def _create(self, **kwargs): log_method_call(self, device=self.device, type=self.type, status=self.status) super(LUKS, self)._create(**kwargs) # set up the event sync if not self.pbkdf_args and self.luks_version == "luks2": if luks_data.pbkdf_args: self.pbkdf_args = luks_data.pbkdf_args else: mem_limit = crypto.calculate_luks2_max_memory() if mem_limit: self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB))) luks_data.pbkdf_args = self.pbkdf_args log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit) if self.pbkdf_args: pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type, hash=None, max_memory_kb=self.pbkdf_args.max_memory_kb, iterations=self.pbkdf_args.iterations, time_ms=self.pbkdf_args.time_ms) extra = blockdev.CryptoLUKSExtra(pbkdf=pbkdf) else: extra = None blockdev.crypto.luks_format(self.device, passphrase=self.__passphrase, key_file=self._key_file, cipher=self.cipher, key_size=self.key_size, min_entropy=self.min_luks_entropy, luks_version=crypto.LUKS_VERSIONS[self.luks_version], extra=extra)
def test_luks2_format(self): """Verify that formating device as LUKS 2 works""" # no passphrase nor keyfile with self.assertRaises(GLib.GError): BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0) # the simple case with password succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0) self.assertTrue(succ) # create with a keyfile succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0) self.assertTrue(succ) # the simple case with password blob succ = BlockDev.crypto_luks_format_blob(self.loop_dev, "aes-cbc-essiv:sha256", 0, [ord(c) for c in PASSWD], 0) self.assertTrue(succ) # simple case with extra options extra = BlockDev.CryptoLUKSExtra(label="blockdevLUKS") succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra) self.assertTrue(succ) _ret, label, _err = run_command("lsblk -oLABEL -n %s" % self.loop_dev) self.assertEqual(label, "blockdevLUKS") # different key derivation function pbkdf = BlockDev.CryptoLUKSPBKDF(type="pbkdf2") extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf) succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra) self.assertTrue(succ) _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev) m = re.search(r"PBKDF:\s*(\S+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) self.assertEqual(m.group(1), "pbkdf2") # different options for argon2 -- all parameters set pbkdf = BlockDev.CryptoLUKSPBKDF(type="argon2id", max_memory_kb=100 * 1024, iterations=10, parallel_threads=1) extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf) succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra) self.assertTrue(succ) _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev) m = re.search(r"PBKDF:\s*(\S+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) self.assertEqual(m.group(1), "argon2id") m = re.search(r"Memory:\s*(\d+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) # both iterations and memory is set --> cryptsetup will use exactly max_memory_kb self.assertEqual(int(m.group(1)), 100 * 1024) m = re.search(r"Threads:\s*(\d+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) self.assertEqual(int(m.group(1)), 1) m = re.search(r"Time cost:\s*(\d+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) self.assertEqual(int(m.group(1)), 10) # different options for argon2 -- only memory set pbkdf = BlockDev.CryptoLUKSPBKDF(max_memory_kb=100 * 1024) extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf) succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra) self.assertTrue(succ) _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev) m = re.search(r"Memory:\s*(\d+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) # only memory is set -> cryptsetup will run a benchmark and use # at most max_memory_kb self.assertLessEqual(int(m.group(1)), 100 * 1024) # different options for argon2 -- only miterations set pbkdf = BlockDev.CryptoLUKSPBKDF(iterations=5) extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf) succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra) self.assertTrue(succ) _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev) m = re.search(r"Time cost:\s*(\d+)\s*", out) if not m or len(m.groups()) != 1: self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) self.assertEqual(int(m.group(1)), 5)