7 #include "libbcachefs/checksum.h"
9 #include "libbcachefs.h"
10 #include "tools-util.h"
12 static void unlock_usage(void)
14 puts("bcachefs unlock - unlock an encrypted filesystem so it can be mounted\n"
15 "Usage: bcachefs unlock [OPTION] device\n"
18 " -c Check if a device is encrypted\n"
19 " -k (session|user|user_session)\n"
20 " Keyring to add to (default: user)\n"
21 " -f Keyfile to read from (disables password prompt)\n"
22 " -h Display this help and exit\n"
23 "Report bugs to <linux-bcachefs@vger.kernel.org>");
26 int cmd_unlock(int argc, char *argv[])
28 const char *keyring = "user";
30 const char *key_file_path = NULL;
31 char *passphrase = NULL;
35 while ((opt = getopt(argc, argv, "cf:k:h")) != -1)
41 keyring = strdup(optarg);
44 key_file_path = strdup(optarg);
52 char *dev = arg_pop();
54 die("Please supply a device");
57 die("Too many arguments");
59 struct bch_opts opts = bch2_opts_empty();
61 opt_set(opts, noexcl, true);
62 opt_set(opts, nochanges, true);
64 struct bch_sb_handle sb;
65 int ret = bch2_read_super(dev, &opts, &sb);
67 die("Error opening %s: %s", dev, bch2_err_str(ret));
69 if (!bch2_sb_is_encrypted(sb.sb))
70 die("%s is not encrypted", dev);
75 passphrase = read_file_str(AT_FDCWD, key_file_path);
77 passphrase = read_passphrase("Enter passphrase: ");
80 bch2_add_key(sb.sb, "user", keyring, passphrase);
83 memzero_explicit(passphrase, strlen(passphrase));
88 int cmd_set_passphrase(int argc, char *argv[])
90 struct bch_opts opts = bch2_opts_empty();
94 die("Please supply one or more devices");
96 opt_set(opts, nostart, true);
99 * we use bch2_fs_open() here, instead of just reading the superblock,
100 * to make sure we're opening and updating every component device:
103 c = bch2_fs_open(argv + 1, argc - 1, opts);
105 die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c)));
107 struct bch_sb_field_crypt *crypt = bch2_sb_field_get(c->disk_sb.sb, crypt);
109 die("Filesystem does not have encryption enabled");
111 struct bch_encrypted_key new_key;
112 new_key.magic = BCH_KEY_MAGIC;
114 int ret = bch2_decrypt_sb_key(c, crypt, &new_key.key);
116 die("Error getting current key");
118 char *new_passphrase = read_passphrase_twice("Enter new passphrase: ");
119 struct bch_key passphrase_key = derive_passphrase(crypt, new_passphrase);
121 if (bch2_chacha_encrypt_key(&passphrase_key, __bch2_sb_key_nonce(c->disk_sb.sb),
122 &new_key, sizeof(new_key)))
123 die("error encrypting key");
124 crypt->key = new_key;
126 bch2_revoke_key(c->disk_sb.sb);
132 int cmd_remove_passphrase(int argc, char *argv[])
134 struct bch_opts opts = bch2_opts_empty();
138 die("Please supply one or more devices");
140 opt_set(opts, nostart, true);
141 c = bch2_fs_open(argv + 1, argc - 1, opts);
143 die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c)));
145 struct bch_sb_field_crypt *crypt = bch2_sb_field_get(c->disk_sb.sb, crypt);
147 die("Filesystem does not have encryption enabled");
149 struct bch_encrypted_key new_key;
150 new_key.magic = BCH_KEY_MAGIC;
152 int ret = bch2_decrypt_sb_key(c, crypt, &new_key.key);
154 die("Error getting current key");
156 crypt->key = new_key;