Opening a plain encrypted partition with libcryptsetup

Time: 2019-01-27 16:48:14

Tags: encryption

I have a deployed kiosk system that mounts an encrypted partition at boot using cryptsetup and a key file on disk:

cryptsetup open --type plain --key-file /root/key.bin /dev/sda3 sda3

This produces a /dev/mapper/sda3 device, which can then be mounted for data access.

I want to move the key onto a smart card and would like to use libcryptsetup to open the partition so that the key is not exposed on the command line. Unfortunately, the only example given in the cryptsetup source is for LUKS.

I tried to reverse-engineer the cryptsetup source to get the right library calls, but got frustrated by the complexity of the options.

Are there examples from other projects that use the library for plain encryption, or is there perhaps a skeleton of the library calls needed to replicate what the command-line invocation does?

1 answer:

Answer 0 (score: 0)

The basic sequence of library calls needed to replicate the command-line operation of opening an encrypted partition with the cryptsetup library is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <inttypes.h>
#include <sys/types.h>
#include <libcryptsetup.h>

int activate_and_check_status(const char *path, const char *device_name)
{
        struct crypt_device *cd;
        struct crypt_active_device cad;
        int r;
        /*
         * LUKS device activation example.
         * It's sequence of sub-steps: device initialization, LUKS header load
         * and the device activation itself.
         */
        r = crypt_init(&cd, path);
        if (r < 0) {
                printf("crypt_init() failed for %s.\n", path);
                return r;
        }
        /*
         * crypt_load() is used to load the LUKS header from block device
         * into crypt_device context.
         */
        r = crypt_load(cd,              /* crypt context */
                       CRYPT_LUKS1,     /* requested type */
                       NULL);           /* additional parameters (not used) */
        if (r < 0) {
                printf("crypt_load() failed on device %s.\n", crypt_get_device_name(cd));
                crypt_free(cd);
                return r;
        }
        /*
         * Device activation creates a device-mapper device mapping with name device_name.
         */
        r = crypt_activate_by_passphrase(cd,            /* crypt context */
                                         device_name,   /* device name to activate */
                                         CRYPT_ANY_SLOT,/* which slot use (ANY - try all) */
                                         "foo", 3,      /* passphrase */
                                         CRYPT_ACTIVATE_READONLY); /* flags */
        if (r < 0) {
                printf("Device %s activation failed.\n", device_name);
                crypt_free(cd);
                return r;
        }
        printf("LUKS device %s/%s is active.\n", crypt_get_dir(), device_name);
        printf("\tcipher used: %s\n", crypt_get_cipher(cd));
        printf("\tcipher mode: %s\n", crypt_get_cipher_mode(cd));
        printf("\tdevice UUID: %s\n", crypt_get_uuid(cd));
        /*
         * Get info about active device (query DM backend)
         */
        r = crypt_get_active_device(cd, device_name, &cad);
        if (r < 0) {
                printf("Get info about active device %s failed.\n", device_name);
                crypt_deactivate(cd, device_name);
                crypt_free(cd);
                return r;
        }
        printf("Active device parameters for %s:\n"
                "\tDevice offset (in sectors): %" PRIu64 "\n"
                "\tIV offset (in sectors)    : %" PRIu64 "\n"
                "\tdevice size (in sectors)  : %" PRIu64 "\n"
                "\tread-only flag            : %s\n",
                device_name, cad.offset, cad.iv_offset, cad.size,
                cad.flags & CRYPT_ACTIVATE_READONLY ? "1" : "0");
        crypt_free(cd);
        return 0;
}

The following link provides the API reference for the LUKS format, including cryptsetup's open, activate and deactivate functions: cryptsetup API