipher: | sed s/\.\*cipher:\\s*//)
+ if [ $X = $2 ] ; then
+ echo -n "[status OK]"
+ else
+ echo "[status FAIL]"
+ echo " Expecting $2 got \"$X\"."
+ fail
+ fi
+
+ dmremove $1
+}
+
+dmcrypt_check_sum() # cipher device outstring
+{
+ EXPSUM="c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29"
+ # Fill device with zeroes and reopen it
+ dd if=/dev/zero of=/dev/mapper/$2 bs=1M count=6 >/dev/null 2>&1
+ sync
+ dmremove $2
+
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 $2 /dev/mapper/$DEV_NAME >/dev/null 2>&1
+ ret=$?
+ VSUM=$(sha256sum /dev/mapper/$2 | cut -d' ' -f 1)
+ if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then
+ echo -n "[OK]"
+ else
+ echo "[FAIL]"
+ echo " Expecting $EXPSUM got $VSUM."
+ fail
+ fi
+
+ dmremove $2
+}
+
+dmcrypt()
+{
+ OUT=$2
+ [ -z "$OUT" ] && OUT=$1
+ printf "%-25s" "$1"
+
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_"$1" /dev/mapper/$DEV_NAME >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ echo -n -e "PLAIN:"
+ dmcrypt_check "$DEV_NAME"_"$1" $OUT
+ else
+ echo -n "[n/a]"
+ fi
+
+ echo $PASSWORD | $CRYPTSETUP luksFormat -i 1 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ echo -n -e " LUKS:"
+ echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_"$1" >/dev/null 2>&1
+ dmcrypt_check "$DEV_NAME"_"$1" $OUT
+ fi
+
+ # repeated device creation must return the same checksum
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_"$1" /dev/mapper/$DEV_NAME >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ echo -n -e " CHECKSUM:"
+ dmcrypt_check_sum "$1" "$DEV_NAME"_"$1"
+ fi
+ echo
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+[ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped."
+
+add_device
+
+# compatibility modes
+dmcrypt aes aes-cbc-plain
+dmcrypt aes-plain aes-cbc-plain
+
+# empty cipher
+PASSWORD=""
+dmcrypt null cipher_null-ecb
+dmcrypt cipher_null cipher_null-cbc-plain
+dmcrypt cipher_null-ecb
+
+PASSWORD=$PASSWORD1
+# codebook doesn't support IV at all
+for cipher in $CIPHERS ; do
+ dmcrypt "$cipher-ecb"
+done
+
+for cipher in $CIPHERS ; do
+ for mode in $MODES ; do
+ for ivmode in $IVMODES ; do
+ dmcrypt "$cipher-$mode-$ivmode"
+ done
+ done
+done
+
+cleanup
diff --git a/tests/password-hash-test b/tests/password-hash-test
new file mode 100755
index 0000000..a03af50
--- /dev/null
+++ b/tests/password-hash-test
@@ -0,0 +1,171 @@
+#!/bin/bash
+
+# check hash processing in create command
+
+CRYPTSETUP=../src/cryptsetup
+DEV_NAME=dmc_test
+KEY_FILE=keyfile
+
+DEV2=$DEV_NAME"_x"
+
+dmremove() { # device
+ udevadm settle >/dev/null 2>&1
+ dmsetup remove $1 >/dev/null 2>&1
+}
+
+cleanup() {
+ [ -b /dev/mapper/$DEV2 ] && dmremove $DEV2
+ [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+ rm -f $KEY_FILE
+ exit $1
+}
+
+function fail()
+{
+ echo " $1 [FAILED]"
+ cleanup 2
+}
+
+crypt_key() # hash keysize pwd/file name outkey [limit] [offset]
+{
+ DEV2=$DEV_NAME"_x"
+ LIMIT=""
+ MODE=aes-cbc-essiv:sha256
+ [ $2 -gt 256 ] && MODE=aes-xts-plain
+ [ -n "$6" ] && LIMIT="-l $6"
+ [ -n "$7" ] && LIMIT="$LIMIT --keyfile-offset $7"
+
+ echo -n "HASH: $1 KSIZE: $2 / $3"
+ case "$3" in
+ pwd)
+ echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ std-)
+ echo -e -n "$4" | $CRYPTSETUP create -c $MODE -d "-" -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ stdin)
+ echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ cat)
+ cat $4 | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ cat-)
+ cat $4 | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 -d - /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ file)
+ $CRYPTSETUP create -q -c $MODE -d $4 -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+ ret=$?
+ ;;
+ failpwd)
+ echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null && fail "Expecting failure"
+ echo " [OK]"
+ return
+ ;;
+ *)
+ fail ""
+ ;;
+ esac
+
+ # ignore these cases, not all libs/kernel supports it
+ if [ "$1" == "ripemd160" -o $2 -gt 256 ] ; then
+ if [ $ret -ne 0 ] ; then
+ echo " [N/A] ($ret, SKIPPED)"
+ return
+ fi
+ fi
+
+ VKEY=$(dmsetup table $DEV2 --showkeys 2>/dev/null | sed 's/.*: //' | cut -d' ' -f 5)
+ if [ "$VKEY" != "$5" ] ; then
+ echo " [FAILED]"
+ echo "expected: $5"
+ echo "real key: $VKEY"
+ cleanup 100
+ else
+ echo " [OK]"
+ fi
+
+ dmremove $DEV2
+}
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run this test, test skipped."
+ exit 0
+fi
+
+dmsetup create $DEV_NAME --table "0 10240 zero" >/dev/null 2>&1
+
+crypt_key ripemd160 0 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
+crypt_key ripemd160 256 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
+crypt_key ripemd160 128 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f
+crypt_key sha1 256 pwd "xxx" b60d121b438a380c343d5ec3c2037564b82ffef30b1e0a6ad9af7a73aa91c197
+crypt_key sha1 128 pwd "xxx" b60d121b438a380c343d5ec3c2037564
+crypt_key sha256 256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+crypt_key sha256 128 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7
+
+crypt_key sha256 0 std- "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+crypt_key sha256 256 std- "xxx\n" 042aea10a0f14f2d391373599be69d53a75dde9951fc3d3cd10b6100aa7a9f24
+crypt_key sha256 128 std- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" \
+ 2a42b97084779dcedf2c66405c5d296c
+crypt_key sha256 256 stdin "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+crypt_key sha256 0 stdin "xxx\n" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+
+# with keyfile, hash is ignored
+crypt_key ripemd160 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
+crypt_key sha256 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
+crypt_key unknown* 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
+
+# limiting key
+crypt_key sha256:20 256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b4580588000000000000000000000000
+crypt_key sha256:32 256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+
+crypt_key sha256: 256 failpwd "xxx" x
+crypt_key sha256:xx 256 failpwd "xxx" x
+
+# key file, 80 chars
+echo -n -e "0123456789abcdef\n\x01\x00\x03\xff\xff\r\xff\xff\n\r" \
+ "2352j3rkjhadcfasc823rqaw7e1 3dq sdq3d 2dkjqw3h2=====" >$KEY_FILE
+KEY_FILE_HEX="303132333435363738396162636465660a010003ffff0dffff0a0d20323335326a33726b6a686164636661736338323372716177376531203364712073647133"
+
+# ignore hash if keyfile is specified
+crypt_key ripemd160 256 file $KEY_FILE ${KEY_FILE_HEX:0:64}
+crypt_key sha256 256 file $KEY_FILE ${KEY_FILE_HEX:0:64}
+crypt_key sha256 128 file $KEY_FILE ${KEY_FILE_HEX:0:32}
+crypt_key sha256 512 file $KEY_FILE $KEY_FILE_HEX
+
+# stdin can be limited
+crypt_key plain 128 cat /dev/zero 00000000000000000000000000000000 16
+crypt_key plain 128 cat /dev/zero 00000000000000000000000000000000 17
+
+# read key only up to \n
+crypt_key plain 128 cat $KEY_FILE ${KEY_FILE_HEX:0:28}0000 14
+
+# read full key, ignore keyfile length
+crypt_key plain 128 cat- $KEY_FILE ${KEY_FILE_HEX:0:32}
+crypt_key plain 128 cat- $KEY_FILE ${KEY_FILE_HEX:0:32} 14
+
+# but do not ignore hash if keysgfile is "-"
+crypt_key sha256 128 cat- $KEY_FILE f3b827c8a6f159ad8c8ed5bd5ab3f8c5
+crypt_key sha256 128 cat- $KEY_FILE f3b827c8a6f159ad8c8ed5bd5ab3f8c5 0
+crypt_key sha256 128 cat- $KEY_FILE f3b827c8a6f159ad8c8ed5bd5ab3f8c5 80
+crypt_key sha256 128 cat- $KEY_FILE a82c9227cc54c7475620ce85ba1fca1e 14
+crypt_key sha256 128 cat- $KEY_FILE 7df3f4a41a33805596be85c781cac3b4 14 2
+crypt_key sha256 128 cat- $KEY_FILE ebbe65a178e886ddbb778e0a5538db72 40 40
+
+# limiting plain (no hash)
+crypt_key plain 256 pwd "xxxxxxxx" 7878787878787878000000000000000000000000000000000000000000000000
+crypt_key plain:2 256 pwd "xxxxxxxx" 7878000000000000000000000000000000000000000000000000000000000000
+crypt_key plain:9 256 failpwd "xxxxxxxx" x
+
+crypt_key sha256 128 cat $KEY_FILE a82c9227cc54c7475620ce85ba1fca1e 14
+crypt_key sha256:14 128 cat $KEY_FILE a82c9227cc54c7475620ce85ba1f0000 14
+
+crypt_key sha256 128 pwd "0123456789abcdef" 9f9f5111f7b27a781f1f1ddde5ebc2dd 16
+crypt_key sha256 128 pwd "0123456789abcdef" 1be2e452b46d7a0d9656bbb1f768e824 4
+crypt_key sha256 128 pwd "0123" 1be2e452b46d7a0d9656bbb1f768e824 4
+
+cleanup 0
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
new file mode 100755
index 0000000..a3f9e4a
--- /dev/null
+++ b/tests/reencryption-compat-test
@@ -0,0 +1,328 @@
+#!/bin/bash
+
+CRYPTSETUP=../src/cryptsetup
+REENC=../src/cryptsetup-reencrypt
+
+DEV_NAME=reenc9768
+DEV_NAME2=reenc1273
+IMG=reenc-data
+ORIG_IMG=reenc-data-orig
+KEY1=key1
+PWD1="93R4P4pIqAH8"
+PWD2="1cND4319812f"
+PWD3="1-9Qu5Ejfnqv"
+
+MNT_DIR=./mnt_luks
+START_DIR=$(pwd)
+
+function del_scsi_device()
+{
+ rmmod scsi_debug 2>/dev/null
+ sleep 2
+}
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
+ rm -f $IMG $ORIG_IMG $KEY1 >/dev/null 2>&1
+ umount $MNT_DIR > /dev/null 2>&1
+ rmdir $MNT_DIR > /dev/null 2>&1
+ LOOPDEV1=""
+ del_scsi_device
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ echo "FAILED"
+ cd $START_DIR
+ remove_mapping
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ exit 0
+}
+
+function add_scsi_device() {
+ del_scsi_device
+ modprobe scsi_debug $@
+ if [ $? -ne 0 ] ; then
+ echo "This kernel seems to not support proper scsi_debug module, test skipped."
+ exit 0
+ fi
+
+ sleep 2
+ SCSI_DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
+ [ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV."
+}
+
+function open_crypt()
+{
+ if [ -n "$1" ] ; then
+ echo "$1" | $CRYPTSETUP luksOpen $LOOPDEV1 $DEV_NAME || fail
+ else
+ $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV1 $DEV_NAME || fail
+ fi
+}
+
+function wipe_dev() # $1 dev
+{
+ dd if=/dev/zero of=$1 bs=256k >/dev/null 2>&1
+}
+
+function wipe() # $1 pass
+{
+ open_crypt $1
+ wipe_dev /dev/mapper/$DEV_NAME
+ udevadm settle >/dev/null 2>&1
+ $CRYPTSETUP luksClose $DEV_NAME || fail
+}
+
+function prepare() # $1 dev1_siz
+{
+ remove_mapping
+
+ dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1
+ LOOPDEV1=$(losetup -f 2>/dev/null)
+ [ -z "$LOOPDEV1" ] && fail "No free loop device"
+ losetup $LOOPDEV1 $IMG
+
+ if [ ! -e $KEY1 ]; then
+ dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
+ fi
+}
+
+function check_hash_dev() # $1 dev, $2 hash
+{
+ HASH=$(sha256sum $1 | cut -d' ' -f 1)
+ [ $HASH != "$2" ] && fail "HASH differs ($HASH)"
+}
+
+function check_hash() # $1 pwd, $2 hash
+{
+ open_crypt $1
+ check_hash_dev /dev/mapper/$DEV_NAME $2
+ $CRYPTSETUP remove $DEV_NAME || fail
+}
+
+function backup_orig()
+{
+ sync
+ losetup -d $LOOPDEV1
+ cp $IMG $ORIG_IMG
+ losetup $LOOPDEV1 $IMG
+}
+
+function rollback()
+{
+ sync
+ losetup -d $LOOPDEV1
+ cp $ORIG_IMG $IMG
+ losetup $LOOPDEV1 $IMG
+}
+
+function check_slot() #space separeted list of ENABLED key slots
+{
+ local _KS0=DISABLED
+ local _KS1=$_KS0 _KS2=$_KS0 _KS3=$_KS0 _KS4=$_KS0 _KS5=$_KS0 _KS6=$_KS0 _KS7=$_KS0
+ local _tmp
+
+ for _tmp in $*; do
+ eval _KS$_tmp=ENABLED
+ done
+
+ local _out=$($CRYPTSETUP luksDump $LOOPDEV1 | grep -e "Key Slot" | cut -d ' ' -f 4)
+
+ local _i=0
+ for _tmp in $_out; do
+ eval local _orig="\${_KS${_i}}"
+ if [ "$_tmp" != "$_orig" ]; then
+ echo "Keyslot $_i is $_tmp, expected result: $_orig"
+ return 1
+ fi
+ _i=$[_i+1]
+ done
+
+ return 0
+}
+
+function simple_scsi_reenc()
+{
+ echo -n "$1"
+ echo $PWD1 | $CRYPTSETUP luksFormat -i1 $SCSI_DEV || fail
+
+ echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
+ HASH=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
+ $CRYPTSETUP luksClose $DEV_NAME || fail
+
+ echo $PWD1 | $REENC -q -i 1 $SCSI_DEV || fail
+
+ echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
+ check_hash_dev /dev/mapper/$DEV_NAME $HASH
+ $CRYPTSETUP luksClose $DEV_NAME || fail
+}
+
+function mount_and_test() {
+ test -d $MNT_DIR || mkdir -p $MNT_DIR
+ mount $@ $MNT_DIR 2>/dev/null || {
+ echo -n "failed to mount [SKIP]"
+ return 0
+ }
+ rm $MNT_DIR/* 2>/dev/null
+ cd $MNT_DIR
+ echo $PWD2 | $START_DIR/$REENC $LOOPDEV1 -q --use-fsync --use-directio --write-log || return 1
+ cd $START_DIR
+ umount $MNT_DIR
+ echo -n [OK]
+}
+
+function test_logging_tmpfs() {
+ echo -n "[tmpfs]"
+ mount_and_test -t tmpfs none -o size=$[25*1024*1024] || return 1
+ echo
+}
+
+function test_logging() {
+ echo -n "$1:"
+ for img in $(ls img_fs*img.bz2) ; do
+ wipefs -a $SCSI_DEV > /dev/null
+ echo -n "[${img%.img.bz2}]"
+ bzip2 -d -c $img | dd of=$SCSI_DEV >/dev/null 2>&1
+ mount_and_test $SCSI_DEV || return 1
+ done
+ echo
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped."
+which wipefs >/dev/null || skip "Cannot find wipefs, test skipped."
+
+# REENCRYPTION tests
+
+HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c
+HASH2=d85ef2a08aeac2812a648deb875485a6e3848fc3d43ce4aa380937f08199f86b
+HASH3=e4e5749032a5163c45125eccf3e8598ba5ed840df442c97e1d5ad4ad84359605
+HASH4=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74
+
+echo "[1] Reencryption"
+prepare 8192
+echo $PWD1 | $CRYPTSETUP -q luksFormat -s 128 -c aes-cbc-plain -i 1 --align-payload 4096 $LOOPDEV1 || fail
+wipe $PWD1
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q -s 256
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q --use-directio
+check_hash $PWD1 $HASH1
+
+echo "[2] Reencryption with data shift"
+echo $PWD1 | $CRYPTSETUP -q luksFormat -c aes-cbc-essiv:sha256 -s 128 -i 1 --align-payload 2048 $LOOPDEV1 || fail
+wipe $PWD1
+echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 --reduce-device-size 1024S || fail
+check_hash $PWD1 $HASH2
+echo $PWD1 | $REENC $LOOPDEV1 -q -i 1 || fail
+check_hash $PWD1 $HASH2
+
+echo "[3] Reencryption with keyfile"
+echo $PWD1 | $CRYPTSETUP -q luksFormat -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 -i 1 --align-payload 4096 $LOOPDEV1 || fail
+wipe
+check_hash "" $HASH1
+echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $LOOPDEV1 || fail
+$REENC $LOOPDEV1 -d $KEY1 -i 1 -q 2>/dev/null && fail
+$REENC $LOOPDEV1 -d $KEY1 -S 0 -i 1 -q || fail
+check_hash "" $HASH1
+check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+$REENC $LOOPDEV1 -d $KEY1 -i 1 -q || fail
+# FIXME echo $PWD1 | $REENC ...
+
+echo "[4] Encryption of not yet encrypted device"
+# well, movin' zeroes :-)
+OFFSET=2048
+SIZE=$(blockdev --getsz $LOOPDEV1)
+wipe_dev $LOOPDEV1
+dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
+check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
+dmsetup remove $DEV_NAME2 || fail
+echo $PWD1 | $REENC $LOOPDEV1 -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q
+check_hash $PWD1 $HASH3
+
+echo "[5] Reencryption using specific keyslot"
+echo $PWD2 | $CRYPTSETUP -q luksFormat -i 1 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey -i 1 -S 1 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey -i 1 -S 2 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey -i 1 -S 3 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey -i 1 -S 4 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey -i 1 -S 5 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey -i 1 -S 6 $LOOPDEV1 || fail
+echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey -i 1 -S 7 $LOOPDEV1 || fail
+backup_orig
+echo $PWD2 | $REENC -i 1 -S 0 -q $LOOPDEV1 || fail
+check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+wipe $PWD2
+rollback
+echo $PWD1 | $REENC -i 1 -S 1 -q $LOOPDEV1 || fail
+check_slot 1 || fail "Only keyslot 1 expected to be enabled"
+wipe $PWD1
+rollback
+echo $PWD2 | $REENC -i 1 -S 6 -q $LOOPDEV1 || fail
+check_slot 6 || fail "Only keyslot 6 expected to be enabled"
+wipe $PWD2
+rollback
+echo $PWD3 | $REENC -i 1 -S 7 -q $LOOPDEV1 || fail
+check_slot 7 || fail "Only keyslot 7 expected to be enabled"
+wipe $PWD3
+rollback
+
+echo "[6] Reencryption using all active keyslots"
+echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $LOOPDEV1 || fail
+check_slot 0 1 2 3 4 5 6 7 || fail "All keyslots expected to be enabled"
+
+echo "[7] Reencryption of block devices with different block size"
+add_scsi_device sector_size=512 dev_size_mb=8
+simple_scsi_reenc "[512 sector]"
+add_scsi_device sector_size=4096 dev_size_mb=8
+simple_scsi_reenc "[4096 sector]"
+add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8
+simple_scsi_reenc "[4096/512 sector]"
+echo "[OK]"
+
+echo "[8] Header only reencryption (hash and iteration time)"
+echo $PWD1 | $CRYPTSETUP -q luksFormat --hash sha1 $LOOPDEV1 || fail
+wipe $PWD1
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --iter-time 1
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha512
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --iter-time 1
+check_hash $PWD1 $HASH1
+
+echo "[9] Test log I/Os on various underlaying block devices"
+prepare 8192
+echo $PWD2 | $CRYPTSETUP -q luksFormat -i 1 $LOOPDEV1 || fail
+add_scsi_device sector_size=512 dev_size_mb=25
+test_logging "[512 sector]" || fail
+add_scsi_device sector_size=4096 dev_size_mb=25
+test_logging "[4096 sector]" || fail
+add_scsi_device sector_size=512 dev_size_mb=25 physblk_exp=3
+test_logging "[4096/512 sector]" || fail
+test_logging_tmpfs || fail
+
+echo "[10] Removal of encryption"
+prepare 8192
+echo $PWD1 | $CRYPTSETUP -q luksFormat -i 1 $LOOPDEV1 || fail
+wipe $PWD1
+check_hash $PWD1 $HASH1
+echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt
+check_hash_dev $LOOPDEV1 $HASH4
+
+remove_mapping
+exit 0
diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test
new file mode 100755
index 0000000..a181f74
--- /dev/null
+++ b/tests/tcrypt-compat-test
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+# check tcrypt images parsing
+
+CRYPTSETUP=../src/cryptsetup
+TST_DIR=tcrypt-images
+MAP=tctst
+PASSWORD="aaaaaaaaaaaa"
+PASSWORD_HIDDEN="bbbbbbbbbbbb"
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$MAP ] && dmsetup remove $MAP
+ [ -b /dev/mapper/"$MAP"_1 ] && dmsetup remove "$MAP"_1
+ [ -b /dev/mapper/"$MAP"_2 ] && dmsetup remove "$MAP"_2
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ echo " [FAILED]"
+ remove_mapping
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ echo "Test skipped."
+ exit 0
+}
+
+function test_one()
+{
+ $CRYPTSETUP benchmark -c "$1" -s "$2" | grep -v "#" || skip
+}
+
+function test_required()
+{
+ which lsblk >/dev/null 2>&1 || skip "WARNING: lsblk tool required."
+
+ echo "REQUIRED KDF TEST"
+ $CRYPTSETUP benchmark -h ripemd160 | grep "N/A" && skip
+ $CRYPTSETUP benchmark -h whirlpool | grep "N/A" && skip
+
+ echo "REQUIRED CIPHERS TEST"
+ echo "# Algorithm | Key | Encryption | Decryption"
+
+ test_one aes-cbc 256
+ test_one aes-lrw 384
+ test_one aes-xts 512
+
+ test_one twofish-cbc 256
+ test_one twofish-lrw 384
+ test_one twofish-xts 512
+
+ test_one serpent-cbc 256
+ test_one serpent-lrw 384
+ test_one serpent-xts 512
+
+ test_one blowfish-cbc 256
+
+ test_one des3_ede-cbc 192
+ test_one cast5 128
+}
+
+test_required
+export LANG=C
+
+[ ! -d $TST_DIR ] && tar xjf tcrypt-images.tar.bz2 --no-same-owner
+
+echo "HEADER CHECK"
+for file in $(ls $TST_DIR/[tv]c_*) ; do
+ echo -n " $file"
+ echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt $file >/dev/null || fail
+ echo " [OK]"
+done
+
+echo "HEADER CHECK (HIDDEN)"
+for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
+ echo -n " $file (hidden)"
+ echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden --veracrypt $file >/dev/null || fail
+ echo " [OK]"
+done
+
+echo "HEADER KEYFILES CHECK"
+for file in $(ls $TST_DIR/[tv]ck_*) ; do
+ echo -n " $file"
+ echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
+ echo " [OK]"
+done
+
+
+if [ $(id -u) != 0 ]; then
+ echo "WARNING: You must be root to run activation part of test, test skipped."
+ exit 0
+fi
+
+echo "ACTIVATION FS UUID CHECK"
+for file in $(ls $TST_DIR/[tv]c_*) ; do
+ echo -n " $file"
+ out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen --veracrypt -r $file $MAP 2>&1)
+ ret=$?
+ [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
+ [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
+ [ $ret -ne 0 ] && fail
+ $CRYPTSETUP status $MAP >/dev/null || fail
+ $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
+ UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
+ $CRYPTSETUP remove $MAP || fail
+ [ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed."
+ echo " [OK]"
+done
+
+echo "ACTIVATION FS UUID (HIDDEN) CHECK"
+for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
+ echo -n " $file"
+ out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen --veracrypt -r $file $MAP --tcrypt-hidden 2>&1)
+ ret=$?
+ [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
+ [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
+ [ $ret -ne 0 ] && fail
+ UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
+ $CRYPTSETUP remove $MAP || fail
+ [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."
+ echo " [OK]"
+done
diff --git a/tests/tcrypt-images.tar.bz2 b/tests/tcrypt-images.tar.bz2
new file mode 100644
index 0000000..4ca5473
--- /dev/null
+++ b/tests/tcrypt-images.tar.bz2
Binary files differ
diff --git a/tests/valg-api.sh b/tests/valg-api.sh
new file mode 100755
index 0000000..e27a269
--- /dev/null
+++ b/tests/valg-api.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+SUP="--suppressions=./cryptsetup-valg-supps"
+CHILD="--trace-children=no --child-silent-after-fork=yes"
+MALLOC="--malloc-fill=aa"
+FREE="--free-fill=21"
+STACK="--max-stackframe=300000"
+EXTRAS="--read-var-info=yes --show-reachable=yes"
+LOGFILE="--log-file=./valglog.$(date +%s)_${INFOSTRING}"
+LEAKCHECK="--leak-check=full --track-origins=yes"
+
+exec valgrind $SUP $GETSUP $CHILD $MALLOC $FREE $STACK $EXTRAS $LOGFILE $LEAKCHECK "$@"
diff --git a/tests/valg.sh b/tests/valg.sh
new file mode 100755
index 0000000..82a7e06
--- /dev/null
+++ b/tests/valg.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+SUP="--suppressions=./cryptsetup-valg-supps"
+CHILD="--trace-children=yes --child-silent-after-fork=yes"
+MALLOC="--malloc-fill=aa"
+FREE="--free-fill=21"
+STACK="--max-stackframe=300000"
+EXTRAS="--read-var-info=yes --show-reachable=yes"
+LOGFILE="--log-file=./valglog.$(date +%s)_${INFOSTRING}"
+LEAKCHECK="--leak-check=full --track-origins=yes"
+
+exec valgrind $SUP $GETSUP $CHILD $MALLOC $FREE $STACK $EXTRAS $LOGFILE $LEAKCHECK "$@"
diff --git a/tests/valid_header_file.bz2 b/tests/valid_header_file.bz2
new file mode 100644
index 0000000..5a59428
--- /dev/null
+++ b/tests/valid_header_file.bz2
Binary files differ
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
new file mode 100755
index 0000000..ebd253a
--- /dev/null
+++ b/tests/verity-compat-test
@@ -0,0 +1,362 @@
+#!/bin/bash
+
+VERITYSETUP=../src/veritysetup
+
+DEV_NAME=verity3273
+DEV_OUT="$DEV_NAME.out"
+IMG=verity-data
+IMG_HASH=verity-hash
+IMG_TMP=tst-dev
+FEC_DEV=tst_fec123
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME >/dev/null 2>&1
+ [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
+ rm -f $IMG $IMG_HASH $DEV_OUT $FEC_DEV $IMG_TMP >/dev/null 2>&1
+ LOOPDEV1=""
+ LOOPDEV2=""
+}
+
+function fail()
+{
+ [ -n "$1" ] && echo "$1"
+ echo "FAILED"
+ [ -f $DEV_OUT ] && cat $DEV_OUT
+ remove_mapping
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ exit 0
+}
+
+function prepare() # $1 dev1_siz [$2 dev2_size]
+{
+ remove_mapping
+
+ dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1
+ LOOPDEV1=$(losetup -f 2>/dev/null)
+ [ -z "$LOOPDEV1" ] && fail "No free loop device"
+ losetup $LOOPDEV1 $IMG
+
+ [ -z "$2" ] && return
+ LOOPDEV2=$IMG_HASH
+}
+
+function wipe()
+{
+ dd if=/dev/zero of=$LOOPDEV1 bs=256k >/dev/null 2>&1
+ rm -f $IMG_HASH $DEV_OUT >/dev/null 2>&1
+}
+
+function check_exists()
+{
+ [ -b /dev/mapper/$DEV_NAME ] || fail
+}
+
+function check_version()
+{
+ VER_STR=$(dmsetup targets | grep verity | cut -f 3 -dv)
+ VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+ VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+
+ # option supported in 1.3
+ test $VER_MAJ -gt 1 && return 0
+ test $VER_MIN -ge 3 && return 0
+ return 1
+}
+
+function compare_out() # $1 what, $2 expected
+{
+ OPT=$(grep -v "^#" $DEV_OUT | grep -i "$1" | sed -e s/.*\:\ // )
+ [ -z "$OPT" ] && fail
+ [ $OPT != $2 ] && fail "$1 differs ($2)"
+}
+
+function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
+{
+ if [ -z "$LOOPDEV2" ] ; then
+ BLOCKS=$(($6 / $1))
+ DEV_PARAMS="$LOOPDEV1 $LOOPDEV1 \
+ --hash-offset $6 \
+ --data-blocks=$BLOCKS --debug"
+ else
+ DEV_PARAMS="$LOOPDEV1 $LOOPDEV2"
+ fi
+
+ for sb in yes no; do
+ FORMAT_PARAMS="--format=$4 --data-block-size=$1 --hash-block-size=$1 --hash=$5 --salt=$3"
+ if [ $sb == yes ] ; then
+ VERIFY_PARAMS=""
+ else
+ FORMAT_PARAMS="$FORMAT_PARAMS --no-superblock"
+ VERIFY_PARAMS=$FORMAT_PARAMS
+ fi
+
+ for fail in data hash; do
+ wipe
+ echo -n "V$4(sb=$sb) $5 block size $1: "
+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
+
+ echo -n "[root hash]"
+ compare_out "root hash" $2
+ compare_out "salt" "$3"
+
+ $VERITYSETUP verify $DEV_PARAMS $VERIFY_PARAMS $2 >>$DEV_OUT 2>&1 || fail
+ echo -n "[verify]"
+
+ $VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $2 >>$DEV_OUT 2>&1 || fail
+ check_exists
+ echo -n "[activate]"
+
+ dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
+ dmsetup status $DEV_NAME | grep "verity V" >/dev/null || fail
+ echo -n "[in-kernel verify]"
+
+ $VERITYSETUP remove $DEV_NAME >/dev/null 2>&1 || fail
+
+ case $fail in
+ data)
+ dd if=/dev/urandom of=$LOOPDEV1 bs=1 seek=3456 count=8 conv=notrunc 2>/dev/null
+ TXT="data_dev"
+ ;;
+ hash)
+ if [ -z "$LOOPDEV2" ] ; then
+ dd if=/dev/urandom of=$LOOPDEV1 bs=1 seek=$((8193 + $4)) count=8 conv=notrunc 2>/dev/null
+ else
+ dd if=/dev/urandom of=$LOOPDEV2 bs=1 seek=8193 count=8 conv=notrunc 2>/dev/null
+ fi
+ TXT="hash_dev"
+ ;;
+ esac
+
+ $VERITYSETUP verify $DEV_PARAMS $VERIFY_PARAMS $2 >>$DEV_OUT 2>&1 && \
+ fail "userspace check for $TXT corruption"
+ $VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $2 >>$DEV_OUT 2>&1 || \
+ fail "activation"
+ dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
+ dmsetup status $DEV_NAME | grep "verity V" >/dev/null && \
+ fail "in-kernel check for $TXT corruption"
+ $VERITYSETUP remove $DEV_NAME >/dev/null 2>&1 || fail "deactivation"
+ echo "[$TXT corruption]"
+ done
+ done
+}
+
+function corrupt_device() # $1 device, $2 device_size(in bytes), $3 #{corrupted_bytes}
+{
+ ARR=(`seq 0 $(($2 - 1)) | shuf`)
+ CORRUPT=$3
+
+ while [ "$CORRUPT" -gt 0 ]; do
+ echo "1" | dd of=$1 bs=1 count=1 seek=${ARR[$CORRUPT]} conv=notrunc > /dev/null 2>&1
+ CORRUPT=$(($CORRUPT - 1))
+ done
+}
+
+# $1 data_device, $2 hash_device, $3 fec_device, $4 data/hash_block_size(in bytes),
+# $5 data_size(in blocks), $6 device_size(in blocks), $7 hash_offset(in bytes),
+# $8 fec_offset(in bytes), $9 fec_roots, ${10} corrupted_bytes, [${11} superblock(y/n), ${12} salt]
+function check_fec()
+{
+ INDEX=25
+ dd if=/dev/zero of=$1 bs=$4 count=$6 > /dev/null 2>&1
+
+ echo -n "Block_size: $4, Data_size: $(($4 * $5))B, FEC_roots: $9, Corrupted_bytes: ${10} "
+
+ PARAMS=" --data-block-size=$4 --hash-block-size=$4 "
+ if [ "$5" -ne "$6" ]; then
+ PARAMS="$PARAMS --data-blocks=$5"
+ fi
+
+ if [ "$7" -ne 0 ]; then
+ PARAMS="$PARAMS --hash-offset=$7"
+ fi
+
+ if [ "$8" -ne 0 ]; then
+ PARAMS="$PARAMS --fec-offset=$8"
+ fi
+
+ if [ "${11}" == "n" ]; then
+ INDEX=24
+ echo -n "[no-superblock]"
+ PARAMS="$PARAMS --no-superblock -s=${12}"
+ elif [ -n "${12}" ]; then
+ PARAMS="$PARAMS -s=${12}"
+ fi
+
+ if [[ "$1" == "$2" && "$1" == "$3" ]]; then
+ echo -n "[one_device_test]"
+ dd if=/dev/zero of=$IMG_TMP bs=$4 count=$5 > /dev/null 2>&1
+ ARR=(`sha256sum $IMG_TMP`)
+ HASH_ORIG=${ARR[0]}
+ else
+ ARR=(`sha256sum $1`)
+ HASH_ORIG=${ARR[0]}
+ fi
+
+ ARR=(`$VERITYSETUP format $1 $2 --fec-device=$3 $PARAMS`)
+ SALT=${ARR[$INDEX]}
+ ROOT_HASH=${ARR[$(($INDEX+3))]}
+
+ corrupt_device $1 $(($5 * $4)) ${10}
+
+ $VERITYSETUP create $DEV_NAME $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS > /dev/null 2>&1
+ if [ "$?" -ne "0" ] ; then
+ echo "[N/A, test skipped]"
+ return 3
+ fi
+
+ udevadm settle
+
+ dd if=/dev/mapper/$DEV_NAME of=$IMG_TMP > /dev/null 2>&1
+ ARR=(`sha256sum $IMG_TMP`)
+
+ HASH_REPAIRED=${ARR[0]}
+
+ $VERITYSETUP remove $DEV_NAME
+ rm $1 $2 $3 $IMG_TMP > /dev/null 2>&1
+
+ if [ "$HASH_ORIG" != "$HASH_REPAIRED" ]; then
+ echo -n "[correction failed]"
+ return 1
+ fi
+
+ echo "[file was repaired][OK]"
+}
+
+function check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 CLI option, $7 status option
+{
+ DEV_PARAMS="$LOOPDEV1 $LOOPDEV2"
+ FORMAT_PARAMS="--format=$4 --data-block-size=$1 --hash-block-size=$1 --hash=$5 --salt=$3"
+
+ echo -n "Option $6 "
+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >/dev/null 2>&1 || fail
+ $VERITYSETUP create $DEV_NAME $DEV_PARAMS $2 $6 >/dev/null 2>&1 || fail
+ check_exists
+ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep flags | grep -q $7 || fail
+ dmsetup table $DEV_NAME 2>/dev/null | grep -q $7 || fail
+ $VERITYSETUP remove $DEV_NAME >/dev/null 2>&1 || fail
+ echo "[OK]"
+}
+
+function valgrind_setup()
+{
+ which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
+ [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+ #export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+}
+
+function valgrind_run()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${VERITYSETUP} "$@"
+}
+
+function checkOffsetBug() # $1 size, $2 hash-offset, $3 data-blocks
+{
+ echo -n "Size :: $1 B | Hash-offset :: $2 blocks | Data-blocks :: $3 "
+ dd if=/dev/zero of=$IMG bs=1 count=0 seek=$1 >/dev/null 2>&1
+ $VERITYSETUP --data-blocks=$3 --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 || fail "Test [hash-offset greater than 2G] failed"
+ echo "[OK]"
+ remove_mapping
+}
+
+function checkOverlapBug() # $1 size, $2 hash-offset, $3 data-blocks
+{
+ echo -n "Size :: $1 B | Hash-offset :: $2 blocks | "
+
+ dd if=/dev/zero of=$IMG bs=1 count=0 seek=$1 >/dev/null 2>&1
+ if [ -z $3 ] ; then
+ # veritysetup must fail
+ $VERITYSETUP --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 && fail "Test [overlap with option \"--data-blocks\" not entered] failed"
+ else
+ $VERITYSETUP --data-blocks=$3 --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 || fail "Test [overlap with option \"--data-blocks\" entered] failed"
+ RET=$?
+ [ "$3" -gt "$(($2 / 4096))" ] && [ "$RET" -eq "0" ] && fail "Test [overlap - hash-offset in data area] failed"
+ fi
+ echo "[OK]"
+ remove_mapping
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+[ ! -x "$VERITYSETUP" ] && skip "Cannot find $VERITYSETUP, test skipped."
+
+[ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
+modprobe dm-verity >/dev/null 2>&1
+dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
+
+# VERITYSETUP tests
+
+SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
+
+echo "Verity tests [separate devices]"
+prepare 8192 1024
+check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256
+check_root_hash 1024 54d92778750495d1f80832b486ebd007617d746271511bbf0e295e143da2b3df $SALT 1 sha256
+check_root_hash 4096 e522df0f97da4febb882ac40f30b37dc0b444bf6df418929463fa25280f09d5c $SALT 1 sha256
+# version 0
+check_root_hash 4096 cbbf4ebd004ef65e29b935bb635a39cf754d677f3fa10b0126da725bbdf10f7d $SALT 0 sha256
+# no salt
+check_root_hash 4096 ef29c902d87350f1da4bfa536e16cebc162a909bf89abe448b81ec500d4fb9bf - 1 sha256
+# sha1
+check_root_hash 1024 d0e9163ca8844aaa2e88fe5265a8c5d9ee494a99 $SALT 1 sha1
+check_root_hash 1024 73509e8e868be6b8ac939817a98a3d35121413b2 dadada 1 sha1
+
+echo "Verity tests [one device offset]"
+prepare $((8192 + 1024))
+check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256 8388608
+check_root_hash 1024 54d92778750495d1f80832b486ebd007617d746271511bbf0e295e143da2b3df $SALT 1 sha256 8388608
+check_root_hash 4096 e522df0f97da4febb882ac40f30b37dc0b444bf6df418929463fa25280f09d5c $SALT 1 sha256 8388608
+# version 0
+check_root_hash 4096 cbbf4ebd004ef65e29b935bb635a39cf754d677f3fa10b0126da725bbdf10f7d $SALT 0 sha256 8388608
+# no salt
+check_root_hash 4096 ef29c902d87350f1da4bfa536e16cebc162a909bf89abe448b81ec500d4fb9bf - 1 sha256 8388608
+# sha1
+check_root_hash 1024 d0e9163ca8844aaa2e88fe5265a8c5d9ee494a99 $SALT 1 sha1 8388608
+check_root_hash 1024 73509e8e868be6b8ac939817a98a3d35121413b2 dadada 1 sha1 8388608
+
+if check_version ; then
+ echo "Verity data corruption options test."
+ SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
+ HASH=9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174
+ prepare 8192 1024
+ check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption" "ignore_corruption"
+ check_option 512 $HASH $SALT 1 sha256 "--restart-on-corruption" "restart_on_corruption"
+ check_option 512 $HASH $SALT 1 sha256 "--ignore-zero-blocks" "ignore_zero_blocks"
+ check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption --ignore-zero-blocks" "ignore_corruption"
+fi
+
+echo "Veritysetup [hash-offset bigger than 2G works] "
+checkOffsetBug 3000000000 2499997696 256
+checkOffsetBug 10000000000 8000000000 128
+
+echo "Veritysetup [overlap-detection] "
+checkOverlapBug 2097152 1433600
+checkOverlapBug 2097152 1433600 350
+
+if check_version ; then
+ echo "Veritysetup [FEC tests]"
+ command -v shuf >/dev/null 2>&1 || skip "WARNING: shuf tool required."
+
+ for INDEX in {1..4}; do
+ # in the first iteration check if we can usae FEC (it can be compiled-out)
+ (check_fec $IMG $IMG $IMG 4096 30 150 163840 409600 $(($RANDOM % 23 + 2)) $(($INDEX * 4)) )
+ RET=$?
+ [ "$RET" -eq "3" ] && break
+ [ "$RET" -eq "0" ] || fail "FEC repair failed"
+
+ (check_fec $IMG $IMG_HASH $FEC_DEV 4096 30 30 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4)) 'n' $SALT) || fail "FEC repair failed"
+ (check_fec $IMG $IMG_HASH $FEC_DEV 4096 35 35 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4))) || fail "FEC repair failed"
+ (check_fec $IMG $IMG_HASH $FEC_DEV 512 2000 2000 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4))) || fail "FEC repair failed"
+ (check_fec $IMG $IMG_HASH $FEC_DEV 1024 2000 2000 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4))) || fail "FEC repair failed"
+ # this test should fail
+ (check_fec $IMG $IMG_HASH $FEC_DEV 4096 30 30 0 0 $(($RANDOM % 23 + 2)) $(($RANDOM % 200 + 200))) && fail "FEC repair must fail"
+ echo "[OK]"
+ done
+fi
+
+remove_mapping
+exit 0
