14 files changed, 945 insertions, 0 deletions
diff --git a/debian/scripts/cryptdisks_start b/debian/scripts/cryptdisks_start
new file mode 100644
index 0000000..623423f
--- /dev/null
+++ b/debian/scripts/cryptdisks_start
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# cryptdisks_start - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code and (c) 2007 Jon Dowland <jon@alcopop.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+FORCE_START="yes"
+
+usage() {
+    local rv="${1:-1}"
+    echo "Usage: $0 [-r|--readonly] <name> [.. <name>]" >&2
+    echo >&2
+    echo "reads $TABFILE and starts the mapping corresponding to <name>" >&2
+    exit $rv
+}
+
+CRYPTTAB_EXTRA_OPTIONS=
+while [ $# -gt 0 ]; do
+    case "$1" in
+        -r|--readonly) CRYPTTAB_EXTRA_OPTIONS="${CRYPTTAB_EXTRA_OPTIONS:+$CRYPTTAB_EXTRA_OPTIONS,}readonly";;
+        -h|--help|-\?) usage 0;;
+        --) shift; break;;
+        -*) echo "Error: unknown option '$1'" >&2; usage 1;;
+        *) break;;
+    esac
+    shift
+done
+[ $# -gt 0 ] || usage 1
+
+if [ $(id -u) -ne 0 ]; then
+    log_warning_msg "$0 needs root privileges"
+    exit 1
+fi
+
+log_action_begin_msg "Starting crypto disk"
+mount_fs
+
+rv=0
+for name in "$@"; do
+    if ! crypttab_find_entry --quiet "$name"; then
+        device_msg "$name" "failed, not found in crypttab"
+        rv=1
+    else
+        if [ -n "$CRYPTTAB_EXTRA_OPTIONS" ]; then
+            CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+            _CRYPTTAB_OPTIONS="$_CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+        fi
+        setup_mapping || rv=$?
+    fi
+done
+umount_fs
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/cryptdisks_stop b/debian/scripts/cryptdisks_stop
new file mode 100644
index 0000000..ea0faaf
--- /dev/null
+++ b/debian/scripts/cryptdisks_stop
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# cryptdisks_stop - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code stolen from cryptdisks_start by Jon Dowland <jon@alcopop.org>
+# Copyright (C) 2008 by Jonas Meurer <jonas@freesources.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "usage: $0 <name>" >&2
+    echo >&2
+    echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2
+    exit 1
+fi
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+
+if [ $(id -u) -ne 0 ]; then
+    log_warning_msg "$0 needs root privileges"
+    exit 1
+fi
+
+log_action_begin_msg "Stopping crypto disk"
+
+rv=0
+for name in "$@"; do
+    remove_mapping "$name" || rv=$?
+done
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..864e049
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+    echo "$0: must be executed with a crypto device as argument" >&2
+    exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+    if [ "${keys#:}" = "$keys" ]; then
+        printf '%s' "$keys" | tr -d '\n'
+    else
+        echo "$0: device $1 uses the kernel keyring"
+    fi
+elif [ $count -eq 0 ]; then
+    echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+    echo "$0: more than one device match" >&2
+fi
+exit 1
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
new file mode 100644
index 0000000..18ab575
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+decrypt_gpg () {
+	echo "Performing GPG symmetric decryption ..." >&2
+	if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
+		/usr/bin/gpg -q --batch --no-options  \
+		--no-random-seed-file --no-default-keyring \
+		--keyring /dev/null --secret-keyring /dev/null \
+		--trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
+		return 1
+	fi
+	return 0
+}
+
+if [ ! -x /usr/bin/gpg ]; then
+	echo "$0: /usr/bin/gpg is not available" >&2
+	exit 1
+fi
+
+if [ -z "$1" ]; then
+	echo "$0: missing key as argument" >&2
+	exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc
new file mode 100755
index 0000000..84eb62c
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg-sc
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+if [ -d "/cryptroot/gnupghome" ]; then
+    export GNUPGHOME="/cryptroot/gnupghome"
+fi
+
+run_gpg() {
+    gpg --no-options --trust-model=always "$@"
+}
+decrypt_gpg () {
+    local console _
+    if ! GPG_TTY="$(tty)"; then
+        read console _ </proc/consoles
+        GPG_TTY="/dev/$console"
+    fi
+    export GPG_TTY
+
+    if ! run_gpg --decrypt -- "$1"; then
+        return 1
+    fi
+    return 0
+}
+
+# `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's
+# harder to retrieve the return code
+if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then
+    echo "Please insert OpenPGP SmartCard..." >&2
+    until run_gpg --batch --quiet --no-tty --card-status; do
+        sleep 1
+    done >/dev/null 2>&1
+fi
+
+if [ ! -x /usr/bin/gpg ]; then
+    echo "$0: /usr/bin/gpg is not available" >&2
+    exit 1
+fi
+
+if [ -z "$1" ] || [ ! -f "$1" ]; then
+    echo "$0: missing key as argument" >&2
+    exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+#  Allows to cache passwords for cryptdevices for 60s
+#  The same password is used for for cryptdevices with the same identifier.
+#  The keyfile parameter, which is the third field from /etc/crypttab, is
+#  used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1   /dev/sda1    test_pw         luks,keyscript=decrypt_keyctl
+# test2   /dev/sda2    test_pw         luks,keyscript=decrypt_keyctl
+# test3   /dev/sda3    test_other_pw   luks,keyscript=decrypt_keyctl
+#
+#  test1 and test2 have the same identifier thus test2 does not need a password
+#  typed in manually
+
+die()
+{
+    echo "$@" >&2
+    exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+    # store the passphrase in the key name used by systemd-ask-password
+    ID_="cryptsetup"
+else
+    # the keyfile given from crypttab is used as identifier in the keyring
+    # including the prefix "cryptsetup:"
+    ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+        [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+    # key not found or wrong, ask the user
+    KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+    if [ -n "$KID_" ]; then
+        # I have cached wrong password and now i may use either `keyctl update`
+        # to update $KID_ or just unlink old key, and add new. With `update` i
+        # may hit "Key has expired", though. So i'll go "unlink and add" way.
+        keyctl unlink "$KID_" @u
+        KID_=""
+    fi
+    KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+    [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+    if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+        keyctl unlink "$KID_" @u
+        die "Error setting timeout on key ($KID_), removing"
+    fi
+else
+    echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_"
diff --git a/debian/scripts/decrypt_opensc b/debian/scripts/decrypt_opensc
new file mode 100644
index 0000000..b06fc98
--- /dev/null
+++ b/debian/scripts/decrypt_opensc
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
+# Well openct daemon has to be running which interferes with pcscd since both
+# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
+# work with the CCID driver in openct, however it does work with pcscd.
+
+# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
+# Although opensc-tool --help reports that there is a --wait option, it doesn't
+# seem to be implemented.
+
+check_card() {
+    cardfound=0
+
+    if /usr/bin/opensc-tool -n >/dev/null 2>&1; then
+        cardfound=1
+    fi
+}
+
+wait_card() {
+    check_card
+    if [ $cardfound = 0 ] ; then
+        echo "Waiting for Smart Card..." >&2
+        tries=0
+        while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do
+            sleep 1
+            check_card
+            tries=$(($tries + 1))
+        done
+        if [ $cardfound = 0 ] ; then
+            echo 'Failed to find Smart Card card!' >&2
+            exit 1
+        fi
+    fi
+}
+
+wait_card
+if [ -x /bin/plymouth ] && plymouth --ping; then
+	# Get pin number from plymouth
+	/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
+		--pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+else
+	# Get pin number from console
+	/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console
+fi
+exit $?
diff --git a/debian/scripts/decrypt_ssl b/debian/scripts/decrypt_ssl
new file mode 100644
index 0000000..6664001
--- /dev/null
+++ b/debian/scripts/decrypt_ssl
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Script to decrypt the key which is encrypted with openssl.
+# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key.
+#
+
+decrypt_ssl () {
+	echo "" >&2
+	echo "Decrypting ssl key $1..." >&2
+	if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then
+		return 1
+	fi
+	return 0
+}
+
+decrypt_ssl "$1"
+exit $?
diff --git a/debian/scripts/gen-ssl-key b/debian/scripts/gen-ssl-key
new file mode 100644
index 0000000..70a6fb3
--- /dev/null
+++ b/debian/scripts/gen-ssl-key
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to generate a keyfile that is encrypted with openssl
+#
+# Written 2005 by Markus Nass <generalstone@gmx.net>
+# Improved 2006 by Jonas Meurer <jonas@freesources.org>
+# Further improved 2006 by Markus Nass <generalstone@gmx.net>
+
+usage() {
+  echo "Usage: $0 <key>"
+  exit 1
+}
+
+if [ -z "${1-}" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  usage
+fi
+
+if [ -x /usr/bin/openssl ]; then
+	dd if=/dev/random bs=1c count=256 | openssl enc -aes-256-cbc -e -salt >"$1"
+else
+	echo "/usr/bin/openssl is not available" && exit 1
+fi
diff --git a/debian/scripts/luksformat b/debian/scripts/luksformat
new file mode 100644
index 0000000..ae17f79
--- /dev/null
+++ b/debian/scripts/luksformat
@@ -0,0 +1,133 @@
+#!/usr/bin/perl -w
+
+# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy
+# creation of an encrypted device.
+#
+# (C) 2005 Canonical Ltd.
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+use Getopt::Long qw(:config pass_through);
+
+BEGIN {
+    eval 'use Locale::gettext';
+    if ($@) {
+        *gettext = sub { shift };
+        *textdomain = sub { "" };
+        *LC_MESSAGES = sub { 5 };
+    }
+    eval {
+        require POSIX;
+        import POSIX qw(setlocale);
+    };
+    if ($@) {
+        *setlocale = sub { return 1 };
+    }
+}
+
+setlocale(LC_MESSAGES, "");
+textdomain("luksformat");
+
+if ($> != 0) {
+    print STDERR gettext("This program needs to be started as root\n");
+    exit 1;
+}
+
+sub usage() {
+    print gettext("luksformat - Create and format an encrypted LUKS device
+Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n");
+    exit 1;
+}
+
+# default file system
+$fs = 'vfat';
+exit 1 unless GetOptions ('t|type=s' => \$fs);
+
+GetOptions ('help', \$help);
+if (($#ARGV < 0) || ($help)) {
+    usage();
+}
+
+$device = shift(@ARGV);
+
+open(MOUNTS, "/proc/mounts");
+while (<MOUNTS>) {
+    die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/)
+}
+
+if (-x "/usr/sbin/mkfs.$fs") {
+    $mkfs = "/usr/sbin/mkfs.$fs";
+}
+elsif (-x "/usr/bin/mkfs.$fs") {
+    $mkfs = "/usr/bin/mkfs.$fs";
+}
+elsif (-x "/sbin/mkfs.$fs") {
+    $mkfs = "/sbin/mkfs.$fs";
+}
+elsif (-x "/bin/mkfs.$fs") {
+    $mkfs = "/bin/mkfs.$fs";
+}
+else {
+    printf STDERR (gettext("Error: invalid file system: %s\n"), $fs);
+    exit 1;
+}
+
+# generate temporary mapped device name which is not yet used
+$name = "";
+for ($i = 1; $i < 100; $i++) {
+    if (! -e "/dev/mapper/luksformat$i") {
+	$name = "luksformat$i";
+	last;
+    }
+}
+
+$name or die sprintf(gettext("Error: could not generate temporary mapped device name"));
+
+# we do not need to be overly concerned with race conditions here, cryptsetup
+# will just fail if the name already exists now.
+printf (gettext("Creating encrypted device on %s...\n"), $device);
+if ((system 'cryptsetup', 'luksFormat', $device)) {
+    die sprintf(gettext("Could not create LUKS device %s"), $device);
+}
+
+print gettext("Please enter your passphrase again to verify it\n");
+if ((system 'cryptsetup', 'open', '--type', 'luks', $device, $name) != 0) {
+    print STDERR gettext("The passphrases you entered were not identical\n");
+    exit 1;
+}
+
+$result = system $mkfs, "/dev/mapper/$name", @ARGV;
+print "\n";
+system 'udevadm', 'settle', '--timeout=30';
+system 'cryptsetup', 'luksClose', $name;
+
+die sprintf(gettext("Could not format device with file system %s"), $fs) if $result;
+
+__END__
+
+=head1 NAME
+
+luksformat - Create and format an encrypted LUKS device
+
+=head1 SYNOPSIS
+
+B<luksformat> [B<-t> I<fstype>] I<device> [ mkfs options ]
+
+=head1 DESCRIPTION
+
+B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an
+easy interface for creating an encrypted device that follows the LUKS standard
+and for putting a file system onto the encrypted device.
+
+The default file system is B<vfat> since that is most commonly used on
+removable devices. However, you can specify any available file system with the
+B<-t> option.
+
+=head1 SEE ALSO
+
+L<cryptsetup(8)>, L<mkfs(8)>
+
+=head1 AUTHOR
+
+This program was written by Martin Pitt <martin.pitt@ubuntu.com>.
diff --git a/debian/scripts/passdev.c b/debian/scripts/passdev.c
new file mode 100644
index 0000000..845ccae
--- /dev/null
+++ b/debian/scripts/passdev.c
@@ -0,0 +1,286 @@
+/*
+ * passdev.c - waits for a given device to appear, mounts it and reads a
+ *             key from it which is piped to stdout.
+ *
+ * Copyright (C) 2008   David Härdeman <david@hardeman.nu>
+ *
+ * This package is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This package is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this package; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ */
+
+
+#define _DEFAULT_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/mount.h>
+
+static bool do_debug = false;
+
+static void
+debug(const char *fmt, ...)
+{
+	va_list ap;
+
+	if (!do_debug)
+		return;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+}
+
+static bool
+do_mount(const char *device, const char *dir)
+{
+	pid_t pid;
+	int status;
+	char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs", "xfs", "jfs", "ntfs", "iso9660", "udf" };
+	int fsindex;
+
+	if (!device || !dir)
+		return false;
+
+	for (fsindex = 0;
+	     fsindex < (sizeof(fstypes) / sizeof(fstypes[0]));
+	     fsindex++)
+	{
+		pid = fork();
+		if (pid < 0) {
+			/* Error */
+			return false;
+		} else if (pid > 0) {
+			/* We're in the parent process */
+			do {
+				waitpid(pid, &status, 0);
+			} while (!WIFEXITED(status) && !WIFSIGNALED(status));
+			if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS)
+				return true;
+
+			/* Let's try another fstype */
+			continue;
+		} else {
+			/* We're in the child process */
+			debug("Mounting %s at %s\n", device, dir);
+			close(STDIN_FILENO);
+			close(STDOUT_FILENO);
+			close(STDERR_FILENO);
+			open("/dev/null", O_RDONLY, 0);
+			open("/dev/null", O_WRONLY, 0);
+			open("/dev/null", O_WRONLY, 0);
+			execl("/bin/mount", "/bin/mount", "-n", "-t",
+			      fstypes[fsindex],
+			      /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/
+			      "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro",
+			      device, dir, (char *)NULL);
+
+			/* If execl works, we won't end up here */
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	/* We've tried all fstypes with no luck */
+	return false;
+}
+
+int
+main(int argc, char **argv, char **envp)
+{
+	char *debugval;
+	char *devpath;
+	char *filepath;
+	struct stat st;
+	char *tmppath;
+	char tpath[] = "/tmp/passdev.XXXXXX";
+	char *keypath;
+	int fd;
+	size_t toread;
+	size_t bytesread;
+	char *keybuffer;
+	size_t towrite;
+	size_t byteswritten;
+	ssize_t bytes;
+	char *to;
+	int timeout = 0;
+	bool do_timeout = false;
+
+	/* We only take one argument */
+	if (argc != 2) {
+		fprintf(stderr, "Incorrect number of arguments\n");
+		goto error;
+	}
+
+	/* If DEBUG=1 is in the environment, enable debug messages */
+	debugval = getenv("DEBUG");
+	if (debugval && atoi(debugval) > 0)
+		do_debug = true;
+
+	/* Split string into device and path (and timeout) */
+	devpath = argv[1];
+	filepath = strchr(devpath, ':');
+	if (!filepath || !(*filepath) || !(*(filepath + 1))) {
+		fprintf(stderr, "Invalid key path\n");
+		goto error;
+	}
+	*filepath = '\0';
+	filepath++;
+	to = strchr(filepath, ':');
+	if (to && (*to) && (*(to + 1))) {
+		*to = '\0';
+		to++;
+		timeout = atoi(to);
+		if (timeout > 0)
+			do_timeout = true;
+	}
+	debug("Path is %p and filepath is %p\n", devpath, filepath);
+	if (do_timeout)
+		debug("Timeout is %i\n",timeout);
+
+	/* Wait until device is available */
+	if (access(devpath, F_OK)) {
+		debug("Waiting for %s\n", devpath);
+		while(access(devpath, F_OK)) {
+			sleep(1);
+			if (do_timeout) {
+				if (timeout <= 0)
+					break;
+				timeout--;
+			}
+		}
+	}
+
+	/* Make sure device is a blockdev */
+	if (stat(devpath, &st)) {
+		fprintf(stderr, "Unable to stat %s\n", devpath);
+		goto error;
+	} else if (!S_ISBLK(st.st_mode)) {
+		fprintf(stderr, "%s is no block device\n", devpath);
+		goto error;
+	}
+
+	/* Create a tmp dir where we mount the device */
+	tmppath = mkdtemp(tpath);
+	if (!tmppath) {
+		fprintf(stderr, "Failed to create temporary directory\n");
+		goto error;
+	}
+
+	/* Ok, mount it */
+	if (!do_mount(devpath, tmppath)) {
+		fprintf(stderr, "Failed to mount %s\n", devpath);
+		goto error_rmdir;
+	}
+
+	/* Generate the full path to the keyfile */
+	keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1);
+	if (!keypath) {
+		fprintf(stderr, "Failed to allocate memory\n");
+		goto error_umount;
+	}
+	sprintf(keypath, "%s/%s", tmppath, filepath);
+
+	/* Check that the keyfile exists */
+	if (access(keypath, F_OK)) {
+		fprintf(stderr, "Keyfile doesn't exist\n");
+		goto error_free;
+	}
+
+	/* Get the size of the keyfile */
+	if (stat(keypath, &st)) {
+		fprintf(stderr, "Unable to stat keyfile\n");
+		goto error_free;
+	}
+
+	/* Check the size of the keyfile */
+	if (st.st_size < 0) {
+		fprintf(stderr, "Invalid keyfile size\n");
+		goto error_free;
+	}
+	toread = (size_t)st.st_size;
+
+	/* Open the keyfile */
+	if ((fd = open(keypath, O_RDONLY)) < 0) {
+		fprintf(stderr, "Failed to open keyfile\n");
+		goto error_free;
+	}
+
+	/* Allocate a buffer for the keyfile contents */
+	keybuffer = malloc(toread);
+	if (!keybuffer) {
+		fprintf(stderr, "Failed to allocate memory\n");
+		goto error_close;
+		exit(EXIT_FAILURE);
+	}
+
+	/* Read the keyfile */
+	bytesread = 0;
+	while (bytesread < toread) {
+		bytes = read(fd, keybuffer + bytesread, toread - bytesread);
+		if (bytes <= 0) {
+			fprintf(stderr, "Failed to read entire key\n");
+			goto error_keybuffer;
+		}
+		bytesread += bytes;
+	}
+
+	/* Clean up */
+	close(fd);
+	free(keypath);
+	umount(tmppath);
+	rmdir(tmppath);
+
+	/* Write result */
+	byteswritten = 0;
+	towrite = toread;
+	while (byteswritten < towrite) {
+		bytes = write(STDOUT_FILENO, keybuffer + byteswritten,
+			      towrite - byteswritten);
+		if (bytes <= 0) {
+			fprintf(stderr, "Failed to write entire key\n");
+			memset(keybuffer, 0, toread);
+			free(keybuffer);
+			goto error;
+		}
+		byteswritten += bytes;
+	}
+
+	/* Clean up */
+	memset(keybuffer, 0, toread);
+	free(keybuffer);
+
+	/* Done */
+	exit(EXIT_SUCCESS);
+
+	/* Error handling */
+error_keybuffer:
+	memset(keybuffer, 0, toread);
+	free(keybuffer);
+error_close:
+	close(fd);
+error_free:
+	free(keypath);
+error_umount:
+	umount(tmppath);
+error_rmdir:
+	rmdir(tmppath);
+error:
+	exit(EXIT_FAILURE);
+}
+
diff --git a/debian/scripts/po/Makefile b/debian/scripts/po/Makefile
new file mode 100644
index 0000000..9eb8acf
--- /dev/null
+++ b/debian/scripts/po/Makefile
@@ -0,0 +1,39 @@
+XGETTEXT = xgettext
+MSGFMT = msgfmt
+MSGMERGE = msgmerge
+
+LOCALEDIR = /usr/share/locale
+
+.SUFFIXES: .po .mo .pot
+
+%.mo: %.po
+	$(MSGFMT) -o $@ $<
+
+PO = $(wildcard *.po)
+LANG = $(basename $(PO))
+MO = $(addsuffix .mo,$(LANG))
+SOURCES = ../luksformat
+
+all: update $(MO)
+update: luksformat.pot
+	-@for po in $(PO); do \
+	echo -n "Updating $$po"; \
+	$(MSGMERGE) -U $$po luksformat.pot; \
+	done;
+
+luksformat.pot: $(SOURCES)
+	$(XGETTEXT) -c -L Perl -kgtx \
+	--msgid-bugs-address=pkg-cryptsetup-devel@alioth-lists.debian.net \
+	-o $@ $(SOURCES)
+
+install: all
+	for i in $(MO) ; do \
+	  t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
+	  install -d $$t ;\
+	  install -m 644 $$i $$t/luksformat.mo ;\
+	done
+
+clean:
+	$(RM) $(MO) *~
+
+.PHONY: update
diff --git a/debian/scripts/po/de.po b/debian/scripts/po/de.po
new file mode 100644
index 0000000..76c7f2f
--- /dev/null
+++ b/debian/scripts/po/de.po
@@ -0,0 +1,76 @@
+# German translations for cryptsetup package
+# German messages for luksformat in cryptsetup.
+# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Jonas Meurer <jonas@freesources.org>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-1\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: 2011-03-08 19:40+0100\n"
+"Last-Translator: Jonas Meurer <jonas@freesources.org>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr "Dieses Programm muss als Benutzer root gestartet werden\n"
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n"
+"Verwendung: luksformat [-t <Dateisystem>] <Partition> [ mkfs Optionen ]\n"
+"\n"
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr "Fehler: Partition ist eingebunden: %s\n"
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr "Fehler: Ungültiges Dateisystem: %s\n"
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr "Fehler: Erstellen einer temporären Partition schlug fehl"
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr "Erstelle verschlüsselte Partition auf %s...\n"
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr "Erstellen der LUKS-Partition %s schlug fehl"
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n"
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr "Die eingegebenen Passwörter waren nicht identisch\n"
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl"
+
+#~ msgid "%s: %s"
+#~ msgstr "%s: %s"
diff --git a/debian/scripts/po/luksformat.pot b/debian/scripts/po/luksformat.pot
new file mode 100644
index 0000000..f6c1e56
--- /dev/null
+++ b/debian/scripts/po/luksformat.pot
@@ -0,0 +1,69 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr ""
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr ""
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr ""
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr ""
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr ""
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr ""
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr ""
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr ""
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr ""