summaryrefslogtreecommitdiffstats
path: root/src/tools/rbd/action/Encryption.cc
blob: ecd4f0cb5109c388fbb8812ad1ee591f943bc003 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#include "include/compat.h"
#include "include/scope_guard.h"
#include "tools/rbd/ArgumentTypes.h"
#include "tools/rbd/Shell.h"
#include "tools/rbd/Utils.h"
#include "common/errno.h"
#include <fstream>
#include <iostream>
#include <boost/program_options.hpp>

namespace rbd {
namespace action {
namespace encryption {

namespace at = argument_types;
namespace po = boost::program_options;

void get_arguments(po::options_description *positional,
                   po::options_description *options) {
  at::add_image_spec_options(positional, options, at::ARGUMENT_MODIFIER_NONE);
  positional->add_options()
    ("format", "encryption format [possible values: luks1, luks2]")
    ("passphrase-file",
      "path of file containing passphrase for unlocking the image");
  options->add_options()
    ("cipher-alg", po::value<at::EncryptionAlgorithm>(),
     "encryption algorithm [possible values: aes-128, aes-256 (default)]");
}

int execute(const po::variables_map &vm,
            const std::vector<std::string> &ceph_global_init_args) {
  size_t arg_index = 0;
  std::string pool_name;
  std::string namespace_name;
  std::string image_name;
  std::string snap_name;
  int r = utils::get_pool_image_snapshot_names(
    vm, at::ARGUMENT_MODIFIER_NONE, &arg_index, &pool_name, &namespace_name,
    &image_name, &snap_name, true, utils::SNAPSHOT_PRESENCE_NONE,
    utils::SPEC_VALIDATION_NONE);
  if (r < 0) {
    return r;
  }

  std::string format_str = utils::get_positional_argument(vm, arg_index++);
  if (format_str.empty()) {
    std::cerr << "rbd: must specify format." << std::endl;
    return -EINVAL;
  }

  std::string passphrase_file =
          utils::get_positional_argument(vm, arg_index++);
  if (passphrase_file.empty()) {
    std::cerr << "rbd: must specify passphrase-file." << std::endl;
    return -EINVAL;
  }

  auto alg = RBD_ENCRYPTION_ALGORITHM_AES256;
  if (vm.count("cipher-alg")) {
    alg = vm["cipher-alg"].as<librbd::encryption_algorithm_t>();
  }

  librados::Rados rados;
  librados::IoCtx io_ctx;
  librbd::Image image;
  r = utils::init_and_open_image(pool_name, namespace_name, image_name, "", "",
                                 false, &rados, &io_ctx, &image);
  if (r < 0) {
    return r;
  }

  std::ifstream file(passphrase_file, std::ios::in | std::ios::binary);
  if (file.fail()) {
    std::cerr << "rbd: unable to open passphrase file '" << passphrase_file
              << "': " << cpp_strerror(errno) << std::endl;
    return -errno;
  }
  std::string passphrase((std::istreambuf_iterator<char>(file)),
                         std::istreambuf_iterator<char>());
  file.close();

  if (format_str == "luks1") {
    librbd::encryption_luks1_format_options_t opts = {
        alg, std::move(passphrase)};
    r = image.encryption_format(
            RBD_ENCRYPTION_FORMAT_LUKS1, &opts, sizeof(opts));
    ceph_memzero_s(opts.passphrase.data(), opts.passphrase.size(),
                   opts.passphrase.size());
  } else if (format_str == "luks2") {
    librbd::encryption_luks2_format_options_t opts = {
        alg, std::move(passphrase)};
    r = image.encryption_format(
            RBD_ENCRYPTION_FORMAT_LUKS2, &opts, sizeof(opts));
    ceph_memzero_s(opts.passphrase.data(), opts.passphrase.size(),
                   opts.passphrase.size());
  } else {
    std::cerr << "rbd: unsupported encryption format" << std::endl;
    return -ENOTSUP;
  }

  if (r < 0) {
    std::cerr << "rbd: encryption format error: " << cpp_strerror(r)
              << std::endl;
  }
  return r;
}

Shell::Action action(
  {"encryption", "format"}, {}, "Format image to an encrypted format.", "",
  &get_arguments, &execute);

} // namespace encryption
} // namespace action
} // namespace rbd