From mboxrd@z Thu Jan 1 00:00:00 1970
From: Milan Broz
Message-ID: <85c98a26-f67a-21bd-76a6-1ed9ce48b5fa@gmail.com>
Date: Tue, 29 Aug 2017 12:19:27 +0200
Subject: Re: [dm-crypt] luksSuspend for plain dm-crypt
To: dm-crypt@stachelkaktus.net, "dm-crypt@saout.de"

On 08/29/2017 11:37 AM, dm-crypt@stachelkaktus.net wrote:
> I'd like to emulate the functionality of luksSuspend for a plain
> dm-crypt device. I've got lost in the device mapper functions and it
> would be great if somebody can give me a hand.

Hi,

it is quite easy with dmsetup, but unlike LUKS, there is no way to
check that the reinstated key is correct (you can resume the target with
a different key and cause severe data corruption - that's why we do not
support it in cryptsetup).

So, if you want to suspend a plain dm-crypt device with name "test":

- You need the volume key; you can get it from the kernel for an active device

  # dmsetup table test --showkeys | cut -d' ' -f 5

- Suspend and wipe key is a two-step process now:

  # dmsetup suspend test
  # dmsetup message test 0 key wipe

Now you have a suspended device with key(s) wiped from memory (like luksSuspend).

Reinstating the key can be done in reverse:

  # dmsetup message test 0 key set <key>
  # dmsetup resume test

(This is the equivalent of luksResume.)

The message command is not accepted if the device is not suspended.
(Suspended means that all IO operations are queued - beware of suspending
the device you run the command from, it will cause a deadlock!)

Note that in the future we will optionally support activation through the
kernel keyring, so you will put the key there, not to dmsetup.

Milan
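
The suspend and resume steps from the message above, wrapped in shell functions that record a SHA-256 fingerprint of the key before wiping it and refuse to set a key that does not match, since dm-crypt cannot check a reinstated plain-mode key. This is an added example, not part of the original message or of cryptsetup; the function names, `FP_DIR` and the fingerprint file are assumptions of the example. The fingerprint lets anyone who can read it test key guesses, so it is kept in a root-only tmpfs directory.

```shell
#!/bin/sh
# Added example: suspend/resume helpers for a plain dm-crypt mapping with a
# key-fingerprint check before the key is reinstated.
# FP_DIR is an assumed location; it must be root-only and must NOT live on
# the device being suspended (all I/O to that device is queued).
FP_DIR="${FP_DIR:-/run/plain-suspend}"

# Field 5 of a single-target crypt table line is the key:
#   start length crypt cipher KEY iv_offset device offset
key_from_table() {
    dmsetup table "$1" --showkeys | cut -d' ' -f 5
}

# SHA-256 fingerprint of the key string read from stdin.
key_fingerprint() {
    sha256sum | cut -d' ' -f 1
}

# Record the fingerprint, then suspend and wipe (the two steps from the mail).
plain_suspend() {
    name=$1
    key=$(key_from_table "$name") || return 1
    case $key in
        # empty, or a ":size:type:desc" keyring reference instead of raw hex
        ''|:*) echo "no raw key shown for $name" >&2; return 1 ;;
    esac
    mkdir -p "$FP_DIR" && chmod 700 "$FP_DIR" || return 1
    printf '%s' "$key" | key_fingerprint > "$FP_DIR/$name.fp" || return 1
    unset key
    dmsetup suspend "$name" && dmsetup message "$name" 0 key wipe
}

# Refuse to set a key whose fingerprint differs from the recorded one;
# a wrong key here would corrupt data as soon as queued writes are flushed.
plain_resume() {
    name=$1 key=$2
    want=$(cat "$FP_DIR/$name.fp") || return 1
    got=$(printf '%s' "$key" | key_fingerprint)
    if [ "$got" != "$want" ]; then
        echo "key mismatch for $name, device left suspended" >&2
        return 2
    fi
    dmsetup message "$name" 0 key set "$key" && dmsetup resume "$name" &&
        rm -f "$FP_DIR/$name.fp"
}
```

As in the original commands, the key is passed as a `dmsetup` argument, so it is visible in the process list while the command runs.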