From 8909d83a3ed226e4a7c962261217cb2c14ff2ec9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 10:35:42 +0200 Subject: Merging upstream version 2:2.7.0. Signed-off-by: Daniel Baumann --- .codeql-config.yml | 31 + .github/workflows/cibuild-setup-ubuntu.sh | 2 +- .github/workflows/cibuild.yml | 2 +- .github/workflows/codeql.yml | 50 + .github/workflows/coverity.yml | 2 +- .gitlab/ci/annocheck.yml | 4 +- .gitlab/ci/cibuild-setup-ubuntu.sh | 4 +- .gitlab/ci/clang-Wall | 3 +- .gitlab/ci/compilation-clang.gitlab-ci.yml | 3 + .gitlab/ci/compilation-gcc.gitlab-ci.yml | 3 + .gitlab/ci/compilation-various-disables.yml | 31 +- .gitlab/ci/csmock.yml | 10 +- .gitlab/ci/debian.yml | 50 +- .gitlab/ci/gcc-Wall | 2 +- .gitlab/ci/gitlab-shared-docker.yml | 5 +- .lgtm.yml | 11 - Makefile.am | 15 +- README.md | 81 +- configure.ac | 96 +- docs/Keyring.txt | 51 +- docs/LUKS2-locking.txt | 66 +- docs/doxyfile | 46 +- docs/examples/crypt_log_usage.c | 2 +- docs/examples/crypt_luks_usage.c | 2 +- docs/on-disk-format-luks2.pdf | Bin 382277 -> 372980 bytes docs/v2.7.0-ReleaseNotes | 437 ++ lib/Makemodule.am | 2 + lib/bitlk/bitlk.c | 17 +- lib/bitlk/bitlk.h | 6 +- lib/crypt_plain.c | 4 +- lib/crypto_backend/argon2/meson.build | 28 + lib/crypto_backend/argon2_generic.c | 39 +- lib/crypto_backend/base64.c | 2 +- lib/crypto_backend/cipher_check.c | 4 +- lib/crypto_backend/cipher_generic.c | 5 +- lib/crypto_backend/crc32.c | 4 +- lib/crypto_backend/crypto_backend.h | 6 +- lib/crypto_backend/crypto_backend_internal.h | 4 +- lib/crypto_backend/crypto_cipher_kernel.c | 7 +- lib/crypto_backend/crypto_gcrypt.c | 150 +- lib/crypto_backend/crypto_kernel.c | 6 +- lib/crypto_backend/crypto_nettle.c | 4 +- lib/crypto_backend/crypto_nss.c | 4 +- lib/crypto_backend/crypto_openssl.c | 90 +- lib/crypto_backend/crypto_storage.c | 2 +- lib/crypto_backend/meson.build | 40 + lib/crypto_backend/pbkdf2_generic.c | 4 +- lib/crypto_backend/pbkdf_check.c | 4 +- lib/crypto_backend/utf8.c | 2 +- lib/integrity/integrity.c | 121 +- lib/integrity/integrity.h | 5 +- lib/internal.h | 31 +- lib/keyslot_context.c | 364 +- lib/keyslot_context.h | 52 +- lib/libcryptsetup.h | 288 +- lib/libcryptsetup.sym | 15 + lib/libcryptsetup_macros.h | 4 +- lib/libcryptsetup_symver.h | 2 +- lib/libdevmapper.c | 39 +- lib/loopaes/loopaes.c | 4 +- lib/loopaes/loopaes.h | 4 +- lib/luks1/af.c | 2 +- lib/luks1/af.h | 2 +- lib/luks1/keyencryption.c | 4 +- lib/luks1/keymanage.c | 4 +- lib/luks1/luks.h | 2 +- lib/luks2/hw_opal/hw_opal.c | 1089 +++++ lib/luks2/hw_opal/hw_opal.h | 71 + lib/luks2/luks2.h | 46 +- lib/luks2/luks2_digest.c | 18 +- lib/luks2/luks2_digest_pbkdf2.c | 16 +- lib/luks2/luks2_disk_metadata.c | 25 +- lib/luks2/luks2_internal.h | 37 +- lib/luks2/luks2_json_format.c | 227 +- lib/luks2/luks2_json_metadata.c | 303 +- lib/luks2/luks2_keyslot.c | 35 +- lib/luks2/luks2_keyslot_luks2.c | 40 +- lib/luks2/luks2_keyslot_reenc.c | 21 +- lib/luks2/luks2_luks1_convert.c | 43 +- lib/luks2/luks2_reencrypt.c | 428 +- lib/luks2/luks2_reencrypt_digest.c | 22 +- lib/luks2/luks2_segment.c | 244 +- lib/luks2/luks2_token.c | 295 +- lib/luks2/luks2_token_keyring.c | 13 +- lib/meson.build | 116 + lib/random.c | 2 +- lib/setup.c | 2621 ++++++++--- lib/tcrypt/tcrypt.c | 8 +- lib/tcrypt/tcrypt.h | 4 +- lib/utils.c | 69 +- lib/utils_benchmark.c | 13 +- lib/utils_blkid.c | 170 +- lib/utils_blkid.h | 2 +- lib/utils_crypt.c | 21 +- lib/utils_crypt.h | 7 +- lib/utils_device.c | 32 +- lib/utils_device_locking.c | 30 +- lib/utils_device_locking.h | 5 +- lib/utils_devpath.c | 33 +- lib/utils_dm.h | 7 +- lib/utils_io.c | 4 +- lib/utils_io.h | 4 +- lib/utils_keyring.c | 433 +- lib/utils_keyring.h | 39 +- lib/utils_loop.c | 6 +- lib/utils_loop.h | 4 +- lib/utils_pbkdf.c | 32 +- lib/utils_safe_memory.c | 4 +- lib/utils_storage_wrappers.c | 2 +- lib/utils_storage_wrappers.h | 2 +- lib/utils_wipe.c | 76 +- lib/verity/rs.h | 2 +- lib/verity/rs_decode_char.c | 2 +- lib/verity/rs_encode_char.c | 2 +- lib/verity/verity.c | 140 +- lib/verity/verity.h | 15 +- lib/verity/verity_fec.c | 2 +- lib/verity/verity_hash.c | 2 +- lib/volumekey.c | 4 +- man/Makemodule.am | 2 + man/common_options.adoc | 85 +- man/cryptsetup-erase.8.adoc | 10 +- man/cryptsetup-luksAddKey.8.adoc | 16 +- man/cryptsetup-luksChangeKey.8.adoc | 4 +- man/cryptsetup-luksDump.8.adoc | 2 +- man/cryptsetup-luksFormat.8.adoc | 4 +- man/cryptsetup-luksResume.8.adoc | 3 +- man/cryptsetup-luksSuspend.8.adoc | 4 + man/cryptsetup-open.8.adoc | 16 +- man/cryptsetup-reencrypt.8.adoc | 4 +- man/cryptsetup-resize.8.adoc | 2 +- man/cryptsetup-token.8.adoc | 2 +- man/cryptsetup.8.adoc | 56 +- man/integritysetup.8.adoc | 4 + man/meson.build | 256 ++ man/meson_dist_convert.sh | 27 + meson.build | 748 +++ meson_options.txt | 57 + misc/fedora/cryptsetup.spec | 6 +- po/POTFILES.in | 1 + po/cryptsetup.pot | 1649 ++++--- po/cs.po | 1634 ++++--- po/de.po | 1627 ++++--- po/es.po | 3097 ++++++++----- po/fr.po | 1623 ++++--- po/ja.po | 1611 ++++--- po/meson.build | 7 + po/pl.po | 1727 ++++--- po/ro.po | 1643 ++++--- po/ru.po | 12 +- po/sr.po | 1399 +++--- po/uk.po | 1624 ++++--- po/zh_CN.po | 5119 ++++++++++++++------- scripts/meson.build | 7 + src/cryptsetup.c | 637 ++- src/cryptsetup.h | 4 +- src/cryptsetup_arg_list.h | 56 +- src/cryptsetup_args.h | 43 +- src/integritysetup.c | 30 +- src/integritysetup_arg_list.h | 34 +- src/integritysetup_args.h | 17 +- src/meson.build | 77 + src/utils_arg_macros.h | 4 +- src/utils_arg_names.h | 11 +- src/utils_args.c | 4 +- src/utils_blockdev.c | 18 +- src/utils_luks.c | 9 +- src/utils_luks.h | 6 +- src/utils_password.c | 5 +- src/utils_progress.c | 4 +- src/utils_reencrypt.c | 43 +- src/utils_reencrypt_luks1.c | 4 +- src/utils_tools.c | 17 +- src/veritysetup.c | 7 +- src/veritysetup_arg_list.h | 4 +- src/veritysetup_args.h | 6 +- tests/Makefile.am | 24 +- tests/align-test | 18 +- tests/align-test2 | 15 +- tests/all-symbols-test.c | 6 +- tests/api-test-2.c | 931 +++- tests/api-test.c | 6 +- tests/api_test.h | 10 +- tests/bitlk-compat-test | 16 +- tests/blockwise-compat-test | 2 +- tests/compat-args-test | 13 +- tests/compat-test | 62 +- tests/compat-test-opal | 1329 ++++++ tests/compat-test2 | 370 +- tests/crypto-vectors.c | 105 +- tests/device-test | 66 +- tests/differ.c | 2 +- tests/discards-test | 19 +- tests/fake_systemd_tpm_path.c | 4 +- tests/fake_token_path.c | 6 - tests/fuzz/LUKS2.proto | 6 +- tests/fuzz/LUKS2_plain_JSON.proto | 4 +- tests/fuzz/crypt2_load_fuzz.cc | 111 +- tests/fuzz/crypt2_load_proto_fuzz.cc | 4 +- tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc | 4 +- tests/fuzz/meson.build | 127 + tests/fuzz/oss-fuzz-build.sh | 20 +- tests/fuzz/plain_json_proto_to_luks2.cc | 4 +- tests/fuzz/plain_json_proto_to_luks2_converter.cc | 19 +- tests/fuzz/plain_json_proto_to_luks2_converter.h | 4 +- tests/fuzz/proto_to_luks2.cc | 4 +- tests/fuzz/proto_to_luks2_converter.cc | 4 +- tests/fuzz/proto_to_luks2_converter.h | 4 +- tests/fvault2-compat-test | 13 +- tests/integrity-compat-test | 13 +- tests/keyring-compat-test | 15 +- tests/loopaes-test | 13 +- tests/luks1-compat-test | 13 +- tests/luks2-integrity-test | 30 +- tests/luks2-reencryption-mangle-test | 13 +- tests/luks2-reencryption-test | 119 +- tests/luks2-validation-test | 13 +- tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes tests/meson.build | 482 ++ tests/mode-test | 23 +- tests/password-hash-test | 13 +- tests/reencryption-compat-test | 17 +- tests/run-all-symbols | 6 +- tests/ssh-test-plugin | 41 +- tests/systemd-test-plugin | 66 +- tests/tcrypt-compat-test | 28 +- tests/tcrypt-images.tar.xz | Bin 308700 -> 325760 bytes tests/test_utils.c | 36 +- tests/unit-utils-crypt.c | 2 +- tests/unit-utils-io.c | 2 +- tests/unit-wipe-test | 2 +- tests/unit-wipe.c | 2 +- tests/verity-compat-test | 14 +- tokens/meson.build | 8 + tokens/ssh/cryptsetup-ssh.c | 28 +- tokens/ssh/libcryptsetup-token-ssh.c | 4 +- tokens/ssh/meson.build | 39 + tokens/ssh/ssh-utils.c | 4 +- tokens/ssh/ssh-utils.h | 9 +- 239 files changed, 27419 insertions(+), 11370 deletions(-) create mode 100644 .codeql-config.yml create mode 100644 .github/workflows/codeql.yml delete mode 100644 .lgtm.yml create mode 100644 docs/v2.7.0-ReleaseNotes create mode 100644 lib/crypto_backend/argon2/meson.build create mode 100644 lib/crypto_backend/meson.build create mode 100644 lib/luks2/hw_opal/hw_opal.c create mode 100644 lib/luks2/hw_opal/hw_opal.h create mode 100644 lib/meson.build create mode 100644 man/meson.build create mode 100755 man/meson_dist_convert.sh create mode 100644 meson.build create mode 100644 meson_options.txt create mode 100644 po/meson.build create mode 100644 scripts/meson.build create mode 100644 src/meson.build create mode 100755 tests/compat-test-opal delete mode 100644 tests/fake_token_path.c create mode 100644 tests/fuzz/meson.build create mode 100644 tests/luks2_invalid_cipher.img.xz create mode 100644 tests/meson.build create mode 100644 tokens/meson.build create mode 100644 tokens/ssh/meson.build diff --git a/.codeql-config.yml b/.codeql-config.yml new file mode 100644 index 0000000..1311657 --- /dev/null +++ b/.codeql-config.yml @@ -0,0 +1,31 @@ +name: "Cryptsetup CodeQL config" + +query-filters: +- exclude: + id: cpp/fixme-comment +- exclude: + id: cpp/empty-block +- exclude: + id: cpp/poorly-documented-function +- exclude: + id: cpp/loop-variable-changed +- exclude: + id: cpp/empty-if +- exclude: + id: cpp/long-switch +- exclude: + id: cpp/complex-condition +- exclude: + id: cpp/commented-out-code + +# These produce many false positives +- exclude: + id: cpp/uninitialized-local +- exclude: + id: cpp/path-injection +- exclude: + id: cpp/missing-check-scanf + +# CodeQL should understand coverity [toctou] comments +- exclude: + id: cpp/toctou-race-condition diff --git a/.github/workflows/cibuild-setup-ubuntu.sh b/.github/workflows/cibuild-setup-ubuntu.sh index 2c0adb2..e689084 100755 --- a/.github/workflows/cibuild-setup-ubuntu.sh +++ b/.github/workflows/cibuild-setup-ubuntu.sh @@ -7,7 +7,7 @@ PACKAGES=( gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass - asciidoctor + asciidoctor meson ninja-build ) COMPILER="${COMPILER:?}" diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml index 2698389..b97bae1 100644 --- a/.github/workflows/cibuild.yml +++ b/.github/workflows/cibuild.yml @@ -17,7 +17,7 @@ jobs: fail-fast: false matrix: env: - - { COMPILER: "gcc", COMPILER_VERSION: "11", RUN_SSH_PLUGIN_TEST: "1" } + - { COMPILER: "gcc", COMPILER_VERSION: "13", RUN_SSH_PLUGIN_TEST: "1" } env: ${{ matrix.env }} steps: - name: Repository checkout diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..f1e22ce --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,50 @@ +name: "CodeQL" + +on: + push: + branches: + - 'main' + - 'wip-luks2' + - 'v2.3.x' + - 'v2.4.x' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + if: github.repository == 'mbroz/cryptsetup' + concurrency: + group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} + cancel-in-progress: true + permissions: + actions: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'cpp' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: +security-extended,security-and-quality + config-file: .codeql-config.yml + + - name: Install dependencies + run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh + env: { COMPILER: "gcc", COMPILER_VERSION: "13", RUN_SSH_PLUGIN_TEST: "1" } + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index edc88e8..eace134 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -17,7 +17,7 @@ jobs: run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh env: COMPILER: "gcc" - COMPILER_VERSION: "11" + COMPILER_VERSION: "13" - name: Install Coverity run: | wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=mbroz/cryptsetup" -O cov-analysis-linux64.tar.gz diff --git a/.gitlab/ci/annocheck.yml b/.gitlab/ci/annocheck.yml index 5b3a715..7501180 100644 --- a/.gitlab/ci/annocheck.yml +++ b/.gitlab/ci/annocheck.yml @@ -14,6 +14,4 @@ test-main-commit-job-annocheck: when: never - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ script: - - /opt/build-rpm-script.sh > /dev/null 2>&1 - - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9 - - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8 + - sudo /opt/run-annocheck.sh diff --git a/.gitlab/ci/cibuild-setup-ubuntu.sh b/.gitlab/ci/cibuild-setup-ubuntu.sh index 07b0990..00e37eb 100755 --- a/.gitlab/ci/cibuild-setup-ubuntu.sh +++ b/.gitlab/ci/cibuild-setup-ubuntu.sh @@ -6,8 +6,8 @@ PACKAGES=( git make autoconf automake autopoint pkg-config libtool libtool-bin gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev - sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass - asciidoctor + sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client + sshpass asciidoctor ) COMPILER="${COMPILER:?}" diff --git a/.gitlab/ci/clang-Wall b/.gitlab/ci/clang-Wall index d09e154..52c2dad 100755 --- a/.gitlab/ci/clang-Wall +++ b/.gitlab/ci/clang-Wall @@ -25,10 +25,9 @@ EXTRA="\ -Wswitch \ -Wmissing-format-attribute \ -Winit-self \ - -Wdeclaration-after-statement \ -Wold-style-definition \ -Wno-missing-field-initializers \ - -Wno-unused-parameter \ + -Wunused-parameter \ -Wno-long-long" exec $CLANG $PEDANTIC $CONVERSION \ diff --git a/.gitlab/ci/compilation-clang.gitlab-ci.yml b/.gitlab/ci/compilation-clang.gitlab-ci.yml index 6f5cd42..cf54b8b 100644 --- a/.gitlab/ci/compilation-clang.gitlab-ci.yml +++ b/.gitlab/ci/compilation-clang.gitlab-ci.yml @@ -3,6 +3,7 @@ test-clang-compilation: - .gitlab-shared-clang script: - export CFLAGS="-Wall -Werror" + - ./autogen.sh - ./configure - make -j - make -j check-programs @@ -13,6 +14,7 @@ test-clang-Wall-script: script: - export CFLAGS="-g -O0" - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall" + - ./autogen.sh - ./configure - make -j CFLAGS="-g -O0 -Werror" - make -j CFLAGS="-g -O0 -Werror" check-programs @@ -21,6 +23,7 @@ test-scan-build: extends: - .gitlab-shared-clang script: + - ./autogen.sh - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" - make clean - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j diff --git a/.gitlab/ci/compilation-gcc.gitlab-ci.yml b/.gitlab/ci/compilation-gcc.gitlab-ci.yml index 00fae36..c4a10c3 100644 --- a/.gitlab/ci/compilation-gcc.gitlab-ci.yml +++ b/.gitlab/ci/compilation-gcc.gitlab-ci.yml @@ -3,6 +3,7 @@ test-gcc-compilation: - .gitlab-shared-gcc script: - export CFLAGS="-Wall -Werror" + - ./autogen.sh - ./configure - make -j - make -j check-programs @@ -13,6 +14,7 @@ test-gcc-Wall-script: script: - export CFLAGS="-g -O0" - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall" + - ./autogen.sh - ./configure - make -j CFLAGS="-g -O0 -Werror" - make -j CFLAGS="-g -O0 -Werror" check-programs @@ -22,6 +24,7 @@ test-gcc-fanalyzer: - .gitlab-shared-gcc script: - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" + - ./autogen.sh - ./configure - make -j - make -j check-programs diff --git a/.gitlab/ci/compilation-various-disables.yml b/.gitlab/ci/compilation-various-disables.yml index 1414f9e..1c9fb3d 100644 --- a/.gitlab/ci/compilation-various-disables.yml +++ b/.gitlab/ci/compilation-various-disables.yml @@ -4,18 +4,29 @@ test-gcc-disable-compiles: parallel: matrix: - DISABLE_FLAGS: [ - "--disable-keyring", - "--disable-external-tokens --disable-ssh-token", - "--disable-luks2-reencryption", - "--disable-cryptsetup --disable-veritysetup --disable-integritysetup", - "--disable-kernel_crypto", - "--disable-selinux", - "--disable-udev", - "--disable-internal-argon2", - "--disable-blkid" + "keyring", + "external-tokens ssh-token", + "luks2-reencryption", + "cryptsetup veritysetup integritysetup", + "kernel_crypto", + "udev", + "internal-argon2", + "blkid" ] + artifacts: + name: "meson-build-logs-$CI_COMMIT_REF_NAME" + paths: + - meson_builddir/meson-logs script: + - DEBIAN_FRONTEND=noninteractive apt-get -yq install meson ninja-build - export CFLAGS="-Wall -Werror" - - ./configure $DISABLE_FLAGS + - ./autogen.sh + - echo "Configuring with --disable-$DISABLE_FLAGS" + - ./configure $(for i in $DISABLE_FLAGS; do echo "--disable-$i"; done) - make -j - make -j check-programs + - git checkout -f && git clean -xdf + - meson -v + - echo "Configuring with -D$DISABLE_FLAGS=false" + - meson setup meson_builddir $(for i in $DISABLE_FLAGS; do [ "$i" == "internal-argon2" ] && echo "-Dargon-implementation=internal" || echo "-D$i=false"; done) + - ninja -C meson_builddir diff --git a/.gitlab/ci/csmock.yml b/.gitlab/ci/csmock.yml index 72b53ed..a1cd985 100644 --- a/.gitlab/ci/csmock.yml +++ b/.gitlab/ci/csmock.yml @@ -3,7 +3,7 @@ test-commit-job-csmock: - .dump_kernel_log tags: - libvirt - - rhel7-csmock + - rhel9-csmock stage: test interruptible: true allow_failure: true @@ -14,4 +14,10 @@ test-commit-job-csmock: when: never - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event" script: - - /opt/csmock-run-script.sh + - sudo /opt/run-csmock.sh + artifacts: + # Upload artifacts when a crash makes the job fail. + when: always + paths: + - cryptsetup-csmock-results.tar.xz + - cryptsetup-csmock-results diff --git a/.gitlab/ci/debian.yml b/.gitlab/ci/debian.yml index fad9d97..6a17533 100644 --- a/.gitlab/ci/debian.yml +++ b/.gitlab/ci/debian.yml @@ -2,16 +2,17 @@ extends: - .dump_kernel_log before_script: + - sudo apt-get -y update - > [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] || sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2 - gperf libcap-dev tpm2-tss-engine-dev libmount-dev swtpm-tools + gperf libcap-dev libtss2-dev libmount-dev swtpm-tools - > sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect - keyutils netcat passwd openssh-client sshpass asciidoctor + keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor - sudo apt-get -y build-dep cryptsetup - sudo -E git clean -xdf - ./autogen.sh @@ -22,7 +23,7 @@ test-mergerq-job-debian: - .debian-prep tags: - libvirt - - debian11 + - debian12 stage: test interruptible: true variables: @@ -41,7 +42,7 @@ test-main-commit-job-debian: - .debian-prep tags: - libvirt - - debian11 + - debian12 stage: test interruptible: true variables: @@ -54,3 +55,44 @@ test-main-commit-job-debian: - make -j - make -j -C tests check-programs - sudo -E make check + +# meson tests +test-mergerq-job-debian-meson: + extends: + - .debian-prep + tags: + - libvirt + - debian12 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + script: + - sudo apt-get -y install -y -qq meson ninja-build + - meson setup build + - ninja -C build + - cd build && sudo -E meson test --verbose --print-errorlogs + +test-main-commit-job-debian-meson: + extends: + - .debian-prep + tags: + - libvirt + - debian12 + stage: test + interruptible: true + variables: + RUN_SSH_PLUGIN_TEST: "1" + rules: + - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup" + when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ + script: + - sudo apt-get -y install -y -qq meson ninja-build + - meson setup build + - ninja -C build + - cd build && sudo -E meson test --verbose --print-errorlogs diff --git a/.gitlab/ci/gcc-Wall b/.gitlab/ci/gcc-Wall index 6669504..860a8fb 100755 --- a/.gitlab/ci/gcc-Wall +++ b/.gitlab/ci/gcc-Wall @@ -31,7 +31,7 @@ EXTRA="-Wextra \ -Wunsafe-loop-optimizations \ -Wold-style-definition \ -Wno-missing-field-initializers \ - -Wno-unused-parameter \ + -Wunused-parameter \ -Wno-long-long \ -Wmaybe-uninitialized \ -Wvla \ diff --git a/.gitlab/ci/gitlab-shared-docker.yml b/.gitlab/ci/gitlab-shared-docker.yml index 1edacc8..b625ee0 100644 --- a/.gitlab/ci/gitlab-shared-docker.yml +++ b/.gitlab/ci/gitlab-shared-docker.yml @@ -1,5 +1,5 @@ .gitlab-shared-docker: - image: ubuntu:focal + image: ubuntu:lunar tags: - gitlab-org-docker stage: test @@ -12,7 +12,6 @@ - .gitlab/ci/cibuild-setup-ubuntu.sh - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}" - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}" - - ./autogen.sh .gitlab-shared-gcc: extends: @@ -27,5 +26,5 @@ - .gitlab-shared-docker variables: COMPILER: "clang" - COMPILER_VERSION: "13" + COMPILER_VERSION: "17" RUN_SSH_PLUGIN_TEST: "1" diff --git a/.lgtm.yml b/.lgtm.yml deleted file mode 100644 index 64d9cc8..0000000 --- a/.lgtm.yml +++ /dev/null @@ -1,11 +0,0 @@ -queries: - - exclude: cpp/fixme-comment - - exclude: cpp/empty-block -# symver attribute detection cannot be used, disable it for lgtm -extraction: - cpp: - configure: - command: - - "./autogen.sh" - - "./configure --enable-external-tokens --enable-ssh-token" - - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h" diff --git a/Makefile.am b/Makefile.am index fb7cb18..f7f6d16 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,17 @@ -EXTRA_DIST = README.md COPYING.LGPL FAQ.md docs misc autogen.sh +EXTRA_DIST = README.md SECURITY.md COPYING.LGPL FAQ.md docs misc autogen.sh +EXTRA_DIST += meson_options.txt \ + meson.build \ + lib/crypto_backend/argon2/meson.build \ + lib/crypto_backend/meson.build \ + lib/meson.build \ + man/meson.build \ + po/meson.build \ + scripts/meson.build \ + src/meson.build \ + tests/meson.build \ + tokens/meson.build \ + tokens/ssh/meson.build + SUBDIRS = po tests tests/fuzz CLEANFILES = DISTCLEAN_TARGETS = diff --git a/README.md b/README.md index daec8f7..0003832 100644 --- a/README.md +++ b/README.md @@ -21,13 +21,12 @@ block integrity kernel module. LUKS Design ----------- -**LUKS** is the standard for Linux disk encryption. By providing a standard on-disk format, -it does not only facilitate compatibility among distributions, but also provides secure management +**LUKS** is the standard for Linux disk encryption. By providing a standardized on-disk format, +it not only facilitate compatibility among distributions, but also enables secure management of multiple user passwords. LUKS stores all necessary setup information in the partition header, -enabling to transport or migrate data seamlessly. +which enables users to transport or migrate data seamlessly. ### Specification and documentation - * The latest version of the [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs). * The latest version of the @@ -37,18 +36,18 @@ enabling to transport or migrate data seamlessly. Download -------- -All release tarballs and release notes are hosted on +Release notes and tarballs are available at [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/). -**The latest stable cryptsetup release version is 2.6.1** - * [cryptsetup-2.6.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) - * Signature [cryptsetup-2.6.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) +**The latest stable cryptsetup release version is 2.7.0** + * [cryptsetup-2.7.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.xz) + * Signature [cryptsetup-2.7.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.sign) _(You need to decompress file first to check signature.)_ - * [Cryptsetup 2.6.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.1-ReleaseNotes). + * [Cryptsetup 2.7.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes). Previous versions - * [Version 2.5.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz) - - [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign) - + * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) - + [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) - [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes). * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) - [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) - @@ -56,27 +55,24 @@ Previous versions Source and API documentation ---------------------------- -For development version code, please refer to -[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, -mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or +For development version code, please refer to the +[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, with mirrors +at [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) and [GitHub](https://github.com/mbroz/cryptsetup). For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page. -The libcryptsetup API/ABI changes are tracked in -[compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/). - NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html). Required packages ----------------- -All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, -some packages are required for compilation. -Please always prefer distro specific build tools to manually configuring cryptsetup. +All major Linux distributions provide cryptsetup as a bundled package. If you need +to compile cryptsetup yourself, various additional packages are required. +Any distribution-specific build tools are preferred when manually configuring cryptsetup. -Here is the list of packages needed for the compilation of project for particular distributions: +Below are the packages needed to build for certain Linux distributions: **For Fedora**: ``` @@ -102,47 +98,48 @@ To run the internal testsuite (make check) you also need to install sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass ``` -Note that the list could change as the distributions evolve. +Note that the list may change as Linux distributions evolve. Compilation ----------- -The cryptsetup project uses **automake** and **autoconf** system to generate all needed files -for compilation. If you check it from the git snapshot, use **./autogen.sh && ./configure && make** -to compile the project. If you use downloaded released **tar.xz** archive, the configure script -is already pre-generated (no need to run **autoconf.sh**). -See **./configure --help** and use **--disable-[feature]** and **--enable-[feature]** options. +The cryptsetup project uses **automake** and **autoconf** system to generate all files needed to build. +When building from a git snapshot,, use **./autogen.sh && ./configure && make** +to compile the project. When building from a release **tar.xz** tarball, the configure script +is pre-generated (no need to run **autoconf.sh**). +See **./configure --help** and use the **--disable-[feature]** and **--enable-[feature]** options. -For running the test suite that come with the project, type **make check**. -Note that most tests will need root user privileges and run many dangerous storage fail simulations. -Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug -kernel module to be available. +To run the test suite that come with the project, type **make check**. +Note that most tests will need root user privileges and will run dangerous storage failure simulations. +Do **not** run tests with root privilege on production systems! Some tests will need the **scsi_debug** +kernel module to be installed. -For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html) -and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals. +For more details, please refer to the +[automake](https://www.gnu.org/software/automake/manual/automake.html) and +[autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) documentation. Help! ----- ### Documentation -Please read the following documentation before posting questions in the mailing list... -You will be able to ask better questions and better understand the answers. +Please read the following before posting questions to the mailing list so that +you can ask better questions and better understand answers. * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions), * [LUKS Specifications](#specification-and-documentation), and * manuals (aka man page, man pages, man-page) -The FAQ is online and in the source code for the project. The Specifications are referenced above -in this document. The man pages are in source and should be available after installation using -standard man commands, e.g. **man cryptsetup**. +The FAQ is available online and in the source code for the project. The specifications are +referenced above in this document. The man pages live within the source tree and should be +available after installation using standard man commands, e.g. **man cryptsetup**. ### Mailing List - For cryptsetup and LUKS related questions, please use the cryptsetup mailing list [cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev), hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html). -To subscribe send an empty mail to +To subscribe send an empty email message to [cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev). You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/). -News (NNTP), Atom feed and git access to public inbox is available through [lore.kernel.org](https://lore.kernel.org) service. +USEnet News (NNTP), Atom feed and git access to the public inbox is available through +[lore.kernel.org](https://lore.kernel.org) service. -The former dm-crypt [list archive](https://lore.kernel.org/dm-crypt/) is also available. +The former **dm-crypt** [list archive](https://lore.kernel.org/dm-crypt/) is also available. diff --git a/configure.ac b/configure.ac index ccf2112..84cef4b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,9 +1,9 @@ AC_PREREQ([2.67]) -AC_INIT([cryptsetup],[2.6.1]) +AC_INIT([cryptsetup],[2.7.0]) dnl library version from ..[-] LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-) -LIBCRYPTSETUP_VERSION_INFO=21:0:9 +LIBCRYPTSETUP_VERSION_INFO=22:0:10 AM_SILENT_RULES([yes]) AC_CONFIG_SRCDIR(src/cryptsetup.c) @@ -128,7 +128,6 @@ if test "x$enable_largefile" = "xno"; then AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.]) fi -AC_C_CONST AC_C_BIGENDIAN AC_TYPE_OFF_T AC_SYS_LARGEFILE @@ -267,6 +266,9 @@ AC_DEFUN([CONFIGURE_GCRYPT], [ GCRYPT_REQ_VERSION=1.1.42 fi + use_internal_pbkdf2=0 + use_internal_argon2=1 + dnl libgcrypt rejects to use pkgconfig, use AM_PATH_LIBGCRYPT from gcrypt-devel here. dnl Do not require gcrypt-devel if other crypto backend is used. m4_ifdef([AM_PATH_LIBGCRYPT],[ @@ -290,7 +292,24 @@ AC_DEFUN([CONFIGURE_GCRYPT], [ NO_FIPS([]) fi + m4_ifdef([AM_PATH_LIBGCRYPT],[ + AC_ARG_ENABLE([gcrypt-argon2], + dnl Check if we can use gcrypt Argon2 (1.11.0 supports empty password) + AS_HELP_STRING([--disable-gcrypt-argon2], [force disable internal gcrypt Argon2]), + [], + [AM_PATH_LIBGCRYPT([1.11.0], [use_internal_argon2=0], [use_internal_argon2=1])]) + AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])], + AC_MSG_ERROR([Missing support for gcrypt: install gcrypt and regenerate configure.])) + + AC_MSG_CHECKING([if internal cryptsetup Argon2 is compiled-in]) + if test $use_internal_argon2 = 0; then + AC_MSG_RESULT([no]) + else + AC_MSG_RESULT([yes]) + fi + AC_CHECK_DECLS([GCRY_CIPHER_MODE_XTS], [], [], [#include ]) + AC_CHECK_DECLS([GCRY_KDF_ARGON2], [], [], [#include ]) if test "x$enable_static_cryptsetup" = "xyes"; then saved_LIBS=$LIBS @@ -310,19 +329,25 @@ AC_DEFUN([CONFIGURE_GCRYPT], [ ]) AC_DEFUN([CONFIGURE_OPENSSL], [ - PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],, + PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 0.9.8],, AC_MSG_ERROR([You need openssl library.])) - CRYPTO_CFLAGS=$OPENSSL_CFLAGS - CRYPTO_LIBS=$OPENSSL_LIBS + CRYPTO_CFLAGS=$LIBCRYPTO_CFLAGS + CRYPTO_LIBS=$LIBCRYPTO_LIBS use_internal_pbkdf2=0 + use_internal_argon2=1 if test "x$enable_static_cryptsetup" = "xyes"; then saved_PKG_CONFIG=$PKG_CONFIG PKG_CONFIG="$PKG_CONFIG --static" - PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl]) - CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS + PKG_CHECK_MODULES([LIBCRYPTO_STATIC], [libcrypto]) + CRYPTO_STATIC_LIBS=$LIBCRYPTO_STATIC_LIBS PKG_CONFIG=$saved_PKG_CONFIG fi + + saved_LIBS=$LIBS + AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include ]) + AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [], [], [#include ]) + LIBS=$saved_LIBS ]) AC_DEFUN([CONFIGURE_NSS], [ @@ -343,6 +368,7 @@ AC_DEFUN([CONFIGURE_NSS], [ CRYPTO_CFLAGS=$NSS_CFLAGS CRYPTO_LIBS=$NSS_LIBS use_internal_pbkdf2=1 + use_internal_argon2=1 NO_FIPS([]) ]) @@ -353,6 +379,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [ # [AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])], # [#include ]) use_internal_pbkdf2=1 + use_internal_argon2=1 NO_FIPS([]) ]) @@ -369,6 +396,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [ CRYPTO_STATIC_LIBS=$CRYPTO_LIBS use_internal_pbkdf2=0 + use_internal_argon2=1 NO_FIPS([]) ]) @@ -493,7 +521,15 @@ AC_ARG_ENABLE([internal-argon2], AC_ARG_ENABLE([libargon2], AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)])) -if test "x$enable_libargon2" = "xyes" ; then +if test $use_internal_argon2 = 0 -o "x$enable_internal_argon2" = "xno" ; then + if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then + AC_MSG_WARN([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.]) + fi + enable_internal_argon2=no + enable_internal_sse_argon2=no + enable_libargon2=no + use_internal_argon2=0 +elif test "x$enable_libargon2" = "xyes" ; then AC_CHECK_HEADERS(argon2.h,, [AC_MSG_ERROR([You need libargon2 development library installed.])]) AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include ]) @@ -517,11 +553,10 @@ else fi fi -if test "x$enable_internal_argon2" = "xyes"; then - AC_DEFINE(USE_INTERNAL_ARGON2, 1, [Use internal Argon2]) -fi AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test "x$enable_internal_argon2" = "xyes") AM_CONDITIONAL(CRYPTO_INTERNAL_SSE_ARGON2, test "x$enable_internal_sse_argon2" = "xyes") +dnl If libargon is in use, we have defined HAVE_ARGON2_H +AC_DEFINE_UNQUOTED(USE_INTERNAL_ARGON2, [$use_internal_argon2], [Use internal Argon2]) dnl Link with blkid to check for other device types AC_ARG_ENABLE([blkid], @@ -556,6 +591,27 @@ AM_CONDITIONAL(HAVE_BLKID, test "x$enable_blkid" = "xyes") AM_CONDITIONAL(HAVE_BLKID_WIPE, test "x$enable_blkid_wipe" = "xyes") AM_CONDITIONAL(HAVE_BLKID_STEP_BACK, test "x$enable_blkid_step_back" = "xyes") +AC_ARG_ENABLE([hw-opal], + AS_HELP_STRING([--disable-hw-opal], [disable use of hardware-backed OPAL for device encryption]), + [], + [enable_hw_opal=yes]) + +if test "x$enable_hw_opal" = "xyes"; then + have_opal=yes + AC_CHECK_DECLS([ OPAL_FL_SUM_SUPPORTED, + IOC_OPAL_GET_LR_STATUS, + IOC_OPAL_GET_GEOMETRY + ], + [], + [have_opal=no], + [#include ]) + if test "x$have_opal" = "xyes"; then + AC_DEFINE([HAVE_HW_OPAL], 1, [Define to 1 to enable OPAL support.]) + else + AC_MSG_WARN([Can not compile with OPAL support, kernel headers are too old, requires v6.4.]) + fi +fi + dnl Magic for cryptsetup.static build. if test "x$enable_static_cryptsetup" = "xyes"; then saved_PKG_CONFIG=$PKG_CONFIG @@ -634,16 +690,16 @@ dnl Set Requires.private for libcryptsetup.pc dnl pwquality is used only by tools PKGMODULES="uuid devmapper json-c" case $with_crypto_backend in - gcrypt) PKGMODULES+=" libgcrypt" ;; - openssl) PKGMODULES+=" openssl" ;; - nss) PKGMODULES+=" nss" ;; - nettle) PKGMODULES+=" nettle" ;; + gcrypt) PKGMODULES="$PKGMODULES libgcrypt" ;; + openssl) PKGMODULES="$PKGMODULES openssl" ;; + nss) PKGMODULES="$PKGMODULES nss" ;; + nettle) PKGMODULES="$PKGMODULES nettle" ;; esac if test "x$enable_libargon2" = "xyes"; then - PKGMODULES+=" libargon2" + PKGMODULES="$PKGMODULES libargon2" fi if test "x$enable_blkid" = "xyes"; then - PKGMODULES+=" blkid" + PKGMODULES="$PKGMODULES blkid" fi AC_SUBST([PKGMODULES]) dnl ========================================================================== @@ -681,9 +737,9 @@ AC_DEFUN([CS_ABSPATH], [ ]) dnl ========================================================================== -CS_STR_WITH([plain-hash], [password hashing function for plain mode], [ripemd160]) +CS_STR_WITH([plain-hash], [password hashing function for plain mode], [sha256]) CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes]) -CS_STR_WITH([plain-mode], [cipher mode for plain mode], [cbc-essiv:sha256]) +CS_STR_WITH([plain-mode], [cipher mode for plain mode], [xts-plain64]) CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256]) CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha256]) diff --git a/docs/Keyring.txt b/docs/Keyring.txt index bdcc838..afe071a 100644 --- a/docs/Keyring.txt +++ b/docs/Keyring.txt @@ -12,30 +12,53 @@ no longer stored directly in dm-crypt target. Starting with cryptsetup 2.0 we load VK in kernel keyring by default for LUKSv2 devices (when dm-crypt with the feature is available). -Currently cryptsetup loads VK in 'logon' type kernel key so that VK is passed in -the kernel and can't be read from userspace afterward. Also cryptsetup loads VK in -thread keyring (before passing the reference to dm-crypt target) so that the key +Currently, cryptsetup loads VK in 'logon' type kernel key so that VK is passed in +the kernel and can't be read from userspace afterwards. Also, cryptsetup loads VK in +the thread keyring (before passing the reference to dm-crypt target) so that the key lifetime is directly bound to the process that performs the dm-crypt setup. When -cryptsetup process exits (for whatever reason) the key gets unlinked in kernel +cryptsetup process exits (for whatever reason) the key gets unlinked in the kernel automatically. In summary, the key description visible in dm-crypt table line is a reference to VK that usually no longer exists in kernel keyring service if you -used cryptsetup to for device activation. +used cryptsetup for device activation. Using this feature dm-crypt no longer maintains a direct key copy (but there's -always at least one copy in kernel crypto layer). +always at least one copy in the kernel crypto layer). + +Additionally, libcryptsetup supports the linking of volume keys to +user-specified kernel keyring with crypt_set_keyring_to_link(). The user may +specify keyring name, key type ('user' or 'logon') and key description where +libcryptsetup should link the verified volume key upon subsequent device +activation (or key verification alone). + +The volume key(s) (provided the key type is 'user') linked in the user keyring +can be later used to activate the device via crypt_activate_by_keyslot_context() +with CRYPT_KC_TYPE_VK_KEYRING type keyslot context +(acquired by crypt_keyslot_context_init_by_vk_in_keyring()). + +Example of how to use volume key linked in custom user keyring from cryptsetup +utility: + +1) Open the device and store the volume key to the session keyring: +# cryptsetup open --link-vk-to-keyring "@s::%user:testkey" tst + +2) Add a keyslot using the stored volume key in a keyring: +# cryptsetup luksAddKey --volume-key-keyring "%user:testkey" + +3) Activate the device using the volume key cached in a keyring ('user' type key) +# cryptsetup open --volume-key-keyring "testkey" II) Keyslot passphrase The second use case for kernel keyring is to allow cryptsetup reading the keyslot -passphrase stored in kernel keyring instead. The user may load passphrase in kernel +passphrase stored in kernel keyring instead. The user may load the passphrase in the kernel keyring and notify cryptsetup to read it from there later. Currently, cryptsetup cli supports kernel keyring for passphrase only via LUKS2 internal token -(luks2-keyring). Library also provides a general method for device activation by -reading passphrase from keyring: crypt_activate_by_keyring(). The key type +(luks2-keyring). The library also provides a general method for device activation by +reading the passphrase from the keyring: crypt_activate_by_keyring(). The key type for use case II) must always be 'user' since we need to read the actual key -data from userspace unlike with VK in I). Ability to read keyslot passphrase -from kernel keyring also allows easily auto-activate LUKS2 devices. +data from userspace unlike with VK in I). The ability to read keyslot passphrases +from kernel keyring also allows easy auto-activate LUKS2 devices. -Simple example how to use kernel keyring for keyslot passphrase: +Simple example of how to use kernel keyring for keyslot passphrase: 1) create LUKS2 keyring token for keyslot 0 (in LUKS2 device/image) cryptsetup token add --key-description my:key -S 0 /dev/device @@ -43,7 +66,7 @@ cryptsetup token add --key-description my:key -S 0 /dev/device 2) Load keyslot passphrase in user keyring read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u -3) Activate device using passphrase stored in kernel keyring +3) Activate the device using the passphrase stored in the kernel keyring cryptsetup open /dev/device my_unlocked_device 4a) unlink the key when no longer needed by @@ -52,5 +75,5 @@ keyctl unlink %user:my:key @u 4b) or revoke it immediately by keyctl revoke %user:my:key -If cryptsetup asks for passphrase in step 3) something went wrong with keyring +If cryptsetup asks for a passphrase in step 3) something went wrong with keyring activation. See --debug output then. diff --git a/docs/LUKS2-locking.txt b/docs/LUKS2-locking.txt index e401b61..ccc80d8 100644 --- a/docs/LUKS2-locking.txt +++ b/docs/LUKS2-locking.txt @@ -5,7 +5,7 @@ Why ~~~ LUKS2 format keeps two identical copies of metadata stored consecutively -at the head of metadata device (file or bdev). The metadata +at the head of the metadata device (file or bdev). The metadata area (both copies) must be updated in a single atomic operation to avoid header corruption during concurrent write. @@ -15,17 +15,17 @@ locking with legacy format was not so obvious as it is with the LUKSv2 format. With LUKS2 the boundary between read-only and read-write is blurry and what used to be the exclusively read-only operation (i.e., cryptsetup open command) may -easily become read-update operation silently without user's knowledge. -Major feature of LUKS2 format is resilience against accidental +easily become read-update operation silently without the user's knowledge. +A major feature of the LUKS2 format is resilience against accidental corruption of metadata (i.e., partial header overwrite by parted or cfdisk -while creating partition on mistaken block device). -Such header corruption is detected early on header read and auto-recovery +while creating a partition on a mistaken block device). +Such header corruption is detected early on the header read and the auto-recovery procedure takes place (the corrupted header with checksum mismatch is being replaced by the secondary one if that one is intact). -On current Linux systems header load operation may be triggered without user -direct intervention for example by udev rule or from systemd service. -Such clash of header read and auto-recovery procedure could have severe -consequences with the worst case of having LUKS2 device unaccessible or being +On current Linux systems header load operation may be triggered without the user +direct intervention for example by an udev rule or from a systemd service. +Such a clash of header read and auto-recovery procedure could have severe +consequences with the worst case of having a LUKS2 device inaccessible or being broken beyond repair. The whole locking of LUKSv2 device headers split into two categories depending @@ -36,17 +36,17 @@ I) block device We perform flock() on file descriptors of files stored in a private directory (by default /run/lock/cryptsetup). The file name is derived -from major:minor couple of affected block device. Note we recommend -that access to private locking directory is supposed to be limited -to superuser only. For this method to work the distribution needs +from major:minor couple of the affected block device. Note we recommend +that access to the private locking directory is supposed to be limited +to the superuser only. For this method to work the distribution needs to install the locking directory with appropriate access rights. II) regular files ~~~~~~~~~~~~~~~~~ -First notable difference between headers stored in a file +A first notable difference between headers stored in a file vs. headers stored in a block device is that headers in a file may be -manipulated by the regular user unlike headers on block devices. Therefore +manipulated by the regular user, unlike headers on block devices. Therefore we perform flock() protection on file with the luks2 header directly. Limitations @@ -58,4 +58,40 @@ while locking is enabled. We do not suppress any other negative effect that two or more concurrent writers of the same header may cause. -b) The locking is not cluster aware in any way. +b) The locking is not cluster-aware in any way. + +Additional LUKS2 locks +====================== + +LUKS2 reencryption device lock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Device in LUKS2 reencryption is protected by an exclusive lock placed in the default +locking directory. The lock's purpose is to exclude multiple processes from +performing reencryption on the same device (identified by LUKS uuid). The lock +is taken no matter the LUKS2 reencryption mode (online or offline). + +LUKS2 memory hard global lock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +An optional global lock that makes libcryptsetup serialize memory hard +pbkdf function when deriving a key encryption key from passphrase on unlocking +LUKS2 keyslot. The lock has to be enabled via the CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF +flag. The lock is placed in the default locking directory. + +LUKS2 OPAL lock +~~~~~~~~~~~~~~~ + +Exclusive per device lock taken when manipulating LUKS2 device configured for use with +SED OPAL2 locking range. + +Lock ordering +============= + +To avoid a deadlock following rules must apply: + +- LUKS2 reencrytpion lock must be taken before LUKS2 OPAL lock. + +- LUKS2 OPAL lock must be taken before LUKS2 metadata lock. + +- LUKS2 memory hard global lock can not be used with other locks. diff --git a/docs/doxyfile b/docs/doxyfile index 0943772..86cbdb0 100644 --- a/docs/doxyfile +++ b/docs/doxyfile @@ -1,4 +1,4 @@ -# Doxyfile 1.9.1 +# Doxyfile 1.9.8 #--------------------------------------------------------------------------- # Project related configuration options @@ -10,9 +10,9 @@ PROJECT_BRIEF = "Public cryptsetup API" PROJECT_LOGO = OUTPUT_DIRECTORY = doxygen_api_docs CREATE_SUBDIRS = NO +CREATE_SUBDIRS_LEVEL = 8 ALLOW_UNICODE_NAMES = NO OUTPUT_LANGUAGE = English -OUTPUT_TEXT_DIRECTION = None BRIEF_MEMBER_DESC = YES REPEAT_BRIEF = YES ABBREVIATE_BRIEF = @@ -39,6 +39,7 @@ OPTIMIZE_OUTPUT_SLICE = NO EXTENSION_MAPPING = MARKDOWN_SUPPORT = YES TOC_INCLUDE_HEADINGS = 5 +MARKDOWN_ID_STYLE = DOXYGEN AUTOLINK_SUPPORT = YES BUILTIN_STL_SUPPORT = NO CPP_CLI_SUPPORT = NO @@ -52,6 +53,7 @@ INLINE_SIMPLE_STRUCTS = NO TYPEDEF_HIDES_STRUCT = YES LOOKUP_CACHE_SIZE = 0 NUM_PROC_THREADS = 1 +TIMESTAMP = NO #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- @@ -72,6 +74,7 @@ INTERNAL_DOCS = NO CASE_SENSE_NAMES = YES HIDE_SCOPE_NAMES = NO HIDE_COMPOUND_REFERENCE= NO +SHOW_HEADERFILE = YES SHOW_INCLUDE_FILES = YES SHOW_GROUPED_MEMB_INC = NO FORCE_LOCAL_INCLUDES = NO @@ -101,9 +104,12 @@ QUIET = NO WARNINGS = YES WARN_IF_UNDOCUMENTED = YES WARN_IF_DOC_ERROR = YES +WARN_IF_INCOMPLETE_DOC = YES WARN_NO_PARAMDOC = NO +WARN_IF_UNDOC_ENUM_VAL = NO WARN_AS_ERROR = NO WARN_FORMAT = "$file:$line: $text" +WARN_LINE_FORMAT = "at line $line of file $file" WARN_LOGFILE = #--------------------------------------------------------------------------- # Configuration options related to the input files @@ -111,6 +117,7 @@ WARN_LOGFILE = INPUT = doxygen_index.h \ ../lib/libcryptsetup.h INPUT_ENCODING = UTF-8 +INPUT_FILE_ENCODING = FILE_PATTERNS = RECURSIVE = NO EXCLUDE = @@ -126,6 +133,7 @@ FILTER_PATTERNS = FILTER_SOURCE_FILES = NO FILTER_SOURCE_PATTERNS = USE_MDFILE_AS_MAINPAGE = +FORTRAN_COMMENT_AFTER = 72 #--------------------------------------------------------------------------- # Configuration options related to source browsing #--------------------------------------------------------------------------- @@ -158,15 +166,17 @@ HTML_FOOTER = HTML_STYLESHEET = HTML_EXTRA_STYLESHEET = HTML_EXTRA_FILES = +HTML_COLORSTYLE = AUTO_LIGHT HTML_COLORSTYLE_HUE = 220 HTML_COLORSTYLE_SAT = 100 HTML_COLORSTYLE_GAMMA = 80 -HTML_TIMESTAMP = YES HTML_DYNAMIC_MENUS = YES HTML_DYNAMIC_SECTIONS = NO +HTML_CODE_FOLDING = YES HTML_INDEX_NUM_ENTRIES = 100 GENERATE_DOCSET = NO DOCSET_FEEDNAME = "Doxygen generated docs" +DOCSET_FEEDURL = DOCSET_BUNDLE_ID = org.doxygen.Project DOCSET_PUBLISHER_ID = org.doxygen.Publisher DOCSET_PUBLISHER_NAME = Publisher @@ -177,6 +187,7 @@ GENERATE_CHI = NO CHM_INDEX_ENCODING = BINARY_TOC = NO TOC_EXPAND = NO +SITEMAP_URL = GENERATE_QHP = NO QCH_FILE = QHP_NAMESPACE = org.doxygen.Project @@ -189,14 +200,16 @@ GENERATE_ECLIPSEHELP = NO ECLIPSE_DOC_ID = org.doxygen.Project DISABLE_INDEX = NO GENERATE_TREEVIEW = NO +FULL_SIDEBAR = NO ENUM_VALUES_PER_LINE = 4 TREEVIEW_WIDTH = 250 EXT_LINKS_IN_WINDOW = NO +OBFUSCATE_EMAILS = YES HTML_FORMULA_FORMAT = png FORMULA_FONTSIZE = 10 -FORMULA_TRANSPARENT = YES FORMULA_MACROFILE = USE_MATHJAX = NO +MATHJAX_VERSION = MathJax_2 MATHJAX_FORMAT = HTML-CSS MATHJAX_RELPATH = http://www.mathjax.org/mathjax MATHJAX_EXTENSIONS = @@ -227,9 +240,7 @@ PDF_HYPERLINKS = YES USE_PDFLATEX = YES LATEX_BATCHMODE = NO LATEX_HIDE_INDICES = NO -LATEX_SOURCE_CODE = NO LATEX_BIB_STYLE = plain -LATEX_TIMESTAMP = NO LATEX_EMOJI_DIRECTORY = #--------------------------------------------------------------------------- # Configuration options related to the RTF output @@ -240,7 +251,6 @@ COMPACT_RTF = NO RTF_HYPERLINKS = NO RTF_STYLESHEET_FILE = RTF_EXTENSIONS_FILE = -RTF_SOURCE_CODE = NO #--------------------------------------------------------------------------- # Configuration options related to the man page output #--------------------------------------------------------------------------- @@ -261,12 +271,17 @@ XML_NS_MEMB_FILE_SCOPE = NO #--------------------------------------------------------------------------- GENERATE_DOCBOOK = NO DOCBOOK_OUTPUT = docbook -DOCBOOK_PROGRAMLISTING = NO #--------------------------------------------------------------------------- # Configuration options for the AutoGen Definitions output #--------------------------------------------------------------------------- GENERATE_AUTOGEN_DEF = NO #--------------------------------------------------------------------------- +# Configuration options related to Sqlite3 output +#--------------------------------------------------------------------------- +GENERATE_SQLITE3 = NO +SQLITE3_OUTPUT = sqlite3 +SQLITE3_RECREATE_DB = YES +#--------------------------------------------------------------------------- # Configuration options related to the Perl module output #--------------------------------------------------------------------------- GENERATE_PERLMOD = NO @@ -294,15 +309,14 @@ ALLEXTERNALS = NO EXTERNAL_GROUPS = YES EXTERNAL_PAGES = YES #--------------------------------------------------------------------------- -# Configuration options related to the dot tool +# Configuration options related to diagram generator tools #--------------------------------------------------------------------------- -CLASS_DIAGRAMS = YES -DIA_PATH = HIDE_UNDOC_RELATIONS = YES HAVE_DOT = NO DOT_NUM_THREADS = 0 -DOT_FONTNAME = Helvetica -DOT_FONTSIZE = 10 +DOT_COMMON_ATTR = "fontname=Helvetica,fontsize=10" +DOT_EDGE_ATTR = "labelfontname=Helvetica,labelfontsize=10" +DOT_NODE_ATTR = "shape=box,height=0.2,width=0.4" DOT_FONTPATH = CLASS_GRAPH = YES COLLABORATION_GRAPH = YES @@ -318,18 +332,20 @@ CALL_GRAPH = NO CALLER_GRAPH = NO GRAPHICAL_HIERARCHY = YES DIRECTORY_GRAPH = YES +DIR_GRAPH_MAX_DEPTH = 1 DOT_IMAGE_FORMAT = png INTERACTIVE_SVG = NO DOT_PATH = DOTFILE_DIRS = -MSCFILE_DIRS = +DIA_PATH = DIAFILE_DIRS = PLANTUML_JAR_PATH = PLANTUML_CFG_FILE = PLANTUML_INCLUDE_PATH = DOT_GRAPH_MAX_NODES = 50 MAX_DOT_GRAPH_DEPTH = 0 -DOT_TRANSPARENT = NO DOT_MULTI_TARGETS = NO GENERATE_LEGEND = YES DOT_CLEANUP = YES +MSCGEN_TOOL = +MSCFILE_DIRS = diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c index 3d08c34..4d4cb92 100644 --- a/docs/examples/crypt_log_usage.c +++ b/docs/examples/crypt_log_usage.c @@ -1,7 +1,7 @@ /* * libcryptsetup API log example * - * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c index d7779bd..b690378 100644 --- a/docs/examples/crypt_luks_usage.c +++ b/docs/examples/crypt_luks_usage.c @@ -1,7 +1,7 @@ /* * libcryptsetup API - using LUKS device example * - * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/docs/on-disk-format-luks2.pdf b/docs/on-disk-format-luks2.pdf index d89bcef..e5a8f05 100644 Binary files a/docs/on-disk-format-luks2.pdf and b/docs/on-disk-format-luks2.pdf differ diff --git a/docs/v2.7.0-ReleaseNotes b/docs/v2.7.0-ReleaseNotes new file mode 100644 index 0000000..6af199b --- /dev/null +++ b/docs/v2.7.0-ReleaseNotes @@ -0,0 +1,437 @@ +Cryptsetup 2.7.0 Release Notes +============================== +Stable release with new features and bug fixes. + +Changes since version 2.6.1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Introduce support for hardware OPAL disk encryption. + + Some SATA and NVMe devices support hardware encryption through OPAL2 + TCG interface (SEDs - self-encrypting drives). Using hardware disk + encryption is controversial as you must trust proprietary hardware. + + On the other side, using both software and hardware encryption + layers increases the security margin by adding an additional layer + of protection. There is usually no performance drop if OPAL encryption + is used (the drive always operates with full throughput), and it does + not add any utilization to the main CPU. + + LUKS2 now supports hardware encryption through the Linux kernel + SED OPAL interface (CONFIG_BLK_SED_OPAL Linux kernel option must be + enabled). Cryptsetup OPAL is never enabled by default; you have to use + luksFormat parameters to use it. OPAL support can be disabled during + the build phase with --disable-hw-opal configure option. + + LUKS2 OPAL encryption is configured the same way as software encryption + - it stores metadata in the LUKS2 header and activates encryption for + the data area on the disk (configured OPAL locking range). + LUKS2 header metadata must always be visible (thus not encrypted). + The key stored in LUKS2 keyslots contains two parts - volume key + for software (dm-crypt) encryption and unlocking key for OPAL. + OPAL unlocking key is independent of the dm-crypt volume key and is + always 256 bits long. Cryptsetup does not support full drive OPAL + encryption; only a specific locking range is always used. + + If the OPAL device is in its initial factory state (after factory + reset), cryptsetup needs to configure the OPAL admin user and password. + If the OPAL admin user is already set, the OPAL password must be + provided during luksFormat. + The provided password is needed only to configure or reset the OPAL + locking range; LUKS device activation requires LUKS passphrase only. + LUKS passphrase should be different from OPAL password (OPAL admin user + is configured inside OPAL hardware while LUKS unlocking passphrase + unlocks LUKS keyslot). + + OPAL encryption can be used in combination with software (dm-crypt) + encryption (--hw-opal option) or without the software layer + (--hw-opal-only option). + You can see the configured segment parameters in the luksDump command. + LUKS2 devices with OPAL segments set a new requirement flag in + the LUKS2 header to prevent older cryptsetup metadata manipulation. + Do not use hardware-only encryption if you do not fully trust your + hardware vendor. + + Compatibility notes: + - Linux kernel SED interface does NOT work through USB external + adapters due to the missing compatibility layer in Linux USB storage + drivers (even if USB hardware itself can support OPAL commands). + - other TCG security subsystems like Ruby or Pyrite are not + supported. Note that many drives support only Pyrite subsystem that + does NOT encrypt data (it provides only authentication). + - compatibility among OPAL-enabled drives is often very problematic, + specifically for older drives. Many drives have bugs in the firmware + that make the Linux kernel interface unusable. + - if you forget the OPAL admin password, the only way to recover is + the full drive factory reset through the PSID key (usually printed + on the drive itself) that wipes all data on the drive (not only the + LUKS area). + - cryptsetup reencryption is not supported for LUKS2 OPAL-enabled + devices + - most OPAL drives use AES-XTS cipher mode (older drives can use + AES-CBC). This information is not available through kernel SED API. + - locked OPAL locking ranges return IO errors while reading; this + can produce a lot of scary messages in the log if some tools (like + blkid) try to read the locked area. + + Examples: + + * Formatting the drive + Use --hw-opal with luksFormat (or --hw-opal-only for hardware only + encryption): + + # cryptsetup luksFormat --hw-opal + Enter passphrase for : *** + Enter OPAL Admin password: *** + + * Check configuration with luksDump. + Note "hw-opal-crypt" segment that uses both dm-crypt and OPAL + encryption - keyslot stores 768 bits key (512 sw + 256 bits OPAL key). + + # cryptsetup luksDump + LUKS header information + Version: 2 + ... + Data segments: + 0: hw-opal-crypt + offset: 16777216 [bytes] + length: ... [bytes] + cipher: aes-xts-plain64 + sector: 512 [bytes] + HW OPAL encryption: + OPAL segment number: 1 + OPAL key: 256 bits + OPAL segment length: ... [bytes] + Keyslots: + 0: luks2 + Key: 768 bits + ... + + For devices with OPAL encryption ONLY (only 256 bits OPAL unlocking + key is stored): + LUKS header information + Version: 2 + ... + + Data segments: + 0: hw-opal + offset: 16777216 [bytes] + length: ... [bytes] + cipher: (no SW encryption) + HW OPAL encryption: + OPAL segment number: 1 + OPAL key: 256 bits + OPAL segment length: ... [bytes] + Keyslots: + 0: luks2 + Key: 256 bits + ... + + * Activation and deactivation (open, close, luksSuspend, luksResume) + with OPAL works the same as for the LUKS2 device. + + * Erase LUKS metadata (keyslots) and remove OPAL locking range: + # cryptsetup luksErase + Enter OPAL Admin password: *** + + The LUKS header is destroyed (unlike in normal LUKS luksErase) as + data are no longer accessible even with previous volume key knowledge. + + * Factory reset OPAL drive (if you do not know the Admin password). + You need the PSID (physical presence security ID), which is usually + printed on the device label. Note this will reset the device to + factory state, erasing all data on it (not only LUKS). + + # cryptsetup luksErase --hw-opal-factory-reset + Enter OPAL PSID: *** + +* plain mode: Set default cipher to aes-xts-plain64 and password hashing + to sha256. + + NOTE: this is a backward incompatible change for plain mode (if you + rely on defaults). It is not relevant for LUKS devices. + + The default plain encryption mode was CBC for a long time, with many + performance problems. Using XTS mode aligns it with LUKS defaults. + + The hash algorithm for plain mode was ripemd160, which is considered + deprecated, so the new default is sha256. + + The default key size remains 256 bits (it means using AES-128 as XTS + requires two keys). + + Always specify cipher, hash, and key size for plain mode (or even + better, use LUKS as it stores all options in its metadata on disk). + As we need to upgrade algorithms from time to time because of security + reasons, cryptsetup now warns users to specify these options explicitly + in the open cryptsetup command if plain mode is used. + Cryptsetup does not block using any legacy encryption type; just it + must be specified explicitly on the cryptsetup command line. + + You can configure these defaults during build time if you need to + enforce backward compatibility. + To get the backward-compatible setting, use: + --with-plain-hash=ripemd160 --with-plain-cipher=aes + --with-plain-mode=cbc-essiv:sha256 + + Compiled-in defaults are visible in cryptsetup --help output. + +* Allow activation (open), luksResume, and luksAddKey to use the volume + key stored in a keyring. +* Allow to store volume key to a user-specified keyring in open and + luksResume commands. + + These options are intended to be used for integration with other + systems for automation. + + Users can now use the volume key (not passphrase) stored in arbitrary + kernel keyring and directly use it in particular cryptsetup commands + with --volume-key-keyring option. The keyring can use various policies + (set outside of the cryptsetup scope, for example, by keyctl). + + The --volume-key-keyring option takes a key description in + keyctl-compatible syntax and can either be a numeric key ID or + a string name in the format [%:]. + The default key type is "user". + + To store the volume key in a keyring, you can use cryptsetup with + --link-vk-to-keyring option that is available for open and luksResume + cryptsetup command. The option argument has a more complex format: + ::. + The contains the existing kernel keyring + description (numeric id or keyctl format). The + may be optionally prefixed with "%:" or "%keyring:". The string "::" is + a delimiter that separates keyring and key descriptions. + The has the same syntax as used in the + --volume-key-keyring option. + + Example: + + Open the device and store the volume key to the keyring: + # cryptsetup open --link-vk-to-keyring "@s::%user:testkey" tst + + Add keyslot using the stored key in a keyring: + # cryptsetup luksAddKey --volume-key-keyring "%user:testkey" + +* Do not flush IO operations if resize grows the device. + This can help performance in specific cases where the encrypted device + is extended automatically while running many IO operations. + +* Use only half of detected free memory for Argon2 PBKDF on systems + without swap (for LUKS2 new keyslot or format operations). + + This should avoid out-of-memory crashes on low-memory systems without + swap. The benchmark for memory-hard KDF during format is tricky, and + it seems that relying on the maximum half of physical memory is not + enough; relying on free memory should bring the needed security margin + while still using Argon2. + There is no change for systems with active swap. + Note, for very-low memory-constrained systems, a user should avoid + memory-hard PBKDF completely (manually select legacy PBKDF2 instead + of Argon2); cryptsetup does not change PBKDF automatically. + +* Add the possibility to specify a directory for external LUKS2 token + handlers (plugins). + + Use --external-tokens-path parameter in cryptsetup or + crypt_token_set_external_path API call. The parameter is required to be + an absolute path, and it is set per process context. This parameter is + intended mainly for testing and developing new tokens. + +* Do not allow reencryption/decryption on LUKS2 devices with + authenticated encryption or hardware (OPAL) encryption. + + The operation fails later anyway; cryptsetup now detects incompatible + parameters early. + +* Do not fail LUKS format if the operation was interrupted on subsequent + device wipe. + + Device wipe (used with authenticated encryption) is an optional + operation and can be interrupted; not yet wiped part of the device will + only report integrity errors (until overwritten with new data). + +* Fix the LUKS2 keyslot option to be used while activating the device + by a token. + + It can also be used to check if a specific token (--token-id) can + unlock a specific keyslot (--key-slot option) when --test-passphrase + option is specified. + +* Properly report if the dm-verity device cannot be activated due to + the inability to verify the signed root hash (ENOKEY). + +* Fix to check passphrase for selected keyslot only when adding + new keyslot. + + If the user specifies the exact keyslot to unlock, cryptsetup no longer + checks other keyslots. + +* Fix to not wipe the keyslot area before in-place overwrite. + + If the LUKS2 keyslot area has to be overwritten (due to lack of free + space for keyslot swap), cryptsetup does not wipe the affected area as + the first step (it will be overwritten later anyway). + Previously, there was an unnecessary risk of losing the keyslot data + if the code crashed before adding the new keyslot. + + If there is enough space in the keyslot area, cryptsetup never + overwrites the older keyslot before the new one is written correctly + (even if the keyslot number remains the same). + +* bitlk: Fix segfaults when attempting to verify the volume key. + + Also, clarify that verifying the volume key is impossible without + providing a passphrase or recovery key. + +* Add --disable-blkid command line option to avoid blkid device check. + +* Add support for the meson build system. + + All basic operations are supported (compile, test, and dist) with some + minor exceptions; please see the meson manual for more info. + + The Meson build system will completely replace autotools in some future + major release. Both autotools and meson build systems are supported, + and the release archive is built with autotools. + +* Fix wipe operation that overwrites the whole device if used for LUKS2 + header with no keyslot area. + + Formatting a LUKS2 device with no defined keyslots area is a very + specific operation, and the code now properly recognizes such + configuration. + +* Fix luksErase to work with detached LUKS header. + +* Disallow the use of internal kernel crypto driver names in "capi" + specification. + + The common way to specify cipher mode in cryptsetup is to use + cipher-mode-iv notation (like aes-xts-plain64). + With the introduction of authenticated ciphers, we also allow + "capi:" notation that is directly used by dm-crypt + (e.g., capi:xts(aes)-plain64). + + CAPI specification was never intended to be used directly in the LUKS + header; unfortunately, the code allowed it until now. + Devices with CAPI specification in metadata can no longer be activated; + header repair is required. + + CAPI specification could allow attackers to change the cipher + specification to enforce loading some specific kernel crypto driver + (for example, load driver with known side-channel issues). + This can be problematic, specifically in a cloud environment + (modifying LUKS2 metadata in container image). + + Thanks to Jan Wichelmann, Luca Wilke, and Thomas Eisenbarth from + University of Luebeck for noticing the problems with this code. + +* Fix reencryption to fail early for unknown cipher. + +* tcrypt: Support new Blake2 hash for VeraCrypt. + + VeraCrypt introduces support for Blake2 PRF for PBKDF2; also support it + in cryptsetup compatible tcrypt format. + +* tcrypt: use hash values as substring for limiting KDF check. + + This allows the user to specify --hash sha or --hash blake2 to limit + the KDF scan without the need to specify the full algorithm name + (similar to cipher where we already use substring match). + +* Add Aria cipher support and block size info. + + Aria cipher is similar to AES and is supported in Linux kernel crypto + API in recent releases. + It can be now used also for LUKS keyslot encryption. + +* Do not decrease PBKDF parameters if the user forces them. + + If a user explicitly specifies PBKDF parameters (like iterations, + used memory, or threads), do not limit them, even if it can cause + resource exhaustion. + The force options were mostly used for decreasing parameters, but it + should work even opposite - despite the fact it can mean an + out-of-memory crash. + + The only limits are hard limits per the PBKDF algorithm. + +* Support OpenSSL 3.2 Argon2 implementation. + + Argon2 is now available directly in OpenSSL, so the code no longer + needs to use libargon implementation. + Configure script should detect this automatically. + +* Add support for Argon2 from libgcrypt + (requires yet unreleased gcrypt 1.11). + + Argon2 has been available since version 1.10, but we need version 1.11, + which will allow empty passwords. + +* Used Argon2 PBKDF implementation is now reported in debug mode + in the cryptographic backend version. For native support in + OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed. + If libargon2 is used, "cryptsetup libargon2" (for embedded + library) or "external libargon2" is displayed. + +* Link only libcrypto from OpenSSL. + + This reduces dependencies as other OpenSSL libraries are not needed. + +* Disable reencryption for Direct-Access (DAX) devices. + + Linux kernel device-mapper cannot stack DAX/non-DAX devices in + the mapping table, so online reencryption cannot work. Detect DAX + devices and warn users during LUKS format. Also, DAX or persistent + memory devices do not provide atomic sector updates; any single + modification can corrupt the whole encryption block. + +* Print a warning message if the device is not aligned to sector size. + + If a partition is resized after format, activation could fail when + the device is not multiple of a sector size. Print at least a warning + here, as the activation error message is visible only in kernel syslog. + +* Fix sector size and integrity fields display for non-LUKS2 crypt + devices for the status command. + +* Fix suspend for LUKS2 with authenticated encryption (also suspend + dm-integrity device underneath). + + This should stop the dm-integrity device from issuing journal updates + and possibly corrupt data if the user also tries to modify the + underlying device. + +* Update keyring and locking documentation and LUKS2 specification + for OPAL2 support. + +Libcryptsetup API extensions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The libcryptsetup API is backward compatible for all existing symbols. + +New symbols: + crypt_activate_by_keyslot_context + crypt_format_luks2_opal + crypt_get_hw_encryption_type + crypt_get_hw_encryption_key_size + crypt_keyslot_context_init_by_keyring + crypt_keyslot_context_init_by_vk_in_keyring + crypt_keyslot_context_init_by_signed_key + crypt_resume_by_keyslot_context + crypt_token_set_external_path + crypt_set_keyring_to_link + crypt_wipe_hw_opal + +New defines (hw encryption status): + CRYPT_SW_ONLY + CRYPT_OPAL_HW_ONLY + CRYPT_SW_AND_OPAL_HW + +New keyslot context types: + CRYPT_KC_TYPE_KEYRING + CRYPT_KC_TYPE_VK_KEYRING + CRYPT_KC_TYPE_SIGNED_KEY + +New requirement flag: + CRYPT_REQUIREMENT_OPAL diff --git a/lib/Makemodule.am b/lib/Makemodule.am index 2e60a90..ae5fab9 100644 --- a/lib/Makemodule.am +++ b/lib/Makemodule.am @@ -103,6 +103,8 @@ libcryptsetup_la_SOURCES = \ lib/luks2/luks2_token.c \ lib/luks2/luks2_internal.h \ lib/luks2/luks2.h \ + lib/luks2/hw_opal/hw_opal.c \ + lib/luks2/hw_opal/hw_opal.h \ lib/utils_blkid.c \ lib/utils_blkid.h \ lib/bitlk/bitlk.h \ diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c index de7bcea..ae533e5 100644 --- a/lib/bitlk/bitlk.c +++ b/lib/bitlk/bitlk.c @@ -1,9 +1,9 @@ /* * BITLK (BitLocker-compatible) volume handling * - * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2019-2023 Milan Broz - * Copyright (C) 2019-2023 Vojtech Trefny + * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2019-2024 Milan Broz + * Copyright (C) 2019-2024 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -735,6 +735,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta { struct volume_key *vk_p; struct bitlk_vmk *vmk_p; + char time[32]; int next_id = 0; int i = 0; @@ -743,7 +744,8 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta log_std(cd, "GUID: \t%s\n", params->guid); log_std(cd, "Sector size: \t%u [bytes]\n", params->sector_size); log_std(cd, "Volume size: \t%" PRIu64 " [bytes]\n", params->volume_size); - log_std(cd, "Created: \t%s", ctime((time_t *)&(params->creation_time))); + if (ctime_r((time_t *)¶ms->creation_time, time)) + log_std(cd, "Created: \t%s", time); log_std(cd, "Description: \t%s\n", params->description); log_std(cd, "Cipher name: \t%s\n", params->cipher); log_std(cd, "Cipher mode: \t%s\n", params->cipher_mode); @@ -982,8 +984,7 @@ static int get_startup_key(struct crypt_device *cd, } } -static int bitlk_kdf(struct crypt_device *cd, - const char *password, +static int bitlk_kdf(const char *password, size_t passwordLen, bool recovery, const uint8_t *salt, @@ -1120,7 +1121,7 @@ int BITLK_get_volume_key(struct crypt_device *cd, next_vmk = params->vmks; while (next_vmk) { if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) { - r = bitlk_kdf(cd, password, passwordLen, false, next_vmk->salt, &vmk_dec_key); + r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key); if (r) { /* something wrong happened, but we still want to check other key slots */ next_vmk = next_vmk->next; @@ -1140,7 +1141,7 @@ int BITLK_get_volume_key(struct crypt_device *cd, continue; } log_dbg(cd, "Trying to use given password as a recovery key."); - r = bitlk_kdf(cd, recovery_key->key, recovery_key->keylength, + r = bitlk_kdf(recovery_key->key, recovery_key->keylength, true, next_vmk->salt, &vmk_dec_key); crypt_free_volume_key(recovery_key); if (r) diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h index 54d3dc7..7eb7321 100644 --- a/lib/bitlk/bitlk.h +++ b/lib/bitlk/bitlk.h @@ -1,9 +1,9 @@ /* * BITLK (BitLocker-compatible) header definition * - * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2019-2023 Milan Broz - * Copyright (C) 2019-2023 Vojtech Trefny + * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2019-2024 Milan Broz + * Copyright (C) 2019-2024 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c index c839b09..99155e8 100644 --- a/lib/crypt_plain.c +++ b/lib/crypt_plain.c @@ -2,8 +2,8 @@ * cryptsetup plain device helper functions * * Copyright (C) 2004 Jana Saout - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/crypto_backend/argon2/meson.build b/lib/crypto_backend/argon2/meson.build new file mode 100644 index 0000000..bb68516 --- /dev/null +++ b/lib/crypto_backend/argon2/meson.build @@ -0,0 +1,28 @@ +libargon2_sources = files( + 'blake2/blake2b.c', + 'argon2.c', + 'core.c', + 'encoding.c', + 'thread.c', +) + +if use_internal_sse_argon2 + libargon2_sources += files( + 'opt.c', + ) +else + libargon2_sources += files( + 'ref.c', + ) +endif + +libargon2 = static_library('argon2', + libargon2_sources, + override_options : ['c_std=c89', 'optimization=3'], + build_by_default : false, + include_directories: include_directories( + 'blake2', + ), + dependencies : [ + threads, + ]) diff --git a/lib/crypto_backend/argon2_generic.c b/lib/crypto_backend/argon2_generic.c index 0ce67da..eca575b 100644 --- a/lib/crypto_backend/argon2_generic.c +++ b/lib/crypto_backend/argon2_generic.c @@ -1,8 +1,8 @@ /* * Argon2 PBKDF2 library wrapper * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -29,14 +29,12 @@ #define CONST_CAST(x) (x)(uintptr_t) +#if USE_INTERNAL_ARGON2 || HAVE_ARGON2_H int argon2(const char *type, const char *password, size_t password_length, const char *salt, size_t salt_length, char *key, size_t key_length, uint32_t iterations, uint32_t memory, uint32_t parallel) { -#if !USE_INTERNAL_ARGON2 && !HAVE_ARGON2_H - return -EINVAL; -#else argon2_type atype; argon2_context context = { .flags = ARGON2_DEFAULT_FLAGS, @@ -54,6 +52,9 @@ int argon2(const char *type, const char *password, size_t password_length, }; int r; + /* This code must not be run if crypt backend library natively supports Argon2 */ + assert(!(crypt_backend_flags() & CRYPT_BACKEND_ARGON2)); + if (!strcmp(type, "argon2i")) atype = Argon2_i; else if(!strcmp(type, "argon2id")) @@ -75,5 +76,33 @@ int argon2(const char *type, const char *password, size_t password_length, } return r; +} + +#else /* USE_INTERNAL_ARGON2 || HAVE_ARGON2_H */ +#pragma GCC diagnostic ignored "-Wunused-parameter" + +int argon2(const char *type, const char *password, size_t password_length, + const char *salt, size_t salt_length, + char *key, size_t key_length, + uint32_t iterations, uint32_t memory, uint32_t parallel) +{ + return -EINVAL; +} + +#endif + +/* Additional string for crypt backend version */ +const char *crypt_argon2_version(void) +{ + const char *version = ""; + + if (crypt_backend_flags() & CRYPT_BACKEND_ARGON2) + return version; + +#if HAVE_ARGON2_H /* this has priority over internal argon2 */ + version = " [external libargon2]"; +#elif USE_INTERNAL_ARGON2 + version = " [cryptsetup libargon2]"; #endif + return version; } diff --git a/lib/crypto_backend/base64.c b/lib/crypto_backend/base64.c index 42f70cb..92e558a 100644 --- a/lib/crypto_backend/base64.c +++ b/lib/crypto_backend/base64.c @@ -4,7 +4,7 @@ * Copyright (C) 2010 Lennart Poettering * * cryptsetup related changes - * Copyright (C) 2021-2023 Milan Broz + * Copyright (C) 2021-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/cipher_check.c b/lib/crypto_backend/cipher_check.c index 98ec1a5..25200a4 100644 --- a/lib/crypto_backend/cipher_check.c +++ b/lib/crypto_backend/cipher_check.c @@ -1,8 +1,8 @@ /* * Cipher performance check * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Milan Broz + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/cipher_generic.c b/lib/crypto_backend/cipher_generic.c index b3a4407..746cfcf 100644 --- a/lib/crypto_backend/cipher_generic.c +++ b/lib/crypto_backend/cipher_generic.c @@ -1,8 +1,8 @@ /* * Linux kernel cipher generic utilities * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Milan Broz + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -51,6 +51,7 @@ static const struct cipher_alg cipher_algs[] = { { "xchacha12,aes", "adiantum", 32, false }, { "xchacha20,aes", "adiantum", 32, false }, { "sm4", NULL, 16, false }, + { "aria", NULL, 16, false }, { NULL, NULL, 0, false } }; diff --git a/lib/crypto_backend/crc32.c b/lib/crypto_backend/crc32.c index 9009b02..7a12a8e 100644 --- a/lib/crypto_backend/crc32.c +++ b/lib/crypto_backend/crc32.c @@ -158,7 +158,7 @@ static const uint32_t crc32c_tab[] = { * whatever they need. */ static uint32_t compute_crc32( - const uint32_t *crc32_tab, + const uint32_t *crc32_table, uint32_t seed, const unsigned char *buf, size_t len) @@ -167,7 +167,7 @@ static uint32_t compute_crc32( const unsigned char *p = buf; while(len-- > 0) - crc = crc32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8); + crc = crc32_table[(crc ^ *p++) & 0xff] ^ (crc >> 8); return crc; } diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h index 88562e9..15ed745 100644 --- a/lib/crypto_backend/crypto_backend.h +++ b/lib/crypto_backend/crypto_backend.h @@ -1,8 +1,8 @@ /* * crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -43,9 +43,11 @@ void crypt_backend_destroy(void); #define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */ #define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */ +#define CRYPT_BACKEND_ARGON2 (1 << 2) /* Backend provides native Argon2 implementation */ uint32_t crypt_backend_flags(void); const char *crypt_backend_version(void); +const char *crypt_argon2_version(void); /* HASH */ int crypt_hash_size(const char *name); diff --git a/lib/crypto_backend/crypto_backend_internal.h b/lib/crypto_backend/crypto_backend_internal.h index 9b1cc69..539f11a 100644 --- a/lib/crypto_backend/crypto_backend_internal.h +++ b/lib/crypto_backend/crypto_backend_internal.h @@ -1,8 +1,8 @@ /* * crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c index 3460717..77b3643 100644 --- a/lib/crypto_backend/crypto_cipher_kernel.c +++ b/lib/crypto_backend/crypto_cipher_kernel.c @@ -1,8 +1,8 @@ /* * Linux kernel userspace API crypto backend implementation (skcipher) * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -109,6 +109,7 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name, } /* The in/out should be aligned to page boundary */ +/* coverity[ -taint_source : arg-3 ] */ static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx, const char *in, size_t in_length, char *out, size_t out_length, @@ -312,6 +313,8 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length, } #else /* ENABLE_AF_ALG */ +#pragma GCC diagnostic ignored "-Wunused-parameter" + int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name, const char *mode, const void *key, size_t key_length) { diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index e974aa8..8e3f14e 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -1,8 +1,8 @@ /* * GCRYPT crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -23,6 +23,7 @@ #include #include #include +#include #include "crypto_backend_internal.h" static int crypto_backend_initialised = 0; @@ -126,10 +127,11 @@ int crypt_backend_init(bool fips __attribute__((unused))) crypto_backend_initialised = 1; crypt_hash_test_whirlpool_bug(); - r = snprintf(version, sizeof(version), "gcrypt %s%s%s", + r = snprintf(version, sizeof(version), "gcrypt %s%s%s%s", gcry_check_version(NULL), crypto_backend_secmem ? "" : ", secmem disabled", - crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : ""); + crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "", + crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? ", argon2" : ""); if (r < 0 || (size_t)r >= sizeof(version)) return -EINVAL; @@ -151,7 +153,11 @@ const char *crypt_backend_version(void) uint32_t crypt_backend_flags(void) { - return 0; + uint32_t flags = 0; +#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2 + flags |= CRYPT_BACKEND_ARGON2; +#endif + return flags; } static const char *crypt_hash_compat_name(const char *name, unsigned int *flags) @@ -266,7 +272,6 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length) void crypt_hash_destroy(struct crypt_hash *ctx) { gcry_md_close(ctx->hd); - memset(ctx, 0, sizeof(*ctx)); free(ctx); } @@ -341,7 +346,6 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length) void crypt_hmac_destroy(struct crypt_hmac *ctx) { gcry_md_close(ctx->hd); - memset(ctx, 0, sizeof(*ctx)); free(ctx); } @@ -386,6 +390,130 @@ static int pbkdf2(const char *hash, #endif /* USE_INTERNAL_PBKDF2 */ } +#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2 +struct gcrypt_thread_job +{ + pthread_t thread; + struct job_thread_param { + gcry_kdf_job_fn_t job; + void *p; + } work; +}; + +struct gcrypt_threads +{ + pthread_attr_t attr; + unsigned int num_threads; + unsigned int max_threads; + struct gcrypt_thread_job *jobs_ctx; +}; + +static void *gcrypt_job_thread(void *p) +{ + struct job_thread_param *param = p; + param->job(param->p); + pthread_exit(NULL); +} + +static int gcrypt_wait_all_jobs(void *ctx) +{ + unsigned int i; + struct gcrypt_threads *threads = ctx; + + for (i = 0; i < threads->num_threads; i++) { + pthread_join(threads->jobs_ctx[i].thread, NULL); + threads->jobs_ctx[i].thread = 0; + } + + threads->num_threads = 0; + return 0; +} + +static int gcrypt_dispatch_job(void *ctx, gcry_kdf_job_fn_t job, void *p) +{ + struct gcrypt_threads *threads = ctx; + + if (threads->num_threads >= threads->max_threads) + return -1; + + threads->jobs_ctx[threads->num_threads].work.job = job; + threads->jobs_ctx[threads->num_threads].work.p = p; + + if (pthread_create(&threads->jobs_ctx[threads->num_threads].thread, &threads->attr, + gcrypt_job_thread, &threads->jobs_ctx[threads->num_threads].work)) + return -1; + + threads->num_threads++; + return 0; +} + +static int gcrypt_argon2(const char *type, + const char *password, size_t password_length, + const char *salt, size_t salt_length, + char *key, size_t key_length, + uint32_t iterations, uint32_t memory, uint32_t parallel) +{ + gcry_kdf_hd_t hd; + int atype, r = -EINVAL; + unsigned long param[4]; + struct gcrypt_threads threads = { + .max_threads = parallel, + .num_threads = 0 + }; + const gcry_kdf_thread_ops_t ops = { + .jobs_context = &threads, + .dispatch_job = gcrypt_dispatch_job, + .wait_all_jobs = gcrypt_wait_all_jobs + }; + + if (!strcmp(type, "argon2i")) + atype = GCRY_KDF_ARGON2I; + else if (!strcmp(type, "argon2id")) + atype = GCRY_KDF_ARGON2ID; + else + return -EINVAL; + + param[0] = key_length; + param[1] = iterations; + param[2] = memory; + param[3] = parallel; + + if (gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4, + password, password_length, salt, salt_length, + NULL, 0, NULL, 0)) { + free(threads.jobs_ctx); + return -EINVAL; + } + + if (parallel == 1) { + /* Do not use threads here */ + if (gcry_kdf_compute(hd, NULL)) + goto out; + } else { + threads.jobs_ctx = calloc(threads.max_threads, + sizeof(struct gcrypt_thread_job)); + if (!threads.jobs_ctx) + goto out; + + if (pthread_attr_init(&threads.attr)) + goto out; + + if (gcry_kdf_compute(hd, &ops)) + goto out; + } + + if (gcry_kdf_final(hd, key_length, key)) + goto out; + r = 0; +out: + gcry_kdf_close(hd); + pthread_attr_destroy(&threads.attr); + free(threads.jobs_ctx); + + return r; +} +#endif + /* PBKDF */ int crypt_pbkdf(const char *kdf, const char *hash, const char *password, size_t password_length, @@ -400,8 +528,13 @@ int crypt_pbkdf(const char *kdf, const char *hash, return pbkdf2(hash, password, password_length, salt, salt_length, key, key_length, iterations); else if (!strncmp(kdf, "argon2", 6)) +#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2 + return gcrypt_argon2(kdf, password, password_length, salt, salt_length, + key, key_length, iterations, memory, parallel); +#else return argon2(kdf, password, password_length, salt, salt_length, key, key_length, iterations, memory, parallel); +#endif return -EINVAL; } @@ -565,6 +698,9 @@ bool crypt_fips_mode(void) if (fips_checked) return fips_mode; + if (crypt_backend_init(false /* ignored */)) + return false; + fips_mode = gcry_fips_mode_active(); fips_checked = true; diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c index 8493c0a..be6051a 100644 --- a/lib/crypto_backend/crypto_kernel.c +++ b/lib/crypto_backend/crypto_kernel.c @@ -1,8 +1,8 @@ /* * Linux kernel userspace API crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -245,7 +245,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx) close(ctx->tfmfd); if (ctx->opfd >= 0) close(ctx->opfd); - memset(ctx, 0, sizeof(*ctx)); free(ctx); } @@ -324,7 +323,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx) close(ctx->tfmfd); if (ctx->opfd >= 0) close(ctx->opfd); - memset(ctx, 0, sizeof(*ctx)); free(ctx); } diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c index 086e4fc..f08db74 100644 --- a/lib/crypto_backend/crypto_nettle.c +++ b/lib/crypto_backend/crypto_nettle.c @@ -1,8 +1,8 @@ /* * Nettle crypto backend implementation * - * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2023 Milan Broz + * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c index c154812..6b390a4 100644 --- a/lib/crypto_backend/crypto_nss.c +++ b/lib/crypto_backend/crypto_nss.c @@ -1,8 +1,8 @@ /* * NSS crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c index 607ec38..4e85384 100644 --- a/lib/crypto_backend/crypto_openssl.c +++ b/lib/crypto_backend/crypto_openssl.c @@ -1,8 +1,8 @@ /* * OPENSSL crypto backend implementation * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2010-2023 Milan Broz + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -44,9 +44,20 @@ static OSSL_PROVIDER *ossl_legacy = NULL; static OSSL_PROVIDER *ossl_default = NULL; static OSSL_LIB_CTX *ossl_ctx = NULL; static char backend_version[256] = "OpenSSL"; + +#define MAX_THREADS 8 +#if !HAVE_DECL_OSSL_GET_MAX_THREADS +static int OSSL_set_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused)), + uint64_t max_threads __attribute__((unused))) { return 0; } +static uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused))) { return 0; } +#else +#include +#endif + #endif #define CONST_CAST(x) (x)(uintptr_t) +#define UNUSED(x) (void)(x) static int crypto_backend_initialised = 0; @@ -162,6 +173,7 @@ static int openssl_backend_init(bool fips) */ #if OPENSSL_VERSION_MAJOR >= 3 int r; + bool ossl_threads = false; /* * In FIPS mode we keep default OpenSSL context & global config @@ -181,16 +193,24 @@ static int openssl_backend_init(bool fips) ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0); } - r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s", + if (OSSL_set_max_threads(ossl_ctx, MAX_THREADS) == 1 && + OSSL_get_max_threads(ossl_ctx) == MAX_THREADS) + ossl_threads = true; + + r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s%s%s", OpenSSL_version(OPENSSL_VERSION), ossl_default ? "[default]" : "", ossl_legacy ? "[legacy]" : "", - fips ? "[fips]" : ""); + fips ? "[fips]" : "", + ossl_threads ? "[threads]" : "", + crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? "[argon2]" : ""); if (r < 0 || (size_t)r >= sizeof(backend_version)) { openssl_backend_exit(); return -EINVAL; } +#else + UNUSED(fips); #endif return 0; } @@ -232,11 +252,14 @@ void crypt_backend_destroy(void) uint32_t crypt_backend_flags(void) { -#if OPENSSL_VERSION_MAJOR >= 3 - return 0; -#else - return CRYPT_BACKEND_PBKDF2_INT; + uint32_t flags = 0; +#if OPENSSL_VERSION_MAJOR < 3 + flags |= CRYPT_BACKEND_PBKDF2_INT; +#endif +#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION + flags |= CRYPT_BACKEND_ARGON2; #endif + return flags; } const char *crypt_backend_version(void) @@ -281,6 +304,8 @@ static void hash_id_free(const EVP_MD *hash_id) { #if OPENSSL_VERSION_MAJOR >= 3 EVP_MD_free(CONST_CAST(EVP_MD*)hash_id); +#else + UNUSED(hash_id); #endif } @@ -297,6 +322,8 @@ static void cipher_type_free(const EVP_CIPHER *cipher_type) { #if OPENSSL_VERSION_MAJOR >= 3 EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type); +#else + UNUSED(cipher_type); #endif } @@ -391,7 +418,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx) { hash_id_free(ctx->hash_id); EVP_MD_CTX_free(ctx->md); - memset(ctx, 0, sizeof(*ctx)); free(ctx); } @@ -527,7 +553,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx) hash_id_free(ctx->hash_id); HMAC_CTX_free(ctx->md); #endif - memset(ctx, 0, sizeof(*ctx)); free(ctx); } @@ -593,8 +618,53 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor const char *salt, size_t salt_length, char *key, size_t key_length, uint32_t iterations, uint32_t memory, uint32_t parallel) { +#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION + EVP_KDF_CTX *ctx; + EVP_KDF *argon2; + unsigned int threads = parallel; + int r; + OSSL_PARAM params[] = { + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, + CONST_CAST(void*)password, password_length), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, + CONST_CAST(void*)salt, salt_length), + OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, &iterations), + OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads), + OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, ¶llel), + OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory), + OSSL_PARAM_END + }; + + if (OSSL_get_max_threads(ossl_ctx) == 0) + threads = 1; + + argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL); + if (!argon2) + return -EINVAL; + + ctx = EVP_KDF_CTX_new(argon2); + if (!ctx) { + EVP_KDF_free(argon2); + return -EINVAL;; + } + + if (EVP_KDF_CTX_set_params(ctx, params) != 1) { + EVP_KDF_CTX_free(ctx); + EVP_KDF_free(argon2); + return -EINVAL; + } + + r = EVP_KDF_derive(ctx, (unsigned char*)key, key_length, NULL /*params*/); + + EVP_KDF_CTX_free(ctx); + EVP_KDF_free(argon2); + + /* _derive() returns 0 or negative value on error, 1 on success */ + return r == 1 ? 0 : -EINVAL; +#else return argon2(type, password, password_length, salt, salt_length, key, key_length, iterations, memory, parallel); +#endif } /* PBKDF */ diff --git a/lib/crypto_backend/crypto_storage.c b/lib/crypto_backend/crypto_storage.c index 13479dd..6c8f991 100644 --- a/lib/crypto_backend/crypto_storage.c +++ b/lib/crypto_backend/crypto_storage.c @@ -2,7 +2,7 @@ * Generic wrapper for storage encryption modes and Initial Vectors * (reimplementation of some functions from Linux dm-crypt kernel) * - * Copyright (C) 2014-2023 Milan Broz + * Copyright (C) 2014-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/meson.build b/lib/crypto_backend/meson.build new file mode 100644 index 0000000..d6c31fd --- /dev/null +++ b/lib/crypto_backend/meson.build @@ -0,0 +1,40 @@ +if use_internal_argon2 + subdir('argon2') +endif + +libcrypto_backend_dependencies = [ + crypto_backend_library, + clock_gettime, +] +libcrypto_backend_link_with = [] + +libcrypto_backend_sources = files( + 'argon2_generic.c', + 'base64.c', + 'cipher_check.c', + 'cipher_generic.c', + 'crc32.c', + 'crypto_cipher_kernel.c', + 'crypto_storage.c', + 'pbkdf_check.c', + 'utf8.c', +) + +crypto_backend = get_option('crypto-backend') +libcrypto_backend_sources += files('crypto_@0@.c'.format(crypto_backend)) + +if use_internal_pbkdf2 + libcrypto_backend_sources += files('pbkdf2_generic.c') +endif + +if use_internal_argon2 and get_option('argon-implementation') == 'internal' + libcrypto_backend_link_with += libargon2 +elif get_option('argon-implementation') == 'libargon2' + libcrypto_backend_dependencies += libargon2_external +endif + +libcrypto_backend = static_library('crypto_backend', + libcrypto_backend_sources, + include_directories: includes_lib, + dependencies: libcrypto_backend_dependencies, + link_with: libcrypto_backend_link_with) diff --git a/lib/crypto_backend/pbkdf2_generic.c b/lib/crypto_backend/pbkdf2_generic.c index 9e87e19..f7fe5bc 100644 --- a/lib/crypto_backend/pbkdf2_generic.c +++ b/lib/crypto_backend/pbkdf2_generic.c @@ -4,8 +4,8 @@ * Copyright (C) 2004 Free Software Foundation * * cryptsetup related changes - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/crypto_backend/pbkdf_check.c b/lib/crypto_backend/pbkdf_check.c index 53a2da9..54d6a34 100644 --- a/lib/crypto_backend/pbkdf_check.c +++ b/lib/crypto_backend/pbkdf_check.c @@ -1,7 +1,7 @@ /* * PBKDF performance check - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * Copyright (C) 2016-2020 Ondrej Mosnacek * * This file is free software; you can redistribute it and/or diff --git a/lib/crypto_backend/utf8.c b/lib/crypto_backend/utf8.c index 24e0d8d..c13e953 100644 --- a/lib/crypto_backend/utf8.c +++ b/lib/crypto_backend/utf8.c @@ -4,7 +4,7 @@ * Copyright (C) 2010 Lennart Poettering * * cryptsetup related changes - * Copyright (C) 2021-2023 Vojtech Trefny + * Copyright (C) 2021-2024 Vojtech Trefny * Parts of the original systemd implementation are based on the GLIB utf8 * validation functions. diff --git a/lib/integrity/integrity.c b/lib/integrity/integrity.c index aeadc82..ac2f0d0 100644 --- a/lib/integrity/integrity.c +++ b/lib/integrity/integrity.c @@ -1,7 +1,7 @@ /* * Integrity volume handling * - * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2016-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -335,13 +335,62 @@ int INTEGRITY_activate(struct crypt_device *cd, return r; } +static int _create_reduced_device(struct crypt_device *cd, + const char *name, + uint64_t device_size_sectors, + struct device **ret_device) +{ + int r; + char path[PATH_MAX]; + struct device *dev; + + struct crypt_dm_active_device dmd = { + .size = device_size_sectors, + .flags = CRYPT_ACTIVATE_PRIVATE, + }; + + assert(cd); + assert(name); + assert(device_size_sectors); + assert(ret_device); + + r = snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name); + if (r < 0 || (size_t)r >= sizeof(path)) + return -EINVAL; + + r = device_block_adjust(cd, crypt_data_device(cd), DEV_OK, + crypt_get_data_offset(cd), &device_size_sectors, &dmd.flags); + if (r) + return r; + + log_dbg(cd, "Activating reduced helper device %s.", name); + + r = dm_linear_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), crypt_get_data_offset(cd)); + if (!r) + r = dm_create_device(cd, name, CRYPT_SUBDEV, &dmd); + dm_targets_free(cd, &dmd); + if (r < 0) + return r; + + r = device_alloc(cd, &dev, path); + if (!r) { + *ret_device = dev; + return 0; + } + + dm_remove_device(cd, name, CRYPT_DEACTIVATE_FORCE); + + return r; +} + int INTEGRITY_format(struct crypt_device *cd, const struct crypt_params_integrity *params, struct volume_key *journal_crypt_key, - struct volume_key *journal_mac_key) + struct volume_key *journal_mac_key, + uint64_t backing_device_sectors) { uint32_t dmi_flags; - char tmp_name[64], tmp_uuid[40]; + char reduced_device_name[70], tmp_name[64], tmp_uuid[40]; struct crypt_dm_active_device dmdi = { .size = 8, .flags = CRYPT_ACTIVATE_PRIVATE, /* We always create journal but it can be unused later */ @@ -349,6 +398,8 @@ int INTEGRITY_format(struct crypt_device *cd, struct dm_target *tgt = &dmdi.segment; int r; uuid_t tmp_uuid_bin; + uint64_t data_offset_sectors; + struct device *p_metadata_device, *p_data_device, *reduced_device = NULL; struct volume_key *vk = NULL; uuid_generate(tmp_uuid_bin); @@ -358,18 +409,42 @@ int INTEGRITY_format(struct crypt_device *cd, if (r < 0 || (size_t)r >= sizeof(tmp_name)) return -EINVAL; + p_metadata_device = INTEGRITY_metadata_device(cd); + + if (backing_device_sectors) { + r = snprintf(reduced_device_name, sizeof(reduced_device_name), + "temporary-cryptsetup-reduced-%s", tmp_uuid); + if (r < 0 || (size_t)r >= sizeof(reduced_device_name)) + return -EINVAL; + + /* + * Creates reduced dm-linear mapping over data device starting at + * crypt_data_offset(cd) and backing_device_sectors in size. + */ + r = _create_reduced_device(cd, reduced_device_name, + backing_device_sectors, &reduced_device); + if (r < 0) + return r; + + data_offset_sectors = 0; + p_data_device = reduced_device; + if (p_metadata_device == crypt_data_device(cd)) + p_metadata_device = reduced_device; + } else { + data_offset_sectors = crypt_get_data_offset(cd); + p_data_device = crypt_data_device(cd); + } + /* There is no data area, we can actually use fake zeroed key */ if (params && params->integrity_key_size) vk = crypt_alloc_volume_key(params->integrity_key_size, NULL); - r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, INTEGRITY_metadata_device(cd), - crypt_data_device(cd), crypt_get_integrity_tag_size(cd), - crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk, + r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, p_metadata_device, + p_data_device, crypt_get_integrity_tag_size(cd), + data_offset_sectors, crypt_get_sector_size(cd), vk, journal_crypt_key, journal_mac_key, params); - if (r < 0) { - crypt_free_volume_key(vk); - return r; - } + if (r < 0) + goto err; log_dbg(cd, "Trying to format INTEGRITY device on top of %s, tmp name %s, tag size %d.", device_path(tgt->data_device), tmp_name, tgt->u.integrity.tag_size); @@ -379,24 +454,26 @@ int INTEGRITY_format(struct crypt_device *cd, log_err(cd, _("Kernel does not support dm-integrity mapping.")); r = -ENOTSUP; } - if (r) { - dm_targets_free(cd, &dmdi); - return r; - } + if (r) + goto err; if (tgt->u.integrity.meta_device) { r = device_block_adjust(cd, tgt->u.integrity.meta_device, DEV_EXCL, 0, NULL, NULL); - if (r) { - dm_targets_free(cd, &dmdi); - return r; - } + if (r) + goto err; } r = dm_create_device(cd, tmp_name, CRYPT_INTEGRITY, &dmdi); - crypt_free_volume_key(vk); - dm_targets_free(cd, &dmdi); if (r) - return r; + goto err; - return dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE); + r = dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE); +err: + dm_targets_free(cd, &dmdi); + crypt_free_volume_key(vk); + if (reduced_device) { + dm_remove_device(cd, reduced_device_name, CRYPT_DEACTIVATE_FORCE); + device_free(cd, reduced_device); + } + return r; } diff --git a/lib/integrity/integrity.h b/lib/integrity/integrity.h index 2883ef8..55c7148 100644 --- a/lib/integrity/integrity.h +++ b/lib/integrity/integrity.h @@ -1,7 +1,7 @@ /* * Integrity header definition * - * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2016-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -75,7 +75,8 @@ int INTEGRITY_hash_tag_size(const char *integrity); int INTEGRITY_format(struct crypt_device *cd, const struct crypt_params_integrity *params, struct volume_key *journal_crypt_key, - struct volume_key *journal_mac_key); + struct volume_key *journal_mac_key, + uint64_t backing_device_sectors); int INTEGRITY_activate(struct crypt_device *cd, const char *name, diff --git a/lib/internal.h b/lib/internal.h index b5cb4e3..3a0d6e6 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -53,6 +53,7 @@ #define MAX_DM_DEPS 32 #define CRYPT_SUBDEV "SUBDEV" /* prefix for sublayered devices underneath public crypt types */ +#define CRYPT_LUKS2_HW_OPAL "LUKS2-OPAL" /* dm uuid prefix used for any HW OPAL enabled LUKS2 device */ #ifndef O_CLOEXEC #define O_CLOEXEC 0 @@ -89,6 +90,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, struct crypt_pbkdf_type *pbkdf, size_t volume_key_size); const char *crypt_get_cipher_spec(struct crypt_device *cd); +uint32_t pbkdf_adjusted_phys_memory_kb(void); /* Device backend */ struct device; @@ -113,6 +115,7 @@ void device_release_excl(struct crypt_device *cd, struct device *device); void device_disable_direct_io(struct device *device); int device_is_identical(struct device *device1, struct device *device2); int device_is_rotational(struct device *device); +int device_is_dax(struct device *device); size_t device_alignment(struct device *device); int device_direct_io(const struct device *device); int device_fallocate(struct device *device, uint64_t size); @@ -153,21 +156,31 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char * struct device *crypt_metadata_device(struct crypt_device *cd); struct device *crypt_data_device(struct crypt_device *cd); +uint64_t crypt_get_metadata_size_bytes(struct crypt_device *cd); +uint64_t crypt_get_keyslots_size_bytes(struct crypt_device *cd); +uint64_t crypt_get_data_offset_sectors(struct crypt_device *cd); +int crypt_opal_supported(struct crypt_device *cd, struct device *opal_device); + int crypt_confirm(struct crypt_device *cd, const char *msg); char *crypt_lookup_dev(const char *dev_id); int crypt_dev_is_rotational(int major, int minor); +int crypt_dev_is_dax(int major, int minor); int crypt_dev_is_partition(const char *dev_path); char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size); +int crypt_dev_get_partition_number(const char *dev_path); char *crypt_get_base_device(const char *dev_path); uint64_t crypt_dev_partition_offset(const char *dev_path); int lookup_by_disk_id(const char *dm_uuid); int lookup_by_sysfs_uuid_field(const char *dm_uuid); int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid); +int crypt_uuid_type_cmp(const char *dm_uuid, const char *type); size_t crypt_getpagesize(void); unsigned crypt_cpusonline(void); uint64_t crypt_getphysmemory_kb(void); +uint64_t crypt_getphysmemoryfree_kb(void); +bool crypt_swapavailable(void); int init_crypto(struct crypt_device *ctx); @@ -202,7 +215,7 @@ void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt * struct luks2_reencrypt *crypt_get_luks2_reencrypt(struct crypt_device *cd); int onlyLUKS2(struct crypt_device *cd); -int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask); +int onlyLUKS2reencrypt(struct crypt_device *cd); int crypt_wipe_device(struct crypt_device *cd, struct device *device, @@ -221,6 +234,14 @@ int crypt_get_integrity_tag_size(struct crypt_device *cd); int crypt_key_in_keyring(struct crypt_device *cd); void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring); int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk); +int crypt_keyring_get_user_key(struct crypt_device *cd, + const char *key_description, + char **key, + size_t *key_size); +int crypt_keyring_get_key_by_name(struct crypt_device *cd, + const char *key_description, + char **key, + size_t *key_size); int crypt_use_keyring_for_vk(struct crypt_device *cd); void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype); void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks); @@ -250,4 +271,8 @@ static inline bool uint64_mult_overflow(uint64_t *u, uint64_t b, size_t size) return false; } +#define KEY_NOT_VERIFIED -2 +#define KEY_EXTERNAL_VERIFICATION -1 +#define KEY_VERIFIED 0 + #endif /* INTERNAL_H */ diff --git a/lib/keyslot_context.c b/lib/keyslot_context.c index 89bd433..5860247 100644 --- a/lib/keyslot_context.c +++ b/lib/keyslot_context.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup, keyslot unlock helpers * - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2022-2023 Ondrej Kozina + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -173,7 +173,7 @@ static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd, return r; } -static int get_key_by_key(struct crypt_device *cd, +static int get_key_by_key(struct crypt_device *cd __attribute__((unused)), struct crypt_keyslot_context *kc, int keyslot __attribute__((unused)), int segment __attribute__((unused)), @@ -204,19 +204,73 @@ static int get_volume_key_by_key(struct crypt_device *cd, return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk); } +static int get_generic_volume_key_by_key(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + struct volume_key **r_vk) +{ + return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk); +} + +static int get_generic_signed_key_by_key(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + struct volume_key **r_vk, + struct volume_key **r_signature) +{ + struct volume_key *vk, *vk_sig; + + assert(kc && ((kc->type == CRYPT_KC_TYPE_KEY) || + (kc->type == CRYPT_KC_TYPE_SIGNED_KEY))); + assert(r_vk); + assert(r_signature); + + /* return key with no signature */ + if (kc->type == CRYPT_KC_TYPE_KEY) { + *r_signature = NULL; + return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk); + } + + if (!kc->u.ks.volume_key || !kc->u.ks.signature) { + kc->error = -EINVAL; + return kc->error; + } + + vk = crypt_alloc_volume_key(kc->u.ks.volume_key_size, kc->u.ks.volume_key); + if (!vk) { + kc->error = -ENOMEM; + return kc->error; + } + + vk_sig = crypt_alloc_volume_key(kc->u.ks.signature_size, kc->u.ks.signature); + if (!vk_sig) { + crypt_free_volume_key(vk); + kc->error = -ENOMEM; + return kc->error; + } + + *r_vk = vk; + *r_signature = vk_sig; + + return 0; +} + static int get_luks2_key_by_token(struct crypt_device *cd, struct crypt_keyslot_context *kc, - int keyslot __attribute__((unused)), + int keyslot, int segment, struct volume_key **r_vk) { int r; + struct luks2_hdr *hdr; assert(cd); assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN); assert(r_vk); - r = LUKS2_token_unlock_key(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, kc->u.t.type, + hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (!hdr) + return -EINVAL; + + r = LUKS2_token_unlock_key(cd, hdr, keyslot, kc->u.t.id, kc->u.t.type, kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk); if (r < 0) kc->error = r; @@ -226,10 +280,10 @@ static int get_luks2_key_by_token(struct crypt_device *cd, static int get_luks2_volume_key_by_token(struct crypt_device *cd, struct crypt_keyslot_context *kc, - int keyslot __attribute__((unused)), + int keyslot, struct volume_key **r_vk) { - return get_luks2_key_by_token(cd, kc, -2 /* unused */, CRYPT_DEFAULT_SEGMENT, r_vk); + return get_luks2_key_by_token(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk); } static int get_passphrase_by_token(struct crypt_device *cd, @@ -261,6 +315,136 @@ static int get_passphrase_by_token(struct crypt_device *cd, return kc->u.t.id; } +static int get_passphrase_by_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + const char **r_passphrase, + size_t *r_passphrase_size) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING); + assert(r_passphrase); + assert(r_passphrase_size); + + if (!kc->i_passphrase) { + r = crypt_keyring_get_user_key(cd, kc->u.kr.key_description, + &kc->i_passphrase, &kc->i_passphrase_size); + if (r < 0) { + log_err(cd, _("Failed to read passphrase from keyring.")); + kc->error = -EINVAL; + return -EINVAL; + } + } + + *r_passphrase = kc->i_passphrase; + *r_passphrase_size = kc->i_passphrase_size; + + return 0; +} + +static int get_luks2_key_by_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + int segment, + struct volume_key **r_vk) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING); + assert(r_vk); + + r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase, + &kc->i_passphrase_size); + if (r < 0) { + log_err(cd, _("Failed to read passphrase from keyring.")); + kc->error = -EINVAL; + return -EINVAL; + } + + r = LUKS2_keyslot_open(cd, keyslot, segment, kc->i_passphrase, kc->i_passphrase_size, r_vk); + if (r < 0) + kc->error = r; + + return 0; +} + +static int get_luks2_volume_key_by_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk) +{ + return get_luks2_key_by_keyring(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk); +} + +static int get_luks1_volume_key_by_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot, + struct volume_key **r_vk) +{ + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE); + assert(r_vk); + + r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase, + &kc->i_passphrase_size); + if (r < 0) { + log_err(cd, _("Failed to read passphrase from keyring.")); + kc->error = -EINVAL; + return -EINVAL; + } + + r = LUKS_open_key_with_hdr(keyslot, kc->i_passphrase, kc->i_passphrase_size, + crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd); + if (r < 0) + kc->error = r; + + return r; +} + +static int get_key_by_vk_in_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + int segment __attribute__((unused)), + struct volume_key **r_vk) +{ + char *key; + size_t key_size; + int r; + + assert(cd); + assert(kc && kc->type == CRYPT_KC_TYPE_VK_KEYRING); + assert(r_vk); + + r = crypt_keyring_get_key_by_name(cd, kc->u.vk_kr.key_description, + &key, &key_size); + if (r < 0) { + log_err(cd, _("Failed to read volume key candidate from keyring.")); + kc->error = -EINVAL; + return -EINVAL; + } + + *r_vk = crypt_alloc_volume_key(key_size, key); + crypt_safe_free(key); + if (!*r_vk) { + kc->error = -ENOMEM; + return kc->error; + } + + return 0; +} + +static int get_volume_key_by_vk_in_keyring(struct crypt_device *cd, + struct crypt_keyslot_context *kc, + int keyslot __attribute__((unused)), + struct volume_key **r_vk) +{ + return get_key_by_vk_in_keyring(cd, kc, -2 /* unused */, -2 /* unused */, r_vk); +} + static void unlock_method_init_internal(struct crypt_keyslot_context *kc) { assert(kc); @@ -270,6 +454,26 @@ static void unlock_method_init_internal(struct crypt_keyslot_context *kc) kc->i_passphrase_size = 0; } +void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc, + const char *key_description) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_KEYRING; + kc->u.kr.key_description = key_description; + + kc->get_luks2_key = get_luks2_key_by_keyring; + kc->get_luks2_volume_key = get_luks2_volume_key_by_keyring; + kc->get_luks1_volume_key = get_luks1_volume_key_by_keyring; + kc->get_passphrase = get_passphrase_by_keyring; + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = NULL; + kc->get_integrity_volume_key = NULL; + unlock_method_init_internal(kc); +} + void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc, const char *volume_key, size_t volume_key_size) @@ -283,6 +487,36 @@ void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc, kc->get_luks2_volume_key = get_volume_key_by_key; kc->get_luks1_volume_key = get_volume_key_by_key; kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */ + kc->get_plain_volume_key = get_generic_volume_key_by_key; + kc->get_bitlk_volume_key = get_generic_volume_key_by_key; + kc->get_fvault2_volume_key = get_generic_volume_key_by_key; + kc->get_verity_volume_key = get_generic_signed_key_by_key; + kc->get_integrity_volume_key = get_generic_volume_key_by_key; + unlock_method_init_internal(kc); +} + +void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc, + const char *volume_key, + size_t volume_key_size, + const char *signature, + size_t signature_size) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_SIGNED_KEY; + kc->u.ks.volume_key = volume_key; + kc->u.ks.volume_key_size = volume_key_size; + kc->u.ks.signature = signature; + kc->u.ks.signature_size = signature_size; + kc->get_luks2_key = NULL; + kc->get_luks2_volume_key = NULL; + kc->get_luks1_volume_key = NULL; + kc->get_passphrase = NULL; + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = get_generic_signed_key_by_key; + kc->get_integrity_volume_key = NULL; unlock_method_init_internal(kc); } @@ -299,6 +533,11 @@ void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_conte kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase; kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase; kc->get_passphrase = get_passphrase_by_passphrase; + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = NULL; + kc->get_integrity_volume_key = NULL; unlock_method_init_internal(kc); } @@ -317,6 +556,11 @@ void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile; kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile; kc->get_passphrase = get_passphrase_by_keyfile; + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = NULL; + kc->get_integrity_volume_key = NULL; unlock_method_init_internal(kc); } @@ -339,9 +583,35 @@ void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *k kc->get_luks2_volume_key = get_luks2_volume_key_by_token; kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */ kc->get_passphrase = get_passphrase_by_token; + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = NULL; + kc->get_integrity_volume_key = NULL; unlock_method_init_internal(kc); } +void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc, + const char *key_description) +{ + assert(kc); + + kc->type = CRYPT_KC_TYPE_VK_KEYRING; + kc->u.vk_kr.key_description = key_description; + + kc->get_luks2_key = get_key_by_vk_in_keyring; + kc->get_luks2_volume_key = get_volume_key_by_vk_in_keyring; + kc->get_luks1_volume_key = NULL; + kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */ + kc->get_plain_volume_key = NULL; + kc->get_bitlk_volume_key = NULL; + kc->get_fvault2_volume_key = NULL; + kc->get_verity_volume_key = NULL; + kc->get_integrity_volume_key = NULL; + unlock_method_init_internal(kc); +} + + void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc) { if (!kc) @@ -358,7 +628,7 @@ void crypt_keyslot_context_free(struct crypt_keyslot_context *kc) free(kc); } -int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd, +int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd __attribute__((unused)), const char *passphrase, size_t passphrase_size, struct crypt_keyslot_context **kc) @@ -379,7 +649,7 @@ int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd, return 0; } -int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd, +int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd __attribute__((unused)), const char *keyfile, size_t keyfile_size, uint64_t keyfile_offset, @@ -401,7 +671,7 @@ int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd, return 0; } -int crypt_keyslot_context_init_by_token(struct crypt_device *cd, +int crypt_keyslot_context_init_by_token(struct crypt_device *cd __attribute__((unused)), int token, const char *type, const char *pin, size_t pin_size, @@ -424,7 +694,7 @@ int crypt_keyslot_context_init_by_token(struct crypt_device *cd, return 0; } -int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd, +int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd __attribute__((unused)), const char *volume_key, size_t volume_key_size, struct crypt_keyslot_context **kc) @@ -445,12 +715,76 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd, return 0; } +int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd __attribute__((unused)), + const char *volume_key, + size_t volume_key_size, + const char *signature, + size_t signature_size, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_signed_key_init_internal(tmp, volume_key, volume_key_size, + signature, signature_size); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd __attribute__((unused)), + const char *key_description, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_keyring_internal(tmp, key_description); + + *kc = tmp; + + return 0; +} + +int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd __attribute__((unused)), + const char *key_description, + struct crypt_keyslot_context **kc) +{ + struct crypt_keyslot_context *tmp; + + if (!kc) + return -EINVAL; + + tmp = malloc(sizeof(*tmp)); + if (!tmp) + return -ENOMEM; + + crypt_keyslot_unlock_by_vk_in_keyring_internal(tmp, key_description); + + *kc = tmp; + + return 0; +} + int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc) { return kc ? kc->error : -EINVAL; } -int crypt_keyslot_context_set_pin(struct crypt_device *cd, +int crypt_keyslot_context_set_pin(struct crypt_device *cd __attribute__((unused)), const char *pin, size_t pin_size, struct crypt_keyslot_context *kc) { @@ -482,6 +816,12 @@ const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc) return "token"; case CRYPT_KC_TYPE_KEY: return "key"; + case CRYPT_KC_TYPE_KEYRING: + return "keyring"; + case CRYPT_KC_TYPE_VK_KEYRING: + return "volume key in keyring"; + case CRYPT_KC_TYPE_SIGNED_KEY: + return "signed key"; default: return ""; } diff --git a/lib/keyslot_context.h b/lib/keyslot_context.h index 7ca7428..fd15159 100644 --- a/lib/keyslot_context.h +++ b/lib/keyslot_context.h @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup, keyslot unlock helpers * - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2022-2023 Ondrej Kozina + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -40,6 +40,17 @@ typedef int (*keyslot_context_get_volume_key) ( int keyslot, struct volume_key **r_vk); +typedef int (*keyslot_context_get_generic_volume_key) ( + struct crypt_device *cd, + struct crypt_keyslot_context *kc, + struct volume_key **r_vk); + +typedef int (*keyslot_context_get_generic_signed_key) ( + struct crypt_device *cd, + struct crypt_keyslot_context *kc, + struct volume_key **r_vk, + struct volume_key **r_signature); + typedef int (*keyslot_context_get_passphrase) ( struct crypt_device *cd, struct crypt_keyslot_context *kc, @@ -71,6 +82,18 @@ struct crypt_keyslot_context { const char *volume_key; size_t volume_key_size; } k; + struct { + const char *volume_key; + size_t volume_key_size; + const char *signature; + size_t signature_size; + } ks; + struct { + const char *key_description; + } kr; + struct { + const char *key_description; + } vk_kr; } u; int error; @@ -78,10 +101,15 @@ struct crypt_keyslot_context { char *i_passphrase; size_t i_passphrase_size; - keyslot_context_get_key get_luks2_key; - keyslot_context_get_volume_key get_luks1_volume_key; - keyslot_context_get_volume_key get_luks2_volume_key; - keyslot_context_get_passphrase get_passphrase; + keyslot_context_get_key get_luks2_key; + keyslot_context_get_volume_key get_luks1_volume_key; + keyslot_context_get_volume_key get_luks2_volume_key; + keyslot_context_get_generic_volume_key get_plain_volume_key; + keyslot_context_get_generic_volume_key get_bitlk_volume_key; + keyslot_context_get_generic_volume_key get_fvault2_volume_key; + keyslot_context_get_generic_signed_key get_verity_volume_key; + keyslot_context_get_generic_volume_key get_integrity_volume_key; + keyslot_context_get_passphrase get_passphrase; }; void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method); @@ -90,6 +118,12 @@ void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc, const char *volume_key, size_t volume_key_size); +void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc, + const char *volume_key, + size_t volume_key_size, + const char *signature, + size_t signature_size); + void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc, const char *passphrase, size_t passphrase_size); @@ -106,6 +140,12 @@ void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *k size_t pin_size, void *usrptr); +void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc, + const char *key_description); + +void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc, + const char *key_description); + const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc); #endif /* KEYSLOT_CONTEXT_H */ diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index e899829..82d042f 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -273,7 +273,7 @@ struct crypt_pbkdf_type { /** Iteration time set by crypt_set_iteration_time(), for compatibility only. */ #define CRYPT_PBKDF_ITER_TIME_SET (UINT32_C(1) << 0) -/** Never run benchmarks, use pre-set value or defaults. */ +/** Never run benchmarks or limit by system resources, use pre-set values or defaults. */ #define CRYPT_PBKDF_NO_BENCHMARK (UINT32_C(1) << 1) /** PBKDF2 according to RFC2898, LUKS1 legacy */ @@ -450,6 +450,34 @@ const char *crypt_get_type(struct crypt_device *cd); */ const char *crypt_get_default_type(void); +/** + * @defgroup crypt-hw-encryption-types HW encryption type + * @addtogroup crypt-hw-encryption-types + * @{ + */ +/** SW encryption, no OPAL encryption in place (default) */ +#define CRYPT_SW_ONLY INT16_C(0) +/** OPAL HW encryption only (no SW encryption!) */ +#define CRYPT_OPAL_HW_ONLY INT16_C(1) +/** SW encryption stacked over OPAL HW encryption */ +#define CRYPT_SW_AND_OPAL_HW INT16_C(2) +/** @} */ + +/** + * Get HW encryption type + * + * @return HW encryption type (see @link crypt-hw-encryption-types @endlink) + * or negative errno otherwise. + */ +int crypt_get_hw_encryption_type(struct crypt_device *cd); + +/** + * Get HW encryption (like OPAL) key size (in bytes) + * + * @return key size or 0 if no HW encryption is used. + */ +int crypt_get_hw_encryption_key_size(struct crypt_device *cd); + /** * * Structure used as parameter for PLAIN device type. @@ -609,6 +637,18 @@ struct crypt_params_luks2 { const char *label; /**< header label or @e NULL*/ const char *subsystem; /**< header subsystem label or @e NULL*/ }; + +/** + * Structure used as parameter for OPAL (HW encrypted) device type. + * + * @see crypt_format_luks2_opal + * + */ +struct crypt_params_hw_opal { + const char *admin_key; /**< admin key */ + size_t admin_key_size; /**< admin key size in bytes */ + size_t user_key_size; /**< user authority key size part in bytes */ +}; /** @} */ /** @@ -648,6 +688,34 @@ int crypt_format(struct crypt_device *cd, size_t volume_key_size, void *params); +/** + * Create (format) new LUKS2 crypt device over HW OPAL device but do not activate it. + * + * @pre @e cd contains initialized and not formatted device context (device type must @b not be set) + * + * @param cd crypt device handle + * @param cipher for SW encryption (e.g. "aes") or NULL for HW encryption only + * @param cipher_mode including IV specification (e.g. "xts-plain") or NULL for HW encryption only + * @param uuid requested UUID or @e NULL if it should be generated + * @param volume_keys pre-generated volume keys or @e NULL if it should be generated (only for LUKS2 SW encryption) + * @param volume_keys_size size of volume keys in bytes (only for SW encryption). + * @param params LUKS2 crypt type specific parameters (see @link crypt-type @endlink) + * @param opal_params OPAL specific parameters + * + * @returns @e 0 on success or negative errno value otherwise. + * + * @note Note that crypt_format_luks2_opal does not create LUKS keyslot. + * To create keyslot call any crypt_keyslot_add_* function. + */ +int crypt_format_luks2_opal(struct crypt_device *cd, + const char *cipher, + const char *cipher_mode, + const char *uuid, + const char *volume_keys, + size_t volume_keys_size, + struct crypt_params_luks2 *params, + struct crypt_params_hw_opal *opal_params); + /** * Set format compatibility flags. * @@ -941,6 +1009,23 @@ int crypt_resume_by_token_pin(struct crypt_device *cd, const char *pin, size_t pin_size, void *usrptr); + +/** + * Resume crypt device using keyslot context. + * + * @param cd crypt device handle + * @param name name of device to resume + * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is + * ignored for unlock methods not based on passphrase + * @param kc keyslot context providing volume key or passphrase. + * + * @return unlocked key slot number for passphrase-based unlock, zero for other + * unlock methods (e.g. volume key context) or negative errno on error. + */ +int crypt_resume_by_keyslot_context(struct crypt_device *cd, + const char *name, + int keyslot, + struct crypt_keyslot_context *kc); /** @} */ /** @@ -1099,7 +1184,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd, * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption! * By doing so you will most probably destroy your ciphertext data device. It's supposed * to be used only in wrapped keys scheme for key refresh process where real (inner) volume - * key stays untouched. It may be involed on active @e keyslot which makes the (previously + * key stays untouched. It may be involved on active @e keyslot which makes the (previously * unbound) keyslot new regular keyslot. */ int crypt_keyslot_add_by_key(struct crypt_device *cd, @@ -1194,6 +1279,59 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd, size_t volume_key_size, struct crypt_keyslot_context **kc); +/** + * Initialize keyslot context via signed key. + * + * @param cd crypt device handle initialized to device context + * + * @param volume_key provided volume key + * @param volume_key_size size of volume_key + * @param signature buffer with signature for the key + * @param signature_size bsize of signature buffer + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY + * + * @return zero on success or negative errno otherwise. + * + * @note currently supported only with VERITY devices. + */ +int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd, + const char *volume_key, + size_t volume_key_size, + const char *signature, + size_t signature_size, + struct crypt_keyslot_context **kc); + +/** + * Initialize keyslot context via passphrase stored in a keyring. + * + * @param cd crypt device handle initialized to LUKS device context + * + * @param key_description kernel keyring key description library should look + * for passphrase in + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd, + const char *key_description, + struct crypt_keyslot_context **kc); + +/** + * Initialize keyslot context via volume key stored in a keyring. + * + * @param cd crypt device handle initialized to LUKS device context + * + * @param key_description kernel keyring key description library should look + * for passphrase in. The key can be passed either as number in ASCII, + * or a text representation in the form "%:" + * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING + * + * @return zero on success or negative errno otherwise. + */ +int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd, + const char *key_description, + struct crypt_keyslot_context **kc); + /** * Get error code per keyslot context from last failed call. * @@ -1225,7 +1363,7 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd, struct crypt_keyslot_context *kc); /** - * @defgroup crypt-keyslot-context-types Crypt keyslot context + * @defgroup crypt-keyslot-context-types Crypt keyslot context types * @addtogroup crypt-keyslot-context-types * @{ */ @@ -1237,6 +1375,16 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd, #define CRYPT_KC_TYPE_TOKEN INT16_C(3) /** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */ #define CRYPT_KC_TYPE_KEY INT16_C(4) +/** keyslot context initialized by description of a keyring key + * (@link crypt_keyslot_context_init_by_keyring @endlink) + */ +#define CRYPT_KC_TYPE_KEYRING INT16_C(5) +/** keyslot context initialized by description of a keyring key containing the volume key + * (@link crypt_keyslot_context_init_by_vk_in_keyring @endlink) + */ +#define CRYPT_KC_TYPE_VK_KEYRING INT16_C(6) +/** keyslot context initialized by signed key (@link crypt_keyslot_context_init_by_signed_key @endlink) */ +#define CRYPT_KC_TYPE_SIGNED_KEY INT16_C(7) /** @} */ /** @@ -1281,7 +1429,7 @@ int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc); * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption! * By doing so you will most probably destroy your ciphertext data device. It's supposed * to be used only in wrapped keys scheme for key refresh process where real (inner) volume - * key stays untouched. It may be involed on active @e keyslot which makes the (previously + * key stays untouched. It may be involved on active @e keyslot which makes the (previously * unbound) keyslot new regular keyslot. */ int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd, @@ -1420,6 +1568,8 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd, #define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT (UINT32_C(1) << 0) /** Online reencryption in-progress */ #define CRYPT_REQUIREMENT_ONLINE_REENCRYPT (UINT32_C(1) << 1) +/** Device configured with OPAL support */ +#define CRYPT_REQUIREMENT_OPAL (UINT32_C(1) << 2) /** unknown requirement in header (output only) */ #define CRYPT_REQUIREMENT_UNKNOWN (UINT32_C(1) << 31) @@ -1473,6 +1623,39 @@ int crypt_persistent_flags_get(struct crypt_device *cd, * @{ */ +/** + * Activate device or check using keyslot context. In some cases (device under + * reencryption), more than one keyslot context is required (e.g. one for the old + * volume key and one for the new volume key). The order of the keyslot + * contexts does not matter. When less keyslot contexts are supplied than + * required to unlock the device an -ESRCH error code is returned and you + * should call the function again with an additional keyslot context specified. + * + * NOTE: the API at the moment fully works for single keyslot context only, + * the additional keyslot context currently works only with + * @e CRYPT_KC_TYPE_VK_KEYRING or @e CRYPT_KC_TYPE_KEY contexts. + * + * @param cd crypt device handle + * @param name name of device to create, if @e NULL only check passphrase + * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is + * ignored for unlock methods not based on passphrase + * @param kc keyslot context providing volume key or passphrase. + * @param additional_keyslot requested additional keyslot to check or @e CRYPT_ANY_SLOT + * @param additional_kc keyslot context providing additional volume key or + * passphrase (e.g. old volume key for device under reencryption). + * @param flags activation flags + * + * @return unlocked key slot number for passphrase-based unlock, zero for other + * unlock methods (e.g. volume key context) or negative errno on error. + */ +int crypt_activate_by_keyslot_context(struct crypt_device *cd, + const char *name, + int keyslot, + struct crypt_keyslot_context *kc, + int additional_keyslot, + struct crypt_keyslot_context *additional_kc, + uint32_t flags); + /** * Activate device or check passphrase. * @@ -1553,6 +1736,9 @@ int crypt_activate_by_keyfile(struct crypt_device *cd, * CRYPT_ACTIVATE_READONLY flag always. * @note For TCRYPT the volume key should be always NULL * the key from decrypted header is used instead. + * @note For BITLK the name cannot be @e NULL checking volume key is not + * supported for BITLK, the device will be activated even if the + * provided key is not correct. */ int crypt_activate_by_volume_key(struct crypt_device *cd, const char *name, @@ -2259,6 +2445,36 @@ int crypt_wipe(struct crypt_device *cd, /** Use direct-io */ #define CRYPT_WIPE_NO_DIRECT_IO (UINT32_C(1) << 0) + +enum { + CRYPT_LUKS2_SEGMENT = -2, + CRYPT_NO_SEGMENT = -1, +}; + +/** + * Safe erase of a partition or an entire OPAL device. WARNING: ALL DATA ON + * PARTITION/DISK WILL BE LOST. If the CRYPT_NO_SEGMENT is passed as the segment + * parameter, the entire device will be wiped, not just what is included in the + * LUKS2 device/partition. + * + * @param cd crypt device handle + * @param segment the segment number to wipe (0..8), or CRYPT_LUKS2_SEGMENT + * to wipe the segment configured in the LUKS2 header, or CRYPT_NO_SEGMENT + * to wipe the entire device via a factory reset. + * @param password admin password/PSID (for factory reset) to wipe the + * partition/device + * @param password_size length of password/PSID + * @param flags (currently unused) + * + * @return @e 0 on success or negative errno value otherwise. + */ +int crypt_wipe_hw_opal(struct crypt_device *cd, + int segment, /* 0..8, CRYPT_LUKS2_SEGMENT -2, CRYPT_NO_SEGMENT -1 */ + const char *password, /* Admin1 PIN or PSID */ + size_t password_size, + uint32_t flags /* currently unused */ +); + /** @} */ /** @@ -2566,6 +2782,17 @@ int crypt_token_register(const crypt_token_handler *handler); */ const char *crypt_token_external_path(void); +/** + * Override configured external token handlers path for the library. + * + * @param path Absolute path (starts with '/') to new external token handlers directory or @e NULL. + * + * @note if @e path is @e NULL the external token path is reset to default path. + * + * @return @e 0 on success or negative errno value otherwise. + */ +int crypt_token_set_external_path(const char *path); + /** * Disable external token handlers (plugins) support * If disabled, it cannot be enabled again. @@ -2875,6 +3102,55 @@ void crypt_safe_memzero(void *data, size_t size); /** @} */ +/** + * @defgroup crypt-keyring Kernel keyring manipulation + * @addtogroup crypt-keyring + * @{ + */ + +/** + * Link the volume key to the specified kernel keyring. + * + * The volume can have one or two keys. Normally, the device has one key. + * However if reencryption was started and not finished yet, the volume will + * have two volume keys (the new VK for the already reencrypted segment and old + * VK for the not yet reencrypted segment). + * + * The @e old_key_description argument is required only for + * devices that are in re-encryption and have two volume keys at the same time + * (old and new). You can set the @e old_key_description to NULL, + * but if you supply number of keys less than required, the function will + * return -ESRCH. In that case you need to call the function again and set + * the missing key description. When supplying just one key description, make + * sure to supply it in the @e key_description. + * + * @param cd crypt device handle + * @param key_description the key description of the volume key linked in desired keyring. + * @param old_key_description the key description of the old volume key linked in desired keyring + * (for devices in re-encryption). + * @param key_type_desc the key type used for the volume key. Currently only "user" and "logon" types are + * supported. if @e NULL is specified the default "user" type is applied. + * @param keyring_to_link_vk the keyring description of the keyring in which volume key should + * be linked, if @e NULL is specified, linking will be disabled. + * + * @note keyring_to_link_vk may be passed in various string formats: + * It can be kernel key numeric id of existing keyring written as a string, + * keyring name prefixed optionally be either "%:" or "%keyring:" substrings or keyctl + * special values for keyrings "@t", "@p", "@s" and so on. See keyctl(1) man page, + * section KEY IDENTIFIERS for more information. All other prefixes starting "%:" + * are ignored. + * + * @note key_description "%:" prefixes are ignored. Type is applied based on key_type parameter + * value. + */ +int crypt_set_keyring_to_link(struct crypt_device* cd, + const char* key_description, + const char* old_key_description, + const char* key_type_desc, + const char* keyring_to_link_vk); + +/** @} */ + #ifdef __cplusplus } #endif diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym index d0f0d98..89d6468 100644 --- a/lib/libcryptsetup.sym +++ b/lib/libcryptsetup.sym @@ -165,3 +165,18 @@ CRYPTSETUP_2.6 { crypt_keyslot_add_by_keyslot_context; crypt_volume_key_get_by_keyslot_context; } CRYPTSETUP_2.5; + +CRYPTSETUP_2.7 { + global: + crypt_activate_by_keyslot_context; + crypt_format_luks2_opal; + crypt_get_hw_encryption_type; + crypt_get_hw_encryption_key_size; + crypt_keyslot_context_init_by_keyring; + crypt_keyslot_context_init_by_vk_in_keyring; + crypt_keyslot_context_init_by_signed_key; + crypt_resume_by_keyslot_context; + crypt_token_set_external_path; + crypt_set_keyring_to_link; + crypt_wipe_hw_opal; +} CRYPTSETUP_2.6; diff --git a/lib/libcryptsetup_macros.h b/lib/libcryptsetup_macros.h index 55187ab..89c1e10 100644 --- a/lib/libcryptsetup_macros.h +++ b/lib/libcryptsetup_macros.h @@ -1,8 +1,8 @@ /* * Definitions of common constant and generic macros of libcryptsetup * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/libcryptsetup_symver.h b/lib/libcryptsetup_symver.h index a5aa8f9..3ea31bf 100644 --- a/lib/libcryptsetup_symver.h +++ b/lib/libcryptsetup_symver.h @@ -1,7 +1,7 @@ /* * Helpers for defining versioned symbols * - * Copyright (C) 2021-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c index 9c5fc0c..ebee542 100644 --- a/lib/libdevmapper.c +++ b/lib/libdevmapper.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -602,7 +602,8 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags) hexkey = crypt_safe_alloc(keystr_len); if (!hexkey) goto out; - r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key_description); + r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength, + tgt->u.crypt.vk->key_description); if (r < 0 || r >= keystr_len) goto out; } else @@ -1330,7 +1331,15 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch goto out; if (!dm_task_run(dmt)) { - r = dm_status_device(cd, name);; + + r = -dm_task_get_errno(dmt); + if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) { + /* propagate DM errors around key management as such */ + r = -ENOKEY; + goto out; + } + + r = dm_status_device(cd, name); if (r >= 0) r = -EEXIST; if (r != -EEXIST && r != -ENODEV) @@ -1663,6 +1672,11 @@ int dm_create_device(struct crypt_device *cd, const char *name, log_err(cd, _("Requested sector_size option is not supported.")); r = -EINVAL; } + if (dmd->segment.u.crypt.sector_size > SECTOR_SIZE && + dmd->size % dmd->segment.u.crypt.sector_size) { + log_err(cd, _("The device size is not multiple of the requested sector size.")); + r = -EINVAL; + } } if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) && @@ -2829,7 +2843,7 @@ static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_ int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, char **names, size_t names_length) { - struct dm_task *dmt; + struct dm_task *dmt = NULL; struct dm_info dmi; struct dm_deps *deps; int r = -EINVAL; @@ -2989,7 +3003,8 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, } if (vk->key_description) { - r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, vk->key_description); + r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, + vk->key_description); } else { key = crypt_bytes_to_hex(vk->keylength, vk->key); if (!key) { @@ -3026,6 +3041,18 @@ const char *dm_get_dir(void) return dm_dir(); } +int dm_get_iname(const char *name, char **iname, bool with_path) +{ + int r; + + if (with_path) + r = asprintf(iname, "%s/%s_dif", dm_get_dir(), name); + else + r = asprintf(iname, "%s_dif", name); + + return r < 0 ? -ENOMEM : 0; +} + int dm_is_dm_device(int major) { return dm_is_dm_major((uint32_t)major); diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c index 224d3d0..4ff4fc9 100644 --- a/lib/loopaes/loopaes.c +++ b/lib/loopaes/loopaes.c @@ -1,8 +1,8 @@ /* * loop-AES compatible volume handling * - * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2023 Milan Broz + * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/loopaes/loopaes.h b/lib/loopaes/loopaes.h index a921694..fe9e71c 100644 --- a/lib/loopaes/loopaes.h +++ b/lib/loopaes/loopaes.h @@ -1,8 +1,8 @@ /* * loop-AES compatible volume handling * - * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2011-2023 Milan Broz + * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/luks1/af.c b/lib/luks1/af.c index 76afeac..cafa468 100644 --- a/lib/luks1/af.c +++ b/lib/luks1/af.c @@ -2,7 +2,7 @@ * AFsplitter - Anti forensic information splitter * * Copyright (C) 2004 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. * * AFsplitter diffuses information over a large stripe of data, * therefore supporting secure data destruction. diff --git a/lib/luks1/af.h b/lib/luks1/af.h index 8a2bceb..efc1133 100644 --- a/lib/luks1/af.h +++ b/lib/luks1/af.h @@ -2,7 +2,7 @@ * AFsplitter - Anti forensic information splitter * * Copyright (C) 2004 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. * * AFsplitter diffuses information over a large stripe of data, * therefore supporting secure data destruction. diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c index c1c8201..64fdf2d 100644 --- a/lib/luks1/keyencryption.c +++ b/lib/luks1/keyencryption.c @@ -2,8 +2,8 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c index fe49a00..24ab160 100644 --- a/lib/luks1/keymanage.c +++ b/lib/luks1/keymanage.c @@ -2,8 +2,8 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2013-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2013-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/luks1/luks.h b/lib/luks1/luks.h index 9c3f386..74cb7a7 100644 --- a/lib/luks1/luks.h +++ b/lib/luks1/luks.h @@ -2,7 +2,7 @@ * LUKS - Linux Unified Key Setup * * Copyright (C) 2004-2006 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/luks2/hw_opal/hw_opal.c b/lib/luks2/hw_opal/hw_opal.c new file mode 100644 index 0000000..31ef87e --- /dev/null +++ b/lib/luks2/hw_opal/hw_opal.c @@ -0,0 +1,1089 @@ +/* + * OPAL utilities + * + * Copyright (C) 2022-2023 Luca Boccassi + * 2023 Ondrej Kozina + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +# include /* for major, minor */ +#endif + +#include "internal.h" +#include "libcryptsetup.h" +#include "luks2/hw_opal/hw_opal.h" +#include "utils_device_locking.h" + +#if HAVE_HW_OPAL + +#include + +/* Error codes are defined in the specification: + * TCG_Storage_Architecture_Core_Spec_v2.01_r1.00 + * Section 5.1.5: Method Status Codes + * Names and values from table 166 */ +typedef enum OpalStatus { + OPAL_STATUS_SUCCESS, + OPAL_STATUS_NOT_AUTHORIZED, + OPAL_STATUS_OBSOLETE0, /* Undefined but possible return values are called 'obsolete' */ + OPAL_STATUS_SP_BUSY, + OPAL_STATUS_SP_FAILED, + OPAL_STATUS_SP_DISABLED, + OPAL_STATUS_SP_FROZEN, + OPAL_STATUS_NO_SESSIONS_AVAILABLE, + OPAL_STATUS_UNIQUENESS_CONFLICT, + OPAL_STATUS_INSUFFICIENT_SPACE, + OPAL_STATUS_INSUFFICIENT_ROWS, + OPAL_STATUS_INVALID_PARAMETER, + OPAL_STATUS_OBSOLETE1, + OPAL_STATUS_OBSOLETE2, + OPAL_STATUS_TPER_MALFUNCTION, + OPAL_STATUS_TRANSACTION_FAILURE, + OPAL_STATUS_RESPONSE_OVERFLOW, + OPAL_STATUS_AUTHORITY_LOCKED_OUT, + OPAL_STATUS_FAIL = 0x3F, /* As defined by specification */ + _OPAL_STATUS_MAX, + _OPAL_STATUS_INVALID = -EINVAL, +} OpalStatus; + +static const char* const opal_status_table[_OPAL_STATUS_MAX] = { + [OPAL_STATUS_SUCCESS] = "success", + [OPAL_STATUS_NOT_AUTHORIZED] = "not authorized", + [OPAL_STATUS_OBSOLETE0] = "obsolete", + [OPAL_STATUS_SP_BUSY] = "SP busy", + [OPAL_STATUS_SP_FAILED] = "SP failed", + [OPAL_STATUS_SP_DISABLED] = "SP disabled", + [OPAL_STATUS_SP_FROZEN] = "SP frozen", + [OPAL_STATUS_NO_SESSIONS_AVAILABLE] = "no sessions available", + [OPAL_STATUS_UNIQUENESS_CONFLICT] = "uniqueness conflict", + [OPAL_STATUS_INSUFFICIENT_SPACE] = "insufficient space", + [OPAL_STATUS_INSUFFICIENT_ROWS] = "insufficient rows", + [OPAL_STATUS_INVALID_PARAMETER] = "invalid parameter", + [OPAL_STATUS_OBSOLETE1] = "obsolete", + [OPAL_STATUS_OBSOLETE2] = "obsolete", + [OPAL_STATUS_TPER_MALFUNCTION] = "TPer malfunction", + [OPAL_STATUS_TRANSACTION_FAILURE] = "transaction failure", + [OPAL_STATUS_RESPONSE_OVERFLOW] = "response overflow", + [OPAL_STATUS_AUTHORITY_LOCKED_OUT] = "authority locked out", + [OPAL_STATUS_FAIL] = "unknown failure", +}; + +static const char *opal_status_to_string(int t) +{ + if (t < 0) + return strerror(-t); + + if (t >= _OPAL_STATUS_MAX) + return "unknown error"; + + return opal_status_table[t]; +} + +static const char *opal_ioctl_to_string(unsigned long rq) +{ + switch(rq) { + case IOC_OPAL_GET_STATUS: return "GET_STATUS"; + case IOC_OPAL_GET_GEOMETRY: return "GET_GEOMETRY"; + case IOC_OPAL_GET_LR_STATUS: return "GET_LR_STATUS"; + case IOC_OPAL_TAKE_OWNERSHIP: return "TAKE_OWNERSHIP"; + case IOC_OPAL_ACTIVATE_USR: return "ACTIVATE_USR"; + case IOC_OPAL_ACTIVATE_LSP: return "ACTIVATE_LSP"; + case IOC_OPAL_ERASE_LR: return "ERASE_LR"; + case IOC_OPAL_SECURE_ERASE_LR: return "SECURE_ERASE_LR"; + case IOC_OPAL_ADD_USR_TO_LR: return "ADD_USR_TO_LR"; + case IOC_OPAL_SET_PW: return "SET_PW"; + case IOC_OPAL_LR_SETUP: return "LR_SETUP"; + case IOC_OPAL_LOCK_UNLOCK: return "LOCK_UNLOCK"; + case IOC_OPAL_SAVE: return "SAVE"; + case IOC_OPAL_PSID_REVERT_TPR: return "PSID_REVERT_TPR"; + } + + assert(false && "unknown OPAL ioctl"); + return NULL; +} + +static void opal_ioctl_debug(struct crypt_device *cd, + unsigned long rq, + void *args, + bool post, + int ret) +{ + const char *cmd = opal_ioctl_to_string(rq); + + if (ret) { + log_dbg(cd, "OPAL %s failed: %s", cmd, opal_status_to_string(ret)); + return; + } + + if (post) switch(rq) { + case IOC_OPAL_GET_STATUS: { /* OUT */ + struct opal_status *st = args; + log_dbg(cd, "OPAL %s: flags:%" PRIu32, cmd, st->flags); + }; + break; + case IOC_OPAL_GET_GEOMETRY: { /* OUT */ + struct opal_geometry *geo = args; + log_dbg(cd, "OPAL %s: align:%" PRIu8 ", lb_size:%" PRIu32 ", gran:%" PRIu64 ", lowest_lba:%" PRIu64, + cmd, geo->align, geo->logical_block_size, geo->alignment_granularity, geo->lowest_aligned_lba); + }; + break; + case IOC_OPAL_GET_LR_STATUS: { /* OUT */ + struct opal_lr_status *lrs = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8 + ", start:%" PRIu64 ", length:%" PRIu64 ", rle:%" PRIu32 ", rwe:%" PRIu32 ", state:%" PRIu32, + cmd, lrs->session.sum, lrs->session.who, lrs->session.opal_key.lr, + lrs->range_start, lrs->range_length, lrs->RLE, lrs->WLE, lrs->l_state); + }; + break; + } else switch (rq) { + case IOC_OPAL_TAKE_OWNERSHIP: { /* IN */ + log_dbg(cd, "OPAL %s", cmd); + }; + break; + case IOC_OPAL_ACTIVATE_USR: { /* IN */ + struct opal_session_info *ui = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8, + cmd, ui->sum, ui->who, ui->opal_key.lr); + }; + break; + case IOC_OPAL_ACTIVATE_LSP: { /* IN */ + struct opal_lr_act *act = args; + log_dbg(cd, "OPAL %s: k.lr:%" PRIu8 ", sum:%" PRIu32 ", num_lrs:%" PRIu8 ", lr:" + "%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8"|%"PRIu8, + cmd, act->key.lr, act->sum, act->num_lrs, + act->lr[0], act->lr[1], act->lr[2], act->lr[3], act->lr[4], + act->lr[5], act->lr[6], act->lr[7], act->lr[8]); + }; + break; + case IOC_OPAL_ERASE_LR: { /* IN */ + struct opal_session_info *ui = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8, + cmd, ui->sum, ui->who, ui->opal_key.lr); + }; + break; + case IOC_OPAL_SECURE_ERASE_LR: { /* IN */ + struct opal_session_info *ui = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8, + cmd, ui->sum, ui->who, ui->opal_key.lr); + }; + break; + case IOC_OPAL_ADD_USR_TO_LR: { /* IN */ + struct opal_lock_unlock *lu = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8 + ", l_state:%" PRIu32 ", flags:%" PRIu16, + cmd, lu->session.sum, lu->session.who, lu->session.opal_key.lr, + lu->l_state, lu->flags); + }; + break; + case IOC_OPAL_SET_PW: { /* IN */ + struct opal_new_pw *pw = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8, + cmd, pw->session.sum, pw->session.who, pw->session.opal_key.lr); + }; + break; + case IOC_OPAL_LR_SETUP: { /* IN */ + struct opal_user_lr_setup *lrs = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8 + ", start:%" PRIu64 ", length:%" PRIu64 ", rle:%" PRIu32 ", rwe:%" PRIu32, + cmd, lrs->session.sum, lrs->session.who, lrs->session.opal_key.lr, + lrs->range_start, lrs->range_length, lrs->RLE, lrs->WLE); + }; + break; + case IOC_OPAL_LOCK_UNLOCK: { /* IN */ + struct opal_lock_unlock *lu = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8 + ", l_state:%" PRIu32 ", flags:%" PRIu16, + cmd, lu->session.sum, lu->session.who, lu->session.opal_key.lr, + lu->l_state, lu->flags); + }; + break; + case IOC_OPAL_SAVE: { /* IN */ + struct opal_lock_unlock *lu = args; + log_dbg(cd, "OPAL %s: sum:%" PRIu32 ", who:%" PRIu32 ", lr:%" PRIu8 + ", l_state:%" PRIu32 ", flags:%" PRIu16, + cmd, lu->session.sum, lu->session.who, lu->session.opal_key.lr, + lu->l_state, lu->flags); + }; + break; + case IOC_OPAL_PSID_REVERT_TPR: { /* IN */ + struct opal_key *key = args; + log_dbg(cd, "OPAL %s: lr:%" PRIu8, + cmd, key->lr); + }; + break; + } +} + +static int opal_ioctl(struct crypt_device *cd, int fd, unsigned long rq, void *args) +{ + int r; + + opal_ioctl_debug(cd, rq, args, false, 0); + r = ioctl(fd, rq, args); + opal_ioctl_debug(cd, rq, args, true, r); + + return r; +} + +static int opal_geometry_fd(struct crypt_device *cd, + int fd, + bool *ret_align, + uint32_t *ret_block_size, + uint64_t *ret_alignment_granularity_blocks, + uint64_t *ret_lowest_lba_blocks) +{ + int r; + struct opal_geometry geo; + + assert(fd >= 0); + + r = opal_ioctl(cd, fd, IOC_OPAL_GET_GEOMETRY, &geo); + if (r != OPAL_STATUS_SUCCESS) + return r; + + if (ret_align) + *ret_align = (geo.align == 1); + if (ret_block_size) + *ret_block_size = geo.logical_block_size; + if (ret_alignment_granularity_blocks) + *ret_alignment_granularity_blocks = geo.alignment_granularity; + if (ret_lowest_lba_blocks) + *ret_lowest_lba_blocks = geo.lowest_aligned_lba; + + return r; +} + +static int opal_range_check_attributes_fd(struct crypt_device *cd, + int fd, + uint32_t segment_number, + const struct volume_key *vk, + const uint64_t *check_offset_sectors, + const uint64_t *check_length_sectors, + bool *check_read_locked, + bool *check_write_locked, + bool *ret_read_locked, + bool *ret_write_locked) +{ + int r; + struct opal_lr_status *lrs; + uint32_t opal_block_bytes = 0; + uint64_t offset, length; + bool read_locked, write_locked; + + assert(fd >= 0); + assert(cd); + assert(vk); + + if (check_offset_sectors || check_length_sectors) { + r = opal_geometry_fd(cd, fd, NULL, &opal_block_bytes, NULL, NULL); + if (r != OPAL_STATUS_SUCCESS) + return -EINVAL; + } + + lrs = crypt_safe_alloc(sizeof(*lrs)); + if (!lrs) + return -ENOMEM; + + *lrs = (struct opal_lr_status) { + .session = { + .who = segment_number + 1, + .opal_key = { + .key_len = vk->keylength, + .lr = segment_number + } + } + }; + memcpy(lrs->session.opal_key.key, vk->key, vk->keylength); + + r = opal_ioctl(cd, fd, IOC_OPAL_GET_LR_STATUS, lrs); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to get locking range status on device '%s'.", + crypt_get_device_name(cd)); + r = -EINVAL; + goto out; + } + + r = 0; + + if (check_offset_sectors) { + offset = lrs->range_start * opal_block_bytes / SECTOR_SIZE; + if (offset != *check_offset_sectors) { + log_err(cd, _("OPAL range %d offset %" PRIu64 " does not match expected values %" PRIu64 "."), + segment_number, offset, *check_offset_sectors); + r = -EINVAL; + } + } + + if (check_length_sectors) { + length = lrs->range_length * opal_block_bytes / SECTOR_SIZE; + if (length != *check_length_sectors) { + log_err(cd, _("OPAL range %d length %" PRIu64" does not match device length %" PRIu64 "."), + segment_number, length, *check_length_sectors); + r = -EINVAL; + } + } + + if (!lrs->RLE || !lrs->WLE) { + log_err(cd, _("OPAL range %d locking is disabled."), segment_number); + r = -EINVAL; + } + + read_locked = (lrs->l_state == OPAL_LK); + write_locked = !!(lrs->l_state & (OPAL_RO | OPAL_LK)); + + if (check_read_locked && (read_locked != *check_read_locked)) { + log_dbg(cd, "OPAL range %d read lock is %slocked.", + segment_number, *check_read_locked ? "" : "not "); + log_err(cd, _("Unexpected OPAL range %d lock state."), segment_number); + r = -EINVAL; + } + + if (check_write_locked && (write_locked != *check_write_locked)) { + log_dbg(cd, "OPAL range %d write lock is %slocked.", + segment_number, *check_write_locked ? "" : "not "); + log_err(cd, _("Unexpected OPAL range %d lock state."), segment_number); + r = -EINVAL; + } + + if (ret_read_locked) + *ret_read_locked = read_locked; + if (ret_write_locked) + *ret_write_locked = write_locked; +out: + crypt_safe_free(lrs); + + return r; +} + +static int opal_query_status(struct crypt_device *cd, struct device *dev, unsigned expected) +{ + struct opal_status st = { }; + int fd, r; + + assert(cd); + assert(dev); + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + r = opal_ioctl(cd, fd, IOC_OPAL_GET_STATUS, &st); + + return r < 0 ? -EINVAL : (st.flags & expected) ? 1 : 0; +} + +static int opal_enabled(struct crypt_device *cd, struct device *dev) +{ + return opal_query_status(cd, dev, OPAL_FL_LOCKING_ENABLED); +} + +/* requires opal lock */ +int opal_setup_ranges(struct crypt_device *cd, + struct device *dev, + const struct volume_key *vk, + uint64_t range_start, + uint64_t range_length, + uint32_t segment_number, + const void *admin_key, + size_t admin_key_len) +{ + struct opal_lr_act *activate = NULL; + struct opal_session_info *user_session = NULL; + struct opal_lock_unlock *user_add_to_lr = NULL, *lock = NULL; + struct opal_new_pw *new_pw = NULL; + struct opal_user_lr_setup *setup = NULL; + int r, fd; + + assert(cd); + assert(dev); + assert(vk); + assert(admin_key); + assert(vk->keylength <= OPAL_KEY_MAX); + + if (admin_key_len > OPAL_KEY_MAX) + return -EINVAL; + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + r = opal_enabled(cd, dev); + if (r < 0) + return r; + + /* If OPAL has never been enabled, we need to take ownership and do basic setup first */ + if (r == 0) { + activate = crypt_safe_alloc(sizeof(struct opal_lr_act)); + if (!activate) { + r = -ENOMEM; + goto out; + } + *activate = (struct opal_lr_act) { + .key = { + .key_len = admin_key_len, + }, + .num_lrs = 8, + /* A max of 9 segments are supported, enable them all as there's no reason not to + * (0 is whole-volume) + */ + .lr = { 1, 2, 3, 4, 5, 6, 7, 8 }, + }; + memcpy(activate->key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_TAKE_OWNERSHIP, &activate->key); + if (r < 0) { + r = -ENOTSUP; + log_dbg(cd, "OPAL not supported on this kernel version, refusing."); + goto out; + } + if (r == OPAL_STATUS_NOT_AUTHORIZED) /* We'll try again with a different key. */ { + r = -EPERM; + log_dbg(cd, "Failed to take ownership of OPAL device '%s': permission denied", + crypt_get_device_name(cd)); + goto out; + } + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to take ownership of OPAL device '%s': %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_LSP, activate); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to activate OPAL device '%s': %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + } else { + /* If it is already enabled, wipe the locking range first */ + user_session = crypt_safe_alloc(sizeof(struct opal_session_info)); + if (!user_session) { + r = -ENOMEM; + goto out; + } + *user_session = (struct opal_session_info) { + .who = OPAL_ADMIN1, + .opal_key = { + .lr = segment_number, + .key_len = admin_key_len, + }, + }; + memcpy(user_session->opal_key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_ERASE_LR, user_session); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to reset (erase) OPAL locking range %u on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + } + } + + crypt_safe_free(user_session); + + user_session = crypt_safe_alloc(sizeof(struct opal_session_info)); + if (!user_session) { + r = -ENOMEM; + goto out; + } + *user_session = (struct opal_session_info) { + .who = segment_number + 1, + .opal_key = { + .key_len = admin_key_len, + }, + }; + memcpy(user_session->opal_key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_USR, user_session); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to activate OPAL user on device '%s': %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + user_add_to_lr = crypt_safe_alloc(sizeof(struct opal_lock_unlock)); + if (!user_add_to_lr) { + r = -ENOMEM; + goto out; + } + *user_add_to_lr = (struct opal_lock_unlock) { + .session = { + .who = segment_number + 1, + .opal_key = { + .lr = segment_number, + .key_len = admin_key_len, + }, + }, + .l_state = OPAL_RO, + }; + memcpy(user_add_to_lr->session.opal_key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to add OPAL user to locking range %u (RO) on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + user_add_to_lr->l_state = OPAL_RW; + r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to add OPAL user to locking range %u (RW) on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + new_pw = crypt_safe_alloc(sizeof(struct opal_new_pw)); + if (!new_pw) { + r = -ENOMEM; + goto out; + } + *new_pw = (struct opal_new_pw) { + .session = { + .who = OPAL_ADMIN1, + .opal_key = { + .lr = segment_number, + .key_len = admin_key_len, + }, + }, + .new_user_pw = { + .who = segment_number + 1, + .opal_key = { + .key_len = vk->keylength, + .lr = segment_number, + }, + }, + }; + memcpy(new_pw->new_user_pw.opal_key.key, vk->key, vk->keylength); + memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_SET_PW, new_pw); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to set OPAL user password on device '%s': (%d) %s", + crypt_get_device_name(cd), r, opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + setup = crypt_safe_alloc(sizeof(struct opal_user_lr_setup)); + if (!setup) { + r = -ENOMEM; + goto out; + } + *setup = (struct opal_user_lr_setup) { + .range_start = range_start, + .range_length = range_length, + /* Some drives do not enable Locking Ranges on setup. This have some + * interesting consequences: Lock command called later below will pass, + * but locking range will _not_ be locked at all. + */ + .RLE = 1, + .WLE = 1, + .session = { + .who = OPAL_ADMIN1, + .opal_key = { + .key_len = admin_key_len, + .lr = segment_number, + }, + }, + }; + memcpy(setup->session.opal_key.key, admin_key, admin_key_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to setup locking range of length %llu at offset %llu on OPAL device '%s': %s", + setup->range_length, setup->range_start, crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + /* After setup an OPAL device is unlocked, but the expectation with cryptsetup is that it needs + * to be activated separately, so lock it immediately. */ + lock = crypt_safe_alloc(sizeof(struct opal_lock_unlock)); + if (!lock) { + r = -ENOMEM; + goto out; + } + *lock = (struct opal_lock_unlock) { + .l_state = OPAL_LK, + .session = { + .who = segment_number + 1, + .opal_key = { + .key_len = vk->keylength, + .lr = segment_number, + }, + } + }; + memcpy(lock->session.opal_key.key, vk->key, vk->keylength); + + r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, lock); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to lock OPAL device '%s': %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + /* Double check the locking range is locked and the ranges are set up as configured */ + r = opal_range_check_attributes_fd(cd, fd, segment_number, vk, &range_start, + &range_length, &(bool) {true}, &(bool){true}, + NULL, NULL); +out: + crypt_safe_free(activate); + crypt_safe_free(user_session); + crypt_safe_free(user_add_to_lr); + crypt_safe_free(new_pw); + crypt_safe_free(setup); + crypt_safe_free(lock); + + return r; +} + +static int opal_lock_unlock(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk, + bool lock) +{ + struct opal_lock_unlock unlock = { + .l_state = lock ? OPAL_LK : OPAL_RW, + .session = { + .who = segment_number + 1, + .opal_key = { + .lr = segment_number, + }, + }, + }; + int r, fd; + + if (opal_supported(cd, dev) <= 0) + return -ENOTSUP; + if (!lock && !vk) + return -EINVAL; + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + if (!lock) { + assert(vk->keylength <= OPAL_KEY_MAX); + + unlock.session.opal_key.key_len = vk->keylength; + memcpy(unlock.session.opal_key.key, vk->key, vk->keylength); + } + + r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, &unlock); + if (r < 0) { + r = -ENOTSUP; + log_dbg(cd, "OPAL not supported on this kernel version, refusing."); + goto out; + } + if (r == OPAL_STATUS_NOT_AUTHORIZED) /* We'll try again with a different key. */ { + r = -EPERM; + log_dbg(cd, "Failed to %slock OPAL device '%s': permission denied", + lock ? "" : "un", crypt_get_device_name(cd)); + goto out; + } + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to %slock OPAL device '%s': %s", + lock ? "" : "un", crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + /* If we are unlocking, also tell the kernel to automatically unlock when resuming + * from suspend, otherwise the drive will be locked and everything will go up in flames. + * Also set the flag to allow locking without having to pass the key again. + * But do not error out if this fails, as the device will already be unlocked. + * + * On a lock path we have to overwrite the cached key from kernel otherwise the locking range + * gets unlocked automatically after system resume even when cryptsetup previously locked it + * on purpose (crypt_deactivate* or crypt_suspend) + */ + if (!lock) + unlock.flags = OPAL_SAVE_FOR_LOCK; + + r = opal_ioctl(cd, fd, IOC_OPAL_SAVE, &unlock); + if (r != OPAL_STATUS_SUCCESS) { + if (!lock) + log_std(cd, "Failed to prepare OPAL device '%s' for sleep resume, be aware before suspending: %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + else + log_std(cd, "Failed to erase OPAL key for device '%s' from kernel: %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = 0; + } +out: + if (!lock) + crypt_safe_memzero(unlock.session.opal_key.key, unlock.session.opal_key.key_len); + + return r; +} + +/* requires opal lock */ +int opal_lock(struct crypt_device *cd, struct device *dev, uint32_t segment_number) +{ + return opal_lock_unlock(cd, dev, segment_number, NULL, /* lock= */ true); +} + +/* requires opal lock */ +int opal_unlock(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk) +{ + return opal_lock_unlock(cd, dev, segment_number, vk, /* lock= */ false); +} + +/* + * It does not require opal lock. This completely destroys + * data on whole OPAL block device. Serialization does not + * make sense here. + */ +int opal_factory_reset(struct crypt_device *cd, + struct device *dev, + const char *password, + size_t password_len) +{ + struct opal_key reset = { + .key_len = password_len, + }; + int r, fd; + + assert(cd); + assert(dev); + assert(password); + + if (password_len > OPAL_KEY_MAX) + return -EINVAL; + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + memcpy(reset.key, password, password_len); + + r = opal_ioctl(cd, fd, IOC_OPAL_PSID_REVERT_TPR, &reset); + if (r < 0) { + r = -ENOTSUP; + log_dbg(cd, "OPAL not supported on this kernel version, refusing."); + goto out; + } + if (r == OPAL_STATUS_NOT_AUTHORIZED) /* We'll try again with a different key. */ { + r = -EPERM; + log_dbg(cd, "Failed to reset OPAL device '%s', incorrect PSID?", + crypt_get_device_name(cd)); + goto out; + } + if (r != OPAL_STATUS_SUCCESS) { + r = -EINVAL; + log_dbg(cd, "Failed to reset OPAL device '%s' with PSID: %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + goto out; + } +out: + crypt_safe_memzero(reset.key, reset.key_len); + + return r; +} + +/* requires opal lock */ +int opal_reset_segment(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const char *password, + size_t password_len) +{ + struct opal_session_info *user_session = NULL; + struct opal_user_lr_setup *setup = NULL; + int r, fd; + + assert(cd); + assert(dev); + assert(password); + + if (password_len > OPAL_KEY_MAX) + return -EINVAL; + + if (opal_enabled(cd, dev) <= 0) + return -EINVAL; + + user_session = crypt_safe_alloc(sizeof(struct opal_session_info)); + if (!user_session) + return -ENOMEM; + *user_session = (struct opal_session_info) { + .who = OPAL_ADMIN1, + .opal_key = { + .lr = segment_number, + .key_len = password_len, + }, + }; + memcpy(user_session->opal_key.key, password, password_len); + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) { + r = -EIO; + goto out; + } + + r = opal_ioctl(cd, fd, IOC_OPAL_ERASE_LR, user_session); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to reset (erase) OPAL locking range %u on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s", + segment_number, crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + + /* Unlike IOC_OPAL_ERASE_LR, IOC_OPAL_SECURE_ERASE_LR does not disable the locking range, + * we have to do that by hand. + */ + setup = crypt_safe_alloc(sizeof(struct opal_user_lr_setup)); + if (!setup) { + r = -ENOMEM; + goto out; + } + *setup = (struct opal_user_lr_setup) { + .range_start = 0, + .range_length = 0, + .session = { + .who = OPAL_ADMIN1, + .opal_key = user_session->opal_key, + }, + }; + + r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup); + if (r != OPAL_STATUS_SUCCESS) { + log_dbg(cd, "Failed to disable locking range on OPAL device '%s': %s", + crypt_get_device_name(cd), opal_status_to_string(r)); + r = -EINVAL; + goto out; + } + } +out: + crypt_safe_free(user_session); + crypt_safe_free(setup); + + return r; +} + +/* + * Does not require opal lock (immutable). + */ +int opal_supported(struct crypt_device *cd, struct device *dev) +{ + return opal_query_status(cd, dev, OPAL_FL_SUPPORTED|OPAL_FL_LOCKING_SUPPORTED); +} + +/* + * Does not require opal lock (immutable). + */ +int opal_geometry(struct crypt_device *cd, + struct device *dev, + bool *ret_align, + uint32_t *ret_block_size, + uint64_t *ret_alignment_granularity_blocks, + uint64_t *ret_lowest_lba_blocks) +{ + int fd; + + assert(cd); + assert(dev); + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + return opal_geometry_fd(cd, fd, ret_align, ret_block_size, + ret_alignment_granularity_blocks, ret_lowest_lba_blocks); +} + +/* requires opal lock */ +int opal_range_check_attributes_and_get_lock_state(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk, + const uint64_t *check_offset_sectors, + const uint64_t *check_length_sectors, + bool *ret_read_locked, + bool *ret_write_locked) +{ + int fd; + + assert(cd); + assert(dev); + assert(vk); + + fd = device_open(cd, dev, O_RDONLY); + if (fd < 0) + return -EIO; + + return opal_range_check_attributes_fd(cd, fd, segment_number, vk, + check_offset_sectors, check_length_sectors, NULL, + NULL, ret_read_locked, ret_write_locked); +} + +static int opal_lock_internal(struct crypt_device *cd, struct device *opal_device, struct crypt_lock_handle **opal_lock) +{ + char *lock_resource; + int devfd, r; + struct stat st; + + if (!crypt_metadata_locking_enabled()) { + *opal_lock = NULL; + return 0; + } + + /* + * This also asserts we do not hold any metadata lock on the same device to + * avoid deadlock (OPAL lock must be taken first) + */ + devfd = device_open(cd, opal_device, O_RDONLY); + if (devfd < 0) + return -EINVAL; + + if (fstat(devfd, &st) || !S_ISBLK(st.st_mode)) + return -EINVAL; + + r = asprintf(&lock_resource, "OPAL_%d:%d", major(st.st_rdev), minor(st.st_rdev)); + if (r < 0) + return -ENOMEM; + + r = crypt_write_lock(cd, lock_resource, true, opal_lock); + + free(lock_resource); + + return r; +} + +int opal_exclusive_lock(struct crypt_device *cd, struct device *opal_device, struct crypt_lock_handle **opal_lock) +{ + if (!cd || !opal_device || (crypt_get_type(cd) && strcmp(crypt_get_type(cd), CRYPT_LUKS2))) + return -EINVAL; + + return opal_lock_internal(cd, opal_device, opal_lock); +} + +void opal_exclusive_unlock(struct crypt_device *cd, struct crypt_lock_handle *opal_lock) +{ + crypt_unlock_internal(cd, opal_lock); +} + +#else +#pragma GCC diagnostic ignored "-Wunused-parameter" + +int opal_setup_ranges(struct crypt_device *cd, + struct device *dev, + const struct volume_key *vk, + uint64_t range_start, + uint64_t range_length, + uint32_t segment_number, + const void *admin_key, + size_t admin_key_len) +{ + return -ENOTSUP; +} + +int opal_lock(struct crypt_device *cd, struct device *dev, uint32_t segment_number) +{ + return -ENOTSUP; +} + +int opal_unlock(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk) +{ + return -ENOTSUP; +} + +int opal_supported(struct crypt_device *cd, struct device *dev) +{ + return -ENOTSUP; +} + +int opal_factory_reset(struct crypt_device *cd, + struct device *dev, + const char *password, + size_t password_len) +{ + return -ENOTSUP; +} + +int opal_reset_segment(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const char *password, + size_t password_len) +{ + return -ENOTSUP; +} + +int opal_geometry(struct crypt_device *cd, + struct device *dev, + bool *ret_align, + uint32_t *ret_block_size, + uint64_t *ret_alignment_granularity_blocks, + uint64_t *ret_lowest_lba_blocks) +{ + return -ENOTSUP; +} + +int opal_range_check_attributes_and_get_lock_state(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk, + const uint64_t *check_offset_sectors, + const uint64_t *check_length_sectors, + bool *ret_read_locked, + bool *ret_write_locked) +{ + return -ENOTSUP; +} + +int opal_exclusive_lock(struct crypt_device *cd, struct device *opal_device, struct crypt_lock_handle **opal_lock) +{ + return -ENOTSUP; +} + +void opal_exclusive_unlock(struct crypt_device *cd, struct crypt_lock_handle *opal_lock) +{ +} + +#endif diff --git a/lib/luks2/hw_opal/hw_opal.h b/lib/luks2/hw_opal/hw_opal.h new file mode 100644 index 0000000..f1823bf --- /dev/null +++ b/lib/luks2/hw_opal/hw_opal.h @@ -0,0 +1,71 @@ +/* + * OPAL utilities + * + * Copyright (C) 2022-2023 Luca Boccassi + * 2023 Ondrej Kozina + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef _UTILS_OPAL +#define _UTILS_OPAL + +#include "internal.h" + +struct crypt_lock_handle; + +int opal_setup_ranges(struct crypt_device *cd, + struct device *dev, + const struct volume_key *vk, + uint64_t range_start, + uint64_t range_length, + uint32_t segment_number, + const void *admin_key, + size_t admin_key_len); +int opal_lock(struct crypt_device *cd, struct device *dev, uint32_t segment_number); +int opal_unlock(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk); +int opal_supported(struct crypt_device *cd, struct device *dev); +int opal_factory_reset(struct crypt_device *cd, + struct device *dev, + const char *password, + size_t password_len); +int opal_reset_segment(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const char *password, + size_t password_len); +int opal_geometry(struct crypt_device *cd, + struct device *dev, + bool *ret_align, + uint32_t *ret_block_size, + uint64_t *ret_alignment_granularity_blocks, + uint64_t *ret_lowest_lba_blocks); +int opal_range_check_attributes_and_get_lock_state(struct crypt_device *cd, + struct device *dev, + uint32_t segment_number, + const struct volume_key *vk, + const uint64_t *check_offset_sectors, + const uint64_t *check_length_sectors, + bool *ret_read_locked, + bool *ret_write_locked); +int opal_exclusive_lock(struct crypt_device *cd, + struct device *opal_device, + struct crypt_lock_handle **opal_lock); +void opal_exclusive_unlock(struct crypt_device *cd, struct crypt_lock_handle *opal_lock); + +#endif diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h index dfccf02..25ae1dd 100644 --- a/lib/luks2/luks2.h +++ b/lib/luks2/luks2.h @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -224,8 +224,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd, int LUKS2_keyslot_wipe(struct crypt_device *cd, struct luks2_hdr *hdr, - int keyslot, - int wipe_area_only); + int keyslot); crypt_keyslot_priority LUKS2_keyslot_priority_get(struct luks2_hdr *hdr, int keyslot); @@ -277,6 +276,7 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd, int LUKS2_token_open_and_activate(struct crypt_device *cd, struct luks2_hdr *hdr, + int keyslot, int token, const char *name, const char *type, @@ -287,6 +287,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, int LUKS2_token_unlock_key(struct crypt_device *cd, struct luks2_hdr *hdr, + int keyslot, int token, const char *type, const char *pin, @@ -359,7 +360,8 @@ int LUKS2_digest_create(struct crypt_device *cd, */ int LUKS2_activate(struct crypt_device *cd, const char *name, - struct volume_key *vk, + struct volume_key *crypt_key, + struct volume_key *opal_key, uint32_t flags); int LUKS2_activate_multi(struct crypt_device *cd, @@ -378,16 +380,23 @@ int LUKS2_generate_hdr( struct crypt_device *cd, struct luks2_hdr *hdr, const struct volume_key *vk, - const char *cipherName, - const char *cipherMode, + const char *cipher_spec, const char *integrity, const char *uuid, unsigned int sector_size, uint64_t data_offset, - uint64_t align_offset, - uint64_t required_alignment, - uint64_t metadata_size, - uint64_t keyslots_size); + uint64_t metadata_size_bytes, + uint64_t keyslots_size_bytes, + uint64_t device_size_bytes, + uint32_t opal_segment_number, + uint32_t opal_key_size); + +int LUKS2_hdr_get_storage_params(struct crypt_device *cd, + uint64_t alignment_offset_bytes, + uint64_t alignment_bytes, + uint64_t *ret_metadata_size_bytes, + uint64_t *ret_keyslots_size_bytes, + uint64_t *ret_data_offset_bytes); int LUKS2_check_metadata_area_size(uint64_t metadata_size); int LUKS2_check_keyslots_area_size(uint64_t keyslots_size); @@ -414,6 +423,12 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr, uint64_t *length); int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf); +int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd, + struct luks2_hdr *hdr, + const struct volume_key *vk, + struct volume_key **ret_crypt_key, + struct volume_key **ret_opal_key); + /* * Permanent activation flags stored in header */ @@ -457,6 +472,9 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd, size_t passphrase_size, struct volume_key **vks); +int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd, + struct volume_key *vks); + void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh); @@ -479,9 +497,13 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, - bool activation, + bool device_exclusive_check, bool dynamic); +void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, + struct luks2_hdr *hdr, + struct volume_key *vk); + int LUKS2_reencrypt_digest_verify(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks); diff --git a/lib/luks2/luks2_digest.c b/lib/luks2/luks2_digest.c index 933b059..293df3e 100644 --- a/lib/luks2/luks2_digest.c +++ b/lib/luks2/luks2_digest.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, digest handling * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -157,7 +157,7 @@ int LUKS2_digest_dump(struct crypt_device *cd, int digest) } int LUKS2_digest_any_matching(struct crypt_device *cd, - struct luks2_hdr *hdr, + struct luks2_hdr *hdr __attribute__((unused)), const struct volume_key *vk) { int digest; @@ -174,6 +174,18 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd, int segment, const struct volume_key *vk) { + int r = -EINVAL; + unsigned s; + + if (segment == CRYPT_ANY_SEGMENT) { + for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) { + if ((r = LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, s), vk)) >= 0) + return r; + } + + return -EPERM; + } + return LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, segment), vk); } diff --git a/lib/luks2/luks2_digest_pbkdf2.c b/lib/luks2/luks2_digest_pbkdf2.c index 1009cfb..e8fd00d 100644 --- a/lib/luks2/luks2_digest_pbkdf2.c +++ b/lib/luks2/luks2_digest_pbkdf2.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible) * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -147,6 +147,9 @@ static int PBKDF2_digest_store(struct crypt_device *cd, json_object_object_get_ex(hdr->jobj, "digests", &jobj_digests); } + if (!jobj_digest) + return -ENOMEM; + json_object_object_add(jobj_digest, "type", json_object_new_string("pbkdf2")); json_object_object_add(jobj_digest, "keyslots", json_object_new_array()); json_object_object_add(jobj_digest, "segments", json_object_new_array()); @@ -169,8 +172,13 @@ static int PBKDF2_digest_store(struct crypt_device *cd, json_object_object_add(jobj_digest, "digest", json_object_new_string(base64_str)); free(base64_str); - if (jobj_digests) - json_object_object_add_by_uint(jobj_digests, digest, jobj_digest); + if (jobj_digests) { + r = json_object_object_add_by_uint(jobj_digests, digest, jobj_digest); + if (r < 0) { + json_object_put(jobj_digest); + return r; + } + } JSON_DBG(cd, jobj_digest, "Digest JSON:"); return 0; diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c index e995959..d7f360c 100644 --- a/lib/luks2/luks2_disk_metadata.c +++ b/lib/luks2/luks2_disk_metadata.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -256,6 +256,7 @@ static int hdr_read_disk(struct crypt_device *cd, if (read_lseek_blockwise(devfd, device_block_size(cd, device), device_alignment(device), hdr_disk, LUKS2_HDR_BIN_LEN, offset) != LUKS2_HDR_BIN_LEN) { + memset(hdr_disk, 0, LUKS2_HDR_BIN_LEN); return -EIO; } @@ -537,11 +538,20 @@ static int validate_luks2_json_object(struct crypt_device *cd, json_object *jobj } static json_object *parse_and_validate_json(struct crypt_device *cd, - const char *json_area, uint64_t max_length) + const char *json_area, uint64_t hdr_size) { int json_len, r; - json_object *jobj = parse_json_len(cd, json_area, max_length, &json_len); + json_object *jobj; + uint64_t max_length; + + if (hdr_size <= LUKS2_HDR_BIN_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) { + log_dbg(cd, "LUKS2 header JSON has bogus size 0x%04" PRIx64 ".", hdr_size); + return NULL; + } + + max_length = hdr_size - LUKS2_HDR_BIN_LEN; + jobj = parse_json_len(cd, json_area, max_length, &json_len); if (!jobj) return NULL; @@ -635,7 +645,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, state_hdr1 = HDR_FAIL; r = hdr_read_disk(cd, device, &hdr_disk1, &json_area1, 0, 0); if (r == 0) { - jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size) - LUKS2_HDR_BIN_LEN); + jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size)); state_hdr1 = jobj_hdr1 ? HDR_OK : HDR_OBSOLETE; } else if (r == -EIO) state_hdr1 = HDR_FAIL_IO; @@ -647,7 +657,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, if (state_hdr1 != HDR_FAIL && state_hdr1 != HDR_FAIL_IO) { r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, be64_to_cpu(hdr_disk1.hdr_size), 1); if (r == 0) { - jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size) - LUKS2_HDR_BIN_LEN); + jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size)); state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE; } else if (r == -EIO) state_hdr2 = HDR_FAIL_IO; @@ -655,11 +665,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, /* * No header size, check all known offsets. */ + hdr_disk2.hdr_size = 0; for (r = -EINVAL,i = 0; r < 0 && i < ARRAY_SIZE(hdr2_offsets); i++) r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, hdr2_offsets[i], 1); if (r == 0) { - jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size) - LUKS2_HDR_BIN_LEN); + jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size)); state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE; } else if (r == -EIO) state_hdr2 = HDR_FAIL_IO; diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h index b564a48..aacc75e 100644 --- a/lib/luks2/luks2_internal.h +++ b/lib/luks2/luks2_internal.h @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -62,6 +62,7 @@ uint32_t crypt_jobj_get_uint32(json_object *jobj); json_object *crypt_jobj_new_uint64(uint64_t value); int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val); +int json_object_object_add_by_uint_by_ref(json_object *jobj, unsigned key, json_object **jobj_val_ref); void json_object_object_del_by_uint(json_object *jobj, unsigned key); int json_object_copy(json_object *jobj_src, json_object **jobj_dst); @@ -295,13 +296,24 @@ uint64_t json_segment_get_iv_offset(json_object *jobj_segment); uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise); const char *json_segment_get_cipher(json_object *jobj_segment); uint32_t json_segment_get_sector_size(json_object *jobj_segment); +int json_segment_get_opal_segment_id(json_object *jobj_segment, uint32_t *ret_opal_segment_id); +int json_segment_get_opal_key_size(json_object *jobj_segment, size_t *ret_key_size); bool json_segment_is_backup(json_object *jobj_segment); json_object *json_segments_get_segment(json_object *jobj_segments, int segment); unsigned json_segments_count(json_object *jobj_segments); void json_segment_remove_flag(json_object *jobj_segment, const char *flag); uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise); json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption); -json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption); +json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, + const char *cipher, const char *integrity, + uint32_t sector_size, unsigned reencryption); +json_object *json_segment_create_opal(uint64_t offset, const uint64_t *length, + uint32_t segment_number, uint32_t key_size); +json_object *json_segment_create_opal_crypt(uint64_t offset, const uint64_t *length, + uint32_t segment_number, uint32_t key_size, + uint64_t iv_offset, const char *cipher, + const char *integrity, uint32_t sector_size, + unsigned reencryption); int json_segments_segment_in_reencrypt(json_object *jobj_segments); bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2); bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len); @@ -338,10 +350,26 @@ uint64_t LUKS2_segment_size(struct luks2_hdr *hdr, int segment, unsigned blockwise); +bool LUKS2_segment_set_size(struct luks2_hdr *hdr, + int segment, + const uint64_t *segment_size_bytes); + +uint64_t LUKS2_opal_segment_size(struct luks2_hdr *hdr, + int segment, + unsigned blockwise); + int LUKS2_segment_is_type(struct luks2_hdr *hdr, int segment, const char *type); +bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment); +bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment); +bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment); + +int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment, + uint32_t *ret_opal_segment_number); +int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment); + int LUKS2_segment_by_type(struct luks2_hdr *hdr, const char *type); @@ -350,8 +378,11 @@ int LUKS2_last_segment_by_type(struct luks2_hdr *hdr, int LUKS2_get_default_segment(struct luks2_hdr *hdr); +bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr); + int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr); int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr); +unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr); int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise); /* diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c index 4456358..100e026 100644 --- a/lib/luks2/luks2_json_format.c +++ b/lib/luks2/luks2_json_format.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS2 header format code * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -204,76 +204,33 @@ int LUKS2_generate_hdr( struct crypt_device *cd, struct luks2_hdr *hdr, const struct volume_key *vk, - const char *cipherName, - const char *cipherMode, + const char *cipher_spec, const char *integrity, const char *uuid, unsigned int sector_size, /* in bytes */ uint64_t data_offset, /* in bytes */ - uint64_t align_offset, /* in bytes */ - uint64_t required_alignment, - uint64_t metadata_size, - uint64_t keyslots_size) + uint64_t metadata_size_bytes, + uint64_t keyslots_size_bytes, + uint64_t device_size_bytes, + uint32_t opal_segment_number, + uint32_t opal_key_size) { - struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config; - char cipher[128]; + struct json_object *jobj_segment, *jobj_keyslots, *jobj_segments, *jobj_config; uuid_t partitionUuid; int r, digest; - uint64_t mdev_size; - if (!metadata_size) - metadata_size = LUKS2_HDR_16K_LEN; - hdr->hdr_size = metadata_size; + assert(cipher_spec || (opal_key_size > 0 && device_size_bytes)); - if (data_offset && data_offset < get_min_offset(hdr)) { - log_err(cd, _("Requested data offset is too small.")); - return -EINVAL; - } - - /* Increase keyslot size according to data offset */ - if (!keyslots_size && data_offset) - keyslots_size = data_offset - get_min_offset(hdr); - - /* keyslots size has to be 4 KiB aligned */ - keyslots_size -= (keyslots_size % 4096); - - if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE) - keyslots_size = LUKS2_MAX_KEYSLOTS_SIZE; - - if (!keyslots_size) { - assert(LUKS2_DEFAULT_HDR_SIZE > 2 * LUKS2_HDR_OFFSET_MAX); - keyslots_size = LUKS2_DEFAULT_HDR_SIZE - get_min_offset(hdr); - /* Decrease keyslots_size due to metadata device being too small */ - if (!device_size(crypt_metadata_device(cd), &mdev_size) && - ((keyslots_size + get_min_offset(hdr)) > mdev_size) && - device_fallocate(crypt_metadata_device(cd), keyslots_size + get_min_offset(hdr)) && - (get_min_offset(hdr) <= mdev_size)) - keyslots_size = mdev_size - get_min_offset(hdr); - } - - /* Decrease keyslots_size if we have smaller data_offset */ - if (data_offset && (keyslots_size + get_min_offset(hdr)) > data_offset) { - keyslots_size = data_offset - get_min_offset(hdr); - log_dbg(cd, "Decreasing keyslot area size to %" PRIu64 - " bytes due to the requested data offset %" - PRIu64 " bytes.", keyslots_size, data_offset); - } - - /* Data offset has priority */ - if (!data_offset && required_alignment) { - data_offset = size_round_up(get_min_offset(hdr) + keyslots_size, - (size_t)required_alignment); - data_offset += align_offset; - } + hdr->hdr_size = metadata_size_bytes; log_dbg(cd, "Formatting LUKS2 with JSON metadata area %" PRIu64 " bytes and keyslots area %" PRIu64 " bytes.", - metadata_size - LUKS2_HDR_BIN_LEN, keyslots_size); + metadata_size_bytes - LUKS2_HDR_BIN_LEN, keyslots_size_bytes); - if (keyslots_size < (LUKS2_HDR_OFFSET_MAX - 2*LUKS2_HDR_16K_LEN)) + if (keyslots_size_bytes < (LUKS2_HDR_OFFSET_MAX - 2*LUKS2_HDR_16K_LEN)) log_std(cd, _("WARNING: keyslots area (%" PRIu64 " bytes) is very small," " available LUKS2 keyslot count is very limited.\n"), - keyslots_size); + keyslots_size_bytes); hdr->seqid = 1; hdr->version = 2; @@ -291,54 +248,81 @@ int LUKS2_generate_hdr( uuid_unparse(partitionUuid, hdr->uuid); - if (*cipherMode != '\0') - r = snprintf(cipher, sizeof(cipher), "%s-%s", cipherName, cipherMode); - else - r = snprintf(cipher, sizeof(cipher), "%s", cipherName); - if (r < 0 || (size_t)r >= sizeof(cipher)) - return -EINVAL; - hdr->jobj = json_object_new_object(); + if (!hdr->jobj) { + r = -ENOMEM; + goto err; + } jobj_keyslots = json_object_new_object(); + if (!jobj_keyslots) { + r = -ENOMEM; + goto err; + } + json_object_object_add(hdr->jobj, "keyslots", jobj_keyslots); json_object_object_add(hdr->jobj, "tokens", json_object_new_object()); jobj_segments = json_object_new_object(); + if (!jobj_segments) { + r = -ENOMEM; + goto err; + } + json_object_object_add(hdr->jobj, "segments", jobj_segments); json_object_object_add(hdr->jobj, "digests", json_object_new_object()); jobj_config = json_object_new_object(); + if (!jobj_config) { + r = -ENOMEM; + goto err; + } + json_object_object_add(hdr->jobj, "config", jobj_config); digest = LUKS2_digest_create(cd, "pbkdf2", hdr, vk); - if (digest < 0) + if (digest < 0) { + r = -EINVAL; goto err; + } - if (LUKS2_digest_segment_assign(cd, hdr, 0, digest, 1, 0) < 0) + if (LUKS2_digest_segment_assign(cd, hdr, 0, digest, 1, 0) < 0) { + r = -EINVAL; goto err; + } - jobj_segment = json_segment_create_crypt(data_offset, 0, NULL, cipher, sector_size, 0); - if (!jobj_segment) - goto err; + if (!opal_key_size) + jobj_segment = json_segment_create_crypt(data_offset, 0, + NULL, cipher_spec, + integrity, sector_size, + 0); + else if (opal_key_size && cipher_spec) + jobj_segment = json_segment_create_opal_crypt(data_offset, &device_size_bytes, + opal_segment_number, opal_key_size, 0, + cipher_spec, integrity, + sector_size, 0); + else + jobj_segment = json_segment_create_opal(data_offset, &device_size_bytes, + opal_segment_number, opal_key_size); - if (integrity) { - jobj_integrity = json_object_new_object(); - json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity)); - json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none")); - json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none")); - json_object_object_add(jobj_segment, "integrity", jobj_integrity); + if (!jobj_segment) { + r = -EINVAL; + goto err; } - json_object_object_add_by_uint(jobj_segments, 0, jobj_segment); + if (json_object_object_add_by_uint(jobj_segments, 0, jobj_segment)) { + json_object_put(jobj_segment); + r = -ENOMEM; + goto err; + } - json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN)); - json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size)); + json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size_bytes - LUKS2_HDR_BIN_LEN)); + json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size_bytes)); JSON_DBG(cd, hdr->jobj, "Header JSON:"); return 0; err: json_object_put(hdr->jobj); hdr->jobj = NULL; - return -EINVAL; + return r; } int LUKS2_wipe_header_areas(struct crypt_device *cd, @@ -379,6 +363,14 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd, offset = get_min_offset(hdr); length = LUKS2_keyslots_size(hdr); + /* + * Skip keyslots area wipe in case it is not defined. + * Otherwise we would wipe whole data device (length == 0) + * starting at offset get_min_offset(hdr). + */ + if (!length) + return 0; + log_dbg(cd, "Wiping keyslots area (0x%06" PRIx64 " - 0x%06" PRIx64") with random data.", offset, length + offset); @@ -409,3 +401,80 @@ int LUKS2_set_keyslots_size(struct luks2_hdr *hdr, uint64_t data_offset) json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size)); return 0; } + +int LUKS2_hdr_get_storage_params(struct crypt_device *cd, + uint64_t alignment_offset_bytes, + uint64_t alignment_bytes, + uint64_t *ret_metadata_size_bytes, + uint64_t *ret_keyslots_size_bytes, + uint64_t *ret_data_offset_bytes) +{ + uint64_t data_offset_bytes, keyslots_size_bytes, metadata_size_bytes, mdev_size_bytes; + + assert(cd); + assert(ret_metadata_size_bytes); + assert(ret_keyslots_size_bytes); + assert(ret_data_offset_bytes); + + metadata_size_bytes = crypt_get_metadata_size_bytes(cd); + keyslots_size_bytes = crypt_get_keyslots_size_bytes(cd); + data_offset_bytes = crypt_get_data_offset_sectors(cd) * SECTOR_SIZE; + + if (!metadata_size_bytes) + metadata_size_bytes = LUKS2_HDR_16K_LEN; + + if (data_offset_bytes && data_offset_bytes < 2 * metadata_size_bytes) { + log_err(cd, _("Requested data offset is too small.")); + return -EINVAL; + } + + /* Increase keyslot size according to data offset */ + if (!keyslots_size_bytes && data_offset_bytes) + keyslots_size_bytes = data_offset_bytes - 2 * metadata_size_bytes; + + /* keyslots size has to be 4 KiB aligned */ + keyslots_size_bytes -= (keyslots_size_bytes % 4096); + + if (keyslots_size_bytes > LUKS2_MAX_KEYSLOTS_SIZE) + keyslots_size_bytes = LUKS2_MAX_KEYSLOTS_SIZE; + + if (!keyslots_size_bytes) { + assert(LUKS2_DEFAULT_HDR_SIZE > 2 * LUKS2_HDR_OFFSET_MAX); + keyslots_size_bytes = LUKS2_DEFAULT_HDR_SIZE - 2 * metadata_size_bytes; + /* Decrease keyslots_size due to metadata device being too small */ + if (!device_size(crypt_metadata_device(cd), &mdev_size_bytes) && + ((keyslots_size_bytes + 2 * metadata_size_bytes) > mdev_size_bytes) && + device_fallocate(crypt_metadata_device(cd), keyslots_size_bytes + 2 * metadata_size_bytes) && + ((2 * metadata_size_bytes) <= mdev_size_bytes)) + keyslots_size_bytes = mdev_size_bytes - 2 * metadata_size_bytes; + } + + /* Decrease keyslots_size if we have smaller data_offset */ + if (data_offset_bytes && (keyslots_size_bytes + 2 * metadata_size_bytes) > data_offset_bytes) { + keyslots_size_bytes = data_offset_bytes - 2 * metadata_size_bytes; + log_dbg(cd, "Decreasing keyslot area size to %" PRIu64 + " bytes due to the requested data offset %" + PRIu64 " bytes.", keyslots_size_bytes, data_offset_bytes); + } + + /* Data offset has priority */ + if (!data_offset_bytes && alignment_bytes) { + data_offset_bytes = size_round_up(2 * metadata_size_bytes + keyslots_size_bytes, + (size_t)alignment_bytes); + data_offset_bytes += alignment_offset_bytes; + } + + if (crypt_get_metadata_size_bytes(cd) && (crypt_get_metadata_size_bytes(cd) != metadata_size_bytes)) + log_std(cd, _("WARNING: LUKS2 metadata size changed to %" PRIu64 " bytes.\n"), + metadata_size_bytes); + + if (crypt_get_keyslots_size_bytes(cd) && (crypt_get_keyslots_size_bytes(cd) != keyslots_size_bytes)) + log_std(cd, _("WARNING: LUKS2 keyslots area size changed to %" PRIu64 " bytes.\n"), + keyslots_size_bytes); + + *ret_metadata_size_bytes = metadata_size_bytes; + *ret_keyslots_size_bytes = keyslots_size_bytes; + *ret_data_offset_bytes = data_offset_bytes; + + return 0; +} diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c index 4771f04..22f3e3d 100644 --- a/lib/luks2/luks2_json_metadata.c +++ b/lib/luks2/luks2_json_metadata.c @@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2 * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz - * Copyright (C) 2015-2023 Ondrej Kozina + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz + * Copyright (C) 2015-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,6 +21,7 @@ */ #include "luks2_internal.h" +#include "luks2/hw_opal/hw_opal.h" #include "../integrity/integrity.h" #include #include @@ -88,6 +89,9 @@ struct json_object *LUKS2_array_remove(struct json_object *array, const char *nu /* Create new array without jobj_removing. */ array_new = json_object_new_array(); + if (!array_new) + return NULL; + for (i = 0; i < (int) json_object_array_length(array); i++) { jobj1 = json_object_array_get_idx(array, i); if (jobj1 != jobj_removing) @@ -478,6 +482,9 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj json = json_object_to_json_string_ext(hdr_jobj, JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); + if (!json) + return 1; + json_area_size = crypt_jobj_get_uint64(jobj1); json_size = (uint64_t)strlen(json); @@ -637,6 +644,11 @@ static int reqs_reencrypt_online(uint32_t reqs) return reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT; } +static int reqs_opal(uint32_t reqs) +{ + return reqs & CRYPT_REQUIREMENT_OPAL; +} + /* * Config section requirements object must be valid. * Also general segments section must be validated first. @@ -697,7 +709,7 @@ static int validate_reencrypt_segments(struct crypt_device *cd, json_object *hdr static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) { json_object *jobj_segments, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags, *jobj; - uint64_t offset, size; + uint64_t offset, size, opal_segment_size; int i, r, count, first_backup = -1; struct interval *intervals = NULL; @@ -777,6 +789,32 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) if (!strcmp(json_object_get_string(jobj_type), "crypt") && hdr_validate_crypt_segment(cd, val, key, jobj_digests, size)) return 1; + + /* opal */ + if (!strncmp(json_object_get_string(jobj_type), "hw-opal", 7)) { + if (!size) { + log_dbg(cd, "segment type %s does not support dynamic size.", + json_object_get_string(jobj_type)); + return 1; + } + if (!json_contains(cd, val, key, "Segment", "opal_segment_number", json_type_int) || + !json_contains(cd, val, key, "Segment", "opal_key_size", json_type_int) || + !(jobj_size = json_contains_string(cd, val, key, "Segment", "opal_segment_size"))) + return 1; + if (!numbered(cd, "opal_segment_size", json_object_get_string(jobj_size))) + return 1; + if (!json_str_to_uint64(jobj_size, &opal_segment_size) || !opal_segment_size) { + log_dbg(cd, "Illegal OPAL segment size value."); + return 1; + } + if (size > opal_segment_size) { + log_dbg(cd, "segment size overflows OPAL locking range size."); + return 1; + } + if (!strcmp(json_object_get_string(jobj_type), "hw-opal-crypt") && + hdr_validate_crypt_segment(cd, val, key, jobj_digests, size)) + return 1; + } } if (first_backup == 0) { @@ -1575,6 +1613,8 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3 return 0; jobj_flags = json_object_new_array(); + if (!jobj_flags) + return -ENOMEM; for (i = 0; persistent_flags[i].description; i++) { if (flags & persistent_flags[i].flag) { @@ -1615,6 +1655,7 @@ static const struct requirement_flag requirements_flags[] = { { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 2, "online-reencrypt-v2" }, { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 3, "online-reencrypt-v3" }, { CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1, "online-reencrypt" }, + { CRYPT_REQUIREMENT_OPAL, 1, "opal" }, { 0, 0, NULL } }; @@ -1707,7 +1748,7 @@ int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version) return -ENOENT; } -static const struct requirement_flag *stored_requirement_name_by_id(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id) +static const struct requirement_flag *stored_requirement_name_by_id(struct luks2_hdr *hdr, uint32_t req_id) { json_object *jobj_mandatory, *jobj; int i, len; @@ -1786,7 +1827,7 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr req_id = reqs & requirements_flags[i].flag; if (req_id) { /* retain already stored version of requirement flag */ - req = stored_requirement_name_by_id(cd, hdr, req_id); + req = stored_requirement_name_by_id(hdr, req_id); if (req) jobj = json_object_new_string(req->description); else @@ -2090,6 +2131,8 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj) if (json_object_object_get_ex(jobj_segment, "encryption", &jobj1)) log_std(cd, "\tcipher: %s\n", json_object_get_string(jobj1)); + else + log_std(cd, "\tcipher: (no SW encryption)\n"); if (json_object_object_get_ex(jobj_segment, "sector_size", &jobj1)) log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", crypt_jobj_get_uint32(jobj1)); @@ -2109,6 +2152,18 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj) log_std(cd, "\n"); } + json_object_object_get_ex(jobj_segment, "type", &jobj1); + if (!strncmp(json_object_get_string(jobj1), "hw-opal", 7)) { + log_std(cd, "\tHW OPAL encryption:\n"); + json_object_object_get_ex(jobj_segment, "opal_segment_number", &jobj1); + log_std(cd, "\t\tOPAL segment number: %" PRIu32 "\n", crypt_jobj_get_uint32(jobj1)); + json_object_object_get_ex(jobj_segment, "opal_key_size", &jobj1); + log_std(cd, "\t\tOPAL key: %" PRIu32 " bits\n", crypt_jobj_get_uint32(jobj1) * 8); + json_object_object_get_ex(jobj_segment, "opal_segment_size", &jobj1); + json_str_to_uint64(jobj1, &value); + log_std(cd, "\t\tOPAL segment length: %" PRIu64 " [bytes]\n", value); + } + log_std(cd, "\n"); } } @@ -2584,26 +2639,104 @@ int LUKS2_activate_multi(struct crypt_device *cd, int LUKS2_activate(struct crypt_device *cd, const char *name, - struct volume_key *vk, + struct volume_key *crypt_key, + struct volume_key *opal_key, uint32_t flags) { int r; + bool dynamic, read_lock, write_lock, opal_lock_on_error = false; + uint32_t opal_segment_number; + uint64_t range_offset_sectors, range_length_sectors, device_length_bytes; struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2); struct crypt_dm_active_device dmdi = {}, dmd = { .uuid = crypt_get_uuid(cd) }; + struct crypt_lock_handle *opal_lh = NULL; /* do not allow activation when particular requirements detected */ - if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0))) + if ((r = LUKS2_unmet_requirements(cd, hdr, CRYPT_REQUIREMENT_OPAL, 0))) return r; - r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), - vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd), - crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none", - crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd)); - if (r < 0) + /* Check that cipher is in compatible format */ + if (!crypt_get_cipher(cd)) { + log_err(cd, _("No known cipher specification pattern detected in LUKS2 header.")); + return -EINVAL; + } + + if ((r = LUKS2_get_data_size(hdr, &device_length_bytes, &dynamic))) return r; + if (dynamic && opal_key) { + log_err(cd, _("OPAL device must have static device size.")); + return -EINVAL; + } + + if (!dynamic) + dmd.size = device_length_bytes / SECTOR_SIZE; + + if (opal_key) { + r = crypt_opal_supported(cd, crypt_data_device(cd)); + if (r < 0) + return r; + + r = LUKS2_get_opal_segment_number(hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number); + if (r < 0) + return -EINVAL; + + range_length_sectors = LUKS2_opal_segment_size(hdr, CRYPT_DEFAULT_SEGMENT, 1); + + if (crypt_get_integrity_tag_size(cd)) { + if (dmd.size >= range_length_sectors) { + log_err(cd, _("Encrypted OPAL device with integrity must be smaller than locking range.")); + return -EINVAL; + } + } else { + if (range_length_sectors != dmd.size) { + log_err(cd, _("OPAL device must have same size as locking range.")); + return -EINVAL; + } + } + + range_offset_sectors = crypt_get_data_offset(cd) + crypt_dev_partition_offset(device_path(crypt_data_device(cd))); + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + return -EINVAL; + } + + r = opal_range_check_attributes_and_get_lock_state(cd, crypt_data_device(cd), opal_segment_number, + opal_key, &range_offset_sectors, &range_length_sectors, + &read_lock, &write_lock); + if (r < 0) + goto out; + + opal_lock_on_error = read_lock && write_lock; + if (!opal_lock_on_error && !(flags & CRYPT_ACTIVATE_REFRESH)) + log_std(cd, _("OPAL device is %s already unlocked.\n"), + device_path(crypt_data_device(cd))); + + r = opal_unlock(cd, crypt_data_device(cd), opal_segment_number, opal_key); + if (r < 0) + goto out; + } + + if (LUKS2_segment_is_type(hdr, CRYPT_DEFAULT_SEGMENT, "crypt") || + LUKS2_segment_is_type(hdr, CRYPT_DEFAULT_SEGMENT, "hw-opal-crypt")) { + r = dm_crypt_target_set(&dmd.segment, 0, + dmd.size, crypt_data_device(cd), + crypt_key, crypt_get_cipher_spec(cd), + crypt_get_iv_offset(cd), crypt_get_data_offset(cd), + crypt_get_integrity(cd) ?: "none", + crypt_get_integrity_tag_size(cd), + crypt_get_sector_size(cd)); + } else + r = dm_linear_target_set(&dmd.segment, 0, + dmd.size, crypt_data_device(cd), + crypt_get_data_offset(cd)); + + if (r < 0) + goto out; + /* Add persistent activation flags */ if (!(flags & CRYPT_ACTIVATE_IGNORE_PERSISTENT)) LUKS2_config_get_flags(cd, hdr, &dmd.flags); @@ -2613,29 +2746,47 @@ int LUKS2_activate(struct crypt_device *cd, if (crypt_get_integrity_tag_size(cd)) { if (!LUKS2_integrity_compatible(hdr)) { log_err(cd, _("Unsupported device integrity configuration.")); - return -EINVAL; + r = -EINVAL; + goto out; } if (dmd.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) { log_err(cd, _("Discard/TRIM is not supported.")); - return -EINVAL; + r = -EINVAL; + goto out; } r = INTEGRITY_create_dmd_device(cd, NULL, NULL, NULL, NULL, &dmdi, dmd.flags, 0); if (r) - return r; + goto out; + + if (!dynamic && dmdi.size != dmd.size) { + log_err(cd, _("Underlying dm-integrity device with unexpected provided data sectors.")); + r = -EINVAL; + goto out; + } dmdi.flags |= CRYPT_ACTIVATE_PRIVATE; dmdi.uuid = dmd.uuid; dmd.segment.u.crypt.offset = 0; - dmd.segment.size = dmdi.segment.size; + if (dynamic) + dmd.segment.size = dmdi.segment.size; - r = create_or_reload_device_with_integrity(cd, name, CRYPT_LUKS2, &dmd, &dmdi); + r = create_or_reload_device_with_integrity(cd, name, + opal_key ? CRYPT_LUKS2_HW_OPAL : CRYPT_LUKS2, + &dmd, &dmdi); } else - r = create_or_reload_device(cd, name, CRYPT_LUKS2, &dmd); + r = create_or_reload_device(cd, name, + opal_key ? CRYPT_LUKS2_HW_OPAL : CRYPT_LUKS2, + &dmd); dm_targets_free(cd, &dmd); dm_targets_free(cd, &dmdi); +out: + if (r < 0 && opal_lock_on_error) + opal_lock(cd, crypt_data_device(cd), opal_segment_number); + + opal_exclusive_unlock(cd, opal_lh); return r; } @@ -2665,13 +2816,15 @@ static bool contains_reencryption_helper(char **names) int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr *hdr, struct crypt_dm_active_device *dmd, uint32_t flags) { + bool dm_opal_uuid; int r, ret; struct dm_target *tgt; crypt_status_info ci; struct crypt_dm_active_device dmdc; + uint32_t opal_segment_number; char **dep, deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = { 0 }; const char *namei = NULL; - struct crypt_lock_handle *reencrypt_lock = NULL; + struct crypt_lock_handle *reencrypt_lock = NULL, *opal_lh = NULL; if (!dmd || !dmd->uuid || strncmp(CRYPT_LUKS2, dmd->uuid, sizeof(CRYPT_LUKS2)-1)) return -EINVAL; @@ -2684,6 +2837,11 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr if (r < 0 || (size_t)r != (sizeof(deps_uuid_prefix) - 1)) return -EINVAL; + /* check if active device has LUKS2-OPAL dm uuid prefix */ + dm_opal_uuid = !crypt_uuid_type_cmp(dmd->uuid, CRYPT_LUKS2_HW_OPAL); + if (dm_opal_uuid && hdr && !LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT)) + return -EINVAL; + tgt = &dmd->segment; /* TODO: We have LUKS2 dependencies now */ @@ -2726,7 +2884,8 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr tgt = &dmdc.segment; while (tgt) { if (tgt->type == DM_CRYPT) - crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, LOGON_KEY); + crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, + LOGON_KEY); tgt = tgt->next; } } @@ -2761,7 +2920,8 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr tgt = &dmdc.segment; while (tgt) { if (tgt->type == DM_CRYPT) - crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, LOGON_KEY); + crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, + LOGON_KEY); tgt = tgt->next; } } @@ -2773,7 +2933,35 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr r = ret; } + if (!r && dm_opal_uuid) { + if (hdr) { + if (LUKS2_get_opal_segment_number(hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number)) { + log_err(cd, _("Device %s was deactivated but hardware OPAL device cannot be locked."), + name); + r = -EINVAL; + goto out; + } + } else { + /* Guess OPAL range number for LUKS2-OPAL device with missing header */ + opal_segment_number = 1; + ret = crypt_dev_get_partition_number(device_path(crypt_data_device(cd))); + if (ret > 0) + opal_segment_number = ret; + } + + if (crypt_data_device(cd)) { + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + goto out; + } + } + + if (!crypt_data_device(cd) || opal_lock(cd, crypt_data_device(cd), opal_segment_number)) + log_err(cd, _("Device %s was deactivated but hardware OPAL device cannot be locked."), name); + } out: + opal_exclusive_unlock(cd, opal_lh); LUKS2_reencrypt_unlock(cd, reencrypt_lock); dep = deps; while (*dep) @@ -2807,6 +2995,8 @@ int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uin log_err(cd, _("Operation incompatible with device marked for legacy reencryption. Aborting.")); if (reqs_reencrypt_online(reqs) && !quiet) log_err(cd, _("Operation incompatible with device marked for LUKS2 reencryption. Aborting.")); + if (reqs_opal(reqs) && !quiet) + log_err(cd, _("Operation incompatible with device using OPAL. Aborting.")); /* any remaining unmasked requirement fails the check */ return reqs ? -EINVAL : 0; @@ -2859,6 +3049,20 @@ int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object #endif } +int json_object_object_add_by_uint_by_ref(json_object *jobj, unsigned key, json_object **jobj_val_ref) +{ + int r; + + assert(jobj); + assert(jobj_val_ref); + + r = json_object_object_add_by_uint(jobj, key, *jobj_val_ref); + if (!r) + *jobj_val_ref = NULL; + + return r; +} + /* jobj_dst must contain pointer initialized to NULL (see json-c json_object_deep_copy API) */ int json_object_copy(json_object *jobj_src, json_object **jobj_dst) { @@ -2872,3 +3076,58 @@ int json_object_copy(json_object *jobj_src, json_object **jobj_dst) return *jobj_dst ? 0 : -1; #endif } + +int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd __attribute__((unused)), + struct luks2_hdr *hdr, + const struct volume_key *vk, + struct volume_key **ret_crypt_key, + struct volume_key **ret_opal_key) +{ + int r; + uint32_t opal_segment_number; + size_t opal_user_key_size; + json_object *jobj_segment; + struct volume_key *opal_key, *crypt_key; + + assert(vk); + assert(ret_crypt_key); + assert(ret_opal_key); + + jobj_segment = LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT); + if (!jobj_segment) + return -EINVAL; + + r = json_segment_get_opal_segment_id(jobj_segment, &opal_segment_number); + if (r < 0) + return -EINVAL; + + r = json_segment_get_opal_key_size(jobj_segment, &opal_user_key_size); + if (r < 0) + return -EINVAL; + + if (vk->keylength < opal_user_key_size) + return -EINVAL; + + /* OPAL SEGMENT only */ + if (vk->keylength == opal_user_key_size) { + *ret_crypt_key = NULL; + *ret_opal_key = NULL; + return 0; + } + + opal_key = crypt_alloc_volume_key(opal_user_key_size, vk->key); + if (!opal_key) + return -ENOMEM; + + crypt_key = crypt_alloc_volume_key(vk->keylength - opal_user_key_size, + vk->key + opal_user_key_size); + if (!crypt_key) { + crypt_free_volume_key(opal_key); + return -ENOMEM; + } + + *ret_opal_key = opal_key; + *ret_crypt_key = crypt_key; + + return 0; +} diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c index 5cf4b83..40816eb 100644 --- a/lib/luks2/luks2_keyslot.c +++ b/lib/luks2/luks2_keyslot.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, keyslot handling * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -578,6 +578,8 @@ int LUKS2_keyslot_open(struct crypt_device *cd, int r_prio, r = -EINVAL; hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (!hdr) + return -EINVAL; if (keyslot == CRYPT_ANY_SLOT) { r_prio = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER, @@ -676,8 +678,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd, int LUKS2_keyslot_wipe(struct crypt_device *cd, struct luks2_hdr *hdr, - int keyslot, - int wipe_area_only) + int keyslot) { struct device *device = crypt_metadata_device(cd); uint64_t area_offset, area_length; @@ -694,9 +695,6 @@ int LUKS2_keyslot_wipe(struct crypt_device *cd, if (!jobj_keyslot) return -ENOENT; - if (wipe_area_only) - log_dbg(cd, "Wiping keyslot %d area only.", keyslot); - r = LUKS2_device_write_lock(cd, hdr, device); if (r) return r; @@ -720,9 +718,6 @@ int LUKS2_keyslot_wipe(struct crypt_device *cd, } } - if (wipe_area_only) - goto out; - /* Slot specific wipe */ if (h) { r = h->wipe(cd, keyslot); @@ -803,6 +798,9 @@ int placeholder_keyslot_alloc(struct crypt_device *cd, return -EINVAL; jobj_keyslot = json_object_new_object(); + if (!jobj_keyslot) + return -ENOMEM; + json_object_object_add(jobj_keyslot, "type", json_object_new_string("placeholder")); /* * key_size = -1 makes placeholder keyslot impossible to pass validation. @@ -813,11 +811,19 @@ int placeholder_keyslot_alloc(struct crypt_device *cd, /* Area object */ jobj_area = json_object_new_object(); + if (!jobj_area) { + json_object_put(jobj_keyslot); + return -ENOMEM; + } + json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); json_object_object_add(jobj_keyslot, "area", jobj_area); - json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); + if (json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot)) { + json_object_put(jobj_keyslot); + return -EINVAL; + } return 0; } @@ -899,7 +905,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj) return 0; } -void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots) +void LUKS2_keyslots_repair(struct crypt_device *cd __attribute__((unused)), json_object *jobj_keyslots) { const keyslot_handler *h; json_object *jobj_type; @@ -964,14 +970,17 @@ int LUKS2_keyslot_swap(struct crypt_device *cd, struct luks2_hdr *hdr, json_object_object_del_by_uint(jobj_keyslots, keyslot); r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot2); if (r < 0) { + json_object_put(jobj_keyslot2); log_dbg(cd, "Failed to swap keyslot %d.", keyslot); return r; } json_object_object_del_by_uint(jobj_keyslots, keyslot2); r = json_object_object_add_by_uint(jobj_keyslots, keyslot2, jobj_keyslot); - if (r < 0) + if (r < 0) { + json_object_put(jobj_keyslot); log_dbg(cd, "Failed to swap keyslot2 %d.", keyslot2); + } return r; } diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c index 491dcad..2c1f400 100644 --- a/lib/luks2/luks2_keyslot_luks2.c +++ b/lib/luks2/luks2_keyslot_luks2.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -307,7 +307,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, char *volume_key, size_t volume_key_len) { struct volume_key *derived_key = NULL; - struct crypt_pbkdf_type pbkdf; + struct crypt_pbkdf_type pbkdf, *cd_pbkdf; char *AfKey = NULL; size_t AFEKSize; const char *af_hash = NULL; @@ -360,6 +360,16 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, goto out; } + /* + * Print warning when keyslot requires more memory than available + * (if maximum memory was adjusted - no swap, not enough memory), + * but be silent if user set keyslot memory cost above default limit intentionally. + */ + cd_pbkdf = crypt_get_pbkdf(cd); + if (cd_pbkdf->max_memory_kb && pbkdf.max_memory_kb > cd_pbkdf->max_memory_kb && + pbkdf.max_memory_kb <= DEFAULT_LUKS2_MEMORY_KB) + log_std(cd, _("Warning: keyslot operation could fail as it requires more than available memory.\n")); + /* * If requested, serialize unlocking for memory-hard KDF. Usually NOOP. */ @@ -512,23 +522,42 @@ static int luks2_keyslot_alloc(struct crypt_device *cd, } jobj_keyslot = json_object_new_object(); + if (!jobj_keyslot) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_keyslot, "type", json_object_new_string("luks2")); json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(volume_key_len)); /* AF object */ jobj_af = json_object_new_object(); + if (!jobj_af) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_af, "type", json_object_new_string("luks1")); json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af.luks1.stripes)); json_object_object_add(jobj_keyslot, "af", jobj_af); /* Area object */ jobj_area = json_object_new_object(); + if (!jobj_area) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_area, "type", json_object_new_string("raw")); json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); json_object_object_add(jobj_keyslot, "area", jobj_area); - json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); + r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); + if (r) { + json_object_put(jobj_keyslot); + return r; + } r = luks2_keyslot_update_json(cd, jobj_keyslot, params); @@ -541,6 +570,9 @@ static int luks2_keyslot_alloc(struct crypt_device *cd, json_object_object_del_by_uint(jobj_keyslots, keyslot); return r; +err: + json_object_put(jobj_keyslot); + return r; } static int luks2_keyslot_open(struct crypt_device *cd, diff --git a/lib/luks2/luks2_keyslot_reenc.c b/lib/luks2/luks2_keyslot_reenc.c index 4291d0c..e847673 100644 --- a/lib/luks2/luks2_keyslot_reenc.c +++ b/lib/luks2/luks2_keyslot_reenc.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -145,7 +145,12 @@ static int reenc_keyslot_alloc(struct crypt_device *cd, else json_object_object_add(jobj_keyslot, "direction", json_object_new_string("backward")); - json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); + r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); + if (r) { + json_object_put(jobj_keyslot); + return r; + } + if (LUKS2_check_json_size(cd, hdr)) { log_dbg(cd, "New keyslot too large to fit in free metadata space."); json_object_object_del_by_uint(jobj_keyslots, keyslot); @@ -371,8 +376,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key return 0; } -static int reenc_keyslot_update_needed(struct crypt_device *cd, - json_object *jobj_keyslot, +static int reenc_keyslot_update_needed(json_object *jobj_keyslot, const struct crypt_params_reencrypt *params, size_t alignment) { @@ -537,8 +541,7 @@ static int reenc_keyslot_load_resilience(struct crypt_device *cd, return reenc_keyslot_load_resilience_secondary(cd, type, jobj_area, area_length, rp); } -static bool reenc_keyslot_update_is_valid(struct crypt_device *cd, - json_object *jobj_area, +static bool reenc_keyslot_update_is_valid(json_object *jobj_area, const struct crypt_params_reencrypt *params) { const char *type; @@ -589,7 +592,7 @@ static int reenc_keyslot_update(struct crypt_device *cd, if (!params || !params->resilience) jobj_area_new = reencrypt_keyslot_area_jobj_update_block_size(cd, jobj_area, alignment); else { - if (!reenc_keyslot_update_is_valid(cd, jobj_area, params)) { + if (!reenc_keyslot_update_is_valid(jobj_area, params)) { log_err(cd, _("Invalid reencryption resilience mode change requested.")); return -EINVAL; } @@ -661,7 +664,7 @@ int LUKS2_keyslot_reencrypt_update_needed(struct crypt_device *cd, strcmp(json_object_get_string(jobj_type), "reencrypt")) return -EINVAL; - r = reenc_keyslot_update_needed(cd, jobj_keyslot, params, alignment); + r = reenc_keyslot_update_needed(jobj_keyslot, params, alignment); if (!r) log_dbg(cd, "No update of reencrypt keyslot needed."); diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c index 6d3fa1e..9513217 100644 --- a/lib/luks2/luks2_luks1_convert.c +++ b/lib/luks2/luks2_luks1_convert.c @@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Ondrej Kozina - * Copyright (C) 2015-2023 Milan Broz + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Ondrej Kozina + * Copyright (C) 2015-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -67,11 +67,21 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc int r; keyslot_obj = json_object_new_object(); + if (!keyslot_obj) { + r = -ENOMEM; + goto err; + } + json_object_object_add(keyslot_obj, "type", json_object_new_string("luks2")); json_object_object_add(keyslot_obj, "key_size", json_object_new_int64(hdr_v1->keyBytes)); /* KDF */ jobj_kdf = json_object_new_object(); + if (!jobj_kdf) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_kdf, "type", json_object_new_string(CRYPT_KDF_PBKDF2)); json_object_object_add(jobj_kdf, "hash", json_object_new_string(hdr_v1->hashSpec)); json_object_object_add(jobj_kdf, "iterations", json_object_new_int64(hdr_v1->keyblock[keyslot].passwordIterations)); @@ -89,6 +99,11 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc /* AF */ jobj_af = json_object_new_object(); + if (!jobj_af) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_af, "type", json_object_new_string("luks1")); json_object_object_add(jobj_af, "hash", json_object_new_string(hdr_v1->hashSpec)); /* stripes field ignored, fixed to LUKS_STRIPES (4000) */ @@ -97,6 +112,11 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc /* Area */ jobj_area = json_object_new_object(); + if (!jobj_area) { + r = -ENOMEM; + goto err; + } + json_object_object_add(jobj_area, "type", json_object_new_string("raw")); /* encryption algorithm field */ @@ -124,6 +144,9 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc *keyslot_object = keyslot_obj; return 0; +err: + json_object_put(keyslot_obj); + return r; } static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_object **keyslots_object) @@ -143,7 +166,12 @@ static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_objec json_object_put(keyslot_obj); return r; } - json_object_object_add_by_uint(keyslot_obj, keyslot, field); + r = json_object_object_add_by_uint(keyslot_obj, keyslot, field); + if (r) { + json_object_put(field); + json_object_put(keyslot_obj); + return r; + } } *keyslots_object = keyslot_obj; @@ -238,7 +266,12 @@ static int json_luks1_segments(const struct luks_phdr *hdr_v1, struct json_objec json_object_put(segments_obj); return r; } - json_object_object_add_by_uint(segments_obj, 0, field); + r = json_object_object_add_by_uint(segments_obj, 0, field); + if (r) { + json_object_put(field); + json_object_put(segments_obj); + return r; + } *segments_object = segments_obj; return 0; diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c index b0dcd6d..b7af206 100644 --- a/lib/luks2/luks2_reencrypt.c +++ b/lib/luks2/luks2_reencrypt.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption helpers * - * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2015-2023 Ondrej Kozina + * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2015-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -162,6 +162,7 @@ static uint64_t reencrypt_get_data_offset_old(struct luks2_hdr *hdr) return reencrypt_data_offset(hdr, 0); } #endif + static int reencrypt_digest(struct luks2_hdr *hdr, unsigned new) { int segment = LUKS2_get_segment_id_by_flag(hdr, new ? "backup-final" : "backup-previous"); @@ -182,6 +183,21 @@ int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr) return reencrypt_digest(hdr, 0); } +unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr) +{ + int digest_old, digest_new; + unsigned vks_count = 0; + + if ((digest_new = LUKS2_reencrypt_digest_new(hdr)) >= 0) + vks_count++; + if ((digest_old = LUKS2_reencrypt_digest_old(hdr)) >= 0) { + if (digest_old != digest_new) + vks_count++; + } + + return vks_count; +} + /* none, checksums, journal or shift */ static const char *reencrypt_resilience_type(struct luks2_hdr *hdr) { @@ -224,7 +240,7 @@ static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr) static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh, uint64_t data_offset) { int reenc_seg, i = 0; - json_object *jobj_copy, *jobj_seg_new = NULL, *jobj_segs_post = json_object_new_object(); + json_object *jobj, *jobj_copy = NULL, *jobj_seg_new = NULL, *jobj_segs_post = json_object_new_object(); uint64_t tmp; if (!rh->jobj_segs_hot || !jobj_segs_post) @@ -239,17 +255,21 @@ static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh, while (i < reenc_seg) { jobj_copy = json_segments_get_segment(rh->jobj_segs_hot, i); - if (!jobj_copy) + if (!jobj_copy || json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy))) goto err; - json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy)); } + jobj_copy = NULL; - if (json_object_copy(json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1), &jobj_seg_new)) { - if (json_object_copy(json_segments_get_segment(rh->jobj_segs_hot, reenc_seg), &jobj_seg_new)) + jobj = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1); + if (!jobj) { + jobj = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg); + if (!jobj || json_object_copy(jobj, &jobj_seg_new)) goto err; json_segment_remove_flag(jobj_seg_new, "in-reencryption"); tmp = rh->length; } else { + if (json_object_copy(jobj, &jobj_seg_new)) + goto err; json_object_object_add(jobj_seg_new, "offset", crypt_jobj_new_uint64(rh->offset + data_offset)); json_object_object_add(jobj_seg_new, "iv_tweak", crypt_jobj_new_uint64(rh->offset >> SECTOR_SHIFT)); tmp = json_segment_get_size(jobj_seg_new, 0) + rh->length; @@ -257,10 +277,12 @@ static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh, /* alter size of new segment, reenc_seg == 0 we're finished */ json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? crypt_jobj_new_uint64(tmp) : json_object_new_string("dynamic")); - json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new); + if (!json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new)) + return jobj_segs_post; - return jobj_segs_post; err: + json_object_put(jobj_seg_new); + json_object_put(jobj_copy); json_object_put(jobj_segs_post); return NULL; } @@ -271,7 +293,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr * { int sg, crypt_seg, i = 0; uint64_t segment_size; - json_object *jobj_seg_shrunk, *jobj_seg_new, *jobj_copy, *jobj_enc_seg = NULL, + json_object *jobj_seg_shrunk = NULL, *jobj_seg_new = NULL, *jobj_copy = NULL, *jobj_enc_seg = NULL, *jobj_segs_hot = json_object_new_object(); if (!jobj_segs_hot) @@ -290,38 +312,41 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr * rh->offset >> SECTOR_SHIFT, &rh->length, reencrypt_segment_cipher_new(hdr), + NULL, /* integrity */ reencrypt_get_sector_size_new(hdr), 1); while (i < sg) { jobj_copy = LUKS2_get_segment_jobj(hdr, i); - if (!jobj_copy) + if (!jobj_copy || json_object_object_add_by_uint(jobj_segs_hot, i++, json_object_get(jobj_copy))) goto err; - json_object_object_add_by_uint(jobj_segs_hot, i++, json_object_get(jobj_copy)); } + jobj_copy = NULL; segment_size = LUKS2_segment_size(hdr, sg, 0); if (segment_size > rh->length) { - jobj_seg_shrunk = NULL; if (json_object_copy(LUKS2_get_segment_jobj(hdr, sg), &jobj_seg_shrunk)) goto err; json_object_object_add(jobj_seg_shrunk, "size", crypt_jobj_new_uint64(segment_size - rh->length)); - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_seg_shrunk); + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_seg_shrunk)) + goto err; } - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_enc_seg); - jobj_enc_seg = NULL; /* see err: label */ + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_enc_seg)) + goto err; /* first crypt segment after encryption ? */ if (crypt_seg >= 0) { jobj_seg_new = LUKS2_get_segment_jobj(hdr, crypt_seg); - if (!jobj_seg_new) + if (!jobj_seg_new || json_object_object_add_by_uint(jobj_segs_hot, sg, json_object_get(jobj_seg_new))) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg, json_object_get(jobj_seg_new)); } return jobj_segs_hot; err: + json_object_put(jobj_copy); + json_object_put(jobj_seg_new); + json_object_put(jobj_seg_shrunk); json_object_put(jobj_enc_seg); json_object_put(jobj_segs_hot); @@ -343,6 +368,7 @@ static json_object *reencrypt_make_segment_new(struct crypt_device *cd, crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT), segment_length, reencrypt_segment_cipher_new(hdr), + NULL, /* integrity */ reencrypt_get_sector_size_new(hdr), 0); case CRYPT_REENCRYPT_DECRYPT: return json_segment_create_linear(data_offset + segment_offset, segment_length, 0); @@ -357,7 +383,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd uint64_t data_offset) { int reenc_seg; - json_object *jobj_new_seg_after, *jobj_old_seg, *jobj_old_seg_copy = NULL, + json_object *jobj_old_seg, *jobj_new_seg_after = NULL, *jobj_old_seg_copy = NULL, *jobj_segs_post = json_object_new_object(); uint64_t fixed_length = rh->offset + rh->length; @@ -366,7 +392,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd reenc_seg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot); if (reenc_seg < 0) - return NULL; + goto err; jobj_old_seg = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1); @@ -375,24 +401,26 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd * Set size to 'dynamic' again. */ jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, jobj_old_seg ? &fixed_length : NULL); - if (!jobj_new_seg_after) + if (!jobj_new_seg_after || json_object_object_add_by_uint_by_ref(jobj_segs_post, 0, &jobj_new_seg_after)) goto err; - json_object_object_add_by_uint(jobj_segs_post, 0, jobj_new_seg_after); if (jobj_old_seg) { if (rh->fixed_length) { if (json_object_copy(jobj_old_seg, &jobj_old_seg_copy)) goto err; - jobj_old_seg = jobj_old_seg_copy; fixed_length = rh->device_size - fixed_length; - json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(fixed_length)); + json_object_object_add(jobj_old_seg_copy, "size", crypt_jobj_new_uint64(fixed_length)); } else - json_object_get(jobj_old_seg); - json_object_object_add_by_uint(jobj_segs_post, 1, jobj_old_seg); + jobj_old_seg_copy = json_object_get(jobj_old_seg); + + if (json_object_object_add_by_uint_by_ref(jobj_segs_post, 1, &jobj_old_seg_copy)) + goto err; } return jobj_segs_post; err: + json_object_put(jobj_new_seg_after); + json_object_put(jobj_old_seg_copy); json_object_put(jobj_segs_post); return NULL; } @@ -405,7 +433,7 @@ static json_object *reencrypt_make_post_segments_backward(struct crypt_device *c int reenc_seg; uint64_t fixed_length; - json_object *jobj_new_seg_after, *jobj_old_seg, + json_object *jobj_new_seg_after = NULL, *jobj_old_seg = NULL, *jobj_segs_post = json_object_new_object(); if (!rh->jobj_segs_hot || !jobj_segs_post) @@ -413,22 +441,26 @@ static json_object *reencrypt_make_post_segments_backward(struct crypt_device *c reenc_seg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot); if (reenc_seg < 0) - return NULL; + goto err; jobj_old_seg = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg - 1); - if (jobj_old_seg) - json_object_object_add_by_uint(jobj_segs_post, reenc_seg - 1, json_object_get(jobj_old_seg)); + if (jobj_old_seg) { + json_object_get(jobj_old_seg); + if (json_object_object_add_by_uint_by_ref(jobj_segs_post, reenc_seg - 1, &jobj_old_seg)) + goto err; + } + if (rh->fixed_length && rh->offset) { fixed_length = rh->device_size - rh->offset; jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset, rh->offset, &fixed_length); } else jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset, rh->offset, NULL); - if (!jobj_new_seg_after) - goto err; - json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_new_seg_after); - return jobj_segs_post; + if (jobj_new_seg_after && !json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_new_seg_after)) + return jobj_segs_post; err: + json_object_put(jobj_new_seg_after); + json_object_put(jobj_old_seg); json_object_put(jobj_segs_post); return NULL; } @@ -448,6 +480,7 @@ static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd, crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT), segment_length, reencrypt_segment_cipher_new(hdr), + NULL, /* integrity */ reencrypt_get_sector_size_new(hdr), 1); case CRYPT_REENCRYPT_DECRYPT: return json_segment_create_linear(data_offset + segment_offset, segment_length, 1); @@ -472,6 +505,7 @@ static json_object *reencrypt_make_segment_old(struct crypt_device *cd, crypt_get_iv_offset(cd) + (segment_offset >> SECTOR_SHIFT), segment_length, reencrypt_segment_cipher_old(hdr), + NULL, /* integrity */ reencrypt_get_sector_size_old(hdr), 0); break; @@ -488,38 +522,40 @@ static json_object *reencrypt_make_hot_segments_forward(struct crypt_device *cd, uint64_t device_size, uint64_t data_offset) { - json_object *jobj_segs_hot, *jobj_reenc_seg, *jobj_old_seg, *jobj_new_seg; uint64_t fixed_length, tmp = rh->offset + rh->length; + json_object *jobj_segs_hot = json_object_new_object(), *jobj_reenc_seg = NULL, + *jobj_old_seg = NULL, *jobj_new_seg = NULL; unsigned int sg = 0; - jobj_segs_hot = json_object_new_object(); if (!jobj_segs_hot) return NULL; if (rh->offset) { jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, &rh->offset); - if (!jobj_new_seg) + if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_new_seg); } jobj_reenc_seg = reencrypt_make_segment_reencrypt(cd, hdr, rh, data_offset, rh->offset, rh->offset, &rh->length); if (!jobj_reenc_seg) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg); + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg)) + goto err; if (tmp < device_size) { fixed_length = device_size - tmp; jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, data_offset + data_shift_value(&rh->rp), rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); - if (!jobj_old_seg) + if (!jobj_old_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_old_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg); } return jobj_segs_hot; err: + json_object_put(jobj_reenc_seg); + json_object_put(jobj_old_seg); + json_object_put(jobj_new_seg); json_object_put(jobj_segs_hot); return NULL; } @@ -528,29 +564,31 @@ static json_object *reencrypt_make_hot_segments_decrypt_shift(struct crypt_devic struct luks2_hdr *hdr, struct luks2_reencrypt *rh, uint64_t device_size, uint64_t data_offset) { - json_object *jobj_segs_hot, *jobj_reenc_seg, *jobj_old_seg, *jobj_new_seg; uint64_t fixed_length, tmp = rh->offset + rh->length, linear_length = rh->progress; + json_object *jobj, *jobj_segs_hot = json_object_new_object(), *jobj_reenc_seg = NULL, + *jobj_old_seg = NULL, *jobj_new_seg = NULL; unsigned int sg = 0; - jobj_segs_hot = json_object_new_object(); if (!jobj_segs_hot) return NULL; if (rh->offset) { - jobj_new_seg = LUKS2_get_segment_jobj(hdr, 0); - if (!jobj_new_seg) + jobj = LUKS2_get_segment_jobj(hdr, 0); + if (!jobj) + goto err; + + jobj_new_seg = json_object_get(jobj); + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg)); if (linear_length) { jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, - json_segment_get_size(jobj_new_seg, 0), + json_segment_get_size(jobj, 0), 0, &linear_length); - if (!jobj_new_seg) + if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_new_seg); } } @@ -558,27 +596,29 @@ static json_object *reencrypt_make_hot_segments_decrypt_shift(struct crypt_devic rh->offset, rh->offset, &rh->length); - if (!jobj_reenc_seg) + if (!jobj_reenc_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg); - - if (!rh->offset && (jobj_new_seg = LUKS2_get_segment_jobj(hdr, 1)) && - !json_segment_is_backup(jobj_new_seg)) - json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg)); - else if (tmp < device_size) { + if (!rh->offset && (jobj = LUKS2_get_segment_jobj(hdr, 1)) && + !json_segment_is_backup(jobj)) { + jobj_new_seg = json_object_get(jobj); + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg)) + goto err; + } else if (tmp < device_size) { fixed_length = device_size - tmp; jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, data_offset + data_shift_value(&rh->rp), rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); - if (!jobj_old_seg) + if (!jobj_old_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_old_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg); } return jobj_segs_hot; err: + json_object_put(jobj_reenc_seg); + json_object_put(jobj_old_seg); + json_object_put(jobj_new_seg); json_object_put(jobj_segs_hot); return NULL; } @@ -589,7 +629,7 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd, uint64_t data_offset) { int reenc_seg, i = 0; - json_object *jobj_copy, *jobj_seg_old, *jobj_seg_new, + json_object *jobj_seg_old, *jobj_copy = NULL, *jobj_seg_old_copy = NULL, *jobj_seg_new = NULL, *jobj_segs_post = json_object_new_object(); unsigned segs; uint64_t tmp; @@ -607,9 +647,8 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd, if (reenc_seg == 0) { jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, NULL); - if (!jobj_seg_new) + if (!jobj_seg_new || json_object_object_add_by_uint(jobj_segs_post, 0, jobj_seg_new)) goto err; - json_object_object_add_by_uint(jobj_segs_post, 0, jobj_seg_new); return jobj_segs_post; } @@ -617,22 +656,29 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd, jobj_copy = json_segments_get_segment(rh->jobj_segs_hot, 0); if (!jobj_copy) goto err; - json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy)); + json_object_get(jobj_copy); + if (json_object_object_add_by_uint_by_ref(jobj_segs_post, i++, &jobj_copy)) + goto err; - jobj_seg_old = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1); + if ((jobj_seg_old = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1))) + jobj_seg_old_copy = json_object_get(jobj_seg_old); tmp = rh->length + rh->progress; jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset, json_segment_get_size(rh->jobj_segment_moved, 0), data_shift_value(&rh->rp), jobj_seg_old ? &tmp : NULL); - json_object_object_add_by_uint(jobj_segs_post, i++, jobj_seg_new); + if (!jobj_seg_new || json_object_object_add_by_uint_by_ref(jobj_segs_post, i++, &jobj_seg_new)) + goto err; - if (jobj_seg_old) - json_object_object_add_by_uint(jobj_segs_post, i, json_object_get(jobj_seg_old)); + if (jobj_seg_old_copy && json_object_object_add_by_uint(jobj_segs_post, i, jobj_seg_old_copy)) + goto err; return jobj_segs_post; err: + json_object_put(jobj_copy); + json_object_put(jobj_seg_old_copy); + json_object_put(jobj_seg_new); json_object_put(jobj_segs_post); return NULL; } @@ -643,10 +689,10 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd uint64_t device_size, uint64_t data_offset) { - json_object *jobj_reenc_seg, *jobj_new_seg, *jobj_old_seg = NULL, + uint64_t fixed_length, tmp = rh->offset + rh->length; + json_object *jobj_reenc_seg = NULL, *jobj_new_seg = NULL, *jobj_old_seg = NULL, *jobj_segs_hot = json_object_new_object(); int sg = 0; - uint64_t fixed_length, tmp = rh->offset + rh->length; if (!jobj_segs_hot) return NULL; @@ -656,26 +702,27 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd goto err; json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(rh->offset)); - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_old_seg); + if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_old_seg)) + goto err; } jobj_reenc_seg = reencrypt_make_segment_reencrypt(cd, hdr, rh, data_offset, rh->offset, rh->offset, &rh->length); - if (!jobj_reenc_seg) + if (!jobj_reenc_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg); - if (tmp < device_size) { fixed_length = device_size - tmp; jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset + rh->length, rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL); - if (!jobj_new_seg) + if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_new_seg)) goto err; - json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_new_seg); } return jobj_segs_hot; err: + json_object_put(jobj_reenc_seg); + json_object_put(jobj_new_seg); + json_object_put(jobj_old_seg); json_object_put(jobj_segs_hot); return NULL; } @@ -733,6 +780,7 @@ static int reencrypt_make_post_segments(struct crypt_device *cd, return rh->jobj_segs_post ? 0 : -EINVAL; } #endif + static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr) { json_object *jobj_keyslot, *jobj_area, *jobj_data_shift; @@ -847,13 +895,13 @@ void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh) free(rh); } -int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd, +#if USE_LUKS2_REENCRYPTION +int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd __attribute__((unused)), struct luks2_hdr *hdr, const struct reenc_protection *rp, int reencrypt_keyslot, uint64_t *r_length) { -#if USE_LUKS2_REENCRYPTION int r; uint64_t dummy, area_length; @@ -886,11 +934,8 @@ int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd, } return -EINVAL; -#else - return -ENOTSUP; -#endif } -#if USE_LUKS2_REENCRYPTION + static size_t reencrypt_get_alignment(struct crypt_device *cd, struct luks2_hdr *hdr) { @@ -971,7 +1016,6 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j } static int reencrypt_offset_forward_moved(struct luks2_hdr *hdr, - json_object *jobj_segments, uint64_t data_shift, uint64_t *offset) { @@ -1049,7 +1093,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr, if (di == CRYPT_REENCRYPT_FORWARD) { if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_DECRYPT && LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0) { - r = reencrypt_offset_forward_moved(hdr, jobj_segments, data_shift, offset); + r = reencrypt_offset_forward_moved(hdr, data_shift, offset); if (!r && *offset > device_size) *offset = device_size; return r; @@ -1386,7 +1430,7 @@ static int reencrypt_init_storage_wrappers(struct crypt_device *cd, static int reencrypt_context_set_names(struct luks2_reencrypt *rh, const char *name) { - if (!rh | !name) + if (!rh || !name) return -EINVAL; if (*name == '/') { @@ -1964,9 +2008,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd, crypt_reencrypt_direction_info di) { int r; - uint64_t first_segment_offset, first_segment_length, - second_segment_offset, second_segment_length, - data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT; + uint64_t data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT; json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments; if (di == CRYPT_REENCRYPT_BACKWARD) @@ -1976,47 +2018,49 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd, * future data_device layout: * [encrypted first segment (max data shift size)][gap (data shift size)][second encrypted data segment] */ - first_segment_offset = 0; - first_segment_length = moved_segment_length; - if (dev_size > moved_segment_length) { - second_segment_offset = data_offset + first_segment_length; - second_segment_length = 0; - } - jobj_segments = json_object_new_object(); if (!jobj_segments) return -ENOMEM; r = -EINVAL; - jobj_segment_first = json_segment_create_crypt(first_segment_offset, - crypt_get_iv_offset(cd), &first_segment_length, - crypt_get_cipher_spec(cd), crypt_get_sector_size(cd), 0); + jobj_segment_first = json_segment_create_crypt(0, crypt_get_iv_offset(cd), + &moved_segment_length, crypt_get_cipher_spec(cd), + NULL, crypt_get_sector_size(cd), 0); if (!jobj_segment_first) { log_dbg(cd, "Failed generate 1st segment."); - return r; + goto err; } + r = json_object_object_add_by_uint_by_ref(jobj_segments, 0, &jobj_segment_first); + if (r) + goto err; + if (dev_size > moved_segment_length) { - jobj_segment_second = json_segment_create_crypt(second_segment_offset, - crypt_get_iv_offset(cd) + (first_segment_length >> SECTOR_SHIFT), - second_segment_length ? &second_segment_length : NULL, + jobj_segment_second = json_segment_create_crypt(data_offset + moved_segment_length, + crypt_get_iv_offset(cd) + (moved_segment_length >> SECTOR_SHIFT), + NULL, crypt_get_cipher_spec(cd), + NULL, /* integrity */ crypt_get_sector_size(cd), 0); if (!jobj_segment_second) { - json_object_put(jobj_segment_first); + r = -EINVAL; log_dbg(cd, "Failed generate 2nd segment."); - return r; + goto err; } - } - - json_object_object_add(jobj_segments, "0", jobj_segment_first); - if (jobj_segment_second) - json_object_object_add(jobj_segments, "1", jobj_segment_second); - r = LUKS2_segments_set(cd, hdr, jobj_segments, 0); + r = json_object_object_add_by_uint_by_ref(jobj_segments, 1, &jobj_segment_second); + if (r) + goto err; + } - return r ?: LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0); + if (!(r = LUKS2_segments_set(cd, hdr, jobj_segments, 0))) + return LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0); +err: + json_object_put(jobj_segment_first); + json_object_put(jobj_segment_second); + json_object_put(jobj_segments); + return r; } static int reencrypt_make_targets(struct crypt_device *cd, @@ -2429,6 +2473,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, uint64_t data_offset, const struct crypt_params_reencrypt *params) { + const char *type; int r, segment, moved_segment = -1, digest_old = -1, digest_new = -1; json_object *jobj_tmp, *jobj_segment_new = NULL, *jobj_segment_old = NULL, *jobj_segment_bcp = NULL; uint32_t sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE; @@ -2460,9 +2505,17 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, if (r) goto err; moved_segment = segment++; - json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), moved_segment, jobj_segment_bcp); - if (!strcmp(json_segment_type(jobj_segment_bcp), "crypt")) - LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0); + r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), moved_segment, &jobj_segment_bcp); + if (r) + goto err; + + if (!(type = json_segment_type(LUKS2_get_segment_jobj(hdr, moved_segment)))) { + r = -EINVAL; + goto err; + } + + if (!strcmp(type, "crypt") && ((r = LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0)))) + goto err; } /* FIXME: Add detection for case (digest old == digest new && old segment == new segment) */ @@ -2478,6 +2531,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, json_segment_get_iv_offset(jobj_tmp), device_size ? &device_size : NULL, json_segment_get_cipher(jobj_tmp), + NULL, /* integrity */ json_segment_get_sector_size(jobj_tmp), 0); } else { @@ -2505,10 +2559,14 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, r = LUKS2_segment_set_flag(jobj_segment_old, "backup-previous"); if (r) goto err; - json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), segment, jobj_segment_old); - jobj_segment_old = NULL; - if (digest_old >= 0) - LUKS2_digest_segment_assign(cd, hdr, segment, digest_old, 1, 0); + + r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), segment, &jobj_segment_old); + if (r) + goto err; + + if (digest_old >= 0 && (r = LUKS2_digest_segment_assign(cd, hdr, segment, digest_old, 1, 0))) + goto err; + segment++; if (digest_new >= 0) { @@ -2520,7 +2578,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, } jobj_segment_new = json_segment_create_crypt(segment_offset, crypt_get_iv_offset(cd), - NULL, cipher, sector_size, 0); + NULL, cipher, NULL, sector_size, 0); } else if (params->mode == CRYPT_REENCRYPT_DECRYPT) { segment_offset = data_offset; if (modify_offset(&segment_offset, data_shift, params->direction)) { @@ -2538,10 +2596,13 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, r = LUKS2_segment_set_flag(jobj_segment_new, "backup-final"); if (r) goto err; - json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), segment, jobj_segment_new); - jobj_segment_new = NULL; - if (digest_new >= 0) - LUKS2_digest_segment_assign(cd, hdr, segment, digest_new, 1, 0); + + r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), segment, &jobj_segment_new); + if (r) + goto err; + + if (digest_new >= 0 && (r = LUKS2_digest_segment_assign(cd, hdr, segment, digest_new, 1, 0))) + goto err; /* FIXME: also check occupied space by keyslot in shrunk area */ if (params->direction == CRYPT_REENCRYPT_FORWARD && data_shift && @@ -2556,6 +2617,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd, err: json_object_put(jobj_segment_new); json_object_put(jobj_segment_old); + json_object_put(jobj_segment_bcp); return r; } @@ -2590,7 +2652,6 @@ static int reencrypt_verify_keys(struct crypt_device *cd, } static int reencrypt_upload_single_key(struct crypt_device *cd, - struct luks2_hdr *hdr, int digest, struct volume_key *vks) { @@ -2615,11 +2676,11 @@ static int reencrypt_upload_keys(struct crypt_device *cd, return 0; if (digest_new >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_new(hdr)) && - (r = reencrypt_upload_single_key(cd, hdr, digest_new, vks))) + (r = reencrypt_upload_single_key(cd, digest_new, vks))) return r; if (digest_old >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr)) && - (r = reencrypt_upload_single_key(cd, hdr, digest_old, vks))) { + (r = reencrypt_upload_single_key(cd, digest_old, vks))) { crypt_drop_keyring_key(cd, vks); return r; } @@ -3256,7 +3317,17 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr, return 0; } +#else +int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd __attribute__((unused)), + struct luks2_hdr *hdr __attribute__((unused)), + const struct reenc_protection *rp __attribute__((unused)), + int reencrypt_keyslot __attribute__((unused)), + uint64_t *r_length __attribute__((unused))) +{ + return -ENOTSUP; +} #endif + static int reencrypt_lock_internal(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock) { int r; @@ -3705,7 +3776,7 @@ out: return r; } -#endif + static int reencrypt_init_by_passphrase(struct crypt_device *cd, const char *name, const char *passphrase, @@ -3716,7 +3787,6 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd, const char *cipher_mode, const struct crypt_params_reencrypt *params) { -#if USE_LUKS2_REENCRYPTION int r; crypt_reencrypt_info ri; struct volume_key *vks = NULL; @@ -3778,11 +3848,22 @@ out: crypt_drop_keyring_key(cd, vks); crypt_free_volume_key(vks); return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt"); +} #else +static int reencrypt_init_by_passphrase(struct crypt_device *cd, + const char *name __attribute__((unused)), + const char *passphrase __attribute__((unused)), + size_t passphrase_size __attribute__((unused)), + int keyslot_old __attribute__((unused)), + int keyslot_new __attribute__((unused)), + const char *cipher __attribute__((unused)), + const char *cipher_mode __attribute__((unused)), + const struct crypt_params_reencrypt *params __attribute__((unused))) +{ log_err(cd, _("This operation is not supported for this device type.")); return -ENOTSUP; -#endif } +#endif int crypt_reencrypt_init_by_keyring(struct crypt_device *cd, const char *name, @@ -3797,14 +3878,20 @@ int crypt_reencrypt_init_by_keyring(struct crypt_device *cd, char *passphrase; size_t passphrase_size; - if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT) || !passphrase_description) + if (onlyLUKS2reencrypt(cd) || !passphrase_description) return -EINVAL; if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY)) return -EINVAL; - r = keyring_get_passphrase(passphrase_description, &passphrase, &passphrase_size); + if (device_is_dax(crypt_data_device(cd)) > 0) { + log_err(cd, _("Reencryption is not supported for DAX (persistent memory) devices.")); + return -EINVAL; + } + + r = crypt_keyring_get_user_key(cd, passphrase_description, &passphrase, &passphrase_size); if (r < 0) { - log_err(cd, _("Failed to read passphrase from keyring (error %d)."), r); + log_dbg(cd, "crypt_keyring_get_user_key failed (error %d)", r); + log_err(cd, _("Failed to read passphrase from keyring.")); return -EINVAL; } @@ -3826,11 +3913,16 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd, const char *cipher_mode, const struct crypt_params_reencrypt *params) { - if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT) || !passphrase) + if (onlyLUKS2reencrypt(cd) || !passphrase) return -EINVAL; if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY)) return -EINVAL; + if (device_is_dax(crypt_data_device(cd)) > 0) { + log_err(cd, _("Reencryption is not supported for DAX (persistent memory) devices.")); + return -EINVAL; + } + return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params); } @@ -4112,14 +4204,12 @@ static int reencrypt_teardown(struct crypt_device *cd, struct luks2_hdr *hdr, return r; } -#endif int crypt_reencrypt_run( struct crypt_device *cd, int (*progress)(uint64_t size, uint64_t offset, void *usrptr), void *usrptr) { -#if USE_LUKS2_REENCRYPTION int r; crypt_reencrypt_info ri; struct luks2_hdr *hdr; @@ -4127,7 +4217,7 @@ int crypt_reencrypt_run( reenc_status_t rs; bool quit = false; - if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT)) + if (onlyLUKS2reencrypt(cd)) return -EINVAL; hdr = crypt_get_hdr(cd, CRYPT_LUKS2); @@ -4180,19 +4270,9 @@ int crypt_reencrypt_run( r = reencrypt_teardown(cd, hdr, rh, rs, quit, progress, usrptr); return r; -#else - log_err(cd, _("This operation is not supported for this device type.")); - return -ENOTSUP; -#endif } -int crypt_reencrypt( - struct crypt_device *cd, - int (*progress)(uint64_t size, uint64_t offset, void *usrptr)) -{ - return crypt_reencrypt_run(cd, progress, NULL); -} -#if USE_LUKS2_REENCRYPTION + static int reencrypt_recovery(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t device_size, @@ -4228,7 +4308,27 @@ out: return r; } +#else /* USE_LUKS2_REENCRYPTION */ +int crypt_reencrypt_run( + struct crypt_device *cd, + int (*progress)(uint64_t size, uint64_t offset, void *usrptr), + void *usrptr) +{ + UNUSED(progress); + UNUSED(usrptr); + + log_err(cd, _("This operation is not supported for this device type.")); + return -ENOTSUP; +} #endif + +int crypt_reencrypt( + struct crypt_device *cd, + int (*progress)(uint64_t size, uint64_t offset, void *usrptr)) +{ + return crypt_reencrypt_run(cd, progress, NULL); +} + /* * use only for calculation of minimal data device size. * The real data offset is taken directly from segments! @@ -4246,7 +4346,7 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise) /* internal only */ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, - uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic) + uint64_t check_size, uint64_t *dev_size, bool device_exclusive_check, bool dynamic) { int r; uint64_t data_offset, real_size = 0; @@ -4255,7 +4355,8 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr (LUKS2_get_segment_by_flag(hdr, "backup-moved-segment") || dynamic)) check_size += reencrypt_data_shift(hdr); - r = device_check_access(cd, crypt_data_device(cd), activation ? DEV_EXCL : DEV_OK); + r = device_check_access(cd, crypt_data_device(cd), + device_exclusive_check ? DEV_EXCL : DEV_OK); if (r) return r; @@ -4333,6 +4434,39 @@ out: return r < 0 ? r : keyslot; } + +int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd, + struct volume_key *vks) +{ + uint64_t minimal_size, device_size; + int r = -EINVAL; + struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + struct volume_key *vk = NULL; + + log_dbg(cd, "Entering reencryption crash recovery."); + + if (LUKS2_get_data_size(hdr, &minimal_size, NULL)) + return r; + + if (crypt_use_keyring_for_vk(cd)) + vk = vks; + while (vk) { + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk)); + if (r < 0) + goto out; + vk = crypt_volume_key_next(vk); + } + + if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false)) + goto out; + + r = reencrypt_recovery(cd, hdr, device_size, vks); + +out: + if (r < 0) + crypt_drop_keyring_key(cd, vks); + return r; +} #endif crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr, struct crypt_params_reencrypt *params) diff --git a/lib/luks2/luks2_reencrypt_digest.c b/lib/luks2/luks2_reencrypt_digest.c index bc86f54..fcdad12 100644 --- a/lib/luks2/luks2_reencrypt_digest.c +++ b/lib/luks2/luks2_reencrypt_digest.c @@ -1,9 +1,9 @@ /* * LUKS - Linux Unified Key Setup v2, reencryption digest helpers * - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2022-2023 Ondrej Kozina - * Copyright (C) 2022-2023 Milan Broz + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Ondrej Kozina + * Copyright (C) 2022-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -375,6 +375,22 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd, return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0); } +void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk) +{ + int digest_old, digest_new; + + digest_old = LUKS2_reencrypt_digest_old(hdr); + digest_new = LUKS2_reencrypt_digest_new(hdr); + + while (vk) { + if (digest_old >= 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old) + crypt_volume_key_set_id(vk, digest_old); + if (digest_new >= 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new) + crypt_volume_key_set_id(vk, digest_new); + vk = vk->next; + } +} + int LUKS2_reencrypt_digest_verify(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks) diff --git a/lib/luks2/luks2_segment.c b/lib/luks2/luks2_segment.c index 63e7c14..af87f4f 100644 --- a/lib/luks2/luks2_segment.c +++ b/lib/luks2/luks2_segment.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, internal segment handling * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -91,6 +91,33 @@ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise) return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj); } +static uint64_t json_segment_get_opal_size(json_object *jobj_segment, unsigned blockwise) +{ + json_object *jobj; + + if (!jobj_segment || + !json_object_object_get_ex(jobj_segment, "opal_segment_size", &jobj)) + return 0; + + return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj); +} + +static bool json_segment_set_size(json_object *jobj_segment, const uint64_t *size_bytes) +{ + json_object *jobj; + + if (!jobj_segment) + return false; + + jobj = size_bytes ? crypt_jobj_new_uint64(*size_bytes) : json_object_new_string("dynamic"); + if (!jobj) + return false; + + json_object_object_add(jobj_segment, "size", jobj); + + return true; +} + const char *json_segment_get_cipher(json_object *jobj_segment) { json_object *jobj; @@ -116,6 +143,37 @@ uint32_t json_segment_get_sector_size(json_object *jobj_segment) return i < 0 ? SECTOR_SIZE : i; } +int json_segment_get_opal_segment_id(json_object *jobj_segment, uint32_t *ret_opal_segment_id) +{ + json_object *jobj_segment_id; + + assert(ret_opal_segment_id); + + if (!json_object_object_get_ex(jobj_segment, "opal_segment_number", &jobj_segment_id)) + return -EINVAL; + + *ret_opal_segment_id = json_object_get_int(jobj_segment_id); + + return 0; +} + +int json_segment_get_opal_key_size(json_object *jobj_segment, size_t *ret_key_size) +{ + json_object *jobj_key_size; + + assert(ret_key_size); + + if (!jobj_segment) + return -EINVAL; + + if (!json_object_object_get_ex(jobj_segment, "opal_key_size", &jobj_key_size)) + return -EINVAL; + + *ret_key_size = json_object_get_int(jobj_key_size); + + return 0; +} + static json_object *json_segment_get_flags(json_object *jobj_segment) { json_object *jobj; @@ -245,24 +303,94 @@ json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, return jobj; } +static bool json_add_crypt_fields(json_object *jobj_segment, uint64_t iv_offset, + const char *cipher, const char *integrity, + uint32_t sector_size, unsigned reencryption) +{ + json_object *jobj_integrity; + + assert(cipher); + + json_object_object_add(jobj_segment, "iv_tweak", crypt_jobj_new_uint64(iv_offset)); + json_object_object_add(jobj_segment, "encryption", json_object_new_string(cipher)); + json_object_object_add(jobj_segment, "sector_size", json_object_new_int(sector_size)); + + if (integrity) { + jobj_integrity = json_object_new_object(); + if (!jobj_integrity) + return false; + + json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity)); + json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none")); + json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none")); + json_object_object_add(jobj_segment, "integrity", jobj_integrity); + } + + if (reencryption) + LUKS2_segment_set_flag(jobj_segment, "in-reencryption"); + + return true; +} + json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, - const char *cipher, uint32_t sector_size, - unsigned reencryption) + const char *cipher, const char *integrity, + uint32_t sector_size, unsigned reencryption) { json_object *jobj = _segment_create_generic("crypt", offset, length); + if (!jobj) return NULL; - json_object_object_add(jobj, "iv_tweak", crypt_jobj_new_uint64(iv_offset)); - json_object_object_add(jobj, "encryption", json_object_new_string(cipher)); - json_object_object_add(jobj, "sector_size", json_object_new_int(sector_size)); - if (reencryption) - LUKS2_segment_set_flag(jobj, "in-reencryption"); + if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption)) + return jobj; + + json_object_put(jobj); + return NULL; +} + +static void json_add_opal_fields(json_object *jobj_segment, const uint64_t *length, + uint32_t segment_number, uint32_t key_size) +{ + assert(jobj_segment); + assert(length); + + json_object_object_add(jobj_segment, "opal_segment_number", json_object_new_int(segment_number)); + json_object_object_add(jobj_segment, "opal_key_size", json_object_new_int(key_size)); + json_object_object_add(jobj_segment, "opal_segment_size", crypt_jobj_new_uint64(*length)); +} + +json_object *json_segment_create_opal(uint64_t offset, const uint64_t *length, + uint32_t segment_number, uint32_t key_size) +{ + json_object *jobj = _segment_create_generic("hw-opal", offset, length); + if (!jobj) + return NULL; + + json_add_opal_fields(jobj, length, segment_number, key_size); return jobj; } +json_object *json_segment_create_opal_crypt(uint64_t offset, const uint64_t *length, + uint32_t segment_number, uint32_t key_size, + uint64_t iv_offset, const char *cipher, + const char *integrity, uint32_t sector_size, + unsigned reencryption) +{ + json_object *jobj = _segment_create_generic("hw-opal-crypt", offset, length); + if (!jobj) + return NULL; + + json_add_opal_fields(jobj, length, segment_number, key_size); + + if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption)) + return jobj; + + json_object_put(jobj); + return NULL; +} + uint64_t LUKS2_segment_offset(struct luks2_hdr *hdr, int segment, unsigned blockwise) { return json_segment_get_offset(LUKS2_get_segment_jobj(hdr, segment), blockwise); @@ -288,11 +416,85 @@ uint64_t LUKS2_segment_size(struct luks2_hdr *hdr, int segment, unsigned blockwi return json_segment_get_size(LUKS2_get_segment_jobj(hdr, segment), blockwise); } +uint64_t LUKS2_opal_segment_size(struct luks2_hdr *hdr, int segment, unsigned blockwise) +{ + return json_segment_get_opal_size(LUKS2_get_segment_jobj(hdr, segment), blockwise); +} + +bool LUKS2_segment_set_size(struct luks2_hdr *hdr, int segment, const uint64_t *segment_size_bytes) +{ + return json_segment_set_size(LUKS2_get_segment_jobj(hdr, segment), segment_size_bytes); +} + int LUKS2_segment_is_type(struct luks2_hdr *hdr, int segment, const char *type) { return !strcmp(json_segment_type(LUKS2_get_segment_jobj(hdr, segment)) ?: "", type); } +static bool json_segment_is_hw_opal_only(json_object *jobj_segment) +{ + const char *type = json_segment_type(jobj_segment); + + if (!type) + return false; + + return !strcmp(type, "hw-opal"); +} + +static bool json_segment_is_hw_opal_crypt(json_object *jobj_segment) +{ + const char *type = json_segment_type(jobj_segment); + + if (!type) + return false; + + return !strcmp(type, "hw-opal-crypt"); +} + +static bool json_segment_is_hw_opal(json_object *jobj_segment) +{ + return json_segment_is_hw_opal_crypt(jobj_segment) || + json_segment_is_hw_opal_only(jobj_segment); +} + +bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment) +{ + return json_segment_is_hw_opal_only(LUKS2_get_segment_jobj(hdr, segment)); +} + +bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment) +{ + return json_segment_is_hw_opal_crypt(LUKS2_get_segment_jobj(hdr, segment)); +} + +bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment) +{ + return json_segment_is_hw_opal(LUKS2_get_segment_jobj(hdr, segment)); +} + +int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment, uint32_t *ret_opal_segment_number) +{ + json_object *jobj_segment = LUKS2_get_segment_jobj(hdr, segment); + + assert(ret_opal_segment_number); + + if (!json_segment_is_hw_opal(jobj_segment)) + return -ENOENT; + + return json_segment_get_opal_segment_id(jobj_segment, ret_opal_segment_number); +} + +int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment) +{ + size_t key_size = 0; + json_object *jobj_segment = LUKS2_get_segment_jobj(hdr, segment); + + if (json_segment_get_opal_key_size(jobj_segment, &key_size) < 0) + return 0; + + return key_size; +} + int LUKS2_last_segment_by_type(struct luks2_hdr *hdr, const char *type) { json_object *jobj_segments; @@ -424,3 +626,27 @@ bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2) return true; } + +bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr) +{ + json_object *jobj_segments, *jobj_size; + + assert(hdr); + + jobj_segments = LUKS2_get_segments_jobj(hdr); + if (!jobj_segments) + return false; + + json_object_object_foreach(jobj_segments, key, val) { + UNUSED(key); + + if (json_segment_is_backup(val)) + continue; + + if (json_object_object_get_ex(val, "size", &jobj_size) && + !strcmp(json_object_get_string(jobj_size), "dynamic")) + return true; + } + + return false; +} diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index 5f65918..9c09be2 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, token handling * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,7 +25,9 @@ #include "luks2_internal.h" #if USE_EXTERNAL_TOKENS +#define TOKENS_PATH_MAX PATH_MAX static bool external_tokens_enabled = true; +static char external_tokens_path[TOKENS_PATH_MAX] = EXTERNAL_LUKS2_TOKENS_PATH; #else static bool external_tokens_enabled = false; #endif @@ -51,31 +53,37 @@ void crypt_token_external_disable(void) const char *crypt_token_external_path(void) { - return external_tokens_enabled ? EXTERNAL_LUKS2_TOKENS_PATH : NULL; +#if USE_EXTERNAL_TOKENS + return external_tokens_enabled ? external_tokens_path : NULL; +#else + return NULL; +#endif } #if USE_EXTERNAL_TOKENS -static void *token_dlvsym(struct crypt_device *cd, - void *handle, - const char *symbol, - const char *version) +int crypt_token_set_external_path(const char *path) { - char *error; - void *sym; + int r; + char tokens_path[TOKENS_PATH_MAX]; -#ifdef HAVE_DLVSYM - log_dbg(cd, "Loading symbol %s@%s.", symbol, version); - sym = dlvsym(handle, symbol, version); -#else - log_dbg(cd, "Loading default version of symbol %s.", symbol); - sym = dlsym(handle, symbol); -#endif - error = dlerror(); + if (!path) + path = EXTERNAL_LUKS2_TOKENS_PATH; + else if (*path != '/') + return -EINVAL; - if (error) - log_dbg(cd, "%s", error); + r = snprintf(tokens_path, sizeof(tokens_path), "%s", path); + if (r < 0 || (size_t)r >= sizeof(tokens_path)) + return -EINVAL; - return sym; + (void)strcpy(external_tokens_path, tokens_path); + + return 0; +} +#else +#pragma GCC diagnostic ignored "-Wunused-parameter" +int crypt_token_set_external_path(const char *path) +{ + return -ENOTSUP; } #endif @@ -98,6 +106,29 @@ static bool token_validate_v1(struct crypt_device *cd, const crypt_token_handler } #if USE_EXTERNAL_TOKENS +static void *token_dlvsym(struct crypt_device *cd, + void *handle, + const char *symbol, + const char *version) +{ + char *error; + void *sym; + +#ifdef HAVE_DLVSYM + log_dbg(cd, "Loading symbol %s@%s.", symbol, version); + sym = dlvsym(handle, symbol, version); +#else + log_dbg(cd, "Loading default version of symbol %s.", symbol); + sym = dlsym(handle, symbol); +#endif + error = dlerror(); + + if (error) + log_dbg(cd, "%s", error); + + return sym; +} + static bool token_validate_v2(struct crypt_device *cd, const struct crypt_token_handler_internal *h) { if (!h) @@ -127,12 +158,10 @@ static bool external_token_name_valid(const char *name) return true; } -#endif static int crypt_token_load_external(struct crypt_device *cd, const char *name, struct crypt_token_handler_internal *ret) { -#if USE_EXTERNAL_TOKENS struct crypt_token_handler_v2 *token; void *h; char buf[PATH_MAX]; @@ -192,11 +221,40 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp ret->version = 2; return 0; -#else +} + +void crypt_token_unload_external_all(struct crypt_device *cd) +{ + int i; + + for (i = LUKS2_TOKENS_MAX - 1; i >= 0; i--) { + if (token_handlers[i].version < 2) + continue; + + log_dbg(cd, "Unloading %s token handler.", token_handlers[i].u.v2.name); + + free(CONST_CAST(void *)token_handlers[i].u.v2.name); + + if (dlclose(CONST_CAST(void *)token_handlers[i].u.v2.dlhandle)) + log_dbg(cd, "%s", dlerror()); + } +} + +#else /* USE_EXTERNAL_TOKENS */ + +static int crypt_token_load_external(struct crypt_device *cd __attribute__((unused)), + const char *name __attribute__((unused)), + struct crypt_token_handler_internal *ret __attribute__((unused))) +{ return -ENOTSUP; -#endif } +void crypt_token_unload_external_all(struct crypt_device *cd __attribute__((unused))) +{ +} + +#endif + static int is_builtin_candidate(const char *type) { return !strncmp(type, LUKS2_BUILTIN_TOKEN_PREFIX, LUKS2_BUILTIN_TOKEN_PREFIX_LEN); @@ -243,25 +301,6 @@ int crypt_token_register(const crypt_token_handler *handler) return 0; } -void crypt_token_unload_external_all(struct crypt_device *cd) -{ -#if USE_EXTERNAL_TOKENS - int i; - - for (i = LUKS2_TOKENS_MAX - 1; i >= 0; i--) { - if (token_handlers[i].version < 2) - continue; - - log_dbg(cd, "Unloading %s token handler.", token_handlers[i].u.v2.name); - - free(CONST_CAST(void *)token_handlers[i].u.v2.name); - - if (dlclose(CONST_CAST(void *)token_handlers[i].u.v2.dlhandle)) - log_dbg(cd, "%s", dlerror()); - } -#endif -} - static const void *LUKS2_token_handler_type(struct crypt_device *cd, const char *type) { @@ -423,12 +462,12 @@ static const char *token_json_to_string(json_object *jobj_token) JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); } -static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int segment, +static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int keyslot, int segment, crypt_keyslot_priority minimal_priority, bool requires_keyslot) { crypt_keyslot_priority keyslot_priority; json_object *jobj_array; - int i, keyslot, len, r = -ENOENT; + int i, slot, len, r = -ENOENT; if (!jobj_token) return -EINVAL; @@ -451,16 +490,19 @@ static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int s return -ENOENT; for (i = 0; i < len; i++) { - keyslot = atoi(json_object_get_string(json_object_array_get_idx(jobj_array, i))); + slot = atoi(json_object_get_string(json_object_array_get_idx(jobj_array, i))); + + if (keyslot != CRYPT_ANY_SLOT && slot != keyslot) + continue; - keyslot_priority = LUKS2_keyslot_priority_get(hdr, keyslot); + keyslot_priority = LUKS2_keyslot_priority_get(hdr, slot); if (keyslot_priority == CRYPT_SLOT_PRIORITY_INVALID) return -EINVAL; if (keyslot_priority < minimal_priority) continue; - r = LUKS2_keyslot_for_segment(hdr, keyslot, segment); + r = LUKS2_keyslot_for_segment(hdr, slot, segment); if (r != -ENOENT) return r; } @@ -480,6 +522,7 @@ static int translate_errno(struct crypt_device *cd, int ret_val, const char *typ static int token_open(struct crypt_device *cd, struct luks2_hdr *hdr, + int keyslot, int token, json_object *jobj_token, const char *type, @@ -507,7 +550,7 @@ static int token_open(struct crypt_device *cd, return -ENOENT; } - r = token_is_usable(hdr, jobj_token, segment, priority, requires_keyslot); + r = token_is_usable(hdr, jobj_token, keyslot, segment, priority, requires_keyslot); if (r < 0) { if (r == -ENOENT) log_dbg(cd, "Token %d unusable for segment %d with desired keyslot priority %d.", @@ -569,32 +612,22 @@ static void update_return_errno(int r, int *stored) *stored = r; } -static int LUKS2_keyslot_open_by_token(struct crypt_device *cd, +static int try_token_keyslot_unlock(struct crypt_device *cd, struct luks2_hdr *hdr, + const char *type, + json_object *jobj_token_keyslots, int token, int segment, crypt_keyslot_priority priority, const char *buffer, size_t buffer_len, - struct volume_key **vk) + struct volume_key **r_vk) { + json_object *jobj; crypt_keyslot_priority keyslot_priority; - json_object *jobj_token, *jobj_token_keyslots, *jobj_type, *jobj; - unsigned int num = 0; int i, r = -ENOENT, stored_retval = -ENOENT; + unsigned int num = 0; - jobj_token = LUKS2_get_token_jobj(hdr, token); - if (!jobj_token) - return -EINVAL; - - if (!json_object_object_get_ex(jobj_token, "type", &jobj_type)) - return -EINVAL; - - json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots); - if (!jobj_token_keyslots) - return -EINVAL; - - /* Try to open keyslot referenced in token */ for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots) && r < 0; i++) { jobj = json_object_array_get_idx(jobj_token_keyslots, i); num = atoi(json_object_get_string(jobj)); @@ -604,8 +637,8 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd, if (keyslot_priority < priority) continue; log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", - num, token, json_object_get_string(jobj_type)); - r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, vk); + num, token, type); + r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, r_vk); /* short circuit on fatal error */ if (r < 0 && r != -EPERM && r != -ENOENT) return r; @@ -620,6 +653,53 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd, return num; } +static int LUKS2_keyslot_open_by_token(struct crypt_device *cd, + struct luks2_hdr *hdr, + int keyslot, + int token, + int segment, + crypt_keyslot_priority min_priority, + const char *buffer, + size_t buffer_len, + struct volume_key **vk) +{ + json_object *jobj_token, *jobj_token_keyslots, *jobj_type; + crypt_keyslot_priority priority = CRYPT_SLOT_PRIORITY_PREFER; + int r = -ENOENT, stored_retval = -ENOENT; + + jobj_token = LUKS2_get_token_jobj(hdr, token); + if (!jobj_token) + return -EINVAL; + + if (!json_object_object_get_ex(jobj_token, "type", &jobj_type)) + return -EINVAL; + + json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots); + if (!jobj_token_keyslots) + return -EINVAL; + + /* with specific keyslot just ignore priorities and unlock */ + if (keyslot != CRYPT_ANY_SLOT) { + log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", + keyslot, token, json_object_get_string(jobj_type)); + return LUKS2_keyslot_open(cd, keyslot, segment, buffer, buffer_len, vk); + } + + /* Try to open keyslot referenced in token */ + while (priority >= min_priority) { + r = try_token_keyslot_unlock(cd, hdr, json_object_get_string(jobj_type), + jobj_token_keyslots, token, segment, + priority, buffer, buffer_len, vk); + if (r == -EINVAL || r >= 0) + return r; + if (r == -EPERM) + stored_retval = r; + priority--; + } + + return stored_retval; +} + static bool token_is_blocked(int token, uint32_t *block_list) { /* it is safe now, but have assert in case LUKS2_TOKENS_MAX grows */ @@ -640,6 +720,7 @@ static int token_open_priority(struct crypt_device *cd, struct luks2_hdr *hdr, json_object *jobj_tokens, const char *type, + int keyslot, int segment, crypt_keyslot_priority priority, const char *pin, @@ -660,9 +741,10 @@ static int token_open_priority(struct crypt_device *cd, token = atoi(slot); if (token_is_blocked(token, block_list)) continue; - r = token_open(cd, hdr, token, val, type, segment, priority, pin, pin_size, &buffer, &buffer_size, usrptr, true); + r = token_open(cd, hdr, keyslot, token, val, type, segment, priority, pin, pin_size, + &buffer, &buffer_size, usrptr, true); if (!r) { - r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, priority, + r = LUKS2_keyslot_open_by_token(cd, hdr, keyslot, token, segment, priority, buffer, buffer_size, vk); LUKS2_token_buffer_free(cd, token, buffer, buffer_size); } @@ -679,8 +761,9 @@ static int token_open_priority(struct crypt_device *cd, return *stored_retval; } -static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type, int segment, - const char *pin, size_t pin_size, void *usrptr, struct volume_key **vk) +static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type, + int keyslot, int segment, const char *pin, size_t pin_size, void *usrptr, + struct volume_key **vk) { json_object *jobj_tokens; int r, retval = -ENOENT; @@ -692,17 +775,22 @@ static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const if (!type) usrptr = NULL; - r = token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_PREFER, + if (keyslot != CRYPT_ANY_SLOT) + return token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_IGNORE, + pin, pin_size, usrptr, &retval, &blocked, vk); + + r = token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_PREFER, pin, pin_size, usrptr, &retval, &blocked, vk); if (break_loop_retval(r)) return r; - return token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_NORMAL, + return token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_NORMAL, pin, pin_size, usrptr, &retval, &blocked, vk); } int LUKS2_token_unlock_key(struct crypt_device *cd, struct luks2_hdr *hdr, + int keyslot, int token, const char *type, const char *pin, @@ -714,6 +802,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd, char *buffer; size_t buffer_size; json_object *jobj_token; + crypt_keyslot_priority min_priority; int r = -ENOENT; assert(vk); @@ -724,13 +813,27 @@ int LUKS2_token_unlock_key(struct crypt_device *cd, if (segment < 0 && segment != CRYPT_ANY_SEGMENT) return -EINVAL; + if (keyslot != CRYPT_ANY_SLOT || token != CRYPT_ANY_TOKEN) + min_priority = CRYPT_SLOT_PRIORITY_IGNORE; + else + min_priority = CRYPT_SLOT_PRIORITY_NORMAL; + + if (keyslot != CRYPT_ANY_SLOT) { + r = LUKS2_keyslot_for_segment(hdr, keyslot, segment); + if (r < 0) { + if (r == -ENOENT) + log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment); + return r; + } + } + if (token >= 0 && token < LUKS2_TOKENS_MAX) { if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) { - r = token_open(cd, hdr, token, jobj_token, type, segment, CRYPT_SLOT_PRIORITY_IGNORE, + r = token_open(cd, hdr, keyslot, token, jobj_token, type, segment, min_priority, pin, pin_size, &buffer, &buffer_size, usrptr, true); if (!r) { - r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, CRYPT_SLOT_PRIORITY_IGNORE, - buffer, buffer_size, vk); + r = LUKS2_keyslot_open_by_token(cd, hdr, keyslot, token, segment, + min_priority, buffer, buffer_size, vk); LUKS2_token_buffer_free(cd, token, buffer, buffer_size); } } @@ -745,7 +848,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd, * success (>= 0) or any other negative errno short-circuits token activation loop * immediately */ - r = token_open_any(cd, hdr, type, segment, pin, pin_size, usrptr, vk); + r = token_open_any(cd, hdr, type, keyslot, segment, pin, pin_size, usrptr, vk); else r = -EINVAL; @@ -754,6 +857,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd, int LUKS2_token_open_and_activate(struct crypt_device *cd, struct luks2_hdr *hdr, + int keyslot, int token, const char *name, const char *type, @@ -763,15 +867,15 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, void *usrptr) { bool use_keyring; - int keyslot, r, segment; - struct volume_key *vk = NULL; + int r, segment; + struct volume_key *p_crypt, *p_opal, *crypt_key = NULL, *opal_key = NULL, *vk = NULL; if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) segment = CRYPT_ANY_SEGMENT; else segment = CRYPT_DEFAULT_SEGMENT; - r = LUKS2_token_unlock_key(cd, hdr, token, type, pin, pin_size, segment, usrptr, &vk); + r = LUKS2_token_unlock_key(cd, hdr, keyslot, token, type, pin, pin_size, segment, usrptr, &vk); if (r < 0) return r; @@ -779,23 +883,39 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, keyslot = r; - if (!crypt_use_keyring_for_vk(cd)) + if (LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT)) { + r = LUKS2_split_crypt_and_opal_keys(cd, hdr, vk, &crypt_key, &opal_key); + if (r < 0) { + crypt_free_volume_key(vk); + return r; + } + + p_crypt = crypt_key; + p_opal = opal_key ?: vk; + } else { + p_crypt = vk; + p_opal = NULL; + } + + if (!crypt_use_keyring_for_vk(cd) || !p_crypt) use_keyring = false; else use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || (flags & CRYPT_ACTIVATE_KEYRING_KEY)); if (use_keyring) { - if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, vk, keyslot))) + if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, p_crypt, keyslot))) flags |= CRYPT_ACTIVATE_KEYRING_KEY; } if (r >= 0 && name) - r = LUKS2_activate(cd, name, vk, flags); + r = LUKS2_activate(cd, name, p_crypt, p_opal, flags); if (r < 0) - crypt_drop_keyring_key(cd, vk); + crypt_drop_keyring_key(cd, p_crypt); crypt_free_volume_key(vk); + crypt_free_volume_key(crypt_key); + crypt_free_volume_key(opal_key); return r < 0 ? r : keyslot; } @@ -995,8 +1115,9 @@ int LUKS2_token_unlock_passphrase(struct crypt_device *cd, if (token >= 0 && token < LUKS2_TOKENS_MAX) { if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) - r = token_open(cd, hdr, token, jobj_token, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, - pin, pin_size, &buffer, &buffer_size, usrptr, false); + r = token_open(cd, hdr, CRYPT_ANY_SLOT, token, jobj_token, type, + CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, pin, pin_size, + &buffer, &buffer_size, usrptr, false); } else if (token == CRYPT_ANY_TOKEN) { json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens); @@ -1005,7 +1126,7 @@ int LUKS2_token_unlock_passphrase(struct crypt_device *cd, json_object_object_foreach(jobj_tokens, slot, val) { token = atoi(slot); - r = token_open(cd, hdr, token, val, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, + r = token_open(cd, hdr, CRYPT_ANY_SLOT, token, val, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, pin, pin_size, &buffer, &buffer_size, usrptr, false); /* diff --git a/lib/luks2/luks2_token_keyring.c b/lib/luks2/luks2_token_keyring.c index ad18798..1d141b9 100644 --- a/lib/luks2/luks2_token_keyring.c +++ b/lib/luks2/luks2_token_keyring.c @@ -1,8 +1,8 @@ /* * LUKS - Linux Unified Key Setup v2, kernel keyring token * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -40,14 +40,11 @@ int keyring_open(struct crypt_device *cd, json_object_object_get_ex(jobj_token, "key_description", &jobj_key); - r = keyring_get_passphrase(json_object_get_string(jobj_key), buffer, buffer_len); - if (r == -ENOTSUP) { - log_dbg(cd, "Kernel keyring features disabled."); + r = crypt_keyring_get_user_key(cd, json_object_get_string(jobj_key), buffer, buffer_len); + if (r == -ENOTSUP) return -ENOENT; - } else if (r < 0) { - log_dbg(cd, "keyring_get_passphrase failed (error %d)", r); + else if (r < 0) return -EPERM; - } return 0; } diff --git a/lib/meson.build b/lib/meson.build new file mode 100644 index 0000000..9f503b6 --- /dev/null +++ b/lib/meson.build @@ -0,0 +1,116 @@ +subdir('crypto_backend') +lib_build_dir = meson.current_build_dir() + +libutils_io = static_library('utils_io', + files( + 'utils_io.c', + )) + +libcryptsetup_sym_path = join_paths(meson.current_source_dir(), 'libcryptsetup.sym') + +libcryptsetup_deps = [ + uuid, + devmapper, + libargon2_external, + jsonc, + blkid, + dl, +] + +libcryptsetup_sources = files( + 'bitlk/bitlk.c', + 'fvault2/fvault2.c', + 'integrity/integrity.c', + 'loopaes/loopaes.c', + 'luks1/af.c', + 'luks1/keyencryption.c', + 'luks1/keymanage.c', + 'luks2/hw_opal/hw_opal.c', + 'luks2/luks2_digest.c', + 'luks2/luks2_digest_pbkdf2.c', + 'luks2/luks2_disk_metadata.c', + 'luks2/luks2_json_format.c', + 'luks2/luks2_json_metadata.c', + 'luks2/luks2_keyslot.c', + 'luks2/luks2_keyslot_luks2.c', + 'luks2/luks2_keyslot_reenc.c', + 'luks2/luks2_luks1_convert.c', + 'luks2/luks2_reencrypt.c', + 'luks2/luks2_reencrypt_digest.c', + 'luks2/luks2_segment.c', + 'luks2/luks2_token.c', + 'luks2/luks2_token_keyring.c', + 'tcrypt/tcrypt.c', + 'verity/rs_decode_char.c', + 'verity/rs_encode_char.c', + 'verity/verity.c', + 'verity/verity_fec.c', + 'verity/verity_hash.c', + 'crypt_plain.c', + 'keyslot_context.c', + 'libdevmapper.c', + 'random.c', + 'setup.c', + 'utils.c', + 'utils_benchmark.c', + 'utils_blkid.c', + 'utils_crypt.c', + 'utils_device.c', + 'utils_device_locking.c', + 'utils_devpath.c', + 'utils_keyring.c', + 'utils_loop.c', + 'utils_pbkdf.c', + 'utils_safe_memory.c', + 'utils_storage_wrappers.c', + 'utils_wipe.c', + 'volumekey.c', +) + +if enable_static + libcryptsetup = static_library('cryptsetup', + libcryptsetup_sources, + dependencies: libcryptsetup_deps, + link_with: [ + libcrypto_backend, + libutils_io, + ], + install: true) +else + libcryptsetup = library('cryptsetup', + libcryptsetup_sources, + dependencies: libcryptsetup_deps, + version: libcryptsetup_version, + link_args: [ + '-Wl,--version-script=' + + libcryptsetup_sym_path, + ], + link_with: [ + libcrypto_backend, + libutils_io, + ], + install: true) +endif + +lib_tools_files = files( + 'utils_blkid.c', + 'utils_crypt.c', + 'utils_io.c', + 'utils_loop.c', +) +lib_utils_crypt_files = files( + 'utils_crypt.c', +) +lib_ssh_token_files = files( + 'utils_io.c', + 'utils_loop.c', +) + +install_headers( + 'libcryptsetup.h', +) +pkgconfig.generate( + libcryptsetup, + name: 'libcryptsetup', + version: PACKAGE_VERSION, + description: 'cryptsetup library') diff --git a/lib/random.c b/lib/random.c index 0dfcff9..c86492d 100644 --- a/lib/random.c +++ b/lib/random.c @@ -1,7 +1,7 @@ /* * cryptsetup kernel RNG access functions * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/setup.c b/lib/setup.c index 1c9d47d..ff84292 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -31,6 +31,7 @@ #include "libcryptsetup.h" #include "luks1/luks.h" #include "luks2/luks2.h" +#include "luks2/luks2_internal.h" #include "loopaes/loopaes.h" #include "verity/verity.h" #include "tcrypt/tcrypt.h" @@ -40,6 +41,7 @@ #include "utils_device_locking.h" #include "internal.h" #include "keyslot_context.h" +#include "luks2/hw_opal/hw_opal.h" #define CRYPT_CD_UNRESTRICTED (1 << 0) #define CRYPT_CD_QUIET (1 << 1) @@ -58,6 +60,12 @@ struct crypt_device { /* global context scope settings */ unsigned key_in_keyring:1; + bool link_vk_to_keyring; + int32_t keyring_to_link_vk; + const char *user_key_name1; + const char *user_key_name2; + key_type_t keyring_key_type; + uint64_t data_offset; uint64_t metadata_size; /* Used in LUKS2 format */ uint64_t keyslots_size; /* Used in LUKS2 format */ @@ -122,8 +130,10 @@ struct crypt_device { /* buffers, must refresh from kernel on every query */ char cipher_spec[MAX_CIPHER_LEN*2+1]; char cipher[MAX_CIPHER_LEN]; + char integrity_spec[MAX_INTEGRITY_LEN]; const char *cipher_mode; unsigned int key_size; + uint32_t sector_size; } none; } u; @@ -221,6 +231,45 @@ struct device *crypt_data_device(struct crypt_device *cd) return cd->device; } +uint64_t crypt_get_metadata_size_bytes(struct crypt_device *cd) +{ + assert(cd); + return cd->metadata_size; +} + +uint64_t crypt_get_keyslots_size_bytes(struct crypt_device *cd) +{ + assert(cd); + return cd->keyslots_size; +} + +uint64_t crypt_get_data_offset_sectors(struct crypt_device *cd) +{ + assert(cd); + return cd->data_offset; +} + +int crypt_opal_supported(struct crypt_device *cd, struct device *opal_device) +{ + int r; + + assert(cd); + assert(opal_device); + + r = opal_supported(cd, opal_device); + if (r <= 0) { + if (r == -ENOTSUP) + log_err(cd, _("OPAL support is disabled in libcryptsetup.")); + else + log_err(cd, _("Device %s or kernel does not support OPAL encryption."), + device_path(opal_device)); + r = -EINVAL; + } else + r = 0; + + return r; +} + int init_crypto(struct crypt_device *ctx) { struct utsname uts; @@ -237,8 +286,9 @@ int init_crypto(struct crypt_device *ctx) log_err(ctx, _("Cannot initialize crypto backend.")); if (!r && !_crypto_logged) { - log_dbg(ctx, "Crypto backend (%s) initialized in cryptsetup library version %s.", - crypt_backend_version(), PACKAGE_VERSION); + log_dbg(ctx, "Crypto backend (%s%s) initialized in cryptsetup library version %s.", + crypt_backend_version(), crypt_argon2_version(), PACKAGE_VERSION); + if (!uname(&uts)) log_dbg(ctx, "Detected kernel %s %s %s.", uts.sysname, uts.release, uts.machine); @@ -333,7 +383,7 @@ static int isFVAULT2(const char *type) return (type && !strcmp(CRYPT_FVAULT2, type)); } -static int _onlyLUKS(struct crypt_device *cd, uint32_t cdflags) +static int _onlyLUKS(struct crypt_device *cd, uint32_t cdflags, uint32_t mask) { int r = 0; @@ -352,12 +402,22 @@ static int _onlyLUKS(struct crypt_device *cd, uint32_t cdflags) if (r || (cdflags & CRYPT_CD_UNRESTRICTED) || isLUKS1(cd->type)) return r; - return LUKS2_unmet_requirements(cd, &cd->u.luks2.hdr, 0, cdflags & CRYPT_CD_QUIET); + return LUKS2_unmet_requirements(cd, &cd->u.luks2.hdr, mask, cdflags & CRYPT_CD_QUIET); +} + +static int onlyLUKSunrestricted(struct crypt_device *cd) +{ + return _onlyLUKS(cd, CRYPT_CD_UNRESTRICTED, 0); +} + +static int onlyLUKSnoRequirements(struct crypt_device *cd) +{ + return _onlyLUKS(cd, 0, 0); } static int onlyLUKS(struct crypt_device *cd) { - return _onlyLUKS(cd, 0); + return _onlyLUKS(cd, 0, CRYPT_REQUIREMENT_OPAL); } static int _onlyLUKS2(struct crypt_device *cd, uint32_t cdflags, uint32_t mask) @@ -382,16 +442,21 @@ static int _onlyLUKS2(struct crypt_device *cd, uint32_t cdflags, uint32_t mask) return LUKS2_unmet_requirements(cd, &cd->u.luks2.hdr, mask, cdflags & CRYPT_CD_QUIET); } +static int onlyLUKS2unrestricted(struct crypt_device *cd) +{ + return _onlyLUKS2(cd, CRYPT_CD_UNRESTRICTED, 0); +} + /* Internal only */ int onlyLUKS2(struct crypt_device *cd) { - return _onlyLUKS2(cd, 0, 0); + return _onlyLUKS2(cd, 0, CRYPT_REQUIREMENT_OPAL); } /* Internal only */ -int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask) +int onlyLUKS2reencrypt(struct crypt_device *cd) { - return _onlyLUKS2(cd, 0, mask); + return _onlyLUKS2(cd, 0, CRYPT_REQUIREMENT_ONLINE_REENCRYPT); } static void crypt_set_null_type(struct crypt_device *cd) @@ -461,6 +526,10 @@ int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid) if (!dm_uuid || !hdr_uuid) return -EINVAL; + /* skip beyond LUKS2_HW_OPAL prefix */ + if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL))) + dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL); + str = strchr(dm_uuid, '-'); if (!str) return -EINVAL; @@ -481,33 +550,55 @@ int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid) } /* - * compares type of active device to provided string (only if there is no explicit type) + * compares two UUIDs returned by device-mapper (striped by cryptsetup) + * used for stacked LUKS2 & INTEGRITY devices */ -static int crypt_uuid_type_cmp(struct crypt_device *cd, const char *type) +static int crypt_uuid_integrity_cmp(const char *dm_uuid, const char *dmi_uuid) { - struct crypt_dm_active_device dmd; - size_t len; - int r; + int i; + char *str, *stri; - /* Must use header-on-disk if we know the type here */ - if (cd->type || !cd->u.none.active_name) + if (!dm_uuid || !dmi_uuid) return -EINVAL; - log_dbg(cd, "Checking if active device %s without header has UUID type %s.", - cd->u.none.active_name, type); + /* skip beyond LUKS2_HW_OPAL prefix */ + if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL))) + dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL); - r = dm_query_device(cd, cd->u.none.active_name, DM_ACTIVE_UUID, &dmd); - if (r < 0) - return r; + str = strchr(dm_uuid, '-'); + if (!str) + return -EINVAL; + + stri = strchr(dmi_uuid, '-'); + if (!stri) + return -EINVAL; + + for (i = 1; str[i] && str[i] != '-'; i++) { + if (!stri[i]) + return -EINVAL; + + if (str[i] != stri[i]) + return -EINVAL; + } + + return 0; +} + +/* + * compares type of active device to provided string + */ +int crypt_uuid_type_cmp(const char *dm_uuid, const char *type) +{ + size_t len; + + assert(type); - r = -ENODEV; len = strlen(type); - if (dmd.uuid && strlen(dmd.uuid) > len && - !strncmp(dmd.uuid, type, len) && dmd.uuid[len] == '-') - r = 0; + if (dm_uuid && strlen(dm_uuid) > len && + !strncmp(dm_uuid, type, len) && dm_uuid[len] == '-') + return 0; - free(CONST_CAST(void*)dmd.uuid); - return r; + return -ENODEV; } int PLAIN_activate(struct crypt_device *cd, @@ -763,9 +854,12 @@ static int _crypt_load_luks2(struct crypt_device *cd, int reload, int repair) if (r) return r; - if (!reload && !(type = strdup(CRYPT_LUKS2))) { - r = -ENOMEM; - goto out; + if (!reload) { + type = strdup(CRYPT_LUKS2); + if (!type) { + r = -ENOMEM; + goto out; + } } if (verify_pbkdf_params(cd, &cd->pbkdf)) { @@ -1188,6 +1282,17 @@ static int _init_by_name_crypt_none(struct crypt_device *cd) } } + if (!r && tgt->u.crypt.integrity) { + r = snprintf(cd->u.none.integrity_spec, sizeof(cd->u.none.integrity_spec), + "%s", tgt->u.crypt.integrity); + if (r < 0 || (size_t)r >= sizeof(cd->u.none.integrity_spec)) + r = -EINVAL; + else + r = 0; + } + + cd->u.none.sector_size = tgt->u.crypt.sector_size; + dm_targets_free(cd, &dmd); return r; } @@ -1245,7 +1350,13 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, &key_nums, cipher_mode); if (r < 0) { - log_dbg(cd, "Cannot parse cipher and mode from active device."); + /* Allow crypt null context with unknown cipher string */ + if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) { + crypt_set_null_type(cd); + r = 0; + goto out; + } + log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); goto out; } @@ -1260,10 +1371,13 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) r = -EINVAL; goto out; } - if (!cd->metadata_device) { - device_free(cd, cd->device); - MOVE_REF(cd->device, tgti->data_device); - } + + /* + * Data device for crypt with integrity is not dm-integrity device, + * but always the device underlying dm-integrity. + */ + device_free(cd, cd->device); + MOVE_REF(cd->device, tgti->data_device); } /* do not try to lookup LUKS2 header in detached header mode */ @@ -1717,6 +1831,9 @@ static int _crypt_format_luks1(struct crypt_device *cd, return -ENOMEM; } + if (device_is_dax(crypt_data_device(cd)) > 0) + log_std(cd, _("WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n")); + if (params && cd->metadata_device) { /* For detached header the alignment is used directly as data offset */ if (!cd->data_offset) @@ -1772,6 +1889,116 @@ static int _crypt_format_luks1(struct crypt_device *cd, return 0; } +static int LUKS2_check_encryption_params(struct crypt_device *cd, + const char *cipher, + const char *cipher_mode, + const char *integrity, + size_t volume_key_size, + const struct crypt_params_luks2 *params, + const char **ret_integrity) +{ + int r, integrity_key_size = 0; + + assert(cipher); + assert(cipher_mode); + assert(ret_integrity); + + if (integrity) { + if (params->integrity_params) { + /* Standalone dm-integrity must not be used */ + if (params->integrity_params->integrity || + params->integrity_params->integrity_key_size) + return -EINVAL; + /* FIXME: journal encryption and MAC is here not yet supported */ + if (params->integrity_params->journal_crypt || + params->integrity_params->journal_integrity) + return -ENOTSUP; + } + if (!INTEGRITY_tag_size(integrity, cipher, cipher_mode)) { + /* merge "none" string into NULL to make branching logic is easier */ + if (!strcmp(integrity, "none")) + integrity = NULL; + else + return -EINVAL; + } + integrity_key_size = INTEGRITY_key_size(integrity); + if ((integrity_key_size < 0) || (integrity_key_size >= (int)volume_key_size)) { + log_err(cd, _("Volume key is too small for encryption with integrity extensions.")); + return -EINVAL; + } + } + + /* FIXME: allow this later also for normal ciphers (check AF_ALG availability. */ + if (integrity && !integrity_key_size) { + r = crypt_cipher_check_kernel(cipher, cipher_mode, integrity, volume_key_size); + if (r < 0) { + log_err(cd, _("Cipher %s-%s (key size %zd bits) is not available."), + cipher, cipher_mode, volume_key_size * 8); + return r; + } + } + + if ((!integrity || integrity_key_size) && !crypt_cipher_wrapped_key(cipher, cipher_mode) && + !INTEGRITY_tag_size(NULL, cipher, cipher_mode)) { + r = LUKS_check_cipher(cd, volume_key_size - integrity_key_size, + cipher, cipher_mode); + if (r < 0) + return r; + } + + *ret_integrity = integrity; + + return 0; +} + +static int LUKS2_check_encryption_sector(struct crypt_device *cd, uint64_t device_size_bytes, + uint64_t data_offset_bytes, uint32_t sector_size, bool modify_sector_size, + bool verify_data_area_alignment, uint32_t *ret_sector_size) +{ + uint32_t dmc_flags; + + assert(ret_sector_size); + + if (sector_size < SECTOR_SIZE || sector_size > MAX_SECTOR_SIZE || + NOTPOW2(sector_size)) { + log_err(cd, _("Unsupported encryption sector size.")); + return -EINVAL; + } + + if (sector_size != SECTOR_SIZE && !dm_flags(cd, DM_CRYPT, &dmc_flags) && + !(dmc_flags & DM_SECTOR_SIZE_SUPPORTED)) { + if (modify_sector_size) { + log_dbg(cd, "dm-crypt does not support encryption sector size option. Reverting to 512 bytes."); + sector_size = SECTOR_SIZE; + } else + log_std(cd, _("WARNING: The device activation will fail, dm-crypt is missing " + "support for requested encryption sector size.\n")); + } + + if (modify_sector_size) { + if (data_offset_bytes && MISALIGNED(data_offset_bytes, sector_size)) { + log_dbg(cd, "Data offset not aligned to sector size. Reverting to 512 bytes."); + sector_size = SECTOR_SIZE; + } else if (MISALIGNED(device_size_bytes - data_offset_bytes, sector_size)) { + /* underflow does not affect misalignment checks */ + log_dbg(cd, "Device size is not aligned to sector size. Reverting to 512 bytes."); + sector_size = SECTOR_SIZE; + } + } + + /* underflow does not affect misalignment checks */ + if (verify_data_area_alignment && + sector_size > SECTOR_SIZE && + MISALIGNED(device_size_bytes - data_offset_bytes, sector_size)) { + log_err(cd, _("Device size is not aligned to requested sector size.")); + return -EINVAL; + } + + *ret_sector_size = sector_size; + + return 0; +} + static int _crypt_format_luks2(struct crypt_device *cd, const char *cipher, const char *cipher_mode, @@ -1781,13 +2008,13 @@ static int _crypt_format_luks2(struct crypt_device *cd, struct crypt_params_luks2 *params, bool sector_size_autodetect) { - int r, integrity_key_size = 0; + int r; unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT; unsigned long alignment_offset = 0; unsigned int sector_size; + char cipher_spec[2*MAX_CAPI_ONE_LEN]; const char *integrity = params ? params->integrity : NULL; - uint64_t dev_size; - uint32_t dmc_flags; + uint64_t data_offset_bytes, dev_size, metadata_size_bytes, keyslots_size_bytes; cd->u.luks2.hdr.jobj = NULL; cd->u.luks2.keyslot_cipher = NULL; @@ -1819,6 +2046,9 @@ static int _crypt_format_luks2(struct crypt_device *cd, return -ENOMEM; } + if (device_is_dax(crypt_data_device(cd)) > 0) + log_std(cd, _("WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n")); + if (sector_size_autodetect) { sector_size = device_optimal_encryption_sector_size(cd, crypt_data_device(cd)); log_dbg(cd, "Auto-detected optimal encryption sector size for device %s is %d bytes.", @@ -1826,45 +2056,6 @@ static int _crypt_format_luks2(struct crypt_device *cd, } else sector_size = params ? params->sector_size : SECTOR_SIZE; - if (sector_size < SECTOR_SIZE || sector_size > MAX_SECTOR_SIZE || - NOTPOW2(sector_size)) { - log_err(cd, _("Unsupported encryption sector size.")); - return -EINVAL; - } - if (sector_size != SECTOR_SIZE && !dm_flags(cd, DM_CRYPT, &dmc_flags) && - !(dmc_flags & DM_SECTOR_SIZE_SUPPORTED)) { - if (sector_size_autodetect) { - log_dbg(cd, "dm-crypt does not support encryption sector size option. Reverting to 512 bytes."); - sector_size = SECTOR_SIZE; - } else - log_std(cd, _("WARNING: The device activation will fail, dm-crypt is missing " - "support for requested encryption sector size.\n")); - } - - if (integrity) { - if (params->integrity_params) { - /* Standalone dm-integrity must not be used */ - if (params->integrity_params->integrity || - params->integrity_params->integrity_key_size) - return -EINVAL; - /* FIXME: journal encryption and MAC is here not yet supported */ - if (params->integrity_params->journal_crypt || - params->integrity_params->journal_integrity) - return -ENOTSUP; - } - if (!INTEGRITY_tag_size(integrity, cipher, cipher_mode)) { - if (!strcmp(integrity, "none")) - integrity = NULL; - else - return -EINVAL; - } - integrity_key_size = INTEGRITY_key_size(integrity); - if ((integrity_key_size < 0) || (integrity_key_size >= (int)volume_key_size)) { - log_err(cd, _("Volume key is too small for encryption with integrity extensions.")); - return -EINVAL; - } - } - r = device_check_access(cd, crypt_metadata_device(cd), DEV_EXCL); if (r < 0) return r; @@ -1901,67 +2092,45 @@ static int _crypt_format_luks2(struct crypt_device *cd, &required_alignment, &alignment_offset, DEFAULT_DISK_ALIGNMENT); + r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity, + volume_key_size, params, &integrity); + if (r < 0) + goto out; + r = device_size(crypt_data_device(cd), &dev_size); if (r < 0) goto out; - if (sector_size_autodetect) { - if (cd->data_offset && MISALIGNED(cd->data_offset, sector_size)) { - log_dbg(cd, "Data offset not aligned to sector size. Reverting to 512 bytes."); - sector_size = SECTOR_SIZE; - } else if (MISALIGNED(dev_size - (uint64_t)required_alignment - (uint64_t)alignment_offset, sector_size)) { - /* underflow does not affect misalignment checks */ - log_dbg(cd, "Device size is not aligned to sector size. Reverting to 512 bytes."); - sector_size = SECTOR_SIZE; - } - } + r = LUKS2_hdr_get_storage_params(cd, alignment_offset, required_alignment, + &metadata_size_bytes, &keyslots_size_bytes, &data_offset_bytes); + if (r < 0) + goto out; - /* FIXME: allow this later also for normal ciphers (check AF_ALG availability. */ - if (integrity && !integrity_key_size) { - r = crypt_cipher_check_kernel(cipher, cipher_mode, integrity, volume_key_size); - if (r < 0) { - log_err(cd, _("Cipher %s-%s (key size %zd bits) is not available."), - cipher, cipher_mode, volume_key_size * 8); - goto out; - } - } + r = LUKS2_check_encryption_sector(cd, dev_size, data_offset_bytes, sector_size, + sector_size_autodetect, integrity == NULL, + §or_size); + if (r < 0) + goto out; - if ((!integrity || integrity_key_size) && !crypt_cipher_wrapped_key(cipher, cipher_mode) && - !INTEGRITY_tag_size(NULL, cipher, cipher_mode)) { - r = LUKS_check_cipher(cd, volume_key_size - integrity_key_size, - cipher, cipher_mode); - if (r < 0) - goto out; + if (*cipher_mode != '\0') + r = snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode); + else + r = snprintf(cipher_spec, sizeof(cipher_spec), "%s", cipher); + if (r < 0 || (size_t)r >= sizeof(cipher_spec)) { + r = -EINVAL; + goto out; } r = LUKS2_generate_hdr(cd, &cd->u.luks2.hdr, cd->volume_key, - cipher, cipher_mode, + cipher_spec, integrity, uuid, sector_size, - cd->data_offset * SECTOR_SIZE, - alignment_offset, - required_alignment, - cd->metadata_size, cd->keyslots_size); + data_offset_bytes, + metadata_size_bytes, keyslots_size_bytes, + 0, 0, 0); if (r < 0) goto out; - if (cd->metadata_size && (cd->metadata_size != LUKS2_metadata_size(&cd->u.luks2.hdr))) - log_std(cd, _("WARNING: LUKS2 metadata size changed to %" PRIu64 " bytes.\n"), - LUKS2_metadata_size(&cd->u.luks2.hdr)); - - if (cd->keyslots_size && (cd->keyslots_size != LUKS2_keyslots_size(&cd->u.luks2.hdr))) - log_std(cd, _("WARNING: LUKS2 keyslots area size changed to %" PRIu64 " bytes.\n"), - LUKS2_keyslots_size(&cd->u.luks2.hdr)); - - if (!integrity && sector_size > SECTOR_SIZE) { - dev_size -= (crypt_get_data_offset(cd) * SECTOR_SIZE); - if (dev_size % sector_size) { - log_err(cd, _("Device size is not aligned to requested sector size.")); - r = -EINVAL; - goto out; - } - } - if (params && (params->label || params->subsystem)) { r = LUKS2_hdr_labels(cd, &cd->u.luks2.hdr, params->label, params->subsystem, 0); @@ -2000,7 +2169,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, goto out; } - r = INTEGRITY_format(cd, params ? params->integrity_params : NULL, NULL, NULL); + r = INTEGRITY_format(cd, params ? params->integrity_params : NULL, NULL, NULL, 0); if (r) log_err(cd, _("Cannot format integrity for device %s."), data_device_path(cd)); @@ -2039,6 +2208,464 @@ out: return 0; } +static int opal_topology_alignment(struct crypt_device *cd, + uint64_t partition_offset_sectors, + uint64_t data_offset_sectors, + uint64_t required_alignment_sectors, + uint64_t default_alignment_bytes, + uint64_t *ret_alignment_offset_bytes, + uint64_t *ret_alignment_bytes, + uint32_t *ret_opal_block_bytes, + uint64_t *ret_opal_alignment_granularity_blocks) +{ + bool opal_align; + int r; + uint32_t opal_block_bytes; + uint64_t opal_alignment_granularity_blocks, opal_lowest_lba_blocks; + + assert(cd); + assert(ret_alignment_offset_bytes); + assert(ret_alignment_bytes); + assert(ret_opal_block_bytes); + assert(ret_opal_alignment_granularity_blocks); + + r = opal_geometry(cd, crypt_data_device(cd), &opal_align, &opal_block_bytes, + &opal_alignment_granularity_blocks, &opal_lowest_lba_blocks); + if (r) { + log_err(cd, _("Cannot get OPAL alignment parameters.")); + return -EINVAL; + } + + log_dbg(cd, "OPAL geometry: alignment: '%c', logical block size: %" PRIu32 + ", alignment granularity: %" PRIu64 ", lowest aligned LBA: %" PRIu64, + opal_align ? 'y' : 'n', opal_block_bytes, opal_alignment_granularity_blocks, opal_lowest_lba_blocks); + + if (opal_block_bytes < SECTOR_SIZE || NOTPOW2(opal_block_bytes)) { + log_err(cd, _("Bogus OPAL logical block size.")); + return -EINVAL; + } + + if (data_offset_sectors && + MISALIGNED(data_offset_sectors + partition_offset_sectors, opal_block_bytes / SECTOR_SIZE)) { + log_err(cd, _("Requested data offset is not compatible with OPAL block size.")); + return -EINVAL; + } + + /* Data offset has priority over data alignment parameter */ + if (!data_offset_sectors && + MISALIGNED(required_alignment_sectors, opal_block_bytes / SECTOR_SIZE)) { + log_err(cd, _("Requested data alignment is not compatible with OPAL alignment.")); + return -EINVAL; + } + + if (!opal_align) { + /* For detached header the alignment is used directly as data offset */ + if (required_alignment_sectors || cd->metadata_device) + *ret_alignment_bytes = required_alignment_sectors * SECTOR_SIZE; + else + *ret_alignment_bytes = default_alignment_bytes; + *ret_alignment_offset_bytes = 0; + *ret_opal_block_bytes = opal_block_bytes; + *ret_opal_alignment_granularity_blocks = 1; + return 0; + } + + if (data_offset_sectors) { + if (MISALIGNED((((data_offset_sectors + partition_offset_sectors) * SECTOR_SIZE) / opal_block_bytes) - opal_lowest_lba_blocks, + opal_alignment_granularity_blocks)) { + // FIXME: Add hint to user on how to fix it + log_err(cd, _("Data offset does not satisfy OPAL alignment requirements.")); + return -EINVAL; + } + + *ret_alignment_offset_bytes = 0; + *ret_alignment_bytes = 0; + *ret_opal_block_bytes = opal_block_bytes; + *ret_opal_alignment_granularity_blocks = opal_alignment_granularity_blocks; + + return 0; + } + + if (MISALIGNED(required_alignment_sectors * SECTOR_SIZE, opal_block_bytes * opal_alignment_granularity_blocks)) { + log_err(cd, _("Requested data alignment does not satisfy locking range alignment requirements.")); + return -EINVAL; + } + + /* For detached header the alignment is used directly as data offset */ + if (required_alignment_sectors || cd->metadata_device) + *ret_alignment_bytes = required_alignment_sectors * SECTOR_SIZE; + else + *ret_alignment_bytes = size_round_up(default_alignment_bytes, opal_block_bytes * opal_alignment_granularity_blocks); + + /* data offset is not set, calculate proper alignment */ + *ret_alignment_offset_bytes = (partition_offset_sectors * SECTOR_SIZE) % (opal_block_bytes * opal_alignment_granularity_blocks); + if (*ret_alignment_offset_bytes) + *ret_alignment_offset_bytes = opal_block_bytes * opal_alignment_granularity_blocks - *ret_alignment_offset_bytes; + + if (*ret_alignment_offset_bytes) + log_dbg(cd, "Compensating misaligned partition offset by %" PRIu64 "bytes.", + *ret_alignment_offset_bytes); + + *ret_alignment_offset_bytes += (opal_lowest_lba_blocks * opal_block_bytes); + *ret_opal_block_bytes = opal_block_bytes; + *ret_opal_alignment_granularity_blocks = opal_alignment_granularity_blocks; + + log_dbg(cd, "OPAL alignment (%" PRIu32 "/%" PRIu64 "), offset = %" PRIu64 ". Required alignment is %" PRIu64 ".", + opal_block_bytes, opal_alignment_granularity_blocks, *ret_alignment_offset_bytes, *ret_alignment_bytes); + + return 0; +} + +int crypt_format_luks2_opal(struct crypt_device *cd, + const char *cipher, + const char *cipher_mode, + const char *uuid, + const char *volume_keys, + size_t volume_keys_size, + struct crypt_params_luks2 *params, + struct crypt_params_hw_opal *opal_params) +{ + bool opal_range_reset = false, subsystem_overridden = false, sector_size_autodetect = cipher != NULL; + int r; + char cipher_spec[128]; + const char *integrity = params ? params->integrity : NULL; + uint32_t sector_size, opal_block_bytes, opal_segment_number = 1; /* We'll use the partition number if available later */ + uint64_t alignment_offset_bytes, data_offset_bytes, device_size_bytes, opal_alignment_granularity_blocks, + partition_offset_sectors, range_offset_blocks, range_size_bytes, + required_alignment_bytes, metadata_size_bytes, keyslots_size_bytes, + provided_data_sectors; + struct volume_key *user_key = NULL; + struct crypt_lock_handle *opal_lh = NULL; + + if (!cd || !params || !opal_params || + !opal_params->admin_key || !opal_params->admin_key_size || !opal_params->user_key_size) + return -EINVAL; + + if (cd->type) { + log_dbg(cd, "Context already formatted as %s.", cd->type); + return -EINVAL; + } + + log_dbg(cd, "Formatting device %s as type LUKS2 with OPAL HW encryption.", mdata_device_path(cd) ?: "(none)"); + + if (volume_keys_size < opal_params->user_key_size) + return -EINVAL; + + if (cipher && (volume_keys_size == opal_params->user_key_size)) + return -EINVAL; + + if (!crypt_metadata_device(cd)) { + log_err(cd, _("Can't format LUKS without device.")); + return -EINVAL; + } + + if (params->data_alignment && + MISALIGNED(cd->data_offset, params->data_alignment)) { + log_err(cd, _("Requested data alignment is not compatible with data offset.")); + return -EINVAL; + } + + if (params->data_device) { + if (!cd->metadata_device) + cd->metadata_device = cd->device; + else + device_free(cd, cd->device); + cd->device = NULL; + if (device_alloc(cd, &cd->device, params->data_device) < 0) + return -ENOMEM; + } + + r = crypt_opal_supported(cd, crypt_data_device(cd)); + if (r < 0) + return r; + + if (params->sector_size) + sector_size_autodetect = false; + + partition_offset_sectors = crypt_dev_partition_offset(device_path(crypt_data_device(cd))); + + r = device_check_access(cd, crypt_metadata_device(cd), DEV_EXCL); + if (r < 0) + return r; + + /* + * Check both data and metadata devices for exclusive access since + * we don't want to setup locking range on already used partition. + */ + if (crypt_metadata_device(cd) != crypt_data_device(cd)) { + r = device_check_access(cd, crypt_data_device(cd), DEV_EXCL); + if (r < 0) + return r; + } + + if (!(cd->type = strdup(CRYPT_LUKS2))) + return -ENOMEM; + + if (volume_keys) + cd->volume_key = crypt_alloc_volume_key(volume_keys_size, volume_keys); + else + cd->volume_key = crypt_generate_volume_key(cd, volume_keys_size); + + if (!cd->volume_key) { + r = -ENOMEM; + goto out; + } + + if (cipher) { + user_key = crypt_alloc_volume_key(opal_params->user_key_size, cd->volume_key->key); + if (!user_key) { + r = -ENOMEM; + goto out; + } + } + + r = 0; + if (params->pbkdf) + r = crypt_set_pbkdf_type(cd, params->pbkdf); + else if (verify_pbkdf_params(cd, &cd->pbkdf)) + r = init_pbkdf_type(cd, NULL, CRYPT_LUKS2); + + if (r < 0) + goto out; + + if (cd->metadata_device && !cd->data_offset) + /* For detached header the alignment is used directly as data offset */ + cd->data_offset = params->data_alignment; + + r = opal_topology_alignment(cd, partition_offset_sectors, + cd->data_offset, params->data_alignment, + DEFAULT_DISK_ALIGNMENT, &alignment_offset_bytes, &required_alignment_bytes, + &opal_block_bytes, &opal_alignment_granularity_blocks); + if (r < 0) + goto out; + + if (sector_size_autodetect) { + sector_size = device_optimal_encryption_sector_size(cd, crypt_data_device(cd)); + if ((opal_block_bytes * opal_alignment_granularity_blocks) > sector_size) + sector_size = opal_block_bytes * opal_alignment_granularity_blocks; + if (sector_size > MAX_SECTOR_SIZE) + sector_size = MAX_SECTOR_SIZE; + log_dbg(cd, "Auto-detected optimal encryption sector size for device %s is %d bytes.", + device_path(crypt_data_device(cd)), sector_size); + } else + sector_size = params->sector_size; + + /* To ensure it is obvious and explicit that OPAL is being used, set the + * subsystem tag if the user hasn't passed one. */ + if (!params->subsystem) { + params->subsystem = "HW-OPAL"; + subsystem_overridden = true; + } + + /* We need to give the drive a segment number - use the partition number if there is + * one, otherwise the first valid (1) number if it's a single-volume setup */ + r = crypt_dev_get_partition_number(device_path(crypt_data_device(cd))); + if (r > 0) + opal_segment_number = r; + + if (cipher) { + r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity, + volume_keys_size - opal_params->user_key_size, + params, &integrity); + if (r < 0) + goto out; + } + + r = device_size(crypt_data_device(cd), &device_size_bytes); + if (r < 0) + goto out; + + r = LUKS2_hdr_get_storage_params(cd, alignment_offset_bytes, required_alignment_bytes, + &metadata_size_bytes, &keyslots_size_bytes, &data_offset_bytes); + if (r < 0) + goto out; + + r = -EINVAL; + if (device_size_bytes < data_offset_bytes && !cd->metadata_device) { + log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd))); + goto out; + } + + device_size_bytes -= data_offset_bytes; + range_size_bytes = device_size_bytes - (device_size_bytes % (opal_block_bytes * opal_alignment_granularity_blocks)); + if (!range_size_bytes) + goto out; + + if (device_size_bytes != range_size_bytes) + log_err(cd, _("Compensating device size by %" PRIu64 " sectors to align it with OPAL alignment granularity."), + (device_size_bytes - range_size_bytes) / SECTOR_SIZE); + + if (cipher) { + r = LUKS2_check_encryption_sector(cd, device_size_bytes, data_offset_bytes, sector_size, + sector_size_autodetect, integrity == NULL, + §or_size); + if (r < 0) + goto out; + + if (*cipher_mode != '\0') + r = snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode); + else + r = snprintf(cipher_spec, sizeof(cipher_spec), "%s", cipher); + if (r < 0 || (size_t)r >= sizeof(cipher_spec)) { + r = -EINVAL; + goto out; + } + } + + r = LUKS2_generate_hdr(cd, &cd->u.luks2.hdr, cd->volume_key, + cipher ? cipher_spec : NULL, integrity, uuid, + sector_size, + data_offset_bytes, + metadata_size_bytes, keyslots_size_bytes, + device_size_bytes, + opal_segment_number, + opal_params->user_key_size); + if (r < 0) + goto out; + + log_dbg(cd, "Adding LUKS2 OPAL requirement flag."); + r = LUKS2_config_set_requirement_version(cd, &cd->u.luks2.hdr, CRYPT_REQUIREMENT_OPAL, 1, false); + if (r < 0) + goto out; + + if (params->label || params->subsystem) { + r = LUKS2_hdr_labels(cd, &cd->u.luks2.hdr, + params->label, params->subsystem, 0); + if (r < 0) + goto out; + } + + device_set_block_size(crypt_data_device(cd), sector_size); + + r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr, cd->metadata_device != NULL); + if (r < 0) { + log_err(cd, _("Cannot wipe header on device %s."), + mdata_device_path(cd)); + if (device_size_bytes < LUKS2_hdr_and_areas_size(&cd->u.luks2.hdr)) + log_err(cd, _("Device %s is too small."), device_path(crypt_metadata_device(cd))); + goto out; + } + + range_offset_blocks = (data_offset_bytes + partition_offset_sectors * SECTOR_SIZE) / opal_block_bytes; + + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + goto out; + } + + r = opal_setup_ranges(cd, crypt_data_device(cd), user_key ?: cd->volume_key, + range_offset_blocks, range_size_bytes / opal_block_bytes, + opal_segment_number, opal_params->admin_key, opal_params->admin_key_size); + if (r < 0) { + if (r == -EPERM) + log_err(cd, _("Incorrect OPAL Admin key.")); + else + log_err(cd, _("Cannot setup OPAL segment.")); + goto out; + } + + opal_range_reset = true; + + /* integrity metadata goes in unlocked OPAL locking range */ + if (crypt_get_integrity_tag_size(cd)) { + r = opal_unlock(cd, crypt_data_device(cd), opal_segment_number, user_key ?: cd->volume_key); + if (r < 0) + goto out; + + r = crypt_wipe_device(cd, crypt_data_device(cd), CRYPT_WIPE_ZERO, + crypt_get_data_offset(cd) * SECTOR_SIZE, + 8 * SECTOR_SIZE, 8 * SECTOR_SIZE, NULL, NULL); + if (r < 0) { + if (r == -EBUSY) + log_err(cd, _("Cannot format device %s in use."), + data_device_path(cd)); + else if (r == -EACCES) { + log_err(cd, _("Cannot format device %s, permission denied."), + data_device_path(cd)); + r = -EINVAL; + } else + log_err(cd, _("Cannot wipe header on device %s."), + data_device_path(cd)); + + goto out; + } + + r = INTEGRITY_format(cd, params->integrity_params, NULL, NULL, + /* + * Create reduced dm-integrity device only if locking range size does + * not match device size. + */ + device_size_bytes != range_size_bytes ? range_size_bytes / SECTOR_SIZE : 0); + if (r) + log_err(cd, _("Cannot format integrity for device %s."), + data_device_path(cd)); + if (r < 0) + goto out; + + r = INTEGRITY_data_sectors(cd, crypt_data_device(cd), + crypt_get_data_offset(cd) * SECTOR_SIZE, + &provided_data_sectors); + if (r < 0) + goto out; + + if (!LUKS2_segment_set_size(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, + &(uint64_t) {provided_data_sectors * SECTOR_SIZE})) { + r = -EINVAL; + goto out; + } + + r = opal_lock(cd, crypt_data_device(cd), opal_segment_number); + if (r < 0) + goto out; + } + + /* override sequence id check with format */ + r = LUKS2_hdr_write_force(cd, &cd->u.luks2.hdr); + if (r < 0) { + if (r == -EBUSY) + log_err(cd, _("Cannot format device %s in use."), + mdata_device_path(cd)); + else if (r == -EACCES) { + log_err(cd, _("Cannot format device %s, permission denied."), + mdata_device_path(cd)); + r = -EINVAL; + } else if (r == -EIO) { + log_err(cd, _("Cannot format device %s, OPAL device seems to be fully write-protected now."), + mdata_device_path(cd)); + log_err(cd, _("This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery.")); + } else + log_err(cd, _("Cannot format device %s."), + mdata_device_path(cd)); + } + +out: + crypt_free_volume_key(user_key); + + if (subsystem_overridden) + params->subsystem = NULL; + + if (r >= 0) { + opal_exclusive_unlock(cd, opal_lh); + return 0; + } + + if (opal_range_reset && + (opal_reset_segment(cd, crypt_data_device(cd), opal_segment_number, + opal_params->admin_key, opal_params->admin_key_size) < 0)) + log_err(cd, _("Locking range %d reset on device %s failed."), + opal_segment_number, device_path(crypt_data_device(cd))); + + opal_exclusive_unlock(cd, opal_lh); + LUKS2_hdr_free(cd, &cd->u.luks2.hdr); + + crypt_set_null_type(cd); + crypt_free_volume_key(cd->volume_key); + cd->volume_key = NULL; + + return r; +} + static int _crypt_format_loopaes(struct crypt_device *cd, const char *cipher, const char *uuid, @@ -2329,7 +2956,7 @@ static int _crypt_format_integrity(struct crypt_device *cd, cd->u.integrity.params.journal_integrity = journal_integrity; cd->u.integrity.params.journal_crypt = journal_crypt; - r = INTEGRITY_format(cd, params, cd->u.integrity.journal_crypt_key, cd->u.integrity.journal_mac_key); + r = INTEGRITY_format(cd, params, cd->u.integrity.journal_crypt_key, cd->u.integrity.journal_mac_key, 0); if (r) log_err(cd, _("Cannot format integrity for device %s."), mdata_device_path(cd)); @@ -2674,7 +3301,7 @@ int crypt_compare_dm_devices(struct crypt_device *cd, } static int _reload_device(struct crypt_device *cd, const char *name, - struct crypt_dm_active_device *sdmd) + struct crypt_dm_active_device *sdmd, uint32_t dmflags) { int r; struct crypt_dm_active_device tdmd; @@ -2742,7 +3369,7 @@ static int _reload_device(struct crypt_device *cd, const char *name, tdmd.flags = sdmd->flags; tgt->size = tdmd.size = sdmd->size; - r = dm_reload_device(cd, name, &tdmd, 0, 1); + r = dm_reload_device(cd, name, &tdmd, dmflags, 1); out: dm_targets_free(cd, &tdmd); free(CONST_CAST(void*)tdmd.uuid); @@ -2925,15 +3552,10 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) struct crypt_dm_active_device dmdq, dmd = {}; struct dm_target *tgt = &dmdq.segment; struct crypt_params_integrity params = {}; - uint32_t supported_flags = 0; + uint32_t supported_flags = 0, dmflags = 0; uint64_t old_size; int r; - /* - * FIXME: Also with LUKS2 we must not allow resize when there's - * explicit size stored in metadata (length != "dynamic") - */ - /* Device context type must be initialized */ if (!cd || !cd->type || !name) return -EINVAL; @@ -2943,7 +3565,15 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) return -ENOTSUP; } - log_dbg(cd, "Resizing device %s to %" PRIu64 " sectors.", name, new_size); + if (isLUKS2(cd->type) && !LUKS2_segments_dynamic_size(&cd->u.luks2.hdr)) { + log_err(cd, _("Can not resize LUKS2 device with static size.")); + return -EINVAL; + } + + if (new_size) + log_dbg(cd, "Resizing device %s to %" PRIu64 " sectors.", name, new_size); + else + log_dbg(cd, "Resizing device %s to underlying device size.", name); r = dm_query_device(cd, name, DM_ACTIVE_CRYPT_KEYSIZE | DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_INTEGRITY_PARAMS | DM_ACTIVE_JOURNAL_CRYPT_KEY | @@ -3011,7 +3641,8 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) tgt->u.integrity.journal_integrity_key, ¶ms); if (r) goto out; - r = _reload_device(cd, name, &dmd); + /* Backend device cannot be smaller here, device_block_adjust() will fail if so. */ + r = _reload_device(cd, name, &dmd, DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH); if (r) goto out; @@ -3079,8 +3710,13 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size) r = -ENOTSUP; else if (isLUKS2(cd->type)) r = LUKS2_unmet_requirements(cd, &cd->u.luks2.hdr, 0, 0); - if (!r) - r = _reload_device(cd, name, &dmd); + + if (!r) { + /* Skip flush and lockfs if extending device */ + if (new_size > dmdq.size) + dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH; + r = _reload_device(cd, name, &dmd, dmflags); + } if (r && tgt->type == DM_INTEGRITY && !dm_flags(cd, tgt->type, &supported_flags) && @@ -3271,6 +3907,8 @@ void crypt_free(struct crypt_device *cd) free(CONST_CAST(void*)cd->pbkdf.type); free(CONST_CAST(void*)cd->pbkdf.hash); + free(CONST_CAST(void*)cd->user_key_name1); + free(CONST_CAST(void*)cd->user_key_name2); /* Some structures can contain keys (TCRYPT), wipe it */ crypt_safe_memzero(cd, sizeof(*cd)); @@ -3298,38 +3936,85 @@ static char *crypt_get_device_key_description(struct crypt_device *cd, const cha int crypt_suspend(struct crypt_device *cd, const char *name) { - char *key_desc; + bool dm_opal_uuid; crypt_status_info ci; int r; - uint32_t dmflags = DM_SUSPEND_WIPE_KEY; - - /* FIXME: check context uuid matches the dm-crypt device uuid (onlyLUKS branching) */ + struct crypt_dm_active_device dmd, dmdi = {}; + uint32_t opal_segment_number = 1, dmflags = DM_SUSPEND_WIPE_KEY; + struct dm_target *tgt = &dmd.segment; + char *key_desc = NULL, *iname = NULL; + struct crypt_lock_handle *opal_lh = NULL; if (!cd || !name) return -EINVAL; log_dbg(cd, "Suspending volume %s.", name); - if (cd->type) - r = onlyLUKS(cd); - else { - r = crypt_uuid_type_cmp(cd, CRYPT_LUKS1); - if (r < 0) - r = crypt_uuid_type_cmp(cd, CRYPT_LUKS2); - if (r < 0) - log_err(cd, _("This operation is supported only for LUKS device.")); - } - - if (r < 0) + if (cd->type && ((r = onlyLUKS(cd)) < 0)) return r; - ci = crypt_status(NULL, name); + ci = crypt_status(cd, name); if (ci < CRYPT_ACTIVE) { log_err(cd, _("Volume %s is not active."), name); return -EINVAL; } - dm_backend_init(cd); + r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd); + if (r < 0) + return r; + + log_dbg(cd, "Checking if active device %s has UUID type LUKS.", name); + + r = crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2); + if (r < 0) + r = crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1); + + if (r < 0) { + log_err(cd, _("This operation is supported only for LUKS device.")); + goto out; + } + + r = -EINVAL; + + if (isLUKS2(cd->type) && crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2)) { + log_dbg(cd, "LUKS device header type: %s mismatches DM device type.", cd->type); + goto out; + } + + if (isLUKS1(cd->type) && crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1)) { + log_dbg(cd, "LUKS device header type: %s mismatches DM device type.", cd->type); + goto out; + } + + /* check if active device has LUKS2-OPAL dm uuid prefix */ + dm_opal_uuid = !crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2_HW_OPAL); + + if (!dm_opal_uuid && isLUKS2(cd->type) && + LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) + goto out; + + if (cd->type && (r = crypt_uuid_cmp(dmd.uuid, LUKS_UUID(cd))) < 0) { + log_dbg(cd, "LUKS device header uuid: %s mismatches DM returned uuid %s", + LUKS_UUID(cd), dmd.uuid); + goto out; + } + + /* check UUID of integrity device underneath crypt device */ + if (crypt_get_integrity_tag_size(cd)) { + r = dm_get_iname(name, &iname, false); + if (r) + goto out; + + r = dm_query_device(cd, iname, DM_ACTIVE_UUID, &dmdi); + if (r < 0) + goto out; + + r = crypt_uuid_integrity_cmp(dmd.uuid, dmdi.uuid); + if (r < 0) { + log_dbg(cd, "Integrity device uuid: %s mismatches crypt device uuid %s", dmdi.uuid, dmd.uuid); + goto out; + } + } r = dm_status_suspended(cd, name); if (r < 0) @@ -3343,76 +4028,311 @@ int crypt_suspend(struct crypt_device *cd, key_desc = crypt_get_device_key_description(cd, name); - /* we can't simply wipe wrapped keys */ - if (crypt_cipher_wrapped_key(crypt_get_cipher(cd), crypt_get_cipher_mode(cd))) + if (dm_opal_uuid && crypt_data_device(cd)) { + if (isLUKS2(cd->type)) { + r = LUKS2_get_opal_segment_number(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number); + if (r < 0) + goto out; + } else { + /* Guess OPAL range number for LUKS2-OPAL device with missing header */ + r = crypt_dev_get_partition_number(device_path(crypt_data_device(cd))); + if (r > 0) + opal_segment_number = r; + } + } + + /* we can't simply wipe wrapped keys. HW OPAL only encryption does not use dm-crypt target */ + if (crypt_cipher_wrapped_key(crypt_get_cipher(cd), crypt_get_cipher_mode(cd)) || + (dm_opal_uuid && tgt->type == DM_LINEAR)) dmflags &= ~DM_SUSPEND_WIPE_KEY; r = dm_suspend_device(cd, name, dmflags); - if (r == -ENOTSUP) - log_err(cd, _("Suspend is not supported for device %s."), name); - else if (r) - log_err(cd, _("Error during suspending device %s."), name); - else - crypt_drop_keyring_key_by_description(cd, key_desc, LOGON_KEY); - free(key_desc); + if (r) { + if (r == -ENOTSUP) + log_err(cd, _("Suspend is not supported for device %s."), name); + else + log_err(cd, _("Error during suspending device %s."), name); + goto out; + } + + /* Suspend integrity device underneath; keep crypt suspended if it fails */ + if (crypt_get_integrity_tag_size(cd)) { + r = dm_suspend_device(cd, iname, 0); + if (r) + log_err(cd, _("Error during suspending device %s."), iname); + } + + crypt_drop_keyring_key_by_description(cd, key_desc, cd->keyring_key_type); + + if (dm_opal_uuid && crypt_data_device(cd)) { + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + goto out; + } + } + + if (dm_opal_uuid && (!crypt_data_device(cd) || opal_lock(cd, crypt_data_device(cd), opal_segment_number))) + log_err(cd, _("Device %s was suspended but hardware OPAL device cannot be locked."), name); out: - dm_backend_exit(cd); + opal_exclusive_unlock(cd, opal_lh); + free(key_desc); + free(iname); + dm_targets_free(cd, &dmd); + dm_targets_free(cd, &dmdi); + free(CONST_CAST(void*)dmd.uuid); + free(CONST_CAST(void*)dmdi.uuid); return r; } -/* key must be properly verified */ -static int resume_by_volume_key(struct crypt_device *cd, +static int resume_luks1_by_volume_key(struct crypt_device *cd, struct volume_key *vk, const char *name) { - int digest, r; + int r; struct volume_key *zerokey = NULL; + assert(vk && crypt_volume_key_get_id(vk) == 0); + assert(name); + if (crypt_is_cipher_null(crypt_get_cipher_spec(cd))) { zerokey = crypt_alloc_volume_key(0, NULL); if (!zerokey) return -ENOMEM; vk = zerokey; - } else if (crypt_use_keyring_for_vk(cd)) { - /* LUKS2 path only */ - digest = LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); - if (digest < 0) + } + + r = dm_resume_and_reinstate_key(cd, name, vk); + + if (r == -ENOTSUP) + log_err(cd, _("Resume is not supported for device %s."), name); + else if (r) + log_err(cd, _("Error during resuming device %s."), name); + + crypt_free_volume_key(zerokey); + + return r; +} + +static void crypt_unlink_key_from_custom_keyring(struct crypt_device *cd, key_serial_t kid) +{ + assert(cd); + assert(cd->keyring_to_link_vk); + + log_dbg(cd, "Unlinking volume key (id: %" PRIi32 ") from kernel keyring (id: %" PRIi32 ").", + kid, cd->keyring_to_link_vk); + + if (!keyring_unlink_key_from_keyring(kid, cd->keyring_to_link_vk)) + return; + + log_dbg(cd, "keyring_unlink_key_from_keyring failed with errno %d.", errno); + log_err(cd, _("Failed to unlink volume key from user specified keyring.")); +} + +static key_serial_t crypt_single_volume_key_load_in_user_keyring(struct crypt_device *cd, struct volume_key *vk, const char *user_key_name) +{ + key_serial_t kid; + const char *type_name; + + assert(cd); + assert(cd->link_vk_to_keyring); + + if (!vk || !(type_name = key_type_name(cd->keyring_key_type))) + return -EINVAL; + + log_dbg(cd, "Linking volume key (type %s, name %s) to the specified keyring", + type_name, user_key_name); + + kid = keyring_add_key_to_custom_keyring(cd->keyring_key_type, user_key_name, vk->key, vk->keylength, cd->keyring_to_link_vk); + if (kid <= 0) { + log_dbg(cd, "The keyring_link_key_to_keyring function failed (error %d).", errno); + } + + return kid; +} + +static int crypt_volume_key_load_in_user_keyring(struct crypt_device *cd, struct volume_key *vk, key_serial_t *kid1_out, key_serial_t *kid2_out) +{ + key_serial_t kid1, kid2 = 0; + + assert(cd); + assert(cd->link_vk_to_keyring); + assert(cd->user_key_name1); + + if (!vk || !key_type_name(cd->keyring_key_type)) + return -EINVAL; + + kid1 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name1); + if (kid1 <= 0) + return -EINVAL; + + vk = vk->next; + if (vk) { + assert(cd->user_key_name2); + kid2 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name2); + if (kid2 <= 0) { + crypt_unlink_key_from_custom_keyring(cd, kid1); return -EINVAL; - r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, digest); + } + } + + *kid2_out = kid2; + *kid1_out = kid1; + return 0; +} + +static int resume_luks2_by_volume_key(struct crypt_device *cd, + int digest, + struct volume_key *vk, + const char *name) +{ + bool use_keyring; + int r, enc_type; + uint32_t opal_segment_number; + struct volume_key *p_crypt = vk, *p_opal = NULL, *zerokey = NULL, *crypt_key = NULL, *opal_key = NULL; + char *iname = NULL; + struct crypt_lock_handle *opal_lh = NULL; + key_serial_t kid1 = 0, kid2 = 0; + + assert(digest >= 0); + assert(vk && crypt_volume_key_get_id(vk) == digest); + assert(name); + + enc_type = crypt_get_hw_encryption_type(cd); + if (enc_type < 0) + return enc_type; + + use_keyring = crypt_use_keyring_for_vk(cd); + + if (enc_type == CRYPT_OPAL_HW_ONLY || enc_type == CRYPT_SW_AND_OPAL_HW) { + r = LUKS2_get_opal_segment_number(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, + &opal_segment_number); if (r < 0) return r; + + r = LUKS2_split_crypt_and_opal_keys(cd, &cd->u.luks2.hdr, + vk, &crypt_key, + &opal_key); + if (r < 0) + return r; + + p_crypt = crypt_key; + p_opal = opal_key ?: vk; } - r = dm_resume_and_reinstate_key(cd, name, vk); + if (enc_type != CRYPT_OPAL_HW_ONLY && crypt_is_cipher_null(crypt_get_cipher_spec(cd))) { + zerokey = crypt_alloc_volume_key(0, NULL); + if (!zerokey) { + r = -ENOMEM; + goto out; + } + p_crypt = zerokey; + use_keyring = false; + } + + if (use_keyring) { + if (p_crypt) { + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, p_crypt, digest); + if (r < 0) + goto out; + } + + /* upload volume key in custom keyring if requested */ + if (cd->link_vk_to_keyring) { + r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2); + if (r < 0) { + log_err(cd, _("Failed to link volume key in user defined keyring.")); + goto out; + } + } + } + + if (p_opal) { + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + goto out; + } + + r = opal_unlock(cd, crypt_data_device(cd), opal_segment_number, p_opal); + if (r < 0) { + p_opal = NULL; /* do not lock on error path */ + goto out; + } + } + + if (crypt_get_integrity_tag_size(cd)) { + r = dm_get_iname(name, &iname, false); + if (r) + goto out; + + r = dm_resume_device(cd, iname, 0); + if (r) + log_err(cd, _("Error during resuming device %s."), iname); + } + + if (enc_type == CRYPT_OPAL_HW_ONLY) + r = dm_resume_device(cd, name, 0); + else + r = dm_resume_and_reinstate_key(cd, name, p_crypt); if (r == -ENOTSUP) log_err(cd, _("Resume is not supported for device %s."), name); else if (r) log_err(cd, _("Error during resuming device %s."), name); - if (r < 0) - crypt_drop_keyring_key(cd, vk); +out: + if (r < 0) { + crypt_drop_keyring_key(cd, p_crypt); + if (cd->link_vk_to_keyring && kid1) + crypt_unlink_key_from_custom_keyring(cd, kid1); + if (cd->link_vk_to_keyring && kid2) + crypt_unlink_key_from_custom_keyring(cd, kid2); + } + if (r < 0 && p_opal) + opal_lock(cd, crypt_data_device(cd), opal_segment_number); + + opal_exclusive_unlock(cd, opal_lh); crypt_free_volume_key(zerokey); + crypt_free_volume_key(opal_key); + crypt_free_volume_key(crypt_key); + free(iname); + + return r; +} + +/* key must be properly verified */ +static int resume_by_volume_key(struct crypt_device *cd, + struct volume_key *vk, + const char *name) +{ + assert(cd); + + if (isLUKS2(cd->type)) + return resume_luks2_by_volume_key(cd, + LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT), + vk, name); + + if (isLUKS1(cd->type)) + return resume_luks1_by_volume_key(cd, vk, name); - return r; + return -EINVAL; } -int crypt_resume_by_passphrase(struct crypt_device *cd, +int crypt_resume_by_keyslot_context(struct crypt_device *cd, const char *name, int keyslot, - const char *passphrase, - size_t passphrase_size) + struct crypt_keyslot_context *kc) { - struct volume_key *vk = NULL; int r; + struct volume_key *vk = NULL; + int unlocked_keyslot = -EINVAL; - /* FIXME: check context uuid matches the dm-crypt device uuid */ - - if (!passphrase || !name) + if (!name) return -EINVAL; - log_dbg(cd, "Resuming volume %s.", name); + log_dbg(cd, "Resuming volume %s [keyslot %d] using %s.", name, keyslot, keyslot_context_type_string(kc)); if ((r = onlyLUKS(cd))) return r; @@ -3426,21 +4346,50 @@ int crypt_resume_by_passphrase(struct crypt_device *cd, return -EINVAL; } - if (isLUKS1(cd->type)) - r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size, - &cd->u.luks1.hdr, &vk, cd); + if (isLUKS1(cd->type) && kc->get_luks1_volume_key) + r = kc->get_luks1_volume_key(cd, kc, keyslot, &vk); + else if (isLUKS2(cd->type) && kc->get_luks2_volume_key) + r = kc->get_luks2_volume_key(cd, kc, keyslot, &vk); else - r = LUKS2_keyslot_open(cd, keyslot, CRYPT_DEFAULT_SEGMENT, passphrase, passphrase_size, &vk); - - if (r < 0) - return r; + r = -EINVAL; + if (r < 0) + goto out; + unlocked_keyslot = r; - keyslot = r; + if (isLUKS1(cd->type)) { + r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); + crypt_volume_key_set_id(vk, 0); + } else if (isLUKS2(cd->type)) { + r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); + crypt_volume_key_set_id(vk, r); + } else + r = -EINVAL; + if (r < 0) + goto out; r = resume_by_volume_key(cd, vk, name); crypt_free_volume_key(vk); - return r < 0 ? r : keyslot; + return r < 0 ? r : unlocked_keyslot; +out: + crypt_free_volume_key(vk); + return r; +} + +int crypt_resume_by_passphrase(struct crypt_device *cd, + const char *name, + int keyslot, + const char *passphrase, + size_t passphrase_size) +{ + int r; + struct crypt_keyslot_context kc; + + crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); + r = crypt_resume_by_keyslot_context(cd, name, keyslot, &kc); + crypt_keyslot_context_destroy_internal(&kc); + + return r; } int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd, @@ -3450,53 +4399,14 @@ int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd, size_t keyfile_size, uint64_t keyfile_offset) { - struct volume_key *vk = NULL; - char *passphrase_read = NULL; - size_t passphrase_size_read; int r; + struct crypt_keyslot_context kc; - /* FIXME: check context uuid matches the dm-crypt device uuid */ - - if (!name || !keyfile) - return -EINVAL; - - log_dbg(cd, "Resuming volume %s.", name); - - if ((r = onlyLUKS(cd))) - return r; - - r = dm_status_suspended(cd, name); - if (r < 0) - return r; - - if (!r) { - log_err(cd, _("Volume %s is not suspended."), name); - return -EINVAL; - } - - r = crypt_keyfile_device_read(cd, keyfile, - &passphrase_read, &passphrase_size_read, - keyfile_offset, keyfile_size, 0); - if (r < 0) - return r; - - if (isLUKS1(cd->type)) - r = LUKS_open_key_with_hdr(keyslot, passphrase_read, passphrase_size_read, - &cd->u.luks1.hdr, &vk, cd); - else - r = LUKS2_keyslot_open(cd, keyslot, CRYPT_DEFAULT_SEGMENT, - passphrase_read, passphrase_size_read, &vk); - - crypt_safe_free(passphrase_read); - if (r < 0) - return r; - - keyslot = r; - - r = resume_by_volume_key(cd, vk, name); + crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset); + r = crypt_resume_by_keyslot_context(cd, name, keyslot, &kc); + crypt_keyslot_context_destroy_internal(&kc); - crypt_free_volume_key(vk); - return r < 0 ? r : keyslot; + return r; } int crypt_resume_by_keyfile(struct crypt_device *cd, @@ -3525,43 +4435,16 @@ int crypt_resume_by_volume_key(struct crypt_device *cd, const char *volume_key, size_t volume_key_size) { - struct volume_key *vk = NULL; int r; + struct crypt_keyslot_context kc; - if (!name || !volume_key) - return -EINVAL; - - log_dbg(cd, "Resuming volume %s by volume key.", name); - - if ((r = onlyLUKS(cd))) - return r; - - r = dm_status_suspended(cd, name); - if (r < 0) - return r; - - if (!r) { - log_err(cd, _("Volume %s is not suspended."), name); - return -EINVAL; - } - - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - if (!vk) - return -ENOMEM; + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + r = crypt_resume_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc); + crypt_keyslot_context_destroy_internal(&kc); - if (isLUKS1(cd->type)) - r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); - else if (isLUKS2(cd->type)) - r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); - else - r = -EINVAL; if (r == -EPERM || r == -ENOENT) log_err(cd, _("Volume key does not match the volume.")); - if (r >= 0) - r = resume_by_volume_key(cd, vk, name); - - crypt_free_volume_key(vk); return r; } @@ -3569,35 +4452,14 @@ int crypt_resume_by_token_pin(struct crypt_device *cd, const char *name, const char *type, int token, const char *pin, size_t pin_size, void *usrptr) { - struct volume_key *vk = NULL; - int r, keyslot; - - if (!name) - return -EINVAL; - - log_dbg(cd, "Resuming volume %s by token (%s type) %d.", - name, type ?: "any", token); - - if ((r = _onlyLUKS2(cd, CRYPT_CD_QUIET, 0))) - return r; - - r = dm_status_suspended(cd, name); - if (r < 0) - return r; - - if (!r) { - log_err(cd, _("Volume %s is not suspended."), name); - return -EINVAL; - } + int r; + struct crypt_keyslot_context kc; - r = LUKS2_token_unlock_key(cd, &cd->u.luks2.hdr, token, type, - pin, pin_size, CRYPT_DEFAULT_SEGMENT, usrptr, &vk); - keyslot = r; - if (r >= 0) - r = resume_by_volume_key(cd, vk, name); + crypt_keyslot_unlock_by_token_init_internal(&kc, token, type, pin, pin_size, usrptr); + r = crypt_resume_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc); + crypt_keyslot_context_destroy_internal(&kc); - crypt_free_volume_key(vk); - return r < 0 ? r : keyslot; + return r; } /* @@ -3635,7 +4497,8 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, const char *new_passphrase, size_t new_passphrase_size) { - int digest = -1, r, keyslot_new_orig = keyslot_new; + bool keyslot_swap = false; + int digest = -1, r; struct luks2_keyslot_params params; struct volume_key *vk = NULL; @@ -3670,13 +4533,21 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, } keyslot_old = r; - if (keyslot_new == CRYPT_ANY_SLOT) { - if (isLUKS1(cd->type)) - keyslot_new = LUKS_keyslot_find_empty(&cd->u.luks1.hdr); - else if (isLUKS2(cd->type)) + if (isLUKS2(cd->type)) { + /* If there is a free keyslot (both id and binary area) avoid in-place keyslot area overwrite */ + if (keyslot_new == CRYPT_ANY_SLOT || keyslot_new == keyslot_old) { keyslot_new = LUKS2_keyslot_find_empty(cd, &cd->u.luks2.hdr, vk->keylength); - if (keyslot_new < 0) - keyslot_new = keyslot_old; + if (keyslot_new < 0) + keyslot_new = keyslot_old; + else + keyslot_swap = true; + } + } else if (isLUKS1(cd->type)) { + if (keyslot_new == CRYPT_ANY_SLOT) { + keyslot_new = LUKS_keyslot_find_empty(&cd->u.luks1.hdr); + if (keyslot_new < 0) + keyslot_new = keyslot_old; + } } log_dbg(cd, "Key change, old slot %d, new slot %d.", keyslot_old, keyslot_new); @@ -3699,16 +4570,8 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, r = LUKS2_token_assignment_copy(cd, &cd->u.luks2.hdr, keyslot_old, keyslot_new, 0); if (r < 0) goto out; - } else { + } else log_dbg(cd, "Key slot %d is going to be overwritten.", keyslot_old); - /* FIXME: improve return code so that we can detect area is damaged */ - r = LUKS2_keyslot_wipe(cd, &cd->u.luks2.hdr, keyslot_old, 1); - if (r) { - /* (void)crypt_keyslot_destroy(cd, keyslot_old); */ - r = -EINVAL; - goto out; - } - } r = LUKS2_keyslot_store(cd, &cd->u.luks2.hdr, keyslot_new, new_passphrase, @@ -3717,7 +4580,7 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, goto out; /* Swap old & new so the final keyslot number remains */ - if (keyslot_new_orig == CRYPT_ANY_SLOT && keyslot_old != keyslot_new) { + if (keyslot_swap && keyslot_old != keyslot_new) { r = LUKS2_keyslot_swap(cd, &cd->u.luks2.hdr, keyslot_old, keyslot_new); if (r < 0) goto out; @@ -3827,7 +4690,7 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot) log_dbg(cd, "Destroying keyslot %d.", keyslot); - if ((r = _onlyLUKS(cd, CRYPT_CD_UNRESTRICTED))) + if ((r = onlyLUKSunrestricted(cd))) return r; ki = crypt_keyslot_status(cd, keyslot); @@ -3844,7 +4707,7 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot) return LUKS_del_key(keyslot, &cd->u.luks1.hdr, cd); } - return LUKS2_keyslot_wipe(cd, &cd->u.luks2.hdr, keyslot, 0); + return LUKS2_keyslot_wipe(cd, &cd->u.luks2.hdr, keyslot); } static int _check_header_data_overlap(struct crypt_device *cd, const char *name) @@ -3960,12 +4823,14 @@ int create_or_reload_device(struct crypt_device *cd, const char *name, int r; enum devcheck device_check; struct dm_target *tgt; + uint64_t offset; + uint32_t dmflags = 0; if (!type || !name || !single_segment(dmd)) return -EINVAL; tgt = &dmd->segment; - if (tgt->type != DM_CRYPT && tgt->type != DM_INTEGRITY) + if (tgt->type != DM_CRYPT && tgt->type != DM_INTEGRITY && tgt->type != DM_LINEAR) return -EINVAL; /* drop CRYPT_ACTIVATE_REFRESH flag if any device is inactive */ @@ -3973,14 +4838,18 @@ int create_or_reload_device(struct crypt_device *cd, const char *name, if (r) return r; - if (dmd->flags & CRYPT_ACTIVATE_REFRESH) - r = _reload_device(cd, name, dmd); - else { - if (tgt->type == DM_CRYPT) { + if (dmd->flags & CRYPT_ACTIVATE_REFRESH) { + /* Refresh and recalculate means increasing dm-integrity device */ + if (tgt->type == DM_INTEGRITY && dmd->flags & CRYPT_ACTIVATE_RECALCULATE) + dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;; + r = _reload_device(cd, name, dmd, dmflags); + } else { + if (tgt->type == DM_CRYPT || tgt->type == DM_LINEAR) { device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL; + offset = tgt->type == DM_CRYPT ? tgt->u.crypt.offset : tgt->u.linear.offset; r = device_block_adjust(cd, tgt->data_device, device_check, - tgt->u.crypt.offset, &dmd->size, &dmd->flags); + offset, &dmd->size, &dmd->flags); if (!r) { tgt->size = dmd->size; r = dm_create_device(cd, name, type, dmd); @@ -4009,15 +4878,18 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char * struct crypt_dm_active_device *dmdi) { int r; - const char *iname = NULL; - char *ipath = NULL; + char *iname = NULL, *ipath = NULL; if (!type || !name || !dmd || !dmdi) return -EINVAL; - if (asprintf(&ipath, "%s/%s_dif", dm_get_dir(), name) < 0) - return -ENOMEM; - iname = ipath + strlen(dm_get_dir()) + 1; + r = dm_get_iname(name, &iname, false); + if (r) + goto out; + + r = dm_get_iname(name, &ipath, true); + if (r) + goto out; /* drop CRYPT_ACTIVATE_REFRESH flag if any device is inactive */ r = check_devices(cd, name, iname, &dmd->flags); @@ -4030,6 +4902,7 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char * r = _create_device_with_integrity(cd, type, name, iname, ipath, dmd, dmdi); out: free(ipath); + free(iname); return r; } @@ -4043,7 +4916,8 @@ static int _open_and_activate(struct crypt_device *cd, { bool use_keyring; int r; - struct volume_key *vk = NULL; + struct volume_key *p_crypt = NULL, *p_opal = NULL, *crypt_key = NULL, *opal_key = NULL, *vk = NULL; + key_serial_t kid1 = 0, kid2 = 0; r = LUKS2_keyslot_open(cd, keyslot, (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ? @@ -4053,6 +4927,22 @@ static int _open_and_activate(struct crypt_device *cd, return r; keyslot = r; + /* split the key only if we do activation */ + if (name && LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) { + r = LUKS2_split_crypt_and_opal_keys(cd, &cd->u.luks2.hdr, + vk, &crypt_key, + &opal_key); + if (r < 0) + goto out; + + /* copy volume key digest id in crypt subkey */ + crypt_volume_key_set_id(crypt_key, crypt_volume_key_get_id(vk)); + + p_crypt = crypt_key; + p_opal = opal_key ?: vk; + } else + p_crypt = vk; + if (!crypt_use_keyring_for_vk(cd)) use_keyring = false; else @@ -4060,25 +4950,44 @@ static int _open_and_activate(struct crypt_device *cd, (flags & CRYPT_ACTIVATE_KEYRING_KEY)); if (use_keyring) { - r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, - &cd->u.luks2.hdr, vk, keyslot); - if (r < 0) - goto out; - flags |= CRYPT_ACTIVATE_KEYRING_KEY; + /* upload dm-crypt part of volume key in thread keyring if requested */ + if (p_crypt) { + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, p_crypt, + crypt_volume_key_get_id(p_crypt)); + if (r < 0) + goto out; + flags |= CRYPT_ACTIVATE_KEYRING_KEY; + } + + /* upload the volume key in custom user keyring if requested */ + if (cd->link_vk_to_keyring) { + r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2); + if (r < 0) { + log_err(cd, _("Failed to link volume key in user defined keyring.")); + goto out; + } + } } if (name) - r = LUKS2_activate(cd, name, vk, flags); + r = LUKS2_activate(cd, name, p_crypt, p_opal, flags); out: - if (r < 0) - crypt_drop_keyring_key(cd, vk); + if (r < 0) { + crypt_drop_keyring_key(cd, p_crypt); + if (cd->link_vk_to_keyring && kid1) + crypt_unlink_key_from_custom_keyring(cd, kid1); + if (cd->link_vk_to_keyring && kid2) + crypt_unlink_key_from_custom_keyring(cd, kid2); + } crypt_free_volume_key(vk); + crypt_free_volume_key(crypt_key); + crypt_free_volume_key(opal_key); return r < 0 ? r : keyslot; } #if USE_LUKS2_REENCRYPTION -static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks) +static int load_all_keys(struct crypt_device *cd, struct volume_key *vks) { int r; struct volume_key *vk = vks; @@ -4129,7 +5038,7 @@ static int _open_all_keys(struct crypt_device *cd, keyslot = r; if (r >= 0 && (flags & CRYPT_ACTIVATE_KEYRING_KEY)) - r = load_all_keys(cd, hdr, _vks); + r = load_all_keys(cd, _vks); if (r >= 0 && vks) MOVE_REF(*vks, _vks); @@ -4138,7 +5047,108 @@ static int _open_all_keys(struct crypt_device *cd, crypt_drop_keyring_key(cd, _vks); crypt_free_volume_key(_vks); - return r < 0 ? r : keyslot; + return r < 0 ? r : keyslot; +} + +static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd, + struct luks2_hdr *hdr, + const char *name, + struct volume_key *vks, + uint32_t flags) +{ + bool dynamic_size; + crypt_reencrypt_info ri; + uint64_t minimal_size, device_size; + int r = 0; + struct crypt_lock_handle *reencrypt_lock = NULL; + key_serial_t kid1 = 0, kid2 = 0; + struct volume_key *vk; + + if (!vks) + return -EINVAL; + + if (crypt_use_keyring_for_vk(cd)) + flags |= CRYPT_ACTIVATE_KEYRING_KEY; + + r = LUKS2_reencrypt_lock(cd, &reencrypt_lock); + if (r) { + if (r == -EBUSY) + log_err(cd, _("Reencryption in-progress. Cannot activate device.")); + else + log_err(cd, _("Failed to get reencryption lock.")); + return r; + } + + if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) + goto out; + + ri = LUKS2_reencrypt_status(hdr); + + if (ri == CRYPT_REENCRYPT_CRASH) { + r = LUKS2_reencrypt_locked_recovery_by_vks(cd, vks); + if (r < 0) { + log_err(cd, _("LUKS2 reencryption recovery using volume key(s) failed.")); + goto out; + } + + ri = LUKS2_reencrypt_status(hdr); + } + /* recovery finished reencryption or it's already finished */ + if (ri == CRYPT_REENCRYPT_NONE) { + vk = crypt_volume_key_by_id(vks, LUKS2_digest_by_segment(hdr, CRYPT_DEFAULT_SEGMENT)); + if (!vk) { + r = -EPERM; + goto out; + } + + r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); + if (r == -EPERM || r == -ENOENT) + log_err(cd, _("Volume key does not match the volume.")); + if (r >= 0 && cd->link_vk_to_keyring) { + kid1 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name1); + if (kid1 <= 0) + r = -EINVAL; + } + if (r >= 0) + r = LUKS2_activate(cd, name, vk, NULL, flags); + goto out; + } + if (ri > CRYPT_REENCRYPT_CLEAN) { + r = -EINVAL; + goto out; + } + + if ((flags & CRYPT_ACTIVATE_KEYRING_KEY)) { + r = load_all_keys(cd, vks); + if (r < 0) + goto out; + } + + if ((r = LUKS2_get_data_size(hdr, &minimal_size, &dynamic_size))) + goto out; + + r = LUKS2_reencrypt_digest_verify(cd, hdr, vks); + if (r < 0) + goto out; + + log_dbg(cd, "Entering clean reencryption state mode."); + + r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, dynamic_size); + if (r < 0) + goto out; + if (cd->link_vk_to_keyring) { + r = crypt_volume_key_load_in_user_keyring(cd, vks, &kid1, &kid2); + if (r < 0) { + log_err(cd, _("Failed to link volume keys in user defined keyring.")); + goto out; + } + } + r = LUKS2_activate_multi(cd, name, vks, device_size >> SECTOR_SHIFT, flags); +out: + LUKS2_reencrypt_unlock(cd, reencrypt_lock); + crypt_drop_keyring_key(cd, vks); + + return r; } static int _open_and_activate_reencrypt_device(struct crypt_device *cd, @@ -4155,6 +5165,7 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd, struct volume_key *vks = NULL; int r = 0; struct crypt_lock_handle *reencrypt_lock = NULL; + key_serial_t kid1 = 0, kid2 = 0; if (crypt_use_keyring_for_vk(cd)) flags |= CRYPT_ACTIVATE_KEYRING_KEY; @@ -4215,15 +5226,31 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd, log_dbg(cd, "Entering clean reencryption state mode."); + if (cd->link_vk_to_keyring) { + r = crypt_volume_key_load_in_user_keyring(cd, vks, &kid1, &kid2); + if (r < 0) { + log_err(cd, _("Failed to link volume keys in user defined keyring.")); + goto out; + } + } + if (r >= 0) - r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, dynamic_size); + r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, + !(flags & CRYPT_ACTIVATE_SHARED), + dynamic_size); if (r >= 0) r = LUKS2_activate_multi(cd, name, vks, device_size >> SECTOR_SHIFT, flags); out: LUKS2_reencrypt_unlock(cd, reencrypt_lock); - if (r < 0) + if (r < 0) { crypt_drop_keyring_key(cd, vks); + if (cd->link_vk_to_keyring && kid1) + crypt_unlink_key_from_custom_keyring(cd, kid1); + if (cd->link_vk_to_keyring && kid2) + crypt_unlink_key_from_custom_keyring(cd, kid2); + } + crypt_free_volume_key(vks); return r < 0 ? r : keyslot; @@ -4269,6 +5296,43 @@ static int _open_and_activate_luks2(struct crypt_device *cd, return r; } + +static int _activate_luks2_by_volume_key(struct crypt_device *cd, + const char *name, + struct volume_key *vk, + struct volume_key *external_key, + uint32_t flags) +{ + int r; + crypt_reencrypt_info ri; + int digest_new, digest_old; + struct volume_key *vk_old = NULL, *vk_new = NULL; + ri = LUKS2_reencrypt_status(&cd->u.luks2.hdr); + if (ri == CRYPT_REENCRYPT_INVALID) + return -EINVAL; + + if (ri > CRYPT_REENCRYPT_NONE) { + digest_new = LUKS2_reencrypt_digest_new(&cd->u.luks2.hdr); + digest_old = LUKS2_reencrypt_digest_old(&cd->u.luks2.hdr); + + if (digest_new >= 0) { + vk_new = crypt_volume_key_by_id(vk, digest_new); + assert(vk_new); + assert(crypt_volume_key_get_id(vk_new) == digest_new); + } + if (digest_old >= 0) { + vk_old = crypt_volume_key_by_id(vk, digest_old); + assert(vk_old); + assert(crypt_volume_key_get_id(vk_old) == digest_old); + } + r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags); + } else { + assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)); + r = LUKS2_activate(cd, name, vk, external_key, flags); + } + + return r; +} #else static int _open_and_activate_luks2(struct crypt_device *cd, int keyslot, @@ -4290,6 +5354,29 @@ static int _open_and_activate_luks2(struct crypt_device *cd, return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags); } + +static int _activate_luks2_by_volume_key(struct crypt_device *cd, + const char *name, + struct volume_key *vk, + struct volume_key *external_key, + uint32_t flags) +{ + int r; + crypt_reencrypt_info ri; + ri = LUKS2_reencrypt_status(&cd->u.luks2.hdr); + if (ri == CRYPT_REENCRYPT_INVALID) + return -EINVAL; + + if (ri > CRYPT_REENCRYPT_NONE) { + log_err(cd, _("This operation is not supported for this device type.")); + r = -ENOTSUP; + } else { + assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)); + r = LUKS2_activate(cd, name, vk, external_key, flags); + } + + return r; +} #endif static int _activate_by_passphrase(struct crypt_device *cd, @@ -4364,16 +5451,23 @@ out: static int _activate_loopaes(struct crypt_device *cd, const char *name, - char *buffer, + const char *buffer, size_t buffer_size, uint32_t flags) { int r; unsigned int key_count = 0; struct volume_key *vk = NULL; + char *buffer_copy; + + buffer_copy = crypt_safe_alloc(buffer_size); + if (!buffer_copy) + return -ENOMEM; + memcpy(buffer_copy, buffer, buffer_size); r = LOOPAES_parse_keyfile(cd, &vk, cd->u.loopaes.hdr.hash, &key_count, - buffer, buffer_size); + buffer_copy, buffer_size); + crypt_safe_free(buffer_copy); if (!r && name) r = LOOPAES_activate(cd, name, cd->u.loopaes.cipher, key_count, @@ -4408,66 +5502,352 @@ static int _activate_check_status(struct crypt_device *cd, const char *name, uns return r; } -// activation/deactivation of device mapping -int crypt_activate_by_passphrase(struct crypt_device *cd, +static int _verify_key(struct crypt_device *cd, + int segment, + struct volume_key *vk) +{ + int r = -EINVAL; + crypt_reencrypt_info ri; + struct luks2_hdr *hdr = &cd->u.luks2.hdr; + + assert(cd); + + if (isPLAIN(cd->type)) { + if (vk && vk->keylength == cd->u.plain.key_size) { + r = KEY_VERIFIED; + } else + log_err(cd, _("Incorrect volume key specified for plain device.")); + } else if (isLUKS1(cd->type)) { + r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); + if (r == -EPERM) + log_err(cd, _("Volume key does not match the volume.")); + } else if (isLUKS2(cd->type)) { + ri = LUKS2_reencrypt_status(hdr); + if (ri == CRYPT_REENCRYPT_INVALID) + return -EINVAL; + + if (ri > CRYPT_REENCRYPT_NONE) { + LUKS2_reencrypt_lookup_key_ids(cd, hdr, vk); + r = LUKS2_reencrypt_digest_verify(cd, hdr, vk); + if (r == -EPERM || r == -ENOENT || r == -EINVAL) + log_err(cd, _("Reencryption volume keys do not match the volume.")); + return r; + } + + if (segment == CRYPT_ANY_SEGMENT) + r = LUKS2_digest_any_matching(cd, &cd->u.luks2.hdr, vk); + else { + r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, segment, vk); + if (r == -EPERM || r == -ENOENT) + log_err(cd, _("Volume key does not match the volume.")); + } + } else if (isVERITY(cd->type)) + r = KEY_VERIFIED; + else if (isTCRYPT(cd->type)) + r = KEY_VERIFIED; + else if (isINTEGRITY(cd->type)) + r = KEY_VERIFIED; + else if (isBITLK(cd->type)) + r = KEY_VERIFIED; + else + log_err(cd, _("Device type is not properly initialized.")); + + if (r >= KEY_VERIFIED) + crypt_volume_key_set_id(vk, r); + + return r > 0 ? 0 : r; +} + +/* activation/deactivation of device mapping */ +static int _activate_by_volume_key(struct crypt_device *cd, const char *name, - int keyslot, - const char *passphrase, - size_t passphrase_size, + struct volume_key *vk, + struct volume_key *external_key, uint32_t flags) { int r; - if (!cd || !passphrase || (!name && (flags & CRYPT_ACTIVATE_REFRESH))) - return -EINVAL; - - log_dbg(cd, "%s volume %s [keyslot %d] using passphrase.", - name ? "Activating" : "Checking", name ?: "passphrase", - keyslot); + assert(cd); + assert(name); - r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); + r = _check_header_data_overlap(cd, name); if (r < 0) return r; - return _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags); + /* use key directly, no hash */ + if (isPLAIN(cd->type)) { + assert(!external_key); + assert(crypt_volume_key_get_id(vk) == KEY_VERIFIED); + + r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags); + } else if (isLUKS1(cd->type)) { + assert(!external_key); + assert(crypt_volume_key_get_id(vk) == KEY_VERIFIED); + + r = LUKS1_activate(cd, name, vk, flags); + } else if (isLUKS2(cd->type)) { + r = _activate_luks2_by_volume_key(cd, name, vk, external_key, flags); + } else if (isVERITY(cd->type)) { + assert(crypt_volume_key_get_id(vk) == KEY_VERIFIED); + r = VERITY_activate(cd, name, vk, external_key, cd->u.verity.fec_device, + &cd->u.verity.hdr, flags); + } else if (isTCRYPT(cd->type)) { + assert(!external_key); + r = TCRYPT_activate(cd, name, &cd->u.tcrypt.hdr, + &cd->u.tcrypt.params, flags); + } else if (isINTEGRITY(cd->type)) { + assert(!external_key); + assert(!vk || crypt_volume_key_get_id(vk) == KEY_VERIFIED); + r = INTEGRITY_activate(cd, name, &cd->u.integrity.params, vk, + cd->u.integrity.journal_crypt_key, + cd->u.integrity.journal_mac_key, flags, + cd->u.integrity.sb_flags); + } else if (isBITLK(cd->type)) { + assert(!external_key); + r = BITLK_activate_by_volume_key(cd, name, vk->key, vk->keylength, + &cd->u.bitlk.params, flags); + } else { + log_err(cd, _("Device type is not properly initialized.")); + r = -EINVAL; + } + + return r; } -int crypt_activate_by_keyfile_device_offset(struct crypt_device *cd, - const char *name, +int crypt_activate_by_keyslot_context(struct crypt_device *cd, +const char *name, int keyslot, - const char *keyfile, - size_t keyfile_size, - uint64_t keyfile_offset, + struct crypt_keyslot_context *kc, + int additional_keyslot, + struct crypt_keyslot_context *additional_kc, uint32_t flags) { - char *passphrase_read = NULL; - size_t passphrase_size_read; - int r; + bool use_keyring; + struct volume_key *p_ext_key, *crypt_key = NULL, *opal_key = NULL, *vk = NULL, + *vk_sign = NULL, *p_crypt = NULL; + size_t passphrase_size; + const char *passphrase = NULL; + int unlocked_keyslot, required_keys, unlocked_keys = 0, r = -EINVAL; + key_serial_t kid1 = 0, kid2 = 0; + struct luks2_hdr *hdr = &cd->u.luks2.hdr; - if (!cd || !keyfile || - ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd))) + if (!cd || !kc) return -EINVAL; - log_dbg(cd, "%s volume %s [keyslot %d] using keyfile %s.", - name ? "Activating" : "Checking", name ?: "passphrase", keyslot, keyfile); - + log_dbg(cd, "%s volume %s [keyslot %d] using %s.", + name ? "Activating" : "Checking", name ?: "passphrase", keyslot, keyslot_context_type_string(kc)); + if (!name && (flags & CRYPT_ACTIVATE_REFRESH)) + return -EINVAL; + if ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd)) + return -EINVAL; + if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name) + return -EINVAL; + if ((kc->type == CRYPT_KC_TYPE_KEYRING) && !kernel_keyring_support()) { + log_err(cd, _("Kernel keyring is not supported by the kernel.")); + return -EINVAL; + } + if ((kc->type == CRYPT_KC_TYPE_SIGNED_KEY) && !kernel_keyring_support()) { + log_err(cd, _("Kernel keyring missing: required for passing signature to kernel.")); + return -EINVAL; + } + r = _check_header_data_overlap(cd, name); + if (r < 0) + return r; r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); if (r < 0) return r; - r = crypt_keyfile_device_read(cd, keyfile, - &passphrase_read, &passphrase_size_read, - keyfile_offset, keyfile_size, 0); + /* for TCRYPT and token skip passphrase activation */ + if (kc->get_passphrase && kc->type != CRYPT_KC_TYPE_TOKEN && !isTCRYPT(cd->type)) { + r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size); + if (r < 0) + return r; + /* TODO: Only loopaes should by activated by passphrase method */ + if (passphrase) { + if (isLOOPAES(cd->type)) + return _activate_loopaes(cd, name, passphrase, passphrase_size, flags); + else + return _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags); + } + } + /* only passphrase unlock is supported with loopaes */ + if (isLOOPAES(cd->type)) + return -EINVAL; + + /* activate by volume key */ + r = -EINVAL; + if (isLUKS1(cd->type)) { + if (kc->get_luks1_volume_key) + r = kc->get_luks1_volume_key(cd, kc, keyslot, &vk); + } else if (isLUKS2(cd->type)) { + required_keys = LUKS2_reencrypt_vks_count(hdr); + + if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY && kc->get_luks2_key) + r = kc->get_luks2_key(cd, kc, keyslot, CRYPT_ANY_SEGMENT, &vk); + else if (kc->get_luks2_volume_key) + r = kc->get_luks2_volume_key(cd, kc, keyslot, &vk); + if (r >= 0) { + unlocked_keys++; + + if (required_keys > 1 && vk && additional_kc) { + if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY && additional_kc->get_luks2_key) + r = additional_kc->get_luks2_key(cd, additional_kc, additional_keyslot, CRYPT_ANY_SEGMENT, &vk->next); + else if (additional_kc->get_luks2_volume_key) + r = additional_kc->get_luks2_volume_key(cd, additional_kc, additional_keyslot, &vk->next); + if (r >= 0) + unlocked_keys++; + } + + if (unlocked_keys < required_keys) + r = -ESRCH; + } + } else if (isTCRYPT(cd->type)) { + r = 0; + } else if (name && isPLAIN(cd->type)) { + if (kc->get_plain_volume_key) + r = kc->get_plain_volume_key(cd, kc, &vk); + } else if (name && isBITLK(cd->type)) { + if (kc->get_bitlk_volume_key) + r = kc->get_bitlk_volume_key(cd, kc, &vk); + } else if (isFVAULT2(cd->type)) { + if (kc->get_fvault2_volume_key) + r = kc->get_fvault2_volume_key(cd, kc, &vk); + } else if (isVERITY(cd->type) && (name || kc->type != CRYPT_KC_TYPE_SIGNED_KEY)) { + if (kc->get_verity_volume_key) + r = kc->get_verity_volume_key(cd, kc, &vk, &vk_sign); + if (r >= 0) + r = VERITY_verify_params(cd, &cd->u.verity.hdr, vk_sign != NULL, + cd->u.verity.fec_device, vk); + + free(CONST_CAST(void*)cd->u.verity.root_hash); + cd->u.verity.root_hash = NULL; + flags |= CRYPT_ACTIVATE_READONLY; + } else if (isINTEGRITY(cd->type)) { + if (kc->get_integrity_volume_key) + r = kc->get_integrity_volume_key(cd, kc, &vk); + } + if (r < 0 && (r != -ENOENT || kc->type == CRYPT_KC_TYPE_TOKEN)) + goto out; + unlocked_keyslot = r; + + if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) { + vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); + r = vk ? 0 : -ENOMEM; + } + if (r == -ENOENT && isINTEGRITY(cd->type)) + r = 0; + if (r < 0) goto out; - if (isLOOPAES(cd->type)) - r = _activate_loopaes(cd, name, passphrase_read, passphrase_size_read, flags); - else - r = _activate_by_passphrase(cd, name, keyslot, passphrase_read, passphrase_size_read, flags); + r = _verify_key(cd, + flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY ? CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT, + vk); + if (r < 0) + goto out; + + if (isLUKS2(cd->type)) { + /* split the key only if we do activation */ + if (name && LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) { + r = LUKS2_split_crypt_and_opal_keys(cd, &cd->u.luks2.hdr, + vk, &crypt_key, + &opal_key); + if (r < 0) + goto out; + + /* copy volume key digest id in crypt subkey */ + crypt_volume_key_set_id(crypt_key, crypt_volume_key_get_id(vk)); + + p_crypt = crypt_key; + p_ext_key = opal_key ?: vk; + } else { + p_crypt = vk; + p_ext_key = NULL; + } + + if (!crypt_use_keyring_for_vk(cd)) + use_keyring = false; + else + use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || + (flags & CRYPT_ACTIVATE_KEYRING_KEY); + + if (use_keyring) { + /* upload dm-crypt part of volume key in thread keyring if requested */ + if (p_crypt) { + r = LUKS2_volume_key_load_in_keyring_by_digest(cd, p_crypt, crypt_volume_key_get_id(p_crypt)); + if (r < 0) + goto out; + flags |= CRYPT_ACTIVATE_KEYRING_KEY; + } + + /* upload the volume key in custom user keyring if requested */ + if (cd->link_vk_to_keyring) { + r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2); + if (r < 0) { + log_err(cd, _("Failed to link volume key in user defined keyring.")); + goto out; + } + } + } + } else { + p_crypt = vk; + p_ext_key = vk_sign; + } + + if (name) + r = _activate_by_volume_key(cd, name, p_crypt, p_ext_key, flags); + if (r >= 0 && unlocked_keyslot >= 0) + r = unlocked_keyslot; out: - crypt_safe_free(passphrase_read); + if (r < 0) { + crypt_drop_keyring_key(cd, vk); + crypt_drop_keyring_key(cd, p_crypt); + if (cd->link_vk_to_keyring && kid1) + crypt_unlink_key_from_custom_keyring(cd, kid1); + if (cd->link_vk_to_keyring && kid2) + crypt_unlink_key_from_custom_keyring(cd, kid2); + } + + crypt_free_volume_key(vk); + crypt_free_volume_key(crypt_key); + crypt_free_volume_key(opal_key); + crypt_free_volume_key(vk_sign); + return r; +} + +int crypt_activate_by_passphrase(struct crypt_device *cd, + const char *name, + int keyslot, + const char *passphrase, + size_t passphrase_size, + uint32_t flags) +{ + int r; + struct crypt_keyslot_context kc; + + crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); + + return r; +} + +int crypt_activate_by_keyfile_device_offset(struct crypt_device *cd, + const char *name, + int keyslot, + const char *keyfile, + size_t keyfile_size, + uint64_t keyfile_offset, + uint32_t flags) +{ + int r; + struct crypt_keyslot_context kc; + + crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); + return r; } @@ -4493,135 +5873,19 @@ int crypt_activate_by_keyfile_offset(struct crypt_device *cd, return crypt_activate_by_keyfile_device_offset(cd, name, keyslot, keyfile, keyfile_size, keyfile_offset, flags); } + int crypt_activate_by_volume_key(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags) { - bool use_keyring; - struct volume_key *vk = NULL; int r; + struct crypt_keyslot_context kc; - if (!cd || - ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd))) - return -EINVAL; - - log_dbg(cd, "%s volume %s by volume key.", name ? "Activating" : "Checking", - name ?: ""); - - r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); - if (r < 0) - return r; - - r = _check_header_data_overlap(cd, name); - if (r < 0) - return r; - - /* use key directly, no hash */ - if (isPLAIN(cd->type)) { - if (!name) - return -EINVAL; - - if (!volume_key || !volume_key_size || volume_key_size != cd->u.plain.key_size) { - log_err(cd, _("Incorrect volume key specified for plain device.")); - return -EINVAL; - } - - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - if (!vk) - return -ENOMEM; - - r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags); - } else if (isLUKS1(cd->type)) { - /* If key is not provided, try to use internal key */ - if (!volume_key) { - if (!cd->volume_key) { - log_err(cd, _("Volume key does not match the volume.")); - return -EINVAL; - } - volume_key_size = cd->volume_key->keylength; - volume_key = cd->volume_key->key; - } - - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - if (!vk) - return -ENOMEM; - r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); - - if (r == -EPERM) - log_err(cd, _("Volume key does not match the volume.")); - - if (!r && name) - r = LUKS1_activate(cd, name, vk, flags); - } else if (isLUKS2(cd->type)) { - /* If key is not provided, try to use internal key */ - if (!volume_key) { - if (!cd->volume_key) { - log_err(cd, _("Volume key does not match the volume.")); - return -EINVAL; - } - volume_key_size = cd->volume_key->keylength; - volume_key = cd->volume_key->key; - } - - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - if (!vk) - return -ENOMEM; - - r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk); - if (r == -EPERM || r == -ENOENT) - log_err(cd, _("Volume key does not match the volume.")); - if (r > 0) - r = 0; - - if (!crypt_use_keyring_for_vk(cd)) - use_keyring = false; - else - use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || - (flags & CRYPT_ACTIVATE_KEYRING_KEY); - - if (!r && use_keyring) { - r = LUKS2_key_description_by_segment(cd, - &cd->u.luks2.hdr, vk, CRYPT_DEFAULT_SEGMENT); - if (!r) - r = crypt_volume_key_load_in_keyring(cd, vk); - if (!r) - flags |= CRYPT_ACTIVATE_KEYRING_KEY; - } - - if (!r && name) - r = LUKS2_activate(cd, name, vk, flags); - } else if (isVERITY(cd->type)) { - r = crypt_activate_by_signed_key(cd, name, volume_key, volume_key_size, NULL, 0, flags); - } else if (isTCRYPT(cd->type)) { - if (!name) - return 0; - r = TCRYPT_activate(cd, name, &cd->u.tcrypt.hdr, - &cd->u.tcrypt.params, flags); - } else if (isINTEGRITY(cd->type)) { - if (!name) - return 0; - if (volume_key) { - vk = crypt_alloc_volume_key(volume_key_size, volume_key); - if (!vk) - return -ENOMEM; - } - r = INTEGRITY_activate(cd, name, &cd->u.integrity.params, vk, - cd->u.integrity.journal_crypt_key, - cd->u.integrity.journal_mac_key, flags, - cd->u.integrity.sb_flags); - } else if (isBITLK(cd->type)) { - r = BITLK_activate_by_volume_key(cd, name, volume_key, volume_key_size, - &cd->u.bitlk.params, flags); - } else { - log_err(cd, _("Device type is not properly initialized.")); - r = -EINVAL; - } - - if (r < 0) - crypt_drop_keyring_key(cd, vk); - crypt_free_volume_key(vk); + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); return r; } @@ -4634,8 +5898,8 @@ int crypt_activate_by_signed_key(struct crypt_device *cd, size_t signature_size, uint32_t flags) { - char description[512]; int r; + struct crypt_keyslot_context kc; if (!cd || !isVERITY(cd->type)) return -EINVAL; @@ -4645,57 +5909,13 @@ int crypt_activate_by_signed_key(struct crypt_device *cd, return -EINVAL; } - if (name) - log_dbg(cd, "Activating volume %s by %skey.", name, signature ? "signed " : ""); - else - log_dbg(cd, "Checking volume by key."); - - if (cd->u.verity.hdr.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE && !signature) { - log_err(cd, _("Root hash signature required.")); - return -EINVAL; - } - - r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); - if (r < 0) - return r; - - if (signature && !kernel_keyring_support()) { - log_err(cd, _("Kernel keyring missing: required for passing signature to kernel.")); - return -EINVAL; - } - - /* volume_key == root hash */ - free(CONST_CAST(void*)cd->u.verity.root_hash); - cd->u.verity.root_hash = NULL; - - if (signature) { - r = snprintf(description, sizeof(description)-1, "cryptsetup:%s%s%s", - crypt_get_uuid(cd) ?: "", crypt_get_uuid(cd) ? "-" : "", name); - if (r < 0) - return -EINVAL; - - log_dbg(cd, "Adding signature into keyring %s", description); - r = keyring_add_key_in_thread_keyring(USER_KEY, description, signature, signature_size); - if (r) { - log_err(cd, _("Failed to load key in kernel keyring.")); - return r; - } - } - - r = VERITY_activate(cd, name, volume_key, volume_key_size, - signature ? description : NULL, - cd->u.verity.fec_device, - &cd->u.verity.hdr, flags | CRYPT_ACTIVATE_READONLY); - - if (!r) { - cd->u.verity.root_hash_size = volume_key_size; - cd->u.verity.root_hash = malloc(volume_key_size); - if (cd->u.verity.root_hash) - memcpy(CONST_CAST(void*)cd->u.verity.root_hash, volume_key, volume_key_size); - } - if (signature) - crypt_drop_keyring_key_by_description(cd, description, USER_KEY); + crypt_keyslot_unlock_by_signed_key_init_internal(&kc, volume_key, volume_key_size, + signature, signature_size); + else + crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); + r = crypt_activate_by_keyslot_context(cd, name, -2 /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); return r; } @@ -4723,6 +5943,17 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t cd = fake_cd; } + if (flags & (CRYPT_DEACTIVATE_DEFERRED | CRYPT_DEACTIVATE_DEFERRED_CANCEL)) { + struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (hdr) { + json_object *jobj = json_segments_get_segment(LUKS2_get_segments_jobj(hdr), 0); + if (jobj && !strcmp(json_segment_type(jobj), "hw-opal")) { + log_err(cd, _("OPAL does not support deferred deactivation.")); + return -EINVAL; + } + } + } + /* skip holders detection and early abort when some flags raised */ if (flags & (CRYPT_DEACTIVATE_FORCE | CRYPT_DEACTIVATE_DEFERRED | CRYPT_DEACTIVATE_DEFERRED_CANCEL)) get_flags &= ~DM_ACTIVE_HOLDERS; @@ -4986,7 +6217,7 @@ int crypt_volume_key_verify(struct crypt_device *cd, struct volume_key *vk; int r; - if ((r = _onlyLUKS(cd, CRYPT_CD_UNRESTRICTED))) + if ((r = onlyLUKSunrestricted(cd))) return r; vk = crypt_alloc_volume_key(volume_key_size, volume_key); @@ -5031,6 +6262,9 @@ int crypt_get_rng_type(struct crypt_device *cd) int crypt_memory_lock(struct crypt_device *cd, int lock) { + UNUSED(cd); + UNUSED(lock); + return 0; } @@ -5264,6 +6498,9 @@ const char *crypt_get_integrity(struct crypt_device *cd) if (isLUKS2(cd->type)) return LUKS2_get_integrity(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); + if (!cd->type && *cd->u.none.integrity_spec) + return cd->u.none.integrity_spec; + return NULL; } @@ -5272,10 +6509,7 @@ int crypt_get_integrity_key_size(struct crypt_device *cd) { int key_size = 0; - if (isINTEGRITY(cd->type)) - key_size = INTEGRITY_key_size(crypt_get_integrity(cd)); - - if (isLUKS2(cd->type)) + if (isINTEGRITY(cd->type) || isLUKS2(cd->type) || !cd->type) key_size = INTEGRITY_key_size(crypt_get_integrity(cd)); return key_size > 0 ? key_size : 0; @@ -5287,7 +6521,7 @@ int crypt_get_integrity_tag_size(struct crypt_device *cd) if (isINTEGRITY(cd->type)) return cd->u.integrity.params.tag_size; - if (isLUKS2(cd->type)) + if (isLUKS2(cd->type) || !cd->type) return INTEGRITY_tag_size(crypt_get_integrity(cd), crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); @@ -5308,6 +6542,9 @@ int crypt_get_sector_size(struct crypt_device *cd) if (isLUKS2(cd->type)) return LUKS2_get_sector_size(&cd->u.luks2.hdr); + if (!cd->type && cd->u.none.sector_size) + return cd->u.none.sector_size; + return SECTOR_SIZE; } @@ -5403,6 +6640,14 @@ int crypt_get_volume_key_size(struct crypt_device *cd) return 0; } +int crypt_get_hw_encryption_key_size(struct crypt_device *cd) +{ + if (!cd || !isLUKS2(cd->type)) + return 0; + + return LUKS2_get_opal_key_size(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); +} + int crypt_keyslot_get_key_size(struct crypt_device *cd, int keyslot) { if (!cd || !isLUKS(cd->type)) @@ -5466,6 +6711,12 @@ const char *crypt_keyslot_get_encryption(struct crypt_device *cd, int keyslot, s return cd->u.luks2.keyslot_cipher; } + if (LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) { + /* Fallback to default LUKS2 keyslot encryption */ + *key_size = DEFAULT_LUKS2_KEYSLOT_KEYBITS / 8; + return DEFAULT_LUKS2_KEYSLOT_CIPHER; + } + /* Try to reuse volume encryption parameters */ cipher = LUKS2_get_cipher(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); if (!LUKS2_keyslot_cipher_incompatible(cd, cipher)) { @@ -5606,7 +6857,7 @@ uint64_t crypt_get_iv_offset(struct crypt_device *cd) crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot) { - if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED) < 0) + if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0) < 0) return CRYPT_SLOT_INVALID; if (isLUKS1(cd->type)) @@ -5633,7 +6884,7 @@ int crypt_keyslot_area(struct crypt_device *cd, uint64_t *offset, uint64_t *length) { - if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED) || !offset || !length) + if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0) || !offset || !length) return -EINVAL; if (isLUKS2(cd->type)) @@ -5644,7 +6895,7 @@ int crypt_keyslot_area(struct crypt_device *cd, crypt_keyslot_priority crypt_keyslot_get_priority(struct crypt_device *cd, int keyslot) { - if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED)) + if (_onlyLUKS(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0)) return CRYPT_SLOT_PRIORITY_INVALID; if (keyslot < 0 || keyslot >= crypt_keyslot_max(cd->type)) @@ -5684,6 +6935,21 @@ const char *crypt_get_default_type(void) return DEFAULT_LUKS_FORMAT; } +int crypt_get_hw_encryption_type(struct crypt_device *cd) +{ + if (!cd) + return -EINVAL; + + if (isLUKS2(cd->type)) { + if (LUKS2_segment_is_hw_opal_crypt(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) + return CRYPT_SW_AND_OPAL_HW; + else if (LUKS2_segment_is_hw_opal_only(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) + return CRYPT_OPAL_HW_ONLY; + } + + return CRYPT_SW_ONLY; +} + int crypt_get_verity_info(struct crypt_device *cd, struct crypt_params_verity *vp) { @@ -5753,6 +7019,11 @@ int crypt_get_integrity_info(struct crypt_device *cd, ip->journal_crypt_key_size = 0; ip->journal_crypt_key = NULL; return 0; + } else if (!cd->type) { + memset(ip, 0, sizeof(*ip)); + ip->integrity = crypt_get_integrity(cd); + ip->integrity_key_size = crypt_get_integrity_key_size(cd); + ip->tag_size = crypt_get_integrity_tag_size(cd); } return -ENOTSUP; @@ -5771,7 +7042,7 @@ int crypt_convert(struct crypt_device *cd, log_dbg(cd, "Converting LUKS device to type %s", type); - if ((r = onlyLUKS(cd))) + if ((r = onlyLUKSnoRequirements(cd))) return r; if (isLUKS1(cd->type) && isLUKS2(type)) @@ -5797,6 +7068,10 @@ int crypt_convert(struct crypt_device *cd, /* Internal access function to header pointer */ void *crypt_get_hdr(struct crypt_device *cd, const char *type) { + /* One type can be OPAL */ + if (isLUKS2(type) && isLUKS2(cd->type)) + return &cd->u.luks2.hdr; + /* If requested type differs, ignore it */ if (strcmp(cd->type, type)) return NULL; @@ -5807,9 +7082,6 @@ void *crypt_get_hdr(struct crypt_device *cd, const char *type) if (isLUKS1(cd->type)) return &cd->u.luks1.hdr; - if (isLUKS2(cd->type)) - return &cd->u.luks2.hdr; - if (isLOOPAES(cd->type)) return &cd->u.loopaes; @@ -5842,26 +7114,13 @@ int crypt_activate_by_token_pin(struct crypt_device *cd, const char *name, void *usrptr, uint32_t flags) { int r; + struct crypt_keyslot_context kc; - log_dbg(cd, "%s volume %s using token (%s type) %d.", - name ? "Activating" : "Checking", name ?: "passphrase", - type ?: "any", token); - - if ((r = _onlyLUKS2(cd, CRYPT_CD_QUIET | CRYPT_CD_UNRESTRICTED, 0))) - return r; - - if ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd)) - return -EINVAL; - - if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name) - return -EINVAL; - - r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); - if (r < 0) - return r; + crypt_keyslot_unlock_by_token_init_internal(&kc, token, type, pin, pin_size, usrptr); + r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); - return LUKS2_token_open_and_activate(cd, &cd->u.luks2.hdr, token, name, type, - pin, pin_size, flags, usrptr); + return r; } int crypt_activate_by_token(struct crypt_device *cd, @@ -5879,7 +7138,7 @@ int crypt_token_json_get(struct crypt_device *cd, int token, const char **json) log_dbg(cd, "Requesting JSON for token %d.", token); - if ((r = _onlyLUKS2(cd, CRYPT_CD_UNRESTRICTED, 0))) + if ((r = onlyLUKS2unrestricted(cd))) return r; return LUKS2_token_json_get(&cd->u.luks2.hdr, token, json) ?: token; @@ -5926,7 +7185,7 @@ int crypt_token_luks2_keyring_get(struct crypt_device *cd, log_dbg(cd, "Requesting LUKS2 keyring token %d.", token); - if ((r = _onlyLUKS2(cd, CRYPT_CD_UNRESTRICTED, 0))) + if ((r = onlyLUKS2unrestricted(cd))) return r; token_info = LUKS2_token_status(cd, &cd->u.luks2.hdr, token, &type); @@ -6041,7 +7300,7 @@ int crypt_persistent_flags_get(struct crypt_device *cd, crypt_flags_type type, u if (!flags) return -EINVAL; - if ((r = _onlyLUKS2(cd, CRYPT_CD_UNRESTRICTED, 0))) + if ((r = onlyLUKS2unrestricted(cd))) return r; if (type == CRYPT_FLAGS_ACTIVATION) @@ -6404,10 +7663,9 @@ int crypt_volume_key_keyring(struct crypt_device *cd __attribute__((unused)), in /* internal only */ int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk) { - int r; - const char *type_name = key_type_name(LOGON_KEY); + key_serial_t kid; - if (!vk || !cd || !type_name) + if (!vk || !cd) return -EINVAL; if (!vk->key_description) { @@ -6415,15 +7673,83 @@ int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key return -EINVAL; } - log_dbg(cd, "Loading key (%zu bytes, type %s) in thread keyring.", vk->keylength, type_name); + log_dbg(cd, "Loading key (type logon, name %s) in thread keyring.", vk->key_description); - r = keyring_add_key_in_thread_keyring(LOGON_KEY, vk->key_description, vk->key, vk->keylength); - if (r) { - log_dbg(cd, "keyring_add_key_in_thread_keyring failed (error %d)", r); + kid = keyring_add_key_in_thread_keyring(LOGON_KEY, vk->key_description, vk->key, vk->keylength); + if (kid < 0) { + log_dbg(cd, "keyring_add_key_in_thread_keyring failed (error %d)", errno); log_err(cd, _("Failed to load key in kernel keyring.")); } else crypt_set_key_in_keyring(cd, 1); + return kid < 0 ? -EINVAL : 0; +} + +/* internal only */ +int crypt_keyring_get_user_key(struct crypt_device *cd, + const char *key_description, + char **key, + size_t *key_size) +{ + int r; + key_serial_t kid; + + if (!key_description || !key || !key_size) + return -EINVAL; + + log_dbg(cd, "Requesting key %s (user type)", key_description); + + kid = keyring_request_key_id(USER_KEY, key_description); + if (kid == -ENOTSUP) { + log_dbg(cd, "Kernel keyring features disabled."); + return -ENOTSUP; + } else if (kid < 0) { + log_dbg(cd, "keyring_request_key_id failed with errno %d.", errno); + return -EINVAL; + } + + log_dbg(cd, "Reading content of kernel key (id %" PRIi32 ").", kid); + + r = keyring_read_key(kid, key, key_size); + if (r < 0) + log_dbg(cd, "keyring_read_key failed with errno %d.", errno); + + return r; +} + +/* internal only */ +int crypt_keyring_get_key_by_name(struct crypt_device *cd, + const char *key_description, + char **key, + size_t *key_size) +{ + int r; + key_serial_t kid; + + if (!key_description || !key || !key_size) + return -EINVAL; + + log_dbg(cd, "Searching for key by name %s.", key_description); + + kid = keyring_find_key_id_by_name(key_description); + if (kid == -ENOTSUP) { + log_dbg(cd, "Kernel keyring features disabled."); + return -ENOTSUP; + } else if (kid < 0) { + log_dbg(cd, "keyring_find_key_id_by_name failed with errno %d.", errno); + return -EINVAL; + } + else if (kid == 0) { + log_dbg(cd, "keyring_find_key_id_by_name failed with errno %d.", ENOENT); + return -ENOENT; + } + + log_dbg(cd, "Reading content of kernel key (id %" PRIi32 ").", kid); + + r = keyring_read_key(kid, key, key_size); + if (r < 0) + log_dbg(cd, "keyring_read_key failed with errno %d.", errno); + return r; } @@ -6445,18 +7771,96 @@ void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring) /* internal only */ void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype) { - int r; + key_serial_t kid; const char *type_name = key_type_name(ktype); if (!key_description || !type_name) return; - log_dbg(cd, "Requesting keyring %s key for revoke and unlink.", type_name); + log_dbg(cd, "Requesting kernel key %s (type %s) for unlink from thread keyring.", key_description, type_name); - r = keyring_revoke_and_unlink_key(ktype, key_description); - if (r) - log_dbg(cd, "keyring_revoke_and_unlink_key failed (error %d)", r); crypt_set_key_in_keyring(cd, 0); + + kid = keyring_request_key_id(ktype, key_description); + if (kid == -ENOTSUP) { + log_dbg(cd, "Kernel keyring features disabled."); + return; + } else if (kid < 0) { + log_dbg(cd, "keyring_request_key_id failed with errno %d.", errno); + return; + } + + log_dbg(cd, "Unlinking volume key (id: %" PRIi32 ") from thread keyring.", kid); + + if (!keyring_unlink_key_from_thread_keyring(kid)) + return; + + log_dbg(cd, "keyring_unlink_key_from_thread_keyring failed with errno %d.", errno); + log_err(cd, _("Failed to unlink volume key from thread keyring.")); + +} + +int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description, + const char *old_key_description, + const char *key_type_desc, const char *keyring_to_link_vk) +{ + key_type_t key_type = USER_KEY; + const char *name1 = NULL, *name2 = NULL; + int32_t id = 0; + int r, ri; + struct luks2_hdr *hdr; + unsigned user_descriptions_count, vks_count = 1; + + if (!cd || ((!key_description && !old_key_description) && (keyring_to_link_vk || key_type_desc)) || + ((key_description || old_key_description) && !keyring_to_link_vk)) + return -EINVAL; + + hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + + /* if only one key description is supplied, force it to be the first one */ + if (!key_description && old_key_description) + return -EINVAL; + + if ((r = _onlyLUKS2(cd, 0, CRYPT_REQUIREMENT_OPAL | CRYPT_REQUIREMENT_ONLINE_REENCRYPT))) + return r; + + if (key_type_desc) + key_type = key_type_by_name(key_type_desc); + if (key_type != LOGON_KEY && key_type != USER_KEY) + return -EINVAL; + + ri = crypt_reencrypt_status(cd, NULL); + if (ri > CRYPT_REENCRYPT_NONE && ri < CRYPT_REENCRYPT_INVALID) + vks_count = LUKS2_reencrypt_vks_count(hdr); + + user_descriptions_count = (key_description ? 1 : 0) + (old_key_description ? 1 : 0); + if (user_descriptions_count != 0 && vks_count > user_descriptions_count) + return -ESRCH; + + if (keyring_to_link_vk) { + id = keyring_find_keyring_id_by_name(keyring_to_link_vk); + if (id == 0) { + log_err(cd, _("Could not find keyring described by \"%s\"."), keyring_to_link_vk); + return -EINVAL; + } + if (key_description && !(name1 = strdup(key_description))) + return -ENOMEM; + if (old_key_description && !(name2 = strdup(old_key_description))) { + free(CONST_CAST(void*)name1); + return -ENOMEM; + } + } + + cd->keyring_key_type = key_type; + + free(CONST_CAST(void*)cd->user_key_name1); + free(CONST_CAST(void*)cd->user_key_name2); + cd->user_key_name1 = name1; + cd->user_key_name2 = name2; + cd->keyring_to_link_vk = id; + cd->link_vk_to_keyring = id != 0; + + return 0; } /* internal only */ @@ -6476,34 +7880,15 @@ int crypt_activate_by_keyring(struct crypt_device *cd, int keyslot, uint32_t flags) { - char *passphrase; - size_t passphrase_size; int r; + struct crypt_keyslot_context kc; if (!cd || !key_description) return -EINVAL; - log_dbg(cd, "%s volume %s [keyslot %d] using passphrase in keyring.", - name ? "Activating" : "Checking", name ?: "passphrase", keyslot); - - if (!kernel_keyring_support()) { - log_err(cd, _("Kernel keyring is not supported by the kernel.")); - return -EINVAL; - } - - r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH); - if (r < 0) - return r; - - r = keyring_get_passphrase(key_description, &passphrase, &passphrase_size); - if (r < 0) { - log_err(cd, _("Failed to read passphrase from keyring (error %d)."), r); - return -EINVAL; - } - - r = _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags); - - crypt_safe_free(passphrase); + crypt_keyslot_unlock_by_keyring_internal(&kc, key_description); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); + crypt_keyslot_context_destroy_internal(&kc); return r; } diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c index 60e4966..9ae7aaa 100644 --- a/lib/tcrypt/tcrypt.c +++ b/lib/tcrypt/tcrypt.c @@ -1,8 +1,8 @@ /* * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -47,6 +47,8 @@ static const struct { { 0, 1, "pbkdf2", "whirlpool", 500000, 15000, 1000 }, { 0, 1, "pbkdf2", "sha256", 500000, 15000, 1000 }, // VeraCrypt 1.0f { 0, 1, "pbkdf2", "sha256", 200000, 0, 2048 }, // boot only + { 0, 1, "pbkdf2", "blake2s-256", 500000, 15000, 1000 }, // VeraCrypt 1.26.2 + { 0, 1, "pbkdf2", "blake2s-256", 200000, 0, 2048 }, // boot only { 0, 1, "pbkdf2", "ripemd160", 655331, 15000, 1000 }, { 0, 1, "pbkdf2", "ripemd160", 327661, 0, 2048 }, // boot only { 0, 1, "pbkdf2", "stribog512",500000, 15000, 1000 }, @@ -572,7 +574,7 @@ static int TCRYPT_init_hdr(struct crypt_device *cd, pwd[i] += params->passphrase[i]; for (i = 0; tcrypt_kdf[i].name; i++) { - if (params->hash_name && strcmp(params->hash_name, tcrypt_kdf[i].hash)) + if (params->hash_name && !strstr(tcrypt_kdf[i].hash, params->hash_name)) continue; if (!(params->flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_kdf[i].legacy) continue; diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h index b95d74d..1e8765a 100644 --- a/lib/tcrypt/tcrypt.h +++ b/lib/tcrypt/tcrypt.h @@ -1,8 +1,8 @@ /* * TCRYPT (TrueCrypt-compatible) header definition * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils.c b/lib/utils.c index bfcf60d..cf86816 100644 --- a/lib/utils.c +++ b/lib/utils.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -45,20 +45,77 @@ unsigned crypt_cpusonline(void) uint64_t crypt_getphysmemory_kb(void) { long pagesize, phys_pages; - uint64_t phys_memory_kb; + uint64_t phys_memory_kb, page_size_kb; pagesize = sysconf(_SC_PAGESIZE); phys_pages = sysconf(_SC_PHYS_PAGES); - if (pagesize < 0 || phys_pages < 0) + if (pagesize <= 0 || phys_pages <= 0) return 0; - phys_memory_kb = pagesize / 1024; - phys_memory_kb *= phys_pages; + page_size_kb = pagesize / 1024; + phys_memory_kb = page_size_kb * phys_pages; + /* sanity check for overflow */ + if (phys_memory_kb / phys_pages != page_size_kb) + return 0; + + /* coverity[return_overflow:FALSE] */ return phys_memory_kb; } +uint64_t crypt_getphysmemoryfree_kb(void) +{ + long pagesize, phys_pages; + uint64_t phys_memoryfree_kb, page_size_kb; + + pagesize = sysconf(_SC_PAGESIZE); + phys_pages = sysconf(_SC_AVPHYS_PAGES); + + if (pagesize <= 0 || phys_pages <= 0) + return 0; + + page_size_kb = pagesize / 1024; + phys_memoryfree_kb = page_size_kb * phys_pages; + + /* sanity check for overflow */ + if (phys_memoryfree_kb / phys_pages != page_size_kb) + return 0; + + /* coverity[return_overflow:FALSE] */ + return phys_memoryfree_kb; +} + +bool crypt_swapavailable(void) +{ + int fd; + ssize_t size; + char buf[4096], *p; + uint64_t total; + + if ((fd = open("/proc/meminfo", O_RDONLY)) < 0) + return true; + + size = read(fd, buf, sizeof(buf)); + close(fd); + if (size < 1) + return true; + + if (size < (ssize_t)sizeof(buf)) + buf[size] = 0; + else + buf[sizeof(buf) - 1] = 0; + + p = strstr(buf, "SwapTotal:"); + if (!p) + return true; + + if (sscanf(p, "SwapTotal: %" PRIu64 " kB", &total) != 1) + return true; + + return total > 0; +} + void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise) { int _priority, new_priority; diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c index 728e4df..6f2077c 100644 --- a/lib/utils_benchmark.c +++ b/lib/utils_benchmark.c @@ -1,8 +1,8 @@ /* * libcryptsetup - cryptsetup library, cipher benchmark * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -101,6 +101,7 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, { int r, priority; const char *kdf_opt; + uint32_t memory_kb; if (!pbkdf || (!password && password_size)) return -EINVAL; @@ -113,6 +114,14 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, log_dbg(cd, "Running %s(%s) benchmark.", pbkdf->type, kdf_opt); + memory_kb = pbkdf_adjusted_phys_memory_kb(); + if (memory_kb < pbkdf->max_memory_kb) { + log_dbg(cd, "Not enough physical memory detected, " + "PBKDF max memory decreased from %dkB to %dkB.", + pbkdf->max_memory_kb, memory_kb); + pbkdf->max_memory_kb = memory_kb; + } + crypt_process_priority(cd, &priority, true); r = crypt_pbkdf_perf(pbkdf->type, pbkdf->hash, password, password_size, salt, salt_size, volume_key_size, pbkdf->time_ms, diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c index 5a848a1..230dcab 100644 --- a/lib/utils_blkid.c +++ b/lib/utils_blkid.c @@ -1,7 +1,7 @@ /* * blkid probe utilities * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -29,6 +29,7 @@ #include "utils_io.h" #ifdef HAVE_BLKID + #include /* make bad checksums flag optional */ #ifndef BLKID_SUBLKS_BADCSUM @@ -45,11 +46,9 @@ static size_t crypt_getpagesize(void) return r <= 0 ? 4096 : (size_t)r; } #endif -#endif void blk_set_chains_for_wipes(struct blkid_handle *h) { -#ifdef HAVE_BLKID blkid_probe_enable_partitions(h->pr, 1); blkid_probe_set_partitions_flags(h->pr, 0 #ifdef HAVE_BLKID_WIPE @@ -65,7 +64,6 @@ void blk_set_chains_for_wipes(struct blkid_handle *h) BLKID_SUBLKS_VERSION | BLKID_SUBLKS_MAGIC | BLKID_SUBLKS_BADCSUM); -#endif } void blk_set_chains_for_full_print(struct blkid_handle *h) @@ -75,25 +73,19 @@ void blk_set_chains_for_full_print(struct blkid_handle *h) void blk_set_chains_for_superblocks(struct blkid_handle *h) { -#ifdef HAVE_BLKID blkid_probe_enable_superblocks(h->pr, 1); blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE); -#endif } void blk_set_chains_for_fast_detection(struct blkid_handle *h) { -#ifdef HAVE_BLKID blkid_probe_enable_partitions(h->pr, 1); blkid_probe_set_partitions_flags(h->pr, 0); blk_set_chains_for_superblocks(h); -#endif } int blk_init_by_path(struct blkid_handle **h, const char *path) { - int r = -ENOTSUP; -#ifdef HAVE_BLKID struct blkid_handle *tmp = malloc(sizeof(*tmp)); if (!tmp) return -ENOMEM; @@ -107,16 +99,11 @@ int blk_init_by_path(struct blkid_handle **h, const char *path) } *h = tmp; - - r = 0; -#endif - return r; + return 0; } int blk_init_by_fd(struct blkid_handle **h, int fd) { - int r = -ENOTSUP; -#ifdef HAVE_BLKID struct blkid_handle *tmp = malloc(sizeof(*tmp)); if (!tmp) return -ENOMEM; @@ -136,13 +123,9 @@ int blk_init_by_fd(struct blkid_handle **h, int fd) tmp->fd = fd; *h = tmp; - - r = 0; -#endif - return r; + return 0; } -#ifdef HAVE_BLKID static int blk_superblocks_luks(struct blkid_handle *h, bool enable) { char luks[] = "crypto_LUKS"; @@ -154,47 +137,34 @@ static int blk_superblocks_luks(struct blkid_handle *h, bool enable) enable ? BLKID_FLTR_ONLYIN : BLKID_FLTR_NOTIN, luks_filter); } -#endif int blk_superblocks_filter_luks(struct blkid_handle *h) { - int r = -ENOTSUP; -#ifdef HAVE_BLKID - r = blk_superblocks_luks(h, false); -#endif - return r; + return blk_superblocks_luks(h, false); } int blk_superblocks_only_luks(struct blkid_handle *h) { - int r = -ENOTSUP; -#ifdef HAVE_BLKID - r = blk_superblocks_luks(h, true); -#endif - return r; + return blk_superblocks_luks(h, true); } blk_probe_status blk_probe(struct blkid_handle *h) { blk_probe_status pr = PRB_FAIL; -#ifdef HAVE_BLKID + int r = blkid_do_probe(h->pr); if (r == 0) pr = PRB_OK; else if (r == 1) pr = PRB_EMPTY; -#endif + return pr; } blk_probe_status blk_safeprobe(struct blkid_handle *h) { - int r = -1; -#ifdef HAVE_BLKID - r = blkid_do_safeprobe(h->pr); -#endif - switch (r) { + switch (blkid_do_safeprobe(h->pr)) { case -2: return PRB_AMBIGUOUS; case 1: @@ -208,43 +178,30 @@ blk_probe_status blk_safeprobe(struct blkid_handle *h) int blk_is_partition(struct blkid_handle *h) { - int r = 0; -#ifdef HAVE_BLKID - r = blkid_probe_has_value(h->pr, "PTTYPE"); -#endif - return r; + return blkid_probe_has_value(h->pr, "PTTYPE"); } int blk_is_superblock(struct blkid_handle *h) { - int r = 0; -#ifdef HAVE_BLKID - r = blkid_probe_has_value(h->pr, "TYPE"); -#endif - return r; + return blkid_probe_has_value(h->pr, "TYPE");; } const char *blk_get_partition_type(struct blkid_handle *h) { const char *value = NULL; -#ifdef HAVE_BLKID (void) blkid_probe_lookup_value(h->pr, "PTTYPE", &value, NULL); -#endif return value; } const char *blk_get_superblock_type(struct blkid_handle *h) { const char *value = NULL; -#ifdef HAVE_BLKID (void) blkid_probe_lookup_value(h->pr, "TYPE", &value, NULL); -#endif return value; } void blk_free(struct blkid_handle *h) { -#ifdef HAVE_BLKID if (!h) return; @@ -252,10 +209,8 @@ void blk_free(struct blkid_handle *h) blkid_free_probe(h->pr); free(h); -#endif } -#ifdef HAVE_BLKID #ifndef HAVE_BLKID_WIPE static int blk_step_back(struct blkid_handle *h) { @@ -268,11 +223,9 @@ static int blk_step_back(struct blkid_handle *h) #endif } #endif /* not HAVE_BLKID_WIPE */ -#endif /* HAVE_BLKID */ int blk_do_wipe(struct blkid_handle *h) { -#ifdef HAVE_BLKID #ifdef HAVE_BLKID_WIPE return blkid_do_wipe(h->pr, 0); #else @@ -319,29 +272,110 @@ int blk_do_wipe(struct blkid_handle *h) return -EIO; #endif -#else /* HAVE_BLKID */ - return -ENOTSUP; -#endif } int blk_supported(void) { - int r = 0; -#ifdef HAVE_BLKID - r = 1; -#endif - return r; + return 1; } unsigned blk_get_block_size(struct blkid_handle *h) { unsigned block_size = 0; -#ifdef HAVE_BLKID const char *data; if (!blk_is_superblock(h) || !blkid_probe_has_value(h->pr, "BLOCK_SIZE") || blkid_probe_lookup_value(h->pr, "BLOCK_SIZE", &data, NULL) || sscanf(data, "%u", &block_size) != 1) block_size = 0; -#endif + return block_size; } + +#else /* HAVE_BLKID */ +#pragma GCC diagnostic ignored "-Wunused-parameter" + +void blk_set_chains_for_wipes(struct blkid_handle *h) +{ +} + +void blk_set_chains_for_full_print(struct blkid_handle *h) +{ +} + +void blk_set_chains_for_superblocks(struct blkid_handle *h) +{ +} + +void blk_set_chains_for_fast_detection(struct blkid_handle *h) +{ +} + +int blk_init_by_path(struct blkid_handle **h, const char *path) +{ + return -ENOTSUP; +} + +int blk_init_by_fd(struct blkid_handle **h, int fd) +{ + return -ENOTSUP; +} + +int blk_superblocks_filter_luks(struct blkid_handle *h) +{ + return -ENOTSUP; +} + +int blk_superblocks_only_luks(struct blkid_handle *h) +{ + return -ENOTSUP; +} + +blk_probe_status blk_probe(struct blkid_handle *h) +{ + return PRB_FAIL; +} + +blk_probe_status blk_safeprobe(struct blkid_handle *h) +{ + return PRB_FAIL; +} + +int blk_is_partition(struct blkid_handle *h) +{ + return 0; +} + +int blk_is_superblock(struct blkid_handle *h) +{ + return 0; +} + +const char *blk_get_partition_type(struct blkid_handle *h) +{ + return NULL; +} + +const char *blk_get_superblock_type(struct blkid_handle *h) +{ + return NULL; +} + +void blk_free(struct blkid_handle *h) +{ +} + +int blk_do_wipe(struct blkid_handle *h) +{ + return -ENOTSUP; +} + +int blk_supported(void) +{ + return 0; +} + +unsigned blk_get_block_size(struct blkid_handle *h) +{ + return 0; +} +#endif diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h index 3ee1434..7e005f0 100644 --- a/lib/utils_blkid.h +++ b/lib/utils_blkid.h @@ -1,7 +1,7 @@ /* * blkid probe utilities * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c index 0b7dc37..1e97610 100644 --- a/lib/utils_crypt.c +++ b/lib/utils_crypt.c @@ -2,8 +2,8 @@ * utils_crypt - cipher utilities for cryptsetup * * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, cipher, cipher_mode) == 2) { if (!strcmp(cipher_mode, "plain")) strcpy(cipher_mode, "cbc-plain"); - if (key_nums) { + if (!strncmp(cipher, "capi:", 5)) { + /* CAPI must not use internal cipher driver names with dash */ + if (strchr(cipher_mode, ')')) + return -EINVAL; + if (key_nums) + *key_nums = 1; + } else if (key_nums) { char *tmp = strchr(cipher, ':'); *key_nums = tmp ? atoi(++tmp) : 1; if (!*key_nums) @@ -300,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha if (i != 2) return -EINVAL; + /* non-cryptsetup compatible mode (generic driver with dash?) */ + if (strrchr(iv, ')')) { + if (i_dm) + return -EINVAL; + if (!(*org_c = strdup(c_dm))) + return -ENOMEM; + return 0; + } + len = strlen(tmp); if (len < 2) return -EINVAL; diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h index 92e0705..0a4b5d6 100644 --- a/lib/utils_crypt.h +++ b/lib/utils_crypt.h @@ -2,8 +2,8 @@ * utils_crypt - cipher utilities for cryptsetup * * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -30,9 +30,12 @@ struct crypt_device; #define MAX_CIPHER_LEN 32 #define MAX_CIPHER_LEN_STR "31" #define MAX_KEYFILES 32 +#define MAX_KEYRING_LINKS 2 +#define MAX_VK_IN_KEYRING 2 #define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN #define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */ #define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */ +#define MAX_INTEGRITY_LEN 64 int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, char *cipher_mode); diff --git a/lib/utils_device.c b/lib/utils_device.c index d80ea62..8bc329d 100644 --- a/lib/utils_device.c +++ b/lib/utils_device.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -178,6 +178,7 @@ static int device_ready(struct crypt_device *cd, struct device *device) int devfd = -1, r = 0; struct stat st; size_t tmp_size; + const char *dm_name; if (!device) return -EINVAL; @@ -188,7 +189,12 @@ static int device_ready(struct crypt_device *cd, struct device *device) device->o_direct = 0; devfd = open(device_path(device), O_RDONLY | O_DIRECT); if (devfd >= 0) { - if (device_read_test(devfd) == 0) { + /* skip check for suspended DM devices */ + dm_name = device_dm_name(device); + if (dm_name && dm_status_suspended(cd, dm_name)) { + close(devfd); + devfd = -1; + } else if (device_read_test(devfd) == 0) { device->o_direct = 1; } else { close(devfd); @@ -470,7 +476,7 @@ void device_free(struct crypt_device *cd, struct device *device) /* Get block device path */ const char *device_block_path(const struct device *device) { - if (!device || !device->init_done) + if (!device) return NULL; return device->path; @@ -482,7 +488,7 @@ const char *device_dm_name(const struct device *device) const char *dmdir = dm_get_dir(); size_t dmdir_len = strlen(dmdir); - if (!device || !device->init_done) + if (!device) return NULL; if (strncmp(device->path, dmdir, dmdir_len)) @@ -985,6 +991,22 @@ int device_is_rotational(struct device *device) return crypt_dev_is_rotational(major(st.st_rdev), minor(st.st_rdev)); } +int device_is_dax(struct device *device) +{ + struct stat st; + + if (!device) + return -EINVAL; + + if (stat(device_path(device), &st) < 0) + return -EINVAL; + + if (!S_ISBLK(st.st_mode)) + return 0; + + return crypt_dev_is_dax(major(st.st_rdev), minor(st.st_rdev)); +} + size_t device_alignment(struct device *device) { int devfd; diff --git a/lib/utils_device_locking.c b/lib/utils_device_locking.c index e18ea77..ef3f6b4 100644 --- a/lib/utils_device_locking.c +++ b/lib/utils_device_locking.c @@ -1,8 +1,8 @@ /* * Metadata on-disk locking for processes serialization * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -134,7 +134,7 @@ static int open_resource(struct crypt_device *cd, const char *res) return -EINVAL; log_dbg(cd, "Opening lock resource file %s/%s", DEFAULT_LUKS2_LOCK_PATH, res); - r = openat(lockdir_fd, res, O_CREAT | O_NOFOLLOW | O_RDWR | O_CLOEXEC, 0777); + r = openat(lockdir_fd, res, O_CREAT|O_NOFOLLOW|O_RDWR|O_CLOEXEC, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); err = errno; close(lockdir_fd); @@ -405,30 +405,6 @@ int device_write_lock_internal(struct crypt_device *cd, struct device *device) return 1; } -int crypt_read_lock(struct crypt_device *cd, const char *resource, bool blocking, struct crypt_lock_handle **lock) -{ - int r; - struct crypt_lock_handle *h; - - if (!resource) - return -EINVAL; - - log_dbg(cd, "Acquiring %sblocking read lock for resource %s.", blocking ? "" : "non", resource); - - r = acquire_and_verify(cd, NULL, resource, LOCK_SH | (blocking ? 0 : LOCK_NB), &h); - if (r < 0) - return r; - - h->type = DEV_LOCK_READ; - h->refcnt = 1; - - log_dbg(cd, "READ lock for resource %s taken.", resource); - - *lock = h; - - return 0; -} - int crypt_write_lock(struct crypt_device *cd, const char *resource, bool blocking, struct crypt_lock_handle **lock) { int r; diff --git a/lib/utils_device_locking.h b/lib/utils_device_locking.h index b73f15d..3fa09a5 100644 --- a/lib/utils_device_locking.h +++ b/lib/utils_device_locking.h @@ -1,8 +1,8 @@ /* * Metadata on-disk locking for processes serialization * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -37,7 +37,6 @@ void device_unlock_internal(struct crypt_device *cd, struct device *device); int device_locked_verify(struct crypt_device *cd, int fd, struct crypt_lock_handle *h); -int crypt_read_lock(struct crypt_device *cd, const char *name, bool blocking, struct crypt_lock_handle **lock); int crypt_write_lock(struct crypt_device *cd, const char *name, bool blocking, struct crypt_lock_handle **lock); void crypt_unlock_internal(struct crypt_device *cd, struct crypt_lock_handle *h); diff --git a/lib/utils_devpath.c b/lib/utils_devpath.c index dc5a5bb..5e7e13e 100644 --- a/lib/utils_devpath.c +++ b/lib/utils_devpath.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -210,6 +210,24 @@ static int _path_get_uint64(const char *sysfs_path, uint64_t *value, const char return _read_uint64(path, value); } +int crypt_dev_get_partition_number(const char *dev_path) +{ + uint64_t partno; + struct stat st; + + if (stat(dev_path, &st) < 0) + return 0; + + if (!S_ISBLK(st.st_mode)) + return 0; + + if (!_sysfs_get_uint64(major(st.st_rdev), minor(st.st_rdev), + &partno, "partition")) + return -EINVAL; + + return (int)partno; +} + int crypt_dev_is_rotational(int major, int minor) { uint64_t val; @@ -220,6 +238,16 @@ int crypt_dev_is_rotational(int major, int minor) return val ? 1 : 0; } +int crypt_dev_is_dax(int major, int minor) +{ + uint64_t val; + + if (!_sysfs_get_uint64(major, minor, &val, "queue/dax")) + return 0; /* if failed, expect non-DAX device */ + + return val ? 1 : 0; +} + int crypt_dev_is_partition(const char *dev_path) { uint64_t val; @@ -253,6 +281,7 @@ uint64_t crypt_dev_partition_offset(const char *dev_path) &val, "start")) return 0; + /* coverity[tainted_data_return:FALSE] */ return val; } diff --git a/lib/utils_dm.h b/lib/utils_dm.h index 79212a2..dbbd470 100644 --- a/lib/utils_dm.h +++ b/lib/utils_dm.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -72,7 +72,7 @@ static inline uint32_t act2dmflags(uint32_t act_flags) #define DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */ #define DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/ #define DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption */ -#define DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt suppot for bypassing workqueues */ +#define DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt support for bypassing workqueues */ #define DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */ #define DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */ #define DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */ @@ -234,6 +234,7 @@ int dm_clear_device(struct crypt_device *cd, const char *name); int dm_cancel_deferred_removal(const char *name); const char *dm_get_dir(void); +int dm_get_iname(const char *name, char **iname, bool with_path); int lookup_dm_dev_by_uuid(struct crypt_device *cd, const char *uuid, const char *type); diff --git a/lib/utils_io.c b/lib/utils_io.c index a5bc501..1c6b456 100644 --- a/lib/utils_io.c +++ b/lib/utils_io.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_io.h b/lib/utils_io.h index f8b3f00..ce6a6ed 100644 --- a/lib/utils_io.h +++ b/lib/utils_io.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_keyring.c b/lib/utils_keyring.c index a0c4db1..6bd3c48 100644 --- a/lib/utils_keyring.c +++ b/lib/utils_keyring.c @@ -1,8 +1,8 @@ /* * kernel keyring utilities * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,9 +19,14 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#include +#include #include +#include #include +#include #include +#include #include #include @@ -29,11 +34,6 @@ #include "libcryptsetup_macros.h" #include "utils_keyring.h" -#ifndef HAVE_KEY_SERIAL_T -#define HAVE_KEY_SERIAL_T -typedef int32_t key_serial_t; -#endif - #ifdef KERNEL_KEYRING static const struct { @@ -42,6 +42,9 @@ static const struct { } key_types[] = { { LOGON_KEY, "logon" }, { USER_KEY, "user" }, + { BIG_KEY, "big_key" }, + { TRUSTED_KEY, "trusted" }, + { ENCRYPTED_KEY, "encrypted" }, }; #include @@ -65,16 +68,22 @@ static key_serial_t add_key(const char *type, return syscall(__NR_add_key, type, description, payload, plen, keyring); } +/* keyctl_describe */ +static long keyctl_describe(key_serial_t id, char *buffer, size_t buflen) +{ + return syscall(__NR_keyctl, KEYCTL_DESCRIBE, id, buffer, buflen); +} + /* keyctl_read */ static long keyctl_read(key_serial_t key, char *buffer, size_t buflen) { return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen); } -/* keyctl_revoke */ -static long keyctl_revoke(key_serial_t key) +/* keyctl_link */ +static long keyctl_link(key_serial_t key, key_serial_t keyring) { - return syscall(__NR_keyctl, KEYCTL_REVOKE, key); + return syscall(__NR_keyctl, KEYCTL_LINK, key, keyring); } /* keyctl_unlink */ @@ -82,156 +91,380 @@ static long keyctl_unlink(key_serial_t key, key_serial_t keyring) { return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring); } -#endif -int keyring_check(void) +/* inspired by keyutils written by David Howells (dhowells@redhat.com) */ +static key_serial_t keyring_process_proc_keys_line(char *line, const char *type, const char *desc, + key_serial_t destringid) { -#ifdef KERNEL_KEYRING - /* logon type key descriptions must be in format "prefix:description" */ - return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS; -#else + char typebuf[41], rdesc[1024], *kdesc, *cp; + int ndesc, n; + key_serial_t id; + int dlen; + + assert(desc); + dlen = strlen(desc); + cp = line + strlen(line); + + ndesc = 0; + n = sscanf(line, "%x %*s %*u %*s %*x %*d %*d %40s %n", + &id, typebuf, &ndesc); + if (n == 2 && ndesc > 0 && ndesc <= cp - line) { + if (strcmp(typebuf, type) != 0) + return 0; + kdesc = line + ndesc; + if (memcmp(kdesc, desc, dlen) != 0) + return 0; + if (kdesc[dlen] != ':' && + kdesc[dlen] != '\0' && + kdesc[dlen] != ' ') + return 0; + kdesc[dlen] = '\0'; + + /* The key type appends extra stuff to the end of the + * description after a colon in /proc/keys. Colons, + * however, are allowed in descriptions, so we need to + * make a further check. */ + n = keyctl_describe(id, rdesc, sizeof(rdesc) - 1); + if (n < 0) + return 0; + if ((size_t)n >= sizeof(rdesc) - 1) + return 0; + rdesc[n] = '\0'; + + cp = strrchr(rdesc, ';'); + if (!cp) + return 0; + cp++; + if (strcmp(cp, desc) != 0) + return 0; + + + if (destringid && keyctl_link(id, destringid) == -1) + return 0; + + return id; + } + return 0; -#endif } -int keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size) -{ -#ifdef KERNEL_KEYRING - key_serial_t kid; - const char *type_name = key_type_name(ktype); +/* inspired by keyutils written by David Howells (dhowells@redhat.com), returns 0 ID on failure */ - if (!type_name || !key_desc) - return -EINVAL; +static key_serial_t find_key_by_type_and_desc(const char *type, const char *desc, key_serial_t destringid) +{ + key_serial_t id; + int f; + char buf[1024]; + char *newline; + size_t buffer_len = 0; + + int n; + + do { + id = request_key(type, desc, NULL, 0); + } while (id < 0 && errno == EINTR); + if (id >= 0 || errno == ENOMEM) + return id; + + f = open("/proc/keys", O_RDONLY); + if (f < 0) + return 0; - kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING); - if (kid < 0) - return -errno; + while ((n = read(f, buf + buffer_len, sizeof(buf) - buffer_len - 1)) > 0) { + buffer_len += n; + buf[buffer_len] = '\0'; + newline = strchr(buf, '\n'); + while (newline != NULL && buffer_len != 0) { + *newline = '\0'; + + if ((id = keyring_process_proc_keys_line(buf, type, desc, destringid))) { + close(f); + return id; + } + + buffer_len -= newline - buf + 1; + assert(buffer_len <= sizeof(buf) - 1); + memmove(buf, newline + 1, buffer_len); + buf[buffer_len] = '\0'; + newline = strchr(buf, '\n'); + } + } + close(f); return 0; -#else - return -ENOTSUP; -#endif } -/* currently used in client utilities only */ -int keyring_add_key_in_user_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size) +int keyring_check(void) +{ + /* logon type key descriptions must be in format "prefix:description" */ + return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS; +} + +static key_serial_t keyring_add_key_in_keyring(key_type_t ktype, + const char *key_desc, + const void *key, + size_t key_size, + key_serial_t keyring) { -#ifdef KERNEL_KEYRING const char *type_name = key_type_name(ktype); - key_serial_t kid; if (!type_name || !key_desc) return -EINVAL; - kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_USER_KEYRING); - if (kid < 0) - return -errno; - - return 0; -#else - return -ENOTSUP; -#endif + return add_key(type_name, key_desc, key, key_size, keyring); } -/* alias for the same code */ -int keyring_get_key(const char *key_desc, - char **key, - size_t *key_size) +key_serial_t keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size) { - return keyring_get_passphrase(key_desc, key, key_size); + return keyring_add_key_in_keyring(ktype, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING); } -int keyring_get_passphrase(const char *key_desc, - char **passphrase, - size_t *passphrase_len) +key_serial_t keyring_request_key_id(key_type_t key_type, + const char *key_description) { -#ifdef KERNEL_KEYRING - int err; key_serial_t kid; - long ret; + + do { + kid = request_key(key_type_name(key_type), key_description, NULL, 0); + } while (kid < 0 && errno == EINTR); + + return kid; +} + +int keyring_read_key(key_serial_t kid, + char **key, + size_t *key_size) +{ + long r; char *buf = NULL; size_t len = 0; - do - kid = request_key(key_type_name(USER_KEY), key_desc, NULL, 0); - while (kid < 0 && errno == EINTR); - - if (kid < 0) - return -errno; + assert(key); + assert(key_size); /* just get payload size */ - ret = keyctl_read(kid, NULL, 0); - if (ret > 0) { - len = ret; + r = keyctl_read(kid, NULL, 0); + if (r > 0) { + len = r; buf = crypt_safe_alloc(len); if (!buf) return -ENOMEM; /* retrieve actual payload data */ - ret = keyctl_read(kid, buf, len); + r = keyctl_read(kid, buf, len); } - if (ret < 0) { - err = errno; + if (r < 0) { crypt_safe_free(buf); - return -err; + return -EINVAL; } - *passphrase = buf; - *passphrase_len = len; + *key = buf; + *key_size = len; return 0; -#else - return -ENOTSUP; -#endif } -static int keyring_revoke_and_unlink_key_type(const char *type_name, const char *key_desc) +int keyring_unlink_key_from_keyring(key_serial_t kid, key_serial_t keyring_id) { -#ifdef KERNEL_KEYRING - key_serial_t kid; + return keyctl_unlink(kid, keyring_id) < 0 ? -EINVAL : 0; +} - if (!type_name || !key_desc) - return -EINVAL; +int keyring_unlink_key_from_thread_keyring(key_serial_t kid) +{ + return keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING) < 0 ? -EINVAL : 0; +} + +const char *key_type_name(key_type_t type) +{ + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(key_types); i++) + if (type == key_types[i].type) + return key_types[i].type_name; + + return NULL; +} + +key_serial_t keyring_find_key_id_by_name(const char *key_name) +{ + key_serial_t id = 0; + char *end; + char *name_copy, *name_copy_p; - do - kid = request_key(type_name, key_desc, NULL, 0); - while (kid < 0 && errno == EINTR); + assert(key_name); + + if (key_name[0] == '@') { + if (strcmp(key_name, "@t" ) == 0) return KEY_SPEC_THREAD_KEYRING; + if (strcmp(key_name, "@p" ) == 0) return KEY_SPEC_PROCESS_KEYRING; + if (strcmp(key_name, "@s" ) == 0) return KEY_SPEC_SESSION_KEYRING; + if (strcmp(key_name, "@u" ) == 0) return KEY_SPEC_USER_KEYRING; + if (strcmp(key_name, "@us") == 0) return KEY_SPEC_USER_SESSION_KEYRING; + if (strcmp(key_name, "@g" ) == 0) return KEY_SPEC_GROUP_KEYRING; + if (strcmp(key_name, "@a" ) == 0) return KEY_SPEC_REQKEY_AUTH_KEY; - if (kid < 0) return 0; + } - if (keyctl_revoke(kid)) - return -errno; + /* handle a lookup-by-name request "%:", eg: "%keyring:_ses" */ + name_copy = strdup(key_name); + if (!name_copy) + goto out; + name_copy_p = name_copy; + + if (name_copy_p[0] == '%') { + const char *type; + + name_copy_p++; + if (!*name_copy_p) + goto out; + + if (*name_copy_p == ':') { + type = "keyring"; + name_copy_p++; + } else { + type = name_copy_p; + name_copy_p = strchr(name_copy_p, ':'); + if (!name_copy_p) + goto out; + *(name_copy_p++) = '\0'; + } + + if (!*name_copy_p) + goto out; + + id = find_key_by_type_and_desc(type, name_copy_p, 0); + goto out; + } + + id = strtoul(key_name, &end, 0); + if (*end) + id = 0; - /* - * best effort only. the key could have been linked - * in some other keyring and its payload is now - * revoked anyway. - */ - keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING); - keyctl_unlink(kid, KEY_SPEC_PROCESS_KEYRING); - keyctl_unlink(kid, KEY_SPEC_USER_KEYRING); +out: + if (name_copy) + free(name_copy); + + return id; +} + +static bool numbered(const char *str) +{ + char *endp; + + errno = 0; + (void) strtol(str, &endp, 0); + if (errno == ERANGE) + return false; + + return *endp == '\0' ? true : false; +} + +key_serial_t keyring_find_keyring_id_by_name(const char *keyring_name) +{ + assert(keyring_name); + + /* "%:" is abbreviation for the type keyring */ + if ((keyring_name[0] == '@' && keyring_name[1] != 'a') || + strstr(keyring_name, "%:") || strstr(keyring_name, "%keyring:") || + numbered(keyring_name)) + return keyring_find_key_id_by_name(keyring_name); return 0; -#else - return -ENOTSUP; -#endif } -const char *key_type_name(key_type_t type) +key_type_t key_type_by_name(const char *name) { -#ifdef KERNEL_KEYRING unsigned int i; for (i = 0; i < ARRAY_SIZE(key_types); i++) - if (type == key_types[i].type) - return key_types[i].type_name; -#endif + if (!strcmp(key_types[i].type_name, name)) + return key_types[i].type; + + return INVALID_KEY; +} + +key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype, + const char *key_desc, + const void *key, + size_t key_size, + key_serial_t keyring_to_link) +{ + const char *type_name = key_type_name(ktype); + + if (!type_name || !key_desc) + return -EINVAL; + + return add_key(type_name, key_desc, key, key_size, keyring_to_link); +} + +#else /* KERNEL_KEYRING */ +#pragma GCC diagnostic ignored "-Wunused-parameter" + +int keyring_check(void) +{ + return 0; +} + +key_serial_t keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size) +{ + return -ENOTSUP; +} + +key_serial_t keyring_request_key_id(key_type_t key_type, + const char *key_description) +{ + return -ENOTSUP; +} + +int keyring_read_key(key_serial_t kid, + char **key, + size_t *key_size) +{ + return -ENOTSUP; +} + +int keyring_read_by_id(const char *key_desc, char **passphrase, size_t *passphrase_len) +{ + return -ENOTSUP; +} + +const char *key_type_name(key_type_t type) +{ return NULL; } -int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc) +key_serial_t keyring_find_key_id_by_name(const char *key_name) { - return keyring_revoke_and_unlink_key_type(key_type_name(ktype), key_desc); + return 0; } + +key_serial_t keyring_find_keyring_id_by_name(const char *keyring_name) +{ + return 0; +} + +key_type_t key_type_by_name(const char *name) +{ + return INVALID_KEY; +} + +key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype, + const char *key_desc, + const void *key, + size_t key_size, + key_serial_t keyring_to_link) +{ + return -ENOTSUP; +} + +int keyring_unlink_key_from_keyring(key_serial_t kid, key_serial_t keyring_id) +{ + return -ENOTSUP; +} + +int keyring_unlink_key_from_thread_keyring(key_serial_t kid) +{ + return -ENOTSUP; +} +#endif diff --git a/lib/utils_keyring.h b/lib/utils_keyring.h index 0248862..896f8d8 100644 --- a/lib/utils_keyring.h +++ b/lib/utils_keyring.h @@ -1,8 +1,8 @@ /* * kernel keyring syscall wrappers * - * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -23,33 +23,38 @@ #define _UTILS_KEYRING #include +#include -typedef enum { LOGON_KEY = 0, USER_KEY } key_type_t; +#ifndef HAVE_KEY_SERIAL_T +#define HAVE_KEY_SERIAL_T +typedef int32_t key_serial_t; +#endif + +typedef enum { LOGON_KEY = 0, USER_KEY, BIG_KEY, TRUSTED_KEY, ENCRYPTED_KEY, INVALID_KEY } key_type_t; const char *key_type_name(key_type_t ktype); +key_type_t key_type_by_name(const char *name); +key_serial_t keyring_find_key_id_by_name(const char *key_name); +key_serial_t keyring_find_keyring_id_by_name(const char *keyring_name); int keyring_check(void); -int keyring_get_key(const char *key_desc, - char **key, - size_t *key_size); +key_serial_t keyring_request_key_id(key_type_t key_type, + const char *key_description); -int keyring_get_passphrase(const char *key_desc, - char **passphrase, - size_t *passphrase_len); - -int keyring_add_key_in_thread_keyring( - key_type_t ktype, - const char *key_desc, - const void *key, - size_t key_size); +int keyring_read_key(key_serial_t kid, + char **key, + size_t *key_size); -int keyring_add_key_in_user_keyring( +key_serial_t keyring_add_key_in_thread_keyring( key_type_t ktype, const char *key_desc, const void *key, size_t key_size); -int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc); +key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype, const char *key_desc, const void *key, + size_t key_size, key_serial_t keyring_to_link); +int keyring_unlink_key_from_keyring(key_serial_t kid, key_serial_t keyring_id); +int keyring_unlink_key_from_thread_keyring(key_serial_t kid); #endif diff --git a/lib/utils_loop.c b/lib/utils_loop.c index 9b31603..092ebfc 100644 --- a/lib/utils_loop.c +++ b/lib/utils_loop.c @@ -1,8 +1,8 @@ /* * loopback block device utilities * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -282,7 +282,7 @@ static char *_sysfs_backing_file(const char *loop) { struct stat st; char buf[PATH_MAX]; - size_t len; + ssize_t len; int fd; if (stat(loop, &st) || !S_ISBLK(st.st_mode)) diff --git a/lib/utils_loop.h b/lib/utils_loop.h index c1f6356..17a78aa 100644 --- a/lib/utils_loop.h +++ b/lib/utils_loop.h @@ -1,8 +1,8 @@ /* * loopback block device utilities * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c index 4d7e18d..4341e91 100644 --- a/lib/utils_pbkdf.c +++ b/lib/utils_pbkdf.c @@ -1,8 +1,8 @@ /* * utils_pbkdf - PBKDF settings for libcryptsetup * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -61,9 +61,9 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ return NULL; } -static uint32_t adjusted_phys_memory(void) +uint32_t pbkdf_adjusted_phys_memory_kb(void) { - uint64_t memory_kb = crypt_getphysmemory_kb(); + uint64_t free_kb, memory_kb = crypt_getphysmemory_kb(); /* Ignore bogus value */ if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX) @@ -75,6 +75,22 @@ static uint32_t adjusted_phys_memory(void) */ memory_kb /= 2; + /* + * Never use more that half of available free memory on system without swap. + */ + if (!crypt_swapavailable()) { + free_kb = crypt_getphysmemoryfree_kb(); + + /* + * Using exactly free memory causes OOM too, use only half of the value. + * Ignore small values (< 64MB), user should use PBKDF2 in such environment. + */ + free_kb /= 2; + + if (free_kb > (64 * 1024) && free_kb < memory_kb) + return free_kb; + } + return memory_kb; } @@ -238,7 +254,8 @@ int init_pbkdf_type(struct crypt_device *cd, cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel; } - if (cd_pbkdf->parallel_threads) { + /* Do not limit threads by online CPUs if user forced values (no benchmark). */ + if (cd_pbkdf->parallel_threads && !(cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) { cpus = crypt_cpusonline(); if (cd_pbkdf->parallel_threads > cpus) { log_dbg(cd, "Only %u active CPUs detected, " @@ -248,8 +265,9 @@ int init_pbkdf_type(struct crypt_device *cd, } } - if (cd_pbkdf->max_memory_kb) { - memory_kb = adjusted_phys_memory(); + /* Do not limit by available physical memory if user forced values (no benchmark). */ + if (cd_pbkdf->max_memory_kb && !(cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) { + memory_kb = pbkdf_adjusted_phys_memory_kb(); if (cd_pbkdf->max_memory_kb > memory_kb) { log_dbg(cd, "Not enough physical memory detected, " "PBKDF max memory decreased from %dkB to %dkB.", diff --git a/lib/utils_safe_memory.c b/lib/utils_safe_memory.c index b161369..753842d 100644 --- a/lib/utils_safe_memory.c +++ b/lib/utils_safe_memory.c @@ -1,8 +1,8 @@ /* * utils_safe_memory - safe memory helpers * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/lib/utils_storage_wrappers.c b/lib/utils_storage_wrappers.c index 6ff5afa..4a3aae3 100644 --- a/lib/utils_storage_wrappers.c +++ b/lib/utils_storage_wrappers.c @@ -2,7 +2,7 @@ * Generic wrapper for storage functions * (experimental only) * - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Ondrej Kozina * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils_storage_wrappers.h b/lib/utils_storage_wrappers.h index f7781e8..272c5c1 100644 --- a/lib/utils_storage_wrappers.h +++ b/lib/utils_storage_wrappers.h @@ -2,7 +2,7 @@ * Generic wrapper for storage functions * (experimental only) * - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Ondrej Kozina * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c index 1df46c1..368e6dc 100644 --- a/lib/utils_wipe.c +++ b/lib/utils_wipe.c @@ -2,8 +2,8 @@ * utils_wipe - wipe a device * * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -26,6 +26,8 @@ #include #include #include "internal.h" +#include "luks2/luks2_internal.h" +#include "luks2/hw_opal/hw_opal.h" /* block device zeroout ioctls, introduced in Linux kernel 3.7 */ #ifndef BLKZEROOUT @@ -309,3 +311,73 @@ int crypt_wipe(struct crypt_device *cd, return r; } + +int crypt_wipe_hw_opal(struct crypt_device *cd, + int segment, + const char *password, + size_t password_size, + uint32_t flags) +{ + int r; + struct luks2_hdr *hdr; + uint32_t opal_segment_number; + struct crypt_lock_handle *opal_lh = NULL; + + UNUSED(flags); + + if (!cd) + return -EINVAL; + + if (!password) + return -EINVAL; + + if (segment < CRYPT_LUKS2_SEGMENT || segment > 8) + return -EINVAL; + + r = crypt_opal_supported(cd, crypt_data_device(cd)); + if (r < 0) + return r; + + if (segment == CRYPT_NO_SEGMENT) { + r = opal_factory_reset(cd, crypt_data_device(cd), password, password_size); + if (r == -EPERM) + log_err(cd, _("Incorrect OPAL PSID.")); + else if (r < 0) + log_err(cd, _("Cannot erase OPAL device.")); + return r; + } + + if (onlyLUKS2(cd) < 0) + return -EINVAL; + + hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (!hdr) + return -EINVAL; + + if (segment == CRYPT_LUKS2_SEGMENT) { + r = LUKS2_get_opal_segment_number(hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number); + if (r < 0) { + log_dbg(cd, "Can not get OPAL segment number."); + return r; + } + } else + opal_segment_number = segment; + + r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh); + if (r < 0) { + log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd))); + return -EINVAL; + } + + r = opal_reset_segment(cd, + crypt_data_device(cd), + opal_segment_number, + password, + password_size); + + opal_exclusive_unlock(cd, opal_lh); + if (r < 0) + return r; + + return LUKS2_wipe_header_areas(cd, hdr, crypt_header_is_detached(cd)); +} diff --git a/lib/verity/rs.h b/lib/verity/rs.h index 7638924..34785aa 100644 --- a/lib/verity/rs.h +++ b/lib/verity/rs.h @@ -3,7 +3,7 @@ * * Copyright (C) 2004 Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/rs_decode_char.c b/lib/verity/rs_decode_char.c index 4473202..94c8523 100644 --- a/lib/verity/rs_decode_char.c +++ b/lib/verity/rs_decode_char.c @@ -3,7 +3,7 @@ * * Copyright (C) 2002, Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/rs_encode_char.c b/lib/verity/rs_encode_char.c index 55b502a..a520562 100644 --- a/lib/verity/rs_encode_char.c +++ b/lib/verity/rs_encode_char.c @@ -3,7 +3,7 @@ * * Copyright (C) 2002, Phil Karn, KA9Q * libcryptsetup modifications - * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/verity.c b/lib/verity/verity.c index 0d7a8f5..b3dd1b3 100644 --- a/lib/verity/verity.c +++ b/lib/verity/verity.c @@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -251,91 +251,133 @@ int VERITY_UUID_generate(char **uuid_string) return 0; } +int VERITY_verify_params(struct crypt_device *cd, + struct crypt_params_verity *hdr, + bool signed_root_hash, + struct device *fec_device, + struct volume_key *root_hash) +{ + bool userspace_verification; + int v, r; + unsigned int fec_errors = 0; + + assert(cd); + assert(hdr); + assert(root_hash); + + log_dbg(cd, "Verifying VERITY device using hash %s.", + hdr->hash_name); + + userspace_verification = hdr->flags & CRYPT_VERITY_CHECK_HASH; + + if (userspace_verification && signed_root_hash) { + log_err(cd, _("Root hash signature verification is not supported.")); + return -EINVAL; + } + + if ((hdr->flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE) && !signed_root_hash) { + log_err(cd, _("Root hash signature required.")); + return -EINVAL; + } + + if (!userspace_verification) + return 0; + + log_dbg(cd, "Verification of VERITY data in userspace required."); + r = VERITY_verify(cd, hdr, root_hash->key, root_hash->keylength); + + if ((r == -EPERM || r == -EFAULT) && fec_device) { + v = r; + log_dbg(cd, "Verification failed, trying to repair with FEC device."); + r = VERITY_FEC_process(cd, hdr, fec_device, 1, &fec_errors); + if (r < 0) + log_err(cd, _("Errors cannot be repaired with FEC device.")); + else if (fec_errors) { + log_err(cd, _("Found %u repairable errors with FEC device."), + fec_errors); + /* If root hash failed, we cannot be sure it was properly repaired */ + } + if (v == -EFAULT) + r = -EPERM; + } + + return r; +} + /* Activate verity device in kernel device-mapper */ int VERITY_activate(struct crypt_device *cd, const char *name, - const char *root_hash, - size_t root_hash_size, - const char *signature_description, + struct volume_key *root_hash, + struct volume_key *signature, struct device *fec_device, struct crypt_params_verity *verity_hdr, uint32_t activation_flags) { uint32_t dmv_flags; - unsigned int fec_errors = 0; - int r, v; - struct crypt_dm_active_device dmd = { - .size = verity_hdr->data_size * verity_hdr->data_block_size / 512, - .flags = activation_flags, - .uuid = crypt_get_uuid(cd), - }; - - log_dbg(cd, "Trying to activate VERITY device %s using hash %s.", - name ?: "[none]", verity_hdr->hash_name); - - if (verity_hdr->flags & CRYPT_VERITY_CHECK_HASH) { - if (signature_description) { - log_err(cd, _("Root hash signature verification is not supported.")); - return -EINVAL; - } + int r; + key_serial_t kid; + char *description = NULL; + struct crypt_dm_active_device dmd = { 0 }; - log_dbg(cd, "Verification of data in userspace required."); - r = VERITY_verify(cd, verity_hdr, root_hash, root_hash_size); - - if ((r == -EPERM || r == -EFAULT) && fec_device) { - v = r; - log_dbg(cd, "Verification failed, trying to repair with FEC device."); - r = VERITY_FEC_process(cd, verity_hdr, fec_device, 1, &fec_errors); - if (r < 0) - log_err(cd, _("Errors cannot be repaired with FEC device.")); - else if (fec_errors) { - log_err(cd, _("Found %u repairable errors with FEC device."), - fec_errors); - /* If root hash failed, we cannot be sure it was properly repaired */ - } - if (v == -EFAULT) - r = -EPERM; - } + assert(name); + assert(root_hash); + assert(verity_hdr); + + dmd.size = verity_hdr->data_size * verity_hdr->data_block_size / 512; + dmd.flags = activation_flags; + dmd.uuid = crypt_get_uuid(cd); + + log_dbg(cd, "Activating VERITY device %s using hash %s.", + name, verity_hdr->hash_name); + if (signature) { + r = asprintf(&description, "cryptsetup:%s%s%s", + crypt_get_uuid(cd) ?: "", crypt_get_uuid(cd) ? "-" : "", name); if (r < 0) - return r; - } + return -EINVAL; - if (!name) - return 0; + log_dbg(cd, "Adding signature %s (type user) into thread keyring.", description); + kid = keyring_add_key_in_thread_keyring(USER_KEY, description, signature->key, signature->keylength); + if (kid < 0) { + log_dbg(cd, "keyring_add_key_in_thread_keyring failed with errno %d.", errno); + log_err(cd, _("Failed to load key in kernel keyring.")); + free(description); + return -EINVAL; + } + } r = device_block_adjust(cd, crypt_metadata_device(cd), DEV_OK, 0, NULL, NULL); if (r) - return r; + goto out; r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL, 0, &dmd.size, &dmd.flags); if (r) - return r; + goto out; if (fec_device) { r = device_block_adjust(cd, fec_device, DEV_OK, 0, NULL, NULL); if (r) - return r; + goto out; } r = dm_verity_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), - crypt_metadata_device(cd), fec_device, root_hash, - root_hash_size, signature_description, + crypt_metadata_device(cd), fec_device, root_hash->key, + root_hash->keylength, description, VERITY_hash_offset_block(verity_hdr), VERITY_FEC_blocks(cd, fec_device, verity_hdr), verity_hdr); if (r) - return r; + goto out; r = dm_create_device(cd, name, CRYPT_VERITY, &dmd); if (r < 0 && (dm_flags(cd, DM_VERITY, &dmv_flags) || !(dmv_flags & DM_VERITY_SUPPORTED))) { log_err(cd, _("Kernel does not support dm-verity mapping.")); r = -ENOTSUP; } - if (r < 0 && signature_description && !(dmv_flags & DM_VERITY_SIGNATURE_SUPPORTED)) { + if (r < 0 && signature && !(dmv_flags & DM_VERITY_SIGNATURE_SUPPORTED)) { log_err(cd, _("Kernel does not support dm-verity signature option.")); r = -ENOTSUP; } @@ -351,6 +393,8 @@ int VERITY_activate(struct crypt_device *cd, r = 0; out: + crypt_drop_keyring_key_by_description(cd, description, USER_KEY); + free(description); dm_targets_free(cd, &dmd); return r; } diff --git a/lib/verity/verity.h b/lib/verity/verity.h index afc411e..00e9867 100644 --- a/lib/verity/verity.h +++ b/lib/verity/verity.h @@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -23,6 +23,7 @@ #include #include +#include #define VERITY_MAX_HASH_TYPE 1 #define VERITY_BLOCK_SIZE_OK(x) ((x) % 512 || (x) < 512 || \ @@ -31,6 +32,7 @@ struct crypt_device; struct crypt_params_verity; struct device; +struct volume_key; int VERITY_read_sb(struct crypt_device *cd, uint64_t sb_offset, @@ -44,13 +46,18 @@ int VERITY_write_sb(struct crypt_device *cd, int VERITY_activate(struct crypt_device *cd, const char *name, - const char *root_hash, - size_t root_hash_size, - const char *signature_description, + struct volume_key *root_hash, + struct volume_key *signature, struct device *fec_device, struct crypt_params_verity *verity_hdr, uint32_t activation_flags); +int VERITY_verify_params(struct crypt_device *cd, + struct crypt_params_verity *hdr, + bool signed_root_hash, + struct device *fec_device, + struct volume_key *root_hash); + int VERITY_verify(struct crypt_device *cd, struct crypt_params_verity *verity_hdr, const char *root_hash, diff --git a/lib/verity/verity_fec.c b/lib/verity/verity_fec.c index 2dbf59e..15608fd 100644 --- a/lib/verity/verity_fec.c +++ b/lib/verity/verity_fec.c @@ -2,7 +2,7 @@ * dm-verity Forward Error Correction (FEC) support * * Copyright (C) 2015 Google, Inc. All rights reserved. - * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c index f33b737..0e351aa 100644 --- a/lib/verity/verity_hash.c +++ b/lib/verity/verity_hash.c @@ -1,7 +1,7 @@ /* * dm-verity volume handling * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/lib/volumekey.c b/lib/volumekey.c index 00791ac..3de7f76 100644 --- a/lib/volumekey.c +++ b/lib/volumekey.c @@ -2,7 +2,7 @@ * cryptsetup volume key implementation * * Copyright (C) 2004-2006 Clemens Fruhwirth - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -39,7 +39,7 @@ struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key) vk->key_description = NULL; vk->keylength = keylength; - vk->id = -1; + vk->id = KEY_NOT_VERIFIED; vk->next = NULL; /* keylength 0 is valid => no key */ diff --git a/man/Makemodule.am b/man/Makemodule.am index 41e21da..03beb7a 100644 --- a/man/Makemodule.am +++ b/man/Makemodule.am @@ -107,6 +107,8 @@ if SSHPLUGIN_TOKEN MANPAGES += $(SSHPLUGIN_MANPAGES) endif +EXTRA_DIST += man/meson_dist_convert.sh + if ENABLE_ASCIIDOC EXTRA_DIST += $(MANPAGES_ALL) man8_MANS += $(MANPAGES) $(MANLINKS) diff --git a/man/common_options.adoc b/man/common_options.adoc index 56a6e29..497d7fd 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -131,8 +131,14 @@ ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY[] The passphrase supplied via --key-file is always the passphrase for existing keyslot requested by the command. + +ifdef::ACTION_LUKSADDKEY[] If you want to set a new passphrase via key file, you have to use a positional argument or parameter --new-keyfile. +endif::[] +ifdef::ACTION_LUKSCHANGEKEY[] +If you want to set a new passphrase via key file, you have to use a +positional argument. +endif::[] + endif::[] ifdef::ACTION_OPEN[] @@ -153,6 +159,16 @@ If this option is not used, cryptsetup will ask for all active keyslot passphrases. endif::[] endif::[] +ifdef::ACTION_ERASE[] +*--key-file, -d* _name_ *(LUKS2 with HW OPAL only)*:: + +Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file +depending on options used. ++ +If the name given is "-", then the secret will be read from stdin. +In this case, reading will not stop at newline characters. ++ +endif::[] ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[] *--keyfile-offset* _value_:: @@ -229,6 +245,19 @@ partially predictable volume key which will compromise security. endif::[] endif::[] +ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[] +*--volume-key-keyring* __:: +Use a volume key stored in a keyring. +This allows one to open _luks_ and device types without giving a passphrase. +The key and associated type has to be readable from userspace so that volume +key digest may be verified in before activation. ++ +The __ uses keyctl-compatible syntax. This can either be a +numeric key ID or a string name in the format _%:_. See +also *KEY IDENTIFIERS* section of *keyctl*(1). When no _%:_ prefix +is specified we assume the key type is _user_ (default type). +endif::[] + ifdef::ACTION_LUKSDUMP[] *--dump-json-metadata*:: For _luksDump_ (LUKS2 only) this option prints content of LUKS2 header @@ -476,7 +505,8 @@ You can see all PBKDF parameters for particular LUKS2 keyslot with *NOTE:* If you do not want to use benchmark and want to specify all parameters directly, use _--pbkdf-force-iterations_ with _--pbkdf-memory_ and _--pbkdf-parallel_. This will override the values -without benchmarking. Note it can cause extremely long unlocking time. +without benchmarking. Note it can cause extremely long unlocking time +or cause out-of-memory conditions with unconditional process termination. Use only in specific cases, for example, if you know that the formatted device will be used on some small embedded system. + @@ -670,7 +700,7 @@ endif::[] ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP[] *--header *:: -ifndef::ACTION_OPEN[] +ifndef::ACTION_OPEN,ACTION_ERASE[] Use a detached (separated) metadata device or file where the LUKS header is stored. This option allows one to store ciphertext and LUKS header on different devices. @@ -693,7 +723,7 @@ FAQ for header size calculation. The --align-payload option is taken as absolute sector alignment on ciphertext device and can be zero. endif::[] -ifndef::ACTION_LUKSFORMAT,ACTION_OPEN[] +ifndef::ACTION_LUKSFORMAT,ACTION_OPEN,ACTION_ERASE[] For commands that change the LUKS header (e.g. _luksAddKey_), specify the device or file with the LUKS header directly as the LUKS device. @@ -713,6 +743,9 @@ decryption operation continues as if the ordinary detached header was passed. *WARNING:* Never put exported header file in a filesystem on top of device you are about to decrypt! It would cause a deadlock. endif::[] +ifdef::ACTION_ERASE[] +Use to specify detached LUKS2 header when erasing HW OPAL enabled data device. +endif::[] endif::[] ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[] @@ -720,6 +753,19 @@ ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[] Specify file with header backup file. endif::[] +ifdef::ACTION_LUKSFORMAT[] +*--hw-opal*:: +Format LUKS2 device with dm-crypt encryption stacked on top HW based encryption configured +on SED OPAL locking range. This option enables both SW and HW based data encryption. +endif::[] + +ifdef::ACTION_LUKSFORMAT[] +*--hw-opal-only*:: +Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2 +format only manages locking range unlock key. This option enables HW based data encryption managed +by SED OPAL drive only. +endif::[] + ifdef::ACTION_REENCRYPT[] *--force-offline-reencrypt (LUKS2 only)*:: Bypass active device auto-detection and enforce offline reencryption. @@ -757,6 +803,11 @@ Removes a previously configured deferred device removal in _close_ command. endif::[] +ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[] +*--disable-blkid*:: +Disable use of blkid library for checking and wiping on-disk signatures. +endif::[] + ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[] *--disable-external-tokens*:: Disable loading of plugins for external LUKS2 tokens. @@ -789,6 +840,26 @@ ifdef::ACTION_TOKEN[] Set key description in keyring for use with _token_ command. endif::[] +ifdef::ACTION_OPEN,ACTION_LUKSRESUME[] +*--link-vk-to-keyring* _::_:: +Link volume key in a keyring with specified key name. The volume key is linked only +if requested action is successfully finished. ++ +__ string has to contain existing kernel keyring +description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions. +Or, the keyring may also be specified directly by numeric key id. Also special keyring notations +starting with "@" may be used to select existing predefined kernel keyrings. ++ +The string "::" is delimiter used to separate keyring description and key description. ++ +__ part describes key type and key name of volume key linked in the keyring +described in __. The type may be specified by adding "%:" prefix in front of +key name. If type is missing default _user_ type is applied. If the key of same name and same type already exists (already linked in the keyring) +it will get replaced in the process. ++ +See also *KEY IDENTIFIERS* section of *keyctl*(1). +endif::[] + ifdef::ACTION_CONFIG[] *--priority *:: Set a priority for LUKS2 keyslot. The _prefer_ priority marked slots @@ -800,7 +871,7 @@ endif::[] ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY[] *--token-id*:: ifndef::ACTION_TOKEN,ACTION_LUKSADDKEY[] -Specify what token to use and allow token PIN prompt to take precedence over interative +Specify what token to use and allow token PIN prompt to take precedence over interactive keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN) will be checked before proceeding further with passphrase prompt. endif::[] @@ -1163,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size. You cannot shrink device more than by 64 MiB (131072 sectors). endif::[] +ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[] +*--external-tokens-path* _absolute_path_:: +Override system directory path where cryptsetup searches for external token +handlers (or token plugins). It must be absolute path (starting with '/' character). +endif::[] + ifdef::COMMON_OPTIONS[] *--batch-mode, -q*:: Suppresses all confirmation questions. Use with care! diff --git a/man/cryptsetup-erase.8.adoc b/man/cryptsetup-erase.8.adoc index 97a13aa..6ad7eca 100644 --- a/man/cryptsetup-erase.8.adoc +++ b/man/cryptsetup-erase.8.adoc @@ -18,11 +18,17 @@ cryptsetup-erase, cryptsetup-luksErase - erase all keyslots == DESCRIPTION Erase all keyslots and make the LUKS container permanently inaccessible. -You do not need to provide any password for this operation. +Unless the device is configured with HW OPAL support you do not need to +provide any password for this operation. *WARNING:* This operation is irreversible. -** can be [--header, --disable-locks]. +*WARNING:* with *--hw-opal-factory-reset* ALL data is lost on the device, +regardless of the partition it is ran on, if any, and regardless of any LUKS2 +header backup, and does not require a valid LUKS2 header to be present on the +device to run. + +** can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksAddKey.8.adoc b/man/cryptsetup-luksAddKey.8.adoc index 9686a1d..306ef64 100644 --- a/man/cryptsetup-luksAddKey.8.adoc +++ b/man/cryptsetup-luksAddKey.8.adoc @@ -19,9 +19,9 @@ cryptsetup-luksAddKey - add a new passphrase Adds a keyslot protected by a new passphrase. An existing passphrase must be supplied interactively, via --key-file or LUKS2 token (plugin). Alternatively to existing passphrase user may pass directly volume key -(via --volume-key-file). The new passphrase to be added can be specified -interactively, read from the file given as the positional argument (also -via --new-keyfile parameter) or via LUKS2 token. +(via --volume-key-file or --volume-key-keyring). The new passphrase to be added +can be specified interactively, read from the file given as the positional +argument (also via --new-keyfile parameter) or via LUKS2 token. *NOTE:* with --unbound option the action creates new unbound LUKS2 keyslot. The keyslot cannot be used for device activation. If you don't @@ -34,11 +34,11 @@ algorithm is always the same for all keyslots. ** can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot, ---new-key-slot, --volume-key-file, --force-password, --hash, --header, ---disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, ---pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher, ---keyslot-key-size, --key-size, --timeout, --token-id, --token-type, ---token-only, --new-token-id, --verify-passphrase]. +--new-key-slot, --volume-key-file, --volume-key-keyring, --force-password, +--hash, --header, --disable-locks, --iter-time, --pbkdf, +--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, +--keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id, +--token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path]. include::man/common_options.adoc[] diff --git a/man/cryptsetup-luksChangeKey.8.adoc b/man/cryptsetup-luksChangeKey.8.adoc index 7dd5f3b..23376c0 100644 --- a/man/cryptsetup-luksChangeKey.8.adoc +++ b/man/cryptsetup-luksChangeKey.8.adoc @@ -30,7 +30,9 @@ overwritten directly. *WARNING:* If a key-slot is overwritten, a media failure during this operation can cause the overwrite to fail after the old passphrase has -been wiped and make the LUKS container inaccessible. +been wiped and make the LUKS container inaccessible. LUKS2 mitigates +that by never overwriting existing keyslot area as long as there's +a free space in keyslots area at least for one more LUKS2 keyslot. *NOTE:* some parameters are effective only if used with LUKS2 format that supports per-keyslot parameters. For LUKS1, PBKDF type and hash diff --git a/man/cryptsetup-luksDump.8.adoc b/man/cryptsetup-luksDump.8.adoc index f9f3910..b1b3907 100644 --- a/man/cryptsetup-luksDump.8.adoc +++ b/man/cryptsetup-luksDump.8.adoc @@ -40,7 +40,7 @@ use --dump-json-metadata option. ** can be [--dump-volume-key, --dump-json-metadata, --key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, ---volume-key-file, --type, --unbound, --key-slot, --timeout]. +--volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path]. *WARNING:* If --dump-volume-key is used with --key-file and the argument to --key-file is '-', no validation question will be asked and no diff --git a/man/cryptsetup-luksFormat.8.adoc b/man/cryptsetup-luksFormat.8.adoc index be241f8..c9c3565 100644 --- a/man/cryptsetup-luksFormat.8.adoc +++ b/man/cryptsetup-luksFormat.8.adoc @@ -29,6 +29,8 @@ in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The device or filesystem has to be un-mounted in order to call luksFormat. To use specific version of LUKS format, use _--type luks1_ or _type luks2_. +To use OPAL hardware encryption on a self-encrypting drive, use +_--hw-opal_ or _--hw-opal-only_. ** can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), @@ -41,7 +43,7 @@ For LUKS2, additional ** can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, ---keyslot-key-size, --integrity-legacy-padding]. +--keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only]. *WARNING:* Doing a luksFormat on an existing LUKS container will make all data in the old container permanently irretrievable unless you have a diff --git a/man/cryptsetup-luksResume.8.adoc b/man/cryptsetup-luksResume.8.adoc index 9d81cbc..ba9f690 100644 --- a/man/cryptsetup-luksResume.8.adoc +++ b/man/cryptsetup-luksResume.8.adoc @@ -23,7 +23,8 @@ interactively for a passphrase if no token is usable (LUKS2 only) or ** can be [--key-file, --keyfile-size, --keyfile-offset, --key-slot, --header, --disable-keyring, --disable-locks, --token-id, --token-only, --token-type, --disable-external-tokens, --type, --tries, ---timeout, --verify-passphrase]. +--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring, +--external-tokens-path]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksSuspend.8.adoc b/man/cryptsetup-luksSuspend.8.adoc index ed20681..c5f90ce 100644 --- a/man/cryptsetup-luksSuspend.8.adoc +++ b/man/cryptsetup-luksSuspend.8.adoc @@ -20,6 +20,10 @@ Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory. Needs kernel 2.6.19 or later. +While the _luksSuspend_ operation wipes encryption keys from memory, +it does not remove possible plaintext data in various caches or in-kernel +metadata for mounted filesystems. + After this operation, you have to use _luksResume_ to reinstate the encryption key and unblock the device or _close_ to remove the mapped device. diff --git a/man/cryptsetup-open.8.adoc b/man/cryptsetup-open.8.adoc index 5e8e7a6..73a5dc5 100644 --- a/man/cryptsetup-open.8.adoc +++ b/man/cryptsetup-open.8.adoc @@ -35,18 +35,22 @@ is inverted for historical reasons, all other aliases use the standard * * order. === PLAIN -*open --type plain * + +*open --type plain * --cipher --key-size --hash + plainOpen (*old syntax*) + create (*OBSOLETE syntax*) Opens (creates a mapping with) backed by device . +*WARNING:* You should always specify options *--cipher*, *--key-size* and +(if no keyfile is used) then also *--hash* to avoid incompatibility as +default values can be different in older cryptsetup versions. + + ** can be [--hash, --cipher, --verify-passphrase, --sector-size, --key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, --skip, --device-size, --size, --readonly, --shared, --allow-discards, --refresh, --timeout, --verify-passphrase, --iv-large-sectors]. -Example: 'cryptsetup open --type plain /dev/sda10 e1' maps the raw +Example: 'cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 /dev/sda10 e1' maps the raw encrypted device /dev/sda10 to the mapped (decrypted) device /dev/mapper/e1, which can then be mounted, fsck-ed or have a filesystem created on it. @@ -74,7 +78,8 @@ matching PIN protected token. --volume-key-file, --token-id, --token-only, --token-type, --disable-external-tokens, --disable-keyring, --disable-locks, --type, --refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout, ---verify-passphrase, --persistent]. +--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring, +--external-tokens-path]. === loopAES *open --type loopaes --key-file * + @@ -150,6 +155,11 @@ Opens the BITLK (a BitLocker compatible) and sets up a mapping --readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, --timeout, --verify-passphrase]. +Note that *--test-passphrase* doesn't work with *--volume-key-file* because +we cannot check whether the provided volume key is correct for this device +or not. When using *--volume-key-file* the device will be opened even if +the provided key is not correct. + === FileVault2 *open --type fvault2 * + fvault2Open (*old syntax*) diff --git a/man/cryptsetup-reencrypt.8.adoc b/man/cryptsetup-reencrypt.8.adoc index 154a469..387b0a9 100644 --- a/man/cryptsetup-reencrypt.8.adoc +++ b/man/cryptsetup-reencrypt.8.adoc @@ -31,7 +31,7 @@ which otherwise require full on-disk data change (re-encryption). The _reencrypt_ action reencrypts data on LUKS device in-place. You can regenerate *volume key* (the real key used in on-disk encryption -unclocked by passphrase), *cipher*, *cipher mode* or *encryption sector size* +unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size* (LUKS2 only). Reencryption process may be safely interrupted by a user via SIGINT @@ -43,7 +43,7 @@ options available for _luksFormat_ action for respective LUKS version (see cryptsetup-luksFormat man page for more details). See *cryptsetup-luksFormat*(8). *NOTE* that for encrypt and decrypt mode, the whole device must be -treated as unencrypted -- there are no quarantees of confidentiality as +treated as unencrypted -- there are no guarantees of confidentiality as part of the device contains plaintext. *ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS ACTION ON LUKS DEVICE.* diff --git a/man/cryptsetup-resize.8.adoc b/man/cryptsetup-resize.8.adoc index 4cff482..b9a5502 100644 --- a/man/cryptsetup-resize.8.adoc +++ b/man/cryptsetup-resize.8.adoc @@ -36,7 +36,7 @@ keyring is used by default for LUKS2 devices. ** can be [--size, --device-size, --token-id, --token-only, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring, ---verify-passphrase, --timeout]. +--verify-passphrase, --timeout, --external-tokens-path]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc index 7a3a069..5fa6af8 100644 --- a/man/cryptsetup-token.8.adoc +++ b/man/cryptsetup-token.8.adoc @@ -49,7 +49,7 @@ replace the existing token. ** can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, ---json-file, --token-replace, --unbound]. +--json-file, --token-replace, --unbound, --external-tokens-path]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup.8.adoc b/man/cryptsetup.8.adoc index ddd3a12..442012d 100644 --- a/man/cryptsetup.8.adoc +++ b/man/cryptsetup.8.adoc @@ -21,7 +21,8 @@ features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage. In addition, cryptsetup provides limited support for the use of loop-AES -volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes. +volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes, +and for hardware-based encryption on OPAL capable drives. For more information about specific cryptsetup action see *cryptsetup-*(8), where ** is the name of the @@ -423,15 +424,44 @@ Opens the FVAULT2 (a FileVault2-compatible) (usually the second partition on the device) and sets up a mapping . + See *cryptsetup-open*(8). -=== DUMP -*fvault2Dump * +== SED (Self Encrypting Drive) OPAL EXTENSION + +cryptsetup supports using native hardware encryption on drives that provide an +*OPAL* interface, both nested with *dm-crypt* and standalone. Passphrases, +tokens and metadata are stored using the LUKS2 header format, and are thus +compatible with any software or system that uses LUKS2 (e.g.: tokens). + +*WARNING:* this support is new and experimental, and requires at least kernel +v6.4. Resizing devices is not supported. + +*--hw-opal* can be specified for OPAL + dm-crypt, and +*--hw-opal-only* can be specified to use OPAL only, without a dm-crypt layer. + +Opening, closing and enrolling tokens work in the same way as with LUKS2 and +dm-crypt. The new parameters are only necessary when formatting, the LUKS2 +metadata will ensure the right setup is performed when opening or closing. If +no *subsystem* is specified, it will be automatically set to *HW-OPAL* so that +it is immediately apparent when a device uses OPAL. -Dump the header information of an FVAULT2 device. + -See *cryptsetup-fvault2Dump*(8). +=== FORMAT +*luksFormat --type luks2 --hw-opal []* + +Additionally specify *--hw-opal-only* instead of *--hw-opal* to avoid the +dm-crypt layer. Other than the usual passphrase, an admin password will have +to be specified when formatting the first partition of the drive, and will have +to be re-supplied when formatting any other partition until a factory reset +is performed. + +=== ERASE +*erase * -Note that cryptsetup does not use any macOS code or proprietary -specifications. Please report all problems related to this compatibility -extension to the cryptsetup project. +Securely erase a partition or device. Requires admin password. +Additionally specify *--hw-opal-factory-reset* for a FULL factory reset of the +drive, using the drive's *PSID* (typically printed on the label) instead of the +admin password. +*WARNING*: a factory reset will cause ALL data on the device to be lost, +regardless of the partition it is ran on, if any, and regardless of any LUKS2 +header backup. == MISCELLANEOUS ACTIONS @@ -671,11 +701,13 @@ The dm-crypt device then resides on top of such a dm-integrity device. All activation and deactivation of this device stack is performed by cryptsetup, there is no difference in using *luksOpen* for integrity protected devices. If you want to format LUKS2 device with data -integrity protection, use *--integrity* option. +integrity protection, use *--integrity* option (see *cryptsetup-luksFormat(8)*). -Since dm-integrity doesn't support discards (TRIM), dm-crypt device on -top of it inherits this, so integrity protection mode doesn't support -discards either. +Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices, +*cryptsetup(8)* can't offer support for discards (TRIM) in authenticated +encryption mode, because the underlying dm-crypt kernel module does not support +this functionality when dm-integrity is used as auth tag space allocator +(see *--allow-discards* in *cryptsetup-luksFormat(8)*). Some integrity modes requires two independent keys (key for encryption and for authentication). Both these keys are stored in one LUKS keyslot. diff --git a/man/integritysetup.8.adoc b/man/integritysetup.8.adoc index 2aec1a6..e89b0f7 100644 --- a/man/integritysetup.8.adoc +++ b/man/integritysetup.8.adoc @@ -44,6 +44,10 @@ create (*OBSOLETE syntax*) Open a mapping with backed by device . +If the integrity algorithm of the device is non-default, +then the algorithm should be specified with the *--integrity* option. +This will not be detected from the device. + ** can be [--data-device, --batch-mode, --journal-watermark, --journal-commit-time, --buffer-sectors, --integrity, --integrity-key-size, --integrity-key-file, --integrity-no-journal, diff --git a/man/meson.build b/man/meson.build new file mode 100644 index 0000000..5013093 --- /dev/null +++ b/man/meson.build @@ -0,0 +1,256 @@ +fs = import('fs') + +adocfiles_common = [ + 'common_options.adoc', + 'common_footer.adoc', +] + +manpage_tuples_to_build = [] +manpage_tuples_all = [] + +# tuple with adoc file and generated aliases +cryptsetup_manpages = [ + [ + 'cryptsetup.8.adoc', + [], + ], + [ + 'cryptsetup-open.8.adoc', + [ + 'cryptsetup-create.8', + 'cryptsetup-plainOpen.8', + 'cryptsetup-luksOpen.8', + 'cryptsetup-loopaesOpen.8', + 'cryptsetup-tcryptOpen.8', + 'cryptsetup-bitlkOpen.8', + ], + ], + [ + 'cryptsetup-close.8.adoc', + [], + ], + [ + 'cryptsetup-reencrypt.8.adoc', + [], + ], + [ + 'cryptsetup-status.8.adoc', + [], + ], + [ + 'cryptsetup-resize.8.adoc', + [], + ], + [ + 'cryptsetup-refresh.8.adoc', + [], + ], + [ + 'cryptsetup-luksFormat.8.adoc', + [], + ], + [ + 'cryptsetup-luksSuspend.8.adoc', + [], + ], + [ + 'cryptsetup-luksResume.8.adoc', + [], + ], + [ + 'cryptsetup-luksAddKey.8.adoc', + [], + ], + [ + 'cryptsetup-luksRemoveKey.8.adoc', + [], + ], + [ + 'cryptsetup-luksConvertKey.8.adoc', + [], + ], + [ + 'cryptsetup-luksKillSlot.8.adoc', + [], + ], + [ + 'cryptsetup-luksChangeKey.8.adoc', + [], + ], + [ + 'cryptsetup-erase.8.adoc', + [ + 'cryptsetup-luksErase.8', + ], + ], + [ + 'cryptsetup-luksUUID.8.adoc', + [], + ], + [ + 'cryptsetup-isLuks.8.adoc', + [], + ], + [ + 'cryptsetup-luksDump.8.adoc', + [], + ], + [ + 'cryptsetup-luksHeaderBackup.8.adoc', + [], + ], + [ + 'cryptsetup-luksHeaderRestore.8.adoc', + [], + ], + [ + 'cryptsetup-token.8.adoc', + [], + ], + [ + 'cryptsetup-convert.8.adoc', + [], + ], + [ + 'cryptsetup-config.8.adoc', + [], + ], + [ + 'cryptsetup-tcryptDump.8.adoc', + [], + ], + [ + 'cryptsetup-bitlkDump.8.adoc', + [], + ], + [ + 'cryptsetup-fvault2Dump.8.adoc', + [], + ], + [ + 'cryptsetup-repair.8.adoc', + [], + ], + [ + 'cryptsetup-benchmark.8.adoc', + [], + ], +] + +veritysetup_manpages = [ + [ + 'veritysetup.8.adoc', + [], + ], +] +integritysetup_manpages = [ + [ + 'integritysetup.8.adoc', + [], + ], +] +sshplugin_manpages = [ + [ + 'cryptsetup-ssh.8.adoc', + [], + ], +] + +if get_option('cryptsetup') + manpage_tuples_to_build += cryptsetup_manpages +endif +manpage_tuples_all += cryptsetup_manpages +if get_option('veritysetup') + manpage_tuples_to_build += veritysetup_manpages +endif +manpage_tuples_all += veritysetup_manpages +if get_option('integritysetup') + manpage_tuples_to_build += integritysetup_manpages +endif +manpage_tuples_all += integritysetup_manpages +if get_option('ssh-token') + manpage_tuples_to_build += sshplugin_manpages +endif +manpage_tuples_all += sshplugin_manpages + +adocfiles_all = [] +foreach tuple : manpage_tuples_all + adocfiles_all += tuple[0] +endforeach + +prebuilt_manpages_exist = true +foreach manpage_tuple : manpage_tuples_to_build + adocfile = manpage_tuple[0] + aliases = manpage_tuple[1] + manfile = fs.replace_suffix(adocfile, '') + + prebuilt_manpages_exist = prebuilt_manpages_exist and fs.exists(manfile) + + foreach alias : aliases + prebuilt_manpages_exist = prebuilt_manpages_exist and fs.exists(alias) + endforeach +endforeach + +built_manpages = [] + +if use_asciidoc + meson.add_dist_script(find_program('meson_dist_convert.sh'), + asciidoc, meson.project_version(), adocfiles_all) + + foreach manpage_tuple : manpage_tuples_to_build + adocfile = manpage_tuple[0] + aliases = manpage_tuple[1] + + mandir = join_paths(get_option('prefix'), get_option('mandir'), 'man8') + manfile = fs.replace_suffix(adocfile, '') + + built_manpages += custom_target(manfile, + command: [ + asciidoc, + '-b', 'manpage', + '--failure-level', 'ERROR', + '-a', 'release-version=@0@'.format( + meson.project_version(), + ), + '-o', '@BASENAME@', + '@INPUT@', + '--destination-dir=@0@'.format( + meson.current_build_dir(), + ), + '--base-dir=@SOURCE_ROOT@', + ], + input: adocfile, + depend_files: adocfiles_common, + install: true, + install_dir: mandir, + output: [ + manfile, + ] + aliases, + ) + endforeach +else + # use_asciidoc == false + if prebuilt_manpages_exist + message('Using prebuilt manpages.') + foreach manpage_tuple : manpage_tuples_to_build + adocfile = manpage_tuple[0] + aliases = manpage_tuple[1] + manfile = fs.replace_suffix(adocfile, '') + + install_man(manfile) + foreach alias : aliases + install_man(alias) + endforeach + endforeach + else + warning('Neither asciidoctor nor prebuilt manual pages found. Skipping manpage installation') + endif +endif + +man = custom_target( + 'man', + output: 'man', + depends: built_manpages, + command: [ + nop_command, + ]) diff --git a/man/meson_dist_convert.sh b/man/meson_dist_convert.sh new file mode 100755 index 0000000..3b55d05 --- /dev/null +++ b/man/meson_dist_convert.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +# generates manpages from AsciiDoc files when building dist tarball +# run asciidoctor in parallel on `nproc` cores + +set -e + +[ -z "$MESON_DIST_ROOT" ] && echo "This script is meant to be run only from meson while generating dist tarball." && exit 1 + +if [ $# -lt 3 ]; then + echo "Usage: $0 " + exit 1 +fi + +ASCIIDOCTOR="$1" +RELEASE_VERSION="$2" +shift 2 + +cd $MESON_DIST_ROOT/man +i=1 +N=$(nproc) +for adocfile in "$@" +do + $ASCIIDOCTOR -b manpage --failure-level ERROR -a release-version=$RELEASE_VERSION --base-dir=$MESON_DIST_ROOT $adocfile & + if [ $(( $i % $N )) -eq 0 ]; then wait; fi + i=$((i+1)) +done diff --git a/meson.build b/meson.build new file mode 100644 index 0000000..b26c71c --- /dev/null +++ b/meson.build @@ -0,0 +1,748 @@ +project('cryptsetup', + 'c', + default_options: [ 'prefix=/usr' ], + meson_version: '>=0.64', + version: '2.7.0') + +libcryptsetup_version = '12.10.0' + +includes_root = include_directories('.') +includes_lib = include_directories('lib') +includes_tools = [ + includes_root, + includes_lib, +] + +warning('meson build system support for cryptsetup is considered experimental at the moment ') + +pkgconfig = import('pkgconfig') +cc = meson.get_compiler('c') +nop_command = find_program('echo') +conf = configuration_data() + +PACKAGE_VERSION = meson.project_version() +conf.set_quoted('PACKAGE_VERSION', PACKAGE_VERSION) +conf.set_quoted('PACKAGE_NAME', meson.project_name()) +conf.set_quoted('PACKAGE', meson.project_name()) +conf.set('_GNU_SOURCE', true) + +default_string_options = [ + 'default-loopaes-cipher', + 'default-luks1-cipher', + 'default-luks1-hash', + 'default-luks1-mode', + 'default-luks2-external-tokens-path', + 'default-luks2-keyslot-cipher', + 'default-luks2-lock-path', + 'default-luks2-pbkdf', + 'default-plain-cipher', + 'default-plain-hash', + 'default-plain-mode', + 'default-verity-hash', +] + +default_int_options = [ + 'default-integrity-keyfile-size-maxkb', + 'default-keyfile-size-maxkb', + 'default-loopaes-keybits', + 'default-luks1-iter-time', + 'default-luks1-keybits', + 'default-luks2-iter-time', + 'default-luks2-keyslot-keybits', + 'default-luks2-lock-dir-perms', + 'default-luks2-memory-kb', + 'default-luks2-parallel-threads', + 'default-passphrase-size-max', + 'default-plain-keybits', + 'default-verity-data-block', + 'default-verity-fec-roots', + 'default-verity-hash-block', + 'default-verity-salt-size', +] + +foreach default_option : (default_string_options) + conf.set_quoted(default_option.underscorify().to_upper(), get_option(default_option)) +endforeach + +foreach default_option : (default_int_options) + conf.set(default_option.underscorify().to_upper(), get_option(default_option)) +endforeach + +sanitizer = get_option('b_sanitize') +sanitizer_enabled = sanitizer != '' and sanitizer != 'none' + +enable_static = get_option('enable-static') +if get_option('static-cryptsetup') + if not enable_static + warning('Requested static cryptsetup build, enabling static library.') + enable_static = true + endif + + conf.set10('STATIC_TOOLS', true) +endif +link_args = [] +if enable_static == true + if not sanitizer_enabled + link_args += '--static' + else + warning('Turning off statically linked binaries as they are not compatible with sanitizer build. Will keep preferring static external dependencies.') + endif +endif + +required_headers = [ + 'byteswap.h', + 'ctype.h', + 'endian.h', + 'fcntl.h', + 'inttypes.h', + 'locale.h', + 'malloc.h', + 'stdint.h', + 'sys/ioctl.h', + 'sys/mman.h', + 'sys/statvfs.h', + 'sys/sysmacros.h', + 'uchar.h', + 'unistd.h', +] +foreach header : required_headers + conf.set10('HAVE_' + header.underscorify().to_upper(), cc.has_header(header)) +endforeach + +fcntl_header = conf.get('HAVE_FCNTL_H') == 1 ? 'fcntl.h' : 'stdio.h' +if cc.has_header_symbol(fcntl_header, 'O_CLOEXEC') + conf.set10('HAVE_DECL_O_CLOEXEC', true) +else + message('O_CLOEXEC not provided, setting to 0') + conf.set10('O_CLOEXEC', false, + description: 'Defined to 0 if not provided') +endif + +# ========================================================================== +# AsciiDoc manual pages + +asciidoc = find_program('asciidoctor', required: false) +opt_asciidoc = get_option('asciidoc') +if opt_asciidoc.enabled() and not asciidoc.found() + error('Building man pages requires asciidoctor installed.') +endif +use_asciidoc = asciidoc.found() and not opt_asciidoc.disabled() + +# ========================================================================== +# keyring + +if get_option('keyring') + assert(cc.has_header('linux/keyctl.h'), + 'You need Linux kernel headers with kernel keyring service compiled.') + assert(cc.has_header_symbol('syscall.h', '__NR_add_key',), + 'The kernel is missing add_key syscall.') + assert(cc.has_header_symbol('syscall.h', '__NR_keyctl'), + 'The kernel is missing keyctl syscall.') + assert(cc.has_header_symbol('syscall.h', '__NR_request_key',), + 'The kernel is missing request_key syscall.') + conf.set10('KERNEL_KEYRING', true, + description: 'Enable kernel keyring service support') +endif + +if build_machine.endian() == 'big' + conf.set10('WORDS_BIGENDIAN', true) +endif + +# ========================================================================== + +uuid = dependency('uuid', + static: enable_static) +assert(cc.has_function('uuid_clear', + prefix: '#include ', dependencies: uuid), + 'You need the uuid library.') + +# ========================================================================== + +# AC_SEARCH_LIBS([clock_gettime],[rt posix4]) + +clock_gettime = [] +if not cc.has_function('clock_gettime', + prefix: '#include ') + clock_gettime = cc.find_library('rt') + + if not cc.has_function('clock_gettime', + prefix: '#include ', dependencies: clock_gettime) + clock_gettime = cc.find_library('posix4') + + if not cc.has_function('clock_gettime', + prefix: '#include ', dependencies: clock_gettime) + error('clock_gettime not found') + endif + endif +endif + +foreach function : [ + 'posix_memalign', + 'posix_fallocate', + 'explicit_bzero', +] + conf.set10('HAVE_' + function.underscorify().to_upper(), cc.has_function(function)) +endforeach + +# no need to enable large file support, as it is on be default in meson +# https://github.com/mesonbuild/meson/commit/853634a48da025c59eef70161dba0d150833f60d + +# ========================================================================== +# LUKS2 external tokens + +# dl is also required by all-symbols-test +dl = [] +if not cc.has_function('dlsym', + prefix: '#include ') + dl = cc.find_library('dl') + + if not cc.has_function('dlsym', + prefix: '#include ', dependencies: dl) + error('dlsym not found') + endif +endif +if cc.has_function('dlvsym', + dependencies: dl) + conf.set10('HAVE_DLVSYM', true) +endif + +if get_option('external-tokens') + assert(conf.has('HAVE_DLVSYM') and conf.get('HAVE_DLVSYM') == 1, + 'dl library has no dlvsym function') + conf.set10('USE_EXTERNAL_TOKENS', true, + description: 'Use external tokens') +endif + +# SSH external tokens +if not get_option('external-tokens') and get_option('ssh-token') + error('Requested LUKS2 ssh-token build, but external tokens are disabled.') +endif + +if get_option('luks2-reencryption') + conf.set10('USE_LUKS2_REENCRYPTION', true, + description: 'Use LUKS2 online reencryption extension') +endif + +# ========================================================================== + +popt = cc.find_library('popt', + static: enable_static) +assert(cc.has_function('poptConfigFileToString', + dependencies: popt), + 'You need popt 1.7 or newer to compile.') + +# ========================================================================== +# FIPS extensions + +if get_option('fips') + if enable_static + error('Static build is not compatible with FIPS.') + endif + + conf.set10('ENABLE_FIPS', true, + description: 'Enable FIPS mode restrictions') +endif + +# ========================================================================== +# pwquality library (cryptsetup CLI only) + +pwquality = [] +if get_option('pwquality') + pwquality = dependency('pwquality', + version: '>= 1.0.0', + static: enable_static) + conf.set10('ENABLE_PWQUALITY', true) +endif + +# ========================================================================== +# fuzzers, it requires own static library compilation later + +if get_option('fuzz-targets') + assert(sanitizer_enabled, + 'Fuzz targets are only supported with sanitizer enabled. Please set -Db_sanitize') + add_languages('cpp') + + if get_option('fuzzing-engine') == '' + fuzzing_engine = meson.get_compiler('cpp').find_library('Fuzzer', required: false) + if fuzzing_engine.found() + add_project_arguments('-fsanitize-coverage=trace-pc-guard,trace-cmp', + language: [ 'c', 'cpp' ]) + elif cc.has_argument( '-fsanitize=fuzzer-no-link',) and cc.has_argument( '-fsanitize=fuzzer',) + message('Using -fsanitize=fuzzer engine') + fuzzing_engine = declare_dependency(link_args: ['-fsanitize=fuzzer']) + add_project_arguments('-fsanitize=fuzzer-no-link', + language: [ 'c', 'cpp' ]) + else + error('Looks like neither libFuzzer nor -fsanitize=fuzzer-no-link is supported') + endif + else + fuzzing_engine = declare_dependency(link_args: get_option('fuzzing-engine').split()) + endif + + protobuf = dependency('protobuf', + required: false) + protoc = find_program('protoc', + required: false) + if not protoc.found() + protoc = find_program('tests/fuzz/build/static_lib_deps/bin/protoc', + required: false) + endif + if not protoc.found() or not protobuf.found() + error('protoc tool and/or protobuf pkg-config dependency not found') + endif + + libprotobuf_mutator = dependency('libprotobuf-mutator', + required: false) + if not libprotobuf_mutator.found() + error('libprotobuf-mutator not found') + endif + + protoc_generator = generator(protoc, + output: [ + '@BASENAME@.pb.cc', + '@BASENAME@.pb.h', + ], + arguments: [ + '--proto_path=@CURRENT_SOURCE_DIR@', + '--cpp_out=@BUILD_DIR@', + '@INPUT@', + ]) +endif + +# ========================================================================== +# passwdqc library (cryptsetup CLI only) + +passwdqc_config = '' +use_passwdqc = false +if get_option('passwdqc') == 'true' + use_passwdqc = true +elif get_option('passwdqc') == 'false' + use_passwdqc = false +elif get_option('passwdqc').startswith('/') + use_passwdqc = true + passwdqc_config = get_option('passwdqc') +else + error('Unrecognized passwdqc parameter "@0@" (supported options are true, false or absolute path).' + .format(get_option('passwdqc'))) +endif + +passwdqc = [] +conf.set_quoted('PASSWDQC_CONFIG_FILE', passwdqc_config, + description: 'passwdqc library config file') +if use_passwdqc + conf.set10('ENABLE_PASSWDQC', true, + description: 'Enable password quality checking using passwdqc library') + #passwdqc = dependency('passwdqc', required : false) + passwdqc = cc.find_library('passwdqc', + required: false, + static: enable_static) + assert(cc.has_function('passwdqc_check', + prefix: '#include ', dependencies: passwdqc), + 'failed to find passwdqc_check from the passwdqc library') + + assert(cc.has_function('passwdqc_params_free', + prefix: '#include ', dependencies: passwdqc), + 'failed to find passwdqc_params_free from the passwdqc library') + + conf.set10('HAVE_PASSWDQC_PARAMS_FREE', cc.has_function('passwdqc_params_free', + prefix: '#include ', dependencies: passwdqc)) +endif + +if use_passwdqc and get_option('pwquality') + error('pwquality and passwdqc are mutually incompatible.') +endif + +# ========================================================================== +# libdevmapper + +devmapper = dependency('devmapper', + version: '>= 1.02.03', + required: false, + static: enable_static) +if not devmapper.found() + message('devmapper not found using pkgconf') + devmapper = cc.find_library('devmapper', + static: enable_static) + assert(cc.has_function('dm_task_set_name', + prefix: '#include ', dependencies: devmapper), + 'You need the device-mapper library.') + + assert(cc.has_function('dm_task_set_message', + prefix: '#include ', dependencies: devmapper), + 'The device-mapper library on your system is too old.') +endif + +foreach function : [ + 'dm_device_get_name', + 'dm_device_has_holders', + 'dm_device_has_mounted_fs', + 'dm_task_deferred_remove', + 'dm_task_retry_remove', + 'dm_task_secure_data', +] + has_function = cc.has_function(function, + prefix: '#include ', dependencies: devmapper) + conf.set10('HAVE_DECL_' + function.underscorify().to_upper(), has_function) +endforeach + +foreach symbol : [ + 'DM_DEVICE_GET_TARGET_VERSION', + 'DM_UDEV_DISABLE_DISK_RULES_FLAG', +] + has_symbol = cc.has_header_symbol('libdevmapper.h', symbol, + dependencies: devmapper) + conf.set10('HAVE_DECL_' + symbol.underscorify().to_upper(), has_symbol) +endforeach + +if cc.has_header_symbol('libdevmapper.h', 'DM_UDEV_DISABLE_DISK_RULES_FLAG', + dependencies: devmapper) + conf.set10('USE_UDEV', true, + description: 'Try to use udev synchronisation?') +else + warning('The device-mapper library on your system has no udev support, udev support disabled.') +endif + +# ========================================================================== +# Check for JSON-C used in LUKS2 + +jsonc = dependency('json-c', + static: enable_static) +foreach function : [ + 'json_object_object_add_ex', + 'json_object_deep_copy', +] + has_function = cc.has_function(function, + prefix: '#include ', dependencies: jsonc) + conf.set10('HAVE_DECL_' + function.underscorify().to_upper(), has_function) +endforeach + +# ========================================================================== +# Check for libssh and argp for SSH plugin + +if get_option('ssh-token') + argp = [] + + if not cc.has_function('argp_parse', prefix: '#include ', dependencies: argp) + argp = cc.find_library('argp', + static: enable_static) + endif + + libssh = dependency('libssh') + conf.set10('HAVE_DECL_SSH_SESSION_IS_KNOWN_SERVER', + cc.has_function('ssh_session_is_known_server', + prefix: '#include ', dependencies: libssh)) +endif + +# ========================================================================== +# Crypto backend configuration. + +if get_option('kernel_crypto') + assert(cc.has_header('linux/if_alg.h'), + 'You need Linux kernel headers with userspace crypto interface. (Or use --disable-kernel_crypto.') + conf.set10('ENABLE_AF_ALG', true, + description: 'Enable using of kernel userspace crypto') +endif + +crypto_backend_library = [] +use_internal_pbkdf2 = false +use_internal_argon2 = true + +if get_option('crypto-backend') == 'gcrypt' + req_version = '1.1.42' + if get_option('fips') + req_version = '1.4.5' + endif + + if get_option('gcrypt-pbkdf2').auto() + # Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password) + gcrypt_with_empty_password = dependency('libgcrypt', + version: '>=1.6.1', + required: false, + static: enable_static) + if gcrypt_with_empty_password.found() + req_version = '1.6.1' + use_internal_pbkdf2 = false + else + use_internal_pbkdf2 = true + endif + else + use_internal_pbkdf2 = get_option('gcrypt-pbkdf2').disabled() + endif + + if use_internal_pbkdf2 and get_option('fips') + error('Using internal cryptsetup PBKDF2 is not compatible with FIPS.') + endif + + if get_option('gcrypt-argon2').auto() + # Check if we can use gcrypt Argon2 (1.11.0 supports empty password) + gcrypt_with_empty_password = dependency('libgcrypt', + version: '>=1.11.0', + required: false, + static: enable_static) + if gcrypt_with_empty_password.found() + req_version = '1.11.0' + use_internal_argon2 = false + else + use_internal_argon2 = true + endif + else + use_internal_argon2 = get_option('gcrypt-argon2').disabled() + endif + + crypto_backend_library = dependency('libgcrypt', + version: '>=@0@'.format(req_version), + static: enable_static) + conf.set10('HAVE_DECL_GCRY_CIPHER_MODE_XTS', + cc.has_header_symbol('gcrypt.h', 'GCRY_CIPHER_MODE_XTS', + dependencies: crypto_backend_library)) + conf.set10('HAVE_DECL_GCRY_KDF_ARGON2', + cc.has_header_symbol('gcrypt.h', 'GCRY_KDF_ARGON2', + dependencies: crypto_backend_library)) + conf.set_quoted('GCRYPT_REQ_VERSION', req_version, + description: 'Requested gcrypt version') +elif get_option('crypto-backend') == 'openssl' + use_internal_pbkdf2 = false + use_internal_argon2 = true + crypto_backend_library = dependency('libcrypto', + version: '>=0.9.8', + static: enable_static) + conf.set10('HAVE_DECL_OSSL_GET_MAX_THREADS', + cc.has_header_symbol('openssl/thread.h', 'OSSL_get_max_threads', + dependencies: crypto_backend_library)) + conf.set10('HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION', + cc.has_header_symbol('openssl/core_names.h', 'OSSL_KDF_PARAM_ARGON2_VERSION', + dependencies: crypto_backend_library)) +elif get_option('crypto-backend') == 'nss' + if get_option('fips') + error('nss crypto backend is not supported with FIPS enabled') + endif + if enable_static + error('Static build of cryptsetup is not supported with NSS.') + endif + + warning('NSS backend does NOT provide backward compatibility (missing ripemd160 hash).') + use_internal_pbkdf2 = true + use_internal_argon2 = true + + crypto_backend_library = dependency('nss', + static: enable_static) + conf.set10('HAVE_DECL_NSS_GETVERSION', + cc.has_header_symbol('nss.h', 'NSS_GetVersion', + dependencies: crypto_backend_library)) +elif get_option('crypto-backend') == 'kernel' + if get_option('fips') + error('kernel crypto backend is not supported with FIPS enabled') + endif + use_internal_pbkdf2 = true + use_internal_argon2 = true + assert(cc.has_header('linux/if_alg.h'), + 'You need Linux kernel headers with userspace crypto interface.') +elif get_option('crypto-backend') == 'nettle' + if get_option('fips') + error('nettle crypto backend is not supported with FIPS enabled') + endif + assert(cc.has_header('nettle/sha.h'), + 'You need Nettle cryptographic library.') + conf.set10('HAVE_NETTLE_VERSION_H', cc.has_header('nettle/version.h')) + + crypto_backend_library = dependency('nettle', + static: enable_static) + use_internal_pbkdf2 = false + use_internal_argon2 = true + assert(cc.has_function('nettle_pbkdf2_hmac_sha256', + dependencies: crypto_backend_library), + 'You need Nettle library version 2.6 or more recent.') +endif +conf.set10('USE_INTERNAL_PBKDF2', use_internal_pbkdf2) + +libargon2_external = [] +threads = [] +use_internal_sse_argon2 = false +if not use_internal_argon2 or get_option('argon-implementation') == 'none' + if get_option('argon-implementation') == 'internal' or get_option('argon-implementation') == 'libargon2' + warning('Argon2 in crypto library is used; internal Argon2 options are ignored.') + endif + conf.set10('USE_INTERNAL_ARGON2', false, + description: 'Use internal Argon2.') +elif get_option('argon-implementation') == 'internal' + warning('Argon2 bundled (slow) reference implementation will be used, please consider using system library with -Dargon-implementation=libargon2') + + if get_option('internal-sse-argon2') + use_internal_sse_argon2 = cc.links( + '''#include + __m128i testfunc(__m128i *a, __m128i *b) { + return _mm_xor_si128(_mm_loadu_si128(a), _mm_loadu_si128(b)); + } + int main(int argc, char **argv) { return 0; }''', + name: 'Argon2 SSE optimization can be used') + + if not use_internal_sse_argon2 + warning('Argon2 SSE optimization cannot be used, disabling.') + endif + endif + conf.set10('USE_INTERNAL_ARGON2', true, + description: 'Use internal Argon2.') + + threads = dependency('threads') +elif get_option('argon-implementation') == 'libargon2' + libargon2_external = dependency('libargon2', + static: enable_static) + assert(cc.has_header('argon2.h', + dependencies: libargon2_external), + 'You need libargon2 development library installed.') + assert(cc.has_header_symbol( + 'argon2.h', + 'Argon2_id', + dependencies: libargon2_external), + 'You need more recent Argon2 library with support for Argon2id.') + conf.set10('USE_INTERNAL_ARGON2', false, + description: 'Use internal Argon2.') + conf.set10('HAVE_ARGON2_H', true) +endif + +# ========================================================================== +# Link with blkid to check for other device types + +blkid = [] +if get_option('blkid') + blkid = dependency('blkid', + static: enable_static) + assert(cc.has_header('blkid/blkid.h', + dependencies: blkid), + 'You need blkid development library installed.') + + conf.set10('HAVE_BLKID', true, + description: 'Define to 1 to use blkid for detection of disk signatures.') + conf.set10('HAVE_BLKID_WIPE', + cc.has_function('blkid_do_wipe', + prefix: '#include ', dependencies: blkid), + description: 'Define to 1 to use blkid_do_wipe.') + conf.set10('HAVE_BLKID_STEP_BACK', + cc.has_function('blkid_probe_step_back', + prefix: '#include ', dependencies: blkid), + description: 'Define to 1 to use blkid_probe_step_back.') + + foreach header : [ + 'blkid_reset_probe', + 'blkid_probe_set_device', + 'blkid_probe_filter_superblocks_type', + 'blkid_do_safeprobe', + 'blkid_do_probe', + 'blkid_probe_lookup_value', + ] + assert(cc.has_function(header, + prefix: '#include ', dependencies: blkid), + 'Can not compile with blkid support, disable it by -Dblkid=false') + endforeach +endif + +have = get_option('hw-opal') +if have + if cc.has_header('linux/sed-opal.h') + foreach symbol : [ + 'OPAL_FL_SUM_SUPPORTED', + 'IOC_OPAL_GET_LR_STATUS', + 'IOC_OPAL_GET_GEOMETRY', + ] + if not cc.has_header_symbol('linux/sed-opal.h', symbol) + have = false + warning('OPAL support disabled, linux/sed-opal.h does not define ' + symbol) + endif + endforeach + + else + have = false + warning('OPAL support disabled, linux/sed-opal.h not found, requires kernel v6.4.') + endif +endif +conf.set10('HAVE_HW_OPAL', have, description: 'Define to 1 to enable OPAL support.') + + +# ========================================================================== +# Check compiler support for symver function attribute + +if cc.links( + '''void _test_sym(void); + + __attribute__((__symver__("sym@VERSION_4.2"))) void _test_sym(void) {} + int main(int argc, char **argv) { return 0; }''', + args: ['-O0', '-Werror' ], + name: 'for symver attribute support') + conf.set10('HAVE_ATTRIBUTE_SYMVER', true, + description: 'Define to 1 to use __attribute__((symver))') +endif + +# ========================================================================== + +if get_option('dev-random') + conf.set_quoted('DEFAULT_RNG', '/dev/random') +else + conf.set_quoted('DEFAULT_RNG', '/dev/urandom') +endif + +tmpfilesdir = get_option('tmpfilesdir') +if tmpfilesdir == '' + systemd = dependency('systemd', + method: 'pkg-config', + required: false) + if systemd.found() + tmpfilesdir = systemd.get_variable(pkgconfig: 'tmpfilesdir', default_value: '') + endif +endif + +if tmpfilesdir != '' + assert(tmpfilesdir.startswith('/',), + 'tmpfilesdir has to be an absolute path') +endif + +# ========================================================================== + +if get_option('luks_adjust_xts_keysize') + conf.set10('ENABLE_LUKS_ADJUST_XTS_KEYSIZE', true, + description: 'XTS mode - double default LUKS keysize if needed') +endif + +assert(get_option('default-luks2-lock-path').startswith('/'), + 'default-luks2-lock-path has to be an absolute path') + +luks2_external_tokens_path = get_option('default-luks2-external-tokens-path') +if luks2_external_tokens_path == 'LIBDIR/cryptsetup' + luks2_external_tokens_path = join_paths(get_option('prefix'), get_option('libdir'), 'cryptsetup') +endif +assert(luks2_external_tokens_path.startswith('/'), + 'default-luks2-external-tokens-path has to be an absolute path') +conf.set_quoted('EXTERNAL_LUKS2_TOKENS_PATH', luks2_external_tokens_path, + description: 'path to directory with LUKSv2 external token handlers (plugins)') + +if get_option('default-luks-format') == 'LUKS1' + conf.set('DEFAULT_LUKS_FORMAT', 'CRYPT_LUKS1') +elif get_option('default-luks-format') == 'LUKS2' + conf.set('DEFAULT_LUKS_FORMAT', 'CRYPT_LUKS2') +else + error('Unknown default LUKS format. Use LUKS1 or LUKS2 only.') +endif + +# ========================================================================== + +if get_option('nls') + conf.set10('ENABLE_NLS', true) + assert(find_program('gettext').found(), + 'You need gettext binary to build translations.') +endif + +# ========================================================================== + +configure_file( + output: 'config.h', + configuration: conf, +) +add_project_arguments('-include', 'config.h', + language: 'c') + +subdir('lib') +subdir('man') +subdir('po') +subdir('src') +subdir('scripts') +subdir('tokens') +subdir('tests') diff --git a/meson_options.txt b/meson_options.txt new file mode 100644 index 0000000..7f22cd4 --- /dev/null +++ b/meson_options.txt @@ -0,0 +1,57 @@ +option('argon-implementation', type : 'combo', choices : ['none', 'internal', 'libargon2'], description : 'which implementation of Argon2 PBKDF shall be used (cryptsetup internal, external libargon2 (PHC) or disable Argon2 support)', value : 'internal') +option('asciidoc', type : 'feature', description : 'generate man pages from asciidoc', value : 'enabled') +option('blkid', type : 'boolean', description : 'use of blkid for device signature detection and wiping', value : true) +option('crypto-backend', type : 'combo', choices : ['gcrypt', 'openssl', 'nss', 'kernel', 'nettle'], description : 'crypto backend', value : 'openssl') +option('cryptsetup', type : 'boolean', description : 'cryptsetup support', value : true) +option('default-integrity-keyfile-size-maxkb', type : 'integer', description : 'maximum integritysetup keyfile size (in KiB)', value : 4) +option('default-keyfile-size-maxkb', type : 'integer', description : 'maximum keyfile size (in KiB)', value : 8192) +option('default-loopaes-cipher', type : 'string', description : 'cipher for loop-AES mode', value : 'aes') +option('default-loopaes-keybits', type : 'integer', description : 'key length in bits for loop-AES mode', value : 256) +option('default-luks1-cipher', type : 'string', description : 'cipher for LUKS1', value : 'aes') +option('default-luks1-hash', type : 'string', description : 'hash function for LUKS1 header', value : 'sha256') +option('default-luks1-iter-time', type : 'integer', description : 'PBKDF2 iteration time for LUKS1 (in ms)', value : 2000) +option('default-luks1-keybits', type : 'integer', description : 'key length in bits for LUKS1', value : 256) +option('default-luks1-mode', type : 'string', description : 'cipher mode for LUKS1', value : 'xts-plain64') +option('default-luks2-external-tokens-path', type : 'string', description : 'path to directory with LUKSv2 external token handlers (plugins)', value : 'LIBDIR/cryptsetup') +option('default-luks2-iter-time', type : 'integer', description : 'Argon2 PBKDF iteration time for LUKS2 (in ms)', value : 2000) +option('default-luks2-keyslot-cipher', type : 'string', description : 'fallback cipher for LUKS2 keyslot (if data encryption is incompatible)', value : 'aes-xts-plain64') +option('default-luks2-keyslot-keybits', type : 'integer', description : 'fallback key size for LUKS2 keyslot (if data encryption is incompatible)', value : 512) +option('default-luks2-lock-dir-perms', type : 'integer', description : 'default luks2 locking directory permissions', value : 0o700) +option('default-luks2-lock-path', type : 'string', description : 'path to directory for LUKSv2 locks', value : '/run/cryptsetup') +option('default-luks2-memory-kb', type : 'integer', description : 'Argon2 PBKDF memory cost for LUKS2 (in kB)', value : 1048576) +option('default-luks2-parallel-threads', type : 'integer', description : 'Argon2 PBKDF max parallel cost for LUKS2 (if CPUs available)', value : 4) +option('default-luks2-pbkdf', type : 'string', description : 'Default PBKDF algorithm (pbkdf2 or argon2i/argon2id) for LUKS2', value : 'argon2id') +option('default-luks-format', type : 'combo', choices : ['LUKS1', 'LUKS2'], description : 'default LUKS format version', value : 'LUKS2') +option('default-passphrase-size-max', type : 'integer', description : 'maximum passphrase size (in characters)', value : 512) +option('default-plain-cipher', type : 'string', description : 'cipher for plain mode', value : 'aes') +option('default-plain-hash', type : 'string', description : 'cipher for plain mode', value : 'sha256') +option('default-plain-keybits', type : 'integer', description : 'key length in bits for plain mode', value : 256) +option('default-plain-mode', type : 'string', description : 'cipher mode for plain mode', value : 'xts-plain64') +option('default-verity-data-block', type : 'integer', description : 'data block size for verity mode', value : 4096) +option('default-verity-fec-roots', type : 'integer', description : 'parity bytes for verity FEC', value : 2) +option('default-verity-hash-block', type : 'integer', description : 'hash block size for verity mode', value : 4096) +option('default-verity-hash', type : 'string', description : 'hash function for verity mode', value : 'sha256') +option('default-verity-salt-size', type : 'integer', description : 'salt size for verity mode', value : 32) +option('dev-random', type : 'boolean', description : 'use /dev/random by default for key generation (use /dev/urandom when set to false)', value : false) +option('enable-static', type : 'boolean', description : 'build static libraries', value : false) +option('external-tokens', type : 'boolean', description : 'external LUKS2 tokens', value : true) +option('fips', type : 'boolean', description : 'enable FIPS mode restrictions', value : false) +option('fuzzing-engine', type : 'string', description : 'specify LDFLAGS for linking with fuzzing engine (in OSS-Fuzz, LIB_FUZZING_ENGINE variable should be passed via this argument)') +option('fuzz-targets', type : 'boolean', description : 'enable building fuzz targets', value : false) +option('gcrypt-pbkdf2', type : 'feature', description : 'enable internal gcrypt PBKDF2', value : 'auto') +option('gcrypt-argon2', type : 'feature', description : 'enable internal gcrypt Argon2', value : 'auto') +option('hw-opal', type : 'boolean', description : 'support LUKS2 extension for SED OPAL HW encryption', value : true) +option('integritysetup', type : 'boolean', description : 'integritysetup Support', value : true) +option('internal-sse-argon2', type : 'boolean', description : 'use internal SSE implementation of Argon2 PBKDF', value : false) +option('kernel_crypto', type : 'boolean', description : 'kernel userspace crypto (no benchmark and tcrypt)', value : true) +option('keyring', type : 'boolean', description : 'kernel keyring support and builtin kernel keyring token', value : true) +option('luks2-reencryption', type : 'boolean', description : 'LUKS2 online reencryption extension', value : true) +option('luks_adjust_xts_keysize', type : 'boolean', description : 'XTS mode requires two keys, double default LUKS keysize if needed', value : true) +option('nls', type : 'boolean', description : 'use Native Language Support', value : true) +option('passwdqc', type : 'string', description : 'enable password quality checking using passwdqc library (optionally with CONFIG_PATH)', value : 'false') +option('pwquality', type : 'boolean', description : 'password quality checking using pwquality library', value : false) +option('ssh-token', type : 'boolean', description : 'LUKS2 ssh-token', value : true) +option('static-cryptsetup', type : 'boolean', description : 'enable build of static version of tools', value : false) +option('tmpfilesdir', type : 'string', description : 'override default path to directory with systemd temporary files') +option('udev', type : 'boolean', description : 'udev support', value : true) +option('veritysetup', type : 'boolean', description : 'veritysetup support', value : true) diff --git a/misc/fedora/cryptsetup.spec b/misc/fedora/cryptsetup.spec index d635d45..44cde6e 100644 --- a/misc/fedora/cryptsetup.spec +++ b/misc/fedora/cryptsetup.spec @@ -2,9 +2,9 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.5.0 +Version: 2.7.0 Release: 1%{?dist} -License: GPLv2+ and LGPLv2+ +License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: autoconf, automake, libtool, gettext-devel, BuildRequires: openssl-devel, popt-devel, device-mapper-devel @@ -18,7 +18,7 @@ Obsoletes: %{name}-reencrypt <= %{version} Provides: %{name}-reencrypt = %{version} %global upstream_version %{version_no_tilde} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-%{upstream_version}.tar.xz +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz %description The cryptsetup package contains a utility for setting up diff --git a/po/POTFILES.in b/po/POTFILES.in index ed9ebfe..7e22598 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -41,6 +41,7 @@ lib/luks2/luks2_reencrypt_digest.c lib/luks2/luks2_segment.c lib/luks2/luks2_token.c lib/luks2/luks2_token_keyring.c +lib/luks2/hw_opal/hw_opal.c src/cryptsetup.c src/veritysetup.c src/integritysetup.c diff --git a/po/cryptsetup.pot b/po/cryptsetup.pot index 8c1423d..b3804b0 100644 --- a/po/cryptsetup.pot +++ b/po/cryptsetup.pot @@ -5,9 +5,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"POT-Creation-Date: 2024-01-24 09:44+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -24,58 +24,62 @@ msgstr "" msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "" -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "" -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "" -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "" -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "" -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "" -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "" -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "" -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "" -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "" + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "" -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "" -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "" -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "" @@ -108,662 +112,769 @@ msgstr "" msgid "Error reading from RNG." msgstr "" -#: lib/setup.c:231 +#: lib/setup.c:262 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "" + +#: lib/setup.c:264 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "" + +#: lib/setup.c:280 msgid "Cannot initialize crypto RNG backend." msgstr "" -#: lib/setup.c:237 +#: lib/setup.c:286 msgid "Cannot initialize crypto backend." msgstr "" -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:318 lib/setup.c:2778 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "" -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:321 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "" -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:392 lib/setup.c:429 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:398 lib/setup.c:3973 msgid "This operation is supported only for LUKS device." msgstr "" -#: lib/setup.c:375 +#: lib/setup.c:435 msgid "This operation is supported only for LUKS2 device." msgstr "" -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:492 lib/luks2/luks2_reencrypt.c:3071 msgid "All key slots full." msgstr "" -#: lib/setup.c:438 +#: lib/setup.c:503 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "" -#: lib/setup.c:444 +#: lib/setup.c:509 #, c-format msgid "Key slot %d is full, please select another one." msgstr "" -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:620 lib/setup.c:3673 msgid "Device size is not aligned to device logical block size." msgstr "" -#: lib/setup.c:627 +#: lib/setup.c:718 #, c-format msgid "Header detected but device %s is too small." msgstr "" -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:759 lib/setup.c:3564 lib/setup.c:5351 lib/setup.c:5371 +#: lib/luks2/luks2_reencrypt.c:3863 lib/luks2/luks2_reencrypt.c:4320 msgid "This operation is not supported for this device type." msgstr "" -#: lib/setup.c:673 +#: lib/setup.c:764 msgid "Illegal operation with reencryption in-progress." msgstr "" -#: lib/setup.c:802 +#: lib/setup.c:896 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "" -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:983 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1878 +#: src/cryptsetup.c:2059 src/cryptsetup.c:2114 src/cryptsetup.c:2319 +#: src/cryptsetup.c:2489 src/cryptsetup.c:2770 src/cryptsetup.c:3078 +#: src/cryptsetup.c:3146 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "" -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:986 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "" -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1359 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "" + +#: lib/setup.c:1605 lib/setup.c:3318 lib/setup.c:3400 lib/setup.c:3412 +#: lib/setup.c:3582 lib/setup.c:5995 #, c-format msgid "Device %s is not active." msgstr "" -#: lib/setup.c:1508 +#: lib/setup.c:1622 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "" -#: lib/setup.c:1590 +#: lib/setup.c:1704 msgid "Invalid plain crypt parameters." msgstr "" -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1709 lib/setup.c:2681 msgid "Invalid key size." msgstr "" -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1714 lib/setup.c:2686 lib/setup.c:2889 msgid "UUID is not supported for this crypt type." msgstr "" -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1719 lib/setup.c:2691 msgid "Detached metadata device is not supported for this crypt type." msgstr "" -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1729 lib/setup.c:1964 lib/luks2/luks2_reencrypt.c:3027 +#: src/cryptsetup.c:1475 src/cryptsetup.c:3847 msgid "Unsupported encryption sector size." msgstr "" -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1737 lib/setup.c:1993 lib/setup.c:3667 msgid "Device size is not aligned to requested sector size." msgstr "" -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1789 lib/setup.c:2026 lib/setup.c:2358 msgid "Can't format LUKS without device." msgstr "" -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1795 lib/setup.c:2032 lib/setup.c:2364 msgid "Requested data alignment is not compatible with data offset." msgstr "" -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1835 lib/setup.c:2050 +msgid "" +"WARNING: DAX device can corrupt data as it does not guarantee atomic sector " +"updates.\n" +msgstr "" + +#: lib/setup.c:1873 lib/setup.c:2145 lib/setup.c:2166 lib/setup.c:2542 +#: lib/setup.c:2588 lib/setup.c:2901 #, c-format msgid "Cannot wipe header on device %s." msgstr "" -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1886 lib/setup.c:2205 #, c-format msgid "" "Device %s is too small for activation, there is no remaining space for " "data.\n" msgstr "" -#: lib/setup.c:1840 +#: lib/setup.c:1926 +msgid "Volume key is too small for encryption with integrity extensions." +msgstr "" + +#: lib/setup.c:1935 +#, c-format +msgid "Cipher %s-%s (key size %zd bits) is not available." +msgstr "" + +#: lib/setup.c:1974 msgid "" "WARNING: The device activation will fail, dm-crypt is missing support for " "requested encryption sector size.\n" msgstr "" -#: lib/setup.c:1863 -msgid "Volume key is too small for encryption with integrity extensions." +#: lib/setup.c:2148 lib/setup.c:2485 lib/setup.c:2545 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3095 +#: lib/luks2/luks2_reencrypt.c:4380 +#, c-format +msgid "Device %s is too small." msgstr "" -#: lib/setup.c:1923 +#: lib/setup.c:2159 lib/setup.c:2185 lib/setup.c:2581 lib/setup.c:2627 #, c-format -msgid "Cipher %s-%s (key size %zd bits) is not available." +msgid "Cannot format device %s in use." msgstr "" -#: lib/setup.c:1949 +#: lib/setup.c:2162 lib/setup.c:2188 lib/setup.c:2584 lib/setup.c:2630 #, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgid "Cannot format device %s, permission denied." msgstr "" -#: lib/setup.c:1953 +#: lib/setup.c:2174 lib/setup.c:2601 lib/setup.c:2961 #, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgid "Cannot format integrity for device %s." msgstr "" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2192 lib/setup.c:2638 #, c-format -msgid "Device %s is too small." +msgid "Cannot format device %s." +msgstr "" + +#: lib/setup.c:2235 +msgid "Cannot get OPAL alignment parameters." +msgstr "" + +#: lib/setup.c:2244 +msgid "Bogus OPAL logical block size." +msgstr "" + +#: lib/setup.c:2250 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "" + +#: lib/setup.c:2257 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "" + +#: lib/setup.c:2277 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "" + +#: lib/setup.c:2290 +msgid "" +"Requested data alignment does not satisfy locking range alignment " +"requirements." msgstr "" -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2495 #, c-format -msgid "Cannot format device %s in use." +msgid "" +"Compensating device size by % sectors to align it with OPAL " +"alignment granularity." msgstr "" -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2553 lib/setup.c:4070 lib/setup.c:4253 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 #, c-format -msgid "Cannot format device %s, permission denied." +msgid "Failed to acquire OPAL lock on device %s." +msgstr "" + +#: lib/setup.c:2562 +msgid "Incorrect OPAL Admin key." +msgstr "" + +#: lib/setup.c:2564 +msgid "Cannot setup OPAL segment." msgstr "" -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2634 #, c-format -msgid "Cannot format integrity for device %s." +msgid "" +"Cannot format device %s, OPAL device seems to be fully write-protected now." msgstr "" -#: lib/setup.c:2023 +#: lib/setup.c:2636 +msgid "" +"This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for " +"recovery." +msgstr "" + +#: lib/setup.c:2656 #, c-format -msgid "Cannot format device %s." +msgid "Locking range %d reset on device %s failed." msgstr "" -#: lib/setup.c:2049 +#: lib/setup.c:2676 msgid "Can't format LOOPAES without device." msgstr "" -#: lib/setup.c:2094 +#: lib/setup.c:2721 msgid "Can't format VERITY without device." msgstr "" -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2732 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "" -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2738 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "" -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2743 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "" -#: lib/setup.c:2121 +#: lib/setup.c:2748 msgid "Unsupported VERITY FEC offset." msgstr "" -#: lib/setup.c:2145 +#: lib/setup.c:2772 msgid "Data area overlaps with hash area." msgstr "" -#: lib/setup.c:2170 +#: lib/setup.c:2797 msgid "Hash area overlaps with FEC area." msgstr "" -#: lib/setup.c:2177 +#: lib/setup.c:2804 msgid "Data area overlaps with FEC area." msgstr "" -#: lib/setup.c:2313 +#: lib/setup.c:2940 #, c-format msgid "" "WARNING: Requested tag size %d bytes differs from %s size output (%d " "bytes).\n" msgstr "" -#: lib/setup.c:2392 +#: lib/setup.c:3019 #, c-format msgid "Unknown crypt device type %s requested." msgstr "" -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3326 lib/setup.c:3405 lib/setup.c:3418 #, c-format msgid "Unsupported parameters on device %s." msgstr "" -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3332 lib/setup.c:3425 lib/luks2/luks2_reencrypt.c:2923 +#: lib/luks2/luks2_reencrypt.c:3160 lib/luks2/luks2_reencrypt.c:3555 #, c-format msgid "Mismatching parameters on device %s." msgstr "" -#: lib/setup.c:2822 +#: lib/setup.c:3449 msgid "Crypt devices mismatch." msgstr "" -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3486 lib/setup.c:3491 lib/luks2/luks2_reencrypt.c:2405 +#: lib/luks2/luks2_reencrypt.c:2939 lib/luks2/luks2_reencrypt.c:4124 #, c-format msgid "Failed to reload device %s." msgstr "" -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3497 lib/setup.c:3503 lib/luks2/luks2_reencrypt.c:2376 +#: lib/luks2/luks2_reencrypt.c:2383 lib/luks2/luks2_reencrypt.c:2953 #, c-format msgid "Failed to suspend device %s." msgstr "" -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3509 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2974 lib/luks2/luks2_reencrypt.c:4037 +#: lib/luks2/luks2_reencrypt.c:4128 #, c-format msgid "Failed to resume device %s." msgstr "" -#: lib/setup.c:2897 +#: lib/setup.c:3524 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "" -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3527 lib/setup.c:3529 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "" -#: lib/setup.c:2984 +#: lib/setup.c:3569 +msgid "Can not resize LUKS2 device with static size." +msgstr "" + +#: lib/setup.c:3614 msgid "Cannot resize loop device." msgstr "" -#: lib/setup.c:3027 +#: lib/setup.c:3658 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "" -#: lib/setup.c:3088 +#: lib/setup.c:3724 msgid "Resize failed, the kernel doesn't support it." msgstr "" -#: lib/setup.c:3120 +#: lib/setup.c:3756 msgid "Do you really want to change UUID of device?" msgstr "" -#: lib/setup.c:3212 +#: lib/setup.c:3848 msgid "Header backup file does not contain compatible LUKS header." msgstr "" -#: lib/setup.c:3328 +#: lib/setup.c:3958 #, c-format msgid "Volume %s is not active." msgstr "" -#: lib/setup.c:3339 +#: lib/setup.c:4024 #, c-format msgid "Volume %s is already suspended." msgstr "" -#: lib/setup.c:3352 +#: lib/setup.c:4052 #, c-format msgid "Suspend is not supported for device %s." msgstr "" -#: lib/setup.c:3354 +#: lib/setup.c:4054 lib/setup.c:4062 #, c-format msgid "Error during suspending device %s." msgstr "" -#: lib/setup.c:3389 +#: lib/setup.c:4076 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "" + +#: lib/setup.c:4108 lib/setup.c:4280 #, c-format msgid "Resume is not supported for device %s." msgstr "" -#: lib/setup.c:3391 +#: lib/setup.c:4110 lib/setup.c:4271 lib/setup.c:4282 #, c-format msgid "Error during resuming device %s." msgstr "" -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4129 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "" + +#: lib/setup.c:4244 lib/setup.c:4966 lib/setup.c:5787 +msgid "Failed to link volume key in user defined keyring." +msgstr "" + +#: lib/setup.c:4345 src/cryptsetup.c:2852 #, c-format msgid "Volume %s is not suspended." msgstr "" -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4446 lib/setup.c:5106 lib/setup.c:5523 lib/setup.c:5542 +#: lib/setup.c:7416 lib/setup.c:7438 lib/setup.c:7487 src/cryptsetup.c:2362 msgid "Volume key does not match the volume." msgstr "" -#: lib/setup.c:3737 +#: lib/setup.c:4600 msgid "Failed to swap new key slot." msgstr "" -#: lib/setup.c:3835 +#: lib/setup.c:4698 #, c-format msgid "Key slot %d is invalid." msgstr "" -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4704 src/cryptsetup.c:2072 src/cryptsetup.c:2564 +#: src/cryptsetup.c:3246 src/cryptsetup.c:3306 #, c-format msgid "Keyslot %d is not active." msgstr "" -#: lib/setup.c:3860 +#: lib/setup.c:4723 msgid "Device header overlaps with data area." msgstr "" -#: lib/setup.c:4165 +#: lib/setup.c:5076 lib/setup.c:5176 msgid "Reencryption in-progress. Cannot activate device." msgstr "" -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5078 lib/setup.c:5178 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3661 msgid "Failed to get reencryption lock." msgstr "" -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5090 +msgid "LUKS2 reencryption recovery using volume key(s) failed." +msgstr "" + +#: lib/setup.c:5142 lib/setup.c:5232 +msgid "Failed to link volume keys in user defined keyring." +msgstr "" + +#: lib/setup.c:5191 lib/luks2/luks2_reencrypt.c:3680 msgid "LUKS2 reencryption recovery failed." msgstr "" -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5439 lib/setup.c:5553 lib/setup.c:5610 msgid "Device type is not properly initialized." msgstr "" -#: lib/setup.c:4400 +#: lib/setup.c:5494 #, c-format msgid "Device %s already exists." msgstr "" -#: lib/setup.c:4407 +#: lib/setup.c:5501 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "" -#: lib/setup.c:4527 +#: lib/setup.c:5519 msgid "Incorrect volume key specified for plain device." msgstr "" -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." +#: lib/setup.c:5533 +msgid "Reencryption volume keys do not match the volume." msgstr "" -#: lib/setup.c:4654 -msgid "Root hash signature required." +#: lib/setup.c:5646 +msgid "Kernel keyring is not supported by the kernel." msgstr "" -#: lib/setup.c:4663 +#: lib/setup.c:5650 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "" -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." +#: lib/setup.c:5908 +msgid "Incorrect root hash specified for verity device." msgstr "" -#: lib/setup.c:4736 +#: lib/setup.c:5951 +msgid "OPAL does not support deferred deactivation." +msgstr "" + +#: lib/setup.c:5967 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "" -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5974 lib/setup.c:5990 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "" -#: lib/setup.c:4768 +#: lib/setup.c:5999 #, c-format msgid "Invalid device %s." msgstr "" -#: lib/setup.c:4908 +#: lib/setup.c:6139 msgid "Volume key buffer too small." msgstr "" -#: lib/setup.c:4925 +#: lib/setup.c:6156 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "" -#: lib/setup.c:4934 +#: lib/setup.c:6165 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "" -#: lib/setup.c:4944 +#: lib/setup.c:6175 msgid "Cannot retrieve volume key for plain device." msgstr "" -#: lib/setup.c:4952 +#: lib/setup.c:6183 msgid "Cannot retrieve root hash for verity device." msgstr "" -#: lib/setup.c:4959 +#: lib/setup.c:6190 msgid "Cannot retrieve volume key for BITLK device." msgstr "" -#: lib/setup.c:4964 +#: lib/setup.c:6195 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "" -#: lib/setup.c:4966 +#: lib/setup.c:6197 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "" -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6381 lib/setup.c:6392 msgid "Dump operation is not supported for this device type." msgstr "" -#: lib/setup.c:5500 +#: lib/setup.c:6751 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "" -#: lib/setup.c:5788 +#: lib/setup.c:7059 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "" -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7357 lib/setup.c:7496 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "" -#: lib/setup.c:6122 +#: lib/setup.c:7381 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "" -#: lib/setup.c:6128 +#: lib/setup.c:7387 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "" -#: lib/setup.c:6353 +#: lib/setup.c:7612 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "" -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." +#: lib/setup.c:7681 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." msgstr "" -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7799 +msgid "Failed to unlink volume key from thread keyring." +msgstr "" + +#: lib/setup.c:7843 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." +msgid "Could not find keyring described by \"%s\"." msgstr "" -#: lib/setup.c:6523 +#: lib/setup.c:7908 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "" -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:215 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "" -#: lib/utils.c:163 +#: lib/utils.c:220 msgid "Cannot read keyfile from a terminal." msgstr "" -#: lib/utils.c:179 +#: lib/utils.c:236 msgid "Failed to stat key file." msgstr "" -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:244 lib/utils.c:265 msgid "Cannot seek to requested keyfile offset." msgstr "" -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:259 lib/utils.c:274 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "" -#: lib/utils.c:237 +#: lib/utils.c:294 msgid "Error reading passphrase." msgstr "" -#: lib/utils.c:254 +#: lib/utils.c:311 msgid "Nothing to read on input." msgstr "" -#: lib/utils.c:261 +#: lib/utils.c:318 msgid "Maximum keyfile size exceeded." msgstr "" -#: lib/utils.c:266 +#: lib/utils.c:323 msgid "Cannot read requested amount of data." msgstr "" -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "" -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "" -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "" -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "" -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "" -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "" -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "" -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "" -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "" "Attaching loopback device failed (loop device with autoclear flag is " "required)." msgstr "" -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "" -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "" -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "" -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "" -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "" -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "" -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "" -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "" -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "" -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "" "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "" -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "" -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "" -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "" -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "" -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "" -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "" @@ -780,16 +891,24 @@ msgid "" "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "" -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "" -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "" +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "" + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "" + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -807,7 +926,7 @@ msgstr "" #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "" @@ -821,17 +940,17 @@ msgid "Failed to access temporary keystore device." msgstr "" #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "" #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -853,32 +972,32 @@ msgstr "" msgid "LUKS keyslot %u is invalid." msgstr "" -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "" -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "" #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "" -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "" @@ -904,7 +1023,7 @@ msgid "" "keyslots." msgstr "" -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -976,7 +1095,7 @@ msgstr "" msgid "LUKS hash %s is invalid." msgstr "" -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1360 msgid "No known problems detected for LUKS header." msgstr "" @@ -996,8 +1115,8 @@ msgid "" msgstr "" #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "" @@ -1034,7 +1153,7 @@ msgstr "" msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "" -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "" @@ -1055,48 +1174,48 @@ msgstr "" msgid "Kernel does not support loop-AES compatible mapping." msgstr "" -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "" -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "" -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "" -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1235 msgid "Required kernel crypto interface not available." msgstr "" -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1237 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "" -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "" -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "" -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "" -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "" -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "" @@ -1160,81 +1279,81 @@ msgstr "" msgid "Failed to convert BITLK volume description" msgstr "" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "" -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "" -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "" -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "" -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "" -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "" -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "" -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "" -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "" -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "" "WARNING: BitLocker volume size % does not match the underlying " "device size %" msgstr "" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "" "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "" -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "" "Cannot activate device, kernel dm-crypt is missing support for BITLK " "Elephant diffuser." msgstr "" -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "" "Cannot activate device, kernel dm-crypt is missing support for large sector " "size." msgstr "" -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "" @@ -1272,28 +1391,32 @@ msgstr "" msgid "Error during update of verity header on device %s." msgstr "" -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "" -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "" + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "" -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "" -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "" -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "" -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "" @@ -1389,7 +1512,7 @@ msgstr "" msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "" -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "" @@ -1403,141 +1526,186 @@ msgid "" "activation options to override)." msgstr "" -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:392 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "" -#: lib/luks2/luks2_disk_metadata.c:400 +#: lib/luks2/luks2_disk_metadata.c:401 msgid "" "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "" -#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 +#: lib/luks2/luks2_disk_metadata.c:710 lib/luks2/luks2_disk_metadata.c:731 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." msgstr "" -#: lib/luks2/luks2_json_format.c:229 -msgid "Requested data offset is too small." -msgstr "" - -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:231 #, c-format msgid "" "WARNING: keyslots area (% bytes) is very small, available LUKS2 " "keyslot count is very limited.\n" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_format.c:427 +msgid "Requested data offset is too small." +msgstr "" + +#: lib/luks2/luks2_json_format.c:468 +#, c-format +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "" "Binary header with keyslot areas size differ on device and backup, restore " "failed." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "" "does not contain LUKS2 header. Replacing header can destroy data on that " "device." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "" "already contains LUKS2 header. Replacing header will destroy existing " "keyslots." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" "Replacing header with backup may corrupt the data on that device!" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" "Replacing header with backup may corrupt data." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2105 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2119 msgid "Failed to set dm-crypt segment." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2125 msgid "Failed to set dm-linear segment." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "" +"Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4174 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "" "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "" -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "" "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "" -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "" + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "" -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "" @@ -1546,523 +1714,592 @@ msgstr "" msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "" -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2729 #, c-format msgid "Hash algorithm %s is not available." msgstr "" -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "" +"Warning: keyslot operation could fail as it requires more than available " +"memory.\n" +msgstr "" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "" -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "" -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "" "Can not update resilience type. New type only provides % bytes, " "required space is: % bytes." msgstr "" -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3810 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "" "Cannot convert to LUKS1 format - default segment encryption sector size is " "not 512 bytes." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "" "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "" "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still " "active." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1196 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1201 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1408 lib/luks2/luks2_reencrypt.c:1595 +#: lib/luks2/luks2_reencrypt.c:1678 lib/luks2/luks2_reencrypt.c:1720 +#: lib/luks2/luks2_reencrypt.c:3969 msgid "Failed to initialize old segment storage wrapper." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1422 lib/luks2/luks2_reencrypt.c:1573 msgid "Failed to initialize new segment storage wrapper." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1549 lib/luks2/luks2_reencrypt.c:3981 msgid "Failed to initialize hotzone protection." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1622 msgid "Failed to read checksums for current hotzone." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1629 lib/luks2/luks2_reencrypt.c:3995 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1648 #, c-format msgid "Failed to decrypt sector %zu." msgstr "" -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1654 #, c-format msgid "Failed to recover sector %zu." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2218 #, c-format msgid "" "Source and target device sizes don't match. Source %, target: " "%." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2316 #, c-format msgid "Failed to activate hotzone device %s." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2333 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2340 #, c-format msgid "Failed to load new mapping for device %s." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2411 msgid "Failed to refresh reencryption devices stack." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2611 msgid "Failed to set new keyslots area size." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2747 #, c-format msgid "" "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2784 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2821 msgid "Moved segment size can not be greater than data shift value." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2863 msgid "Invalid reencryption resilience parameters." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2885 #, c-format msgid "" "Moved segment too large. Requested size %, available space for: " "%." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2972 msgid "Failed to clear table." msgstr "" -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3058 msgid "Reduced data size is larger than real device size." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3065 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3099 #, c-format msgid "" "Data shift (% sectors) is less than future data offset (% " "sectors)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3106 lib/luks2/luks2_reencrypt.c:3604 +#: lib/luks2/luks2_reencrypt.c:3625 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3295 msgid "Device not marked for LUKS2 reencryption." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3312 lib/luks2/luks2_reencrypt.c:4286 msgid "Failed to load LUKS2 reencryption context." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3402 msgid "Failed to get reencryption state." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3406 lib/luks2/luks2_reencrypt.c:3720 msgid "Device is not in reencryption." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3413 lib/luks2/luks2_reencrypt.c:3727 msgid "Reencryption process is already running." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3415 lib/luks2/luks2_reencrypt.c:3729 msgid "Failed to acquire reencryption lock." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3433 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3568 msgid "Active device size and requested reencryption size don't match." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3582 msgid "Illegal device size requested in reencryption parameters." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3659 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3827 msgid "LUKS2 reencryption already initialized in metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3834 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3887 lib/luks2/luks2_reencrypt.c:3922 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3894 +msgid "Failed to read passphrase from keyring." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3951 msgid "Failed to set device segments for next reencryption hotzone." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:4003 msgid "Failed to write reencryption resilience metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:4010 msgid "Decryption failed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4015 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4020 msgid "Failed to sync data." msgstr "" -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4028 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4117 msgid "Failed to write LUKS2 metadata." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4140 msgid "Failed to wipe unused data device area." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4146 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4156 msgid "Failed to remove reencryption keyslot." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4166 #, c-format msgid "" "Fatal error while reencrypting chunk starting at %, % " "sectors long." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4170 msgid "Online reencryption failed." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4175 msgid "Do not resume the device unless replaced with error target manually." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4227 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4233 msgid "Missing or invalid reencrypt context." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4240 msgid "Failed to initialize reencryption device stack." msgstr "" -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4262 lib/luks2/luks2_reencrypt.c:4299 msgid "Failed to update reencryption context." msgstr "" -#: lib/luks2/luks2_reencrypt_digest.c:405 +#: lib/luks2/luks2_reencrypt_digest.c:421 msgid "Reencryption metadata is invalid." msgstr "" -#: src/cryptsetup.c:85 +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "" +"OPAL range %d offset % does not match expected values %." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "" + +#: src/cryptsetup.c:93 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "" -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:136 src/cryptsetup.c:2242 #, c-format msgid "Enter token PIN: " msgstr "" -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:138 src/cryptsetup.c:2244 #, c-format msgid "Enter token %d PIN: " msgstr "" -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:196 src/cryptsetup.c:1182 src/cryptsetup.c:1523 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "" -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:206 +#, c-format +msgid "" +"WARNING: Using default options for cipher (%s-%s, key size %u bits) that " +"could be incompatible with older versions." +msgstr "" + +#: src/cryptsetup.c:211 +#, c-format +msgid "" +"WARNING: Using default options for hash (%s) that could be incompatible with " +"older versions." +msgstr "" + +#: src/cryptsetup.c:215 +msgid "" +"For plain mode, always use options --cipher, --key-size and if no keyfile is " +"used, then also --hash." +msgstr "" + +#: src/cryptsetup.c:221 msgid "" "WARNING: The --hash parameter is being ignored in plain mode with keyfile " "specified.\n" msgstr "" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:229 msgid "" "WARNING: The --keyfile-size option is being ignored, the read size is the " "same as the encryption key size.\n" msgstr "" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:266 src/cryptsetup.c:1368 src/cryptsetup.c:1566 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "" + +#: src/cryptsetup.c:272 #, c-format msgid "" "Detected device signature(s) on %s. Proceeding further may damage existing " "data." msgstr "" -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:278 src/cryptsetup.c:1256 src/cryptsetup.c:1304 +#: src/cryptsetup.c:1375 src/cryptsetup.c:1500 src/cryptsetup.c:1578 +#: src/cryptsetup.c:2622 src/cryptsetup.c:3049 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:351 msgid "Option --key-file is required." msgstr "" -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:402 msgid "Enter VeraCrypt PIM: " msgstr "" -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:411 msgid "Invalid PIM value: parse error." msgstr "" -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:414 msgid "Invalid PIM value: 0." msgstr "" -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:417 msgid "Invalid PIM value: outside of range." msgstr "" -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:440 msgid "No device header detected with this passphrase." msgstr "" -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:513 src/cryptsetup.c:689 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "" -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:521 msgid "" "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "" -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:563 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" "This dump should be always stored encrypted on safe place." msgstr "" -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:630 src/cryptsetup.c:711 src/cryptsetup.c:2647 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" "This dump should be stored encrypted in a safe place." msgstr "" -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:766 src/cryptsetup.c:796 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "" -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:804 msgid "" "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "" -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:858 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:892 src/cryptsetup.c:1903 src/cryptsetup.c:2177 +#: src/cryptsetup.c:2331 src/cryptsetup.c:2778 src/cryptsetup.c:2860 +#: src/cryptsetup.c:3387 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "" + +#: src/cryptsetup.c:901 msgid "" "Resize of active device requires volume key in keyring but --disable-keyring " "option is set." msgstr "" -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1061 msgid "Benchmark interrupted." msgstr "" -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1082 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1084 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1098 #, c-format msgid "%-10s N/A\n" msgstr "" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1100 #, c-format msgid "" "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit " "key (requested %u ms time)\n" msgstr "" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1124 msgid "Result of benchmark is not reliable." msgstr "" -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1174 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1194 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1198 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1217 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1228 msgid "N/A" msgstr "" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1253 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the " "reencryption operation is desirable (see luksDump output)\n" @@ -2070,580 +2307,623 @@ msgid "" "genuine." msgstr "" -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1259 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "" -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1303 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1312 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "" -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1314 msgid "Enter passphrase for reencryption recovery: " msgstr "" -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1374 msgid "Really try to repair LUKS device header?" msgstr "" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1398 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." msgstr "" -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1403 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will " "contain invalid checksum).\n" msgstr "" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1425 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "" -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1480 msgid "Integrity option can be used only for LUKS2 format." msgstr "" -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1485 src/cryptsetup.c:1550 msgid "Unsupported LUKS2 metadata size options." msgstr "" -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1490 +msgid "OPAL is supported only for LUKS2 format." +msgstr "" + +#: src/cryptsetup.c:1499 msgid "Header file does not exist, do you want to create it?" msgstr "" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1507 #, c-format msgid "Cannot create header file %s." msgstr "" -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1530 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "" -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1543 #, c-format msgid "Cannot use %s as on-disk header." msgstr "" -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1572 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "" -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1609 +msgid "OPAL Admin password cannot be empty." +msgstr "" + +#: src/cryptsetup.c:1623 src/cryptsetup.c:2194 src/cryptsetup.c:2344 +#: src/cryptsetup.c:2504 src/cryptsetup.c:2570 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "" -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1755 +msgid "" +"Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "" + +#: src/cryptsetup.c:1820 +msgid "Key types have to be the same for both volume keys." +msgstr "" + +#: src/cryptsetup.c:1825 +msgid "Both volume keys have to be linked to the same keyring." +msgstr "" + +#: src/cryptsetup.c:1835 +msgid "You need to supply more key names." +msgstr "" + +#: src/cryptsetup.c:1839 +msgid "Invalid --link-vk-to-keyring value." +msgstr "" + +#: src/cryptsetup.c:1884 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "" -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1891 #, c-format msgid "" "LUKS file container %s is too small for activation, there is no remaining " "space for data." msgstr "" -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1918 src/cryptsetup.c:2350 msgid "" "Cannot determine volume key size for LUKS without keyslots, please use --key-" "size option." msgstr "" -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1985 msgid "Device activated but cannot make flags persistent." msgstr "" -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:2069 src/cryptsetup.c:2137 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "" -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:2081 src/cryptsetup.c:2141 msgid "" "This is the last keyslot. Device will become unusable after purging this key." msgstr "" -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:2082 msgid "Enter any remaining passphrase: " msgstr "" -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:2083 src/cryptsetup.c:2143 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2119 msgid "Enter passphrase to be deleted: " msgstr "" -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2169 src/cryptsetup.c:2553 src/cryptsetup.c:3211 +#: src/cryptsetup.c:3378 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "" -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2208 src/cryptsetup.c:2427 msgid "Enter new passphrase for key slot: " msgstr "" -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2310 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2383 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "" -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2508 msgid "Enter passphrase to be changed: " msgstr "" -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2524 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "" -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2574 msgid "Enter passphrase for keyslot to be converted: " msgstr "" -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2598 msgid "Only one device argument for isLuks operation is supported." msgstr "" -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2706 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "" -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2711 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." msgstr "" -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2806 src/cryptsetup.c:2843 #, c-format msgid "%s is not active %s device name." msgstr "" -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2838 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "" -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2916 src/cryptsetup.c:2935 msgid "Option --header-backup-file is required." msgstr "" -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2966 #, c-format msgid "%s is not cryptsetup managed device." msgstr "" -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2977 #, c-format msgid "Refresh is not supported for device type %s" msgstr "" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:3027 #, c-format msgid "Unrecognized metadata device type %s." msgstr "" -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:3029 msgid "Command requires device and mapped name as arguments." msgstr "" -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:3039 +msgid "Enter OPAL PSID: " +msgstr "" + +#: src/cryptsetup.c:3039 +msgid "Enter OPAL Admin password: " +msgstr "" + +#: src/cryptsetup.c:3048 +msgid "" +"WARNING: WHOLE disk will be factory reset and all data will be lost! " +"Continue?" +msgstr "" + +#: src/cryptsetup.c:3091 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" "Device will become unusable after this operation." msgstr "" -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3098 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3137 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "" -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3153 #, c-format msgid "Device is already %s type." msgstr "" -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3160 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3163 msgid "Operation aborted, device was NOT converted.\n" msgstr "" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3203 msgid "Option --priority, --label or --subsystem is missing." msgstr "" -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3237 src/cryptsetup.c:3277 src/cryptsetup.c:3297 #, c-format msgid "Token %d is invalid." msgstr "" -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3240 src/cryptsetup.c:3300 #, c-format msgid "Token %d in use." msgstr "" -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3252 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "" -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3263 src/cryptsetup.c:3326 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "" -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3280 #, c-format msgid "Token %d is not in use." msgstr "" -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3317 msgid "Failed to import token from file." msgstr "" -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3342 #, c-format msgid "Failed to get token %d for export." msgstr "" -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3355 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "" -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3357 src/cryptsetup.c:3364 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "" -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3423 msgid "" "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only " "for TCRYPT device." msgstr "" -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3426 msgid "" "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT " "device type." msgstr "" -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3429 msgid "" "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "" -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3433 msgid "" "Option --veracrypt-query-pim is supported only for VeraCrypt compatible " "devices." msgstr "" -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3435 msgid "" "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "" -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3444 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "" -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3447 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "" -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3450 msgid "Option --shared is allowed only for open of plain device." msgstr "" -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3453 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "" -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3456 msgid "" "Option --offset with open action is only supported for plain and loopaes " "devices." msgstr "" -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3459 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "" -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3463 msgid "" "Sector size option with open action is supported only for plain devices." msgstr "" -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3467 msgid "" "Large IV sectors option is supported only for opening plain type device with " "sector size larger than 512 bytes." msgstr "" -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3472 msgid "" "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and " "FVAULT2 devices." msgstr "" -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3475 src/cryptsetup.c:3498 msgid "Options --device-size and --size cannot be combined." msgstr "" -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3478 msgid "Option --unbound is allowed only for open of luks device." msgstr "" -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3481 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "" -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3490 src/veritysetup.c:671 src/integritysetup.c:767 msgid "" "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "" -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." +#: src/cryptsetup.c:3506 +msgid "Options --reduce-device-size and --device-size cannot be combined." msgstr "" -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3509 msgid "Option --active-name can be set only for LUKS2 device." msgstr "" -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3512 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "" -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3520 src/cryptsetup.c:3550 msgid "Keyslot specification is required." msgstr "" -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3528 msgid "Options --align-payload and --offset cannot be combined." msgstr "" -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3531 msgid "" "Option --integrity-no-wipe can be used only for format action with integrity " "extension." msgstr "" -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3534 msgid "Only one of --use-[u]random options is allowed." msgstr "" -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3542 msgid "Key size is required with --unbound option." msgstr "" -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3562 msgid "Invalid token action." msgstr "" -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3565 msgid "--key-description parameter is mandatory for token add action." msgstr "" -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3569 src/cryptsetup.c:3582 msgid "Action requires specific token. Use --token-id parameter." msgstr "" -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3573 msgid "Option --unbound is valid only with token add action." msgstr "" -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3575 msgid "Options --key-slot and --unbound cannot be combined." msgstr "" -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3580 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "" -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3596 msgid " [--type ] []" msgstr "" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3596 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "" -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3597 src/cryptsetup.c:3598 src/cryptsetup.c:3599 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3597 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3598 src/integritysetup.c:548 msgid "resize active device" msgstr "" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3599 msgid "show device status" msgstr "" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3600 msgid "[--cipher ]" msgstr "" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3600 msgid "benchmark cipher" msgstr "" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3601 src/cryptsetup.c:3602 src/cryptsetup.c:3603 +#: src/cryptsetup.c:3604 src/cryptsetup.c:3605 src/cryptsetup.c:3612 +#: src/cryptsetup.c:3613 src/cryptsetup.c:3614 src/cryptsetup.c:3615 +#: src/cryptsetup.c:3616 src/cryptsetup.c:3617 src/cryptsetup.c:3618 +#: src/cryptsetup.c:3619 src/cryptsetup.c:3620 src/cryptsetup.c:3621 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3601 msgid "try to repair on-disk metadata" msgstr "" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3602 msgid "reencrypt LUKS2 device" msgstr "" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3603 msgid "erase all keyslots (remove encryption key)" msgstr "" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3604 msgid "convert LUKS from/to LUKS2 format" msgstr "" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3605 msgid "set permanent configuration options for LUKS2" msgstr "" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3606 src/cryptsetup.c:3607 msgid " []" msgstr "" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3606 msgid "formats a LUKS device" msgstr "" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3607 msgid "add key to LUKS device" msgstr "" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610 msgid " []" msgstr "" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3608 msgid "removes supplied key or key file from LUKS device" msgstr "" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3609 msgid "changes supplied key or key file of LUKS device" msgstr "" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3610 msgid "converts a key to new pbkdf parameters" msgstr "" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3611 msgid " " msgstr "" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3611 msgid "wipes key with number from LUKS device" msgstr "" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3612 msgid "print UUID of LUKS device" msgstr "" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3613 msgid "tests for LUKS partition header" msgstr "" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3614 msgid "dump LUKS partition information" msgstr "" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3615 msgid "dump TCRYPT device information" msgstr "" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3616 msgid "dump BITLK device information" msgstr "" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3617 msgid "dump FVAULT2 device information" msgstr "" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3618 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3619 msgid "Resume suspended LUKS device" msgstr "" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3620 msgid "Backup LUKS device header and keyslots" msgstr "" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3621 msgid "Restore LUKS device header and keyslots" msgstr "" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3622 msgid " " msgstr "" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3622 msgid "Manipulate LUKS2 tokens" msgstr "" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3641 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" msgstr "" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3647 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2653,7 +2933,7 @@ msgid "" "bitlkClose, fvault2Close\n" msgstr "" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3651 #, c-format msgid "" "\n" @@ -2663,34 +2943,31 @@ msgid "" " optional key file for the new key for luksAddKey action\n" msgstr "" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3658 #, c-format msgid "" "\n" "Default compiled-in metadata format is %s (for luksFormat action).\n" msgstr "" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3663 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" -msgstr "" - -#: src/cryptsetup.c:3223 -msgid "compiled-in" +"LUKS2 external token plugin support is enabled.\n" msgstr "" -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3664 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "" -#: src/cryptsetup.c:3226 -msgid "disabled" +#: src/cryptsetup.c:3666 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" msgstr "" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3670 #, c-format msgid "" "\n" @@ -2702,7 +2979,7 @@ msgid "" "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n" msgstr "" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3681 #, c-format msgid "" "\n" @@ -2712,99 +2989,113 @@ msgid "" "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" msgstr "" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3690 msgid "" "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3708 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3748 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "" -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3776 msgid "Device size must be multiple of 512 bytes sector." msgstr "" -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3781 msgid "Invalid max reencryption hotzone size specification." msgstr "" -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3795 src/cryptsetup.c:3807 msgid "Key size must be a multiple of 8 bits" msgstr "" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3814 +#, c-format +msgid "At most %d volume key specifications can be supplied." +msgstr "" + +#: src/cryptsetup.c:3826 +#, c-format +msgid "At most %d keyring link specifications can be supplied." +msgstr "" + +#: src/cryptsetup.c:3835 msgid "Maximum device reduce size is 1 GiB." msgstr "" -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3838 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "" -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3855 msgid "Option --priority can be only ignore/normal/prefer." msgstr "" -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3874 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3875 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3876 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3887 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3910 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "" -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3919 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "" -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3998 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "" -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:4016 msgid "Option --key-file takes precedence over specified key file argument." msgstr "" -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:4022 msgid "Only one --key-file argument is allowed." msgstr "" -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:4027 msgid "" "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/" "argon2id." msgstr "" -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:4032 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "" -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:4037 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "" + +#: src/cryptsetup.c:4048 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "" -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:4056 msgid "No action taken. Invoked with --test-args option.\n" msgstr "" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:4069 msgid "Cannot disable metadata locking." msgstr "" @@ -2869,7 +3160,7 @@ msgstr "" msgid " " msgstr "" -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "" @@ -2885,7 +3176,7 @@ msgstr "" msgid " []" msgstr "" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "" @@ -2893,7 +3184,7 @@ msgstr "" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "" @@ -2916,13 +3207,13 @@ msgid "" "Hash format: %u\n" msgstr "" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "" "Option --ignore-corruption and --restart-on-corruption cannot be used " "together." msgstr "" -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "" "Option --panic-on-corruption and --restart-on-corruption cannot be used " "together." @@ -2936,31 +3227,31 @@ msgid "" "integrity-recalculate)." msgstr "" -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "" "Setting recalculate flag is not supported, you may consider using --wipe " "instead." msgstr "" -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "" -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr "" -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2968,7 +3259,7 @@ msgid "" " is the device containing data with integrity tags\n" msgstr "" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2977,45 +3268,45 @@ msgid "" "\tMaximum keyfile size: %dkB\n" msgstr "" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "" -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "" "Journal integrity algorithm must be specified if journal integrity key is " "used." msgstr "" -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "" "Both journal encryption key file and key size options must be specified." msgstr "" -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "" "Journal encryption algorithm must be specified if journal encryption key is " "used." msgstr "" -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "" -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "" -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "" @@ -3220,75 +3511,75 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "" -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "" -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "" -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "" -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "" -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "" -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "" -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "" -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "" -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "" -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "" -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." msgstr "" -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "" -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." msgstr "" -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "" @@ -3357,199 +3648,203 @@ msgid "" "initialised operation?" msgstr "" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "" -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "" + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "" -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" "(block size: % bytes) detected on device %s." msgstr "" -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "" "Encryption without detached header (--header) is not possible without data " "device size reduction (--reduce-device-size)." msgstr "" -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "" "Requested data offset must be less than or equal to half of --reduce-device-" "size parameter." msgstr "" -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "" "Adjusting --reduce-device-size value to twice the --offset % " "(sectors).\n" msgstr "" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "" -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "" -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "" -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "" -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "" -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "" -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "" -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "" "Header file %s does not exist. Do you want to initialize LUKS2 decryption of " "device %s and export LUKS2 header to file %s?" msgstr "" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "" -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "" -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "" "LUKS2 decryption is supported with detached header device only (with data " "offset set to 0)." msgstr "" -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "" -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "" "Key file can be used only with --key-slot or with exactly one key slot " "active." msgstr "" -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "" -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "" -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "" -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option " "(dangerous!)." msgstr "" -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" "Reencryption interrupted." msgstr "" -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "" -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "" -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "" -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "" -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "" -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "" -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "" -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "" -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "" -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "" -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "" -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "" @@ -3687,35 +3982,35 @@ msgstr "" msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "" -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "" -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "" -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "" -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "" -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "" -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "" @@ -3730,11 +4025,11 @@ msgstr "" msgid "Option --%s is not allowed with %s action." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token " "connected to an SSH server\vThis plugin currently allows only adding a token " @@ -3749,107 +4044,111 @@ msgid "" "user and paths) will be stored in the LUKS2 header in plaintext." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "" "Keyslot to assign the token to. If not specified, token will be assigned to " "the first keyslot matching provided passphrase." msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "" diff --git a/po/cs.po b/po/cs.po index ed39d10..ba220a7 100644 --- a/po/cs.po +++ b/po/cs.po @@ -4,6 +4,7 @@ # Milan Broz , 2010. # Petr Pisar , 2010, 2011, 2012, 2013, 2014, 2015, 2016. # Petr Pisar , 2017, 2018, 2019, 2020, 2021, 2022, 2023. +# Petr Pisar , 2024. # # See `LUKS On-Disk Format Specification' document to clarify some terms. # @@ -17,6 +18,7 @@ # key slot → pozice klíče # keyring → klíčenka # online mode → (režim) za běhu +# OPAL → Opal (správný zápis je takto) # plain/LUKS1 crypt → šifra plain/LUKS1 („plain“ nepřekládat) # (reencryption) recover → obnova (jedná se o činnost před samotným navázáním # rozdělaného přešifrování, obvykle po výpadku napájení). @@ -29,10 +31,10 @@ # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 18:11+01:00\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2024-01-06 14:50+01:00\n" "Last-Translator: Petr Pisar \n" "Language-Team: Czech \n" "Language: cs\n" @@ -50,58 +52,62 @@ msgstr "Nelze inicializovat device-mapper, nespuštěno superuživatelem." msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Požadovaný příznak odložení není podporován." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID pro zařízení %s bylo zkráceno." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Neznámý druh cíle DM." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Požadované výkonnostní volby dm-cryptu nejsou podporovány." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Požadované volby, jak zacházet s poškozením dat dm-verity, nejsou podporovány." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "Požadovaná volba taskletu dm-cryptu není podporována." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Požadované FEC volby dm-cryptu nejsou podporovány." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Požadované volby integrity dat nejsou podporovány." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "Požadované volby sector_size není podporována." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "Velikost zařízení není násobkem požadované velikosti sektoru." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Požadovaný automatický přepočet značek integrity není podporován." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Zahazování (TRIM) není podporováno." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Požadovaný režim bitmapy integrity DM není podporován." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Dotaz na část dm-%s selhal." @@ -136,657 +142,748 @@ msgstr "Požadována neznámá kvalita generátoru náhodných čísel." msgid "Error reading from RNG." msgstr "Chyba při čtení z generátoru náhodných čísel." -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "Podpora pro Opal je v libcryptsetup vypnuta." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Zařízení %s nebo jádro nepodporuje šifrování Opal." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Implementaci šifrovacího generátoru náhodných čísel nelze inicializovat." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Implementaci šifrování nelze inicializovat." -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Hašovací algoritmus %s není podporován." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Chyba zpracování klíče (za použití haše %s)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Tato operace je podporována jen u zařízení LUKS." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Tato operace je podporována jen u zařízení LUKS2." -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Všechny pozice klíčů jsou obsazeny." -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d." -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou." -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru zařízení." -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Nalezena hlavička, ale zařízení %s je příliš malé." -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Tato operace není na zařízení tohoto typu podporována." -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Zakázaná operace spolu s probíhajícím přešifrování." -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Nahrání původních metadat LUKS2 do paměti selhalo." -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Zařízení %s není platným zařízením LUKS." -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Nepodporovaná verze LUKS %d." -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Na aktivním zařízení %s nebyl nalezen žádný známý vzorek určující šifrování." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Zařízení %s není aktivní." -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo." -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Neplatné parametry plain šifry." -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Neplatná velikost klíče." -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "UUID není na šifře tohoto typu podporováno." -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Zařízení s oddělenými metadaty není na šifře tohoto typu podporováno." -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Nepodporovaná velikost šifrovaného sektoru." -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "Velikost zařízení není zarovnaná na požadovanou velikost sektoru." -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "LUKS nelze bez zařízení naformátovat." -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "Požadované zarovnání dat není slučitelné s polohou dat." -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "POZOR: Zařízené DAX může poškodit data, protože nezaručuje atomické aktualizace sektorů.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Ze zařízení %s nelze odstranit hlavičku." -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Zařízení %s je na aktivaci příliš malé. Nezbývá žádné místo pro data.\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "POZOR: Aktivace zařízení selže, dm-crypt nepodporuje požadovanou velikost šifrovaného sektoru.\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Klíč svazku je příliš malý na šifrovaní s rozšířeními pro integritu." -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Šifra %s-%s (velikost klíče %zd bitů) není dostupná." -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "POZOR: Metadata LUKS2 změnila velikost na % bajtů.\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "POZOR: Oblast s pozicemi klíčů pro LUKS2 změnila velikost na % bajtů.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "POZOR: Aktivace zařízení selže, dm-crypt nepodporuje požadovanou velikost šifrovaného sektoru.\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Zařízení %s je příliš malé." -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Zařízení %s, které se používá, nelze formátovat." -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Zařízení %s nelze formátovat, povolení zamítnuto." # FIXME "format integrity" is nonsense -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Zařízení %s není možné formátovat integritu." -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Zařízení %s nelze formátovat." -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Parametry zarovnání Opal nelze získat." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Chybná velikost logického bloku Opal." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "Požadovaná poloha dat není slučitelná s velikostí bloku Opal." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "Požadované zarovnání dat není slučitelné se zarovnáním Opal." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "Poloha dat nesplňuje požadavky Opal na zarovnání." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "Požadované zarovnání dat nesplňuje požadavky na zarovnání uzamykatelné oblasti." + +# TODO: Pluralize +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Velikost zařízení byla dorovnána % sektory, aby lícovala s granularitou zarovnání Opal." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Získání zámku Opal na zařízení %s selhalo." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Nesprávný klíč správce Opal." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Část Opal nelze nastavit." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Zařízení %s nelze formátovat, zařízení Opal je asi zcela chráněno proti zápisu." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Toto je snad chyba ve firmwaru. Resetujte Opal zařízení pomocí PSID a znovu jej zapojte." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "Reset uzamykatelné oblasti %d na zařízení %s selhal." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "LOOPAES nelze bez zařízení naformátovat." -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "VERITY nelze bez zařízení naformátovat." -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Nepodporovaný druh VERITY haše %d." -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Nepodporovaná velikost bloku VERITY." -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Nepodporovaná poloha haše VERITY." -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Nepodporovaná poloha VERITY FEC." -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "Oblast dat se překrývá s oblastí haše." -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "Oblast FEC se překrývá s oblastí haše." -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "Oblast dat se překrývá s oblastí FEC." -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "POZOR: Požadovaná velikost značky %d bajtů se liší od výstupu velikosti %s (%d bajtů).\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Požadován neznámý typ šifrovaného zařízení %s." -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Nepodporované parametry na zařízení %s." -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." -msgstr "Neodpovídající parametry an za zařízení %s." +msgstr "Neodpovídající parametry na zařízení %s." -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Zařízení dmcryptu si neodpovídají." -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Zařízení %s nebylo možné znovu zavést." -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Zařízení %s nebylo možné pozastavit." -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Zařízení %s nebylo možné probudit." -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Nepřekonatelná chyba při zavádění zařízení %s (nad zařízením %s)." -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Zařízení %s nebylo možné přepnout do dm-error." -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Zařízení LUKS2 se statickou velikostí nelze změnit velikost." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." -msgstr "Nelze změnit velikost zařízení zpětné smyčky." +msgstr "Zařízení zpětné smyčky nelze změnit velikost." -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "" "POZOR: Maximální velikost je již nastavena nebo změna velikosti není jádrem\n" "podporována.\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Změna velikosti selhala, jádro ji nepodporuje." -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Opravdu chcete změnit UUID zařízení?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Soubor se zálohou hlavičky neobsahuje kompatibilní hlavičku LUKS." -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Svazek %s není aktivní." -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Svazek %s je již uspán." -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Uspání není na zařízení %s podporováno." -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Chyba při uspávání zařízení %s." -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Zařízení %s bylo uspáno, ale hardwarové zařízení Opal nelze uzamknout." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Probuzení není na zařízení %s podporováno." -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Chyba při probouzení zařízení %s." -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Do zadané klíčenky se nepodařilo připojit klíč." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Z klíčenky zadané uživatelem se nepodařilo odpojit klíč svazku." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Do uživatelem zadané klíčenky se nepodařilo přidat klíč svazku." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Svazek %s není uspán." -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Heslo svazku neodpovídá svazku." -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Záměna novou pozicí klíče se nezdařila." -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "Pozice klíče %d je neplatná." -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "Pozice klíče %d není aktivní." -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "Hlavička zařízení se překrývá s datovou oblastí." -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Přešifrování již probíhá. Zařízení nelze aktivovat." -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Získání zámku pro přešifrování selhalo." -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "Obnova přešifrování LUKS2 selhalo." -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Typ zařízení není řádně inicializován." -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Zařízení %s již existuje." -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Zařízení %s nelze použít. Název není platný nebo zařízení se stále používá." -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Byl zadán neplatný klíč svazku." -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "K zařízení VERITY byl zadán neplatný kořenový haš." - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "Je potřeba podpis kořenového otisku." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "Jaderná klíčenka není jádrem podporována." -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Jaderná klíčenka chybí: je potřeba pro předání podpisu do jádra." -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "Klíč se nepodařilo přidat do jaderné klíčenky." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "K zařízení VERITY byl zadán neplatný kořenový haš." + +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "Opal nepodporuje odloženou deaktivaci." -#: lib/setup.c:4736 +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Odložené odebrání zařízení %s nebylo možné zrušit." -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Zařízení %s se stále používá." -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Neplatné zařízení %s." -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Vyhrazená paměť pro klíč svazku je příliš malá." -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Nelze získat klíč svazku pro zařízení LUKS2." -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Nelze získat klíč svazku pro zařízení LUKS1." -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Nelze získat klíč svazku pro otevřené zařízení." -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "K zařízení VERITY nelze získat kořenový otisk." -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Nelze získat klíč svazku pro zařízení BITLK." -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Nelze získat klíč svazku pro zařízení FVAULT2." -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Na šifrovaném zařízení %s není tato operace podporována." -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Operace výpisu není na zařízení tohoto typu podporována." -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Počátek dat není násobkem %u bajtů." -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Zařízení %s, které se stále používá, nelze konvertovat." -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Přiřazení pozice klíče %u jakožto nového klíče svazku se nezdařilo." -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Inicializace parametrů výchozí pozice klíče LUKS2 selhala." -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Přiřazení pozice klíče %d k otisku se nezdařilo." -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut." -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "Jaderná klíčenka není jádrem podporována." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Klíč se nepodařilo přidat do jaderné klíčenky." + +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Klíč se nepodařilo odstranit z klíčenky vlákna." -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Čtení hesla z klíčenky selhalo (chyba %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Klíčenku zadanou jako „%s“ nebylo možné nalézt." -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Získání zámku pro tvrdý přístup do globální paměti selhalo." -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Soubor s klíčem se nepodařilo otevřít." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Soubor s klíčem nelze z terminálu přečíst." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "O souboru s klíčem nebylo možné zjistit údaje." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Nelze se přesunout na požadované místo v souboru s klíčem." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Při čtení hesla došla paměť." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Chyba při čtení hesla." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Na vstupu není nic k přečtení." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Maximální délka souboru s klíčem překročena." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Požadované množství dat nelze načíst." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Zařízení %s není kompatibilní." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "U zařízení s daty se ignoruje chybná optimální velikost I/O (%u bajtů)." # TODO: Pluralize -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Zařízení %s je příliš malé. Je třeba alespoň % bajtů." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Zařízení %s nelze použít, protože se již používá (již namapováno nebo připojeno)." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Zařízení %s nelze použít, povolení zamítnuto." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "O zařízení %s nelze získat údaje." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Zařízení typu loopback nelze použít, nespuštěno superuživatelem." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Připojení zařízení zpětné smyčky selhalo (požadováno zařízení s příznakem autoclear)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Požadovaná poloha je za hranicí skutečné velikosti zařízení %s." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Zařízení %s má nulovou velikost." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Požadovaný cílový čas PBKDF nemůže být nula." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Neznámý druh PBKDF %s." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "Požadovaný haš %s není podporován." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Požadovaný druh PBKDF není podporován formátem LUKS1." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "Při PBKDF2 nesmí být nastavena maximální paměť pro PBKDF nebo počet souběžných vláken." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Vynucený počet opakování je pro %s příliš nízký (minimum je %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Vynucená cena paměti je pro %s příliš nízká (minimum je %u kilobajtů)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Požadovaná maximální cena PBKDF paměti je příliš vysoká (maximum je %d kilobajtů)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "Požadované maximum paměti PBKDF nemůže být nula." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Požadovaný počet souběžných vláken PBKDF nemůže být nula." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "V režimu FIPS je podporován jen PBKDF2." -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Porovnání výkonu PBKDF je zakázáno, ale počet iterací není nastaven." -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Neslučitelné volby PBKDF2 (při použití hašovacího algoritmu %s)." -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Neslučitelné volby PBKDF." @@ -800,16 +897,24 @@ msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (není adre msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (%s není adresářem)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Nelze se přesunout na požadované místo v zařízení." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Chyba při čištění zařízení na pozici %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "Chybné PSID systému Opal." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Zařízení Opal nelze vymazat." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -829,7 +934,7 @@ msgstr "Zápis šifry by měl být ve tvaru [šifra]-[režim]-[iv]." #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Na zařízení %s nelze zapsat, povolení zamítnuto." @@ -843,17 +948,17 @@ msgid "Failed to access temporary keystore device." msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Chyba vstupu/výstupu při šifrování pozice klíče." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -875,32 +980,32 @@ msgstr "Zařízení %s je příliš malé. (LUKS1 vyžaduje alespoň % b msgid "LUKS keyslot %u is invalid." msgstr "Pozice %u klíče LUKS není platná." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Požadovaný soubor se zálohou hlavičky %s již existuje." -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Soubor se zálohou hlavičky %s nelze vytvořit." -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Nelze zapsat soubor %s se zálohou hlavičky." -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS." #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Nelze otevřít soubor se zálohou hlavičky %s." -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Soubor se zálohou hlavičky %s nelze načíst." @@ -922,7 +1027,7 @@ msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na d msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči." -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -996,7 +1101,7 @@ msgstr "Režim LUKS šifry %s není platný." msgid "LUKS hash %s is invalid." msgstr "LUKS haš %s není platný." -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "V hlavičce LUKS nenalezen žádný známý problém." @@ -1016,8 +1121,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Poloha dat u hlavičky LUKS musí být buď 0 nebo více než velikost hlavičky." #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Poskytnut UUID LUKSu ve špatném tvaru." @@ -1054,7 +1159,7 @@ msgstr "Pozici s klíčem nezle otevřít (za použití haše %s)." msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d." -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Zařízení %s není možné smazat." @@ -1075,48 +1180,48 @@ msgstr "Zjištěn nekompatibilní soubor s klíčem loop-AES." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Jádro nepodporuje mapování kompatibilní s loop-AES." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Chyba při čtení souboru s klíčem %s" -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Překročena maximální délka hesla TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Hašovací algoritmus PBKDF2 %s není podporován, přeskakuje se." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "Požadované kryptografické rozhraní jádra není dostupné." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Ujistěte se, že jaderný modul algif_skcipher je zaveden." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Aktivace nad sektory o velikosti %d není podporována." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Jádro nepodporuje aktivaci v tomto zastaralém režimu TCRYPT." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Aktivuje se systémové šifrování TCRYPT pro oddíl %s." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována." @@ -1175,74 +1280,74 @@ msgstr "Z %s nebylo možné načíst položky metadat BITLK." msgid "Failed to convert BITLK volume description" msgstr "Převod popisu svazku BITLK se nezdařil" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Při rozboru externího klíče byla v metadatech nalezena položka nečekaného typu „%u“." -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "GUID „%s“ souboru BEK neodpovídá GUID svazku." -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Při rozboru externího klíče byla v metadatech nalezena položka s nečekanou hodnotou „%u“." -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Nepodporovaná metadata BEK verze %." -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Nečekaná velikost metadat BEK % neodpovídá délce souboru BEK" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Při rozboru startovacího klíče byla v metadatech nalezena nečekaná položka." -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Tato operace není podporována." -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Nečekaná velikost údajů o klíči." -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Toto zařízení BITLK je v nepodporovaném stavu a nelze jej aktivovat." -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Zařízení BITLK s typem „%s“ nelze aktivovat." -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Aktivace částečně dešifrovaného zařízení BITLK není podporována." -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "POZOR: Velikost svazku BitLockeru % neodpovídá velikosti zařízení ve zpod %" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu inicializačního vektoru BITLK." -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu difuzéru Elephant BITLK." -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu velikostí velkých sektorů." -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Zařízení nelze aktivovat. Chybí jaderný modul dm-zero." @@ -1281,29 +1386,33 @@ msgstr "Na zařízení %s poskytnuto UUID VERITY ve špatném tvaru." msgid "Error during update of verity header on device %s." msgstr "Chyba při aktualizaci hlavičky VERITY na zařízení %s." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "Ověření podpisu kořenového otisku není podporováno." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Je potřeba podpis kořenového otisku." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Chyby v zařízení FEC nelze opravit." # TODO: Pluralize -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Nalezeno %u opravitelných chyb v zařízení FEC." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "Jádro nepodporuje mapování dm-verity." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "Jádro nepodporuje volbu pro podpis dm-verity." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Po aktivaci zjistilo zařízení VERITY poškození." @@ -1397,7 +1506,7 @@ msgstr "Velikost zařízení %s se nepodařilo určit." msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Neslučitelná metadata jaderného dm-integrity (verze %u) byla nalezena na %s." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "Jádro nepodporuje mapování dm-integrity." @@ -1411,8 +1520,8 @@ msgstr "Jádro nepodporuje drobné zarovnání metadat dm-integrity." msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Jádro odmítá aktivovat volbu nebezpečného přepočtu (pro přebití vizte zastaralé volby aktivace)" -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Získání zámku pro zápis do zařízení %s selhalo." @@ -1429,50 +1538,60 @@ msgstr "" "Zařízení obsahuje nejednoznačný vzorec. LUKS2 nelze automaticky obnovit.\n" "Prosím, spusťte obnovu příkazem „cryptsetup repair“." -#: lib/luks2/luks2_json_format.c:229 -msgid "Requested data offset is too small." -msgstr "Požadovaná poloha dat je příliš nízká." - # TODO: Pluralize -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:231 #, c-format msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "POZOR: oblast s pozicemi klíčů (% bajtů) je příliš malá, dostupný počet pozic klíčů LUKS2 je značně omezen.\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_format.c:427 +msgid "Requested data offset is too small." +msgstr "Požadovaná poloha dat je příliš nízká." + +#: lib/luks2/luks2_json_format.c:468 +#, c-format +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "POZOR: Metadata LUKS2 změnila velikost na % bajtů.\n" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "POZOR: Oblast s pozicemi klíčů pro LUKS2 změnila velikost na % bajtů.\n" + +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Získání zámku pro čtení ze zařízení %s selhalo." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "V záloze %s byly zjištěny zakázané požadavky na LUKS2." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Počátek dat se liší mezi zařízením a zálohou, obnova se nezdařila." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Velikost binární hlavičky s oblastí pro pozice klíčů se liší mezi zařízením a zálohou, obnova se nezdařila." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Zařízení %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "neobsahuje hlavičku LUKS2. Nahrazení hlavičky může zničit data na daném zařízení." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "již obsahuje hlavičku LUKS2. Nahrazení hlavičky zničí existující pozice s klíči." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1482,7 +1601,7 @@ msgstr "" "POZOR: Ve skutečné hlavičce zařízení byly objeveny neznámé požadavky na LUKS2!\n" "Nahrazení hlavičky zálohou může zničit data na zařízení!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1492,58 +1611,92 @@ msgstr "" "POZOR: Na zařízení bylo objeveno nedokončené offline přešifrování!\n" "Nahrazení hlavičky zálohou může zničit data." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Neznámý příznak %s ignorován." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Chybí klíč pro dm-crypt část %u." -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Nastavení části dm-crypt selhalo." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Nastavení části dm-linear selhalo." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "V hlavičce LUKS2 nebyl nalezen žádný známý vzorek určující šifru." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "Zařízení Opal musí mít statickou velikost zařízení." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Šifrované zařízení Opal zajišťující neporušenost musí být menší než uzamykatelná oblast." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "Zařízení Opal musí mít stejnou velikost jako uzamykatelná oblast." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Opal zařízení %s je již odemknuto.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Nepodporovaná konfigurace integrity zařízení." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Dm-integrity zařízení nižší úrovně poskytlo nečekané datové sektory." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Probíhá přešifrování. Zařízení nelze deaktivovat." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Výměna pozastaveného zařízení %s za cíl dm-error selhala." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Zařízení %s bylo deaktivováno, avšak hardwarové zařízené Opal nelze uzamknout." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Čtení požadavků na LUKS2 selhalo." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Zjištěny nesplněné požadavky na LUKS2." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Operace se neslučuje se zařízením označeným pro zastaralé přešifrování. Operace se ruší." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Operace se neslučuje se zařízením označeným pro přešifrování LUKS2. Operace se ruší." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Operace se neslučuje se zařízením používajícím Opal. Operace se ruší." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Nedostatek paměti pro otevření pozice s klíčem." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Otevření pozice s klíčem selhalo." @@ -1552,331 +1705,343 @@ msgstr "Otevření pozice s klíčem selhalo." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Šifru %s-%s nelze použít pro pozici s klíčem." -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "Hašovací algoritmus %s není dostupný." -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Pozor: operace s pozicí klíče by mohla selhat, protože potřebuje více paměti, než je k dispozici.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Pro novou pozicí klíče není místo." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "Požadována neplatná změna režimu odolnosti při přešifrování." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Druh odolnosti nelze zaktualizovat. Nový druh poskytuje pouze % bajtů, požadovaná velikost je % bajtů." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Ověřovací otisk přešifrování se nepodařilo obnovit." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Nelze zjistit stav zařízení s UUID: %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Hlavičky s dodatečnými metadaty LUKSMETA nelze převést." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "LUKS2 neumožňuje použít šifru zadanou jako %s-%s." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Oblast s pozicemi klíčů nelze přesunout. Nedostatek místa." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Nelze převést do formátu LUKS2 – neplatná metadata." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Oblast s pozicemi klíčů nelze přesunout. Oblast s pozicemi klíčů LUKS2 je příliš malá." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Oblast s pozicemi klíčů nelze přesunout." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Nelze převést do formátu LUKS1 – výchozí velikost sektoru šifrování části není 512 bajtů." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Nelze převést do formátu LUKS1 – otisky v pozicích s klíči nejsou slučitelné s LUKS1." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Nelze převést do formátu LUKS1 – zařízení používá šifru se zabaleným klíčem %s." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Nelze převést do formátu LUKS1 – zařízení používá více částí." # TODO: Pluralize -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Nelze převést do formátu LUKS1 – hlavička LUKS2 obsahuje %u token(ů)." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u je v nesprávném stavu." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u (nad maximem pozic) je stále aktivní." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u není slučitelná s LUKS1." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Velikost horké zóny musí být násobek vypočteného zarovnání zóny (%zu bajtů)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Velikost zařízení musí být násobek vypočteného zarovnání zóny (%zu bajtů)." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Obálku pro starou část úložiště se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Obálku pro novou část úložiště se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Ochranu horké zóny se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Kontrolní součty pro aktuální horkou zónu se nepodařilo přečíst." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Čtení oblasti s horkou zónou počínaje na % selhalo." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Sektor %zu nebylo možné rozšifrovat." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Sektor %zu nebylo možné obnovit." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Velikosti zdrojového a cílového zařízení se neshodují. Zdroj %, cíl %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Aktivace zařízení horké zóny %s selhala." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Aktivace překryvného zařízení %s se skutečnou tabulkou původu selhala." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Zavedení nového mapování pro zařízení %s selhalo." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Zásobník zařízení k přešifrování se nepodařilo obnovit." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Nastavení velikosti nové oblasti s pozicemi klíčů selhalo." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Hodnota posunu dat není zarovnána s velikostí šifrovaného sektoru (% bajtů)." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Nepodporovaný režim odolnosti %s" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "Velikost přesunované oblasti nemůže být větší než hodnota posunu dat." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Neplatné parametry režimu odolnosti při přešifrování." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Přesunovaná oblast je příliš velká. Požadovaná velikost %, dostupné místo %." -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Vyprázdnění tabulky selhalo." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "Zmenšená velikost dat je větší než velikost skutečného zařízení" -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Zařízení s daty není zarovnáno na velikost šifrovaného sektoru (% bajtů)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Posun dat (% sektorů) je menší než budoucí poloha dat (% sektorů)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Zařízení %s nebylo možné otevřít ve výlučném režimu (již namapováno nebo připojeno)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Zařízení není označeno pro přešifrování LUKS2." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Načtení kontextu přešifrování LUKS2 selhalo." -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Stavu přešifrování se nepodařilo zjistit." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Zařízení se nepřešifrovává." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Proces přešifrování již běží." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Získání zámku pro přešifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "V přešifrování nelze pokračovat. Spusťte nejprve obnovu přešifrování." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "Aktivní velikost zařízení a velikost požadovaná k přešifrování si neodpovídají." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "V parametrech přešifrování je požadována zakázaná velikost zařízení." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Probíhá přešifrování. Obnovu nelze provést." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "V metadatech je přešifrování LUKS2 již inicializováno." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Inicializace přešifrování LUKS2 v metadatech selhala." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Na zařízeních DAX (trvalá paměť) není přešifrování podporováno." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Čtení hesla z klíčenky selhalo." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Nastavení segmentů zařízení pro další horkou zónu přešifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Metadata pro odolnost při přešifrování se nepodařilo zapsat." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Rozšifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Zápis oblasti s horkou zónou počínaje na % selhal." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Synchronizace dat selhala." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Po dokončení přešifrování aktuální horké zóny se nepodařilo aktualizovat metadata." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Zápis metadat LUKS2 selhal." -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Vyčištění oblasti zařízení s nepoužívanými daty selhalo." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Odstranění nepoužívané (nepřiřazené) pozice s klíčem %d selhalo." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Odstranění pozice s klíčem přešifrování selhalo." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Nepřekonatelná chyba při přešifrování bloku na pozici % dlouhého % sektorů." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Přešifrování za běhu selhalo." -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Zařízení neprobouzejte, dokud jej ručně nenahradíte chybovým cílem." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "V přešifrování nelze pokračovat. Přešifrování se nachází v nečekaném stavu." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Chybějící nebo neplatný kontext přešifrování." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Zásobník zařízení k přešifrování se nepodařilo inicializovat." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Kontext přešifrování se nepodařilo aktualizovat." @@ -1884,80 +2049,121 @@ msgstr "Kontext přešifrování se nepodařilo aktualizovat." msgid "Reencryption metadata is invalid." msgstr "Metadata o přešifrování jsou neplatná." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "Opal oblast %d na pozici % neodpovídá očekávaným hodnotám %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "Délka %2$ Opal oblasti %1$d neodpovídá velikosti zařízení %3$" + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "Uzamykaní Opal oblasti %d je vypnuto." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Nečekaný status uzamykání Opal oblasti %d" + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Parametry pro šifrování pozice s klíčem lze nastavit jen u zařízení LUKS2." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Zadejte PIN k tokenu: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Zadejte PIN k tokenu %d: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Nelze najít žádný známý vzorek se specifikaci šifry." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "POZOR: Pro šifru se použijí výchozí volby (%s-%s, velikost klíče %u bitů), což může být neslučitelné se staršími verzemi." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "POZOR: Pro haš se použijí výchozí volby (%s), což by mohlo být neslučitelné se staršími verzemi." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "Pro režim plain vždy použijte volby --cipher a --key-size a není-li zadán soubor s klíčem, rovněž --hash." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "POZOR: Jedná-li se o režim plain a je-li určen soubor s klíčem, parametr --hash se ignoruje.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "POZOR: Přepínač --keyfile-size se ignoruje, velikost pro čtení je stejná jako velikosti šifrovacího klíče.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "Prohledávání blkid selhalo u %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Na %s byla nalezen vzorec zařízení. Pokračování může poškodit existující data." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Operace zrušena.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Je vyžadován přepínač --key-file." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Zadejte PIM VeraCryptu: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Neplatná hodnota VIM: chyba rozboru" -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Neplatná hodnota PIM: 0" -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Neplatná hodnota PIM: mimo rozsah" -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "S tímto heslem není rozpoznatelná žádná hlavička zařízení." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Zařízení %s není platným zařízením BITLK." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Nelze určit velikost BITLK klíče svazku. Prosím, použijte přepínač --key-size." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1967,7 +2173,7 @@ msgstr "" "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n" "Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1977,78 +2183,85 @@ msgstr "" "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n" "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Zařízení %s není platným zařízením FVAULT2." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Nelze určit velikost klíče svazku pro FVAULT2. Prosím, použijte přepínač --key-size." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Zařízení %s je stále aktivní a naplánováno pro odložené odstranění.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Cestu k externím tokenům %s se nepodařilo nastavit." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Změna velikosti aktivního zařízení vyžaduje klíč svazku v klíčence. Byl však použit přepínač --disable-keyring." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Hodnocení výkonu přerušeno." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s –\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iterací za sekundu pro %zubitový klíč\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s –\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iterací, %5u paměti, %1u souběžných vláken (procesorů) pro %zubitový klíč (požadován čas %u ms)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Výsledek hodnocení výkonu není spolehlivý." # ???: are aproximated? -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Testy jsou počítány jen z práce s pamětí (žádné I/O úložiště).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*sAlgoritmus | Klíč | Šifrování | Dešifrování\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Šifra %s (s %ibitovým klíčem) není dostupná." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algoritmus | Klíč | Šifrování | Dešifrování\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "–" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2057,27 +2270,27 @@ msgstr "" "přešifrování je žádoucí (vizte výstup luksDump) a pokračujte (zvýšení verze\n" "metadat) pouze, když poznáte, že operace je chtěná." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Zadejte heslo pro ochránění metadat o přešifrování a pro zvýšení jejich verze: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Opravdu pokračovat s obnovou přešifrování LUKS2?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Zadejte heslo pro ověření otisku metadat o přešifrování: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Zadejte heslo pro obnovení přešifrování: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Opravdu se pokusit opravit hlavičku zařízení LUKS?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2085,7 +2298,7 @@ msgstr "" "\n" "Výmaz přerušen." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2094,130 +2307,146 @@ msgstr "" "Lze přerušit pomocí Ctrl+C (zbytek nesmazaného zařízení bude obsahovat\n" "neplatné součty).\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Dočasné zařízení %s nelze deaktivovat." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "Volby integrity lze použít jen při formátu LUKS2." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Nepodporované volby velikosti metadat LUKS2." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "Opal je podporován jen s formátem LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Soubor s hlavičkou neexistuje. Chcete jej vytvořit?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Soubor s hlavičkou %s nelze vytvořit." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Nelze najít žádný známý vzorek se specifikací integrity." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "%s nelze použít pro hlavičku uvnitř disku." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Toto nevratně přepíše data na %s." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Heslo správce Opal nemůže být prázdné." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Nastavení parametrů PBKDF selhalo." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "Určení typu v přepínači --link-vk-to-keyring pro zadání klíčenky se ignoruje." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Neplatná hodnota --link-vk-to-keyring." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Zmenšená poloha dat je dovolena jen u oddělené hlavičky LUKS." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "Souborový kontejner LUKS %s je na aktivaci příliš malý. Nezbývá žádné místo pro data." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Bez pozic pro klíče nelze určit velikost LUKS klíče svazku. Prosím, použijte přepínač --key-size." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Zařízení aktivováno, ale příznaky nelze učinit trvalými." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Ke smazání vybrán klíč na pozici %d." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "" "Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n" "zařízení použít." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Zadejte jakékoliv jiné heslo: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Operace zrušena, pozice klíče NEBYLA vymazána.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Zadejte heslo, které se má smazat: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Zařízení %s není platným zařízením LUKS2." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Zadejte nové heslo pro pozici klíče: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "POZOR: Parametr --key-slot se použije pro číslo nové pozice klíče.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Zadejte jakékoliv existující heslo: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Zadejte heslo, které má být změněno: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Zadejte nové heslo: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Zadejte heslo pro pozici klíče, který má být převeden: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "U operace isLuks je podporován pouze jeden argument se zařízením." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Pozice klíče %d neobsahuje nepřiřazený klíč." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2225,40 +2454,52 @@ msgstr "" "Výpis hlavičky s nepřiřazeným klíčem je citlivý údaj.\n" "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s není název aktivního zařízení %s." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s není název aktivního zařízení LUKS nebo mu chybí hlavička." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Je vyžadován přepínač --header-backup-file." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s není zařízení spravované nástrojem cryptsetup." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Reaktivace není na zařízení typu %s podporována" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Nerozpoznaná metadata druhu zařízení %s." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Příkaz vyžaduje jako argumenty zařízení a mapovaný název." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Zadejte Opal PSID: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Zadejte heslo správce Opal: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "POZOR: CELÝ disk bude uveden do továrního nastavení a všechna data budou ztracena! Pokračovat?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2267,356 +2508,356 @@ msgstr "" "Tento úkon smaže všechny pozice s klíči na zařízení %s.\n" "Po jeho dokončení zařízení bude nepoužitelné." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Operace zrušena, pozice s klíči NEBYLY smazány.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Neplatný druh formátu LUKS. Podporován je pouze LUKS1 a LUKS2." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Zařízení je již druhu %s." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Tato operace převede formát %s na %s.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Operace zrušena, zařízení NEBYLO převedeno.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Chybí přepínač --priority, --label nebo --subsystem." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Token %d je neplatný." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Token %d se používá." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Přidání tokenu %d klíčenky LUKS2 selhalo." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Přiřazení tokenu %d do pozice s klíčem %d selhalo." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Token %d se nepoužívá." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Import tokenu ze souboru selhal." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Získání tokenu %d za účelem exportu selhalo." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Token %d není přiřazen pozici s klíčem %d." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Zrušení přiřazení tokenu %d k pozici s klíčem %d selhalo." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Přepínače --veracrypt a --disable-veracrypt jsou podporovány jen u typu zařízení TCRYPT." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Přepínač --veracrypt-pim je podporován jen u zařízení kompatibilním s VeraCrypt." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Přepínač --veracrypt-query-pim je podporován jen u zařízení kompatibilním s VeraCrypt." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Přepínače --veracrypt-pim a --veracrypt-query-pim se vzájemně vylučují." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Přepínač --persistent není dovolen současně s --test-passphrase." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Přepínače --refresh a --test-passphrase se vzájemně vylučují." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Při otevírání je přepínač --offset podporován jen u zařízení plain a loopaes." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "Otevírání s přepínačem velikosti sektoru je podporován jen u zařízení plain." # FIXME: "Large IV sectors" should read "IV large sectors". -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Volba inicializačního vektoru s velkými sektory je podporována jen při otevírání zařízení typu plain s velikostí sektoru větší než 512 bajtů." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS, TCRYPT, BITLK a FVAULT2." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Přepínače --device-size a --size nelze kombinovat." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "Přepínač --unbound je dovolen jen při otevírání zařízení LUKS." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Přepínač --unbound není dovolen současně s --test-passphrase." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Přepínače --cancel-deferred a --deferred se vzájemně vylučují." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Přepínače --reduce-device-size a --data-size nelze kombinovat." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Přepínače --reduce-device-size a --device-size nelze kombinovat." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Přepínač --active-name lze použít jen u zařízení LUKS2." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Přepínače --active-name a --force-offline-reencrypt nelze kombinovat." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Je nutné určit pozici s klíčem." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Přepínače --align-payload a --offset nelze kombinovat." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Přepínač --integrity-no-wipe smí být použit jen při formátování s rozšířením integrity." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "Přepínač --unbound vyžaduje velikost klíče." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "Neplatná operace tokenu." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Parametr --key-description je při přidávání tokenu povinný." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "Akce vyžaduje určitý token. Použijte parametr --token-id." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "Přepínač --unbound lze použít pouze s akcí přidání." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Přepínače --key-slot a --unbound nelze kombinovat." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "Akce vyžaduje určitou pozici klíče. Použijte parametr --key-slot." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type ] []" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "otevře zařízení jako " -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "zavře zařízení (odstraní mapování)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "změní velikost aktivního zařízení" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "zobrazí stav zařízení" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher <šifra>]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "zhodnotí výkon šifry" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "pokusí se opravit metadata uložená na disku" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "přešifruje zařízení LUKS2" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "smaže všechny pozice s klíči (odstraní šifrovací klíč)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "převede formát LUKS do/z formátu LUKS2" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "nastaví trvalé volby konfigurace pro LUKS2" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "naformátuje zařízení LUKS" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "do zařízení LUKS přidá klíč" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "změní zadaný klíč nebo soubor s klíčem u zařízení LUKS" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "převede klíč do nových parametrů PBKDF" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "smaže klíč s číslem ze zařízení LUKS" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "zobrazí UUID zařízení LUKS" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "otestuje na hlavičku oddílu LUKS" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "vypíše údaje o oddílu LUKS" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "vypíše údaje o oddílu TCRYPT" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "vypíše údaje o zařízení BITLK" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "vypíše údaje o zařízení FVAULT2" # TODO: not consistent with previous line -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)" # TODO: not consistent with previous line -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Probudí uspané zařízení LUKS" # TODO: not consistent with previous line -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Zálohuje hlavičku zařízení LUKS a jeho pozice s klíči" # TODO: not consistent with previous line -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Obnoví hlavičku zařízení LUKS a jeho pozice s klíči" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Zachází s tokeny LUKS2" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2624,7 +2865,7 @@ msgstr "" "\n" " je jedna z:\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2636,7 +2877,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2651,7 +2892,7 @@ msgstr "" " je číslo pozice klíče LUKS, který se má upravit\n" " je volitelný soubor s novým klíčem pro akci luksAddKey\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2660,30 +2901,28 @@ msgstr "" "\n" "Výchozí zakompilovaný formát metadat (pro akci luksFormat) je %s.\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Podpora pro zásuvný modul externího tokenu LUKS2 je %s.\n" +"Podpora pro zásuvný modul externího tokenu LUKS2 je zapnuta.\n" -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "zakompilována" - -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Cesta k zásuvnému modulu externího tokenu LUKS2: %s.\n" -# Support is %s -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "vypnuta" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Podpora pro zásuvný modul externího tokenu LUKS2 je vypnuta.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2700,7 +2939,7 @@ msgstr "" "Výchozí PBKDF pro LUKS2: %s\n" "\tDoba iterací: %d, nutná paměť: %d kB, souběžná vlákna: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2715,96 +2954,100 @@ msgstr "" "\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n" "\tLUKS: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: V režimu XTS (dva vnitřní klíče) bude výchozí velikost klíče zdvojnásobena.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: vyžaduje %s jako argumenty" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Pozice klíče není platná." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "Velikost zařízení musí být násobkem 512bajtových sektorů." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "Zadána neplatná maximální velikost horké zóny při přešifrování." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "Velikost klíče musí být násobkem 8 bitů." -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "Maximální velikost zmenšení zařízení je 1 GiB." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Velikost zmenšení musí být násobkem 512bajtových sektorů." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Přepínač --priority smí mít pouze argument ignore, normal a prefer." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Zobrazí tuto nápovědu" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Zobrazí stručný návod na použití" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Vypíše verzi balíku" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Přepínače nápovědy:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[PŘEPÍNAČ…] " -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Chybí argument ." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Neznámá akce." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Je dovolen pouze jeden argument přepínače --key-file." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Funkce pro odvození klíče na základě hesla (PBKDF) smí být pouze pbkdf2 nebo argon2i/argon2id." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Vynucené iterace PBKDF nelze kombinovat s volnou doby iterací." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Je-li klíčenka vypnuta, klíč svazku nelze do klíčenky přidat." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Přepínače --keyslot-cipher a --keyslot-key-size musí být použity spolu." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Žádný úkon nebude proveden. Zavoláno s přepínačem --test-args.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Zamykání metadata nelze vypnout." @@ -2869,7 +3112,7 @@ msgstr "Příkaz vyžaduje argument nebo přepínač --root-ha msgid " " msgstr " " -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "naformátuje zařízení" @@ -2885,7 +3128,7 @@ msgstr "ověří zařízení" msgid " []" msgstr " []" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "zobrazí stav aktivního zařízení" @@ -2893,7 +3136,7 @@ msgstr "zobrazí stav aktivního zařízení" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "zobrazí údaje z disku" @@ -2923,11 +3166,11 @@ msgstr "" "Výchozí zakompilované parametry dm-verity:\n" "\tHaš: %s, Datový blok (bajty): %u, Blok hašů (bajty): %u, Velikost soli: %u, Formát haše: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Přepínače --ignore-corruption a --restart-on-corruption nelze použít najednou." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Přepínač --panic-on-corruption a --restart-on-corruption nelze použít najednou." @@ -2941,29 +3184,29 @@ msgstr "" "Pro zachování datového zařízení použije přepínač --no-wipe (a pak jej\n" "aktivujte pomocí --integrity-recalculate)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formátováno s velikostí značky %u, vnitřní integrita %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Nastavení příznaku přepočtu není podporováno, místo toho zvažte použití --wipe." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Zařízení %s není platným zařízením INTEGRITY." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2974,7 +3217,7 @@ msgstr "" " je zařízení, které bude vytvořeno pod %s\n" " je zařízení obsahující data se značkami integrity\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2988,40 +3231,40 @@ msgstr "" "\tMaximální velikost souboru s klíčem: %d kB\n" # TODO: Pluralize -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Neplatná velikost --%s. Maximální je %u bajtů." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Musí být zadány oba přepínače pro soubor s klíčem a velikostí klíče." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Musí být zadány oba přepínače pro soubor s klíčem žurnálu a velikostí klíče." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Je-li použit klíč integrity žurnálu, musí být zadán algoritmus integrity žurnálu." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Musí být zadány oba přepínače pro soubor s šifrovacím klíčem žurnálu a velikostí klíče." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Je-li použit šifrovací klíč žurnálu, musí být zadán algoritmus šifrování žurnálu." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Přepínače režimu bitmapy a obnovení se vzájemně vylučují." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Přepínače žurnálu nelze použití spolu s režimem bitmapy." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Přepínače bitmapy lze použít jen při režimu bitmapy." @@ -3235,58 +3478,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Kontrola odolnosti hesla selhala: Špatné heslo (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Chyba při čtení hesla z terminálu." -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Ověřte heslo: " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Hesla se neshodují." -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Ve vstupu z terminálu nelze měnit polohu." -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Zadejte heslo: " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Zadejte heslo pro %s: " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "S tímto heslem není dostupný žádný klíč." -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Nejsou dostupné žádné použitelné pozice s klíči." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Se vstupem mimo terminál nelze ověřit heslo." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Soubor %s se nepodařilo otevřít pouze pro čtení." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Poskytněte JSON s platným tokenem LUKS2:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "Soubor s dokumentem JSON se nepodařilo přečíst." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3294,12 +3537,12 @@ msgstr "" "\n" "Čtení přerušeno." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Otevření souboru %s pro zápis selhalo." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3307,7 +3550,7 @@ msgstr "" "\n" "Zápis přerušen." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "Zapsaní souboru s dokumentem JSON selhalo." @@ -3375,15 +3618,19 @@ msgstr "Zařízení vyžaduje obnovu přešifrování. Spusťte nejprve opravu." msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Zařízení %s je již ve stavu přešifrování LUKS2. Přejete si dokončit dříve zahájenou operaci?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Zastaralé přešifrování LUKS2 již není podporováno." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Zařízení LUKS2 nastavené k používání Opal nelze přešifrovat." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Přešifrování zařízení s profilem integrity není podporováno." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3392,103 +3639,103 @@ msgstr "" "Požadovaný --sector-size % není slučitelný se superblokem %s\n" "(velikost bloku % bajtů) nalezeném na zařízení %s." -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Přešifrování bez oddělené hlavičky (--header) není možné bez zmenšení velikosti datového zařízení (--reduce-device-size)." -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Požadovaný počátek dat musí být menší nebo roven polovině parametru --reduce-device-size" -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Upravuje se hodnota --reduce-device-size na dvojnásobek --offset % (v sektorech).\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Dočasný soubor s hlavičkou %s již existuje. Operace se ruší." -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Dočasný soubor s hlavičkou %s nelze vytvořit." -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Velikost metadat LUKS2 je větší než hodnota posunu dat." -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Umístění nové hlavičky na začátek zařízení %s selhalo." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu.\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Aktivní zařízení %s není LUKS2." -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Obnovuje se původní hlavička LUKS2." -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Obnovení původní hlavičky LUKS2 selhalo." -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Soubor s hlavičkou %s neexistuje. Přejete si zahájit dešifrování LUKS2 zařízení %s a export hlavičku LUKS2 do souboru %s?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Přidání práv na čtení/zápis souboru s hlavičkou selhalo." -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Inicializace přešifrování selhala. Záloha hlavičky je dostupná v %s." -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "Dešifrování LUKS2 je podporováno jen u zařízení s oddělenou hlavičkou (počátek dat na 0)." -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Nedostatek pozic s klíči pro přešifrování." -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče." -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Zadejte heslo pro pozici klíče %d: " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Zadejte heslo pro pozici klíče %u: " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Přepíná se algoritmus šifrování dat na %s.\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Žádné parametry oblasti s daty nebyly změněny. Přešifrování zrušeno." -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3497,7 +3744,7 @@ msgstr "" "podporováno. Nejprve zařízení aktivujte, nebo použijte přepínač\n" "--force-offline-reencrypt (nebezpečné!)." -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3506,62 +3753,62 @@ msgstr "" "\n" "Přešifrování přerušeno." -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Dokončuje se přešifrování LUKS ve vynuceném režimu offline.\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Zařízení %s obsahuje porušená metadata LUKS. Operace se ruší." -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Zařízení %s je již zařízením LUKS. Operace se ruší." -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Zařízení %s je již ve stavu přešifrování LUKS. Operace se ruší." -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "Dešifrování LUKS2 vyžaduje přepínač --header." -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "Příkaz vyžaduje jako argument zařízení." -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Neslučitelné verze. Zařízení %s je LUKS1." -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS1." -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Neslučitelné verze. Zařízení %s je LUKS2." -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS2." -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Přešifrování LUKS2 je již inicializováno. Operace se ruší." -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Neprobíhá žádné přešifrování zařízení." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá." @@ -3697,35 +3944,35 @@ msgstr "POZOR: Zařízení %s již obsahuje vzorec oddílu „%s“.\n" msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "POZOR: Zařízení %s již obsahuje vzorec superbloku „%s“.\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Sondu vzorců zařízení se nepodařilo inicializovat." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "O zařízení %s nebylo možné zjistit údaje." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Soubor %s nebylo možné otevřít pro čtení i zápis." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Existující vzorec oddílu „%s“ na zařízení %s bude vymazán." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Existující vzorec superbloku „%s“ na zařízení %s bude vymazán." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Odstranění vzorce ze zařízení selhalo." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Otestování zařízení %s na vzorce selhalo." @@ -3740,11 +3987,11 @@ msgstr "Zadána neplatná velikost v parametru --%s." msgid "Option --%s is not allowed with %s action." msgstr "Přepínač --%s není dovolen s akcí %s." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Zapsaní dokumentu JSON pro token SSH selhalo." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3760,105 +4007,109 @@ msgstr "" "\n" "Poznámka: Údaje poskytnuté při přidávání tokenu (adresa SSH serveru, uživatel a cesta) budou uloženy do hlavičky LUKS2 v nešifrované podobě." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Přepínače pro akci „add“:" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "IP adresa / URL vzdáleného serveru pro tento token" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Uživatelské jméno ke vzdálenému serveru" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Cesta k souboru s klíčem na vzdáleném serveru" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Cesta ke klíči SSH pro připojení ke vzdálenému serveru" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Cesta k adresáři obsahujícímu externí tokeny pro libcryptsetup" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Pozice klíče, ke které se má přiřadit token. Nebude-li určeno, token bude přiřazen k první pozici odpovídající poskytnutému heslu." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Obecné přepínače:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Zobrazuje podrobnější chybové hlášky" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Zobrazuje ladicí hlášky" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Zobrazuje ladicí hlášky včetně metadat JSON" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Otevření a import soukromého klíče selhalo:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Import soukromého klíče selhal (chráněný heslem?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Heslo pro %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Rozbor argumentů selhal.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Je třeba zadat akci\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat zařízení.\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat SSH server.\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat uživatele SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat SSH cestu.\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Pro akci „%s“ je třeba zadat cestu ke klíči SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Otevření %s pomocí zadaných přihlašovacích údajů selhalo.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "V současnosti je tímto modulem podporována pouze akce „add“.\n" @@ -3903,6 +4154,13 @@ msgstr "Na stroji není povolena autentizace veřejným klíčem.\n" msgid "Public key authentication error: " msgstr "Chyba při autentizaci veřejným klíčem: " +#~ msgid "compiled-in" +#~ msgstr "zakompilována" + +# Support is %s +#~ msgid "disabled" +#~ msgstr "vypnuta" + #~ msgid "WARNING: Data offset is outside of currently available data device.\n" #~ msgstr "POZOR: Poloha dat je mimo nyní dostupné zařízení s daty.\n" @@ -3927,9 +4185,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "Failed to disable reencryption requirement flag." #~ msgstr "Vypnutí příznaku požadavku na přešifrování selhalo." -#~ msgid "Encryption is supported only for LUKS2 format." -#~ msgstr "Šifrování je podporováno jen s formátem LUKS2." - #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" #~ msgstr "Na %s zjištěno zařízeno LUKS. Přejete si toto zařízení LUKS znovu zašifrovat?" @@ -3996,9 +4251,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: " #~ msgid "No free token slot." #~ msgstr "Žádná volná pozice s tokenem" -#~ msgid "Failed to create builtin token %s." -#~ msgstr "Vestavěný token %s nebylo možné vytvořit" - #~ msgid "Invalid LUKS device type." #~ msgstr "Neplatný druh zařízení LUKS." diff --git a/po/de.po b/po/de.po index b3b84fb..9f0a5fb 100644 --- a/po/de.po +++ b/po/de.po @@ -5,10 +5,10 @@ # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 22:57+0100\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-29 00:11+0100\n" "Last-Translator: Roland Illig \n" "Language-Team: German \n" "Language: de\n" @@ -17,7 +17,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -"X-Generator: Poedit 3.2.2\n" +"X-Generator: Poedit 3.4.2\n" #: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." @@ -27,58 +27,62 @@ msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden, da da msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden. Ist das Kernelmodul »dm_mod« geladen?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Verlangter »deferred«-Schalter wird nicht unterstützt." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID für Gerät »%s« wurde verkürzt." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Unbekannte Art des dm-Ziels." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Die verlangten dm-crypt-Performance-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Die verlangten dm-verity-Datenbeschädigungs-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "Die verlangte dm-verity-Tasklet-Option wird nicht unterstützt." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Die verlangten dm-verity-FEC-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Die verlangten Datenintegritäts-Optionen werden nicht unterstützt." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "Die verlangte sector_size-Option wird nicht unterstützt." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "Gerätegröße ist kein Vielfaches der gewünschten Sektorgröße." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Die verlangte automatische Berechnung der Integritätsangaben wird nicht unterstützt." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "»Discard/TRIM« wird nicht unterstützt." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Der verlangte Bitmap-Modus für dm-Integrität wird nicht unterstützt." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Fehler beim Abfragen des »dm-%s«-Segments." @@ -112,653 +116,743 @@ msgstr "Unbekannte Qualität des Zufallszahlengenerators verlangt." msgid "Error reading from RNG." msgstr "Fehler beim Einlesen vom Zufallszahlengenerator." -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "OPAL-Unterstützung ist in libcryptsetup deaktiviert." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Gerät »%s« oder Kernel unterstützt OPAL-Verschlüsselung nicht." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Fehler beim Initialisieren des Krypto-Zufallszahlengenerator-Backends." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Fehler beim Initialisieren des Krypto-Backends." -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Hash-Algorithmus »%s« wird nicht unterstützt." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Diese Operation wird nur für LUKS2-Geräte unterstützt." -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Alle Schlüsselfächer sind voll." -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %d." -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes." -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet." -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Header gefunden, aber Gerät »%s« ist zu klein." -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Diese Operation wird für diese Geräteart nicht unterstützt." -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Ungültige Operation, während die Wiederverschlüsselung läuft." -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Fehler beim Rückabwickeln der LUKS2-Metadaten im Speicher." -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät." -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Nicht unterstützte LUKS-Version %d." -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Kein bekanntes Verschlüsselungsmuster für aktives Gerät »%s« entdeckt." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Gerät »%s« ist nicht aktiv." -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Zugrundeliegendes Gerät für das Kryptogerät »%s« ist verschwunden." -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Ungültige Parameter für Plain-Verschlüsselung." -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Ungültige Schlüsselgröße." -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "UUID wird für diese Verschlüsselungsart nicht unterstützt." -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Gerät für separierte Metadaten wird für diese Verschlüsselungsart nicht unterstützt." -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung." -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "Gerätegröße ist nicht an verlangter Sektorgröße ausgerichtet." -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Ohne Gerät kann LUKS nicht formatiert werden." -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "Die angeforderte Datenausrichtung ist nicht mit dem Datenoffset kompatibel." -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "Warnung: DAX-Gerät kann Daten beschädigen, da es nicht garantiert, dass Sektoren atomar aktualisiert werden.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Fehler beim Auslöschen des Headers auf Gerät »%s«." -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Gerät %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden.\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "WARNUNG: Die Geräteaktivierung wird fehlschlagen, dm-crypt fehlt die Unterstützung für die angeforderte Verschlüsselungsgröße.\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Laufwerksschlüssel ist zu klein für die Verschlüsselung mit Integritätserweiterungen." -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Verschlüsselung »%s-%s« (Schlüsselgröße %zd Bits) ist nicht verfügbar." -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "Warnung: Größe der LUKS2-Metadaten wurde auf % geändert.\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "Warnung: Größe des LUKS2-Schlüsselfachbereichs wurde auf % Bytes geändert.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "WARNUNG: Die Geräteaktivierung wird fehlschlagen, dm-crypt fehlt die Unterstützung für die angeforderte Verschlüsselungsgröße.\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Gerät »%s« ist zu klein." -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Gerät »%s« kann nicht formatiert werden, da es gerade benutzt wird." -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Gerät »%s« kann nicht formatiert werden, Zugriff verweigert." -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Fehler beim Formatieren der Integrität auf Gerät »%s«." -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Gerät »%s« kann nicht formatiert werden." -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Fehler beim Ermitteln der OPAL-Ausrichtungs-Parameter." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Falsche Größe für logischen OPAL-Block." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "Der gewünschte Datenoffset ist nicht mit der OPAL-Blockgröße kompatibel." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "Die gewünschte Datenausrichtung ist nicht mit der OPAL-Ausrichtung kompatibel." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "Der Datenoffset erfüllt die OPAL-Ausrichtungsbedingungen nicht." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "Die gewünschte Datenausrichtung erfüllt die Anforderungen an die Ausrichtung des Sperrbereichs nicht." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Gerätegröße wird um % Sektoren angepasst, um zur Granularität der OPAL-Ausrichtung zu passen." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Fehler beim Zugriff auf die OPAL-Sperre für das Gerät »%s«." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Falscher OPAL-Admin-Schlüssel." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Fehler beim Einrichten des OPAL-Segments." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Gerät »%s« kann nicht formatiert werden, OPAL-Gerät scheint jetzt komplett schreibgeschützt zu sein." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Das könnte ein Fehler in der Firmware sein. Lassen Sie »OPAL PSID reset und reconnect« zur Wiederherstellung." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "Fehler beim Zurücksetzen des Sperrbereichs %d auf Gerät »%s«." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Ohne Gerät kann LOOPAES nicht formatiert werden." -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Ohne Gerät kann VERITY nicht formatiert werden." -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Nicht unterstützte VERITY-Hash-Art %d." -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Nicht unterstützte VERITY-Blockgröße." -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Nicht unterstützter VERITY-Hash-Offset." -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Nicht unterstützter VERITY-FEC-Offset." -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "Datenbereich und Hashbereich überlappen sich." -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "Hashbereich und FEC-Bereich überlappen sich." -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "Datenbereich und FEC-Bereich überlappen sich." -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "WARNUNG: Angeforderte Taggröße mit %d Bytes unterscheidet sich von der Ausgabe der Größe %s (%d Bytes).\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Unbekannte Art des Verschlüsselungsgeräts »%s« verlangt." -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Nicht unterstützte Parameter für Gerät %s." -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Parameter für Gerät %s sind durcheinander." -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Verschlüsselungsgeräte passen nicht zusammen." -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Gerät »%s« konnte nicht neugeladen werden." -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Gerät »%s« konnte nicht stillgelegt werden." -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Gerät »%s« konnte nicht fortgesetzt werden." -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Schwerwiegender Fehler beim Neuladen von Gerät »%s« (über Gerät »%s«)." -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Gerät »%s« konnte nicht auf dm-error umgeschaltet werden." -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Größe des LUKS2-Geräts kann nicht geändert werden, da sie statisch ist." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "Fehler beim Ändern der Größe des Loopback-Geräts." -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "WARNUNG: Die maximale Größe ist bereits eingestellt oder der Kernel unterstützt die Größenänderung nicht.\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Fehler bei Größenänderung, der Kernel unterstützt sie nicht." -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Wollen Sie wirklich die UUID des Geräts ändern?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Header-Backupdatei enthält keinen kompatiblen LUKS-Header." -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Laufwerk »%s« ist nicht aktiv." -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Laufwerk »%s« ist bereits im Ruhezustand." -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand." -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden." -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Gerät »%s« ist im Ruhezustand, aber das Hardware-OPAL-Gerät kann nicht gesperrt werden." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden." -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand." -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Fehler beim Verknüpfen des Schlüssels zum angegebenen Schlüsselbund." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Fehler beim Ablösen des Laufwerkschlüssels vom benutzerspezifischen Schlüsselbund." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Fehler beim Verknüpfen des Laufwerkschlüssels im benutzerspezifischen Schlüsselbund." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Laufwerk »%s« ist nicht im Ruhezustand." -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk." -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden." -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "Schlüsselfach %d ist ungültig." -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "Schlüsselfach %d ist nicht aktiv." -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "Geräteheader und Datenbereich überlappen sich." -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Wiederverschlüsselung läuft bereits. Das Gerät kann nicht aktiviert werden." -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Fehler beim Zugriff auf die Sperre zur Wiederverschlüsselung." -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung." -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Geräteart ist nicht richtig initialisiert." -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Das Gerät »%s« existiert bereits." -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Gerät »%s« kann nicht verwendet werden, da es gerade benutzt wird oder der Name ungültig ist." -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben." -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben." - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "Signatur des Stammhashes erforderlich." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt." -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Der Kernel-Schlüsselbund fehlt. Wird benötigt, um die Signatur zum Kernel zu übergeben." -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben." + +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL unterstützt verzögertes Deaktivieren nicht." -#: lib/setup.c:4736 +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Fehler beim Abbrechen des verzögerten Löschens von Gerät »%s«." -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Gerät »%s« wird gerade benutzt." -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Ungültiges Gerät »%s«." -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Laufwerks-Schlüsselpuffer zu klein." -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS2-Gerät." -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS1-Gerät." -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät." -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "Root-Hash für Verity-Gerät kann nicht ermittelt werden." -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für BITLK-Gerät." -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für FVAULT2-Gerät." -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt." -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt." -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Datenoffset ist kein Vielfaches von %u Bytes." -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Gerät »%s« kann nicht konvertiert werden, da es gerade benutzt wird." -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Schlüsselfach %u konnte nicht dem Laufwerksschlüssel zugeordnet werden." -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Fehler beim Initialisieren der LUKS2-Schlüsselfach-Parameter." -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Schlüsselfach %d konnte nicht dem Digest zugeordnet werden." -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde." -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund." + +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Fehler beim Loslösen des Laufwerkschlüssels vom Thread-Schlüsselbund." -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund (Fehler %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Schlüsselbund mit der Beschreibung »%s« nicht gefunden." -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Globale Speicherzugriffsserialisierungssperre konnte nicht angefordert werden." -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Fehler beim Öffnen der Schlüsseldatei." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Fehler beim Einlesen der Schlüsseldatei »%s« vom Terminal." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "Fehler beim Öffnen der Schlüsseldatei." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Fehler beim Zugriff auf die Schlüsseldatei." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Zu wenig Speicher zum Einlesen der Passphrase." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Fehler beim Einlesen der Passphrase." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Nichts zu lesen in der Eingabe." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Größenbegrenzung für die Schlüsseldatei überschritten." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Die gewünschte Menge an Daten kann nicht eingelesen werden." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Gerät »%s« existiert nicht oder Zugriff verweigert." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Gerät »%s« ist nicht kompatibel." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Merkwürdige Optimale-Datenübertragungs-Größe für Datengerät (%u Bytes) wird ignoriert." -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Gerät »%s« ist zu klein. Mindestens % Bytes erforderlich." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Gerät »%s« kann nicht benutzt werden, da es bereits anderweitig benutzt wird." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Gerät »%s« kann nicht verwendet werden, Zugriff verweigert." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "Fehler beim Abrufen der Infos über Gerät »%s«." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Das Loopback-Gerät kann nicht benutzt werden, da das Programm nicht mit Root-Rechten läuft." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Anklemmen des Loopback-Geräts fehlgeschlagen (das Loopback-Gerät benötigt den »autoclear«-Schalter)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Der angeforderte Offset ist jenseits der wirklichen Größe des Geräts »%s«." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Gerät »%s« hat die Größe 0." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Verlangte Vorgabezeit für PBKDF darf nicht 0 sein." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Unbekannte PBKDF, Typ »%s«." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "Verlangter Hash »%s« wird nicht unterstützt." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Verlangter PBKDF-Typ wird von LUKS1 nicht unterstützt." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "Für pbkdf2 dürfen weder das Speichermaximum noch die Anzahl der Threads angegeben werden." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Anzahl der verlangten Durchläufe ist zu gering für %s (Minimum ist %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Verlangte Speicherkosten sind zu gering für %s (Minimum sind %u Kilobyte)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Das verlangte Speicherkosten-Maximum ist zu hoch (maximal %d Kilobyte)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "Der verlangte PBKDF-Speicherbedarf darf nicht 0 sein." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Die Anzahl der verlangten parallelen Threads für PBKDF darf nicht 0 sein." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Im FIPS-Modus wird ausschließlich PBKDF2 unterstützt." -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "PBKDF-Benchmark deaktiviert, aber Anzahl der Iterationen nicht angegeben." -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Inkompatible PBKDF2-Optionen (mit Hash-Algorithmus »%s«)." -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Inkompatible PBKDF2-Optionen." @@ -772,16 +866,24 @@ msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (kein Verzeichn msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (%s ist kein Verzeichnis)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Fehler beim Springen zum Gerät-Offset." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Fehler beim gründlichen Löschen des Geräts, an Offset %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "Falsche OPAL-PSID." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Fehler beim Leeren des OPAL-Geräts." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -802,7 +904,7 @@ msgstr "Verschlüsselungsverfahren sollte im Format [Verfahren]-[Modus]-[IV] sei #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Fehler beim Schreiben auf Gerät »%s«, Zugriff verweigert." @@ -816,17 +918,17 @@ msgid "Failed to access temporary keystore device." msgstr "Fehler beim Zugriff auf das temporäre Schlüsselspeichergerät." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "E/A-Fehler beim Verschlüsseln des Schlüsselfachs." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -848,32 +950,32 @@ msgstr "Gerät »%s« ist zu klein. (LUKS1 benötigt mindestens % Bytes. msgid "LUKS keyslot %u is invalid." msgstr "LUKS-Schlüsselfach %u ist ungültig." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Angeforderte Header-Backupdatei »%s« existiert bereits." -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Fehler beim Anlegen der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Fehler beim Speichern der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Backupdatei enthält keinen gültigen LUKS-Header." #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Fehler beim Öffnen der Header-Backupdatei »%s«." -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Fehler beim Einlesen der Header-Backupdatei »%s«." @@ -895,7 +997,7 @@ msgstr "enthält keinen LUKS-Header. Das Ersetzen des Headers kann Daten auf dem msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "enthält bereits einen LUKS-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören." -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -970,7 +1072,7 @@ msgstr "LUKS-Verschlüsselungsmodus %s ist ungültig." msgid "LUKS hash %s is invalid." msgstr "LUKS-Hash %s ist ungültig." -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "Keine bekannten Probleme im LUKS-Header erkannt." @@ -989,8 +1091,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Daten-Offset für LUKS-Header muss entweder 0 sein oder mehr als die Headergröße." #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Falsches LUKS-UUID-Format angegeben." @@ -1028,7 +1130,7 @@ msgstr "Schlüsselfach kann nicht geöffnet werden (mit Hash-Algorithmus »%s«) msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie ein Schlüsselfach zwischen 0 und %d." -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Gerät »%s« kann nicht ausgelöscht werden." @@ -1049,48 +1151,48 @@ msgstr "Inkompatible Loop-AES-Schlüsseldatei erkannt." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Kernel unterstützt Loop-AES-kompatibles Mapping nicht." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«." -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Maximale Länge der TCRYPT-Passphrase (%zu) überschritten." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Der Hash-Algorithmus »%s« für PBKDF2 wird nicht unterstützt, überspringe diesen Teil." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "Die benötigte Crypto-Kernel-Schnittstelle ist nicht verfügbar." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Stellen Sie sicher, dass das Kernelmodul »algif_skcipher« geladen ist." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Aktivierung wird für die Sektorengröße %d nicht unterstützt." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Der Kernel unterstützt die Aktivierung für diesen TCRYPT-Legacymodus nicht." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "TCRYPT-Systemverschlüsselung für Partition »%s« wird aktiviert." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header." @@ -1149,74 +1251,74 @@ msgstr "Fehler beim Lesen der BITLK-Metadaten von »%s«." msgid "Failed to convert BITLK volume description" msgstr "Fehler beim Konvertieren der BITLK-Volumenbeschreibung" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des externen Schlüssels gefunden." -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "Die GUID der BEK-Datei »%s« stimmt nicht mit der GUID des Laufwerks überein." -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Unerwarteter Metadaten-Eintrag »%u« beim Einlesen des externen Schlüssels gefunden." -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Nicht unterstützte BEK-Metadatenversion %" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Unerwartete BEK-Metadatengröße % stimmt nicht mit BEK-Dateilänge überein" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Einlesen des Startschlüssels gefunden." -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Diese Operation wird nicht unterstützt." -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Unerwartete Größe des Datenschlüssels." -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Dieses BITLK-Gerät ist in einem nicht unterstützten Zustand und kann daher nicht aktiviert werden." -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "BITLK-Geräte der Art »%s« können nicht aktiviert werden." -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Aktivieren eines teilweise entschlüsselten BITLK-Geräts wird nicht unterstützt." -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "WARNUNG: BitLocker-Datenträgergröße % stimmt nicht mit der zugrunde liegenden Gerätegröße % überein" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für BITLK-IV." -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Gerät kann nicht aktiviert werden, da dem Kernelmodul dm-crypt die Unterstützung für BITLK-Elephant-Verschleierer fehlt." -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für große Sektoren." -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Gerät kann nicht aktiviert werden, das Kernelmodul dm-crypt existiert nicht." @@ -1254,28 +1356,32 @@ msgstr "Falsches VERITY-UUID-Format über Gerät »%s« angegeben." msgid "Error during update of verity header on device %s." msgstr "Fehler beim Aktualisieren des VERITY-Headers auf Gerät »%s«." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "Verifikation der Stammhash-Signatur wird nicht unterstützt." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Signatur des Stammhashes erforderlich." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Fehler können mit einem FEC-Gerät nicht repariert werden." -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "%u reparierbare Fehler mit FEC-Gerät gefunden." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "Kernel unterstützt dm-verity-Zuordnung nicht." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "Kernel unterstützt Signatur-Option für dm-verity nicht." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Verity-Gerät hat eine Verfälschung nach der Aktivierung festgestellt." @@ -1369,7 +1475,7 @@ msgstr "Fehler beim Ermitteln der Größe von Gerät »%s«." msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Inkompatible Metadaten des Kernelmoduls dm-integrity (Version %u) auf %s entdeckt." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "Kernel unterstützt dm-integrity-Zuordnung nicht." @@ -1381,8 +1487,8 @@ msgstr "Kernel unterstützt feste Ausrichtung der Metadaten für dm-integrity ni msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Der Kernel weigert sich, die unsichere Neuberechnungs-Option zu aktivieren. Um dies zu übersteuern, können Sie die veralteten Aktivierungsoptionen nutzen." -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Fehler beim exklusiven Schreibzugriff auf Gerät »%s«." @@ -1399,49 +1505,59 @@ msgstr "" "Gerät enthält mehrdeutige Signaturen, LUKS2 kann nicht automatisch wiederhergestellt werden.\n" "Bitte führen Sie \"cryptsetup repair\" zur Wiederherstellung aus." -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "WARNING: Der Schlüsselfach-Bereich (% Bytes) ist sehr klein, die LUKS2-Schlüsselfachanzahl ist sehr begrenzt.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "Verlangter Daten-Offset ist zu klein." -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "WARNING: Der Schlüsselfach-Bereich (% Bytes) ist sehr klein, die LUKS2-Schlüsselfachanzahl ist sehr begrenzt.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "Warnung: Größe der LUKS2-Metadaten wurde auf % geändert.\n" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "Warnung: Größe des LUKS2-Schlüsselfachbereichs wurde auf % Bytes geändert.\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Fehler beim Zugriff auf die Lesesperre für das Gerät »%s«." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Verbotene LUKS2-Anforderungen in Backup »%s« entdeckt." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Unterschiedliche Datenoffsets auf Gerät und Backup. Wiederherstellung fehlgeschlagen." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Unterschiedliche Größe der Binärheader mit Schlüsselfach-Bereichen zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Gerät »%s« %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "enthält keinen LUKS2-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "enthält bereits einen LUKS2-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1451,7 +1567,7 @@ msgstr "" "WARNUNG: Unbekannte LUKS2-Anforderungen im echten Geräteheader entdeckt!\n" "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1461,58 +1577,92 @@ msgstr "" "WARNUNG: Unvollendete Offline-Wiederverschlüsselung auf dem Gerät entdeckt!\n" "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Unbekannter Schalter »%s« wird ignoriert." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Fehlender Schlüssel für dm-crypt-Segment %u" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Fehler beim Festlegen des »dm-crypt«-Segments." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Fehler beim Festlegen des »dm-linear«-Segments." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "Kein bekanntes Verschlüsselungsmuster in LUKS2-Kopfbereich entdeckt." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "OPAL-Gerät muss statische Gerätegröße haben." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Verschlüsseltes OPAL-Gerät mit Integrität muss kleiner als der Sperrbereich sein." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "OPAL-Gerät muss dieselbe Größe wie der Sperrbereich haben." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Das OPAL-Gerät »%s« ist bereits entsperrt.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Nicht unterstützte Konfiguration für Geräteintegrität." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Das zugrundeliegende dm-integrity-Gerät hat unerwartete Datensektoren bereitgestellt." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Wiederverschlüsselung läuft gerade. Das Gerät kann nicht deaktiviert werden." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Das stillgelegte Gerät »%s« mit dm-error-Ziel konnte nicht in den Fehlerzustand gesetzt werden." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Gerät »%s« wurde deaktiviert, aber das Hardware-OPAL-Gerät kann nicht gesperrt werden." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Fehler beim Lesen der LUKS2-Anforderungen." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Unerfüllte LUKS2-Anforderungen entdeckt." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für Altlasten-Wiederverschlüsselung markiert ist. Wird abgebrochen." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für LUKS2-Wiederverschlüsselung markiert ist. Wird abgebrochen." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das OPAL verwendet. Wird abgebrochen." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Nicht genügend Speicher, um ein Schlüsselfach zu öffnen." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Fehler beim Öffnen des Schlüsselfachs." @@ -1521,330 +1671,342 @@ msgstr "Fehler beim Öffnen des Schlüsselfachs." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Der Algorithmus %s-%s kann nicht für Schlüsselfach-Verschlüsselung verwendet werden." -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "Der Hash-Algorithmus »%s« ist nicht verfügbar." -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Warnung: Schlüsselbund-Vorgang könnte fehlschlagen, da er mehr Speicher benötigt als verfügbar ist.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Nicht genug Speicherplatz für neues Schlüsselfach." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "Ungültige Änderung des Modus für die robuste Wiederverschlüsselung angefordert." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Die Art der Robustheit kann nicht geändert werden. Die neue Art bietet nur % Bytes, der erforderliche Platz ist jedoch % Bytes." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Fehler beim Auffrischen des Zusammenfassungswerts der Prüfung der Wiederverschlüsselung." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Fehler beim Prüfen des Zustands von Gerät mit der UUID %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Fehler beim Konvertieren des Headers mit zusätzlichen LUKSMETA-Metadaten." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Die Chiffrierspezifikation %s-%s kann für LUKS2 nicht verwendet werden." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Nicht genug Speicherplatz." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Fehler beim Konvertieren ins LUKS2-Format: ungültige Metadaten." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Bereich für die LUKS2-Schlüsselfächer ist zu klein." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Fehler beim Konvertieren in LUKS1-Format: Standardgröße für Verschlüsselungssektoren ist nicht 512 Bytes." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach-Digeste sind nicht zu LUKS1 kompatibel." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Fehler beim Konvertieren in LUKS1-Format: Gerät verwendet eingepacktes Verschlüsselungsverfahren %s." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Fehler beim Konvertieren ins LUKS1-Format: Gerät verwendet mehr Segmente." -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Fehler beim Konvertieren in LUKS1-Format: LUKS2-Header enthält %u Token." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist in ungültigem Zustand." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u (über Maximalfach) ist noch aktiv." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist nicht zu LUKS1 kompatibel." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Die Größe der Hotzone muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Gerätegröße muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher alter Segmente." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher neuer Segmente." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Fehler beim Initialisieren des Hotzone-Schutzes." -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Fehler beim Lesen der Prüfsummen für die aktuelle Hotzone." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Fehler beim Lesen des Hotzone-Bereichs, der bei % beginnt." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Fehler beim Entschlüsseln von Sektor %zu." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Fehler beim Wiederherstellen von Sektor %zu." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Die Größe der Quell- und Zielgeräte stimmt nicht überein. Quelle %, Ziel: %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Fehler beim Aktivieren des Hotzone-Geräts »%s«." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Fehler beim Aktivieren des Überlagerungsgeräts »%s« mit der tatsächlichen Ursprungstabelle." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Fehler beim Laden der neuen Zuordnung für Gerät »%s«." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Fehler beim Auffrischen des Gerätestapels für Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Fehler beim Festlegen der neuen Bereichsgröße für Schlüsselfächer." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Datenverschiebung ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (% Bytes) ausgerichtet." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Nicht unterstützter Modus »%s« für Widerstandsfähigkeit" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "Die Größe des verschobenen Segments kann nicht größer als der Wert der Datenverschiebung sein." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Ungültige Parameter für die robuste Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Das verschobene Segment ist zu groß. Angeforderte Größe %, verfügbarer Platz %." -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Fehler beim Leeren der Tabelle." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "Die reduzierte Datengröße ist größer als die tatsächliche Gerätegröße." -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Datengerät ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (% Bytes) ausgerichtet." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Datenverschiebung (% Sektoren) ist weniger als der zukünftige Datenoffset (% Sektoren)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Fehler beim exklusiven Öffnen von »%s« (wird bereits anderweitig benutzt)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Das Gerät ist nicht für LUKS2-Wiederverschlüsselung markiert." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Fehler beim Laden des LUKS2-Wiederverschlüsselungs-Kontextes." -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Fehler beim Einlesen des Wiederverschlüsselungs-Zustands." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Das Gerät befindet sich nicht in der Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Der Wiederverschlüsselungs-Vorgang läuft bereits." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Fehler beim Zugriff auf die Schreibsperre für die Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Führen Sie zuerst die Wiederverschlüsselungs-Wiederherstellung durch." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "Aktive Gerätegröße und angeforderte Wiederverschlüsselungsgröße passen nicht zusammen." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "Ungültige Gerätegröße wurde in den Wiederverschlüsselungsparametern angefordert." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Wiederverschlüsselung läuft bereits. Wiederherstellung ist nicht möglich." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "LUKS2-Wiederverschlüsselung ist in den Metadaten bereits initialisiert." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "LUKS2-Wiederverschlüsselung konnte in den Metadaten nicht initialisiert werden." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Wiederverschlüsselung wird für DAX-Geräte (persistenten Speicher) nicht unterstützt." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Fehler beim Festlegen der Gerätesegmente für die nächste Wiederverschlüsselungs-Hotzone." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Fehler beim Schreiben der Metadaten für robuste Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Fehler beim Entschlüsseln." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Fehler beim Schreiben des Hotzone-Bereichs, der bei % beginnt." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Fehler beim Synchronisieren von Daten." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Fehler beim Aktualisieren der Metadaten, nachdem die aktuelle Wiederverschlüsselungs-Hotzone beendet wurde." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Fehler beim Schreiben der LUKS2-Metadaten." -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Fehler beim gründlichen Löschen des ungenutzten Bereichs auf dem Gerät." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Fehler beim Entfernen des ungenutzten (ungebundenen) Schlüsselfachs %d." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Fehler beim Entfernen des Schlüsselfachs zur Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Schwerwiegender Fehler beim Wiederverschlüsseln des Blocks bei %, % Sektoren lang." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Fehler bei Online-Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Das Gerät nicht fortsetzen, außer es wird manuell durch das Fehlerziel ersetzt." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Unerwarteter Zustand der Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Fehlender oder ungültiger Wiederverschlüsselungs-Kontext." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Fehler beim Initialisieren des Gerätestapels für Wiederverschlüsselung." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Fehler beim Aktualisieren des Wiederverschlüsselungskontexts." @@ -1852,80 +2014,121 @@ msgstr "Fehler beim Aktualisieren des Wiederverschlüsselungskontexts." msgid "Reencryption metadata is invalid." msgstr "Die Metadaten für die Wiederverschlüsselung sind ungültig." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "OPAL-Bereich %d mit Offset % entspricht nicht dem erwarteten Wert %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "OPAL-Bereich %d mit Länge % entspricht nicht der Gerätegröße %." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "In OPAL-Bereich %d ist das Sperren deaktiviert." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Unerwarteter Sperrzustand in OPAL-Bereich %d." + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Verschlüsselungsparameter für Schlüsselfach wird nur für LUKS2-Geräte unterstützt." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Geben Sie die PIN des Tokens ein: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Geben Sie die PIN des Tokens %d ein: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Kein bekanntes Verschlüsselungsmuster entdeckt." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "Warnung: Für den Verschlüsselungsalgorithmus werden die Standardeinstellungen (%s-%s, Schlüsselgröße %u Bit) verwendet, das kann inkompatibel zu älteren Versionen sein." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "Warnung: Für den Hashalgorithmus werden die Standardeinstellungen (%s) verwendet, das kann inkompatibel zu älteren Versionen sein." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "Im einfachen Modus stets die Optionen --cipher, --key-size und (wenn keine Schlüsseldatei verwendet wird) auch --hash nutzen." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "WARNUNG: Der Parameter --hash wird im Plain-Modus ignoriert, wenn eine Schlüsseldatei angegeben ist.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "WARNUNG: Die Option --keyfile-size wird ignoriert, da die Lesegröße die gleiche ist wie die Verschlüsselungsschlüsselgröße ist.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "Fehler beim Blkid-Scan für %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Gerätesignaturen auf »%s« erkannt. Wenn Sie fortfahren, könnte das bestehende Daten beschädigen." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Vorgang abgebrochen.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Die Option »--key-file« muss angegeben werden." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "VeraCrypt-PIM eingeben: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Ungültiger PIM-Wert: Formatfehler." -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Ungültiger PIM-Wert: 0." -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Ungültiger PIM-Wert: außerhalb des gültigen Bereichs." -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "Kein Geräte-Header mit dieser Passphrase gefunden." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Gerät »%s« ist kein gültiges BITLK-Gerät." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Die Größe des Laufwerksschlüssels für BITLK kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1937,7 +2140,7 @@ msgstr "" "daher ausschließlich an einem sicheren Ort und verschlüsselt\n" "aufbewahrt werden." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1949,65 +2152,73 @@ msgstr "" "daher ausschließlich an einem sicheren Ort und verschlüsselt\n" "aufbewahrt werden." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Gerät »%s« ist kein gültiges FVAULT2-Gerät." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Die Größe des Laufwerksschlüssels für FVAULT2 kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Gerät »%s« ist noch aktiv und zum verzögerten Entfernen eingeplant.\n" -#: src/cryptsetup.c:835 +# upstream: period missing +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Fehler beim Festlegen des externen Tokenpfads »%s«." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Um die Größe von aktiven Geräten zu öndern, muss der Laufwerksschlüssel im Schlüsselbund sein, aber die Option --disable-keyring wurde angegeben." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Benchmark unterbrochen." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s (nicht zutreffend)\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u Iterationen pro Sekunde für %zu-Bit-Schlüssel\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s (nicht zutreffend)\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u Iterationen, %5u Speicher, %1u parallele Threads (CPUs) für %zu-Bit-Schlüssel (Zieldauer %u Millisekunden)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Das Ergebnis des Benchmarks ist nicht zuverlässig." -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Die Tests sind nur annähernd genau, da sie nicht auf den Datenträger zugreifen.\n" # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption". # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators. #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfügbar." @@ -2015,15 +2226,15 @@ msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfü # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption". # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators. #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "N/A" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2031,27 +2242,27 @@ msgstr "" "Ungeschützte LUKS2-Metadaten für die Wiederverschlüsselung entdeckt. Bitte überprüfen Sie, ob die Wiederverschlüsselungsoperation erwünscht ist (siehe luksDump-Ausgabe)\n" "und fahren Sie nur fort (Upgrade der Metadaten), wenn Sie den Vorgang als echt anerkennen." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Geben Sie die Passphrase für den Schutz und das Aktualisieren der Metadaten für die Wiederverschlüsselung ein: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Wirklich mit der Wiederherstellung der LUKS2-Wiederverschlüsselung fortfahren?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Geben Sie die Passphrase für das Prüfen der Metadaten für die Wiederverschlüsselung ein: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Geben Sie die Passphrase für die Wiederherstellung der Wiederverschlüsselung ein: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Wirklich versuchen, den LUKS-Geräteheader wiederherzustellen?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2059,7 +2270,7 @@ msgstr "" "\n" "Gründlich löschen unterbrochen." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2068,128 +2279,144 @@ msgstr "" "Sie können diesen Vorgang mit Strg+C unterbrechen (der nicht gesäuberte Bereich des Geräts wird dann ungültige Prüfsummen haben).\n" # upstream: it is boring that I have to translate the newline at the end of each of these messages. Translating strings without newlines is much easier and faster. Since it is redundant anyway (all calls to log_err have a trailing newline), this newline should be written implicitly. -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Fehler beim Deaktivieren des temporären Geräts »%s«." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "Die Integritätsoption kann nur für das LUKS2-Format verwendet werden." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Nicht unterstützte Optionen für Größe der LUKS-Metadaten." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL wird nur für das LUKS2-Format unterstützt." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Die Headerdatei existiert nicht, soll sie angelegt werden?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Fehler beim Anlegen der Headerdatei »%s«." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Kein bekanntes Integritätsspezifikationsmuster entdeckt." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Das Gerät »%s« kann nicht als Datenträger-Header benutzt werden." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Hiermit werden die Daten auf »%s« unwiderruflich überschrieben." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Das OPAL-Admin-Passwort darf nicht leer sein." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Fehler beim Festlegen der PBKDF-Parameter." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "Die Typangabe in --link-vk-to-keyring wird ignoriert." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Ungültiger Wert für --link-vk-to-keyring." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Verringerter Datenoffset ist nur für separaten LUKS-Header erlaubt." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "LUKS-Datei-Container %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Die Größe des Laufwerksschlüssels erfordert Schlüsselfächer, bitte nutzen Sie dazu die Option »--key-size«." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Gerät aktiviert, aber die Schalter können nicht dauerhaft gespeichert werden." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Schlüsselfach %d zum Löschen ausgewählt." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Dies ist das letzte Schlüsselfach. Wenn Sie diesen Schlüssel löschen, wird das Gerät unbrauchbar." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Geben Sie irgendeine verbleibende Passphrase ein: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Vorgang abgebrochen, das Schlüsselfach wurde NICHT gesäubert.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Geben Sie die zu löschende Passphrase ein: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Gerät »%s« ist kein gültiges LUKS2-Gerät." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Geben Sie die neue Passphrase für das Schlüsselfach ein: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "WARNUNG: Der Parameter --key-slot wird für die neue Nummer des Schlüsselfachs verwendet.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Geben Sie irgendeine bestehende Passphrase ein: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Geben Sie die zu ändernde Passphrase ein: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Geben Sie die neue Passphrase ein: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Geben Sie die Passphrase für das umzuwandelnde Schlüsselfach ein: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "Die Operation »isLuks« unterstützt nur genau ein Geräte-Argument." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Schlüsselfach %d enthält keinen unverbundenen Schlüssel." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2198,40 +2425,52 @@ msgstr "" "Dieser Dump sollte daher ausschließlich an einem sicheren Ort und\n" "verschlüsselt aufbewahrt werden." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s ist kein aktives %s-Gerät." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s ist kein aktives LUKS-Gerät, oder der Header fehlt." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Option »--header-backup-file« muss angegeben werden." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s ist kein von cryptsetup verwaltetes Gerät." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Die Geräteart »%s« kann nicht aufgefrischt werden" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Unbekannte Art »%s« des Metadaten-Geräts." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Dieser Befehl benötigt den Gerätenamen und den zugeordneten Namen als Argumente." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Geben Sie die OPAL-PSID ein: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Geben Sie das OPAL-Admin-Passwort ein: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "Warnung: Der GESAMTE Datenträger wird auf die Werkseinstellungen zurückgesetzt, und alle Daten gehen verloren. Fortsetzen?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2240,351 +2479,351 @@ msgstr "" "Diese Operation wird alle Schlüsselfächer auf Gerät »%s« löschen.\n" "Dadurch wird das Gerät unbrauchbar." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Vorgang abgebrochen, die Schlüsselfächer wurden NICHT gesäubert.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Invalid LUKS type, only luks1 and luks2 are supported." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Das Gerät hat bereits den Typ »%s«." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Diese Operation wird für »%s« ins Format »%s« umwandeln.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Vorgang abgebrochen, das Gerät wurde NICHT konvertiert.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Die Option --priority, --label oder --subsystem fehlt." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Token %d ist ungültig." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Token %d ist in Benutzung." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Fehler beim Hinzufügen des LUKS2-Schlüsselring-Tokens %d." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Token %d kann nicht dem Schlüsselfach %d zugeordnet werden." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Token %d wird gerade nicht verwendet." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Token konnte nicht aus der Datei importiert werden." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Auf Token %d kann nicht für den Export zugegriffen werden." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Token %d ist nicht dem Schlüsselfach %d zugeordnet." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Token %d kann nicht vom Schlüsselfach %d losgelöst werden." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Die Optionen --veracrypt und --disable-veracrypt werden nur für TCRYPT-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Die Option --veracrypt-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Die Option --veracrypt-query-pim wird nur für VeraCrypt-kompatible Geräte unterstützt." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Die Optionen --veracrypt-pim und --veracrypt-query-pim schließen sich gegenseitig aus." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Die Option --persistent ist nicht mit --test-passphrase kombinierbar." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Die Optionen --refresh und --test-passphrase schließen sich gegenseitig aus." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "Die Option --shared ist nur beim beim »open«-Befehl eines Plain-Gerätes erlaubt." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Die Option --offset mit der Aktion Öffnen wird nur für einfache und loopaes-Geräte unterstützt." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "Die Option \"Sektorgröße\" mit der Aktion \"Öffnen\" wird nur für einfache Geräte unterstützt." -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Die Option für große IV-Sektoren wird nur unterstützt, wenn das geöffnete Gerät Sektoren größer als 512 Bytes hat." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS-, TCRYPT-, BITLK- und FVAULT2-Geräten erlaubt." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Die Optionen --device-size und --size können nicht kombiniert werden." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "Die Option »--unbound« ist nur beim »open«-Befehl eines LUKS-Gerätes erlaubt." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Die Option »--unbound« kann nur in Kombination mit »--test-passphrase« verwendet werden." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Die Optionen --cancel-deferred und --deferred können nicht kombiniert werden." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Die Optionen --reduce-device-size und --data-size können nicht kombiniert werden." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Die Optionen --reduce-device-size und --device-size können nicht kombiniert werden." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Die Option »--active-name« ist nur auf LUKS2-Geräte anwendbar." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Die Optionen »--active-name« und »--force-offline-reencrypt« können nicht kombiniert werden." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Das Schlüsselfach muss angegeben werden." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Die Optionen --align-payload und --offset können nicht kombiniert werden." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Die Option --integrity-no-wipe ist nur für die »format«-Aktion mit Integritätserweiterung erlaubt." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Nur eine der Optionen --use-[u]random ist erlaubt." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "Die Option »--unbound« erfordert die Schlüsselgröße." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "Ungültige Token-Aktion." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Der Parameter --key-description ist Pflicht für die Aktion »token add«." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "Die Aktion erfordert ein bestimmtes Token. Verwenden Sie den Parameter --token-id." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "Die Option »--unbound« kann nur zusammen mit der Aktion zum Hinzufügen eines Tokens verwendet werden." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Die Optionen --key-slot und --unbound können nicht kombiniert werden." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "Die Aktion erfordert ein bestimmtes Schlüsselfach. Verwenden Sie den Parameter --key-slot." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type ] []" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "Gerät als öffnen" -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "Gerät schließen (Zuordnung entfernen)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "Größe des aktiven Geräts ändern" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "Gerätestatus anzeigen" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher ]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "Verschlüsselungsalgorithmus benchmarken" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "Versuchen, die Metadaten auf dem Datenträger zu reparieren" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "LUKS2-Gerät wiederverschlüsseln" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "Alle Schlüsselfächer löschen (Verschlüsselungsschlüssel entfernen)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "Zwischen den Formaten LUKS und LUKS2 umwandeln" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "Permanente Konfigurationsoptionen für LUKS2 festlegen" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "Ein LUKS-Gerät formatieren" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "Schlüssel zu LUKS-Gerät hinzufügen" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "Entfernt bereitgestellten Schlüssel oder Schlüsseldatei vom LUKS-Gerät" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "Ändert den angegebenen Schlüssel oder die Schlüsseldatei des LUKS-Geräts" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "Wandelt einen Schlüssel in neue PBKDF-Parameter um" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "Löscht Schlüssel mit Nummer vom LUKS-Gerät" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "UUID des LUKS-Geräts ausgeben" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "Testet auf Header einer LUKS-Partition" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "LUKS-Partitionsinformationen ausgeben" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "TCRYPT-Geräteinformationen ausgeben" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "BITLK-Geräteinformationen ausgeben" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "VFAULT2-Geräteinformationen ausgeben" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "LUKS-Gerät in Ruhezustand versetzen und alle Schlüssel auslöschen (alle IOs werden eingefroren)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "LUKS-Gerät aus dem Ruhezustand aufwecken" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Header und Schlüsselfächer eines LUKS-Geräts sichern" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Header und Schlüsselfächer eines LUKS-Geräts wiederherstellen" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "LUKS2-Token manipulieren" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2592,7 +2831,7 @@ msgstr "" "\n" " ist eine von:\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2604,7 +2843,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2619,7 +2858,7 @@ msgstr "" " ist die Nummer des zu verändernden LUKS-Schlüsselfachs\n" " optionale Schlüsseldatei für den neuen Schlüssel der »luksAddKey«-Aktion\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2628,29 +2867,28 @@ msgstr "" "\n" "Vorgegebenes festeingebautes Metadatenformat ist %s (für luksFormat-Aktion).\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Die Unterstützung des externen Token-Plugins LUKS2 ist %s.\n" - -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "integriert" +"Die Plugin-Unterstützung für externe LUKS2-Tokens ist aktiviert.\n" -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Pfad des Plugins für externe LUKS2-Token: %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "deaktiviert" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Die Plugin-Unterstützung für externe LUKS2-Tokens ist deaktiviert.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2667,7 +2905,7 @@ msgstr "" "Vorgabe-PBKDF für LUKS2: %s\n" "\tIterationszeit: %d, benötigter Speicher: %d kB, parallele Threads: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2682,96 +2920,100 @@ msgstr "" "\tplain: %s, Schlüssel: %d Bits, Passphrase-Hashen: %s\n" "\tLUKS: %s, Schlüssel: %d Bits, LUKS-Header-Hashen: %s, Zufallszahlengenerator: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Standard-Schlüsselgröße mit XTS-Modus (zwei interne Schlüssel) wird verdoppelt.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: Benötigt %s als Argumente" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Schlüsselfach ist ungültig." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "Die Gerätegröße muss ein Vielfaches von 512-Byte-Sektoren sein." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "Ungültige Angabe der Maximalgröße für die Wiederverschlüsselungs-Hotzone." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "Schlüsselgröße muss ein Vielfaches von 8 Bit sein" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "Die maximale Verkleinerungsgröße ist 1 GiB." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Die verkleinerte Größe muss ein Vielfaches von 512-Byte-Sektoren sein." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Die Option --priority kann nur »ignore/normal/prefer« sein." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Diese Hilfe anzeigen" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Kurze Aufrufsyntax anzeigen" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Paketversion ausgeben" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Hilfe-Optionen:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[OPTION...] " -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Argument fehlt." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Unbekannte Aktion." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Die Option --key-file wirkt stärker als das angegebene Schlüsseldatei-Argument." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Die Option --key-file ist nur einmal erlaubt." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Passwortbasierte Schlüsselableitungsfunktion (PBKDF) kann nur »pbkdf2« oder »argon2i/argon2id« sein." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Bei PBKDF darf nur entweder die Anzahl der Durchläufe oder die Zeitbegrenzung angegeben werden." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Laufwerkschlüssel kann nicht mit einem Schlüsselbund verbunden werden, solange der Schlüsselbund deaktiviert ist." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Die Optionen --keyslot-cipher und --keyslot-keysize können nur zusammen benutzt werden." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Es wird keine Aktion ausgeführt. Aufgerufen mit der Option --test-args.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Fehler beim Deaktivieren der Metadaten-Dateisperre." @@ -2836,7 +3078,7 @@ msgstr "Der Befehl erfordert die Option oder --root-hash-file als Ar msgid " " msgstr " " -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "Gerät formatieren" @@ -2852,7 +3094,7 @@ msgstr "Gerät verifizieren" msgid " []" msgstr " []" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "Status der aktiven Geräte anzeigen" @@ -2860,7 +3102,7 @@ msgstr "Status der aktiven Geräte anzeigen" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "Auf dem Datenträger gespeicherte Informationen anzeigen" @@ -2890,11 +3132,11 @@ msgstr "" "Einkompilierte Vorgabewerte für dm-verity:\n" "\tHash: %s, Datenblock (Bytes): %u, Hashblock (Bytes): %u, Salt-Größe: %u, Hashformat: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Die Optionen --ignore-corruption und --restart-on-corruption können nicht zusammen benutzt werden." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Die Optionen --panic-on-corruption und --restart-on-corruption können nicht zusammen benutzt werden." @@ -2907,29 +3149,29 @@ msgstr "" "Dadurch werden Daten auf %s und %s unwiderruflich überschrieben.\n" "Um Daten auf dem Gerät zu bewahren, verwenden Sie die Option »--no-wipe« (und aktivieren Sie sie dann mit »--integrity-recalculate«)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formatiert mit Etikettgröße %u und interner Integrität %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Das Setzen der Option »recalculate« wird nicht unterstützt, Sie können stattdessen »--wipe« erwägen." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Gerät »%s« ist kein gültiges INTEGRITY-Gerät." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2940,7 +3182,7 @@ msgstr "" " ist das Gerät, das unter »%s« angelegt werden soll\n" " ist das Gerät, das die Daten mit Integritätsangaben enthält\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2953,40 +3195,40 @@ msgstr "" "\tPrüfalgorithmus: %s\n" "\tMaximalgröße der Schlüsseldatei: %d kB\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Ungültige Größe für --%s. Maximum ist %u Bytes." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen angegeben werden." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen für die Journalintegrität angegeben werden." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Wenn ein Integritätsschlüssel für das Journal verwendet wird, muss auch der Integritätsalgorithmus angegeben werden." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Sowohl der Verschlüsselungsschlüssel als auch die Schlüsselgröße müssen für die Journalverschlüsselung angegeben werden." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Wenn ein Verschlüsselungsschlüssel für das Journal verwendet wird, muss auch der Verschlüsselungsalgorithmus angegeben werden." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Die Modi Wiederherstellung und Bitmap schließen sich gegenseitig aus." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Die Journal-Optionen können nicht im Bitmap-Modus verwendet werden." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Die Bitmapoptionen können nur im Bitmapmodus verwendet werden." @@ -3198,58 +3440,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Passwort-Qualitätsüberprüfung fehlgeschlagen: Falsche Passphrase (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Fehler beim Lesen der Passphrase vom Terminal." -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Passphrase bestätigen: " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Passphrasen stimmen nicht überein." -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Offset kann nicht zusammen mit Terminaleingabe benutzt werden." -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Passphrase eingeben: " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Geben Sie die Passphrase für »%s« ein: " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Kein Schlüssel mit dieser Passphrase verfügbar." -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Es ist kein nutzbares Schlüsselfach verfügbar." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Datei %s konnte nicht im Nur-Lese-Modus geöffnet werden." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Geben Sie gültiges LUKS2-Token-JSON an:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "JSON-Datei konnte nicht gelesen werden." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3257,12 +3499,12 @@ msgstr "" "\n" "Lesen unterbrochen." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Datei %s konnte nicht im Schreibmodus geöffnet werden." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3270,7 +3512,7 @@ msgstr "" "\n" "Schreiben unterbrochen." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "JSON-Datei konnte nicht geschrieben werden." @@ -3337,15 +3579,19 @@ msgstr "Das Gerät erfordert die Wiederherstellung der Wiederverschlüsselung. F msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Gerät %s befindet sich bereits in der LUKS2-Neuverschlüsselung. Möchten Sie den zuvor begonnenen Vorgang fortsetzen?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Die veraltete LUKS2-Wiederverschlüsselung wird nicht mehr unterstützt." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Auf einem Gerät, das für OPAL konfiguriert ist, kann die LUKS2-Wiederverschlüsselung nicht durchgeführt werden." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Wiederverschlüsselung von Geräten mit Integritätsprofil wird nicht unterstützt." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3354,103 +3600,103 @@ msgstr "" "Angeforderte --sector-size % ist nicht kompatibel mit dem %s-Superblock\n" "(Blockgröße: %Bytes), der auf dem Gerät %s erkannt wurde." -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Verschlüsselung ohne separaten Kopfbereich (--header) ist nur möglich, wenn die Größe des Hauptgeräts reduziert wird (--reduce-device-size)." -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Der angeforderte Datenoffset darf maximal die Hälfte des Parameters --reduce-device-size betragen." -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Der Wert von --reduce-device-size wird auf das Doppelte von --offset % (in Sektoren) angepasst.\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Temporäre Headerdatei »%s« existiert bereits. Wird abgebrochen." -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Fehler beim Anlegen der temporären Headerdatei »%s«." -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Die Größe der LUKS2-Metadaten ist größer als der Wert der Datenverschiebung." -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Der neue Header konnte nicht am Kopf des Geräts %s platziert werden." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung.\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Das aktive Gerät »%s« ist kein LUKS2-Gerät." -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Wiederherstellung des ursprünglichen LUKS2-Headers." -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Fehler beim Wiederherstellen des ursprünglichen LUKS2-Headers." -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Die Header-Datei %s existiert nicht. Möchten Sie die LUKS2-Entschlüsselung von Gerät %s initialisieren und LUKS2-Header in Datei %s exportieren?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Fehler beim Hinzufügen der Lese-/Schreibberechtigung für die exportierte Header-Datei." -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Fehler beim Initialisieren der Wiederverschlüsselung. Eine Sicherungskopie des Headers befindet sich in %s." -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "LUKS2-Entschlüsselung wird nur mit losgelöstem Headergerät unterstützt (mit Datenoffset auf 0 gesetzt)." -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Nicht genügend freie Schlüsselfächer für Wiederverschlüsselung." -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden." -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Geben Sie die Passphrase für Schlüsselfach %d ein: " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Der Verschlüsselungsalgorithmus wird auf %s geändert.\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Keine Datensegmentparameter geändert. Wiederverschlüsselung abgebrochen." -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3458,7 +3704,7 @@ msgstr "" "Die Zunahme der Größe des Verschlüsselungssektors auf einem Offline-Gerät wird nicht unterstützt.\n" "Aktivieren Sie das Gerät zuerst oder verwenden Sie die Option »--force-offline-reencrypt« (gefährlich!)." -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3467,62 +3713,62 @@ msgstr "" "\n" "Wiederverschlüsselung unterbrochen." -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "LUKS-Wiederverschlüsselung wird im erzwungenen Offline-Modus fortgesetzt.\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Das Gerät %s enthält fehlerhafte LUKS-Metadaten. Vorgang wird abgebrochen." -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Gerät %s ist bereits ein LUKS-Gerät. Vorgang wird abgebrochen." -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Gerät %s befindet sich bereits in der LUKS-Wiederverschlüsselung. Vorgang wird abgebrochen." -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "LUKS2-Entschlüsselung erfordert die Option »--header«." -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "Dieser Befehl benötigt den Gerätenamen als Argument." -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS1." -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in der LUKS1-Wiederverschlüsselung." -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS2." -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in LUKS2-Wiederverschlüsselung." -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Die LUKS2-Wiederverschlüsselung wurde bereits begonnen. Die Operation wird abgebrochen." -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Derzeit läuft keine Wiederverschlüsselung." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird." @@ -3658,35 +3904,35 @@ msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Partitionssignatur.\n" msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Superblock-Signatur.\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Fehler beim Initialisieren der Gerätesignatursonden." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "Gerät %s konnte nicht gefunden werden." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Datei %s konnte nicht im Lese-/Schreibmodus geöffnet werden." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Die bestehende »%s«-Partitionssignatur auf Gerät %s wird gelöscht." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Die bestehende »%s«-Superblocksignatur auf Gerät %s wird gelöscht." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Fehler beim Löschen der Gerätesignatur." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Gerät %s konnte nicht auf eine Signatur geprüft werden." @@ -3701,11 +3947,11 @@ msgstr "Ungültige Größenangabe in Parameter --%s." msgid "Option --%s is not allowed with %s action." msgstr "Die Option --%s ist nicht mit der Aktion %s kombinierbar." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Fehler beim Schreiben des SSH-Tokens im JSON-Format." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3722,105 +3968,109 @@ msgstr "" "\n" "Hinweis: Die beim Hinzufügen des Tokens angegebenen Informationen (SSH-Server-Adresse, Benutzer und Pfade) werden im LUKS2-Header im Klartext gespeichert." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Optionen für die Aktion \"add\" (Hinzufügen):" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "IP-Adresse/URL des entfernten Servers für dieses Token" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Benutzername, der für den entfernten Server verwendet wird" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Pfad zur Schlüsseldatei auf dem entfernten Server" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Pfad zum SSH-Schlüssel für die Verbindung zum entfernten Server" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Pfad zum Verzeichnis, das die externen Tokens für libcryptsetup enthält" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Schlüsselfach, dem das Token zugewiesen werden soll. Wenn nicht angegeben, wird das Token dem ersten Schlüsselfach zugewiesen, das zur angegebenen Passphrase passt." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Allgemeine Optionen:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Zeigt detailliertere Fehlermeldungen an" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Zeigt Debugging-Meldungen an" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Debugging-Meldungen anzeigen, inclusive JSON-Metadaten" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Öffnen und Importieren des privaten Schlüssels fehlgeschlagen:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Der Import des privaten Schlüssels (passwortgeschützt?) ist fehlgeschlagen.\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Passwort von %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Das Parsen der Argumente ist fehlgeschlagen.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Es muss eine Aktion angegeben werden\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein Gerät angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Server angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Benutzer angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Pfad angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Für die Aktion '%s' muss ein SSH-Schlüsselpfad angegeben werden.\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Öffnen von %s mit den angegebenen Anmeldeinformationen fehlgeschlagen.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Nur die Aktion \"add\" (Hinzufügen) wird derzeit von diesem Plugin unterstützt.\n" @@ -3865,6 +4115,12 @@ msgstr "Authentifizierung mit öffentlichem Schlüssel ist auf dem Host nicht er msgid "Public key authentication error: " msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " +#~ msgid "compiled-in" +#~ msgstr "integriert" + +#~ msgid "disabled" +#~ msgstr "deaktiviert" + #~ msgid "WARNING: Data offset is outside of currently available data device.\n" #~ msgstr "WARNING: Der Datenoffset ist außerhalb des derzeit verfügbaren Datengeräts.\n" @@ -3889,9 +4145,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "Failed to disable reencryption requirement flag." #~ msgstr "Fehler beim Deaktivieren der Wiederverschlüsselungsanforderung." -#~ msgid "Encryption is supported only for LUKS2 format." -#~ msgstr "Verschlüsselung wird nur für das LUKS2-Format unterstützt." - #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" #~ msgstr "LUKS-Gerät auf »%s« erkannt. Möchten Sie dieses LUKS-Gerät erneut verschlüsseln?" @@ -3958,10 +4211,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: " #~ msgid "No free token slot." #~ msgstr "Kein freies Fach für Token." -# upstream: period missing -#~ msgid "Failed to create builtin token %s." -#~ msgstr "Fehler beim Erzeugen des eingebauten Tokens »%s«." - #~ msgid "Invalid LUKS device type." #~ msgstr "Ungültige LUKS-Geräteart." diff --git a/po/es.po b/po/es.po index 2a4d9f4..1a9bb55 100644 --- a/po/es.po +++ b/po/es.po @@ -2,7 +2,7 @@ # Traducciones al español para el paquete cryptsetup. # Copyright (C) 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Free Software Foundation, Inc. # This file is put in the public domain. -# Antonio Ceballos , 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 +# Antonio Ceballos , 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2023, 2024 # # ###################################################################### # Traducciones dudosas: @@ -73,10 +73,10 @@ # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.4.2-rc0\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2021-11-11 19:08+0100\n" -"PO-Revision-Date: 2021-12-12 11:49+0100\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2024-01-13 17:04+0100\n" "Last-Translator: Antonio Ceballos \n" "Language-Team: Spanish \n" "Language: es\n" @@ -86,67 +86,75 @@ msgstr "" "X-Bugs: Report translation errors to the Language-Team address.\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -#: lib/libdevmapper.c:396 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "No se puede inicializar el «device mapper», ejecutando como usuario no administrador." -#: lib/libdevmapper.c:399 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "No se puede inicializar el «device-mapper». ¿Está cargado el módulo del núcleo dm_mod?" -#: lib/libdevmapper.c:1170 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "El indicador diferido solicitado no está disponible." -#: lib/libdevmapper.c:1239 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "El DM-UUID del dispositivo %s ha sido truncado." -#: lib/libdevmapper.c:1567 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Tipo de objetivo dm desconocido." -#: lib/libdevmapper.c:1688 lib/libdevmapper.c:1693 lib/libdevmapper.c:1757 -#: lib/libdevmapper.c:1760 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Las opciones de rendimiento de dm-crypt solicitadas no están disponibles." -#: lib/libdevmapper.c:1700 lib/libdevmapper.c:1704 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Las opciones de manejo de corrupción de datos de dm-verity solicitadas no están disponibles." -#: lib/libdevmapper.c:1708 +#: lib/libdevmapper.c:1650 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "La opción «tasklets» de dm-verity solicitada no está disponible." + +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Las opciones FEC de dm-verity solicitadas no están disponibles." -#: lib/libdevmapper.c:1712 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Las opciones de integridad de datos solicitadas no están disponibles." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "La opción sector_size solicitada no está disponible." -#: lib/libdevmapper.c:1719 lib/libdevmapper.c:1723 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "El tamaño del dispositivo no es múltiplo del tamaño de sector solicitado." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "El recómputo automático de las etiquetas de integridad solicitado no está disponible." -#: lib/libdevmapper.c:1727 lib/libdevmapper.c:1763 lib/libdevmapper.c:1766 -#: lib/luks2/luks2_json_metadata.c:2204 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Descartar/TRIM no disponible." -#: lib/libdevmapper.c:1731 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "El modo de mapa de bits de dm-integrity solicitado no está disponible." -#: lib/libdevmapper.c:2705 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "No se ha podido consultar el segmento de dm-%s." -#: lib/random.c:75 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" @@ -154,667 +162,795 @@ msgstr "" "El sistema se ha quedado sin entropía mientras estaba generando la clave del volumen.\n" "Por favor, mueva el ratón o pulse alguna tecla en otra ventana para provocar algún evento aleatorio.\n" -#: lib/random.c:79 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Generando la clave (%d%% hecho).\n" -#: lib/random.c:165 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Modo FIPS en funcionamiento." -#: lib/random.c:171 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Error fatal durante la inicialización del generador de números aleatorios." -#: lib/random.c:208 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "La calidad solicitada para el generador de números aleatorios es desconocida." -#: lib/random.c:213 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "Error leyendo del generador de números aleatorios." -#: lib/setup.c:226 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "El soporte de OPAL está desactivado en libcryptsetup." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "El dispositivo %s o el núcleo no disponen de cifrado OPAL." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "No se puede inicializar el «backend» del generador de números aleatorios de cifrado." -#: lib/setup.c:232 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "No se puede inicializar el «backend» de cifrado." -#: lib/setup.c:263 lib/setup.c:2079 lib/verity/verity.c:119 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Algoritmo «hash» %s no disponible." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Error de procesamiento de la clave (usando «hash» %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "No se puede determinar el tipo de dispositivo. ¿Es incompatible la activación del dispositivo?" -#: lib/setup.c:338 lib/setup.c:3142 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Esta operación solamente está disponible para dispositivos LUKS." -#: lib/setup.c:365 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Esta operación solamente está disponible para dispositivos LUKS2." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2440 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Todas las ranuras de claves están llenas." -#: lib/setup.c:431 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "La ranura de claves %d no es válida; seleccione un número entre 0 y %d." -#: lib/setup.c:437 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "La ranura de claves %d está llena; seleccione otra." -#: lib/setup.c:522 lib/setup.c:2900 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "El tamaño del dispositivo no está alineado con el tamaño de bloque lógico del dispositivo." -#: lib/setup.c:620 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Cabecera detectada pero el dispositivo %s es demasiado pequeño." -#: lib/setup.c:661 lib/setup.c:2845 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Esta operación no está disponible para este tipo de dispositivo." -#: lib/setup.c:666 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Operación con recifrado en curso no válida." -#: lib/setup.c:834 lib/luks1/keymanage.c:527 +#: lib/setup.c:895 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "No se han podido echar atrás los metadatos de LUKS2 en memoria." + +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "El dispositivo %s no es un dispositivo LUKS válido." + +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Versión LUKS no disponible %d." -#: lib/setup.c:1430 lib/setup.c:2610 lib/setup.c:2683 lib/setup.c:2695 -#: lib/setup.c:2853 lib/setup.c:4643 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado para el dispositivo activo %s." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "El dispositivo %s no está activo." -#: lib/setup.c:1447 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "El dispositivo subyacente asociado al dispositivo cifrado %s ha desaparecido." -#: lib/setup.c:1527 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Parámetros de cifrado para modo claro no válidos." -#: lib/setup.c:1532 lib/setup.c:1982 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Tamaño de clave no válido." -#: lib/setup.c:1537 lib/setup.c:1987 lib/setup.c:2190 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "El UUID no está disponible para este tipo de cifrado." -#: lib/setup.c:1542 lib/setup.c:1992 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "El dispositivo de metadatos separado no está disponible para este tipo de cifrado." -#: lib/setup.c:1552 lib/setup.c:1754 lib/luks2/luks2_reencrypt.c:2401 -#: src/cryptsetup.c:1358 src/cryptsetup.c:3723 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Tamaño de sector de cifrado no admitido." -#: lib/setup.c:1560 lib/setup.c:1895 lib/setup.c:2894 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "El tamaño del dispositivo no está alineado con el tamaño del sector solicitado." -#: lib/setup.c:1612 lib/setup.c:1732 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Imposible dar formato LUKS sin dispositivo." -#: lib/setup.c:1618 lib/setup.c:1738 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "El alineamiento de datos solicitado no es compatible con el desplazamiento de los datos." -#: lib/setup.c:1686 lib/setup.c:1882 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "ATENCIÓN: El desplazamiento de los datos está fuera del dispositivo de datos actualmente disponible.\n" +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "ATENCIÓN: El dispositivo DAX puede corromper datos ya que no garantiza actualizaciones de sector atómicas.\n" -#: lib/setup.c:1696 lib/setup.c:1912 lib/setup.c:1933 lib/setup.c:2202 +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "No se puede limpiar la cabecera del dispositivo %s." -#: lib/setup.c:1763 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "ATENCIÓN: La activación del dispositivo va a fallar; dm-crypt no admite el tamaño de sector de cifrado solicitado.\n" +#: lib/setup.c:1885 lib/setup.c:2204 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "El dispositivo %s es demasiado pequeño para ser activado; no queda espacio para los datos.\n" -#: lib/setup.c:1786 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "La clave del volumen es demasiado pequeña para cifrado con extensiones de integridad." -#: lib/setup.c:1856 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "El algoritmo de cifrado %s-%s (tamaño de clave %zd bits) no está disponible." -#: lib/setup.c:1885 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "ATENCIÓN: el tamaño de los metadatos LUKS2 ha cambiado a % bytes.\n" - -#: lib/setup.c:1889 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "ATENCIÓN: el tamaño de la zona de ranuras de claves LUKS2 ha cambiado a % bytes.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "ATENCIÓN: La activación del dispositivo va a fallar; dm-crypt no admite el tamaño de sector de cifrado solicitado.\n" -#: lib/setup.c:1915 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:2451 lib/luks2/luks2_reencrypt.c:3488 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "El dispositivo %s es demasiado pequeño." -#: lib/setup.c:1926 lib/setup.c:1952 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "No se puede dar formato al dispositivo %s en uso." -#: lib/setup.c:1929 lib/setup.c:1955 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "No se puede dar formato al dispositivo %s; permiso denegado." -#: lib/setup.c:1941 lib/setup.c:2262 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "No se puede dar formato a la integridad del dispositivo %s." -#: lib/setup.c:1959 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "No se puede dar formato al dispositivo %s." -#: lib/setup.c:1977 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "No se pueden obtener los parámetros de alineamiento OPAL." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Tamaño de bloque lógico OPAL falso." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "El desplazamiento de datos solicitado no es compatible con el tamaño de bloque OPAL." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "El alineamiento de datos solicitado no es compatible con el alineamiento OPAL." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "El desplazamiento de datos no satisface los requisitos de alineamiento OPAL." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "El alineamiento de datos solicitado no satisface los requisitos de alineamiento del rango de bloqueo." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Compensando el tamaño de dispositivo con % sectores para alinearlo con la granularidad de alienamiento OPAL." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "No se ha podido adquirir el bloqueo OPAL para el dispositivo %s." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Clave de administrador de OPAL incorrecta." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "No se puede configurar el segmento de OPAL." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "No se puede dar formato al dispositivo %s; parece que el dispositivo OPAL está completamente protegido contra escritura actualmente." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Quizá esto sea un error del firmware. Ejecute un reinicio PSID OPAL y reconecte para recuperar." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "El reinicio del rango %d de bloqueo del dispositivo %s ha fallado." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Imposible dar formato LOOPAES sin dispositivo." -#: lib/setup.c:2022 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Imposible dar formato VERITY sin dispositivo." -#: lib/setup.c:2033 lib/verity/verity.c:102 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Tipo de «hash» VERITY %d no disponible." -#: lib/setup.c:2039 lib/verity/verity.c:110 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Tamaño de bloque VERITY no disponible." -#: lib/setup.c:2044 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Desplazamiento «hash» VERITY no disponible." -#: lib/setup.c:2049 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Desplazamiento FEC VERITY no disponible." -#: lib/setup.c:2073 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "La zona de datos se solapa con la zona «hash»." -#: lib/setup.c:2098 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "La zona «hash» se solapa con la zona FEC." -#: lib/setup.c:2105 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "La zona de datos se solapa con la zona FEC." -#: lib/setup.c:2241 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "ATENCIÓN: El tamaño de etiqueta de %d bytes solicitado difiere del tamaño de salida de %s (%d bytes).\n" -#: lib/setup.c:2320 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "El tipo de dispositivo cifrado % solicitado es desconocido." -#: lib/setup.c:2616 lib/setup.c:2688 lib/setup.c:2701 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Parámetros no admitidos para el dispositivo %s." -#: lib/setup.c:2622 lib/setup.c:2708 lib/luks2/luks2_reencrypt.c:2503 -#: lib/luks2/luks2_reencrypt.c:2847 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Parámetros discordantes en el dispositivo %s." -#: lib/setup.c:2728 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Los dispositivos de cifrado no concuerdan." -#: lib/setup.c:2765 lib/setup.c:2770 lib/luks2/luks2_reencrypt.c:2143 -#: lib/luks2/luks2_reencrypt.c:3255 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "No se ha podido recargar el dispositivo %s." -#: lib/setup.c:2776 lib/setup.c:2782 lib/luks2/luks2_reencrypt.c:2114 -#: lib/luks2/luks2_reencrypt.c:2121 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "No se ha podido suspender el dispositivo %s." -#: lib/setup.c:2788 lib/luks2/luks2_reencrypt.c:2128 -#: lib/luks2/luks2_reencrypt.c:3190 lib/luks2/luks2_reencrypt.c:3259 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "No se ha podido reanudar el dispositivo %s." -#: lib/setup.c:2803 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Error grave durante la recarga del dispositivo %s (por encima del dispositivo %s)." -#: lib/setup.c:2806 lib/setup.c:2808 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "No se ha podido conmutar el dispositivo %s a dm-error." -#: lib/setup.c:2885 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "No se ha podido cambiar el tamaño del dispositivo LUKS2 con un tamaño estático." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "No se ha podido cambiar el tamaño del dispositivo de bucle." -#: lib/setup.c:2958 +#: lib/setup.c:3657 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "ATENCIÓN: ya se ha puesto el tamaño máximo o el núcleo no permite cambiarlo.\n" + +#: lib/setup.c:3723 +msgid "Resize failed, the kernel doesn't support it." +msgstr "El cambio de tamaño ha fallado; el núcleo no admite el cambio." + +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "¿Está seguro de que quiere cambiar el UUID del dispositivo?" -#: lib/setup.c:3034 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "El fichero de copia de seguridad de la cabecera no contiene una cabecera LUKS compatible." -#: lib/setup.c:3150 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "El volumen %s no está activo." -#: lib/setup.c:3161 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "El volumen %s ya está suspendido." -#: lib/setup.c:3174 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "La suspensión no está disponible para el dispositivo %s." -#: lib/setup.c:3176 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Error durante la suspensión del dispositivo %s." -#: lib/setup.c:3212 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Se ha suspendido el dispositivo %s pero el dispositivo OPAL hardware no puede bloquearse." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "La reanudación no está disponible para el dispositivo %s." -#: lib/setup.c:3214 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Error durante la reanudación del dispositivo %s." -#: lib/setup.c:3248 lib/setup.c:3296 lib/setup.c:3366 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "No se ha podido vincular la clave al llavero especificado." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "No se ha podido desvincular la clave del volumen del llavero de usuario especificado." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "No se ha podido vincular la clave del volumne en el llavero de usuario especificado." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "EL volumen %s no está suspendido." -#: lib/setup.c:3381 lib/setup.c:3750 lib/setup.c:4423 lib/setup.c:4436 -#: lib/setup.c:4444 lib/setup.c:4457 lib/setup.c:4826 lib/setup.c:6008 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "La clave de volumen no corresponde a este volumen." -#: lib/setup.c:3428 lib/setup.c:3633 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen." - -#: lib/setup.c:3585 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "No se ha logrado intercambiar la nueva ranura de claves." -#: lib/setup.c:3771 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "La ranura de claves %d no es válida." -#: lib/setup.c:3777 src/cryptsetup.c:1701 src/cryptsetup.c:2041 -#: src/cryptsetup.c:2632 src/cryptsetup.c:2689 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "La ranura de claves %d no está activa." -#: lib/setup.c:3796 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "La cabecera del dispositivo se solapa con la zona de datos." -#: lib/setup.c:4089 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Recifrado en curso. No se puede activar el dispositivo." -#: lib/setup.c:4091 lib/luks2/luks2_json_metadata.c:2287 -#: lib/luks2/luks2_reencrypt.c:2946 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "No se ha podido conseguir el bloqueo de recifrado." -#: lib/setup.c:4104 lib/luks2/luks2_reencrypt.c:2965 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "La recuperación del recifrado LUKS2 ha fallado." -#: lib/setup.c:4235 lib/setup.c:4500 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente." -#: lib/setup.c:4283 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "El dispositivo %s ya existe." -#: lib/setup.c:4290 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "No se puede utilizar el dispositivo %s; el nombre no es válido o todavía está en uso." -#: lib/setup.c:4410 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Clave de volumen incorrecta para dispositivo no cifrado." -#: lib/setup.c:4526 -msgid "Incorrect root hash specified for verity device." -msgstr "«Hash» raíz incorrecta para dispositivo «verity»." - -#: lib/setup.c:4533 -msgid "Root hash signature required." -msgstr "Se requiere la firma «hash» raíz." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "El llavero de núcleo no está admitido en el núcleo." -#: lib/setup.c:4542 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "El llavero de núcleo está ausente: se necesita para pasar la firma al núcleo." -#: lib/setup.c:4559 lib/setup.c:6084 -msgid "Failed to load key in kernel keyring." -msgstr "No se ha podido cargar la clave en el llavero del núcleo." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "«Hash» raíz incorrecta para dispositivo «verity»." + +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL no dispone de desactivación diferida." -#: lib/setup.c:4615 +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "No se ha podido cancelar la eliminación diferida en el dispositivo %s." -#: lib/setup.c:4622 lib/setup.c:4638 lib/luks2/luks2_json_metadata.c:2340 -#: src/cryptsetup.c:2785 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "El dispositivo %s todavía se está utilizando." -#: lib/setup.c:4647 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Dispositivo inválido %s." -#: lib/setup.c:4763 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "El «buffer» de la clave del volumen es demasiado pequeño." -#: lib/setup.c:4771 +#: lib/setup.c:5916 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS2." + +#: lib/setup.c:5925 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS1." + +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "No se puede recuperar la clave para el dispositivo no cifrado." -#: lib/setup.c:4788 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "No se puede recuperar el «hash» raíz para dispositivo «verity»." -#: lib/setup.c:4792 +#: lib/setup.c:5950 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "No se puede recuperar la clave del volumen para el dispositivo BITLK." + +#: lib/setup.c:5955 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "No se puede recuperar la clave del volumen para el dispositivo FVAULT2." + +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Esta operación no está disponible para el dispositivo cifrado %s." -#: lib/setup.c:4998 lib/setup.c:5009 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Operación de volcado no deisponible para este tipo de dispositivo." -#: lib/setup.c:5337 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "El desplazamiento de datos no es múltiplo de %u bytes." -#: lib/setup.c:5622 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "No se puede convertir el dispositivo %s que todavía está en uso." -#: lib/setup.c:5941 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "No se ha logrado asignar la ranura de claves %u como nueva clave del volumen." -#: lib/setup.c:6014 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "No se han podido inicializar los parámetros predefinidos de la ranura de claves LUKS2." -#: lib/setup.c:6020 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "No se ha logrado asignar la ranura de claves %d al resumen." -#: lib/setup.c:6151 -msgid "Kernel keyring is not supported by the kernel." -msgstr "El llavero de núcleo no está admitido en el núcleo." +#: lib/setup.c:7372 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen." + +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "No se ha podido cargar la clave en el llavero del núcleo." + +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "No se ha podido desvincular la clave del volumen del llavero del hilo." -#: lib/setup.c:6161 lib/luks2/luks2_reencrypt.c:3062 +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "No se ha podido leer la frase contraseña desde el llavero (error %d)" +msgid "Could not find keyring described by \"%s\"." +msgstr "No se ha podido encontrar el llavero descrito por «%s»." -#: lib/setup.c:6185 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "No se ha podido adquirir el bloqueo de la serialización de acceso duro de memoria global." -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "No se puede obtener la prioridad del proceso." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "No se puede desbloquear la memoria." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "No se ha podido abrir el fichero de claves." -#: lib/utils.c:173 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "No se puede leer el fichero de claves desde un terminal." -#: lib/utils.c:189 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "No se ha podido efectuar «stat» sobre el fichero de claves." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "No es posible situarse en la posición solicitada del fichero de claves." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:219 -#: src/utils_password.c:231 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Memoria agotada mientras se estaba leyendo la frase contraseña." -#: lib/utils.c:247 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Error al leer la frase contraseña." -#: lib/utils.c:264 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "No hay nada para leer en la entrada." -#: lib/utils.c:271 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Se ha excedido el tamaño máximo de fichero de claves." -#: lib/utils.c:276 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "No se puede leer la cantidad de datos solicitada." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "El dispositivo %s no existe o el acceso al mismo ha sido denegado." -#: lib/utils_device.c:218 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "El dispositivo %s no es compatible." -#: lib/utils_device.c:562 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Se ignorará por falso el tamaño de optimal-io para el dispositivo de datos (%u bytes)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "El dispositivo %s es demasiado pequeño. Se necesitan % bytes como mínimo." -#: lib/utils_device.c:801 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "No se puede usar el dispositivo %s porque ya está en uso (asignado o montado)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "No se puede utilizar el dispositivo %s; permiso denegado." -#: lib/utils_device.c:808 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "No se puede obtener información del dispositivo %s." -#: lib/utils_device.c:831 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "No se puede utilizar un dispositivo de bucle invertido como usuario no administrador." -#: lib/utils_device.c:842 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "No se ha logrado asociar el dispositivo de bucle invertido (hace falta un dispositivo de bucle con marcador de auto-limpieza)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "El «offset» solicitado está más allá del tamaño real del dispositivo %s." -#: lib/utils_device.c:898 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "El dispositivo %s tiene tamaño cero." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "El tiempo objetivo máximo de PBKDF no puede ser cero." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Tipo de PBKDF %s desconocido." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "La «hash» solicitada %s no está disponible." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "El tipo de PBKDF solicitado no está disponible para LUKS1." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "No se pueden establecer la memoria máxima de PBKDF ni los hilos paralelos con pbkdf2." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "El número de iteraciones forzadas es demasiado pequeño para %s (el mínimo es %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "El coste de la memoria forzada es demasiado bajo para %s (el mínimo es %u kilobytes)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "El coste de la memoria máxima solicitada de PBKDF es demasiado alto (el máximo es %d kilobytes)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "La memoria máxima solicitada de PBKDF no puede ser cero." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Los hilos paralelos solicitados de PBKDF no pueden ser cero." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Solo se admite PBKDF2 en el modo FIPS." -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Banco de pruebas PBKDF desactivado pero las iteraciones no están establecidas." -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Opciones PBKDF2 no compatibles (usando el algoritmo «hash» %s)." -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Opciones PBKDF no compatibles." -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (o no es un directorio o no existe)." -#: lib/utils_device_locking.c:109 -#, c-format -msgid "Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "El directorio de bloqueo %s/%s se creará con los permisos predeterminados al compilar." - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (%s no es un directorio)." -#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:922 -#: src/cryptsetup_reencrypt.c:1010 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "No es posible situarse en la posición del dispositivo." -#: lib/utils_wipe.c:208 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Error al limpiar el dispositivo, desplazamiento %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "PSID OPAL incorrecto." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "No se ha podido borrar el dispositivo OPAL." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -833,9 +969,9 @@ msgstr "El tamaño de clave en modo XTS debe ser 256 o 512 bits." msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "La especificación de cifrado debería estar en formato [cipher]-[mode]-[iv]." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1276 lib/luks2/luks2_keyslot.c:740 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "No se puede escribir en el dispositivo %s; permiso denegado." @@ -848,23 +984,24 @@ msgstr "No se ha podido abrir el dispositivo de almacenamiento de claves tempora msgid "Failed to access temporary keystore device." msgstr "No se ha podido acceder al dispositivo de almacenamiento de claves temporal." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Error de entrada/salida mientras se cifraba una ranura de claves." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:677 -#: lib/verity/verity.c:80 lib/verity/verity.c:193 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:251 lib/verity/verity_fec.c:263 -#: lib/verity/verity_fec.c:268 lib/luks2/luks2_json_metadata.c:1279 -#: src/cryptsetup_reencrypt.c:177 src/cryptsetup_reencrypt.c:189 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "No se puede abrir el dispositivo %s." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "Error de entrada/salida mientras se descifraba una ranura de claves." @@ -880,65 +1017,54 @@ msgstr "El dispositivo %s es demasiado pequeño. (LUKS1 necesita % btyes msgid "LUKS keyslot %u is invalid." msgstr "La ranura de claves LUKS %u no es válida." -#: lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1107 src/cryptsetup.c:1557 -#: src/cryptsetup.c:1688 src/cryptsetup.c:1743 src/cryptsetup.c:1798 -#: src/cryptsetup.c:1863 src/cryptsetup.c:1966 src/cryptsetup.c:2030 -#: src/cryptsetup.c:2259 src/cryptsetup.c:2472 src/cryptsetup.c:2532 -#: src/cryptsetup.c:2597 src/cryptsetup.c:2741 src/cryptsetup.c:3423 -#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1373 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "El dispositivo %s no es un dispositivo LUKS válido." - -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "El fichero de copia de seguridad de cabecera solicitado %s ya existe." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1126 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "No se puede crear el fichero de copia de seguridad %s." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1133 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "No se puede escribir en el fichero de copia de seguridad %s." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1185 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "El fichero de copia de seguridad no contiene una cabecera LUKS válida." -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1206 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "No se puede abrir el fichero de copia de seguridad de cabecerda %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1214 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "No se puede leer el fichero de copia de seguridad de cabecerda %s." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "La posición de los datos o el tamaño de la clave no coinciden en el dispositivo y en la copia de seguridad." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Dispositivo %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "no contiene cabecera LUKS. Reemplazar la cabecera puede destruir los datos en ese dispositivo." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "ya contiene cabecera LUKS. Reemplazar la cabecera destruirá las ranuras de claves existentes." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1248 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -946,126 +1072,130 @@ msgstr "" "\n" "ATENCIÓN: ¡la cabecera del dispositivo real tiene un UUID distinto que el de la copia de seguridad!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "El tamaño de la clave no es estándar; se requiere una reparación manual." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "El alineamiento de las ranuras de claves no es estándar; se requiere una reparación manual." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Modo de cifrado reparado (%s -> %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "«Hash» de cifrado reparado a minúsculas (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "La «hash» LUKS solicitada %s no está disponible." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Reparando ranuras de claves." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Ranura de claves %i: posición reparada (%u -> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Ranura de claves %i: bandas reparadas (%u -> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Ranura de claves %i: la firma de la partición es falsa." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Ranura de claves %i: «salt wiped»." -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Escribiendo cabecera LUKS en el disco." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "La reparación ha fallado." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "El modo de cifrado LUKS %s no es válido." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "El «hash» LUKS %s no es válido." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1243 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "No se ha detectado ningún problema en la cabecera LUKS." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Error al actualizar la cabecera LUKS en el dispositivo %s." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Error al leer la cabecera LUKS después de actualizarla en el dispositivo %s." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "La posición de los datos de una cabecera LUKS debe ser 0 o superior al tamaño de la cabecera." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1015 -#: src/cryptsetup.c:2904 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "El formato de UUID LUKS proporcionado es incorrecto." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "No se puede crear la cabecera LUKS: fallo en la lectura «random salt»." -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "No se puede crear la cabecera LUKS: fallo en la cabecera (usando «hash» %s)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "La ranura de claves %d está activa; primero hay que purgar." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "El material de la ranura de claves %d no tiene suficientes bandas. Quizá se haya manipulado la cabecera." -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Desbordamiento del valor de iteración PBKDF2." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "No se puede abrir la ranura de claves (usando «hash» %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "La ranura %d no es válida; seleccione una ranura de claves entre 0 y %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:744 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "No se puede limpiar el dispositivo %s." @@ -1086,12 +1216,12 @@ msgstr "Se ha detectado un fichero de claves incompatible con «loop-AES»." msgid "Kernel does not support loop-AES compatible mapping." msgstr "El núcleo no admite asignación compatible con «loop-AES»." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Error leyendo el fichero de claves %s." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Se ha excedido la longitud máxima (%zu) de la frase contraseña TCRYPT." @@ -1101,102 +1231,102 @@ msgstr "Se ha excedido la longitud máxima (%zu) de la frase contraseña TCRYPT. msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "El algoritmo «hash» %s no está disponible, por lo que se ha ignorado." -#: lib/tcrypt/tcrypt.c:618 src/cryptsetup.c:1110 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "La interfaz de cifrado del núcleo requerida no está disponible." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1112 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Asegúrese de que el módulo del núcleo algof_skcipher está cargado." -#: lib/tcrypt/tcrypt.c:760 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "No es posible la activación para el tamaño de sector %d." -#: lib/tcrypt/tcrypt.c:766 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "El núcleo no dispone de activación para este modo antiguo TCRYPT." -#: lib/tcrypt/tcrypt.c:797 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Activando el sistema de cifrado TCRYPT para la partición %s." -#: lib/tcrypt/tcrypt.c:875 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "El núcleo no admite asignación compatible con TCRYPT." -#: lib/tcrypt/tcrypt.c:1088 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Esta función no está disponible sin carga de cabecera TCRYPT." -#: lib/bitlk/bitlk.c:350 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "El tipo de entrada de metadatos '%u' no esperado se ha encontrado mientras se analizaba la clave maestra del volumen soportado." -#: lib/bitlk/bitlk.c:397 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "Se ha encontrado una cadena no válida mientras se analizaba la clave maestra del volumen." -#: lib/bitlk/bitlk.c:402 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Se ha encontrado una cadena no esperada ('%s') mientras se analizaba la clave maestra del volumen soportado." -#: lib/bitlk/bitlk.c:419 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "El valor de entrada de metadatos '%u' no esperado se ha encontrado mientras se analizaba la clave maestra del volumen soportado." -#: lib/bitlk/bitlk.c:502 -#, c-format -msgid "Failed to read BITLK signature from %s." -msgstr "No se ha podido leer la firma BITLK de %s." - -#: lib/bitlk/bitlk.c:514 -msgid "Invalid or unknown signature for BITLK device." -msgstr "Firma no válida o desconocida para el dispositivo BITLK" - -#: lib/bitlk/bitlk.c:520 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "BITLK versión 1 no está admitido actualmente." -#: lib/bitlk/bitlk.c:526 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Firma de arranque no válida o desconocida para el dispositivo BITLK" -#: lib/bitlk/bitlk.c:538 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %." msgstr "Tamaño de sector no admitido %." -#: lib/bitlk/bitlk.c:546 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "No se ha podido leer la cabecera BITLK de %s." -#: lib/bitlk/bitlk.c:571 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "No se han podido leer los metadatos BITLK FVE de %s." -#: lib/bitlk/bitlk.c:622 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Tipo de cifrado desconocido o no admitido." -#: lib/bitlk/bitlk.c:655 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "No se han podido leer las entradas de los metadatos BITLK de %s." -#: lib/bitlk/bitlk.c:897 +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "No se ha podido convertir el descifrado del volumen BITLK" + +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Tipo de entrada de metadatos '%u' encontrado inesperadamente mientras se analizaba clave externa." -#: lib/bitlk/bitlk.c:912 +#: lib/bitlk/bitlk.c:907 +#, c-format +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "El GUID '%s' del fichero BEK no coincide con el GUID del volumen." + +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Valor de entrada de metadatos '%u' encontrado inesperadamente mientras se analizaba clave externa." @@ -1211,90 +1341,112 @@ msgstr "Versión % de metadatos BEK no admitida." msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Tamaño % de metadatos BEK no esperado, no coincide con la longitud del fichero BEK" -#: lib/bitlk/bitlk.c:980 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Entrada de metadatos encontrada inesperadamente mientras se analizaba clave de inicio." -#: lib/bitlk/bitlk.c:1071 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Esta operación no está disponible." -#: lib/bitlk/bitlk.c:1079 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Tamaño de datos de la clave no esperado." -#: lib/bitlk/bitlk.c:1205 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Este dispositivo BITLK se encuentra en un estado en el que no puede activarse." -#: lib/bitlk/bitlk.c:1210 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Los dispositivos BITLK con tipo '%s' no puede activarse." -#: lib/bitlk/bitlk.c:1217 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "La activación de un dispositivo BITLK parcialmente descifrado no puede hacerse." -#: lib/bitlk/bitlk.c:1380 +#: lib/bitlk/bitlk.c:1263 +#, c-format +msgid "WARNING: BitLocker volume size % does not match the underlying device size %" +msgstr "ATENCIÓN: el tamaño del volumen «bitlocker» % no coincide con el tamaño del dispositivo subyacente %" + +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para BITLK IV." -#: lib/bitlk/bitlk.c:1384 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para difusor BITLK «Elephant»." -#: lib/verity/verity.c:68 lib/verity/verity.c:179 +#: lib/bitlk/bitlk.c:1398 +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para tamaño de sector grande." + +#: lib/bitlk/bitlk.c:1402 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "No se puede activar el dispositivo; falta el módulo dm-zero del núcleo." + +#: lib/fvault2/fvault2.c:542 #, c-format -msgid "Verity device %s does not use on-disk header." -msgstr "El dispositivo «verity» %s no utiliza cabecera en disco." +msgid "Could not read %u bytes of volume header." +msgstr "No se han podido leer %u «bytes» de la cabecera del volumen." -#: lib/verity/verity.c:90 +#: lib/fvault2/fvault2.c:554 #, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "El dispositivo %s no es un dispositivo VERITY válido." +msgid "Unsupported FVAULT2 version %." +msgstr "Versión de FVAULT2 no admitida %." + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 +#, c-format +msgid "Verity device %s does not use on-disk header." +msgstr "El dispositivo «verity» %s no utiliza cabecera en disco." -#: lib/verity/verity.c:97 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "Versión VERITY %d no disponible." -#: lib/verity/verity.c:128 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "Cabecera VERITY corrupta." -#: lib/verity/verity.c:173 +#: lib/verity/verity.c:176 #, c-format msgid "Wrong VERITY UUID format provided on device %s." msgstr "El formato UUID VERITY proporcionado en el dispositivo %s es incorrecto." -#: lib/verity/verity.c:217 +#: lib/verity/verity.c:220 #, c-format msgid "Error during update of verity header on device %s." msgstr "Error al actualizar la cabecera «verity» en el dispositivo %s." -#: lib/verity/verity.c:275 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "La verificación de firma «hash» raíz solicitada no está disponible." -#: lib/verity/verity.c:287 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Se requiere la firma «hash» raíz." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Los errores no pueden repararse con dispositivo FEC." -#: lib/verity/verity.c:289 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Se han encontrado %u errores reparables con dispositivo FEC." -#: lib/verity/verity.c:332 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "El núcleo no dispone de asignación «dm-verity»." -#: lib/verity/verity.c:336 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "El núcleo no dispone de opción de firma «dm-verity»." -#: lib/verity/verity.c:347 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "El dispositivo «verity» ha detectado algo corrupto después de la activación." @@ -1366,46 +1518,51 @@ msgstr "No se ha podido reparar la paridad para el bloque %." msgid "Failed to write parity for RS block %." msgstr "No se ha podido escribir la paridad para el bloque RS %." -#: lib/verity/verity_fec.c:228 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "Los tamaños de bloque deben coincidir para FEC." -#: lib/verity/verity_fec.c:234 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "Número no válido de bytes de paridad." -#: lib/verity/verity_fec.c:239 +#: lib/verity/verity_fec.c:248 msgid "Invalid FEC segment length." msgstr "Longitud de segmento FEC no válida." -#: lib/verity/verity_fec.c:303 +#: lib/verity/verity_fec.c:316 #, c-format msgid "Failed to determine size for device %s." msgstr "No se ha podido determinar el tamaño para el dispositivo %s." -#: lib/integrity/integrity.c:272 lib/integrity/integrity.c:355 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "Metadatos dm-integrity del núcleo incompatibles (versión %u) detectados en %s." + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "El núcleo no dispone de asociación «dm-integrity»." -#: lib/integrity/integrity.c:278 +#: lib/integrity/integrity.c:283 msgid "Kernel does not support dm-integrity fixed metadata alignment." msgstr "El núcleo no dispone de alineamiento de metadatos fijo «dm-integrity»." -#: lib/integrity/integrity.c:287 +#: lib/integrity/integrity.c:292 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "El núcleo rehúsa activar la opción de recálculo inseguro (véanse las opciones de activación antiguas para cambiar ese funcionamiento)." -#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:973 -#: lib/luks2/luks2_json_metadata.c:1268 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "No se ha podido adquirir el bloqueo de escritura del dispositivo %s." -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "Se ha detectado un intento de actualizar los metadatos LUKS2 concurrentemente. Se aborta la operación." -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." @@ -1413,49 +1570,59 @@ msgstr "" "El dispositivo contiene firmas ambiguas; no se puede autorecuperar LUKS2.\n" "Por favor, ejecute \"cryptsetup repair\" para recuperación." -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "ATENCIÓN: la zona de ranuras de claves (% bytes) es muy pequeña; el número de ranuras de claves LUKS2 disponibles es muy limitado.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "El desplazamiento de datos solicitado es demasiado pequeño." -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "ATENCIÓN: la zona de ranuras de claves (% bytes) es muy pequeña; el número de ranuras de claves LUKS2 disponibles es muy limitado.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "ATENCIÓN: el tamaño de los metadatos LUKS2 ha cambiado a % bytes.\n" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "ATENCIÓN: el tamaño de la zona de ranuras de claves LUKS2 ha cambiado a % bytes.\n" -#: lib/luks2/luks2_json_metadata.c:960 lib/luks2/luks2_json_metadata.c:1098 -#: lib/luks2/luks2_json_metadata.c:1174 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "No se ha podido adquirir el bloqueo de lectura para el dispositivo %s." -#: lib/luks2/luks2_json_metadata.c:1191 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Se han detectado requisitos prohibidos para LUKS2 en la copia de seguridad %s." -#: lib/luks2/luks2_json_metadata.c:1232 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "La posición de los datos no coinciden en el dispositivo y en la copia de seguridad; ha fallado la restauración." -#: lib/luks2/luks2_json_metadata.c:1238 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "La cabecera binaria con el tamaño de las áreas de ranuras de claves no coinciden en el dispositivo y en la copia de seguridad; la restauración ha fallado." -#: lib/luks2/luks2_json_metadata.c:1245 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Dispositivo %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1246 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "no contiene cabecera LUKS2. Reemplazar la cabecera puede destruir los datos en ese dispositivo." -#: lib/luks2/luks2_json_metadata.c:1247 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "ya contiene cabecera LUKS2. Reemplazar la cabecera destruirá las ranuras de claves existentes." -#: lib/luks2/luks2_json_metadata.c:1249 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1466,7 +1633,7 @@ msgstr "" "dispositivo real! Reemplazar la cabecera con la copia de seguridad puede\n" "corromper los datos en ese dispositivo!" -#: lib/luks2/luks2_json_metadata.c:1251 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1476,409 +1643,559 @@ msgstr "" "ATENCIÓN: ¡Se ha detectado recifrado «offline» no terminado en el dispositivo!\n" "¡Reemplazar la cabecera con la copia de seguridad puede corromper los datos!" -#: lib/luks2/luks2_json_metadata.c:1349 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Se hará caso omiso del indicador desconocido %s." -#: lib/luks2/luks2_json_metadata.c:2054 lib/luks2/luks2_reencrypt.c:1843 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Falta la clave para el segmento dm-crypt %u" -#: lib/luks2/luks2_json_metadata.c:2066 lib/luks2/luks2_reencrypt.c:1857 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "No se ha podido establecer el segmento de dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2072 lib/luks2/luks2_reencrypt.c:1863 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "No se ha podido establecer el segmento de dm-linear." -#: lib/luks2/luks2_json_metadata.c:2199 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado en la cabecera LUKS2." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "El dispositivo OPAL debe tener tamaño de dispositivo estático." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "El dispositivo OPAL con integridad cifrado debe ser más pequeño que el rango de bloqueo." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "El dispositivo OPAL debe tener el mismo tamaño que el rango de bloqueo." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "El dispositivo OPAL es %s ya desbloqueado.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Configuración de integridad de dispositivo no admitida." -#: lib/luks2/luks2_json_metadata.c:2285 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "El dispositivo «dm-integrity» subyacente presenta sectores de datos inesperados." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Recifrado en curso. No se puede desactivar el dispositivo." -#: lib/luks2/luks2_json_metadata.c:2296 lib/luks2/luks2_reencrypt.c:3300 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "No se ha podido reemplazar el dispositivo suspendido %s con el objetivo dm-error." -#: lib/luks2/luks2_json_metadata.c:2376 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "El dispositivo %s ya se ha desactivado pero el dispositivo OPAL hardware no puede bloquearse." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "No se ha podido leer los requisitos LUKS2." -#: lib/luks2/luks2_json_metadata.c:2383 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Se han detectado requisitos LUKS2 no satisfechos." -#: lib/luks2/luks2_json_metadata.c:2391 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Operación incompatible con dispositivo marcado para recifrado obsoleto. Se aborta." -#: lib/luks2/luks2_json_metadata.c:2393 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Operación incompatible con dispositivo marcado para recifrado LUKS2. Se aborta." -#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Operación incompatible con dispositivo que utiliza OPAL. Se aborta." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "No hay memoria disponible suficiente para abrir una ranura de claves." -#: lib/luks2/luks2_keyslot.c:556 lib/luks2/luks2_keyslot.c:593 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Fallo al abrir la ranura de claves." -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "No se puede utilizar el algoritmo de cifrado %s-%s para el cifrado de ranuras de clave." -#: lib/luks2/luks2_keyslot_luks2.c:485 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "El algoritmo «hash» %s no está disponible." + +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "ATENCIÓN: la operación de ranura de claves podría fallar porque requiere más memoria de la que está disponible.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "No hay espacio para la nueva ranura de claves." -#: lib/luks2/luks2_luks1_convert.c:482 +#: lib/luks2/luks2_keyslot_reenc.c:596 +msgid "Invalid reencryption resilience mode change requested." +msgstr "La petición de cambio de modo de resiliencia de recifrado es incorrecta." + +#: lib/luks2/luks2_keyslot_reenc.c:717 +#, c-format +msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." +msgstr "No se puede actualizar el tipo de resiliencia. El nuevo tipo solo ofrece % «bytes»; el espacio que hace falta es: % «bytes»." + +#: lib/luks2/luks2_keyslot_reenc.c:727 +msgid "Failed to refresh reencryption verification digest." +msgstr "No se ha podido refrescar el resumen de verificación del recifrado." + +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "No se puede comprobar el estado del dispositivo con uuid: %s." -#: lib/luks2/luks2_luks1_convert.c:508 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Imposible convertir cabecera con metadatos adicionales LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:548 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "Imposible utilizar la especificación de cifrado %s-%s para LUKS2." + +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Imposible mover el área de la ranura de claves. No hay suficiente espacio." -#: lib/luks2/luks2_luks1_convert.c:599 +#: lib/luks2/luks2_luks1_convert.c:652 +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "No se puede convertir a formato LUKS2 - los metadatos no son válidos." + +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Imposible mover el área de la ranura de claves. Área de ranuras de clave LUKS2 demasiado pequeña." -#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:889 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Imposible mover el área de la ranura de claves." -#: lib/luks2/luks2_luks1_convert.c:697 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "No se puede convertir a formato LUKS1 - el tamaño predefinido de sector de cifrado del segmento no es 512 bytes." -#: lib/luks2/luks2_luks1_convert.c:705 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "No se puede convertir a formato LUKS1 - los resúmenes de rarunas de claves no son compatibles con LUKS1." -#: lib/luks2/luks2_luks1_convert.c:717 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "No se puede convertir a formato LUKS1 - el dispositivo utiliza el cifrado de clave encapsulado %s." -#: lib/luks2/luks2_luks1_convert.c:725 +#: lib/luks2/luks2_luks1_convert.c:790 +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "No se puede convertir a formato LUKS1 - el dispositivo utiliza más segmentos." + +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "No se puede convertir a formato LUKS1 - la cabecera LUKS2 contiene %u «token(s)»." -#: lib/luks2/luks2_luks1_convert.c:739 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u está en un estado no válido." -#: lib/luks2/luks2_luks1_convert.c:744 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "No se puede convertir a formato LUKS1 - la ranura %u (sobre las ranuras máximas) todavía está activa." -#: lib/luks2/luks2_luks1_convert.c:749 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u no es compatible con LUKS1." -#: lib/luks2/luks2_reencrypt.c:993 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "El tamaño de la zona activa debe ser múltiplo del alineamiento de zona calculado (%zu bytes)." -#: lib/luks2/luks2_reencrypt.c:998 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "El tamaño del dispositivo debe ser múltiplo del alineamiento de zona calculado (%zu bytes)." -#: lib/luks2/luks2_reencrypt.c:1042 -#, c-format -msgid "Unsupported resilience mode %s" -msgstr "Modo de resiliencia %s no admitido." - -#: lib/luks2/luks2_reencrypt.c:1259 lib/luks2/luks2_reencrypt.c:1414 -#: lib/luks2/luks2_reencrypt.c:1497 lib/luks2/luks2_reencrypt.c:1531 -#: lib/luks2/luks2_reencrypt.c:3140 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "No se ha podido inicializar la envoltura antigua de almacenamiento del segmento." -#: lib/luks2/luks2_reencrypt.c:1273 lib/luks2/luks2_reencrypt.c:1392 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "No se ha podido inicializar la envoltura nueva de almacenamiento del segmento." -#: lib/luks2/luks2_reencrypt.c:1441 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 +msgid "Failed to initialize hotzone protection." +msgstr "No se ha podido inicializar la protección de la zona caliente." + +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "No se han podido leer las sumas de comprobación para la zona activa actual." -#: lib/luks2/luks2_reencrypt.c:1448 lib/luks2/luks2_reencrypt.c:3148 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "No se ha podido leer la zona activa que comienza en %." -#: lib/luks2/luks2_reencrypt.c:1467 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "No se ha podido descifrar el sector %zu." -#: lib/luks2/luks2_reencrypt.c:1473 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "No se ha podido recuperar el sector %zu." -#: lib/luks2/luks2_reencrypt.c:1956 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Los tamaños de los dispositivos origen y destino no coinciden. Origen %, destino: %." -#: lib/luks2/luks2_reencrypt.c:2054 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "No se ha podido activar el dispositivo con zona activa %s." -#: lib/luks2/luks2_reencrypt.c:2071 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "No se ha podido activar el dispositivo de superposición %s con la tabla de orígenes actual." -#: lib/luks2/luks2_reencrypt.c:2078 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "No se ha podido cargar el nuevo mapa para el dispositivo %s." -#: lib/luks2/luks2_reencrypt.c:2149 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "No se ha podido refrescar la pila del dispositivo de recifrado." -#: lib/luks2/luks2_reencrypt.c:2309 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "No se ha logrado establecer el tamaño de las nuevas ranuras de claves." -#: lib/luks2/luks2_reencrypt.c:2413 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format -msgid "Data shift is not aligned to requested encryption sector size (% bytes)." -msgstr "El desplazamiento de datos no está alineado con el tamaño del sector de cifrado solicitado (% bytes)." +msgid "Data shift value is not aligned to encryption sector size (% bytes)." +msgstr "El valor del desplazamiento de datos no está alineado con el tamaño del sector de cifrado (% bytes)." -#: lib/luks2/luks2_reencrypt.c:2434 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format -msgid "Data device is not aligned to requested encryption sector size (% bytes)." -msgstr "El dispositivo de datos no está alineado con el tamaño del sector de cifrado solicitado (% bytes)." +msgid "Unsupported resilience mode %s" +msgstr "Modo de resiliencia %s no admitido." + +#: lib/luks2/luks2_reencrypt.c:2806 +msgid "Moved segment size can not be greater than data shift value." +msgstr "El tamaño del segmento movido no puede ser mayor que el valor del desplazamiento de los datos." + +#: lib/luks2/luks2_reencrypt.c:2848 +msgid "Invalid reencryption resilience parameters." +msgstr "Parámetros de resiliencia de recifrado no válidos." + +#: lib/luks2/luks2_reencrypt.c:2870 +#, c-format +msgid "Moved segment too large. Requested size %, available space for: %." +msgstr "Segmento movido demasiado grande. Tamaño solicitado %, espacio disponible para: %." + +#: lib/luks2/luks2_reencrypt.c:2957 +msgid "Failed to clear table." +msgstr "No se ha podido limpiar la tabla." + +#: lib/luks2/luks2_reencrypt.c:3043 +msgid "Reduced data size is larger than real device size." +msgstr "El tamaño de los datos reducidos es mayor que el tamaño del dispositivo real." -#: lib/luks2/luks2_reencrypt.c:2455 +#: lib/luks2/luks2_reencrypt.c:3050 +#, c-format +msgid "Data device is not aligned to encryption sector size (% bytes)." +msgstr "El dispositivo de datos no está alineado con el tamaño del sector de cifrado (% bytes)." + +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "El desplazamiento de datos (% sectores) es menor que el desplazamiento de datos futuros (% sectores)." -#: lib/luks2/luks2_reencrypt.c:2461 lib/luks2/luks2_reencrypt.c:2889 -#: lib/luks2/luks2_reencrypt.c:2910 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "No se ha podido abrir %s en modo exclusivo (ya está asignado o montado)." -#: lib/luks2/luks2_reencrypt.c:2629 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "El dispositivo no está marcado para recifrado LUKS2." -#: lib/luks2/luks2_reencrypt.c:2635 lib/luks2/luks2_reencrypt.c:3415 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "No se ha podido cargar el contexto del recifrado LUKS2." -#: lib/luks2/luks2_reencrypt.c:2715 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "No se ha podido obtener el estado del recifrado." -#: lib/luks2/luks2_reencrypt.c:2719 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "El dispositivo no está en recifrado." -#: lib/luks2/luks2_reencrypt.c:2726 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "El proceso de recifrado ya está en marcha." -#: lib/luks2/luks2_reencrypt.c:2728 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "No se ha podido adquirir el bloqueo de recifrado." -#: lib/luks2/luks2_reencrypt.c:2746 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "No se puede proceder con el recifrado. Ejecute primero la recuperación de recifrado." -#: lib/luks2/luks2_reencrypt.c:2860 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "El tamaño del dispositivo activo y el tamaño de recifrado solicitado no coinciden." -#: lib/luks2/luks2_reencrypt.c:2874 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "El tamaño de dispositivo solicitado en los parámetros de recifrado no es válido." -#: lib/luks2/luks2_reencrypt.c:2944 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Recifrado en proceso. No se puede llevar a cabo una recuperación." -#: lib/luks2/luks2_reencrypt.c:3016 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Recifrado LUKS2 ya inicializado en los metadatos." -#: lib/luks2/luks2_reencrypt.c:3023 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "No se ha podido inicializar el recifrado LUKS2 en los metadatos." -#: lib/luks2/luks2_reencrypt.c:3114 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "El recifrado no está disponible para dispositivo DAX (memoria persistente)." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "No se ha podido leer la frase contraseña desde el llavero." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "No se han podido establecer los segmentos del dispositivo para la siguiente zona activa de recifrado." -#: lib/luks2/luks2_reencrypt.c:3156 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "No se han podido escribir los metadatos de resiliencia de recifrado." -#: lib/luks2/luks2_reencrypt.c:3163 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "El descifrado ha fallado." -#: lib/luks2/luks2_reencrypt.c:3168 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "No se ha podido escribir la zona activa que comienza en %." -#: lib/luks2/luks2_reencrypt.c:3173 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "No se han podido sincronizar los datos." -#: lib/luks2/luks2_reencrypt.c:3181 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "No se han podido actualizar los metadatos tras completar la zona activa de recifrado actual." -#: lib/luks2/luks2_reencrypt.c:3248 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "No se han podido escribir los metadatos de LUKS2." -#: lib/luks2/luks2_reencrypt.c:3271 -msgid "Failed to wipe backup segment data." -msgstr "No se han podido limpiar los datos de segmentos de respaldo." +#: lib/luks2/luks2_reencrypt.c:4125 +msgid "Failed to wipe unused data device area." +msgstr "No se ha podido limpiar el área no utilizada del dispositivo de datos." -#: lib/luks2/luks2_reencrypt.c:3284 -msgid "Failed to disable reencryption requirement flag." -msgstr "No se ha podido desactivar el indicador del requisito de descifrado." +#: lib/luks2/luks2_reencrypt.c:4131 +#, c-format +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "No se ha logrado borrar la ranura de claves (independiente) %d no utilizada." + +#: lib/luks2/luks2_reencrypt.c:4141 +msgid "Failed to remove reencryption keyslot." +msgstr "No se ha podido borrar la ranura de claves de recifrado." -#: lib/luks2/luks2_reencrypt.c:3292 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Error fatal mientras se recifraba una porción que comienza en %, de % sectores de longitud." -#: lib/luks2/luks2_reencrypt.c:3296 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "El recifrado «online» ha fallado." # No sé cómo traducir 'error target'. -#: lib/luks2/luks2_reencrypt.c:3301 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "No reanudar el dispositivo a menos que se reemplace con «error target» manualmente." -#: lib/luks2/luks2_reencrypt.c:3353 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "No se puede proceder con el recifrado. Estado de recifrado inesperado." -#: lib/luks2/luks2_reencrypt.c:3359 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Contexto de recifrado ausente o no válido." -#: lib/luks2/luks2_reencrypt.c:3366 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "No se ha podido inicializar la pila del dispositivo de recifrado." -#: lib/luks2/luks2_reencrypt.c:3385 lib/luks2/luks2_reencrypt.c:3428 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "No se ha podido actualizar el contexto de recifrado." -#: src/cryptsetup.c:108 -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "No se puede hacer verificación de frase contraseña en entradas no tty." +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "Los metadatos de recifrado no son válidos." -#: src/cryptsetup.c:171 +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "El rango OPAL %d desplazamiento % no coincide con los valores esperados %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "El rango OPAL %d longitud % no coincide con la longitud esperada %." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "El bloqueo del rango OPAL %d está desactivado." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Estado de bloqueo del rango OPAL %d inesperado." + +#: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Los parámetros de cifrado de ranura de claves solo pueden configurarse para dispositivos LUKS2." -#: src/cryptsetup.c:198 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format -msgid "Enter token PIN:" -msgstr "Introduzca el PIN del «token»:" +msgid "Enter token PIN: " +msgstr "Introduzca el PIN del «token»: " -#: src/cryptsetup.c:200 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format -msgid "Enter token %d PIN:" -msgstr "Introduzca el PIN del «token» %d:" +msgid "Enter token %d PIN: " +msgstr "Introduzca el PIN del «token» %d: " -#: src/cryptsetup.c:245 src/cryptsetup.c:1057 src/cryptsetup.c:1401 -#: src/cryptsetup.c:3288 src/cryptsetup_reencrypt.c:700 -#: src/cryptsetup_reencrypt.c:770 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado." -#: src/cryptsetup.c:253 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "ATENCIÓN: Se están utilizando opciones predeterminadas de cifrado (%s-%s, tamaño de clave %u bits) que podrían ser incompatibles con versiones anteriores." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "ATENCIÓN: Se están utilizando opciones predeterminadas de «hash» (%s) que podrían ser incompatibles con versiones anteriores." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "Para modo sin cifrado, utlice siempre las opciones --cipher, --key-size y, si no se utiliza fichero de claves, también --hash." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" -msgstr "ATENCIÓN: No se va a hacer caso del parámetro --hash en modo no cifrado con el fichero de claves especificado.\n" +msgstr "ATENCIÓN: No se va a hacer caso del parámetro --hash en modo sin cifrado con el fichero de claves especificado.\n" -#: src/cryptsetup.c:261 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "ATENCIÓN: No se va a hacer caso de la opción --keyfile-size; el tamaño de lectura es igual al tamaño de la clave de cifrado.\n" -#: src/cryptsetup.c:301 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "La exploración de Blkid ha fallado para %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Se ha(n) detectado firma(s) de dispositivo en %s. Si se prosigue, pueden dañarse los datos existentes." -#: src/cryptsetup.c:307 src/cryptsetup.c:1197 src/cryptsetup.c:1253 -#: src/cryptsetup.c:1378 src/cryptsetup.c:1451 src/cryptsetup.c:2099 -#: src/cryptsetup.c:2805 src/cryptsetup.c:2927 src/integritysetup.c:176 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Operación abortada.\n" -#: src/cryptsetup.c:375 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Es necesaria la opción --key-file." -#: src/cryptsetup.c:426 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Introduzca PIM de VeraCrypt: " -#: src/cryptsetup.c:435 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Valor de PIM no válido: error de análisis." -#: src/cryptsetup.c:438 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Valor de PIM no válido: 0." -#: src/cryptsetup.c:441 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Valor de PIM no válido: fuera de rango." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "No se ha detectado ninguna cabecera de dispositivo con esa frase contraseña." -#: src/cryptsetup.c:537 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "El dispositivo %s no es un dispositivo BITLK válido." -#: src/cryptsetup.c:545 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "No se puede determinar el tamaño de la clave del volumen para BITLK; utilice la opción --key-size." -#: src/cryptsetup.c:588 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1888,7 +2205,7 @@ msgstr "" "sensible que permite el acceso a una partición cifrada sin frase contraseña.\n" "Este volcado debería almacenarse siempre cifrado en un lugar seguro." -#: src/cryptsetup.c:661 src/cryptsetup.c:2125 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1898,88 +2215,120 @@ msgstr "" "sensible que permite el acceso a una partición cifrada sin frase contraseña.\n" "Este volcado debería almacenarse cifrado en un lugar seguro." -#: src/cryptsetup.c:756 src/veritysetup.c:318 src/integritysetup.c:313 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "El dispositivo %s no es un dispositivo FVAULT2 válido." + +#: src/cryptsetup.c:796 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "No se puede determinar el tamaño de la clave del volumen para FVAULT2; utilice la opción --key-size." + +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "El dispositivo %s todavía está activo y programado para borrado diferido.\n" -#: src/cryptsetup.c:790 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "No se ha podido establecer la ruta de «tokens» externa %s." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "El cambio de tamaño del dispositivo activo requiere clave de volumen en el llavero pero la opción --disable-keyring está puesta." -#: src/cryptsetup.c:936 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Comparativa interrumpida." -#: src/cryptsetup.c:957 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s N/A\n" -#: src/cryptsetup.c:959 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iteraciones por segundo para clave de %zu bits\n" -#: src/cryptsetup.c:973 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s N/A\n" -#: src/cryptsetup.c:975 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iteraciones, %5u memora, %1u hilos paralelos (CPUs) para clave de %zu bits (tiempo solicitado %u ms)\n" -#: src/cryptsetup.c:999 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "El resultado de la comparativa no es fiable." -#: src/cryptsetup.c:1049 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Las pruebas son solo aproximadas usando memoria (no hay entrada/salida de almacenadmiento).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1069 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algoritmo | Clave | Cifrado | Descifrado\n" -#: src/cryptsetup.c:1073 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "El algoritmo de cifrado %s (con clave de %i bits) no está disponible." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algoritmo | Clave | Cifrado | Descifrado\n" -#: src/cryptsetup.c:1103 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "/N/A" -#: src/cryptsetup.c:1190 +#: src/cryptsetup.c:1245 msgid "" -"Seems device does not require reencryption recovery.\n" -"Do you want to proceed anyway?" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -"Parece que el dispositivo no necesita recuperación del recifrado.\n" -"¿Desea continuar de todos modos?" +"Se han detectado metadatos de recifrado LUKS2 no protegidos. Verifique que la operación de recifrado es deseable (consulte\n" +"la salida de luksDump) y continúe (actualización de los metadatos) únicamente si reconoce la operación como auténtica." -#: src/cryptsetup.c:1196 +#: src/cryptsetup.c:1251 +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "Introduzca la frase contraseña para proteger y actualizar los metadatos del recifrado: " + +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "¿Está seguro de proceder con la recuperación del recifrado LUKS2?" -#: src/cryptsetup.c:1204 +#: src/cryptsetup.c:1304 +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "Introduzca la frase contraseña para verificar el resumen de los metadatos del recifrado: " + +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Introduzca la frase contraseña para la recuperación del recifrado: " -#: src/cryptsetup.c:1252 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "¿Está seguro de que quiere intentar reparar la cabecera del dispositivo LUKS?" -#: src/cryptsetup.c:1277 src/integritysetup.c:90 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"Limpieza interrumpida." + +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -1987,113 +2336,144 @@ msgstr "" "Limpieza de dispositivo para inicializar la suma de comprobación de integridad.\n" "Puede interrumpirse pulsando CTRL+c (el resto de dispositivo no limpiado contendrá sumas de comprobación no válidas.\n" -#: src/cryptsetup.c:1299 src/integritysetup.c:112 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "No se puede desactivar el dispositivo temporal %s." -#: src/cryptsetup.c:1363 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "La opción de integridad solo puede utilizarse para formato LUKS2." -#: src/cryptsetup.c:1368 src/cryptsetup.c:1428 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Opciones de tamaño de metadatos LUKS2 no admitidas." -#: src/cryptsetup.c:1377 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL solo está disponible para formato LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "No existe el fichero de cabecera; ¿desea crearlo?" -#: src/cryptsetup.c:1385 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "No se puede crear el fichero de cabecera %s." -#: src/cryptsetup.c:1408 src/integritysetup.c:138 src/integritysetup.c:146 -#: src/integritysetup.c:155 src/integritysetup.c:230 src/integritysetup.c:238 -#: src/integritysetup.c:248 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "No se ha detectado ningún patrón conocido de especificación de integridad." -#: src/cryptsetup.c:1421 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "No se puede utilizar %s como cabecera en disco." -#: src/cryptsetup.c:1445 src/integritysetup.c:170 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Esto sobreescribirá los datos en %s de forma irrevocable." -#: src/cryptsetup.c:1478 src/cryptsetup.c:1814 src/cryptsetup.c:1879 -#: src/cryptsetup.c:1981 src/cryptsetup.c:2047 src/cryptsetup_reencrypt.c:530 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "La contraseña de administrador de OPAL no puede estar vacía." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "No se han podido establecer los parámetros pbkdf." -#: src/cryptsetup.c:1563 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "La especificación del tipo en la especificación de llavero de --link-vk-to-keyring se ignorará." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Valor de --link-vk-to-keyring no válido." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "La posición de datos reducida está permitida solamente para cabecera LUKS separada." -#: src/cryptsetup.c:1574 src/cryptsetup.c:1885 +#: src/cryptsetup.c:1812 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "El contenedor de ficheros LUKS %s is demasiado pequeño para activarlo; no queda espacio para los datos." + +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "No se puede determinar el tamaño de la clave del volumen para LUKS2 sin ranuras de claves; utilice la opción --key-size." -#: src/cryptsetup.c:1619 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Dispositivo activado pero los indicadores no pueden hacerse persistentes." -#: src/cryptsetup.c:1698 src/cryptsetup.c:1766 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "La ranura de claves %d se va a borrar." -#: src/cryptsetup.c:1710 src/cryptsetup.c:1770 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Esta es la última ranura de claves. El dispositivo quedará inutilizado después de purgar esta clave." -#: src/cryptsetup.c:1711 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Introduzca cualquier frase contraseña que quede: " -#: src/cryptsetup.c:1712 src/cryptsetup.c:1772 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Operación abortada; la ranura de claves NO estaba limpia.\n" -#: src/cryptsetup.c:1748 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Introduzca la frase contraseña que hay que borrar: " -#: src/cryptsetup.c:1828 src/cryptsetup.c:1900 src/cryptsetup.c:1934 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 +#, c-format +msgid "Device %s is not a valid LUKS2 device." +msgstr "El dispositivo %s no es un dispositivo LUKS2 válido." + +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Introduzca una nueva frase contraseña para la ranura de claves: " -#: src/cryptsetup.c:1917 src/cryptsetup_reencrypt.c:1328 +#: src/cryptsetup.c:2213 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "ATENCIÓN: Se utiliza el parámetro --key-slot para el número de una ranura de claves nueva.\n" + +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Introduzca cualquier frase contraseña que exista: " -#: src/cryptsetup.c:1985 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Introduzca la frase contraseña que hay que cambiar: " -#: src/cryptsetup.c:2001 src/cryptsetup_reencrypt.c:1314 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Introduzca una nueva frase contraseña: " -#: src/cryptsetup.c:2051 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Introduzca la frase contraseña para la ranura de claves que se va a convertir: " -#: src/cryptsetup.c:2075 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "La operación isLuks solo admite un argumento de dispositivo." -#: src/cryptsetup.c:2190 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "La ranura de claves %d no contiene clave independiente." -#: src/cryptsetup.c:2195 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2101,40 +2481,52 @@ msgstr "" "El volcado de la cabecera con clave independiente del volumen es información\n" "sensible. Este volcado debería almacenarse cifrado en un lugar seguro." -#: src/cryptsetup.c:2286 src/cryptsetup.c:2314 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s no es un nombre de dispositivo %s activo." -#: src/cryptsetup.c:2309 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s no es un nombre de dispositivo LUKS activo o falta la cabecera." -#: src/cryptsetup.c:2347 src/cryptsetup.c:2366 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Es necesaria la opción --header-backup-file." -#: src/cryptsetup.c:2397 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s no es un dispositivo gestionable por cryptsetup." -#: src/cryptsetup.c:2408 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "El refresco no está disponible para el tipo de dispositivo %s" -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Tipo de dispositivo de metadatos %s no reconocido." -#: src/cryptsetup.c:2456 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Esta orden necesita como argumentos el dispositivo y el nombre asociado." -#: src/cryptsetup.c:2477 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Introduzca el PSID de OPAL: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Introduzca la contraseña de administrador de OPAL: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "ATENCIÓN: ¡El disco ENTERO será restituido a la configuración de fábrica y todos los datos se perderán! ¿Continuar?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2143,336 +2535,351 @@ msgstr "" "Esta operación borrará todas las ranuras de claves en el dispositivo %s.\n" "El dispositivo quedará inutilizable después de esta operación." -#: src/cryptsetup.c:2484 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Operación abortada; las ranuras de claves NO estaban limpias.\n" -#: src/cryptsetup.c:2523 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Tipo LUKS no válido; solo se admiten luks1 y luks2." -#: src/cryptsetup.c:2539 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "El dispositivo ya es de tipo %s." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Esta operación convertirá el formato %s a %s.\n" -#: src/cryptsetup.c:2549 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Operación abortada; el dispositivo NO estaba convertido.\n" -#: src/cryptsetup.c:2589 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Falta la opción --priority, --label o --subsystem." -#: src/cryptsetup.c:2623 src/cryptsetup.c:2660 src/cryptsetup.c:2680 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "El «token» %d no es válido." -#: src/cryptsetup.c:2626 src/cryptsetup.c:2683 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "El «token» %d está en uso." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "No se ha podido añadir el «token» %d al llavero luks." -#: src/cryptsetup.c:2646 src/cryptsetup.c:2709 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "No se ha logrado asignar el «token» %d a la ranura de claves %d." -#: src/cryptsetup.c:2663 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "El «token» %d no está en uso." -#: src/cryptsetup.c:2700 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "No se ha podido importar el «token» del fichero." -#: src/cryptsetup.c:2725 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "No se ha logrado obtener el «token» %d para exportar." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:3258 #, c-format -msgid "Auto-detected active dm device '%s' for data device %s.\n" -msgstr "Se ha detectado automáticamente el dispositivo dm activo '%s' para el dispositivo de datos %s.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "El «token» %d no se ha asignado a la ranura de claves %d." -#: src/cryptsetup.c:2793 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format -msgid "Device %s is not a block device.\n" -msgstr "El dispositivo %s no es un dispositivo de bloques.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "No se ha logrado desasignar el «token» %d de la ranura de claves %d." -#: src/cryptsetup.c:2795 -#, c-format -msgid "Failed to auto-detect device %s holders." -msgstr "No se han podido detectar automáticamente los propietarios del dispositivo %s." +#: src/cryptsetup.c:3326 +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "La opción --tcrypt-hidden o --tcrypt-system o --tcrypt-backup solo está disponible para dispositivos TCRYPT." -#: src/cryptsetup.c:2799 -#, c-format -msgid "" -"Unable to decide if device %s is activated or not.\n" -"Are you sure you want to proceed with reencryption in offline mode?\n" -"It may lead to data corruption if the device is actually activated.\n" -"To run reencryption in online mode, use --active-name parameter instead.\n" -msgstr "" -"Imposible decidir si el dispositivo %s está activado o no.\n" -"¿Está seguro de que desea proceder con el recifrado en modo «offline»?\n" -"Puede provocarse corrupción de datos si el dispositivo está realmente\n" -"activado. Para realizar recifrado en modo «online», utilice en su lugar\n" -"el parámetro --active-name.\n" +#: src/cryptsetup.c:3329 +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "Las opciones --veracrypt y --disable-veracrypt solo están disponibles para dispositivos de tipo TCRYPT." -#: src/cryptsetup.c:2881 -msgid "Encryption is supported only for LUKS2 format." -msgstr "El cifrado solo puede hacerse con formato LUKS2." +#: src/cryptsetup.c:3332 +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "La opción --veracrypt-pim solo está disponible para dispositivos compatibles con VeraCrypt." -#: src/cryptsetup.c:2886 -msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." -msgstr "El cifrado sin cabecera separada (--header) no es posible sin reducción del tamaño del dispositivo de datos (--reduce-device-size)." +#: src/cryptsetup.c:3336 +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "La opción --veracrypt-query-pim solo está disponible para dispositivos compatibles con VeraCrypt." -#: src/cryptsetup.c:2891 -msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." -msgstr "El desplazamiento de datos solicitado debe ser menor o igual que la mitad del parámetro --reduce-device-size." +#: src/cryptsetup.c:3338 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." +msgstr "Las opciones --veracrypt-pim y --veracrypt-query-pim son mutuamente excluyentes." -#: src/cryptsetup.c:2900 -#, c-format -msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" -msgstr "Ajustando el valor de --reduce-device-size al doble de --offset % (sectores).\n" +#: src/cryptsetup.c:3347 +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "La opción --persistent no se permite con --test-passphrase." -#: src/cryptsetup.c:2923 -#, c-format -msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" -msgstr "Se ha detectado un dispositivo LUKS en %s. ¿Desea cifrar de nuevo ese dispositivo LUKS?" +#: src/cryptsetup.c:3350 +msgid "Options --refresh and --test-passphrase are mutually exclusive." +msgstr "Las opciones --refresh y --test-passphrase son mutuamente excluyentes." -#: src/cryptsetup.c:2941 -#, c-format -msgid "Temporary header file %s already exists. Aborting." -msgstr "El fichero de cabecera temporal %s ya existe. Se aborta." +#: src/cryptsetup.c:3353 +msgid "Option --shared is allowed only for open of plain device." +msgstr "La opción --shared solo se permite para abrir dispositivos no cifrados." -#: src/cryptsetup.c:2943 src/cryptsetup.c:2950 -#, c-format -msgid "Cannot create temporary header file %s." -msgstr "No se puede crear el fichero de cabecera temporal %s." +#: src/cryptsetup.c:3356 +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "La opción --skip solo está disponible para abrir dispositivos no cifrados y «loopaes»." -#: src/cryptsetup.c:2975 -msgid "LUKS2 metadata size is larger than data shift value." -msgstr "El tamaño de los metadatos LUKS2 es mayor que el valor del desplazamiento de los datos." +#: src/cryptsetup.c:3359 +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "La opción --offset con acción de apertura solo está disponible para abrir dispositivos no cifrados y «loopaes»." -#: src/cryptsetup.c:3007 -#, c-format -msgid "Failed to place new header at head of device %s." -msgstr "No se ha podido colocar la nueva cabecera en la cabeza del dispositivo %s." +#: src/cryptsetup.c:3362 +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "La opción --tcrypt-hidden no puede combinarse con --allow-discards." -#: src/cryptsetup.c:3018 -#, c-format -msgid "%s/%s is now active and ready for online encryption.\n" -msgstr "%s/%s ahora está activo y preparado para cifrado «online».\n" +#: src/cryptsetup.c:3366 +msgid "Sector size option with open action is supported only for plain devices." +msgstr "La opción de tamaño de sector con acción de apertura solamente está disponible para dispositivos no cifrados." -#: src/cryptsetup.c:3055 -msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." -msgstr "El descifrado LUKS2 solo admite dispositivo con cabecera separada (con desplazamiento de datos puesto a 0)." +#: src/cryptsetup.c:3370 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "La opción de sectores IV grandes solo se admite para abrir dispositivo de tipo plano con tamaño de sector mayor de 512 bytes." -#: src/cryptsetup.c:3189 src/cryptsetup.c:3195 -msgid "Not enough free keyslots for reencryption." -msgstr "No hay suficientes ranuras de claves para el recifrado." +#: src/cryptsetup.c:3375 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS, TCRYPT, BITLK y FVAULT2." -#: src/cryptsetup.c:3215 src/cryptsetup_reencrypt.c:1279 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente." +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 +msgid "Options --device-size and --size cannot be combined." +msgstr "Las opciones --device-size y --size no pueden combinarse." -#: src/cryptsetup.c:3224 src/cryptsetup_reencrypt.c:1326 -#: src/cryptsetup_reencrypt.c:1337 -#, c-format -msgid "Enter passphrase for key slot %d: " -msgstr "Introduzca la frase contraseña para la ranura de claves %d: " +#: src/cryptsetup.c:3381 +msgid "Option --unbound is allowed only for open of luks device." +msgstr "La opción --unbound solo se permite para abrir dispositivos luks." -#: src/cryptsetup.c:3233 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "Introduzca la frase contraseña para la ranura de claves %u: " +#: src/cryptsetup.c:3384 +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "La opción --unbound no se puede utilizar sin --test-passphrase." -#: src/cryptsetup.c:3278 -#, c-format -msgid "Switching data encryption cipher to %s.\n" -msgstr "Cambiando el algoritmo de cifrado de datos a %s.\n" +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "Las opciones --cancel-deferred y --deferred no pueden utilizarse a la vez." + +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Las opciones --reduce-device-size y --device-size no pueden combinarse." + +#: src/cryptsetup.c:3412 +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "La opción --active-name solo puede utilizarse para dispositivos LUKS2." #: src/cryptsetup.c:3415 -msgid "Command requires device as argument." -msgstr "Esta orden necesita un dispositivo como argumento." +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "Las opciones --active-name y --force-offline-reencrypt no pueden combinarse." + +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 +msgid "Keyslot specification is required." +msgstr "Se requiere especificación de ranura de claves." + +#: src/cryptsetup.c:3431 +msgid "Options --align-payload and --offset cannot be combined." +msgstr "Las opciones --align-payload y --offset no pueden combinarse." + +#: src/cryptsetup.c:3434 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "La opción --integrity-no-wipe solo puede usarse para la acción de formato con extensión de integridad." #: src/cryptsetup.c:3437 -msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." -msgstr "Actualmente solo se admite el formato LUKS2. Utilice la herramienta cryptsetup-reencrypt para LUKS1." +msgid "Only one of --use-[u]random options is allowed." +msgstr "Solo se permite una de las opciones --use-[u]random." -#: src/cryptsetup.c:3449 -msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." -msgstr "Ya hay un recifrado «offline» heredado en proceso. Utilice la utilidad cryptsetup-reencrypt." +#: src/cryptsetup.c:3445 +msgid "Key size is required with --unbound option." +msgstr "El tamaño de la clave es requerido con la opción --unbound." -#: src/cryptsetup.c:3459 src/cryptsetup_reencrypt.c:155 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "El recifrado de dispositivo con perfil de integridad no está admitido." +#: src/cryptsetup.c:3465 +msgid "Invalid token action." +msgstr "Acción de «token» no válida." -#: src/cryptsetup.c:3467 -msgid "LUKS2 reencryption already initialized. Aborting operation." -msgstr "El recifrado LUKS2 ya está inicializado. Se aborta la operación." +#: src/cryptsetup.c:3468 +msgid "--key-description parameter is mandatory for token add action." +msgstr "El parámetro --key-description es obligatorio para la acción de añadir «token»." + +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "La acción requiere un «token» específico. Utilice el parámetro --token-id." + +#: src/cryptsetup.c:3476 +msgid "Option --unbound is valid only with token add action." +msgstr "La opción --unbound solo es válida con la acción de añadir «token»." -#: src/cryptsetup.c:3471 -msgid "LUKS2 device is not in reencryption." -msgstr "El dispositivo LUKS2 no está en recifrado." +#: src/cryptsetup.c:3478 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Las opciones --key-slot y --unbound no pueden combinarse." -#: src/cryptsetup.c:3498 +#: src/cryptsetup.c:3483 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "La acción requiere una ranura de claves específica. Utilice el parámetro --key-slot." + +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type []" -#: src/cryptsetup.c:3498 src/veritysetup.c:480 src/integritysetup.c:446 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "abrir el dispositivo como " -#: src/cryptsetup.c:3499 src/cryptsetup.c:3500 src/cryptsetup.c:3501 -#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:447 -#: src/integritysetup.c:448 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3499 src/veritysetup.c:481 src/integritysetup.c:447 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "cerrar dispositivo (eliminar asociación)" -#: src/cryptsetup.c:3500 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "cambiar el tamaño del dispositivo activo" -#: src/cryptsetup.c:3501 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "mostrar el estado del dispositivo" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cypher ]" -#: src/cryptsetup.c:3502 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "algoritmo de cifrado para pruebas" -#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505 -#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3514 -#: src/cryptsetup.c:3515 src/cryptsetup.c:3516 src/cryptsetup.c:3517 -#: src/cryptsetup.c:3518 src/cryptsetup.c:3519 src/cryptsetup.c:3520 -#: src/cryptsetup.c:3521 src/cryptsetup.c:3522 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3503 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "intentar reparar metadatos en disco" -#: src/cryptsetup.c:3504 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "recifrar dispositivo LUKS2" -#: src/cryptsetup.c:3505 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "borrar todas las ranuras de claves (eliminar clave de cifrado)" -#: src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "convertir formato LUKS de/en LUKS2" -#: src/cryptsetup.c:3507 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "establecer opciones de configuración permanentes para LUKS2" -#: src/cryptsetup.c:3508 src/cryptsetup.c:3509 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3508 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "da formato a un dispositivo LUKS" -#: src/cryptsetup.c:3509 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "añadir clave a un dispositivo LUKS" -#: src/cryptsetup.c:3510 src/cryptsetup.c:3511 src/cryptsetup.c:3512 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3510 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "elimina la clave suministrada o el fichero de claves del dispositivo LUKS" -#: src/cryptsetup.c:3511 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "cambia la clave suministrada o el fichero de claves del dispositivo LUKS" -#: src/cryptsetup.c:3512 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "convierte una clave a los nuevos parámetros pbkdf" -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3513 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "borra la clave con el número del dispositivo LUKS" -#: src/cryptsetup.c:3514 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "imprimir el UUID del dispositivo LUKS" -#: src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "comprueba si tiene cabecera de partición LUKS" -#: src/cryptsetup.c:3516 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "volcar información sobre la partición LUKS" -#: src/cryptsetup.c:3517 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "volcar información sobre el dispositivo TCRYPT" -#: src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "volcar información sobre el dispositivo BITLK" -#: src/cryptsetup.c:3519 +#: src/cryptsetup.c:3520 +msgid "dump FVAULT2 device information" +msgstr "volcar información sobre el dispositivo FVAULT2" + +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Suspender el dispositivo LUKS y limpiar la clave (todas las entradas/salidas congeladas)." -#: src/cryptsetup.c:3520 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Reanudar el dispositivo LUKS suspendido." -#: src/cryptsetup.c:3521 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Hacer copia de seguridad de la cabecera y de las ranuras de claves del dispositivo LUKS" -#: src/cryptsetup.c:3522 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Restaurar la cabecera y las ranuras de claves del dispositivo LUKS" -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3523 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Manipular «tokens» LUKS2" -#: src/cryptsetup.c:3543 src/veritysetup.c:498 src/integritysetup.c:464 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2480,19 +2887,19 @@ msgstr "" "\n" " es una de:\n" -#: src/cryptsetup.c:3549 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "También se pueden utilizar los alias del tipo de la antigua sintaxis:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3553 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2507,7 +2914,7 @@ msgstr "" " es el número de la ranura de claves que se va a modificar\n" " fichero de claves opcional para la nueva clave para la acción 'luksAddKey'\n" -#: src/cryptsetup.c:3560 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2516,29 +2923,28 @@ msgstr "" "\n" "El formato de metadatos predefinido de fábrica es %s (para la acción luksFormat).\n" -#: src/cryptsetup.c:3565 src/cryptsetup.c:3568 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"El soporte del «plugin» del «token» externo LUKS2 es %s.\n" - -#: src/cryptsetup.c:3565 -msgid "compiled-in" -msgstr "integrado en la compilación" +"El soporte del «plugin» del «token» externo LUKS2 está activado.\n" -#: src/cryptsetup.c:3566 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "ruta del «plugin» del «token» externo LUKS2: %s.\n" -#: src/cryptsetup.c:3568 -msgid "disabled" -msgstr "desactivado" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"El soporte del «plugin» del «token» externo LUKS2 está desactivado.\n" -#: src/cryptsetup.c:3572 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2555,7 +2961,7 @@ msgstr "" "PBKDF predefinido para LUKS2: %s\n" "\tTiempo de iteración: %d, Memoria requerida: %dkB, hilos en paralelo: %d\n" -#: src/cryptsetup.c:3583 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2570,206 +2976,100 @@ msgstr "" "\tsin cifrado: %s, Clave: %d bits, Contraseña «hashing»: %s\n" "\tLUKS: %s, Clave: %d bits, «hashing» de la cabecera LUKS: %s, Generador de números aleatorios: %s\n" -#: src/cryptsetup.c:3592 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: El tamaño de clave predefinido con modo XTS (dos claves internas) va a ser duplicado.\n" -#: src/cryptsetup.c:3610 src/veritysetup.c:637 src/integritysetup.c:620 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: necesita %s como argumentos" -#: src/cryptsetup.c:3648 src/cryptsetup_reencrypt.c:1379 -#: src/cryptsetup_reencrypt.c:1704 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "La ranura de claves no es válida." -#: src/cryptsetup.c:3675 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "El tamaño del dispositivo debe ser múltiplo de sectores de 512 bytes." -#: src/cryptsetup.c:3680 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "La especificación del tamaño máximo de zona activa del dispositivo no es válida." -#: src/cryptsetup.c:3694 src/cryptsetup.c:3706 src/cryptsetup_reencrypt.c:1623 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "El tamaño de clave debe ser un múltiplo de 8 bits" -#: src/cryptsetup.c:3711 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "El tamaño máximo de reducción del dispositivo es de 1 GiB." -#: src/cryptsetup.c:3714 src/cryptsetup_reencrypt.c:1631 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "El tamaño de reducción debe ser múltiplo de sectores de 512 bytes." -#: src/cryptsetup.c:3731 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "La opción --priority solo puede ser ignore/normal/prefer." -#: src/cryptsetup.c:3741 src/veritysetup.c:561 src/integritysetup.c:543 -#: src/cryptsetup_reencrypt.c:1641 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Mostrar este mensaje de ayuda" -#: src/cryptsetup.c:3742 src/veritysetup.c:562 src/integritysetup.c:544 -#: src/cryptsetup_reencrypt.c:1642 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Mostrar brevemente cómo se usa" -#: src/cryptsetup.c:3743 src/veritysetup.c:563 src/integritysetup.c:545 -#: src/cryptsetup_reencrypt.c:1643 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Imprimir versión del paquete" -#: src/cryptsetup.c:3754 src/veritysetup.c:574 src/integritysetup.c:556 -#: src/cryptsetup_reencrypt.c:1654 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Opciones de ayuda:" -#: src/cryptsetup.c:3771 src/veritysetup.c:592 src/integritysetup.c:573 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[OPCIÓN...] " -#: src/cryptsetup.c:3780 src/veritysetup.c:601 src/integritysetup.c:584 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "El argumento no se ha proporcionado." -#: src/cryptsetup.c:3850 src/veritysetup.c:632 src/integritysetup.c:615 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Acción desconocida." -#: src/cryptsetup.c:3861 -msgid "Options --refresh and --test-passphrase are mutually exclusive." -msgstr "Las opciones --refresh y --test-passphrase son mutuamente excluyentes." - -#: src/cryptsetup.c:3866 src/veritysetup.c:656 src/integritysetup.c:663 -msgid "Options --cancel-deferred and --deferred cannot be used at the same time." -msgstr "Las opciones --cancel-deferred y --deferred no pueden utilizarse a la vez." - -#: src/cryptsetup.c:3872 -msgid "Option --shared is allowed only for open of plain device." -msgstr "La opción --shared solo se permite para abrir dispositivos no cifrados." - -#: src/cryptsetup.c:3877 -msgid "Option --persistent is not allowed with --test-passphrase." -msgstr "La opción --persistent no se permite con --test-passphrase." - -#: src/cryptsetup.c:3882 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." -msgstr "La opción --integrity-no-wipe solo puede usarse para la acción de formato con extensión de integridad." - -#: src/cryptsetup.c:3889 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS, TCRYPT y BITLK." - -#: src/cryptsetup.c:3901 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "La opción --key-file tiene precedencia sobre el argumento de fichero de claves especificado." -#: src/cryptsetup.c:3907 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Solo se permite un argumento --key-file." -#: src/cryptsetup.c:3911 src/cryptsetup_reencrypt.c:1689 -#: src/cryptsetup_reencrypt.c:1708 -msgid "Only one of --use-[u]random options is allowed." -msgstr "Solo se permite una de las opciones --use-[u]random." - -#: src/cryptsetup.c:3915 -msgid "Options --align-payload and --offset cannot be combined." -msgstr "Las opciones --align-payload y --offset no pueden combinarse." - -#: src/cryptsetup.c:3921 -msgid "Option --skip is supported only for open of plain and loopaes devices." -msgstr "La opción --skip solo está disponible para abrir dispositivos no cifrados y «loopaes»." - -#: src/cryptsetup.c:3927 -msgid "Option --offset with open action is only supported for plain and loopaes devices." -msgstr "La opción --offset con acción de apertura solo está disponible para abrir dispositivos no cifrados y «loopaes»." - -#: src/cryptsetup.c:3933 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." -msgstr "La opción --tcrypt-hidden o --tcrypt-system o --tcrypt-backup solo está disponible para dispositivos TCRYPT." - -#: src/cryptsetup.c:3938 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." -msgstr "La opción --tcrypt-hidden no puede combinarse con --allow-discards." - -#: src/cryptsetup.c:3943 -msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." -msgstr "Las opciones --veracrypt y --disable-veracrypt solo están disponibles para dispositivos de tipo TCRYPT." - -#: src/cryptsetup.c:3948 -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." -msgstr "La opción --veracrypt-pim solo está disponible para dispositivos compatibles con VeraCrypt." - -#: src/cryptsetup.c:3954 -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." -msgstr "La opción --veracrypt-query-pim solo está disponible para dispositivos compatibles con VeraCrypt." - -#: src/cryptsetup.c:3958 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." -msgstr "Las opciones --veracrypt-pim y --veracrypt-query-pim son mutuamente excluyentes." - -#: src/cryptsetup.c:3966 src/cryptsetup.c:4002 -msgid "Keyslot specification is required." -msgstr "Se requiere especificación de ranura de claves." - -#: src/cryptsetup.c:3971 src/cryptsetup_reencrypt.c:1694 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "La función de derivación de clave basada en contraseña (PBKDF) solo puede ser pbkdf2 o argon2i/argon2id." -#: src/cryptsetup.c:3976 src/cryptsetup_reencrypt.c:1699 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Las iteraciones forzadas de PBKDF no pueden combinarse con la opción de tiempo de iteración." -#: src/cryptsetup.c:3983 -msgid "Sector size option with open action is supported only for plain devices." -msgstr "La opción de tamaño de sector con acción de apertura solamente está disponible para dispositivos no cifrados." - -#: src/cryptsetup.c:3990 -msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." -msgstr "La opción de sectores IV grandes solo se admite para abrir dispositivo de tipo plano con tamaño de sector mayor de 512 bytes." - -#: src/cryptsetup.c:3996 -msgid "Key size is required with --unbound option." -msgstr "El tamaño de la clave es requerido con la opción --unbound." - -#: src/cryptsetup.c:4012 -msgid "LUKS2 decryption requires option --header." -msgstr "El descifrado LUKS2 requiere la opción --header." - -#: src/cryptsetup.c:4016 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Las opciones --reduce-device-size y --data-size no pueden combinarse." - -#: src/cryptsetup.c:4020 -msgid "Options --device-size and --size cannot be combined." -msgstr "Las opciones --device-size y --size no pueden combinarse." +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "No se puede vincular la clave del volumen a un llavero cuando el llavero está desactivado." -#: src/cryptsetup.c:4024 +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Las opciones --keyslot-cipher y --keyslot-key-size deben utilizarse juntas." -#: src/cryptsetup.c:4028 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "No se ha realizado ninguna acción. Invocado con la opción --test-args.\n" -#: src/cryptsetup.c:4040 -msgid "Invalid token action." -msgstr "Acción de «token» no válida." - -#: src/cryptsetup.c:4045 -msgid "--key-description parameter is mandatory for token add action." -msgstr "El parámetro --key-description es obligatorio para la acción de añadir «token»." - -#: src/cryptsetup.c:4051 -msgid "Action requires specific token. Use --token-id parameter." -msgstr "La acción requiere un «token» específico. Utilice el parámetro --token-id." - -#: src/cryptsetup.c:4062 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "No se puede desactivar el bloqueo de metadatos." @@ -2797,67 +3097,72 @@ msgstr "No se puede crear el fichero «hash» raíz %s para escribir." msgid "Cannot write to root hash file %s." msgstr "No se puede escribir en el fichero «hash» raíz %s." -#: src/veritysetup.c:210 src/veritysetup.c:227 +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "El dispositivo %s no es un dispositivo VERITY válido." + +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "No se puede leer el fichero «hash» raíz %s." -#: src/veritysetup.c:215 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "El fichero «hash» raíz %s no es válido." -#: src/veritysetup.c:236 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "La cadena «hash» raíz especificada no es válida." -#: src/veritysetup.c:244 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "Fichero de firmas inválido %s." -#: src/veritysetup.c:251 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "No se puede leer el fichero de firmas %s." -#: src/veritysetup.c:274 src/veritysetup.c:288 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires or --root-hash-file option as argument." msgstr "Esta orden necesita <«hash»_raíz> o la opción --root-hash-file como argumento." -#: src/veritysetup.c:478 +#: src/veritysetup.c:489 msgid " " msgstr " " -#: src/veritysetup.c:478 src/integritysetup.c:445 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "dar formato al dispositivo" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid " []" msgstr " [<«hash»_raíz>]" -#: src/veritysetup.c:479 +#: src/veritysetup.c:490 msgid "verify device" msgstr "verificar dispositivo" -#: src/veritysetup.c:480 +#: src/veritysetup.c:491 msgid " []" msgstr " [<«hash»_raíz>]" -#: src/veritysetup.c:482 src/integritysetup.c:448 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "mostrar el estado del dispositivo activo" -#: src/veritysetup.c:483 +#: src/veritysetup.c:494 msgid "" msgstr "" -#: src/veritysetup.c:483 src/integritysetup.c:449 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "mostrar información sobre el disco" -#: src/veritysetup.c:502 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2872,7 +3177,7 @@ msgstr "" " es el dispositivo que contiene los datos de verificación\n" "<«hash»_raíz> «hash» del nodo raíz en «dispositivo—«hash»>\n" -#: src/veritysetup.c:509 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" @@ -2883,28 +3188,46 @@ msgstr "" "Parámetros dm-verity predefinidos de fábrica:\n" "\tAlgoritmo «hash»: %s, Bloque de datos (bytes): %u, Bloque «hash» (bytes): %u, Tamaño de «salt»: %u, Formato «hash»: %u\n" -#: src/veritysetup.c:646 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Las opciones --ignore-corruption y --restart-on-corruption no pueden utilizarse juntas." -#: src/veritysetup.c:651 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Las opciones --panic-on-corruption y --restart-on-corruption no pueden utilizarse juntas." -#: src/integritysetup.c:201 +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" +"Esto sobreescribirá los datos en %s y %s irrevocablemente.\n" +"Para preservar el dispositivo de datos utilice la opción --no-wipe (y luego actívelo con --integrity-recalculate)." + +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formato dado con tamaño de etiqueta %u, integridad interna %s.\n" -#: src/integritysetup.c:445 src/integritysetup.c:449 +#: src/integritysetup.c:298 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "No se puede poner la opción de recalcular; valore la alternativa de utilizar --wipe." + +#: src/integritysetup.c:373 src/integritysetup.c:530 +#, c-format +msgid "Device %s is not a valid INTEGRITY device." +msgstr "El dispositivo %s no es un dispositivo INTEGRITY válido." + +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:446 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:468 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2915,7 +3238,7 @@ msgstr "" " es el dispositivo que se va a crear bajo %s\n" " es el dispositivo que contiene datos con etiquetas de integridad\n" -#: src/integritysetup.c:473 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2928,376 +3251,518 @@ msgstr "" "\tAlgoritmo de la suma de comprobación: %s\n" "\tTamaño máximo del fichero de claves: %dkB\n" -#: src/integritysetup.c:530 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Tamaño de --%s no válido. El máximo es %u bytes." -#: src/integritysetup.c:628 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Deben especificarse las opciones tanto de fichero de claves como tamaño de clave." -#: src/integritysetup.c:632 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Deben especificarse la opción del fichero de clave de integridad del diario y la del tamaño de la clave." -#: src/integritysetup.c:635 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Debe especificarse el algoritmo de integridad del diario si va a utilizarse la clave de integridad del diario." -#: src/integritysetup.c:639 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Deben especificarse la opción del fichero de la clave de cifrado del diario y la del tamaño de la clave." -#: src/integritysetup.c:642 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Debe especificarse el algoritmo de cifrado del diario si va a utilizarse la clave de cifrado del diario." -#: src/integritysetup.c:646 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Las opciones de recuperación y de modo mapa de bits son mutuamente excluyentes." -#: src/integritysetup.c:653 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Las opciones de diario no pueden utilizarse en modo mapa de bits." -#: src/integritysetup.c:658 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Las opciones de mapa de bits solo pueden utilizarse en el modo mapa de bits." -#: src/cryptsetup_reencrypt.c:149 -msgid "Reencryption already in-progress." -msgstr "Recifrado ya en curso." +#: src/utils_tools.c:118 +msgid "" +"\n" +"WARNING!\n" +"========\n" +msgstr "" +"\n" +"¡ATENCIÓN!\n" +"==========\n" -#: src/cryptsetup_reencrypt.c:185 +#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. +#: src/utils_tools.c:120 #, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "No se puede abrir %s en exclusividad; el dispositivo está en uso." +msgid "" +"%s\n" +"\n" +"Are you sure? (Type 'yes' in capital letters): " +msgstr "" +"%s\n" +"\n" +"¿Está seguro? (Teclee 'yes' en mayúsculas): " -#: src/cryptsetup_reencrypt.c:199 src/cryptsetup_reencrypt.c:1120 -msgid "Allocation of aligned memory failed." -msgstr "La reserva de memoria alineada ha fallado." +#: src/utils_tools.c:126 +msgid "Error reading response from terminal." +msgstr "Error de lectura de la respuesta recibida desde el terminal." -#: src/cryptsetup_reencrypt.c:206 -#, c-format -msgid "Cannot read device %s." -msgstr "No se puede leer el dispositivo %s." +#: src/utils_tools.c:158 +msgid "Command successful." +msgstr "Orden ejecutada correctamente." -#: src/cryptsetup_reencrypt.c:217 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "Marcando el dispositivo LUKS1 %s como inutilizable." +#: src/utils_tools.c:166 +msgid "wrong or missing parameters" +msgstr "parámetros incorrectos u omisos" + +#: src/utils_tools.c:168 +msgid "no permission or bad passphrase" +msgstr "sin permiso o frase de paso mala" + +#: src/utils_tools.c:170 +msgid "out of memory" +msgstr "sin memoria" + +#: src/utils_tools.c:172 +msgid "wrong device or file specified" +msgstr "se ha especificado un dispositivo o fichero incorrecto" + +#: src/utils_tools.c:174 +msgid "device already exists or device is busy" +msgstr "el dispositivo ya existe o está ocupado" -#: src/cryptsetup_reencrypt.c:221 +#: src/utils_tools.c:176 +msgid "unknown error" +msgstr "error desconocido" + +#: src/utils_tools.c:178 #, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "Estableciendo el indicador de recifrado fuera de línea LUKS2 en el dispositivo %s." +msgid "Command failed with code %i (%s)." +msgstr "La orden ha fallado con código %i (%s)." -#: src/cryptsetup_reencrypt.c:238 +#: src/utils_tools.c:256 #, c-format -msgid "Cannot write device %s." -msgstr "No se puede escribir en el dispositivo %s." +msgid "Key slot %i created." +msgstr "Ranura de claves %i creada." -#: src/cryptsetup_reencrypt.c:286 -msgid "Cannot write reencryption log file." -msgstr "No se puede escribir en el fichero de registro de recifrado." +#: src/utils_tools.c:258 +#, c-format +msgid "Key slot %i unlocked." +msgstr "Ranura de claves %i desbloqueada." -#: src/cryptsetup_reencrypt.c:342 -msgid "Cannot read reencryption log file." -msgstr "No se puede leer el fichero de registro de recifrado." +#: src/utils_tools.c:260 +#, c-format +msgid "Key slot %i removed." +msgstr "Ranura de claves %i eliminada." -#: src/cryptsetup_reencrypt.c:353 -msgid "Wrong log format." -msgstr "Formato del fichero de registro incorrecto." +#: src/utils_tools.c:269 +#, c-format +msgid "Token %i created." +msgstr "«Token» %i creado." -#: src/cryptsetup_reencrypt.c:380 +#: src/utils_tools.c:271 #, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "El fichero de registro %s ya existe; reanudando el recifrado.\n" +msgid "Token %i removed." +msgstr "«Token» %i eliminado." -#: src/cryptsetup_reencrypt.c:429 -msgid "Activating temporary device using old LUKS header." -msgstr "Activando dispositivo temporal utilizando cabecera LUKS antigua." +#: src/utils_tools.c:281 +msgid "No token could be unlocked with this PIN." +msgstr "No se ha podido desbloquear ningún «token» con este PIN." -#: src/cryptsetup_reencrypt.c:439 -msgid "Activating temporary device using new LUKS header." -msgstr "Activando dispositivo temporal utilizando cabecera LUKS nueva." +#: src/utils_tools.c:283 +#, c-format +msgid "Token %i requires PIN." +msgstr "El «token» %i requiere PIN." -#: src/cryptsetup_reencrypt.c:449 -msgid "Activation of temporary devices failed." -msgstr "Fallo en la activación de los dispositivos temporales." +#: src/utils_tools.c:285 +#, c-format +msgid "Token (type %s) requires PIN." +msgstr "El «token» (tipo %s) requiere PIN." -#: src/cryptsetup_reencrypt.c:536 -msgid "Failed to set data offset." -msgstr "No se ha podido establecer el desplazamiento de los datos." +#: src/utils_tools.c:288 +#, c-format +msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." +msgstr "El «token» %i no puede desbloquear ranura(s) de clave asignada(s) (frase contraseña incorrecta)." -#: src/cryptsetup_reencrypt.c:542 -msgid "Failed to set metadata size." -msgstr "No se ha podido establecer el tamaño de los metadatos." +#: src/utils_tools.c:290 +#, c-format +msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." +msgstr "El «token» (tipo %s) no puede desbloquear ranura(s) de clave asignada(s) (frase contraseña incorrecta)." -#: src/cryptsetup_reencrypt.c:550 +#: src/utils_tools.c:293 #, c-format -msgid "New LUKS header for device %s created." -msgstr "Se ha creado una nueva cabecera LUKS para el dispositivo %s." +msgid "Token %i requires additional missing resource." +msgstr "El «token» %i requiere un recurso adicional que no está presente." -#: src/cryptsetup_reencrypt.c:610 +#: src/utils_tools.c:295 #, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "Esta versión de cryptsetup-reencrypt no sabe manejar el nuevo tipo de «token» interno %s." +msgid "Token (type %s) requires additional missing resource." +msgstr "El «token» (tipo %s) requiere un recurso adicional que no está presente." -#: src/cryptsetup_reencrypt.c:632 -msgid "Failed to read activation flags from backup header." -msgstr "No se ha podido leer los indicadores de activación en la cabecera de respaldo." +#: src/utils_tools.c:298 +#, c-format +msgid "No usable token (type %s) is available." +msgstr "Ningún «token» utilizable (tipo %s) está disponible." -#: src/cryptsetup_reencrypt.c:636 -msgid "Failed to write activation flags to new header." -msgstr "No se ha podido escribir los indicadores de activación en la nueva cabecera." +#: src/utils_tools.c:300 +msgid "No usable token is available." +msgstr "Ningún «token» utilizable está disponible." -#: src/cryptsetup_reencrypt.c:640 src/cryptsetup_reencrypt.c:644 -msgid "Failed to read requirements from backup header." -msgstr "No se ha podido leer los requisitos en la cabecera de respaldo." +#: src/utils_tools.c:393 +#, c-format +msgid "Cannot read keyfile %s." +msgstr "No se puede leer el fichero de claves %s." -#: src/cryptsetup_reencrypt.c:682 +#: src/utils_tools.c:398 #, c-format -msgid "%s header backup of device %s created." -msgstr "Se ha creado una copia de seguridad de la cabecera %s del dispositivo %s." +msgid "Cannot read %d bytes from keyfile %s." +msgstr "No se pueden leer %d «bytes» en el fichero de claves %s." -#: src/cryptsetup_reencrypt.c:745 -msgid "Creation of LUKS backup headers failed." -msgstr "No se ha podido crear la copia de seguridad de las cabeceras LUKS." +#: src/utils_tools.c:423 +#, c-format +msgid "Cannot open keyfile %s for write." +msgstr "No se puede abrir el fichero de claves %s para escritura." -#: src/cryptsetup_reencrypt.c:878 +#: src/utils_tools.c:430 #, c-format -msgid "Cannot restore %s header on device %s." -msgstr "No se puede restaurar la cabecera %s en el dispositivo %s." +msgid "Cannot write to keyfile %s." +msgstr "No se puede escribir en el fichero de claves %s." -#: src/cryptsetup_reencrypt.c:880 +#: src/utils_progress.c:74 #, c-format -msgid "%s header on device %s restored." -msgstr "Se ha restaurado la cabecera %s en el dispositivo %s." +msgid "%02m%02s" +msgstr "%02m%02s" -#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1098 -msgid "Cannot open temporary LUKS device." -msgstr "No se puede abrir el dispositivo LUKS temporal." +#: src/utils_progress.c:76 +#, c-format +msgid "%02h%02m%02s" +msgstr "%02h%02m%02s" -#: src/cryptsetup_reencrypt.c:1103 src/cryptsetup_reencrypt.c:1108 -msgid "Cannot get device size." -msgstr "No se puede obtener el tamaño del dispositivo." +#: src/utils_progress.c:78 +#, c-format +msgid "%02 days" +msgstr "%02 días" -#: src/cryptsetup_reencrypt.c:1143 -msgid "IO error during reencryption." -msgstr "Error de entrada/salida durante el recifrado." +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4 %s written" +msgstr "%4 %s escrito(s)" -#: src/cryptsetup_reencrypt.c:1174 -msgid "Provided UUID is invalid." -msgstr "El UUID proporcionado no es válido." +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "velocidad %5.1f %s/s" -#: src/cryptsetup_reencrypt.c:1408 -msgid "Cannot open reencryption log file." -msgstr "No se puede abrir el fichero de registro de recifrado." +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "Progreso: %5.1f%%, Final estimado %s, %s, %s%s" -#: src/cryptsetup_reencrypt.c:1414 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "No hay ningún proceso de descifrado en marcha; el UUID proporcionado solo puede utilizarse para reanudar un proceso de descifrado suspendido." +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "Finalizado; tiempo %s, %s, %s\n" -#: src/cryptsetup_reencrypt.c:1489 +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "Se han cambiado los parámetros pbkdf en la ranura de claves %i." +msgid "Cannot check password quality: %s" +msgstr "No se puede comprobar la calidad de la contraseña: %s" -#: src/cryptsetup_reencrypt.c:1614 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "Solo se permiten valores entre 1 MiB y 64 MiB para el tamaño de bloque de recifrado." +#: src/utils_password.c:49 +#, c-format +msgid "" +"Password quality check failed:\n" +" %s" +msgstr "" +"Fallo en la comprobación de la calidad de la contraseña:\n" +" %s" -#: src/cryptsetup_reencrypt.c:1628 -msgid "Maximum device reduce size is 64 MiB." -msgstr "El tamaño máximo de reducción del dispositivo es de 64 MiB." +#: src/utils_password.c:79 +#, c-format +msgid "Password quality check failed: Bad passphrase (%s)" +msgstr "Fallo en la comprobación de la calidad de la contraseña: frase contraseña incorrecta (%s)" -#: src/cryptsetup_reencrypt.c:1669 -msgid "[OPTION...] " -msgstr "[OPCIÓN...] " +#: src/utils_password.c:231 src/utils_password.c:245 +msgid "Error reading passphrase from terminal." +msgstr "Error al leer la frase contraseña desde el terminal." -#: src/cryptsetup_reencrypt.c:1677 -#, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "El recifrado va a cambiar: %s%s%s%s%s%s." +#: src/utils_password.c:243 +msgid "Verify passphrase: " +msgstr "Verifique la frase contraseña: " -#: src/cryptsetup_reencrypt.c:1678 -msgid "volume key" -msgstr "clave del volumen" +#: src/utils_password.c:250 +msgid "Passphrases do not match." +msgstr "La frase contraseña no coincide." -#: src/cryptsetup_reencrypt.c:1680 -msgid "set hash to " -msgstr "nuevo algoritmo «hash» " +#: src/utils_password.c:288 +msgid "Cannot use offset with terminal input." +msgstr "No se puede usar «offset» con entrada desde terminal." -#: src/cryptsetup_reencrypt.c:1681 -msgid ", set cipher to " -msgstr ", nuevo algoritmo de cifrado: " +#: src/utils_password.c:292 +#, c-format +msgid "Enter passphrase: " +msgstr "Introduzca la frase contraseña: " -#: src/cryptsetup_reencrypt.c:1685 -msgid "Argument required." -msgstr "Hace falta argumento." +#: src/utils_password.c:295 +#, c-format +msgid "Enter passphrase for %s: " +msgstr "Introduzca la frase contraseña de %s: " -#: src/cryptsetup_reencrypt.c:1712 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "La opción --new debe utilizarse conjuntamente con --reduce-device-size o --header." +#: src/utils_password.c:329 +msgid "No key available with this passphrase." +msgstr "No hay ninguna clave disponible con esa frase contraseña." -#: src/cryptsetup_reencrypt.c:1716 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "La opción --keep-key solamente puede utilizarse con --hash, --iter-time o --pbkdf-force-iterations." +#: src/utils_password.c:331 +msgid "No usable keyslot is available." +msgstr "No hay niguna ranura de claves utilizable disponible." -#: src/cryptsetup_reencrypt.c:1720 -msgid "Option --new cannot be used together with --decrypt." -msgstr "La opción --new no puede utilizarse conjuntamente con --decrypt." +#: src/utils_luks.c:68 +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "No se puede hacer verificación de frase contraseña en entradas no tty." -#: src/cryptsetup_reencrypt.c:1726 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "La opción --decrypt es incompatible con los parámetros especificados." +#: src/utils_luks.c:183 +#, c-format +msgid "Failed to open file %s in read-only mode." +msgstr "No se ha podido abrir el fichero %s para solo lectura." -#: src/cryptsetup_reencrypt.c:1730 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "La opción --uuid solo está permitida conjuntamente con --decrypt." +#: src/utils_luks.c:196 +msgid "Provide valid LUKS2 token JSON:\n" +msgstr "Proporciona «token» LUKS2 válido en JSON:\n" -#: src/cryptsetup_reencrypt.c:1734 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "Tipo de luks no válido. Utilice uno de estos: 'luks', 'luks1' o 'luks2'." +#: src/utils_luks.c:203 +msgid "Failed to read JSON file." +msgstr "No se ha podido leer el fichero JSON." -#: src/utils_tools.c:119 +#: src/utils_luks.c:208 msgid "" "\n" -"WARNING!\n" -"========\n" +"Read interrupted." msgstr "" "\n" -"¡ATENCIÓN!\n" -"==========\n" +"Lectura interrumpida." -#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. -#: src/utils_tools.c:121 +#: src/utils_luks.c:249 #, c-format +msgid "Failed to open file %s in write mode." +msgstr "No se ha podido abrir el fichero %s para escritura." + +#: src/utils_luks.c:258 msgid "" -"%s\n" "\n" -"Are you sure? (Type 'yes' in capital letters): " +"Write interrupted." msgstr "" -"%s\n" "\n" -"¿Está seguro? (Teclee 'yes' en mayúsculas): " +"Escritura interrumpida." -#: src/utils_tools.c:127 -msgid "Error reading response from terminal." -msgstr "Error de lectura de la respuesta recibida desde el terminal." +#: src/utils_luks.c:262 +msgid "Failed to write JSON file." +msgstr "No se ha podido escribir el fichero JSON." -#: src/utils_tools.c:159 -msgid "Command successful." -msgstr "Orden ejecutada correctamente." +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "Se ha detectado automáticamente el dispositivo dm activo '%s' para el dispositivo de datos %s.\n" -#: src/utils_tools.c:167 -msgid "wrong or missing parameters" -msgstr "parámetros incorrectos u omisos" +#: src/utils_reencrypt.c:124 +#, c-format +msgid "Failed to auto-detect device %s holders." +msgstr "No se han podido detectar automáticamente los propietarios del dispositivo %s." -#: src/utils_tools.c:169 -msgid "no permission or bad passphrase" -msgstr "sin permiso o frase de paso mala" +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "El dispositivo %s no es un dispositivo de bloques.\n" -#: src/utils_tools.c:171 -msgid "out of memory" -msgstr "sin memoria" +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" +"Imposible decidir si el dispositivo %s está activado o no.\n" +"¿Está seguro de que desea proceder con el recifrado en modo «offline»?\n" +"Puede provocarse corrupción de datos si el dispositivo está realmente\n" +"activado. Para realizar recifrado en modo «online», utilice en su lugar\n" +"el parámetro --active-name.\n" -#: src/utils_tools.c:173 -msgid "wrong device or file specified" -msgstr "se ha especificado un dispositivo o fichero incorrecto" +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"El dispositivo %s no es un dispositivo de bloques. No puede autodetectar si está activo o no.\n" +"Utilice --force-offline-reencrypt para saltar la comprobación y operar en modo «offline» (¡peligroso!)." -#: src/utils_tools.c:175 -msgid "device already exists or device is busy" -msgstr "el dispositivo ya existe o está ocupado" +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "La opción --resilience solicitada no puede aplicarse a la operación de recifrado actual." -#: src/utils_tools.c:177 -msgid "unknown error" -msgstr "error desconocido" +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "El dispositivo no está en cifrado LUKS2. Opción conflictiva --encrypt." + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "El dispositivo no está en descifrado LUKS2. Opción conflictiva --decrypt." + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "El dispositivo está en recifrado utilizando resiliencia ante desplazamiento de datos. No se puede aplicar la opción -resilience solicitada." + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "El dispositivo necesita recuperación del recifrado. Primero ejecute una reparación." + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "El dispositivo %s ya está en recifrado LUKS2. ¿Desea reanudar la operación iniciada anteriormente?" + +#: src/utils_reencrypt.c:416 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "Ya no se admite el recifrado LUKS2 antiguo." + +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "No se puede recifrar el dispositivo LUKS2 configurado para utilizar OPAL." + +#: src/utils_reencrypt.c:427 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "El recifrado de dispositivo con perfil de integridad no está admitido." + +#: src/utils_reencrypt.c:464 +#, c-format +msgid "" +"Requested --sector-size % is incompatible with %s superblock\n" +"(block size: % bytes) detected on device %s." +msgstr "" +"La solicitud --sector-size % es incompatible con el superbloque %s\n" +"(tamaño de bloque: % «bytes») detectado en el dispositivo %s." + +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "El cifrado sin cabecera separada (--header) no es posible sin reducción del tamaño del dispositivo de datos (--reduce-device-size)." + +#: src/utils_reencrypt.c:540 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "El desplazamiento de datos solicitado debe ser menor o igual que la mitad del parámetro --reduce-device-size." + +#: src/utils_reencrypt.c:550 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" +msgstr "Ajustando el valor de --reduce-device-size al doble de --offset % (sectores).\n" -#: src/utils_tools.c:179 +#: src/utils_reencrypt.c:580 #, c-format -msgid "Command failed with code %i (%s)." -msgstr "La orden ha fallado con código %i (%s)." +msgid "Temporary header file %s already exists. Aborting." +msgstr "El fichero de cabecera temporal %s ya existe. Se aborta." -#: src/utils_tools.c:257 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format -msgid "Key slot %i created." -msgstr "Ranura de claves %i creada." +msgid "Cannot create temporary header file %s." +msgstr "No se puede crear el fichero de cabecera temporal %s." -#: src/utils_tools.c:259 -#, c-format -msgid "Key slot %i unlocked." -msgstr "Ranura de claves %i desbloqueada." +#: src/utils_reencrypt.c:614 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "El tamaño de los metadatos LUKS2 es mayor que el valor del desplazamiento de los datos." -#: src/utils_tools.c:261 +#: src/utils_reencrypt.c:651 #, c-format -msgid "Key slot %i removed." -msgstr "Ranura de claves %i eliminada." +msgid "Failed to place new header at head of device %s." +msgstr "No se ha podido colocar la nueva cabecera en la cabeza del dispositivo %s." -#: src/utils_tools.c:270 +#: src/utils_reencrypt.c:661 #, c-format -msgid "Token %i created." -msgstr "«Token» %i creado." +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "%s/%s ahora está activo y preparado para cifrado «online».\n" -#: src/utils_tools.c:272 +#: src/utils_reencrypt.c:697 #, c-format -msgid "Token %i removed." -msgstr "«Token» %i eliminado." +msgid "Active device %s is not LUKS2." +msgstr "El dispositivo activo %s no es LUKS2." -#: src/utils_tools.c:282 -msgid "No token could be unlocked with this PIN." -msgstr "No se ha podido desbloquear ningún «token» con este PIN." +#: src/utils_reencrypt.c:725 +msgid "Restoring original LUKS2 header." +msgstr "Restaurando la cabecera LUKS2 original." -#: src/utils_tools.c:284 -#, c-format -msgid "Token %i requires PIN." -msgstr "El «token» %i requiere PIN." +#: src/utils_reencrypt.c:733 +msgid "Original LUKS2 header restore failed." +msgstr "La restauración de la cabecera LUKS2 original ha fallado." -#: src/utils_tools.c:286 +#: src/utils_reencrypt.c:759 #, c-format -msgid "Token (type %s) requires PIN." -msgstr "El «token» (tipo %s) requiere PIN." +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "El fichero de cabecera %s no existe. ¿Dese inicializar descifrado LUKS2 del dispositivo %s y exportar la cabecera LUKS2 al fichero %s?" -#: src/utils_tools.c:289 -#, c-format -msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." -msgstr "El «token» %i no puede desbloquear ranura(s) de clave asignada(s) (frase contraseña incorrecta)." +#: src/utils_reencrypt.c:807 +msgid "Failed to add read/write permissions to exported header file." +msgstr "No se ha podido añadir permisos de lectura/escritura al fichero de cabecera exportado." -#: src/utils_tools.c:291 +#: src/utils_reencrypt.c:860 #, c-format -msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." -msgstr "El «token» (tipo %s) no puede desbloquear ranura(s) de clave asignada(s) (frase contraseña incorrecta)." +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "La inicialización del recifrado ha fallado. La copia de seguridad de la cabecera está disponible en %s." + +#: src/utils_reencrypt.c:888 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "El descifrado LUKS2 solo admite dispositivo con cabecera separada (con desplazamiento de datos puesto a 0)." + +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 +msgid "Not enough free keyslots for reencryption." +msgstr "No hay suficientes ranuras de claves para el recifrado." + +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente." -#: src/utils_tools.c:294 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 #, c-format -msgid "Token %i requires additional missing resource." -msgstr "El «token» %i requiere un recurso adicional que no está presente." +msgid "Enter passphrase for key slot %d: " +msgstr "Introduzca la frase contraseña para la ranura de claves %d: " -#: src/utils_tools.c:296 +#: src/utils_reencrypt.c:1074 #, c-format -msgid "Token (type %s) requires additional missing resource." -msgstr "El «token» (tipo %s) requiere un recurso adicional que no está presente." +msgid "Enter passphrase for key slot %u: " +msgstr "Introduzca la frase contraseña para la ranura de claves %u: " -#: src/utils_tools.c:299 +#: src/utils_reencrypt.c:1126 #, c-format -msgid "No usable token (type %s) is available." -msgstr "Ningún «token» utilizable (tipo %s) está disponible." +msgid "Switching data encryption cipher to %s.\n" +msgstr "Cambiando el algoritmo de cifrado de datos a %s.\n" -#: src/utils_tools.c:301 -msgid "No usable token is available." -msgstr "Ningún «token» utilizable está disponible." +#: src/utils_reencrypt.c:1180 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "No ha cambiado ningún parámetro del segmento de datos. Recifrado abortado." -#: src/utils_tools.c:463 +#: src/utils_reencrypt.c:1282 msgid "" -"\n" -"Wipe interrupted." +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." msgstr "" -"\n" -"Limpieza interrumpida." +"No se admite incrementar el tamaño de sector de cifrado en dispositivo «offline».\n" +"Primero active el dispositivo o utilice la opción --force-offline-reencrypt (¡peligroso!)" -#: src/utils_tools.c:492 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 msgid "" "\n" "Reencryption interrupted." @@ -3305,161 +3770,226 @@ msgstr "" "\n" "Recifrado interrumpido." -#: src/utils_tools.c:511 +#: src/utils_reencrypt.c:1327 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "Reanudando recifrado LUKS en modo «offline» forzado.\n" + +#: src/utils_reencrypt.c:1350 #, c-format -msgid "Cannot read keyfile %s." -msgstr "No se puede leer el fichero de claves %s." +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "El dispositivo %s contiene metadatos LUKS deteriorados. Se aborta la operación." -#: src/utils_tools.c:516 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format -msgid "Cannot read %d bytes from keyfile %s." -msgstr "No se pueden leer %d «bytes» en el fichero de claves %s." +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "El dispositivo %s ya es un dispositivo LUKS. Se aborta la operación." -#: src/utils_tools.c:541 +#: src/utils_reencrypt.c:1394 #, c-format -msgid "Cannot open keyfile %s for write." -msgstr "No se puede abrir el fichero de claves %s para escritura." +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "El dispositivo %s ya está en recifrado LUKS. Se aborta la operación." + +#: src/utils_reencrypt.c:1476 +msgid "LUKS2 decryption requires --header option." +msgstr "El descifrado LUKS2 requiere la opción --header." -#: src/utils_tools.c:548 +#: src/utils_reencrypt.c:1524 +msgid "Command requires device as argument." +msgstr "Esta orden necesita un dispositivo como argumento." + +#: src/utils_reencrypt.c:1537 #, c-format -msgid "Cannot write to keyfile %s." -msgstr "No se puede escribir en el fichero de claves %s." +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "Versiones en conflicto. El dispositivo %s es LUKS1." -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_reencrypt.c:1543 #, c-format -msgid "Cannot check password quality: %s" -msgstr "No se puede comprobar la calidad de la contraseña: %s" +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "Versiones en conflicto. El dispositivo %s está en recifrado LUKS1." -#: src/utils_password.c:49 +#: src/utils_reencrypt.c:1549 #, c-format -msgid "" -"Password quality check failed:\n" -" %s" -msgstr "" -"Fallo en la comprobación de la calidad de la contraseña:\n" -" %s" +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "Versiones en conflicto. El dispositivo %s es LUKS2." -#: src/utils_password.c:81 +#: src/utils_reencrypt.c:1555 #, c-format -msgid "Password quality check failed: Bad passphrase (%s)" -msgstr "Fallo en la comprobación de la calidad de la contraseña: frase contraseña incorrecta (%s)" +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "Versiones en conflicto. El dispositivo %s está en recifrado LUKS2." -#: src/utils_password.c:224 src/utils_password.c:238 -msgid "Error reading passphrase from terminal." -msgstr "Error al leer la frase contraseña desde el terminal." +#: src/utils_reencrypt.c:1561 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "El recifrado LUKS2 ya está inicializado. Se aborta la operación." -#: src/utils_password.c:236 -msgid "Verify passphrase: " -msgstr "Verifique la frase contraseña: " +#: src/utils_reencrypt.c:1568 +msgid "Device reencryption not in progress." +msgstr "El recifrado del dispositivo no está en proceso." -#: src/utils_password.c:243 -msgid "Passphrases do not match." -msgstr "La frase contraseña no coincide." +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "No se puede abrir %s en exclusividad; el dispositivo está en uso." -#: src/utils_password.c:280 -msgid "Cannot use offset with terminal input." -msgstr "No se puede usar «offset» con entrada desde terminal." +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "La reserva de memoria alineada ha fallado." -#: src/utils_password.c:283 +#: src/utils_reencrypt_luks1.c:150 #, c-format -msgid "Enter passphrase: " -msgstr "Introduzca la frase contraseña: " +msgid "Cannot read device %s." +msgstr "No se puede leer el dispositivo %s." -#: src/utils_password.c:286 +#: src/utils_reencrypt_luks1.c:161 #, c-format -msgid "Enter passphrase for %s: " -msgstr "Introduzca la frase contraseña de %s: " +msgid "Marking LUKS1 device %s unusable." +msgstr "Marcando el dispositivo LUKS1 %s como inutilizable." -#: src/utils_password.c:317 -msgid "No key available with this passphrase." -msgstr "No hay ninguna clave disponible con esa frase contraseña." +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "No se puede escribir en el dispositivo %s." -#: src/utils_password.c:319 -msgid "No usable keyslot is available." -msgstr "No hay niguna ranura de claves utilizable disponible." +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "No se puede escribir en el fichero de registro de recifrado." + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "No se puede leer el fichero de registro de recifrado." -#: src/utils_luks2.c:47 +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "Formato del fichero de registro incorrecto." + +#: src/utils_reencrypt_luks1.c:320 #, c-format -msgid "Failed to open file %s in read-only mode." -msgstr "No se ha podido abrir el fichero %s para solo lectura." +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "El fichero de registro %s ya existe; reanudando el recifrado.\n" -#: src/utils_luks2.c:60 -msgid "Provide valid LUKS2 token JSON:\n" -msgstr "Proporciona «token» LUKS2 válido en JSON:\n" +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "Activando dispositivo temporal utilizando cabecera LUKS antigua." -#: src/utils_luks2.c:67 -msgid "Failed to read JSON file." -msgstr "No se ha podido leer el fichero JSON." +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "Activando dispositivo temporal utilizando cabecera LUKS nueva." -#: src/utils_luks2.c:72 -msgid "" -"\n" -"Read interrupted." -msgstr "" -"\n" -"Lectura interrumpida." +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "Fallo en la activación de los dispositivos temporales." + +#: src/utils_reencrypt_luks1.c:449 +msgid "Failed to set data offset." +msgstr "No se ha podido establecer el desplazamiento de los datos." + +#: src/utils_reencrypt_luks1.c:455 +msgid "Failed to set metadata size." +msgstr "No se ha podido establecer el tamaño de los metadatos." -#: src/utils_luks2.c:113 +#: src/utils_reencrypt_luks1.c:463 #, c-format -msgid "Failed to open file %s in write mode." -msgstr "No se ha podido abrir el fichero %s para escritura." +msgid "New LUKS header for device %s created." +msgstr "Se ha creado una nueva cabecera LUKS para el dispositivo %s." -#: src/utils_luks2.c:122 -msgid "" -"\n" -"Write interrupted." -msgstr "" -"\n" -"Escritura interrumpida." +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "Se ha creado una copia de seguridad de la cabecera %s del dispositivo %s." -#: src/utils_luks2.c:126 -msgid "Failed to write JSON file." -msgstr "No se ha podido escribir el fichero JSON." +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "No se ha podido crear la copia de seguridad de las cabeceras LUKS." + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "No se puede restaurar la cabecera %s en el dispositivo %s." + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "Se ha restaurado la cabecera %s en el dispositivo %s." + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "No se puede abrir el dispositivo LUKS temporal." + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "No se puede obtener el tamaño del dispositivo." + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "Error de entrada/salida durante el recifrado." + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "El UUID proporcionado no es válido." + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "No se puede abrir el fichero de registro de recifrado." + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "No hay ningún proceso de descifrado en marcha; el UUID proporcionado solo puede utilizarse para reanudar un proceso de descifrado suspendido." + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "El recifrado va a cambiar: %s%s%s%s%s%s." + +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "clave del volumen" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "nuevo algoritmo «hash» " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ", nuevo algoritmo de cifrado: " -#: src/utils_blockdev.c:192 +#: src/utils_blockdev.c:189 #, c-format msgid "WARNING: Device %s already contains a '%s' partition signature.\n" msgstr "ATENCIÓN: El dispositivo %s ya contiene una firma de partición '%s'.\n" -#: src/utils_blockdev.c:200 +#: src/utils_blockdev.c:197 #, c-format msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "ATENCIÓN: El dispositivo %s ya contiene una firma de superbloque '%s'.\n" -#: src/utils_blockdev.c:221 src/utils_blockdev.c:285 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "No se han podido inicializar los sondeos de firma del dispositivo." -#: src/utils_blockdev.c:265 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "No se ha podido efectuar «stat» sobre el dispositivo %s." -#: src/utils_blockdev.c:278 -#, c-format -msgid "Device %s is in use. Cannot proceed with format operation." -msgstr "El dispositivo %s está en uso. No se puede proceder con la operación de dar formato." - -#: src/utils_blockdev.c:280 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "No se ha podido abrir el fichero %s para lectura y escritura." -#: src/utils_blockdev.c:294 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "La firma de la partición '%s' existente en el dispositivo %s va a ser borrada." -#: src/utils_blockdev.c:297 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "La firma del superbloque '%s' existente en el dispositivo %s va a ser borrada." -#: src/utils_blockdev.c:300 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "No se ha podido limpiar la firma del dispositivo." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "No se ha podido sondear el dispositivo %s para una firma." @@ -3469,16 +3999,16 @@ msgstr "No se ha podido sondear el dispositivo %s para una firma." msgid "Invalid size specification in parameter --%s." msgstr "La especificación del tamaño no es válida en el parámetro --%s." -#: src/utils_args.c:121 +#: src/utils_args.c:125 #, c-format msgid "Option --%s is not allowed with %s action." msgstr "La opción --%s no se permite con la acción %s." -#: tokens/ssh/cryptsetup-ssh.c:108 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "No se ha podido escribir el json del «token» ssh." -#: tokens/ssh/cryptsetup-ssh.c:126 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3494,110 +4024,114 @@ msgstr "" "\n" "Nota: la información proporcionada al añadir el «token» (dirección del servidor SSH, usuario y rutas) se almacenará en la cabecera LUKS2 en texto plano." -#: tokens/ssh/cryptsetup-ssh.c:136 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:139 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Opciones para la acción 'add':" -#: tokens/ssh/cryptsetup-ssh.c:140 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "Dirección IP/URL del servidor remoto para este «token»" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Nombre de usuario utilizado para el servidor remoto" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Ruta del fichero de claves en el servidor remoto" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Ruta de la clave SSH para conectarse al servidor remoto" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Ruta del directorio que contiene los «tokens» externos de libcryptsetup" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Ranura de claves a la que asignar el «token». Si no se especifica, el «token» será asignado a la primera ranura de claves que coincida con la frase contraseña proporcionada." -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Opciones genéricas:" -#: tokens/ssh/cryptsetup-ssh.c:147 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Muestra mensajes de error más detallados" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Mostrar mensajes de depuración" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Mostrar mensajes de depuración incluidos los metadatos JSON" -#: tokens/ssh/cryptsetup-ssh.c:260 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "No se ha podido abrir e importar la clave privada:\n" -#: tokens/ssh/cryptsetup-ssh.c:264 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "No se ha podido importar la clave privada (¿está protegida por contraseña?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Contraseña de %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:355 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "No se han podido analizar los argumentos.\n" -#: tokens/ssh/cryptsetup-ssh.c:366 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Es preciso especificar una acción\n" -#: tokens/ssh/cryptsetup-ssh.c:372 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Es preciso especificar el dispositivo para la acción '%s'.\n" -#: tokens/ssh/cryptsetup-ssh.c:377 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Es preciso especificar el servidor SSH para la acción '%s'.\n" -#: tokens/ssh/cryptsetup-ssh.c:382 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Es preciso especificar el usuario SSH para la acción '%s'.\n" -#: tokens/ssh/cryptsetup-ssh.c:387 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Es preciso especificar la ruta SSH para la acción '%s'.\n" -#: tokens/ssh/cryptsetup-ssh.c:392 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Es preciso especificar la ruta de la ruta SSH para la acción '%s'.\n" -#: tokens/ssh/cryptsetup-ssh.c:399 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "No se ha podido abrir %s con las credenciales proporcionadas.\n" -#: tokens/ssh/cryptsetup-ssh.c:415 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Actualmente este «plugin» solo admite la acción 'add'.\n" -#: tokens/ssh/ssh-utils.c:46 tokens/ssh/ssh-utils.c:59 +#: tokens/ssh/ssh-utils.c:46 msgid "Cannot create sftp session: " msgstr "No se puede crear la sesión sftp: " @@ -3605,6 +4139,10 @@ msgstr "No se puede crear la sesión sftp: " msgid "Cannot init sftp session: " msgstr "No se puede iniciar la sesión sftp: " +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "No se puede abrir la sesión sftp: " + #: tokens/ssh/ssh-utils.c:66 msgid "Cannot stat sftp file: " msgstr "No se puede obtener el estado del fichero sftp: " @@ -3633,12 +4171,102 @@ msgstr "El método de autenticación de clave pública no está permitido en el msgid "Public key authentication error: " msgstr "Error de autenticación de clave pública: " +#~ msgid "compiled-in" +#~ msgstr "integrado en la compilación" + +#~ msgid "disabled" +#~ msgstr "desactivado" + +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "ATENCIÓN: El desplazamiento de los datos está fuera del dispositivo de datos actualmente disponible.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "No se puede obtener la prioridad del proceso." + +#~ msgid "Cannot unlock memory." +#~ msgstr "No se puede desbloquear la memoria." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "El directorio de bloqueo %s/%s se creará con los permisos predeterminados al compilar." + +#~ msgid "Failed to read BITLK signature from %s." +#~ msgstr "No se ha podido leer la firma BITLK de %s." + +#~ msgid "Invalid or unknown signature for BITLK device." +#~ msgstr "Firma no válida o desconocida para el dispositivo BITLK" + +#~ msgid "Failed to wipe backup segment data." +#~ msgstr "No se han podido limpiar los datos de segmentos de respaldo." + +#~ msgid "Failed to disable reencryption requirement flag." +#~ msgstr "No se ha podido desactivar el indicador del requisito de descifrado." + +#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" +#~ msgstr "Se ha detectado un dispositivo LUKS en %s. ¿Desea cifrar de nuevo ese dispositivo LUKS?" + +#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1." +#~ msgstr "Actualmente solo se admite el formato LUKS2. Utilice la herramienta cryptsetup-reencrypt para LUKS1." + +#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility." +#~ msgstr "Ya hay un recifrado «offline» heredado en proceso. Utilice la utilidad cryptsetup-reencrypt." + +#~ msgid "LUKS2 device is not in reencryption." +#~ msgstr "El dispositivo LUKS2 no está en recifrado." + +#~ msgid "Reencryption already in-progress." +#~ msgstr "Recifrado ya en curso." + +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "Estableciendo el indicador de recifrado fuera de línea LUKS2 en el dispositivo %s." + +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "Esta versión de cryptsetup-reencrypt no sabe manejar el nuevo tipo de «token» interno %s." + +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "No se ha podido leer los indicadores de activación en la cabecera de respaldo." + +#~ msgid "Failed to read requirements from backup header." +#~ msgstr "No se ha podido leer los requisitos en la cabecera de respaldo." + +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "Se han cambiado los parámetros pbkdf en la ranura de claves %i." + +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "Solo se permiten valores entre 1 MiB y 64 MiB para el tamaño de bloque de recifrado." + +#~ msgid "Maximum device reduce size is 64 MiB." +#~ msgstr "El tamaño máximo de reducción del dispositivo es de 64 MiB." + +#~ msgid "[OPTION...] " +#~ msgstr "[OPCIÓN...] " + +#~ msgid "Argument required." +#~ msgstr "Hace falta argumento." + +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "La opción --new debe utilizarse conjuntamente con --reduce-device-size o --header." + +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "La opción --keep-key solamente puede utilizarse con --hash, --iter-time o --pbkdf-force-iterations." + +#~ msgid "Option --new cannot be used together with --decrypt." +#~ msgstr "La opción --new no puede utilizarse conjuntamente con --decrypt." + +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "La opción --decrypt es incompatible con los parámetros especificados." + +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "La opción --uuid solo está permitida conjuntamente con --decrypt." + +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "Tipo de luks no válido. Utilice uno de estos: 'luks', 'luks1' o 'luks2'." + +#~ msgid "Device %s is in use. Cannot proceed with format operation." +#~ msgstr "El dispositivo %s está en uso. No se puede proceder con la operación de dar formato." + #~ msgid "No free token slot." #~ msgstr "No hay ninguna ranura de «token» libre." -#~ msgid "Failed to create builtin token %s." -#~ msgstr "No se ha podido crear el «token» interno %s." - #~ msgid "Invalid LUKS device type." #~ msgstr "Tipo de dispositivo LUKS no válido." @@ -3958,9 +4586,6 @@ msgstr "Error de autenticación de clave pública: " #~ msgid "Sector size option is not supported for this command." #~ msgstr "La opción de tamaño de sector no está disponible para esta orden." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "La opción --unbound solo puede utilizarse con las acciones luksAddKey y luksDump." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "La opción --refresh solo puede utilizarse con la acción de abrir." @@ -4141,9 +4766,6 @@ msgstr "Error de autenticación de clave pública: " #~ msgid "Read new volume (master) key from file" #~ msgstr "Leer la clave (maestra) del volumen desde fichero" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Tiempo de iteración PBKDF2 para LUKS (en ms)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Utilizar entrada/salida directa para acceder a los dispositivos" @@ -4183,9 +4805,6 @@ msgstr "Error de autenticación de clave pública: " #~ msgid "Parameter --refresh is only allowed with open or refresh commands." #~ msgstr "El parámetro --refresh solo se permite con las órdenes de abrir y de refrescar." -#~ msgid "Cipher %s is not available." -#~ msgstr "El algoritmo de cifrado %s no está disponible." - #~ msgid "Unsupported encryption sector size.\n" #~ msgstr "Tamaño de sector de cifrado no admitido.\n" @@ -4195,9 +4814,6 @@ msgstr "Error de autenticación de clave pública: " #~ msgid "Online reencryption in progress. Aborting." #~ msgstr "Recifrado «online» en curso. Se aborta." -#~ msgid "No LUKS2 reencryption in progress." -#~ msgstr "No hay ningún recifrado LUKS2 en proceso." - #~ msgid "Interrupted by a signal." #~ msgstr "Interrumpido por una señal." @@ -4261,9 +4877,6 @@ msgstr "Error de autenticación de clave pública: " #~ msgid "Error: Calculated reencryption offset % is beyond device size %." #~ msgstr "Error: El desplazamiento % de recifrado calculado sobrepasa el tamaño % del dispositivo." -#~ msgid "Device is not in clean reencryption state." -#~ msgstr "El dispositivo no está en un estado de recifrado limpio." - #~ msgid "Failed to calculate new segments." #~ msgstr "No se ha podido calcular los nuevos segmentos." diff --git a/po/fr.po b/po/fr.po index 7517b8a..bf711ff 100644 --- a/po/fr.po +++ b/po/fr.po @@ -7,10 +7,10 @@ # Frédéric Marchal , 2023. msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 15:51+0100\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-21 11:38+0100\n" "Last-Translator: Frédéric Marchal \n" "Language-Team: French \n" "Language: fr\n" @@ -28,58 +28,62 @@ msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Exécuti msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Le module noyau dm_mod est-il chargé ?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Le fanion différé demandé n'est pas supporté." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "Le DM-UUID du périphérique %s a été tronqué." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Type de cible dm inconnu." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Les options de performance dm-crypt demandées ne sont pas supportées." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Les options demandées de gestion de corruption des données dm-verity ne sont pas supportées." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "L'option dm-verity tasklets demandée n'est pas supportée." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Les options dm-verity FEC demandées ne sont pas supportées." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Les options d'intégrité de données demandées ne sont pas supportées." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "L'option sector_size demandée n'est pas supportée." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "La taille du périphérique n'est pas un multiple de la taille de secteur demandée." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Le recalcule automatique des balises de sécurité demandés n'est pas supporté." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM n'est pas supporté." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Le mode de carte de bits d'intégrité dm demandé n'est pas supporté." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Échec lors de l'interrogation du segment dm-%s." @@ -113,653 +117,743 @@ msgstr "La qualité du générateur aléatoire RNG demandé est inconnue." msgid "Error reading from RNG." msgstr "Erreur en lecture du générateur aléatoire RNG " -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "Le support de OPAL est désactivé dans libcryptsetup." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Le périphérique %s ou le noyau ne supporte pas le chiffrement OPAL." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Impossible d'initialiser le moteur aléatoire RNG pour le chiffrement." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Impossible d'initialiser le moteur de chiffrement." -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "L'algorithme de hachage %s n'est pas supporté." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Erreur de traitement de clé (valeur hachage %s)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Cette opération n'est possible que pour les périphériques LUKS." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Cette opération n'est possible que pour les périphériques LUKS2." -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Tous les emplacements de clés sont utilisés." -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0 et %d." -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre." -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc logique du périphérique." -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "En-tête détecté mais le périphérique %s est trop petit." -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Cette opération n'est pas supportée pour ce type de périphérique." -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Opération illégale avec une re-chiffrement en cours." -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Échec lors du retour en arrière des métadonnées LUKS2 en mémoire." -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "%s n'est pas un périphérique LUKS valide." -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "La version %d de LUKS n'est pas supportée." -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté pour le périphérique actif %s." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Le périphérique %s n'est pas activé." -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Le périphérique sous-jacent pour le périphérique chiffré %s a disparu." -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Paramètres de chiffrement non valides." -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "La taille de la clé n'est pas valide." -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "le UUID n'est pas supporté avec ce type de chiffrement." -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Un périphérique avec des métadonnées détachées n'est pas supporté avec ce type de chiffrement." -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Taille de secteur de chiffrement non supportée." -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "La taille du périphérique n'est pas alignée avec la taille de secteur demandée." -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Impossible de formater en LUKS sans périphérique." -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "L'alignement de données demandé n'est pas compatible avec le décalage des données." -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "ATTENTION : Un périphérique DAX peut corrompre les données car il ne garanti pas la mise à jour atomique des secteurs.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Impossible d'effacer l'en-tête du périphérique %s." -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Le périphérique %s est trop petit pour l'activation, il ne reste pas d'espace pour les données.\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "AVERTISSEMENT: L'activation du périphérique va échouer, dm-crypt ne supporte pas la taille de secteur de chiffrement demandée.\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "La clé de volume est trop petite pour chiffrer avec les extensions d'intégrité." -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Le chiffrement %s-%s (clé de %zd bits) n'est pas disponible." -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "ATTENTION: La taille des métadonnées LUKS2 est devenue % octets.\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "ATTENTION: La taille de la zone des emplacements de clés LUKS2 est devenue % octets.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "AVERTISSEMENT: L'activation du périphérique va échouer, dm-crypt ne supporte pas la taille de secteur de chiffrement demandée.\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Le périphérique %s est trop petit." -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Impossible de formater le périphérique %s qui est en cours d'utilisation." -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Impossible de formater le périphérique %s. Permission refusée." -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Impossible de formater l'intégrité du périphérique %s." -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Impossible de formater le périphérique %s" -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Impossible d'obtenir les paramètres d'alignement de OPAL." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Taille de bloc logique OPAL incorrecte." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "L'offset de données demandé n'est pas compatible avec la taille de bloc de OPAL." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "L'alignement de données demandé n'est pas compatible avec l'alignement de OPAL." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "L'offset de données ne satisfait pas les exigences d'alignement de OPAL." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "L'alignement de données demandé les exigences de la plage d'alignement du verrouillage." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "La taille du périphérique est compensée avec % secteurs pour l'aligner avec la granularité de l'alignement de OPAL." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Impossible d'acquérir le verrou OPAL sur le périphérique %s." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Clé admin OPAL incorrecte." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Impossible de configurer le segment OPAL." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Impossible de formater le périphérique %s. Le périphérique OPAL semble maintenant être complètement protégé contre l'écriture." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Il s'agit peut-être d'un bogue du micro logiciel. Exécutez une réinitialisation PSID OPAL et reconnectez pour récupération." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "La réinitialisation de la plage %d de verrouillage du périphérique %s a échouée." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Impossible de formater LOOPAES sans périphérique." -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Impossible de formater VERITY sans périphérique." -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Type de hachage VERITY %d non supporté." -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Taille de bloc VERITY non supportée." -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Décalage de hachage VERITY non supporté." -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Décalage VERITY FEC non supporté." -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "La zone de données recouvre la zone de hachage." -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "La zone de hachage recouvre la zone FEC." -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "La zone de données recouvre la zone FEC." -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "ATTENTION : La taille %d demandée pour l'étiquette est différente de la taille de sortie de %s (%d octets).\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Type de chiffrement de périphérique demandé (%s) inconnu." -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Paramètres non supportés sur le périphérique %s." -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Paramètres non concordants sur le périphérique %s." -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Désaccord entre les périphériques crypt." -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Impossible de recharger le périphérique %s." -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Impossible de suspendre le périphérique %s." -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Impossible de redémarrer le périphérique %s." -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Erreur fatale en rechargeant le périphérique %s (au dessus du périphérique %s)" -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Impossible de basculer le périphérique %s en dm-error." -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Impossible de redimensionner le périphérique LUKS2 avec une taille statique." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "Impossible de redimensionner le périphérique loopback." -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "ATTENTION: La taille maximale est déjà définie ou le noyau ne supporte pas le redimensionnement.\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Le redimensionnement a échoué, le noyau ne le supporte pas." -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Voulez vous réellement changer l'UUID du périphérique ?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Le fichier de sauvegarde de l'en-tête ne contient pas d'en-tête compatible LUKS." -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Le volume %s n'est pas actif." -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Le volume %s est déjà suspendu." -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Le périphérique %s ne supporte pas la suspension." -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Erreur lors de la suspension du périphérique %s." -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Le périphérique %s a été suspendu mais le périphérique matériel OPAL ne sait pas être verrouillé." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Le périphérique %s ne supporte pas la remise en service." -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Erreur lors de la remise en service du périphérique %s." -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Impossible de lier la clé au porte-clé spécifié." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Impossible de délier la clé du porte-clé utilisateur spécifié." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Impossible de lier la clé de volume dans le porte-clé utilisateur." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Le volume %s n'est pas suspendu." -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Ceci n'est pas la clé du volume." -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Nouvel emplacement de clé impossible à échanger." -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "L'emplacement de clé %d n'est pas valide." -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "L'emplacement de clé %d n'est pas actif." -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "L'en-tête du périphérique recouvre la zone de données." -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Re-chiffrement en cours. Impossible d'activer le périphérique." -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Impossible d'obtenir le verrou de re-chiffrement." -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "La récupération du rechiffrement LUKS2 a échoué." -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Type de périphérique improprement initialisé." -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Le périphérique %s existe déjà." -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Impossible d'utiliser le périphérique %s, le nom est invalide ou est toujours utilisé." -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Clé de volume incorrecte pour le périphérique en clair." -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "Hachage racine incorrect spécifié pour le périphérique verity." - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "Signature de hachage racine requise." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau." -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Le porte-clé du noyau est manquant : il est requis pour passer une signature au noyau." -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "Impossible de charger la clé dans le porte-clé du noyau." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "Hachage racine incorrect spécifié pour le périphérique verity." -#: lib/setup.c:4736 +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL ne supporte pas la désactivation différée." + +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Impossible d'annuler la suppression différée du périphérique %s." -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Le périphérique %s est toujours occupé." -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Le périphérique %s n'est pas valide." -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Le tampon de la clé du volume est trop petit." -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS2." -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS1." -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain »." -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "Impossible de récupérer le hachage racine pour le périphérique verity." -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Impossible de récupérer la clé du volume pour le périphérique BITLK." -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Impossible de récupérer la clé du volume pour le périphérique FVAULT2." -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s." -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique." -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Le décalage des données n'est pas un multiple de %u octets." -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Impossible de convertir le périphérique %s qui est toujours en cours d'utilisation." -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Échec de l'affectation de l'emplacement de clé %u pour la nouvelle clé de volume." -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Échec de l'initialisation des paramètres par défaut des emplacement de clé LUKS2." -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Échec de l'affectation de l'emplacement de clé %d aux résumé." -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume." -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Impossible de charger la clé dans le porte-clé du noyau." -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Impossible de délier la clé de volume du thread du porte-clé." + +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé (erreur %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Impossible de trouver le porte-clé décrit par « %s »." -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Erreur lors de l'acquisition du verrou global de sérialisation des accès strictes à la mémoire" -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Impossible d'ouvrir le fichier de clef." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Impossible de lire le fichier de clé depuis un terminal." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "Impossible d'exécuter « stat » sur le fichier de clef." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Impossible de sauter au décalage demandé dans le fichier de clé." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Plus assez de mémoire lors de la lecture de la phrase secrète." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Erreur de lecture de la phrase secrète." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Rien à lire en entrée." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Taille max. de fichier de clé dépassée." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Impossible de lire la quantité de données demandée." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Le périphérique %s n'existe pas ou l'accès y est interdit." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Le périphérique %s n'est pas compatible." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "La mauvaise taille de optimal-io est ignorée pour le périphérique de données (%u octets)." -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Le périphérique %s est trop petit. Il a besoin d'au moins % octets." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Impossible d'utiliser le périphérique %s actuellement utilisé (déjà mappé ou monté)." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Impossible d'utiliser le périphérique %s, permission refusée." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "Impossible d'obtenir des informations au sujet du périphérique %s." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Impossible d'utiliser un périphérique loopback. Fonctionne comme un utilisateur non-root." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Impossible d'associer le périphérique loopback (le drapeau « autoclear » est requis)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Le décalage demandé est au delà de la taille réelle du périphérique %s." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Le périphérique %s a une taille nulle." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Le temps cible PBKDF demandé ne peut pas être zéro." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Type PBKDF %s inconnu." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "L'algorithme de hachage %s demandé n'est pas supporté." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Le type PBKDF demandé n'est pas supporté par LUKS1." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "La mémoire maximum ou les threads parallèles de PBKDF ne peuvent pas être définis avec pbkdf2." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Le nombre d'itérations forcées est trop petit pour %s (le minimum est %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Le coût de la mémoire forcé est trop petit pour %s (le minimum est %u kilooctets)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Le coût de la mémoire PBKDF maximum demandée est trop grand (maximum est %d kilooctets)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "La mémoire PBKDF maximum demandée ne peut pas être zéro." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Le nombre de threads parallèles PBKDF demandé ne peut pas être zéro." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Seul PBKDF2 est supporté en mode FIPS." -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "L'étalon PBKDF est désactivé mais les itérations ne sont pas définies." -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Options PBKDF2 incompatibles (en utilisant l'algorithme de hachage %s)." -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Options PBKDF incompatibles." @@ -773,16 +867,24 @@ msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisabl msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (%s n'est pas un répertoire)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Impossible de se déplacer au décalage du périphérique." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Erreur durant l'effacement total, offset %" +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "PSID OPAL incorrecte." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Impossible d'effacer le périphérique OPAL." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -803,7 +905,7 @@ msgstr "La spécification du chiffrement devrait être au format [chiffrement]-[ #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Impossible d'écrire sur le périphérique %s. Permission refusée." @@ -817,17 +919,17 @@ msgid "Failed to access temporary keystore device." msgstr "Impossible d'accéder au périphérique de stockage temporaire de clés." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Erreur E/S pendant le chiffrement de l'emplacement de clé." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -849,32 +951,32 @@ msgstr "Le périphérique %s est trop petit (LUKS1 a besoin d'au moins % msgid "LUKS keyslot %u is invalid." msgstr "L'emplacement de clé LUKS %u n'est pas valide." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Le fichier de sauvegarde d'en-tête demandé %s existe déjà." -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Impossible de créer le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Impossible d'écrire le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Le fichier de sauvegarde ne contient pas d'en-tête LUKS valide." #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Impossible d'ouvrir le fichier de sauvegarde d'en-tête %s." -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Impossible de lire le fichier de sauvegarde d'en-tête %s." @@ -896,7 +998,7 @@ msgstr "ne contient pas d'en-tête LUKS. Remplacer l'en-tête peut détruire les msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "contient déjà un en-tête LUKS. Remplacer l'en-tête détruira les emplacements de clés actuels." -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -970,7 +1072,7 @@ msgstr "Le mode de chiffrement LUKS %s n'est pas valide." msgid "LUKS hash %s is invalid." msgstr "La valeur hachée LUKS %s n'est pas valide." -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "Aucun problème connu détecté pour l'en-tête LUKS." @@ -989,8 +1091,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "L'offset des données d'un en-tête LUKS doit être soit 0 ou soit plus grand que la taille de l'en-tête." #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Mauvais format fourni pour le UUID LUKS." @@ -1027,7 +1129,7 @@ msgstr "Impossible d'ouvrir l'emplacement de clé (en utilisant le hachage %s)." msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "L'emplacement de clé %d n'est pas valide, merci de sélectionner un emplacement entre 0 et %d." -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Impossible d'effacer de façon sécurisée le périphérique %s." @@ -1048,48 +1150,48 @@ msgstr "Fichier de clé incompatible pour boucle « loop-AES »." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Le noyau ne supporte pas les associations de type boucle « loop-AES »." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Erreur lors de la lecture du fichier de clé %s." -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Longueur maximum de la phrase secrète TCRYPT (%zu) dépassée." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "L'algorithme de hachage PBKDF2 %s n'est pas supporté, ignoré." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "L'interface du noyau requise pour le chiffrement n'est pas disponible." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Vérifiez que le module du noyau algif_skcipher est chargé." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "L'activation n'est pas supportée pour des secteurs de taille %d." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Le noyau ne supporte pas l'activation pour ce mode TCRYPT historique." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Activation du chiffrement du système TCRYPT sur la partition %s." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Le noyau ne supporte pas les associations de type TCRYPT." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT." @@ -1148,74 +1250,74 @@ msgstr "Impossible de lire les entrées des méta-données de BITLK depuis %s." msgid "Failed to convert BITLK volume description" msgstr "Échec lors de la conversion de la description du volume BITLK" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la clé externe." -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "Le GUID du fichier BEK « %s » ne correspond pas au GUID du volume." -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la clé externe." -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Métadonnées BEK version % non supportées" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "La taille inattendue des métadonnées BEK % ne correspond pas à la longueur du fichier BEK" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Une entrée de méta-donnée inattendue a été trouvée en analysant la clé de démarrage." -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Cette opération n'est pas supportée." -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Taille inattendue pour les données de la clé." -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Ce périphérique BITLK est dans un état non supporté et ne peut pas être activé." -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Les périphériques BITLK avec le type « %s » ne peuvent pas être activés." -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "L'activation d'un périphérique BITLK partiellement déchiffré n'est pas supporté." -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "AVERTISSEMENT: La taille % du volume BitLocker ne correspond pas à la taille % du périphérique sous-jacent" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas BITLK IV." -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas le diffuseur BITLK Elephant." -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas une grande taille de secteur." -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Impossible d'activer le périphérique car le module dm-zero est manquant dans le noyau." @@ -1253,28 +1355,32 @@ msgstr "Mauvais format d'UUID VERITY fourni sur le périphérique %s." msgid "Error during update of verity header on device %s." msgstr "Erreur lors de la mise à jour de l'en-tête verity sur le périphérique %s." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "La vérification de la signature du hachage racine n'est pas supportée." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Signature de hachage racine requise." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Les erreurs ne savent pas être réparées avec un périphérique FEC." -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "%u erreurs réparables ont été trouvées avec le périphérique FEC." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "Le noyau ne supporte pas les associations de type dm-verity." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "Le noyau ne supporte pas les options de signature dm-verity." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Le périphérique verity a détecté une corruption après l'activation." @@ -1368,7 +1474,7 @@ msgstr "Impossible de déterminer la taille du périphérique %s." msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Métadonnées dm-integrity du noyau incompatible (version %u) détectée sur %s." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "Le noyau ne supporte pas les associations de type dm-integrity." @@ -1380,8 +1486,8 @@ msgstr "Le noyau ne supporte pas les alignements de méta-données fixés de dm- msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Le noyau refuse d'activer l'option de recalcul non sûre (voyez les options d'activation historique pour outrepasser)." -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Impossible d'acquérir un verrou en écriture sur le périphérique %s." @@ -1398,49 +1504,59 @@ msgstr "" "Le périphérique contient une signature ambigüe, impossible de récupérer automatiquement LUKS2.\n" "Veuillez exécuter « cryptsetup repair » pour la récupération." -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "ATTENTION: la zone des emplacements de clés (% octets) est très petite, le nombre d'emplacements de clés LUKS2 est très limité.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "Le décalage de données demandé est trop petit." -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "ATTENTION: la zone des emplacements de clés (% octets) est très petite, le nombre d'emplacements de clés LUKS2 est très limité.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "ATTENTION: La taille des métadonnées LUKS2 est devenue % octets.\n" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "ATTENTION: La taille de la zone des emplacements de clés LUKS2 est devenue % octets.\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Impossible d'acquérir le verrou de lecture sur le périphérique %s." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Des exigences LUKS2 interdites ont été détectées dans la sauvegarde %s." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Les décalages des données ne sont pas identiques sur le périphérique et la sauvegarde, la restauration a échoué." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Les en-têtes binaires avec des tailles de zones d'emplacements de clés sont différents sur le périphérique et la sauvegarde, la restauration a échouée." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Périphérique %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "ne contient pas d'en-tête LUKS2. Remplacer l'en-tête peut détruire les données de ce périphérique." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "contient déjà un en-tête LUKS2. Remplacer l'en-tête détruira les emplacements de clés actuels." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1450,7 +1566,7 @@ msgstr "" "ATTENTION: des exigences LUKS2 inconnues ont été détectées sur l'en-tête du périphérique réel !\n" "Remplacer l'en-tête par la sauvegarde peut corrompre les données sur ce périphérique !" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1460,58 +1576,92 @@ msgstr "" "ATTENTION: Un rechiffrement hors-ligne non terminé a été détecté sur le périphérique !\n" "Remplacer l'en-tête par la sauvegarde peut corrompre les données." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Fanion inconnu %s ignoré." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Clé manquante pour le segment %u de dm-crypt" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Impossible de définir le segment dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Impossible de définir le segment dm-linear." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté dans l'en-tête LUKS2." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "Un périphérique OPAL doit avoir une taille de périphérique statique." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Un périphérique OPAL chiffré avec intégrité doit être plus petit que la plage de verrouillage." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "Un périphérique OPAL doit avoir la même taille que la plage de verrouillage." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Le périphérique OPAL %s est déjà déverrouillé.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Configuration d'intégrité du périphérique non supportée." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Les secteurs de données fournis sont inattendus pour le périphérique dm-integrity sous-jacent." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Re-chiffrement en cours. Le périphérique ne peut être désactivé." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Échec du remplacement du périphérique suspendu %s avec la cible dm-error." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Le périphérique %s a été désactivé mais le périphérique matériel OPAL ne sait pas être verrouillé." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Échec lors de la lecture des exigences LUKS2." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Des exigences LUKS2 non rencontrées ont été détectées." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement historique. Abandon." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement LUKS2. Abandon." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Opération incompatible avec un périphérique utilisant OPAL. Abandon." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Pas assez de mémoire disponible pour ouvrir l'emplacement de clé." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Échec de l'ouverture de l'emplacement de clé." @@ -1520,331 +1670,343 @@ msgstr "Échec de l'ouverture de l'emplacement de clé." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Impossible d'utiliser le chiffrement %s-%s pour le chiffrement de l'emplacement de clé" -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "L'algorithme de hachage %s n'est pas disponible." -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Attention : l'opération sur l'emplacement de clé peut échouer car il requiert plus de mémoire disponible.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Plus d'espace pour le nouvel emplacement de clé." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "Requête de changement du mode de résilience du rechiffrement invalide." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Impossible de mettre à jour le type de résilience. Le nouveau type ne fourni que % octets alors que l'espace requis est % octets." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Impossible de rafraîchir le résumé de la vérification de rechiffrement." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Ne peut vérifier le statut du périphérique avec le uuid : %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Impossible de convertir un en-tête avec des métadonnées LUKSMETA supplémentaires." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Impossible d'utiliser la spécification de chiffrement %s-%s pour LUKS2." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Impossible de déplacer la zone des emplacements de clés. Pas assez d'espace." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Impossible de convertir au format LUKS2 – métadonnées invalides." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Impossible de déplacer la zone des emplacements de clés. Les emplacements de clés LULS2 sont trop petits." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Impossible de déplacer la zone des emplacements de clés." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Impossible de convertir au format LUKS1 – la taille du secteur de chiffrement du segment par défaut n'est pas 512 octets." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Impossible de convertir au format LUKS1 – les résumés des emplacements de clés ne sont pas compatibles avec LUKS1." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise des clés de chiffrement %s emballées." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise plus de segments." -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Impossible de convertir au format LUKS1 – l'en-tête LUKS2 contient %u jeton(s)." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u est dans un état invalide." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Impossible de convertir au format LUKS1 – l'emplacement %u (sur les emplacements maximum) est toujours actif." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u n'est pas compatible avec LUKS1." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "La taille de la zone chaude doit être un multiple de l'alignement de zone calculé (%zu octets)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "La taille du périphérique doit être un multiple de l'alignement de zone calculé (%zu octets)." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Impossible d'initialiser l'encapsulation pour le stockage de l'ancien segment." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Impossible d'initialiser l'encapsulation pour le stockage du nouveau segment." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Impossible d'initialiser la protection des zones chaudes." -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Impossible de lire les sommes de contrôle pour la zone chaude actuelle." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Échec de la lecture de la zone chaude démarrant à %." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Échec lors du déchiffrement du secteur %zu." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Échec lors de la récupération du secteur %zu." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Les tailles des périphériques source et cible ne correspondent pas. Source %, cible: %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Échec de l'activation du périphérique de zone chaude %s." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Impossible d'activer le périphérique de surcouche %s avec la table d'origine actuelle." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Impossible de charger la nouvelle cartographie du périphérique %s." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Impossible de rafraîchir la pile des périphériques de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Impossible de définir la taille de la nouvelle zone des emplacements de clés." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "La valeur de décalage de données n'est pas alignée sur la taille de secteur de chiffrement (% octets)." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Mode de résilience %s non supporté" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "La taille du secteur déplacé ne peut pas être plus grande que la valeur de décalage des données." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Paramètres de rechiffrement de la résilience invalides." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Le segment déplacé est trop grand. La taille demandée est %, l'espace disponible est %" -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Erreur lors de la suppression de la table." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "La taille des données réduites est plus grande que la taille réelle du périphérique." -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Le périphérique de données n'est pas aligné sur la taille de secteur de chiffrement (% octets)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Le décalage de données (% secteurs) est plus petit que le décalage de données future (% secteurs)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Erreur lors de l'ouverture de %s en mode exclusif (déjà mappé ou monté)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Le périphérique n'est pas marqué pour le rechiffrement LUKS2." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Échec du chargement du contexte de rechiffrement LUKS2" -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Impossible d'obtenir l'état de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Le périphérique n'est pas en rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Le rechiffrement est déjà en cours." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Impossible d'acquérir le verrou de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Impossible de réaliser le rechiffrement. Exécutez d'abord la récupération du rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "La taille du périphérique actif et la taille de rechiffrement demandée ne correspondent pas." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "Taille de périphérique illégale demandée dans les paramètres de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Rechiffrement en cours. La récupération ne peut pas être réalisée." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Rechiffrement LUKS2 déjà initialisé dans les métadonnées." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Échec de l'initialisation du rechiffrement LUKS2 dans les métadonnées." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Le rechiffrement n'est pas supporté avec les périphériques DAX (mémoire persistante)." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Impossible de définir les segments du périphérique pour le rechiffrement suivant de la zone chaude." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Échec lors de l'écriture des métadonnées de la résilience du rechiffrement." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Échec du déchiffrement." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Échec de l'écriture de la zone chaude démarrant à %." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Erreur lors de la synchronisation des données." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Échec de la mise à jour des métadonnées après la fin du rechiffrement de la zone chaude courante." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Échec lors de l'écriture des métadonnées LUKS2" -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Impossible d'effacer la zone du périphérique contenant les données inutilisées." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Erreur lors de la suppression de l'emplacement de clé inutilisé (unbound) %d." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Erreur lors de la suppression de l'emplacement de clé de re-chiffrement." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Erreur fatale en rechiffrant le morceau commençant à % d'une longueur de % secteurs." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Échec du rechiffrement en-ligne." # Frédéric: Je n'ai pas la moindre idée de ce que le développeur a voulu écrire. Qu'est-ce que "error target" dans ce contexte ? -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Ne pas redémarrer le périphérique à moins qu'il ait été remplacé manuellement par la cible en erreur." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Impossible de réaliser le rechiffrement. Statut de rechiffrement inattendu." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Contexte de rechiffrement manquant ou invalide." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Impossible d'initialiser la pile du périphérique de rechiffrement." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Échec de la mise à jour du contexte de rechiffrement." @@ -1852,80 +2014,121 @@ msgstr "Échec de la mise à jour du contexte de rechiffrement." msgid "Reencryption metadata is invalid." msgstr "Les méta-données de rechiffrement sont invalides." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "Pour la plage OPAL %d, l'offset % ne correspond pas aux valeurs % attendues." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "Pour la plage OPAL %d, la longueur % ne correspond pas à la longueur % du périphérique." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "Pour la plage OPAL %d, le verrouillage est désactivé." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "État de verrouillage inattendu pour la plage OPAL %d." + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Les paramètres de chiffrement des emplacement de clés peuvent uniquement être définis pour un périphérique LUKS2." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Entrez le code PIN du jeton : " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Entrez le code PIN du jeton %d : " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "ATTENTION : Utilisation des options par défaut pour le chiffrement (%s-%s, taille de clé %u bits) qui pourraient être incompatibles avec les vieilles versions." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "ATTENTION : Utilisation des options par défaut pour le hachage (%s) qui pourraient être incompatibles avec les vieilles versions." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "En mode simple, utilisez toujours les options --cipher, --key-size et si aucun fichier de clé n'est utilisé, alors, aussi --hash." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "ATTENTION: Le paramètre --hash est ignoré en mode non chiffré quand le fichier de clé est spécifié.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "ATTENTION: L'option --keyfile-size est ignorée. La taille de lecture est la même que la taille de la clé de chiffrement.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "L'analyse de blkid a échouée pour %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Signature(s) de périphérique détectée(s) sur %s. Continuer risque d'endommager les données existantes." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Opération interrompue.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "L'option --key-file est requise." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Entrez le PIN VeraCrypt : " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Valeur PIN invalide : erreur d'analyse" -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Valeur PIN invalide: 0" -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Valeur PIN invalide: hors des limites." -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "Aucun en-tête détecté avec cette phrase secrète sur le périphérique." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Le périphérique %s n'est pas un périphérique BITLK valide." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Impossible de déterminer la taille de la clé de volume pour BITLK, veuillez utiliser l'option --key-size." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1935,7 +2138,7 @@ msgstr "" "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n" "Ce contenu devrait toujours être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1945,77 +2148,84 @@ msgstr "" "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n" "Ce contenu devrait être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Le périphérique %s n'est pas un périphérique FVAULT2 valide." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Impossible de déterminer la taille de la clé de volume pour FVAULT2, veuillez utiliser l'option --key-size." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Le périphérique %s est toujours actif et prévu pour une suppression différée.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Échec en essayant de définir le chemin %s pour les jetons externes." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Le redimensionnement d'un périphérique actif requiert que la clé du volume soit dans le porte-clé mais l'option --disable-keyring est définie." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Test de performance interrompu." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s N/A\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u itérations par seconde pour une clé de %zu bits\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s N/A\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u itérations, %5u mémoire, %1u threads parallèles (CPUs) pour une clé de %zu bits (temps de %u ms demandé)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Le résultat de l'évaluation de performance n'est pas fiable." -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Tests approximatifs en utilisant uniquement la mémoire (pas de stockage E/S).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithme | Clé | Chiffrement | Déchiffrement\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Le chiffrement %s (avec une clé de %i bits) n'est pas disponible." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithme | Clé | Chiffrement | Déchiffrement\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "N/D" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2024,27 +2234,27 @@ msgstr "" "désirable (consultez la sortie de luksDump) et continuez (mise à niveau des métadonnées) uniquement si vous constatez que\n" "l'opération est légitime." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Entrez la phrase secrète pour protéger et mettre à niveau les métadonnées de rechiffrement : " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Réellement procéder à la récupération du rechiffrement LUKS2 ?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Entrez la phrase secrète pour vérifier le résumé des métadonnées du rechiffrement : " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Entrez la phrase secrète pour la récupération du rechiffrement : " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Réellement essayer de réparer l'en-tête du périphérique LUKS ?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2052,7 +2262,7 @@ msgstr "" "\n" "Effacement interrompu." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2060,128 +2270,144 @@ msgstr "" "Effacement du périphérique pour initialiser les sommes de contrôle d'intégrité.\n" "Vous pouvez interrompre ceci en appuyant sur CTRL+c (le reste du périphérique effacé contiendra toujours des sommes de contrôle invalides).\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Impossible de désactiver le périphérique temporaire %s." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "L'option d'intégrité peut uniquement être utilisée avec le format LUKS2." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Options de taille des métadonnées LUKS2 non supportées." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL est uniquement supporté avec le format LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Le fichier d'en-tête n'existe pas, voulez-vous le créer ?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Impossible de créer le fichier d'en-tête %s." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Aucun motif connu de spécification d'intégrité n'a été détecté." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Ne peut utiliser %s comme en-tête sur disque." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Cette action écrasera définitivement les données sur %s." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Le mot de passe Admin de OPAL ne peut pas être vide." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Impossible de définir les paramètres pbkdf." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "La spécification de type dans la spécification du porte-clé --link-vk-to-keyring est ignorée." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Valeur invalide pour --link-vk-to-keyring." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Décalage réduit de données est uniquement permis dans un en-tête LUKS détaché." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "Le container %s du fichier LUKS est trop petit pour l'activation, il ne reste pas d'espace pour les données." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Impossible de déterminer la taille de la clé de volume pour LUKS sans emplacement de clé, veuillez utiliser l'option --key-size." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Le périphérique a été activé mais les fanions ne peuvent pas être rendus permanents." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Emplacement de clé %d sélectionné pour suppression." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Ceci est le dernier emplacement de clé. Le périphérique sera inutilisable après la suppression de cette clé." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Entrez toute phrase secrète restante : " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Opération interrompue, l'emplacement de clé n'a PAS été effacé.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Entrez la phrase secrète à effacer : " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "%s n'est pas un périphérique LUKS2 valide." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Entrez une nouvelle phrase secrète pour l'emplacement de clé : " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "ATTENTION: Le paramètre --key-slot est utilisé pour le nouveau numéro de l'emplacement de clé.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Entrez une phrase secrète existante : " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Entrez la phrase secrète à changer : " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Entrez la nouvelle phrase secrète : " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Entrez la phrase secrète pour l'emplacement de clé à convertir: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "L'opération isLuks supporte seulement un périphérique en argument." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "L'emplacement de clé %d ne contient pas de clé non liée." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2189,40 +2415,52 @@ msgstr "" "Le contenu de l'en-tête avec une clé non liée est une information sensible.\n" "Ce contenu devrait être stocké, chiffré, en lieu sûr." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s n'est pas un nom de périphérique %s actif." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s n'est pas un nom de périphérique LUKS actif ou l'en-tête est manquant." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "L'option --header-backup-file est requise." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s n'est pas un périphérique géré par cryptsetup." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Le rafraîchissement n'est pas supporté pour un périphérique de type %s" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Type de métadonnée du périphérique %s non reconnu." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "La commande exige un périphérique et un nom de correspondance comme arguments." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Entrez le PSID OPAL : " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Entrez le mot de passe Admin de OPAL : " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "ATTENTION : Le disque ENTIER sera réinitialisé d'usine et toutes les données seront perdues ! Continuer ?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2231,351 +2469,351 @@ msgstr "" "Cette opération va supprimer tous les emplacements de clés du périphérique %s.\n" "Le périphérique sera inutilisable après cette opération." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Opération interrompue, les emplacements de clés n'ont PAS été effacés.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Type LUKS invalide, seuls luks1 et luks2 sont supportés." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Le périphérique est déjà du type %s." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Cette opération va convertir %s au format %s.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Opération interrompue, le périphérique n'a PAS été converti.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "L'option --priority, --label ou --subsystem est manquante." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Le jeton %d est invalide." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Le jeton %d est utilisé." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Échec lors de l'ajout du jeton %d au porte-clé luks2." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Échec lors de l'affectation du jeton %d à l'emplacement de clé %d." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Le jeton %d n'est pas utilisé." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Impossible d'importer le jeton depuis le fichier." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Impossible d'obtenir le jeton %d pour l'export." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Le jeton %d n'est pas assigné à l'emplacement de clé %d." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Impossible de dissocier le jeton %d de l'emplacement de clé %d." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "L'option --veracrypt ou --disable-veracrypt est uniquement supportée pour un périphérique de type TCRYPT." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "L'option --veracrypt-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "L'option --veracrypt-query-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Les options --veracrypt-pim et --veracrypt-query-pim sont mutuellement exclusives." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "L'option --persistent n'est pas permise avec --test-passphrase." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Les options --refresh et --test-passphrase sont mutuellement exclusives." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "L'option --offset avec l'action d'ouverture est supportée uniquement pour des périphériques ordinaires et loopaes." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "L'option de taille de secteur avec l'action d'ouverture est uniquement supportée pour des périphérique ordinaires." -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "L'option des secteurs IV (vecteur d'initialisation) de grande taille est supportée uniquement à l'ouverture de périphériques de type simple avec une taille de secteur supérieure à 512 octets." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS, TCRYPT, BITLK et FVAULT2." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Les options --device-size et --size ne peuvent pas être combinées." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "L'option --unbound est permise uniquement pour ouvrir un périphérique luks." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "L'option --unbound ne peut pas être utilisée sans --test-passphrase." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Les options --cancel-deferred et --deferred ne peuvent pas être utilisées en même temps." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Les options --reduce-device-size et --data-size ne peuvent pas être combinées." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Les options --reduce-device-size et --device-size ne peuvent pas être combinées." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "L'option --active-name peut uniquement être définie pour un périphérique LUKS2." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Les options --active-name et --force-offline-reencrypt ne peuvent pas être combinées." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Une spécification d'emplacement de clé est requise." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Les options --align-payload et --offset ne peuvent pas être combinées." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "L'option --integrity-no-wipe peut uniquement être utilisée pour une action de formatage avec l'extension d'intégrité." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Seule une des deux possibilités --use-[u]random est autorisée." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "La taille de clé est requise avec l'option --unbound." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "L'action de jeton est invalide." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Le paramètre --key-description est requis pour l'action d'ajout d'un jeton." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --token-id." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "L'option --unbound est uniquement valable avec l'action d'ajout d'un jeton." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Les options --key-slot et --unbound ne peuvent pas être combinées." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --key-slot." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type ] []" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "ouvrir le périphérique comme " -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "fermeture du périphérique (supprime le « mapping »)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "redimensionner le périphérique actif" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "afficher le statut du périphérique" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher ]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "chiffrement pour test de performance" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "essayer de réparer les métadonnées sur le disque" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "rechiffrer le périphérique LUKS2" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "supprimer tous les emplacements de clés (supprime la clé de chiffrement)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "convertir LUKS depuis/vers le format LUKS2" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "définir les options de configuration permanentes pour LUKS2" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "formater un périphérique LUKS" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "ajouter une clé au périphérique LUKS" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "retire du périphérique LUKS la clé ou le fichier de clé fourni" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "modifie la clé ou le fichier de clé fourni pour le périphérique LUKS" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "converti une clé vers les nouveaux paramètres pbkdf" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "efface de façon sécurisée la clé avec le numéro du périphérique LUKS" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "afficher l'UUID du périphérique LUKS" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "teste si a un en-tête de partition LUKS" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "affiche les informations LUKS de la partition" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "affiche les informations du périphérique TCRYPT" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "affiche les informations du périphérique BITLK" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "affiche les informations du périphérique FVAULT2" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Suspendre le périphérique LUKS et effacer de façon sécurisée la clé (toutes les entrées/sorties sont suspendues)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Remettre en service le périphérique LUKS suspendu" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Sauvegarder l'en-tête et les emplacements de clés du périphérique LUKS" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Restaurer l'en-tête et les emplacements de clés du périphérique LUKS" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Manipuler les jetons LUKS2" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2583,7 +2821,7 @@ msgstr "" "\n" " est l'une de :\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2595,7 +2833,7 @@ msgstr "" "\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2610,7 +2848,7 @@ msgstr "" " est le numéro de l'emplacement de clé LUKS à modifier\n" " est un fichier optionnel contenant la nouvelle clé pour l'action luksAddKey\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2619,29 +2857,28 @@ msgstr "" "\n" "Le format de métadonnées compilé par défaut est %s (pour l'action luksFormat).\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Le support du greffon de jeton externe LUKS2 est %s.\n" +"Le support du greffon de jeton externe LUKS2 est enabled.\n" -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "intégré dans la compilation" - -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Chemin du greffon de jeton externe LUKS2 : %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "désactivé" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Le support du greffon de jeton externe LUKS2 est désactivé.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2658,7 +2895,7 @@ msgstr "" "PBKDF par défaut pour LUKS2 : %s\n" "\tTemps d'itération: %d, Mémoire requise: %d ko, Threads parallèles: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2673,96 +2910,100 @@ msgstr "" "\tplain: %s, Clé: %d bits, Hachage mot de passe: %s\n" "\tLUKS: %s, Clé: %d bits, Hachage en-tête LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: La taille de clé par défaut en mode XTS (deux clés internes) sera doublée.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s : exige %s comme arguments." -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Emplacement de clé non valide." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "La taille du périphérique doit être un multiple d'un secteur de 512 octets." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "La spécification de la taille maximale de la zone chaude de rechiffrement est invalide." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "La taille de la clé doit être un multiple de 8 bits" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "La taille maximum réduite pour le périphérique est 1 GiB." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "La taille réduite doit être un multiple d'un secteur de 512 octets." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "L'option --priority peut uniquement être ignore/normal/prefer." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Afficher ce message d'aide" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Afficher, en résumé, la syntaxe d'invocation" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Afficher la version du paquet" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Options d'aide :" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[OPTION...] " -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Il manque l'argument ." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Action inconnue." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "L'option --key-file est prioritaire par rapport à un fichier de clé spécifié en argument." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Un seul argument --key-file est autorisé." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "La fonction de dérivation d'une clé basée sur un mot de passe (PBKDF = Password-Based Key Derivation Function) peut uniquement être pbkdf2 ou argon2i/argon2id." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Les itérations forcées de PBKDF ne peuvent pas être combinées avec l'option de temps d'itération." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Impossible de lier une clé de volume à un porte-clé quand le porte-clé est désactivé." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Les options --keyslot-cipher et --keyslot-key-size doivent être utilisées ensembles." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Aucune action réalisée. Invoqué avec l'option --test-args.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Impossible de désactiver le verrouillage des métadonnées." @@ -2827,7 +3068,7 @@ msgstr "La commande exige ou l'option --root-hash-file comme ar msgid " " msgstr " " -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "formater le périphérique" @@ -2843,7 +3084,7 @@ msgstr "vérifier le périphérique" msgid " []" msgstr " []" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "afficher le statut du périphérique actif" @@ -2851,7 +3092,7 @@ msgstr "afficher le statut du périphérique actif" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "afficher les informations sur le disque" @@ -2881,11 +3122,11 @@ msgstr "" "Paramètres compilés par défaut dans dm-verity :\n" "\tHachage: %s, Bloc données (octets): %u, Bloc hachage (octets): %u, Taille aléa: %u, Format hachage: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Les options --ignore-corruption et --restart-on-corruption ne peuvent être utilisées ensembles." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Les options --panic-on-corruption et --restart-on-corruption ne peuvent être utilisées ensembles." @@ -2898,29 +3139,29 @@ msgstr "" "Ceci écrasera les données sur %s et %s de manière irrévocable.\n" "Pour préserver le périphérique de données, utilisez l'option --no-wipe (et ensuite activez-le avec --integrity-recalculate)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formaté avec une taille de balise de %u, intégrité interne %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Définir le fanion pour le recalcul n'est pas supporté, envisagez plutôt d'utiliser --wipe." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Le périphérique %s n'est pas un périphérique INTEGRITY valable." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2931,7 +3172,7 @@ msgstr "" " est le périphérique à créer sous %s\n" " est le périphérique contenant les données avec les balises d'intégrité\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2944,40 +3185,40 @@ msgstr "" "\tAlgorithme de somme de contrôle : %s\n" "\tTaille maximale du fichier de clé : %dko\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "La taille --%s n'est pas valide. Le maximum est %u octets." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Les options du fichier de clé et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Les options du fichier de clé de l'intégrité du journal et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "L'algorithme d'intégrité du journal doit être spécifié si la clé d'intégrité du journal est utilisée." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Les options du fichier de clé de chiffrement du journal et de la taille de la clé doivent être spécifiées toutes les deux." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "L'algorithme de chiffrement du journal doit être spécifié si la clé de chiffrement du journal est utilisée." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Les options de mode récupération et champ de bits sont mutuellement exclusives." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Les options de journal ne peuvent pas être utilisées en mode champ de bits." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Les options de champ de bits peuvent uniquement être utilisées en mode champ de bits." @@ -3189,58 +3430,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Échec de la vérification de la qualité du mot de passe : Mauvais mot de passe (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Erreur de lecture de la phrase secrète depuis la console." -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Vérifiez la phrase secrète : " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Les phrases secrètes ne sont pas identiques." -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Le décalage n'est pas possible si l'entrée provient de la console." -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Saisissez la phrase secrète : " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Saisissez la phrase secrète pour %s : " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Aucune clé disponible avec cette phrase secrète." -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Aucun emplacement de clé utilisable est disponible." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Impossible de vérifier une phrase secrète non saisie sur une console." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Impossible d'ouvrir le fichier %s en lecture seule." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Fournissez le jeton LUKS valide au format JSON:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "Impossible de lire le fichier JSON." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3248,12 +3489,12 @@ msgstr "" "\n" "Lecture interrompue." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Impossible d'ouvrir le fichier %s en écriture seule." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3261,7 +3502,7 @@ msgstr "" "\n" "Écriture interrompue." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "Erreur lors de l'écriture du fichier JSON." @@ -3328,15 +3569,19 @@ msgstr "Le périphérique requiert une récupération de rechiffrement. Exécute msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS2. Voulez-vous redémarrer l'opération précédemment initialisée ?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Le rechiffrement LUKS2 historique n'est plus supporté." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Impossible de rechiffrer un périphérique LUKS2 configuré pour utiliser OPAL." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Le rechiffrement d'un périphérique avec un profil d'intégrité n'est pas supporté." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3345,103 +3590,103 @@ msgstr "" "La taille de secteur demandée avec --sector-size % est incompatible avec le superbloc %s\n" "(taille de bloc : % octets) détecté sur le périphérique %s." -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Le chiffrement sans en-tête détaché (--header) n'est pas possible sans une réduction de la taille du périphérique de données (--reduce-device-size)" -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Le décalage de données demandé doit être inférieur ou égal à la moitié du paramètre --reduce-device-size." -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Ajustement de la valeur de --reduce-device-size à deux fois --offset % (secteurs).\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Le fichier temporaire d'en-tête %s existe déjà. Abandon." -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Impossible de créer le fichier temporaire d'en-tête %s." -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "La taille des métadonnées LUKS2 est plus grande que la valeur de décalage des données." -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Impossible de placer le nouvel en-tête au début du périphérique %s." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne.\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Le périphérique actif %s n'est pas LUKS2." -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Restauration de l'en-tête LUKS2 original." -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Échec de la restauration de l'en-tête LUKS2 original." -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Le fichier d'en-tête %s n'existe pas. Voulez-vous initialiser le déchiffrement LUKS2 du périphérique %s et exporter l'en-tête LUKS2 dans le fichier %s ?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Échec de l'ajout des permissions lecture/écriture pour exporter le fichier d'en-tête." -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "L'initialisation du rechiffrement a échoué. La sauvegarde de l'en-tête est disponible dans %s." -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "Le déchiffrement LUKS2 est uniquement supporté avec un périphérique à l'en-tête détaché (avec l'offset de données défini à 0)." -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Pas assez d'emplacements de clés libres pour le rechiffrement." -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif." -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Entrez la phrase secrète pour l'emplacement de clé %d : " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Basculement de l'algorithme de chiffrement de données vers %s.\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Aucun paramètre de segment de donnée changé. Rechiffrement abandonné." -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3449,7 +3694,7 @@ msgstr "" "L'augmentation de la taille du secteur de chiffrement n'est pas supportée sur un périphérique hors-ligne.\n" "Activez d'abord le périphérique ou utilisez l'option --force-offline-reencrypt (dangereux !)." -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3458,62 +3703,62 @@ msgstr "" "\n" "Rechiffrement interrompu." -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Redémarrage du rechiffrement LUKS en mode hors-ligne forcé.\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Le périphérique %s contient des métadonnées LUKS endommagées. L'opération est abandonnée." -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Le périphérique %s est déjà un périphérique LUKS. L'opération est abandonnée." -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS. L'opération est abandonnée." -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "Le déchiffrement LUKS2 requiert l'option --header." -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "La commande exige un périphérique comme argument." -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Versions conflictuelles. Le périphérique %s est LUKS1." -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS1." -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Versions conflictuelle. Le périphérique %s est LUKS2" -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS2." -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Rechiffrement LUKS2 déjà initialisé. Abandon de l'opération." -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Le rechiffrement du périphérique n'est pas en cours." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé." @@ -3649,35 +3894,35 @@ msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour une p msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour un superblock « %s ».\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Impossible d'initialiser les sondes de la signature du périphérique." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "Impossible d'exécuter « stat » sur le périphérique %s." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Impossible d'ouvrir le fichier %s en mode lecture/écriture." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "La signature de partition « %s » existante sur le périphérique %s sera effacée." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "La signature de superbloc « %s » existante sur le périphérique %s sera effacée." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Impossible d'effacer la signature du périphérique." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Impossible de sonder le périphérique %s pour une signature." @@ -3692,11 +3937,11 @@ msgstr "La spécification de taille est invalide dans le paramètre --%s." msgid "Option --%s is not allowed with %s action." msgstr "L'option --%s n'est pas permise avec l'action %s." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Erreur lors de l'écriture du json du jeton ssh." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3712,105 +3957,109 @@ msgstr "" "\n" "Note : L'information fournie en ajoutant le jeton (adresse du serveur SSH, utilisateur et chemins) sont stockés dans l'en-tête LUKS2 sous forme de texte clair." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Options pour l'action « add » :" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "Adresse IP/URL du serveur distant pour ce jeton" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Nom d'utilisateur utilisé pour le serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Chemin vers le fichier de clé sur le serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Chemin vers la clé SSH pour se connecter au serveur distant" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Chemin vers le répertoire contenant les jetons externes de libcryptsetup" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Emplacement de clé à assigner au jeton. Si non spécifié, le jeton sera assigné au premier emplacement de clé correspondant à la phrase secrète fournie." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Options génériques :" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Afficher des messages d'erreur plus détaillés" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Afficher les messages de débogage" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Montrer les messages de débogage incluant les métadonnées JSON" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Impossible d'ouvrir et d'importer la clé privée :\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Impossible d'importer la clé privée (protégée par mot de passe ?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "mot de passe de %s@%s : " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Échec lors de l'analyse des arguments.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Une action doit être spécifiée\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Le périphérique doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Le serveur SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "L'utilisateur SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Le chemin SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Le chemin de la clé SSH doit être spécifié pour l'action « %s ».\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Échec de l'ouverture de %s en utilisant les identifiants fournis.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Seule l'action « add » est actuellement supportée par ce greffon.\n" @@ -3855,6 +4104,12 @@ msgstr "La méthode d'authentification par clé publique n'est pas permise sur l msgid "Public key authentication error: " msgstr "Erreur durant l'authentification par clé publique : " +#~ msgid "compiled-in" +#~ msgstr "intégré dans la compilation" + +#~ msgid "disabled" +#~ msgstr "désactivé" + #~ msgid "WARNING: Data offset is outside of currently available data device.\n" #~ msgstr "AVERTISSEMENT: L'offset des données est en dehors du périphérique de données actuellement disponible.\n" @@ -3879,9 +4134,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "Failed to disable reencryption requirement flag." #~ msgstr "Impossible de désactiver le fanion de demande de rechiffrement." -#~ msgid "Encryption is supported only for LUKS2 format." -#~ msgstr "Le chiffrement est uniquement supporté avec le format LUKS2." - #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" #~ msgstr "Périphérique LUKS détecté sur %s. Voulez-vous chiffrer à nouveau ce périphérique LUKS ?" @@ -3948,9 +4200,6 @@ msgstr "Erreur durant l'authentification par clé publique : " #~ msgid "No free token slot." #~ msgstr "Aucun emplacement de jeton libre" -#~ msgid "Failed to create builtin token %s." -#~ msgstr "Échec lors de la création du jeton intégré %s" - #~ msgid "Invalid LUKS device type." #~ msgstr "Type de périphérique LUKS invalide." diff --git a/po/ja.po b/po/ja.po index db3799e..f2bb249 100644 --- a/po/ja.po +++ b/po/ja.po @@ -5,10 +5,10 @@ # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 20:52+0900\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-21 20:17+0900\n" "Last-Translator: Hiroshi Takekawa \n" "Language-Team: Japanese \n" "Language: ja\n" @@ -25,58 +25,62 @@ msgstr "device-mapper を初期化できません、non-root で実行します msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "device-mapper を初期化できません。dm_mod モジュールはロードされてますか?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "指定された延期フラグはサポートされていません。" -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "デバイス %s の DM-UUID は短縮されています。" -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "不明な dm target タイプです。" -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "指定された dm-crypt パフォーマンスオプションはサポートされていません。" -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "指定された dm-verity のデータ破壊時の対応についてのオプションはサポートされていません。" -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "指定された dm-verity のタスクレットオプションはサポートされていません。" -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "指定された dm-verity の誤り訂正(FEC)オプションはサポートされていません。" -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "指定されたデータの無改ざん確認のオプションはサポートされていません。" -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "指定された sector_size オプションはサポートされていません。" -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。" + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "指定された改ざん確認タグの自動再計算はサポートされていません。" -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Discard/TRIM はサポートしていません。" -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "要求された dm-integrity のビットマップモードはサポートされていません。" -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "dm-%s のクエリーに失敗しました。" @@ -110,653 +114,743 @@ msgstr "不明な RNG(乱数生成器) の質(quality)が要求されました msgid "Error reading from RNG." msgstr "RNG(乱数生成器)から読み込み中にエラー。" -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "OPAL サポートは libcryptsetup で無効化されています。" + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "デバイス %s かカーネルが OPAL 暗号化をサポートしていません。" + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "暗号向けRNG(乱数生成器)バックエンドの初期化ができません。" -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "暗号バックエンドの初期化ができません。" -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "ハッシュアルゴリズム %s がサポートされていません。" -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "鍵の処理でエラー (ハッシュ %s を使用)。" -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "デバイスタイプがわかりません。互換性のないデバイスのアクティベーションをしようとしていませんか?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "この操作は LUKS デバイスでしかサポートされていません。" -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "この操作は LUKS2 デバイスでしかサポートされていません。" -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "キースロットがいっぱいです。" -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "キースロット %d は不正です。0 から %d の間を選んでください。" -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "キースロット %d は使われています。別の番号を選んでください。" -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "デバイスサイズが論理ブロックサイズのアライメントに合いません。" -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "ヘッダが検出されましたがデバイス %s が小さすぎます。" -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "この操作はこのデバイスタイプではサポートされていません。" -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "オフラインでの再暗号化中です。中止します。" -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "メモリ上の LUKS2 メタデータのロールバックに失敗しました。" -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "デバイス %s は有効な LUKS デバイスではありません。" -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "LUKS バージョン %d はサポートされていません。" -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "アクティブなデバイス %s に既知の暗号スペックパターンが検出されませんでした。" + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "デバイス %s はアクティブではありません。" -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "暗号化されたデバイス %s の元になるデバイスが消滅しました。" -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "不正な plain crypt のパラメータ。" -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "不正なキーサイズ。" -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "UUID はこの暗号タイプではサポートされていません。" -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "分離したメタデータデバイスはこの暗号タイプではサポートされていません。" -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "サポートされていない暗号化セクタサイズです。" -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。" -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "デバイスなしには LUKS 形式にフォーマットできません。" -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "要求されたデータアライメントとデータオフセットが合いません。" -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "警告: DAX デバイスはアトミックなセクタ更新を保証しないためデータが壊れることがあります。\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "デバイス %s のヘッダを消し去れません。" -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "デバイス %s はアクティベートするのに小さすぎます。データ用のスペースがありません。\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "警告: デバイスアクティベーションが失敗しました。dm-crypt が要求された暗号セクタサイズをサポートしていません。\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "ボリュームキーは改ざん耐性拡張のため暗号には鍵長が小さすぎます。" -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "暗号 %s-%s (キーサイズ %zd ビット) は利用できません。" -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "警告: LUKS2 メタデータサイズが % バイトに変更されました。\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "警告: LUKS2 キースロット領域サイズが % バイトに変更されました。\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "警告: デバイスアクティベーションが失敗しました。dm-crypt が要求された暗号セクタサイズをサポートしていません。\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "デバイス %s のサイズが小さすぎます。" -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "デバイス %s は使用中のためフォーマットできません。" -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "デバイス %s は権限がないためフォーマットできません。" -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "デバイス %s を改ざん耐性がつくようフォーマットできません。" -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "デバイス %s をフォーマットできません。" -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "OPAL アライメントパラメータを取得できません。" + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "OPAL 論理ブロックサイズがおかしいです。" + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "要求されたデータオフセットが OPAL ブロックサイズと互換性がありません。" + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "要求されたデータアライメントが OPAL アライメントと互換性がありません。" + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "データオフセットが OPAL アライメント制約を満たしていません。" + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "要求されたデータアライメントはロックレンジアライメントに対する要求を満たしません。" + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "OPAL のアライメント粒度に合わせるためにデバイスサイズが % セクタ少なくなります。" + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "デバイス %s の OPAL ロックを取得できませんでした。" + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "OPAL 管理者キーが正しくありません。" + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "OPAL セグメントを設定できません。" + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "デバイス %s をフォーマットできません。OPAL デバイスは完全に書き込み禁止になっているようです。" + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "おそらくファームウェアのバグです。OPAL PSID リセットをして復旧のために再接続してください。" + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "ロックレンジ %d のリセットをデバイス %s に試みましたが失敗しました。" + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "LOOPAES としてフォーマットするにはデバイスが必要です。" -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "VERITY としてフォーマットするにはデバイスが必要です。" -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "VERITY ハッシュタイプ %d はサポートしていません。" -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "サポートしていない VERITY ブロックサイズです。" -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "サポートしていない VERITY ハッシュオフセットです。" -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "サポートしていない VERITY FEC オフセットです。" -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "データ領域がハッシュ領域と重なっています。" -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "ハッシュ領域が FEC 領域と重なっています。" -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "データ領域が FEC 領域と重なっています。" -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "警告: 指定されたタグのサイズ %d バイトが %s の出力サイズと異なります (%d バイト)。\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "不明な暗号デバイスタイプ %s が指定されました。" -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "デバイス %s のパラメータはサポートしていません。" -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "デバイス %s のパラメータがミスマッチしています。" -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Crypt デバイスが一致しません。" -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "デバイス %s のリロードに失敗しました。" -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "デバイス %s のサスペンドに失敗しました。" -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "デバイス %s のリジュームに失敗しました。" -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "デバイス %s のリロード中に致命的なエラー(デバイス %s の上で)。" -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "デバイス %s を dm-error にスイッチできません。" -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "静的サイズの LUKS2 デバイスはリサイズできません。" + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "ループデバイスはリサイズできません。" -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "警告: 最大サイズが既に設定済かカーネルがリサイズをサポートしていません。\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "リサイズに失敗しました。カーネルがサポートしていません。" -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "デバイスの UUID を本当に変更してもいいですか?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "ヘッダのバックアップファイルの中味が LUKS ヘッダと互換性がありません。" -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "ボリューム %s はアクティブではありません。" -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "ボリューム %s は既に停止されています。" -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "デバイス %s の停止はサポートされていません。" -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "デバイス %s 停止中にエラー。" -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "デバイス %s は停止されましたが、ハードウェア OPAL デバイスはロックできません。" + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "デバイス %s は再開をサポートしていません。" -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "デバイス %s の再開中にエラー。" -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "キーを指定されたキーリングにリンクできません。" + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "ボリュームキーを指定されたキーリングからアンリンクできません。" + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "ボリュームキーを指定されたキーリングにリンクできません。" + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "ボリューム %s は停止されていません。" -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "ボリュームキーがボリュームに合いません。" -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "新しいキースロットを交換できませんでした。" -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "キースロット %d は不正です。" -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "キースロット %d は非アクティブです。" -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "デバイスヘッダがデータ領域に重なっています。" -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "既に再暗号化中です。デバイスをアクティベートできません。" -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "再暗号化ロックを取得できません。" -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "LUKS2 の再暗号化は既に初期化されました。" -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "デバイスタイプが正しく初期化されていません。" -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "デバイス %s は既に存在します。" -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "デバイス %s を使えません。名前が不正か使用中です。" -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "正しくないボリュームキーがプレーンデバイスに指定されました。" -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "正しくないルートハッシュが verity デバイスに指定されました。" - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "ルートハッシュ署名が必要です。" +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "カーネルがカーネルキーリングをサポートしていません。" -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "署名をカーネルに渡すのに必要なカーネルキーリングをカーネルがサポートしていません。" -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "キーをカーネルキーリングにロードできません。" +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "正しくないルートハッシュが verity デバイスに指定されました。" -#: lib/setup.c:4736 +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL は遅延デアクティベーションをサポートしていません。" + +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "デバイス %s からの遅延削除をキャンセルできませんでした。" -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "デバイス %s は使用中です。" -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "デバイス %s は不正です。" -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "ボリュームキーのバッファが小さすぎます。" -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "LUKS2 デバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "LUKS1 デバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "プレーンデバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "verity デバイスのルートハッシュが読み出せません。" -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "BITLK デバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "FVAULT2 デバイス向けのボリュームキーが取得できません。" -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "この操作は %s 暗号化デバイスではサポートされていません。" -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "このデバイスタイプはダンプ操作をサポートしていません。" -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "データオフセットが %u バイトの倍数である必要があります。" -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "使用中のデバイス %s を変換できません。" -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "新しいボリュームキー向けのキースロット %u を確保できません。" -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "デフォルト LUKS2 キースロットパラメータを初期化できません。" -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "ダイジェストするためのキースロット %d が確保できません。" -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。" -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "カーネルがカーネルキーリングをサポートしていません。" +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "キーをカーネルキーリングにロードできません。" -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "ボリュームキーをスレッドキーリングからアンリンクできません。" + +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "キーリングからパスフレーズが読み出せません (エラー %d)。" +msgid "Could not find keyring described by \"%s\"." +msgstr "キーリング \"%s\" が見つかりませんでした。" -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "グローバル memory-hard アクセス直列化ロックが取れません。" -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "キーファイルがオープンできません。" -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "ターミナルからキーファイルを読みこめません。" -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "キーファイルを stat() できません。" -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "指定されたキーファイルオフセットにシークできません。" -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "パスフレーズ読み込み中にメモリが不足しました。" -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "パスフレーズの読み込みでエラー。" -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "読もうとしたら入力が空です。" -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "キーファイルが最大サイズを超えています。" -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "指定されたサイズのデータを読み込めません。" -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "デバイス %s は存在しないかアクセスが拒否されました。" -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "デバイス %s は互換性がありません。" -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "データデバイスのおかしな(bogus) optimal-io サイズ (%u バイト) は無視します。" -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "デバイス %s が小さすぎます。少なくとも % バイト必要です。" -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "デバイス %s は使用中で使えません (既にマップされているかマウントされています)。" -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "デバイス %s が使えません、拒否されました。" -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "デバイス %s についての情報が取得できません。" -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "ループバックデバイスが使えません、非 root ユーザで実行していませんか。" -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "ループデバイスのアタッチできません (autoclear 付きのループデバイスが必要です)。" -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "指定されたオフセットはデバイス %s の実際のサイズを超えています。" -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "デバイス %s のサイズが 0 です。" -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "要求された PBKDF の目標時間は 0 ではいけません。" -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "%s は不明な PBKDF タイプです。" -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "要求されたハッシュ %s はサポートしていません。" -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "要求された PBKDF タイプは LUKS1 ではサポートされていません。" -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "PBKDF の max memory や parallel threads は pbkdf2 の時は設定できません。" -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "%s について強制される最小繰り返し回数が小さすぎます (最小 %u)。" -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "%s について強制されるメモリコストが小さすぎます (最小 %u KB)。" -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "指定された PBKDF メモリコストが大きすぎます (最大 %d KB)。" -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "PBKDF メモリは 0 ではいけません。" -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "要求された PBKDF 並列スレッド数は 0 ではいけません。" -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "FIPS モードでは PBKDF2 しかサポートしていません。" -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "PBKDF ベンチマークが無効ですが繰り返し回数が設定されていません。" -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "PBKDF2 と互換性のないオプションです (ハッシュアルゴリズム %s)。" -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "互換性のない PBKDF オプションです。" @@ -770,16 +864,24 @@ msgstr "ロックを中止します。ロックに使うパス %s/%s が使用 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (%s はディレクトリではありません)。" -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "デバイスオフセットまで seek できません。" -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "デバイスのワイプでエラー, オフセット %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "OPAL PSID が正しくありません。" + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "OPAL デバイス を削除できません。" + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -799,7 +901,7 @@ msgstr "暗号の指定は [暗号]-[モード]-[初期ベクタ] という形 #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "デバイス %s に書き込めません。パーミッションがありません。" @@ -813,17 +915,17 @@ msgid "Failed to access temporary keystore device." msgstr "一時的なキーストアデバイスにアクセスできません。" #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "キースロットを暗号化中にI/Oエラーが発生しました。" #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -845,32 +947,32 @@ msgstr "デバイス %s が小さすぎます。(LUKS1 は最低でも % msgid "LUKS keyslot %u is invalid." msgstr "LUKS キースロット %u は不正です。" -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "要求されたヘッダバックアップファイル %s は既に存在しています。" -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "ヘッダバックアップファイル %s が作成できません。" -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "ヘッダバックアップファイル %s に書き込めません。" -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "バックアップファイルが有効な LUKS ヘッダを含んでいません。" #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "ヘッダバックアップファイル %s をオープンできません。" -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "ヘッダバックアップファイル %s を読めません。" @@ -892,7 +994,7 @@ msgstr "LUKS ヘッダが含まれていません。ヘッダを置き換える msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "LUKS ヘッダを既に含んでいます。ヘッダを置き換えると既にあるキースロットを破壊します。" -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -966,7 +1068,7 @@ msgstr "LUKS 暗号モード %s は不正です。" msgid "LUKS hash %s is invalid." msgstr "LUKS ハッシュ %s は不正です。" -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "LUKS ヘッダに既知の不具合は検出されませんでした。" @@ -985,8 +1087,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "LUKS ヘッダのデータへのオフセットは 0 かヘッダサイズより大きくなければいけません。" #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "LUKS UUID の形式が間違っています。" @@ -1023,7 +1125,7 @@ msgstr "キースロットをオープンできません (ハッシュ %s を使 msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "キースロット %d は不正です。0 から %d の間を選んでください。" -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "デバイス %s をワイプできません。" @@ -1044,48 +1146,48 @@ msgstr "互換性のない loop-AES キーファイルが検出されました msgid "Kernel does not support loop-AES compatible mapping." msgstr "カーネルが loop-AES 互換マッピングをサポートしていません。" -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "キーファイル %s を読み込み中にエラー。" -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "TCRYPT パスフレーズの最大長 (%zu) を超えました。" -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "PBKDF2 ハッシュアルゴリズム %s が利用できないのでスキップします。" -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "必要なカーネル crypto インターフェースが使用できません。" -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "algif_skcipher カーネルモジュールをロードしてください。" -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "アクティベーションは %d セクタサイズではサポートしていません。" -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "カーネルが TCRYPT レガシーモードのアクティベーションをサポートしていません。" -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "TCRYPT システム暗号をパーティション %s に対してアクティベーションしました。" -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "カーネルが TCRYPT 互換のマッピングをサポートしていません。" -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "この機能は TCRYPT ヘッダの読み込みなしではサポートしません。" @@ -1144,74 +1246,74 @@ msgstr "%s から BITLK メタデータエントリを読み込めませんで msgid "Failed to convert BITLK volume description" msgstr "BITLKボリュームの description を変換できません。" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "外部キーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "BEK ファイル GUID '%s' がボリュームの GUID と一致しません。" -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "外部キーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。" -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "サポートされていない BEK メタデータバージョン % です。" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "予期しない BEK メタデータサイズ % は BEK ファイルサイズと合いません" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "スタートアップキーを解釈中に予期しないメタデータエントリが見つかりました。" -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "この操作はサポートされていません。" -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "予期しないキーデータサイズです。" -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "この BITLK デバイスはサポートされてない状態にあるためアクティベートできません。" -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "タイプ '%s' の BITLK デバイスはアクティベートできません。" -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "部分的に復号された BITLK デバイスのアクティベーションはサポートされていません。" -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "警告: BitLocker ボリュームサイズ % がデバイスサイズ % と一致しません" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "カーネルの dm-crypt が BITLK IV をサポートしていないためデバイスをアクティベートできません。" -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "カーネルの dm-crypt が BITLK Elephant diffuser をサポートしていないためデバイスをアクティベートできません。" -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "カーネルの dm-crypt がラージセクタサイズをサポートしていないためデバイスをアクティベートできません。" -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "カーネルの dm-zero モジュールがないためデバイスをアクティベートできません。" @@ -1249,28 +1351,32 @@ msgstr "デバイス %s の VERITY UUID フォーマットが間違っていま msgid "Error during update of verity header on device %s." msgstr "デバイス %s の verity ヘッダを更新中にエラー。" -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "ルートハッシュ署名の検証はサポートしていません。" -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "ルートハッシュ署名が必要です。" + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "FEC デバイスのエラーが修復できません。" -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "FEC デバイスに %u 個の修復可能なエラーが見つかりました。" -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "カーネルが dm-verity マッピングをサポートしていません。" -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "カーネルが dm-verity 署名オプションをサポートしていません。" -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "アクティベーションされた Verity デバイスが破損が見つかりました。" @@ -1364,7 +1470,7 @@ msgstr "デバイス %s のサイズが不明です。" msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "互換性のないカーネルの dm-integrity のメタデータ (バージョン %u) が %s に検出されました。" -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "カーネルが dm-integrity マッピングをサポートしていません。" @@ -1376,8 +1482,8 @@ msgstr "カーネルが dm-integrity 固定メタデータアラインメント msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "カーネルが安全でない再計算オプションを拒否しました (レガジーアクティベーションオプションでオーバーライドできます)。" -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "デバイス %s の書き込みのためのロックを取得できませんでした。" @@ -1394,49 +1500,59 @@ msgstr "" "デバイスのシグネチャが曖昧なので、LUKS2 の自動修復ができません。.\n" "修復するには \"cryptsetup repair\" を実行してください。" -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "警告: キースロット領域 (% バイト) がとても小さいため、利用可能な LUKS2 キースロット数が制限されます。\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "要求されたデータオフセットが小さすぎます。" -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "警告: キースロット領域 (% バイト) がとても小さいため、利用可能な LUKS2 キースロット数が制限されます。\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "警告: LUKS2 メタデータサイズが % バイトに変更されました。\n" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "警告: LUKS2 キースロット領域サイズが % バイトに変更されました。\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "デバイス %s の読み込みのためのロックを取得できませんでした。" -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "禁止された LUKS2 要求がバックアップ %s に検出されました。" -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "データオフセットがデバイスとバックアップと異なるため修復できません。" -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "キースロット領域のあるバイナリヘッダのサイズがデバイスとバックアップで異なるため修復できません。" -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "デバイス %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "LUKS2 ヘッダが含まれていません。ヘッダを置き換えるとデータを破壊しかねません。" -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "既に LUKS2 ヘッダがあります。ヘッダを置き換えると既にあるキースロットを破壊します。" -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1446,7 +1562,7 @@ msgstr "" "警告: 不明な LUKS2 への要求がリアルデバイスヘッダにあります!\n" "ヘッダをバックアップで置き換えるとデータを破壊する恐れがあります!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1456,58 +1572,92 @@ msgstr "" "警告: オフラインの再暗号化が終了していません!\n" "ヘッダを置き換えるとデータを破壊しかねません。" -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "不明なフラグ %s を無視しました。" -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "dm-crypt セグメント %u にキーがありません" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "dm-crypt セグメントの設定に失敗しました。" -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "dm-linear セグメントの設定に失敗しました。" -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "LUKS2 ヘッダに既知の暗号スペックパターンを検出できませんでした。" + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "OPAL デバイスは固定デバイスサイズでなければなりません。" + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "完全性が有効な暗号化 OPAL デバイスはロックレンジより小さくなければなりません。" + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "OPAL デバイスはロックレンジと同じサイズでなければなりません。" + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "OPAL デバイス %s は既にアンロックされています。\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "サポートしていないデバイス整合性設定です。" -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "dm-integrity デバイスがデータセクタに対して期待通りではありません。" + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "再暗号化が実行中なのでデバイスのデアクティベートできません。. Cannot deactivate device." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "サスペンドされたデバイス %s を dm-error ターゲットで置き換えられません。" -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "デバイス %s はデアクティベートされましたが、ハードウェア OPAL デバイスはロックできません。" + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "LUKS2 の必要条件を読み込めませんでした。" -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "満たせない LUKS2 の必要条件があります。" -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "操作がレガシー再暗号化とマークされたデバイスと互換性がありません。中止します。" -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "操作が LUKS2 再暗号化とマークされたデバイスと互換性がありません。中止します。" -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "操作が OPAL を用いたデバイスと互換性がありません。中止します。" + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "キースロットをオープンするのにメモリが足りません。" -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "キースロットのオープンに失敗しました。" @@ -1516,330 +1666,342 @@ msgstr "キースロットのオープンに失敗しました。" msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "キースロットの暗号化に %s- %s 暗号は使えません。" -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "ハッシュアルゴリズム %s が利用できません。" -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "警告: メモリが不足しているためキースロット操作が失敗する可能性があります。\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "新しいキースロット用の領域がありません。" -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "不正な再暗号化耐性モード変更を要求されました。" -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "耐性タイプを更新できません。新しいタイプは % バイトしかありませんが、% バイト必要です。" -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "再暗号化検証ダイジェストのリフレッシュに失敗しました。" -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "UUID が %s のデバイスの状態が確認できません。" -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "LUKSMETA メタデータ付きのヘッダは変換できません。" -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "暗号スペック %s-%s は LUKS2 に使えません。" -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "領域が足りないのでキースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "LUKS2 形式に変換できません - メタデータが不正です。" -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "LUKS2 キースロット領域が足りないのでキースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "キースロット領域を動かせません。" -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "LUKS1 形式に変換できません - デフォルトの暗号セクタサイズが 512 バイトではありません。" -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "LUKS1 形式に変換できません - キースロットのハッシュ関数が LUKS1 互換ではありません。" -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "LUKS1 形式に変換できません - ラップされたキーの暗号に %s が使われています。" -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "LUKS1 形式に変換できません - デバイスが多くのセグメントを使っています。" -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "LUKS1 形式に変換できません - LUKS2 ヘッダ %u 個のトークンを含んでいます。" -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "LUKS1 形式に変換できません - キースロット %u が不正な状態です。" -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "LUKS1 形式に変換できません - スロット %u が(最大個数を超過して)有効です。" -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "LUKS1 形式に変換できません - キースロット %u が LUKS1 と互換ではありません。" -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "ホットゾーンサイズは計算されたゾーンアライメントの倍数である必要がありす (%zu バイト)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "デバイスサイズが計算ゾーンアライメント (%zu バイト) に合っていません。" -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "古いセグメントのストレージラッパの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "新しいセグメントのストレージラッパの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "ホットゾーン保護の初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "現在のホットゾーンのチェックサムを読み込めません。" -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "% から始めるホットゾーンエリアを読み込めません。" -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "セクタ %zu を復号できません。" -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "セクタ %zu を復元できません。" -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "ソースとターゲットデバイスのサイズが一致しません。ソース %, ターゲット: %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "ホットゾーンデバイス %s がアクティベートできません。" -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "実際の origin table があるオーバーレイデバイス %s をアクティベートできません。" -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "デバイス %s の新しいマッピングをロードできません。" -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "再暗号化デバイススタックのリフレッシュに失敗しました。" -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "新しいキースロットエリアサイズを設定できません。" -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "データシフト値が要求された暗号化セクタサイズにアラインされていません(% バイト)。" -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "耐性(resilience)モード %s はサポートしていません" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "移動されるセグメントサイズはデータシフト値より大きくできません。" -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "不正な再暗号化耐性パラメータを要求されました。" -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "移動されるセグメントが大きすぎます。要求されているサイズは % ですが、使えるサイズは % です。" -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "テーブルをクリアできません。" -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "小さくしたデータサイズが実際のデバイスサイズより大きいです。" -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "データデバイスが暗号化セクタサイズにアラインされていません(% バイト)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "データシフト (% セクタ) が今後のデータオフセットより少ないです (% セクタ)。" -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "デバイス %s を排他モードでオープンでません (既にマップされているかマウントされています)。" -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "デバイスは LUKS2 再暗号化向けにマークされていません。" -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "LUKS2 再暗号化コンテキストをロードできません。" -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "再暗号化状態を取得できません。" -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "デバイス %s は再暗号化中ではありません。" -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "既に再暗号化中です。" -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "再暗号化ロックを取得できません。" -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "再暗号化を開始できません。再暗号化のリカバリを先にしてください。" -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "実際のデバイスサイズと要求された再暗号化サイズが一致しません。" -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "再暗号化のパラメータとして不正なデバイスサイズが要求されました。" -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "既に再暗号化中です。復元を実行できません。" -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "メタデータの LUKS2 の再暗号化は既に初期化されました。" -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "メタデータの LUKS2 再暗号化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "再暗号化は DAX デバイスではサポートされていません。" + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "キーリングからパスフレーズが読み出せません。" + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "デバイスセグメントの次の再暗号化ホットゾーンの設定に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "再暗号化した耐性用メタデータを書き込めません。" -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "復号に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "% から始まるホットゾーンエリアに書き込めません。" -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "データを sync できません。" -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "現在のホットゾーンの再暗号化完了後にメタデータが更新できません。" -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "LUKS2 メタデータが書き込めません。" -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "未使用データデバイス領域を消せません。" -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "未使用のキースロット %d を削除できませんでした。" -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "再暗号化キースロットが削除できません。" -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "% から % セクタのチャンクの再暗号化中に致命的なエラー。" -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "オンライン再暗号化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "手動でエラーターゲットに置き換えた場合以外はデバイスのレジュームをしないでください。" -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "再暗号化を開始できません。予期しない再暗号化状態です。" -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "ないか不正な再暗号化コンテキストです。" -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "再暗号化デバイススタックの初期化に失敗しました。" -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "再暗号化コンテキストが更新できません。" @@ -1847,80 +2009,121 @@ msgstr "再暗号化コンテキストが更新できません。" msgid "Reencryption metadata is invalid." msgstr "再暗号化メタデータが不正です。" +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "OPAL レンジ %d オフセット % が期待値 % と一致しません。" + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "OPAL レンジ %d 長さ % がデバイス長 % と一致しません。" + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "OPAL レンジ %d ロックは無効です。" + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "OPAL レンジ %d のロック状態が期待されたものではありません。" + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "キースロットの暗号化パラメータは LUKS2 デバイスでしか設定できません。" -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "トークンPINを入力してください: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "トークン %d PINを入力してください: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "未知の暗号スペックです。" -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "警告: 古いバージョンと互換性がない可能性がある暗号 (%s-%s, キーサイズ %u ビット) のデフォルトオプションを使用します。" + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "警告: 古いバージョンと互換性がない可能性があるハッシュ (%s) のデフォルトオプションを使用します。" + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "プレインモードでは常に --cipher, --key-size オプションを使い、keyfile も使わない場合は --hash も使用してください。" + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "警告: --hash パラメータは plain モードでキーファイルが指定されていると無視されます。\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "警告: --keyfile-size オプションは無視されて、読み込みサイズは暗号鍵のサイズと同じになります。\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "%s の Blkid スキャンが失敗しました。" + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "%s にデバイス署名が検出されました。既にあるデータを破壊しかねません。" -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "中止されました。\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "オプション --key-file が必要です。" -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "VeraCrypt PIM を入力してください: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "不正な PIM: 解釈できません。" -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "不正 PIM の値で 0 です。" -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "不正な PIM の値: 範囲外です。" -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "このパスフレーズではデバイスヘッダが検出されませんでした。" -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "デバイス %s は有効な BITLK デバイスではありません。" -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "BITLK のボリュームキーサイズが決定できないので、--key-size を使ってください。" -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1930,7 +2133,7 @@ msgstr "" "暗号化されたパーティションにパスフレーズなしでアクセス可能にます。\n" "このダンプは暗号化された安全な所に保存してください。" -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1940,77 +2143,84 @@ msgstr "" "暗号化されたパーティションにパスフレーズなしでアクセス可能になります。\n" "このダンプは暗号化された安全な所に保存してください。" -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "デバイス %s は有効な FVAULT2 デバイスではありません。" -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "FVAULT2 のボリュームキーサイズが決定できないので、--key-size を使ってください。" -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "デバイス %s はまたアクティブで後から削除される予定になっています。.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "外部トークンパス %s の設定に失敗しました。" + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "アクティブなデバイスをリサイズするにはボリュームキーがキーリングに必要ですが、--disable-keyring が指定されています。" -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "ベンチマークが中止されました。" -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s 計測値なし\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u 回/秒 (%zu ビットの鍵)\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s 計測値なし\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u 回, %5u KB使用, %1u スレッド (%zu のビットの鍵) (%u ms 計測)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "ベンチマークの結果は信頼できません。" -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# テストはストレージI/Oがなくメモリ上のもののため目安です。\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorithm | キー | 暗号化 | 復号化\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "暗号 %s (キーサイズ %i ビット) は利用できません。" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorithm | キー | 暗号化 | 復号化\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "計測値なし" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2018,27 +2228,27 @@ msgstr "" "保護されていない LUKS2 再暗号化メタデータが検出されました。再暗号化操作が望ましいものか確認してください。(luksDump の出力を見てください)\n" "そのうえで、この操作が問題ないと確認できたら継続(メタデータのアップグレード)してください。" -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "再暗号化メタデータの保護とアップグレードのためのパスフレーズを入力してください: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "本当に LUKS2 再暗号化リカバリを行いますか?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "再暗号化メタデータダイジェストを検証するためのパスフレーズを入力してください: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "再暗号化のリカバリのためのパスフレーズを入力してください: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "本当に LUKS デバイスヘッダの復元を試みていいですか?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2046,7 +2256,7 @@ msgstr "" "\n" "ワイプが中断されました。" -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2054,128 +2264,144 @@ msgstr "" "整合性チェックサムの初期化のためにデバイスのデータを消去しています。\n" "CTRL+c で中止できます (初期化されなかったデバイスのチェックサムは正しくなくなります)。\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "一時的デバイス %s を非アクティブにできません。" -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "整合性オプションは LUKS2 形式でしか使えません。" -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "サポートされていない LUKS2 メタデータのサイズオプションです。" -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL は LUKS2 フォーマットでしかサポートされていません。" + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "ヘッダファイルがありません。作成しますか?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "ヘッダファイル %s を作成できません。" -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "サポートしている整合性確認方式が検出されませんでした。" -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "%s を on-disk ヘッダとして使えません。" -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "%s のデータを上書きします。戻せません。" -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "OPAL 管理者パスワードは空ではいけません。" + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "pbkdf パラメータを設定できません。" -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "--link-vk-to-keyring のキーリングスペックへのタイプ指定は無視されました。" + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "--link-vk-to-keyring の値が不正です。" + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "分離された LUKS ヘッダでのみ少ないデータオフセットが使えます。" -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "LUKS ファイルコンテナ %s がアクティベートするには小さすぎます。データ用の領域に空きがありません。" -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "キースロットのない LUKS のボリュームキーサイズが決定できないので、--key-size を使ってください。" -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "デバイスはアクティベートされましたが、フラグを恒常的なものにできません。" -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "キースロット %d は削除対象として選択されました。" -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "これは最後のキースロットです。このキーがなくなるとデバイスは使用不能になります。" -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "残っているパスフレーズを入力してください: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "操作は中止されました。キースロットは消去されていません。\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "削除するキーのパスフレーズを入力してください: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "デバイス %s は有効な LUKS2 デバイスではありません。" -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "キースロットの新しいパスフレーズを入力してください: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "警告: --key-slot パラメータは新しいキースロット番号に使われます。\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "有効なパスフレーズをどれか入力してください: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "変更するキーのパスフレーズを入力してください: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "新しいキーのパスフレーズを入力してください: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "変換されるキースロットのパスフレーズを入力してください: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "isLuks は一つのデバイス引数しかサポートしていません。" -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "キースロット %d は unbound キーを含んでいません。" -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2183,40 +2409,52 @@ msgstr "" "unbound キーを使ったヘッダダンプは取り扱いに注意すべき情報です。\n" "このダンプは暗号化された安全な所に保存してください。" -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s はアクティブな %s デバイスではありません。" -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s はアクティブな LUKS デバイス名ではないか、ヘッダがありません。" -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "オプション --header-backup-file が必要です。" -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s は cryptsetup で管理されているデバイスではありません。" -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "リフレッシュはデバイスタイプ %s ではサポートされていません。" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "%s は認識できないメタデータデータタイプです。" -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "コマンドはデバイスとマップされた名前を引数として必要とします。" -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "OPAL PSID を入力してください: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "OPAL 管理者パスワードを入力してください: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "警告: ディスク「全体」が出荷状態にリセットされ、データは全て消失します!続けますか?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2225,351 +2463,351 @@ msgstr "" "この処理はデバイス %s の全てのキースロットを消去します。\n" "デバイスのデータは使用できなくなります。" -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "処理は中止されました。キースロットは消去されません。\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "不正な LUKS タイプです。luks1 と luks2 しかサポートしていません。" -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "デバイスは既にタイプ %s です。" -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "この処理は %s から %s フォーマットに変換します。\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "処理は中止されました。デバイスは変換されませんでした。\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "オプション --priority, --label か --subsystem がありません。" -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "トークン %d は不正です。" -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "トークン %d は使用中です。" -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "luks2-キーリングトークン %d を追加できませんでした。" -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "トークン %d をキースロット %d に割りあてられませんでした。" -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "トークン %d は使われていません。" -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "ファイルからトークンをインポートできません。" -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "トークン %d をエクスポートのために取得できませんでした。" -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "トークン %d をキースロット %d に割りあてられませんでした。" -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "トークン %d をキースロット %d の割り当てから解除できませんでした。" -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "--tcrypt-hidden と --tcrypt-system と --tcrypt-backup は TCRYPT デバイスしか使えません。" -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "--veracrypt や --disable-veracrypt は TCRYPT デバイスでしか使えません。" -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "--veracrypt-pim は VeraCrypt 互換デバイスにしか使えません。" -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "--veracrypt-query-pim は VeraCrypt 互換デバイスにしか使えません。" -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "--veracrypt-pim と --veracrypt-query-pim はどちらかしか使えません。" -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "--persistent は --test-passphrase と一緒には使えません。" -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "--refresh と --test-passphrase は同時には使えません。" -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "--shared は plain デバイスの open にしか使えません。" -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "--skip は plain か loopaes デバイスの open にしか使えません。" -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "--offset は plain か loopaes デバイスの open にしか使えません。" -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "--tcrypt-hidden は --allow-discards と一緒に使えません。" -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "オープン時のセクタサイズオプションは plain デバイスでしかサポートされていません。" -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "大きな IV セクタオプションは plain タイプでセクタサイズが 512 バイトより大きいものをオープンする時しかサポートしていません。" -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "--test-passphrase は LUKS か TCRYPT か BITLK か FVAULT2 デバイスの open にしか使えません。." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "--device-size と --size は一緒に使えません。" -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "オプション --unbound は luks デバイスの open にしか使えません。" -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "オプション --unbound は --test-passphrase がないと使えません。" -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "オプション --cancel-deferred と --deferred は同時に使えません。" -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "オプション --reduce-device-size と --data-size は一緒に使えません。" +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "オプション --reduce-device-size と --device-size は一緒に使えません。" -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "オプション --active-nameは LUKS2 デバイスでしか設定できません。" -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "オプション --active-name と --force-offline-reencrypt は一緒に使えません。" -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "キースロットの指定が必要です。" -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "--align-payload と --offset は一緒に使えません。" -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "--integrity-no-wipe は format で integrity extension 付きの時しか使えません。" -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "--use-[u]random は一つしか使えません。" -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "--unbound にはキーサイズが必要です。" -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "不正なトークンアクションです。" -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "--key-description はトークン追加には必須です。" -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "トークンを必要としています。--token-id を使用してください。" -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "オプション --unbound はトークンの追加にしか使えません。" -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "--key-slot と --unbound は一緒に使えません。" -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "特定のキースロットを必要としています。--key-slot を使用してください。" -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr "<デバイス> [--type <タイプ>] [<名前>]" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "デバイスを <名前> としてオープン" -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "<名前>" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "デバイスをクローズします (マッピングを削除します)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "アクティブデバイスをリサイズ" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "デバイスステータスを表示" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher <暗号>]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "暗号ベンチマーク" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "<デバイス>" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "on-disk メタデータを修復しようとしています" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "LUKS2 デバイスを再暗号化" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "全てのキースロットを消去します (暗号鍵も削除します)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "LUKS2 から LUKS もしくは LUKS から LUKS2 形式に変換します" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "LUKS2 の permanent configuration オプションを設定します" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr "<デバイス> [<新しいキーファイル>]" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "LUKS デバイスをフォーマットします" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "LUKS デバイスにキーを追加します" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr "<デバイス> [<キーファイル>]" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "与えられたキーかキーファイルを LUKS デバイスから削除します。" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "与えられた LUKS デバイスのキーかキーファイルを変更します" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "キーを新しい pbkdf パラメータに変換します" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr "<デバイス> <キースロット>" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "<キースロット>のキーを LUKS デバイスから削除します" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "LUKS デバイスの UUID を表示" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "<デバイス> の LUKS パーティションヘッダをテストします" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "LUKS パーティション情報をダンプします" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "TCRYPT デバイス情報をダンプします" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "BITLK デバイス情報をダンプします" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "FVAULT2 デバイス情報をダンプします" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "LUKS デバイスを停止してキーを削除します (全てのI/Oは停止します)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "停止していた LUKS デバイスを再開します" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "LUKS デバイスヘッダとキースロットをバックアップします" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "LUKS デバイスヘッダとキースロットをリストアします" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " <デバイス>" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "LUKS2 トークンを操作します" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2577,7 +2815,7 @@ msgstr "" "\n" " は以下のうちの一つです:\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2589,7 +2827,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2604,7 +2842,7 @@ msgstr "" "<キースロット> は変更する LUKS キースロット番号\n" "<キーファイル> は luskAddKey でオプションで与えられる新しいキーのキーファイル\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2613,29 +2851,28 @@ msgstr "" "\n" "デフォルトのコンパイル時に決められたメタデータ形式は %s です(luksFormat で使われます)。\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"LUKS2 外部トークンプラグインサポート: %s\n" - -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "本体に内蔵" +"LUKS2 外部トークンプラグインサポートは有効です。\n" -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "LUKS2 外部トークンプラグインパス: %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "利用不可" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"LUKS2 外部トークンプラグインサポートは無効です。\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2652,7 +2889,7 @@ msgstr "" "デフォルト LUKS2 向け PBKDF: %s\n" "\t繰り返す時間: %d, 使うメモリ: %dkB, 並列スレッド: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2667,96 +2904,100 @@ msgstr "" "\tplain: %s, キー: %d ビット, パスワードハッシュ: %s\n" "\tLUKS: %s, キー: %d ビット, LUKS ヘッダハッシュ: %s, 乱数生成: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: XTS モードのデフォルトキーサイズは (2つの内部キーがあるため) 倍になります。\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: は %s を引数で与える必要があります" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "キースロットは不正です。" -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "デバイスサイズは 512 バイトセクタの倍数である必要があります。" -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "再暗号化ホットゾーン最大サイズの指定が不正です。" -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "キーサイズは 8bit の倍数でなければなりません" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "デバイスを減らせる最大値は 1 GiB です。" -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "減らすサイズは 512 バイトセクタの倍数である必要があります。" -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "--priority の引数は ignore/normal/prefer のいずれかのみです。" -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "このヘルプを表示します" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "コンパクトな使用法表示をします" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "パッケージのバージョンを表示" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "ヘルプオプション:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[オプション...] <アクション> <アクション特有>" -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "<アクション> がありません。" -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "未知のアクションです。" -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "--key-file は他で指定されたキーファイルを上書きします。" -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "--key-file は一つしか使えません。" -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "パスワードからキーを作る関数 (PBKDF) は pbkdf2 argon2i argon2id のいずれかのみです。" -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "PBKDF の繰り返し回数の強制と繰り返し時間指定オプションは共存できません。" -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "キーリングが無効化されているためボリュームキーをキーリングにリンクできません。" + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "--keyslot-cipher と --keyslot-key-size は同時に使う必要があります。" -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "--test-args オプションつきだったため、何もしません。\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "メタデータロックを禁止できません。" @@ -2821,7 +3062,7 @@ msgstr "コマンドは か --root-hash-file オプションを引 msgid " " msgstr "<データデバイス> <ハッシュデバイス>" -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "デバイスをフォーマット" @@ -2837,7 +3078,7 @@ msgstr "デバイスを検証" msgid " []" msgstr "<データデバイス> <名前> <ハッシュデバイス> [<ルートハッシュ>]" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "アクティブデバイスのステータスを表示" @@ -2845,7 +3086,7 @@ msgstr "アクティブデバイスのステータスを表示" msgid "" msgstr "<ハッシュデバイス>" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "ディスク上の情報を表示" @@ -2875,11 +3116,11 @@ msgstr "" "コンパイル時に決めた dm-verity のデフォルトパラメータ:\n" "\tハッシュ: %s, データブロック (バイト): %u, ハッシュブロック (バイト): %u, ソルトサイズ: %u, ハッシュフォーマット: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "--ignore-corruption と --restart-on-corruption は同時に使えません。" -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "--panic-on-corruption と --restart-on-corruption は同時に使えません。" @@ -2892,29 +3133,29 @@ msgstr "" "%s と %s のデータを復元不能な形で上書きします。\n" "データデバイスを保持するにはオプション --no-wipe を使ってください (その後、--integrity-recalculate を付けてアクティベートしてください)。" -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "タグサイズ %u、内部整合性は %s でフォーマットされました。\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "再計算フラグの設定はサポートされていません。代わりに --wipe を使うことを検討してください。" -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "デバイス %s が有効な INTEGRITY デバイスではありません。" -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "<整合性デバイス>" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr "<整合性デバイス> <名前>" -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2925,7 +3166,7 @@ msgstr "" "<名前> は %s に作られるデバイス\n" "<整合性デバイス> は整合性タグを格納するデバイス\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2938,40 +3179,40 @@ msgstr "" "\tチェックサムアルゴリズム: %s\n" " 最大キーファイルサイズ: %dkB\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "不正な --%s サイズです。最大は %u バイトです。" -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "ジャーナル整合性キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "ジャーナル整合性キーを使う場合はアルゴリズムの指定が必要です。" -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "ジャーナル暗号キーファイルとキーサイズの両方の指定が必要です。" -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "ジャーナル暗号キーを使う場合はアルゴリズムの指定が必要です。" -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "リカバリと bitmap モードオプションは同時には使えません。" -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "ジャーナルオプションは bitmap モードでは使えません。" -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "bitmap オプションは bitmap モードでしか使えません。" @@ -3183,58 +3424,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "パスワードの質が確認できません: 質の悪いパスフレーズ (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "端末からパスフレーズを読み込めません。" -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "同じパスフレーズを入力してください: " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "パスフレーズが一致しません。" -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "端末からの入力でオフセットは使用できません。" -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "パスフレーズを入力してください: " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "%s のパスフレーズを入力してください: " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "このパスフレーズで使用可能なキーはありません。" -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "使用可能なキースロットがありません。" -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "tty 入力以外ではパスフレーズ認証できません。" -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "ファイル %s を読み込み専用モードでオープンできません。" -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "妥当な LUKS2 トークンを JSON で与えてください:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "JSON ファイルを読み込めません。" -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3242,12 +3483,12 @@ msgstr "" "\n" "読み込みが中断されました。" -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "ファイル %s を書き込みモードでオープンできません。" -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3255,7 +3496,7 @@ msgstr "" "\n" "書き込みが中断されました。" -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "JSON ファイルに書き込めません。" @@ -3322,15 +3563,19 @@ msgstr "デバイスは再暗号化リカバリが必要です。先に修復し msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "デバイス %s は既に LUKS2 再暗号化状態にあります。以前に初期化された処理に復帰しますか?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "古い LUKS2 再暗号化はサポートされなくなりました。" -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "OPAL を使うよう設定された LUKS2 デバイスは再暗号化できません。" + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "整合性プロファイルつきのデバイスの再暗号化はサポートされていません。" -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3339,103 +3584,103 @@ msgstr "" "要求された --sector-size % は %s superblock\n" "(ブロックサイズ: % バイト、デバイス %s)と互換性がありません。" -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "データデバイスサイズの縮小(--reduce-device-size)なしに分離ヘッダ(--header)による暗号化はできません。" -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "要求されたデータオフセットは --reduce-device-size パラメータの半分以下である必要があります。" -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "--reduce-device-size の値を --offset % (セクタ) の倍にします。\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "テンポラリヘッダファイル %s は既に存在しているので、中止します。" -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "テンポラリヘッダファイル %s を作成できません。" -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "LUKS2 メタデータサイズがデータシフト値より大きいです。" -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "デバイス %s の先頭に新しいヘッダを置けません。" -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s がアクティブでオンライン暗号化可能です。\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "アクティブなデバイス %s は LUKS2 ではありません。" -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "オリジナルの LUKS2 ヘッダを復元しています。" -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "オリジナルの LUKS ヘッダの復元に失敗しました。" -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "ヘッダファイル %s が存在しません。デバイス %s の復号化をして LUKS2 ヘッダをファイル %s に出力しますか?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "エクスポートされたヘッダファイルに読み書き権限を付与できません。" -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "再暗号化の初期化に失敗しました。ヘッダのバックアップは %s にあります。" -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "LUKS2 復号は分離(detached)ヘッダデバイスしかサポートしていません(データへのオフセットが0)。" -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "再暗号化に必要な空きキースロットがありません。" -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。" -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "キースロット %d のパスフレーズを入力してください: " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "キースロット %u のパスフレーズを入力してください: " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "データの暗号化用の暗号アルゴリズムを %s にします。\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "データセグメントのパラメータが変わっていません。再暗号化を中止します。" -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3443,7 +3688,7 @@ msgstr "" "オフラインデバイスの暗号化セクタサイズの増加はサポートしていません。\n" "まずデバイスをアクティベートするか、--force-offline-reencrypt オプションを使ってください (ただし危険です!)。" -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3452,62 +3697,62 @@ msgstr "" "\n" "再暗号化が中断されました。" -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "LUKS 再暗号化を強制オフラインモードで再開します。\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "デバイス %s は壊れた LUKS メタデータを含んでいます。処理を中止します。" -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "デバイス %s は既に LUKS デバイスです。処理を中止します。" -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "デバイス %s は既に LUKS 再暗号化状態にあります。処理を中止します。" -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "LUKS2 復号には --header オプションが必要です。" -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "コマンドはデバイスを引数として必要とします。" -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "バージョンが衝突しています。デバイス %s は LUKS1 です。" -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "バージョンが衝突しています。デバイス %s は LUKS1 再暗号化状態にあります。" -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "バージョンが衝突しています。デバイス %s は LUKS2 です。" -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "バージョンが衝突しています。デバイス %s は LUKS2 再暗号化状態にあります。" -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "LUKS2 再暗号化が既に初期化済なので操作を中止します。" -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "再暗号化処理を実行中ではありません。" -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "デバイスが使用中のため %s を排他的にオープンできません。" @@ -3643,35 +3888,35 @@ msgstr "警告: デバイス %s が既に '%s' パーティションシグネチ msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "警告: デバイス %s が既に '%s' のスーパーブロックシグネチャを含んでいます。\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "デバイスシグネチャ検出の初期化に失敗しました。" -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "デバイス %s の stat() に失敗しました。" -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "ファイル %s を読み書き可能なモードでオープンできません。" -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "今ある '%s' パーティションシグネチャはデバイス %s から消されます。" -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "今ある '%s' スーパーブロックシグネチャはデバイス %s から消されます。" -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "デバイスシグネチャを消せません。" -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "デバイス %s のシグネチャが検出できません。" @@ -3686,11 +3931,11 @@ msgstr "--%s のサイズの指定が不正です。" msgid "Option --%s is not allowed with %s action." msgstr "オプション --%s は %s アクションと一緒には使えません。" -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "ssh token json ファイルに書き込めません。" -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3706,105 +3951,109 @@ msgstr "" "\n" "Note: トークンを追加する時に与えられる情報 (SSH server address, user and paths) は LUKS2 ヘッダに平文で保存されます。" -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr "<アクション> <デバイス>" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "'add' アクションのオプション:" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "このトークンのリモートサーバのIPアドレス/URL" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "リモートサーバで使うユーザ名" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "リモートサーバのキーファイルのパス" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "リモートサーバに接続するための SSH キーへのパス" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "libcryptsetup 外部トークンを含むディレクトリパス" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "トークンが割り当てられるキースロット。指定されなければトークンは与えられたパスフレーズがマッチする最初のキースロットに割り当てられます。" -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "一般オプション:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "より詳細なエラーメッセージを表示します" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "デバッグメッセージを表示します" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "JSON メタデータを含むデバッグメッセージを表示する" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "秘密鍵を開いてインポートできませんでした:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "秘密鍵のインポートに失敗しました(パスワードで保護されているのでは?)。\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "%s@%s のパスワード: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "引数の解釈に失敗しました。\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "アクションの指定が必要です\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "'%s' アクションにはデバイスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH サーバの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH ユーザの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH パスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "'%s' アクションには SSH キーパスの指定が必要です。\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "与えられた credential ではファイル %s をオープンできません。\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "今のところ、このプラグインでは 'add' アクションしかサポートされていません。\n" diff --git a/po/meson.build b/po/meson.build new file mode 100644 index 0000000..c61a953 --- /dev/null +++ b/po/meson.build @@ -0,0 +1,7 @@ +if get_option('nls') + i18n = import('i18n') + i18n.gettext(meson.project_name(), + preset: 'glib', + data_dirs: '.', + install: true) +endif diff --git a/po/pl.po b/po/pl.po index dd3b1a8..d2edf8b 100644 --- a/po/pl.po +++ b/po/pl.po @@ -1,14 +1,14 @@ # Polish translation for cryptsetup. # Copyright (C) 2010 Free Software Foundation, Inc. # This file is put in the public domain. -# Jakub Bogusz , 2010-2022. +# Jakub Bogusz , 2010-2023. # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.0-rc1\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2022-11-20 12:38+0100\n" -"PO-Revision-Date: 2022-11-20 20:45+0100\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-22 20:05+0100\n" "Last-Translator: Jakub Bogusz \n" "Language-Team: Polish \n" "Language: pl\n" @@ -26,58 +26,62 @@ msgstr "Nie można zainicjować device-mappera w czasie działania jako nie-root msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Nie można zainicjować device-mappera. Czy moduł jądra dm_mod jest wczytany?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Żądana flaga odroczona nie jest obsługiwana." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID dla urządzenia %s został skrócony." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Nieznany typ celu dm." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Żądane opcje dm-crypta dotyczące wydajności nie są obsługiwane." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Żądane opcje dm-verity dotyczące obsługi uszkodzenia danych nie są obsługiwane." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "Żądana opcja taskletów dm-verity nie jest obsługiwana." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Żądane opcje FEC dm-verity nie są obsługiwane." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Żądane opcje integralności danych nie są obsługiwane." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "Żądana opcja sector_size nie jest obsługiwana." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "Rozmiar urządzenia nie jest wielokrotnością żądanego rozmiaru sektura." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Żądane automatyczne przeliczenie znaczników integralności nie jest obsługiwane." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Porzucenie/TRIM nie jest obsługiwane." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Żądany tryb bitmapy dm-integrity nie jest obsługiwany." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Nie udało się odpytać segmentu dm-%s." @@ -111,653 +115,743 @@ msgstr "Nieznane żądanie jakości RNG." msgid "Error reading from RNG." msgstr "Błąd odczytu z RNG." -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "Obsługa OPAL jest wyłączona w libcryptsetup." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Urządzenie %s lub jądro nie obsługuje szyfrowania OPAL." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Nie można zainicjować backendu kryptograficznego RNG." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Nie można zainicjować backendu kryptograficznego." -#: lib/setup.c:268 lib/setup.c:2139 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Algorytm skrótu %s nie jest obsługiwany." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Błąd przetwarzania klucza (użyto algorytmu skrótu %s)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób uaktywniania urządzenia?" -#: lib/setup.c:348 lib/setup.c:3308 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS2." -#: lib/setup.c:430 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Wszyskie miejsca na klucze są pełne." -#: lib/setup.c:441 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Numer klucza %d jest błędny, proszę wybrać wartość między 0 a %d." -#: lib/setup.c:447 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Miejsce na klucz %d jest pełne, proszę wybrać inne." -#: lib/setup.c:532 lib/setup.c:3030 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "Rozmiar urządzenia nie jest wyrównany do rozmiaru bloku logicznego urządzenia." -#: lib/setup.c:630 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Wykryto nagłówek, ale urządzenie %s jest zbyt małe." -#: lib/setup.c:671 lib/setup.c:2930 lib/setup.c:4275 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Ta operacja nie jest obsługiwana dla tego rodzaju urządzenia." -#: lib/setup.c:676 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Niedozwolona operacja w trakcie ponownego szyfrowania." -#: lib/setup.c:762 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Nie udało się wycofać zmian w metadanych LUKS2 w pamięci." -#: lib/setup.c:849 lib/luks1/keymanage.c:247 lib/luks1/keymanage.c:525 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1433 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS." -#: lib/setup.c:852 lib/luks1/keymanage.c:528 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Nieobsługiwana wersja LUKS %d." -#: lib/setup.c:1479 lib/setup.c:2679 lib/setup.c:2761 lib/setup.c:2773 -#: lib/setup.c:2940 lib/setup.c:4752 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Nie wykryto znanego wzorca określającego szyfr dla aktywnego urządzenia %s." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Urządzenie %s nie jest aktywne." -#: lib/setup.c:1496 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Urządzenie stojące za urządzeniem szyfrowanym %s zniknęło." -#: lib/setup.c:1578 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Błędne parametry szyfru plain." -#: lib/setup.c:1583 lib/setup.c:2042 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Błędny rozmiar klucza." -#: lib/setup.c:1588 lib/setup.c:2047 lib/setup.c:2250 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "UUID nie jest obsługiwany dla tego rodzaju szyfrowania." -#: lib/setup.c:1593 lib/setup.c:2052 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Osobne urządzenie metadanych nie jest obsługiwane dla tego rodzaju szyfrowania." -#: lib/setup.c:1603 lib/setup.c:1819 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Nieobsługiwany rozmiar sektora szyfrowania." -#: lib/setup.c:1611 lib/setup.c:1947 lib/setup.c:3024 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "Rozmiar urządzenia nie jest wyrównany do żądanego rozmiaru sektura." -#: lib/setup.c:1663 lib/setup.c:1787 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Nie można sformatować LUKS-a bez urządzenia." -#: lib/setup.c:1669 lib/setup.c:1793 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "Żądane wyrównanie metadanych nie jest zgodne z offsetem danych." -#: lib/setup.c:1744 lib/setup.c:1964 lib/setup.c:1985 lib/setup.c:2262 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "UWAGA: urządzenie DAX może uszkodzić dane, ponieważ nie gwarantuje atomowych uaktualnień sektorów.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Nie można wymazać nagłówka na urządzeniu %s." -#: lib/setup.c:1757 lib/setup.c:2024 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Urządzenie %s jest zbyt małe do uaktywnienia, nie ma miejsca pozostałego na dane.\n" -#: lib/setup.c:1828 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "UWAGA: uaktywnienie urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n" - -#: lib/setup.c:1851 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Klucz wolumenu jest zbyt mały do szyfrowania z rozszerzeniami integralności." -#: lib/setup.c:1911 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Szyfr %s-%s (rozmiar klucza w bitach: %zd) nie jest dostępny." -#: lib/setup.c:1937 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "UWAGA: rozmiar metadanych LUKS2 zmienił się na % (w bajtach).\n" - -#: lib/setup.c:1941 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "UWAGA: rozmiar obszaru kluczy LUKS2 zmienił się na % (w bajtach).\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "UWAGA: uaktywnienie urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n" -#: lib/setup.c:1967 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Urządzenie %s jest zbyt małe." -#: lib/setup.c:1978 lib/setup.c:2004 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Nie można sformatować urządzenia %s, które jest w użyciu." -#: lib/setup.c:1981 lib/setup.c:2007 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Nie można sformatować urządzenia %s, brak uprawnień." -#: lib/setup.c:1993 lib/setup.c:2322 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Nie można sformatować integralności dla urządzenia %s." -#: lib/setup.c:2011 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Nie można sformatować urządzenia %s." -#: lib/setup.c:2037 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Nie można pobrać parametrów wyrównania OPAL." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Błędny rozmiar bloku logicznego OPAL." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "Żądana pozycja danych nie jest zgodna z rozmiarem bloku OPAL." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "Żądane wyrównanie danych nie jest zgodne z wyrównaniem OPAL." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "Pozycja danych nie jest zgodna z wymaganiami wyrównania OPAL." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "Żądane wyrównanie danych nie jest zgodne z wymaganiami wyrównania zakresu blokowania." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Kompensacja rozmiaru urządzenia o % sektorów, aby wyrównać do rozdzielczości wyrównania OPAL." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Nie udało się uzyskać blokady OPAL na urządzeniu %s." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Niepoprawny klucz administratora OPAL." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Nie można ustawić segmentu OPAL." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Nie można sformatować urządzenia %s, urządzenie OPAL obecnie wygląda na w pełni zabezpieczone przed zapisem." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "To prawdopodobnie błąd w oprogramowaniu sprzętowym. W celu odtworzenia można zresetować PSID OPAL i połączyć ponownie." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "Reset zakresu blokowania %d na urządzeniu %s nie powiódł się." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Nie można sformatować urządzenia LUKSAES bez urządzenia." -#: lib/setup.c:2082 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Nie można sformatować VERITY bez urządzenia." -#: lib/setup.c:2093 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Nieobsługiwany typ hasza VERITY %d." -#: lib/setup.c:2099 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Nieobsługiwany rozmiar bloku VERITY." -#: lib/setup.c:2104 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Nieobsługiwany offset hasza VERITY." -#: lib/setup.c:2109 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Nieobsługiwany offset FEC VERITY." -#: lib/setup.c:2133 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "Obszar danych zachodzi na obszar skrótów." -#: lib/setup.c:2158 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "Obszar skrótu zachodzi na obszar FEC." -#: lib/setup.c:2165 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "Obszar danych zachodzi na obszar FEC." -#: lib/setup.c:2301 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "UWAGA: żądany rozmiar znacznika %d B różni się od rozmiaru wyjścia %s (%d B).\n" -#: lib/setup.c:2380 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Nieznany typ żądanego urządzenia szyfrującego %s." -#: lib/setup.c:2687 lib/setup.c:2766 lib/setup.c:2779 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Nieobsługiwane parametry urządzenia %s." -#: lib/setup.c:2693 lib/setup.c:2786 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Niezgodne parametry dla urządzenia %s." -#: lib/setup.c:2810 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Urządzenia szyfrowane nie zgadzają się." -#: lib/setup.c:2847 lib/setup.c:2852 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Nie udało się przeładować urządzenia %s." -#: lib/setup.c:2858 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Nie udało się wstrzymać urządzenia %s." -#: lib/setup.c:2870 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Nie udało wznowić urządzenia %s." -#: lib/setup.c:2885 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Błąd krytyczny przy przeładowywaniu urządzenia %s (w oparciu o urządzenie %s)." -#: lib/setup.c:2888 lib/setup.c:2890 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Nie udało się przełączyć urządzenia %s na dm-error." -#: lib/setup.c:2972 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Nie można zmienić rozmiaru urządzenia LUKS2 o rozmiarze statycznym." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "Nie można zmienić rozmiaru urządzenia loopback." -#: lib/setup.c:3015 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "UWAGA: maksymalny rozmiar jest już ustawiony lub jądro nie obsługuje zmiany rozmiaru.\n" -#: lib/setup.c:3076 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Zmiana rozmiaru nie powiodła się, jądro tego nie obsługuje." -#: lib/setup.c:3108 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Czy na pewno zmienić UUID urządzenia?" -#: lib/setup.c:3200 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Plik nagłówka kopii zapasowej nie zawiera zgodnego nagłówka LUKS." -#: lib/setup.c:3316 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Wolumen %s nie jest aktywny." -#: lib/setup.c:3327 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Wolumen %s już został wstrzymany." -#: lib/setup.c:3340 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Wstrzymywanie nie jest obsługiwane dla urządzenia %s." -#: lib/setup.c:3342 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Błąd podczas wstrzymywania urządzenia %s." -#: lib/setup.c:3377 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Urządzenie %s zostało wstrzymane, ale sprzętowe urządzenie OPAL nie może być zablokowane." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Wznawianie nie jest obsługiwane dla urządzenia %s." -#: lib/setup.c:3379 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Błąd podczas wznawiania urządzenia %s." -#: lib/setup.c:3413 lib/setup.c:3461 lib/setup.c:3532 lib/setup.c:3577 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Nie udało się dołączyć klucza do określonego pęku kluczy." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Nie udało się odłączyć klucza wolumenu z pęku kluczy podanego przez użytkownika." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Nie udało się dołączuć klucza wolumenu do pęku kluczy zdefiniowanego przez użytkownika." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Wolumen %s nie jest wstrzymany." -#: lib/setup.c:3547 lib/setup.c:4528 lib/setup.c:4541 lib/setup.c:4549 -#: lib/setup.c:4562 lib/setup.c:6145 lib/setup.c:6167 lib/setup.c:6216 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Klucz wolumenu nie pasuje do wolumenu." -#: lib/setup.c:3725 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Nie udało się podstawić nowego klucza." -#: lib/setup.c:3823 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "Numer klucza %d jest nieprawidłowy." -#: lib/setup.c:3829 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "Klucz %d nie jest aktywny." -#: lib/setup.c:3848 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "Nagłówek urządzenia zachodzi na obszar danych." -#: lib/setup.c:4153 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Ponowne szyfrowanie trwa. Nie można uaktywnić urządzenia." -#: lib/setup.c:4155 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Nie udało się uzyskać blokady ponownego szyfrowania." -#: lib/setup.c:4168 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "Odtwarzanie ponownego szyfrowania LUKS2 nie powiodło się." -#: lib/setup.c:4340 lib/setup.c:4606 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Typ urządzenia nie został właściwie zainicjalizowany." -#: lib/setup.c:4388 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Urządzenie %s już istnieje." -#: lib/setup.c:4395 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Nie można użyć urządzenia %s, nazwa jest nieprawidłowa lub nadal w użyciu." -#: lib/setup.c:4515 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Podano niewłaściwy klucz wolumenu dla zwykłego urządzenia." -#: lib/setup.c:4632 -msgid "Incorrect root hash specified for verity device." -msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY." - -#: lib/setup.c:4642 -msgid "Root hash signature required." -msgstr "Wymagany podpis hasza głównego." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "Pęk kluczy w jądrze nie jest obsługiwany przez jądro." -#: lib/setup.c:4651 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Brak pęku kluczy w jądrze: wymagany do przekazania podpisu do jądra." -#: lib/setup.c:4668 lib/setup.c:6411 -msgid "Failed to load key in kernel keyring." -msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY." + +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL nie obsługuje odroczonej dezaktywacji." -#: lib/setup.c:4724 +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Nie udało się anulować opóźnionego usuwania z urządzenia %s." -#: lib/setup.c:4731 lib/setup.c:4747 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Urządzenie %s jest nadal w użyciu." -#: lib/setup.c:4756 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Błędne urządzenie %s." -#: lib/setup.c:4896 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Bufor klucza wolumenu zbyt mały." -#: lib/setup.c:4913 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS2." -#: lib/setup.c:4922 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS1." -#: lib/setup.c:4932 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Nie można odtworzyć klucza wolumenu dla zwykłego urządzenia." -#: lib/setup.c:4940 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "Nie można odtworzyć hasza głównego dla urządzenia VERITY." -#: lib/setup.c:4947 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia BITLK." -#: lib/setup.c:4952 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia FVAULT2." -#: lib/setup.c:4954 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Ta operacja nie jest obsługiwana dla urządzenia szyfrującego %s." -#: lib/setup.c:5135 lib/setup.c:5146 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Operacja zrzutu nie jest obsługiwana dla tego rodzaju urządzenia." -#: lib/setup.c:5488 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Offset danych nie jest wielokrotnością liczby bajtów %u." -#: lib/setup.c:5776 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Nie można przekonwertować urządzenia %s, które jest nadal w użyciu." -#: lib/setup.c:6086 lib/setup.c:6225 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Nie udało się przypisać klucza %u jako nowego klucza wolumenu." -#: lib/setup.c:6110 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Nie udało się zainicjować domyślnych parametrów klucza LUKS2." -#: lib/setup.c:6116 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Nie udało się przypisać klucza %d do skrótu." -#: lib/setup.c:6341 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu." -#: lib/setup.c:6478 -msgid "Kernel keyring is not supported by the kernel." -msgstr "Pęk kluczy w jądrze nie jest obsługiwany przez jądro." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze." + +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Nie udało się odłączyć klucza wolumenu z pęku klucza wątku." -#: lib/setup.c:6488 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Nie udało się odczytać hasła z pęku kluczy (błąd %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Nie udało się odnaleźć pęku kluczy opisanego przez \"%s\"." -#: lib/setup.c:6512 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Nie udało się uzyskać globalnej blokady serializacji dostępu ciężkiego pamięciowo." -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Nie udało się otworzyć pliku klucza." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Nie można odczytać pliku klucza z terminala." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "Nie udało się wykonać stat na pliku klucza." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Nie można przemieścić się do żądanego położenia pliku klucza." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:227 -#: src/utils_password.c:239 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Brak pamięci podczas odczytu hasła." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Błąd podczas odczytu hasła." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Na wejściu nie ma nic do odczytu." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Przekroczono maksymalny rozmiar pliku klucza." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Nie można odczytać żądanej ilości danych." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1408 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Urządzenie %s nie istnieje lub dostęp jest zabroniony." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Urządzenie %s nie jest zgodne." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Zignorowano niewłaściwy rozmiar optimal-io dla urządzenia danych (%u bajtów)." -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Urządzenie %s jest zbyt małe. Wymagane przynajmniej % bajtów." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Nie można użyć urządzenia %s, które jest w użyciu (już podmapowane lub zamontowane)." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Nie można użyć urządzenia %s, brak uprawnień." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "Nie można uzyskać informacji o urządzeniu %s." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Nie można użyć urządzenia loopback w czasie działania jako nie-root." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Nie udało się podłączyć urządzenia loopback (wymagane urządzenie loop z flagą autoclear)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Żądany offset jest poza rzeczywistym rozmiarem urządzenia %s." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Urządzenie %s ma zerowy rozmiar." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Żądany czas docelowy PBKDF nie może być zerowy." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Nieznany typ PBKDF %s." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "Żądany skrót %s nie jest obsługiwany." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Żądany typ PBKDF nie jest obsługiwany dla LUKS1." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "Wartości maksymalnej pamięci lub liczby wątków PBKDF nie mogą być ustawione dla PBKDF2." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Wymuszona liczba iteracji jest zbyt mała dla %s (minimum to %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Wymuszony koszt pamięciowy jest zbyt mały dla %s (minimum to %u kB)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Żądany maksymalny koszt pamięciowy PBKDF jest zbyt duży (maksimum to %d kB)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "Żądana maksymalna pamięć PBKDF nie może być zerowa." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Żądana liczba wątków PBKDF nie może być zerowa." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "W trybie FIPS obsługiwana jest tylko PBKDF2." -#: lib/utils_benchmark.c:174 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Test wydajności PBKDF jest wyłączony, ale nie ustawiono liczby iteracji." -#: lib/utils_benchmark.c:193 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Niekompatybilne opcje PBKDF2 (przy użyciu algorytmu skrótu %s)." -#: lib/utils_benchmark.c:213 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Niekompatybilne opcje PBKDF." @@ -771,16 +865,24 @@ msgstr "Blokowanie nie powiodło się. Ścieżka blokady %s/%s jest nieużywalna msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Blokowanie przerwane. Ścieżka blokady %s/%s jest nieużywalna (%s nie jest katalogiem)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Nie można przemieścić się we właściwe położenie urządzenia." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Błąd wymazywania urządzenia, offset %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "Niepoprawny PSID OPAL." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Nie można wymazać urządzenia OPAL." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -798,9 +900,9 @@ msgstr "Rozmiar klucza w trybie XTS musi wynosić 256 lub 512 bitów." msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "Określenie szyfru powinno być w formacie [szyfr]-[tryb]-[iv]." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:675 lib/luks1/keymanage.c:1126 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Nie można zapisać na urządzenie %s, brak uprawnień." @@ -813,87 +915,87 @@ msgstr "Nie udało się otworzyć urządzenia do tymczasowego przechowywania klu msgid "Failed to access temporary keystore device." msgstr "Nie udało się uzyskać dostępu do urządzenia do tymczasowego przechowywania kluczy." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:61 -#: lib/luks2/luks2_keyslot_luks2.c:79 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Błąd we/wy podczas szyfrowania klucza." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:628 lib/luks1/keymanage.c:678 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Nie można otworzyć urządzenia %s." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:138 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "Błąd we/wy podczas odszyfrowywania klucza." -#: lib/luks1/keymanage.c:129 +#: lib/luks1/keymanage.c:130 #, c-format msgid "Device %s is too small. (LUKS1 requires at least % bytes.)" msgstr "Urządzenie %s jest zbyt małe (LUKS1 wymaga przynajmniej % bajtów)." -#: lib/luks1/keymanage.c:150 lib/luks1/keymanage.c:158 -#: lib/luks1/keymanage.c:170 lib/luks1/keymanage.c:181 -#: lib/luks1/keymanage.c:193 +#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159 +#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182 +#: lib/luks1/keymanage.c:194 #, c-format msgid "LUKS keyslot %u is invalid." msgstr "Numer klucza LUKS %u jest nieprawidłowy." -#: lib/luks1/keymanage.c:265 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Żądany plik kopii zapasowej nagłówka %s już istnieje." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Nie można utworzyć pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:274 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Nie można zapisać pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Plik kopii zapasowej nie zawiera prawidłowego nagłówka LUKS." -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:591 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Nie można otworzyć pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Nie można odczytać pliku kopii zapasowej nagłówka %s." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "Offset danych lub rozmiar klucza różnią się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Urządzenie %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "nie zawiera nagłówka LUKS. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "już zawiera nagłówek LUKS. Nadpisanie nagłówka zniszczy istniejące klucze." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -901,126 +1003,130 @@ msgstr "" "\n" "UWAGA: nagłówek prawdziwego urządzenia ma inny UUID niż kopia zapasowa!" -#: lib/luks1/keymanage.c:396 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Niestandardowy rozmiar klucza, wymagana ręczna naprawa." -#: lib/luks1/keymanage.c:406 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Niestandardowe wyrównanie kluczy, wymagana ręczna naprawa." -#: lib/luks1/keymanage.c:415 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Tryb szyfru poprawiony (%s -> %s)." -#: lib/luks1/keymanage.c:426 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Skrót szyfru poprawiony na małe litery (%s)." -#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:534 -#: lib/luks1/keymanage.c:790 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Żądany skrót LUKS %s nie jest obsługiwany." -#: lib/luks1/keymanage.c:442 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Naprawianie kluczy." -#: lib/luks1/keymanage.c:461 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Klucz %i: naprawiono offset (%u -> %u)." -#: lib/luks1/keymanage.c:469 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Klucz %i: naprawiono pasy (%u -> %u)." -#: lib/luks1/keymanage.c:478 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Klucz %i: błędna sygnatura partycji." -#: lib/luks1/keymanage.c:483 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Klucz %i: zarodek wymazany." -#: lib/luks1/keymanage.c:500 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Zapis nagłówka LUKS na dysk." -#: lib/luks1/keymanage.c:505 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Naprawa nie powiodła się." -#: lib/luks1/keymanage.c:560 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Tryb szyfru LUKS %s jest nieprawidłowy." -#: lib/luks1/keymanage.c:565 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "Skrót LUKS %s jest nieprawidłowy." -#: lib/luks1/keymanage.c:572 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "W nagłówku LUKS nie wykryto żadnych znanych problemów." -#: lib/luks1/keymanage.c:700 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Błąd podczas uaktualniania nagłówka LUKS na urządzeniu %s." -#: lib/luks1/keymanage.c:708 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Błęd podczas ponownego odczytu nagłówka LUKS po uaktualnieniu na urządzeniu %s." -#: lib/luks1/keymanage.c:784 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Offset danych dla nagłówka LUKS musi wynosić 0 lub więcej niż rozmiar nagłówka." -#: lib/luks1/keymanage.c:795 lib/luks1/keymanage.c:864 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:514 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Podano zły format LUKS UUID." -#: lib/luks1/keymanage.c:817 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powiódł się." -#: lib/luks1/keymanage.c:843 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Nie można utworzyć nagłówka LUKS: uzyskanie skrótu nagłówka nie powiodło się (przy użyciu algorytmu %s)." -#: lib/luks1/keymanage.c:887 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "Klucz numer %d jest aktywny, należy go najpierw wyczyścić." -#: lib/luks1/keymanage.c:893 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Klucz %d zawiera zbyt mało pasów. Zmieniony nagłówek?" -#: lib/luks1/keymanage.c:1034 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Przepełnienie wartości iteracji PBKDF2" + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Nie można otworzyć klucza (przy użyciu skrótu %s)." -#: lib/luks1/keymanage.c:1112 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Numer klucza %d jest błędny, proszę wybrać numer od 0 do %d." -#: lib/luks1/keymanage.c:1130 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Nie można wymazać urządzenia %s." @@ -1041,174 +1147,174 @@ msgstr "Wykryto niekompatybilny plik klucza loop-AES." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Jądro nie obsługuje odwzorowań zgodnych z loop-AES." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Błąd odczytu pliku klucza %s." -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Przekroczono maksymalną długość hasła TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Algorytm skrótu PBKDF2 %s nie jest dostępny, pominięto." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "Wymagany interfejs kryptograficzny jądra nie jest dostępny." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Proszę upewnić się, że moduł jądra algif_skcipher został załadowany." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Uaktywnianie nie jest obsługiwane dla rozmiaru sektora %d." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Jądro nie obsługuje uaktywniania dla tego starego trybu TCRYPT." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Włączanie szyfrowania systemu TCRYPT dla partycji %s." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Jądro nie obsługuje odwzorowań zgodnych z TCRYPT." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Ta funkcja nie jest obsługiwana bez załadowanego nagłówka TCRYPT." -#: lib/bitlk/bitlk.c:275 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany wpis metadanych typu '%u'." -#: lib/bitlk/bitlk.c:328 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "Przy analizie Głównego Klucza Wolumenu napotkano błędny ciąg znaków." -#: lib/bitlk/bitlk.c:332 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany ciąg znaków ('%s')." -#: lib/bitlk/bitlk.c:349 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwaną wartość wpisu metadanych '%u'." -#: lib/bitlk/bitlk.c:451 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "BITLK w wersji 1 nie jest obecnie obsługiwany." -#: lib/bitlk/bitlk.c:457 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Błędna lub nieznana sygnatura rozruchowa urządzenia BITLK." -#: lib/bitlk/bitlk.c:469 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %." msgstr "Nieobsługiwany rozmiar sektora %." -#: lib/bitlk/bitlk.c:477 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Nie udało się odczytać nagłówka BITLK z %s." -#: lib/bitlk/bitlk.c:502 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Nie udało się odczytać metadanych BITLK FVE z %s." -#: lib/bitlk/bitlk.c:554 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Nieznany lub nieobsługiwany rodzaj szyfrowania." -#: lib/bitlk/bitlk.c:587 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Nie udało się odczytać wpisów metadanych BITLK z %s." -#: lib/bitlk/bitlk.c:681 +#: lib/bitlk/bitlk.c:719 msgid "Failed to convert BITLK volume description" msgstr "Nie udało się przekonwertować opisu wolumenu BITLK" -#: lib/bitlk/bitlk.c:841 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwany wpis metadanych typu '%u'." -#: lib/bitlk/bitlk.c:860 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "GUI pliku BEK '%s' nie pasuje do GUID-a wolumenu." -#: lib/bitlk/bitlk.c:864 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwaną wartość wpisu metadanych '%u'." -#: lib/bitlk/bitlk.c:903 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Nieobsługiwana wersja metadanych BEK %" -#: lib/bitlk/bitlk.c:908 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Nieoczekiwany rozmiar metadanych BEK % nie zgadza się z długością pliku BEK" -#: lib/bitlk/bitlk.c:933 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Przy analizie klucza początkowego napotkano nieoczekiwany wpis metadanych." -#: lib/bitlk/bitlk.c:1029 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Ta operacja nie jest obsługiwana." -#: lib/bitlk/bitlk.c:1037 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Nieoczekiwany rozmiar danych klucza." -#: lib/bitlk/bitlk.c:1163 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "To urządzenie BITLK jest w nieobsługiwanym stanie i może być uaktywnione." -#: lib/bitlk/bitlk.c:1168 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Urządzenia BITLK o typie '%s' nie mogą być uaktywnione." -#: lib/bitlk/bitlk.c:1175 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Uaktywnianie częściowo odszyfrowanych urządzeń BITLK nie jest obsługiwane." -#: lib/bitlk/bitlk.c:1216 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "UWAGA: rozmiar wolumenu BitLockera % nie zgadza się z rozmiarem urządzenia %" -#: lib/bitlk/bitlk.c:1343 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Nie można uaktywnić urządzenia, brak obsługi BITLK IV w module dm-crypt jądra." -#: lib/bitlk/bitlk.c:1347 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Nie można uaktywnić urządzenia, brak obsługi dyfuzora BITLK Elephant w module dm-crypt jądra." -#: lib/bitlk/bitlk.c:1351 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Nie można uaktywnić urządzenia, brak obsługi dużego rozmiaru sektora w module dm-crypt jądra." -#: lib/bitlk/bitlk.c:1355 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Nie można uaktywnić urządzenia, brak modułu jądra dm-zero." @@ -1246,28 +1352,32 @@ msgstr "Podano zły format UUID-a VERITY na urządzeniu %s." msgid "Error during update of verity header on device %s." msgstr "Błąd podczas uaktualniania nagłówka VERITY na urządzeniu %s." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "Weryfikacja podpisu hasza głównego nie jest obsługiwana." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Wymagany podpis hasza głównego." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Błędów nie można naprawić z urządzeniem FEC." -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "Znaleziono %u błędów możliwych do naprawienia z urządzeniem FEC." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "Jądro nie obsługuje odwzorowań dm-verity." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "Jądro nie obsługuje opcji podpisu dm-verity." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Urządzenie VERITY wykryło uszkodzenie po uaktywnieniu." @@ -1361,7 +1471,7 @@ msgstr "Nie udało się określić rozmiaru urządzenia %s." msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Wykryto niezgodne metadane dm-integrity jądra (wersja %u) na %s." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "Jądro nie obsługuje odwzorowań dm-integrity." @@ -1373,8 +1483,8 @@ msgstr "Jądro nie obsługuje stałego wyrównania metadanych dm-integrity." msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Jądro odmawia uaktywnienia niebezpiecznej opcji przeliczenia (p. stare opcje aktywacji, aby wymusić)." -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Nie udało się uzyskać blokady dla zapisu na urządzeniu %s." @@ -1391,49 +1501,59 @@ msgstr "" "Urządzenie zawiera niejednoznaczne sygnatury, nie można automatycznie odtworzyć LUKS2.\n" "W celu odtworzenia należy uruchomić \"cryptsetup repair\"." -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "UWAGA: obszar kluczy (% bajtów) bardzo mały, dostępna liczba kluczy LUKS2 jest bardzo ograniczona.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "Żądany offset danych jest zbyt mały." -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "UWAGA: obszar kluczy (% bajtów) bardzo mały, dostępna liczba kluczy LUKS2 jest bardzo ograniczona.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "UWAGA: rozmiar metadanych LUKS2 zmienił się na % (w bajtach).\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:93 -#: lib/luks2/luks2_keyslot_luks2.c:115 +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "UWAGA: rozmiar obszaru kluczy LUKS2 zmienił się na % (w bajtach).\n" + +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Nie udało się uzyskać blokady do odczytu na urządzeniu %s." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Wykryto zabronione wymagania LUKS2 w kopii zapasowej %s." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Offset danych różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Nagłówek binarny z rozmiarem obszarów kluczy różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Urządzenie %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "nie zawiera nagłówka LUKS2. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "już zawiera nagłówek LUKS2. Nadpisanie nagłówka zniszczy istniejące klucze." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1443,7 +1563,7 @@ msgstr "" "UWAGA: wykryto nieznane wymagania LUKS2 w nagłówku prawdziwego urządzenia!\n" "Nadpisanie nagłówka kopią zapasową może uszkodzić dane na tym urządzeniu!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1453,390 +1573,436 @@ msgstr "" "UWAGA: wykryto nie zakończone ponowne szyfrowanie offline na urządzeniu!\n" "Nadpisanie nagłówka kopią zapasową może uszkodzić dane." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Zignorowano nieznaną flagę %s." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Brak klucza dla segmentu dm-crypt %u" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Nie udało się ustawić segmentu dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Nie udało się ustawić segmentu dm-linear." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "Nie wykryto znanego wzorca określającego szyfr w nagłówku LUKS2." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "Urządzenie OPAL musi mieć statyczny rozmiar." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Szyfrowane urządzenie OPAL z integralnością musi być mniejsze, niż zakres blokowania." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "Urządzenie OPAL musi mieć ten sam rozmiar, co zakres blokowania." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Urządzenie OPAL %s jest już odblokowane.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Nieobsługiwana konfiguracja integralności urządzenia." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Urządzenie dm-integrity stojące poniżej o nieoczekiwanych sektorach danych." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Podobne szyfrowanie trwa. Nie można dezaktywować urządzenia." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Nie udało się zastąpić wstrzymanego urządzenia %s celem dm-error." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Urządzenie %s zostało dezaktywowane, ale sprzętowe urządzenie OPAL nie może być zablokowane." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Nie udało się odczytać wymagań LUKS2." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Wykryto nie spełnione wymagania LUKS2." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania starym szyfrem. Przerwano." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania LUKS2. Przerwano." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Operacja niezgodna z urządzeniem używającym OPAL. Przerwano." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Za mało dostępnej pamięci, aby otworzyć klucz." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Nie udało się otworzyć klucza." -#: lib/luks2/luks2_keyslot_luks2.c:54 lib/luks2/luks2_keyslot_luks2.c:109 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Nie można użyć szyfru %s-%s do szyfrowania kluczy." -#: lib/luks2/luks2_keyslot_luks2.c:281 lib/luks2/luks2_keyslot_luks2.c:390 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "Algorytm skrótu %s nie jest dostępny." -#: lib/luks2/luks2_keyslot_luks2.c:506 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Uwaga: operacja na kluczu może się nie powieść, bo wymaga więcej pamięci, niż dostępna.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Brak miejsca na nowy klucz." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "Błędne żądanie zmiany trybu odporności przy ponownym szyfrowaniu." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Nie można uaktualnić rodzaju odporności. Nowy typ zapewnia % B, wymagane miejsce to % B." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Nie udało się odświeżyć skrótu weryfikacji ponownego szyfrowania." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Nie można sprawdzić stanu urządzenia mającego UUID: %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Nie można przekonwertować nagłówka z dodatkowymi metadanymi LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Nie można użyć określenia szyfru %s-%s dla LUKS2." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Nie można przenieść obszaru kluczy. Brak miejsca." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Nie można przekonwertować do formatu LUKS1 - błędne metadane." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Nie można przenieść obszaru kluczy. Obszar kluczy LUKS2 zbyt mały." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Nie można przenieść obszaru kluczy." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Nie można przekonwertować do formatu LUKS1 - domyślny rozmiar sektora szyfrowania segmentu nie wynosi 512 bajtów." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Nie można przekonwertować formatu LUKS1 - skróty kluczy nie są zgodne z LUKS1." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa szyfru %s z obudowanym kluczem." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa większej liczby segmentów." -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Nie można przekonwertować do formatu LUKS1 - nagłówek LUKS2 zawiera %u token(ów)." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u jest w błędnym stanie." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u (powyzej maksimum) jest nadal aktywny." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u nie jest zgodny z LUKS1." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Rozmiar strefy hotzone musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Rozmiar urządzenia musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Nie udało się zainicjować obudowania przestrzeni starego segmentu." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Nie udało się zainicjować obudowania przestrzeni nowego segmentu." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Nie udało się zainicjować ochrony strefy hotzone." -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Nie udało się odczytać sum kontrolnych dla aktualnej strefy hotzone." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Nie udało się odczytać obszaru hotzone zaczynającego się od %." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Nie udało się odszyfrować sektora %zu." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Nie udało się odtworzyć sektora %zu." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Rozmiary urządzenia źródłowego i docelowego różnią się. Źródłowe %, docelowe: %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Nie udało się uaktywnić urządzenia hotzone %s." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Nie udało się uaktywnić urządzenia nakładkowego %s z aktualną tablicą źródła." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Nie udało się załadować nowego odwzorowania dla urządzenia %s." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Nie udało się odświeżyć stosu urządzenia ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Nie udało się ustawić nowego rozmiaru obszaru kluczy." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Wartość przesunięcia danych nie jest wyrównana do rozmiaru sektora szyfrowania (% B)." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Nieobsługiwany tryb odporności %s" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "Rozmiar przenoszonego segmentu nie może być większy niż wartość przesunięcia danych." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Błędne parametry odporności przy ponownym szyfrowaniu." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Przenoszony segment zbyt duży. Żądany rozmiar %, dostępne miejsce: %." -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Nie udało się wyczyścić tablicy." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "Zmniejszony rozmiar danych jest większy niż rzeczywisty rozmiar urządzenia." -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Urzędzenie danych nie jest wyrównane do rozmiaru sektora szyfrowania (% B)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Przesunięcie danych (sektorów: %) jest mniejsze niż przyszły offset danych (sektorów: %)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Nie udało się otworzyć %s w trybie wyłączności (już odwzorowano lub zamontowano)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Urządzenie nie jest oznaczone do ponownego szyfrowania LUKS2." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Nie udało się załadować kontekstu ponownego szyfrowania LUKS2." -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Nie udało się pobrać stanu ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Urządzenie nie jest w trakcie ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Proces ponownego szyfrowania już trwa." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Nie udało się uzyskać blokady dla ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Nie można kontynuować ponownego szyfrowania. Należy najpierw uruchomić odtworzenie ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "Rozmiar urządzenia aktywnego oraz żądany rozmiar ponownego szyfrowania różnią się." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "W parametrach ponownego szyfrowania zażądano niedozwolonego rozmiaru urządzenia." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Ponowne szyfrowanie trwa. Nie można wykonać odzyskiwania." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane w metadanych." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Nie udało się zainicjować ponownego szyfrowania LUKS2 w metadanych." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Ponowne szyfrowanie nie jest obsługiwane dla urządzeń DAX (pamięci trwałej)." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Nie udało się odczytać hasła z pęku kluczy." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Nie udało się ustawić segmentów urządzeń dla następnej strefy hotzone ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Nie udało się zapisać metadanych odporności ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Odszyfrowanie nie powiodło się." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Nie udało się zapisać obszaru hotzone zaczynającego się od %." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Nie udało się zsynchronizować danych." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Nie udało się uaktualnić metadanych po zakończeniu aktualnej strefy hotzone ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Nie udało się zapisać metadanych LUKS2." -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Nie udało się wymazać nie używanego obszaru urządzenia danych." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Nie udało się usunąć nie używanego (nie przypisanego) obszaru klucza %d." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Nie udało się usunąć obszaru klucza ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Błąd krytyczny podczas ponownego szyfrowania fragmentu zaczynającego się od % o długości w sektorach %." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Ponowne szyfrowanie online nie powiodło się." -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Proszę nie wznawiać urządzenia dopóki nie zostanie zastąpione celem błędnym ręcznie." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Nie można kontynuować ponownego szyfrowania. Nieoczekiwany stan ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Brak lub błędny kontekst ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Nie udało się zainicjować stosu urządzenia ponownego szyfrowania." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Nie udało się uaktualnić kontekstu ponownego szyfrowania." @@ -1844,80 +2010,121 @@ msgstr "Nie udało się uaktualnić kontekstu ponownego szyfrowania." msgid "Reencryption metadata is invalid." msgstr "Metadane ponownego szyfrowania są błędne." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "Pozycja zakresu OPAL %d % nie pasuje do oczekiwanych wartości %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "Długość zakresu OPAL %d % nie pasuje do długości urządzenia %." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "Blokowanie zakresu OPAL %d wyłączone." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Nieoczekiwany stan blokowania zakresu OPAL %d." + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Parametry szyfrowania kluczy mogą być ustawione tylko dla urządzeń LUKS2." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Proszę wprowadzić PIN: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Proszę wprowadzić PIN tokenu %d: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1097 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Nie wykryto znanego wzorca określającego szyfr." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "UWAGA: użycie domyślnych opcji szyfru (%s-%s, rozmiar klucza w bitach %u) może być niezgodne ze starszymi wersjami." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "UWAGA: użycie domyślnych opcji skrótu (%s) może być niezgodne ze starszymi wersjami." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "W trybie zwykłym bez podania klucza zawsze należy użyć opcji --cipher, --key-size, a następnie --hash." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "UWAGA: Parametr --hash jest ignorowany w trybie zwykłym z podanym plikiem klucza.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "UWAGA: Opcja --keyfile-size jest ignorowana, rozmiar odczytu jest taki sam, jak rozmiar klucza szyfrującego.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "Skanowanie blkid dla %s nie powiodło się." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Wykryto sygnatury urządzeń na %s. Dalsze operacje mogą uszkodzić istniejące dane." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:724 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Operacja przerwana.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Wymagana jest opcja --key-file." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Proszę wprowadzić PIM VeraCrypt: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Błędna wartość PIM: błąd składni." -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Błędna wartość PIM: 0." -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Błędna wartość PIM: poza zakresem." -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "Nie wykryto nagłówka urządzenia z tym hasłem." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Urządzenie %s nie jest prawidłowym urządzeniem BITLK." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Nie można określić rozmiaru klucza wolumenu dla BITLK, proszę użyć opcji --key-size." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1928,7 +2135,7 @@ msgstr "" "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n" "w bezpiecznym miejscu." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1939,77 +2146,84 @@ msgstr "" "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n" "w bezpiecznym miejscu." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Urządzenie %s nie jest prawidłowym urządzeniem FVAULT2." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Nie można określić rozmiaru klucza wolumenu dla FVAULT2, proszę użyć opcji --key-size." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Urządzenie %s jest nadal aktywne i zaplanowane do odroczonego usunięcia.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Nie udało się ustawić ścieżki tokenów zewnętrznych %s." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Zmiana rozmiaru aktywnego urządzenia wymaga klucza wolumenu w pęku, ale ustawiono opcję --disable-keyring." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Test szybkości przerwany." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s N/D\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iteracji/sekundę dla klucza %zu-bitowego\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s N/D\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iteracji, pamięć: %5u, równoległe wątki (CPU): %1u dla klucza %zu-bitowego (żądany czas %u ms)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Wynik testu wydajności nie jest wiarygodny." -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Testy są przybliżone tylko z użyciem pamięci (bez we/wy na dysk).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algorytm | Klucz | Szyfrowanie | Odszyfrowywanie\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Szyfr %s (rozmiar klucza w bitach: %i) nie jest dostępny." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algorytm | Klucz | Szyfrowanie | Odszyfrowywanie\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "N/D" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2017,27 +2231,27 @@ msgstr "" "Wybryto nie zabezpieczone metadane ponownego szyfrowania LUKS2. Proszę sprawdzić, czy operacja ponownego szyfrowania jest pożądana (p. wyjście luksDump)\n" "i kontynuować (uaktualnić metadane) tylko jeśli ta operacja ma być faktycznie wykonana." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Hasło do zabezpieczenia i uaktualnienia metadanych ponownego szyfrowania: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Naprawdę kontynuować odtwarzanie ponownego szyfrowania LUKS2?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Hasło do weryfikacji skrótu metadanych ponownego szyfrowania: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Hasło do odtwarzania ponownego szyfrowania: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Naprawdę próbować naprawić nagłówek urządzenia LUKS?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2045,7 +2259,7 @@ msgstr "" "\n" "Wymazywanie przerwane." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2053,128 +2267,144 @@ msgstr "" "Czyszczenie urządzenia w celu zainicjowania sumy kontrolnej integralności.\n" "Można przerwać ten proces wciskając Ctrl+C (reszta nie wymazanego urządzenia będzie zawierać błędną sumę kontrolną).\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Nie można dezaktywować urządzenia tymczasowego %s." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "Opcja integralności może być używana tylko dla formatu LUKS2." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Nieobsługiwane opcje rozmiaru metadanych LUKS2." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL jest obsługiwany tylko dla formatu LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Plik nagłówka nie istnieje, czy utworzyć go?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Nie można utworzyć pliku nagłówka %s." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Nie wykryto znanego wzorca określającego integralność." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Nie można użyć %s jako nagłówka na dysku." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "To nieodwołalnie nadpisze dane na %s." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Hasło administratora OPAL nie może być puste." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Nie udało się ustawić parametrów PBKDF." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "Opis typu w opisie pęku kluczy --link-vk-to-keyring jest ignorowany." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Błędna wartość --link-vk-to-keyring." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Offset zmniejszonych danych jest dozwolony tylko dla odłączonego nagłówka LUKS." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "Kontener plikowy LUKS %s jest zbyt mały do uaktywnienia, nie ma miejsca pozostałego na dane." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Nie można określić rozmiaru klucza wolumenu dla LUKS bez kluczy, proszę użyć opcji --key-size." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Urządzenie uaktywnione, ale nie można uczynić flag trwałymi." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Klucz %d jest wybrany do usunięcia." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "To jest ostatni klucz. Urządzenie stanie się bezużyteczne po usunięciu tego klucza." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Dowolne pozostałe hasło: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Operacja przerwana, klucz NIE został wymazany.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Hasło do usunięcia: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS2." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Nowe hasło dla klucza: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "UWAGA: Parametr --key-slot jest używany do numeru nowego klucza.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Dowolne istniejące hasło: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Hasło, które ma być zmienione: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Nowe hasło: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Hasło dla klucza do konwersji: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "Dla operacji isLuks obsługiwany jest tylko jeden argument będący urządzeniem." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Miejsce %d nie zawiera niepowiązanego klucza." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2183,40 +2413,52 @@ msgstr "" "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n" "w bezpiecznym miejscu." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s nie jest nazwą aktywnego urządzenia %s." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s nie jest nazwą aktywnego urządzenia LUKS lub brak nagłówka." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Wymagana jest opcja --header-backup-file." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s nie jest urządzeniem zarządzanym przez cryptsetup." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Odświeżanie nie jest obsługiwane dla typu urządzenia %s" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Nie rozpoznany typ urządzenia metadanych %s." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Polecenie wymaga urządzenia i nazwy odwzorowywanej jako argumentów." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Proszę wprowadzić PSID OPAL: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Hasło administratora OPAL: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "UWAGA: CAŁY dysk będzie przywrócony do stanu fabrycznego i wszystkie dane zostaną utracone! Kontynuować?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2225,351 +2467,351 @@ msgstr "" "Ta operacja usunię wszystkie klucze na urządzeniu %s.\n" "Urządzenie po tej operacji stanie się bezużyteczne." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Operacja przerwana, klucze NIE zostały wymazane.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Błędny typ LUKS, obsługiwane są tylko luks1 i luks2." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Urządzenie już ma typ %s." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Ta operacja przekonwertuje %s do formatu %s.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Operacja przerwana, urządzenie NIE zostało skonwertowane.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Brak opcji --priority, --label lub --subsystem." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Token %d jest błędny." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Token %d jest w użyciu." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Nie udało się dodać tokenu %d do pęku kluczy luks2." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Nie udało się przypisać tokenu %d do klucza %d." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Token %d nie jest w użyciu." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Nie udało się zaimportować tokenu z pliku." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Nie udało się pobrać tokenu %d do eksportu." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Token %d nie jest przypisany do klucza %d." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Nie udało się usunąć przypisania tokenu %d do klucza %d." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Opcje --veracrypt i --disable-veracrypt są obsługiwane tylko dla typu urządzeń TCRYPT." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Opcja --veracrypt-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Opcja --veracrypt-query-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Opcje --veracrypt-pim i --veracrypt-query-pim wykluczają się wzajemnie." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Opcja --persistent nie jest dozwolona z --test-passphrase." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Opcje --refresh i --test-passphrase wykluczają się wzajemnie." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Opcja --offset z akcją open jest obsługiwana tylko dla urządzeń plain i loopaes." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "Opcja rozmiaru sektora z akcją open jest obsługiwana tylko dla urządzeń plain." -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Opcja dużych rozmiarów sektorów IV jest obsługiwana tylko przy otwieraniu urządzeń typu plain z sektorem większym niż 512 bajtów." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS, TRCYPT, BITLK i FVAULT2." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Opcji --device-size i --size nie można łączyć." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "Opcja --unbound jest dozwolona tylko dla operacji otwarcia urządzenia LUKS." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Opcja --unbound nie może być użyta bez --test-passphrase." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Opcje --cancel-deferred i --deferred nie mogą być użyte naraz." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Opcji --reduce-device-size i --data-size nie można łączyć." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Opcji --reduce-device-size i --device-size nie można łączyć." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Opcja --active-name może być ustawiona tylko dla urządzenia LUKS2." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Opcji --active-name i --force-offline-reencrypt nie można łączyć." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Wymagane jest określenie klucza." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Opcji --align-payload i --offset nie można łączyć." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Opcja --integrity-no-wipe może być użyta tylko do akcji formatowania z rozszerzeniem integralności." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "Przy opcji --unbound wymagany jest rozmiar klucza." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "Błędna akcja token." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Parametr --key-description jest wymagany do akcji dodania tokenu." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "Akcja wymaga określonego tokenu. Należy użyć parametru --token-id." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "Opcja --unbound jest dozwolona tylko dla operacji dodania tokenu." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Opcji --key-slot i --unbound nie można łączyć." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "Akcja wymaga określonego klucza. Należy użyć parametru --key-slot." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type ] []" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "otwarcie urządzenia jako " -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "zamknięcie urządzenia (usunięcie odwzorowania)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "zmiana rozmiaru aktywnego urządzenia" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "pokazanie stanu urządzenia" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher ]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "test szybkości szyfru" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "próba naprawy metadanych na dysku" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "ponowne szyfrowanie urządzenia LUKS2" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "usunięcie wszystkich kluczy (usunięcie klucza szyfrującego)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "przekonwertowanie formatu LUKS z/do LUKS2" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "ustawienie opcji trwałej konfiguracji dla LUKS2" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "sformatowanie urządzenia LUKS" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "dodanie klucza do urządzenia LUKS" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "usunięcie podanego klucza lub pliku klucza z urządzenia LUKS" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "zmiana podanego klucza lub pliku klucza urządzenia LUKS" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "konwersja klucza na nowe parametry pbkdf" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "wymazanie klucza o numerze z urządzenia LUKS" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "wypisanie UUID-a urządzenia LUKS" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "sprawdzenie pod kątem nagłówka partycji LUKS" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "zrzut informacji o partycji LUKS" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "zrzut informacji o urządzeniu TCRYPT" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "zrzut informacji o urządzeniu BITLK" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "zrzut informacji o urządzeniu FVAULT2" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Wstrzymanie urządzenia LUKS i wymazanie klucza (zamraża wszystkie operacje we/wy)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Wznowienie zatrzymanego urządzenia LUKS" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Kopia zapasowa nagłówka i kluczy urządzenia LUKS" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Odtworzenie nagłówka i kluczy urządzenia LUKS z kopii zapasowej" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Operacja na tokenach LUKS2" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2577,7 +2819,7 @@ msgstr "" "\n" " to jedno z:\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2589,7 +2831,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2604,7 +2846,7 @@ msgstr "" " to numer klucza LUKS do zmiany\n" " to opcjonalny plik nowego klucza dla akcji luksAddKey\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2613,29 +2855,28 @@ msgstr "" "\n" "Domyślny wkompilowany format metadanych to %s (dla akcji luksFormat).\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Obsługa zewnętrznych wtyczek tokenów LUKS2 jest %s.\n" +"Obsługa zewnętrznych wtyczek tokenów LUKS2 jest włączona.\n" -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "wkompilowana" - -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Ścieżka zewnętrznych wtyczek tokenów LUKS2: %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "wyłączona" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Obsługa zewnętrznych wtyczek tokenów LUKS2 jest wyłączona.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2652,7 +2893,7 @@ msgstr "" "Domyślny PBKDF dla LUKS2: %s\n" "\tCzas iteracji: %d, wymagana pamięć: %dkB, liczba wątków: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2667,96 +2908,100 @@ msgstr "" "\tplain: %s, bitów klucza: %d, skrót hasła: %s\n" "\tLUKS: %s, bitów klucza: %d, skrót nagłówka LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Domyślny rozmiar klucza z trybem XTS (dwa klucze wewnętrzne) będzie podwojony.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: wymaga %s jako argumentów" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Numer klucza jest nieprawidłowy." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "Rozmiar urządzenia musi być wielokrotnością 512-bajtowego sektora." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "Błędne określenie maksymalnego rozmiaru strefy hotzone ponownego szyfrowania." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "Rozmiar klucza musi być wielokrotnością 8 bitów" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 1GiB." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Rozmiar ograniczenia musi być wielokrotnością 512-bajtowego sektora." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Opcja --priority może mieć wartości tylko ignore/normal/prefer." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Wyświetlenie tego opisu" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Wyświetlenie krótkiej informacji o składni" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Wypisanie wersji pakietu" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Opcje pomocnicze:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[OPCJA...] " -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Brak argumentu ." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Nieznana akcja." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Dozwolony jest tylko jeden argument --key-file." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Funkcja pochodna klucza oparta na haśle (PBKDF) może być tylko pbkdf2 lub argon2i/argon2id." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Wymuszonych iteracji PBKDF nie można łączyć z opcją czasu iteracji." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Nie można dołączyć klucza wolumenu do pęku kluczy, kiedy pęk kluczy jest wyłączony." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Opcje --keyslot-cipher i --keyslot-key-size muszą być użyte łącznie." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Nie wykonano akcji. Wywołano z opcją --test-args.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Nie można wyłączyć blokowania metadanych." @@ -2821,7 +3066,7 @@ msgstr "Polecenie wymaga lub opcji --root-hash-file jako argu msgid " " msgstr " " -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "sformatowanie urządzenia" @@ -2837,7 +3082,7 @@ msgstr "weryfikacja urządzenia" msgid " []" msgstr " []" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "pokazanie stanu aktywnego urządzenia" @@ -2845,7 +3090,7 @@ msgstr "pokazanie stanu aktywnego urządzenia" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "wyświetlenie informacji z dysku" @@ -2875,11 +3120,11 @@ msgstr "" "Domyślnie wkompilowane parametry dm-verity:\n" "\tHasz: %s, blok danych (bajtów): %u, blok haszy (bajtów): %u, rozmiar zarodka: %u, format haszy: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Opcji --ignore-corruption oraz --restart-on-corruption nie można użyć naraz." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Opcji --panic-on-corruption oraz --restart-on-corruption nie można użyć naraz." @@ -2892,29 +3137,29 @@ msgstr "" "Ta operacja nieodwracalnie nadpisze dane na %s i %s.\n" "Aby zachować urządzenie danych, można użyć opcji --no-wipe (a następnie uaktywnić z --integrity-recalculate)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Sformatowano z rozmiarem znacznika %u, wewnętrzna integralność %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Ustawianie flagi recalculate nie jest obsługiwane, zamiast tego można rozważyć użycie --wipe." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Urządzenie %s nie jest prawidłowym urządzeniem INTEGRITY." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2925,7 +3170,7 @@ msgstr "" " to urządzenie do utworzenia pod %s\n" " to urządzenie zawierające dane ze znacznikami integralności\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2938,40 +3183,40 @@ msgstr "" "\tAlgorytm sumy kontrolnej: %s\n" "\tMaksymalny rozmiar pliku klucza: %dkB\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Błędny rozmiar --%s. Maksimum w bajtach to %u." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Muszą być podane obie opcje: pliku klucza i rozmiaru klucza." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Muszą być podane obie opcje: pliku klucza integralności i rozmiaru klucza." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Algorytm integralności kroniki musi być podany, jeśli używany jest klucz integralności kroniki." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Muszą być podane obie opcje: pliku szyfrowania kroniki i rozmiaru klucza." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Algorytm szyfrowania kroniki musi być podany, jeśli używany jest klucz szyfrowania kroniki." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Opcje trybu odtwarzania i bitmapy wykluczają się wzajemnie." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Opcji kroniki nie można używać w trybie bitmapy." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Opcje bitmapy mogą być używane tylko w trybie bitmapy." @@ -3164,7 +3409,7 @@ msgstr "Postęp: %5.1f%%, przewidywany czas zakończenia %s, %s, %s%s" msgid "Finished, time %s, %s, %s\n" msgstr "Zakończono, czas %s, %s, %s\n" -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Nie można sprawdzić jakości hasła: %s" @@ -3178,63 +3423,63 @@ msgstr "" "Sprawdzenie jakości hasła nie powiodło się:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Sprawdzenie jakości hasła nie powiodło się: błędne hasło (%s)" -#: src/utils_password.c:232 src/utils_password.c:246 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Błąd podczas odczytu hasła z terminala." -#: src/utils_password.c:244 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Weryfikacja hasła: " -#: src/utils_password.c:251 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Hasła nie zgadzają się." -#: src/utils_password.c:289 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Nie można użyć offsetu, jeśli wejściem jest terminal." -#: src/utils_password.c:293 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Hasło: " -#: src/utils_password.c:296 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Hasło dla %s: " -#: src/utils_password.c:330 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Dla tego hasła nie ma dostępnego klucza." -#: src/utils_password.c:332 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Brak dostępnego miejsca na klucz." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Nie udało się otworzyć pliku %s tylko do odczytu." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Poprawny token JSON dla LUKS2:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "Nie udało się odczytać pliku JSON." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3242,12 +3487,12 @@ msgstr "" "\n" "Odczyt przerwany." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Nie udało się otworzyć pliku %s do zapisu." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3255,7 +3500,7 @@ msgstr "" "\n" "Zapis przerwany." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "Nie udało się zapisać pliku JSON." @@ -3323,15 +3568,19 @@ msgstr "Urządzenie wymaga odtwarzania ponownego szyfrowania. Najpierw należy u msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS2. Czy wznowić uprzednio zainicjowaną operację?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Stara wersja ponownego szyfrowania LUKS2 nie jest już obsługiwana." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Nie można ponownie zaszyfrować urządzenia LUKS2 skonfigurowanego do używania OPAL." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Ponowne szyfrowanie urządzenia z profilem integralności nie jest obsługiwane." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3340,103 +3589,103 @@ msgstr "" "Żądany --sector-size % jest niezgodny z superblokiem %s\n" "(rozmiar bloku: % B), wykrytym na urządzeniu %s." -#: src/utils_reencrypt.c:494 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Szyfrowanie bez odłączonego nagłówka (--header) jest niemożliwe bez ograniczenia rozmiaru urządzenia danych (--reduce-device-size)." -#: src/utils_reencrypt.c:500 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Żądany offset danych musi być mniejszy lub równy połowie parametru --reduce-device-size." -#: src/utils_reencrypt.c:510 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Modyfikowanie wartości --reduce-device-size do dwukrotności parametru --offset % (w sektorach).\n" -#: src/utils_reencrypt.c:540 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Plik nagłówka %s już istnieje. Przerwano." -#: src/utils_reencrypt.c:542 src/utils_reencrypt.c:549 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Nie można utworzyć pliku tymczasowego nagłówka %s." -#: src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Rozmiar metadanych LUKS2 jest większy niż wartość przesunięcia danych." -#: src/utils_reencrypt.c:611 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Nie udało się umieścić nowego nagłówka na początku urządzenia %s." -#: src/utils_reencrypt.c:621 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie.\n" -#: src/utils_reencrypt.c:657 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Aktywne urządzenie %s nie jest urządzeniem LUKS2." -#: src/utils_reencrypt.c:685 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Odtwarzanie oryginalnego nagłówka LUKS2." -#: src/utils_reencrypt.c:693 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Odtwarzanie oryginalnego nagłówka LUKS2 nie powiodło się." -#: src/utils_reencrypt.c:719 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Plik nagłówka %s nie istnieje. Czy zainicjować odszyfrowywanie LUKS2 urządzenia %s i eksport nagłówka LUKS2 do pliku %s?" -#: src/utils_reencrypt.c:767 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Nie udało się dodać uprawnień odczytu/zapisu do pliku wyeksportowanego nagłówka." -#: src/utils_reencrypt.c:820 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Inicjowanie ponownego szyfrowania nie powiodło się. Kopia zapasowa nagłówka jest dostępna w %s." -#: src/utils_reencrypt.c:848 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "Odszyfrowanie LUKS2 jest obsługiwane tylko z urządzeniem z odłączonym nagłówkiem (z offsetem danych ustawionym na 0)." -#: src/utils_reencrypt.c:983 src/utils_reencrypt.c:992 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Za mało wolnych kluczy do ponownego szyfrowania." -#: src/utils_reencrypt.c:1013 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu." -#: src/utils_reencrypt.c:1022 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Hasło dla klucza %d: " -#: src/utils_reencrypt.c:1034 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Hasło dla klucza %u: " -#: src/utils_reencrypt.c:1086 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Zmiana szyfru do szyfrowania danych na %s.\n" -#: src/utils_reencrypt.c:1140 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Nie zmieniono parametrów segmentu danych. Ponowne szyfrowanie przerwane." -#: src/utils_reencrypt.c:1242 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3444,7 +3693,7 @@ msgstr "" "Zwiększanie rozmiaru sektora szyfrowania na urządzeniu offline nie jest obsługiwane.\n" "Należy najpierw uaktywnić urządzenie lub użyć opcji --force-offline-reencrypt (niebezpieczna!)." -#: src/utils_reencrypt.c:1282 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3453,62 +3702,62 @@ msgstr "" "\n" "Ponowne szyfrowanie przerwane." -#: src/utils_reencrypt.c:1287 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Wznawianie ponownego szyfrowania LUKS w wymuszonym trybie offline.\n" -#: src/utils_reencrypt.c:1304 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Urządzenie %s zawiera uszkodzone metadane LUKS. Przerwano operację." -#: src/utils_reencrypt.c:1320 src/utils_reencrypt.c:1342 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Urządzenie %s jest już urządzeniem LUKS. Przerwano operację." -#: src/utils_reencrypt.c:1348 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS. Przerwano operację." -#: src/utils_reencrypt.c:1421 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "Odszyfrowanie LUKS2 wymaga opcji --header." -#: src/utils_reencrypt.c:1469 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "Polecenie wymaga urządzenia jako argumentu." -#: src/utils_reencrypt.c:1482 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS1." -#: src/utils_reencrypt.c:1488 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS1." -#: src/utils_reencrypt.c:1494 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS2." -#: src/utils_reencrypt.c:1500 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS2." -#: src/utils_reencrypt.c:1506 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane. Przerywanie operacji." -#: src/utils_reencrypt.c:1513 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Ponowne szyfrowanie urządzenia nie jest w toku." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu." @@ -3644,35 +3893,35 @@ msgstr "UWAGA: urządzenie %s już zawiera sygnaturę partycji '%s'.\n" msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "UWAGA: urządzenie %s już zawiera sygnaturę superbloku '%s'.\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Nie udało się zainicjować sond sygnatur urządzeń." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "Nie udało się wykonać stat na urządzeniu %s." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Nie udało się otworzyć pliku %s do odczytu i zapisu." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Istniejąca sygnatura partycji '%s' na urządzeniu %s zostanie wymazana." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Istniejąca sygnatura superbloku '%s' na urządzeniu %s zostanie wymazana." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Nie udało się wymazać sygnatury urządzenia." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Nie udało się sprawdzić sygnatury urządzenia %s." @@ -3687,11 +3936,11 @@ msgstr "Błędne określenie rozmiaru w parametrze --%s." msgid "Option --%s is not allowed with %s action." msgstr "Opcja --%s nie jest dozwolona z akcją %s." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Nie udało się zapisać danych JSON tokenu SSH." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3707,105 +3956,109 @@ msgstr "" "\n" "Uwaga: informacje dostarczone przy dodawaniu tokenu (adres serwera SSH, użytkownik i ścieżki) zostaną zapisane w nagłówku LUKS2 czystym tekstem." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Opcje dla akcji 'add':" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "Adres IP/URL zdalnego serwera dla tego tokenu" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Nazwa użytkownika do użycia ze zdalnym serwerem" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Ścieżka do pliku klucza na zdalnym serwerze" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Ścieżka do klucza SSH do połączenia ze zdalnym serwerem" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Ścieżka do katalogu zawierającego tokeny zewnętrzne libcryptsetup" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Obszar klucza do przypisania tokenu. Domyślnie token zostanie przypisany do pierwszego obszaru pasującego do podanego hasła." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Opcje ogólne:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Wyświetlanie bardziej szczegółowych komunikatów błędów" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Wyświetlanie komunikatów diagnostycznych" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Wyświetlanie komunikatów diagnostycznych wraz z metadanymi JSON" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Nie udało się otworzyć i zaimportować klucza prywatnego:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Nie udało się zaimportować klucza prywatnego (zabezpieczony hasłem?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Hasło %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Nie udało się przeanalizować argumentów.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Musi być podana akcja\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Dla akcji '%s' musi być podane urządzenie.\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Dla akcji '%s' musi być podany serwer SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Dla akcji '%s' musi być podany użytkownik SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Dla akcji '%s' musi być podana ścieżka SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Dla akcji '%s' musi być podana ścieżka klucza SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Nie udało się otworzyć %s przy użyciu podanych danych uwierzytelniających.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Ta wtyczka obecnie obsługuje wyłącznie akcję 'add'.\n" diff --git a/po/ro.po b/po/ro.po index c12b283..ae2fac3 100644 --- a/po/ro.po +++ b/po/ro.po @@ -8,14 +8,16 @@ # Cronologia traducerii fișierului „cryptsetup”: # Traducerea inițială, făcută de R-GC, pentru versiunea cryptsetup 2.6.0-rc1. # Actualizare a traducerii pentru versiunea 2.6.1-rc0, făcută de R-GC, ian-2023. +# Actualizare a traducerii pentru versiunea 2.7.0-rc0, făcută de R-GC, noi-2023. +# Actualizare a traducerii pentru versiunea 2.7.0-rc1, făcută de R-GC, dec-2023. # Actualizare a traducerii pentru versiunea Y, făcută de X, Y(luna-anul). # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 10:02+0100\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-21 13:41+0100\n" "Last-Translator: Remus-Gabriel Chelu \n" "Language-Team: Romanian \n" "Language: ro\n" @@ -28,64 +30,68 @@ msgstr "" #: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." -msgstr "Nu se poate inițializa device-mapper, rulând ca utilizator non-root." +msgstr "Nu se poate inițializa «device-mapper», rulând ca utilizator non-root." #: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" -msgstr "Nu se poate inițializa device-mapper. Este încărcat modulul nucleului, «dm_mod»?" +msgstr "Nu se poate inițializa «device-mapper». Este încărcat modulul nucleului, «dm_mod»?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Fanionul de întârziere solicitat nu este acceptat." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID pentru dispozitivul %s a fost trunchiat." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Tip de țintă dm necunoscut." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Opțiunile de performanță dm-crypt solicitate nu sunt acceptate." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Opțiunile de gestionare a corupției datelor dm-verity solicitate nu sunt acceptate." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "Opțiunea de tasklets dm-verity solicitată nu este acceptată." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Opțiunile FEC dm-verity solicitate nu sunt acceptate." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Opțiunile de integritate a datelor solicitate nu sunt acceptate." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "Opțiunea sector_size solicitată nu este acceptată." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "Dimensiunea dispozitivului nu este un multiplu al dimensiunii solicitate a sectorului." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Recalcularea automată a etichetelor de integritate solicitată nu este acceptată." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Înlăturarea/Decuparea(TRIM) nu este acceptată." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Modul de hartă de biți dm-integrity solicitat nu este acceptat." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Nu s-a putut interoga segmentul dm-%s." @@ -119,676 +125,774 @@ msgstr "Calitatea solicitată pentru generatorul de numere aleatoare(RNG) este n msgid "Error reading from RNG." msgstr "Eroare la citirea din generatorul de numere aleatorii(RNG)." -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "Suportul pentru OPAL este dezactivat în libcryptsetup." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Dispozitivul %s sau nucleul nu acceptă criptarea OPAL." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Nu s-a putut inițializa utilitarul de criptare al generatorului de numere aleatorii(RNG)." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Nu s-a putut inițializa utilitarul de criptare ." -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Algoritmul sumei de control %s nu este acceptat." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Eroare de procesare a cheii (folosind suma de control %s)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Nu se poate determina tipul de dispozitiv. Activare a dispozitivului incompatibilă?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Această operație este acceptată doar pentru dispozitive LUKS." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Această operație este acceptată doar pentru dispozitive LUKS2." -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Toate sloturile pentru chei sunt ocupate." -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Slotul de cheie %d este nu este valid, selectați între 0 și %d." -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Slotul pentru chei %d este ocupat, selectați altul." -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea blocului logic al dispozitivului." -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Antet detectat, dar dispozitivul %s este prea mic." -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Această operație nu este suportată pentru acest tip de dispozitiv." -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Operație ilegală cu recriptare în curs." -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Nu s-au putut reîncărca metadatele LUKS2 în memorie." -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Dispozitivul %s nu este un dispozitiv LUKS valid." -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Versiunea %d de LUKS nu este acceptată." -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Nu a fost detectat niciun model cunoscut de specificație de cifrare pentru dispozitivul activ %s." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Dispozitivul %s nu este activ." -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Dispozitivul subiacent pentru dispozitivul criptat %s a dispărut." -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Parametrii de criptare simplă sunt incorecți." -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Dimensiunea cheii este nevalidă." -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "UUID-ul nu este acceptat pentru acest tip de criptare." -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Dispozitivul cu metadate detașate nu este acceptat pentru acest tip de criptare." -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Dimensiunea sectorului de criptare nu este acceptată." -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea sectorului solicitată." -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Formatarea LUKS fără dispozitiv nu este posibilă." -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "Alinierea datelor solicitată nu este compatibilă cu poziția datelor." -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "AVERTISMENT: Dispozitivul DAX poate corupe datele, deoarece nu garantează actualizări atomice ale sectoarelor.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Nu se poate șterge antetul pe dispozitivul %s." -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Dispozitivul %s este prea mic pentru activare, nu a mai rămas spațiu pentru date.\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "AVERTISMENT: Activarea dispozitivului va eșua, dm-crypt nu are suport pentru dimensiunea sectorului de criptare solicitată.\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Cheia de volum este prea mică pentru criptare cu extensii de integritate." -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Cifrul %s-%s (dimensiunea cheii %zd biți) nu este disponibil." -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "AVERTISMENT: dimensiunea metadatelor LUKS2 s-a schimbat la % octeți.\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "AVERTISMENT: dimensiunea zonei sloturilor de chei LUKS2 s-a schimbat la % octeți.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "AVERTISMENT: Activarea dispozitivului va eșua, dm-crypt nu are suport pentru dimensiunea sectorului de criptare solicitată.\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Dispozitivul %s este prea mic." -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Nu se poate formata dispozitivul %s, este în uz." -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Nu se poate formata dispozitivul %s; permisiune refuzată." -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Nu se poate formata integritatea pentru dispozitivul %s." -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Nu se poate formata dispozitivul %s." -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Nu se pot obține parametrii de aliniere OPAL." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Dimensiune falsă a blocului logic OPAL." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "Intervalul(offset) de date solicitat nu este compatibil cu dimensiunea blocului OPAL." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "Alinierea datelor solicitată nu este compatibilă cu alinierea OPAL." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "Intervalul datelor nu îndeplinește cerințele de aliniere OPAL." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "Alinierea datelor solicitată nu satisface cerințele de aliniere a intervalului de blocare." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Compensarea dimensiunii dispozitivului cu % sectoare pentru a-l alinia cu gradul de finețe al alinierii OPAL." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Nu s-a putut obține blocarea OPAL pe dispozitivul %s." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Cheie de administrare OPAL incorectă." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Nu se poate configura segmentul OPAL." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Nu se poate formata dispozitivul %s, dispozitivul OPAL pare a fi complet protejat la scriere acum." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Aceasta este probabil o eroare în firmware. Efectuați reinițierea PSID OPAL și reconectați-vă pentru recuperare." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "Reinițierea intervalului de blocare %d pe dispozitivul %s a eșuat." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Nu se poate formata LOOPAES fără dispozitiv." -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Nu se poate formata VERITY fără dispozitiv." -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Tip de sumă de control VERITY neacceptat %d." -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Dimensiunea blocului VERITY nu este acceptată." -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Decalajul sumei de control VERITY nu este acceptat." -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Decalajul FEC VERITY nu este acceptat." -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "Zona de date se suprapune cu zona de sume de control." -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "Zona sumelor de control se suprapune cu zona FEC." -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "Zona de date se suprapune cu zona FEC." -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "AVERTISMENT: Dimensiunea solicitată a etichetei %d octeți diferă de dimensiunea %s de ieșire (%d octeți).\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "A fost solicitat un tip de dispozitiv de criptare necunoscut %s." -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Parametri neacceptați pentru dispozitivul %s." -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Parametrii nepotriviți în dispozitivul %s." -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Dispozitivele de criptare nu se potrivesc." -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Nu s-a putut reîncărca dispozitivul %s." -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Nu s-a putut suspenda dispozitivul %s." -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Nu s-a putut reîncărca dispozitivul %s." -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Eroare fatală la reîncărcarea dispozitivului %s (în partea superioară a dispozitivului %s)." -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Nu s-a putut comuta dispozitivul %s la dm-error." -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Nu se poate redimensiona dispozitivul LUKS2 cu o dimensiune statică." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "Nu se poate redimensiona dispozitivul de buclă." -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "AVERTISMENT: Dimensiunea maximă a fost deja stabilită sau nucleul nu acceptă redimensionarea.\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Redimensionarea nu a reușit, nucleul nu acceptă redimensionarea." -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Chiar doriți să schimbați UUID-ul dispozitivului?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Fișierul de copie de rezervă pentru antet nu conține un antet LUKS compatibil." -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Volumul %s nu este activ." -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Volumul %s este deja suspendat." -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Suspendarea nu este acceptată pentru dispozitivul %s." -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Eroare la suspendarea dispozitivului %s." -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Dispozitivul %s a fost suspendat, dar dispozitivul hardware OPAL nu poate fi blocat." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Reluarea activității nu este acceptată pentru dispozitivul %s." -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Eroare la reluarea activității dispozitivului %s." -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Nu s-a putut lega cheia la inelul de chei specificat." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Nu s-a putut dezlega cheia de volum de la inelul de chei specificat de utilizator." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Nu s-a putut leg cheia de volum la inelul de chei specificat de utilizator." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Volumul %s nu este suspendat." -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Cheia de volum nu se potrivește cu volumul." -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Nu s-a putut efectua interschimbarea cu noul slot pentru cheie." -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "Slotul de cheie %d nu este valid." -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "Slotul de cheie %d nu este activ." -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "Antetul dispozitivului se suprapune cu zona de date." -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Recriptare în curs. Nu se poate activa dispozitivul." -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Nu s-a putut obține blocarea pentru recriptare." -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "Recuperarea recriptării LUKS2 a eșuat." -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Tipul de dispozitiv nu este inițializat corect." -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Dispozitivul %s există deja." -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Nu se poate folosi dispozitivul %s, numele este nevalid sau este încă în uz." -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Este specificată o cheie de volum incorectă pentru un dispozitiv cu criptare normală." -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "Sumă de control rădăcină incorectă specificată pentru dispozitivul verity." - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "Este necesară semnătura de sumă de control rădăcină." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "Inelul de chei pentru nucleu nu este acceptat de nucleu actual." -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Lipsește inelul de chei pentru nucleu: este necesar pentru transmiterea semnăturii către nucleu." -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "Nu s-a putut încărca cheia în inelul de chei al nucleului." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "Sumă de control rădăcină incorectă specificată pentru dispozitivul verity." + +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "OPAL nu acceptă dezactivarea amânată." -#: lib/setup.c:4736 +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Nu s-a putut anula eliminarea întârziată din dispozitivul %s." -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Dispozitivul %s este încă în uz." -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Dispozitiv nevalid %s." -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Memoria tampon a cheii de volum este prea mică." -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS2." -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS1." -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Nu se poate recupera tasta de volum pentru dispozitivul normal." -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "Nu se poate recupera suma de control rădăcină pentru dispozitivul verity." -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Nu se poate recupera cheia de volum pentru dispozitivul BITLK." -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Nu se poate recupera cheia de volum pentru dispozitivul FVAULT2." -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Această operație nu este acceptată pentru dispozitivul criptat %s." -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Operația de descărcare nu este acceptată pentru acest tip de dispozitiv." -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Decalajul datelor nu este multiplu de %u octeți." -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Nu se poate converti dispozitivul %s care este încă în uz." -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Nu s-a putut atribui slotul %u ca nouă cheie de volum." -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Nu s-au putut inițializa parametrii impliciți pentru slotul de cheie LUKS2." -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Nu s-a putut aloca slotul de cheie %d pentru a digera." -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Nu se poate adăuga slotul pentru cheie, toate sloturile sunt dezactivate și nu este furnizată nicio cheie pentru volum." -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "Inelul de chei pentru nucleu nu este acceptat de nucleu actual." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Nu s-a putut încărca cheia în inelul de chei al nucleului." + +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Nu s-a putut dezlega cheia de la inelul de chei al firului." -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Nu s-a putut citi expresia de acces din inelul de chei (eroarea %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Nu s-a putut găsi inelul de chei descris de „%s”." -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Nu s-a putut obține blocarea de serializare a accesului la memoria-hardwarw globală." -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Nu s-a putut deschide fișierul cheii." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Nu se poate citi fișierul de cheie de la un terminal." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "Nu s-a putut obține starea fișierului de cheie." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Nu se poate căuta poziția fișierului de cheie solicitat." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Memoria epuizată în timpul citirii frazei de acces." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Eroare la citirea frazei de acces." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Nimic de citit la intrare." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Dimensiunea maximă a fișierului de cheie a fost depășită." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Nu se poate citi cantitatea de date solicitată." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Dispozitivul %s nu există sau accesul a fost refuzat." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Dispozitivul %s nu este compatibil." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Se ignoră dimensiunea optimă de transfer de date falsă pentru dispozitivul de date (%u octeți)." -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Dispozitivul %s este prea mic. Aveți nevoie de cel puțin % octeți." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Nu se poate utiliza dispozitivul %s care este în uz (deja cartografiat sau montat)." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Nu se poate utiliza dispozitivul %s, permisiune refuzată." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "Nu se pot obține informații despre dispozitivul %s." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Nu se poate utiliza un dispozitiv loopback, deoarece programul nu rulează cu privilegii de root." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Atașarea dispozitivului de loopback a eșuat (este necesar un dispozitiv de buclă cu fanion de ștergere automată)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Decalajul solicitat depășește dimensiunea reală a dispozitivului %s." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Dispozitivul %s are dimensiune zero." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Ora specificată pentru PBKDF nu poate fi zero." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Tip PBKDF necunoscut %s." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "Suma de control solicitată %s nu este acceptată." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Tipul PBKDF solicitat nu este acceptat pentru LUKS1." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "Memoria maximă PBKDF sau firele de execuție paralele nu trebuie definite cu pbkdf2." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Numărul de iterații forțate este prea mic pentru %s (minimul este %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Costul memoriei forțate este prea mic pentru %s (minimul este de %u kiloocteți)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Costul maxim de memorie PBKDF solicitat este prea mare (maximul este de %d kiloocteți)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "Memoria PBKDF maximă solicitată nu poate fi zero." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Firele paralele de execuție PBKDF solicitate nu pot fi zero." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Doar PBKDF2 este acceptat în modul FIPS." -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Testarea PBKDF este dezactivată, dar numărul de iterații nu este definit." -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Opțiuni PBKDF2 incompatibile (folosind algoritmul de sumă de control %s)." -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Opțiuni PBKDF2 incompatibile." #: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." -msgstr "Blocarea a fost anulată. Calea de blocare %s/%s este inutilizabilă (nu este un director sau lipsește)." +msgstr "Blocarea a fost anulată. Ruta de blocare %s/%s este inutilizabilă (nu este un director sau lipsește)." #: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." -msgstr "Blocarea a fost anulată. Calea de blocare %s/%s este inutilizabilă (%s nu este un director)." +msgstr "Blocarea a fost anulată. Ruta de blocare %s/%s este inutilizabilă (%s nu este un director)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Nu se poate căuta la poziția dispozitivului." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Eroare de ștergere a dispozitivului, decalaj %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "PSID OPAL incorect." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Nu se poate șterge dispozitivul OPAL." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -808,7 +912,7 @@ msgstr "Specificațiile de cifrare ar trebui să fie în formatul [cifrarea]-[mo #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Nu se poate scrie în dispozitivul %s, permisiune refuzată." @@ -822,17 +926,17 @@ msgid "Failed to access temporary keystore device." msgstr "Nu s-a putut accesa dispozitivul pentru stocarea temporară a cheilor." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Eroare de In/Ieș în timpul criptării slotului de cheie." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -854,32 +958,32 @@ msgstr "Dispozitivul %s este prea mic. (LUKS1 necesită cel puțin % oct msgid "LUKS keyslot %u is invalid." msgstr "Slotul de cheie LUKS %u nu este valid." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Fișierul de copie de rezervă pentru antetul solicitat %s există deja." -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Nu se poate crea fișierul de copie de rezervă al antetului %s." -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Nu se poate scrie fișierul de copie de rezervă al antetului %s." -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Fișierul de copie de rezervă nu conține antet LUKS valid." #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Nu se poate deschide fișierul de copie de rezervă al antetului %s." -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Nu se poate citi fișierul de copie de rezervă al antetului %s." @@ -901,7 +1005,7 @@ msgstr "nu conține antetul LUKS. Înlocuirea antetului poate distruge datele de msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "conține deja antetul LUKS. Înlocuirea antetului va distruge sloturile de chei existente." -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -975,7 +1079,7 @@ msgstr "Modul de cifrare LUKS %s este nevalid." msgid "LUKS hash %s is invalid." msgstr "Suma de control(hash) LUKS %s nu este validă." -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "Nu s-a detectat nicio problemă cunoscută pentru antetul LUKS." @@ -994,8 +1098,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Decalajul datelor pentru antetul LUKS trebuie să fie 0 sau mai mare decât dimensiunea antetului." #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Formatul UUID LUKS furnizat este greșit." @@ -1032,7 +1136,7 @@ msgstr "Nu se poate deschide slotul de cheie (folosind suma de control(hash) %s) msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Slotul de cheie %d nu este valid, selectați slotul de cheie între 0 și %d." -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Nu se poate șterge dispozitivul %s." @@ -1053,48 +1157,48 @@ msgstr "S-a detectat un fișier de cheie loop-AES incompatibil." msgid "Kernel does not support loop-AES compatible mapping." msgstr "Nucleul nu acceptă asocierea compatibilă cu bucla loop-AES." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Eroare la citirea fișierului de cheie %s." -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Lungimea maximă a frazei de acces TCRYPT (%zu) a fost depășită." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Algoritmul sumei de control(hash) PBKDF2 %s nu este disponibil, se omite." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "Interfața necesară de criptare a nucleului nu este disponibilă." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Asigurați-vă că aveți modulul nucleului «algif_skcipher», încărcat." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Activarea nu este acceptată pentru dimensiunea sectorului de %d." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Nucleul nu acceptă activarea pentru acest mod vechi TCRYPT." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Se activează criptarea sistemului TCRYPT pentru partiția %s." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Nucleul nu acceptă asocierea compatibilă cu TCRYPT." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Această funcție nu este acceptată fără încărcarea antetului TCRYPT." @@ -1153,74 +1257,74 @@ msgstr "Nu s-au putut citi intrările de metadate BITLK de la %s." msgid "Failed to convert BITLK volume description" msgstr "Nu s-a putut converti descrierea volumului BITLK" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Tip neașteptat de intrare de metadate „%u” găsit la analizarea cheii externe." -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "GUID-ul fișierului BEK „%s”, nu se potrivește cu GUID-ul volumului." -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Valoare neașteptată a intrării metadatelor „%u”, a fost găsită la analizarea cheii externe." -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Versiune neacceptată de metadate BEK %" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Dimensiune neașteptată a metadatelor BEK %, nu se potrivește cu lungimea fișierului BEK" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Intrare neașteptată de metadate găsită la analizarea cheii de pornire." -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Această operație nu este acceptată." -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Dimensiune neașteptată a datelor cheii." -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Acest dispozitiv BITLK este într-o stare neacceptată și nu poate fi activat." -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Dispozitivele BITLK de tip „%s” nu pot fi activate." -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Activarea dispozitivului BITLK parțial decriptat nu este acceptată." -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "AVERTISMENT: dimensiunea volumului BitLocker % nu se potrivește cu dimensiunea dispozitivului subiacent %" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Nu se poate activa dispozitivul, modulul nucleului «dm-crypt» nu are suport pentru BITLK IV." -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Dispozitivul nu poate fi activat, modulul nucleului «dm-crypt» nu are suport pentru difuzorul BITLK Elephant." -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." -msgstr "Dispozitivul nu poate fi activat, kernel-ul dm-crypt nu are suport pentru dimensiune mare a sectorului." +msgstr "Dispozitivul nu poate fi activat, nucleul dm-crypt nu are suport pentru dimensiune mare a sectorului." -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Dispozitivul nu se poate activa, modulul nucleului, «dm-zero», lipsește." @@ -1258,28 +1362,32 @@ msgstr "Formatul UUID VERITY furnizat pe dispozitivul %s este greșit." msgid "Error during update of verity header on device %s." msgstr "Eroare la actualizarea antetului Verity pe dispozitivul %s." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "Verificarea semnăturii sumei de verificare(hash) rădăcină nu este acceptată." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Este necesară semnătura de sumă de control rădăcină." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Erorile nu pot fi reparate cu dispozitivul FEC." -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "S-au găsit %u erori reparabile cu dispozitivul FEC." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "Nucleul nu acceptă asocierea dm-verity." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "Nucleul nu acceptă opțiunea de semnătură dm-verity." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Dispozitivul verity a detectat corupție după activare." @@ -1373,7 +1481,7 @@ msgstr "Nu s-a putut determina dimensiunea pentru dispozitivul %s." msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Metadate incompatibile cu modulul nucleului «dm-integrity» (versiunea %u) detectate pe %s." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "Nucleul nu acceptă asocierea dm-integrity." @@ -1385,8 +1493,8 @@ msgstr "Nucleul nu acceptă alinierea metadatelor fixe dm-integrity." msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Nucleul refuză să activeze opțiunea de recalculare nesigură (consultați opțiunile de activare vechi pentru a le înlocui)." -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Nu s-a putut obține blocarea la scriere pe dispozitivul %s." @@ -1403,49 +1511,59 @@ msgstr "" "Dispozitivul conține semnături ambigue, nu se poate recupera automat LUKS2.\n" "Rulați «cryptsetup repair» pentru recuperare." -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "AVERTISMENT: zona sloturilor de chei (% octeți) este foarte mică, numărul de sloturi de chei LUKS2 disponibil este foarte limitat.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "Decalajul de date solicitat este prea mic." -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "AVERTISMENT: zona sloturilor de chei (% octeți) este foarte mică, numărul de sloturi de chei LUKS2 disponibil este foarte limitat.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "AVERTISMENT: dimensiunea metadatelor LUKS2 s-a schimbat la % octeți.\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "AVERTISMENT: dimensiunea zonei sloturilor de chei LUKS2 s-a schimbat la % octeți.\n" + +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Nu s-a putut obține blocarea pentru citire pe dispozitivul %s." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Cerințe LUKS2 interzise detectate în copia de rezervă %s." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Decalajul datelor diferă între dispozitiv și copia de rezervă, restaurare eșuată." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Antetul binar cu dimensiunea zonelor sloturilor pentru chei diferă între dispozitiv și copia de rezervă, restaurare eșuată." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Dispozitiv %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "nu conține antetul LUKS2. Înlocuirea antetului poate distruge datele de pe acest dispozitiv." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "conține deja antetul LUKS2. Înlocuirea antetului va distruge sloturile de chei existente." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1455,7 +1573,7 @@ msgstr "" "AVERTISMENT: cerințe necunoscute LUKS2 detectate în antetul dispozitivului real!\n" "Înlocuirea antetului cu copia de rezervă poate deteriora datele de pe acest dispozitiv!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1465,58 +1583,92 @@ msgstr "" "AVERTISMENT: Recriptare „offline” nefinalizată detectată pe dispozitiv!\n" "Înlocuirea antetului cu copia de rezervă poate deteriora datele." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "S-a ignorat fanionul necunoscut %s." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Lipsește cheia pentru segmentul dm-crypt %u" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Nu s-a putut definii segmentul dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Nu s-a putut definii segmentul dm-linear." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "Nu s-a detectat niciun model de specificație de cifrare cunoscut în antetul LUKS2." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "Dispozitivul OPAL trebuie să aibă dimensiunea dispozitivului statică." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Dispozitivul OPAL criptat cu integritate trebuie să fie mai mic decât intervalul de blocare." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "Dispozitivul OPAL trebuie să aibă aceeași dimensiune ca și intervalul de blocare." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Dispozitivul OPAL %s este deja deblocat.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Configurație de integritate a dispozitivului neacceptată." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Dispozitiv dm-integrity subiacent cu sectoare de date neașteptate furnizate." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Recriptare în curs. Nu se poate dezactiva dispozitivul." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Nu s-a putut înlocui dispozitivul suspendat %s cu ținta dm-error." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Dispozitivul %s a fost dezactivat, dar dispozitivul hardware OPAL nu poate fi blocat." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Nu s-au putut citi cerințele LUKS2." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Au fost detectate cerințe LUKS2 neîndeplinite." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare învechită. Se abandonează." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare LUKS2. Se abandonează." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Operație incompatibilă cu dispozitivul care utilizează OPAL. Se abandonează." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Nu există suficientă memorie disponibilă pentru a deschide un slot de cheie." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Deschiderea slotului de cheie a eșuat." @@ -1525,330 +1677,342 @@ msgstr "Deschiderea slotului de cheie a eșuat." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Nu se poate utiliza cifrul %s-%s pentru criptarea slotului de cheie." -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "Algoritmul sumei de control(hash) %s nu este disponibil." -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Avertisment: operația pe slotul de chei poate eșua, deoarece necesită mai mult decât memoria disponibilă.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Nu există spațiu pentru noul slot de cheie." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "A fost solicitată o schimbare incorectă a modului de adaptabilitate pentru recriptare." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Nu se poate actualiza tipul de adaptabilitate. Tipul nou oferă numai % octeți, spațiul necesar este: % octeți." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Nu s-a putut reîmprospăta calcularea sumei de control de verificare a recriptării." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Nu se poate verifica starea dispozitivului cu uuid: %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Nu s-a putut converti antetul cu metadate suplimentare LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Nu se poate utiliza specificația de cifrare %s-%s pentru LUKS2." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Nu se poate muta zona slotului pentru chei. Spațiu insuficient." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Nu se poate converti în format LUKS2 - metadate nevalide." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Nu se poate muta zona slotului pentru chei. Zona sloturilor pentru chei LUKS2 este prea mică." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Nu se poate muta zona slotului pentru chei." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Nu se poate converti în format LUKS1 - dimensiunea implicită a sectorului de criptare al segmentului nu este de 512 octeți." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Nu se poate converti în formatul LUKS1 - calcularea sumelor de control ale slotului de cheie nu este compatibilă cu LUKS1." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul folosește cifrul de cheie încapsulat %s." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul utilizează mai multe segmente." -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Nu se poate converti în formatul LUKS1 - antetul LUKS2 conține %u jetoane(tokens)." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u este într-o stare nevalidă." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Nu se poate converti în formatul LUKS1 - slotul %u (peste sloturile maxime) este încă activ." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u nu este compatibil cu LUKS1." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Dimensiunea zonei „fierbinți” (active) trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Nu s-a putut inițializa vechea încapsulare de stocare a segmentului." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Nu s-a putut inițializa noua încapsulare de stocare a segmentului." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Nu s-a putut inițializa protecția zonei „fierbinți” (active)." -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Nu s-au putut citii sumele de control pentru zona „fierbinte” (activă) actuală." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Nu s-a putut citi zona „fierbinte” (activă) începând cu %." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Nu s-a putut decripta sectorul %zu." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Nu s-a putut recupera sectorul %zu." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Dimensiunile dispozitivelor sursă și țintă nu se potrivesc. Sursa %, ținta: %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Nu s-a putut activa zona „fierbinte” (activă) a dispozitivului %s." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Nu s-a putut activa dispozitivul de suprapunere %s cu tabelul de origine actual." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Nu s-a putut încărca noua asociere pentru dispozitivul %s." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Nu s-a putut reîmprospăta stiva de dispozitive de recriptare." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Nu s-a putut definii dimensiunea zonei noilor sloturi pentru chei." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Valoarea deplasării datelor nu este aliniată la dimensiunea sectorului de criptare (% octeți)." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Modul de adaptabilitate neacceptat %s" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "Dimensiunea segmentului mutat nu poate fi mai mare decât valoarea deplasării de date." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Parametri de adaptabilitate de recriptare nevalizi." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Segmentul mutat este prea mare. Dimensiunea solicitată este de %, iar spațiul disponibil pentru aceasta este de: %." -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Nu s-a putut șterge tabelul." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "Dimensiunea redusă a datelor este mai mare decât dimensiunea dispozitivului real." -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Dispozitivul de date nu este aliniat la dimensiunea sectorului de criptare (% octeți)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Deplasarea datelor (% sectoare) este mai mică decât decalajul viitor al datelor (% sectoare)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Nu s-a putut deschide %s în modul exclusiv (deja cartografiat sau montat)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Dispozitivul nu este marcat pentru recriptarea LUKS2." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Nu s-a putut încărca contextul de recriptare LUKS2." -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Nu s-a putut obține stadiul recriptării." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Dispozitivul nu se află în recriptare." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Procesul de recriptare rulează deja." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Nu s-a putut obține blocarea pentru recriptare." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Nu se poate continua cu recriptarea. Rulați mai întâi recuperarea recriptării." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "Dimensiunea dispozitivului activ și dimensiunea de recriptare solicitată nu se potrivesc." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "Dimensiunea dispozitivului solicitată în parametrii de recriptare este incorectă." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Recriptare în curs. Nu se poate efectua recuperarea." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Recriptare LUKS2 deja inițializată în metadate." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Nu s-a putut inițializa recriptarea LUKS2 în metadate." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Recriptarea nu este acceptată pentru dispozitivele DAX (memorie persistentă)." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Nu s-a putut citi expresia de acces din inelul de chei." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Nu s-au putut definii segmentele dispozitivului pentru următoarea zonă „fierbinte” (activă) de recriptare." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Nu s-au putut scrie metadatele adaptabilității recriptării." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Decriptarea a eșuat." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Nu s-a putut scrie zona „fierbinte” (activă) începând de la %." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Nu s-au putut sincroniza datele." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Nu s-au putut actualiza metadatele după finalizarea zonei „fierbinți” (active) de recriptare actuală." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Nu s-au putut scrie metadatele LUKS2." -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Nu s-a putut șterge zona nefolosită a dispozitivului de date." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Nu s-a putut elimina slotul de cheie neutilizat (neasociat) %d." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Nu s-a putut elimina slotul de cheie de recriptare." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Eroare fatală la recriptarea porțiunii începând de la %, % sectoare lungi." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Recriptarea «online» a eșuat." -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Nu reluați dispozitivul decât dacă este înlocuit manual cu ținta erorii." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Nu se poate continua cu recriptarea. Stare neașteptată a recriptării." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Context de recriptare lipsă sau nevalid." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Nu s-a putut inițializa stiva dispozitivului de recriptare." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Nu s-a putut actualiza contextul de recriptare." @@ -1856,80 +2020,121 @@ msgstr "Nu s-a putut actualiza contextul de recriptare." msgid "Reencryption metadata is invalid." msgstr "Metadatele de recriptare sunt nevalide." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "Intervalul OPAL %d poziția % nu se potrivește cu valorile așteptate %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "Intervalul OPAL %d lungime % nu se potrivește cu lungimea dispozitivului %." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "Intervalul OPAL %d de blocare este dezactivat." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Stare de blocare neașteptată a intervalului OPAL %d." + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Parametrii de criptare a slotului de cheie pot fi stabiliți numai pentru dispozitivul LUKS2." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Introduceți codul PIN al jetonului: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Introduceți codul PIN al jetonului(token) %d: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Nu s-a detectat niciun model de specificație de cifrare cunoscut." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "AVERTISMENT: Se utilizează opțiunile implicite pentru cifrare (%s-%s, dimensiunea cheii %u biți) care ar putea fi incompatibile cu versiunile mai vechi." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "AVERTISMENT: Se utilizează opțiunile implicite pentru suma de control „hash” (%s) care ar putea fi incompatibile cu versiunile mai vechi." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "Pentru modul simplu, utilizați întotdeauna opțiunile „--cipher”, „--key-size” și dacă nu este folosit fișierul de chei, atunci și opțiunea „--hash”." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "AVERTISMENT: Parametrul „--hash” este ignorat în modul simplu, cu fișierul de cheie specificat.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "AVERTISMENT: Opțiunea „--keyfile-size” este ignorată, dimensiunea de citire este aceeași cu dimensiunea cheii de criptare.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "Scanarea «blkid» a eșuat pentru %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "S-au detectat semnături de dispozitiv pe %s. Continuarea operației, riscă să deterioreze datele existente." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Operația se întrerupe.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Opțiunea „--key-file” este necesară." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Introduceți PIM-ul VeraCrypt: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Valoare PIM nevalidă: eroare de analizare." -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Valoare PIM nevalidă: 0." -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Valoare PIM nevalidă: în afara intervalului." -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "Nu a fost detectat niciun antet de dispozitiv cu această frază de acces." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Dispozitivul %s nu este un dispozitiv BITLK valid." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Nu se poate determina dimensiunea cheii de volum pentru BITLK; utilizați opțiunea „--key-size” pentru a o furniza." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1939,7 +2144,7 @@ msgstr "" "care permite accesul la partiția criptată fără fraza de acces.\n" "Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1949,103 +2154,110 @@ msgstr "" "care permite accesul la partiția criptată fără fraza de acces.\n" "Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Dispozitivul %s nu este un dispozitiv FVAULT2 valid." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Nu se poate determina dimensiunea cheii de volum pentru FVAULT2; utilizați opțiunea „--key-size” pentru a o furniza." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Dispozitivul %s este încă activ și programat pentru eliminare temporizată.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Nu s-a putut definii ruta jetoanelor(tokens) externe %s." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Redimensionarea dispozitivului activ necesită cheia de volum în inelul de chei, dar opțiunea „--disable-keyring” este furnizată." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Testarea pentru evaluarea performanței a fost întreruptă." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s (neaplicabil)\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u iterații pe secundă pentru cheia %zu-bit\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s (neaplicabil)\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u iterații, %5u memorie, %1u fire paralele (CPU-uri) pentru cheia %zu-bit (timpul necesitat %u ms)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Rezultatul testului de evaluare a performanței nu este fiabil." -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Testele sunt aproximative folosind doar memoria (fără In/Ieș de stocare).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Algoritm | Cheie | Criptare | Decriptare\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Cifrarea %s (cu cheie de %i biți) nu este disponibilă." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Algoritm | Cheie | Criptare | Decriptare\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "nedisponibil" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "Au fost detectate metadate neprotejate de recriptare LUKS2. Verificați că operațiunea de recriptare este de dorit (consultați ieșirea luksDump) și continuați (să actualizați metadatele) numai dacă recunoașteți operația ca fiind autentică." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Introduceți fraza de acces pentru a proteja și actualiza metadatele de recriptare: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Continuați cu adevărat cu recuperarea recriptării LUKS2?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Introduceți fraza de acces pentru a verifica calcularea sumele de control a metadatelor de recriptare: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Introduceți fraza de acces pentru recuperarea recriptării: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Încercați cu adevărat să reparați antetul dispozitivului LUKS?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2053,7 +2265,7 @@ msgstr "" "\n" "Ștergere întreruptă." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2061,128 +2273,144 @@ msgstr "" "Se șterge dispozitivul pentru a inițializa calcularea sumei de control a integrității.\n" "Puteți întrerupe acest lucru apăsând CTRL+c (restul dispozitivului care nu este șters va conține o sumă de control nevalidă).\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Nu se poate dezactiva dispozitivul temporar %s." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "Opțiunea de integritate poate fi utilizată numai pentru formatul LUKS2." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Opțiuni de dimensiune a metadatelor LUKS2 neacceptate." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "OPAL este acceptat numai pentru formatul LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Fișierul antet nu există, doriți să îl creați?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Nu se poate crea fișierul antet %s." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Nu a fost detectat niciun model de specificație de integritate cunoscut." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Nu se poate folosi %s ca antet pe disc." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Acest lucru va suprascrie datele de pe %s în mod irevocabil." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Parola de administrator OPAL nu poate fi goală." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Nu s-au putut definii parametrii pbkdf." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "Specificația tipului din specificația pentru inelul de chei „--link-vk-to-keyring” este ignorată." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Valoare nevalidă a opțiunii „--link-vk-to-keyring”." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Decalajul redus de date este permis numai pentru antetul LUKS detașat." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "Containerul de fișiere LUKS %s este prea mic pentru activare, nu mai rămâne spațiu pentru date." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Nu se poate determina dimensiunea cheii de volum pentru LUKS fără sloturi de chei; folosiți opțiunea „--key-size” pentru a furniza aceste date." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Dispozitivul a fost activat, dar nu se poate face ca fanioanele să fie persistente." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Slotul de cheie %d este selectat pentru ștergere." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Acesta este ultimul slot de cheie. Dispozitivul va deveni inutilizabil după eliminarea acestei chei." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Introduceți orice frază de acces rămasă: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Operația a fost întreruptă, slotul de cheie NU a fost șters.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Introduceți fraza de acces pentru a fi ștearsă: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Dispozitivul %s nu este un dispozitiv LUKS2 valid." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Introduceți noua frază de acces pentru slotul de cheie: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "AVERTISMENT: Parametrul „--key-slot” este utilizat pentru noul număr de slot de cheie.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Introduceți orice frază de acces existentă: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Introduceți fraza de acces pentru a fi schimbată: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Introduceți nouă frază de acces: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Introduceți fraza de acces pentru slotul de cheie care urmează să fie convertit: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "Doar un singur dispozitiv este admis ca argument pentru operația isLuks." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Slotul de cheie %d nu conține o cheie neasociată." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2190,40 +2418,52 @@ msgstr "" "Conținutul antetului cu cheia neasociată este o informație sensibilă.\n" "Acest conținut ar trebui să fie stocat criptat într-un loc sigur." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s nu este numele dispozitivului activ %s." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s nu este numele unui dispozitiv LUKS activ sau antetul lipsește." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Este necesară opțiunea „--header-backup-file”." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s nu este un dispozitiv gestionat de «cryptsetup»." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Reîmprospătarea nu este disponibilă pentru tipul de dispozitiv %s" -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Tip de dispozitiv de metadate nerecunoscut %s." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Comanda necesită un dispozitiv și numele asociat acestuia ca argumente." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Introduceți PSID OPAL: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Introduceți parola de administrator OPAL: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "AVERTISMENT: ÎNTREGUL disc va fi reinițializat la valorile din fabrică și toate datele se vor pierde! Continuați?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2232,351 +2472,351 @@ msgstr "" "Această operație va șterge toate sloturile de chei de pe dispozitivul %s.\n" "Dispozitivul va deveni inutilizabil după această operație." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Operația a fost întreruptă, sloturile de chei NU au fost șterse.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Tip LUKS nevalid, numai luks1 și luks2 sunt acceptate." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Dispozitivul este deja de tip %s." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Această operație va converti %s în formatul %s.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Operația a fost întreruptă, dispozitivul NU a fost convertit.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Opțiunea „--priority”, „--label” sau „--subsystem” lipsește." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Jetonul(token) %d nu este valid." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Jetonul(token) %d este în uz." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Nu s-a putut adăuga jetonul(token) %d la inelul de chei luks2." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Nu s-a putut atribui jetonul(token) %d slotului pentru cheie %d." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Jetonul %d nu este în uz." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Nu s-a putut importa jetonul din fișier." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Nu s-a putut obține jetonul %d pentru export." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Jetonul %d nu este alocat slotului de cheie %d." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Nu s-a putut anula atribuirea jetonului %d din slotul de cheie %d." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Opțiunea „--tcrypt-hidden”, „--tcrypt-system” sau „--tcrypt-backup” este acceptată doar pentru dispozitivele TCRYPT." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Opțiunea „--veracrypt” sau „--disable-veracrypt” este acceptată numai pentru tipul de dispozitiv TCRYPT." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Opțiunea „--veracrypt-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Opțiunea „--veracrypt-query-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Opțiunile „--veracrypt-pim” și „--veracrypt-query-pim” se exclud reciproc." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Opțiunea „--persistent” nu este permisă cu opțiunea „--test-passphrase”." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Opțiunile „--refresh” și „--test-passphrase” se exclud reciproc." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "Opțiunea „--shared” este permisă numai pentru deschiderea unui dispozitiv simplu." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Opțiunea „--skip” este acceptată numai pentru deschiderea dispozitivelor simple și a dispozitivelor loopaes." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Opțiunea „--offset” cu acțiune de deschidere este acceptată numai pentru dispozitivele simple și dispozitivele loopaes." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Opțiunea „--tcrypt-hidden” nu poate fi combinată cu opțiunea „--allow-discards”." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "Opțiunea de dimensiune a sectorului cu acțiune de deschidere este acceptată numai pentru dispozitivele simple." -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Opțiunea sectoare IV (vector de inițializare) mari este acceptată numai pentru deschiderea dispozitivelor de tip simplu, cu dimensiunea sectorului mai mare de 512 de octeți." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "Opțiunea „--test-passphrase” este permisă numai pentru deschiderea dispozitivelor LUKS, TCRYPT, BITLK și FVAULT2." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Opțiunile „--device-size” și „--size” nu pot fi combinate." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "Opțiunea „--unbound” este permisă numai pentru deschiderea dispozitivelor luks." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Opțiunea „--unbound” nu poate fi utilizată fără opțiunea „--test-passphrase”." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Opțiunile „--cancel-deferred” și „--deferred” nu pot fi utilizate în același timp." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Opțiunile „--reduce-device-size” și „--data-size” nu pot fi combinate." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Opțiunile „--reduce-device-size” și „--device-size” nu pot fi combinate." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Opțiunea „--active-name” poate fi utilizată numai pentru dispozitivele LUKS2." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Opțiunile „--active-name” și „--force-offline-reencrypt” nu pot fi combinate." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Este necesară specificarea slotului de cheie." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Opțiunile „--align-payload” și „--offset” nu pot fi combinate." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Opțiunea „--integrity-no-wipe” poate fi utilizată numai pentru acțiuni de formatare cu extensie de integritate." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Numai una dintre opțiunile „--use-[u]random” este permisă." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "Dimensiunea cheii este necesară cu opțiunea „--unbound”." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "Operație cu jeton(token) nevalidă." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Parametrul „--key-description” este obligatoriu pentru acțiunea de adăugare a jetonului." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "Acțiunea necesită un jeton(token)l specific. Utilizați parametrul „--token-id”." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "Opțiunea „--unbound” este validă numai cu acțiunea de adăugare a jetonului." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Opțiunile „--key-slot” și „--unbound” nu pot fi combinate." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "Acțiunea necesită un slot de cheie specific. Utilizați parametrul „--key-slot”." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr " [--type ] []" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "deschide dispozitivul ca " -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "închide dispozitivul (elimină asocierea)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "redimensionează dispozitivul activ" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "afișează starea dispozitivului" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher ]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "evaluează performanța cifrului" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "încearcă să repare metadatele de pe disc" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "recriptează dispozitivul LUKS2" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "șterge toate sloturile de chei (elimină cheia de criptare)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "convertește LUKS din/în formatul LUKS2" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "definește opțiunile permanente de configurare pentru LUKS2" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr " []" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "formatează un dispozitiv LUKS" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "adaugă o cheie la dispozitivul LUKS" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr " []" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "elimină cheia sau fișierul cheie furnizat de pe dispozitivul LUKS" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "modifică cheia furnizată sau fișierul cheie al dispozitivului LUKS" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "convertește o cheie în noii parametri pbkdf" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr " " -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "șterge cheia cu numărul de pe dispozitivul LUKS" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "afișează UUID-ul dispozitivului LUKS" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "testează pentru antetul partiției LUKS" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "afișează informațiile despre partiția LUKS" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "afișează informațiile despre dispozitivul TCRYPT" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "afișează informațiile despre dispozitivul BITLK" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "afișează informațiile despre dispozitivul FVAULT2" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Suspendă dispozitivul LUKS și șterge cheia (toate In/Ieșirile sunt înghețate)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Repune în funcțiune dispozitivul LUKS suspendat" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Face copie de rezervă pentru antetul dispozitivului LUKS și pentru sloturile de chei" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Restaurează antetul dispozitivului LUKS și sloturile de chei" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " " -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Manipulează jetoanele LUKS2" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2591,7 +2831,7 @@ msgstr "" # nume, sau alias pentru primele. # A se vedea ieșirea comenzii: # «cryptsetup -?|--help» -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2603,7 +2843,7 @@ msgstr "" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2618,7 +2858,7 @@ msgstr "" " este numărul slotului de cheie LUKS de modificat\n" " fișier cheie opțional pentru noua cheie pentru acțiunea luksAddKey\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2627,29 +2867,28 @@ msgstr "" "\n" "Formatul implicit de metadate compilate este %s (pentru acțiunea luksFormat).\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Suportul pentru modulul de jeton(token) extern LUKS2 este %s.\n" +"Suportul pentru modulul de jeton(token) extern LUKS2 este activat.\n" -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "integrat în compilare" - -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" -msgstr "Calea modulului pentru jetonul(token) extern LUKS2: %s.\n" +msgstr "Ruta modulului pentru jetonul(token) extern LUKS2: %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "dezactivat" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Suportul pentru modulul de jeton(token) extern LUKS2 este dezactivat.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2666,7 +2905,7 @@ msgstr "" "PBKDF implicit pentru LUKS2: %s\n" "\tTimp de iterare: %d, Memorie necesară: %dko, Fire de execuție paralele: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2681,96 +2920,100 @@ msgstr "" "\tsimplu: %s, Cheie: %d biți, Suma de control a parolei: %s\n" "\tLUKS: %s, Cheie: %d biți, Suma de control a antetului LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: Dimensiunea implicită a cheii cu modul XTS (două chei interne) va fi dublată.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: necesită %s ca argumente" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Slotul de cheie nu este valid." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al sectorului de 512 octeți." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "Specificația pentru dimensiunea zonei fierbinți(active) pentru recriptare maximă nu este validă." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "Dimensiunea cheii trebuie să fie multiplu de 8 biți" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "Dimensiunea maximă de reducere a dispozitivului este de 1 GiB." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Dimensiunea redusă trebuie să fie multiplu al sectorului de 512 octeți." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Argumentul opțiuni „--priority” poate fi doar «ignore/normal/prefer»." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Afișează acest mesaj de ajutor" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Afișează modul de utilizare pe scurt" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Afișează versiunea pachetului" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Opțiuni de ajutor:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[OPȚIUNE...] " -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Argumentul lipsește." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Acțiune necunoscută." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Opțiunea „--key-file” are prioritate față de argumentul specificat pentru fișierul cheie." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Numai un argument „--key-file” este permis." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Funcția de derivare a unei chei bazată pe parolă (PBKDF=Password-Based Key Derivation Function) poate fi doar pbkdf2 sau argon2i/argon2id." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Iterațiile forțate PBKDF nu pot fi combinate cu opțiunea de timp de iterație." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Nu se poate lega cheia de volum la un inel de chei când este dezactivat." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Opțiunile „--keyslot-cipher” și „--keyslot-key-size” trebuie să fie folosite împreună." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Nu s-a executat nicio acțiune. Programul a fost invocat cu opțiunea „--test-args”.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Nu se poate dezactiva blocarea metadatelor." @@ -2835,7 +3078,7 @@ msgstr "Comanda necesită ca argument opțiunea " msgstr " " -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "formatează dispozitivul" @@ -2851,7 +3094,7 @@ msgstr "verifică dispozitivul" msgid " []" msgstr " []" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "afișează starea dispozitivului activ" @@ -2859,7 +3102,7 @@ msgstr "afișează starea dispozitivului activ" msgid "" msgstr "" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "afișează informațiile de pe disc" @@ -2890,11 +3133,11 @@ msgstr "" "\tAlgoritmul sumei de control(hash): %s, Bloc de date (octeți): %u, Bloc sumă de control(hash) (octeți): %u,\n" "\tDimensiune date «salt»: %u, Formatul sumei de control(hash): %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Opțiunile „--ignore-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Opțiunile „--panic-on-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună." @@ -2907,29 +3150,29 @@ msgstr "" "Acest lucru va suprascrie datele de pe %s și %s în mod irevocabil.\n" "Pentru a păstra datele dispozitivului de date, utilizați opțiunea „--no-wipe” (și apoi activați-l cu „--integrity-recalculate”)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Formatat cu dimensiunea etichetei %u, integritate internă %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Utilizarea fanionului pentru recalculare(...-recalculate) nu este acceptată, luați în considerare utilizarea opțiunii „--wipe” în schimb." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Dispozitivul %s nu este un dispozitiv INTEGRITY valid." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr " " -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2940,7 +3183,7 @@ msgstr "" " este dispozitivul de creat sub %s\n" " este dispozitivul care conține date cu etichete de integritate\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2953,40 +3196,40 @@ msgstr "" "\tAlgoritmul sumei de control: %s\n" "\tDimensiunea maximă a fișierului cheie: %dko\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Dimensiune nevalidă --%s. Maximul este de %u octeți." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Trebuie specificată atât opțiunea pentru fișierul cheie, cât și opțiunea pentru dimensiunea cheii." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de integritate a jurnalului, cât și opțiunea pentru dimensiunea cheii." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Algoritmul de integritate a jurnalului trebuie să fie specificat dacă este utilizată cheia de integritate a jurnalului." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de criptare a jurnalului, cât și opțiunea pentru dimensiunea cheii." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Algoritmul de criptare a jurnalului trebuie să fie specificat dacă este utilizată cheia de criptare a jurnalului." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Opțiunile de recuperare și modul de hartă de biți(bitmap) se exclud reciproc." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Opțiunile jurnalului nu pot fi utilizate în modul de hartă de biți(bitmap)." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Opțiunile de hartă de biți(bitmap) pot fi utilizate numai în modul de hartă de biți(bitmap)." @@ -3198,58 +3441,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Verificarea calității parolei a eșuat: frază de acces greșită (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Eroare la citirea frazei de acces de la terminal." -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Verifică fraza de acces: " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Frazele de acces nu se potrivesc." -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Nu se poate utiliza decalajul cu intrarea terminalului." -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Introduceți fraza de acces: " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Introduceți fraza de acces pentru %s: " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Nu este disponibilă nicio cheie cu această frază de acces." -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Nu este disponibil niciun slot de cheie utilizabil." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Nu se poate face verificarea frazei de acces pe intrări non-tty." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Nu s-a putut deschide fișierul %s în modul numai-pentru-citire." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Furnizați un jeton(token) JSON LUKS2 valid:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "Nu s-a putut citi fișierul JSON." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3257,12 +3500,12 @@ msgstr "" "\n" "Citire întreruptă." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Nu s-a putut deschide fișierul %s în modul de scriere." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3270,7 +3513,7 @@ msgstr "" "\n" "Scriere întreruptă." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "Nu s-a putut scrie fișierul JSON." @@ -3346,15 +3589,19 @@ msgstr "Dispozitivul necesită recuperarea recriptării. Rulați mai întâi ope msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Dispozitivul %s este deja în recriptare LUKS2. Doriți să reluați operația inițializată anterior?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Recriptarea veche LUKS2 nu mai este acceptată." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Nu se poate recripta dispozitivul LUKS2 configurat să utilizeze OPAL." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Recriptarea dispozitivului cu profil de integritate nu este acceptată." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3363,103 +3610,103 @@ msgstr "" "Solicitarea făcută cu opțiunea „--sector-size %” este incompatibilă cu superblocul %s\n" "(dimensiunea blocului: % octeți) detectat pe dispozitivul %s." -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Criptarea fără antet detașat (--header) nu este posibilă fără reducerea dimensiunii dispozitivului de date (--reduce-device-size)." -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Decalajul de date solicitat trebuie să fie mai mic sau egal cu jumătate din parametrul opțiunii „--reduce-device-size”." -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Ajustarea valorii „--reduce-device-size” la de două ori față de „--offset % (sectoare)”.\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Fișierul antet temporar %s există deja. Se abandonează." -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Nu se poate crea fișierul antet temporar %s." -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Dimensiunea metadatelor LUKS2 este mai mare decât valoarea decalajului de date." -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Nu s-a putut plasa antetul nou la începutul dispozitivului %s." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s este acum activ și pregătit pentru criptarea online.\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Dispozitivul activ %s nu este LUKS2." -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Se restabilește antetul LUKS2 original." -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Restaurarea antetului LUKS2 original a eșuat." -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Fișierul antet %s nu există. Doriți să inițializați decriptarea LUKS2 a dispozitivului %s și să exportați antetul LUKS2 în fișierul %s?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Nu s-au putut adăuga permisiuni de citire/scriere la fișierul antet exportat." -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Inițializarea recriptării a eșuat. Copia de rezervă a antetului este disponibilă în %s." -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "Decriptarea LUKS2 este acceptată numai cu dispozitivul antet detașat (cu decalajul de date fixat la 0)." -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Nu sunt suficiente sloturi de chei liberee pentru recriptare." -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Fișierul de cheie poate fi utilizat numai cu opțiunea „--key-slot” sau cu exact un slot de cheie activ." -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Introduceți fraza de acces pentru slotul de cheie %d: " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Introduceți fraza de acces pentru slotul de cheie %u: " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Se comută cifrul de criptare a datelor la %s.\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Nu s-au modificat parametrii de segment de date. Recriptarea a fost abandonată." -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3467,7 +3714,7 @@ msgstr "" "Creșterea dimensiunii sectorului de criptare pe dispozitivul offline nu este acceptată.\n" "Activați mai întâi dispozitivul sau utilizați opțiunea „--force-offline-reencrypt” (periculos!)." -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3476,62 +3723,62 @@ msgstr "" "\n" "Recriptarea a fost întreruptă." -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Reluarea recriptării LUKS în modul offline forțat.\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Dispozitivul %s conține metadate LUKS deteriorate. Se abandonează operația." -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Dispozitivul %s este deja un dispozitiv LUKS. Se abandonează operația." -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Dispozitivul %s este deja în recriptare LUKS. Se abandonează operația." -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "Decriptarea LUKS2 necesită opțiunea „--header”." -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "Comanda necesită un dispozitiv ca argument." -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Versiuni în conflict. Dispozitivul %s este LUKS1." -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS1." -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Versiuni în conflict. Dispozitivul %s este LUKS2." -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS2." -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Recriptarea LUKS2 a fost deja inițializată. Se abandonează operația." -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Recriptarea dispozitivului nu este în curs de desfășurare." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Nu se poate deschide exclusiv %s, dispozitiv în uz." @@ -3667,35 +3914,35 @@ msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură de partiție msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură superbloc „%s”.\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Nu s-au inițializat probele de semnătură a dispozitivului." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "Nu s-a putut obține starea dispozitivului %s." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Nu s-a putut deschide fișierul %s în modul citire/scriere." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Semnătura partiției „%s” existentă pe dispozitivul %s va fi ștearsă." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Semnătura superblocului „%s” existentă pe dispozitivul %s va fi ștearsă." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Nu s-a putut șterge semnătura dispozitivului." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Nu s-a putut verifica dispozitivul %s pentru o semnătură." @@ -3710,11 +3957,11 @@ msgstr "Specificație de dimensiune nevalidă în parametrul „--%s”." msgid "Option --%s is not allowed with %s action." msgstr "Opțiunea „--%s” nu este permisă cu acțiunea %s." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Nu s-a putut scrie jetonul ssh în format JSON." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3725,110 +3972,114 @@ msgid "" msgstr "" "Modul de criptare experimentală pentru deblocarea dispozitivelor LUKS2 cu jeton(token) conectat la un server SSH\v Acest modul permite în prezent doar adăugarea unui jeton(token) la un slot de cheie existent.\n" "\n" -"Serverul SSH specificat trebuie să conțină un fișier cheie în calea specificată, cu o frază de acces pentru un slot de cheie existent pe dispozitiv.\n" +"Serverul SSH specificat trebuie să conțină un fișier cheie în ruta specificată, cu o frază de acces pentru un slot de cheie existent pe dispozitiv.\n" "Acreditările furnizate vor fi folosite de «cryptsetup» pentru a obține parola atunci când deschideți dispozitivul folosind jetonul(token).\n" "\n" -"Notă: Informațiile furnizate la adăugarea jetonului(token) (adresa serverului SSH, utilizatorul și căile) vor fi stocate în antetul LUKS2 în text clar." +"Notă: Informațiile furnizate la adăugarea jetonului(token) (adresa serverului SSH, utilizatorul și rutele) vor fi stocate în antetul LUKS2 în text clar." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr " " -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Opțiuni pentru acțiunea „add”:" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "Adresa IP/URL a serverului de la distanță pentru acest jeton(token)" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Nume de utilizator folosit pentru serverul de la distanță" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" -msgstr "Calea către fișierul de cheie din serverul de la distanță" +msgstr "Ruta către fișierul de cheie din serverul de la distanță" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" -msgstr "Calea către cheia SSH pentru conectarea la serverul de la distanță" +msgstr "Ruta către cheia SSH pentru conectarea la serverul de la distanță" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Ruta către directorul care conține jetoane(tokens) externe „libcryptsetup”" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Slotul de cheie căruia să îi atribuiți jetonul. Dacă nu este specificat, jetonul va fi atribuit primei fraze de acces furnizate care se potrivește cu slotul de cheie." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Opțiuni generice:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Afișează mesaje de eroare mult mai detaliate" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Afișează mesajele de depanare" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Afișează mesajele de depanare, inclusiv metadate JSON" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Nu s-a putut deschide și importa cheia privată:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Nu s-a putut importa cheia privată (protejată prin parolă?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Parola pentru %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Argumentele nu au putut fi analizate.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Trebuie specificată o acțiune\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Trebuie specificat dispozitivul pentru acțiunea „%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Serverul SSH trebuie să fie specificat pentru acțiunea „%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Trebuie specificat utilizatorul SSH pentru acțiunea „%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" -msgstr "Trebuie specificată calea SSH pentru acțiunea „%s”.\n" +msgstr "Trebuie specificată ruta SSH pentru acțiunea „%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" -msgstr "Trebuie specificată calea cheii SSH pentru acțiunea „%s”.\n" +msgstr "Trebuie specificată ruta cheii SSH pentru acțiunea „%s”.\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Nu s-a putut deschide %s folosind acreditările furnizate.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "Doar acțiunea „addi” este suportată în prezent de acest modul.\n" @@ -3872,3 +4123,9 @@ msgstr "Metoda de autentificare cu cheie publică nu este permisă pe gazdă.\n" #: tokens/ssh/ssh-utils.c:171 msgid "Public key authentication error: " msgstr "Eroare la autentificarea cu cheia publică: " + +#~ msgid "compiled-in" +#~ msgstr "integrat în compilare" + +#~ msgid "disabled" +#~ msgstr "dezactivat" diff --git a/po/ru.po b/po/ru.po index 1133486..d32901f 100644 --- a/po/ru.po +++ b/po/ru.po @@ -10,7 +10,7 @@ msgstr "" "Project-Id-Version: cryptsetup 2.6.1-rc0\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" "POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-04 15:38+0300\n" +"PO-Revision-Date: 2023-11-02 21:04+0300\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "Language: ru\n" @@ -19,7 +19,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "X-Bugs: Report translation errors to the Language-Team address.\n" "X-Launchpad-Export-Date: 2018-12-03 15:52+0000\n" -"X-Generator: Lokalize 20.12.0\n" +"X-Generator: Lokalize 22.12.3\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #: lib/libdevmapper.c:419 @@ -723,7 +723,7 @@ msgstr "Запрошенный тип PBKDF %s не поддерживается #: lib/utils_pbkdf.c:128 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." -msgstr "Максимальный размер памяти PBKDF и количество параллельных нитей нельзя задавать вместе с pbkdf2." +msgstr "Максимальный размер памяти PBKDF или количество параллельных потоков нельзя задавать вместе с pbkdf2." #: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 #, c-format @@ -746,7 +746,7 @@ msgstr "Запрошенная максимальная стоимость па #: lib/utils_pbkdf.c:164 msgid "Requested PBKDF parallel threads cannot be zero." -msgstr "Запрошенное количество параллельных нитей PBKDF не может быть нулевым." +msgstr "Запрошенное количество параллельных потоков PBKDF не может быть нулевым." #: lib/utils_pbkdf.c:184 msgid "Only PBKDF2 is supported in FIPS mode." @@ -1986,7 +1986,7 @@ msgstr "%-10s Н/Д\n" #: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" -msgstr "%-10s %4u итераций, %5u памяти, %1u параллельных нитей (ЦП) для %zu-битного ключа (запрашивался %u мс)\n" +msgstr "%-10s %4u итераций, %5u памяти, %1u параллельных потоков (ЦП) для %zu-битного ключа (запрашивался %u мс)\n" #: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." @@ -2660,7 +2660,7 @@ msgstr "" "\tМаксимальный размер файла ключа: %dКБ, Максимальная длина парольной фразы при вводе вручную: %d (символов)\n" "PBKDF по умолчанию для LUKS1: %s, Время итерации: %d (мс)\n" "PBKDF по умолчанию для LUKS2: %s\n" -"\tВремя итерации: %d, Требуемая память: %dКБ, Кол-во параллельных нитей: %d\n" +"\tВремя итерации: %d, Требуемая память: %dКБ, Кол-во параллельных потоков: %d\n" #: src/cryptsetup.c:3241 #, c-format diff --git a/po/sr.po b/po/sr.po index 5ca41d8..2b821fe 100644 --- a/po/sr.po +++ b/po/sr.po @@ -1,14 +1,14 @@ # Serbian translation for cryptsetup. # Copyright © 2014 Free Software Foundation, Inc. # This file is distributed under the same license as the cryptsetup package. -# Мирослав Николић , 2014–2022. +# Мирослав Николић , 2014–2023. # msgid "" msgstr "" -"Project-Id-Version: cryptsetup-2.5.0-rc1\n" +"Project-Id-Version: cryptsetup-2.6.1-rc0\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2022-07-14 14:04+0200\n" -"PO-Revision-Date: 2022-09-08 05:02+0200\n" +"POT-Creation-Date: 2023-02-01 15:58+0100\n" +"PO-Revision-Date: 2023-02-19 11:50+0100\n" "Last-Translator: Мирослав Николић \n" "Language-Team: Serbian <(nothing)>\n" "Language: sr\n" @@ -18,67 +18,71 @@ msgstr "" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -#: lib/libdevmapper.c:417 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "Не могу да покренем мапера уређаја, радим као обичан корисник." -#: lib/libdevmapper.c:420 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Не могу да покренем мапера уређаја. Да ли је учитан модул кернела „dm_mod“?" -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1102 msgid "Requested deferred flag is not supported." msgstr "Затражена одложена заставица није подржана." -#: lib/libdevmapper.c:1240 +#: lib/libdevmapper.c:1171 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "ДМ-УЈИБ за уређај „%s“ је скраћен." -#: lib/libdevmapper.c:1570 +#: lib/libdevmapper.c:1501 msgid "Unknown dm target type." msgstr "Непозната врста „dm“ мете." -#: lib/libdevmapper.c:1694 lib/libdevmapper.c:1699 lib/libdevmapper.c:1763 -#: lib/libdevmapper.c:1766 +#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 +#: lib/libdevmapper.c:1727 msgid "Requested dm-crypt performance options are not supported." msgstr "Затражене опције перформанси дм-шифровања нису подржане." -#: lib/libdevmapper.c:1706 lib/libdevmapper.c:1710 +#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Затражене опције рада оштећених података дм-веритија нису подржане." -#: lib/libdevmapper.c:1714 +#: lib/libdevmapper.c:1641 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "Затражене „dm-verity“ опција без задатка није подржана." + +#: lib/libdevmapper.c:1653 msgid "Requested dm-verity FEC options are not supported." msgstr "Затражене „dm-verity FEC“ опције нису подржане." -#: lib/libdevmapper.c:1718 +#: lib/libdevmapper.c:1659 msgid "Requested data integrity options are not supported." msgstr "Затражене опције целовитости података нису подржане." -#: lib/libdevmapper.c:1720 +#: lib/libdevmapper.c:1663 msgid "Requested sector_size option is not supported." msgstr "Затражене опције величине одељка нису подржане." -#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1729 +#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Затражене опције самосталног прерачунавања ознака целовитости нису подржане." -#: lib/libdevmapper.c:1733 lib/libdevmapper.c:1769 lib/libdevmapper.c:1772 -#: lib/luks2/luks2_json_metadata.c:2552 +#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 +#: lib/luks2/luks2_json_metadata.c:2620 msgid "Discard/TRIM is not supported." msgstr "Одбацивање/ОДСЕЦАЊЕ није подржано." -#: lib/libdevmapper.c:1737 +#: lib/libdevmapper.c:1688 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Затражени режим битмапе дм-целовитости није подржан." -#: lib/libdevmapper.c:2763 +#: lib/libdevmapper.c:2724 #, c-format msgid "Failed to query dm-%s segment." msgstr "Нисам успео да пропитам „dm-%s“ подеок." -#: lib/random.c:74 +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" @@ -86,16 +90,16 @@ msgstr "" "Систем је ван ентропије приликом стварања кључа волумена.\n" "Померите миша или откуцајте неки текст у другом прозору да прикупите неке насумичне догађаје.\n" -#: lib/random.c:78 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "Стварам кључ (%d %% је урађено).\n" -#: lib/random.c:164 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "Ради у „FIPS“ режиму." -#: lib/random.c:170 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "Кобна грешка за време покретања „RNG“-а." @@ -107,430 +111,440 @@ msgstr "Затражен је непознат квалитет „RNG“-а." msgid "Error reading from RNG." msgstr "Грешка читања из „RNG“-а." -#: lib/setup.c:226 +#: lib/setup.c:231 msgid "Cannot initialize crypto RNG backend." msgstr "Не могу да покренем „RNG“ позадинца криптографије." -#: lib/setup.c:232 +#: lib/setup.c:237 msgid "Cannot initialize crypto backend." msgstr "Не могу да покренем позадинца криптографије." -#: lib/setup.c:263 lib/setup.c:2080 lib/verity/verity.c:122 +#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Хеш алгоритам „%s“ није подржан." -#: lib/setup.c:266 lib/loopaes/loopaes.c:90 +#: lib/setup.c:271 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Грешка обраде кључа (користим хеш %s)." -#: lib/setup.c:332 lib/setup.c:359 +#: lib/setup.c:342 lib/setup.c:369 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Не могу да одредим врсту уређаја. Несагласно покретање уређаја?" -#: lib/setup.c:338 lib/setup.c:3221 +#: lib/setup.c:348 lib/setup.c:3320 msgid "This operation is supported only for LUKS device." msgstr "Ова радња је подржана само за ЛУКС уређај." -#: lib/setup.c:365 +#: lib/setup.c:375 msgid "This operation is supported only for LUKS2 device." msgstr "Ова радња је подржана само за ЛУКС2 уређај." -#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2985 +#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 msgid "All key slots full." msgstr "Сви утори кључева су пуни." -#: lib/setup.c:431 +#: lib/setup.c:438 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Утор кључа %d није исправан, изаберите између 0 и %d." -#: lib/setup.c:437 +#: lib/setup.c:444 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Утор кључа %d је пун, изаберите неки други." -#: lib/setup.c:522 lib/setup.c:2946 +#: lib/setup.c:529 lib/setup.c:3042 msgid "Device size is not aligned to device logical block size." msgstr "Величина уређаја није поравната на величину логичког блока уређаја." -#: lib/setup.c:620 +#: lib/setup.c:627 #, c-format msgid "Header detected but device %s is too small." msgstr "Заглавље је откривено али уређај „%s“ је премали." -#: lib/setup.c:661 lib/setup.c:2851 lib/setup.c:4335 -#: lib/luks2/luks2_reencrypt.c:3757 lib/luks2/luks2_reencrypt.c:4159 +#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 +#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 msgid "This operation is not supported for this device type." msgstr "Ова радња није подржана за ову врсту уређаја." -#: lib/setup.c:666 +#: lib/setup.c:673 msgid "Illegal operation with reencryption in-progress." msgstr "Неисправна радња са поновним шифровањем је у току." -#: lib/setup.c:833 lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524 -#: lib/luks2/luks2_json_metadata.c:1267 src/cryptsetup.c:1449 -#: src/cryptsetup.c:1581 src/cryptsetup.c:1636 src/cryptsetup.c:1756 -#: src/cryptsetup.c:1861 src/cryptsetup.c:2142 src/cryptsetup.c:2380 -#: src/cryptsetup.c:2440 src/utils_reencrypt.c:1378 -#: src/utils_reencrypt_luks1.c:1188 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:802 +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "Нисам успео да повратим ЛУКС2 метаподатке у меморију." + +#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 +#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 +#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 +#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Уређај „%s“ није исправан ЛУКС уређај." -#: lib/setup.c:836 lib/luks1/keymanage.c:527 +#: lib/setup.c:892 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Неподржано ЛУКС издање %d." -#: lib/setup.c:1431 lib/setup.c:2602 lib/setup.c:2682 lib/setup.c:2694 -#: lib/setup.c:2859 lib/setup.c:4807 +#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 +#: lib/setup.c:2952 lib/setup.c:4764 #, c-format msgid "Device %s is not active." msgstr "Уређај „%s“ није радан." -#: lib/setup.c:1448 +#: lib/setup.c:1508 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Основни уређај за криптографски уређај „%s“ је нестао." -#: lib/setup.c:1528 +#: lib/setup.c:1590 msgid "Invalid plain crypt parameters." msgstr "Неисправни параметри обичне криптографије." -#: lib/setup.c:1533 lib/setup.c:1983 +#: lib/setup.c:1595 lib/setup.c:2054 msgid "Invalid key size." msgstr "Неисправна величина кључа." -#: lib/setup.c:1538 lib/setup.c:1988 lib/setup.c:2191 +#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 msgid "UUID is not supported for this crypt type." msgstr "УЈИБ није подржан за ову врсту криптографије." -#: lib/setup.c:1543 lib/setup.c:1993 +#: lib/setup.c:1605 lib/setup.c:2064 msgid "Detached metadata device is not supported for this crypt type." msgstr "Откачени уређај метаподатака није подржан за ову врсту криптографије." -#: lib/setup.c:1553 lib/setup.c:1765 lib/luks2/luks2_reencrypt.c:2941 -#: src/cryptsetup.c:1250 src/cryptsetup.c:3072 +#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 +#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 msgid "Unsupported encryption sector size." msgstr "Неподржана величина одељка шифровања." -#: lib/setup.c:1561 lib/setup.c:1896 lib/setup.c:2940 +#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 msgid "Device size is not aligned to requested sector size." msgstr "Величина уређаја није поравната на затражену величину одељка." -#: lib/setup.c:1613 lib/setup.c:1733 +#: lib/setup.c:1675 lib/setup.c:1799 msgid "Can't format LUKS without device." msgstr "Не могу да обликујем ЛУКС без уређаја." -#: lib/setup.c:1619 lib/setup.c:1739 +#: lib/setup.c:1681 lib/setup.c:1805 msgid "Requested data alignment is not compatible with data offset." msgstr "Затражено поравнање података није сагласно са померајем података." -#: lib/setup.c:1687 lib/setup.c:1883 -msgid "WARNING: Data offset is outside of currently available data device.\n" -msgstr "УПОЗОРЕЊЕ: Померај података је ван тренутно доступног уређаја података.\n" - -#: lib/setup.c:1697 lib/setup.c:1913 lib/setup.c:1934 lib/setup.c:2203 +#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 #, c-format msgid "Cannot wipe header on device %s." msgstr "Не могу да обришем заглавље на уређају „%s“." -#: lib/setup.c:1774 +#: lib/setup.c:1769 lib/setup.c:2036 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "Уређај „%s“ је премали за активирање, није преостао простор за податке.\n" + +#: lib/setup.c:1840 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" msgstr "УПОЗОРЕЊЕ: Покретање уређаја неће успети, „dm-crypt“-у недостаје подршка за затражену величину одељка шифровања.\n" -#: lib/setup.c:1797 +#: lib/setup.c:1863 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Кључ волумена је премали за шифровање са проширењима целовитости." -#: lib/setup.c:1857 +#: lib/setup.c:1923 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Шифрер %s-%s (величина кључа %zd бита) није доступан." -#: lib/setup.c:1886 +#: lib/setup.c:1949 #, c-format msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" msgstr "УПОЗОРЕЊЕ: Величина ЛУКС2 метаподатака је промењена на % бајта.\n" -#: lib/setup.c:1890 +#: lib/setup.c:1953 #, c-format msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" msgstr "УПОЗОРЕЊЕ: Величина области ЛУКС2 утора кључева је промењена на % бајта.\n" -#: lib/setup.c:1916 lib/utils_device.c:909 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3009 lib/luks2/luks2_reencrypt.c:4254 +#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 +#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 #, c-format msgid "Device %s is too small." msgstr "Уређај „%s“ је премали." -#: lib/setup.c:1927 lib/setup.c:1953 +#: lib/setup.c:1990 lib/setup.c:2016 #, c-format msgid "Cannot format device %s in use." msgstr "Не могу да обликујем уређај „%s“ у употреби." -#: lib/setup.c:1930 lib/setup.c:1956 +#: lib/setup.c:1993 lib/setup.c:2019 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Не могу да обликујем уређај „%s“, овлашћење је одбијено." -#: lib/setup.c:1942 lib/setup.c:2263 +#: lib/setup.c:2005 lib/setup.c:2334 #, c-format msgid "Cannot format integrity for device %s." msgstr "Не могу да обликујем целовитост за уређај „%s“." -#: lib/setup.c:1960 +#: lib/setup.c:2023 #, c-format msgid "Cannot format device %s." msgstr "Не могу да обликујем уређај „%s“." -#: lib/setup.c:1978 +#: lib/setup.c:2049 msgid "Can't format LOOPAES without device." msgstr "Не могу да обликујем „LOOPAES“ без уређаја." -#: lib/setup.c:2023 +#: lib/setup.c:2094 msgid "Can't format VERITY without device." msgstr "Не могу да обликујем „VERITY“ без уређаја." -#: lib/setup.c:2034 lib/verity/verity.c:101 +#: lib/setup.c:2105 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Неподржана врста „VERITY“ хеша %d." -#: lib/setup.c:2040 lib/verity/verity.c:109 +#: lib/setup.c:2111 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Неподржана величина блока „VERITY“." -#: lib/setup.c:2045 lib/verity/verity.c:74 +#: lib/setup.c:2116 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Неподржан померај хеша „VERITY“." -#: lib/setup.c:2050 +#: lib/setup.c:2121 msgid "Unsupported VERITY FEC offset." msgstr "Неподржан „VERITY FEC“ померај." -#: lib/setup.c:2074 +#: lib/setup.c:2145 msgid "Data area overlaps with hash area." msgstr "Област података се преклапа са облашћу хеша." -#: lib/setup.c:2099 +#: lib/setup.c:2170 msgid "Hash area overlaps with FEC area." msgstr "Област хеша се преклапа са „FEC“ облашћу." -#: lib/setup.c:2106 +#: lib/setup.c:2177 msgid "Data area overlaps with FEC area." msgstr "Област података се преклапа са „FEC“ облашћу." -#: lib/setup.c:2242 +#: lib/setup.c:2313 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "УПОЗОРЕЊЕ: Затражена величина ознаке %d бајта се разликује од излаза величине „%s“ (%d бајта).\n" -#: lib/setup.c:2321 +#: lib/setup.c:2392 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Затражена је непозната врста „%s“ криптографског уређаја." -#: lib/setup.c:2608 lib/setup.c:2687 lib/setup.c:2700 +#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 #, c-format msgid "Unsupported parameters on device %s." msgstr "Неподржани параметри на уређају „%s“." -#: lib/setup.c:2614 lib/setup.c:2707 lib/luks2/luks2_reencrypt.c:2837 -#: lib/luks2/luks2_reencrypt.c:3074 lib/luks2/luks2_reencrypt.c:3459 +#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 +#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 #, c-format msgid "Mismatching parameters on device %s." msgstr "Неодговарајући параметри на уређају „%s“." -#: lib/setup.c:2731 +#: lib/setup.c:2822 msgid "Crypt devices mismatch." msgstr "Криптографски уређаји се не поклапају." -#: lib/setup.c:2768 lib/setup.c:2773 lib/luks2/luks2_reencrypt.c:2315 -#: lib/luks2/luks2_reencrypt.c:2853 lib/luks2/luks2_reencrypt.c:4007 +#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 #, c-format msgid "Failed to reload device %s." msgstr "Нисам успео поново да учитам уређај „%s“." -#: lib/setup.c:2779 lib/setup.c:2785 lib/luks2/luks2_reencrypt.c:2286 -#: lib/luks2/luks2_reencrypt.c:2293 lib/luks2/luks2_reencrypt.c:2867 +#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 +#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 #, c-format msgid "Failed to suspend device %s." msgstr "Нисам успео да обуставим уређај „%s“." -#: lib/setup.c:2791 lib/luks2/luks2_reencrypt.c:2300 -#: lib/luks2/luks2_reencrypt.c:2888 lib/luks2/luks2_reencrypt.c:3920 -#: lib/luks2/luks2_reencrypt.c:4011 +#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 +#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 +#: lib/luks2/luks2_reencrypt.c:4036 #, c-format msgid "Failed to resume device %s." msgstr "Нисам успео да наставим са уређајем „%s“." -#: lib/setup.c:2806 +#: lib/setup.c:2897 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Кобна грешка приликом поновног учитавања уређаја „%s“ (на врху уређаја „%s“)." -#: lib/setup.c:2809 lib/setup.c:2811 +#: lib/setup.c:2900 lib/setup.c:2902 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Нисам успео да променим уређај „%s“ на дм-грешку." -#: lib/setup.c:2891 +#: lib/setup.c:2984 msgid "Cannot resize loop device." msgstr "Не могу да променим величину уређаја петље." -#: lib/setup.c:2931 +#: lib/setup.c:3027 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "" "УПОЗОРЕЊЕ: Највећа величина је већ постављена или кернел не подржава промену величине.\n" "\n" -#: lib/setup.c:2989 +#: lib/setup.c:3088 msgid "Resize failed, the kernel doesn't support it." msgstr "Промена величине није успела, кернел је не подржава." -#: lib/setup.c:3021 +#: lib/setup.c:3120 msgid "Do you really want to change UUID of device?" msgstr "Да ли стварно желите да измените УЈИБ уређаја?" -#: lib/setup.c:3113 +#: lib/setup.c:3212 msgid "Header backup file does not contain compatible LUKS header." msgstr "Датотека резерве заглавља не садржи сагласно ЛУКС заглавље." -#: lib/setup.c:3229 +#: lib/setup.c:3328 #, c-format msgid "Volume %s is not active." msgstr "Волумен „%s“ није радан." -#: lib/setup.c:3240 +#: lib/setup.c:3339 #, c-format msgid "Volume %s is already suspended." msgstr "Волумен „%s“ је већ обустављен." -#: lib/setup.c:3253 +#: lib/setup.c:3352 #, c-format msgid "Suspend is not supported for device %s." msgstr "Обустављање није подржано за уређај „%s“." -#: lib/setup.c:3255 +#: lib/setup.c:3354 #, c-format msgid "Error during suspending device %s." msgstr "Грешка за време обустављања уређаја „%s“." -#: lib/setup.c:3290 +#: lib/setup.c:3389 #, c-format msgid "Resume is not supported for device %s." msgstr "Настављање није подржано за уређај „%s“." -#: lib/setup.c:3292 +#: lib/setup.c:3391 #, c-format msgid "Error during resuming device %s." msgstr "Грешка за време настављања уређаја „%s“." -#: lib/setup.c:3326 lib/setup.c:3374 lib/setup.c:3444 lib/setup.c:3489 -#: src/cryptsetup.c:2207 +#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 +#: src/cryptsetup.c:2479 #, c-format msgid "Volume %s is not suspended." msgstr "Волумен „%s“ није обустављен." -#: lib/setup.c:3459 lib/setup.c:3862 lib/setup.c:4584 lib/setup.c:4597 -#: lib/setup.c:4605 lib/setup.c:4618 lib/setup.c:6142 src/cryptsetup.c:1790 +#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 +#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 +#: src/cryptsetup.c:2011 msgid "Volume key does not match the volume." msgstr "Кључ волумена не одговара волумену." -#: lib/setup.c:3540 lib/setup.c:3745 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "Не могу да додам утор кључа, сви утори су искључени а није обезбеђен ниједан кључ волумена." - -#: lib/setup.c:3697 +#: lib/setup.c:3737 msgid "Failed to swap new key slot." msgstr "Нисам успео да разменим нови утор кључа." -#: lib/setup.c:3883 +#: lib/setup.c:3835 #, c-format msgid "Key slot %d is invalid." msgstr "Утор кључа „%d“ није исправан." -#: lib/setup.c:3889 src/cryptsetup.c:1594 src/cryptsetup.c:1936 -#: src/cryptsetup.c:2540 src/cryptsetup.c:2597 +#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 +#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 #, c-format msgid "Keyslot %d is not active." msgstr "Утор кључа „%d“ није радан." -#: lib/setup.c:3908 +#: lib/setup.c:3860 msgid "Device header overlaps with data area." msgstr "Заглавље уређаја се преклапа са облашћу података." -#: lib/setup.c:4213 +#: lib/setup.c:4165 msgid "Reencryption in-progress. Cannot activate device." msgstr "Поновно шифровање је у току. Не могу да активирам уређај." -#: lib/setup.c:4215 lib/luks2/luks2_json_metadata.c:2635 -#: lib/luks2/luks2_reencrypt.c:3565 +#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 +#: lib/luks2/luks2_reencrypt.c:3590 msgid "Failed to get reencryption lock." msgstr "Нисам успео да добавим закључавање поновног шифровања." -#: lib/setup.c:4228 lib/luks2/luks2_reencrypt.c:3584 +#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 msgid "LUKS2 reencryption recovery failed." msgstr "Опоравак ЛУКС2 поновног шифровања није успело." -#: lib/setup.c:4396 lib/setup.c:4661 +#: lib/setup.c:4352 lib/setup.c:4618 msgid "Device type is not properly initialized." msgstr "Врста уређаја није исправно покренута." -#: lib/setup.c:4444 +#: lib/setup.c:4400 #, c-format msgid "Device %s already exists." msgstr "Већ постоји уређај „%s“." -#: lib/setup.c:4451 +#: lib/setup.c:4407 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Не могу да користим уређај „%s“, назив није исправан или је још у употреби." -#: lib/setup.c:4571 +#: lib/setup.c:4527 msgid "Incorrect volume key specified for plain device." msgstr "Наведен је неисправан кључ волумена за обичан уређај." -#: lib/setup.c:4687 +#: lib/setup.c:4644 msgid "Incorrect root hash specified for verity device." msgstr "Наведен је неисправан хеш корена за уређај тачности." -#: lib/setup.c:4697 +#: lib/setup.c:4654 msgid "Root hash signature required." msgstr "Потпис хеша корена је потребан." -#: lib/setup.c:4706 +#: lib/setup.c:4663 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Привезак кључева кернела недостаје: потребан је за прослеђивање потписа кернелу." -#: lib/setup.c:4723 lib/setup.c:6218 +#: lib/setup.c:4680 lib/setup.c:6423 msgid "Failed to load key in kernel keyring." msgstr "Нисам успео да учитам кључ у привеску кључева кернела." -#: lib/setup.c:4779 +#: lib/setup.c:4736 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Не могу да откажем различно уклањање из уређаја „%s“." -#: lib/setup.c:4786 lib/setup.c:4802 lib/luks2/luks2_json_metadata.c:2688 +#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Уређај „%s“ је још увеку употреби." -#: lib/setup.c:4811 +#: lib/setup.c:4768 #, c-format msgid "Invalid device %s." msgstr "Неисправан уређај „%s“." -#: lib/setup.c:4927 +#: lib/setup.c:4908 msgid "Volume key buffer too small." msgstr "Међумеморија кључа волумена је премала." -#: lib/setup.c:4935 +#: lib/setup.c:4925 +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "Не могу да довучем кључ волумена за ЛУКС2 уређај." + +#: lib/setup.c:4934 +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "Не могу да довучем кључ волумена за ЛУКС1 уређај." + +#: lib/setup.c:4944 msgid "Cannot retrieve volume key for plain device." msgstr "Не могу да довучем кључ волумена за обичан уређај." @@ -538,147 +552,151 @@ msgstr "Не могу да довучем кључ волумена за оби msgid "Cannot retrieve root hash for verity device." msgstr "Не могу да довучем хеш корена за уређај тачности." -#: lib/setup.c:4956 +#: lib/setup.c:4959 +msgid "Cannot retrieve volume key for BITLK device." +msgstr "Не могу да довучем кључ волумена за BITLK уређај." + +#: lib/setup.c:4964 +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "Не могу да довучем кључ волумена за FVAULT2 уређај." + +#: lib/setup.c:4966 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Ова радња није подржана за криптографски уређај „%s“." -#: lib/setup.c:5130 lib/setup.c:5141 +#: lib/setup.c:5147 lib/setup.c:5158 msgid "Dump operation is not supported for this device type." msgstr "Радња исписа није подржана за ову врсту уређаја." -#: lib/setup.c:5471 +#: lib/setup.c:5500 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Померај података није умножак %u бајта." -#: lib/setup.c:5756 +#: lib/setup.c:5788 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Не могу да преобратим уређај „%s“ који је још увек у употреби." -#: lib/setup.c:6075 +#: lib/setup.c:6098 lib/setup.c:6237 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Нисам успео да доделим утор кључа „%u“ као нови кључ волумена." -#: lib/setup.c:6148 +#: lib/setup.c:6122 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Нисам успео да покренем основне параметре ЛУКС2 утора кључа." -#: lib/setup.c:6154 +#: lib/setup.c:6128 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Нисам успео да доделим утор кључа „%d“ за преглед." -#: lib/setup.c:6285 +#: lib/setup.c:6353 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "Не могу да додам утор кључа, сви утори су искључени а није обезбеђен ниједан кључ волумена." + +#: lib/setup.c:6490 msgid "Kernel keyring is not supported by the kernel." msgstr "Привезак кључева кернела није подржан кернелом." -#: lib/setup.c:6295 lib/luks2/luks2_reencrypt.c:3782 +#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 #, c-format msgid "Failed to read passphrase from keyring (error %d)." msgstr "Нисам успео да прочитам пропусну реч из привеска кључа (грешка %d)." -#: lib/setup.c:6319 +#: lib/setup.c:6523 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Нисам успео да остварим опште закључавање серијализације приступа чврстој меморији." -#: lib/utils.c:80 -msgid "Cannot get process priority." -msgstr "Не могу да добавим хитност процеса." - -#: lib/utils.c:94 -msgid "Cannot unlock memory." -msgstr "Не могу да откључам меморију." - -#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502 +#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 msgid "Failed to open key file." msgstr "Нисам успео да отворим датотеку кључа." -#: lib/utils.c:173 +#: lib/utils.c:163 msgid "Cannot read keyfile from a terminal." msgstr "Не могу да прочитам датотеку кључа из терминала." -#: lib/utils.c:189 +#: lib/utils.c:179 msgid "Failed to stat key file." msgstr "Нисам успео да добавим податке датотеке кључа." -#: lib/utils.c:197 lib/utils.c:218 +#: lib/utils.c:187 lib/utils.c:208 msgid "Cannot seek to requested keyfile offset." msgstr "Не могу да премотам на затражени померај датотеке кључа." -#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:226 -#: src/utils_password.c:238 +#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 +#: src/utils_password.c:237 msgid "Out of memory while reading passphrase." msgstr "Нестало је меморије приликом читања пропусне речи." -#: lib/utils.c:247 +#: lib/utils.c:237 msgid "Error reading passphrase." msgstr "Грешка читања пропусне речи." -#: lib/utils.c:264 +#: lib/utils.c:254 msgid "Nothing to read on input." msgstr "Нема ничега за читање на улазу." -#: lib/utils.c:271 +#: lib/utils.c:261 msgid "Maximum keyfile size exceeded." msgstr "Премашена је највећа величина датотеке кључа." -#: lib/utils.c:276 +#: lib/utils.c:266 msgid "Cannot read requested amount of data." msgstr "Не могу да прочитам затражену количину података." -#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1353 +#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 #, c-format msgid "Device %s does not exist or access denied." msgstr "Уређај „%s“ не постоји или је приступ одбијен." -#: lib/utils_device.c:218 +#: lib/utils_device.c:217 #, c-format msgid "Device %s is not compatible." msgstr "Уређај „%s“ није сагласан." -#: lib/utils_device.c:562 +#: lib/utils_device.c:561 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Занемарујем лажну оптималну-уи величину за уређај података (%u бајта)." -#: lib/utils_device.c:720 +#: lib/utils_device.c:722 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Уређај „%s“ је премали. Захтева барем % бајта." -#: lib/utils_device.c:801 +#: lib/utils_device.c:803 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Не могу да користим уређај „%s“ који је у употреби (већ мапиран или прикачен)." -#: lib/utils_device.c:805 +#: lib/utils_device.c:807 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Не могу да користим уређај „%s“, овлашћење је одбијено." -#: lib/utils_device.c:808 +#: lib/utils_device.c:810 #, c-format msgid "Cannot get info about device %s." msgstr "Не могу да добавим податке о уређају „%s“." -#: lib/utils_device.c:831 +#: lib/utils_device.c:833 msgid "Cannot use a loopback device, running as non-root user." msgstr "Не могу да користим уређај повратне петље, радим као обичан корисник." -#: lib/utils_device.c:842 +#: lib/utils_device.c:844 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Прикачињање уређаја повратне петље није успело (потребан је уређај петље са опцијом самочишћења)." -#: lib/utils_device.c:890 +#: lib/utils_device.c:892 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Захтевани померај је изван стварне величине уређаја „%s“." -#: lib/utils_device.c:898 +#: lib/utils_device.c:900 #, c-format msgid "Device %s has zero size." msgstr "Уређај „%s“ има нулту величину." @@ -732,30 +750,25 @@ msgstr "Затражене „PBKDF“ паралелне нити не могу msgid "Only PBKDF2 is supported in FIPS mode." msgstr "Само „PBKDF2“ је подржано у „FIPS“ режиму." -#: lib/utils_benchmark.c:172 +#: lib/utils_benchmark.c:175 msgid "PBKDF benchmark disabled but iterations not set." msgstr "„PBKDF“ оцењивање је искључено али понављања нису постављена." -#: lib/utils_benchmark.c:191 +#: lib/utils_benchmark.c:194 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Нису сагласне „PBKDF2“ опције (користим хеш алгоритам %s)." -#: lib/utils_benchmark.c:211 +#: lib/utils_benchmark.c:214 msgid "Not compatible PBKDF options." msgstr "Несагласне „PBKDF“ опције." -#: lib/utils_device_locking.c:102 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "Закључавање је прекинуто. Путања закључавања „%s/%s“ је неискористива (није директоријум или недостаје)." -#: lib/utils_device_locking.c:109 -#, c-format -msgid "Locking directory %s/%s will be created with default compiled-in permissions." -msgstr "Директоријум закључавања „%s/%s“ биће направљен са основним преведеним овлашћењима." - -#: lib/utils_device_locking.c:119 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Закључавање је прекинуто. Путања закључавања „%s/%s“ је неискористива („%s“ није директоријум)." @@ -787,9 +800,9 @@ msgstr "Величина кључа у „XTS“ режиму мора да бу msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "Спецификација шифрера треба бити у запису „[шифрер]-[режим]-[ив]“." -#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364 -#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125 -#: lib/luks2/luks2_json_metadata.c:1421 lib/luks2/luks2_keyslot.c:714 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Не могу да пишем на уређај „%s“, овлашћење је одбијено." @@ -802,23 +815,24 @@ msgstr "Нисам успео да отворим привремени уређ msgid "Failed to access temporary keystore device." msgstr "Нисам успео да приступм привременом уређају смештаја кључа." -#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60 -#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 msgid "IO error while encrypting keyslot." msgstr "Грешка УИ приликом шифровања утора кључа." -#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367 -#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:680 -#: lib/verity/verity.c:80 lib/verity/verity.c:196 lib/verity/verity_hash.c:320 -#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349 -#: lib/verity/verity_fec.c:260 lib/verity/verity_fec.c:272 -#: lib/verity/verity_fec.c:277 lib/luks2/luks2_json_metadata.c:1424 -#: src/utils_reencrypt_luks1.c:121 src/utils_reencrypt_luks1.c:133 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." msgstr "Не могу да отворим уређај „%s“." -#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137 +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "Грешка УИ приликом дешифровања утора кључа." @@ -834,54 +848,54 @@ msgstr "Уређај „%s“ је премали. (ЛУКС1 захтева б msgid "LUKS keyslot %u is invalid." msgstr "ЛУКС утор кључа „%u“ није исправан." -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1284 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 #, c-format msgid "Requested header backup file %s already exists." msgstr "Затражена датотека резерве заглавља „%s“ већ постоји." -#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1286 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 #, c-format msgid "Cannot create header backup file %s." msgstr "Не могу да направим резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1293 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 #, c-format msgid "Cannot write header backup file %s." msgstr "Не могу да запишем резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1330 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 msgid "Backup file does not contain valid LUKS header." msgstr "Датотека резерве не садржи исправно ЛУКС заглавље." -#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590 -#: lib/luks2/luks2_json_metadata.c:1351 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1420 #, c-format msgid "Cannot open header backup file %s." msgstr "Не могу да отворим резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1359 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 #, c-format msgid "Cannot read header backup file %s." msgstr "Не могу да прочитам резервну датотеку заглавља „%s“." -#: lib/luks1/keymanage.c:337 +#: lib/luks1/keymanage.c:339 msgid "Data offset or key size differs on device and backup, restore failed." msgstr "Померај датума или величина кључа се разликују на уређају и резерви, враћање није успело." -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "Уређај %s %s%s" -#: lib/luks1/keymanage.c:346 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "не садржи ЛУКС заглавље. Замена заглавља може да уништи податке на том уређају." -#: lib/luks1/keymanage.c:347 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "већ садржи ЛУКС заглавље. Замена заглавља ће уништити постојеће уторе кључева." -#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1393 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -889,126 +903,130 @@ msgstr "" "\n" "УПОЗОРЕЊЕ: право заглавље уређаја има другачији УЈИБ од резерве!" -#: lib/luks1/keymanage.c:395 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "Неуобичајена величина кључа, потребна је ручна поправка." -#: lib/luks1/keymanage.c:405 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "Неуобичајено поравнање утора кључева, потребна је ручна поправка." -#: lib/luks1/keymanage.c:414 +#: lib/luks1/keymanage.c:417 #, c-format msgid "Cipher mode repaired (%s -> %s)." msgstr "Режим шифрера је оправљен (%s → %s)." -#: lib/luks1/keymanage.c:425 +#: lib/luks1/keymanage.c:428 #, c-format msgid "Cipher hash repaired to lowercase (%s)." msgstr "Хеш шифрера је преправљен на мала слова (%s)." -#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533 -#: lib/luks1/keymanage.c:789 +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 #, c-format msgid "Requested LUKS hash %s is not supported." msgstr "Затражени ЛУКС хеш „%s“ није подржан." -#: lib/luks1/keymanage.c:441 +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "Поправљам уторе кључева." -#: lib/luks1/keymanage.c:460 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "Утор кључа %i: померај је оправљен (%u —> %u)." -#: lib/luks1/keymanage.c:468 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "Утор кључа %i: траке су оправљене (%u —> %u)." -#: lib/luks1/keymanage.c:477 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "Утор кључа %i: лажан потпис партиције." -#: lib/luks1/keymanage.c:482 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "Утор кључа %i: присолак је обрисан." -#: lib/luks1/keymanage.c:499 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "Записујем ЛУКС заглавље на диск." -#: lib/luks1/keymanage.c:504 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "Поправка није успела." -#: lib/luks1/keymanage.c:559 +#: lib/luks1/keymanage.c:562 #, c-format msgid "LUKS cipher mode %s is invalid." msgstr "Режим ЛУКС шифрера „%s“ није исправан." -#: lib/luks1/keymanage.c:564 +#: lib/luks1/keymanage.c:567 #, c-format msgid "LUKS hash %s is invalid." msgstr "ЛУКС хеш „%s“ није исправан." -#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1144 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 msgid "No known problems detected for LUKS header." msgstr "Нису откривени познати проблеми за ЛУКС заглавље." -#: lib/luks1/keymanage.c:699 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "Грешка приликом освежавања ЛУКС заглавља на уређају „%s“." -#: lib/luks1/keymanage.c:707 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "Грешка поновног читања ЛУКС заглавља након освежења на уређају „%s“." -#: lib/luks1/keymanage.c:783 +#: lib/luks1/keymanage.c:786 msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Померај података за ЛУКС заглавље мора бити или 0 или већи од величине заглавља." -#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863 -#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1175 -#: src/utils_reencrypt.c:475 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 +#: src/utils_reencrypt.c:539 msgid "Wrong LUKS UUID format provided." msgstr "Достављен је погрешан запис ЛУКС УЈИБ-а." -#: lib/luks1/keymanage.c:816 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "Не могу да направим ЛУКС заглавље: није успело читање насумичног присолка." -#: lib/luks1/keymanage.c:842 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "Не могу да направим ЛУКС заглавље: није успео преглед заглавља (користим хеш „%s“)." -#: lib/luks1/keymanage.c:886 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "Утор кључа „%d“ је радан, прво прочистите." -#: lib/luks1/keymanage.c:892 +#: lib/luks1/keymanage.c:895 #, c-format msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "Материјал утора кључа „%d“ обухвата премало трака. Да управљам заглављем?" -#: lib/luks1/keymanage.c:1033 +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "Прекорачење вредности ПБКДФ2 понављања." + +#: lib/luks1/keymanage.c:1040 #, c-format msgid "Cannot open keyslot (using hash %s)." msgstr "Не могу да отворим утор кључа (користим хеш %s)." -#: lib/luks1/keymanage.c:1111 +#: lib/luks1/keymanage.c:1118 #, c-format msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Утор кључа %d није исправан, изаберите га између 0 и %d." -#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 #, c-format msgid "Cannot wipe device %s." msgstr "Не могу да обришем уређај „%s“." @@ -1029,177 +1047,187 @@ msgstr "Откривена је несагласна датотека кључа msgid "Kernel does not support loop-AES compatible mapping." msgstr "Језгро не подржава мапирање сагласно са „AES“ петљом." -#: lib/tcrypt/tcrypt.c:509 +#: lib/tcrypt/tcrypt.c:508 #, c-format msgid "Error reading keyfile %s." msgstr "Грешка читања датотеке кључа „%s“." -#: lib/tcrypt/tcrypt.c:559 +#: lib/tcrypt/tcrypt.c:558 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Премашена је највећа дужина „TCRYPT“ пропусне речи (%zu)." -#: lib/tcrypt/tcrypt.c:601 +#: lib/tcrypt/tcrypt.c:600 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "„PBKDF2“ алгоритам хеша „%s“ није доступан, прескачем." -#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1019 +#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 msgid "Required kernel crypto interface not available." msgstr "Није доступно затражено сучеље криптографије језгра." -#: lib/tcrypt/tcrypt.c:622 src/cryptsetup.c:1021 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Уверите се да је учитан модул кернела „algif_skcipher“." -#: lib/tcrypt/tcrypt.c:763 +#: lib/tcrypt/tcrypt.c:762 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Покретање није подржано за величину %d области." -#: lib/tcrypt/tcrypt.c:769 +#: lib/tcrypt/tcrypt.c:768 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "Језгро не подржава покретање за овај стари „TCRYPT“ режим." -#: lib/tcrypt/tcrypt.c:800 +#: lib/tcrypt/tcrypt.c:799 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Покрећем „TCRYPT“ систем шифровања за партицију „%s“." -#: lib/tcrypt/tcrypt.c:883 +#: lib/tcrypt/tcrypt.c:882 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "Кернел не подржава мапирање сагласно са „TCRYPT“-ом." -#: lib/tcrypt/tcrypt.c:1096 +#: lib/tcrypt/tcrypt.c:1095 msgid "This function is not supported without TCRYPT header load." msgstr "Ова функција није подржана без учитавања „TCRYPT“ заглавља." -#: lib/bitlk/bitlk.c:275 +#: lib/bitlk/bitlk.c:278 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:328 +#: lib/bitlk/bitlk.c:337 msgid "Invalid string found when parsing Volume Master Key." msgstr "Нађох неисправну ниску приликом обраде главног кључа волумена." -#: lib/bitlk/bitlk.c:332 +#: lib/bitlk/bitlk.c:341 #, c-format msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." msgstr "Нађох неочекивану ниску („%s“) приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:349 +#: lib/bitlk/bitlk.c:358 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена." -#: lib/bitlk/bitlk.c:451 +#: lib/bitlk/bitlk.c:460 msgid "BITLK version 1 is currently not supported." msgstr "„BITLK“ издање 1 тренутно није подржано." -#: lib/bitlk/bitlk.c:457 +#: lib/bitlk/bitlk.c:466 msgid "Invalid or unknown boot signature for BITLK device." msgstr "Неисправан или непознат потпис учитавања за „BITLK“ уређај." -#: lib/bitlk/bitlk.c:469 +#: lib/bitlk/bitlk.c:478 #, c-format msgid "Unsupported sector size %." msgstr "Неподржана величина одељка „%“." -#: lib/bitlk/bitlk.c:477 +#: lib/bitlk/bitlk.c:486 #, c-format msgid "Failed to read BITLK header from %s." msgstr "Нисам успео да прочитам „BITLK“ заглавље из „%s“." -#: lib/bitlk/bitlk.c:502 +#: lib/bitlk/bitlk.c:511 #, c-format msgid "Failed to read BITLK FVE metadata from %s." msgstr "Нисам успео да прочитам „BITLK FVE“ метаподатаке из „%s“." -#: lib/bitlk/bitlk.c:554 +#: lib/bitlk/bitlk.c:562 msgid "Unknown or unsupported encryption type." msgstr "Непозната или неподржана врста криптографије." -#: lib/bitlk/bitlk.c:587 +#: lib/bitlk/bitlk.c:602 #, c-format msgid "Failed to read BITLK metadata entries from %s." msgstr "Нисам успео да прочитам уносе „BITLK“ метаподатака из „%s“." -#: lib/bitlk/bitlk.c:681 +#: lib/bitlk/bitlk.c:719 msgid "Failed to convert BITLK volume description" msgstr "Нисам успео да претворим опис „BITLK“ волумена" -#: lib/bitlk/bitlk.c:841 +#: lib/bitlk/bitlk.c:882 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде спољног кључа." -#: lib/bitlk/bitlk.c:860 +#: lib/bitlk/bitlk.c:905 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "ГУИД „%s“ датотеке „BEK“ не одговара ГУИД-у волумена." -#: lib/bitlk/bitlk.c:864 +#: lib/bitlk/bitlk.c:909 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде спољног кључа." -#: lib/bitlk/bitlk.c:903 +#: lib/bitlk/bitlk.c:948 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Неподржани „BEK“ метаподаци издање %" -#: lib/bitlk/bitlk.c:908 +#: lib/bitlk/bitlk.c:953 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Неочекивана величина „BEK“ метаподатака % не одговара величини „BEK“ датотеке" -#: lib/bitlk/bitlk.c:933 +#: lib/bitlk/bitlk.c:979 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Нађох неочекивану врсту уноса метаподатака приликом обраде кључа почретања." -#: lib/bitlk/bitlk.c:1029 +#: lib/bitlk/bitlk.c:1075 msgid "This operation is not supported." msgstr "Радња није подржана." -#: lib/bitlk/bitlk.c:1037 +#: lib/bitlk/bitlk.c:1083 msgid "Unexpected key data size." msgstr "Неочекивана величина података кључа." -#: lib/bitlk/bitlk.c:1163 +#: lib/bitlk/bitlk.c:1209 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Овај „BITLK“ уређај је у неподржаном стању и не може бити активиран." -#: lib/bitlk/bitlk.c:1168 +#: lib/bitlk/bitlk.c:1214 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "„BITLK“ уређај са врстом „%s“ се не може активирати." -#: lib/bitlk/bitlk.c:1175 +#: lib/bitlk/bitlk.c:1221 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Активирање делимично дешифрованог „BITLK“ уређаја није подржано." -#: lib/bitlk/bitlk.c:1216 +#: lib/bitlk/bitlk.c:1262 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "УПОЗОРЕЊЕ: Величина волумена закључавача бита % не одговара величини садржаног уређаја %" -#: lib/bitlk/bitlk.c:1343 +#: lib/bitlk/bitlk.c:1389 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK IV“." -#: lib/bitlk/bitlk.c:1347 +#: lib/bitlk/bitlk.c:1393 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK Elephant“ дифузера." -#: lib/bitlk/bitlk.c:1351 +#: lib/bitlk/bitlk.c:1397 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за велику величину сектора." -#: lib/bitlk/bitlk.c:1355 +#: lib/bitlk/bitlk.c:1401 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Не могу да активирам уређај, недостаје „dm-zero“ модул кернела." +#: lib/fvault2/fvault2.c:542 +#, c-format +msgid "Could not read %u bytes of volume header." +msgstr "Не могу да прочитам %u бајта заглавља волумена." + +#: lib/fvault2/fvault2.c:554 +#, c-format +msgid "Unsupported FVAULT2 version %." +msgstr "Неподржано FVAULT2 издање „%“." + #: lib/verity/verity.c:68 lib/verity/verity.c:182 #, c-format msgid "Verity device %s does not use on-disk header." @@ -1351,17 +1379,17 @@ msgstr "Кернел не подржава поравнање фиксних м msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Кернел одбија да покрене небезбедну опцију поновног израчунавања (видите старе опције покретања да избегнете ово)." -#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:1133 -#: lib/luks2/luks2_json_metadata.c:1413 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 +#: lib/luks2/luks2_json_metadata.c:1482 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Нисам успео да остварим закључавање писања на уређају „%s“." -#: lib/luks2/luks2_disk_metadata.c:402 +#: lib/luks2/luks2_disk_metadata.c:400 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." msgstr "Открих покушај истовременог ажурирања ЛУКС2 метаподатака. Прекидам." -#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722 +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 msgid "" "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" "Please run \"cryptsetup repair\" for recovery." @@ -1369,49 +1397,49 @@ msgstr "" "Уређај садржи нејасне потписе, не могу сам да поправим ЛУКС2.\n" "Покрените „cryptsetup repair“ за опорављање." -#: lib/luks2/luks2_json_format.c:230 +#: lib/luks2/luks2_json_format.c:229 msgid "Requested data offset is too small." msgstr "Затражени померај података је премали." -#: lib/luks2/luks2_json_format.c:275 +#: lib/luks2/luks2_json_format.c:274 #, c-format msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" msgstr "УПОЗОРЕЊЕ: област утора кључа (% бајта) је врло мала, доступан број ЛУКС2 утора кључа врло ограничен.\n" -#: lib/luks2/luks2_json_metadata.c:1120 lib/luks2/luks2_json_metadata.c:1258 -#: lib/luks2/luks2_json_metadata.c:1319 lib/luks2/luks2_keyslot_luks2.c:92 -#: lib/luks2/luks2_keyslot_luks2.c:114 +#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 +#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Нисам успео да остварим закључавање читања на уређају „%s“." -#: lib/luks2/luks2_json_metadata.c:1336 +#: lib/luks2/luks2_json_metadata.c:1405 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "Забрањени ЛУКС2 захтеви су откривени у резерви „%s“." -#: lib/luks2/luks2_json_metadata.c:1377 +#: lib/luks2/luks2_json_metadata.c:1446 msgid "Data offset differ on device and backup, restore failed." msgstr "Померај података се разликује на уређају и резерви, враћање није успело." -#: lib/luks2/luks2_json_metadata.c:1383 +#: lib/luks2/luks2_json_metadata.c:1452 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Бинарно заглавље са областима утора кључа се разликује на уређају и резерви, враћање није успело." -#: lib/luks2/luks2_json_metadata.c:1390 +#: lib/luks2/luks2_json_metadata.c:1459 #, c-format msgid "Device %s %s%s%s%s" msgstr "Уређај %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1391 +#: lib/luks2/luks2_json_metadata.c:1460 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "не садржи ЛУКС2 заглавље. Замена заглавља може да уништи податке на том уређају." -#: lib/luks2/luks2_json_metadata.c:1392 +#: lib/luks2/luks2_json_metadata.c:1461 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "већ садржи „LUKS2“ заглавље. Замена заглавља ће уништити постојеће уторе кључева." -#: lib/luks2/luks2_json_metadata.c:1394 +#: lib/luks2/luks2_json_metadata.c:1463 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1421,7 +1449,7 @@ msgstr "" "УПОЗОРЕЊЕ: непознати ЛУКС2 захтеви су откривени у стварном заглављу уређаја!\n" "Замена заглавља резервом може оштетити податке на том уређају!" -#: lib/luks2/luks2_json_metadata.c:1396 +#: lib/luks2/luks2_json_metadata.c:1465 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1431,50 +1459,50 @@ msgstr "" "УПОЗОРЕЊЕ: Недовршено ван мрежно поновно шифровање је откривено на уређају!\n" "Замена заглавља резервом може оштетити податке." -#: lib/luks2/luks2_json_metadata.c:1494 +#: lib/luks2/luks2_json_metadata.c:1562 #, c-format msgid "Ignored unknown flag %s." msgstr "Занемарена непозната заставица „%s“." -#: lib/luks2/luks2_json_metadata.c:2402 lib/luks2/luks2_reencrypt.c:2015 +#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Недостаје кључ за „dm-crypt“ подеок %u" -#: lib/luks2/luks2_json_metadata.c:2414 lib/luks2/luks2_reencrypt.c:2029 +#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 msgid "Failed to set dm-crypt segment." msgstr "Нисам успео да подесим „dm-crypt“ подеок." -#: lib/luks2/luks2_json_metadata.c:2420 lib/luks2/luks2_reencrypt.c:2035 +#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 msgid "Failed to set dm-linear segment." msgstr "Нисам успео да подесим „dm-linear“ подеок." -#: lib/luks2/luks2_json_metadata.c:2547 +#: lib/luks2/luks2_json_metadata.c:2615 msgid "Unsupported device integrity configuration." msgstr "Неподржано подешавање целовитости уређаја." -#: lib/luks2/luks2_json_metadata.c:2633 +#: lib/luks2/luks2_json_metadata.c:2701 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Поновно шифровање је у току. Не могу да деактивирам уређај." -#: lib/luks2/luks2_json_metadata.c:2644 lib/luks2/luks2_reencrypt.c:4057 +#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Нисам успео да заменим обустављени уређај „%s“ са метом „dm-error“." -#: lib/luks2/luks2_json_metadata.c:2724 +#: lib/luks2/luks2_json_metadata.c:2792 msgid "Failed to read LUKS2 requirements." msgstr "Нисам успео да прочитам ЛУКС2 захтеве." -#: lib/luks2/luks2_json_metadata.c:2731 +#: lib/luks2/luks2_json_metadata.c:2799 msgid "Unmet LUKS2 requirements detected." msgstr "Неоствариви ЛУКС2 захтеви су откривени." -#: lib/luks2/luks2_json_metadata.c:2739 +#: lib/luks2/luks2_json_metadata.c:2807 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Радња је несагласна са уређајем означеним за старо поновно шифровање. Прекидам." -#: lib/luks2/luks2_json_metadata.c:2741 +#: lib/luks2/luks2_json_metadata.c:2809 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Радња је несагласна са уређајем означеним за ЛУКС2 поновно шифровање. Прекидам." @@ -1486,20 +1514,21 @@ msgstr "Нема довољно доступне меморије за отва msgid "Keyslot open failed." msgstr "Отварање утора кључа није успело." -#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108 +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 #, c-format msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Не могу користити шифрер „%s-%s“ за шифровање утора кључа." -#: lib/luks2/luks2_keyslot_luks2.c:496 -msgid "No space for new keyslot." -msgstr "Нема простора за нови утор кључа." - -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2615 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 +#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 #, c-format msgid "Hash algorithm %s is not available." msgstr "Алгоритам хеша „%s“ није доступан." +#: lib/luks2/luks2_keyslot_luks2.c:510 +msgid "No space for new keyslot." +msgstr "Нема простора за нови утор кључа." + #: lib/luks2/luks2_keyslot_reenc.c:593 msgid "Invalid reencryption resilience mode change requested." msgstr "Затражена је неисправна промена режима гипкости поновног шифровања." @@ -1522,7 +1551,7 @@ msgstr "Не могу да проверим стање уређаја са уј msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Не могу да претворим заглавље са „LUKSMETA“ додатним метаподацима." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3715 +#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Не могу да користим спецификацију шифрера „%s-%s“ за ЛУКС2." @@ -1580,240 +1609,244 @@ msgstr "Не могу да претворим у ЛУКС1 запис – уто msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u није ЛУКС1 сагласан." -#: lib/luks2/luks2_reencrypt.c:1107 +#: lib/luks2/luks2_reencrypt.c:1152 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Величина вруће зоне мора бити умножак прорачунатог поравнања зоне (%zu бајта)." -#: lib/luks2/luks2_reencrypt.c:1112 +#: lib/luks2/luks2_reencrypt.c:1157 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Величина уређаја мора бити производ прорачунатог поравнања зоне (%zu бајта)." -#: lib/luks2/luks2_reencrypt.c:1319 lib/luks2/luks2_reencrypt.c:1505 -#: lib/luks2/luks2_reencrypt.c:1588 lib/luks2/luks2_reencrypt.c:1630 -#: lib/luks2/luks2_reencrypt.c:3852 +#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 +#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 +#: lib/luks2/luks2_reencrypt.c:3877 msgid "Failed to initialize old segment storage wrapper." msgstr "Нисам успео да покренем старог увијача смештаја подеока." -#: lib/luks2/luks2_reencrypt.c:1333 lib/luks2/luks2_reencrypt.c:1483 +#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 msgid "Failed to initialize new segment storage wrapper." msgstr "Нисам успео да покренем новог увијача смештаја подеока." -#: lib/luks2/luks2_reencrypt.c:1460 lib/luks2/luks2_reencrypt.c:3864 +#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 msgid "Failed to initialize hotzone protection." msgstr "Нисам успео да покренем заштиту вруће зоне." -#: lib/luks2/luks2_reencrypt.c:1532 +#: lib/luks2/luks2_reencrypt.c:1578 msgid "Failed to read checksums for current hotzone." msgstr "Нисам успео да прочитам суму провере за текућу врућу зону." -#: lib/luks2/luks2_reencrypt.c:1539 lib/luks2/luks2_reencrypt.c:3878 +#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Нисам успео да прочитам област вруће зоне са почетком на %." -#: lib/luks2/luks2_reencrypt.c:1558 +#: lib/luks2/luks2_reencrypt.c:1604 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Нисам успео да дешифрујем област %zu." -#: lib/luks2/luks2_reencrypt.c:1564 +#: lib/luks2/luks2_reencrypt.c:1610 #, c-format msgid "Failed to recover sector %zu." msgstr "Нисам успео да опоравим област %zu." -#: lib/luks2/luks2_reencrypt.c:2128 +#: lib/luks2/luks2_reencrypt.c:2174 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Величине изворног и циљног уређаја не одговарају. Извор %, мета: %." -#: lib/luks2/luks2_reencrypt.c:2226 +#: lib/luks2/luks2_reencrypt.c:2272 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Нисам успео да активирам уређај вруће зоне „%s“." -#: lib/luks2/luks2_reencrypt.c:2243 +#: lib/luks2/luks2_reencrypt.c:2289 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Нисам успео да активирам уређај преклапања „%s“ са стварном табелом порекла." -#: lib/luks2/luks2_reencrypt.c:2250 +#: lib/luks2/luks2_reencrypt.c:2296 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Нисам успео да учитам ново мапирање за уређај „%s“." -#: lib/luks2/luks2_reencrypt.c:2321 +#: lib/luks2/luks2_reencrypt.c:2367 msgid "Failed to refresh reencryption devices stack." msgstr "Нисам успео да освежим спремник уређаја поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:2497 +#: lib/luks2/luks2_reencrypt.c:2550 msgid "Failed to set new keyslots area size." msgstr "Нисам успео да подесим нову величину области утора кључа." -#: lib/luks2/luks2_reencrypt.c:2633 +#: lib/luks2/luks2_reencrypt.c:2686 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Вредност помака података није поравната на величину одељка шифровања (% бајта)." -#: lib/luks2/luks2_reencrypt.c:2664 +#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Неподржан режим гипкости „%s“" -#: lib/luks2/luks2_reencrypt.c:2741 +#: lib/luks2/luks2_reencrypt.c:2760 msgid "Moved segment size can not be greater than data shift value." msgstr "Величина премештеног подеока не може бити већа од вредности помака података." -#: lib/luks2/luks2_reencrypt.c:2799 +#: lib/luks2/luks2_reencrypt.c:2802 +msgid "Invalid reencryption resilience parameters." +msgstr "Неисправни параметри гипкости поновног шифровања." + +#: lib/luks2/luks2_reencrypt.c:2824 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Премештени подеок је превелик. Захтевана величина је %, доступан простор за: %." -#: lib/luks2/luks2_reencrypt.c:2886 +#: lib/luks2/luks2_reencrypt.c:2911 msgid "Failed to clear table." msgstr "Нисам успео да очистим табелу." -#: lib/luks2/luks2_reencrypt.c:2972 +#: lib/luks2/luks2_reencrypt.c:2997 msgid "Reduced data size is larger than real device size." msgstr "Величина умањених података је већа од стварне величине уређаја." -#: lib/luks2/luks2_reencrypt.c:2979 +#: lib/luks2/luks2_reencrypt.c:3004 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Уређај података није поравнат на величину одељка шифровања (% бајта)." -#: lib/luks2/luks2_reencrypt.c:3013 +#: lib/luks2/luks2_reencrypt.c:3038 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Помак података (% одељка) је мањи од будућег помераја података (% одељка)." -#: lib/luks2/luks2_reencrypt.c:3020 lib/luks2/luks2_reencrypt.c:3508 -#: lib/luks2/luks2_reencrypt.c:3529 +#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 +#: lib/luks2/luks2_reencrypt.c:3554 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Нисам успео да отворим „%s“ у искључивом режиму (већ мапиран или прикачен)." -#: lib/luks2/luks2_reencrypt.c:3209 +#: lib/luks2/luks2_reencrypt.c:3234 msgid "Device not marked for LUKS2 reencryption." msgstr "Уређај није означен за ЛУКС2 поновно шифровање." -#: lib/luks2/luks2_reencrypt.c:3226 lib/luks2/luks2_reencrypt.c:4181 +#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 msgid "Failed to load LUKS2 reencryption context." msgstr "Нисам успео да учитам контекст ЛУКС2 поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3306 +#: lib/luks2/luks2_reencrypt.c:3331 msgid "Failed to get reencryption state." msgstr "Нисам успео да добавим стање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3310 lib/luks2/luks2_reencrypt.c:3624 +#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 msgid "Device is not in reencryption." msgstr "Уређај није у поновном шифровању." -#: lib/luks2/luks2_reencrypt.c:3317 lib/luks2/luks2_reencrypt.c:3631 +#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 msgid "Reencryption process is already running." msgstr "Процес поновног шифровања је већ покренут." -#: lib/luks2/luks2_reencrypt.c:3319 lib/luks2/luks2_reencrypt.c:3633 +#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 msgid "Failed to acquire reencryption lock." msgstr "Нисам успео да остварим закључавање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3337 +#: lib/luks2/luks2_reencrypt.c:3362 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Не могу да наставим са поновним шифровањем. Прво покрените опоравак поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3472 +#: lib/luks2/luks2_reencrypt.c:3497 msgid "Active device size and requested reencryption size don't match." msgstr "Активна величина уређаја и величина затраженог поновног шифровања не одговарају." -#: lib/luks2/luks2_reencrypt.c:3486 +#: lib/luks2/luks2_reencrypt.c:3511 msgid "Illegal device size requested in reencryption parameters." msgstr "Неисправна величина уређаја је затражена у параметрима поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3563 +#: lib/luks2/luks2_reencrypt.c:3588 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Поновно шифровање је у току. Не могу да обавим опоравак." -#: lib/luks2/luks2_reencrypt.c:3732 +#: lib/luks2/luks2_reencrypt.c:3757 msgid "LUKS2 reencryption already initialized in metadata." msgstr "ЛУКС2 поновно шифровање је већ покренуто у метаподацима." -#: lib/luks2/luks2_reencrypt.c:3739 +#: lib/luks2/luks2_reencrypt.c:3764 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Нисам успео да покренем ЛУКС2 поновно шифровање у метаподацима." -#: lib/luks2/luks2_reencrypt.c:3834 +#: lib/luks2/luks2_reencrypt.c:3859 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Нисам успео да поставим подеоке уређаја за следећу врућу зону поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3886 +#: lib/luks2/luks2_reencrypt.c:3911 msgid "Failed to write reencryption resilience metadata." msgstr "Нисам успео да запишем метаподатаке гипкости поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:3893 +#: lib/luks2/luks2_reencrypt.c:3918 msgid "Decryption failed." msgstr "Дешифровање није успело." -#: lib/luks2/luks2_reencrypt.c:3898 +#: lib/luks2/luks2_reencrypt.c:3923 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Нисам успео да запишем област вруће зоне са почетком на %." -#: lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:3928 msgid "Failed to sync data." msgstr "Нисам успео да усагласим податке." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Нисам успео да освежим метаподатке након тренутно завршеног поновног шифровања вруће зоне." -#: lib/luks2/luks2_reencrypt.c:4000 +#: lib/luks2/luks2_reencrypt.c:4025 msgid "Failed to write LUKS2 metadata." msgstr "Нисам успео да запишем ЛУКС2 метаподатке." -#: lib/luks2/luks2_reencrypt.c:4023 +#: lib/luks2/luks2_reencrypt.c:4048 msgid "Failed to wipe unused data device area." msgstr "Нисам успео да обришем област уређаја података." -#: lib/luks2/luks2_reencrypt.c:4029 +#: lib/luks2/luks2_reencrypt.c:4054 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Нисам успео да уклоним некоришћени (несвезани) утор кључа %d." -#: lib/luks2/luks2_reencrypt.c:4039 +#: lib/luks2/luks2_reencrypt.c:4064 msgid "Failed to remove reencryption keyslot." msgstr "Нисам успео да уклоним утор кључа поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:4049 +#: lib/luks2/luks2_reencrypt.c:4074 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Кобна грешка приликом поновног шифровања комада који почиње на %, % подеока дуг." -#: lib/luks2/luks2_reencrypt.c:4053 +#: lib/luks2/luks2_reencrypt.c:4078 msgid "Online reencryption failed." msgstr "Поновно шифровање на мрежи није успело." -#: lib/luks2/luks2_reencrypt.c:4058 +#: lib/luks2/luks2_reencrypt.c:4083 msgid "Do not resume the device unless replaced with error target manually." msgstr "Не наставља са уређајем осим ако није ручно замењен метом грешке." -#: lib/luks2/luks2_reencrypt.c:4112 +#: lib/luks2/luks2_reencrypt.c:4137 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Не могу да наставим са поновним шифровањем. Неочекивано стање поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:4118 +#: lib/luks2/luks2_reencrypt.c:4143 msgid "Missing or invalid reencrypt context." msgstr "Недостаје или неисправан контекст поновног шифровања." -#: lib/luks2/luks2_reencrypt.c:4125 +#: lib/luks2/luks2_reencrypt.c:4150 msgid "Failed to initialize reencryption device stack." msgstr "Нисам успео да покренем поновно шифровање спремника уређаја." -#: lib/luks2/luks2_reencrypt.c:4147 lib/luks2/luks2_reencrypt.c:4194 +#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 msgid "Failed to update reencryption context." msgstr "Нисам успео да освежим контекст поновног шифровања." -#: lib/luks2/luks2_reencrypt_digest.c:406 +#: lib/luks2/luks2_reencrypt_digest.c:405 msgid "Reencryption metadata is invalid." msgstr "Метаподаци поновног шифровања нису исправни." @@ -1821,18 +1854,18 @@ msgstr "Метаподаци поновног шифровања нису исп msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Параметри шифровања утора кључа се могу поставити само за ЛУКС2 уређај." -#: src/cryptsetup.c:108 +#: src/cryptsetup.c:108 src/cryptsetup.c:1901 #, c-format -msgid "Enter token PIN:" -msgstr "Унесите ПИН скупине:" +msgid "Enter token PIN: " +msgstr "Унесите ПИН скупине: " -#: src/cryptsetup.c:110 +#: src/cryptsetup.c:110 src/cryptsetup.c:1903 #, c-format -msgid "Enter token %d PIN:" -msgstr "Унесите %d ПИН скупине:" +msgid "Enter token %d PIN: " +msgstr "Унесите %d ПИН скупине: " -#: src/cryptsetup.c:159 src/cryptsetup.c:966 src/cryptsetup.c:1293 -#: src/utils_reencrypt.c:1048 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 +#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Није откривен познат образац одреднице шифрера." @@ -1850,10 +1883,10 @@ msgstr "УПОЗОРЕЊЕ: Опција „--keyfile-size“ је занема msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "Открих потпис(е) уређаја на „%s“. Даље настављање може оштетити постојеће податке." -#: src/cryptsetup.c:221 src/cryptsetup.c:1040 src/cryptsetup.c:1088 -#: src/cryptsetup.c:1154 src/cryptsetup.c:1270 src/cryptsetup.c:1343 -#: src/cryptsetup.c:1994 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:275 +#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 +#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 +#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 +#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 msgid "Operation aborted.\n" msgstr "Радња је обустављена.\n" @@ -1900,7 +1933,7 @@ msgstr "" "који омогућава приступ шифрованој партицији без лозинке.\n" "Овај избачај треба увек бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:573 src/cryptsetup.c:2019 +#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1910,68 +1943,77 @@ msgstr "" "који омогућава приступ шифрованој партицији без лозинке.\n" "Овај избачај треба бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:664 src/veritysetup.c:321 src/integritysetup.c:400 +#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#, c-format +msgid "Device %s is not a valid FVAULT2 device." +msgstr "Уређај „%s“ није исправан FVAULT2 уређај." + +#: src/cryptsetup.c:747 +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "Не могу да одредим величину кључа волумена за FVAULT2, користите „--key-size“ опцију." + +#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Уређај „%s“ је још увек активан и заказан за одложено уклањање.\n" -#: src/cryptsetup.c:698 +#: src/cryptsetup.c:835 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Сразмеравање активног уређаја захтева кључ волумена у привеску кључева али је постављена „--disable-keyring“ опција." -#: src/cryptsetup.c:845 +#: src/cryptsetup.c:982 msgid "Benchmark interrupted." msgstr "Оцењивање је прекинуто." -#: src/cryptsetup.c:866 +#: src/cryptsetup.c:1003 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "„PBKDF2-%-9s“ Н/Д\n" -#: src/cryptsetup.c:868 +#: src/cryptsetup.c:1005 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "„PBKDF2-%-9s“ %7u понављања у секунди за %zu-битни кључ\n" -#: src/cryptsetup.c:882 +#: src/cryptsetup.c:1019 #, c-format msgid "%-10s N/A\n" msgstr "%-10s Н/Д\n" -#: src/cryptsetup.c:884 +#: src/cryptsetup.c:1021 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u понављања, %5u меморије, %1u паралелних нити (процесора) за %zu-битни кључ (захтева се %u ms време)\n" -#: src/cryptsetup.c:908 +#: src/cryptsetup.c:1045 msgid "Result of benchmark is not reliable." msgstr "Резултат оцењивања није поуздан." -#: src/cryptsetup.c:958 +#: src/cryptsetup.c:1095 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Пробе су приближне користећи само меморију (без УИ смештаја).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:978 +#: src/cryptsetup.c:1115 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "#%*s Алгоритам | Кључ | Шифровање | Дешифровање\n" -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1119 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Шифрер „%s“ (са %i битним кључем) није доступан." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1001 +#: src/cryptsetup.c:1138 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "# Алгоритам | Кључ | Шифровање | Дешифровање\n" -#: src/cryptsetup.c:1012 +#: src/cryptsetup.c:1149 msgid "N/A" msgstr "Недоступно" -#: src/cryptsetup.c:1037 +#: src/cryptsetup.c:1174 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -1979,27 +2021,27 @@ msgstr "" "Откривени су незаштићени ЛУКС2 метаподаци поновног шифровања. Проверите да ли је радња поновног шифровања пожељна (видите „luksDump“ излаз)\n" "и наставите (са надоградњом метаподатака само ако знате да је радња безопасна." -#: src/cryptsetup.c:1043 +#: src/cryptsetup.c:1180 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Унесите пропусну реч да заштитите и надоградите метаподатке поновног шифровања: " -#: src/cryptsetup.c:1087 +#: src/cryptsetup.c:1224 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Да наставим са опоравком ЛУКС2 поновног шифровања?" -#: src/cryptsetup.c:1096 +#: src/cryptsetup.c:1233 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Унесите пропусну реч да проверите упит метаподатака поновног шифровања: " -#: src/cryptsetup.c:1098 +#: src/cryptsetup.c:1235 msgid "Enter passphrase for reencryption recovery: " msgstr "Унесите пропусну реч за опоравак поновног шифровања: " -#: src/cryptsetup.c:1153 +#: src/cryptsetup.c:1290 msgid "Really try to repair LUKS device header?" msgstr "Стварно да покушам да поправим заглавље ЛУКС уређаја?" -#: src/cryptsetup.c:1177 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 msgid "" "\n" "Wipe interrupted." @@ -2007,7 +2049,7 @@ msgstr "" "\n" "Брисање је прекинуто." -#: src/cryptsetup.c:1182 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2015,119 +2057,128 @@ msgstr "" "Бришем уређај да бих започео суму провере целовитости.\n" "Можете прекинути ово притиском на „CTRL+c“ (остатак необрисаног уређаја садржаће неисправну суму провере).\n" -#: src/cryptsetup.c:1204 src/integritysetup.c:116 +#: src/cryptsetup.c:1341 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Не могу да деактивирам привремени уређај „%s“." -#: src/cryptsetup.c:1255 +#: src/cryptsetup.c:1392 msgid "Integrity option can be used only for LUKS2 format." msgstr "Опција целовитости се може користити само за ЛУКС2 запис." -#: src/cryptsetup.c:1260 src/cryptsetup.c:1320 +#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 msgid "Unsupported LUKS2 metadata size options." msgstr "Неподржана опција величине ЛУКС2 метаподатака." -#: src/cryptsetup.c:1269 +#: src/cryptsetup.c:1406 msgid "Header file does not exist, do you want to create it?" msgstr "Датотека заглавља не постоји, да ли желите да је направите?" -#: src/cryptsetup.c:1277 +#: src/cryptsetup.c:1414 #, c-format msgid "Cannot create header file %s." msgstr "Не могу да направим датотеку заглавља „%s“." -#: src/cryptsetup.c:1300 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 #: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 #: src/integritysetup.c:333 msgid "No known integrity specification pattern detected." msgstr "Није откривен познат образац одреднице целовитости." -#: src/cryptsetup.c:1313 +#: src/cryptsetup.c:1450 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Не могу да користим „%s“ као заглавље на-диску." -#: src/cryptsetup.c:1337 src/integritysetup.c:181 +#: src/cryptsetup.c:1474 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Ово ће неповратно да препише податке на „%s“." -#: src/cryptsetup.c:1370 src/cryptsetup.c:1707 src/cryptsetup.c:1772 -#: src/cryptsetup.c:1876 src/cryptsetup.c:1942 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 +#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Нисам успео да подесим „pbkdf“ параметре." -#: src/cryptsetup.c:1455 +#: src/cryptsetup.c:1593 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Смањени померај података је допуштен само за откачена ЛУКС заглавља." -#: src/cryptsetup.c:1466 src/cryptsetup.c:1778 +#: src/cryptsetup.c:1600 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "Садржалац ЛУКС датотеке „%s“ је премали за активирање, није преостао простор за податке." + +#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Не могу да одредим величину кључа за ЛУКС без утора кључа, користите „--key-size“ опцију." -#: src/cryptsetup.c:1512 +#: src/cryptsetup.c:1658 msgid "Device activated but cannot make flags persistent." msgstr "Уређај је активиран али не могу да учиним заставице трајним." -#: src/cryptsetup.c:1591 src/cryptsetup.c:1659 +#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Утор кључа „%d“ је изабран за брисање." -#: src/cryptsetup.c:1603 src/cryptsetup.c:1663 +#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Ово је последњи утор кључа. Уређај ће постати неупотребљив након чишћења овог кључа." -#: src/cryptsetup.c:1604 +#: src/cryptsetup.c:1750 msgid "Enter any remaining passphrase: " msgstr "Унесите неку преосталу пропусну реч: " -#: src/cryptsetup.c:1605 src/cryptsetup.c:1665 +#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Радња је прекинута, утор кључа НИЈЕ обрисан.\n" -#: src/cryptsetup.c:1641 +#: src/cryptsetup.c:1787 msgid "Enter passphrase to be deleted: " msgstr "Унесите пропусну реч за брисање: " -#: src/cryptsetup.c:1691 src/cryptsetup.c:1925 src/cryptsetup.c:2505 -#: src/cryptsetup.c:2649 +#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 +#: src/cryptsetup.c:2948 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Уређај „%s“ није исправан ЛУКС2 уређај." -#: src/cryptsetup.c:1721 src/cryptsetup.c:1795 src/cryptsetup.c:1829 +#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 msgid "Enter new passphrase for key slot: " msgstr "Унесите нову пропусну реч за утор кључа: " -#: src/cryptsetup.c:1812 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:1968 +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "УПОЗОРЕЊЕ: Параметар „--key-slot“ се користи за нови број утора кључа.\n" + +#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Унесите неку постојећу пропусну реч: " -#: src/cryptsetup.c:1880 +#: src/cryptsetup.c:2152 msgid "Enter passphrase to be changed: " msgstr "Унесите пропусну реч за мењање: " -#: src/cryptsetup.c:1896 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Унесите нову пропусну реч: " -#: src/cryptsetup.c:1946 +#: src/cryptsetup.c:2218 msgid "Enter passphrase for keyslot to be converted: " msgstr "Унесите пропусну реч за утор кључа за претварање: " -#: src/cryptsetup.c:1970 +#: src/cryptsetup.c:2242 msgid "Only one device argument for isLuks operation is supported." msgstr "Подржан је само један аргумент уређаја за радњу „isLuks“." -#: src/cryptsetup.c:2078 +#: src/cryptsetup.c:2350 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Утор кључа %d не садржи несвезани кључ." -#: src/cryptsetup.c:2083 +#: src/cryptsetup.c:2355 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2135,40 +2186,40 @@ msgstr "" "Избачај заглавља са кључем волумена је осетљив податак\n" "Овај избачај треба увек бити смештен шифрован на безбедном месту." -#: src/cryptsetup.c:2169 src/cryptsetup.c:2198 +#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 #, c-format msgid "%s is not active %s device name." msgstr "„%s“ није назив активног „%s“ уређаја." -#: src/cryptsetup.c:2193 +#: src/cryptsetup.c:2465 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "„%s“ није назив активног ЛУКС уређаја или недостаје заглавље." -#: src/cryptsetup.c:2255 src/cryptsetup.c:2274 +#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 msgid "Option --header-backup-file is required." msgstr "Захтевана је опција „--header-backup-file“." -#: src/cryptsetup.c:2305 +#: src/cryptsetup.c:2577 #, c-format msgid "%s is not cryptsetup managed device." msgstr "„%s“ није уређај управљан криптоподешавањем." -#: src/cryptsetup.c:2316 +#: src/cryptsetup.c:2588 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Освежавање није подржано за врсту уређаја „%s“" -#: src/cryptsetup.c:2362 +#: src/cryptsetup.c:2638 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Непозната врста уређаја метаподатака „%s“." -#: src/cryptsetup.c:2364 +#: src/cryptsetup.c:2640 msgid "Command requires device and mapped name as arguments." msgstr "Наредба захтева уређај и мапирани назив као аргумент." -#: src/cryptsetup.c:2385 +#: src/cryptsetup.c:2661 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2177,325 +2228,351 @@ msgstr "" "Ова радња ће обрисати све уторе кључева на уређају „%s“.\n" "Уређај ће постати неупотребљив након ове радње." -#: src/cryptsetup.c:2392 +#: src/cryptsetup.c:2668 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Радња је прекинута, утори кључева НИСУ обрисани.\n" -#: src/cryptsetup.c:2431 +#: src/cryptsetup.c:2707 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Неисправна ЛУКС врста, само „luks1“ и „luks2“ су подржане." -#: src/cryptsetup.c:2447 +#: src/cryptsetup.c:2723 #, c-format msgid "Device is already %s type." msgstr "Уређај је већ „%s“ врсте." -#: src/cryptsetup.c:2454 +#: src/cryptsetup.c:2730 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Ова радња ће претворити „%s“ у „%s“ запис.\n" -#: src/cryptsetup.c:2457 +#: src/cryptsetup.c:2733 msgid "Operation aborted, device was NOT converted.\n" msgstr "Радња је прекинута, уређај НИЈЕ претворен.\n" -#: src/cryptsetup.c:2497 +#: src/cryptsetup.c:2773 msgid "Option --priority, --label or --subsystem is missing." msgstr "Недостаје опција „--priority“, „--label“ или „--subsystem“." -#: src/cryptsetup.c:2531 src/cryptsetup.c:2568 src/cryptsetup.c:2588 +#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 #, c-format msgid "Token %d is invalid." msgstr "Скупина „%d“ није исправна." -#: src/cryptsetup.c:2534 src/cryptsetup.c:2591 +#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 #, c-format msgid "Token %d in use." msgstr "Скупина „%d“ је у употреби." -#: src/cryptsetup.c:2546 +#: src/cryptsetup.c:2822 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Нисам успео да додам „luks2-keyring“ скупину „%d“." -#: src/cryptsetup.c:2554 src/cryptsetup.c:2617 +#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Нисам успео да доделим скупину „%d“ утору кључа %d." -#: src/cryptsetup.c:2571 +#: src/cryptsetup.c:2850 #, c-format msgid "Token %d is not in use." msgstr "Скупина „%d“ није у употреби." -#: src/cryptsetup.c:2608 +#: src/cryptsetup.c:2887 msgid "Failed to import token from file." msgstr "Нисам успео да увезем скупину из датотеке." -#: src/cryptsetup.c:2633 +#: src/cryptsetup.c:2912 #, c-format msgid "Failed to get token %d for export." msgstr "Нисам успео да добавим скупину „%d“ за извоз." -#: src/cryptsetup.c:2682 +#: src/cryptsetup.c:2925 +#, c-format +msgid "Token %d is not assigned to keyslot %d." +msgstr "Скупина „%d“ није додељена утору кључа %d." + +#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#, c-format +msgid "Failed to unassign token %d from keyslot %d." +msgstr "Нисам успео да поништим доделу скупине „%d“ из утора кључа %d." + +#: src/cryptsetup.c:2983 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Опција „--tcrypt-hidden“, „--tcrypt-system“ или „--tcrypt-backup“ је подржана само за ТКРИПТ уређај." -#: src/cryptsetup.c:2685 +#: src/cryptsetup.c:2986 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Опција „--veracrypt“ или „--disable-veracrypt“ је подржана само за ТКРИПТ врсту уређаја." -#: src/cryptsetup.c:2688 +#: src/cryptsetup.c:2989 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Опција „--veracrypt-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." -#: src/cryptsetup.c:2692 +#: src/cryptsetup.c:2993 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Опција „--veracrypt-query-pim“ је подржана само за „VeraCrypt“ сагласне уређаје." -#: src/cryptsetup.c:2694 +#: src/cryptsetup.c:2995 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Опције „--veracrypt-pim“ и „--veracrypt-query-pim“ се узајамно искључују." -#: src/cryptsetup.c:2703 +#: src/cryptsetup.c:3004 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Опција „--persistent“ није допуштена са опцијом „--test-passphrase“." -#: src/cryptsetup.c:2706 +#: src/cryptsetup.c:3007 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Опције „--refresh“ и „--test-passphrase“ се узајамно искључују." -#: src/cryptsetup.c:2709 +#: src/cryptsetup.c:3010 msgid "Option --shared is allowed only for open of plain device." msgstr "Опција „--shared“ је допуштена само за отварање обичног уређаја." -#: src/cryptsetup.c:2712 +#: src/cryptsetup.c:3013 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Опција „--skip“ је подржана само за отварање обичних и упетљаних уређаја." -#: src/cryptsetup.c:2715 +#: src/cryptsetup.c:3016 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Опција „--offset“ са отвореном радњом је подржана само за обичне и упетљане уређаје." -#: src/cryptsetup.c:2718 +#: src/cryptsetup.c:3019 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Опција „--tcrypt-hidden“ не може бити обједињена са „--allow-discards“." -#: src/cryptsetup.c:2722 +#: src/cryptsetup.c:3023 msgid "Sector size option with open action is supported only for plain devices." msgstr "Опција величине одељка са отвореном радњом је подржана само за обичне уређаје." -#: src/cryptsetup.c:2726 +#: src/cryptsetup.c:3027 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Опција великих IV одељака је подржана само за отварање обичних уређаја са величином одељка већом од 512 бајта." -#: src/cryptsetup.c:2730 -msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices." -msgstr "Опција „--test-passphrase“ је допуштена само за отварање ЛУКС, „TCRYPT“ и „BITLK“ уређаја." +#: src/cryptsetup.c:3032 +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "Опција „--test-passphrase“ је допуштена само за отварање LUKS, TCRYPT, BITLK и FVAULT2 уређаја." -#: src/cryptsetup.c:2733 src/cryptsetup.c:2756 +#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 msgid "Options --device-size and --size cannot be combined." msgstr "Опције „--device-size“ и „--size“ се не могу комбиновати." -#: src/cryptsetup.c:2736 +#: src/cryptsetup.c:3038 msgid "Option --unbound is allowed only for open of luks device." msgstr "Опција „--unbound“ је допуштена само за отварање лукс уређаја." -#: src/cryptsetup.c:2739 +#: src/cryptsetup.c:3041 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Опција „--unbound“ се не може користити без „--test-passphrase“." -#: src/cryptsetup.c:2748 src/veritysetup.c:664 src/integritysetup.c:755 +#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Опције „--cancel-deferred“ и „--deferred“ се не могу користити у исто време." -#: src/cryptsetup.c:2764 +#: src/cryptsetup.c:3066 msgid "Options --reduce-device-size and --data-size cannot be combined." msgstr "Опције „--reduce-device-size“ и „--data-size“ се не могу комбиновати." -#: src/cryptsetup.c:2767 +#: src/cryptsetup.c:3069 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Опција „--active-name“ се може поставити само за ЛУКС2 уређај." -#: src/cryptsetup.c:2770 +#: src/cryptsetup.c:3072 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Опције „--active-name“ и „--force-offline-reencrypt“ се не могу комбиновати." -#: src/cryptsetup.c:2778 src/cryptsetup.c:2808 +#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 msgid "Keyslot specification is required." msgstr "Одредба утора кључа је потребна." -#: src/cryptsetup.c:2786 +#: src/cryptsetup.c:3088 msgid "Options --align-payload and --offset cannot be combined." msgstr "Опције „--align-payload“ и „--offset“ се не могу комбиновати." -#: src/cryptsetup.c:2789 +#: src/cryptsetup.c:3091 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Опција „--integrity-no-wipe“ се може користити само за радњу форматирања са проширењем целовитости." -#: src/cryptsetup.c:2792 +#: src/cryptsetup.c:3094 msgid "Only one of --use-[u]random options is allowed." msgstr "Дозвољена је само једна опција „--use-[u]random“." -#: src/cryptsetup.c:2800 +#: src/cryptsetup.c:3102 msgid "Key size is required with --unbound option." msgstr "Величина кључа је потребна са опцијом „--unbound“." -#: src/cryptsetup.c:2819 +#: src/cryptsetup.c:3122 msgid "Invalid token action." msgstr "Неисправна радња скупине." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3125 msgid "--key-description parameter is mandatory for token add action." msgstr "„--key-description“ параметар је обавезан за радњу додавања скупине." -#: src/cryptsetup.c:2826 +#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 msgid "Action requires specific token. Use --token-id parameter." msgstr "Радња захтева нарочиту скупину. Користите параметар „--token-id“." -#: src/cryptsetup.c:2840 +#: src/cryptsetup.c:3133 +msgid "Option --unbound is valid only with token add action." +msgstr "Опција „--unbound“ је исправна само са радњом додавања скупине." + +#: src/cryptsetup.c:3135 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "Опције „--key-slot“ и „--unbound“ се не могу комбиновати." + +#: src/cryptsetup.c:3140 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "Радња захтева нарочити утор кључа. Користите параметар „--key-slot“." + +#: src/cryptsetup.c:3156 msgid " [--type ] []" msgstr "<уређај> [--type <врста>] [<назив>]" -#: src/cryptsetup.c:2840 src/veritysetup.c:487 src/integritysetup.c:535 +#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 msgid "open device as " msgstr "отвара уређај као <назив>" -#: src/cryptsetup.c:2841 src/cryptsetup.c:2842 src/cryptsetup.c:2843 -#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:536 +#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 #: src/integritysetup.c:537 src/integritysetup.c:539 msgid "" msgstr "<назив>" -#: src/cryptsetup.c:2841 src/veritysetup.c:488 src/integritysetup.c:536 +#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 msgid "close device (remove mapping)" msgstr "затвара уређај (уклања мапирање)" -#: src/cryptsetup.c:2842 src/integritysetup.c:539 +#: src/cryptsetup.c:3158 src/integritysetup.c:539 msgid "resize active device" msgstr "мења величину радног уређаја" -#: src/cryptsetup.c:2843 +#: src/cryptsetup.c:3159 msgid "show device status" msgstr "показује стање уређаја" -#: src/cryptsetup.c:2844 +#: src/cryptsetup.c:3160 msgid "[--cipher ]" msgstr "[--cipher <шифрер>]" -#: src/cryptsetup.c:2844 +#: src/cryptsetup.c:3160 msgid "benchmark cipher" msgstr "шифрер оцењивања" -#: src/cryptsetup.c:2845 src/cryptsetup.c:2846 src/cryptsetup.c:2847 -#: src/cryptsetup.c:2848 src/cryptsetup.c:2849 src/cryptsetup.c:2856 -#: src/cryptsetup.c:2857 src/cryptsetup.c:2858 src/cryptsetup.c:2859 -#: src/cryptsetup.c:2860 src/cryptsetup.c:2861 src/cryptsetup.c:2862 -#: src/cryptsetup.c:2863 src/cryptsetup.c:2864 +#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 +#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 +#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 +#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 +#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 msgid "" msgstr "<уређај>" -#: src/cryptsetup.c:2845 +#: src/cryptsetup.c:3161 msgid "try to repair on-disk metadata" msgstr "покушава да поправи метаподатке на-диску" -#: src/cryptsetup.c:2846 +#: src/cryptsetup.c:3162 msgid "reencrypt LUKS2 device" msgstr "ЛУКС2 уређај поновног шифровања" -#: src/cryptsetup.c:2847 +#: src/cryptsetup.c:3163 msgid "erase all keyslots (remove encryption key)" msgstr "брише све уторе кључева (уклања кључ шифровања)" -#: src/cryptsetup.c:2848 +#: src/cryptsetup.c:3164 msgid "convert LUKS from/to LUKS2 format" msgstr "претвара ЛУКС из/у ЛУКС2 запис" -#: src/cryptsetup.c:2849 +#: src/cryptsetup.c:3165 msgid "set permanent configuration options for LUKS2" msgstr "поставља трајне опције подешавања за ЛУКС2" -#: src/cryptsetup.c:2850 src/cryptsetup.c:2851 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 msgid " []" msgstr "<уређај> [<нова датотека кључа>]" -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3166 msgid "formats a LUKS device" msgstr "форматира ЛУКС уређај" -#: src/cryptsetup.c:2851 +#: src/cryptsetup.c:3167 msgid "add key to LUKS device" msgstr "додаје кључ у ЛУКС уређај" -#: src/cryptsetup.c:2852 src/cryptsetup.c:2853 src/cryptsetup.c:2854 +#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 msgid " []" msgstr "<уређај> [<датотека кључа>]" -#: src/cryptsetup.c:2852 +#: src/cryptsetup.c:3168 msgid "removes supplied key or key file from LUKS device" msgstr "уклања достављени кључ или датотеку кључа из ЛУКС уређаја" -#: src/cryptsetup.c:2853 +#: src/cryptsetup.c:3169 msgid "changes supplied key or key file of LUKS device" msgstr "мења достављени кључ или датотеку кључа ЛУКС уређаја" -#: src/cryptsetup.c:2854 +#: src/cryptsetup.c:3170 msgid "converts a key to new pbkdf parameters" msgstr "претвара кључ у нове „pbkdf“ параметре" -#: src/cryptsetup.c:2855 +#: src/cryptsetup.c:3171 msgid " " msgstr "<уређај> <утор кључа>" -#: src/cryptsetup.c:2855 +#: src/cryptsetup.c:3171 msgid "wipes key with number from LUKS device" msgstr "брише кључ са бројем <утор кључа> са ЛУКС уређаја" -#: src/cryptsetup.c:2856 +#: src/cryptsetup.c:3172 msgid "print UUID of LUKS device" msgstr "исписује УЈИБ ЛУКС уређаја" -#: src/cryptsetup.c:2857 +#: src/cryptsetup.c:3173 msgid "tests for LUKS partition header" msgstr "испробава <уређај> за заглављем ЛУКС партиције" -#: src/cryptsetup.c:2858 +#: src/cryptsetup.c:3174 msgid "dump LUKS partition information" msgstr "исписује податке ЛУКС партиције" -#: src/cryptsetup.c:2859 +#: src/cryptsetup.c:3175 msgid "dump TCRYPT device information" msgstr "исписује податке ТКРИПТ уређаја" -#: src/cryptsetup.c:2860 +#: src/cryptsetup.c:3176 msgid "dump BITLK device information" msgstr "исписује податке „BITLK“ уређаја" -#: src/cryptsetup.c:2861 +#: src/cryptsetup.c:3177 +msgid "dump FVAULT2 device information" +msgstr "исписује податке „FVAULT2“ уређаја" + +#: src/cryptsetup.c:3178 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Обуставља ЛУКС уређај и брише кључ (сви УИ су замрзнути)" -#: src/cryptsetup.c:2862 +#: src/cryptsetup.c:3179 msgid "Resume suspended LUKS device" msgstr "Наставља са обустављеним ЛУКС уређајем" -#: src/cryptsetup.c:2863 +#: src/cryptsetup.c:3180 msgid "Backup LUKS device header and keyslots" msgstr "Прави резерву заглавља „LUKS“ уређаја и утора кључева" -#: src/cryptsetup.c:2864 +#: src/cryptsetup.c:3181 msgid "Restore LUKS device header and keyslots" msgstr "Враћа заглавље „LUKS“ уређаја и уторе кључева" -#: src/cryptsetup.c:2865 +#: src/cryptsetup.c:3182 msgid " " msgstr "<додај|уклони|увези|извези> <уређај>" -#: src/cryptsetup.c:2865 +#: src/cryptsetup.c:3182 msgid "Manipulate LUKS2 tokens" msgstr "Управља ЛУКС2 скупинама" -#: src/cryptsetup.c:2884 src/veritysetup.c:505 src/integritysetup.c:554 +#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 msgid "" "\n" " is one of:\n" @@ -2503,19 +2580,19 @@ msgstr "" "\n" "<радња> је једна од следећих:\n" -#: src/cryptsetup.c:2890 +#: src/cryptsetup.c:3207 msgid "" "\n" "You can also use old syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "Можете такође да користите старе надимке синтаксе <радње>:\n" -"\tотварање: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n" -"\tзатвори: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n" +"\tотвори: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tзатвори: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:2894 +#: src/cryptsetup.c:3211 #, c-format msgid "" "\n" @@ -2530,7 +2607,7 @@ msgstr "" "<утор кључа> је број ЛУКС утора кључа за мењање\n" "<датотека кључа> изборна датотека кључа за нови кључ за радњу „luksAddKey“\n" -#: src/cryptsetup.c:2901 +#: src/cryptsetup.c:3218 #, c-format msgid "" "\n" @@ -2539,7 +2616,7 @@ msgstr "" "\n" "Основни уграђени запис метаподатака је „%s“ (за „luksFormat“ радњу).\n" -#: src/cryptsetup.c:2906 src/cryptsetup.c:2909 +#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 #, c-format msgid "" "\n" @@ -2548,20 +2625,20 @@ msgstr "" "\n" "Подршка прикључка спољне скупине за „LUKS2“ је „%s“.\n" -#: src/cryptsetup.c:2906 +#: src/cryptsetup.c:3223 msgid "compiled-in" msgstr "преведено" -#: src/cryptsetup.c:2907 +#: src/cryptsetup.c:3224 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Путања прикључка спољне скупине за „LUKS2“: %s.\n" -#: src/cryptsetup.c:2909 +#: src/cryptsetup.c:3226 msgid "disabled" msgstr "искључено" -#: src/cryptsetup.c:2913 +#: src/cryptsetup.c:3230 #, c-format msgid "" "\n" @@ -2578,7 +2655,7 @@ msgstr "" "Основни „PBKDF“ за ЛУКС2: %s\n" "\tВреме понављања: %d, Захтевана меморија: %dkB, Паралелне нити: %d\n" -#: src/cryptsetup.c:2924 +#: src/cryptsetup.c:3241 #, c-format msgid "" "\n" @@ -2593,96 +2670,96 @@ msgstr "" "\tобично: %s, Кључ: %d бита, Хеширање лозинке: %s\n" "\tЛУКС: %s, Кључ: %d бита, Хеширање ЛУКС заглавља: %s, РНГ: %s\n" -#: src/cryptsetup.c:2933 +#: src/cryptsetup.c:3250 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tЛУКС: Основна величина кључа са „XTS“ режимом (два унутрашња кључа) биће удвостручена.\n" -#: src/cryptsetup.c:2951 src/veritysetup.c:644 src/integritysetup.c:711 +#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: захтева „%s“ као аргумент" -#: src/cryptsetup.c:2997 src/utils_reencrypt_luks1.c:1194 +#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Утор кључа није исправан." -#: src/cryptsetup.c:3024 +#: src/cryptsetup.c:3335 msgid "Device size must be multiple of 512 bytes sector." msgstr "Величина уређаја мора бити умножак одељка од 512 бајта." -#: src/cryptsetup.c:3029 +#: src/cryptsetup.c:3340 msgid "Invalid max reencryption hotzone size specification." msgstr "Неисправна одредба највеће величине вруће зоне поновног шифровања." -#: src/cryptsetup.c:3043 src/cryptsetup.c:3055 +#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 msgid "Key size must be a multiple of 8 bits" msgstr "Величина кључа мора бити умножак од 8 бита" -#: src/cryptsetup.c:3060 +#: src/cryptsetup.c:3371 msgid "Maximum device reduce size is 1 GiB." msgstr "Највећа величина смањења уређаја је 1 GiB." -#: src/cryptsetup.c:3063 +#: src/cryptsetup.c:3374 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Величина смањивања мора бити умножак одељка од 512 бајта." -#: src/cryptsetup.c:3080 +#: src/cryptsetup.c:3391 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Опција „--priority“ може бити само „ignore/normal/prefer“." -#: src/cryptsetup.c:3099 src/veritysetup.c:568 src/integritysetup.c:634 +#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 msgid "Show this help message" msgstr "Приказује ову поруку помоћи" -#: src/cryptsetup.c:3100 src/veritysetup.c:569 src/integritysetup.c:635 +#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 msgid "Display brief usage" msgstr "Прикажите кратку поруку о коришћењу" -#: src/cryptsetup.c:3101 src/veritysetup.c:570 src/integritysetup.c:636 +#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 msgid "Print package version" msgstr "Исписује издање пакета" -#: src/cryptsetup.c:3112 src/veritysetup.c:581 src/integritysetup.c:647 +#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 msgid "Help options:" msgstr "Опције помоћи:" -#: src/cryptsetup.c:3132 src/veritysetup.c:599 src/integritysetup.c:664 +#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 msgid "[OPTION...] " msgstr "[ОПЦИЈА...] <радња> <посебност-радње>" -#: src/cryptsetup.c:3141 src/veritysetup.c:608 src/integritysetup.c:675 +#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 msgid "Argument missing." msgstr "Недостаје аргумент <радња>." -#: src/cryptsetup.c:3211 src/veritysetup.c:639 src/integritysetup.c:706 +#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 msgid "Unknown action." msgstr "Непозната радња." -#: src/cryptsetup.c:3229 +#: src/cryptsetup.c:3546 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Опција „--key-file“ има првенство над наведеним аргументом датотеке кључа." -#: src/cryptsetup.c:3235 +#: src/cryptsetup.c:3552 msgid "Only one --key-file argument is allowed." msgstr "Дозвољен је само један аргумент „--key-file“." -#: src/cryptsetup.c:3240 +#: src/cryptsetup.c:3557 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Функција произилажења кључа заснованог на пропусној речи (PBKDF) може бити само „pbkdf2“ или „argon2i/argon2id“." -#: src/cryptsetup.c:3245 +#: src/cryptsetup.c:3562 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "„PBKDF“ присиљена понављања се не могу комбиновати са опцијом времена понављања." -#: src/cryptsetup.c:3256 +#: src/cryptsetup.c:3573 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Опције „--keyslot-cipher“ и „--keyslot-key-size“ се морају користити заједно." -#: src/cryptsetup.c:3264 +#: src/cryptsetup.c:3581 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Није предузета никаква радња. Призвана опцијом „--test-args“.\n" -#: src/cryptsetup.c:3277 +#: src/cryptsetup.c:3594 msgid "Cannot disable metadata locking." msgstr "Не могу да искључим закључавање метаподатака." @@ -2710,72 +2787,72 @@ msgstr "Не могу да направим корену хеш датотеку msgid "Cannot write to root hash file %s." msgstr "Не могу да пишем у корену хеш датотеку „%s“." -#: src/veritysetup.c:196 src/veritysetup.c:472 +#: src/veritysetup.c:198 src/veritysetup.c:476 #, c-format msgid "Device %s is not a valid VERITY device." msgstr "Уређај „%s“ није исправан „VERITY“ уређај." -#: src/veritysetup.c:213 src/veritysetup.c:230 +#: src/veritysetup.c:215 src/veritysetup.c:232 #, c-format msgid "Cannot read root hash file %s." msgstr "Не могу да читам корену хеш датотеку „%s“." -#: src/veritysetup.c:218 +#: src/veritysetup.c:220 #, c-format msgid "Invalid root hash file %s." msgstr "Неисправна корена хеш датотека „%s“." -#: src/veritysetup.c:239 +#: src/veritysetup.c:241 msgid "Invalid root hash string specified." msgstr "Наведена је неисправна ниска хеша корена." -#: src/veritysetup.c:247 +#: src/veritysetup.c:249 #, c-format msgid "Invalid signature file %s." msgstr "Неисправна датотека потписа „%s“." -#: src/veritysetup.c:254 +#: src/veritysetup.c:256 #, c-format msgid "Cannot read signature file %s." msgstr "Не могу да прочитам датотеку потписа „%s“." -#: src/veritysetup.c:277 src/veritysetup.c:291 +#: src/veritysetup.c:279 src/veritysetup.c:293 msgid "Command requires or --root-hash-file option as argument." msgstr "Наредба захтева „“ или „--root-hash-file“ опцију као аргумент." -#: src/veritysetup.c:485 +#: src/veritysetup.c:489 msgid " " msgstr "<уређај_података> <уређај_хеша>" -#: src/veritysetup.c:485 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:534 msgid "format device" msgstr "форматира уређај" -#: src/veritysetup.c:486 +#: src/veritysetup.c:490 msgid " []" msgstr "<уређај_података> <уређај_хеша> [<хеш_корена>]" -#: src/veritysetup.c:486 +#: src/veritysetup.c:490 msgid "verify device" msgstr "проверава уређај" -#: src/veritysetup.c:487 +#: src/veritysetup.c:491 msgid " []" msgstr "<уређај_података> <назив> <уређај_хеша> [<хеш_корена>]" -#: src/veritysetup.c:489 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:537 msgid "show active device status" msgstr "показује стање радног уређаја" -#: src/veritysetup.c:490 +#: src/veritysetup.c:494 msgid "" msgstr "<уређај_хеша>" -#: src/veritysetup.c:490 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:538 msgid "show on-disk information" msgstr "приказује податке на-диску" -#: src/veritysetup.c:509 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2790,7 +2867,7 @@ msgstr "" "<уређај_хеша> јесте уређај који садржи податке проверавања\n" "<хеш_корена> хеш кореног чвора на <уређају_хеша>\n" -#: src/veritysetup.c:516 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" @@ -2801,11 +2878,11 @@ msgstr "" "Основни преведени параметри дм-тачности:\n" "\tХеш: %s, Блок података (бајта): %u, Блок хеша (бајта): %u, Величина присолка: %u, Запис хеша: %u\n" -#: src/veritysetup.c:654 +#: src/veritysetup.c:658 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Опције „--ignore-corruption“ и „--restart-on-corruption“ се не могу користити заједно." -#: src/veritysetup.c:659 +#: src/veritysetup.c:663 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Опције „--panic-on-corruption“ и „--restart-on-corruption“ се не могу користити заједно." @@ -3090,7 +3167,7 @@ msgstr "Напредовање: %5.1f%%, ETA %s, %s, %s%s" msgid "Finished, time %s, %s, %s\n" msgstr "Завршено, време %s, %s, %s\n" -#: src/utils_password.c:41 src/utils_password.c:74 +#: src/utils_password.c:41 src/utils_password.c:72 #, c-format msgid "Cannot check password quality: %s" msgstr "Не могу да проверим квалитет лозинке: %s" @@ -3104,42 +3181,42 @@ msgstr "" "Провера квалитета лозинке није успела:\n" " %s" -#: src/utils_password.c:81 +#: src/utils_password.c:79 #, c-format msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Провера квалитета лозинке није успела: Лоша шифра (%s)" -#: src/utils_password.c:231 src/utils_password.c:245 +#: src/utils_password.c:230 src/utils_password.c:244 msgid "Error reading passphrase from terminal." msgstr "Грешка читања пропусне речи из терминала." -#: src/utils_password.c:243 +#: src/utils_password.c:242 msgid "Verify passphrase: " msgstr "Провери пропусну реч: " -#: src/utils_password.c:250 +#: src/utils_password.c:249 msgid "Passphrases do not match." msgstr "Пропусне речи се не подударају." -#: src/utils_password.c:288 +#: src/utils_password.c:287 msgid "Cannot use offset with terminal input." msgstr "Не могу да користим померај са улазом терминала." -#: src/utils_password.c:292 +#: src/utils_password.c:291 #, c-format msgid "Enter passphrase: " msgstr "Унесите пропусну реч: " -#: src/utils_password.c:295 +#: src/utils_password.c:294 #, c-format msgid "Enter passphrase for %s: " msgstr "Унесите пропусну реч за „%s“: " -#: src/utils_password.c:329 +#: src/utils_password.c:328 msgid "No key available with this passphrase." msgstr "Нема доступног кључа са овом пропусном речју." -#: src/utils_password.c:331 +#: src/utils_password.c:330 msgid "No usable keyslot is available." msgstr "Нема доступног употребљивог утора кључа." @@ -3213,41 +3290,50 @@ msgstr "" "То може довести до оштећења података ако је уређај заправо активиран.\n" "Да покренете поновно шифровање у режиму на мрежи, користите параметар „--active-name“.\n" -#: src/utils_reencrypt.c:175 +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" +"Уређај „%s“ није блок уређај. Не могу да само-откријем да ли је активан или није.\n" +"Користите „--force-offline-reencrypt“ да заобиђете проверу и да радите у режиму ван мреже (опасно!)." + +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "Захтевана опција „--resilience“ се не може применити на текућој радњи поновног шифровања." + +#: src/utils_reencrypt.c:203 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--encrypt“." -#: src/utils_reencrypt.c:180 +#: src/utils_reencrypt.c:208 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--decrypt“." -#: src/utils_reencrypt.c:187 +#: src/utils_reencrypt.c:215 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." msgstr "Уређај је у поновном шифровању користећи гипкост помака података. Захтевана опција „--resilience“ се не може применити." -#: src/utils_reencrypt.c:193 src/utils_reencrypt.c:199 -#: src/utils_reencrypt.c:205 src/utils_reencrypt.c:681 -msgid "Requested --resilience option cannot be applied to current reencryption operation." -msgstr "Захтевана опција „--resilience“ се не може применити на текућој радњи поновног шифровања." - -#: src/utils_reencrypt.c:258 +#: src/utils_reencrypt.c:293 msgid "Device requires reencryption recovery. Run repair first." msgstr "Уређај захтева опоравак поновног шифровања. Прво покрените поправку." -#: src/utils_reencrypt.c:268 +#: src/utils_reencrypt.c:307 #, c-format msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Да ли желите да наставите са претходно започетом радњом?" -#: src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:353 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Старо ЛУКС2 поновно шифровања више није подржано." -#: src/utils_reencrypt.c:379 +#: src/utils_reencrypt.c:418 msgid "Reencryption of device with integrity profile is not supported." msgstr "Поновно шифровање уређаја са профилом целовитости није подржано." -#: src/utils_reencrypt.c:410 +#: src/utils_reencrypt.c:449 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3256,98 +3342,103 @@ msgstr "" "Захтевано „--sector-size“ % је несагласно са „%s“ суперблоком\n" "(величина блока: % бајта) је откривено на уређају „%s“." -#: src/utils_reencrypt.c:455 +#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Шифровање без откаченог заглавља (--header) није могуће без смањења величине уређаја података (--reduce-device-size)." -#: src/utils_reencrypt.c:461 +#: src/utils_reencrypt.c:525 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Затражени померај података мора бити мањи или једнак половини параметра „--reduce-device-size“." -#: src/utils_reencrypt.c:471 +#: src/utils_reencrypt.c:535 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Подешавам „--reduce-device-size“ вредност на двоструко од „--offset“ % (подеока).\n" -#: src/utils_reencrypt.c:501 +#: src/utils_reencrypt.c:565 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Привремена датотека заглавља „%s“ већ постоји. Прекидам." -#: src/utils_reencrypt.c:503 src/utils_reencrypt.c:510 +#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 #, c-format msgid "Cannot create temporary header file %s." msgstr "Не могу да направим привремену датотеку заглавља „%s“." -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:599 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Величина ЛУКС2 метаподатака је већа од вредности помака података." -#: src/utils_reencrypt.c:572 +#: src/utils_reencrypt.c:636 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Нисам успео да ставим ново заглавље на главу уређаја „%s“." -#: src/utils_reencrypt.c:582 +#: src/utils_reencrypt.c:646 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "„%s/%s“ је сада активно и спремно за шифровање на мрежи.\n" -#: src/utils_reencrypt.c:618 +#: src/utils_reencrypt.c:682 #, c-format msgid "Active device %s is not LUKS2." msgstr "Радни уређај „%s“ није ЛУКС2." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:710 msgid "Restoring original LUKS2 header." msgstr "Враћам изворно ЛУКС2 заглавље." -#: src/utils_reencrypt.c:654 +#: src/utils_reencrypt.c:718 msgid "Original LUKS2 header restore failed." msgstr "Враћање изворног ЛУКС2 заглавља није успело." -#: src/utils_reencrypt.c:722 +#: src/utils_reencrypt.c:744 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "Датотека заглавља „%s“ не постоји. Да ли желите да покренете LUKS2 дешифровање уређаја „%s“ и да извезете LUKS2 заглавље у датотеку „%s“?" + +#: src/utils_reencrypt.c:792 msgid "Failed to add read/write permissions to exported header file." msgstr "Нисам успео да додам дозволе за читање/писање у извезену датотеку заглавља." -#: src/utils_reencrypt.c:775 +#: src/utils_reencrypt.c:845 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Покретање поновног шифровања није успело. Резерва заглавља је доступна у „%s“." -#: src/utils_reencrypt.c:803 +#: src/utils_reencrypt.c:873 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "ЛУКС2 дешифровање је подржано само са откаченим уређајем заглавља (са померајем података постављеним на 0)." -#: src/utils_reencrypt.c:934 src/utils_reencrypt.c:943 +#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 msgid "Not enough free keyslots for reencryption." msgstr "Нема довољно слободних утора кључева за поновно шифровање." -#: src/utils_reencrypt.c:964 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним активним утором кључа." -#: src/utils_reencrypt.c:973 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Унесите пропусну реч за утор кључа %d: " -#: src/utils_reencrypt.c:985 +#: src/utils_reencrypt.c:1059 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Унесите пропусну реч за утор кључа %u: " -#: src/utils_reencrypt.c:1037 +#: src/utils_reencrypt.c:1111 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Пребацујем шифрера података на „%s“.\n" -#: src/utils_reencrypt.c:1091 +#: src/utils_reencrypt.c:1165 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Никакви параметри подеока података нису измењени. Поновно шифровање је прекинуто." -#: src/utils_reencrypt.c:1187 +#: src/utils_reencrypt.c:1267 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3355,7 +3446,7 @@ msgstr "" "Повећање величине одељка шифровања на не прикљученом уређају није подржано.\n" "Прво покрените уређај или користите опцију „--force-offline-reencrypt“ (опасно, вруће!!)." -#: src/utils_reencrypt.c:1227 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3364,58 +3455,58 @@ msgstr "" "\n" "Поновно шифровање је прекинуто." -#: src/utils_reencrypt.c:1232 +#: src/utils_reencrypt.c:1312 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Настављам са ЛУКС2 поновним шифровањем у насилном ванмрежном режиму.\n" -#: src/utils_reencrypt.c:1249 +#: src/utils_reencrypt.c:1329 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "Уређај „%s“ садржи оштећене ЛУКС2 метаподатке. Прекидам радњу." -#: src/utils_reencrypt.c:1265 src/utils_reencrypt.c:1287 +#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Уређај „%s“ већ јесте ЛУКС уређај. Прекидам радњу." -#: src/utils_reencrypt.c:1293 +#: src/utils_reencrypt.c:1373 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Прекидам радњу." -#: src/utils_reencrypt.c:1366 +#: src/utils_reencrypt.c:1453 msgid "LUKS2 decryption requires --header option." msgstr "ЛУКС2 дешифровање захтева опцију „--header“." -#: src/utils_reencrypt.c:1414 +#: src/utils_reencrypt.c:1501 msgid "Command requires device as argument." msgstr "Наредба захтева уређај као аргумент." -#: src/utils_reencrypt.c:1427 +#: src/utils_reencrypt.c:1514 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС1." -#: src/utils_reencrypt.c:1433 +#: src/utils_reencrypt.c:1520 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС1 поновном шифровању." -#: src/utils_reencrypt.c:1439 +#: src/utils_reencrypt.c:1526 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС2." -#: src/utils_reencrypt.c:1445 +#: src/utils_reencrypt.c:1532 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС2 поновном шифровању." -#: src/utils_reencrypt.c:1451 +#: src/utils_reencrypt.c:1538 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "ЛУКС2 поновно шифровање је већ покренуто. Прекидам радњу." -#: src/utils_reencrypt.c:1458 +#: src/utils_reencrypt.c:1545 msgid "Device reencryption not in progress." msgstr "Поновно шифровање уређаја није у току." @@ -3520,28 +3611,28 @@ msgstr "УИ грешка за време поновног шифровања." msgid "Provided UUID is invalid." msgstr "Достављени УУИД није исправан." -#: src/utils_reencrypt_luks1.c:1220 +#: src/utils_reencrypt_luks1.c:1224 msgid "Cannot open reencryption log file." msgstr "Не могу да отворим датотеку дневника поновног шифровања." -#: src/utils_reencrypt_luks1.c:1226 +#: src/utils_reencrypt_luks1.c:1230 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." msgstr "Нема описа у напретку, достављени УУИД се може користити само за настављање заустављеног процеса дешифровања." -#: src/utils_reencrypt_luks1.c:1280 +#: src/utils_reencrypt_luks1.c:1286 #, c-format msgid "Reencryption will change: %s%s%s%s%s%s." msgstr "Поновно шифровање ће изменити: %s%s%s%s%s%s." -#: src/utils_reencrypt_luks1.c:1281 +#: src/utils_reencrypt_luks1.c:1287 msgid "volume key" msgstr "кључ волумена" -#: src/utils_reencrypt_luks1.c:1283 +#: src/utils_reencrypt_luks1.c:1289 msgid "set hash to " msgstr "поставља хеш на " -#: src/utils_reencrypt_luks1.c:1284 +#: src/utils_reencrypt_luks1.c:1290 msgid ", set cipher to " msgstr ", поставља шифрера на " @@ -3761,6 +3852,18 @@ msgstr "Метода потврђивања идентитета јавног к msgid "Public key authentication error: " msgstr "Грешка потврђивања идентитета јавног кључа: " +#~ msgid "WARNING: Data offset is outside of currently available data device.\n" +#~ msgstr "УПОЗОРЕЊЕ: Померај података је ван тренутно доступног уређаја података.\n" + +#~ msgid "Cannot get process priority." +#~ msgstr "Не могу да добавим хитност процеса." + +#~ msgid "Cannot unlock memory." +#~ msgstr "Не могу да откључам меморију." + +#~ msgid "Locking directory %s/%s will be created with default compiled-in permissions." +#~ msgstr "Директоријум закључавања „%s/%s“ биће направљен са основним преведеним овлашћењима." + #~ msgid "Failed to read BITLK signature from %s." #~ msgstr "Нисам успео да прочитам „BITLK“ потпис из „%s“." @@ -4158,9 +4261,6 @@ msgstr "Грешка потврђивања идентитета јавног к #~ msgid "Sector size option is not supported for this command." #~ msgstr "Опција величине сектора није подржана за ову наредбу." -#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions." -#~ msgstr "Опција „--unbound“ се може користити само са радњама „luksAddKey“ и „luksDump“." - #~ msgid "Option --refresh may be used only with open action." #~ msgstr "Опција „--refresh“ се може користити само са радњом отварања." @@ -4341,9 +4441,6 @@ msgstr "Грешка потврђивања идентитета јавног к #~ msgid "Read new volume (master) key from file" #~ msgstr "Чита (главни) кључ волумена из датотеке" -#~ msgid "PBKDF2 iteration time for LUKS (in ms)" -#~ msgstr "Време ПБКДФ2 понављања за ЛУКС (у милисекундама)" - #~ msgid "Use direct-io when accessing devices" #~ msgstr "Користи непосредни-уи приликом приступа уређајима" diff --git a/po/uk.po b/po/uk.po index 6b0218f..bfd8a4d 100644 --- a/po/uk.po +++ b/po/uk.po @@ -2,13 +2,13 @@ # Copyright (C) 2012 Free Software Foundation, Inc. # This file is put in the public domain. # -# Yuri Chornoivan , 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023. +# Yuri Chornoivan , 2012-2023. msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.6.1-rc0\n" +"Project-Id-Version: cryptsetup 2.7.0-rc1\n" "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" -"POT-Creation-Date: 2023-02-01 15:58+0100\n" -"PO-Revision-Date: 2023-02-02 10:48+0200\n" +"POT-Creation-Date: 2023-12-20 15:16+0100\n" +"PO-Revision-Date: 2023-12-21 12:16+0200\n" "Last-Translator: Yuri Chornoivan \n" "Language-Team: Ukrainian \n" "Language: uk\n" @@ -17,7 +17,7 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "X-Bugs: Report translation errors to the Language-Team address.\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Lokalize 20.12.0\n" +"X-Generator: Lokalize 23.04.1\n" #: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." @@ -27,58 +27,62 @@ msgstr "Не можна ініціалізувати device-mapper, якщо п msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "Не вдалося ініціалізувати device-mapper. Чи завантажено модуль ядра dm_mod?" -#: lib/libdevmapper.c:1102 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "Підтримки бажаного прапорця відкладення, %s, не передбачено." -#: lib/libdevmapper.c:1171 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "DM-UUID для пристрою %s було обрізано." -#: lib/libdevmapper.c:1501 +#: lib/libdevmapper.c:1510 msgid "Unknown dm target type." msgstr "Невідомий тип призначення dm." -#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724 -#: lib/libdevmapper.c:1727 +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "Підтримки вказаних параметрів швидкодії dm-crypt не передбачено." -#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "Підтримки вказаних параметрів обробки пошкоджених даних за допомогою dm-verity не передбачено." -#: lib/libdevmapper.c:1641 +#: lib/libdevmapper.c:1650 msgid "Requested dm-verity tasklets option is not supported." msgstr "Підтримки вказаного параметра завдань dm-verity не передбачено." -#: lib/libdevmapper.c:1653 +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "Підтримки вказаних параметрів FEC за допомогою dm-verity не передбачено." -#: lib/libdevmapper.c:1659 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "Підтримки вказаних параметрів цілісності даних не передбачено." -#: lib/libdevmapper.c:1663 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "Підтримки вказаного параметра sector_size не передбачено." -#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676 +#: lib/libdevmapper.c:1677 +msgid "The device size is not multiple of the requested sector size." +msgstr "Розмір пристрою не є кратним до розміру сектора у запиті." + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 msgid "Requested automatic recalculation of integrity tags is not supported." msgstr "Підтримки потрібного вам автоматичного повторного обчислення міток цілісності не передбачено." -#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733 -#: lib/luks2/luks2_json_metadata.c:2620 +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2754 msgid "Discard/TRIM is not supported." msgstr "Підтримки відкидання або обрізання не передбачено." -#: lib/libdevmapper.c:1688 +#: lib/libdevmapper.c:1702 msgid "Requested dm-integrity bitmap mode is not supported." msgstr "Підтримки вказаного режиму бітової карти цілісності dm не передбачено." -#: lib/libdevmapper.c:2724 +#: lib/libdevmapper.c:2738 #, c-format msgid "Failed to query dm-%s segment." msgstr "Не вдалося опитати сегмент dm-%s." @@ -112,653 +116,743 @@ msgstr "Надійшов запит щодо невідомої якості п msgid "Error reading from RNG." msgstr "Помилка читання з генератора псевдовипадкових чисел." -#: lib/setup.c:231 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "Підтримку OPAL у libcryptsetup вимкнено." + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "Для пристрою %s або ядра не передбачено підтримки шифрування OPAL." + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "Не вдалося ініціалізувати допоміжну програму шифрування генератора псевдовипадкових чисел." -#: lib/setup.c:237 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "Не вдалося ініціалізувати допоміжну програму шифрування." -#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122 +#: lib/setup.c:317 lib/setup.c:2777 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "Підтримки алгоритму хешування %s не передбачено." -#: lib/setup.c:271 lib/loopaes/loopaes.c:90 +#: lib/setup.c:320 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "Помилка під час обробки ключа (на основі хешу %s)." -#: lib/setup.c:342 lib/setup.c:369 +#: lib/setup.c:391 lib/setup.c:428 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "Не вдалося визначити тип пристрою. Несумісна дія з активації пристрою?" -#: lib/setup.c:348 lib/setup.c:3320 +#: lib/setup.c:397 lib/setup.c:3971 msgid "This operation is supported only for LUKS device." msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS." -#: lib/setup.c:375 +#: lib/setup.c:434 msgid "This operation is supported only for LUKS2 device." msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS2." -#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010 +#: lib/setup.c:491 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "Заповнено всі слоти ключів." -#: lib/setup.c:438 +#: lib/setup.c:502 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "Слот ключа %d є некоректним, будь ласка, виберіть число від 0 до %d." -#: lib/setup.c:444 +#: lib/setup.c:508 #, c-format msgid "Key slot %d is full, please select another one." msgstr "Слот ключа %d заповнено, будь ласка, виберіть інший." -#: lib/setup.c:529 lib/setup.c:3042 +#: lib/setup.c:619 lib/setup.c:3672 msgid "Device size is not aligned to device logical block size." msgstr "Розмір пристрою не вирівняно за розміром логічного блоку пристрою." -#: lib/setup.c:627 +#: lib/setup.c:717 #, c-format msgid "Header detected but device %s is too small." msgstr "Виявлено заголовок, але об’єм пристрою %s є надто малим." -#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287 -#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184 +#: lib/setup.c:758 lib/setup.c:3563 lib/setup.c:5163 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "Підтримки цієї дії для цього типу пристроїв не передбачено." -#: lib/setup.c:673 +#: lib/setup.c:763 msgid "Illegal operation with reencryption in-progress." msgstr "Виконуємо заборонену дію із повторного шифрування." -#: lib/setup.c:802 +#: lib/setup.c:895 msgid "Failed to rollback LUKS2 metadata in memory." msgstr "Не вдалося відкотити метадані LUKS2 у пам'яті." -#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 -#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587 -#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977 -#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656 -#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465 -#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77 +#: lib/setup.c:982 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 #, c-format msgid "Device %s is not a valid LUKS device." msgstr "Пристрій %s не є коректним пристроєм LUKS." -#: lib/setup.c:892 lib/luks1/keymanage.c:530 +#: lib/setup.c:985 lib/luks1/keymanage.c:530 #, c-format msgid "Unsupported LUKS version %d." msgstr "Непідтримувана версія LUKS, %d." -#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785 -#: lib/setup.c:2952 lib/setup.c:4764 +#: lib/setup.c:1358 +#, c-format +msgid "No known cipher specification pattern detected for active device %s." +msgstr "Не виявлено жодного відомого зразка специфікації шифрування для активного пристрою %s." + +#: lib/setup.c:1604 lib/setup.c:3317 lib/setup.c:3399 lib/setup.c:3411 +#: lib/setup.c:3581 lib/setup.c:5755 #, c-format msgid "Device %s is not active." msgstr "Пристрій %s є неактивним." -#: lib/setup.c:1508 +#: lib/setup.c:1621 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "Зник основний пристрій для пристрою для шифрування %s." -#: lib/setup.c:1590 +#: lib/setup.c:1703 msgid "Invalid plain crypt parameters." msgstr "Некоректні параметри звичайного шифрування." -#: lib/setup.c:1595 lib/setup.c:2054 +#: lib/setup.c:1708 lib/setup.c:2680 msgid "Invalid key size." msgstr "Некоректний розмір ключа." -#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262 +#: lib/setup.c:1713 lib/setup.c:2685 lib/setup.c:2888 msgid "UUID is not supported for this crypt type." msgstr "Підтримки UUID для цього типу шифрування не передбачено." -#: lib/setup.c:1605 lib/setup.c:2064 +#: lib/setup.c:1718 lib/setup.c:2690 msgid "Detached metadata device is not supported for this crypt type." msgstr "Підтримки пристрою від'єднаних метаданих для цього типу шифрування не передбачено." -#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966 -#: src/cryptsetup.c:1387 src/cryptsetup.c:3383 +#: lib/setup.c:1728 lib/setup.c:1963 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "Непідтримуваний розмір сектора шифрування." -#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036 +#: lib/setup.c:1736 lib/setup.c:1992 lib/setup.c:3666 msgid "Device size is not aligned to requested sector size." msgstr "Розмір пристрою не вирівняно за вказаним розміром сектора." -#: lib/setup.c:1675 lib/setup.c:1799 +#: lib/setup.c:1788 lib/setup.c:2025 lib/setup.c:2357 msgid "Can't format LUKS without device." msgstr "Форматування LUKS без пристрою неможливе." -#: lib/setup.c:1681 lib/setup.c:1805 +#: lib/setup.c:1794 lib/setup.c:2031 lib/setup.c:2363 msgid "Requested data alignment is not compatible with data offset." msgstr "Потрібне вам вирівнювання даних є несумісним із відступом у даних." -#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274 +#: lib/setup.c:1834 lib/setup.c:2049 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "УВАГА: пристрій DAX може пошкодити дані, оскільки для нього не гарантовано атомарні оновлення секторів.\n" + +#: lib/setup.c:1872 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2541 +#: lib/setup.c:2587 lib/setup.c:2900 #, c-format msgid "Cannot wipe header on device %s." msgstr "Не можна витирати заголовок на пристрої %s." -#: lib/setup.c:1769 lib/setup.c:2036 +#: lib/setup.c:1885 lib/setup.c:2204 #, c-format msgid "Device %s is too small for activation, there is no remaining space for data.\n" msgstr "Пристрій %s є надто малим для активації, на ньому не лишиться місця для даних.\n" -#: lib/setup.c:1840 -msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" -msgstr "Увага: спроба активувати пристрій завершиться невдало, у dm-crypt не передбачено підтримки для вказаного розміру сектора шифрування.\n" - -#: lib/setup.c:1863 +#: lib/setup.c:1925 msgid "Volume key is too small for encryption with integrity extensions." msgstr "Ключ тому є надто малим для шифрування із розширеннями цілісності." -#: lib/setup.c:1923 +#: lib/setup.c:1934 #, c-format msgid "Cipher %s-%s (key size %zd bits) is not available." msgstr "Шифрування %s-%s (розмір ключа — %zd бітів) є недоступним." -#: lib/setup.c:1949 -#, c-format -msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" -msgstr "Увага: розмір метаданих LUKS2 змінено до % байтів.\n" - -#: lib/setup.c:1953 -#, c-format -msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" -msgstr "Увага: розмір області слотів ключів LUKS2 змінено до % байтів.\n" +#: lib/setup.c:1973 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "Увага: спроба активувати пристрій завершиться невдало, у dm-crypt не передбачено підтримки для вказаного розміру сектора шифрування.\n" -#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255 -#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279 +#: lib/setup.c:2147 lib/setup.c:2484 lib/setup.c:2544 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format msgid "Device %s is too small." msgstr "Об’єм пристрою %s є надто малим." -#: lib/setup.c:1990 lib/setup.c:2016 +#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2580 lib/setup.c:2626 #, c-format msgid "Cannot format device %s in use." msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні." -#: lib/setup.c:1993 lib/setup.c:2019 +#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2583 lib/setup.c:2629 #, c-format msgid "Cannot format device %s, permission denied." msgstr "Не можна форматувати пристрій %s, недостатні права доступу." -#: lib/setup.c:2005 lib/setup.c:2334 +#: lib/setup.c:2173 lib/setup.c:2600 lib/setup.c:2960 #, c-format msgid "Cannot format integrity for device %s." msgstr "Не вдалося форматувати цілісність для пристрою %s." -#: lib/setup.c:2023 +#: lib/setup.c:2191 lib/setup.c:2637 #, c-format msgid "Cannot format device %s." msgstr "Не вдалося форматувати пристрій %s." -#: lib/setup.c:2049 +#: lib/setup.c:2234 +msgid "Cannot get OPAL alignment parameters." +msgstr "Не вдалося отримати параметри вирівнювання OPAL." + +#: lib/setup.c:2243 +msgid "Bogus OPAL logical block size." +msgstr "Фіктивний розмір логічного блоку OPAL." + +#: lib/setup.c:2249 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "Потрібний вам відступ даних є несумісним із розміром блоку OPAL." + +#: lib/setup.c:2256 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "Потрібне вам вирівнювання даних є несумісним із вирівнюванням OPAL." + +#: lib/setup.c:2276 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "Відступ даних не відповідає вимогам вирівнювання OPAL." + +#: lib/setup.c:2289 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "Потрібне вам вирівнювання даних не відповідає вимогам щодо вирівнювання заблокованого діапазону." + +#: lib/setup.c:2494 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "Компенсуємо розмір пристрою на % секторів для вирівнювання його за рівнем розбиття вирівнювання OPAL." + +#: lib/setup.c:2552 lib/setup.c:4068 lib/setup.c:4223 lib/utils_wipe.c:368 +#: lib/luks2/luks2_json_metadata.c:2703 lib/luks2/luks2_json_metadata.c:2955 +#, c-format +msgid "Failed to acquire OPAL lock on device %s." +msgstr "Не вдалося отримати блокування OPAL на пристрої %s." + +#: lib/setup.c:2561 +msgid "Incorrect OPAL Admin key." +msgstr "Неправильний адміністративний ключ OPAL." + +#: lib/setup.c:2563 +msgid "Cannot setup OPAL segment." +msgstr "Не вдалося налаштувати сегмент OPAL." + +#: lib/setup.c:2633 +#, c-format +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "Не вдалося форматувати пристрій %s, здається, пристрій OPAL тепер повністю захищено від запису." + +#: lib/setup.c:2635 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "Можливо, це вада у мікропрограмі. Виконайте скидання PSID OPAL і повторно з'єднайте пристрій для відновлення." + +#: lib/setup.c:2655 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "Помилка під час спроби скидання діапазону блокування %d на пристрої %s." + +#: lib/setup.c:2675 msgid "Can't format LOOPAES without device." msgstr "Не можна форматувати LOOPAES без пристрою." -#: lib/setup.c:2094 +#: lib/setup.c:2720 msgid "Can't format VERITY without device." msgstr "Форматування VERITY без пристрою неможливе." -#: lib/setup.c:2105 lib/verity/verity.c:101 +#: lib/setup.c:2731 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "Непідтримуваний тип хешування VERITY, %d." -#: lib/setup.c:2111 lib/verity/verity.c:109 +#: lib/setup.c:2737 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "Непідтримуваний розмір блоку VERITY." -#: lib/setup.c:2116 lib/verity/verity.c:74 +#: lib/setup.c:2742 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "Непідтримуваний відступ хешу VERITY." -#: lib/setup.c:2121 +#: lib/setup.c:2747 msgid "Unsupported VERITY FEC offset." msgstr "Непідтримуваний зсув FEC VERITY." -#: lib/setup.c:2145 +#: lib/setup.c:2771 msgid "Data area overlaps with hash area." msgstr "Область даних перекривається із областю хешу." -#: lib/setup.c:2170 +#: lib/setup.c:2796 msgid "Hash area overlaps with FEC area." msgstr "Область хешування перекриваються з областю FEC." -#: lib/setup.c:2177 +#: lib/setup.c:2803 msgid "Data area overlaps with FEC area." msgstr "Область даних перекривається із областю FEC." -#: lib/setup.c:2313 +#: lib/setup.c:2939 #, c-format msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" msgstr "Увага: бажаний розмір мітки у %d байтів відрізняється від розміру у результаті %s (%d байтів).\n" -#: lib/setup.c:2392 +#: lib/setup.c:3018 #, c-format msgid "Unknown crypt device type %s requested." msgstr "Надіслано запит щодо невідомого типу пристрою шифрування, %s." -#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791 +#: lib/setup.c:3325 lib/setup.c:3404 lib/setup.c:3417 #, c-format msgid "Unsupported parameters on device %s." msgstr "Непідтримувані параметри на пристрої %s." -#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862 -#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484 +#: lib/setup.c:3331 lib/setup.c:3424 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 #, c-format msgid "Mismatching parameters on device %s." msgstr "Невідповідність параметрів на пристрої %s." -#: lib/setup.c:2822 +#: lib/setup.c:3448 msgid "Crypt devices mismatch." msgstr "Невідповідність пристроїв шифрування." -#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361 -#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032 +#: lib/setup.c:3485 lib/setup.c:3490 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 #, c-format msgid "Failed to reload device %s." msgstr "Не вдалося перезавантажити пристрій %s." -#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332 -#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892 +#: lib/setup.c:3496 lib/setup.c:3502 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 #, c-format msgid "Failed to suspend device %s." msgstr "Не вдалося приспати пристрій %s." -#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346 -#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945 -#: lib/luks2/luks2_reencrypt.c:4036 +#: lib/setup.c:3508 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 #, c-format msgid "Failed to resume device %s." msgstr "Не вдалося відновити роботу пристрою %s." -#: lib/setup.c:2897 +#: lib/setup.c:3523 #, c-format msgid "Fatal error while reloading device %s (on top of device %s)." msgstr "Критична помилка під час перезавантаження пристрої %s (над пристроєм %s)." -#: lib/setup.c:2900 lib/setup.c:2902 +#: lib/setup.c:3526 lib/setup.c:3528 #, c-format msgid "Failed to switch device %s to dm-error." msgstr "Не вдалося перемкнути пристрій %s у режим dm-error." -#: lib/setup.c:2984 +#: lib/setup.c:3568 +msgid "Can not resize LUKS2 device with static size." +msgstr "Неможливо змінити розмір пристрою LUKS2 зі статичним розміром." + +#: lib/setup.c:3613 msgid "Cannot resize loop device." msgstr "Неможливо змінити розмір петльового пристрою." -#: lib/setup.c:3027 +#: lib/setup.c:3657 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" msgstr "УВАГА: уже вказано максимальний розмір або у ядрі не передбачено можливості зміни розміру.\n" -#: lib/setup.c:3088 +#: lib/setup.c:3723 msgid "Resize failed, the kernel doesn't support it." msgstr "Не вдалося змінити розмір, у ядрі не передбачено підтримки такої дії." -#: lib/setup.c:3120 +#: lib/setup.c:3755 msgid "Do you really want to change UUID of device?" msgstr "Ви справді хочете змінити UUID пристрою?" -#: lib/setup.c:3212 +#: lib/setup.c:3847 msgid "Header backup file does not contain compatible LUKS header." msgstr "Файл резервної копії заголовка не містить сумісного із LUKS заголовка." -#: lib/setup.c:3328 +#: lib/setup.c:3956 #, c-format msgid "Volume %s is not active." msgstr "Том %s не є активним." -#: lib/setup.c:3339 +#: lib/setup.c:4022 #, c-format msgid "Volume %s is already suspended." msgstr "Том %s вже приспано." -#: lib/setup.c:3352 +#: lib/setup.c:4050 #, c-format msgid "Suspend is not supported for device %s." msgstr "Підтримки присипляння для пристрою %s не передбачено." -#: lib/setup.c:3354 +#: lib/setup.c:4052 lib/setup.c:4060 #, c-format msgid "Error during suspending device %s." msgstr "Помилка під час спроби приспати пристрій %s." -#: lib/setup.c:3389 +#: lib/setup.c:4074 +#, c-format +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "Роботу пристрою %s було призупинено, але апаратний пристрій OPAL не може бути заблоковано." + +#: lib/setup.c:4106 lib/setup.c:4250 #, c-format msgid "Resume is not supported for device %s." msgstr "Підтримки дії з пробудження для пристрою %s не передбачено." -#: lib/setup.c:3391 +#: lib/setup.c:4108 lib/setup.c:4241 lib/setup.c:4252 #, c-format msgid "Error during resuming device %s." msgstr "Помилка під час спроби пробудити пристрій %s." -#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589 -#: src/cryptsetup.c:2479 +#: lib/setup.c:4131 +msgid "Failed to link key to the specified keyring." +msgstr "Не вдалося пов'язати ключ зі вказаним сховищем ключів." + +#: lib/setup.c:4150 +msgid "Failed to unlink volume key from user specified keyring." +msgstr "Не вдалося скасувати прив'язку ключа тому до вказаного користувачем сховища ключів." + +#: lib/setup.c:4213 lib/setup.c:4934 lib/setup.c:5549 +msgid "Failed to link volume key in user defined keyring." +msgstr "Не вдалося пов'язати ключ тому із визначеним користувачем сховищем ключів." + +#: lib/setup.c:4313 src/cryptsetup.c:2755 #, c-format msgid "Volume %s is not suspended." msgstr "Том %s не приспано." -#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561 -#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228 -#: src/cryptsetup.c:2011 +#: lib/setup.c:4414 lib/setup.c:5310 lib/setup.c:5317 lib/setup.c:7176 +#: lib/setup.c:7198 lib/setup.c:7247 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "Ключ тому не відповідає тому." -#: lib/setup.c:3737 +#: lib/setup.c:4568 msgid "Failed to swap new key slot." msgstr "Не вдалося зарезервувати новий слот ключа." -#: lib/setup.c:3835 +#: lib/setup.c:4666 #, c-format msgid "Key slot %d is invalid." msgstr "Слот ключа %d є некоректним." -#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208 -#: src/cryptsetup.c:2816 src/cryptsetup.c:2876 +#: lib/setup.c:4672 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 #, c-format msgid "Keyslot %d is not active." msgstr "Слот ключа %d не є активним." -#: lib/setup.c:3860 +#: lib/setup.c:4691 msgid "Device header overlaps with data area." msgstr "Заголовок пристрою перекривається із областю даних." -#: lib/setup.c:4165 +#: lib/setup.c:5041 msgid "Reencryption in-progress. Cannot activate device." msgstr "Виконуємо повторне шифрування. Не можна активувати пристрій." -#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703 -#: lib/luks2/luks2_reencrypt.c:3590 +#: lib/setup.c:5043 lib/luks2/luks2_json_metadata.c:2861 +#: lib/luks2/luks2_reencrypt.c:3646 msgid "Failed to get reencryption lock." msgstr "Не вдалося отримати стан блокування для повторного шифрування." -#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609 +#: lib/setup.c:5056 lib/luks2/luks2_reencrypt.c:3665 msgid "LUKS2 reencryption recovery failed." msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2." -#: lib/setup.c:4352 lib/setup.c:4618 +#: lib/setup.c:5228 lib/setup.c:5328 lib/setup.c:5386 msgid "Device type is not properly initialized." msgstr "Тип пристрою не ініціалізовано належним чином." -#: lib/setup.c:4400 +#: lib/setup.c:5283 #, c-format msgid "Device %s already exists." msgstr "Пристрій %s вже існує." -#: lib/setup.c:4407 +#: lib/setup.c:5290 #, c-format msgid "Cannot use device %s, name is invalid or still in use." msgstr "Неможливо скористатися пристроєм %s, некоректна назва або пристрій усе ще використовується." -#: lib/setup.c:4527 +#: lib/setup.c:5306 msgid "Incorrect volume key specified for plain device." msgstr "Для пристрою зі звичайним шифруванням вказано помилковий ключ тому." -#: lib/setup.c:4644 -msgid "Incorrect root hash specified for verity device." -msgstr "Для пристрою перевірки вказано помилковий кореневий хеш." - -#: lib/setup.c:4654 -msgid "Root hash signature required." -msgstr "Потрібен хеш-підпис кореневої теки." +#: lib/setup.c:5424 +msgid "Kernel keyring is not supported by the kernel." +msgstr "У ядрі не передбачено підтримки сховища ключів ядра." -#: lib/setup.c:4663 +#: lib/setup.c:5428 msgid "Kernel keyring missing: required for passing signature to kernel." msgstr "Немає сховища ключів ядра: це сховище потрібне для передавання підпису ядру." -#: lib/setup.c:4680 lib/setup.c:6423 -msgid "Failed to load key in kernel keyring." -msgstr "Не вдалося завантажити ключ до сховища ключів ядра." +#: lib/setup.c:5668 +msgid "Incorrect root hash specified for verity device." +msgstr "Для пристрою перевірки вказано помилковий кореневий хеш." -#: lib/setup.c:4736 +#: lib/setup.c:5711 +msgid "OPAL does not support deferred deactivation." +msgstr "В OPAL не передбачено підтримки відкладеної деактивації." + +#: lib/setup.c:5727 #, c-format msgid "Could not cancel deferred remove from device %s." msgstr "Не вдалося скасувати відкладене вилучення з пристрою %s." -#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756 +#: lib/setup.c:5734 lib/setup.c:5750 lib/luks2/luks2_json_metadata.c:2915 #: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "Пристрій %s все ще використовується." -#: lib/setup.c:4768 +#: lib/setup.c:5759 #, c-format msgid "Invalid device %s." msgstr "Некоректний пристрій %s." -#: lib/setup.c:4908 +#: lib/setup.c:5899 msgid "Volume key buffer too small." msgstr "Буфер ключів тому є занадто малим." -#: lib/setup.c:4925 +#: lib/setup.c:5916 msgid "Cannot retrieve volume key for LUKS2 device." msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS2." -#: lib/setup.c:4934 +#: lib/setup.c:5925 msgid "Cannot retrieve volume key for LUKS1 device." msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS1." -#: lib/setup.c:4944 +#: lib/setup.c:5935 msgid "Cannot retrieve volume key for plain device." msgstr "Неможливо отримати ключ тому для пристрою зі звичайним шифруванням." -#: lib/setup.c:4952 +#: lib/setup.c:5943 msgid "Cannot retrieve root hash for verity device." msgstr "Не вдалося отримати кореневий хеш для пристрою VERITY." -#: lib/setup.c:4959 +#: lib/setup.c:5950 msgid "Cannot retrieve volume key for BITLK device." msgstr "Неможливо отримати ключ тому для пристрою BITLK." -#: lib/setup.c:4964 +#: lib/setup.c:5955 msgid "Cannot retrieve volume key for FVAULT2 device." msgstr "Неможливо отримати ключ тому для пристрою FVAULT2." -#: lib/setup.c:4966 +#: lib/setup.c:5957 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "Підтримки цієї дії для шифрованого пристрою %s не передбачено." -#: lib/setup.c:5147 lib/setup.c:5158 +#: lib/setup.c:6141 lib/setup.c:6152 msgid "Dump operation is not supported for this device type." msgstr "Підтримки дії зі створення дампу для цього типу пристроїв не передбачено." -#: lib/setup.c:5500 +#: lib/setup.c:6511 #, c-format msgid "Data offset is not multiple of %u bytes." msgstr "Зсув у даних не є кратним до %u байтів." -#: lib/setup.c:5788 +#: lib/setup.c:6819 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "Не можна перетворити пристрій %s, який перебуває у користуванні." -#: lib/setup.c:6098 lib/setup.c:6237 +#: lib/setup.c:7117 lib/setup.c:7256 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "Не вдалося прив'язати слот ключа %u як новий ключ тому." -#: lib/setup.c:6122 +#: lib/setup.c:7141 msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "Не вдалося ініціалізувати типові параметри слоту ключів LUKS2." -#: lib/setup.c:6128 +#: lib/setup.c:7147 #, c-format msgid "Failed to assign keyslot %d to digest." msgstr "Не вдалося прив'язати слот ключа %d до контрольної суми." -#: lib/setup.c:6353 +#: lib/setup.c:7372 msgid "Cannot add key slot, all slots disabled and no volume key provided." msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому." -#: lib/setup.c:6490 -msgid "Kernel keyring is not supported by the kernel." -msgstr "У ядрі не передбачено підтримки сховища ключів ядра." +#: lib/setup.c:7441 lib/verity/verity.c:343 +msgid "Failed to load key in kernel keyring." +msgstr "Не вдалося завантажити ключ до сховища ключів ядра." -#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807 +#: lib/setup.c:7559 +msgid "Failed to unlink volume key from thread keyring." +msgstr "Не вдалося скасувати прив'язку ключа тому до сховища ключів потоку обробки." + +#: lib/setup.c:7586 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів (помилка %d)." +msgid "Could not find keyring described by \"%s\"." +msgstr "Не вдалося знайти сховище ключів, яке описано «%s»." -#: lib/setup.c:6523 +#: lib/setup.c:7645 msgid "Failed to acquire global memory-hard access serialization lock." msgstr "Не вдалося створити загальне блокування серіалізації доступу до пам'яті." -#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "Не вдалося відкрити файл ключа." -#: lib/utils.c:163 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "Не вдалося прочитати файл ключа з термінала." -#: lib/utils.c:179 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "Не вдалося отримати статистичні дані щодо файла ключа." -#: lib/utils.c:187 lib/utils.c:208 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "Не вдалося встановити потрібну позицію у файлі ключа." -#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225 -#: src/utils_password.c:237 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "Під час читання пароля вичерпано пам’ять." -#: lib/utils.c:237 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "Помилка під час читання пароля." -#: lib/utils.c:254 +#: lib/utils.c:301 msgid "Nothing to read on input." msgstr "Нічого читати з вхідних даних." -#: lib/utils.c:261 +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "Перевищено максимальний розмір файла ключа." -#: lib/utils.c:266 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "Не вдалося прочитати бажаний об’єм даних." -#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110 -#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440 +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 #, c-format msgid "Device %s does not exist or access denied." msgstr "Пристрою %s не існує або доступ до цього пристрою заборонено." -#: lib/utils_device.c:217 +#: lib/utils_device.c:223 #, c-format msgid "Device %s is not compatible." msgstr "Пристрій %s є сумісним." -#: lib/utils_device.c:561 +#: lib/utils_device.c:567 #, c-format msgid "Ignoring bogus optimal-io size for data device (%u bytes)." msgstr "Ігноруємо фіктивний розмір optimal-io для пристрою даних (%u байтів)." -#: lib/utils_device.c:722 +#: lib/utils_device.c:728 #, c-format msgid "Device %s is too small. Need at least % bytes." msgstr "Обсяг пристрою %s є надто малим. Потрібно принаймні % байтів." -#: lib/utils_device.c:803 +#: lib/utils_device.c:809 #, c-format msgid "Cannot use device %s which is in use (already mapped or mounted)." msgstr "Не можна використовувати пристрій %s, оскільки його вже використано (призначено або змонтовано)." -#: lib/utils_device.c:807 +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "Не можна скористатися пристроєм %s, недостатні права доступу." -#: lib/utils_device.c:810 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "Не вдалося отримати дані щодо пристрою %s." -#: lib/utils_device.c:833 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "Не можна використовувати петльовий пристрій, програму запущено не від імені адміністративного користувача (root)." -#: lib/utils_device.c:844 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "Спроба долучення петльового пристрою зазнала невдачі (потрібен петльовий пристрій з встановленим прапорцем автоматичного спорожнення)." -#: lib/utils_device.c:892 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "Бажана точка відступу перебуває за межами об’єму пристрою %s." -#: lib/utils_device.c:900 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "Об’єм пристрою %s є нульовим." -#: lib/utils_pbkdf.c:100 +#: lib/utils_pbkdf.c:116 msgid "Requested PBKDF target time cannot be zero." msgstr "Вказаний час PBKDF не може бути нульовим." -#: lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "Невідомий тип PBKDF, %s." -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:127 #, c-format msgid "Requested hash %s is not supported." msgstr "Підтримки бажаного хешування, %s, не передбачено." -#: lib/utils_pbkdf.c:122 +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "Підтримки бажаного типу PBKDF для LUKS1 не передбачено." -#: lib/utils_pbkdf.c:128 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "Максимальний об'єм пам'яті PBKDF або кількість паралельних потоків обробки не можна встановлювати разом із pbkdf2." -#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "Задане значення кількості ітерацій для %s є надто низьким (мінімальним є %u)." -#: lib/utils_pbkdf.c:148 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "Задане значення об'єму пам'яті для %s є надто низьким (мінімальним є %u кілобайтів)." -#: lib/utils_pbkdf.c:155 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "Бажана максимальна вартість пам'яті PBKDF є надто високою (максимальною є %d кілобайтів)." -#: lib/utils_pbkdf.c:160 +#: lib/utils_pbkdf.c:176 msgid "Requested maximum PBKDF memory cannot be zero." msgstr "Бажаний максимальний обсяг пам'яті PBKDF не може бути нульовим." -#: lib/utils_pbkdf.c:164 +#: lib/utils_pbkdf.c:180 msgid "Requested PBKDF parallel threads cannot be zero." msgstr "Вказана кількість паралельних потоків обробки PBKDF не може бути нульовою." -#: lib/utils_pbkdf.c:184 +#: lib/utils_pbkdf.c:200 msgid "Only PBKDF2 is supported in FIPS mode." msgstr "У режимі FIPS передбачено підтримку лише PBKDF2." -#: lib/utils_benchmark.c:175 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "Тестування PBKDF вимкнено, але кількість ітерацій не встановлено." -#: lib/utils_benchmark.c:194 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "Несумісні параметри PBKDF2 (з використанням алгоритму хешування %s)." -#: lib/utils_benchmark.c:214 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "Несумісні параметри PBKDF." @@ -772,16 +866,24 @@ msgstr "Блокування перервано. Шлях блокування % msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "Блокування перервано Шлях блокування %s/%s є непридатним для користування (%s не є каталогом)." -#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 #: src/utils_reencrypt_luks1.c:832 msgid "Cannot seek to device offset." msgstr "Не вдалося встановити вказану позицію на пристрої." -#: lib/utils_wipe.c:247 +#: lib/utils_wipe.c:249 #, c-format msgid "Device wipe error, offset %." msgstr "Помилка витирання пристрою, зсув %." +#: lib/utils_wipe.c:344 +msgid "Incorrect OPAL PSID." +msgstr "Помилковий PSID OPAL." + +#: lib/utils_wipe.c:346 +msgid "Cannot erase OPAL device." +msgstr "Не вдалося витерти пристрій OPAL." + #: lib/luks1/keyencryption.c:39 #, c-format msgid "" @@ -801,7 +903,7 @@ msgstr "Специфікацію шифрування слід вказуват #: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 #: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 -#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "Не вдалося виконати запис на пристрій %s, недостатні права доступу." @@ -815,17 +917,17 @@ msgid "Failed to access temporary keystore device." msgstr "Не вдалося отримати доступ до пристрою тимчасового сховища ключів." #: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 -#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "Помилка введення-виведення під час шифрування слоту ключів." #: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 -#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 #: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 -#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 #: src/utils_reencrypt_luks1.c:133 #, c-format msgid "Cannot open device %s." @@ -847,32 +949,32 @@ msgstr "Обсяг пристрою %s є надто малим. (LUKS1 потр msgid "LUKS keyslot %u is invalid." msgstr "Слот ключа LUKS %u є некоректним." -#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "Потрібний вам файл резервної копії заголовка, %s, вже існує." -#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "Не вдалося створити файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "Не вдалося записати файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399 +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 msgid "Backup file does not contain valid LUKS header." msgstr "Файл резервної копії не містить коректного заголовка LUKS." #: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 -#: lib/luks2/luks2_json_metadata.c:1420 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "Не вдалося відкрити файл резервної копії заголовка, %s." -#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "Не вдалося прочитати дані з файла резервної копії заголовка, %s." @@ -894,7 +996,7 @@ msgstr "не містить заголовка LUKS. Заміна заголов msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "вже містить заголовок LUKS. Заміна заголовка призведе до руйнування вже створених слотів ключів." -#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -968,7 +1070,7 @@ msgstr "Режим шифрування LUKS %s є некоректним." msgid "LUKS hash %s is invalid." msgstr "Хеш-сума LUKS %s є некоректною." -#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "У заголовку LUKS не виявлено жодних проблем." @@ -987,8 +1089,8 @@ msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "Відступ даних для заголовка LUKS має бути або рівним нулеві, або перевищувати розмір заголовка." #: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 -#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236 -#: src/utils_reencrypt.c:539 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "Вказано UUID LUKS у помилковому форматі." @@ -1025,7 +1127,7 @@ msgstr "Не вдалося відкрити слот ключа (за допо msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "Слот ключа %d є некоректним, будь ласка, виберіть слот ключа з номером від 0 до %d." -#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "Не вдалося витерти пристрій %s." @@ -1046,48 +1148,48 @@ msgstr "Виявлено несумісний з loop-AES файл ключа." msgid "Kernel does not support loop-AES compatible mapping." msgstr "У ядрі не передбачено підтримки призначення, сумісного з loop-AES." -#: lib/tcrypt/tcrypt.c:508 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "Помилка під час спроби читання файла ключа %s." -#: lib/tcrypt/tcrypt.c:558 +#: lib/tcrypt/tcrypt.c:560 #, c-format msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "Перевищено максимальну можливу довжину пароля TCRYPT (%zu)." -#: lib/tcrypt/tcrypt.c:600 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "Засіб створення хешів PBKDF2 за алгоритмом %s недоступний, пропускаємо." -#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "Потрібний для роботи інтерфейс ядра для шифрування недоступний." -#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "Переконайтеся, що завантажено модуль ядра algif_skcipher." -#: lib/tcrypt/tcrypt.c:762 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "Підтримки активації для розміру сектора %d не передбачено." -#: lib/tcrypt/tcrypt.c:768 +#: lib/tcrypt/tcrypt.c:770 msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "У ядрі не передбачено підтримки вмикання цього застарілого режиму TCRYPT." -#: lib/tcrypt/tcrypt.c:799 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "Активуємо шифрування системи за допомогою TCRYPT для розділу %s." -#: lib/tcrypt/tcrypt.c:882 +#: lib/tcrypt/tcrypt.c:884 msgid "Kernel does not support TCRYPT compatible mapping." msgstr "У ядрі не передбачено підтримки призначення, сумісного з TCRYPT." -#: lib/tcrypt/tcrypt.c:1095 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "Підтримки цієї дії без завантаження заголовка TCRYPT." @@ -1146,74 +1248,74 @@ msgstr "Не вдалося прочитати записи метаданих B msgid "Failed to convert BITLK volume description" msgstr "Не вдалося перетворити опис тому BITLK" -#: lib/bitlk/bitlk.c:882 +#: lib/bitlk/bitlk.c:884 #, c-format msgid "Unexpected metadata entry type '%u' found when parsing external key." msgstr "Під час обробки зовнішнього ключа виявлено неочікуваний тип запису метаданих «%u»." -#: lib/bitlk/bitlk.c:905 +#: lib/bitlk/bitlk.c:907 #, c-format msgid "BEK file GUID '%s' does not match GUID of the volume." msgstr "Файл GUID BEK «%s» не відповідає GUID тому." -#: lib/bitlk/bitlk.c:909 +#: lib/bitlk/bitlk.c:911 #, c-format msgid "Unexpected metadata entry value '%u' found when parsing external key." msgstr "Під час обробки зовнішнього ключа виявлено неочікуване значення запису метаданих «%u»." -#: lib/bitlk/bitlk.c:948 +#: lib/bitlk/bitlk.c:950 #, c-format msgid "Unsupported BEK metadata version %" msgstr "Непідтримувана версія метаданих BEK, %" -#: lib/bitlk/bitlk.c:953 +#: lib/bitlk/bitlk.c:955 #, c-format msgid "Unexpected BEK metadata size % does not match BEK file length" msgstr "Неочікуваний розмір метаданих BEK, %, не відповідає довжині файла BEK" -#: lib/bitlk/bitlk.c:979 +#: lib/bitlk/bitlk.c:981 msgid "Unexpected metadata entry found when parsing startup key." msgstr "Під час обробки ключа запуску виявлено неочікуваний запис метаданих." -#: lib/bitlk/bitlk.c:1075 +#: lib/bitlk/bitlk.c:1076 msgid "This operation is not supported." msgstr "Підтримки цієї дії не передбачено." -#: lib/bitlk/bitlk.c:1083 +#: lib/bitlk/bitlk.c:1084 msgid "Unexpected key data size." msgstr "Неочікуваний розмір даних ключа." -#: lib/bitlk/bitlk.c:1209 +#: lib/bitlk/bitlk.c:1210 msgid "This BITLK device is in an unsupported state and cannot be activated." msgstr "Цей пристрій BITLK перебуває у непідтримуваному стані — його неможливо активувати." -#: lib/bitlk/bitlk.c:1214 +#: lib/bitlk/bitlk.c:1215 #, c-format msgid "BITLK devices with type '%s' cannot be activated." msgstr "Пристрої BITLK типу «%s» неможливо активувати." -#: lib/bitlk/bitlk.c:1221 +#: lib/bitlk/bitlk.c:1222 msgid "Activation of partially decrypted BITLK device is not supported." msgstr "Активації частково розшифрованого пристрою BITLK не передбачено." -#: lib/bitlk/bitlk.c:1262 +#: lib/bitlk/bitlk.c:1263 #, c-format msgid "WARNING: BitLocker volume size % does not match the underlying device size %" msgstr "УВАГА: розмір тому BitLocker % не відповідає розміру базового пристрою %" -#: lib/bitlk/bitlk.c:1389 +#: lib/bitlk/bitlk.c:1390 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки BITLK IV." -#: lib/bitlk/bitlk.c:1393 +#: lib/bitlk/bitlk.c:1394 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки дифузера Elephant BITLK." -#: lib/bitlk/bitlk.c:1397 +#: lib/bitlk/bitlk.c:1398 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки великого розміру секторів." -#: lib/bitlk/bitlk.c:1401 +#: lib/bitlk/bitlk.c:1402 msgid "Cannot activate device, kernel dm-zero module is missing." msgstr "Не вдалося активувати пристрій — немає модуля ядра dm-zero." @@ -1251,28 +1353,32 @@ msgstr "На пристрої %s вказано UUID VERITY у помилков msgid "Error during update of verity header on device %s." msgstr "Помилка під час оновлення заголовка verity на пристрої %s." -#: lib/verity/verity.c:278 +#: lib/verity/verity.c:274 msgid "Root hash signature verification is not supported." msgstr "Підтримки перевірки підпису кореневого хешу не передбачено." -#: lib/verity/verity.c:290 +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "Потрібен хеш-підпис кореневої теки." + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "Помилки не може бути виправлено за допомогою пристрою FEC." -#: lib/verity/verity.c:292 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "За допомогою пристрою FEC виявлено %u придатних до виправлення помилок." -#: lib/verity/verity.c:335 +#: lib/verity/verity.c:377 msgid "Kernel does not support dm-verity mapping." msgstr "У ядрі не передбачено підтримки прив'язки dm-verity." -#: lib/verity/verity.c:339 +#: lib/verity/verity.c:381 msgid "Kernel does not support dm-verity signature option." msgstr "У ядрі не передбачено підтримки параметра підпису dm-verity." -#: lib/verity/verity.c:350 +#: lib/verity/verity.c:392 msgid "Verity device detected corruption after activation." msgstr "Виявлено пошкодження даних на пристрої перевірки після активації." @@ -1366,7 +1472,7 @@ msgstr "Не вдалося визначити розмір для пристр msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." msgstr "Виявлено несумісні метадані dm-integrity ядра (версія %u) у %s." -#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379 +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 msgid "Kernel does not support dm-integrity mapping." msgstr "У ядрі не передбачено підтримки прив'язки dm-integrity." @@ -1378,8 +1484,8 @@ msgstr "У ядрі не передбачено підтримки вирівн msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." msgstr "Ядром відмовлено у активації небезпечного параметра повторного обчислення (див. застарілі параметри активації, щоб скористатися обчисленням попри це)." -#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159 -#: lib/luks2/luks2_json_metadata.c:1482 +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format msgid "Failed to acquire write lock on device %s." msgstr "Не вдалося отримати блокування запису на пристрої %s." @@ -1396,49 +1502,59 @@ msgstr "" "Пристрій містить неоднозначні підписи. Автоматичне відновлення LUKS2 неможливе.\n" "Будь ласка, запустіть «cryptsetup repair» для відновлення." -#: lib/luks2/luks2_json_format.c:229 +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "Увага: область слоту ключів є надто малою (% байтів), доступна кількість слотів ключів LUKS2 буде дуже обмеженою.\n" + +#: lib/luks2/luks2_json_format.c:427 msgid "Requested data offset is too small." msgstr "Вказаний відступ у даних є надто малим." -#: lib/luks2/luks2_json_format.c:274 +#: lib/luks2/luks2_json_format.c:468 #, c-format -msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" -msgstr "Увага: область слоту ключів є надто малою (% байтів), доступна кількість слотів ключів LUKS2 буде дуже обмеженою.\n" +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "Увага: розмір метаданих LUKS2 змінено до % байтів.\n" -#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328 -#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "Увага: розмір області слотів ключів LUKS2 змінено до % байтів.\n" + +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 #: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "Не вдалося отримати блокування читання на пристрої %s." -#: lib/luks2/luks2_json_metadata.c:1405 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "У резервній копії %s виявлено заборонені вимоги щодо LUKS2." -#: lib/luks2/luks2_json_metadata.c:1446 +#: lib/luks2/luks2_json_metadata.c:1484 msgid "Data offset differ on device and backup, restore failed." msgstr "Зсуви даних на пристрої і на резервній копії різняться, не вдалося відновити." -#: lib/luks2/luks2_json_metadata.c:1452 +#: lib/luks2/luks2_json_metadata.c:1490 msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "Двійкові заголовки із розмірами областей слотів ключів на пристрої і у резервній копії різняться, не вдалося відновити копію." -#: lib/luks2/luks2_json_metadata.c:1459 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "Пристрій %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1460 +#: lib/luks2/luks2_json_metadata.c:1498 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "не містить заголовка LUKS2. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої." -#: lib/luks2/luks2_json_metadata.c:1461 +#: lib/luks2/luks2_json_metadata.c:1499 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "вже містить заголовок LUKS2. Заміна заголовка призведе до руйнування вже створених слотів ключів." -#: lib/luks2/luks2_json_metadata.c:1463 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" @@ -1448,7 +1564,7 @@ msgstr "" "ПОПЕРЕДЖЕННЯ: виявлено невідомі вимоги LUKS2 у справжньому заголовку пристрою!\n" "Заміна заголовка резервною копією може пошкодити дані на пристрої!" -#: lib/luks2/luks2_json_metadata.c:1465 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" @@ -1458,58 +1574,92 @@ msgstr "" "ПОПЕРЕДЖЕННЯ: на пристрої виявлено дані незавершеного повторного шифрування!\n" "Заміна заголовка заголовком із резервної копії може пошкодити дані." -#: lib/luks2/luks2_json_metadata.c:1562 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "Проігноровано невідомий прапорець %s." -#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 #, c-format msgid "Missing key for dm-crypt segment %u" msgstr "Не вистачає ключа для сегмента dm-crypt %u" -#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075 +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 msgid "Failed to set dm-crypt segment." msgstr "Не вдалося встановити сегмент dm-crypt." -#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081 +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 msgid "Failed to set dm-linear segment." msgstr "Не вдалося встановити сегмент dm-linear." -#: lib/luks2/luks2_json_metadata.c:2615 +#: lib/luks2/luks2_json_metadata.c:2662 src/utils_reencrypt.c:433 +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "Не виявлено жодного відомого зразка специфікації шифрування у заголовку LUKS." + +#: lib/luks2/luks2_json_metadata.c:2670 +msgid "OPAL device must have static device size." +msgstr "Пристій OPAL повинен мати статичний розмір пристрою." + +#: lib/luks2/luks2_json_metadata.c:2690 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "Зашифрований пристрій OPAL із механізмами цілісності має бути меншим за діапазон блокування." + +#: lib/luks2/luks2_json_metadata.c:2695 +msgid "OPAL device must have same size as locking range." +msgstr "Пристрій OPAL повинен мати той самий розмір, що і діапазон блокування." + +#: lib/luks2/luks2_json_metadata.c:2715 +#, c-format +msgid "OPAL device is %s already unlocked.\n" +msgstr "Пристрій OPAL %s вже розблоковано.\n" + +#: lib/luks2/luks2_json_metadata.c:2748 msgid "Unsupported device integrity configuration." msgstr "Непідтримувані налаштування цілісності даних на пристрої." -#: lib/luks2/luks2_json_metadata.c:2701 +#: lib/luks2/luks2_json_metadata.c:2764 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "Базовий пристрій dm-integrity із неочікуваними наданими секторами даних." + +#: lib/luks2/luks2_json_metadata.c:2859 msgid "Reencryption in-progress. Cannot deactivate device." msgstr "Виконуємо повторне шифрування. Не можна деактивувати пристрій." -#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082 +#: lib/luks2/luks2_json_metadata.c:2870 lib/luks2/luks2_reencrypt.c:4159 #, c-format msgid "Failed to replace suspended device %s with dm-error target." msgstr "Не вдалося замінити пристрій %s, роботу якого призупинено, ціллю dm-error." -#: lib/luks2/luks2_json_metadata.c:2792 +#: lib/luks2/luks2_json_metadata.c:2939 lib/luks2/luks2_json_metadata.c:2961 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "Пристрій %s було деактивовано, але апаратний пристрій OPAL не може бути заблоковано." + +#: lib/luks2/luks2_json_metadata.c:2980 msgid "Failed to read LUKS2 requirements." msgstr "Не вдалося прочитати вимоги LUKS2." -#: lib/luks2/luks2_json_metadata.c:2799 +#: lib/luks2/luks2_json_metadata.c:2987 msgid "Unmet LUKS2 requirements detected." msgstr "Виявлено невідповідність вимог LUKS2." -#: lib/luks2/luks2_json_metadata.c:2807 +#: lib/luks2/luks2_json_metadata.c:2995 msgid "Operation incompatible with device marked for legacy reencryption. Aborting." msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування застарілого варіанта. Перериваємо дію." -#: lib/luks2/luks2_json_metadata.c:2809 +#: lib/luks2/luks2_json_metadata.c:2997 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування LUKS2. Перериваємо дію." -#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600 +#: lib/luks2/luks2_json_metadata.c:2999 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "Дія є несумісною із пристроєм з використанням OPAL. Перериваємо дію." + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 msgid "Not enough available memory to open a keyslot." msgstr "Недостатньо пам'яті для відкриття слоту ключів." -#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602 +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 msgid "Keyslot open failed." msgstr "Не вдалося відкрити слот ключів." @@ -1518,330 +1668,342 @@ msgstr "Не вдалося відкрити слот ключів." msgid "Cannot use %s-%s cipher for keyslot encryption." msgstr "Не можна використовувати шифрування %s-%s для слотів ключів." -#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394 -#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668 +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 #, c-format msgid "Hash algorithm %s is not available." msgstr "Алгоритм хешування %s є недоступним." -#: lib/luks2/luks2_keyslot_luks2.c:510 +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "Попередження: дія зі слотом ключа може завершитися помилкою, оскільки потребує більшого за доступний розміру пам'яті.\n" + +#: lib/luks2/luks2_keyslot_luks2.c:520 msgid "No space for new keyslot." msgstr "Немає простору для нового слоту ключа." -#: lib/luks2/luks2_keyslot_reenc.c:593 +#: lib/luks2/luks2_keyslot_reenc.c:596 msgid "Invalid reencryption resilience mode change requested." msgstr "Отримано запит щодо некоректної зміни режиму стійкості для повторного шифрування." -#: lib/luks2/luks2_keyslot_reenc.c:714 +#: lib/luks2/luks2_keyslot_reenc.c:717 #, c-format msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." msgstr "Не вдалося оновити тип стійкості. Новим типом передбачено % байтів, потрібне місце: % байтів." -#: lib/luks2/luks2_keyslot_reenc.c:724 +#: lib/luks2/luks2_keyslot_reenc.c:727 msgid "Failed to refresh reencryption verification digest." msgstr "Не вдалося освіжити контрольні суми для перевірки для повторного шифрування." -#: lib/luks2/luks2_luks1_convert.c:512 +#: lib/luks2/luks2_luks1_convert.c:545 #, c-format msgid "Cannot check status of device with uuid: %s." msgstr "Не вдалося перевірити стан пристрою з uuid %s." -#: lib/luks2/luks2_luks1_convert.c:538 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "Не вдалося перетворити заголовок з додатковими метаданими LUKSMETA." -#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 #, c-format msgid "Unable to use cipher specification %s-%s for LUKS2." msgstr "Не вдалося використати специфікацію шифрування %s-%s для LUKS2." -#: lib/luks2/luks2_luks1_convert.c:584 +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "Не вдалося пересунути область слотів ключів. Недостатньо місця." -#: lib/luks2/luks2_luks1_convert.c:619 +#: lib/luks2/luks2_luks1_convert.c:652 msgid "Cannot convert to LUKS2 format - invalid metadata." msgstr "Не вдалося перетворити до формату LUKS2 - некоректні метадані." -#: lib/luks2/luks2_luks1_convert.c:636 +#: lib/luks2/luks2_luks1_convert.c:669 msgid "Unable to move keyslot area. LUKS2 keyslots area too small." msgstr "Не вдалося пересунути область слотів ключів. Область слотів ключів LUKS2 є надто малою." -#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936 +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "Не вдалося пересунути область слотів ключів." -#: lib/luks2/luks2_luks1_convert.c:732 +#: lib/luks2/luks2_luks1_convert.c:765 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." msgstr "Не вдалося перетворити на формат LUKS1 — типовий розмір сектору шифрування сегмента не дорівнює 512 байтам." -#: lib/luks2/luks2_luks1_convert.c:740 +#: lib/luks2/luks2_luks1_convert.c:773 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "Не вдалося перетворити до формату LUKS1 — контрольні суми слотів ключів не сумісні з LUKS1." -#: lib/luks2/luks2_luks1_convert.c:752 +#: lib/luks2/luks2_luks1_convert.c:785 #, c-format msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується загорнуте шифрування ключів %s." -#: lib/luks2/luks2_luks1_convert.c:757 +#: lib/luks2/luks2_luks1_convert.c:790 msgid "Cannot convert to LUKS1 format - device uses more segments." msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується більше сегментів." -#: lib/luks2/luks2_luks1_convert.c:765 +#: lib/luks2/luks2_luks1_convert.c:798 #, c-format msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "Не вдалося перетворити до формату LUKS1 - заголовок LUKS2 містить %u жетонів." -#: lib/luks2/luks2_luks1_convert.c:779 +#: lib/luks2/luks2_luks1_convert.c:812 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "Не вдалося перетворити до формату LUKS1 - слот ключа %u перебуває у некоректному стані." -#: lib/luks2/luks2_luks1_convert.c:784 +#: lib/luks2/luks2_luks1_convert.c:817 #, c-format msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "Не вдалося перетворити до формату LUKS1 — слот %u (перевищує максимальну кількість слотів) усе ще є активним." -#: lib/luks2/luks2_luks1_convert.c:789 +#: lib/luks2/luks2_luks1_convert.c:822 #, c-format msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "не вдалося перетворити до формату LUKS1 — слот ключів %u є несумісним з LUKS1." -#: lib/luks2/luks2_reencrypt.c:1152 +#: lib/luks2/luks2_reencrypt.c:1181 #, c-format msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Розмір «гарячої» ділянки має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)." -#: lib/luks2/luks2_reencrypt.c:1157 +#: lib/luks2/luks2_reencrypt.c:1186 #, c-format msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." msgstr "Розмір пристрою має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)." -#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551 -#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676 -#: lib/luks2/luks2_reencrypt.c:3877 +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 msgid "Failed to initialize old segment storage wrapper." msgstr "Не вдалося ініціалізувати обгортку старого сховища сегментів." -#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529 +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 msgid "Failed to initialize new segment storage wrapper." msgstr "Не вдалося ініціалізувати обгортку нового сховища сегментів." -#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889 +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 msgid "Failed to initialize hotzone protection." msgstr "Не вдалося ініціалізувати захист «гарячої» зони" -#: lib/luks2/luks2_reencrypt.c:1578 +#: lib/luks2/luks2_reencrypt.c:1607 msgid "Failed to read checksums for current hotzone." msgstr "Не вдалося прочитати контрольні суми для поточної «гарячої» ділянки." -#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903 +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 #, c-format msgid "Failed to read hotzone area starting at %." msgstr "Не вдалося прочитати «гарячу» ділянку, починаючи з %." -#: lib/luks2/luks2_reencrypt.c:1604 +#: lib/luks2/luks2_reencrypt.c:1633 #, c-format msgid "Failed to decrypt sector %zu." msgstr "Не вдалося розшифрувати сектор %zu." -#: lib/luks2/luks2_reencrypt.c:1610 +#: lib/luks2/luks2_reencrypt.c:1639 #, c-format msgid "Failed to recover sector %zu." msgstr "Не вдалося відновити сектор %zu." -#: lib/luks2/luks2_reencrypt.c:2174 +#: lib/luks2/luks2_reencrypt.c:2203 #, c-format msgid "Source and target device sizes don't match. Source %, target: %." msgstr "Розміри пристроїв джерела та призначення не збігаються. Розмір джерела — %, розмір призначення — %." -#: lib/luks2/luks2_reencrypt.c:2272 +#: lib/luks2/luks2_reencrypt.c:2301 #, c-format msgid "Failed to activate hotzone device %s." msgstr "Не вдалося задіяти пристрій «гарячої» ділянки %s." -#: lib/luks2/luks2_reencrypt.c:2289 +#: lib/luks2/luks2_reencrypt.c:2318 #, c-format msgid "Failed to activate overlay device %s with actual origin table." msgstr "Не вдалося задіяти пристрій-накладку %s зі справжньою таблицею походження." -#: lib/luks2/luks2_reencrypt.c:2296 +#: lib/luks2/luks2_reencrypt.c:2325 #, c-format msgid "Failed to load new mapping for device %s." msgstr "Не вдалося завантажити нову прив'язку для пристрою %s." -#: lib/luks2/luks2_reencrypt.c:2367 +#: lib/luks2/luks2_reencrypt.c:2396 msgid "Failed to refresh reencryption devices stack." msgstr "Не вдалося освіжити тек пристрої для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2550 +#: lib/luks2/luks2_reencrypt.c:2596 msgid "Failed to set new keyslots area size." msgstr "Не вдалося встановити розмір області нових слотів ключів." -#: lib/luks2/luks2_reencrypt.c:2686 +#: lib/luks2/luks2_reencrypt.c:2732 #, c-format msgid "Data shift value is not aligned to encryption sector size (% bytes)." msgstr "Значення зміщення даних не вирівняно до розміру сектора для шифрування (% байтів)." -#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189 +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 #, c-format msgid "Unsupported resilience mode %s" msgstr "Непідтримуваний режим стійкості %s" -#: lib/luks2/luks2_reencrypt.c:2760 +#: lib/luks2/luks2_reencrypt.c:2806 msgid "Moved segment size can not be greater than data shift value." msgstr "Розмір пересунутого сегмента не може перевищувати значення зсуву даних." -#: lib/luks2/luks2_reencrypt.c:2802 +#: lib/luks2/luks2_reencrypt.c:2848 msgid "Invalid reencryption resilience parameters." msgstr "Некоректні параметри стійкості для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:2824 +#: lib/luks2/luks2_reencrypt.c:2870 #, c-format msgid "Moved segment too large. Requested size %, available space for: %." msgstr "Пересунутий сегмент є надто великим. Потрібний розмір %, доступне місце: %." -#: lib/luks2/luks2_reencrypt.c:2911 +#: lib/luks2/luks2_reencrypt.c:2957 msgid "Failed to clear table." msgstr "Не вдалося очистити таблицю." -#: lib/luks2/luks2_reencrypt.c:2997 +#: lib/luks2/luks2_reencrypt.c:3043 msgid "Reduced data size is larger than real device size." msgstr "Зменшений розмір даних перевищує справжній розмір пристрою." -#: lib/luks2/luks2_reencrypt.c:3004 +#: lib/luks2/luks2_reencrypt.c:3050 #, c-format msgid "Data device is not aligned to encryption sector size (% bytes)." msgstr "Пристрій зберігання даних не вирівняно до розміру сектора для шифрування (% байтів)." -#: lib/luks2/luks2_reencrypt.c:3038 +#: lib/luks2/luks2_reencrypt.c:3084 #, c-format msgid "Data shift (% sectors) is less than future data offset (% sectors)." msgstr "Зміщення даних (% секторів) є меншим за майбутній зсув даних (% секторів)." -#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533 -#: lib/luks2/luks2_reencrypt.c:3554 +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 #, c-format msgid "Failed to open %s in exclusive mode (already mapped or mounted)." msgstr "Не вдалося відкрити %s в ексклюзивному режимі (вже пов'язано або змонтовано)." -#: lib/luks2/luks2_reencrypt.c:3234 +#: lib/luks2/luks2_reencrypt.c:3280 msgid "Device not marked for LUKS2 reencryption." msgstr "Пристрій не позначено для повторного шифрування LUKS2." -#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206 +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 msgid "Failed to load LUKS2 reencryption context." msgstr "Не вдалося завантажити контекст повторного шифрування LUKS2." -#: lib/luks2/luks2_reencrypt.c:3331 +#: lib/luks2/luks2_reencrypt.c:3387 msgid "Failed to get reencryption state." msgstr "Не вдалося отримати стан повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649 +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 msgid "Device is not in reencryption." msgstr "Пристрій не перебуває у повторному шифруванні." -#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656 +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 msgid "Reencryption process is already running." msgstr "Процес повторного шифрування вже виконується." -#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658 +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 msgid "Failed to acquire reencryption lock." msgstr "Не вдалося створити блокування для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3362 +#: lib/luks2/luks2_reencrypt.c:3418 msgid "Cannot proceed with reencryption. Run reencryption recovery first." msgstr "Продовження повторного шифрування неможливе. Спочатку слід виконати відновлення повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3497 +#: lib/luks2/luks2_reencrypt.c:3553 msgid "Active device size and requested reencryption size don't match." msgstr "Не збігаються розмір активного пристрою і запитаний розмір повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3511 +#: lib/luks2/luks2_reencrypt.c:3567 msgid "Illegal device size requested in reencryption parameters." msgstr "У параметрах повторного шифрування вказано некоректний розмір пристрою." -#: lib/luks2/luks2_reencrypt.c:3588 +#: lib/luks2/luks2_reencrypt.c:3644 msgid "Reencryption in-progress. Cannot perform recovery." msgstr "Виконується повторне шифрування. Неможливо виконати відновлення." -#: lib/luks2/luks2_reencrypt.c:3757 +#: lib/luks2/luks2_reencrypt.c:3812 msgid "LUKS2 reencryption already initialized in metadata." msgstr "Повторне шифрування LUKS2 вже ініційовано у метаданих." -#: lib/luks2/luks2_reencrypt.c:3764 +#: lib/luks2/luks2_reencrypt.c:3819 msgid "Failed to initialize LUKS2 reencryption in metadata." msgstr "Не вдалося ініціалізувати повторне шифрування LUKS2 лише у метаданих." -#: lib/luks2/luks2_reencrypt.c:3859 +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "Для пристроїв DAX (сталої пам'яті) не передбачено підтримки повторного шифрування." + +#: lib/luks2/luks2_reencrypt.c:3879 +msgid "Failed to read passphrase from keyring." +msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів." + +#: lib/luks2/luks2_reencrypt.c:3936 msgid "Failed to set device segments for next reencryption hotzone." msgstr "Не вдалося встановити сегменти пристрою для наступної «гарячої» ділянки повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3911 +#: lib/luks2/luks2_reencrypt.c:3988 msgid "Failed to write reencryption resilience metadata." msgstr "Не вдалося записати метадані стійкості для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:3918 +#: lib/luks2/luks2_reencrypt.c:3995 msgid "Decryption failed." msgstr "Помилка розшифрування." -#: lib/luks2/luks2_reencrypt.c:3923 +#: lib/luks2/luks2_reencrypt.c:4000 #, c-format msgid "Failed to write hotzone area starting at %." msgstr "Не вдалося записати «гарячу» ділянку, починаючи з %." -#: lib/luks2/luks2_reencrypt.c:3928 +#: lib/luks2/luks2_reencrypt.c:4005 msgid "Failed to sync data." msgstr "Не вдалося синхронізувати дані." -#: lib/luks2/luks2_reencrypt.c:3936 +#: lib/luks2/luks2_reencrypt.c:4013 msgid "Failed to update metadata after current reencryption hotzone completed." msgstr "Не вдалося оновити метадані після завершення обробки поточної «гарячої» зони повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:4025 +#: lib/luks2/luks2_reencrypt.c:4102 msgid "Failed to write LUKS2 metadata." msgstr "Не вдалося записати метадані LUKS2." -#: lib/luks2/luks2_reencrypt.c:4048 +#: lib/luks2/luks2_reencrypt.c:4125 msgid "Failed to wipe unused data device area." msgstr "Не вдалося витерти область невикористаних даних пристрою." -#: lib/luks2/luks2_reencrypt.c:4054 +#: lib/luks2/luks2_reencrypt.c:4131 #, c-format msgid "Failed to remove unused (unbound) keyslot %d." msgstr "Не вдалося вилучити невикористаний (непов'язаний) слот ключа %d." -#: lib/luks2/luks2_reencrypt.c:4064 +#: lib/luks2/luks2_reencrypt.c:4141 msgid "Failed to remove reencryption keyslot." msgstr "Не вдалося вилучити слот ключа для повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:4074 +#: lib/luks2/luks2_reencrypt.c:4151 #, c-format msgid "Fatal error while reencrypting chunk starting at %, % sectors long." msgstr "Критична помилка під час повторного шифрування фрагмента, починаючи з %, довжиною у % секторів." -#: lib/luks2/luks2_reencrypt.c:4078 +#: lib/luks2/luks2_reencrypt.c:4155 msgid "Online reencryption failed." msgstr "Не вдалося виконати інтерактивне повторне шифрування." -#: lib/luks2/luks2_reencrypt.c:4083 +#: lib/luks2/luks2_reencrypt.c:4160 msgid "Do not resume the device unless replaced with error target manually." msgstr "Не відновлюйте пристрій, якщо не заміните вручну пристрій призначення для помилок." -#: lib/luks2/luks2_reencrypt.c:4137 +#: lib/luks2/luks2_reencrypt.c:4212 msgid "Cannot proceed with reencryption. Unexpected reencryption status." msgstr "Не вдалося виконати повторне шифрування. Неочікуваний стан засобу повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:4143 +#: lib/luks2/luks2_reencrypt.c:4218 msgid "Missing or invalid reencrypt context." msgstr "Не вказано контекст повторного шифрування або вказано некоректний контекст." -#: lib/luks2/luks2_reencrypt.c:4150 +#: lib/luks2/luks2_reencrypt.c:4225 msgid "Failed to initialize reencryption device stack." msgstr "Не вдалося ініціалізувати стос пристроїв повторного шифрування." -#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219 +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 msgid "Failed to update reencryption context." msgstr "Не вдалося оновити контекст повторного шифрування." @@ -1849,80 +2011,121 @@ msgstr "Не вдалося оновити контекст повторного msgid "Reencryption metadata is invalid." msgstr "Метадані повторного шифрування є некоректними." +#: lib/luks2/hw_opal/hw_opal.c:335 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "Відступ діапазону OPAL %d % не відповідає очікуваним значенням %." + +#: lib/luks2/hw_opal/hw_opal.c:344 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "Довжина діапазону OPAL %d % не відповідає розміру пристрою %." + +#: lib/luks2/hw_opal/hw_opal.c:351 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "Вимкнено діапазон блокування %d OPAL." + +#: lib/luks2/hw_opal/hw_opal.c:361 lib/luks2/hw_opal/hw_opal.c:368 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "Неочікуваний стан блокування діапазону OPAL %d." + #: src/cryptsetup.c:85 msgid "Keyslot encryption parameters can be set only for LUKS2 device." msgstr "Параметри шифрування слоту ключів можна встановлювати лише для пристроїв LUKS2." -#: src/cryptsetup.c:108 src/cryptsetup.c:1901 +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 #, c-format msgid "Enter token PIN: " msgstr "Введіть пінкод жетона: " -#: src/cryptsetup.c:110 src/cryptsetup.c:1903 +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 #, c-format msgid "Enter token %d PIN: " msgstr "Введіть пінкод жетона %d: " -#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430 -#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 #: src/utils_reencrypt_luks1.c:580 msgid "No known cipher specification pattern detected." msgstr "Не виявлено жодного відомого зразка специфікації шифрування." -#: src/cryptsetup.c:167 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "УВАГА: використовуємо типові параметри шифрування (%s-%s, розмір ключа — %u бітів), що може бути несумісним із застарілими версіями." + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "УВАГА: використовуємо типові параметри хешування (%s), що може бути несумісним із застарілими версіями." + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "Для простого режиму завжди використовувати параметри --cipher, --key-size і, якщо не використано файл ключа, також --hash." + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "Попередження: параметр --hash у простому режимі із вказаним файлом ключа ігнорується.\n" -#: src/cryptsetup.c:175 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "Попередження: параметр --keyfile-size проігноровано, розмір прочитаних даних збігається із розміром ключа шифрування.\n" -#: src/cryptsetup.c:215 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "Помилка сканування Blkid для %s." + +#: src/cryptsetup.c:264 #, c-format msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." msgstr "На %s виявлено підписи пристроїв. Подальша обробка може пошкодити наявні дані." -#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225 -#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480 -#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138 -#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749 +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 msgid "Operation aborted.\n" msgstr "Дію перервано.\n" -#: src/cryptsetup.c:294 +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "Слід вказати параметр --key-file." -#: src/cryptsetup.c:345 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "Введіть PIM VeraCrypt: " -#: src/cryptsetup.c:354 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "Некоректне значення PIM: помилка обробки." -#: src/cryptsetup.c:357 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "Некоректне значення PIM: 0." -#: src/cryptsetup.c:360 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "Некоректне значення PIM: поза межами діапазону." -#: src/cryptsetup.c:383 +#: src/cryptsetup.c:432 msgid "No device header detected with this passphrase." msgstr "Для цього пароля не виявлено заголовка пристрою." -#: src/cryptsetup.c:456 src/cryptsetup.c:632 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 #, c-format msgid "Device %s is not a valid BITLK device." msgstr "Пристрій %s не є коректним пристроєм BITLK." -#: src/cryptsetup.c:464 +#: src/cryptsetup.c:513 msgid "Cannot determine volume key size for BITLK, please use --key-size option." msgstr "Неможливо визначити розмір ключа тому для BITLK. Будь ласка, скористайтеся параметром --key-size." -#: src/cryptsetup.c:506 +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" @@ -1933,7 +2136,7 @@ msgstr "" "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n" "у безпечному місці." -#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 msgid "" "The header dump with volume key is sensitive information\n" "that allows access to encrypted partition without a passphrase.\n" @@ -1944,77 +2147,84 @@ msgstr "" "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n" "у безпечному місці." -#: src/cryptsetup.c:709 src/cryptsetup.c:739 +#: src/cryptsetup.c:758 src/cryptsetup.c:788 #, c-format msgid "Device %s is not a valid FVAULT2 device." msgstr "Пристрій %s не є коректним пристроєм FVAULT2." -#: src/cryptsetup.c:747 +#: src/cryptsetup.c:796 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." msgstr "Неможливо визначити розмір ключа тому для FVAULT2. Будь ласка, скористайтеся параметром --key-size." -#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400 +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "Пристрій %s усе ще є активним, його заплановано для відкладеного вилучення.\n" -#: src/cryptsetup.c:835 +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, c-format +msgid "Failed to set external tokens path %s." +msgstr "Не вдалося встановити шлях до зовнішніх жетонів %s." + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "Зміна розмірів активного пристрою потребує наявності ключа тому у сховищі ключів, але вказано параметр --disable-keyring." -#: src/cryptsetup.c:982 +#: src/cryptsetup.c:1053 msgid "Benchmark interrupted." msgstr "Тестування перервано." -#: src/cryptsetup.c:1003 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "PBKDF2-%-9s н/д\n" -#: src/cryptsetup.c:1005 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "PBKDF2-%-9s %7u ітерацій за секунду для %zu-бітового ключа\n" -#: src/cryptsetup.c:1019 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "%-10s н/д\n" -#: src/cryptsetup.c:1021 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "%-10s %4u ітерацій, пам'ять: %5u, %1u паралельних потоків (процесорів) для %zu-бітового ключа (запит на %u мс часу)\n" -#: src/cryptsetup.c:1045 +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." msgstr "Результат тестування є ненадійним." -#: src/cryptsetup.c:1095 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# Наближені значення під час перевірки визначаються лише за допомогою оперативної пам’яті (без запису на диск).\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1115 +#: src/cryptsetup.c:1186 #, c-format msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "№%*s Алгоритм | Ключ | Шифрування | Розшифрування\n" -#: src/cryptsetup.c:1119 +#: src/cryptsetup.c:1190 #, c-format msgid "Cipher %s (with %i bits key) is not available." msgstr "Шифрування %s (розмір ключа — %i бітів) є недоступним." #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:1138 +#: src/cryptsetup.c:1209 msgid "# Algorithm | Key | Encryption | Decryption\n" msgstr "№ Алгоритм | Ключ | Шифрування | Розшифрування\n" -#: src/cryptsetup.c:1149 +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "н/д" -#: src/cryptsetup.c:1174 +#: src/cryptsetup.c:1245 msgid "" "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" "and continue (upgrade metadata) only if you acknowledge the operation as genuine." @@ -2022,27 +2232,27 @@ msgstr "" "Виявлено незахищені метадані повторного шифрування LUKS2. Будь ласка, перевірте, чи бажаною є дія з повторного шифрування\n" "(див. виведення luksDump), і продовжуйте (оновлення метаданих), лише якщо впевнені, що дія є бажаною." -#: src/cryptsetup.c:1180 +#: src/cryptsetup.c:1251 msgid "Enter passphrase to protect and upgrade reencryption metadata: " msgstr "Вкажіть пароль для захисту і оновлення метаданих повторного шифрування: " -#: src/cryptsetup.c:1224 +#: src/cryptsetup.c:1295 msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "Ви справді хочете продовжити процедуру відновлення повторного шифрування LUKS2?" -#: src/cryptsetup.c:1233 +#: src/cryptsetup.c:1304 msgid "Enter passphrase to verify reencryption metadata digest: " msgstr "Вкажіть пароль для перевірки контрольної суми метаданих повторного шифрування: " -#: src/cryptsetup.c:1235 +#: src/cryptsetup.c:1306 msgid "Enter passphrase for reencryption recovery: " msgstr "Вкажіть пароль для відновлення повторного шифрування: " -#: src/cryptsetup.c:1290 +#: src/cryptsetup.c:1366 msgid "Really try to repair LUKS device header?" msgstr "Спробувати відновити заголовок пристрою LUKS?" -#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238 +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 msgid "" "\n" "Wipe interrupted." @@ -2050,7 +2260,7 @@ msgstr "" "\n" "Витирання перервано." -#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275 +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 msgid "" "Wiping device to initialize integrity checksum.\n" "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" @@ -2058,128 +2268,144 @@ msgstr "" "Витираємо пристрій для ініціалізації контрольних сум для цілісності.\n" "Ви можете перервати цей процес натисканням комбінації клавіш CTRL+C (решта невитертого пристрою міститиме некоректну контрольну суму).\n" -#: src/cryptsetup.c:1341 src/integritysetup.c:116 +#: src/cryptsetup.c:1417 src/integritysetup.c:116 #, c-format msgid "Cannot deactivate temporary device %s." msgstr "Не можна скасувати активацію тимчасового пристрою %s." -#: src/cryptsetup.c:1392 +#: src/cryptsetup.c:1472 msgid "Integrity option can be used only for LUKS2 format." msgstr "Параметр цілісності може бути використано лише для формату LUKS2." -#: src/cryptsetup.c:1397 src/cryptsetup.c:1457 +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 msgid "Unsupported LUKS2 metadata size options." msgstr "Непідтримувані параметри розміру метаданих LUKS2." -#: src/cryptsetup.c:1406 +#: src/cryptsetup.c:1482 +msgid "OPAL is supported only for LUKS2 format." +msgstr "Підтримку OPAL передбачено лише для формату LUKS2." + +#: src/cryptsetup.c:1491 msgid "Header file does not exist, do you want to create it?" msgstr "Файла заголовка не існує. Хочете його створити?" -#: src/cryptsetup.c:1414 +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "Не вдалося створити файл заголовка %s." -#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152 -#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323 -#: src/integritysetup.c:333 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 msgid "No known integrity specification pattern detected." msgstr "Не виявлено жодного відомого зразка специфікації цілісності." -#: src/cryptsetup.c:1450 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "Не можна використовувати %s як заголовок на диску." -#: src/cryptsetup.c:1474 src/integritysetup.c:181 +#: src/cryptsetup.c:1564 src/integritysetup.c:181 #, c-format msgid "This will overwrite data on %s irrevocably." msgstr "Дані на %s буде перезаписано без можливості відновлення." -#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993 -#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443 +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "Пароль адміністратора OPAL не може бути порожнім." + +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "Не вдалося встановити параметри pbkdf." -#: src/cryptsetup.c:1593 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "Специфікацію типу у специфікації сховища ключів --link-vk-to-keyring проігноровано." + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "Некоректне значення --link-vk-to-keyring." + +#: src/cryptsetup.c:1805 msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "Зменшений відступ даних можна використовувати лише для від’єднаних заголовків LUKS." -#: src/cryptsetup.c:1600 +#: src/cryptsetup.c:1812 #, c-format msgid "LUKS file container %s is too small for activation, there is no remaining space for data." msgstr "Контейнер файлів LUKS %s є надто малим для активації, на ньому не лишиться місця для даних." -#: src/cryptsetup.c:1612 src/cryptsetup.c:1999 +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." msgstr "Неможливо визначити розмір ключа тому для LUKS без слотів ключів. Будь ласка, скористайтеся параметром --key-size." -#: src/cryptsetup.c:1658 +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "Пристрій задіяно, але не вдалося зробити прапорці сталими." -#: src/cryptsetup.c:1737 src/cryptsetup.c:1805 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, c-format msgid "Keyslot %d is selected for deletion." msgstr "Слот ключа %d позначено для вилучення." -#: src/cryptsetup.c:1749 src/cryptsetup.c:1809 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "Це останній слот ключа. Пристрій стане непридатним для використання після спорожнення цього ключа." -#: src/cryptsetup.c:1750 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "Введіть будь-який інший пароль: " -#: src/cryptsetup.c:1751 src/cryptsetup.c:1811 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" msgstr "Дію перервано, слот ключів НЕ витерто.\n" -#: src/cryptsetup.c:1787 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "Введіть пароль, який слід вилучити: " -#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781 -#: src/cryptsetup.c:2948 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format msgid "Device %s is not a valid LUKS2 device." msgstr "Пристрій %s не є коректним пристроєм LUKS2." -#: src/cryptsetup.c:1867 src/cryptsetup.c:2072 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "Введіть новий пароль для слота ключа: " -#: src/cryptsetup.c:1968 +#: src/cryptsetup.c:2213 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" msgstr "Попередження: параметр --key-slot використано для нового числа слоту ключа.\n" -#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149 +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "Введіть будь-який пароль: " -#: src/cryptsetup.c:2152 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "Введіть пароль, який слід змінити: " -#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "Введіть новий пароль: " -#: src/cryptsetup.c:2218 +#: src/cryptsetup.c:2477 msgid "Enter passphrase for keyslot to be converted: " msgstr "Вкажіть пароль для слоту ключа, який буде перетворено: " -#: src/cryptsetup.c:2242 +#: src/cryptsetup.c:2501 msgid "Only one device argument for isLuks operation is supported." msgstr "У команді isLuks можна використовувати лише один аргумент назви пристрою." -#: src/cryptsetup.c:2350 +#: src/cryptsetup.c:2609 #, c-format msgid "Keyslot %d does not contain unbound key." msgstr "Слот ключа %d не містить непов'язаного ключа." -#: src/cryptsetup.c:2355 +#: src/cryptsetup.c:2614 msgid "" "The header dump with unbound key is sensitive information.\n" "This dump should be stored encrypted in a safe place." @@ -2187,40 +2413,52 @@ msgstr "" "Дамп заголовка з непов'язаним ключем є конфіденційними даними.\n" "Цей дамп слід зберігати у зашифрованому форматі у безпечному місці." -#: src/cryptsetup.c:2441 src/cryptsetup.c:2470 +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 #, c-format msgid "%s is not active %s device name." msgstr "%s не є назвою активного пристрою %s." -#: src/cryptsetup.c:2465 +#: src/cryptsetup.c:2741 #, c-format msgid "%s is not active LUKS device name or header is missing." msgstr "%s не є назвою активного пристрою LUKS або пропущено заголовок." -#: src/cryptsetup.c:2527 src/cryptsetup.c:2546 +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." msgstr "Слід вказати параметр --header-backup-file." -#: src/cryptsetup.c:2577 +#: src/cryptsetup.c:2869 #, c-format msgid "%s is not cryptsetup managed device." msgstr "%s не є керованим cryptsetup пристроєм." -#: src/cryptsetup.c:2588 +#: src/cryptsetup.c:2880 #, c-format msgid "Refresh is not supported for device type %s" msgstr "Підтримки дії з оновлення для пристрою типу %s не передбачено." -#: src/cryptsetup.c:2638 +#: src/cryptsetup.c:2930 #, c-format msgid "Unrecognized metadata device type %s." msgstr "Нерозпізнаний тип пристрою метаданих, %s." -#: src/cryptsetup.c:2640 +#: src/cryptsetup.c:2932 msgid "Command requires device and mapped name as arguments." msgstr "Аргументами команди мають бути назва пристрою та призначена до нього назва." -#: src/cryptsetup.c:2661 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "Введіть PSID OPAL: " + +#: src/cryptsetup.c:2942 +msgid "Enter OPAL Admin password: " +msgstr "Введіть пароль адміністратора OPAL: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "УВАГА: УВЕСЬ диск буде повернуто до початкових параметрів, а усі дані на ньому буде втрачено! Виконати дію?" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -2229,351 +2467,351 @@ msgstr "" "У результаті виконання цієї операції буде витерто усі слоти ключів на пристрої %s.\n" "Після виконання цієї дії пристроєм не можна буде скористатися." -#: src/cryptsetup.c:2668 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "Дію перервано, слоти ключів НЕ витерто.\n" -#: src/cryptsetup.c:2707 +#: src/cryptsetup.c:3040 msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "Некоректний тип LUKS. Передбачено підтримку лише luks1 і luks2." -#: src/cryptsetup.c:2723 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "Пристрій вже належить до типу %s." -#: src/cryptsetup.c:2730 +#: src/cryptsetup.c:3063 #, c-format msgid "This operation will convert %s to %s format.\n" msgstr "Ця дія перетворить %s до формату %s.\n" -#: src/cryptsetup.c:2733 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "Дію перервано, дані пристрою НЕ перетворено.\n" -#: src/cryptsetup.c:2773 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "Пропущено параметр --priority, --label або --subsystem." -#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, c-format msgid "Token %d is invalid." msgstr "Жетон %d є некоректним." -#: src/cryptsetup.c:2810 src/cryptsetup.c:2870 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, c-format msgid "Token %d in use." msgstr "Жетон %d використовується." -#: src/cryptsetup.c:2822 +#: src/cryptsetup.c:3155 #, c-format msgid "Failed to add luks2-keyring token %d." msgstr "Не вдалося додати жетон %d зі сховища ключів luks2." -#: src/cryptsetup.c:2833 src/cryptsetup.c:2896 +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, c-format msgid "Failed to assign token %d to keyslot %d." msgstr "Не вдалося прив'язати жетон %d до слоту ключа %d." -#: src/cryptsetup.c:2850 +#: src/cryptsetup.c:3183 #, c-format msgid "Token %d is not in use." msgstr "Жетон %d не використовується." -#: src/cryptsetup.c:2887 +#: src/cryptsetup.c:3220 msgid "Failed to import token from file." msgstr "Не вдалося імпортувати жетон з файла." -#: src/cryptsetup.c:2912 +#: src/cryptsetup.c:3245 #, c-format msgid "Failed to get token %d for export." msgstr "Не вдалося отримати жетон %d для експортування." -#: src/cryptsetup.c:2925 +#: src/cryptsetup.c:3258 #, c-format msgid "Token %d is not assigned to keyslot %d." msgstr "Жетон %d не пов'язано зі слотом ключа %d." -#: src/cryptsetup.c:2927 src/cryptsetup.c:2934 +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 #, c-format msgid "Failed to unassign token %d from keyslot %d." msgstr "Не вдалося відв'язати жетон %d від слоту ключа %d." -#: src/cryptsetup.c:2983 +#: src/cryptsetup.c:3326 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT." -#: src/cryptsetup.c:2986 +#: src/cryptsetup.c:3329 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." msgstr "Підтримку параметра --veracrypt або --disable-veracrypt передбачено лише для пристроїв TCRYPT." -#: src/cryptsetup.c:2989 +#: src/cryptsetup.c:3332 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." msgstr "Параметр --veracrypt-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." -#: src/cryptsetup.c:2993 +#: src/cryptsetup.c:3336 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." msgstr "Параметр --veracrypt-query-pim можна використовувати лише для сумісних із VeraCrypt пристроїв." -#: src/cryptsetup.c:2995 +#: src/cryptsetup.c:3338 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "Не можна поєднувати параметри --veracrypt-pim і --veracrypt-query-pim." -#: src/cryptsetup.c:3004 +#: src/cryptsetup.c:3347 msgid "Option --persistent is not allowed with --test-passphrase." msgstr "Параметр --persistent не можна використовувати разом із --test-passphrase." -#: src/cryptsetup.c:3007 +#: src/cryptsetup.c:3350 msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "Не можна поєднувати параметри --refresh і --test-passphrase." -#: src/cryptsetup.c:3010 +#: src/cryptsetup.c:3353 msgid "Option --shared is allowed only for open of plain device." msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою." -#: src/cryptsetup.c:3013 +#: src/cryptsetup.c:3356 msgid "Option --skip is supported only for open of plain and loopaes devices." msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes." -#: src/cryptsetup.c:3016 +#: src/cryptsetup.c:3359 msgid "Option --offset with open action is only supported for plain and loopaes devices." msgstr "Підтримку параметра --offset разом із дією з відкриття передбачено лише для незашифрованих пристроїв та пристроїв loopaes." -#: src/cryptsetup.c:3019 +#: src/cryptsetup.c:3362 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards." -#: src/cryptsetup.c:3023 +#: src/cryptsetup.c:3366 msgid "Sector size option with open action is supported only for plain devices." msgstr "Підтримку параметра розміру сектора разом із дією з відкриття передбачено лише для незашифрованих пристроїв." -#: src/cryptsetup.c:3027 +#: src/cryptsetup.c:3370 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." msgstr "Підтримку можливості використання великих секторів IV передбачено лише для відкриття пристроїв простого типу з розміром сектора, який перевищує 512 байтів." -#: src/cryptsetup.c:3032 +#: src/cryptsetup.c:3375 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS, TCRYPT, BITLK та FVAULT2." -#: src/cryptsetup.c:3035 src/cryptsetup.c:3058 +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 msgid "Options --device-size and --size cannot be combined." msgstr "Не можна одночасно використовувати параметри --device-size і --size." -#: src/cryptsetup.c:3038 +#: src/cryptsetup.c:3381 msgid "Option --unbound is allowed only for open of luks device." msgstr "Параметр --sunbound можна використовувати лише для відкриття пристрою LUKS." -#: src/cryptsetup.c:3041 +#: src/cryptsetup.c:3384 msgid "Option --unbound cannot be used without --test-passphrase." msgstr "Параметр --unbound не можна використовувати без --test-passphrase." -#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755 +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 msgid "Options --cancel-deferred and --deferred cannot be used at the same time." msgstr "Не можна одночасно використовувати параметр --cancel-deferred і --deferred." -#: src/cryptsetup.c:3066 -msgid "Options --reduce-device-size and --data-size cannot be combined." -msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --data-size." +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --device-size." -#: src/cryptsetup.c:3069 +#: src/cryptsetup.c:3412 msgid "Option --active-name can be set only for LUKS2 device." msgstr "Параметр --active-name можна встановлювати лише для пристроїв LUKS2." -#: src/cryptsetup.c:3072 +#: src/cryptsetup.c:3415 msgid "Options --active-name and --force-offline-reencrypt cannot be combined." msgstr "Не можна одночасно використовувати параметри ---active-name і --force-offline-reencrypt." -#: src/cryptsetup.c:3080 src/cryptsetup.c:3110 +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 msgid "Keyslot specification is required." msgstr "Слід вказати специфікація слотів ключів." -#: src/cryptsetup.c:3088 +#: src/cryptsetup.c:3431 msgid "Options --align-payload and --offset cannot be combined." msgstr "Не можна одночасно використовувати параметри --align-payload і --offset." -#: src/cryptsetup.c:3091 +#: src/cryptsetup.c:3434 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." msgstr "Параметром --integrity-no-wipe можна користуватися лише для дії з форматування із розширенням забезпечення цілісності." -#: src/cryptsetup.c:3094 +#: src/cryptsetup.c:3437 msgid "Only one of --use-[u]random options is allowed." msgstr "Можна використовувати лише один з параметрів --use-[u]random." -#: src/cryptsetup.c:3102 +#: src/cryptsetup.c:3445 msgid "Key size is required with --unbound option." msgstr "Разом із параметром --unbound слід вказувати розмір ключа." -#: src/cryptsetup.c:3122 +#: src/cryptsetup.c:3465 msgid "Invalid token action." msgstr "Некоректна дія з жетоном." -#: src/cryptsetup.c:3125 +#: src/cryptsetup.c:3468 msgid "--key-description parameter is mandatory for token add action." msgstr "Параметр --key-description є обов'язковим для дій із додавання жетонів." -#: src/cryptsetup.c:3129 src/cryptsetup.c:3142 +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 msgid "Action requires specific token. Use --token-id parameter." msgstr "Для виконання дії потрібен специфічний жетон. Скористайтеся параметром --token-id." -#: src/cryptsetup.c:3133 +#: src/cryptsetup.c:3476 msgid "Option --unbound is valid only with token add action." msgstr "Параметр --unbound можна використовувати лише разом із дією з додавання жетона." -#: src/cryptsetup.c:3135 +#: src/cryptsetup.c:3478 msgid "Options --key-slot and --unbound cannot be combined." msgstr "Не можна поєднувати параметри --key-slot і --unbound." -#: src/cryptsetup.c:3140 +#: src/cryptsetup.c:3483 msgid "Action requires specific keyslot. Use --key-slot parameter." msgstr "Дія потребує зазначення слоту ключа. Скористайтеся параметром --key-slot." -#: src/cryptsetup.c:3156 +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr "<пристрій> [--type <тип>] [<назва>]" -#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535 +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 msgid "open device as " msgstr "відкрити пристрій як <назва>" -#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159 -#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536 -#: src/integritysetup.c:537 src/integritysetup.c:539 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "<назва>" -#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "закрити пристрій (вилучити призначення)" -#: src/cryptsetup.c:3158 src/integritysetup.c:539 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "змінити розмір активного пристрою" -#: src/cryptsetup.c:3159 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "показати стан пристрою" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "[--cipher <шифр>]" -#: src/cryptsetup.c:3160 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "перевірити швидкодію шифрування" -#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163 -#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172 -#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175 -#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178 -#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "<пристрій>" -#: src/cryptsetup.c:3161 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "спробувати виправити метадані на диску" -#: src/cryptsetup.c:3162 +#: src/cryptsetup.c:3505 msgid "reencrypt LUKS2 device" msgstr "повторно зашифрувати пристрій LUKS2" -#: src/cryptsetup.c:3163 +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "витерти усі слоти ключів (вилучити ключ шифрування)" -#: src/cryptsetup.c:3164 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "перетворити LUKS із формату LUKS2 або навпаки" -#: src/cryptsetup.c:3165 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "встановити сталі параметри налаштування для LUKS2" -#: src/cryptsetup.c:3166 src/cryptsetup.c:3167 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr "<пристрій> [<новий файл ключа>]" -#: src/cryptsetup.c:3166 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "форматує пристрій LUKS" -#: src/cryptsetup.c:3167 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "додати ключ до пристрою LUKS" -#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr "<пристрій> [<файл ключа>]" -#: src/cryptsetup.c:3168 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "вилучає наданий ключ або файл ключа з пристрою LUKS" -#: src/cryptsetup.c:3169 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "змінює наданий ключ або файл ключа пристрою LUKS" -#: src/cryptsetup.c:3170 +#: src/cryptsetup.c:3513 msgid "converts a key to new pbkdf parameters" msgstr "перетворює ключ до нових параметрів pbkdf" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid " " msgstr "<пристрій> <слот ключа>" -#: src/cryptsetup.c:3171 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "вилучає ключ з номером <слот ключа> з пристрою LUKS" -#: src/cryptsetup.c:3172 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "вивести UUID пристрою LUKS" -#: src/cryptsetup.c:3173 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "виконати спробу виявлення заголовка розділу LUKS на пристрої <пристрій>" -#: src/cryptsetup.c:3174 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "створити дамп даних щодо розділу LUKS" -#: src/cryptsetup.c:3175 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "створити дамп даних пристрою TCRYPT" -#: src/cryptsetup.c:3176 +#: src/cryptsetup.c:3519 msgid "dump BITLK device information" msgstr "створити дамп даних пристрою BITLK" -#: src/cryptsetup.c:3177 +#: src/cryptsetup.c:3520 msgid "dump FVAULT2 device information" msgstr "створити дамп даних пристрою FVAULT2" -#: src/cryptsetup.c:3178 +#: src/cryptsetup.c:3521 msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "Приспати пристрій LUKS і витерти ключ (роботу всіх каналів введення-виведення буде заморожено)" -#: src/cryptsetup.c:3179 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "Відновити роботу приспаного пристрою LUKS" -#: src/cryptsetup.c:3180 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "Створити резервну копію заголовка пристрою LUKS і слотів ключів" -#: src/cryptsetup.c:3181 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "Відновити заголовок пристрою LUKS і слоти ключів" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid " " msgstr " <пристрій>" -#: src/cryptsetup.c:3182 +#: src/cryptsetup.c:3525 msgid "Manipulate LUKS2 tokens" msgstr "Керування жетонами LUKS2" -#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -2581,7 +2819,7 @@ msgstr "" "\n" "<дія> є однією з таких:\n" -#: src/cryptsetup.c:3207 +#: src/cryptsetup.c:3550 msgid "" "\n" "You can also use old syntax aliases:\n" @@ -2594,7 +2832,7 @@ msgstr "" "\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" "\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" -#: src/cryptsetup.c:3211 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -2609,7 +2847,7 @@ msgstr "" "<слот ключа> — номер слота ключа LUKS, який слід змінити\n" "<файл ключа> — необов’язковий файл ключа для нового ключа для дії luksAddKey\n" -#: src/cryptsetup.c:3218 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" @@ -2618,29 +2856,28 @@ msgstr "" "\n" "Типовий укомпільований формат метаданих — %s (для дії luksFormat).\n" -#: src/cryptsetup.c:3223 src/cryptsetup.c:3226 -#, c-format +#: src/cryptsetup.c:3566 msgid "" "\n" -"LUKS2 external token plugin support is %s.\n" +"LUKS2 external token plugin support is enabled.\n" msgstr "" "\n" -"Підтримка додатків зовнішніх жетонів LUKS2 — %s.\n" - -#: src/cryptsetup.c:3223 -msgid "compiled-in" -msgstr "вбудована" +"Підтримку додатків зовнішніх жетонів LUKS2 увімкнено.\n" -#: src/cryptsetup.c:3224 +#: src/cryptsetup.c:3567 #, c-format msgid "LUKS2 external token plugin path: %s.\n" msgstr "Шлях до теки додатків зовнішніх жетонів LUKS2: %s.\n" -#: src/cryptsetup.c:3226 -msgid "disabled" -msgstr "вимкнено" +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" +"\n" +"Підтримку додатків зовнішніх жетонів LUKS2 вимкнено.\n" -#: src/cryptsetup.c:3230 +#: src/cryptsetup.c:3573 #, c-format msgid "" "\n" @@ -2657,7 +2894,7 @@ msgstr "" "Типовий PBKDF для LUKS2: %s\n" "\tЧас ітерації: %d, потрібний обсяг пам'яті: %d кБ, паралельних потоків: %d\n" -#: src/cryptsetup.c:3241 +#: src/cryptsetup.c:3584 #, c-format msgid "" "\n" @@ -2672,96 +2909,100 @@ msgstr "" "\tзвичайне: %s, ключ: %d-бітовий, хешування пароля: %s\n" "\tLUKS: %s, ключ: %d-бітовий, хешування заголовка LUKS: %s, RNG: %s\n" -#: src/cryptsetup.c:3250 +#: src/cryptsetup.c:3593 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" msgstr "\tLUKS: типовий розмір ключа у режимі XTS (два вбудованих ключа) буде подвоєно.\n" -#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711 +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: слід вказати у параметрах %s" -#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198 +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 msgid "Key slot is invalid." msgstr "Некоректний слот ключа." -#: src/cryptsetup.c:3335 +#: src/cryptsetup.c:3678 msgid "Device size must be multiple of 512 bytes sector." msgstr "Розмір пристрою має бути кратним до 512-байтового сектора." -#: src/cryptsetup.c:3340 +#: src/cryptsetup.c:3683 msgid "Invalid max reencryption hotzone size specification." msgstr "Некоректна специфікація розміру «гарячої» ділянки повторного шифрування." -#: src/cryptsetup.c:3354 src/cryptsetup.c:3366 +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 msgid "Key size must be a multiple of 8 bits" msgstr "Розмір ключа має бути кратним 8 бітам" -#: src/cryptsetup.c:3371 +#: src/cryptsetup.c:3714 msgid "Maximum device reduce size is 1 GiB." msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 1 ГіБ." -#: src/cryptsetup.c:3374 +#: src/cryptsetup.c:3717 msgid "Reduce size must be multiple of 512 bytes sector." msgstr "Розмір зменшення має бути кратним до 512-байтового сектора." -#: src/cryptsetup.c:3391 +#: src/cryptsetup.c:3734 msgid "Option --priority can be only ignore/normal/prefer." msgstr "Значенням для параметра --priority може бути лише один з таких рядків: ignore, normal або prefer." -#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634 +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 msgid "Show this help message" msgstr "Показати цю довідку" -#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635 +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 msgid "Display brief usage" msgstr "Показати короткі настанови щодо користування" -#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636 +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 msgid "Print package version" msgstr "Вивести дані щодо версії пакунка" -#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647 +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 msgid "Help options:" msgstr "Пункти довідки:" -#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[ПАРАМЕТР...] <дія> <параметри_дії>" -#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "Не вказано аргумент <дія>." -#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "Невідома дія." -#: src/cryptsetup.c:3546 +#: src/cryptsetup.c:3895 msgid "Option --key-file takes precedence over specified key file argument." msgstr "Параметр --key-file має пріоритет над вказаним параметром файла ключа." -#: src/cryptsetup.c:3552 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "Можна використовувати лише один аргумент --key-file." -#: src/cryptsetup.c:3557 +#: src/cryptsetup.c:3906 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "Функцією отримання ключа на основі пароля (PBKDF) може бути лише pbkdf2 або argon2i/argon2id." -#: src/cryptsetup.c:3562 +#: src/cryptsetup.c:3911 msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "Примусові ітерації PBKDF не можна поєднувати із параметром тривалості ітерацій." -#: src/cryptsetup.c:3573 +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." +msgstr "Неможливо пов'язати ключ тому зі сховищем ключів, якщо сховище ключів вимкнено." + +#: src/cryptsetup.c:3927 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "Параметри --keyslot-cipher і --keyslot-key-size має бути використано разом." -#: src/cryptsetup.c:3581 +#: src/cryptsetup.c:3935 msgid "No action taken. Invoked with --test-args option.\n" msgstr "Дій не виконано. Викликано із параметром --test-args.\n" -#: src/cryptsetup.c:3594 +#: src/cryptsetup.c:3948 msgid "Cannot disable metadata locking." msgstr "Не вдалося вимкнути блокування метаданих." @@ -2826,7 +3067,7 @@ msgstr "Для виконання команди потрібен <корене msgid " " msgstr "<пристрій_даних> <пристрій_хешу>" -#: src/veritysetup.c:489 src/integritysetup.c:534 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "форматувати пристрій" @@ -2842,7 +3083,7 @@ msgstr "перевірити пристрій" msgid " []" msgstr "<пристрій_даних> <назва> <пристрій_хешу> [<кореневий_хеш>]" -#: src/veritysetup.c:493 src/integritysetup.c:537 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "показати стан активного пристрою" @@ -2850,7 +3091,7 @@ msgstr "показати стан активного пристрою" msgid "" msgstr "<пристрій_хешу>" -#: src/veritysetup.c:494 src/integritysetup.c:538 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "показати вбудовані дані" @@ -2880,11 +3121,11 @@ msgstr "" "Типові вбудовані параметри dm-verity:\n" "\tхеш: %s, блок даних (у байтах): %u, блок хешу (у байтах): %u, розмір солі: %u, формат хешування: %u\n" -#: src/veritysetup.c:658 +#: src/veritysetup.c:661 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." msgstr "Параметри --ignore-corruption і --restart-on-corruption не можна використовувати одночасно." -#: src/veritysetup.c:663 +#: src/veritysetup.c:666 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." msgstr "Параметри --panic-on-corruption і --restart-on-corruption не можна використовувати одночасно." @@ -2897,29 +3138,29 @@ msgstr "" "Дані на %s і %s буде перезаписано без можливості відновлення.\n" "Щоб зберегти пристрій даних, скористайтеся параметром --no-wipe (а потім активуйте за допомогою --integrity-recalculate)." -#: src/integritysetup.c:212 +#: src/integritysetup.c:217 #, c-format msgid "Formatted with tag size %u, internal integrity %s.\n" msgstr "Форматовано із розміром мітки %u, внутрішня цілісність %s.\n" -#: src/integritysetup.c:289 +#: src/integritysetup.c:298 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." msgstr "Підтримки встановлення прапорця повторного обчислення не передбачено. Вам варто розглянути можливість використання --wipe." -#: src/integritysetup.c:364 src/integritysetup.c:521 +#: src/integritysetup.c:373 src/integritysetup.c:530 #, c-format msgid "Device %s is not a valid INTEGRITY device." msgstr "Пристрій %s не є коректним пристроєм INTEGRITY." -#: src/integritysetup.c:534 src/integritysetup.c:538 +#: src/integritysetup.c:543 src/integritysetup.c:547 msgid "" msgstr "<пристрій_цілісності>" -#: src/integritysetup.c:535 +#: src/integritysetup.c:544 msgid " " msgstr "<пристрій_цілісності> <назва>" -#: src/integritysetup.c:558 +#: src/integritysetup.c:567 #, c-format msgid "" "\n" @@ -2930,7 +3171,7 @@ msgstr "" "<назва> є пристроєм, який слід створити у %s\n" "<пристрій_цілісності> є пристроєм, на якому зберігаються дані із мітками цілісності\n" -#: src/integritysetup.c:563 +#: src/integritysetup.c:572 #, c-format msgid "" "\n" @@ -2943,40 +3184,40 @@ msgstr "" "\tАлгоритм обчислення контрольної суми: %s\n" "\tМаксимальний розмір файла ключа: %d кБ\n" -#: src/integritysetup.c:620 +#: src/integritysetup.c:629 #, c-format msgid "Invalid --%s size. Maximum is %u bytes." msgstr "Некоректний розмір --%s. Максимальний розмір дорівнює %u байтів." -#: src/integritysetup.c:720 +#: src/integritysetup.c:732 msgid "Both key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа і розміру ключа." -#: src/integritysetup.c:724 +#: src/integritysetup.c:736 msgid "Both journal integrity key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа цілісності журналу і розміру ключа." -#: src/integritysetup.c:727 +#: src/integritysetup.c:739 msgid "Journal integrity algorithm must be specified if journal integrity key is used." msgstr "Якщо використано ключ цілісності журналу, має бути вказано алгоритм забезпечення цілісності журналу." -#: src/integritysetup.c:731 +#: src/integritysetup.c:743 msgid "Both journal encryption key file and key size options must be specified." msgstr "Не можна одночасно вказувати параметри файла ключа шифрування журналу і розміру ключа." -#: src/integritysetup.c:734 +#: src/integritysetup.c:746 msgid "Journal encryption algorithm must be specified if journal encryption key is used." msgstr "Якщо використано ключ шифрування журналу, має бути вказано алгоритм забезпечення шифрування журналу." -#: src/integritysetup.c:738 +#: src/integritysetup.c:750 msgid "Recovery and bitmap mode options are mutually exclusive." msgstr "Не можна поєднувати параметри відновлення і бітової карти." -#: src/integritysetup.c:745 +#: src/integritysetup.c:757 msgid "Journal options cannot be used in bitmap mode." msgstr "Параметри журналу у режимі бітової карти використовувати не можна." -#: src/integritysetup.c:750 +#: src/integritysetup.c:762 msgid "Bitmap options can be used only in bitmap mode." msgstr "Параметри бітової карти можна використовувати лише у режимі бітового карти." @@ -3188,58 +3429,58 @@ msgstr "" msgid "Password quality check failed: Bad passphrase (%s)" msgstr "Помилка під час спроби оцінити якість пароля: некоректний пароль (%s)" -#: src/utils_password.c:230 src/utils_password.c:244 +#: src/utils_password.c:231 src/utils_password.c:245 msgid "Error reading passphrase from terminal." msgstr "Помилка під час читання пароля з термінала." -#: src/utils_password.c:242 +#: src/utils_password.c:243 msgid "Verify passphrase: " msgstr "Перевірка пароля: " -#: src/utils_password.c:249 +#: src/utils_password.c:250 msgid "Passphrases do not match." msgstr "Паролі не збігаються." -#: src/utils_password.c:287 +#: src/utils_password.c:288 msgid "Cannot use offset with terminal input." msgstr "Не можна використовувати відступ у даних, що надходять з термінала." -#: src/utils_password.c:291 +#: src/utils_password.c:292 #, c-format msgid "Enter passphrase: " msgstr "Введіть пароль: " -#: src/utils_password.c:294 +#: src/utils_password.c:295 #, c-format msgid "Enter passphrase for %s: " msgstr "Введіть пароль до %s: " -#: src/utils_password.c:328 +#: src/utils_password.c:329 msgid "No key available with this passphrase." msgstr "Для цього пароля немає відповідного ключа." -#: src/utils_password.c:330 +#: src/utils_password.c:331 msgid "No usable keyslot is available." msgstr "Немає доступних придатних до користування слотів ключів." -#: src/utils_luks.c:67 +#: src/utils_luks.c:68 msgid "Can't do passphrase verification on non-tty inputs." msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty." -#: src/utils_luks.c:182 +#: src/utils_luks.c:183 #, c-format msgid "Failed to open file %s in read-only mode." msgstr "Не вдалося відкрити файл %s у режимі лише читання." -#: src/utils_luks.c:195 +#: src/utils_luks.c:196 msgid "Provide valid LUKS2 token JSON:\n" msgstr "Надайте коректний жетон JSON LUKS2:\n" -#: src/utils_luks.c:202 +#: src/utils_luks.c:203 msgid "Failed to read JSON file." msgstr "Не вдалося прочитати файл JSON." -#: src/utils_luks.c:207 +#: src/utils_luks.c:208 msgid "" "\n" "Read interrupted." @@ -3247,12 +3488,12 @@ msgstr "" "\n" "Читання перервано." -#: src/utils_luks.c:248 +#: src/utils_luks.c:249 #, c-format msgid "Failed to open file %s in write mode." msgstr "Не вдалося відкрити файл %s у режимі запису." -#: src/utils_luks.c:257 +#: src/utils_luks.c:258 msgid "" "\n" "Write interrupted." @@ -3260,7 +3501,7 @@ msgstr "" "\n" "Запис перервано." -#: src/utils_luks.c:261 +#: src/utils_luks.c:262 msgid "Failed to write JSON file." msgstr "Не вдалося записати файл JSON." @@ -3327,15 +3568,19 @@ msgstr "Пристрій потребує відновлення повторн msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS2. Хочете відновити раніше ініціалізовану дію?" -#: src/utils_reencrypt.c:353 +#: src/utils_reencrypt.c:416 msgid "Legacy LUKS2 reencryption is no longer supported." msgstr "Підтримки застарілого повторного шифрування LUKS2 більше не передбачено." -#: src/utils_reencrypt.c:418 +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "Неможливо повторно зашифрувати пристрій LUKS2, який налаштовано на використання OPAL." + +#: src/utils_reencrypt.c:427 msgid "Reencryption of device with integrity profile is not supported." msgstr "Підтримки повторного шифрування пристрою із профілем цілісності не передбачено." -#: src/utils_reencrypt.c:449 +#: src/utils_reencrypt.c:464 #, c-format msgid "" "Requested --sector-size % is incompatible with %s superblock\n" @@ -3344,103 +3589,103 @@ msgstr "" "Вказаний --sector-size % є несумісним із суперблоком %s\n" "(розмір блоку: % байтів), який виявлено на пристрої %s." -#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391 +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." msgstr "Шифрування без від'єднаного заголовка (--header) є неможливим без зменшення розміру пристрою зберігання даних (--reduce-device-size)." -#: src/utils_reencrypt.c:525 +#: src/utils_reencrypt.c:540 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." msgstr "Вказаний зсув даних має бути меншим або рівним половині значення параметра --reduce-device-size." -#: src/utils_reencrypt.c:535 +#: src/utils_reencrypt.c:550 #, c-format msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" msgstr "Коригуємо значення --reduce-device-size до подвійного значення --offset % (у секторах).\n" -#: src/utils_reencrypt.c:565 +#: src/utils_reencrypt.c:580 #, c-format msgid "Temporary header file %s already exists. Aborting." msgstr "Файл тимчасового заголовка %s вже існує. Перериваємо обробку." -#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574 +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 #, c-format msgid "Cannot create temporary header file %s." msgstr "Не вдалося створити файл тимчасового заголовка %s." -#: src/utils_reencrypt.c:599 +#: src/utils_reencrypt.c:614 msgid "LUKS2 metadata size is larger than data shift value." msgstr "Розмір метаданих LUKS2 перевищує значення зсуву даних." -#: src/utils_reencrypt.c:636 +#: src/utils_reencrypt.c:651 #, c-format msgid "Failed to place new header at head of device %s." msgstr "Не вдалося розмістити новий заголовок на початку пристрою %s." -#: src/utils_reencrypt.c:646 +#: src/utils_reencrypt.c:661 #, c-format msgid "%s/%s is now active and ready for online encryption.\n" msgstr "%s/%s задіяно, система готова до інтерактивного шифрування.\n" -#: src/utils_reencrypt.c:682 +#: src/utils_reencrypt.c:697 #, c-format msgid "Active device %s is not LUKS2." msgstr "Активний пристрій %s не є пристроєм LUKS2." -#: src/utils_reencrypt.c:710 +#: src/utils_reencrypt.c:725 msgid "Restoring original LUKS2 header." msgstr "Відновлюємо початковий заголовок LUKS2." -#: src/utils_reencrypt.c:718 +#: src/utils_reencrypt.c:733 msgid "Original LUKS2 header restore failed." msgstr "Спроба відновлення початкового заголовка LUKS2 зазнала невдачі." -#: src/utils_reencrypt.c:744 +#: src/utils_reencrypt.c:759 #, c-format msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" msgstr "Файла заголовка %s не існує. Хочете ініціалізувати розшифрування LUKS2 пристрою %s і експортувати заголовок LUKS2 до файла %s?" -#: src/utils_reencrypt.c:792 +#: src/utils_reencrypt.c:807 msgid "Failed to add read/write permissions to exported header file." msgstr "Не вдалося додати права доступу для читання-запису до експортованого файла заголовка." -#: src/utils_reencrypt.c:845 +#: src/utils_reencrypt.c:860 #, c-format msgid "Reencryption initialization failed. Header backup is available in %s." msgstr "Не вдалося ініціалізувати повторне шифрування. Резервна копія заголовка перебуває у %s." -#: src/utils_reencrypt.c:873 +#: src/utils_reencrypt.c:888 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." msgstr "Підтримку розшифровування LUKS2 передбачено лише для пристроїв із від'єднаним заголовком (із встановленим нульовим відступом даних)." -#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017 +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 msgid "Not enough free keyslots for reencryption." msgstr "Недостатньо вільних слотів ключів для повторного шифрування." -#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100 +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 msgid "Key file can be used only with --key-slot or with exactly one key slot active." msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа." -#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 #: src/utils_reencrypt_luks1.c:1158 #, c-format msgid "Enter passphrase for key slot %d: " msgstr "Вкажіть пароль для слоту ключа %d: " -#: src/utils_reencrypt.c:1059 +#: src/utils_reencrypt.c:1074 #, c-format msgid "Enter passphrase for key slot %u: " msgstr "Вкажіть пароль для слоту ключа %u: " -#: src/utils_reencrypt.c:1111 +#: src/utils_reencrypt.c:1126 #, c-format msgid "Switching data encryption cipher to %s.\n" msgstr "Перемикаємося на шифрування даних %s.\n" -#: src/utils_reencrypt.c:1165 +#: src/utils_reencrypt.c:1180 msgid "No data segment parameters changed. Reencryption aborted." msgstr "Не змінено параметри сегмента даних. Повторне шифрування перервано." -#: src/utils_reencrypt.c:1267 +#: src/utils_reencrypt.c:1282 msgid "" "Encryption sector size increase on offline device is not supported.\n" "Activate the device first or use --force-offline-reencrypt option (dangerous!)." @@ -3448,7 +3693,7 @@ msgstr "" "Підтримки збільшення розміру сектора шифрування на вимкненому пристрої не передбачено.\n" "Спочатку активуйте пристрій або скористайтеся параметром --force-offline-reencrypt (небезпечно!)." -#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 #: src/utils_reencrypt_luks1.c:798 msgid "" "\n" @@ -3457,62 +3702,62 @@ msgstr "" "\n" "Повторне шифрування перервано." -#: src/utils_reencrypt.c:1312 +#: src/utils_reencrypt.c:1327 msgid "Resuming LUKS reencryption in forced offline mode.\n" msgstr "Відновлюємо повторне шифрування LUKS у примусовому вимкненому режимі.\n" -#: src/utils_reencrypt.c:1329 +#: src/utils_reencrypt.c:1350 #, c-format msgid "Device %s contains broken LUKS metadata. Aborting operation." msgstr "На пристрої %s містяться пошкоджені метадані LUKS. Перериваємо дію." -#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367 +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 #, c-format msgid "Device %s is already LUKS device. Aborting operation." msgstr "Пристрій %s вже є пристроєм LUKS. Перериваємо дію." -#: src/utils_reencrypt.c:1373 +#: src/utils_reencrypt.c:1394 #, c-format msgid "Device %s is already in LUKS reencryption. Aborting operation." msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS. Перериваємо дію." -#: src/utils_reencrypt.c:1453 +#: src/utils_reencrypt.c:1476 msgid "LUKS2 decryption requires --header option." msgstr "Для розшифровування LUKS2 потрібен параметр --header." -#: src/utils_reencrypt.c:1501 +#: src/utils_reencrypt.c:1524 msgid "Command requires device as argument." msgstr "Комарні слід передати аргумент пристрою." -#: src/utils_reencrypt.c:1514 +#: src/utils_reencrypt.c:1537 #, c-format msgid "Conflicting versions. Device %s is LUKS1." msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS1." -#: src/utils_reencrypt.c:1520 +#: src/utils_reencrypt.c:1543 #, c-format msgid "Conflicting versions. Device %s is in LUKS1 reencryption." msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS1." -#: src/utils_reencrypt.c:1526 +#: src/utils_reencrypt.c:1549 #, c-format msgid "Conflicting versions. Device %s is LUKS2." msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS2." -#: src/utils_reencrypt.c:1532 +#: src/utils_reencrypt.c:1555 #, c-format msgid "Conflicting versions. Device %s is in LUKS2 reencryption." msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS2." -#: src/utils_reencrypt.c:1538 +#: src/utils_reencrypt.c:1561 msgid "LUKS2 reencryption already initialized. Aborting operation." msgstr "Вже ініційовано повторне шифрування LUKS2. Перериваємо виконання дії." -#: src/utils_reencrypt.c:1545 +#: src/utils_reencrypt.c:1568 msgid "Device reencryption not in progress." msgstr "Повторне шифрування пристрою не виконується." -#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287 +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 #, c-format msgid "Cannot exclusively open %s, device in use." msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується." @@ -3648,35 +3893,35 @@ msgstr "Попередження: пристрій %s вже містить пі msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" msgstr "Попередження: пристрій %s вже містить підпис суперблоку «%s».\n" -#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344 +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 msgid "Failed to initialize device signature probes." msgstr "Не вдалося ініціалізувати зондування підписів пристроїв." -#: src/utils_blockdev.c:274 +#: src/utils_blockdev.c:282 #, c-format msgid "Failed to stat device %s." msgstr "Не вдалося зібрати статистичні дані щодо пристрою %s." -#: src/utils_blockdev.c:289 +#: src/utils_blockdev.c:297 #, c-format msgid "Failed to open file %s in read/write mode." msgstr "Не вдалося відкрити файл %s у режимі читання-запису." -#: src/utils_blockdev.c:307 +#: src/utils_blockdev.c:317 #, c-format msgid "Existing '%s' partition signature on device %s will be wiped." msgstr "Наявний підпис розділу «%s» на пристрої %s буде витерто." -#: src/utils_blockdev.c:310 +#: src/utils_blockdev.c:320 #, c-format msgid "Existing '%s' superblock signature on device %s will be wiped." msgstr "Наявний підпис суперблоку «%s» на пристрої %s буде витерто." -#: src/utils_blockdev.c:313 +#: src/utils_blockdev.c:323 msgid "Failed to wipe device signature." msgstr "Не вдалося витерти підпис пристрою." -#: src/utils_blockdev.c:320 +#: src/utils_blockdev.c:330 #, c-format msgid "Failed to probe device %s for a signature." msgstr "Не вдалося виконати зондування пристрою %s з метою виявлення підпису." @@ -3691,11 +3936,11 @@ msgstr "Некоректна специфікація розміру у пара msgid "Option --%s is not allowed with %s action." msgstr "Параметр --%s не можна використовувати разом із дією %s." -#: tokens/ssh/cryptsetup-ssh.c:110 +#: tokens/ssh/cryptsetup-ssh.c:123 msgid "Failed to write ssh token json." msgstr "Не вдалося записати JSON жетона ssh." -#: tokens/ssh/cryptsetup-ssh.c:128 +#: tokens/ssh/cryptsetup-ssh.c:141 msgid "" "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" "\n" @@ -3711,105 +3956,109 @@ msgstr "" "\n" "Зауваження: дані, які надано при додаванні жетона (адреса сервера SSH, користувач та шляхи) буде збережено у заголовку LUKS2 у форматі звичайного тексту." -#: tokens/ssh/cryptsetup-ssh.c:138 +#: tokens/ssh/cryptsetup-ssh.c:151 msgid " " msgstr "<дія> <пристрій>" -#: tokens/ssh/cryptsetup-ssh.c:141 +#: tokens/ssh/cryptsetup-ssh.c:154 msgid "Options for the 'add' action:" msgstr "Параметри дії «add» (додати):" -#: tokens/ssh/cryptsetup-ssh.c:142 +#: tokens/ssh/cryptsetup-ssh.c:155 msgid "IP address/URL of the remote server for this token" msgstr "IP-адреса/Назва віддаленого сервера для цього жетона" -#: tokens/ssh/cryptsetup-ssh.c:143 +#: tokens/ssh/cryptsetup-ssh.c:156 msgid "Username used for the remote server" msgstr "Ім'я користувача для доступу до віддаленого сервера" -#: tokens/ssh/cryptsetup-ssh.c:144 +#: tokens/ssh/cryptsetup-ssh.c:157 msgid "Path to the key file on the remote server" msgstr "Шлях до файла ключа на віддаленому сервері" -#: tokens/ssh/cryptsetup-ssh.c:145 +#: tokens/ssh/cryptsetup-ssh.c:158 msgid "Path to the SSH key for connecting to the remote server" msgstr "Шлях до ключа SSH для з'єднання із віддаленим сервером" -#: tokens/ssh/cryptsetup-ssh.c:146 +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "Шлях до каталогу, що містить зовнішні жетони libcryptsetup" + +#: tokens/ssh/cryptsetup-ssh.c:161 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." msgstr "Слот ключа для прив'язування жетона. Якщо не вказано, жетон буде пов'язано із першим слотом ключа, який відповідає наданому паролю." -#: tokens/ssh/cryptsetup-ssh.c:148 +#: tokens/ssh/cryptsetup-ssh.c:163 msgid "Generic options:" msgstr "Загальні параметри:" -#: tokens/ssh/cryptsetup-ssh.c:149 +#: tokens/ssh/cryptsetup-ssh.c:164 msgid "Shows more detailed error messages" msgstr "Показувати докладні повідомлення про помилки" -#: tokens/ssh/cryptsetup-ssh.c:150 +#: tokens/ssh/cryptsetup-ssh.c:165 msgid "Show debug messages" msgstr "Показувати діагностичні повідомлення" -#: tokens/ssh/cryptsetup-ssh.c:151 +#: tokens/ssh/cryptsetup-ssh.c:166 msgid "Show debug messages including JSON metadata" msgstr "Показувати діагностичні повідомлення, зокрема метадані JSON" -#: tokens/ssh/cryptsetup-ssh.c:262 +#: tokens/ssh/cryptsetup-ssh.c:281 msgid "Failed to open and import private key:\n" msgstr "Не вдалося відкрити і імпортувати закритий ключ:\n" -#: tokens/ssh/cryptsetup-ssh.c:266 +#: tokens/ssh/cryptsetup-ssh.c:285 msgid "Failed to import private key (password protected?).\n" msgstr "Не вдалося імпортувати закритий ключ (захищено паролем?).\n" #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " -#: tokens/ssh/cryptsetup-ssh.c:268 +#: tokens/ssh/cryptsetup-ssh.c:287 #, c-format msgid "%s@%s's password: " msgstr "Пароль до %s@%s: " -#: tokens/ssh/cryptsetup-ssh.c:357 +#: tokens/ssh/cryptsetup-ssh.c:376 #, c-format msgid "Failed to parse arguments.\n" msgstr "Не вдалося обробити аргументи.\n" -#: tokens/ssh/cryptsetup-ssh.c:368 +#: tokens/ssh/cryptsetup-ssh.c:387 #, c-format msgid "An action must be specified\n" msgstr "Має бути вказано дію\n" -#: tokens/ssh/cryptsetup-ssh.c:374 +#: tokens/ssh/cryptsetup-ssh.c:393 #, c-format msgid "Device must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано пристрій.\n" -#: tokens/ssh/cryptsetup-ssh.c:379 +#: tokens/ssh/cryptsetup-ssh.c:398 #, c-format msgid "SSH server must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано сервер SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:384 +#: tokens/ssh/cryptsetup-ssh.c:403 #, c-format msgid "SSH user must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано користувача SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:389 +#: tokens/ssh/cryptsetup-ssh.c:408 #, c-format msgid "SSH path must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано шлях до SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:394 +#: tokens/ssh/cryptsetup-ssh.c:413 #, c-format msgid "SSH key path must be specified for '%s' action.\n" msgstr "Для виконання дії «%s» має бути вказано шлях до ключа SSH.\n" -#: tokens/ssh/cryptsetup-ssh.c:401 +#: tokens/ssh/cryptsetup-ssh.c:420 #, c-format msgid "Failed open %s using provided credentials.\n" msgstr "Не вдалося відкрити %s за допомогою наданих реєстраційних даних.\n" -#: tokens/ssh/cryptsetup-ssh.c:417 +#: tokens/ssh/cryptsetup-ssh.c:437 #, c-format msgid "Only 'add' action is currently supported by this plugin.\n" msgstr "У поточній версії цього додатка передбачено підтримку лише дії «add» (додати0.\n" @@ -3854,6 +4103,12 @@ msgstr "На вузлі заборонено спосіб розпізнаван msgid "Public key authentication error: " msgstr "Помилка розпізнавання за відкритим ключем: " +#~ msgid "compiled-in" +#~ msgstr "вбудована" + +#~ msgid "disabled" +#~ msgstr "вимкнено" + #~ msgid "WARNING: Data offset is outside of currently available data device.\n" #~ msgstr "Увага: відступ у даних виходить за межі поточного доступного пристрою для зберігання даних.\n" @@ -3878,9 +4133,6 @@ msgstr "Помилка розпізнавання за відкритим клю #~ msgid "Failed to disable reencryption requirement flag." #~ msgstr "Не вдалося вимкнути прапорець вимоги повторного шифрування." -#~ msgid "Encryption is supported only for LUKS2 format." -#~ msgstr "Підтримку шифрування передбачено лише для формату LUKS2." - #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?" #~ msgstr "Виявлено пристрій LUKS на %s. Хочете зашифрувати цей пристрій LUKS знову?" diff --git a/po/zh_CN.po b/po/zh_CN.po index 5ab96fb..c6c5d98 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -3,14 +3,14 @@ # This file is distributed under the same license as the cryptsetup package. # Mingcong Bai , 2015. # Mingye Wang , 2015. -# Boyuan Yang <073plan@gmail.com>, 2018. +# Boyuan Yang <073plan@gmail.com>, 2018, 2023. # msgid "" msgstr "" -"Project-Id-Version: cryptsetup 2.0.3.1\n" -"Report-Msgid-Bugs-To: dm-crypt@saout.de\n" -"POT-Creation-Date: 2018-04-26 22:11+0200\n" -"PO-Revision-Date: 2018-04-27 22:41+0800\n" +"Project-Id-Version: cryptsetup 2.7.0-rc0\n" +"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n" +"POT-Creation-Date: 2023-11-29 09:21+0100\n" +"PO-Revision-Date: 2023-12-01 10:37-0500\n" "Last-Translator: Boyuan Yang <073plan@gmail.com>\n" "Language-Team: Chinese (simplified) \n" "Language: zh_CN\n" @@ -18,47 +18,86 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Bugs: Report translation errors to the Language-Team address.\n" -"X-Generator: Poedit 2.0.6\n" +"X-Generator: Poedit 2.4.3\n" "Plural-Forms: nplurals=1; plural=0;\n" -#: lib/libdevmapper.c:331 +#: lib/libdevmapper.c:419 msgid "Cannot initialize device-mapper, running as non-root user." msgstr "无法初始化设备映射器,正作为非 root 用户运行。" -#: lib/libdevmapper.c:334 +#: lib/libdevmapper.c:422 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" msgstr "无法初始化设备映射器。dm_mod 内核模块装载了吗?" -#: lib/libdevmapper.c:938 +#: lib/libdevmapper.c:1103 msgid "Requested deferred flag is not supported." msgstr "不支持请求的推迟(deferred)标记。" -#: lib/libdevmapper.c:1003 +#: lib/libdevmapper.c:1172 #, c-format msgid "DM-UUID for device %s was truncated." msgstr "设备 %s 的 DM-UUID 被截断。" -#: lib/libdevmapper.c:1223 +#: lib/libdevmapper.c:1510 +msgid "Unknown dm target type." +msgstr "未知的 dm 目标类型。" + +#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738 +#: lib/libdevmapper.c:1741 msgid "Requested dm-crypt performance options are not supported." msgstr "不支持请求的 dm-crypt 性能选项。" -#: lib/libdevmapper.c:1230 +#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656 msgid "Requested dm-verity data corruption handling options are not supported." msgstr "不支持请求的 dm-verity 数据损坏处理选项。" -#: lib/libdevmapper.c:1234 +#: lib/libdevmapper.c:1650 +msgid "Requested dm-verity tasklets option is not supported." +msgstr "不支持请求的 dm-verity FEC 选项。" + +#: lib/libdevmapper.c:1662 msgid "Requested dm-verity FEC options are not supported." msgstr "不支持请求的 dm-verity FEC 选项。" -#: lib/libdevmapper.c:1238 +#: lib/libdevmapper.c:1668 msgid "Requested data integrity options are not supported." msgstr "不支持请求的数据完整性选项。" -#: lib/libdevmapper.c:1240 +#: lib/libdevmapper.c:1672 msgid "Requested sector_size option is not supported." msgstr "不支持请求的 sector_size 选项。" -#: lib/random.c:80 +#: lib/libdevmapper.c:1677 +#, fuzzy +#| msgid "Device %s size is not aligned to requested sector size (%u bytes)." +msgid "The device size is not multiple of the requested sector size." +msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" + +#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690 +#, fuzzy +#| msgid "Requested data integrity options are not supported." +msgid "Requested automatic recalculation of integrity tags is not supported." +msgstr "不支持请求的数据完整性选项。" + +#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747 +#: lib/luks2/luks2_json_metadata.c:2742 +#, fuzzy +#| msgid "Hash algorithm %s not supported." +msgid "Discard/TRIM is not supported." +msgstr "不支持哈希算法 %s。" + +#: lib/libdevmapper.c:1702 +#, fuzzy +#| msgid "Requested data integrity options are not supported." +msgid "Requested dm-integrity bitmap mode is not supported." +msgstr "不支持请求的数据完整性选项。" + +#: lib/libdevmapper.c:2738 +#, c-format +msgid "Failed to query dm-%s segment." +msgstr "" + +#: lib/random.c:73 msgid "" "System is out of entropy while generating volume key.\n" "Please move mouse or type some text in another window to gather some random events.\n" @@ -66,523 +105,853 @@ msgstr "" "系统在生成卷密钥时熵不足。\n" "请随意移动鼠标或是在别的窗口打字,以便生成随机事件让系统使用。\n" -#: lib/random.c:84 +#: lib/random.c:77 #, c-format msgid "Generating key (%d%% done).\n" msgstr "正生成密钥(%d%% 已完成)\n" -#: lib/random.c:170 +#: lib/random.c:163 msgid "Running in FIPS mode." msgstr "在 FIPS 模式下运行。" -#: lib/random.c:176 +#: lib/random.c:169 msgid "Fatal error during RNG initialisation." msgstr "随机数生成器初始化时发生致命错误。" -#: lib/random.c:213 +#: lib/random.c:207 msgid "Unknown RNG quality requested." msgstr "未知的随机数生成器质量请求。" -#: lib/random.c:218 +#: lib/random.c:212 msgid "Error reading from RNG." msgstr "从随机数生成器(RNG)读取时出错。" -#: lib/setup.c:203 +#: lib/setup.c:261 +msgid "OPAL support is disabled in libcryptsetup." +msgstr "OPAL 支持在 libcryptsetup 中被禁用。" + +#: lib/setup.c:263 +#, c-format +msgid "Device %s or kernel does not support OPAL encryption." +msgstr "设备 %s 或内核不支持 OPAL 加密。" + +#: lib/setup.c:279 msgid "Cannot initialize crypto RNG backend." msgstr "无法初始化加密随机数生成器后端。" -#: lib/setup.c:209 +#: lib/setup.c:285 msgid "Cannot initialize crypto backend." msgstr "无法初始化加密后端。" -#: lib/setup.c:240 lib/setup.c:1766 lib/verity/verity.c:123 +#: lib/setup.c:316 lib/setup.c:2766 lib/verity/verity.c:122 #, c-format msgid "Hash algorithm %s not supported." msgstr "不支持哈希算法 %s。" -#: lib/setup.c:243 lib/loopaes/loopaes.c:90 +#: lib/setup.c:319 lib/loopaes/loopaes.c:90 #, c-format msgid "Key processing error (using hash %s)." msgstr "密钥处理错误(使用散列 %s)。" -#: lib/setup.c:304 lib/setup.c:331 +#: lib/setup.c:390 lib/setup.c:427 msgid "Cannot determine device type. Incompatible activation of device?" msgstr "无法确定设备类型。不兼容的设备激活?" -#: lib/setup.c:310 lib/setup.c:2326 +#: lib/setup.c:396 lib/setup.c:3959 msgid "This operation is supported only for LUKS device." msgstr "此操作只适用 LUKS 设备。" -#: lib/setup.c:337 +#: lib/setup.c:433 msgid "This operation is supported only for LUKS2 device." msgstr "此操作只适用 LUKS2 设备。" -#: lib/setup.c:382 +#: lib/setup.c:490 lib/luks2/luks2_reencrypt.c:3056 msgid "All key slots full." msgstr "密钥槽全都满了。" -#: lib/setup.c:393 +#: lib/setup.c:501 #, c-format msgid "Key slot %d is invalid, please select between 0 and %d." msgstr "密钥槽 %d 无效,请选择 0 到 %d 间的数字。" -#: lib/setup.c:399 +#: lib/setup.c:507 #, c-format msgid "Key slot %d is full, please select another one." msgstr "密钥槽 %d 满了,请选择另一个。" -#: lib/setup.c:597 +#: lib/setup.c:618 lib/setup.c:3661 +msgid "Device size is not aligned to device logical block size." +msgstr "设备的大小没有和设备逻辑块大小对齐。" + +#: lib/setup.c:716 #, c-format msgid "Header detected but device %s is too small." msgstr "检测到标头但设备 %s 太小。" -#: lib/setup.c:616 +#: lib/setup.c:757 lib/setup.c:3552 lib/setup.c:5134 +#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305 msgid "This operation is not supported for this device type." msgstr "不支持在这类设备上执行此操作。" -#: lib/setup.c:1239 lib/setup.c:2066 lib/setup.c:3300 +#: lib/setup.c:762 +msgid "Illegal operation with reencryption in-progress." +msgstr "正在进行重加密中的非法操作。" + +#: lib/setup.c:894 +#, fuzzy +#| msgid "Failed to read LUKS2 requirements." +msgid "Failed to rollback LUKS2 metadata in memory." +msgstr "读取 LUKS2 需求时失败。" + +#: lib/setup.c:981 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527 +#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799 +#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222 +#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981 +#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488 +#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85 +#, c-format +msgid "Device %s is not a valid LUKS device." +msgstr "%s 不是有效的 LUKS 设备。" + +#: lib/setup.c:984 lib/luks1/keymanage.c:530 +#, c-format +msgid "Unsupported LUKS version %d." +msgstr "不支持的 LUKS 版本 %d。" + +#: lib/setup.c:1357 +#, fuzzy, c-format +#| msgid "No known cipher specification pattern detected.\n" +msgid "No known cipher specification pattern detected for active device %s." +msgstr "未探测到已知的密文特征。\n" + +#: lib/setup.c:1603 lib/setup.c:3306 lib/setup.c:3388 lib/setup.c:3400 +#: lib/setup.c:3570 lib/setup.c:5721 #, c-format msgid "Device %s is not active." msgstr "设备 %s 未激活。" -#: lib/setup.c:1256 +#: lib/setup.c:1620 #, c-format msgid "Underlying device for crypt device %s disappeared." msgstr "加密设备 %s 下层的设备消失了。" -#: lib/setup.c:1336 +#: lib/setup.c:1702 msgid "Invalid plain crypt parameters." msgstr "无效的纯加密选项。" -#: lib/setup.c:1341 lib/setup.c:1680 src/integritysetup.c:68 +#: lib/setup.c:1707 lib/setup.c:2669 msgid "Invalid key size." msgstr "无效的密钥大小。" -#: lib/setup.c:1346 lib/setup.c:1685 lib/setup.c:1876 +#: lib/setup.c:1712 lib/setup.c:2674 lib/setup.c:2877 msgid "UUID is not supported for this crypt type." msgstr "此加密类型不支持 UUID。" -#: lib/setup.c:1356 lib/setup.c:1500 src/cryptsetup.c:950 +#: lib/setup.c:1717 lib/setup.c:2679 +#, fuzzy +#| msgid "UUID is not supported for this crypt type." +msgid "Detached metadata device is not supported for this crypt type." +msgstr "此加密类型不支持 UUID。" + +#: lib/setup.c:1727 lib/setup.c:1962 lib/luks2/luks2_reencrypt.c:3012 +#: src/cryptsetup.c:1467 src/cryptsetup.c:3726 msgid "Unsupported encryption sector size." msgstr "不支持的加密扇区大小。" -#: lib/setup.c:1402 lib/setup.c:1494 +#: lib/setup.c:1735 lib/setup.c:1991 lib/setup.c:3655 +#, fuzzy +#| msgid "Device %s size is not aligned to requested sector size (%u bytes)." +msgid "Device size is not aligned to requested sector size." +msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" + +#: lib/setup.c:1787 lib/setup.c:2024 lib/setup.c:2355 msgid "Can't format LUKS without device." msgstr "无法在没有设备的情况下格式化 LUKS。" -#: lib/setup.c:1464 lib/setup.c:1617 lib/setup.c:1888 +#: lib/setup.c:1793 lib/setup.c:2030 lib/setup.c:2361 +msgid "Requested data alignment is not compatible with data offset." +msgstr "" + +#: lib/setup.c:1833 lib/setup.c:2048 +msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n" +msgstr "" + +#: lib/setup.c:1871 lib/setup.c:2143 lib/setup.c:2164 lib/setup.c:2539 +#: lib/setup.c:2579 lib/setup.c:2889 #, c-format msgid "Cannot wipe header on device %s." msgstr "无法将设备 %s 上的标头擦除。" -#: lib/setup.c:1523 +#: lib/setup.c:1884 lib/setup.c:2203 +#, c-format +msgid "Device %s is too small for activation, there is no remaining space for data.\n" +msgstr "" + +#: lib/setup.c:1924 msgid "Volume key is too small for encryption with integrity extensions." msgstr "卷密钥对于带完整性校验扩展的加密而言过小。" -#: lib/setup.c:1530 lib/utils_device.c:599 +#: lib/setup.c:1933 +#, fuzzy, c-format +#| msgid "Cipher %s is not available.\n" +msgid "Cipher %s-%s (key size %zd bits) is not available." +msgstr "密文 %s 不可用。\n" + +#: lib/setup.c:1972 +msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n" +msgstr "" + +#: lib/setup.c:2146 lib/setup.c:2482 lib/setup.c:2542 lib/utils_device.c:917 +#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080 +#: lib/luks2/luks2_reencrypt.c:4364 #, c-format -msgid "Cannot use device %s which is in use (already mapped or mounted)." -msgstr "无法使用正被使用的设备 %s(已被映射或挂载)。" +msgid "Device %s is too small." +msgstr "设备 %s 太小。" -#: lib/setup.c:1610 +#: lib/setup.c:2157 lib/setup.c:2183 lib/setup.c:2572 lib/setup.c:2618 #, c-format -msgid "Cannot format device %s which is still in use." +msgid "Cannot format device %s in use." msgstr "无法格式化正在使用的设备 %s。" -#: lib/setup.c:1613 lib/setup.c:1648 +#: lib/setup.c:2160 lib/setup.c:2186 lib/setup.c:2575 lib/setup.c:2621 #, c-format msgid "Cannot format device %s, permission denied." msgstr "无法格式化设备 %s,权限被拒绝。" -#: lib/setup.c:1625 lib/luks2/luks2_json_metadata.c:863 -#: lib/luks2/luks2_json_metadata.c:1141 lib/luks2/luks2_keyslot.c:429 -#: lib/luks2/luks2_keyslot_luks2.c:40 lib/luks2/luks2_keyslot_luks2.c:69 -#, c-format -msgid "Failed to acquire write lock on device %s." -msgstr "无法获取设备 %s 上的写入锁。" - -#: lib/setup.c:1633 lib/setup.c:1940 +#: lib/setup.c:2172 lib/setup.c:2592 lib/setup.c:2949 #, fuzzy, c-format #| msgid "Cannot write device %s.\n" msgid "Cannot format integrity for device %s." msgstr "无法写入设备 %s。\n" -#: lib/setup.c:1645 -#, c-format -msgid "Cannot format device %s in use." -msgstr "无法格式化正在使用的设备 %s。" - -#: lib/setup.c:1652 +#: lib/setup.c:2190 lib/setup.c:2629 #, c-format msgid "Cannot format device %s." msgstr "无法格式化设备 %s。" -#: lib/setup.c:1675 +#: lib/setup.c:2233 +msgid "Cannot get OPAL alignment parameters." +msgstr "" + +#: lib/setup.c:2242 +msgid "Bogus OPAL logical block size." +msgstr "" + +#: lib/setup.c:2248 +msgid "Requested data offset is not compatible with OPAL block size." +msgstr "" + +#: lib/setup.c:2255 +msgid "Requested data alignment is not compatible with OPAL alignment." +msgstr "" + +#: lib/setup.c:2275 +msgid "Data offset does not satisfy OPAL alignment requirements." +msgstr "" + +#: lib/setup.c:2288 +msgid "Requested data alignment does not satisfy locking range alignment requirements." +msgstr "" + +#: lib/setup.c:2492 +#, c-format +msgid "Compensating device size by % sectors to align it with OPAL alignment granularity." +msgstr "" + +#: lib/setup.c:2553 +msgid "Incorrect OPAL Admin key." +msgstr "OPAL 管理密钥不正确。" + +#: lib/setup.c:2555 +msgid "Cannot setup OPAL segment." +msgstr "" + +#: lib/setup.c:2625 +#, fuzzy, c-format +#| msgid "Cannot format device %s, permission denied." +msgid "Cannot format device %s, OPAL device seems to be fully write-protected now." +msgstr "无法格式化设备 %s,权限被拒绝。" + +#: lib/setup.c:2627 +msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery." +msgstr "" + +#: lib/setup.c:2645 +#, c-format +msgid "Locking range %d reset on device %s failed." +msgstr "" + +#: lib/setup.c:2664 msgid "Can't format LOOPAES without device." msgstr "无法在没有设备的情况下格式化 LOOPAES。" -#: lib/setup.c:1715 +#: lib/setup.c:2709 msgid "Can't format VERITY without device." msgstr "无法在没有设备的情况下格式化 VERIFY。" -#: lib/setup.c:1723 lib/verity/verity.c:106 +#: lib/setup.c:2720 lib/verity/verity.c:101 #, c-format msgid "Unsupported VERITY hash type %d." msgstr "不支持的 VERITY 哈希类型 %d。" -#: lib/setup.c:1729 lib/verity/verity.c:114 +#: lib/setup.c:2726 lib/verity/verity.c:109 msgid "Unsupported VERITY block size." msgstr "不支持的 VERITY 块大小。" -#: lib/setup.c:1734 lib/verity/verity.c:75 +#: lib/setup.c:2731 lib/verity/verity.c:74 msgid "Unsupported VERITY hash offset." msgstr "不支持的 VERITY 哈希偏移量。" -#: lib/setup.c:1739 +#: lib/setup.c:2736 msgid "Unsupported VERITY FEC offset." msgstr "不支持的 VERITY 哈希偏移量。" -#: lib/setup.c:1760 +#: lib/setup.c:2760 msgid "Data area overlaps with hash area." msgstr "数据区域重叠覆盖了哈希区域。" -#: lib/setup.c:1785 +#: lib/setup.c:2785 msgid "Hash area overlaps with FEC area." msgstr "哈希区域重叠覆盖了 FEC 区域。" -#: lib/setup.c:1792 +#: lib/setup.c:2792 msgid "Data area overlaps with FEC area." msgstr "数据区域重叠覆盖了 FEC 区域。" -#: lib/setup.c:1997 +#: lib/setup.c:2928 +#, c-format +msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n" +msgstr "" + +#: lib/setup.c:3007 #, c-format msgid "Unknown crypt device type %s requested." msgstr "请求了未知的加密设备类型 %s。" -#: lib/setup.c:2098 +#: lib/setup.c:3314 lib/setup.c:3393 lib/setup.c:3406 +#, fuzzy, c-format +#| msgid "Cannot wipe header on device %s." +msgid "Unsupported parameters on device %s." +msgstr "无法将设备 %s 上的标头擦除。" + +#: lib/setup.c:3320 lib/setup.c:3413 lib/luks2/luks2_reencrypt.c:2908 +#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540 +#, fuzzy, c-format +#| msgid "Cannot wipe header on device %s." +msgid "Mismatching parameters on device %s." +msgstr "无法将设备 %s 上的标头擦除。" + +#: lib/setup.c:3437 +msgid "Crypt devices mismatch." +msgstr "" + +#: lib/setup.c:3474 lib/setup.c:3479 lib/luks2/luks2_reencrypt.c:2390 +#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109 +#, c-format +msgid "Failed to reload device %s." +msgstr "重新加载设备 %s 失败。" + +#: lib/setup.c:3485 lib/setup.c:3491 lib/luks2/luks2_reencrypt.c:2361 +#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938 +#, fuzzy, c-format +#| msgid "Failed to acquire read lock on device %s." +msgid "Failed to suspend device %s." +msgstr "无法获取设备 %s 的读取锁。" + +#: lib/setup.c:3497 lib/luks2/luks2_reencrypt.c:2375 +#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022 +#: lib/luks2/luks2_reencrypt.c:4113 +#, fuzzy, c-format +#| msgid "Failed to open temporary keystore device.\n" +msgid "Failed to resume device %s." +msgstr "打开临时密钥存储设备失败。\n" + +#: lib/setup.c:3512 +#, c-format +msgid "Fatal error while reloading device %s (on top of device %s)." +msgstr "" + +#: lib/setup.c:3515 lib/setup.c:3517 +#, fuzzy, c-format +#| msgid "Failed to acquire write lock on device %s." +msgid "Failed to switch device %s to dm-error." +msgstr "无法获取设备 %s 上的写入锁。" + +#: lib/setup.c:3557 +#, fuzzy +#| msgid "Cannot check password quality: %s\n" +msgid "Can not resize LUKS2 device with static size." +msgstr "无法检查密码质量:%s\n" + +#: lib/setup.c:3602 msgid "Cannot resize loop device." msgstr "无法改变回环设备大小。" -#: lib/setup.c:2107 -#, c-format -msgid "Device %s size is not aligned to requested sector size (%u bytes)." -msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" +#: lib/setup.c:3646 +msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n" +msgstr "" + +#: lib/setup.c:3712 +msgid "Resize failed, the kernel doesn't support it." +msgstr "" -#: lib/setup.c:2161 +#: lib/setup.c:3744 msgid "Do you really want to change UUID of device?" msgstr "你真的想改变设备的 UUID 吗?" -#: lib/setup.c:2237 +#: lib/setup.c:3836 msgid "Header backup file does not contain compatible LUKS header." msgstr "标头备份文件不包含兼容的 LUKS 标头。" -#: lib/setup.c:2334 +#: lib/setup.c:3944 #, c-format msgid "Volume %s is not active." msgstr "卷 %s 未激活。" -#: lib/setup.c:2345 +#: lib/setup.c:4010 #, c-format msgid "Volume %s is already suspended." msgstr "卷 %s 已挂起。" -#: lib/setup.c:2359 +#: lib/setup.c:4038 #, c-format msgid "Suspend is not supported for device %s." msgstr "设备 %s 不支持挂起。" -#: lib/setup.c:2361 +#: lib/setup.c:4040 lib/setup.c:4048 #, c-format msgid "Error during suspending device %s." msgstr "挂起设备 %s 时出错。" -#: lib/setup.c:2394 lib/setup.c:2461 +#: lib/setup.c:4054 #, c-format -msgid "Volume %s is not suspended." -msgstr "卷 %s 未挂起。" +msgid "Device %s was suspended but hardware OPAL device cannot be locked." +msgstr "" -#: lib/setup.c:2423 +#: lib/setup.c:4085 lib/setup.c:4222 #, c-format msgid "Resume is not supported for device %s." msgstr "设备 %s 不支持恢复。" -#: lib/setup.c:2425 lib/setup.c:2493 +#: lib/setup.c:4087 lib/setup.c:4213 lib/setup.c:4224 #, c-format msgid "Error during resuming device %s." msgstr "恢复设备 %s 时出错。" -#: lib/setup.c:2561 lib/setup.c:2754 -msgid "Cannot add key slot, all slots disabled and no volume key provided." -msgstr "无法添加密钥槽,所有密钥槽已禁用且未提供卷密钥。" +#: lib/setup.c:4110 +#, fuzzy +#| msgid "Failed to load key in kernel keyring." +msgid "Failed to link key to the specified keyring." +msgstr "在内核密钥环中加载密钥失败。" -#: lib/setup.c:2698 -#, c-format -msgid "Key slot %d changed." -msgstr "密钥槽 %d 已改变。" +#: lib/setup.c:4129 +#, fuzzy +#| msgid "Failed to load key in kernel keyring." +msgid "Failed to unlink volume key from user specified keyring." +msgstr "在内核密钥环中加载密钥失败。" -#: lib/setup.c:2701 -#, c-format -msgid "Replaced with key slot %d." -msgstr "替换为密钥槽 %d。" +#: lib/setup.c:4191 lib/setup.c:4905 lib/setup.c:5515 +#, fuzzy +#| msgid "Failed to load key in kernel keyring." +msgid "Failed to link volume key in user defined keyring." +msgstr "在内核密钥环中加载密钥失败。" -#: lib/setup.c:2706 -msgid "Failed to swap new key slot." -msgstr "交换新密钥槽失败。" +#: lib/setup.c:4284 src/cryptsetup.c:2755 +#, c-format +msgid "Volume %s is not suspended." +msgstr "卷 %s 未挂起。" -#: lib/setup.c:2871 lib/setup.c:3145 lib/setup.c:3158 lib/setup.c:3166 -#: lib/setup.c:3179 lib/setup.c:3453 lib/setup.c:4370 +#: lib/setup.c:4385 lib/setup.c:5281 lib/setup.c:5288 lib/setup.c:7142 +#: lib/setup.c:7164 lib/setup.c:7213 src/cryptsetup.c:2265 msgid "Volume key does not match the volume." msgstr "卷密钥与卷不匹配。" -#: lib/setup.c:2892 +#: lib/setup.c:4539 +msgid "Failed to swap new key slot." +msgstr "交换新密钥槽失败。" + +#: lib/setup.c:4637 #, c-format msgid "Key slot %d is invalid." msgstr "密钥槽 %d 无效。" -#: lib/setup.c:2898 -#, c-format -msgid "Key slot %d is not used." -msgstr "密钥槽 %d 未使用。" +#: lib/setup.c:4643 src/cryptsetup.c:1975 src/cryptsetup.c:2467 +#: src/cryptsetup.c:3149 src/cryptsetup.c:3209 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Keyslot %d is not active." +msgstr "密钥槽 %d 未使用。\n" -#: lib/setup.c:2968 lib/setup.c:3232 -msgid "Device type is not properly initialised." -msgstr "设备类型未正确初始化。" +#: lib/setup.c:4662 +#, fuzzy +#| msgid "Data area overlaps with hash area." +msgid "Device header overlaps with data area." +msgstr "数据区域重叠覆盖了哈希区域。" -#: lib/setup.c:3010 -#, c-format -msgid "Cannot use device %s, name is invalid or still in use." -msgstr "无法使用设备 %s,名称无效或它正被使用。" +#: lib/setup.c:5012 +#, fuzzy +#| msgid "Reencryption already in-progress." +msgid "Reencryption in-progress. Cannot activate device." +msgstr "重加密已在进行中。" + +#: lib/setup.c:5014 lib/luks2/luks2_json_metadata.c:2847 +#: lib/luks2/luks2_reencrypt.c:3646 +msgid "Failed to get reencryption lock." +msgstr "获取重加密锁失败。" + +#: lib/setup.c:5027 lib/luks2/luks2_reencrypt.c:3665 +msgid "LUKS2 reencryption recovery failed." +msgstr "LUKS2 重加密恢复失败。" -#: lib/setup.c:3013 +#: lib/setup.c:5199 lib/setup.c:5299 lib/setup.c:5357 +msgid "Device type is not properly initialized." +msgstr "设备类型未正确初始化。" + +#: lib/setup.c:5254 #, c-format msgid "Device %s already exists." msgstr "设备 %s 已存在。" -#: lib/setup.c:3132 +#: lib/setup.c:5261 +#, c-format +msgid "Cannot use device %s, name is invalid or still in use." +msgstr "无法使用设备 %s,名称无效或它正被使用。" + +#: lib/setup.c:5277 msgid "Incorrect volume key specified for plain device." msgstr "为普通设备指定的卷密钥有误。" -#: lib/setup.c:3198 +#: lib/setup.c:5390 +msgid "Kernel keyring is not supported by the kernel." +msgstr "该内核不支持内核密钥环。" + +#: lib/setup.c:5394 +#, fuzzy +#| msgid "Kernel keyring is not supported by the kernel." +msgid "Kernel keyring missing: required for passing signature to kernel." +msgstr "该内核不支持内核密钥环。" + +#: lib/setup.c:5634 msgid "Incorrect root hash specified for verity device." msgstr "为 verity 设备指定的根 hash 不正确。" -#: lib/setup.c:3274 lib/setup.c:3289 +#: lib/setup.c:5677 +msgid "OPAL does not support deferred deactivation." +msgstr "" + +#: lib/setup.c:5693 +#, fuzzy, c-format +#| msgid "Failed to acquire read lock on device %s." +msgid "Could not cancel deferred remove from device %s." +msgstr "无法获取设备 %s 的读取锁。" + +#: lib/setup.c:5700 lib/setup.c:5716 lib/luks2/luks2_json_metadata.c:2901 +#: src/utils_reencrypt.c:116 #, c-format msgid "Device %s is still in use." msgstr "设备 %s 仍在使用。" -#: lib/setup.c:3304 +#: lib/setup.c:5725 #, c-format msgid "Invalid device %s." msgstr "设备 %s 无效。" -#: lib/setup.c:3389 -msgid "Function not available in FIPS mode." -msgstr "功能在 FIPS 模式无效。" - -#: lib/setup.c:3403 +#: lib/setup.c:5865 msgid "Volume key buffer too small." msgstr "卷密钥缓冲区太小。" -#: lib/setup.c:3411 +#: lib/setup.c:5882 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot retrieve volume key for LUKS2 device." +msgstr "无法获取普通设备的卷密钥。" + +#: lib/setup.c:5891 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot retrieve volume key for LUKS1 device." +msgstr "无法获取普通设备的卷密钥。" + +#: lib/setup.c:5901 msgid "Cannot retrieve volume key for plain device." msgstr "无法获取普通设备的卷密钥。" -#: lib/setup.c:3422 +#: lib/setup.c:5909 +#, fuzzy +#| msgid "Incorrect root hash specified for verity device." +msgid "Cannot retrieve root hash for verity device." +msgstr "为 verity 设备指定的根 hash 不正确。" + +#: lib/setup.c:5916 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot retrieve volume key for BITLK device." +msgstr "无法获取普通设备的卷密钥。" + +#: lib/setup.c:5921 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot retrieve volume key for FVAULT2 device." +msgstr "无法获取普通设备的卷密钥。" + +#: lib/setup.c:5923 #, c-format msgid "This operation is not supported for %s crypt device." msgstr "不支持在 %s 加密设备上执行此操作。" -#: lib/setup.c:3609 +#: lib/setup.c:6107 lib/setup.c:6118 msgid "Dump operation is not supported for this device type." msgstr "不支持在此类设备上执行导出操作。" -#: lib/setup.c:4018 +#: lib/setup.c:6477 +#, c-format +msgid "Data offset is not multiple of %u bytes." +msgstr "" + +#: lib/setup.c:6785 #, c-format msgid "Cannot convert device %s which is still in use." msgstr "无法转换正在使用的设备 %s。" -#: lib/setup.c:4301 +#: lib/setup.c:7083 lib/setup.c:7222 #, c-format msgid "Failed to assign keyslot %u as the new volume key." msgstr "将密钥槽 %u 指定为新卷密钥的操作失败。" -#: lib/setup.c:4364 -msgid "Failed to initialise default LUKS2 keyslot parameters." +#: lib/setup.c:7107 +#, fuzzy +#| msgid "Failed to initialise default LUKS2 keyslot parameters." +msgid "Failed to initialize default LUKS2 keyslot parameters." msgstr "初始化默认 LUKS2 密钥槽参数失败。" -#: lib/setup.c:4376 +#: lib/setup.c:7113 #, fuzzy, c-format #| msgid "Failed to swap new key slot.\n" msgid "Failed to assign keyslot %d to digest." msgstr "交换新密钥槽失败。\n" -#: lib/setup.c:4460 +#: lib/setup.c:7338 +msgid "Cannot add key slot, all slots disabled and no volume key provided." +msgstr "无法添加密钥槽,所有密钥槽已禁用且未提供卷密钥。" + +#: lib/setup.c:7407 lib/verity/verity.c:343 msgid "Failed to load key in kernel keyring." msgstr "在内核密钥环中加载密钥失败。" -#: lib/setup.c:4515 -msgid "Kernel keyring is not supported by the kernel." -msgstr "该内核不支持内核密钥环。" +#: lib/setup.c:7525 +#, fuzzy +#| msgid "Failed to load key in kernel keyring." +msgid "Failed to unlink volume key from thread keyring." +msgstr "在内核密钥环中加载密钥失败。" -#: lib/setup.c:4525 +#: lib/setup.c:7549 #, c-format -msgid "Failed to read passphrase from keyring (error %d)." -msgstr "从密钥环读取口令失败(错误 %d)。" - -#: lib/utils.c:81 -msgid "Cannot get process priority." -msgstr "无法获取进程优先级。" +msgid "Could not find keyring described by \"%s\"." +msgstr "" -#: lib/utils.c:95 -msgid "Cannot unlock memory." -msgstr "无法解锁内存。" +#: lib/setup.c:7608 +msgid "Failed to acquire global memory-hard access serialization lock." +msgstr "" -#: lib/utils.c:169 lib/tcrypt/tcrypt.c:475 +#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503 msgid "Failed to open key file." msgstr "打开 (open) 密钥文件失败。" -#: lib/utils.c:174 +#: lib/utils.c:210 msgid "Cannot read keyfile from a terminal." msgstr "无法从终端读取密钥文件。" # stat() 主要就是出来一个各种文件信息…… -#: lib/utils.c:191 +#: lib/utils.c:226 msgid "Failed to stat key file." msgstr "获取 (stat) 密钥文件信息失败。" -#: lib/utils.c:199 lib/utils.c:220 +#: lib/utils.c:234 lib/utils.c:255 msgid "Cannot seek to requested keyfile offset." msgstr "无法寻找 (seek) 到请求的密钥文件偏移量。" -#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:207 -#: src/utils_password.c:220 +#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226 +#: src/utils_password.c:238 msgid "Out of memory while reading passphrase." msgstr "读取密码时内存耗尽。" -#: lib/utils.c:249 +#: lib/utils.c:284 msgid "Error reading passphrase." msgstr "读取口令出错。" -#: lib/utils.c:273 +#: lib/utils.c:301 +msgid "Nothing to read on input." +msgstr "" + +#: lib/utils.c:308 msgid "Maximum keyfile size exceeded." msgstr "超出最大密钥文件大小。" -#: lib/utils.c:278 +#: lib/utils.c:313 msgid "Cannot read requested amount of data." msgstr "无法读取请求量的数据。" -#: lib/utils_device.c:184 lib/luks1/keyencryption.c:101 -#, c-format -msgid "Device %s doesn't exist or access denied." +#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110 +#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461 +#, fuzzy, c-format +#| msgid "Device %s doesn't exist or access denied." +msgid "Device %s does not exist or access denied." msgstr "设备 %s 不存在或访问被拒绝。" -#: lib/utils_device.c:603 +#: lib/utils_device.c:223 +#, fuzzy, c-format +#| msgid "Device %s is not active." +msgid "Device %s is not compatible." +msgstr "设备 %s 未激活。" + +#: lib/utils_device.c:567 +#, c-format +msgid "Ignoring bogus optimal-io size for data device (%u bytes)." +msgstr "" + +#: lib/utils_device.c:728 +#, fuzzy, c-format +#| msgid "Device %s is too small. (LUKS1 requires at least % bytes.)" +msgid "Device %s is too small. Need at least % bytes." +msgstr "设备 %s 过小。(LUKS1 需要至少 % 字节。)" + +#: lib/utils_device.c:809 +#, c-format +msgid "Cannot use device %s which is in use (already mapped or mounted)." +msgstr "无法使用正被使用的设备 %s(已被映射或挂载)。" + +#: lib/utils_device.c:813 #, c-format msgid "Cannot use device %s, permission denied." msgstr "无法使用设备 %s,权限被拒绝。" -#: lib/utils_device.c:606 +#: lib/utils_device.c:816 #, c-format msgid "Cannot get info about device %s." msgstr "无法获取有关设备 %s 的信息。" -#: lib/utils_device.c:628 +#: lib/utils_device.c:839 msgid "Cannot use a loopback device, running as non-root user." msgstr "无法使用回环设备,正作为非 root 用户运行。" -#: lib/utils_device.c:638 +#: lib/utils_device.c:850 msgid "Attaching loopback device failed (loop device with autoclear flag is required)." msgstr "连接回环设备失败(需要有 autoclear 旗标的回环设备)。" -#: lib/utils_device.c:684 +#: lib/utils_device.c:898 #, c-format msgid "Requested offset is beyond real size of device %s." msgstr "请求的偏移量超出设备 %s 的真实大小。" -#: lib/utils_device.c:692 +#: lib/utils_device.c:906 #, c-format msgid "Device %s has zero size." msgstr "设备 %s 大小为零。" -#: lib/utils_device.c:703 -#, c-format -msgid "Device %s is too small." -msgstr "设备 %s 太小。" +#: lib/utils_pbkdf.c:116 +#, fuzzy +#| msgid "Requested PBKDF target time can not be zero." +msgid "Requested PBKDF target time cannot be zero." +msgstr "请求的 PBKDF 目标时间不能为零。" -#: lib/utils_pbkdf.c:74 +#: lib/utils_pbkdf.c:122 #, c-format msgid "Unknown PBKDF type %s." msgstr "未知的 PBKDF 类型 %s。" -#: lib/utils_pbkdf.c:85 +#: lib/utils_pbkdf.c:127 +#, fuzzy, c-format +#| msgid "Requested LUKS hash %s is not supported." +msgid "Requested hash %s is not supported." +msgstr "不支持请求的 LUKS 哈希 %s。" + +#: lib/utils_pbkdf.c:138 msgid "Requested PBKDF type is not supported for LUKS1." msgstr "请求的 PBKDF 类型不被 LUKS1 支持。" -#: lib/utils_pbkdf.c:91 +#: lib/utils_pbkdf.c:144 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2." msgstr "" -#: lib/utils_pbkdf.c:96 lib/utils_pbkdf.c:106 +#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159 #, c-format msgid "Forced iteration count is too low for %s (minimum is %u)." msgstr "" -#: lib/utils_pbkdf.c:111 +#: lib/utils_pbkdf.c:164 #, c-format msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)." msgstr "" -#: lib/utils_pbkdf.c:118 +#: lib/utils_pbkdf.c:171 #, c-format msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)." msgstr "请求的最大 PBKDF 内存开销过大(最大为 %d 千字节)。" -#: lib/utils_pbkdf.c:123 -msgid "Requested maximum PBKDF memory can not be zero." +#: lib/utils_pbkdf.c:176 +#, fuzzy +#| msgid "Requested maximum PBKDF memory can not be zero." +msgid "Requested maximum PBKDF memory cannot be zero." msgstr "请求的最大 PBKDF 内存使用量不能为零。" -#: lib/utils_pbkdf.c:127 -msgid "Requested PBKDF parallel threads can not be zero." +#: lib/utils_pbkdf.c:180 +#, fuzzy +#| msgid "Requested PBKDF parallel threads can not be zero." +msgid "Requested PBKDF parallel threads cannot be zero." msgstr "请求的 PBKDF 并行线程数不能为零。" -#: lib/utils_pbkdf.c:131 -msgid "Requested PBKDF target time can not be zero." -msgstr "请求的 PBKDF 目标时间不能为零。" +#: lib/utils_pbkdf.c:200 +msgid "Only PBKDF2 is supported in FIPS mode." +msgstr "" -#: lib/utils_benchmark.c:304 +#: lib/utils_benchmark.c:184 msgid "PBKDF benchmark disabled but iterations not set." msgstr "" -#: lib/utils_benchmark.c:326 +#: lib/utils_benchmark.c:203 #, c-format msgid "Not compatible PBKDF2 options (using hash algorithm %s)." msgstr "PBKDF2 选项不兼容(正在使用哈希算法 %s)。" -#: lib/utils_benchmark.c:340 +#: lib/utils_benchmark.c:223 msgid "Not compatible PBKDF options." msgstr "PBKDF2 选项不兼容。" -#: lib/utils_device_locking.c:80 +#: lib/utils_device_locking.c:101 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)." msgstr "锁定中止。锁定路径 %s/%s 不可用(不是一个目录或缺失)。" -#: lib/utils_device_locking.c:87 -#, c-format -msgid "WARNING: Locking directory %s/%s is missing!\n" -msgstr "警告:锁定目录 %s/%s 缺失!\n" - -#: lib/utils_device_locking.c:97 +#: lib/utils_device_locking.c:118 #, c-format msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)." msgstr "锁定中止。锁定路径 %s/%s 不可用(%s 不是目录)。" -#: lib/luks1/keyencryption.c:39 +#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734 +#: src/utils_reencrypt_luks1.c:832 +msgid "Cannot seek to device offset." +msgstr "无法寻找到设备偏移位置。" + +#: lib/utils_wipe.c:249 #, c-format -msgid "" -"Failed to setup dm-crypt key mapping for device %s.\n" -"Check that kernel supports %s cipher (check syslog for more info)." +msgid "Device wipe error, offset %." +msgstr "" + +#: lib/utils_wipe.c:343 +msgid "Incorrect OPAL PSID." +msgstr "不正确的 OPAL PSID。" + +#: lib/utils_wipe.c:345 +#, fuzzy +#| msgid "Cannot resize loop device." +msgid "Cannot erase OPAL device." +msgstr "无法改变回环设备大小。" + +#: lib/luks1/keyencryption.c:39 +#, c-format +msgid "" +"Failed to setup dm-crypt key mapping for device %s.\n" +"Check that kernel supports %s cipher (check syslog for more info)." msgstr "" "为设备 %s 配置 dm-crypt 键映射失败。\n" "请确认内核支持 %s 加密(查看系统日志 (syslog) 以获取更多信息)。" @@ -595,97 +964,106 @@ msgstr "XTS 模式的密钥大小必须是 256 或 512 位。" msgid "Cipher specification should be in [cipher]-[mode]-[iv] format." msgstr "" -#: lib/luks1/keyencryption.c:107 lib/luks1/keymanage.c:362 -#: lib/luks1/keymanage.c:658 lib/luks1/keymanage.c:1094 -#: lib/luks2/luks2_json_metadata.c:1149 lib/luks2/luks2_keyslot.c:446 +#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366 +#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132 +#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712 #, c-format msgid "Cannot write to device %s, permission denied." msgstr "无法写入到设备 %s,访问被拒绝。" -#: lib/luks1/keyencryption.c:122 +#: lib/luks1/keyencryption.c:120 msgid "Failed to open temporary keystore device." msgstr "打开临时密钥存储设备失败。" -#: lib/luks1/keyencryption.c:129 +#: lib/luks1/keyencryption.c:127 msgid "Failed to access temporary keystore device." msgstr "访问临时密钥存储设备失败。" -#: lib/luks1/keyencryption.c:199 lib/luks2/luks2_keyslot_luks2.c:89 +#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62 +#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197 msgid "IO error while encrypting keyslot." msgstr "加密密钥槽时发生输入输出错误。" -#: lib/luks1/keyencryption.c:261 lib/luks2/luks2_keyslot_luks2.c:150 +#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369 +#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681 +#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196 +#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329 +#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260 +#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277 +#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121 +#: src/utils_reencrypt_luks1.c:133 +#, c-format +msgid "Cannot open device %s." +msgstr "无法打开设备 %s。" + +#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139 msgid "IO error while decrypting keyslot." msgstr "解密密钥槽时发生输入输出错误。" -#: lib/luks1/keymanage.c:128 +#: lib/luks1/keymanage.c:130 #, c-format msgid "Device %s is too small. (LUKS1 requires at least % bytes.)" msgstr "设备 %s 过小。(LUKS1 需要至少 % 字节。)" -#: lib/luks1/keymanage.c:149 lib/luks1/keymanage.c:157 -#: lib/luks1/keymanage.c:169 lib/luks1/keymanage.c:180 -#: lib/luks1/keymanage.c:192 +#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159 +#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182 +#: lib/luks1/keymanage.c:194 #, c-format msgid "LUKS keyslot %u is invalid." msgstr "LUKS 密钥槽 %u 无效。" -#: lib/luks1/keymanage.c:245 lib/luks1/keymanage.c:494 -#: lib/luks2/luks2_json_metadata.c:983 src/cryptsetup_reencrypt.c:1396 -#, c-format -msgid "Device %s is not a valid LUKS device." -msgstr "%s 不是有效的 LUKS 设备。" - -#: lib/luks1/keymanage.c:264 lib/luks2/luks2_json_metadata.c:1002 +#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391 #, c-format msgid "Requested header backup file %s already exists." msgstr "请求的标头备份文件 %s 已存在。" -#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1004 +#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393 #, c-format msgid "Cannot create header backup file %s." msgstr "无法创建标头备份文件 %s。" -#: lib/luks1/keymanage.c:271 lib/luks2/luks2_json_metadata.c:1009 +#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400 #, c-format msgid "Cannot write header backup file %s." msgstr "无法写入标头备份文件 %s。" -#: lib/luks1/keymanage.c:304 lib/luks2/luks2_json_metadata.c:1058 -msgid "Backup file doesn't contain valid LUKS header." +#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437 +#, fuzzy +#| msgid "Backup file doesn't contain valid LUKS header." +msgid "Backup file does not contain valid LUKS header." msgstr "备份文件不包含有效 LUKS 标头。" -#: lib/luks1/keymanage.c:317 lib/luks1/keymanage.c:571 -#: lib/luks2/luks2_json_metadata.c:1079 +#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593 +#: lib/luks2/luks2_json_metadata.c:1458 #, c-format msgid "Cannot open header backup file %s." msgstr "无法打开备份标头文件 %s。" -#: lib/luks1/keymanage.c:323 lib/luks2/luks2_json_metadata.c:1085 +#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466 #, c-format msgid "Cannot read header backup file %s." msgstr "无法读取标头备份文件 %s。" -#: lib/luks1/keymanage.c:335 +#: lib/luks1/keymanage.c:339 #, fuzzy #| msgid "Data offset or key size differs on device and backup, restore failed.\n" msgid "Data offset or key size differs on device and backup, restore failed." msgstr "源设备和备份上的数据偏移或密钥大小不符,恢复失败。\n" -#: lib/luks1/keymanage.c:343 +#: lib/luks1/keymanage.c:347 #, c-format msgid "Device %s %s%s" msgstr "设备 %s %s%s" -#: lib/luks1/keymanage.c:344 +#: lib/luks1/keymanage.c:348 msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgstr "不包含 LUKS 标头。替换标头可能损毁设备上的数据。" -#: lib/luks1/keymanage.c:345 +#: lib/luks1/keymanage.c:349 msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgstr "已包含 LUKS 标头。替换标头将损毁已存在的密钥槽。" -#: lib/luks1/keymanage.c:346 lib/luks2/luks2_json_metadata.c:1121 +#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500 msgid "" "\n" "WARNING: real device header has different UUID than backup!" @@ -693,129 +1071,145 @@ msgstr "" "\n" "警告: 真实设备标头 UUID 和备份不符!" -#: lib/luks1/keymanage.c:365 lib/luks1/keymanage.c:610 -#: lib/luks1/keymanage.c:661 lib/tcrypt/tcrypt.c:640 lib/verity/verity.c:81 -#: lib/verity/verity.c:182 lib/verity/verity_hash.c:308 -#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339 -#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253 -#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1152 -#: src/cryptsetup_reencrypt.c:207 -#, c-format -msgid "Cannot open device %s." -msgstr "无法打开设备 %s。" - -#: lib/luks1/keymanage.c:396 +#: lib/luks1/keymanage.c:398 msgid "Non standard key size, manual repair required." msgstr "不标准的密钥大小,需要手动修复。" -#: lib/luks1/keymanage.c:401 +#: lib/luks1/keymanage.c:408 msgid "Non standard keyslots alignment, manual repair required." msgstr "不标准的密钥槽对齐,需要手动修复。" -#: lib/luks1/keymanage.c:411 +#: lib/luks1/keymanage.c:417 +#, fuzzy, c-format +#| msgid "Keyslot %i: offset repaired (%u -> %u)." +msgid "Cipher mode repaired (%s -> %s)." +msgstr "密钥槽 %i: 偏移已修复 (%u -> %u)。" + +#: lib/luks1/keymanage.c:428 +#, c-format +msgid "Cipher hash repaired to lowercase (%s)." +msgstr "" + +#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536 +#: lib/luks1/keymanage.c:792 +#, c-format +msgid "Requested LUKS hash %s is not supported." +msgstr "不支持请求的 LUKS 哈希 %s。" + +#: lib/luks1/keymanage.c:444 msgid "Repairing keyslots." msgstr "正在修复密钥槽。" -#: lib/luks1/keymanage.c:431 +#: lib/luks1/keymanage.c:463 #, c-format msgid "Keyslot %i: offset repaired (%u -> %u)." msgstr "密钥槽 %i: 偏移已修复 (%u -> %u)。" -#: lib/luks1/keymanage.c:439 +#: lib/luks1/keymanage.c:471 #, c-format msgid "Keyslot %i: stripes repaired (%u -> %u)." msgstr "密钥槽 %i:已修复条带(%u -> %u)。" -#: lib/luks1/keymanage.c:448 +#: lib/luks1/keymanage.c:480 #, c-format msgid "Keyslot %i: bogus partition signature." msgstr "密钥槽 %i:虚假的分区签名。" -#: lib/luks1/keymanage.c:453 +#: lib/luks1/keymanage.c:485 #, c-format msgid "Keyslot %i: salt wiped." msgstr "密钥槽 %i: 已清除盐。" -#: lib/luks1/keymanage.c:470 +#: lib/luks1/keymanage.c:502 msgid "Writing LUKS header to disk." msgstr "正在将 LUKS 标头写入磁盘。" -#: lib/luks1/keymanage.c:475 +#: lib/luks1/keymanage.c:507 msgid "Repair failed." msgstr "修复失败。" -#: lib/luks1/keymanage.c:497 -#, c-format -msgid "Unsupported LUKS version %d." -msgstr "不支持的 LUKS 版本 %d。" +#: lib/luks1/keymanage.c:562 +#, fuzzy, c-format +#| msgid "LUKS keyslot %u is invalid." +msgid "LUKS cipher mode %s is invalid." +msgstr "LUKS 密钥槽 %u 无效。" -#: lib/luks1/keymanage.c:503 lib/luks1/keymanage.c:749 +#: lib/luks1/keymanage.c:567 #, c-format -msgid "Requested LUKS hash %s is not supported." -msgstr "不支持请求的 LUKS 哈希 %s。" +msgid "LUKS hash %s is invalid." +msgstr "LUKS 哈希值 %s 无效。" -#: lib/luks1/keymanage.c:531 src/cryptsetup.c:869 +#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352 msgid "No known problems detected for LUKS header." msgstr "未在 LUKS 标头发现已知问题。" -#: lib/luks1/keymanage.c:683 +#: lib/luks1/keymanage.c:702 #, c-format msgid "Error during update of LUKS header on device %s." msgstr "更新设备 %s 上的 LUKS 标头时出错。" -#: lib/luks1/keymanage.c:690 +#: lib/luks1/keymanage.c:710 #, c-format msgid "Error re-reading LUKS header after update on device %s." msgstr "在更新设备 %s 后重新读取 LUKS 标头失败。" -#: lib/luks1/keymanage.c:742 -#, c-format -msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors)." +#: lib/luks1/keymanage.c:786 +#, fuzzy +#| msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors)." +msgid "Data offset for LUKS header must be either 0 or higher than header size." msgstr "分离的 LUKS 标头的数据偏移量必须为零或高于标头大小(%d 扇区)。" -#: lib/luks1/keymanage.c:754 lib/luks1/keymanage.c:840 -#: lib/luks2/luks2_json_format.c:145 lib/luks2/luks2_json_metadata.c:894 +#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866 +#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274 +#: src/utils_reencrypt.c:554 msgid "Wrong LUKS UUID format provided." msgstr "提供了错误的 LUKS UUID 格式。" -#: lib/luks1/keymanage.c:779 +#: lib/luks1/keymanage.c:819 msgid "Cannot create LUKS header: reading random salt failed." msgstr "无法创建 LUKS 标头:读取随机盐失败。" -#: lib/luks1/keymanage.c:800 +#: lib/luks1/keymanage.c:845 #, c-format msgid "Cannot create LUKS header: header digest failed (using hash %s)." msgstr "无法创建 LUKS 标头:标头摘要失败(正在使用哈希 %s)。" -#: lib/luks1/keymanage.c:863 +#: lib/luks1/keymanage.c:889 #, c-format msgid "Key slot %d active, purge first." msgstr "密钥槽 %d 已激活,请先清除。" -#: lib/luks1/keymanage.c:869 +#: lib/luks1/keymanage.c:895 #, fuzzy, c-format #| msgid "Key slot %d material includes too few stripes. Header manipulation?\n" msgid "Key slot %d material includes too few stripes. Header manipulation?" msgstr "密钥槽 %d 条带数过少。标头修改?\n" -#: lib/luks1/keymanage.c:1028 -#, c-format -msgid "Key slot %d unlocked." -msgstr "密钥槽 %d 已解锁。" +#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270 +msgid "PBKDF2 iteration value overflow." +msgstr "PBKDF2 迭代值溢出。" + +#: lib/luks1/keymanage.c:1040 +#, fuzzy, c-format +#| msgid "Key processing error (using hash %s)." +msgid "Cannot open keyslot (using hash %s)." +msgstr "密钥处理错误(使用散列 %s)。" -#: lib/luks1/keymanage.c:1080 +#: lib/luks1/keymanage.c:1118 #, fuzzy, c-format #| msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n" msgid "Key slot %d is invalid, please select keyslot between 0 and %d." msgstr "密钥槽 %d 无效,请选择标号 0 到 %d 间的密钥槽。\n" -#: lib/luks1/keymanage.c:1098 lib/luks2/luks2_keyslot.c:450 +#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716 #, c-format msgid "Cannot wipe device %s." msgstr "无法擦除设备 %s。" #: lib/loopaes/loopaes.c:146 -msgid "Detected not yet supported GPG encrypted keyfile.\n" +#, fuzzy +#| msgid "Detected not yet supported GPG encrypted keyfile.\n" +msgid "Detected not yet supported GPG encrypted keyfile." msgstr "探测到未支持的 GPG 加密密钥文件。\n" #: lib/loopaes/loopaes.c:147 @@ -826,630 +1220,1502 @@ msgstr "请使用 gpg --decrypt <密钥文件> | cryptsetup --keyfile=- ...\n" msgid "Incompatible loop-AES keyfile detected." msgstr "探测到不兼容的 loop-AES 密钥文件。" -#: lib/loopaes/loopaes.c:246 +#: lib/loopaes/loopaes.c:245 #, fuzzy #| msgid "Kernel doesn't support loop-AES compatible mapping.\n" -msgid "Kernel doesn't support loop-AES compatible mapping." +msgid "Kernel does not support loop-AES compatible mapping." msgstr "内核不支持 loop-AES 兼容映射。\n" -#: lib/tcrypt/tcrypt.c:482 +#: lib/tcrypt/tcrypt.c:510 #, c-format msgid "Error reading keyfile %s." msgstr "读取密钥文件 %s 出错。" -#: lib/tcrypt/tcrypt.c:522 -#, c-format -msgid "Maximum TCRYPT passphrase length (%d) exceeded." +#: lib/tcrypt/tcrypt.c:560 +#, fuzzy, c-format +#| msgid "Maximum TCRYPT passphrase length (%d) exceeded." +msgid "Maximum TCRYPT passphrase length (%zu) exceeded." msgstr "超出 TCRYPT 口令最大长度限制 (%d)。" -#: lib/tcrypt/tcrypt.c:563 +#: lib/tcrypt/tcrypt.c:602 #, c-format msgid "PBKDF2 hash algorithm %s not available, skipping." msgstr "PBKDF2 哈希算法 %s 不可用,将跳过。" -#: lib/tcrypt/tcrypt.c:581 src/cryptsetup.c:820 +#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227 msgid "Required kernel crypto interface not available." msgstr "无法找到所需的内核加密接口。" -#: lib/tcrypt/tcrypt.c:583 src/cryptsetup.c:822 +#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229 msgid "Ensure you have algif_skcipher kernel module loaded." msgstr "请确定您已载入内核模块 algif_skcipher。" -#: lib/tcrypt/tcrypt.c:729 +#: lib/tcrypt/tcrypt.c:764 #, c-format msgid "Activation is not supported for %d sector size." msgstr "扇区大小为 %d 时不支持激活。" -#: lib/tcrypt/tcrypt.c:735 -msgid "Kernel doesn't support activation for this TCRYPT legacy mode." +#: lib/tcrypt/tcrypt.c:770 +#, fuzzy +#| msgid "Kernel doesn't support activation for this TCRYPT legacy mode." +msgid "Kernel does not support activation for this TCRYPT legacy mode." msgstr "内核不支持激活此处的旧 TCRYPT 模式。" -#: lib/tcrypt/tcrypt.c:769 +#: lib/tcrypt/tcrypt.c:801 #, c-format msgid "Activating TCRYPT system encryption for partition %s." msgstr "正在为分区 %s 激活 TCRYPT 系统加密。" -#: lib/tcrypt/tcrypt.c:837 -msgid "Kernel doesn't support TCRYPT compatible mapping." +#: lib/tcrypt/tcrypt.c:884 +#, fuzzy +#| msgid "Kernel doesn't support TCRYPT compatible mapping." +msgid "Kernel does not support TCRYPT compatible mapping." msgstr "内核不支持 TCRYPT 兼容映射。" -#: lib/tcrypt/tcrypt.c:1052 +#: lib/tcrypt/tcrypt.c:1097 msgid "This function is not supported without TCRYPT header load." msgstr "未载入 TCRYPT 标头时不支持此功能。" -#: lib/verity/verity.c:69 lib/verity/verity.c:175 +#: lib/bitlk/bitlk.c:278 #, c-format -msgid "Verity device %s doesn't use on-disk header." -msgstr "Verity 设备 %s 未使用磁盘上的标头。" +msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key." +msgstr "" + +#: lib/bitlk/bitlk.c:337 +msgid "Invalid string found when parsing Volume Master Key." +msgstr "" -#: lib/verity/verity.c:94 +#: lib/bitlk/bitlk.c:341 #, c-format -msgid "Device %s is not a valid VERITY device." -msgstr "%s 不是有效的 VERITY 设备。" +msgid "Unexpected string ('%s') found when parsing supported Volume Master Key." +msgstr "" + +#: lib/bitlk/bitlk.c:358 +#, c-format +msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key." +msgstr "" + +#: lib/bitlk/bitlk.c:460 +msgid "BITLK version 1 is currently not supported." +msgstr "" + +#: lib/bitlk/bitlk.c:466 +msgid "Invalid or unknown boot signature for BITLK device." +msgstr "" + +#: lib/bitlk/bitlk.c:478 +#, fuzzy, c-format +#| msgid "Unsupported encryption sector size." +msgid "Unsupported sector size %." +msgstr "不支持的加密扇区大小。" + +#: lib/bitlk/bitlk.c:486 +#, fuzzy, c-format +#| msgid "Failed to read LUKS2 requirements." +msgid "Failed to read BITLK header from %s." +msgstr "读取 LUKS2 需求时失败。" + +#: lib/bitlk/bitlk.c:511 +#, fuzzy, c-format +#| msgid "Failed to read LUKS2 requirements." +msgid "Failed to read BITLK FVE metadata from %s." +msgstr "读取 LUKS2 需求时失败。" + +#: lib/bitlk/bitlk.c:562 +#, fuzzy +#| msgid "Unsupported encryption sector size." +msgid "Unknown or unsupported encryption type." +msgstr "不支持的加密扇区大小。" + +#: lib/bitlk/bitlk.c:602 +#, fuzzy, c-format +#| msgid "Failed to read LUKS2 requirements." +msgid "Failed to read BITLK metadata entries from %s." +msgstr "读取 LUKS2 需求时失败。" + +#: lib/bitlk/bitlk.c:719 +msgid "Failed to convert BITLK volume description" +msgstr "" + +#: lib/bitlk/bitlk.c:884 +#, c-format +msgid "Unexpected metadata entry type '%u' found when parsing external key." +msgstr "" + +#: lib/bitlk/bitlk.c:907 +#, fuzzy, c-format +#| msgid "Volume key does not match the volume." +msgid "BEK file GUID '%s' does not match GUID of the volume." +msgstr "卷密钥与卷不匹配。" + +#: lib/bitlk/bitlk.c:911 +#, c-format +msgid "Unexpected metadata entry value '%u' found when parsing external key." +msgstr "" + +#: lib/bitlk/bitlk.c:950 +#, fuzzy, c-format +#| msgid "Unsupported LUKS version %d." +msgid "Unsupported BEK metadata version %" +msgstr "不支持的 LUKS 版本 %d。" + +#: lib/bitlk/bitlk.c:955 +#, c-format +msgid "Unexpected BEK metadata size % does not match BEK file length" +msgstr "" + +#: lib/bitlk/bitlk.c:981 +msgid "Unexpected metadata entry found when parsing startup key." +msgstr "" + +#: lib/bitlk/bitlk.c:1076 +#, fuzzy +#| msgid "This operation is not supported for %s crypt device." +msgid "This operation is not supported." +msgstr "不支持在 %s 加密设备上执行此操作。" + +#: lib/bitlk/bitlk.c:1084 +msgid "Unexpected key data size." +msgstr "" + +#: lib/bitlk/bitlk.c:1210 +msgid "This BITLK device is in an unsupported state and cannot be activated." +msgstr "" + +#: lib/bitlk/bitlk.c:1215 +#, c-format +msgid "BITLK devices with type '%s' cannot be activated." +msgstr "" + +#: lib/bitlk/bitlk.c:1222 +#, fuzzy +#| msgid "Activation of temporary devices failed." +msgid "Activation of partially decrypted BITLK device is not supported." +msgstr "激活临时设备失败。" + +#: lib/bitlk/bitlk.c:1263 +#, c-format +msgid "WARNING: BitLocker volume size % does not match the underlying device size %" +msgstr "" + +#: lib/bitlk/bitlk.c:1390 +msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV." +msgstr "" + +#: lib/bitlk/bitlk.c:1394 +msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser." +msgstr "" + +#: lib/bitlk/bitlk.c:1398 +#, fuzzy +#| msgid "Activation is not supported for %d sector size." +msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size." +msgstr "扇区大小为 %d 时不支持激活。" + +#: lib/bitlk/bitlk.c:1402 +msgid "Cannot activate device, kernel dm-zero module is missing." +msgstr "" + +#: lib/fvault2/fvault2.c:542 +#, fuzzy, c-format +#| msgid "Cannot read %d bytes from keyfile %s.\n" +msgid "Could not read %u bytes of volume header." +msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n" + +#: lib/fvault2/fvault2.c:554 +#, fuzzy, c-format +#| msgid "Unsupported VERITY version %d." +msgid "Unsupported FVAULT2 version %." +msgstr "不支持的 VERITY 版本 %d。" + +#: lib/verity/verity.c:68 lib/verity/verity.c:182 +#, fuzzy, c-format +#| msgid "Verity device %s doesn't use on-disk header." +msgid "Verity device %s does not use on-disk header." +msgstr "Verity 设备 %s 未使用磁盘上的标头。" -#: lib/verity/verity.c:101 +#: lib/verity/verity.c:96 #, c-format msgid "Unsupported VERITY version %d." msgstr "不支持的 VERITY 版本 %d。" -#: lib/verity/verity.c:132 +#: lib/verity/verity.c:131 msgid "VERITY header corrupted." msgstr "VERITY 标头损坏。" -#: lib/verity/verity.c:169 +#: lib/verity/verity.c:176 #, fuzzy, c-format #| msgid "Wrong VERITY UUID format provided on device %s.\n" msgid "Wrong VERITY UUID format provided on device %s." msgstr "为设备 %s 提供的 VERITY UUID 错误。\n" -#: lib/verity/verity.c:202 +#: lib/verity/verity.c:220 #, fuzzy, c-format #| msgid "Error during update of verity header on device %s.\n" msgid "Error during update of verity header on device %s." msgstr "更新设备 %s 上的 VERITY 标头时出错。\n" -#: lib/verity/verity.c:259 +#: lib/verity/verity.c:274 +#, fuzzy +#| msgid "Requested sector_size option is not supported." +msgid "Root hash signature verification is not supported." +msgstr "不支持请求的 sector_size 选项。" + +#: lib/verity/verity.c:279 +msgid "Root hash signature required." +msgstr "" + +#: lib/verity/verity.c:294 msgid "Errors cannot be repaired with FEC device." msgstr "" -#: lib/verity/verity.c:261 +#: lib/verity/verity.c:296 #, c-format msgid "Found %u repairable errors with FEC device." msgstr "" -#: lib/verity/verity.c:305 -msgid "Kernel doesn't support dm-verity mapping." +#: lib/verity/verity.c:377 +#, fuzzy +#| msgid "Kernel doesn't support dm-verity mapping." +msgid "Kernel does not support dm-verity mapping." +msgstr "内核不支持 dm-verity 映射。" + +#: lib/verity/verity.c:381 +#, fuzzy +#| msgid "Kernel doesn't support dm-verity mapping." +msgid "Kernel does not support dm-verity signature option." msgstr "内核不支持 dm-verity 映射。" -#: lib/verity/verity.c:316 +#: lib/verity/verity.c:392 #, fuzzy #| msgid "Verity device detected corruption after activation.\n" msgid "Verity device detected corruption after activation." msgstr "在 VERITY 设备激活后探测到损坏。\n" -#: lib/verity/verity_hash.c:59 +#: lib/verity/verity_hash.c:66 #, fuzzy, c-format #| msgid "Spare area is not zeroed at position %.\n" msgid "Spare area is not zeroed at position %." msgstr "备用区位置 % 未清零。\n" -#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287 -#: lib/verity/verity_hash.c:300 +#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300 +#: lib/verity/verity_hash.c:311 msgid "Device offset overflow." msgstr "设备偏移量溢出。" -#: lib/verity/verity_hash.c:200 +#: lib/verity/verity_hash.c:218 #, fuzzy, c-format #| msgid "Verification failed at position %.\n" msgid "Verification failed at position %." msgstr "在 % 上发生检验错误。\n" -#: lib/verity/verity_hash.c:273 -#, fuzzy -#| msgid "Invalid size parameters for verity device.\n" -msgid "Invalid size parameters for verity device." -msgstr "为 VERITY 设备提供的大小指标无效。\n" - -#: lib/verity/verity_hash.c:293 +#: lib/verity/verity_hash.c:307 msgid "Hash area overflow." msgstr "哈希区域溢出。" -#: lib/verity/verity_hash.c:370 +#: lib/verity/verity_hash.c:380 msgid "Verification of data area failed." msgstr "数据区检验失败。" -#: lib/verity/verity_hash.c:375 +#: lib/verity/verity_hash.c:385 msgid "Verification of root hash failed." msgstr "根哈希值检验失败。" -#: lib/verity/verity_hash.c:381 +#: lib/verity/verity_hash.c:391 #, fuzzy #| msgid "Input/output error while creating hash area.\n" msgid "Input/output error while creating hash area." msgstr "创建哈希数据区时发生输入/输出错误。\n" -#: lib/verity/verity_hash.c:383 +#: lib/verity/verity_hash.c:393 msgid "Creation of hash area failed." msgstr "创建哈希区失败。" -#: lib/verity/verity_hash.c:430 +#: lib/verity/verity_hash.c:428 #, fuzzy, c-format #| msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n" msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)." msgstr "警告:如数据块大小超过内存分页大小,内核将无法激活设备 (%u)。\n" -#: lib/verity/verity_fec.c:132 +#: lib/verity/verity_fec.c:131 #, fuzzy #| msgid "Failed to open key file.\n" msgid "Failed to allocate RS context." msgstr "打开 (open) 密钥文件失败。\n" # stat() 主要就是出来一个各种文件信息…… -#: lib/verity/verity_fec.c:147 +#: lib/verity/verity_fec.c:149 #, fuzzy #| msgid "Failed to stat key file.\n" msgid "Failed to allocate buffer." msgstr "获取 (stat) 密钥文件统计数据失败。\n" -#: lib/verity/verity_fec.c:157 +#: lib/verity/verity_fec.c:159 #, fuzzy, c-format #| msgid "Failed to access temporary keystore device.\n" msgid "Failed to read RS block % byte %d." msgstr "无法访问临时密钥存储设备。\n" -#: lib/verity/verity_fec.c:170 +#: lib/verity/verity_fec.c:172 #, fuzzy, c-format #| msgid "Failed to access temporary keystore device.\n" msgid "Failed to read parity for RS block %." msgstr "无法访问临时密钥存储设备。\n" -#: lib/verity/verity_fec.c:177 +#: lib/verity/verity_fec.c:180 #, fuzzy, c-format #| msgid "Failed to access temporary keystore device.\n" msgid "Failed to repair parity for block %." msgstr "无法访问临时密钥存储设备。\n" -#: lib/verity/verity_fec.c:188 +#: lib/verity/verity_fec.c:192 #, fuzzy, c-format #| msgid "Failed to access temporary keystore device.\n" msgid "Failed to write parity for RS block %." msgstr "无法访问临时密钥存储设备。\n" -#: lib/verity/verity_fec.c:223 +#: lib/verity/verity_fec.c:208 msgid "Block sizes must match for FEC." msgstr "" -#: lib/verity/verity_fec.c:229 +#: lib/verity/verity_fec.c:214 msgid "Invalid number of parity bytes." msgstr "" -#: lib/verity/verity_fec.c:265 +#: lib/verity/verity_fec.c:248 +msgid "Invalid FEC segment length." +msgstr "" + +#: lib/verity/verity_fec.c:316 #, fuzzy, c-format #| msgid "Failed to open temporary keystore device.\n" msgid "Failed to determine size for device %s." msgstr "打开临时密钥存储设备失败。\n" -#: lib/integrity/integrity.c:219 lib/integrity/integrity.c:270 +#: lib/integrity/integrity.c:57 +#, c-format +msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s." +msgstr "" + +#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454 #, fuzzy #| msgid "Kernel doesn't support dm-verity mapping.\n" -msgid "Kernel doesn't support dm-integrity mapping." +msgid "Kernel does not support dm-integrity mapping." msgstr "内核不支持 dm-verity 映射。\n" -#: lib/luks2/luks2_disk_metadata.c:364 +#: lib/integrity/integrity.c:283 +#, fuzzy +#| msgid "Kernel doesn't support dm-verity mapping.\n" +msgid "Kernel does not support dm-integrity fixed metadata alignment." +msgstr "内核不支持 dm-verity 映射。\n" + +#: lib/integrity/integrity.c:292 +msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)." +msgstr "" + +#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197 +#: lib/luks2/luks2_json_metadata.c:1520 #, c-format -msgid "Device %s is too small. (LUKS2 requires at least % bytes.)" -msgstr "设备 %s 过小。(LUKS2 需要至少 % 字节。)" +msgid "Failed to acquire write lock on device %s." +msgstr "无法获取设备 %s 上的写入锁。" -#: lib/luks2/luks2_disk_metadata.c:428 -msgid "Failed to acquire write device lock." -msgstr "无法获取写入设备锁。" +#: lib/luks2/luks2_disk_metadata.c:400 +msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation." +msgstr "" + +#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720 +msgid "" +"Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" +"Please run \"cryptsetup repair\" for recovery." +msgstr "" + +#: lib/luks2/luks2_json_format.c:231 +#, c-format +msgid "WARNING: keyslots area (% bytes) is very small, available LUKS2 keyslot count is very limited.\n" +msgstr "" -#: lib/luks2/luks2_json_format.c:99 +#: lib/luks2/luks2_json_format.c:427 #, fuzzy -#| msgid "Failed to swap new key slot.\n" -msgid "No space for new keyslot." -msgstr "交换新密钥槽失败。\n" +#| msgid "Device %s is too small." +msgid "Requested data offset is too small." +msgstr "设备 %s 太小。" + +#: lib/luks2/luks2_json_format.c:468 +#, c-format +msgid "WARNING: LUKS2 metadata size changed to % bytes.\n" +msgstr "" + +#: lib/luks2/luks2_json_format.c:472 +#, c-format +msgid "WARNING: LUKS2 keyslots area size changed to % bytes.\n" +msgstr "" -#: lib/luks2/luks2_json_metadata.c:851 lib/luks2/luks2_json_metadata.c:974 -#: lib/luks2/luks2_json_metadata.c:1047 lib/luks2/luks2_keyslot_luks2.c:103 -#: lib/luks2/luks2_keyslot_luks2.c:126 +#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366 +#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94 +#: lib/luks2/luks2_keyslot_luks2.c:116 #, c-format msgid "Failed to acquire read lock on device %s." msgstr "无法获取设备 %s 的读取锁。" -#: lib/luks2/luks2_json_metadata.c:1064 +#: lib/luks2/luks2_json_metadata.c:1443 #, c-format msgid "Forbidden LUKS2 requirements detected in backup %s." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1105 +#: lib/luks2/luks2_json_metadata.c:1484 #, fuzzy #| msgid "Data offset or key size differs on device and backup, restore failed.\n" msgid "Data offset differ on device and backup, restore failed." msgstr "源设备和备份上的数据偏移或密钥大小不符,恢复失败。\n" -#: lib/luks2/luks2_json_metadata.c:1111 +#: lib/luks2/luks2_json_metadata.c:1490 #, fuzzy #| msgid "Data offset or key size differs on device and backup, restore failed.\n" msgid "Binary header with keyslot areas size differ on device and backup, restore failed." msgstr "源设备和备份上的数据偏移或密钥大小不符,恢复失败。\n" -#: lib/luks2/luks2_json_metadata.c:1118 +#: lib/luks2/luks2_json_metadata.c:1497 #, c-format msgid "Device %s %s%s%s%s" msgstr "设备 %s %s%s%s%s" -#: lib/luks2/luks2_json_metadata.c:1119 +#: lib/luks2/luks2_json_metadata.c:1498 #, fuzzy #| msgid "does not contain LUKS header. Replacing header can destroy data on that device." msgid "does not contain LUKS2 header. Replacing header can destroy data on that device." msgstr "不包含 LUKS 标头。替换标头可能损毁设备上的数据。" -#: lib/luks2/luks2_json_metadata.c:1120 +#: lib/luks2/luks2_json_metadata.c:1499 #, fuzzy #| msgid "already contains LUKS header. Replacing header will destroy existing keyslots." msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots." msgstr "已包含 LUKS 标头。替换标头将损毁已存在的密钥槽。" -#: lib/luks2/luks2_json_metadata.c:1122 +#: lib/luks2/luks2_json_metadata.c:1501 msgid "" "\n" "WARNING: unknown LUKS2 requirements detected in real device header!\n" "Replacing header with backup may corrupt the data on that device!" msgstr "" -#: lib/luks2/luks2_json_metadata.c:1124 +#: lib/luks2/luks2_json_metadata.c:1503 msgid "" "\n" "WARNING: Unfinished offline reencryption detected on the device!\n" "Replacing header with backup may corrupt data." msgstr "" -#: lib/luks2/luks2_json_metadata.c:1226 +#: lib/luks2/luks2_json_metadata.c:1600 #, c-format msgid "Ignored unknown flag %s." msgstr "已忽略未知旗标 %s。" -#: lib/luks2/luks2_json_metadata.c:1923 +#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090 +#, c-format +msgid "Missing key for dm-crypt segment %u" +msgstr "" + +# stat() 主要就是出来一个各种文件信息…… +#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104 +#, fuzzy +#| msgid "Failed to set pbkdf parameters." +msgid "Failed to set dm-crypt segment." +msgstr "设置 pbkdf 参数失败。" + +# stat() 主要就是出来一个各种文件信息…… +#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110 +#, fuzzy +#| msgid "Failed to set pbkdf parameters." +msgid "Failed to set dm-linear segment." +msgstr "设置 pbkdf 参数失败。" + +#: lib/luks2/luks2_json_metadata.c:2661 src/utils_reencrypt.c:433 +#, fuzzy +#| msgid "No known cipher specification pattern detected.\n" +msgid "No known cipher specification pattern detected in LUKS2 header." +msgstr "未探测到已知的密文特征。\n" + +#: lib/luks2/luks2_json_metadata.c:2669 +msgid "OPAL device must have static device size." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2689 +msgid "Encrypted OPAL device with integrity must be smaller than locking range." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2694 +msgid "OPAL device must have same size as locking range." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2736 +msgid "Unsupported device integrity configuration." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2752 +msgid "Underlying dm-integrity device with unexpected provided data sectors." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2845 +msgid "Reencryption in-progress. Cannot deactivate device." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2856 lib/luks2/luks2_reencrypt.c:4159 +#, c-format +msgid "Failed to replace suspended device %s with dm-error target." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2925 lib/luks2/luks2_json_metadata.c:2939 +#, c-format +msgid "Device %s was deactivated but hardware OPAL device cannot be locked." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2957 msgid "Failed to read LUKS2 requirements." msgstr "读取 LUKS2 需求时失败。" -#: lib/luks2/luks2_json_metadata.c:1930 +#: lib/luks2/luks2_json_metadata.c:2964 msgid "Unmet LUKS2 requirements detected." msgstr "探测到未满足的 LUKS2 需求。" -#: lib/luks2/luks2_json_metadata.c:1938 -msgid "Offline reencryption in progress. Aborting." -msgstr "正在进行离线重加密。中止。" +#: lib/luks2/luks2_json_metadata.c:2972 +msgid "Operation incompatible with device marked for legacy reencryption. Aborting." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2974 +msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting." +msgstr "" + +#: lib/luks2/luks2_json_metadata.c:2976 +msgid "Operation incompatible with device using OPAL. Aborting." +msgstr "" + +#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602 +msgid "Not enough available memory to open a keyslot." +msgstr "" + +#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604 +#, fuzzy +#| msgid "Keyslot %i: salt wiped." +msgid "Keyslot open failed." +msgstr "密钥槽 %i: 已清除盐。" + +#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110 +#, c-format +msgid "Cannot use %s-%s cipher for keyslot encryption." +msgstr "" + +#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404 +#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714 +#, c-format +msgid "Hash algorithm %s is not available." +msgstr "哈希算法 %s 不可用。" + +#: lib/luks2/luks2_keyslot_luks2.c:371 +msgid "Warning: keyslot operation could fail as it requires more than available memory.\n" +msgstr "" + +#: lib/luks2/luks2_keyslot_luks2.c:520 +#, fuzzy +#| msgid "Failed to swap new key slot.\n" +msgid "No space for new keyslot." +msgstr "交换新密钥槽失败。\n" + +#: lib/luks2/luks2_keyslot_reenc.c:596 +msgid "Invalid reencryption resilience mode change requested." +msgstr "" + +#: lib/luks2/luks2_keyslot_reenc.c:717 +#, c-format +msgid "Can not update resilience type. New type only provides % bytes, required space is: % bytes." +msgstr "" + +#: lib/luks2/luks2_keyslot_reenc.c:727 +msgid "Failed to refresh reencryption verification digest." +msgstr "" -#: lib/luks2/luks2_luks1_convert.c:477 +#: lib/luks2/luks2_luks1_convert.c:545 #, fuzzy, c-format #| msgid "Cannot check password quality: %s\n" -msgid "Can not check status of device with uuid: %s." +msgid "Cannot check status of device with uuid: %s." msgstr "无法检查密码质量:%s\n" -#: lib/luks2/luks2_luks1_convert.c:503 +#: lib/luks2/luks2_luks1_convert.c:571 msgid "Unable to convert header with LUKSMETA additional metadata." msgstr "" -#: lib/luks2/luks2_luks1_convert.c:540 +#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795 +#, c-format +msgid "Unable to use cipher specification %s-%s for LUKS2." +msgstr "" + +#: lib/luks2/luks2_luks1_convert.c:617 msgid "Unable to move keyslot area. Not enough space." msgstr "无法移动密钥槽区域。空间不足。" -#: lib/luks2/luks2_luks1_convert.c:580 lib/luks2/luks2_luks1_convert.c:846 +#: lib/luks2/luks2_luks1_convert.c:652 +#, fuzzy +#| msgid "LUKS keyslot %u is invalid.\n" +msgid "Cannot convert to LUKS2 format - invalid metadata." +msgstr "LUKS 密钥槽 %u 无效。\n" + +#: lib/luks2/luks2_luks1_convert.c:669 +#, fuzzy +#| msgid "Unable to move keyslot area. Not enough space." +msgid "Unable to move keyslot area. LUKS2 keyslots area too small." +msgstr "无法移动密钥槽区域。空间不足。" + +#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969 msgid "Unable to move keyslot area." msgstr "无法移动密钥槽区域。" -#: lib/luks2/luks2_luks1_convert.c:668 +#: lib/luks2/luks2_luks1_convert.c:765 +#, fuzzy +#| msgid "LUKS keyslot %u is invalid.\n" +msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes." +msgstr "LUKS 密钥槽 %u 无效。\n" + +#: lib/luks2/luks2_luks1_convert.c:773 #, fuzzy #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_luks1_convert.c:677 +#: lib/luks2/luks2_luks1_convert.c:785 #, fuzzy, c-format #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_luks1_convert.c:685 -#, fuzzy, c-format +#: lib/luks2/luks2_luks1_convert.c:790 +#, fuzzy +#| msgid "LUKS keyslot %u is invalid.\n" +msgid "Cannot convert to LUKS1 format - device uses more segments." +msgstr "LUKS 密钥槽 %u 无效。\n" + +#: lib/luks2/luks2_luks1_convert.c:798 +#, fuzzy, c-format #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_luks1_convert.c:699 +#: lib/luks2/luks2_luks1_convert.c:812 #, fuzzy, c-format #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_luks1_convert.c:704 +#: lib/luks2/luks2_luks1_convert.c:817 #, fuzzy, c-format #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_luks1_convert.c:709 +#: lib/luks2/luks2_luks1_convert.c:822 #, fuzzy, c-format #| msgid "LUKS keyslot %u is invalid.\n" msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible." msgstr "LUKS 密钥槽 %u 无效。\n" -#: lib/luks2/luks2_token.c:266 +#: lib/luks2/luks2_reencrypt.c:1181 +#, c-format +msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:1186 +#, fuzzy, c-format +#| msgid "Device %s size is not aligned to requested sector size (%u bytes)." +msgid "Device size must be multiple of calculated zone alignment (%zu bytes)." +msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" + +#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580 +#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705 +#: lib/luks2/luks2_reencrypt.c:3954 #, fuzzy -#| msgid "Failed to swap new key slot.\n" -msgid "No free token slot." -msgstr "交换新密钥槽失败。\n" +#| msgid "Failed to initialise default LUKS2 keyslot parameters." +msgid "Failed to initialize old segment storage wrapper." +msgstr "初始化默认 LUKS2 密钥槽参数失败。" + +#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558 +#, fuzzy +#| msgid "Failed to initialise default LUKS2 keyslot parameters." +msgid "Failed to initialize new segment storage wrapper." +msgstr "初始化默认 LUKS2 密钥槽参数失败。" + +#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966 +#, fuzzy +#| msgid "Failed to open key file.\n" +msgid "Failed to initialize hotzone protection." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:1607 +#, fuzzy +#| msgid "Failed to read requirements from backup header." +msgid "Failed to read checksums for current hotzone." +msgstr "从备份标头读取需求失败。" + +#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980 +#, fuzzy, c-format +#| msgid "Failed to access temporary keystore device.\n" +msgid "Failed to read hotzone area starting at %." +msgstr "无法访问临时密钥存储设备。\n" # stat() 主要就是出来一个各种文件信息…… -#: lib/luks2/luks2_token.c:274 +#: lib/luks2/luks2_reencrypt.c:1633 #, fuzzy, c-format #| msgid "Failed to stat key file.\n" -msgid "Failed to create builtin token %s." +msgid "Failed to decrypt sector %zu." msgstr "获取 (stat) 密钥文件统计数据失败。\n" -#: src/cryptsetup.c:132 +#: lib/luks2/luks2_reencrypt.c:1639 +#, fuzzy, c-format +#| msgid "Failed to open key file.\n" +msgid "Failed to recover sector %zu." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:2203 +#, c-format +msgid "Source and target device sizes don't match. Source %, target: %." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2301 +#, fuzzy, c-format +#| msgid "Failed to acquire write lock on device %s." +msgid "Failed to activate hotzone device %s." +msgstr "无法获取设备 %s 上的写入锁。" + +#: lib/luks2/luks2_reencrypt.c:2318 +#, c-format +msgid "Failed to activate overlay device %s with actual origin table." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2325 +#, fuzzy, c-format +#| msgid "Failed to open temporary keystore device.\n" +msgid "Failed to load new mapping for device %s." +msgstr "打开临时密钥存储设备失败。\n" + +#: lib/luks2/luks2_reencrypt.c:2396 #, fuzzy -#| msgid "Can't do passphrase verification on non-tty inputs.\n" -msgid "Can't do passphrase verification on non-tty inputs." -msgstr "无法从非 TTY 输入验证密码。\n" +#| msgid "Failed to acquire read lock on device %s." +msgid "Failed to refresh reencryption devices stack." +msgstr "无法获取设备 %s 的读取锁。" + +#: lib/luks2/luks2_reencrypt.c:2596 +#, fuzzy +#| msgid "Failed to swap new key slot." +msgid "Failed to set new keyslots area size." +msgstr "交换新密钥槽失败。" + +#: lib/luks2/luks2_reencrypt.c:2732 +#, fuzzy, c-format +#| msgid "Device %s size is not aligned to requested sector size (%u bytes)." +msgid "Data shift value is not aligned to encryption sector size (% bytes)." +msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" + +#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189 +#, fuzzy, c-format +#| msgid "Unsupported LUKS version %d." +msgid "Unsupported resilience mode %s" +msgstr "不支持的 LUKS 版本 %d。" + +#: lib/luks2/luks2_reencrypt.c:2806 +msgid "Moved segment size can not be greater than data shift value." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:2848 +#, fuzzy +#| msgid "Invalid plain crypt parameters." +msgid "Invalid reencryption resilience parameters." +msgstr "无效的纯加密选项。" + +#: lib/luks2/luks2_reencrypt.c:2870 +#, c-format +msgid "Moved segment too large. Requested size %, available space for: %." +msgstr "" + +# stat() 主要就是出来一个各种文件信息…… +#: lib/luks2/luks2_reencrypt.c:2957 +#, fuzzy +#| msgid "Failed to stat key file.\n" +msgid "Failed to clear table." +msgstr "获取 (stat) 密钥文件统计数据失败。\n" + +#: lib/luks2/luks2_reencrypt.c:3043 +msgid "Reduced data size is larger than real device size." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3050 +#, fuzzy, c-format +#| msgid "Device %s size is not aligned to requested sector size (%u bytes)." +msgid "Data device is not aligned to encryption sector size (% bytes)." +msgstr "设备 %s 的大小没有和请求的扇区大小对齐(%u 字节)。" + +#: lib/luks2/luks2_reencrypt.c:3084 +#, c-format +msgid "Data shift (% sectors) is less than future data offset (% sectors)." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589 +#: lib/luks2/luks2_reencrypt.c:3610 +#, fuzzy, c-format +#| msgid "Cannot use device %s which is in use (already mapped or mounted)." +msgid "Failed to open %s in exclusive mode (already mapped or mounted)." +msgstr "无法使用正被使用的设备 %s(已被映射或挂载)。" + +#: lib/luks2/luks2_reencrypt.c:3280 +msgid "Device not marked for LUKS2 reencryption." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271 +#, fuzzy +#| msgid "Failed to open key file.\n" +msgid "Failed to load LUKS2 reencryption context." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:3387 +#, fuzzy +#| msgid "Failed to open key file.\n" +msgid "Failed to get reencryption state." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705 +#, fuzzy +#| msgid "Device %s is not active." +msgid "Device is not in reencryption." +msgstr "设备 %s 未激活。" + +#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712 +#, fuzzy +#| msgid "Reencryption already in-progress." +msgid "Reencryption process is already running." +msgstr "重加密已在进行中。" + +#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714 +#, fuzzy +#| msgid "Failed to acquire write device lock." +msgid "Failed to acquire reencryption lock." +msgstr "无法获取写入设备锁。" + +#: lib/luks2/luks2_reencrypt.c:3418 +msgid "Cannot proceed with reencryption. Run reencryption recovery first." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3553 +msgid "Active device size and requested reencryption size don't match." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3567 +msgid "Illegal device size requested in reencryption parameters." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3644 +#, fuzzy +#| msgid "Reencryption already in-progress." +msgid "Reencryption in-progress. Cannot perform recovery." +msgstr "重加密已在进行中。" + +#: lib/luks2/luks2_reencrypt.c:3812 +msgid "LUKS2 reencryption already initialized in metadata." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3819 +#, fuzzy +#| msgid "Failed to initialise default LUKS2 keyslot parameters." +msgid "Failed to initialize LUKS2 reencryption in metadata." +msgstr "初始化默认 LUKS2 密钥槽参数失败。" + +#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907 +#, fuzzy +#| msgid "This operation is not supported for %s crypt device." +msgid "Reencryption is not supported for DAX (persistent memory) devices." +msgstr "不支持在 %s 加密设备上执行此操作。" + +#: lib/luks2/luks2_reencrypt.c:3879 +#, fuzzy +#| msgid "Failed to read passphrase from keyring (error %d)." +msgid "Failed to read passphrase from keyring." +msgstr "从密钥环读取口令失败(错误 %d)。" + +#: lib/luks2/luks2_reencrypt.c:3936 +msgid "Failed to set device segments for next reencryption hotzone." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:3988 +#, fuzzy +#| msgid "Failed to write activation flags to new header." +msgid "Failed to write reencryption resilience metadata." +msgstr "向新表头写入活动旗标失败。" + +#: lib/luks2/luks2_reencrypt.c:3995 +msgid "Decryption failed." +msgstr "解密失败。" + +#: lib/luks2/luks2_reencrypt.c:4000 +#, fuzzy, c-format +#| msgid "Failed to access temporary keystore device.\n" +msgid "Failed to write hotzone area starting at %." +msgstr "无法访问临时密钥存储设备。\n" + +# stat() 主要就是出来一个各种文件信息…… +#: lib/luks2/luks2_reencrypt.c:4005 +#, fuzzy +#| msgid "Failed to stat key file." +msgid "Failed to sync data." +msgstr "获取 (stat) 密钥文件信息失败。" + +#: lib/luks2/luks2_reencrypt.c:4013 +msgid "Failed to update metadata after current reencryption hotzone completed." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4102 +#, fuzzy +#| msgid "Failed to read LUKS2 requirements." +msgid "Failed to write LUKS2 metadata." +msgstr "读取 LUKS2 需求时失败。" + +#: lib/luks2/luks2_reencrypt.c:4125 +#, fuzzy +#| msgid "Failed to open temporary keystore device.\n" +msgid "Failed to wipe unused data device area." +msgstr "打开临时密钥存储设备失败。\n" + +#: lib/luks2/luks2_reencrypt.c:4131 +#, fuzzy, c-format +#| msgid "Failed to open key file.\n" +msgid "Failed to remove unused (unbound) keyslot %d." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:4141 +#, fuzzy +#| msgid "Failed to open key file.\n" +msgid "Failed to remove reencryption keyslot." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt.c:4151 +#, c-format +msgid "Fatal error while reencrypting chunk starting at %, % sectors long." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4155 +#, fuzzy +#| msgid "Cannot read reencryption log file." +msgid "Online reencryption failed." +msgstr "无法读取重加密日志文件。" + +#: lib/luks2/luks2_reencrypt.c:4160 +msgid "Do not resume the device unless replaced with error target manually." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4212 +msgid "Cannot proceed with reencryption. Unexpected reencryption status." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4218 +msgid "Missing or invalid reencrypt context." +msgstr "" + +#: lib/luks2/luks2_reencrypt.c:4225 +#, fuzzy +#| msgid "Failed to acquire read lock on device %s." +msgid "Failed to initialize reencryption device stack." +msgstr "无法获取设备 %s 的读取锁。" + +#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284 +#, fuzzy +#| msgid "Failed to open key file.\n" +msgid "Failed to update reencryption context." +msgstr "打开 (open) 密钥文件失败。\n" + +#: lib/luks2/luks2_reencrypt_digest.c:405 +msgid "Reencryption metadata is invalid." +msgstr "重加密元数据无效。" + +#: lib/luks2/hw_opal/hw_opal.c:327 +#, c-format +msgid "OPAL range %d offset % does not match expected values %." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:334 +#, c-format +msgid "OPAL range %d length % does not match device length %." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:340 +#, c-format +msgid "OPAL range %d locking is disabled." +msgstr "" + +#: lib/luks2/hw_opal/hw_opal.c:350 lib/luks2/hw_opal/hw_opal.c:357 +#, c-format +msgid "Unexpected OPAL range %d lock state." +msgstr "" + +#: src/cryptsetup.c:85 +#, fuzzy +#| msgid "This operation is supported only for LUKS2 device." +msgid "Keyslot encryption parameters can be set only for LUKS2 device." +msgstr "此操作只适用 LUKS2 设备。" + +#: src/cryptsetup.c:128 src/cryptsetup.c:2145 +#, fuzzy, c-format +#| msgid "Enter VeraCrypt PIM: " +msgid "Enter token PIN: " +msgstr "输入 VeraCrypt PIM: " + +#: src/cryptsetup.c:130 src/cryptsetup.c:2147 +#, c-format +msgid "Enter token %d PIN: " +msgstr "" -#: src/cryptsetup.c:185 src/cryptsetup.c:760 src/cryptsetup.c:995 -#: src/cryptsetup_reencrypt.c:743 src/cryptsetup_reencrypt.c:817 +#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515 +#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517 +#: src/utils_reencrypt_luks1.c:580 #, fuzzy #| msgid "No known cipher specification pattern detected.\n" msgid "No known cipher specification pattern detected." msgstr "未探测到已知的密文特征。\n" -#: src/cryptsetup.c:193 +#: src/cryptsetup.c:198 +#, c-format +msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions." +msgstr "" + +#: src/cryptsetup.c:203 +#, c-format +msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions." +msgstr "" + +#: src/cryptsetup.c:207 +msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash." +msgstr "" + +#: src/cryptsetup.c:213 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" msgstr "警告:在纯文本模式下指定密钥文件时将忽略参数 --hash。\n" -#: src/cryptsetup.c:201 +#: src/cryptsetup.c:221 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n" msgstr "警告:将忽略参数 --keyfile-size,读取大小应与加密密钥大小一致。\n" -#: src/cryptsetup.c:263 +#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558 +#: src/integritysetup.c:197 src/utils_reencrypt.c:1346 +#, c-format +msgid "Blkid scan failed for %s." +msgstr "" + +#: src/cryptsetup.c:264 +#, c-format +msgid "Detected device signature(s) on %s. Proceeding further may damage existing data." +msgstr "" + +#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296 +#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570 +#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187 +#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314 +#: src/utils_reencrypt.c:764 +msgid "Operation aborted.\n" +msgstr "操作中止。\n" + +#: src/cryptsetup.c:343 msgid "Option --key-file is required." msgstr "需要选项 --key-file。" -#: src/cryptsetup.c:308 +#: src/cryptsetup.c:394 msgid "Enter VeraCrypt PIM: " msgstr "输入 VeraCrypt PIM: " -#: src/cryptsetup.c:317 +#: src/cryptsetup.c:403 msgid "Invalid PIM value: parse error." msgstr "无效的 PIM 值:解析错误。" -#: src/cryptsetup.c:320 +#: src/cryptsetup.c:406 msgid "Invalid PIM value: 0." msgstr "无效的 PIM 值:0。" -#: src/cryptsetup.c:323 +#: src/cryptsetup.c:409 msgid "Invalid PIM value: outside of range." msgstr "无效的 PIM 值:超出范围。" -#: src/cryptsetup.c:346 +#: src/cryptsetup.c:432 #, fuzzy #| msgid "No device header detected with this passphrase.\n" msgid "No device header detected with this passphrase." msgstr "未从此密码中探测到设备标头。\n" -#: src/cryptsetup.c:408 src/cryptsetup.c:1587 +#: src/cryptsetup.c:505 src/cryptsetup.c:681 +#, fuzzy, c-format +#| msgid "Device %s is not a valid LUKS device." +msgid "Device %s is not a valid BITLK device." +msgstr "%s 不是有效的 LUKS 设备。" + +#: src/cryptsetup.c:513 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot determine volume key size for BITLK, please use --key-size option." +msgstr "无法获取普通设备的卷密钥。" + +#: src/cryptsetup.c:555 msgid "" "Header dump with volume key is sensitive information\n" "which allows access to encrypted partition without passphrase.\n" "This dump should be always stored encrypted on safe place." msgstr "" -#: src/cryptsetup.c:487 +#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550 +msgid "" +"The header dump with volume key is sensitive information\n" +"that allows access to encrypted partition without a passphrase.\n" +"This dump should be stored encrypted in a safe place." +msgstr "" + +#: src/cryptsetup.c:758 src/cryptsetup.c:788 +#, fuzzy, c-format +#| msgid "Device %s is not a valid VERITY device." +msgid "Device %s is not a valid FVAULT2 device." +msgstr "%s 不是有效的 VERITY 设备。" + +#: src/cryptsetup.c:796 +#, fuzzy +#| msgid "Cannot retrieve volume key for plain device." +msgid "Cannot determine volume key size for FVAULT2, please use --key-size option." +msgstr "无法获取普通设备的卷密钥。" + +#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409 #, c-format msgid "Device %s is still active and scheduled for deferred removal.\n" msgstr "" -#: src/cryptsetup.c:515 +# stat() 主要就是出来一个各种文件信息…… +#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080 +#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763 +#: src/cryptsetup.c:3290 +#, fuzzy, c-format +#| msgid "Failed to stat key file.\n" +msgid "Failed to set external tokens path %s." +msgstr "获取 (stat) 密钥文件统计数据失败。\n" + +#: src/cryptsetup.c:893 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set." msgstr "" -#: src/cryptsetup.c:638 +#: src/cryptsetup.c:1053 #, fuzzy #| msgid "benchmark cipher" msgid "Benchmark interrupted." msgstr "测试密文" -#: src/cryptsetup.c:659 +#: src/cryptsetup.c:1074 #, c-format msgid "PBKDF2-%-9s N/A\n" msgstr "" -#: src/cryptsetup.c:661 +#: src/cryptsetup.c:1076 #, c-format msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n" msgstr "" -#: src/cryptsetup.c:675 +#: src/cryptsetup.c:1090 #, c-format msgid "%-10s N/A\n" msgstr "" -#: src/cryptsetup.c:677 +#: src/cryptsetup.c:1092 #, c-format msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n" msgstr "" -#: src/cryptsetup.c:701 -#, fuzzy -#| msgid "Result of benchmark is not reliable.\n" +#: src/cryptsetup.c:1116 msgid "Result of benchmark is not reliable." -msgstr "测试结果不可靠。\n" +msgstr "测试结果不可靠。" -#: src/cryptsetup.c:752 +#: src/cryptsetup.c:1166 msgid "# Tests are approximate using memory only (no storage IO).\n" msgstr "# 测试仅使用内存(无存储 IO)。\n" #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. -#: src/cryptsetup.c:780 src/cryptsetup.c:804 -#, fuzzy +#: src/cryptsetup.c:1186 +#, fuzzy, c-format #| msgid "# Algorithm | Key | Encryption | Decryption\n" -msgid "# Algorithm | Key | Encryption | Decryption\n" +msgid "#%*s Algorithm | Key | Encryption | Decryption\n" msgstr "# 算法 | 密钥 | 加密 | 解密\n" -#: src/cryptsetup.c:784 +#: src/cryptsetup.c:1190 #, fuzzy, c-format #| msgid "Cipher %s is not available.\n" -msgid "Cipher %s is not available." +msgid "Cipher %s (with %i bits key) is not available." msgstr "密文 %s 不可用。\n" -#: src/cryptsetup.c:813 +#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned. +#: src/cryptsetup.c:1209 +#, fuzzy +#| msgid "# Algorithm | Key | Encryption | Decryption\n" +msgid "# Algorithm | Key | Encryption | Decryption\n" +msgstr "# 算法 | 密钥 | 加密 | 解密\n" + +#: src/cryptsetup.c:1220 msgid "N/A" msgstr "不可用" -#: src/cryptsetup.c:873 -msgid "Really try to repair LUKS device header?" -msgstr "确定要尝试修复 LUKS 设备标头吗?" - -#: src/cryptsetup.c:874 src/cryptsetup.c:965 src/cryptsetup.c:987 -#: src/cryptsetup.c:1560 -msgid "Operation aborted.\n" -msgstr "操作中止。\n" - -#: src/cryptsetup.c:889 src/integritysetup.c:140 +#: src/cryptsetup.c:1245 msgid "" -"Wiping device to initialize integrity checksum.\n" -"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" +"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n" +"and continue (upgrade metadata) only if you acknowledge the operation as genuine." msgstr "" -#: src/cryptsetup.c:911 src/integritysetup.c:162 -#, fuzzy, c-format -#| msgid "Cannot open temporary LUKS device.\n" -msgid "Cannot deactivate temporary device %s." -msgstr "无法打开临时 LUKS 设备。\n" +#: src/cryptsetup.c:1251 +#, fuzzy +#| msgid "Enter passphrase to be deleted: " +msgid "Enter passphrase to protect and upgrade reencryption metadata: " +msgstr "输入要移除的口令: " -#: src/cryptsetup.c:955 -msgid "Integrity option can be used only for LUKS2 format." +#: src/cryptsetup.c:1295 +msgid "Really proceed with LUKS2 reencryption recovery?" msgstr "" -#: src/cryptsetup.c:971 +#: src/cryptsetup.c:1304 +#, fuzzy +#| msgid "Enter passphrase to be deleted: " +msgid "Enter passphrase to verify reencryption metadata digest: " +msgstr "输入要移除的口令: " + +#: src/cryptsetup.c:1306 +#, fuzzy +#| msgid "Enter passphrase for key slot %u: " +msgid "Enter passphrase for reencryption recovery: " +msgstr "输入密钥槽 %u 的密码:" + +#: src/cryptsetup.c:1366 +msgid "Really try to repair LUKS device header?" +msgstr "确定要尝试修复 LUKS 设备标头吗?" + +#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247 +msgid "" +"\n" +"Wipe interrupted." +msgstr "" +"\n" +"擦除被打断" + +#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284 +msgid "" +"Wiping device to initialize integrity checksum.\n" +"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n" +msgstr "" + +#: src/cryptsetup.c:1417 src/integritysetup.c:116 +#, fuzzy, c-format +#| msgid "Cannot open temporary LUKS device.\n" +msgid "Cannot deactivate temporary device %s." +msgstr "无法打开临时 LUKS 设备。\n" + +#: src/cryptsetup.c:1472 +msgid "Integrity option can be used only for LUKS2 format." +msgstr "" + +#: src/cryptsetup.c:1477 src/cryptsetup.c:1542 +#, fuzzy +#| msgid "Unsupported LUKS version %d." +msgid "Unsupported LUKS2 metadata size options." +msgstr "不支持的 LUKS 版本 %d。" + +#: src/cryptsetup.c:1482 +#, fuzzy +#| msgid "This operation is supported only for LUKS2 device." +msgid "OPAL is supported only for LUKS2 format." +msgstr "此操作只适用 LUKS2 设备。" + +#: src/cryptsetup.c:1491 +msgid "Header file does not exist, do you want to create it?" +msgstr "" + +#: src/cryptsetup.c:1499 #, c-format msgid "Cannot create header file %s." msgstr "无法创建标头文件 %s。" -#: src/cryptsetup.c:982 -#, c-format -msgid "This will overwrite data on %s irrevocably." -msgstr "这将覆盖 %s 上的数据,该动作不可取消。" - -#: src/cryptsetup.c:1002 src/integritysetup.c:187 src/integritysetup.c:196 -#: src/integritysetup.c:205 src/integritysetup.c:252 src/integritysetup.c:261 -#: src/integritysetup.c:271 +#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152 +#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332 +#: src/integritysetup.c:342 #, fuzzy #| msgid "No known cipher specification pattern detected.\n" msgid "No known integrity specification pattern detected." msgstr "未探测到已知的密文特征。\n" -#: src/cryptsetup.c:1015 +#: src/cryptsetup.c:1535 #, c-format msgid "Cannot use %s as on-disk header." msgstr "无法将 %s 作为磁盘上的标头使用。" +#: src/cryptsetup.c:1564 src/integritysetup.c:181 +#, c-format +msgid "This will overwrite data on %s irrevocably." +msgstr "这将覆盖 %s 上的数据,该动作不可取消。" + +#: src/cryptsetup.c:1601 +msgid "OPAL Admin password cannot be empty." +msgstr "" + # stat() 主要就是出来一个各种文件信息…… -#: src/cryptsetup.c:1040 src/cryptsetup.c:1314 src/cryptsetup.c:1373 -#: src/cryptsetup.c:1459 src/cryptsetup.c:1510 +#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247 +#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443 msgid "Failed to set pbkdf parameters." msgstr "设置 pbkdf 参数失败。" -#: src/cryptsetup.c:1092 +#: src/cryptsetup.c:1745 +msgid "Type specification in --link-vk-to-keyring keyring specification is ignored." +msgstr "" + +#: src/cryptsetup.c:1765 +msgid "Invalid --link-vk-to-keyring value." +msgstr "" + +#: src/cryptsetup.c:1805 #, fuzzy #| msgid "Reduced data offset is allowed only for detached LUKS header.\n" msgid "Reduced data offset is allowed only for detached LUKS header." msgstr "仅已脱离的 LUKS 数据头可以使用缩减的数据偏移。\n" -#: src/cryptsetup.c:1131 +#: src/cryptsetup.c:1812 +#, c-format +msgid "LUKS file container %s is too small for activation, there is no remaining space for data." +msgstr "" + +#: src/cryptsetup.c:1839 src/cryptsetup.c:2253 +msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option." +msgstr "" + +#: src/cryptsetup.c:1890 msgid "Device activated but cannot make flags persistent." msgstr "" -#: src/cryptsetup.c:1209 +#: src/cryptsetup.c:1972 src/cryptsetup.c:2040 #, fuzzy, c-format #| msgid "Key slot %d selected for deletion.\n" msgid "Keyslot %d is selected for deletion." msgstr "已选中密钥槽 %d 以删除。\n" -#: src/cryptsetup.c:1212 -#, fuzzy, c-format -#| msgid "Key slot %d is not used.\n" -msgid "Keyslot %d is not active." -msgstr "密钥槽 %d 未使用。\n" - -#: src/cryptsetup.c:1221 src/cryptsetup.c:1276 +#: src/cryptsetup.c:1984 src/cryptsetup.c:2044 msgid "This is the last keyslot. Device will become unusable after purging this key." msgstr "这是最后一个密钥槽。设备在清空此密钥后将不可用。" -#: src/cryptsetup.c:1222 +#: src/cryptsetup.c:1985 msgid "Enter any remaining passphrase: " msgstr "输入任意剩余的口令: " -#: src/cryptsetup.c:1223 src/cryptsetup.c:1278 +#: src/cryptsetup.c:1986 src/cryptsetup.c:2046 msgid "Operation aborted, the keyslot was NOT wiped.\n" -msgstr "" +msgstr "操作中止,密钥槽【未被】擦除。\n" -#: src/cryptsetup.c:1256 +#: src/cryptsetup.c:2022 msgid "Enter passphrase to be deleted: " msgstr "输入要移除的口令: " -#: src/cryptsetup.c:1273 +#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114 +#: src/cryptsetup.c:3281 #, c-format -msgid "Key slot %d selected for deletion." -msgstr "已选中密钥槽 %d 以供删除。" +msgid "Device %s is not a valid LUKS2 device." +msgstr "设备 %s 不是有效的 LUKS2 设备。" -#: src/cryptsetup.c:1328 src/cryptsetup.c:1387 src/cryptsetup.c:1420 +#: src/cryptsetup.c:2111 src/cryptsetup.c:2330 msgid "Enter new passphrase for key slot: " msgstr "输入密钥槽的新口令: " -#: src/cryptsetup.c:1404 src/cryptsetup_reencrypt.c:1351 +#: src/cryptsetup.c:2213 +#, fuzzy +#| msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n" +msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n" +msgstr "警告:在纯文本模式下指定密钥文件时将忽略参数 --hash。\n" + +#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149 #, c-format msgid "Enter any existing passphrase: " msgstr "输入任意已存在的口令: " -#: src/cryptsetup.c:1463 +#: src/cryptsetup.c:2411 msgid "Enter passphrase to be changed: " msgstr "输入要更改的口令: " -#: src/cryptsetup.c:1478 src/cryptsetup_reencrypt.c:1336 +#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135 msgid "Enter new passphrase: " msgstr "输入新口令: " -#: src/cryptsetup.c:1514 +#: src/cryptsetup.c:2477 #, fuzzy #| msgid "Enter passphrase for key slot %u: " msgid "Enter passphrase for keyslot to be converted: " msgstr "输入密钥槽 %u 的密码:" -#: src/cryptsetup.c:1537 +#: src/cryptsetup.c:2501 #, fuzzy #| msgid "Only one device argument for isLuks operation is supported.\n" msgid "Only one device argument for isLuks operation is supported." msgstr "isLuks 操作仅支持一个设备参数。\n" -#: src/cryptsetup.c:1716 src/cryptsetup.c:1737 -#, fuzzy -#| msgid "Option --header-backup-file is required.\n" +#: src/cryptsetup.c:2609 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Keyslot %d does not contain unbound key." +msgstr "密钥槽 %d 未使用。\n" + +#: src/cryptsetup.c:2614 +msgid "" +"The header dump with unbound key is sensitive information.\n" +"This dump should be stored encrypted in a safe place." +msgstr "" + +#: src/cryptsetup.c:2709 src/cryptsetup.c:2746 +#, fuzzy, c-format +#| msgid "show active device status" +msgid "%s is not active %s device name." +msgstr "显示已激活的设备信息" + +#: src/cryptsetup.c:2741 +#, c-format +msgid "%s is not active LUKS device name or header is missing." +msgstr "" + +#: src/cryptsetup.c:2819 src/cryptsetup.c:2838 msgid "Option --header-backup-file is required." -msgstr "必须指定 --header-backup-file 选项。\n" +msgstr "必须指定 --header-backup-file 选项。" + +#: src/cryptsetup.c:2869 +#, c-format +msgid "%s is not cryptsetup managed device." +msgstr "" + +#: src/cryptsetup.c:2880 +#, fuzzy, c-format +#| msgid "Resume is not supported for device %s." +msgid "Refresh is not supported for device type %s" +msgstr "设备 %s 不支持恢复。" -#: src/cryptsetup.c:1776 +#: src/cryptsetup.c:2930 #, fuzzy, c-format #| msgid "Unrecognized metadata device type %s.\n" msgid "Unrecognized metadata device type %s." msgstr "无法识别的元数据设备类型 %s。\n" -#: src/cryptsetup.c:1779 +#: src/cryptsetup.c:2932 #, fuzzy #| msgid "Command requires device and mapped name as arguments.\n" msgid "Command requires device and mapped name as arguments." msgstr "命令需要设备及映射名作为参数。\n" -#: src/cryptsetup.c:1798 +#: src/cryptsetup.c:2942 +msgid "Enter OPAL PSID: " +msgstr "输入 OPAL PSID:" + +#: src/cryptsetup.c:2942 +#, fuzzy +#| msgid "Enter new passphrase: " +msgid "Enter OPAL Admin password: " +msgstr "输入新口令: " + +#: src/cryptsetup.c:2951 +msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?" +msgstr "" + +#: src/cryptsetup.c:2994 #, c-format msgid "" "This operation will erase all keyslots on device %s.\n" @@ -1458,217 +2724,406 @@ msgstr "" "该操作将清空设备 %s 上所有的密钥槽。\n" "设备在此操作后将不可用。" -#: src/cryptsetup.c:1805 +#: src/cryptsetup.c:3001 msgid "Operation aborted, keyslots were NOT wiped.\n" msgstr "操作已中止,密钥槽没有被擦除。\n" -#: src/cryptsetup.c:1841 -msgid "Missing LUKS target type, option --type is required." +#: src/cryptsetup.c:3040 +msgid "Invalid LUKS type, only luks1 and luks2 are supported." msgstr "" -#: src/cryptsetup.c:1857 +#: src/cryptsetup.c:3056 #, c-format msgid "Device is already %s type." msgstr "设备已为 %s 类型。" -#: src/cryptsetup.c:1862 +#: src/cryptsetup.c:3063 #, fuzzy, c-format #| msgid "This operation is not supported for %s crypt device.\n" msgid "This operation will convert %s to %s format.\n" msgstr "不支持在 %s 加密设备上执行此操作。\n" -#: src/cryptsetup.c:1868 +#: src/cryptsetup.c:3066 msgid "Operation aborted, device was NOT converted.\n" msgstr "" -#: src/cryptsetup.c:1908 +#: src/cryptsetup.c:3106 msgid "Option --priority, --label or --subsystem is missing." msgstr "选项 --priority、--label 或 --subsystem 缺失。" -#: src/cryptsetup.c:1939 +#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200 #, fuzzy, c-format #| msgid "Key slot %d is invalid.\n" msgid "Token %d is invalid." msgstr "密钥槽 %d 无效。\n" -#: src/cryptsetup.c:1942 +#: src/cryptsetup.c:3143 src/cryptsetup.c:3203 #, fuzzy, c-format #| msgid "Key slot %d is not used.\n" msgid "Token %d in use." msgstr "密钥槽 %d 未使用。\n" -#: src/cryptsetup.c:1955 +# stat() 主要就是出来一个各种文件信息…… +#: src/cryptsetup.c:3155 +#, fuzzy, c-format +#| msgid "Failed to stat key file.\n" +msgid "Failed to add luks2-keyring token %d." +msgstr "获取 (stat) 密钥文件统计数据失败。\n" + +#: src/cryptsetup.c:3166 src/cryptsetup.c:3229 #, fuzzy, c-format #| msgid "Failed to swap new key slot.\n" msgid "Failed to assign token %d to keyslot %d." msgstr "交换新密钥槽失败。\n" -#: src/cryptsetup.c:1969 -msgid "--key-description parameter is mandatory for token add action." +#: src/cryptsetup.c:3183 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Token %d is not in use." +msgstr "密钥槽 %d 未使用。\n" + +#: src/cryptsetup.c:3220 +#, fuzzy +#| msgid "Failed to open key file." +msgid "Failed to import token from file." +msgstr "打开 (open) 密钥文件失败。" + +#: src/cryptsetup.c:3245 +#, fuzzy, c-format +#| msgid "Failed to swap new key slot.\n" +msgid "Failed to get token %d for export." +msgstr "交换新密钥槽失败。\n" + +#: src/cryptsetup.c:3258 +#, fuzzy, c-format +#| msgid "Failed to swap new key slot.\n" +msgid "Token %d is not assigned to keyslot %d." +msgstr "交换新密钥槽失败。\n" + +#: src/cryptsetup.c:3260 src/cryptsetup.c:3267 +#, fuzzy, c-format +#| msgid "Failed to swap new key slot.\n" +msgid "Failed to unassign token %d from keyslot %d." +msgstr "交换新密钥槽失败。\n" + +#: src/cryptsetup.c:3326 +#, fuzzy +#| msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n" +msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device." +msgstr "选项 --tcrypt-hidden, --tcrypt-system 或 --tcrypt-backup 只支持 TCRYPT 设备。\n" + +#: src/cryptsetup.c:3329 +#, fuzzy +#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n" +msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type." +msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" + +#: src/cryptsetup.c:3332 +#, fuzzy +#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n" +msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices." +msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" + +#: src/cryptsetup.c:3336 +#, fuzzy +#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n" +msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices." +msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" + +#: src/cryptsetup.c:3338 +msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive." msgstr "" -#: src/cryptsetup.c:1975 -msgid "Missing --token option specifying token for removal." +#: src/cryptsetup.c:3347 +#, fuzzy +#| msgid "Option --allow-discards is allowed only for open operation.\n" +msgid "Option --persistent is not allowed with --test-passphrase." +msgstr "选项 --allow-discards 只适用于打开操作。\n" + +#: src/cryptsetup.c:3350 +msgid "Options --refresh and --test-passphrase are mutually exclusive." msgstr "" -#: src/cryptsetup.c:1980 -#, fuzzy, c-format +#: src/cryptsetup.c:3353 +#, fuzzy +#| msgid "Option --shared is allowed only for open of plain device.\n" +msgid "Option --shared is allowed only for open of plain device." +msgstr "选项 --shared 只适用于打开纯设备。\n" + +#: src/cryptsetup.c:3356 +#, fuzzy +#| msgid "Option --skip is supported only for open of plain and loopaes devices.\n" +msgid "Option --skip is supported only for open of plain and loopaes devices." +msgstr "选项 --skip 只适用于打开纯设备和 loopaes 设备。\n" + +#: src/cryptsetup.c:3359 +#, fuzzy +#| msgid "Option --offset is supported only for open of plain and loopaes devices.\n" +msgid "Option --offset with open action is only supported for plain and loopaes devices." +msgstr "选项 --offset 只适用于打开纯设备和 loopaes 设备。\n" + +#: src/cryptsetup.c:3362 +#, fuzzy +#| msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n" +msgid "Option --tcrypt-hidden cannot be combined with --allow-discards." +msgstr "选项 --tcrypt-hidden 不能与 --allow-discards 共用。\n" + +#: src/cryptsetup.c:3366 +#, fuzzy +#| msgid "This operation is supported only for LUKS device." +msgid "Sector size option with open action is supported only for plain devices." +msgstr "此操作只适用 LUKS 设备。" + +#: src/cryptsetup.c:3370 +msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes." +msgstr "" + +#: src/cryptsetup.c:3375 +#, fuzzy +#| msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n" +msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices." +msgstr "选项 --test-passphrase 只能用于打开 LUKS 和 TCRYPT 设备。\n" + +#: src/cryptsetup.c:3378 src/cryptsetup.c:3401 +msgid "Options --device-size and --size cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3381 +#, fuzzy +#| msgid "Option --shared is allowed only for open of plain device.\n" +msgid "Option --unbound is allowed only for open of luks device." +msgstr "选项 --shared 只适用于打开纯设备。\n" + +#: src/cryptsetup.c:3384 +#, fuzzy +#| msgid "Option --new cannot be used together with --decrypt." +msgid "Option --unbound cannot be used without --test-passphrase." +msgstr "选项 --new 不可与 --decrypt 共用。" + +#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767 +msgid "Options --cancel-deferred and --deferred cannot be used at the same time." +msgstr "" + +#: src/cryptsetup.c:3409 +msgid "Options --reduce-device-size and --device-size cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3412 +#, fuzzy +#| msgid "This operation is supported only for LUKS2 device." +msgid "Option --active-name can be set only for LUKS2 device." +msgstr "此操作只适用 LUKS2 设备。" + +#: src/cryptsetup.c:3415 +msgid "Options --active-name and --force-offline-reencrypt cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3423 src/cryptsetup.c:3453 +msgid "Keyslot specification is required." +msgstr "" + +#: src/cryptsetup.c:3431 +#, fuzzy +#| msgid "Option --align-payload is allowed only for luksFormat." +msgid "Options --align-payload and --offset cannot be combined." +msgstr "选项 --align-payload 只允许用于 luksFormat。" + +#: src/cryptsetup.c:3434 +msgid "Option --integrity-no-wipe can be used only for format action with integrity extension." +msgstr "" + +#: src/cryptsetup.c:3437 +msgid "Only one of --use-[u]random options is allowed." +msgstr "--use-[u]random 选项只能用一处。" + +#: src/cryptsetup.c:3445 +msgid "Key size is required with --unbound option." +msgstr "" + +#: src/cryptsetup.c:3465 +#, fuzzy #| msgid "Invalid device %s.\n" -msgid "Invalid token operation %s." +msgid "Invalid token action." msgstr "设备 %s 无效。\n" -# stat() 主要就是出来一个各种文件信息…… -#: src/cryptsetup.c:1995 -#, fuzzy, c-format -#| msgid "Failed to stat key file.\n" -msgid "Failed to add keyring token %d." -msgstr "获取 (stat) 密钥文件统计数据失败。\n" +#: src/cryptsetup.c:3468 +msgid "--key-description parameter is mandatory for token add action." +msgstr "" -#: src/cryptsetup.c:1997 -#, fuzzy, c-format -#| msgid "Failed to open key file.\n" -msgid "Failed to remove token %d." -msgstr "打开 (open) 密钥文件失败。\n" +#: src/cryptsetup.c:3472 src/cryptsetup.c:3485 +msgid "Action requires specific token. Use --token-id parameter." +msgstr "" + +#: src/cryptsetup.c:3476 +#, fuzzy +#| msgid "Option --new cannot be used together with --decrypt." +msgid "Option --unbound is valid only with token add action." +msgstr "选项 --new 不可与 --decrypt 共用。" -#: src/cryptsetup.c:2013 +#: src/cryptsetup.c:3478 +msgid "Options --key-slot and --unbound cannot be combined." +msgstr "" + +#: src/cryptsetup.c:3483 +msgid "Action requires specific keyslot. Use --key-slot parameter." +msgstr "" + +#: src/cryptsetup.c:3499 msgid " [--type ] []" msgstr "<设备> [--type <类型>] [<名称>]" -#: src/cryptsetup.c:2013 -msgid "open device as mapping " -msgstr "以映射 <名称> 打开设备" +#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544 +msgid "open device as " +msgstr "以 <名称> 打开设备" -#: src/cryptsetup.c:2014 src/cryptsetup.c:2015 src/cryptsetup.c:2016 -#: src/veritysetup.c:366 src/veritysetup.c:367 src/integritysetup.c:427 -#: src/integritysetup.c:428 +#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502 +#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545 +#: src/integritysetup.c:546 src/integritysetup.c:548 msgid "" msgstr "<名称>" -#: src/cryptsetup.c:2014 +#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545 msgid "close device (remove mapping)" msgstr "关闭设备(移除映射)" -#: src/cryptsetup.c:2015 +#: src/cryptsetup.c:3501 src/integritysetup.c:548 msgid "resize active device" msgstr "改变活动设备大小。" -#: src/cryptsetup.c:2016 +#: src/cryptsetup.c:3502 msgid "show device status" msgstr "显示设备状态" -#: src/cryptsetup.c:2017 +#: src/cryptsetup.c:3503 msgid "[--cipher ]" msgstr "" -#: src/cryptsetup.c:2017 +#: src/cryptsetup.c:3503 msgid "benchmark cipher" msgstr "测试密文" -#: src/cryptsetup.c:2018 src/cryptsetup.c:2019 src/cryptsetup.c:2020 -#: src/cryptsetup.c:2021 src/cryptsetup.c:2028 src/cryptsetup.c:2029 -#: src/cryptsetup.c:2030 src/cryptsetup.c:2031 src/cryptsetup.c:2032 -#: src/cryptsetup.c:2033 src/cryptsetup.c:2034 src/cryptsetup.c:2035 +#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506 +#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515 +#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518 +#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521 +#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524 msgid "" msgstr "<设备>" -#: src/cryptsetup.c:2018 +#: src/cryptsetup.c:3504 msgid "try to repair on-disk metadata" msgstr "尝试修复磁盘上的元数据" -#: src/cryptsetup.c:2019 +#: src/cryptsetup.c:3505 +msgid "reencrypt LUKS2 device" +msgstr "重加密 LUKS2 设备" + +#: src/cryptsetup.c:3506 msgid "erase all keyslots (remove encryption key)" msgstr "清空所有密钥槽(移除加密密钥)" -#: src/cryptsetup.c:2020 +#: src/cryptsetup.c:3507 msgid "convert LUKS from/to LUKS2 format" msgstr "在 LUKS 和 LUKS2 格式之间转换" -#: src/cryptsetup.c:2021 +#: src/cryptsetup.c:3508 msgid "set permanent configuration options for LUKS2" msgstr "" -#: src/cryptsetup.c:2022 src/cryptsetup.c:2023 +#: src/cryptsetup.c:3509 src/cryptsetup.c:3510 msgid " []" msgstr "<设备> [<新密钥文件>]" -#: src/cryptsetup.c:2022 +#: src/cryptsetup.c:3509 msgid "formats a LUKS device" msgstr "格式化一个 LUKS 设备" -#: src/cryptsetup.c:2023 +#: src/cryptsetup.c:3510 msgid "add key to LUKS device" msgstr "向 LUKS 设备添加密钥" -#: src/cryptsetup.c:2024 src/cryptsetup.c:2025 src/cryptsetup.c:2026 +#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513 msgid " []" msgstr "<设备> [<密钥文件>]" -#: src/cryptsetup.c:2024 +#: src/cryptsetup.c:3511 msgid "removes supplied key or key file from LUKS device" msgstr "移除 LUKS 设备中指定的密钥或密钥文件" -#: src/cryptsetup.c:2025 +#: src/cryptsetup.c:3512 msgid "changes supplied key or key file of LUKS device" msgstr "更改 LUKS 设备中指定的密钥或密钥文件" # stat() 主要就是出来一个各种文件信息…… -#: src/cryptsetup.c:2026 +#: src/cryptsetup.c:3513 #, fuzzy #| msgid "Failed to stat key file.\n" msgid "converts a key to new pbkdf parameters" msgstr "获取 (stat) 密钥文件统计数据失败。\n" -#: src/cryptsetup.c:2027 +#: src/cryptsetup.c:3514 msgid " " msgstr "<设备> <密钥槽>" -#: src/cryptsetup.c:2027 +#: src/cryptsetup.c:3514 msgid "wipes key with number from LUKS device" msgstr "从 LUKS 设备清理标号为 的密钥" -#: src/cryptsetup.c:2028 +#: src/cryptsetup.c:3515 msgid "print UUID of LUKS device" msgstr "输出 LUKS 设备的 UUID(唯一标识符)" -#: src/cryptsetup.c:2029 +#: src/cryptsetup.c:3516 msgid "tests for LUKS partition header" msgstr "从 探测 LUKS 分区标头" -#: src/cryptsetup.c:2030 +#: src/cryptsetup.c:3517 msgid "dump LUKS partition information" msgstr "调出 LUKS 分区信息" -#: src/cryptsetup.c:2031 +#: src/cryptsetup.c:3518 msgid "dump TCRYPT device information" msgstr "调出 TCRYPT 设备信息" -#: src/cryptsetup.c:2032 +#: src/cryptsetup.c:3519 +#, fuzzy +#| msgid "dump TCRYPT device information" +msgid "dump BITLK device information" +msgstr "调出 TCRYPT 设备信息" + +#: src/cryptsetup.c:3520 +#, fuzzy +#| msgid "dump TCRYPT device information" +msgid "dump FVAULT2 device information" +msgstr "调出 TCRYPT 设备信息" + +#: src/cryptsetup.c:3521 #, fuzzy #| msgid "Suspend LUKS device and wipe key (all IOs are frozen)." msgid "Suspend LUKS device and wipe key (all IOs are frozen)" msgstr "挂起 LUKS 设备并清除密钥(冻结所有 IO 操作)。" -#: src/cryptsetup.c:2033 +#: src/cryptsetup.c:3522 msgid "Resume suspended LUKS device" msgstr "恢复已挂起的 LUKS 设备" -#: src/cryptsetup.c:2034 +#: src/cryptsetup.c:3523 msgid "Backup LUKS device header and keyslots" msgstr "备份 LUKS 设备标头和密钥槽" -#: src/cryptsetup.c:2035 +#: src/cryptsetup.c:3524 msgid "Restore LUKS device header and keyslots" msgstr "恢复 LUKS 设备标头和密钥槽" -#: src/cryptsetup.c:2036 -msgid " " +#: src/cryptsetup.c:3525 +msgid " " msgstr "" -#: src/cryptsetup.c:2036 -msgid "Add or remove keyring token" +#: src/cryptsetup.c:3525 +msgid "Manipulate LUKS2 tokens" msgstr "" -#: src/cryptsetup.c:2054 src/veritysetup.c:383 src/integritysetup.c:444 +#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563 msgid "" "\n" " is one of:\n" @@ -1676,19 +3131,25 @@ msgstr "" "\n" "<动作> 为其中之一:\n" -#: src/cryptsetup.c:2060 +#: src/cryptsetup.c:3550 +#, fuzzy +#| msgid "" +#| "\n" +#| "You can also use old syntax aliases:\n" +#| "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n" +#| "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n" msgid "" "\n" "You can also use old syntax aliases:\n" -"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n" -"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n" +"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n" +"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n" msgstr "" "\n" "你亦可使用老的 <动作> 语法别名:\n" "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n" "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n" -#: src/cryptsetup.c:2064 +#: src/cryptsetup.c:3554 #, c-format msgid "" "\n" @@ -1703,14 +3164,31 @@ msgstr "" " 为需要更改的 LUKS 密钥槽\n" " 提供给 luksAddKey 动作的密钥文件\n" -#: src/cryptsetup.c:2071 +#: src/cryptsetup.c:3561 #, c-format msgid "" "\n" "Default compiled-in metadata format is %s (for luksFormat action).\n" msgstr "" -#: src/cryptsetup.c:2076 +#: src/cryptsetup.c:3566 +msgid "" +"\n" +"LUKS2 external token plugin support is enabled.\n" +msgstr "" + +#: src/cryptsetup.c:3567 +#, c-format +msgid "LUKS2 external token plugin path: %s.\n" +msgstr "" + +#: src/cryptsetup.c:3569 +msgid "" +"\n" +"LUKS2 external token plugin support is disabled.\n" +msgstr "" + +#: src/cryptsetup.c:3573 #, fuzzy, c-format #| msgid "" #| "\n" @@ -1730,14 +3208,20 @@ msgstr "" "\t密钥文件的最大大小:%dkB, 交互式密码的最大长度:%d (字符)\n" "LUKS 的默认 PBKDF2 迭代时间:%d (毫秒)\n" -#: src/cryptsetup.c:2087 -#, c-format +#: src/cryptsetup.c:3584 +#, fuzzy, c-format +#| msgid "" +#| "\n" +#| "Default compiled-in device cipher parameters:\n" +#| "\tloop-AES: %s, Key %d bits\n" +#| "\tplain: %s, Key: %d bits, Password hashing: %s\n" +#| "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" msgid "" "\n" "Default compiled-in device cipher parameters:\n" "\tloop-AES: %s, Key %d bits\n" "\tplain: %s, Key: %d bits, Password hashing: %s\n" -"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" +"\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n" msgstr "" "\n" "默认集成的设备密文参数:\n" @@ -1745,611 +3229,217 @@ msgstr "" "\tplain:%s, 密钥:%d 位, 密码哈希:%s\n" "\tLUKS1:%s, 密钥:%d bits, LUKS 数据头哈希:%s, RNG:%s\n" -#: src/cryptsetup.c:2104 src/veritysetup.c:540 src/integritysetup.c:581 +#: src/cryptsetup.c:3593 +msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n" +msgstr "" + +#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723 #, c-format msgid "%s: requires %s as arguments" msgstr "%s: 需要 %s 作为参数" -#: src/cryptsetup.c:2137 src/veritysetup.c:423 src/integritysetup.c:478 -#: src/cryptsetup_reencrypt.c:1608 -msgid "Show this help message" -msgstr "显示此帮助" +#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198 +msgid "Key slot is invalid." +msgstr "密钥槽无效。" -#: src/cryptsetup.c:2138 src/veritysetup.c:424 src/integritysetup.c:479 -#: src/cryptsetup_reencrypt.c:1609 -msgid "Display brief usage" -msgstr "显示简短用法" +#: src/cryptsetup.c:3678 +#, fuzzy +#| msgid "Reduce size must be multiple of 512 bytes sector." +msgid "Device size must be multiple of 512 bytes sector." +msgstr "缩减大小必须为 512 字节扇区的倍数。" -#: src/cryptsetup.c:2142 src/veritysetup.c:428 src/integritysetup.c:483 -#: src/cryptsetup_reencrypt.c:1613 -msgid "Help options:" -msgstr "帮助选项:" +#: src/cryptsetup.c:3683 +#, fuzzy +#| msgid "Invalid device size specification." +msgid "Invalid max reencryption hotzone size specification." +msgstr "无效的设备大小指标。" -#: src/cryptsetup.c:2143 src/veritysetup.c:429 src/integritysetup.c:484 -#: src/cryptsetup_reencrypt.c:1614 -msgid "Print package version" -msgstr "打印软件包版本" - -#: src/cryptsetup.c:2144 src/veritysetup.c:430 src/integritysetup.c:485 -#: src/cryptsetup_reencrypt.c:1615 -msgid "Shows more detailed error messages" -msgstr "显示更详细的错误信息" - -#: src/cryptsetup.c:2145 src/veritysetup.c:431 src/integritysetup.c:486 -#: src/cryptsetup_reencrypt.c:1616 -msgid "Show debug messages" -msgstr "显示调试信息" - -#: src/cryptsetup.c:2146 src/cryptsetup_reencrypt.c:1618 -msgid "The cipher used to encrypt the disk (see /proc/crypto)" -msgstr "用于加密磁盘的密文(参见 /proc/crypto)" - -#: src/cryptsetup.c:2147 src/cryptsetup_reencrypt.c:1620 -msgid "The hash used to create the encryption key from the passphrase" -msgstr "用于从密码创建加密密钥的哈希值" - -#: src/cryptsetup.c:2148 -msgid "Verifies the passphrase by asking for it twice" -msgstr "两次询问密码以进行验证" - -#: src/cryptsetup.c:2149 src/cryptsetup_reencrypt.c:1622 -msgid "Read the key from a file" -msgstr "从文件读取密钥" - -#: src/cryptsetup.c:2150 -msgid "Read the volume (master) key from file." -msgstr "从文件读取卷(主)密钥。" - -#: src/cryptsetup.c:2151 -#, fuzzy -#| msgid "Dump volume (master) key instead of keyslots info." -msgid "Dump volume (master) key instead of keyslots info" -msgstr "转储卷(主)密钥而不是键槽信息。" - -#: src/cryptsetup.c:2152 src/cryptsetup_reencrypt.c:1619 -msgid "The size of the encryption key" -msgstr "加密密钥大小" - -#: src/cryptsetup.c:2152 src/integritysetup.c:500 src/integritysetup.c:504 -#: src/integritysetup.c:508 src/cryptsetup_reencrypt.c:1619 -msgid "BITS" -msgstr "位" - -#: src/cryptsetup.c:2153 src/cryptsetup_reencrypt.c:1635 -msgid "Limits the read from keyfile" -msgstr "限制从密钥文件读取" - -#: src/cryptsetup.c:2153 src/cryptsetup.c:2154 src/cryptsetup.c:2155 -#: src/cryptsetup.c:2156 src/veritysetup.c:434 src/veritysetup.c:435 -#: src/veritysetup.c:436 src/veritysetup.c:439 src/veritysetup.c:440 -#: src/integritysetup.c:491 src/integritysetup.c:495 src/integritysetup.c:496 -#: src/cryptsetup_reencrypt.c:1634 src/cryptsetup_reencrypt.c:1635 -#: src/cryptsetup_reencrypt.c:1636 src/cryptsetup_reencrypt.c:1637 -msgid "bytes" -msgstr "字节" - -#: src/cryptsetup.c:2154 src/cryptsetup_reencrypt.c:1634 -msgid "Number of bytes to skip in keyfile" -msgstr "要从密钥文件跳过的字节数" - -#: src/cryptsetup.c:2155 -msgid "Limits the read from newly added keyfile" -msgstr "限制从新增密钥文件的读取" - -#: src/cryptsetup.c:2156 -msgid "Number of bytes to skip in newly added keyfile" -msgstr "要从新增密钥文件跳过的字节数" - -#: src/cryptsetup.c:2157 -msgid "Slot number for new key (default is first free)" -msgstr "新密钥的槽号(默认为第一个可用的)" - -#: src/cryptsetup.c:2158 -msgid "The size of the device" -msgstr "设备大小" - -#: src/cryptsetup.c:2158 src/cryptsetup.c:2159 src/cryptsetup.c:2160 -#: src/cryptsetup.c:2166 src/integritysetup.c:492 src/integritysetup.c:497 -msgid "SECTORS" -msgstr "扇区" - -#: src/cryptsetup.c:2159 -msgid "The start offset in the backend device" -msgstr "后端设备的起始偏移量" - -#: src/cryptsetup.c:2160 -msgid "How many sectors of the encrypted data to skip at the beginning" -msgstr "从开头要跳过的加密数据扇区数量" - -#: src/cryptsetup.c:2161 -msgid "Create a readonly mapping" -msgstr "创建只读映射" - -#: src/cryptsetup.c:2162 src/integritysetup.c:487 -#: src/cryptsetup_reencrypt.c:1625 -msgid "Do not ask for confirmation" -msgstr "不要请求确认" - -#: src/cryptsetup.c:2163 -msgid "Timeout for interactive passphrase prompt (in seconds)" -msgstr "交互式密码提示符超时长度(秒)" - -#: src/cryptsetup.c:2163 src/cryptsetup.c:2164 src/integritysetup.c:488 -#: src/cryptsetup_reencrypt.c:1626 -msgid "secs" -msgstr "秒" - -#: src/cryptsetup.c:2164 src/integritysetup.c:488 -#: src/cryptsetup_reencrypt.c:1626 -msgid "Progress line update (in seconds)" -msgstr "" - -#: src/cryptsetup.c:2165 src/cryptsetup_reencrypt.c:1627 -msgid "How often the input of the passphrase can be retried" -msgstr "输入密码的最大重试频率" - -#: src/cryptsetup.c:2166 -msgid "Align payload at sector boundaries - for luksFormat" -msgstr "于 个扇区边界处对其载荷数据 - 供 luks 格式用" - -#: src/cryptsetup.c:2167 -#, fuzzy -#| msgid "File with LUKS header and keyslots backup." -msgid "File with LUKS header and keyslots backup" -msgstr "带有 LUKS 数据头和密钥槽备份的文件。" - -#: src/cryptsetup.c:2168 src/cryptsetup_reencrypt.c:1628 -msgid "Use /dev/random for generating volume key" -msgstr "使用 /dev/random 生成卷密钥" - -#: src/cryptsetup.c:2169 src/cryptsetup_reencrypt.c:1629 -msgid "Use /dev/urandom for generating volume key" -msgstr "使用 /dev/urandom 生成卷密钥" - -#: src/cryptsetup.c:2170 -#, fuzzy -#| msgid "Share device with another non-overlapping crypt segment." -msgid "Share device with another non-overlapping crypt segment" -msgstr "与另一个不重合的加密段共享设备。" - -#: src/cryptsetup.c:2171 src/veritysetup.c:443 -#, fuzzy -#| msgid "UUID for device to use." -msgid "UUID for device to use" -msgstr "设备使用的 UUID 已占用。" - -#: src/cryptsetup.c:2172 -#, fuzzy -#| msgid "Allow discards (aka TRIM) requests for device." -msgid "Allow discards (aka TRIM) requests for device" -msgstr "允许设备的 discard(或称 TRIM)请求。" - -#: src/cryptsetup.c:2173 src/cryptsetup_reencrypt.c:1646 -#, fuzzy -#| msgid "Device or file with separated LUKS header." -msgid "Device or file with separated LUKS header" -msgstr "带有分离 LUKS 数据头的设备或文件。" - -#: src/cryptsetup.c:2174 -#, fuzzy -#| msgid "Do not activate device, just check passphrase." -msgid "Do not activate device, just check passphrase" -msgstr "不要激活设备,仅检查密码。" - -#: src/cryptsetup.c:2175 -#, fuzzy -#| msgid "Use hidden header (hidden TCRYPT device)." -msgid "Use hidden header (hidden TCRYPT device)" -msgstr "使用隐藏数据头(隐藏 TCRYPT 设备)" - -#: src/cryptsetup.c:2176 -#, fuzzy -#| msgid "Device is system TCRYPT drive (with bootloader)." -msgid "Device is system TCRYPT drive (with bootloader)" -msgstr "设备为系统 TCRYPT 驱动器(带有引导器)。" - -#: src/cryptsetup.c:2177 -msgid "Use backup (secondary) TCRYPT header" -msgstr "使用备份(次级)TCRYPT 标头" - -#: src/cryptsetup.c:2178 -#, fuzzy -#| msgid "Scan also for VeraCrypt compatible device." -msgid "Scan also for VeraCrypt compatible device" -msgstr "同时扫描 VeraCrypt 兼容的设备。" - -#: src/cryptsetup.c:2179 -#, fuzzy -#| msgid "Scan also for VeraCrypt compatible device." -msgid "Personal Iteration Multiplier for VeraCrypt compatible device" -msgstr "同时扫描 VeraCrypt 兼容的设备。" - -#: src/cryptsetup.c:2180 -#, fuzzy -#| msgid "Scan also for VeraCrypt compatible device." -msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device" -msgstr "同时扫描 VeraCrypt 兼容的设备。" - -#: src/cryptsetup.c:2181 -#, fuzzy -#| msgid "Type of device metadata: luks, plain, loopaes, tcrypt." -msgid "Type of device metadata: luks, plain, loopaes, tcrypt" -msgstr "设备元数据类型:luks, 纯粹 (plain), loopaes, tcrypt." - -#: src/cryptsetup.c:2182 -#, fuzzy -#| msgid "Disable password quality check (if enabled)." -msgid "Disable password quality check (if enabled)" -msgstr "禁用密码质量检查 (如果已启用)。" - -#: src/cryptsetup.c:2183 -#, fuzzy -#| msgid "Use dm-crypt same_cpu_crypt performance compatibility option." -msgid "Use dm-crypt same_cpu_crypt performance compatibility option" -msgstr "使用 dm-crypt same_cpu_crypt 性能兼容性选项。" - -#: src/cryptsetup.c:2184 -#, fuzzy -#| msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option." -msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option" -msgstr "使用 dm-crypt submit_from_crypt_cpus 性能兼容性选项。" - -#: src/cryptsetup.c:2185 -msgid "Device removal is deferred until the last user closes it" -msgstr "" - -#: src/cryptsetup.c:2186 -msgid "PBKDF iteration time for LUKS (in ms)" -msgstr "LUKS 默认 PBKDF 迭代时间(毫秒)" - -#: src/cryptsetup.c:2186 src/cryptsetup_reencrypt.c:1624 -msgid "msecs" -msgstr "毫秒" - -#: src/cryptsetup.c:2187 src/cryptsetup_reencrypt.c:1642 -msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2" -msgstr "" - -#: src/cryptsetup.c:2188 src/cryptsetup_reencrypt.c:1643 -msgid "PBKDF memory cost limit" -msgstr "PBKDF 内存开销限制" - -#: src/cryptsetup.c:2188 src/cryptsetup_reencrypt.c:1643 -msgid "kilobytes" -msgstr "千字节" - -#: src/cryptsetup.c:2189 src/cryptsetup_reencrypt.c:1644 -msgid "PBKDF parallel cost" -msgstr "PBKDF 并行开销" - -#: src/cryptsetup.c:2189 src/cryptsetup_reencrypt.c:1644 -msgid "threads" -msgstr "线程" - -#: src/cryptsetup.c:2190 src/cryptsetup_reencrypt.c:1645 -msgid "PBKDF iterations cost (forced, disables benchmark)" -msgstr "" - -#: src/cryptsetup.c:2191 -msgid "Keyslot priority: ignore, normal, prefer)" -msgstr "" - -#: src/cryptsetup.c:2192 -#, fuzzy -#| msgid "try to repair on-disk metadata" -msgid "Disable locking of on-disk metadata" -msgstr "尝试修复磁盘上的元数据" - -#: src/cryptsetup.c:2193 -msgid "Disable loading volume keys via kernel keyring" -msgstr "" - -#: src/cryptsetup.c:2194 -msgid "Data integrity algorithm (LUKS2 only)" -msgstr "" +#: src/cryptsetup.c:3697 src/cryptsetup.c:3709 +msgid "Key size must be a multiple of 8 bits" +msgstr "密钥尺寸必须是 8 的倍数" -#: src/cryptsetup.c:2195 src/integritysetup.c:511 +#: src/cryptsetup.c:3714 #, fuzzy -#| msgid "Invalid size parameters for verity device.\n" -msgid "Disable journal for integrity device" -msgstr "为 VERITY 设备提供的大小指标无效。\n" - -#: src/cryptsetup.c:2196 src/integritysetup.c:489 -msgid "Do not wipe device after format" -msgstr "" - -#: src/cryptsetup.c:2197 -msgid "Do not ask for passphrase if activation by token fails" -msgstr "" - -#: src/cryptsetup.c:2198 -msgid "Token number (default: any)" -msgstr "" +#| msgid "Maximum device reduce size is 64 MiB." +msgid "Maximum device reduce size is 1 GiB." +msgstr "最大设备缩减大小为 64 MiB。" -#: src/cryptsetup.c:2199 -msgid "Key description" -msgstr "" +#: src/cryptsetup.c:3717 +msgid "Reduce size must be multiple of 512 bytes sector." +msgstr "缩减大小必须为 512 字节扇区的倍数。" -#: src/cryptsetup.c:2200 -msgid "Encryption sector size (default: 512 bytes)" +#: src/cryptsetup.c:3734 +msgid "Option --priority can be only ignore/normal/prefer." msgstr "" -#: src/cryptsetup.c:2201 -msgid "Set activation flags persistent for device" -msgstr "" +#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643 +msgid "Show this help message" +msgstr "显示此帮助" -#: src/cryptsetup.c:2202 -#, fuzzy -#| msgid "formats a LUKS device" -msgid "Set label for the LUKS2 device" -msgstr "格式化一个 LUKS 设备" +#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644 +msgid "Display brief usage" +msgstr "显示简短用法" -#: src/cryptsetup.c:2203 -#, fuzzy -#| msgid "formats a LUKS device" -msgid "Set subsystem label for the LUKS2 device" -msgstr "格式化一个 LUKS 设备" +#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645 +msgid "Print package version" +msgstr "打印软件包版本" -#: src/cryptsetup.c:2204 -msgid "Create unbound (no assigned data segment) LUKS2 keyslot" -msgstr "" +#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656 +msgid "Help options:" +msgstr "帮助选项:" -#: src/cryptsetup.c:2220 src/veritysetup.c:464 src/integritysetup.c:528 +#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676 msgid "[OPTION...] " msgstr "[选项…] <动作> <动作特定参数>" -#: src/cryptsetup.c:2277 src/veritysetup.c:504 src/integritysetup.c:545 +#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687 msgid "Argument missing." msgstr "缺失参数 <动作>。" -#: src/cryptsetup.c:2333 src/veritysetup.c:535 src/integritysetup.c:576 +#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718 msgid "Unknown action." msgstr "未知动作。" -#: src/cryptsetup.c:2343 -#, fuzzy -#| msgid "Option --shared is allowed only for open of plain device.\n" -msgid "Option --deferred is allowed only for close command.\n" -msgstr "选项 --shared 只适用于打开纯设备。\n" - -#: src/cryptsetup.c:2348 -msgid "Option --shared is allowed only for open of plain device.\n" -msgstr "选项 --shared 只适用于打开纯设备。\n" - -#: src/cryptsetup.c:2353 -msgid "Option --allow-discards is allowed only for open operation.\n" -msgstr "选项 --allow-discards 只适用于打开操作。\n" - -#: src/cryptsetup.c:2358 -#, fuzzy -#| msgid "Option --allow-discards is allowed only for open operation.\n" -msgid "Option --persistent is allowed only for open operation.\n" -msgstr "选项 --allow-discards 只适用于打开操作。\n" - -#: src/cryptsetup.c:2363 -msgid "Option --persistent is not allowed with --test-passphrase.\n" -msgstr "" - -#: src/cryptsetup.c:2372 -#, fuzzy -#| msgid "" -#| "Option --key-size is allowed only for luksFormat, open and benchmark.\n" -#| "To limit read from keyfile use --keyfile-size=(bytes)." -msgid "" -"Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n" -"open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)." -msgstr "" -"选项 --key-size 只能用于 luksFormat, 打开和性能测试。\n" -"要限制密钥文件读取请使用 --keyfile-size=(字节数)。" - -#: src/cryptsetup.c:2378 -#, fuzzy -#| msgid "Option --align-payload is allowed only for luksFormat." -msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n" -msgstr "选项 --align-payload 只允许用于 luksFormat。" - -#: src/cryptsetup.c:2383 -msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n" -msgstr "" - -#: src/cryptsetup.c:2389 -#, fuzzy -#| msgid "Option --uuid is allowed only for luksFormat and luksUUID." -msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n" -msgstr "选项 --uuid 只允许用于 luksFormat 和 luksUUID。" - -#: src/cryptsetup.c:2395 -msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n" -msgstr "选项 --test-passphrase 只能用于打开 LUKS 和 TCRYPT 设备。\n" - -#: src/cryptsetup.c:2400 src/cryptsetup_reencrypt.c:1717 -msgid "Key size must be a multiple of 8 bits" -msgstr "密钥尺寸必须是 8 的倍数" - -#: src/cryptsetup.c:2406 src/cryptsetup_reencrypt.c:1402 -#: src/cryptsetup_reencrypt.c:1722 -msgid "Key slot is invalid." -msgstr "密钥槽无效。" - -#: src/cryptsetup.c:2413 +#: src/cryptsetup.c:3895 #, fuzzy #| msgid "Option --key-file takes precedence over specified key file argument.\n" msgid "Option --key-file takes precedence over specified key file argument." msgstr "选项 --key-file 优先使用指定的密钥文件参数。\n" -#: src/cryptsetup.c:2420 src/veritysetup.c:547 src/integritysetup.c:595 -#: src/cryptsetup_reencrypt.c:1696 -msgid "Negative number for option not permitted." -msgstr "不允许在选项中填入负数。" - -#: src/cryptsetup.c:2424 +#: src/cryptsetup.c:3901 msgid "Only one --key-file argument is allowed." msgstr "只允许存在一个 --key-file 选项。" -#: src/cryptsetup.c:2428 src/cryptsetup_reencrypt.c:1688 -#: src/cryptsetup_reencrypt.c:1726 -msgid "Only one of --use-[u]random options is allowed." -msgstr "--use-[u]random 选项只能用一处。" - -#: src/cryptsetup.c:2432 -msgid "Option --use-[u]random is allowed only for luksFormat." -msgstr "选项 --use-[u]random 只适用于 luksFormat。" - -#: src/cryptsetup.c:2436 -msgid "Option --uuid is allowed only for luksFormat and luksUUID." -msgstr "选项 --uuid 只允许用于 luksFormat 和 luksUUID。" - -#: src/cryptsetup.c:2440 -msgid "Option --align-payload is allowed only for luksFormat." -msgstr "选项 --align-payload 只允许用于 luksFormat。" - -#: src/cryptsetup.c:2446 -msgid "Option --skip is supported only for open of plain and loopaes devices.\n" -msgstr "选项 --skip 只适用于打开纯设备和 loopaes 设备。\n" - -#: src/cryptsetup.c:2452 -msgid "Option --offset is supported only for open of plain and loopaes devices.\n" -msgstr "选项 --offset 只适用于打开纯设备和 loopaes 设备。\n" - -#: src/cryptsetup.c:2458 -msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n" -msgstr "选项 --tcrypt-hidden, --tcrypt-system 或 --tcrypt-backup 只支持 TCRYPT 设备。\n" - -#: src/cryptsetup.c:2463 -msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n" -msgstr "选项 --tcrypt-hidden 不能与 --allow-discards 共用。\n" - -#: src/cryptsetup.c:2468 -msgid "Option --veracrypt is supported only for TCRYPT device type.\n" -msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" - -#: src/cryptsetup.c:2474 -msgid "Invalid argument for parameter --veracrypt-pim supplied.\n" -msgstr "" - -#: src/cryptsetup.c:2478 -#, fuzzy -#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n" -msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n" -msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" - -#: src/cryptsetup.c:2486 -#, fuzzy -#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n" -msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n" -msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n" - -#: src/cryptsetup.c:2490 -msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n" -msgstr "" - -#: src/cryptsetup.c:2497 -msgid "Option --priority can be only ignore/normal/prefer.\n" +#: src/cryptsetup.c:3906 +msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id." msgstr "" -#: src/cryptsetup.c:2502 -msgid "Keyslot specification is required.\n" +#: src/cryptsetup.c:3911 +msgid "PBKDF forced iterations cannot be combined with iteration time option." msgstr "" -#: src/cryptsetup.c:2507 src/cryptsetup_reencrypt.c:1702 -msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n" +#: src/cryptsetup.c:3916 +msgid "Cannot link volume key to a keyring when keyring is disabled." msgstr "" -#: src/cryptsetup.c:2512 src/cryptsetup_reencrypt.c:1707 -msgid "PBKDF forced iterations cannot be combined with iteration time option.\n" +#: src/cryptsetup.c:3927 +msgid "Options --keyslot-cipher and --keyslot-key-size must be used together." msgstr "" -#: src/cryptsetup.c:2518 -#, fuzzy -#| msgid "This operation is not supported for this device type.\n" -msgid "Sector size option is not supported for this command.\n" -msgstr "不支持在这类设备上执行此操作。\n" - -#: src/cryptsetup.c:2524 -msgid "Unsupported encryption sector size.\n" -msgstr "不支持的加密扇区大小。\n" - -#: src/cryptsetup.c:2529 -msgid "Key size is required with --unbound option.\n" +#: src/cryptsetup.c:3935 +msgid "No action taken. Invoked with --test-args option.\n" msgstr "" -#: src/cryptsetup.c:2534 -#, fuzzy -#| msgid "Option --new cannot be used together with --decrypt." -msgid "Option --unbound may be used only with luksAddKey action.\n" -msgstr "选项 --new 不可与 --decrypt 共用。" - -#: src/cryptsetup.c:2544 -msgid "Cannot disable metadata locking.\n" -msgstr "无法禁用元数据锁定。\n" +#: src/cryptsetup.c:3948 +msgid "Cannot disable metadata locking." +msgstr "无法禁用元数据锁定。" -#: src/veritysetup.c:67 +#: src/veritysetup.c:54 msgid "Invalid salt string specified." msgstr "指定了无效的盐字串。" -#: src/veritysetup.c:98 +#: src/veritysetup.c:87 #, fuzzy, c-format #| msgid "Cannot create hash image %s for writing.\n" msgid "Cannot create hash image %s for writing." msgstr "无法为创建哈希映像 %s 以供写入。\n" -#: src/veritysetup.c:108 +#: src/veritysetup.c:97 #, fuzzy, c-format #| msgid "Cannot create hash image %s for writing.\n" msgid "Cannot create FEC image %s for writing." msgstr "无法为创建哈希映像 %s 以供写入。\n" -#: src/veritysetup.c:181 +#: src/veritysetup.c:136 +#, fuzzy, c-format +#| msgid "Cannot create hash image %s for writing.\n" +msgid "Cannot create root hash file %s for writing." +msgstr "无法为创建哈希映像 %s 以供写入。\n" + +#: src/veritysetup.c:143 +#, fuzzy, c-format +#| msgid "Cannot write to keyfile %s." +msgid "Cannot write to root hash file %s." +msgstr "无法写入密钥文件 %s。" + +#: src/veritysetup.c:198 src/veritysetup.c:476 +#, c-format +msgid "Device %s is not a valid VERITY device." +msgstr "%s 不是有效的 VERITY 设备。" + +#: src/veritysetup.c:215 src/veritysetup.c:232 +#, fuzzy, c-format +#| msgid "Cannot create header file %s." +msgid "Cannot read root hash file %s." +msgstr "无法创建标头文件 %s。" + +#: src/veritysetup.c:220 +#, fuzzy, c-format +#| msgid "Invalid root hash string specified.\n" +msgid "Invalid root hash file %s." +msgstr "指定了无效的根哈希值字串。\n" + +#: src/veritysetup.c:241 #, fuzzy #| msgid "Invalid root hash string specified.\n" msgid "Invalid root hash string specified." msgstr "指定了无效的根哈希值字串。\n" -#: src/veritysetup.c:363 +#: src/veritysetup.c:249 +#, fuzzy, c-format +#| msgid "Invalid device %s." +msgid "Invalid signature file %s." +msgstr "设备 %s 无效。" + +#: src/veritysetup.c:256 +#, fuzzy, c-format +#| msgid "Cannot read keyfile %s.\n" +msgid "Cannot read signature file %s." +msgstr "" +"无法读取密钥文件 %s。\n" +"\n" + +#: src/veritysetup.c:279 src/veritysetup.c:293 +msgid "Command requires or --root-hash-file option as argument." +msgstr "" + +#: src/veritysetup.c:489 msgid " " msgstr "<数据设备> <哈希设备>" -#: src/veritysetup.c:363 src/integritysetup.c:425 +#: src/veritysetup.c:489 src/integritysetup.c:543 msgid "format device" msgstr "格式化设备" -#: src/veritysetup.c:364 -msgid " " +#: src/veritysetup.c:490 +#, fuzzy +#| msgid " " +msgid " []" msgstr "<数据设备> <哈希设备> <根哈希值>" -#: src/veritysetup.c:364 +#: src/veritysetup.c:490 msgid "verify device" msgstr "验证设备" -#: src/veritysetup.c:365 +#: src/veritysetup.c:491 #, fuzzy #| msgid " " -msgid " " +msgid " []" msgstr "<数据设备> <哈希设备> <根哈希值>" -#: src/veritysetup.c:365 src/integritysetup.c:426 -msgid "open device as " -msgstr "以 <名称> 打开设备" - -#: src/veritysetup.c:366 src/integritysetup.c:427 -#, fuzzy -#| msgid "close device (remove mapping)" -msgid "close device (deactivate and remove mapping)" -msgstr "关闭设备(移除映射)" - -#: src/veritysetup.c:367 src/integritysetup.c:428 +#: src/veritysetup.c:493 src/integritysetup.c:546 msgid "show active device status" msgstr "显示已激活的设备信息" -#: src/veritysetup.c:368 +#: src/veritysetup.c:494 msgid "" msgstr "<哈希设备>" -#: src/veritysetup.c:368 src/integritysetup.c:429 +#: src/veritysetup.c:494 src/integritysetup.c:547 msgid "show on-disk information" msgstr "显示磁盘上的信息" -#: src/veritysetup.c:387 +#: src/veritysetup.c:513 #, c-format msgid "" "\n" @@ -2364,7 +3454,7 @@ msgstr "" "<哈希设备> 是含有验证信息的设备\n" "<根哈希值> 是 <哈希设备> 根节点的哈希值\n" -#: src/veritysetup.c:394 +#: src/veritysetup.c:520 #, c-format msgid "" "\n" @@ -2375,666 +3465,1527 @@ msgstr "" "编译时决定的默认 dm-verify 参数:\n" "\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n" -#: src/veritysetup.c:432 -msgid "Do not use verity superblock" -msgstr "不使用真理超级块" +#: src/veritysetup.c:661 +#, fuzzy +#| msgid "Option --allow-discards is allowed only for open operation.\n" +msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together." +msgstr "选项 --allow-discards 只适用于打开操作。\n" -#: src/veritysetup.c:433 -msgid "Format type (1 - normal, 0 - original Chrome OS)" -msgstr "格式类型 (1 - 正常, 0 - 原版 Chrome OS)" +#: src/veritysetup.c:666 +#, fuzzy +#| msgid "Option --allow-discards is allowed only for open operation.\n" +msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together." +msgstr "选项 --allow-discards 只适用于打开操作。\n" -#: src/veritysetup.c:433 -msgid "number" -msgstr "数字" +#: src/integritysetup.c:177 +#, c-format +msgid "" +"This will overwrite data on %s and %s irrevocably.\n" +"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)." +msgstr "" -#: src/veritysetup.c:434 -msgid "Block size on the data device" -msgstr "数据设备的块大小" +#: src/integritysetup.c:217 +#, c-format +msgid "Formatted with tag size %u, internal integrity %s.\n" +msgstr "" -#: src/veritysetup.c:435 -msgid "Block size on the hash device" -msgstr "哈希设备的块大小" +#: src/integritysetup.c:298 +msgid "Setting recalculate flag is not supported, you may consider using --wipe instead." +msgstr "" -#: src/veritysetup.c:436 -msgid "FEC parity bytes" -msgstr "FEC 校验字节" +#: src/integritysetup.c:373 src/integritysetup.c:530 +#, fuzzy, c-format +#| msgid "Device %s is not a valid VERITY device." +msgid "Device %s is not a valid INTEGRITY device." +msgstr "%s 不是有效的 VERITY 设备。" -#: src/veritysetup.c:437 -msgid "The number of blocks in the data file" -msgstr "数据文件的块数量" +#: src/integritysetup.c:543 src/integritysetup.c:547 +#, fuzzy +#| msgid "verify device" +msgid "" +msgstr "验证设备" -#: src/veritysetup.c:437 -msgid "blocks" -msgstr "块" +#: src/integritysetup.c:544 +msgid " " +msgstr "" -#: src/veritysetup.c:438 -msgid "Path to device with error correction data" +#: src/integritysetup.c:567 +#, fuzzy, c-format +#| msgid "" +#| "\n" +#| " is the device to create under %s\n" +#| " is the data device\n" +#| " is the device containing verification data\n" +#| " hash of the root node on \n" +msgid "" +"\n" +" is the device to create under %s\n" +" is the device containing data with integrity tags\n" msgstr "" +"\n" +"<名称> 是在 %s 下要创建的设备\n" +"<数据设备> 就是数据设备\n" +"<哈希设备> 是含有验证信息的设备\n" +"<根哈希值> 是 <哈希设备> 根节点的哈希值\n" + +#: src/integritysetup.c:572 +#, fuzzy, c-format +#| msgid "" +#| "\n" +#| "Default compiled-in dm-verity parameters:\n" +#| "\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n" +msgid "" +"\n" +"Default compiled-in dm-integrity parameters:\n" +"\tChecksum algorithm: %s\n" +"\tMaximum keyfile size: %dkB\n" +msgstr "" +"\n" +"编译时决定的默认 dm-verify 参数:\n" +"\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n" + +#: src/integritysetup.c:629 +#, c-format +msgid "Invalid --%s size. Maximum is %u bytes." +msgstr "" + +#: src/integritysetup.c:732 +msgid "Both key file and key size options must be specified." +msgstr "密钥文件和密钥大小选项均必须指定。" + +#: src/integritysetup.c:736 +msgid "Both journal integrity key file and key size options must be specified." +msgstr "" + +#: src/integritysetup.c:739 +msgid "Journal integrity algorithm must be specified if journal integrity key is used." +msgstr "如果使用了日志加密密钥,则必须指定日志完整性校验算法。" + +#: src/integritysetup.c:743 +msgid "Both journal encryption key file and key size options must be specified." +msgstr "日志加密密钥文件和密钥大小选项均必须指定。" + +#: src/integritysetup.c:746 +msgid "Journal encryption algorithm must be specified if journal encryption key is used." +msgstr "如果使用了日志加密密钥,则必须指定日志加密算法。" + +#: src/integritysetup.c:750 +msgid "Recovery and bitmap mode options are mutually exclusive." +msgstr "" + +#: src/integritysetup.c:757 +msgid "Journal options cannot be used in bitmap mode." +msgstr "" + +#: src/integritysetup.c:762 +msgid "Bitmap options can be used only in bitmap mode." +msgstr "" + +#: src/utils_tools.c:118 +msgid "" +"\n" +"WARNING!\n" +"========\n" +msgstr "" +"\n" +"警告!\n" +"========\n" + +#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word. +#: src/utils_tools.c:120 +#, c-format +msgid "" +"%s\n" +"\n" +"Are you sure? (Type 'yes' in capital letters): " +msgstr "" + +#: src/utils_tools.c:126 +msgid "Error reading response from terminal." +msgstr "从终端读取响应时失败。" + +#: src/utils_tools.c:158 +msgid "Command successful." +msgstr "命令成功。" + +#: src/utils_tools.c:166 +msgid "wrong or missing parameters" +msgstr "错误或缺失的参数" + +#: src/utils_tools.c:168 +msgid "no permission or bad passphrase" +msgstr "无权限或口令错误" + +#: src/utils_tools.c:170 +msgid "out of memory" +msgstr "内存耗尽" + +#: src/utils_tools.c:172 +msgid "wrong device or file specified" +msgstr "指定了错误的设备或文件" + +#: src/utils_tools.c:174 +msgid "device already exists or device is busy" +msgstr "设备已存在或设备正忙" + +#: src/utils_tools.c:176 +msgid "unknown error" +msgstr "未知错误" + +#: src/utils_tools.c:178 +#, c-format +msgid "Command failed with code %i (%s)." +msgstr "命令失败,代码 %i(%s)。" + +#: src/utils_tools.c:256 +#, fuzzy, c-format +#| msgid "Key slot %d changed." +msgid "Key slot %i created." +msgstr "密钥槽 %d 已改变。" + +#: src/utils_tools.c:258 +#, fuzzy, c-format +#| msgid "Key slot %d unlocked." +msgid "Key slot %i unlocked." +msgstr "密钥槽 %d 已解锁。" + +#: src/utils_tools.c:260 +#, fuzzy, c-format +#| msgid "Key slot %d unlocked." +msgid "Key slot %i removed." +msgstr "密钥槽 %d 已解锁。" + +#: src/utils_tools.c:269 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Token %i created." +msgstr "密钥槽 %d 未使用。\n" + +#: src/utils_tools.c:271 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Token %i removed." +msgstr "密钥槽 %d 未使用。\n" + +#: src/utils_tools.c:281 +msgid "No token could be unlocked with this PIN." +msgstr "" + +#: src/utils_tools.c:283 +#, fuzzy, c-format +#| msgid "Key slot %d is not used.\n" +msgid "Token %i requires PIN." +msgstr "密钥槽 %d 未使用。\n" + +#: src/utils_tools.c:285 +#, c-format +msgid "Token (type %s) requires PIN." +msgstr "" + +#: src/utils_tools.c:288 +#, c-format +msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." +msgstr "" + +#: src/utils_tools.c:290 +#, c-format +msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)." +msgstr "" + +#: src/utils_tools.c:293 +#, c-format +msgid "Token %i requires additional missing resource." +msgstr "" + +#: src/utils_tools.c:295 +#, c-format +msgid "Token (type %s) requires additional missing resource." +msgstr "" + +#: src/utils_tools.c:298 +#, c-format +msgid "No usable token (type %s) is available." +msgstr "" + +#: src/utils_tools.c:300 +msgid "No usable token is available." +msgstr "" + +#: src/utils_tools.c:393 +#, fuzzy, c-format +#| msgid "Cannot read keyfile %s.\n" +msgid "Cannot read keyfile %s." +msgstr "" +"无法读取密钥文件 %s。\n" +"\n" + +#: src/utils_tools.c:398 +#, fuzzy, c-format +#| msgid "Cannot read %d bytes from keyfile %s.\n" +msgid "Cannot read %d bytes from keyfile %s." +msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n" + +#: src/utils_tools.c:423 +#, c-format +msgid "Cannot open keyfile %s for write." +msgstr "无法打开密钥文件 %s 以供写入。" + +#: src/utils_tools.c:430 +#, c-format +msgid "Cannot write to keyfile %s." +msgstr "无法写入密钥文件 %s。" + +#: src/utils_progress.c:74 +#, c-format +msgid "%02m%02s" +msgstr "" + +#: src/utils_progress.c:76 +#, c-format +msgid "%02h%02m%02s" +msgstr "" + +#: src/utils_progress.c:78 +#, c-format +msgid "%02 days" +msgstr "" + +#: src/utils_progress.c:105 src/utils_progress.c:138 +#, c-format +msgid "%4 %s written" +msgstr "" + +#: src/utils_progress.c:109 src/utils_progress.c:142 +#, c-format +msgid "speed %5.1f %s/s" +msgstr "" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. 'eol' is always new-line or empty. +#. See above. +#. +#: src/utils_progress.c:118 +#, c-format +msgid "Progress: %5.1f%%, ETA %s, %s, %s%s" +msgstr "" + +#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed +#. to get translated as well. See above +#. +#: src/utils_progress.c:150 +#, c-format +msgid "Finished, time %s, %s, %s\n" +msgstr "" + +#: src/utils_password.c:41 src/utils_password.c:72 +#, c-format +msgid "Cannot check password quality: %s" +msgstr "无法检查密码质量:%s" + +#: src/utils_password.c:49 +#, c-format +msgid "" +"Password quality check failed:\n" +" %s" +msgstr "" +"密码质量检查失败:\n" +" %s" + +#: src/utils_password.c:79 +#, c-format +msgid "Password quality check failed: Bad passphrase (%s)" +msgstr "密码质量检查失败:无效密码 (%s)" + +#: src/utils_password.c:231 src/utils_password.c:245 +msgid "Error reading passphrase from terminal." +msgstr "从终端读取口令时出错。" + +#: src/utils_password.c:243 +msgid "Verify passphrase: " +msgstr "确认密码:" + +#: src/utils_password.c:250 +msgid "Passphrases do not match." +msgstr "口令不匹配。" + +#: src/utils_password.c:288 +msgid "Cannot use offset with terminal input." +msgstr "不能将偏移量用于终端输入。" + +#: src/utils_password.c:292 +#, c-format +msgid "Enter passphrase: " +msgstr "输入口令:" + +#: src/utils_password.c:295 +#, c-format +msgid "Enter passphrase for %s: " +msgstr "输入 %s 的口令:" + +#: src/utils_password.c:329 +msgid "No key available with this passphrase." +msgstr "此口令无可用的密钥。" + +#: src/utils_password.c:331 +msgid "No usable keyslot is available." +msgstr "" + +#: src/utils_luks.c:68 +#, fuzzy +#| msgid "Can't do passphrase verification on non-tty inputs.\n" +msgid "Can't do passphrase verification on non-tty inputs." +msgstr "无法从非 TTY 输入验证密码。\n" + +#: src/utils_luks.c:183 +#, c-format +msgid "Failed to open file %s in read-only mode." +msgstr "以只读模式打开文件 %s 失败。" + +#: src/utils_luks.c:196 +msgid "Provide valid LUKS2 token JSON:\n" +msgstr "" + +#: src/utils_luks.c:203 +msgid "Failed to read JSON file." +msgstr "读取 JSON 文件失败。" + +#: src/utils_luks.c:208 +msgid "" +"\n" +"Read interrupted." +msgstr "" +"\n" +"读取被打断。" + +#: src/utils_luks.c:249 +#, fuzzy, c-format +#| msgid "Cannot open keyfile %s for write." +msgid "Failed to open file %s in write mode." +msgstr "无法打开密钥文件 %s 以供写入。" + +#: src/utils_luks.c:258 +msgid "" +"\n" +"Write interrupted." +msgstr "" +"\n" +"写入被打断。" + +#: src/utils_luks.c:262 +msgid "Failed to write JSON file." +msgstr "写入 JSON 文件失败。" + +#: src/utils_reencrypt.c:120 +#, c-format +msgid "Auto-detected active dm device '%s' for data device %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:124 +#, fuzzy, c-format +#| msgid "Failed to acquire write lock on device %s." +msgid "Failed to auto-detect device %s holders." +msgstr "无法获取设备 %s 上的写入锁。" + +#: src/utils_reencrypt.c:130 +#, c-format +msgid "Device %s is not a block device.\n" +msgstr "设备 %s 不是块设备。\n" + +#: src/utils_reencrypt.c:132 +#, c-format +msgid "" +"Unable to decide if device %s is activated or not.\n" +"Are you sure you want to proceed with reencryption in offline mode?\n" +"It may lead to data corruption if the device is actually activated.\n" +"To run reencryption in online mode, use --active-name parameter instead.\n" +msgstr "" + +#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274 +#, c-format +msgid "" +"Device %s is not a block device. Can not auto-detect if it is active or not.\n" +"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221 +#: src/utils_reencrypt.c:231 +msgid "Requested --resilience option cannot be applied to current reencryption operation." +msgstr "" + +#: src/utils_reencrypt.c:203 +msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt." +msgstr "" + +#: src/utils_reencrypt.c:208 +msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt." +msgstr "" + +#: src/utils_reencrypt.c:215 +msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied." +msgstr "" + +#: src/utils_reencrypt.c:293 +msgid "Device requires reencryption recovery. Run repair first." +msgstr "" + +#: src/utils_reencrypt.c:307 +#, c-format +msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?" +msgstr "" + +#: src/utils_reencrypt.c:416 +msgid "Legacy LUKS2 reencryption is no longer supported." +msgstr "" + +#: src/utils_reencrypt.c:421 +msgid "Can not reencrypt LUKS2 device configured to use OPAL." +msgstr "" + +#: src/utils_reencrypt.c:427 +msgid "Reencryption of device with integrity profile is not supported." +msgstr "不支持带有完整性 profile 信息的设备的重加密。" + +#: src/utils_reencrypt.c:464 +#, c-format +msgid "" +"Requested --sector-size % is incompatible with %s superblock\n" +"(block size: % bytes) detected on device %s." +msgstr "" + +#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412 +msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)." +msgstr "" + +#: src/utils_reencrypt.c:540 +msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter." +msgstr "" + +#: src/utils_reencrypt.c:550 +#, c-format +msgid "Adjusting --reduce-device-size value to twice the --offset % (sectors).\n" +msgstr "" + +#: src/utils_reencrypt.c:580 +#, fuzzy, c-format +#| msgid "Requested header backup file %s already exists." +msgid "Temporary header file %s already exists. Aborting." +msgstr "请求的标头备份文件 %s 已存在。" + +#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589 +#, fuzzy, c-format +#| msgid "Cannot create header file %s." +msgid "Cannot create temporary header file %s." +msgstr "无法创建标头文件 %s。" + +#: src/utils_reencrypt.c:614 +msgid "LUKS2 metadata size is larger than data shift value." +msgstr "" + +#: src/utils_reencrypt.c:651 +#, fuzzy, c-format +#| msgid "Failed to acquire read lock on device %s." +msgid "Failed to place new header at head of device %s." +msgstr "无法获取设备 %s 的读取锁。" + +#: src/utils_reencrypt.c:661 +#, c-format +msgid "%s/%s is now active and ready for online encryption.\n" +msgstr "" + +#: src/utils_reencrypt.c:697 +#, fuzzy, c-format +#| msgid "Device %s is not active." +msgid "Active device %s is not LUKS2." +msgstr "设备 %s 未激活。" + +#: src/utils_reencrypt.c:725 +msgid "Restoring original LUKS2 header." +msgstr "" + +#: src/utils_reencrypt.c:733 +#, fuzzy +#| msgid "Writing LUKS header to disk." +msgid "Original LUKS2 header restore failed." +msgstr "正在将 LUKS 标头写入磁盘。" + +#: src/utils_reencrypt.c:759 +#, c-format +msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?" +msgstr "" + +#: src/utils_reencrypt.c:807 +#, fuzzy +#| msgid "Failed to write activation flags to new header." +msgid "Failed to add read/write permissions to exported header file." +msgstr "向新表头写入活动旗标失败。" + +#: src/utils_reencrypt.c:860 +#, c-format +msgid "Reencryption initialization failed. Header backup is available in %s." +msgstr "" + +#: src/utils_reencrypt.c:888 +msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)." +msgstr "" + +#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032 +#, fuzzy +#| msgid "Do not change key, no data area reencryption" +msgid "Not enough free keyslots for reencryption." +msgstr "不要更改密钥,无数据区重加密" + +#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100 +msgid "Key file can be used only with --key-slot or with exactly one key slot active." +msgstr "密钥文件只能在指定 --key-slot 时或有且只有一个槽启用时使用。" + +#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147 +#: src/utils_reencrypt_luks1.c:1158 +#, fuzzy, c-format +#| msgid "Enter passphrase for key slot %u: " +msgid "Enter passphrase for key slot %d: " +msgstr "输入密钥槽 %u 的口令: " + +#: src/utils_reencrypt.c:1074 +#, c-format +msgid "Enter passphrase for key slot %u: " +msgstr "输入密钥槽 %u 的口令: " + +#: src/utils_reencrypt.c:1126 +#, c-format +msgid "Switching data encryption cipher to %s.\n" +msgstr "" + +#: src/utils_reencrypt.c:1180 +msgid "No data segment parameters changed. Reencryption aborted." +msgstr "" + +#: src/utils_reencrypt.c:1282 +msgid "" +"Encryption sector size increase on offline device is not supported.\n" +"Activate the device first or use --force-offline-reencrypt option (dangerous!)." +msgstr "" + +#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726 +#: src/utils_reencrypt_luks1.c:798 +msgid "" +"\n" +"Reencryption interrupted." +msgstr "" +"\n" +"重加密被中断。" + +#: src/utils_reencrypt.c:1327 +msgid "Resuming LUKS reencryption in forced offline mode.\n" +msgstr "" + +#: src/utils_reencrypt.c:1350 +#, c-format +msgid "Device %s contains broken LUKS metadata. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388 +#, fuzzy, c-format +#| msgid "Device %s is not a valid LUKS device." +msgid "Device %s is already LUKS device. Aborting operation." +msgstr "%s 不是有效的 LUKS 设备。" + +#: src/utils_reencrypt.c:1394 +#, c-format +msgid "Device %s is already in LUKS reencryption. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1476 +msgid "LUKS2 decryption requires --header option." +msgstr "" + +#: src/utils_reencrypt.c:1524 +#, fuzzy +#| msgid "Command requires device and mapped name as arguments.\n" +msgid "Command requires device as argument." +msgstr "命令需要设备及映射名作为参数。\n" + +#: src/utils_reencrypt.c:1537 +#, c-format +msgid "Conflicting versions. Device %s is LUKS1." +msgstr "" + +#: src/utils_reencrypt.c:1543 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS1 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1549 +#, c-format +msgid "Conflicting versions. Device %s is LUKS2." +msgstr "" + +#: src/utils_reencrypt.c:1555 +#, c-format +msgid "Conflicting versions. Device %s is in LUKS2 reencryption." +msgstr "" + +#: src/utils_reencrypt.c:1561 +msgid "LUKS2 reencryption already initialized. Aborting operation." +msgstr "" + +#: src/utils_reencrypt.c:1568 +msgid "Device reencryption not in progress." +msgstr "未在进行设备重加密。" + +#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295 +#, c-format +msgid "Cannot exclusively open %s, device in use." +msgstr "无法独占打开 %s,设备正在使用中。" + +#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945 +msgid "Allocation of aligned memory failed." +msgstr "分配对齐内存失败。" + +#: src/utils_reencrypt_luks1.c:150 +#, c-format +msgid "Cannot read device %s." +msgstr "无法读取设备 %s。" + +#: src/utils_reencrypt_luks1.c:161 +#, c-format +msgid "Marking LUKS1 device %s unusable." +msgstr "正在标记 LUKS1 设备 %s 为不可用状态。" + +#: src/utils_reencrypt_luks1.c:177 +#, c-format +msgid "Cannot write device %s." +msgstr "无法写入设备 %s。" + +#: src/utils_reencrypt_luks1.c:226 +msgid "Cannot write reencryption log file." +msgstr "无法写入重加密日志文件。" + +#: src/utils_reencrypt_luks1.c:282 +msgid "Cannot read reencryption log file." +msgstr "无法读取重加密日志文件。" + +#: src/utils_reencrypt_luks1.c:293 +msgid "Wrong log format." +msgstr "错误的日志格式。" + +#: src/utils_reencrypt_luks1.c:320 +#, c-format +msgid "Log file %s exists, resuming reencryption.\n" +msgstr "日志文件 %s 存在,继续重加密。\n" + +#: src/utils_reencrypt_luks1.c:369 +msgid "Activating temporary device using old LUKS header." +msgstr "正使用旧 LUKS 标头激活临时设备。" + +#: src/utils_reencrypt_luks1.c:379 +msgid "Activating temporary device using new LUKS header." +msgstr "正使用新 LUKS 标头激活临时设备。" + +#: src/utils_reencrypt_luks1.c:389 +msgid "Activation of temporary devices failed." +msgstr "激活临时设备失败。" + +# stat() 主要就是出来一个各种文件信息…… +#: src/utils_reencrypt_luks1.c:449 +#, fuzzy +#| msgid "Failed to stat key file." +msgid "Failed to set data offset." +msgstr "获取 (stat) 密钥文件信息失败。" + +# stat() 主要就是出来一个各种文件信息…… +#: src/utils_reencrypt_luks1.c:455 +#, fuzzy +#| msgid "Failed to stat key file." +msgid "Failed to set metadata size." +msgstr "获取 (stat) 密钥文件信息失败。" + +#: src/utils_reencrypt_luks1.c:463 +#, c-format +msgid "New LUKS header for device %s created." +msgstr "已创建设备 %s 的新 LUKS 标头。" + +#: src/utils_reencrypt_luks1.c:500 +#, c-format +msgid "%s header backup of device %s created." +msgstr "已创建 %s 标头备份(对应设备 %s)。" + +#: src/utils_reencrypt_luks1.c:556 +msgid "Creation of LUKS backup headers failed." +msgstr "LUKS 备份标头创建失败。" + +#: src/utils_reencrypt_luks1.c:685 +#, c-format +msgid "Cannot restore %s header on device %s." +msgstr "无法恢复 %s 标头(在设备 %s 上)。" + +#: src/utils_reencrypt_luks1.c:687 +#, c-format +msgid "%s header on device %s restored." +msgstr "已恢复 %s 标头(在设备 %s 上)。" + +#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923 +msgid "Cannot open temporary LUKS device." +msgstr "无法打开临时 LUKS 设备。" + +#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933 +msgid "Cannot get device size." +msgstr "无法获取设备大小。" + +#: src/utils_reencrypt_luks1.c:968 +msgid "IO error during reencryption." +msgstr "重加密时发生 IO 错误。" + +#: src/utils_reencrypt_luks1.c:998 +msgid "Provided UUID is invalid." +msgstr "提供的 UUID 无效。" + +#: src/utils_reencrypt_luks1.c:1224 +msgid "Cannot open reencryption log file." +msgstr "无法打开重加密日志文件。" + +#: src/utils_reencrypt_luks1.c:1230 +msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." +msgstr "没有正在进行中的解密操作,提供的 UUID 仅能用于继续已挂起的解密操作。" + +#: src/utils_reencrypt_luks1.c:1286 +#, c-format +msgid "Reencryption will change: %s%s%s%s%s%s." +msgstr "重加密会改变:%s%s%s%s%s%s。" + +#: src/utils_reencrypt_luks1.c:1287 +msgid "volume key" +msgstr "卷密钥" + +#: src/utils_reencrypt_luks1.c:1289 +msgid "set hash to " +msgstr "设置哈希值为 " + +#: src/utils_reencrypt_luks1.c:1290 +msgid ", set cipher to " +msgstr ",设定密文为 " + +#: src/utils_blockdev.c:189 +#, c-format +msgid "WARNING: Device %s already contains a '%s' partition signature.\n" +msgstr "" + +#: src/utils_blockdev.c:197 +#, c-format +msgid "WARNING: Device %s already contains a '%s' superblock signature.\n" +msgstr "" + +#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354 +#, fuzzy +#| msgid "Failed to initialise default LUKS2 keyslot parameters." +msgid "Failed to initialize device signature probes." +msgstr "初始化默认 LUKS2 密钥槽参数失败。" + +# stat() 主要就是出来一个各种文件信息…… +#: src/utils_blockdev.c:282 +#, fuzzy, c-format +#| msgid "Failed to stat key file." +msgid "Failed to stat device %s." +msgstr "获取 (stat) 密钥文件信息失败。" + +#: src/utils_blockdev.c:297 +#, fuzzy, c-format +#| msgid "Cannot open keyfile %s for write." +msgid "Failed to open file %s in read/write mode." +msgstr "无法打开密钥文件 %s 以供写入。" + +#: src/utils_blockdev.c:317 +#, c-format +msgid "Existing '%s' partition signature on device %s will be wiped." +msgstr "" + +#: src/utils_blockdev.c:320 +#, c-format +msgid "Existing '%s' superblock signature on device %s will be wiped." +msgstr "" + +#: src/utils_blockdev.c:323 +#, fuzzy +#| msgid "Failed to acquire write device lock." +msgid "Failed to wipe device signature." +msgstr "无法获取写入设备锁。" + +#: src/utils_blockdev.c:330 +#, c-format +msgid "Failed to probe device %s for a signature." +msgstr "" + +#: src/utils_args.c:65 +#, fuzzy, c-format +#| msgid "Invalid device size specification." +msgid "Invalid size specification in parameter --%s." +msgstr "无效的设备大小指标。" + +#: src/utils_args.c:125 +#, fuzzy, c-format +#| msgid "Option --allow-discards is allowed only for open operation.\n" +msgid "Option --%s is not allowed with %s action." +msgstr "选项 --allow-discards 只适用于打开操作。\n" + +# stat() 主要就是出来一个各种文件信息…… +#: tokens/ssh/cryptsetup-ssh.c:123 +#, fuzzy +#| msgid "Failed to stat key file.\n" +msgid "Failed to write ssh token json." +msgstr "获取 (stat) 密钥文件统计数据失败。\n" + +#: tokens/ssh/cryptsetup-ssh.c:141 +msgid "" +"Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n" +"\n" +"Specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device.\n" +"Provided credentials will be used by cryptsetup to get the password when opening the device using the token.\n" +"\n" +"Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext." +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:151 +#, fuzzy +#| msgid "" +msgid " " +msgstr "<设备>" + +#: tokens/ssh/cryptsetup-ssh.c:154 +msgid "Options for the 'add' action:" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:155 +msgid "IP address/URL of the remote server for this token" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:156 +msgid "Username used for the remote server" +msgstr "为远程服务器使用的用户名" + +#: tokens/ssh/cryptsetup-ssh.c:157 +msgid "Path to the key file on the remote server" +msgstr "远程服务器上密钥文件的路径" + +#: tokens/ssh/cryptsetup-ssh.c:158 +msgid "Path to the SSH key for connecting to the remote server" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:160 +msgid "Path to directory containinig libcryptsetup external tokens" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:161 +msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase." +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:163 +msgid "Generic options:" +msgstr "通用选项:" + +#: tokens/ssh/cryptsetup-ssh.c:164 +msgid "Shows more detailed error messages" +msgstr "显示更详细的错误信息" + +#: tokens/ssh/cryptsetup-ssh.c:165 +msgid "Show debug messages" +msgstr "显示调试信息" + +#: tokens/ssh/cryptsetup-ssh.c:166 +#, fuzzy +#| msgid "Show debug messages" +msgid "Show debug messages including JSON metadata" +msgstr "显示调试信息" + +#: tokens/ssh/cryptsetup-ssh.c:281 +#, fuzzy +#| msgid "Failed to open temporary keystore device." +msgid "Failed to open and import private key:\n" +msgstr "打开临时密钥存储设备失败。" + +#: tokens/ssh/cryptsetup-ssh.c:285 +msgid "Failed to import private key (password protected?).\n" +msgstr "导入私钥失败(存在密码保护?)。\n" + +#. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " +#: tokens/ssh/cryptsetup-ssh.c:287 +#, c-format +msgid "%s@%s's password: " +msgstr "%s@%s 的密码:" + +# stat() 主要就是出来一个各种文件信息…… +#: tokens/ssh/cryptsetup-ssh.c:376 +#, c-format +msgid "Failed to parse arguments.\n" +msgstr "解析参数失败。\n" + +#: tokens/ssh/cryptsetup-ssh.c:387 +#, c-format +msgid "An action must be specified\n" +msgstr "必须指定一个操作\n" + +#: tokens/ssh/cryptsetup-ssh.c:393 +#, c-format +msgid "Device must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:398 +#, c-format +msgid "SSH server must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:403 +#, c-format +msgid "SSH user must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:408 +#, c-format +msgid "SSH path must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:413 +#, c-format +msgid "SSH key path must be specified for '%s' action.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:420 +#, c-format +msgid "Failed open %s using provided credentials.\n" +msgstr "" + +#: tokens/ssh/cryptsetup-ssh.c:437 +#, c-format +msgid "Only 'add' action is currently supported by this plugin.\n" +msgstr "" + +#: tokens/ssh/ssh-utils.c:46 +msgid "Cannot create sftp session: " +msgstr "无法创建 sftp 会话:" + +#: tokens/ssh/ssh-utils.c:53 +msgid "Cannot init sftp session: " +msgstr "无法初始化 sftp 会话:" + +#: tokens/ssh/ssh-utils.c:59 +msgid "Cannot open sftp session: " +msgstr "无法打开 sftp 会话:" + +#: tokens/ssh/ssh-utils.c:66 +#, fuzzy +#| msgid "Cannot write to keyfile %s." +msgid "Cannot stat sftp file: " +msgstr "无法写入密钥文件 %s。" + +#: tokens/ssh/ssh-utils.c:74 +msgid "Not enough memory.\n" +msgstr "内存不足。\n" + +#: tokens/ssh/ssh-utils.c:81 +msgid "Cannot read remote key: " +msgstr "无法读取密钥文件:" + +#: tokens/ssh/ssh-utils.c:122 +msgid "Connection failed: " +msgstr "连接失败:" + +#: tokens/ssh/ssh-utils.c:132 +msgid "Server not known: " +msgstr "服务器未知:" + +#: tokens/ssh/ssh-utils.c:160 +msgid "Public key auth method not allowed on host.\n" +msgstr "" + +#: tokens/ssh/ssh-utils.c:171 +msgid "Public key authentication error: " +msgstr "公钥认证错误:" + +#, c-format +#~ msgid "Cannot format device %s which is still in use." +#~ msgstr "无法格式化正在使用的设备 %s。" + +#, c-format +#~ msgid "Replaced with key slot %d." +#~ msgstr "替换为密钥槽 %d。" + +#, c-format +#~ msgid "Key slot %d is not used." +#~ msgstr "密钥槽 %d 未使用。" + +#~ msgid "Function not available in FIPS mode." +#~ msgstr "功能在 FIPS 模式无效。" + +#~ msgid "Cannot get process priority." +#~ msgstr "无法获取进程优先级。" -#: src/veritysetup.c:438 -msgid "path" -msgstr "" +#~ msgid "Cannot unlock memory." +#~ msgstr "无法解锁内存。" -#: src/veritysetup.c:439 -msgid "Starting offset on the hash device" -msgstr "哈希设备开始位置偏移量" +#, c-format +#~ msgid "WARNING: Locking directory %s/%s is missing!\n" +#~ msgstr "警告:锁定目录 %s/%s 缺失!\n" -#: src/veritysetup.c:440 #, fuzzy -#| msgid "Starting offset on the hash device" -msgid "Starting offset on the FEC device" -msgstr "哈希设备开始位置偏移量" +#~| msgid "Invalid size parameters for verity device.\n" +#~ msgid "Invalid size parameters for verity device." +#~ msgstr "为 VERITY 设备提供的大小指标无效。\n" -#: src/veritysetup.c:441 -msgid "Hash algorithm" -msgstr "哈希算法" +#, c-format +#~ msgid "Device %s is too small. (LUKS2 requires at least % bytes.)" +#~ msgstr "设备 %s 过小。(LUKS2 需要至少 % 字节。)" -#: src/veritysetup.c:441 -msgid "string" -msgstr "字符串" +#, fuzzy +#~| msgid "Failed to swap new key slot.\n" +#~ msgid "No free token slot." +#~ msgstr "交换新密钥槽失败。\n" -#: src/veritysetup.c:442 -msgid "Salt" -msgstr "盐" +#, c-format +#~ msgid "Key slot %d selected for deletion." +#~ msgstr "已选中密钥槽 %d 以供删除。" -#: src/veritysetup.c:442 -msgid "hex string" -msgstr "十六进制字符串" +#~ msgid "open device as mapping " +#~ msgstr "以映射 <名称> 打开设备" -#: src/veritysetup.c:444 -msgid "Restart kernel if corruption is detected" -msgstr "" +#~ msgid "The cipher used to encrypt the disk (see /proc/crypto)" +#~ msgstr "用于加密磁盘的密文(参见 /proc/crypto)" -#: src/veritysetup.c:445 -msgid "Ignore corruption, log it only" -msgstr "忽略数据损坏,仅对其进行日志记录" +#~ msgid "The hash used to create the encryption key from the passphrase" +#~ msgstr "用于从密码创建加密密钥的哈希值" -#: src/veritysetup.c:446 -#, fuzzy -#| msgid "Do not use verity superblock" -msgid "Do not verify zeroed blocks" -msgstr "不使用真理超级块" +#~ msgid "Verifies the passphrase by asking for it twice" +#~ msgstr "两次询问密码以进行验证" -#: src/veritysetup.c:447 -msgid "Verify data block only the first time it is read" -msgstr "" +#~ msgid "Read the key from a file" +#~ msgstr "从文件读取密钥" + +#~ msgid "Read the volume (master) key from file." +#~ msgstr "从文件读取卷(主)密钥。" -#: src/veritysetup.c:553 #, fuzzy -#| msgid "Option --allow-discards is allowed only for open operation.\n" -msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n" -msgstr "选项 --allow-discards 只适用于打开操作。\n" +#~| msgid "Dump volume (master) key instead of keyslots info." +#~ msgid "Dump volume (master) key instead of keyslots info" +#~ msgstr "转储卷(主)密钥而不是键槽信息。" -#: src/veritysetup.c:558 -msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n" -msgstr "" +#~ msgid "The size of the encryption key" +#~ msgstr "加密密钥大小" -#: src/integritysetup.c:78 src/utils_password.c:317 -#, fuzzy, c-format -#| msgid "Cannot read keyfile %s.\n" -msgid "Cannot read keyfile %s." -msgstr "" -"无法读取密钥文件 %s。\n" -"\n" +#~ msgid "BITS" +#~ msgstr "位" -#: src/integritysetup.c:82 src/utils_password.c:321 -#, fuzzy, c-format -#| msgid "Cannot read %d bytes from keyfile %s.\n" -msgid "Cannot read %d bytes from keyfile %s." -msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n" +#~ msgid "Limits the read from keyfile" +#~ msgstr "限制从密钥文件读取" -#: src/integritysetup.c:224 -#, c-format -msgid "Formatted with tag size %u, internal integrity %s.\n" -msgstr "" +#~ msgid "bytes" +#~ msgstr "字节" -#: src/integritysetup.c:425 src/integritysetup.c:429 -#, fuzzy -#| msgid "verify device" -msgid "" -msgstr "验证设备" +#~ msgid "Number of bytes to skip in keyfile" +#~ msgstr "要从密钥文件跳过的字节数" -#: src/integritysetup.c:426 -msgid " " -msgstr "" +#~ msgid "Limits the read from newly added keyfile" +#~ msgstr "限制从新增密钥文件的读取" -#: src/integritysetup.c:448 -#, fuzzy, c-format -#| msgid "" -#| "\n" -#| " is the device to create under %s\n" -#| " is the data device\n" -#| " is the device containing verification data\n" -#| " hash of the root node on \n" -msgid "" -"\n" -" is the device to create under %s\n" -" is the device containing data with integrity tags\n" -msgstr "" -"\n" -"<名称> 是在 %s 下要创建的设备\n" -"<数据设备> 就是数据设备\n" -"<哈希设备> 是含有验证信息的设备\n" -"<根哈希值> 是 <哈希设备> 根节点的哈希值\n" +#~ msgid "Number of bytes to skip in newly added keyfile" +#~ msgstr "要从新增密钥文件跳过的字节数" -#: src/integritysetup.c:453 -#, fuzzy, c-format -#| msgid "" -#| "\n" -#| "Default compiled-in dm-verity parameters:\n" -#| "\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n" -msgid "" -"\n" -"Default compiled-in dm-integrity parameters:\n" -"\tTag size: %u bytes, Checksum algorithm: %s\n" -msgstr "" -"\n" -"编译时决定的默认 dm-verify 参数:\n" -"\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n" +#~ msgid "Slot number for new key (default is first free)" +#~ msgstr "新密钥的槽号(默认为第一个可用的)" -#: src/integritysetup.c:491 -msgid "Journal size" -msgstr "日志大小" +#~ msgid "The size of the device" +#~ msgstr "设备大小" -#: src/integritysetup.c:492 -msgid "Interleave sectors" -msgstr "" +#~ msgid "SECTORS" +#~ msgstr "扇区" -#: src/integritysetup.c:493 -msgid "Journal watermark" -msgstr "" +#~ msgid "The start offset in the backend device" +#~ msgstr "后端设备的起始偏移量" -#: src/integritysetup.c:493 -msgid "percent" -msgstr "" +#~ msgid "How many sectors of the encrypted data to skip at the beginning" +#~ msgstr "从开头要跳过的加密数据扇区数量" -#: src/integritysetup.c:494 -msgid "Journal commit time" -msgstr "日志提交时间" +#~ msgid "Create a readonly mapping" +#~ msgstr "创建只读映射" -#: src/integritysetup.c:494 -msgid "ms" -msgstr "" +#~ msgid "Do not ask for confirmation" +#~ msgstr "不要请求确认" -#: src/integritysetup.c:495 -msgid "Tag size (per-sector)" -msgstr "" +#~ msgid "Timeout for interactive passphrase prompt (in seconds)" +#~ msgstr "交互式密码提示符超时长度(秒)" -#: src/integritysetup.c:496 -msgid "Sector size" -msgstr "扇区大小" +#~ msgid "secs" +#~ msgstr "秒" -#: src/integritysetup.c:497 -msgid "Buffers size" -msgstr "缓冲大小" +#~ msgid "How often the input of the passphrase can be retried" +#~ msgstr "输入密码的最大重试频率" -#: src/integritysetup.c:499 -msgid "Data integrity algorithm" -msgstr "数据完整性校验算法" +#~ msgid "Align payload at sector boundaries - for luksFormat" +#~ msgstr "于 个扇区边界处对其载荷数据 - 供 luks 格式用" -#: src/integritysetup.c:500 #, fuzzy -#| msgid "The size of the encryption key" -msgid "The size of the data integrity key" -msgstr "加密密钥大小" +#~| msgid "File with LUKS header and keyslots backup." +#~ msgid "File with LUKS header and keyslots backup" +#~ msgstr "带有 LUKS 数据头和密钥槽备份的文件。" -#: src/integritysetup.c:501 -#, fuzzy -#| msgid "Read the key from a file." -msgid "Read the integrity key from a file" -msgstr "从文件读取密钥。" +#~ msgid "Use /dev/random for generating volume key" +#~ msgstr "使用 /dev/random 生成卷密钥" -#: src/integritysetup.c:503 -msgid "Journal integrity algorithm" -msgstr "" +#~ msgid "Use /dev/urandom for generating volume key" +#~ msgstr "使用 /dev/urandom 生成卷密钥" -#: src/integritysetup.c:504 #, fuzzy -#| msgid "The size of the encryption key" -msgid "The size of the journal integrity key" -msgstr "加密密钥大小" +#~| msgid "Share device with another non-overlapping crypt segment." +#~ msgid "Share device with another non-overlapping crypt segment" +#~ msgstr "与另一个不重合的加密段共享设备。" -#: src/integritysetup.c:505 #, fuzzy -#| msgid "Read the key from a file." -msgid "Read the journal integrity key from a file" -msgstr "从文件读取密钥。" - -#: src/integritysetup.c:507 -msgid "Journal encryption algorithm" -msgstr "日志加密算法" +#~| msgid "UUID for device to use." +#~ msgid "UUID for device to use" +#~ msgstr "设备使用的 UUID 已占用。" -#: src/integritysetup.c:508 #, fuzzy -#| msgid "The size of the encryption key" -msgid "The size of the journal encryption key" -msgstr "加密密钥大小" +#~| msgid "Allow discards (aka TRIM) requests for device." +#~ msgid "Allow discards (aka TRIM) requests for device" +#~ msgstr "允许设备的 discard(或称 TRIM)请求。" -#: src/integritysetup.c:509 #, fuzzy -#| msgid "Read the key from a file." -msgid "Read the journal encryption key from a file" -msgstr "从文件读取密钥。" +#~| msgid "Device or file with separated LUKS header." +#~ msgid "Device or file with separated LUKS header" +#~ msgstr "带有分离 LUKS 数据头的设备或文件。" -#: src/integritysetup.c:512 -msgid "Recovery mode (no journal, no tag checking)" -msgstr "" - -#: src/integritysetup.c:601 -msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n" -msgstr "" +#, fuzzy +#~| msgid "Do not activate device, just check passphrase." +#~ msgid "Do not activate device, just check passphrase" +#~ msgstr "不要激活设备,仅检查密码。" -#: src/integritysetup.c:607 -msgid "Invalid journal size specification." -msgstr "无效的日志大小指标。" +#, fuzzy +#~| msgid "Use hidden header (hidden TCRYPT device)." +#~ msgid "Use hidden header (hidden TCRYPT device)" +#~ msgstr "使用隐藏数据头(隐藏 TCRYPT 设备)" -#: src/integritysetup.c:612 -msgid "Both key file and key size options must be specified." -msgstr "密钥文件和密钥大小选项均必须指定。" +#, fuzzy +#~| msgid "Device is system TCRYPT drive (with bootloader)." +#~ msgid "Device is system TCRYPT drive (with bootloader)" +#~ msgstr "设备为系统 TCRYPT 驱动器(带有引导器)。" -#: src/integritysetup.c:615 -msgid "Integrity algorithm must be specified if integrity key is used." -msgstr "" +#~ msgid "Use backup (secondary) TCRYPT header" +#~ msgstr "使用备份(次级)TCRYPT 标头" -#: src/integritysetup.c:620 -msgid "Both journal integrity key file and key size options must be specified." -msgstr "" +#, fuzzy +#~| msgid "Scan also for VeraCrypt compatible device." +#~ msgid "Scan also for VeraCrypt compatible device" +#~ msgstr "同时扫描 VeraCrypt 兼容的设备。" -#: src/integritysetup.c:623 -msgid "Journal integrity algorithm must be specified if journal integrity key is used." -msgstr "如果使用了日志加密密钥,则必须指定日志完整性校验算法。" +#, fuzzy +#~| msgid "Scan also for VeraCrypt compatible device." +#~ msgid "Personal Iteration Multiplier for VeraCrypt compatible device" +#~ msgstr "同时扫描 VeraCrypt 兼容的设备。" -#: src/integritysetup.c:628 -msgid "Both journal encryption key file and key size options must be specified." -msgstr "日志加密密钥文件和密钥大小选项均必须指定。" +#, fuzzy +#~| msgid "Scan also for VeraCrypt compatible device." +#~ msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device" +#~ msgstr "同时扫描 VeraCrypt 兼容的设备。" -#: src/integritysetup.c:631 -msgid "Journal encryption algorithm must be specified if journal encryption key is used." -msgstr "如果使用了日志加密密钥,则必须指定日志加密算法。" +#, fuzzy +#~| msgid "Type of device metadata: luks, plain, loopaes, tcrypt." +#~ msgid "Type of device metadata: luks, plain, loopaes, tcrypt" +#~ msgstr "设备元数据类型:luks, 纯粹 (plain), loopaes, tcrypt." -#: src/cryptsetup_reencrypt.c:174 -msgid "Reencryption already in-progress." -msgstr "重加密已在进行中。" +#, fuzzy +#~| msgid "Disable password quality check (if enabled)." +#~ msgid "Disable password quality check (if enabled)" +#~ msgstr "禁用密码质量检查 (如果已启用)。" -#: src/cryptsetup_reencrypt.c:180 -msgid "Reencryption of device with integrity profile is not supported." -msgstr "不支持带有完整性 profile 信息的设备的重加密。" +#, fuzzy +#~| msgid "Use dm-crypt same_cpu_crypt performance compatibility option." +#~ msgid "Use dm-crypt same_cpu_crypt performance compatibility option" +#~ msgstr "使用 dm-crypt same_cpu_crypt 性能兼容性选项。" -#: src/cryptsetup_reencrypt.c:203 -#, c-format -msgid "Cannot exclusively open %s, device in use." -msgstr "无法独占打开 %s,设备正在使用中。" +#, fuzzy +#~| msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option." +#~ msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option" +#~ msgstr "使用 dm-crypt submit_from_crypt_cpus 性能兼容性选项。" -#: src/cryptsetup_reencrypt.c:217 src/cryptsetup_reencrypt.c:1147 -msgid "Allocation of aligned memory failed." -msgstr "分配对齐内存失败。" +#~ msgid "PBKDF iteration time for LUKS (in ms)" +#~ msgstr "LUKS 默认 PBKDF 迭代时间(毫秒)" -#: src/cryptsetup_reencrypt.c:224 -#, c-format -msgid "Cannot read device %s." -msgstr "无法读取设备 %s。" +#~ msgid "msecs" +#~ msgstr "毫秒" -#: src/cryptsetup_reencrypt.c:235 -#, c-format -msgid "Marking LUKS1 device %s unusable." -msgstr "正在标记 LUKS1 设备 %s 为不可用状态。" +#~ msgid "PBKDF memory cost limit" +#~ msgstr "PBKDF 内存开销限制" -#: src/cryptsetup_reencrypt.c:239 -#, c-format -msgid "Setting LUKS2 offline reencrypt flag on device %s." -msgstr "正在设备 %s 上设定 LUKS2 离线重加密旗标。" +#~ msgid "kilobytes" +#~ msgstr "千字节" -#: src/cryptsetup_reencrypt.c:256 -#, c-format -msgid "Cannot write device %s." -msgstr "无法写入设备 %s。" +#~ msgid "PBKDF parallel cost" +#~ msgstr "PBKDF 并行开销" -#: src/cryptsetup_reencrypt.c:340 -msgid "Cannot write reencryption log file." -msgstr "无法写入重加密日志文件。" +#~ msgid "threads" +#~ msgstr "线程" -#: src/cryptsetup_reencrypt.c:396 -msgid "Cannot read reencryption log file." -msgstr "无法读取重加密日志文件。" +#, fuzzy +#~| msgid "try to repair on-disk metadata" +#~ msgid "Disable locking of on-disk metadata" +#~ msgstr "尝试修复磁盘上的元数据" -#: src/cryptsetup_reencrypt.c:434 -#, c-format -msgid "Log file %s exists, resuming reencryption.\n" -msgstr "日志文件 %s 存在,继续重加密。\n" +#, fuzzy +#~| msgid "Invalid size parameters for verity device.\n" +#~ msgid "Disable journal for integrity device" +#~ msgstr "为 VERITY 设备提供的大小指标无效。\n" -#: src/cryptsetup_reencrypt.c:484 -msgid "Activating temporary device using old LUKS header." -msgstr "正使用旧 LUKS 标头激活临时设备。" +#, fuzzy +#~| msgid "formats a LUKS device" +#~ msgid "Set label for the LUKS2 device" +#~ msgstr "格式化一个 LUKS 设备" -#: src/cryptsetup_reencrypt.c:495 -msgid "Activating temporary device using new LUKS header." -msgstr "正使用新 LUKS 标头激活临时设备。" +#, fuzzy +#~| msgid "formats a LUKS device" +#~ msgid "Set subsystem label for the LUKS2 device" +#~ msgstr "格式化一个 LUKS 设备" -#: src/cryptsetup_reencrypt.c:505 -msgid "Activation of temporary devices failed." -msgstr "激活临时设备失败。" +#, fuzzy +#~| msgid "Option --shared is allowed only for open of plain device.\n" +#~ msgid "Option --deferred is allowed only for close command.\n" +#~ msgstr "选项 --shared 只适用于打开纯设备。\n" -# stat() 主要就是出来一个各种文件信息…… -#: src/cryptsetup_reencrypt.c:587 -msgid "Failed to set PBKDF parameters." -msgstr "设置 pbkdf 参数失败。" +#~ msgid "Option --allow-discards is allowed only for open operation.\n" +#~ msgstr "选项 --allow-discards 只适用于打开操作。\n" -#: src/cryptsetup_reencrypt.c:594 -#, c-format -msgid "New LUKS header for device %s created." -msgstr "已创建设备 %s 的新 LUKS 标头。" +#, fuzzy +#~| msgid "" +#~| "Option --key-size is allowed only for luksFormat, open and benchmark.\n" +#~| "To limit read from keyfile use --keyfile-size=(bytes)." +#~ msgid "" +#~ "Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n" +#~ "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)." +#~ msgstr "" +#~ "选项 --key-size 只能用于 luksFormat, 打开和性能测试。\n" +#~ "要限制密钥文件读取请使用 --keyfile-size=(字节数)。" -#: src/cryptsetup_reencrypt.c:603 -#, c-format -msgid "Activated keyslot %i." -msgstr "已激活密钥槽 %i。" +#, fuzzy +#~| msgid "Option --align-payload is allowed only for luksFormat." +#~ msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n" +#~ msgstr "选项 --align-payload 只允许用于 luksFormat。" -#: src/cryptsetup_reencrypt.c:653 -#, c-format -msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." -msgstr "该版本的 cryptsetup-reencrypt 无法处理新的内部 token 类型 %s。" +#, fuzzy +#~| msgid "Option --uuid is allowed only for luksFormat and luksUUID." +#~ msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n" +#~ msgstr "选项 --uuid 只允许用于 luksFormat 和 luksUUID。" -#: src/cryptsetup_reencrypt.c:675 -msgid "Failed to read activation flags from backup header." -msgstr "从备份标头读取活动旗标失败。" +#~ msgid "Negative number for option not permitted." +#~ msgstr "不允许在选项中填入负数。" -#: src/cryptsetup_reencrypt.c:679 -msgid "Failed to write activation flags to new header." -msgstr "向新表头写入活动旗标失败。" +#~ msgid "Option --use-[u]random is allowed only for luksFormat." +#~ msgstr "选项 --use-[u]random 只适用于 luksFormat。" -#: src/cryptsetup_reencrypt.c:683 src/cryptsetup_reencrypt.c:687 -msgid "Failed to read requirements from backup header." -msgstr "从备份标头读取需求失败。" +#~ msgid "Option --uuid is allowed only for luksFormat and luksUUID." +#~ msgstr "选项 --uuid 只允许用于 luksFormat 和 luksUUID。" -#: src/cryptsetup_reencrypt.c:723 -#, c-format -msgid "%s header backup of device %s created." -msgstr "已创建 %s 标头备份(对应设备 %s)。" +#, fuzzy +#~| msgid "This operation is not supported for this device type.\n" +#~ msgid "Sector size option is not supported for this command.\n" +#~ msgstr "不支持在这类设备上执行此操作。\n" -#: src/cryptsetup_reencrypt.c:783 -msgid "Creation of LUKS backup headers failed." -msgstr "LUKS 备份标头创建失败。" +#~ msgid "Unsupported encryption sector size.\n" +#~ msgstr "不支持的加密扇区大小。\n" -#: src/cryptsetup_reencrypt.c:917 -#, c-format -msgid "Cannot restore %s header on device %s." -msgstr "无法恢复 %s 标头(在设备 %s 上)。" +#, fuzzy +#~| msgid "close device (remove mapping)" +#~ msgid "close device (deactivate and remove mapping)" +#~ msgstr "关闭设备(移除映射)" -#: src/cryptsetup_reencrypt.c:919 -#, c-format -msgid "%s header on device %s restored." -msgstr "已恢复 %s 标头(在设备 %s 上)。" +#~ msgid "Do not use verity superblock" +#~ msgstr "不使用真理超级块" -#: src/cryptsetup_reencrypt.c:957 src/cryptsetup_reencrypt.c:1037 -msgid "Cannot seek to device offset." -msgstr "无法寻找到设备偏移位置。" +#~ msgid "Format type (1 - normal, 0 - original Chrome OS)" +#~ msgstr "格式类型 (1 - 正常, 0 - 原版 Chrome OS)" -#: src/cryptsetup_reencrypt.c:1080 -msgid "Cannot seek to device offset.\n" -msgstr "无法寻找到设备偏移位置。\n" +#~ msgid "number" +#~ msgstr "数字" -#: src/cryptsetup_reencrypt.c:1119 src/cryptsetup_reencrypt.c:1125 -msgid "Cannot open temporary LUKS device." -msgstr "无法打开临时 LUKS 设备。" +#~ msgid "Block size on the data device" +#~ msgstr "数据设备的块大小" -#: src/cryptsetup_reencrypt.c:1130 src/cryptsetup_reencrypt.c:1135 -msgid "Cannot get device size." -msgstr "无法获取设备大小。" +#~ msgid "Block size on the hash device" +#~ msgstr "哈希设备的块大小" -#: src/cryptsetup_reencrypt.c:1172 -msgid "Interrupted by a signal." -msgstr "被信号中断。" +#~ msgid "FEC parity bytes" +#~ msgstr "FEC 校验字节" -#: src/cryptsetup_reencrypt.c:1174 -msgid "IO error during reencryption." -msgstr "重加密时发生 IO 错误。" +#~ msgid "The number of blocks in the data file" +#~ msgstr "数据文件的块数量" -#: src/cryptsetup_reencrypt.c:1205 -msgid "Provided UUID is invalid." -msgstr "提供的 UUID 无效。" +#~ msgid "blocks" +#~ msgstr "块" -#: src/cryptsetup_reencrypt.c:1307 -msgid "Key file can be used only with --key-slot or with exactly one key slot active." -msgstr "密钥文件只能在指定 --key-slot 时或有且只有一个槽启用时使用。" +#~ msgid "Starting offset on the hash device" +#~ msgstr "哈希设备开始位置偏移量" -#: src/cryptsetup_reencrypt.c:1349 src/cryptsetup_reencrypt.c:1360 -#, c-format -msgid "Enter passphrase for key slot %u: " -msgstr "输入密钥槽 %u 的口令: " +#, fuzzy +#~| msgid "Starting offset on the hash device" +#~ msgid "Starting offset on the FEC device" +#~ msgstr "哈希设备开始位置偏移量" -#: src/cryptsetup_reencrypt.c:1431 -msgid "Cannot open reencryption log file." -msgstr "无法打开重加密日志文件。" +#~ msgid "Hash algorithm" +#~ msgstr "哈希算法" -#: src/cryptsetup_reencrypt.c:1437 -msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process." -msgstr "没有正在进行中的解密操作,提供的 UUID 仅能用于继续已挂起的解密操作。" +#~ msgid "string" +#~ msgstr "字符串" -#: src/cryptsetup_reencrypt.c:1512 -#, c-format -msgid "Changed pbkdf parameters in keyslot %i." -msgstr "已在密钥槽 %i 更改 pbkdf 参数。" +#~ msgid "Salt" +#~ msgstr "盐" -#: src/cryptsetup_reencrypt.c:1617 -msgid "Reencryption block size" -msgstr "重加密块大小" +#~ msgid "hex string" +#~ msgstr "十六进制字符串" -#: src/cryptsetup_reencrypt.c:1617 -msgid "MiB" -msgstr "MiB" +#~ msgid "Ignore corruption, log it only" +#~ msgstr "忽略数据损坏,仅对其进行日志记录" -#: src/cryptsetup_reencrypt.c:1621 -msgid "Do not change key, no data area reencryption" -msgstr "不要更改密钥,无数据区重加密" +#, fuzzy +#~| msgid "Do not use verity superblock" +#~ msgid "Do not verify zeroed blocks" +#~ msgstr "不使用真理超级块" -#: src/cryptsetup_reencrypt.c:1623 -msgid "Read new volume (master) key from file" -msgstr "从文件读取卷(主)密钥" +#~ msgid "Journal size" +#~ msgstr "日志大小" -#: src/cryptsetup_reencrypt.c:1624 -msgid "PBKDF2 iteration time for LUKS (in ms)" -msgstr "LUKS 默认 PBKDF2 迭代时间(毫秒)" +#~ msgid "Journal commit time" +#~ msgstr "日志提交时间" -#: src/cryptsetup_reencrypt.c:1630 -msgid "Use direct-io when accessing devices" -msgstr "在访问设备时使用 direct-io" +#~ msgid "Sector size" +#~ msgstr "扇区大小" -#: src/cryptsetup_reencrypt.c:1631 -msgid "Use fsync after each block" -msgstr "在每个数据块后使用 fsync" +#~ msgid "Buffers size" +#~ msgstr "缓冲大小" -#: src/cryptsetup_reencrypt.c:1632 -msgid "Update log file after every block" -msgstr "在每个数据块后更新日志文件" +#~ msgid "Data integrity algorithm" +#~ msgstr "数据完整性校验算法" -#: src/cryptsetup_reencrypt.c:1633 -msgid "Use only this slot (others will be disabled)" -msgstr "仅使用这个密钥槽(其他的密钥槽将被禁用)" +#, fuzzy +#~| msgid "The size of the encryption key" +#~ msgid "The size of the data integrity key" +#~ msgstr "加密密钥大小" -#: src/cryptsetup_reencrypt.c:1636 -msgid "Reduce data device size (move data offset). DANGEROUS!" -msgstr "减少数据设备大小(移动数据偏移量)。危险!" +#, fuzzy +#~| msgid "Read the key from a file." +#~ msgid "Read the integrity key from a file" +#~ msgstr "从文件读取密钥。" -#: src/cryptsetup_reencrypt.c:1637 -msgid "Use only specified device size (ignore rest of device). DANGEROUS!" -msgstr "只使用指定的设备大小(忽略设备其余部分)。危险!" +#, fuzzy +#~| msgid "The size of the encryption key" +#~ msgid "The size of the journal integrity key" +#~ msgstr "加密密钥大小" -#: src/cryptsetup_reencrypt.c:1638 -msgid "Create new header on not encrypted device" -msgstr "在未加密的设备上创建新的标头" +#, fuzzy +#~| msgid "Read the key from a file." +#~ msgid "Read the journal integrity key from a file" +#~ msgstr "从文件读取密钥。" -#: src/cryptsetup_reencrypt.c:1639 -msgid "Permanently decrypt device (remove encryption)" -msgstr "永久解密设备(移除加密)" +#~ msgid "Journal encryption algorithm" +#~ msgstr "日志加密算法" -#: src/cryptsetup_reencrypt.c:1640 -msgid "The UUID used to resume decryption" -msgstr "用于继续解密的 UUID" +#, fuzzy +#~| msgid "The size of the encryption key" +#~ msgid "The size of the journal encryption key" +#~ msgstr "加密密钥大小" -#: src/cryptsetup_reencrypt.c:1641 -msgid "Type of LUKS metadata: luks1, luks2" -msgstr "LUKS 元数据类型:luks1、luks2" +#, fuzzy +#~| msgid "Read the key from a file." +#~ msgid "Read the journal encryption key from a file" +#~ msgstr "从文件读取密钥。" -#: src/cryptsetup_reencrypt.c:1662 -msgid "[OPTION...] " -msgstr "[选项...] <设备>" +#~ msgid "Invalid journal size specification." +#~ msgstr "无效的日志大小指标。" -#: src/cryptsetup_reencrypt.c:1676 #, c-format -msgid "Reencryption will change: %s%s%s%s%s%s." -msgstr "重加密会改变:%s%s%s%s%s%s。" - -#: src/cryptsetup_reencrypt.c:1677 -msgid "volume key" -msgstr "卷密钥" - -#: src/cryptsetup_reencrypt.c:1679 -msgid "set hash to " -msgstr "设置哈希值为 " - -#: src/cryptsetup_reencrypt.c:1680 -msgid ", set cipher to " -msgstr ",设定密文为 " - -#: src/cryptsetup_reencrypt.c:1684 -msgid "Argument required." -msgstr "需要参数。" - -#: src/cryptsetup_reencrypt.c:1712 -msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." -msgstr "重加密块大小只能是 1 MiB 到 64 MiB 之间的值。" - -#: src/cryptsetup_reencrypt.c:1731 src/cryptsetup_reencrypt.c:1736 -msgid "Invalid device size specification." -msgstr "无效的设备大小指标。" - -#: src/cryptsetup_reencrypt.c:1739 -msgid "Maximum device reduce size is 64 MiB." -msgstr "最大设备缩减大小为 64 MiB。" +#~ msgid "Setting LUKS2 offline reencrypt flag on device %s." +#~ msgstr "正在设备 %s 上设定 LUKS2 离线重加密旗标。" -#: src/cryptsetup_reencrypt.c:1742 -msgid "Reduce size must be multiple of 512 bytes sector." -msgstr "缩减大小必须为 512 字节扇区的倍数。" +# stat() 主要就是出来一个各种文件信息…… +#~ msgid "Failed to set PBKDF parameters." +#~ msgstr "设置 pbkdf 参数失败。" -#: src/cryptsetup_reencrypt.c:1746 -msgid "Option --new must be used together with --reduce-device-size or --header." -msgstr "选项 --new 必须与 --reduce-device-size 或 --header 共用。" +#, c-format +#~ msgid "Activated keyslot %i." +#~ msgstr "已激活密钥槽 %i。" -#: src/cryptsetup_reencrypt.c:1750 -msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." -msgstr "选项 --keep-key 只能与 --hash、--iter-time 或 --pbkdf-force-iterations 共用。" +#, c-format +#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s." +#~ msgstr "该版本的 cryptsetup-reencrypt 无法处理新的内部 token 类型 %s。" -#: src/cryptsetup_reencrypt.c:1754 -msgid "Option --new cannot be used together with --decrypt." -msgstr "选项 --new 不可与 --decrypt 共用。" +#~ msgid "Failed to read activation flags from backup header." +#~ msgstr "从备份标头读取活动旗标失败。" -#: src/cryptsetup_reencrypt.c:1758 -msgid "Option --decrypt is incompatible with specified parameters." -msgstr "选项 --decrypt 与选定参数不兼容。" +#~ msgid "Cannot seek to device offset.\n" +#~ msgstr "无法寻找到设备偏移位置。\n" -#: src/cryptsetup_reencrypt.c:1762 -msgid "Option --uuid is allowed only together with --decrypt." -msgstr "选项 --uuid 不可与 --decrypt 共用。" +#~ msgid "Interrupted by a signal." +#~ msgstr "被信号中断。" -#: src/cryptsetup_reencrypt.c:1766 -msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." -msgstr "无效的 luks 类型。请使用下列选项之一:'luks'、'luks1' 或 'luks2'。" +#, c-format +#~ msgid "Changed pbkdf parameters in keyslot %i." +#~ msgstr "已在密钥槽 %i 更改 pbkdf 参数。" -#: src/utils_tools.c:159 -msgid "Error reading response from terminal." -msgstr "从终端读取响应时失败。" +#~ msgid "Reencryption block size" +#~ msgstr "重加密块大小" -#: src/utils_tools.c:184 -msgid "Command successful.\n" -msgstr "命令成功。\n" +#~ msgid "MiB" +#~ msgstr "MiB" -#: src/utils_tools.c:192 -msgid "wrong or missing parameters" -msgstr "错误或缺失的参数" +#~ msgid "Read new volume (master) key from file" +#~ msgstr "从文件读取卷(主)密钥" -#: src/utils_tools.c:194 -msgid "no permission or bad passphrase" -msgstr "无权限或口令错误" +#~ msgid "Use direct-io when accessing devices" +#~ msgstr "在访问设备时使用 direct-io" -#: src/utils_tools.c:196 -msgid "out of memory" -msgstr "内存耗尽" +#~ msgid "Use fsync after each block" +#~ msgstr "在每个数据块后使用 fsync" -#: src/utils_tools.c:198 -msgid "wrong device or file specified" -msgstr "指定了错误的设备或文件" +#~ msgid "Update log file after every block" +#~ msgstr "在每个数据块后更新日志文件" -#: src/utils_tools.c:200 -msgid "device already exists or device is busy" -msgstr "设备已存在或设备正忙" +#~ msgid "Use only this slot (others will be disabled)" +#~ msgstr "仅使用这个密钥槽(其他的密钥槽将被禁用)" -#: src/utils_tools.c:202 -msgid "unknown error" -msgstr "未知错误" +#~ msgid "Reduce data device size (move data offset). DANGEROUS!" +#~ msgstr "减少数据设备大小(移动数据偏移量)。危险!" -#: src/utils_tools.c:204 -#, c-format -msgid "Command failed with code %i (%s).\n" -msgstr "命令失败,代码 %i(%s)。\n" +#~ msgid "Use only specified device size (ignore rest of device). DANGEROUS!" +#~ msgstr "只使用指定的设备大小(忽略设备其余部分)。危险!" -#: src/utils_password.c:43 src/utils_password.c:75 -#, c-format -msgid "Cannot check password quality: %s" -msgstr "无法检查密码质量:%s" +#~ msgid "Create new header on not encrypted device" +#~ msgstr "在未加密的设备上创建新的标头" -#: src/utils_password.c:51 -#, c-format -msgid "" -"Password quality check failed:\n" -" %s" -msgstr "" -"密码质量检查失败:\n" -" %s" +#~ msgid "Permanently decrypt device (remove encryption)" +#~ msgstr "永久解密设备(移除加密)" -#: src/utils_password.c:83 -#, c-format -msgid "Password quality check failed: Bad passphrase (%s)" -msgstr "密码质量检查失败:无效密码 (%s)" +#~ msgid "The UUID used to resume decryption" +#~ msgstr "用于继续解密的 UUID" -#: src/utils_password.c:212 src/utils_password.c:227 -msgid "Error reading passphrase from terminal." -msgstr "从终端读取口令时出错。" +#~ msgid "Type of LUKS metadata: luks1, luks2" +#~ msgstr "LUKS 元数据类型:luks1、luks2" -#: src/utils_password.c:225 -msgid "Verify passphrase: " -msgstr "确认密码:" +#~ msgid "[OPTION...] " +#~ msgstr "[选项...] <设备>" -#: src/utils_password.c:232 -msgid "Passphrases do not match." -msgstr "口令不匹配。" +#~ msgid "Argument required." +#~ msgstr "需要参数。" -#: src/utils_password.c:269 -msgid "Cannot use offset with terminal input." -msgstr "不能将偏移量用于终端输入。" +#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size." +#~ msgstr "重加密块大小只能是 1 MiB 到 64 MiB 之间的值。" -#: src/utils_password.c:272 -#, c-format -msgid "Enter passphrase: " -msgstr "输入口令:" +#~ msgid "Option --new must be used together with --reduce-device-size or --header." +#~ msgstr "选项 --new 必须与 --reduce-device-size 或 --header 共用。" -#: src/utils_password.c:274 -#, c-format -msgid "Enter passphrase for %s: " -msgstr "输入 %s 的口令:" +#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations." +#~ msgstr "选项 --keep-key 只能与 --hash、--iter-time 或 --pbkdf-force-iterations 共用。" -#: src/utils_password.c:304 -msgid "No key available with this passphrase." -msgstr "此口令无可用的密钥。" +#~ msgid "Option --decrypt is incompatible with specified parameters." +#~ msgstr "选项 --decrypt 与选定参数不兼容。" -#: src/utils_password.c:339 -#, c-format -msgid "Cannot open keyfile %s for write." -msgstr "无法打开密钥文件 %s 以供写入。" +#~ msgid "Option --uuid is allowed only together with --decrypt." +#~ msgstr "选项 --uuid 不可与 --decrypt 共用。" -#: src/utils_password.c:346 -#, c-format -msgid "Cannot write to keyfile %s." -msgstr "无法写入密钥文件 %s。" +#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'." +#~ msgstr "无效的 luks 类型。请使用下列选项之一:'luks'、'luks1' 或 'luks2'。" #~ msgid "memory allocation error in action_luksFormat" #~ msgstr "在 action_luksFormat 中发生内存分配错误" diff --git a/scripts/meson.build b/scripts/meson.build new file mode 100644 index 0000000..fbb94aa --- /dev/null +++ b/scripts/meson.build @@ -0,0 +1,7 @@ +if tmpfilesdir != '' + cryptsetup_conf = configure_file( + input: 'cryptsetup.conf.in', + output: 'cryptsetup.conf', + configuration: conf, + install_dir: tmpfilesdir) +endif diff --git a/src/cryptsetup.c b/src/cryptsetup.c index e387c1c..a46e2dd 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -28,9 +28,13 @@ #include "utils_luks.h" static char *keyfiles[MAX_KEYFILES]; +static char *keyring_links[MAX_KEYRING_LINKS]; +static char *vks_in_keyring[MAX_VK_IN_KEYRING]; static char *keyfile_stdin = NULL; static int keyfiles_count = 0; +static int keyring_links_count = 0; +static int vks_in_keyring_count = 0; int64_t data_shift = 0; const char *device_type = "luks"; @@ -57,6 +61,10 @@ void tools_cleanup(void) while (keyfiles_count) free(keyfiles[--keyfiles_count]); + while (keyring_links_count) + free(keyring_links[--keyring_links_count]); + while (vks_in_keyring_count) + free(vks_in_keyring[--vks_in_keyring_count]); total_keyfiles = 0; } @@ -89,27 +97,49 @@ static int _set_keyslot_encryption_params(struct crypt_device *cd) return crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8); } -static int _try_token_pin_unlock(struct crypt_device *cd, - int token_id, - const char *activated_name, - const char *token_type, - uint32_t activate_flags, - int tries, - bool activation) +static int _try_token_unlock(struct crypt_device *cd, + int keyslot, + int token_id, + const char *activated_name, + const char *token_type, + uint32_t activate_flags, + int tries, + bool activation, + bool token_only) { + int r; + struct crypt_keyslot_context *kc; size_t pin_len; char msg[64], *pin = NULL; - int r; assert(tries >= 1); assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN); + assert(keyslot >= 0 || keyslot == CRYPT_ANY_SLOT); + + r = crypt_keyslot_context_init_by_token(cd, token_id, token_type, NULL, 0, NULL, &kc); + if (r < 0) + return r; + + if (activation) + r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, NULL, activate_flags); + else + r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc); + + tools_keyslot_msg(r, UNLOCKED); + tools_token_error_msg(r, token_type, token_id, false); + + /* Token requires PIN (-ENOANO). Ask for it if there is evident preference for tokens */ + if (r != -ENOANO || (!token_only && !token_type && token_id == CRYPT_ANY_TOKEN)) + goto out; if (token_id == CRYPT_ANY_TOKEN) r = snprintf(msg, sizeof(msg), _("Enter token PIN: ")); else r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id); - if (r < 0 || (size_t)r >= sizeof(msg)) - return -EINVAL; + if (r < 0 || (size_t)r >= sizeof(msg)) { + r = -EINVAL; + goto out; + } do { r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL, @@ -117,20 +147,26 @@ static int _try_token_pin_unlock(struct crypt_device *cd, if (r < 0) break; + r = crypt_keyslot_context_set_pin(cd, pin, pin_len, kc); + if (r < 0) { + crypt_safe_free(pin); + break; + } + if (activation) - r = crypt_activate_by_token_pin(cd, activated_name, token_type, - token_id, pin, pin_len, NULL, - activate_flags); + r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, + kc, CRYPT_ANY_SLOT, NULL, activate_flags); else - r = crypt_resume_by_token_pin(cd, activated_name, token_type, - token_id, pin, pin_len, NULL); + r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc); + crypt_safe_free(pin); pin = NULL; tools_keyslot_msg(r, UNLOCKED); - tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), token_id, true); + tools_token_error_msg(r, token_type, token_id, true); check_signal(&r); } while (r == -ENOANO && (--tries > 0)); - +out: + crypt_keyslot_context_free(kc); return r; } @@ -151,6 +187,7 @@ static int action_open_plain(void) size_t passwordLen, key_size_max, signatures = 0, key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_PLAIN_KEYBITS) / 8; uint32_t activate_flags = 0; + bool compat_warning = false; int r; r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID) ?: DEFAULT_CIPHER(PLAIN), @@ -160,6 +197,23 @@ static int action_open_plain(void) goto out; } + /* + * Warn user if no cipher options and passphrase hashing is not specified. + * For keyfile, password hashing is not used, no need to print warning for missing --hash. + * Keep this enabled even in batch mode to fix scripts and avoid data corruption. + */ + if (!ARG_SET(OPT_CIPHER_ID) || !ARG_SET(OPT_KEY_SIZE_ID)) { + log_err(_("WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."), + cipher, cipher_mode, key_size * 8); + compat_warning = true; + } + if (!ARG_SET(OPT_HASH_ID) && !ARG_SET(OPT_KEY_FILE_ID)) { + log_err(_("WARNING: Using default options for hash (%s) that could be incompatible with older versions."), params.hash); + compat_warning = true; + } + if (compat_warning) + log_err(_("For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash.")); + /* FIXME: temporary hack, no hashing for keyfiles in plain mode */ if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) { params.hash = NULL; @@ -204,11 +258,14 @@ static int action_open_plain(void) goto out; /* Skip blkid scan when activating plain device with offset */ - if (!ARG_UINT64(OPT_OFFSET_ID)) { + if (!ARG_UINT64(OPT_OFFSET_ID) && !ARG_SET(OPT_DISABLE_BLKID_ID)) { /* Print all present signatures in read-only mode */ r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); - if (r < 0) + if (r < 0) { + if (r == -EIO) + log_err(_("Blkid scan failed for %s."), action_argv[0]); goto out; + } } if (signatures && !ARG_SET(OPT_BATCH_MODE_ID)) { @@ -829,6 +886,15 @@ static int action_resize(void) else if (ARG_SET(OPT_SIZE_ID)) dev_size = ARG_UINT64(OPT_SIZE_ID); + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } + if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) { if (ARG_SET(OPT_DISABLE_KEYRING_ID)) { r = -EINVAL; @@ -838,16 +904,9 @@ static int action_resize(void) } /* try load VK in kernel keyring using token */ - r = crypt_activate_by_token_pin(cd, NULL, ARG_STR(OPT_TOKEN_TYPE_ID), - ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL, - CRYPT_ACTIVATE_KEYRING_KEY); - tools_keyslot_msg(r, UNLOCKED); - tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); - - /* Token requires PIN. Ask if there is evident preference for tokens */ - if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || - ARG_SET(OPT_TOKEN_ID_ID))) - r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, 1, true); + r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID), + NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, + 1, true, ARG_SET(OPT_TOKEN_ONLY_ID)); if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; @@ -883,7 +942,7 @@ static int action_status(void) struct crypt_device *cd = NULL; char *backing_file; const char *device; - int path = 0, r = 0; + int path = 0, r = 0, hw_enc; /* perhaps a path, not a dm device name */ if (strchr(action_argv[0], '/')) @@ -932,13 +991,33 @@ static int action_status(void) if (r < 0 && r != -ENOTSUP) goto out; - log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); - log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8); - log_std(" key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt"); + hw_enc = crypt_get_hw_encryption_type(cd); + if (hw_enc < 0) { + r = hw_enc; + goto out; + } + + if (hw_enc == CRYPT_SW_ONLY) { + log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); + log_std(" keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8); + log_std(" key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt"); + } else if (hw_enc == CRYPT_OPAL_HW_ONLY) { + log_std(" encryption: HW OPAL only\n"); + log_std(" OPAL keysize: %d bits\n", crypt_get_hw_encryption_key_size(cd) * 8); + } else if (hw_enc == CRYPT_SW_AND_OPAL_HW) { + log_std(" encryption: dm-crypt over HW OPAL\n"); + log_std(" OPAL keysize: %d bits\n", crypt_get_hw_encryption_key_size(cd) * 8); + log_std(" cipher: %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd)); + log_std(" keysize: %d bits\n", (crypt_get_volume_key_size(cd) - crypt_get_hw_encryption_key_size(cd)) * 8); + log_std(" key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt"); + } + if (ip.integrity) log_std(" integrity: %s\n", ip.integrity); if (ip.integrity_key_size) log_std(" integrity keysize: %d bits\n", ip.integrity_key_size * 8); + if (ip.tag_size) + log_std(" integrity tag size: %u bytes\n", ip.tag_size); device = crypt_get_device_name(cd); log_std(" device: %s\n", device); if ((backing_file = crypt_loop_backing_file(device))) { @@ -1282,9 +1361,14 @@ static int action_luksRepair(void) goto out; } - r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID)); - if (r < 0) - goto out; + if (!ARG_SET(OPT_DISABLE_BLKID_ID)) { + r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID)); + if (r < 0) { + if (r == -EIO) + log_err(_("Blkid scan failed for %s."), action_argv[0]); + goto out; + } + } if (!ARG_SET(OPT_BATCH_MODE_ID) && !yesDialog(_("Really try to repair LUKS device header?"), @@ -1353,12 +1437,13 @@ static int strcmp_or_null(const char *str, const char *expected) int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen) { - int r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0; + bool wipe_signatures = false; + int encrypt_type, r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0; struct stat st; const char *header_device, *type; char *msg = NULL, *key = NULL, *password = NULL; char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN]; - size_t passwordLen, signatures; + size_t passwordLen, signatures = 0; struct crypt_device *cd = NULL; struct crypt_params_luks1 params1 = { .hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH, @@ -1372,6 +1457,9 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password .label = ARG_STR(OPT_LABEL_ID), .subsystem = ARG_STR(OPT_SUBSYSTEM_ID) }; + struct crypt_params_hw_opal opal_params = { + .user_key_size = DEFAULT_LUKS1_KEYBITS / 8 + }; void *params; type = luksType(device_type); @@ -1397,6 +1485,11 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password log_err(_("Unsupported LUKS2 metadata size options.")); return -EINVAL; } + + if (ARG_SET(OPT_HW_OPAL_ID) || ARG_SET(OPT_HW_OPAL_ONLY_ID)) { + log_err(_("OPAL is supported only for LUKS2 format.")); + return -EINVAL; + } } else return -EINVAL; @@ -1466,9 +1559,14 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password } /* Print all present signatures in read-only mode */ - r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); - if (r < 0) - goto out; + if (!ARG_SET(OPT_DISABLE_BLKID_ID)) { + r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); + if (r < 0) { + if (r == -EIO) + log_err(_("Blkid scan failed for %s."), header_device); + goto out; + } + } if (!created && !ARG_SET(OPT_BATCH_MODE_ID)) { r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device); @@ -1485,6 +1583,11 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password keysize = get_adjusted_key_size(cipher_mode, DEFAULT_LUKS1_KEYBITS, integrity_keysize); + if (ARG_SET(OPT_HW_OPAL_ONLY_ID)) + keysize = opal_params.user_key_size; + else if (ARG_SET(OPT_HW_OPAL_ID)) + keysize += opal_params.user_key_size; + if (ARG_SET(OPT_USE_RANDOM_ID)) crypt_set_rng_type(cd, CRYPT_RNG_RANDOM); else if (ARG_SET(OPT_USE_URANDOM_ID)) @@ -1496,6 +1599,19 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password if (r < 0) goto out; + if (ARG_SET(OPT_HW_OPAL_ID) || ARG_SET(OPT_HW_OPAL_ONLY_ID)) { + r = tools_get_key("Enter OPAL Admin password: ", CONST_CAST(char **)&opal_params.admin_key, &opal_params.admin_key_size, + 0, 0, NULL, + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + if (r < 0) + goto out; + if (opal_params.admin_key_size == 0) { + log_err(_("OPAL Admin password cannot be empty.")); + r = -EPERM; + goto out; + } + } + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize); if (r < 0) @@ -1509,13 +1625,20 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password } /* Signature candidates found */ - if (signatures && ((r = tools_wipe_all_signatures(header_device, true, false)) < 0)) + if (!ARG_SET(OPT_DISABLE_BLKID_ID) && signatures && + ((r = tools_wipe_all_signatures(header_device, true, false)) < 0)) goto out; if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID)) crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING); - r = crypt_format(cd, type, cipher, cipher_mode, + if (ARG_SET(OPT_HW_OPAL_ID) || ARG_SET(OPT_HW_OPAL_ONLY_ID)) + r = crypt_format_luks2_opal(cd, + ARG_SET(OPT_HW_OPAL_ONLY_ID) ? NULL : cipher, + ARG_SET(OPT_HW_OPAL_ONLY_ID) ? NULL : cipher_mode, + ARG_STR(OPT_UUID_ID), key, keysize, params, &opal_params); + else + r = crypt_format(cd, type, cipher, cipher_mode, ARG_STR(OPT_UUID_ID), key, keysize, params); check_signal(&r); if (r < 0) @@ -1529,25 +1652,44 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password key, keysize, password, passwordLen); if (r < 0) { - (void) tools_wipe_all_signatures(header_device, true, false); + wipe_signatures = true; goto out; } tools_keyslot_msg(r, CREATED); if (ARG_SET(OPT_INTEGRITY_ID) && !ARG_SET(OPT_INTEGRITY_NO_WIPE_ID) && - strcmp_or_null(params2.integrity, "none")) + strcmp_or_null(params2.integrity, "none")) { r = _wipe_data_device(cd); + /* Interrupted wipe should not fail luksFormat action */ + if (r == -EINTR) + r = 0; + } out: + crypt_safe_free(key); + + if (r < 0) { + encrypt_type = crypt_get_hw_encryption_type(cd); + if (encrypt_type == CRYPT_OPAL_HW_ONLY || + encrypt_type == CRYPT_SW_AND_OPAL_HW) { + (void) crypt_wipe_hw_opal(cd, CRYPT_LUKS2_SEGMENT, + opal_params.admin_key, opal_params.admin_key_size, + 0); + } + if (wipe_signatures) + (void) tools_wipe_all_signatures(header_device, true, false); + } + + crypt_safe_free(CONST_CAST(void *)opal_params.admin_key); + if (r >= 0 && r_cd && r_password && r_passwordLen) { *r_cd = cd; *r_password = password; *r_passwordLen = passwordLen; - } else { - crypt_free(cd); - crypt_safe_free(password); + return r; } - crypt_safe_free(key); + crypt_free(cd); + crypt_safe_free(password); return r; } @@ -1557,17 +1699,166 @@ static int action_luksFormat(void) return luksFormat(NULL, NULL, NULL); } +static int parse_vk_description(const char *key_description, char **ret_key_description) +{ + char *tmp; + int r; + + assert(key_description); + assert(ret_key_description); + + /* apply default key type */ + if (*key_description != '%') + r = asprintf(&tmp, "%%user:%s", key_description) < 0 ? -EINVAL : 0; + else + r = (tmp = strdup(key_description)) ? 0 : -ENOMEM; + if (!r) + *ret_key_description = tmp; + + return r; +} + +static int parse_single_vk_and_keyring_description( + struct crypt_device *cd, + char *keyring_key_description, char **keyring_part_out, char + **key_part_out, char **type_part_out) +{ + int r = -EINVAL; + char *endp, *sep, *key_part, *type_part = NULL; + char *key_part_copy = NULL, *type_part_copy = NULL, *keyring_part = NULL; + + if (!cd || !keyring_key_description) + return -EINVAL; + + /* "::" is separator between keyring specification a key description */ + key_part = strstr(keyring_key_description, "::"); + if (!key_part) + goto out; + + *key_part = '\0'; + key_part = key_part + 2; + + if (*key_part == '%') { + type_part = key_part + 1; + sep = strstr(type_part, ":"); + if (!sep) + goto out; + *sep = '\0'; + + key_part = sep + 1; + } + + if (*keyring_key_description == '%') { + keyring_key_description = strstr(keyring_key_description, ":"); + if (!keyring_key_description) + goto out; + log_verbose(_("Type specification in --link-vk-to-keyring keyring specification is ignored.")); + keyring_key_description++; + } + + (void)strtol(keyring_key_description, &endp, 0); + + r = 0; + if (*keyring_key_description == '@' || !*endp) + keyring_part = strdup(keyring_key_description); + else + r = asprintf(&keyring_part, "%%:%s", keyring_key_description); + + if (!keyring_part || r < 0) { + r = -ENOMEM; + goto out; + } + + if (!(key_part_copy = strdup(key_part))) { + r = -ENOMEM; + goto out; + } + if (type_part && !(type_part_copy = strdup(type_part))) + r = -ENOMEM; + +out: + if (r < 0) { + free(keyring_part); + free(key_part_copy); + free(type_part_copy); + } else { + *keyring_part_out = keyring_part; + *key_part_out = key_part_copy; + *type_part_out = type_part_copy; + } + + return r; +} + +static int parse_vk_and_keyring_description( + struct crypt_device *cd, + char **keyring_key_descriptions, + int keyring_key_links_count) +{ + int r = 0; + + char *keyring_part_out1 = NULL, *key_part_out1 = NULL, *type_part_out1 = NULL; + char *keyring_part_out2 = NULL, *key_part_out2 = NULL, *type_part_out2 = NULL; + + if (keyring_key_links_count > 0) { + r = parse_single_vk_and_keyring_description(cd, + keyring_key_descriptions[0], + &keyring_part_out1, &key_part_out1, + &type_part_out1); + if (r < 0) + goto out; + } + if (keyring_key_links_count > 1) { + r = parse_single_vk_and_keyring_description(cd, + keyring_key_descriptions[1], + &keyring_part_out2, &key_part_out2, + &type_part_out2); + if (r < 0) + goto out; + + if ((type_part_out1 && type_part_out2) && strcmp(type_part_out1, type_part_out2)) { + log_err(_("Key types have to be the same for both volume keys.")); + r = -EINVAL; + goto out; + } + if ((keyring_part_out1 && keyring_part_out2) && strcmp(keyring_part_out1, keyring_part_out2)) { + log_err(_("Both volume keys have to be linked to the same keyring.")); + r = -EINVAL; + goto out; + } + } + + if (keyring_key_links_count > 0) { + r = crypt_set_keyring_to_link(cd, key_part_out1, key_part_out2, + type_part_out1, keyring_part_out1); + if (r == -EAGAIN) + log_err(_("You need to supply more key names.")); + } +out: + if (r == -EINVAL) + log_err(_("Invalid --link-vk-to-keyring value.")); + free(keyring_part_out1); + free(key_part_out1); + free(type_part_out1); + free(keyring_part_out2); + free(key_part_out2); + free(type_part_out2); + + return r; +} + static int action_open_luks(void) { struct crypt_active_device cad; struct crypt_device *cd = NULL; const char *data_device, *header_device, *activated_name; - char *key = NULL; + char *key = NULL, *vk_description_activation1 = NULL, *vk_description_activation2 = NULL; uint32_t activate_flags = 0; int r, keysize, tries; char *password = NULL; size_t passwordLen; struct stat st; + struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL; if (ARG_SET(OPT_REFRESH_ID)) { activated_name = action_argc > 1 ? action_argv[1] : action_argv[0]; @@ -1606,6 +1897,21 @@ static int action_open_luks(void) set_activation_flags(&activate_flags); + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } + + if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) { + r = parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count); + if (r < 0) + goto out; + } + if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) { keysize = crypt_get_volume_key_size(cd); if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) { @@ -1620,16 +1926,37 @@ static int action_open_luks(void) goto out; r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags); + } else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) { + if (vks_in_keyring_count == 1) { + r = parse_vk_description(vks_in_keyring[0], &vk_description_activation1); + if (r < 0) + goto out; + r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation1, &kc1); + if (r) + goto out; + r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc1, CRYPT_ANY_SLOT, NULL, activate_flags); + } else if (vks_in_keyring_count == 2) { + r = parse_vk_description(vks_in_keyring[0], &vk_description_activation1); + if (r < 0) + goto out; + r = parse_vk_description(vks_in_keyring[1], &vk_description_activation2); + if (r < 0) + goto out; + r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation1, &kc1); + if (r) + goto out; + r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation2, &kc2); + if (r) + goto out; + r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc1, CRYPT_ANY_SLOT, kc2, activate_flags); + } + if (r) + goto out; } else { - r = crypt_activate_by_token_pin(cd, activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), - ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL, activate_flags); - tools_keyslot_msg(r, UNLOCKED); - tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); - - /* Token requires PIN. Ask if there is evident preference for tokens */ - if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || - ARG_SET(OPT_TOKEN_ID_ID))) - r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, set_tries_tty(), true); + r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), + ARG_INT32(OPT_TOKEN_ID_ID), activated_name, + ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, + set_tries_tty(), true, ARG_SET(OPT_TOKEN_ONLY_ID)); if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; @@ -1657,9 +1984,14 @@ out: crypt_persistent_flags_set(cd, CRYPT_FLAGS_ACTIVATION, cad.flags & activate_flags))) log_err(_("Device activated but cannot make flags persistent.")); + crypt_keyslot_context_free(kc1); + crypt_keyslot_context_free(kc2); crypt_safe_free(key); crypt_safe_free(password); crypt_free(cd); + free(vk_description_activation1); + free(vk_description_activation2); + return r; } @@ -1839,6 +2171,15 @@ static int luksAddUnboundKey(void) goto out; } + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } + r = _set_keyslot_encryption_params(cd); if (r < 0) goto out; @@ -1943,7 +2284,8 @@ static int action_luksAddKey(void) { int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL; const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL); - char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL; + char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL, + *vk_description = NULL; size_t pin_size, pin_size_new, password_size = 0, password_new_size = 0; struct crypt_device *cd = NULL; struct crypt_keyslot_context *p_kc_new = NULL, *kc = NULL, *kc_new = NULL; @@ -1983,6 +2325,15 @@ static int action_luksAddKey(void) if (r < 0) goto out; + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } + /* Never call pwquality if using null cipher */ if (crypt_is_cipher_null(crypt_get_cipher(cd))) ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID); @@ -2019,7 +2370,11 @@ static int action_luksAddKey(void) ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_UINT64(OPT_KEYFILE_OFFSET_ID), &kc); - else if (ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || ARG_SET(OPT_TOKEN_ONLY_ID)) { + else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) { + r = parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description); + if (!r) + r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc); + } else if (ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || ARG_SET(OPT_TOKEN_ONLY_ID)) { r = crypt_keyslot_context_init_by_token(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_STR(OPT_TOKEN_TYPE_ID), @@ -2034,7 +2389,7 @@ static int action_luksAddKey(void) goto out; /* Check password before asking for new one */ - r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, + r = crypt_activate_by_passphrase(cd, NULL, keyslot_old, password, password_size, 0); check_signal(&r); tools_passphrase_msg(r); @@ -2107,6 +2462,7 @@ static int action_luksAddKey(void) } out: tools_keyslot_msg(r, CREATED); + free(vk_description); crypt_keyslot_context_free(kc); crypt_keyslot_context_free(kc_new); crypt_safe_free(password); @@ -2416,6 +2772,15 @@ static int action_luksDump(void) goto out; } + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } + if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) r = luksDump_with_volume_key(cd); else if (ARG_SET(OPT_UNBOUND_ID)) @@ -2448,11 +2813,12 @@ static int action_luksSuspend(void) static int action_luksResume(void) { struct crypt_device *cd = NULL; - char *password = NULL; + char *password = NULL, *vk_description_activation = NULL; size_t passwordLen; int r, tries; struct crypt_active_device cad; const char *req_type = luksType(device_type); + struct crypt_keyslot_context *kc = NULL; if (req_type && !isLUKS(req_type)) return -EINVAL; @@ -2460,7 +2826,14 @@ static int action_luksResume(void) if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(ARG_STR(OPT_HEADER_ID))))) return r; + if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) { + r = parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count); + if (r < 0) + goto out; + } + r = -EINVAL; + if (!isLUKS(crypt_get_type(cd))) { log_err(_("%s is not active LUKS device name or header is missing."), action_argv[0]); goto out; @@ -2481,20 +2854,34 @@ static int action_luksResume(void) goto out; } - /* try to resume LUKS2 device by token first */ - r = crypt_resume_by_token_pin(cd, action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), - ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL); - tools_keyslot_msg(r, UNLOCKED); - tools_token_error_msg(r, ARG_STR(OPT_TOKEN_TYPE_ID), ARG_INT32(OPT_TOKEN_ID_ID), false); + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + goto out; + } + } - /* Token requires PIN. Ask if there is evident preference for tokens */ - if (r == -ENOANO && (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || - ARG_SET(OPT_TOKEN_ID_ID))) - r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0, set_tries_tty(), false); + /* try to resume LUKS2 device by token first */ + r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID), + action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0, + set_tries_tty(), false, ARG_SET(OPT_TOKEN_ONLY_ID)); if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; + if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) { + r = parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description_activation); + if (r < 0) + goto out; + r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation, &kc); + if (r) + goto out; + r = crypt_resume_by_keyslot_context(cd, action_argv[0], CRYPT_ANY_SLOT, kc); + goto out; + } + tries = set_tries_tty(); do { r = tools_get_key(NULL, &password, &passwordLen, @@ -2513,7 +2900,9 @@ static int action_luksResume(void) password = NULL; } while ((r == -EPERM || r == -ERANGE) && (--tries > 0)); out: + crypt_keyslot_context_free(kc); crypt_safe_free(password); + free(vk_description_activation); crypt_free(cd); return r; } @@ -2642,15 +3031,48 @@ out: return r; } +static int opal_erase(struct crypt_device *cd, bool factory_reset) { + char *password = NULL; + size_t password_size = 0; + int r; + + r = tools_get_key(factory_reset ? _("Enter OPAL PSID: ") : _("Enter OPAL Admin password: "), + &password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), + ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), + ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), + !ARG_SET(OPT_FORCE_PASSWORD_ID), cd); + if (r < 0) + return r; + + if (factory_reset && !ARG_SET(OPT_BATCH_MODE_ID) && + !yesDialog(_("WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"), + _("Operation aborted.\n"))) { + crypt_safe_free(password); + return -EPERM; + } + + r = crypt_wipe_hw_opal(cd, factory_reset ? CRYPT_NO_SEGMENT : CRYPT_LUKS2_SEGMENT, + password, password_size, 0); + + crypt_safe_free(password); + return r; +} + static int action_luksErase(void) { struct crypt_device *cd = NULL; crypt_keyslot_info ki; char *msg = NULL; - int i, max, r; + int i, max, r, hw_enc; - if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) + if ((r = crypt_init_data_device(&cd, uuid_or_device(ARG_STR(OPT_HEADER_ID) ?: action_argv[0]), action_argv[0]))) + return r; + + /* Allow factory reset even if there's no LUKS header, as long as OPAL is enabled on the device */ + if (ARG_SET(OPT_HW_OPAL_FACTORY_RESET_ID)) { + r = opal_erase(cd, true); goto out; + } if ((r = crypt_load(cd, luksType(device_type), NULL))) { log_err(_("Device %s is not a valid LUKS device."), @@ -2658,7 +3080,15 @@ static int action_luksErase(void) goto out; } - if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n" + hw_enc = crypt_get_hw_encryption_type(cd); + if (hw_enc < 0) + goto out; + if (hw_enc == CRYPT_OPAL_HW_ONLY || hw_enc == CRYPT_SW_AND_OPAL_HW) { + r = opal_erase(cd, false); + goto out; + } + + if (asprintf(&msg, _("This operation will erase all keyslots on device %s.\n" "Device will become unusable after this operation."), uuid_or_device_header(NULL)) == -1) { r = -ENOMEM; @@ -2951,6 +3381,16 @@ static int action_token(void) return r; } + if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { + r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + if (r < 0) { + log_err(_("Failed to set external tokens path %s."), + ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID)); + crypt_free(cd); + return r; + } + } + r = -EINVAL; if (!strcmp(action_argv[0], "add")) { @@ -3063,7 +3503,7 @@ static const char *verify_resize(void) static const char *verify_reencrypt(void) { if (ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && ARG_SET(OPT_DEVICE_SIZE_ID)) - return _("Options --reduce-device-size and --data-size cannot be combined."); + return _("Options --reduce-device-size and --device-size cannot be combined."); if (isLUKS1(luksType(device_type)) && ARG_SET(OPT_ACTIVE_NAME_ID)) return _("Option --active-name can be set only for LUKS2 device."); @@ -3220,10 +3660,10 @@ static void help(poptContext popt_context, path = crypt_token_external_path(); if (path) { - log_std(_("\nLUKS2 external token plugin support is %s.\n"), _("compiled-in")); + log_std(_("\nLUKS2 external token plugin support is enabled.\n")); log_std(_("LUKS2 external token plugin path: %s.\n"), path); } else - log_std(_("\nLUKS2 external token plugin support is %s.\n"), _("disabled")); + log_std(_("\nLUKS2 external token plugin support is disabled.\n")); pbkdf_luks1 = crypt_get_pbkdf_default(CRYPT_LUKS1); pbkdf_luks2 = crypt_get_pbkdf_default(CRYPT_LUKS2); @@ -3315,6 +3755,7 @@ static void basic_options_cb(poptContext popt_context, const char *arg, void *data __attribute__((unused))) { + char buf[128]; tools_parse_arg_value(popt_context, tool_core_args[key->val].type, tool_core_args + key->val, arg, key->val, needs_size_conversion); /* special cases additional handling */ @@ -3366,6 +3807,29 @@ static void basic_options_cb(poptContext popt_context, _("Key size must be a multiple of 8 bits"), poptGetInvocationName(popt_context)); break; + case OPT_VOLUME_KEY_KEYRING_ID: + if (vks_in_keyring_count < MAX_VK_IN_KEYRING) + vks_in_keyring[vks_in_keyring_count++] = strdup(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID)); + else { + if (snprintf(buf, sizeof(buf), _("At most %d volume key specifications can be supplied."), MAX_KEYRING_LINKS) < 0) + buf[0] = '\0'; + usage(popt_context, EXIT_FAILURE, + buf, + poptGetInvocationName(popt_context)); + } + break; + case OPT_LINK_VK_TO_KEYRING_ID: + if (keyring_links_count < MAX_KEYRING_LINKS) + keyring_links[keyring_links_count++] = strdup(ARG_STR(OPT_LINK_VK_TO_KEYRING_ID)); + else { + + if (snprintf(buf, sizeof(buf), _("At most %d keyring link specifications can be supplied."), MAX_KEYRING_LINKS) < 0) + buf[0] = '\0'; + usage(popt_context, EXIT_FAILURE, + buf, + poptGetInvocationName(popt_context)); + } + break; case OPT_REDUCE_DEVICE_SIZE_ID: if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) > 1024 * 1024 * 1024) usage(popt_context, EXIT_FAILURE, _("Maximum device reduce size is 1 GiB."), @@ -3439,6 +3903,9 @@ int main(int argc, const char **argv) textdomain(PACKAGE); popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0); + if (!popt_context) + exit(EXIT_FAILURE); + poptSetOtherOptionHelp(popt_context, _("[OPTION...] ")); @@ -3506,7 +3973,10 @@ int main(int argc, const char **argv) aname = CLOSE_ACTION; } else if (!strcmp(aname, "luksErase")) { aname = ERASE_ACTION; - device_type = "luks"; + if (ARG_SET(OPT_TYPE_ID)) + device_type = ARG_STR(OPT_TYPE_ID); + else + device_type = "luks"; } else if (!strcmp(aname, "luksConfig")) { aname = CONFIG_ACTION; device_type = "luks2"; @@ -3562,6 +4032,11 @@ int main(int argc, const char **argv) _("PBKDF forced iterations cannot be combined with iteration time option."), poptGetInvocationName(popt_context)); + if (ARG_SET(OPT_DISABLE_KEYRING_ID) && ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) + usage(popt_context, EXIT_FAILURE, + _("Cannot link volume key to a keyring when keyring is disabled."), + poptGetInvocationName(popt_context)); + if (ARG_SET(OPT_DEBUG_ID) || ARG_SET(OPT_DEBUG_JSON_ID)) { crypt_set_debug_level(ARG_SET(OPT_DEBUG_JSON_ID)? CRYPT_DEBUG_JSON : CRYPT_DEBUG_ALL); dbg_version_and_cmd(argc, argv); diff --git a/src/cryptsetup.h b/src/cryptsetup.h index 011a669..8de8744 100644 --- a/src/cryptsetup.h +++ b/src/cryptsetup.h @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h index a7e5bb0..7496748 100644 --- a/src/cryptsetup_arg_list.h +++ b/src/cryptsetup_arg_list.h @@ -1,8 +1,8 @@ /* * Cryptsetup command line arguments list * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -37,11 +37,13 @@ ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_B ARG(OPT_DEBUG_JSON, '\0', POPT_ARG_NONE, N_("Show debug messages including JSON metadata"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)"), NULL, CRYPT_ARG_BOOL, {}, {}) + ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS) -ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) +ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device), DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) -ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS) ARG(OPT_DISABLE_EXTERNAL_TOKENS, '\0', POPT_ARG_NONE, N_("Disable loading of external LUKS2 token plugins"), NULL, CRYPT_ARG_BOOL, {}, {}) @@ -55,11 +57,13 @@ ARG(OPT_DUMP_JSON, '\0', POPT_ARG_NONE, N_("Dump info in JSON format (LUKS2 only ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of keyslots info"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)."), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {}) + +ARG(OPT_EXTERNAL_TOKENS_PATH, '\0', POPT_ARG_STRING, N_("Path to directory with external token handlers (plugins)."), NULL, CRYPT_ARG_STRING, {}, OPT_EXTERNAL_TOKENS_PATH_ACTIONS) ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection."), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS) +ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS) ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}, {}) @@ -67,9 +71,15 @@ ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS he ARG(OPT_HEADER_BACKUP_FILE, '\0', POPT_ARG_STRING, N_("File with LUKS header and keyslots backup"), NULL, CRYPT_ARG_STRING, {}, {}) -ARG(OPT_HOTZONE_SIZE, '\0', POPT_ARG_STRING, N_("Maximal reencryption hotzone size."), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_HOTZONE_SIZE_ACTIONS) +ARG(OPT_HOTZONE_SIZE, '\0', POPT_ARG_STRING, N_("Maximal reencryption hotzone size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_HOTZONE_SIZE_ACTIONS) + +ARG(OPT_HW_OPAL, '\0', POPT_ARG_NONE, N_("Use HW OPAL encryption together with SW encryption"), NULL, CRYPT_ARG_BOOL, {}, OPT_HW_OPAL_ACTIONS) + +ARG(OPT_HW_OPAL_FACTORY_RESET, '\0', POPT_ARG_NONE, N_("Wipe WHOLE OPAL disk on luksErase"), NULL, CRYPT_ARG_BOOL, {}, OPT_ERASE_ACTIONS) -ARG(OPT_INIT_ONLY, '\0', POPT_ARG_NONE, N_("Initialize LUKS2 reencryption in metadata only."), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_HW_OPAL_ONLY, '\0', POPT_ARG_NONE, N_("Use only HW OPAL encryption"), NULL, CRYPT_ARG_BOOL, {}, OPT_HW_OPAL_ONLY_ACTIONS) + +ARG(OPT_INIT_ONLY, '\0', POPT_ARG_NONE, N_("Initialize LUKS2 reencryption in metadata only"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_INTEGRITY, 'I', POPT_ARG_STRING, N_("Data integrity algorithm (LUKS2 only)"), NULL, CRYPT_ARG_STRING, {}, OPT_INTEGRITY_ACTIONS) @@ -85,7 +95,7 @@ ARG(OPT_IV_LARGE_SECTORS, '\0', POPT_ARG_NONE, N_("Use IV counted in sector size ARG(OPT_JSON_FILE, '\0', POPT_ARG_STRING, N_("Read or write the json from or to a file"), NULL, CRYPT_ARG_STRING, {}, {}) -ARG(OPT_KEEP_KEY, '\0', POPT_ARG_NONE, N_("Do not change volume key."), NULL, CRYPT_ARG_BOOL, {}, OPT_KEEP_KEY_ACTIONS) +ARG(OPT_KEEP_KEY, '\0', POPT_ARG_NONE, N_("Do not change volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_KEEP_KEY_ACTIONS) ARG(OPT_KEY_DESCRIPTION, '\0', POPT_ARG_STRING, N_("Key description"), NULL, CRYPT_ARG_STRING, {}, {}) @@ -105,20 +115,20 @@ ARG(OPT_KEYSLOT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 keyslot: The size of ARG(OPT_LABEL, '\0', POPT_ARG_STRING, N_("Set label for the LUKS2 device"), NULL, CRYPT_ARG_STRING, {}, OPT_LABEL_ACTIONS) +ARG(OPT_LINK_VK_TO_KEYRING, '\0', POPT_ARG_STRING, N_("Set keyring where to link volume key"), NULL, CRYPT_ARG_STRING, {}, OPT_LINK_VK_TO_KEYRING_ACTIONS) + ARG(OPT_LUKS2_KEYSLOTS_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 header keyslots area size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_LUKS2_KEYSLOTS_SIZE_ACTIONS) ARG(OPT_LUKS2_METADATA_SIZE, '\0', POPT_ARG_STRING, N_("LUKS2 header metadata area size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_LUKS2_METADATA_SIZE_ACTIONS) -ARG(OPT_VOLUME_KEY_FILE, '\0', POPT_ARG_STRING, N_("Use the volume key from file."), NULL, CRYPT_ARG_STRING, {}, {}) - ARG(OPT_NEW_KEYFILE, '\0', POPT_ARG_STRING, N_("Read the key for a new slot from a file"), NULL, CRYPT_ARG_STRING, {}, OPT_NEW_KEYFILE_ACTIONS) -ARG(OPT_NEW_KEY_SLOT, '\0', POPT_ARG_STRING, N_("Slot number for new key (default is first free)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_SLOT }, OPT_NEW_KEY_SLOT_ACTIONS) - ARG(OPT_NEW_KEYFILE_OFFSET , '\0', POPT_ARG_STRING, N_("Number of bytes to skip in newly added keyfile"), N_("bytes"), CRYPT_ARG_UINT64, {}, {}) ARG(OPT_NEW_KEYFILE_SIZE, '\0', POPT_ARG_STRING, N_("Limits the read from newly added keyfile"), N_("bytes"), CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_NEW_KEY_SLOT, '\0', POPT_ARG_STRING, N_("Slot number for new key (default is first free)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_SLOT }, OPT_NEW_KEY_SLOT_ACTIONS) + ARG(OPT_NEW_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_TOKEN }, OPT_NEW_TOKEN_ID_ACTIONS) ARG(OPT_OFFSET, 'o', POPT_ARG_STRING, N_("The start offset in the backend device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_OFFSET_ACTIONS) @@ -149,7 +159,7 @@ ARG(OPT_PROGRESS_FREQUENCY, '\0', POPT_ARG_STRING, N_("Progress line update (in ARG(OPT_READONLY, 'r', POPT_ARG_NONE, N_("Create a readonly mapping"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_REDUCE_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Reduce data device size (move data offset). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, {}) +ARG(OPT_REDUCE_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Reduce data device size (move data offset), DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, {}) ARG(OPT_REFRESH, '\0', POPT_ARG_NONE, N_("Refresh (reactivate) device with new parameters"), NULL, CRYPT_ARG_BOOL, {}, OPT_REFRESH_ACTIONS) @@ -157,7 +167,7 @@ ARG(OPT_RESILIENCE, '\0', POPT_ARG_STRING, N_("Reencryption hotzone resilience t ARG(OPT_RESILIENCE_HASH, '\0', POPT_ARG_STRING, N_("Reencryption hotzone checksums hash"), NULL, CRYPT_ARG_STRING, {}, {}) -ARG(OPT_RESUME_ONLY, '\0', POPT_ARG_NONE, N_("Resume initialized LUKS2 reencryption only."), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_RESUME_ONLY, '\0', POPT_ARG_NONE, N_("Resume initialized LUKS2 reencryption only"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_SECTOR_SIZE, '\0', POPT_ARG_STRING, N_("Encryption sector size (default: 512 bytes)"), "INT", CRYPT_ARG_UINT32, {}, OPT_SECTOR_SIZE_ACTIONS) @@ -171,12 +181,6 @@ ARG(OPT_SKIP, 'p', POPT_ARG_STRING, N_("How many sectors of the encrypted data t ARG(OPT_SUBSYSTEM, '\0', POPT_ARG_STRING, N_("Set subsystem label for the LUKS2 device"), NULL, CRYPT_ARG_STRING, {}, OPT_SUBSYSTEM_ACTIONS) -ARG(OPT_TCRYPT_BACKUP, '\0', POPT_ARG_NONE, N_("Use backup (secondary) TCRYPT header"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_BACKUP_ACTIONS) - -ARG(OPT_TCRYPT_HIDDEN, '\0', POPT_ARG_NONE, N_("Use hidden header (hidden TCRYPT device)"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_HIDDEN_ACTIONS) - -ARG(OPT_TCRYPT_SYSTEM, '\0', POPT_ARG_NONE, N_("Device is system TCRYPT drive (with bootloader)"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_SYSTEM_ACTIONS) - ARG(OPT_TEST_ARGS, '\0', POPT_ARG_NONE, N_("Do not run action, just validate all command line parameters"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_TEST_PASSPHRASE, '\0', POPT_ARG_NONE, N_("Do not activate device, just check passphrase"), NULL, CRYPT_ARG_BOOL, {}, OPT_TEST_PASSPHRASE_ACTIONS) @@ -191,6 +195,12 @@ ARG(OPT_TOKEN_REPLACE, '\0', POPT_ARG_NONE, N_("Replace the current token"), NUL ARG(OPT_TOKEN_TYPE, '\0', POPT_ARG_STRING, N_("Restrict allowed token types used to retrieve LUKS2 key"), NULL, CRYPT_ARG_STRING, {}, {}) +ARG(OPT_TCRYPT_BACKUP, '\0', POPT_ARG_NONE, N_("Use backup (secondary) TCRYPT header"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_BACKUP_ACTIONS) + +ARG(OPT_TCRYPT_HIDDEN, '\0', POPT_ARG_NONE, N_("Use hidden header (hidden TCRYPT device)"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_HIDDEN_ACTIONS) + +ARG(OPT_TCRYPT_SYSTEM, '\0', POPT_ARG_NONE, N_("Device is system TCRYPT drive (with bootloader)"), NULL, CRYPT_ARG_BOOL, {}, OPT_TCRYPT_SYSTEM_ACTIONS) + ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {}) ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {}) @@ -213,6 +223,10 @@ ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), N ARG(OPT_VERIFY_PASSPHRASE, 'y', POPT_ARG_NONE, N_("Verifies the passphrase by asking for it twice"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_VOLUME_KEY_FILE, '\0', POPT_ARG_STRING, N_("Use the volume key from file"), NULL, CRYPT_ARG_STRING, {}, {}) + +ARG(OPT_VOLUME_KEY_KEYRING, '\0', POPT_ARG_STRING, N_("Use the specified keyring key as a volume key"), NULL, CRYPT_ARG_STRING, {}, {}) + /* added for reencryption */ ARG(OPT_BLOCK_SIZE, 'B', POPT_ARG_STRING, N_("Reencryption block size"), N_("MiB"), CRYPT_ARG_UINT32, { .u32_value = 4 }, {}) diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h index 63604a3..5df9e1e 100644 --- a/src/cryptsetup_args.h +++ b/src/cryptsetup_args.h @@ -1,8 +1,8 @@ /* * Command line arguments helpers * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,57 +25,64 @@ #include "utils_arg_names.h" #include "utils_arg_macros.h" +#define ADDKEY_ACTION "luksAddKey" #define BITLKDUMP_ACTION "bitlkDump" #define BENCHMARK_ACTION "benchmark" +#define CHANGEKEY_ACTION "luksChangeKey" #define CLOSE_ACTION "close" +#define CONVERTKEY_ACTION "luksConvertKey" #define CONFIG_ACTION "config" #define CONVERT_ACTION "convert" #define ERASE_ACTION "erase" -#define FVAULT2DUMP_ACTION "fvault2Dump" -#define ISLUKS_ACTION "isLuks" -#define ADDKEY_ACTION "luksAddKey" -#define CHANGEKEY_ACTION "luksChangeKey" -#define CONVERTKEY_ACTION "luksConvertKey" -#define LUKSDUMP_ACTION "luksDump" #define FORMAT_ACTION "luksFormat" +#define FVAULT2DUMP_ACTION "fvault2Dump" #define HEADERBACKUP_ACTION "luksHeaderBackup" #define HEADERRESTORE_ACTION "luksHeaderRestore" +#define ISLUKS_ACTION "isLuks" #define KILLKEY_ACTION "luksKillSlot" -#define REMOVEKEY_ACTION "luksRemoveKey" -#define RESUME_ACTION "luksResume" -#define SUSPEND_ACTION "luksSuspend" -#define UUID_ACTION "luksUUID" +#define LUKSDUMP_ACTION "luksDump" #define OPEN_ACTION "open" #define REENCRYPT_ACTION "reencrypt" +#define REMOVEKEY_ACTION "luksRemoveKey" #define REPAIR_ACTION "repair" #define RESIZE_ACTION "resize" +#define RESUME_ACTION "luksResume" #define STATUS_ACTION "status" +#define SUSPEND_ACTION "luksSuspend" #define TCRYPTDUMP_ACTION "tcryptDump" #define TOKEN_ACTION "token" +#define UUID_ACTION "luksUUID" /* avoid unshielded commas in ARG() macros later */ #define OPT_ALIGN_PAYLOAD_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION } #define OPT_DEFERRED_ACTIONS { CLOSE_ACTION } #define OPT_DEVICE_SIZE_ACTIONS { OPEN_ACTION, RESIZE_ACTION, REENCRYPT_ACTION } +#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } -#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION } +#define OPT_ERASE_ACTIONS { ERASE_ACTION } +#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION } #define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION } -#define OPT_INTEGRITY_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } -#define OPT_INTEGRITY_NO_WIPE_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION } +#define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION } +#define OPT_HW_OPAL_ONLY_ACTIONS OPT_HW_OPAL_ACTIONS +#define OPT_INTEGRITY_ACTIONS { FORMAT_ACTION } +#define OPT_INTEGRITY_NO_WIPE_ACTIONS { FORMAT_ACTION } #define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } #define OPT_IV_LARGE_SECTORS_ACTIONS { OPEN_ACTION } #define OPT_KEEP_KEY_ACTIONS { REENCRYPT_ACTION } +#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION } #define OPT_KEY_SIZE_ACTIONS { OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION } #define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION } #define OPT_KEYSLOT_CIPHER_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION } #define OPT_KEYSLOT_KEY_SIZE_ACTIONS OPT_KEYSLOT_CIPHER_ACTIONS -#define OPT_NEW_KEYFILE_ACTIONS { ADDKEY_ACTION } -#define OPT_NEW_KEY_SLOT_ACTIONS { ADDKEY_ACTION } -#define OPT_NEW_TOKEN_ID_ACTIONS { ADDKEY_ACTION } #define OPT_LABEL_ACTIONS { CONFIG_ACTION, FORMAT_ACTION, REENCRYPT_ACTION } +#define OPT_LINK_VK_TO_KEYRING_ACTIONS { OPEN_ACTION, RESUME_ACTION } #define OPT_LUKS2_KEYSLOTS_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION } #define OPT_LUKS2_METADATA_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION } +#define OPT_NEW_KEYFILE_ACTIONS { ADDKEY_ACTION } +#define OPT_NEW_KEY_SLOT_ACTIONS { ADDKEY_ACTION } +#define OPT_NEW_TOKEN_ID_ACTIONS { ADDKEY_ACTION } #define OPT_OFFSET_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, FORMAT_ACTION } #define OPT_PBKDF_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } #define OPT_PBKDF_FORCE_ITERATIONS_ACTIONS { FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION } diff --git a/src/integritysetup.c b/src/integritysetup.c index eee6171..0e5d70f 100644 --- a/src/integritysetup.c +++ b/src/integritysetup.c @@ -1,8 +1,8 @@ /* * integritysetup - setup integrity protected volumes for dm-integrity * - * Copyright (C) 2017-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2017-2023 Milan Broz + * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2017-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -190,13 +190,18 @@ static int action_format(void) goto out; } - r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); - if (r < 0) - goto out; + if (!ARG_SET(OPT_DISABLE_BLKID_ID)) { + r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID)); + if (r < 0) { + if (r == -EIO) + log_err(_("Blkid scan failed for %s."), action_argv[0]); + goto out; + } - /* Signature candidates found */ - if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0)) - goto out; + /* Signature candidates found */ + if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0)) + goto out; + } if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID)) crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING); @@ -212,8 +217,12 @@ static int action_format(void) log_std(_("Formatted with tag size %u, internal integrity %s.\n"), params2.tag_size, params2.integrity); - if (!ARG_SET(OPT_NO_WIPE_ID)) + if (!ARG_SET(OPT_NO_WIPE_ID)) { r = _wipe_data_device(cd, integrity_key); + /* Interrupted wipe should not fail format action */ + if (r == -EINTR) + r = 0; + } out: crypt_safe_free(integrity_key); crypt_safe_free(CONST_CAST(void*)params.journal_integrity_key); @@ -660,6 +669,9 @@ int main(int argc, const char **argv) textdomain(PACKAGE); popt_context = poptGetContext("integrity", argc, argv, popt_options, 0); + if (!popt_context) + exit(EXIT_FAILURE); + poptSetOtherOptionHelp(popt_context, _("[OPTION...] ")); diff --git a/src/integritysetup_arg_list.h b/src/integritysetup_arg_list.h index 39f2906..083184b 100644 --- a/src/integritysetup_arg_list.h +++ b/src/integritysetup_arg_list.h @@ -1,8 +1,8 @@ /* * Integritysetup command line arguments list * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -29,7 +29,7 @@ ARG(OPT_BUFFER_SECTORS, '\0', POPT_ARG_STRING, N_("Buffers size"), N_("SECTORS") ARG(OPT_BITMAP_FLUSH_TIME, '\0', POPT_ARG_STRING, N_("Bitmap mode flush time"), N_("ms"), CRYPT_ARG_UINT32, {}, {}) -ARG(OPT_BITMAP_SECTORS_PER_BIT, '\0', POPT_ARG_STRING, N_("Number of 512-byte sectors per bit (bitmap mode)."), "INT", CRYPT_ARG_UINT32, {}, {}) +ARG(OPT_BITMAP_SECTORS_PER_BIT, '\0', POPT_ARG_STRING, N_("Number of 512-byte sectors per bit (bitmap mode)"), "INT", CRYPT_ARG_UINT32, {}, {}) ARG(OPT_CANCEL_DEFERRED, '\0', POPT_ARG_NONE, N_("Cancel a previously set deferred device removal"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS) @@ -39,8 +39,14 @@ ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_B ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS) +ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device), DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) + +ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS) + ARG(OPT_INTEGRITY, 'I', POPT_ARG_STRING, N_("Data integrity algorithm"), NULL, CRYPT_ARG_STRING, { .str_value = CONST_CAST(void *)DEFAULT_ALG_NAME }, {}) +ARG(OPT_INTEGRITY_BITMAP_MODE, 'B', POPT_ARG_NONE, N_("Use bitmap to track changes and disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {}) + ARG(OPT_INTEGRITY_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the integrity key from a file"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {}) @@ -53,6 +59,12 @@ ARG(OPT_INTEGRITY_LEGACY_RECALC, '\0', POPT_ARG_NONE, N_("Allow recalculating of ARG(OPT_INTEGRITY_NO_JOURNAL, 'D', POPT_ARG_NONE, N_("Disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_INTEGRITY_RECALCULATE, '\0', POPT_ARG_NONE, N_("Recalculate initial tags automatically"), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_RECALCULATE_ACTIONS) + +ARG(OPT_INTEGRITY_RECALCULATE_RESET, '\0', POPT_ARG_NONE, N_("Reset automatic recalculate position"), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_RECALCULATE_ACTIONS) + +ARG(OPT_INTEGRITY_RECOVERY_MODE, 'R', POPT_ARG_NONE, N_("Recovery mode (no journal, no tag checking)"), NULL, CRYPT_ARG_BOOL, {}, {}) + ARG(OPT_INTERLEAVE_SECTORS, '\0', POPT_ARG_STRING, N_("Interleave sectors"), N_("SECTORS"), CRYPT_ARG_UINT32, {}, OPT_INTERLEAVE_SECTORS_ACTIONS) ARG(OPT_JOURNAL_COMMIT_TIME, '\0', POPT_ARG_STRING, N_("Journal commit time"), N_("ms"), CRYPT_ARG_UINT32, {}, {}) @@ -75,26 +87,16 @@ ARG(OPT_JOURNAL_WATERMARK, '\0', POPT_ARG_STRING, N_("Journal watermark"), N_("p ARG(OPT_NO_WIPE, '\0', POPT_ARG_NONE, N_("Do not wipe device after format"), NULL, CRYPT_ARG_BOOL, {}, OPT_NO_WIPE_ACTIONS) -ARG(OPT_WIPE, '\0', POPT_ARG_NONE, N_("Wipe the end of the device after resize"), NULL, CRYPT_ARG_BOOL, {}, OPT_WIPE_ACTIONS) - ARG(OPT_PROGRESS_FREQUENCY, '\0', POPT_ARG_STRING, N_("Progress line update (in seconds)"), N_("secs"), CRYPT_ARG_UINT32, {}, {}) ARG(OPT_PROGRESS_JSON, '\0', POPT_ARG_NONE, N_("Print wipe progress data in json format (suitable for machine processing)"), NULL, CRYPT_ARG_BOOL, {}, OPT_PROGRESS_JSON_ACTIONS) -ARG(OPT_INTEGRITY_BITMAP_MODE, 'B', POPT_ARG_NONE, N_("Use bitmap to track changes and disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {}) - -ARG(OPT_INTEGRITY_RECALCULATE, '\0', POPT_ARG_NONE, N_("Recalculate initial tags automatically."), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_RECALCULATE_ACTIONS) - -ARG(OPT_INTEGRITY_RECALCULATE_RESET, '\0', POPT_ARG_NONE, N_("Reset automatic recalculate position."), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_RECALCULATE_ACTIONS) - -ARG(OPT_INTEGRITY_RECOVERY_MODE, 'R', POPT_ARG_NONE, N_("Recovery mode (no journal, no tag checking)"), NULL, CRYPT_ARG_BOOL, {}, {}) - ARG(OPT_SECTOR_SIZE, 's', POPT_ARG_STRING, N_("Sector size"), N_("bytes"), CRYPT_ARG_UINT32, { .u32_value = 512 }, OPT_SECTOR_SIZE_ACTIONS) +ARG(OPT_SIZE, 'b', POPT_ARG_STRING, N_("The size of the device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_SIZE_ACTIONS) + ARG(OPT_TAG_SIZE, 't', POPT_ARG_STRING, N_("Tag size (per-sector)"), N_("bytes"), CRYPT_ARG_UINT32, {}, OPT_TAG_SIZE_ACTIONS) ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}, {}) -ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_DEVICE_SIZE_ACTIONS) - -ARG(OPT_SIZE, 'b', POPT_ARG_STRING, N_("The size of the device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_SIZE_ACTIONS) +ARG(OPT_WIPE, '\0', POPT_ARG_NONE, N_("Wipe the end of the device after resize"), NULL, CRYPT_ARG_BOOL, {}, OPT_WIPE_ACTIONS) diff --git a/src/integritysetup_args.h b/src/integritysetup_args.h index 8241008..5595a84 100644 --- a/src/integritysetup_args.h +++ b/src/integritysetup_args.h @@ -1,8 +1,8 @@ /* * Command line arguments helpers * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -25,24 +25,25 @@ #include "utils_arg_names.h" #include "utils_arg_macros.h" +#define DUMP_ACTION "dump" #define FORMAT_ACTION "format" -#define OPEN_ACTION "open" #define CLOSE_ACTION "close" -#define STATUS_ACTION "status" -#define DUMP_ACTION "dump" +#define OPEN_ACTION "open" #define RESIZE_ACTION "resize" +#define STATUS_ACTION "status" #define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION } #define OPT_DEFERRED_ACTIONS { CLOSE_ACTION } +#define OPT_DEVICE_SIZE_ACTIONS { RESIZE_ACTION } +#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION } #define OPT_INTEGRITY_RECALCULATE_ACTIONS { OPEN_ACTION } +#define OPT_INTERLEAVE_SECTORS_ACTIONS { FORMAT_ACTION } #define OPT_JOURNAL_SIZE_ACTIONS { FORMAT_ACTION } #define OPT_NO_WIPE_ACTIONS { FORMAT_ACTION } -#define OPT_INTERLEAVE_SECTORS_ACTIONS { FORMAT_ACTION } #define OPT_PROGRESS_JSON_ACTIONS { FORMAT_ACTION, RESIZE_ACTION } #define OPT_SECTOR_SIZE_ACTIONS { FORMAT_ACTION } -#define OPT_TAG_SIZE_ACTIONS { FORMAT_ACTION } -#define OPT_DEVICE_SIZE_ACTIONS { RESIZE_ACTION } #define OPT_SIZE_ACTIONS { RESIZE_ACTION } +#define OPT_TAG_SIZE_ACTIONS { FORMAT_ACTION } #define OPT_WIPE_ACTIONS { RESIZE_ACTION } enum { diff --git a/src/meson.build b/src/meson.build new file mode 100644 index 0000000..3fd1ff5 --- /dev/null +++ b/src/meson.build @@ -0,0 +1,77 @@ +src_build_dir = meson.current_build_dir() + +if get_option('cryptsetup') + cryptsetup_files = files( + 'cryptsetup.c', + 'utils_args.c', + 'utils_blockdev.c', + 'utils_luks.c', + 'utils_password.c', + 'utils_progress.c', + 'utils_reencrypt.c', + 'utils_reencrypt_luks1.c', + 'utils_tools.c', + ) + cryptsetup_files += lib_tools_files + cryptsetup_deps = [ + popt, + pwquality, + passwdqc, + uuid, + blkid, + ] + cryptsetup = executable('cryptsetup', + cryptsetup_files, + dependencies: cryptsetup_deps, + link_with: libcryptsetup, + link_args: link_args, + include_directories: includes_tools) +endif + +if get_option('veritysetup') + veritysetup_files = files( + 'utils_args.c', + 'utils_tools.c', + 'veritysetup.c', + ) + veritysetup_files += lib_tools_files + veritysetup_deps = [ + popt, + blkid, + ] + + veritysetup = executable('veritysetup', + veritysetup_files, + dependencies: veritysetup_deps, + link_with: libcryptsetup, + link_args: link_args, + include_directories: includes_tools) +endif + +if get_option('integritysetup') + integritysetup_files = files( + 'integritysetup.c', + 'utils_args.c', + 'utils_blockdev.c', + 'utils_progress.c', + 'utils_tools.c', + ) + integritysetup_files += lib_tools_files + integritysetup_deps = [ + popt, + uuid, + blkid, + ] + + integritysetup = executable('integritysetup', + integritysetup_files, + dependencies: integritysetup_deps, + link_with: libcryptsetup, + link_args: link_args, + include_directories: includes_tools) +endif + +src_ssh_token_files = files( + 'utils_password.c', + 'utils_tools.c', +) diff --git a/src/utils_arg_macros.h b/src/utils_arg_macros.h index 901b3f4..eba0eca 100644 --- a/src/utils_arg_macros.h +++ b/src/utils_arg_macros.h @@ -1,8 +1,8 @@ /* * Command line arguments parsing helpers * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h index 66a59e8..4ec5510 100644 --- a/src/utils_arg_names.h +++ b/src/utils_arg_names.h @@ -1,8 +1,8 @@ /* * Command line arguments name list * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -41,6 +41,7 @@ #define OPT_DEFERRED "deferred" #define OPT_DEVICE_SIZE "device-size" #define OPT_DECRYPT "decrypt" +#define OPT_DISABLE_BLKID "disable-blkid" #define OPT_DISABLE_EXTERNAL_TOKENS "disable-external-tokens" #define OPT_DISABLE_KEYRING "disable-keyring" #define OPT_DISABLE_LOCKS "disable-locks" @@ -49,6 +50,7 @@ #define OPT_DUMP_MASTER_KEY "dump-master-key" #define OPT_DUMP_VOLUME_KEY "dump-volume-key" #define OPT_ENCRYPT "encrypt" +#define OPT_EXTERNAL_TOKENS_PATH "external-tokens-path" #define OPT_FEC_DEVICE "fec-device" #define OPT_FEC_OFFSET "fec-offset" #define OPT_FEC_ROOTS "fec-roots" @@ -61,6 +63,9 @@ #define OPT_HEADER "header" #define OPT_HEADER_BACKUP_FILE "header-backup-file" #define OPT_HOTZONE_SIZE "hotzone-size" +#define OPT_HW_OPAL "hw-opal" +#define OPT_HW_OPAL_ONLY "hw-opal-only" +#define OPT_HW_OPAL_FACTORY_RESET "hw-opal-factory-reset" #define OPT_IGNORE_CORRUPTION "ignore-corruption" #define OPT_IGNORE_ZERO_BLOCKS "ignore-zero-blocks" #define OPT_INIT_ONLY "init-only" @@ -102,10 +107,12 @@ #define OPT_NO_WIPE "no-wipe" #define OPT_WIPE "wipe" #define OPT_LABEL "label" +#define OPT_LINK_VK_TO_KEYRING "link-vk-to-keyring" #define OPT_LUKS2_KEYSLOTS_SIZE "luks2-keyslots-size" #define OPT_LUKS2_METADATA_SIZE "luks2-metadata-size" #define OPT_MASTER_KEY_FILE "master-key-file" #define OPT_VOLUME_KEY_FILE "volume-key-file" +#define OPT_VOLUME_KEY_KEYRING "volume-key-keyring" #define OPT_NEW "new" #define OPT_NEW_KEY_SLOT "new-key-slot" #define OPT_NEW_KEYFILE "new-keyfile" diff --git a/src/utils_args.c b/src/utils_args.c index fda2350..47be0c3 100644 --- a/src/utils_args.c +++ b/src/utils_args.c @@ -1,8 +1,8 @@ /* * Command line arguments parsing helpers * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/utils_blockdev.c b/src/utils_blockdev.c index ae6dec4..c797cf4 100644 --- a/src/utils_blockdev.c +++ b/src/utils_blockdev.c @@ -1,8 +1,8 @@ /* * Linux block devices helpers * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -222,17 +222,22 @@ int tools_detect_signatures(const char *device, tools_probe_filter_info filter, switch (filter) { case PRB_FILTER_LUKS: + log_dbg("Blkid check (filter LUKS)."); if (blk_superblocks_filter_luks(h)) { r = -EINVAL; + log_dbg("Blkid filter LUKS probe failed."); goto out; } /* fall-through */ case PRB_FILTER_NONE: + log_dbg("Blkid check (filter none)."); blk_set_chains_for_full_print(h); break; case PRB_ONLY_LUKS: + log_dbg("Blkid check (LUKS only)."); blk_set_chains_for_fast_detection(h); if (blk_superblocks_only_luks(h)) { + log_dbg("Blkid only LUKS probe failed."); r = -EINVAL; goto out; } @@ -251,8 +256,11 @@ int tools_detect_signatures(const char *device, tools_probe_filter_info filter, (*count)++; } - if (pr == PRB_FAIL) - r = -EINVAL; + if (pr == PRB_FAIL) { + /* Expect device cannot be read */ + r = -EIO; + log_dbg("Blkid probe failed."); + } out: blk_free(h); return r; @@ -302,6 +310,8 @@ int tools_wipe_all_signatures(const char *path, bool exclusive, bool only_luks) goto out; } + log_dbg("Blkid wipe."); + while ((pr = blk_probe(h)) < PRB_EMPTY) { if (blk_is_partition(h)) log_verbose(_("Existing '%s' partition signature on device %s will be wiped."), diff --git a/src/utils_luks.c b/src/utils_luks.c index 6a10ab6..5007b3f 100644 --- a/src/utils_luks.c +++ b/src/utils_luks.c @@ -1,9 +1,9 @@ /* * Helper utilities for LUKS2 features * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Milan Broz - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Milan Broz + * Copyright (C) 2018-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -50,7 +50,8 @@ bool isLUKS1(const char *type) bool isLUKS2(const char *type) { - return type && !strcmp(type, CRYPT_LUKS2); + /* OPAL just changes the driver, header format is identical, so overload */ + return type && (!strcmp(type, CRYPT_LUKS2)); } int verify_passphrase(int def) diff --git a/src/utils_luks.h b/src/utils_luks.h index 28220ab..6183b26 100644 --- a/src/utils_luks.h +++ b/src/utils_luks.h @@ -1,9 +1,9 @@ /* * Helper utilities for LUKS in cryptsetup * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2018-2023 Milan Broz - * Copyright (C) 2018-2023 Ondrej Kozina + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Milan Broz + * Copyright (C) 2018-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/utils_password.c b/src/utils_password.c index 3374e18..70da4b0 100644 --- a/src/utils_password.c +++ b/src/utils_password.c @@ -1,8 +1,8 @@ /* * Password quality check wrapper * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -98,6 +98,7 @@ static int tools_check_password(const char *password) #elif defined ENABLE_PASSWDQC return tools_check_passwdqc(password); #else + UNUSED(password); return 0; #endif } diff --git a/src/utils_progress.c b/src/utils_progress.c index 76b1818..3105bed 100644 --- a/src/utils_progress.c +++ b/src/utils_progress.c @@ -1,8 +1,8 @@ /* * cryptsetup - progress output utilities * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c index a78557c..7546811 100644 --- a/src/utils_reencrypt.c +++ b/src/utils_reencrypt.c @@ -1,9 +1,9 @@ /* * cryptsetup - action re-encryption utilities * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz - * Copyright (C) 2021-2023 Ondrej Kozina + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz + * Copyright (C) 2021-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -306,7 +306,7 @@ static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device if (!ARG_SET(OPT_BATCH_MODE_ID) && !ARG_SET(OPT_RESUME_ONLY_ID)) { r = asprintf(&msg, _("Device %s is already in LUKS2 reencryption. " "Do you wish to resume previously initialised operation?"), - crypt_get_metadata_device_name(cd) ?: data_device); + crypt_get_metadata_device_name(cd) ?: crypt_get_device_name(cd)); if (r < 0) { r = -ENOMEM; goto out; @@ -349,11 +349,6 @@ static int luks2_reencrypt_in_progress(struct crypt_device *cd) if (crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &flags)) return -EINVAL; - if (flags & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { - log_err(_("Legacy LUKS2 reencryption is no longer supported.")); - return -EINVAL; - } - return flags & CRYPT_REQUIREMENT_ONLINE_REENCRYPT; } @@ -411,14 +406,34 @@ static enum device_status_info load_luks(struct crypt_device **r_cd, static bool luks2_reencrypt_eligible(struct crypt_device *cd) { + uint32_t flags; struct crypt_params_integrity ip = { 0 }; + if (crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &flags)) + return false; + + if (flags & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { + log_err(_("Legacy LUKS2 reencryption is no longer supported.")); + return false; + } + + if (flags & CRYPT_REQUIREMENT_OPAL) { + log_err(_("Can not reencrypt LUKS2 device configured to use OPAL.")); + return false; + } + /* raw integrity info is available since 2.0 */ if (crypt_get_integrity_info(cd, &ip) || ip.tag_size) { log_err(_("Reencryption of device with integrity profile is not supported.")); return false; } + /* Check that cipher is in compatible format */ + if (!crypt_get_cipher(cd)) { + log_err(_("No known cipher specification pattern detected in LUKS2 header.")); + return false; + } + return true; } @@ -1322,9 +1337,15 @@ static int check_broken_luks_signature(const char *device) int r; size_t count; + if (ARG_SET(OPT_DISABLE_BLKID_ID)) + return 0; + r = tools_detect_signatures(device, PRB_ONLY_LUKS, &count, ARG_SET(OPT_BATCH_MODE_ID)); - if (r < 0) + if (r < 0) { + if (r == -EIO) + log_err(_("Blkid scan failed for %s."), device); return -EINVAL; + } if (count) { log_err(_("Device %s contains broken LUKS metadata. Aborting operation."), device); return -EINVAL; @@ -1449,6 +1470,8 @@ static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, co if ((r = reencrypt_luks2_load(*cd, data_device)) < 0) return r; } else if (dev_st == DEVICE_LUKS2) { + if (!luks2_reencrypt_eligible(*cd)) + return -EINVAL; if (!ARG_SET(OPT_HEADER_ID)) { log_err(_("LUKS2 decryption requires --header option.")); return -EINVAL; diff --git a/src/utils_reencrypt_luks1.c b/src/utils_reencrypt_luks1.c index ae849c0..1e36ad9 100644 --- a/src/utils_reencrypt_luks1.c +++ b/src/utils_reencrypt_luks1.c @@ -1,8 +1,8 @@ /* * cryptsetup - LUKS1 utility for offline re-encryption * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/utils_tools.c b/src/utils_tools.c index a0e2ebc..5cfd9e6 100644 --- a/src/utils_tools.c +++ b/src/utils_tools.c @@ -3,8 +3,8 @@ * * Copyright (C) 2004 Jana Saout * Copyright (C) 2004-2007 Clemens Fruhwirth - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -435,8 +435,9 @@ int tools_write_mk(const char *file, const char *key, int keysize) void tools_package_version(const char *name, bool use_pwlibs) { - bool udev = false, blkid = false, keyring = false, fips = false; - bool kernel_capi = false, pwquality = false, passwdqc = false; + bool udev = false, blkid = false, keyring = false, fips = false, + kernel_capi = false, pwquality = false, passwdqc = false, + hw_opal = false; #ifdef USE_UDEV udev = true; #endif @@ -457,12 +458,16 @@ void tools_package_version(const char *name, bool use_pwlibs) #elif defined(ENABLE_PASSWDQC) passwdqc = true; #endif - log_std("%s %s flags: %s%s%s%s%s%s%s\n", name, PACKAGE_VERSION, +#ifdef HAVE_HW_OPAL + hw_opal = true; +#endif + log_std("%s %s flags: %s%s%s%s%s%s%s%s\n", name, PACKAGE_VERSION, udev ? "UDEV " : "", blkid ? "BLKID " : "", keyring ? "KEYRING " : "", fips ? "FIPS " : "", kernel_capi ? "KERNEL_CAPI " : "", pwquality && use_pwlibs ? "PWQUALITY " : "", - passwdqc && use_pwlibs ? "PASSWDQC " : ""); + passwdqc && use_pwlibs ? "PASSWDQC " : "", + hw_opal ? "HW_OPAL " : ""); } diff --git a/src/veritysetup.c b/src/veritysetup.c index 8be81cc..3fd90fc 100644 --- a/src/veritysetup.c +++ b/src/veritysetup.c @@ -1,8 +1,8 @@ /* * veritysetup - setup cryptographic volumes for dm-verity * - * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2012-2023 Milan Broz + * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -599,6 +599,9 @@ int main(int argc, const char **argv) textdomain(PACKAGE); popt_context = poptGetContext("verity", argc, argv, popt_options, 0); + if (!popt_context) + exit(EXIT_FAILURE); + poptSetOtherOptionHelp(popt_context, _("[OPTION...] ")); diff --git a/src/veritysetup_arg_list.h b/src/veritysetup_arg_list.h index 014273e..34002f3 100644 --- a/src/veritysetup_arg_list.h +++ b/src/veritysetup_arg_list.h @@ -1,8 +1,8 @@ /* * Veritysetup command line arguments list * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/src/veritysetup_args.h b/src/veritysetup_args.h index d47813d..43f4a23 100644 --- a/src/veritysetup_args.h +++ b/src/veritysetup_args.h @@ -1,8 +1,8 @@ /* * Command line arguments helpers * - * Copyright (C) 2020-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2020-2023 Ondrej Kozina + * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2020-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -35,8 +35,8 @@ #define OPT_DEFERRED_ACTIONS { CLOSE_ACTION } #define OPT_IGNORE_CORRUPTION_ACTIONS { OPEN_ACTION } #define OPT_IGNORE_ZERO_BLOCKS_ACTIONS { OPEN_ACTION } -#define OPT_RESTART_ON_CORRUPTION_ACTIONS { OPEN_ACTION } #define OPT_PANIC_ON_CORRUPTION_ACTIONS { OPEN_ACTION } +#define OPT_RESTART_ON_CORRUPTION_ACTIONS { OPEN_ACTION } #define OPT_ROOT_HASH_FILE_ACTIONS { FORMAT_ACTION, OPEN_ACTION, VERIFY_ACTION } #define OPT_ROOT_HASH_SIGNATURE_ACTIONS { OPEN_ACTION } #define OPT_USE_TASKLETS_ACTIONS { OPEN_ACTION } diff --git a/tests/Makefile.am b/tests/Makefile.am index c8a46a8..75c1d3d 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -4,6 +4,7 @@ TESTS = 00modules-test \ compat-args-test \ compat-test \ compat-test2 \ + compat-test-opal \ loopaes-test \ align-test \ align-test2 \ @@ -44,15 +45,7 @@ if EXTERNAL_TOKENS TESTS += systemd-test-plugin endif -ssh-test-plugin: fake_token_path.so -systemd-test-plugin: fake_token_path.so fake_systemd_tpm_path.so - -# Do not use global CFLAGS here as the *.so link does not support sanitizers -fake_token_path.so: fake_token_path.c - $(CC) $(LDFLAGS) -I $(top_srcdir)/lib -fPIC -shared -D_GNU_SOURCE \ - -Wl,--version-script=$(top_srcdir)/lib/libcryptsetup.sym \ - -o fake_token_path.so $(top_srcdir)/tests/fake_token_path.c \ - -DBUILD_DIR=\"$(abs_top_srcdir)/.libs/\" +systemd-test-plugin: fake_systemd_tpm_path.so fake_systemd_tpm_path.so: fake_systemd_tpm_path.c $(CC) $(LDFLAGS) -fPIC -shared -D_GNU_SOURCE -o fake_systemd_tpm_path.so \ @@ -68,6 +61,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ luks2_valid_hdr.img.xz \ luks2_header_requirements.tar.xz \ luks2_mda_images.tar.xz \ + luks2_invalid_cipher.img.xz \ evil_hdr-payload_overwrite.xz \ evil_hdr-stripes_payload_dmg.xz \ evil_hdr-luks_hdr_damage.xz \ @@ -79,6 +73,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ compat-args-test \ compat-test \ compat-test2 \ + compat-test-opal \ loopaes-test align-test discards-test mode-test password-hash-test \ align-test2 verity-compat-test \ reencryption-compat-test \ @@ -103,14 +98,14 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ ssh-test-plugin \ generate-symbols-list \ run-all-symbols \ - fake_token_path.c \ fake_systemd_tpm_path.c \ unit-wipe-test \ systemd-test-plugin -CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_token_path.so fake_systemd_tpm_path.so +CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_systemd_tpm_path.so clean-local: - -rm -rf tcrypt-images luks1-images luks2-images bitlk-images fvault2-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp external-tokens + -rm -rf tcrypt-images luks1-images luks2-images bitlk-images fvault2-images conversion_imgs \ + luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp external-tokens luks2_invalid_cipher.img differ_SOURCES = differ.c differ_CFLAGS = $(AM_CFLAGS) -Wall -O2 @@ -165,7 +160,7 @@ all_symbols_test_CPPFLAGS = $(AM_CPPFLAGS) -D_GNU_SOURCE check_PROGRAMS = api-test api-test-2 differ vectors-test unit-utils-io unit-utils-crypt-test unit-wipe all-symbols-test -check-programs: test-symbols-list.h $(check_PROGRAMS) fake_token_path.so fake_systemd_tpm_path.so +check-programs: test-symbols-list.h $(check_PROGRAMS) fake_systemd_tpm_path.so conversion_imgs: @tar xJf conversion_imgs.tar.xz @@ -177,6 +172,7 @@ valgrind-check: api-test api-test-2 differ @VALG=1 ./compat-args-test @VALG=1 ./compat-test @VALG=1 ./compat-test2 + @[ -z "$(OPAL2_PSID_FILE)" ] || VALG=1 ./compat-test-opal @VALG=1 ./luks2-validation-test @VALG=1 ./verity-compat-test @VALG=1 ./integrity-compat-test @@ -198,7 +194,7 @@ valgrind-check: api-test api-test-2 differ @VALG=1 ./password-hash-test @VALG=1 ./reencryption-compat-test @VALG=1 ./fvault2-compat-test - @[ -z "$RUN_SSH_PLUGIN_TEST" ] || VALG=1 ./ssh-test-plugin + @[ -z "$(RUN_SSH_PLUGIN_TEST)" ] || VALG=1 ./ssh-test-plugin @INFOSTRING="unit-utils-crypt-test" ./valg-api.sh ./unit-utils-crypt-test @INFOSTRING="vectors-test" ./valg-api.sh ./vectors-test @grep -l "ERROR SUMMARY: [^0][0-9]* errors" valglog* || echo "No leaks detected." diff --git a/tests/align-test b/tests/align-test index 5941cde..d2932ae 100755 --- a/tests/align-test +++ b/tests/align-test @@ -12,8 +12,13 @@ FAST_PBKDF="--pbkdf-force-iterations 1000" FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi + function fips_mode() { @@ -54,7 +59,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -92,7 +100,7 @@ add_device() { exit 77 fi - sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) if [ ! -e /sys/block/$DEV/alignment_offset ] ; then @@ -176,7 +184,7 @@ format_plain() # sector size { echo -n "Formatting plain device (sector size $1)..." if [ -n "$DM_SECTOR_SIZE" ] ; then - echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 --sector-size $1 $DEV $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 --sector-size $1 $DEV $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail echo "PASSED" else diff --git a/tests/align-test2 b/tests/align-test2 index 33126a4..23d418a 100755 --- a/tests/align-test2 +++ b/tests/align-test2 @@ -11,8 +11,12 @@ PWD1="93R4P4pIqAH8" PWD2="mymJeD8ivEhE" FAST_PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi cleanup() { udevadm settle >/dev/null 2>&1 @@ -49,7 +53,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -87,7 +94,7 @@ add_device() { exit 77 fi - sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) if [ ! -e /sys/block/$DEV/alignment_offset ] ; then diff --git a/tests/all-symbols-test.c b/tests/all-symbols-test.c index 10c7fe2..8d75044 100644 --- a/tests/all-symbols-test.c +++ b/tests/all-symbols-test.c @@ -1,7 +1,7 @@ /* * Test utility checking symbol versions in libcryptsetup. * - * Copyright (C) 2021-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved. * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -85,6 +85,10 @@ static int check_dlvsym(void *h, const char *symbol, const char *version) } log_dbg("OK\n"); +#else + UNUSED(h); + UNUSED(symbol); + UNUSED(version); #endif return 0; } diff --git a/tests/api-test-2.c b/tests/api-test-2.c index 824ae65..8a7a60e 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c @@ -1,9 +1,9 @@ /* * cryptsetup library LUKS2 API check functions * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -59,10 +59,12 @@ typedef int32_t key_serial_t; #define L_DEVICE_0S "luks_zerosec" #define L_DEVICE_WRONG "luks_wr" #define L_DEVICE_OK "luks_ok" +#define L_PLACEHOLDER "bdev_reference_placeholder" #define REQS_LUKS2_HEADER "luks2_header_requirements" #define NO_REQS_LUKS2_HEADER "luks2_header_requirements_free" #define BACKUP_FILE "csetup_backup_file" #define IMAGE1 "compatimage2.img" +#define EMPTY_HEADER "empty.hdr" #define IMAGE_EMPTY "empty.img" #define IMAGE_EMPTY_SMALL "empty_small.img" #define IMAGE_EMPTY_SMALL_2 "empty_small2.img" @@ -83,6 +85,19 @@ typedef int32_t key_serial_t; #define DEVICE_CHAR "/dev/zero" #define THE_LFILE_TEMPLATE "cryptsetup-tstlp.XXXXXX" +#define TEST_KEYRING_USER "cs_apitest2_keyring_in_user" +#define TEST_KEYRING_USER_NAME "%keyring:" TEST_KEYRING_USER +#define TEST_KEYRING_SESSION "cs_apitest2_keyring_in_session" +#define TEST_KEYRING_SESSION_NAME "%keyring:" TEST_KEYRING_SESSION +#define TEST_KEY_VK_USER "api_test_user_vk1" +#define TEST_KEY_VK_USER_NAME "\%user:" TEST_KEY_VK_USER +#define TEST_KEY_VK_LOGON "cs_api_test_prefix:api_test_logon_vk1" +#define TEST_KEY_VK_LOGON_NAME "\%logon:" TEST_KEY_VK_LOGON +#define TEST_KEY_VK_USER2 "api_test_user_vk2" +#define TEST_KEY_VK_USER2_NAME "\%user:" TEST_KEY_VK_USER2 +#define TEST_KEY_VK_LOGON2 "cs_api_test_prefix:api_test_logon_vk2" +#define TEST_KEY_VK_LOGON2_NAME "\%logon:" TEST_KEY_VK_LOGON + #define KEY_DESC_TEST0 "cs_token_test:test_key0" #define KEY_DESC_TEST1 "cs_token_test:test_key1" @@ -141,6 +156,10 @@ static uint32_t default_luks2_iter_time = 0; static uint32_t default_luks2_memory_kb = 0; static uint32_t default_luks2_parallel_threads = 0; +#ifdef KERNEL_KEYRING +static char keyring_in_user_str_id[32] = {0}; +#endif + static struct crypt_pbkdf_type min_pbkdf2 = { .type = "pbkdf2", .iterations = 1000, @@ -196,7 +215,7 @@ static int get_luks2_offsets(int metadata_device, uint64_t *r_header_size, uint64_t *r_payload_offset) { - struct crypt_device *cd = NULL; + struct crypt_device *_cd = NULL; static uint64_t default_header_size = 0; if (r_header_size) @@ -205,16 +224,16 @@ static int get_luks2_offsets(int metadata_device, *r_payload_offset = 0; if (!default_header_size) { - if (crypt_init(&cd, THE_LOOP_DEV)) + if (crypt_init(&_cd, THE_LOOP_DEV)) return -EINVAL; - if (crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, NULL)) { - crypt_free(cd); + if (crypt_format(_cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, NULL)) { + crypt_free(_cd); return -EINVAL; } - default_header_size = crypt_get_data_offset(cd); + default_header_size = crypt_get_data_offset(_cd); - crypt_free(cd); + crypt_free(_cd); } if (!sector_size) @@ -225,7 +244,7 @@ static int get_luks2_offsets(int metadata_device, if (r_payload_offset) { if (metadata_device) - *r_payload_offset = alignpayload_sec * sector_size; + *r_payload_offset = (uint64_t)alignpayload_sec * sector_size; else *r_payload_offset = DIV_ROUND_UP_MODULO(default_header_size * 512, (alignpayload_sec ?: 1) * sector_size); @@ -278,6 +297,9 @@ static void _cleanup_dmdevices(void) { struct stat st; + if (!stat(DMDIR L_PLACEHOLDER, &st)) + _system("dmsetup remove " DM_RETRY L_PLACEHOLDER DM_NOSTDERR, 0); + if (!stat(DMDIR H_DEVICE, &st)) _system("dmsetup remove " DM_RETRY H_DEVICE DM_NOSTDERR, 0); @@ -299,80 +321,6 @@ static void _cleanup_dmdevices(void) t_dev_offset = 0; } -static void _cleanup(void) -{ - struct stat st; - - CRYPT_FREE(cd); - CRYPT_FREE(cd2); - - //_system("udevadm settle", 0); - - if (!stat(DMDIR CDEVICE_1, &st)) - _system("dmsetup remove " DM_RETRY CDEVICE_1 DM_NOSTDERR, 0); - - if (!stat(DMDIR CDEVICE_2, &st)) - _system("dmsetup remove " DM_RETRY CDEVICE_2 DM_NOSTDERR, 0); - - if (!stat(DEVICE_EMPTY, &st)) - _system("dmsetup remove " DM_RETRY DEVICE_EMPTY_name DM_NOSTDERR, 0); - - if (!stat(DEVICE_ERROR, &st)) - _system("dmsetup remove " DM_RETRY DEVICE_ERROR_name DM_NOSTDERR, 0); - - _cleanup_dmdevices(); - - if (loop_device(THE_LOOP_DEV)) - loop_detach(THE_LOOP_DEV); - - if (loop_device(DEVICE_1)) - loop_detach(DEVICE_1); - - if (loop_device(DEVICE_2)) - loop_detach(DEVICE_2); - - if (loop_device(DEVICE_3)) - loop_detach(DEVICE_3); - - if (loop_device(DEVICE_4)) - loop_detach(DEVICE_4); - - if (loop_device(DEVICE_5)) - loop_detach(DEVICE_5); - - if (loop_device(DEVICE_6)) - loop_detach(DEVICE_6); - - _system("rm -f " IMAGE_EMPTY, 0); - _system("rm -f " IMAGE1, 0); - _system("rm -rf " CONV_DIR, 0); - - if (test_loop_file) - remove(test_loop_file); - if (tmp_file_1) - remove(tmp_file_1); - - remove(REQS_LUKS2_HEADER); - remove(NO_REQS_LUKS2_HEADER); - remove(BACKUP_FILE); - remove(IMAGE_PV_LUKS2_SEC); - remove(IMAGE_PV_LUKS2_SEC ".bcp"); - remove(IMAGE_EMPTY_SMALL); - remove(IMAGE_EMPTY_SMALL_2); - - _remove_keyfiles(); - - free(tmp_file_1); - free(test_loop_file); - free(THE_LOOP_DEV); - free(DEVICE_1); - free(DEVICE_2); - free(DEVICE_3); - free(DEVICE_4); - free(DEVICE_5); - free(DEVICE_6); -} - static int _setup(void) { int fd, ro = 0; @@ -429,6 +377,8 @@ static int _setup(void) _system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1); + _system("dd if=/dev/zero of=" EMPTY_HEADER " bs=4K count=1 2>/dev/null", 1); + _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1); fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro); close(fd); @@ -467,7 +417,7 @@ static int _setup(void) return 0; } -static int set_fast_pbkdf(struct crypt_device *cd) +static int set_fast_pbkdf(struct crypt_device *_cd) { const struct crypt_pbkdf_type *pbkdf = &min_argon2; @@ -475,7 +425,7 @@ static int set_fast_pbkdf(struct crypt_device *cd) if (_fips_mode) pbkdf = &min_pbkdf2; - return crypt_set_pbkdf_type(cd, pbkdf); + return crypt_set_pbkdf_type(_cd, pbkdf); } #ifdef KERNEL_KEYRING @@ -489,6 +439,21 @@ static key_serial_t keyctl_unlink(key_serial_t key, key_serial_t keyring) return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring); } +static key_serial_t keyctl_link(key_serial_t key, key_serial_t keyring) +{ + return syscall(__NR_keyctl, KEYCTL_LINK, key, keyring); +} + +static long keyctl_update(key_serial_t id, const void *payload, size_t plen) +{ + return syscall(__NR_keyctl, KEYCTL_UPDATE, id, payload, plen); +} + +static long keyctl_read(key_serial_t id, char *buffer, size_t buflen) +{ + return syscall(__NR_keyctl, KEYCTL_READ, id, buffer, buflen); +} + static key_serial_t request_key(const char *type, const char *description, const char *callout_info, @@ -497,33 +462,168 @@ static key_serial_t request_key(const char *type, return syscall(__NR_request_key, type, description, callout_info, keyring); } -static key_serial_t _kernel_key_by_segment(struct crypt_device *cd, int segment) +/* key handle permissions mask */ +typedef uint32_t key_perm_t; +#define KEY_POS_ALL 0x3f000000 +#define KEY_USR_ALL 0x003f0000 + +static key_serial_t add_key_set_perm(const char *type, const char *description, const void *payload, size_t plen, key_serial_t keyring, key_perm_t perm) +{ + long l; + key_serial_t kid = syscall(__NR_add_key, type, description, payload, plen, KEY_SPEC_THREAD_KEYRING); + + if (kid < 0) + return kid; + + l = syscall(__NR_keyctl, KEYCTL_SETPERM, kid, perm); + if (l == 0) + l = syscall(__NR_keyctl, KEYCTL_LINK, kid, keyring); + + syscall(__NR_keyctl, KEYCTL_UNLINK, kid, KEY_SPEC_THREAD_KEYRING); + + return l == 0 ? kid : -EINVAL; +} + +static key_serial_t _kernel_key_by_segment_and_type(struct crypt_device *_cd, int segment, + const char* type) { char key_description[1024]; - if (snprintf(key_description, sizeof(key_description), "cryptsetup:%s-d%u", crypt_get_uuid(cd), segment) < 1) + if (snprintf(key_description, sizeof(key_description), "cryptsetup:%s-d%u", crypt_get_uuid(_cd), segment) < 1) return -1; - return request_key("logon", key_description, NULL, 0); + return request_key(type, key_description, NULL, 0); } -static int _volume_key_in_keyring(struct crypt_device *cd, int segment) +static key_serial_t _kernel_key_by_segment(struct crypt_device *_cd, int segment) { - return _kernel_key_by_segment(cd, segment) >= 0 ? 0 : -1; + return _kernel_key_by_segment_and_type(_cd, segment, "logon"); +} + +static int _volume_key_in_keyring(struct crypt_device *_cd, int segment) +{ + return _kernel_key_by_segment(_cd, segment) >= 0 ? 0 : -1; +} + +static int _drop_keyring_key_from_keyring_name(const char *key_description, key_serial_t keyring, const char* type) +{ + //key_serial_t kid = request_key(type, key_description, NULL, keyring); + key_serial_t kid = request_key(type, key_description, NULL, 0); + + if (kid < 0) + return -2; + + return keyctl_unlink(kid, keyring); } -static int _drop_keyring_key(struct crypt_device *cd, int segment) +static int _drop_keyring_key_from_keyring_type(struct crypt_device *_cd, int segment, + key_serial_t keyring, const char* type) { - key_serial_t kid = _kernel_key_by_segment(cd, segment); + key_serial_t kid = _kernel_key_by_segment_and_type(_cd, segment, type); if (kid < 0) return -1; - return keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING); + return keyctl_unlink(kid, keyring); +} + +static int _drop_keyring_key(struct crypt_device *_cd, int segment) +{ + return _drop_keyring_key_from_keyring_type(_cd, segment, KEY_SPEC_THREAD_KEYRING, "logon"); } #endif -static int test_open(struct crypt_device *cd __attribute__((unused)), +static void _cleanup(void) +{ + struct stat st; + + CRYPT_FREE(cd); + CRYPT_FREE(cd2); + + //_system("udevadm settle", 0); + + if (!stat(DMDIR CDEVICE_1, &st)) + _system("dmsetup remove " DM_RETRY CDEVICE_1 DM_NOSTDERR, 0); + + if (!stat(DMDIR CDEVICE_2, &st)) + _system("dmsetup remove " DM_RETRY CDEVICE_2 DM_NOSTDERR, 0); + + if (!stat(DEVICE_EMPTY, &st)) + _system("dmsetup remove " DM_RETRY DEVICE_EMPTY_name DM_NOSTDERR, 0); + + if (!stat(DEVICE_ERROR, &st)) + _system("dmsetup remove " DM_RETRY DEVICE_ERROR_name DM_NOSTDERR, 0); + + _cleanup_dmdevices(); + + if (loop_device(THE_LOOP_DEV)) + loop_detach(THE_LOOP_DEV); + + if (loop_device(DEVICE_1)) + loop_detach(DEVICE_1); + + if (loop_device(DEVICE_2)) + loop_detach(DEVICE_2); + + if (loop_device(DEVICE_3)) + loop_detach(DEVICE_3); + + if (loop_device(DEVICE_4)) + loop_detach(DEVICE_4); + + if (loop_device(DEVICE_5)) + loop_detach(DEVICE_5); + + if (loop_device(DEVICE_6)) + loop_detach(DEVICE_6); + + _system("rm -f " IMAGE_EMPTY, 0); + _system("rm -f " IMAGE1, 0); + _system("rm -rf " CONV_DIR, 0); + _system("rm -f " EMPTY_HEADER, 0); + + if (test_loop_file) + remove(test_loop_file); + if (tmp_file_1) + remove(tmp_file_1); + + remove(REQS_LUKS2_HEADER); + remove(NO_REQS_LUKS2_HEADER); + remove(BACKUP_FILE); + remove(IMAGE_PV_LUKS2_SEC); + remove(IMAGE_PV_LUKS2_SEC ".bcp"); + remove(IMAGE_EMPTY_SMALL); + remove(IMAGE_EMPTY_SMALL_2); + + _remove_keyfiles(); + + free(tmp_file_1); + free(test_loop_file); + free(THE_LOOP_DEV); + free(DEVICE_1); + free(DEVICE_2); + free(DEVICE_3); + free(DEVICE_4); + free(DEVICE_5); + free(DEVICE_6); + +#ifdef KERNEL_KEYRING + char *end; + key_serial_t krid; + + if (keyring_in_user_str_id[0] != '\0') { + krid = strtoul(keyring_in_user_str_id, &end, 0); + if (!*end) + (void)keyctl_unlink(krid, KEY_SPEC_USER_KEYRING); + } + + krid = request_key("keyring", TEST_KEYRING_SESSION, NULL, 0); + if (krid > 0) + (void)keyctl_unlink(krid, KEY_SPEC_SESSION_KEYRING); +#endif +} + +static int test_open(struct crypt_device *_cd __attribute__((unused)), int token __attribute__((unused)), char **buffer, size_t *buffer_len, @@ -539,7 +639,35 @@ static int test_open(struct crypt_device *cd __attribute__((unused)), return 0; } -static int test_validate(struct crypt_device *cd __attribute__((unused)), const char *json) +static int test_open_pass(struct crypt_device *_cd __attribute__((unused)), + int token __attribute__((unused)), + char **buffer, + size_t *buffer_len, + void *usrptr __attribute__((unused))) +{ + *buffer = strdup(PASSPHRASE); + if (!*buffer) + return -ENOMEM; + *buffer_len = strlen(*buffer); + + return 0; +} + +static int test_open_pass1(struct crypt_device *_cd __attribute__((unused)), + int token __attribute__((unused)), + char **buffer, + size_t *buffer_len, + void *usrptr __attribute__((unused))) +{ + *buffer = strdup(PASSPHRASE1); + if (!*buffer) + return -ENOMEM; + *buffer_len = strlen(*buffer); + + return 0; +} + +static int test_validate(struct crypt_device *_cd __attribute__((unused)), const char *json) { return (strstr(json, "magic_string") == NULL); } @@ -1925,6 +2053,10 @@ static void Tokens(void) #define LUKS2_KEYRING_TOKEN_JSON_BAD(x, y) "{\"type\":\"luks2-keyring\",\"keyslots\":[" x "]," \ "\"key_description\":" y ", \"some_field\":\"some_value\"}" +#define TEST_TOKEN2_JSON(x) "{\"type\":\"test_token2\",\"keyslots\":[" x "] }" + +#define TEST_TOKEN3_JSON(x) "{\"type\":\"test_token3\",\"keyslots\":[" x "] }" + int ks, token_max; const char *dummy; @@ -1933,6 +2065,7 @@ static void Tokens(void) char passptr[] = PASSPHRASE; char passptr1[] = PASSPHRASE1; struct crypt_active_device cad; + struct crypt_keyslot_context *kc; static const crypt_token_handler th = { .name = "test_token", @@ -1948,6 +2081,12 @@ static void Tokens(void) }, th_reserved = { .name = "luks2-prefix", .open = test_open + }, th4 = { + .name = "test_token2", + .open = test_open_pass, // PASSPHRASE + }, th5 = { + .name = "test_token3", + .open = test_open_pass1, // PASSPHRASE1 }; struct crypt_token_params_luks2_keyring params = { @@ -2153,6 +2292,60 @@ static void Tokens(void) OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); + // test token based API with keyslot parameter + OK_(crypt_token_register(&th4)); // PASSPHRASE + OK_(crypt_token_register(&th5)); // PASSPHRASE1 + OK_(crypt_init(&cd, DMDIR L_DEVICE_1S)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 1); + EQ_(crypt_keyslot_add_by_volume_key(cd, 2, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 2); + + EQ_(crypt_keyslot_add_by_volume_key(cd, 3, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 3); + EQ_(crypt_keyslot_add_by_volume_key(cd, 4, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 4); + EQ_(crypt_keyslot_add_by_volume_key(cd, 5, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 5); + + OK_(crypt_keyslot_set_priority(cd, 0, CRYPT_SLOT_PRIORITY_IGNORE)); + OK_(crypt_keyslot_set_priority(cd, 3, CRYPT_SLOT_PRIORITY_IGNORE)); + + OK_(crypt_keyslot_set_priority(cd, 2, CRYPT_SLOT_PRIORITY_PREFER)); + OK_(crypt_keyslot_set_priority(cd, 5, CRYPT_SLOT_PRIORITY_PREFER)); + + EQ_(crypt_keyslot_add_by_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 6); + EQ_(crypt_keyslot_add_by_key(cd, 7, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 7); + + OK_(crypt_keyslot_set_priority(cd, 6, CRYPT_SLOT_PRIORITY_PREFER)); + OK_(crypt_keyslot_set_priority(cd, 7, CRYPT_SLOT_PRIORITY_PREFER)); + + EQ_(crypt_token_json_set(cd, 0, TEST_TOKEN2_JSON("\"0\", \"5\", \"1\", \"6\"")), 0); // PASSPHRASE + EQ_(crypt_token_json_set(cd, 1, TEST_TOKEN3_JSON("\"4\", \"6\", \"0\", \"5\"")), 1); // PASSPHRASE1 + + /* keyslots: + * + * 0 ignore (token 0) + * 1 normal (token 0) + * 2 prefer - + * 3 ignore - + * 4 normal (token 1) + * 5 prefer (token 1, token 0 wrong passphrase) + * 6 prefer (unbound, token 0, token 1 wrong passphrase) + * 7 prefer (unbound) + */ + + OK_(crypt_keyslot_context_init_by_token(cd, 0, NULL, NULL, 0, NULL, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 6); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, 7, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -ENOENT); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, 5, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -EPERM); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 5); + crypt_keyslot_context_free(kc); + + CRYPT_FREE(cd); + EQ_(crypt_token_max(CRYPT_LUKS2), 32); FAIL_(crypt_token_max(CRYPT_LUKS1), "No token support in LUKS1"); FAIL_(crypt_token_max(NULL), "No LUKS format specified"); @@ -2802,7 +2995,8 @@ static void Pbkdf(void) OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); OK_(strcmp(pbkdf->hash, default_luks1_hash)); EQ_(pbkdf->time_ms, default_luks2_iter_time); - EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); + GE_(pbkdf->max_memory_kb, 64 * 1024); + GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); // set and verify argon2 type OK_(crypt_set_pbkdf_type(cd, &argon2)); @@ -2827,7 +3021,8 @@ static void Pbkdf(void) OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); OK_(strcmp(pbkdf->hash, default_luks1_hash)); EQ_(pbkdf->time_ms, default_luks2_iter_time); - EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); + GE_(pbkdf->max_memory_kb, 64 * 1024); + GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); // try to pass illegal values argon2.parallel_threads = 0; @@ -2858,14 +3053,16 @@ static void Pbkdf(void) OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); OK_(strcmp(pbkdf->hash, default_luks1_hash)); EQ_(pbkdf->time_ms, default_luks2_iter_time); - EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); + GE_(pbkdf->max_memory_kb, 64 * 1024); + GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); crypt_set_iteration_time(cd, 1); OK_(crypt_load(cd, CRYPT_LUKS, NULL)); OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); OK_(strcmp(pbkdf->hash, default_luks1_hash)); EQ_(pbkdf->time_ms, 1); - EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); + GE_(pbkdf->max_memory_kb, 64 * 1024); + GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); CRYPT_FREE(cd); @@ -2913,6 +3110,17 @@ static void Pbkdf(void) argon2.hash = NULL; OK_(crypt_set_pbkdf_type(cd, &argon2)); + argon2.flags = CRYPT_PBKDF_NO_BENCHMARK; + argon2.max_memory_kb = 2 * 1024 * 1024; + argon2.iterations = 6; + argon2.parallel_threads = 8; + OK_(crypt_set_pbkdf_type(cd, &argon2)); + NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd)); + EQ_(pbkdf->iterations, 6); + EQ_(pbkdf->max_memory_kb, 2 * 1024 *1024); + EQ_(pbkdf->parallel_threads, 4); /* hard maximum*/ + EQ_(pbkdf->flags, CRYPT_PBKDF_NO_BENCHMARK); + CRYPT_FREE(cd); NOTNULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS1)); @@ -3015,6 +3223,9 @@ static void Luks2KeyslotAdd(void) OK_(crypt_deactivate(cd, CDEVICE_1)); EQ_(crypt_activate_by_passphrase(cd, NULL, 1, PASSPHRASE1, strlen(PASSPHRASE1), 0), 1); EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, PASSPHRASE1, strlen(PASSPHRASE1), 0), 1); + /* check we can resume device with new volume key */ + OK_(crypt_suspend(cd, CDEVICE_1)); + EQ_(crypt_resume_by_passphrase(cd, CDEVICE_1, 1, PASSPHRASE1, strlen(PASSPHRASE1)), 1); OK_(crypt_deactivate(cd, CDEVICE_1)); /* old keyslot must be unusable */ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "Key doesn't match volume key digest"); @@ -4331,6 +4542,52 @@ static void Luks2Reencryption(void) EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); CRYPT_FREE(cd); + _cleanup_dmdevices(); + OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 1)); + + /* offline in-place encryption with reserved space in the head of data device */ + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + memset(&rparams, 0, sizeof(rparams)); + params2.sector_size = 512; + rparams.mode = CRYPT_REENCRYPT_ENCRYPT; + rparams.direction = CRYPT_REENCRYPT_FORWARD; + rparams.resilience = "checksum"; + rparams.hash = "sha256"; + rparams.luks2 = ¶ms2; + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, ¶ms2)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 30, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 30); + OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 30, "aes", "xts-plain64", &rparams)); + FAIL_(crypt_reencrypt_run(cd, NULL, NULL), "context not initialized"); + rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY; + OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 30, "aes", "xts-plain64", &rparams)); + OK_(crypt_reencrypt_run(cd, NULL, NULL)); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + CRYPT_FREE(cd); + + /* wipe existing header from previous run */ + _system("dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=4K count=5 2>/dev/null", 1); + /* open existing device from kernel (simulate active filesystem) */ + OK_(create_dmdevice_over_device(L_PLACEHOLDER, DMDIR L_DEVICE_OK, 1, r_header_size)); + + /* online in-place encryption with reserved space */ + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + OK_(crypt_init(&cd, EMPTY_HEADER)); + OK_(crypt_set_data_offset(cd, r_header_size)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, ¶ms2)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 30, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 30); + OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 30, "aes", "xts-plain64", &rparams)); + CRYPT_FREE(cd); + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_header_restore(cd, CRYPT_LUKS2, EMPTY_HEADER)); + NOTFAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_SHARED), "Failed to activate device in reencryption with shared flag."); + rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY; + OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 30, "aes", "xts-plain64", &rparams)); + OK_(crypt_reencrypt_run(cd, NULL, NULL)); + EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + _cleanup_dmdevices(); OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 1)); @@ -5005,10 +5262,479 @@ static void VolumeKeyGet(void) _cleanup_dmdevices(); } -static int _crypt_load_check(struct crypt_device *cd) +static void KeyslotContextAndKeyringLink(void) +{ +#ifdef KERNEL_KEYRING + const char *cipher = "aes"; + const char *cipher_mode = "xts-plain64"; + struct crypt_keyslot_context *kc, *kc2; + uint64_t r_payload_offset; + char key[128]; + size_t key_size = 128; + key_serial_t kid, keyring_in_user_id, keyring_in_session_id, linked_kid, linked_kid2; + int suspend_status; + struct crypt_active_device cad; + char vk_buf[1024]; + long vk_len; + + struct crypt_pbkdf_type pbkdf = { + .type = CRYPT_KDF_ARGON2I, + .hash = "sha256", + .parallel_threads = 1, + .max_memory_kb = 128, + .iterations = 4, + .flags = CRYPT_PBKDF_NO_BENCHMARK + }; + struct crypt_params_luks2 params2 = { + .pbkdf = &pbkdf, + .sector_size = 4096 + }; + struct crypt_params_reencrypt rparams = { + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "checksum", + .hash = "sha256", + .luks2 = ¶ms2, + }; + uint64_t r_header_size; + + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + pbkdf.iterations = 1000; + } + + OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset)); + OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1)); + + // prepare the device + OK_(crypt_init(&cd, DMDIR L_DEVICE_1S)); + OK_(set_fast_pbkdf(cd)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, KEY1, strlen(KEY1)), 1); + EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0)); + + kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); + NOTFAIL_(kid, "Test or kernel keyring are broken."); + + keyring_in_user_id = add_key_set_perm("keyring", TEST_KEYRING_USER, NULL, 0, KEY_SPEC_USER_KEYRING, KEY_POS_ALL | KEY_USR_ALL); + NOTFAIL_(keyring_in_user_id, "Test or kernel keyring are broken."); + NOTFAIL_(snprintf(keyring_in_user_str_id, sizeof(keyring_in_user_str_id)-1, "%u", keyring_in_user_id), "Failed to get string id."); + keyring_in_session_id = add_key_set_perm("keyring", TEST_KEYRING_SESSION, NULL, 0, KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL | KEY_USR_ALL); + NOTFAIL_(keyring_in_session_id, "Test or kernel keyring are broken."); + + // test passphrase + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, NULL, CRYPT_ANY_SLOT, NULL, 0), -EINVAL); + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_passphrase(cd, KEY1, strlen(KEY1), &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + crypt_keyslot_context_free(kc); + + OK_(prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1))); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + crypt_keyslot_context_free(kc); + + // test activation + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + // test linking to a custom keyring linked in user keyring + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + + /* + * Otherwise we will not be able to search the TEST_KEYRING_USER in current context (see request_key(2): + * "The keyrings are searched in the order: thread-specific keyring, process-specific keyring, and then session keyring." + */ + NOTFAIL_(keyctl_link(keyring_in_user_id, KEY_SPEC_THREAD_KEYRING), "Failed to link in thread keyring."); + + FAIL_((linked_kid = request_key("logon", TEST_KEY_VK_USER, NULL, 0)), "VK was linked to custom keyring under wrong key type."); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); + + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, NULL, "logon", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + NOTFAIL_((linked_kid = request_key("logon", TEST_KEY_VK_LOGON, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); + + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, NULL, "logon", TEST_KEYRING_SESSION_NAME)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + NOTFAIL_((linked_kid = request_key("logon", TEST_KEY_VK_LOGON, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_session_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); + + // test repeated activation + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + NOTFAIL_((linked_kid = request_key("logon", TEST_KEY_VK_LOGON, NULL, 0)), "VK was not linked to custom keyring after repeated activation."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(request_key("logon", TEST_KEY_VK_LOGON, NULL, 0), "VK was not linked to custom keyring after deactivation."); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_session_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(request_key("logon", TEST_KEY_VK_LOGON, NULL, 0), "VK was probably wrongly linked in yet another keyring "); + + // change key type to default (user) + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, NULL, TEST_KEYRING_USER_NAME)); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring after resetting key type."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + //NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to custom keyring after deactivation."); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was probably wrongly linked in yet another keyring "); + + // disable linking to session keyring + crypt_set_keyring_to_link(cd, NULL, NULL, NULL, NULL); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + FAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was probably wrongly linked in yet another keyring "); + FAIL_(request_key("logon", TEST_KEY_VK_LOGON, NULL, 0), "VK was probably wrongly linked in yet another keyring "); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "VK was not found in thread keyring"); + OK_(crypt_deactivate(cd, CDEVICE_1)); + FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "failed to unlink the key from thread keyring"); + + // link VK to keyring and re-activate by the linked VK + crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", TEST_KEYRING_SESSION_NAME); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring."); + OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring after deactivation."); + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "activation via VK in keyring after dropping the key"); + + // load VK back to keyring by activating + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + // activate by bad VK in keyring (test if VK digest is verified) + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to session keyring after activation."); + GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0); + vk_buf[0] = ~vk_buf[0]; + OK_(keyctl_update(linked_kid, vk_buf, vk_len)); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); + crypt_keyslot_context_free(kc); + + // After this point put resume tests only! + OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + suspend_status = crypt_suspend(cd, CDEVICE_1); + if (suspend_status == -ENOTSUP) { + printf("WARNING: Suspend/Resume not supported, skipping test.\n"); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); + CRYPT_FREE(cd); + _cleanup_dmdevices(); + return; + } + OK_(suspend_status); + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED); + OK_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc)); + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(0, cad.flags & CRYPT_ACTIVATE_SUSPENDED); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(crypt_suspend(cd, CDEVICE_1)); + EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + OK_(crypt_suspend(cd, CDEVICE_1)); + OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); + EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED); + EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 1); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(crypt_suspend(cd, CDEVICE_1)); + EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + crypt_keyslot_context_free(kc); + + // resume by VK keyring context + crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", TEST_KEYRING_SESSION_NAME); + OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); + NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring."); + OK_(crypt_suspend(cd, CDEVICE_1)); + OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME, &kc)); + EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring after deactivation."); + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "activation via VK in keyring after dropping the key"); + crypt_keyslot_context_free(kc); + + NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); + CRYPT_FREE(cd); + + // test storing two VKs in keyring during reencryption + OK_(get_luks2_offsets(1, 0, 0, &r_header_size, NULL)); + OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 16)); + + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, ¶ms2)); + OK_(crypt_set_pbkdf_type(cd, &pbkdf)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1); + EQ_(crypt_keyslot_add_by_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 0); + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 1, 0, "aes", "xts-plain64", &rparams), 2); + + // when no key name is specified, don't allow specifying type and keyring + EQ_(crypt_set_keyring_to_link(cd, NULL, NULL, NULL, keyring_in_user_str_id), -EINVAL); + EQ_(crypt_set_keyring_to_link(cd, NULL, NULL, "user", NULL), -EINVAL); + EQ_(crypt_set_keyring_to_link(cd, NULL, NULL, "user", keyring_in_user_str_id), -EINVAL); + + // key names have to be specified starting from the first + EQ_(crypt_set_keyring_to_link(cd, NULL, TEST_KEY_VK_USER, "user", keyring_in_user_str_id), -EINVAL); + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", keyring_in_user_str_id), -ESRCH); + + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, TEST_KEY_VK_USER2, "user", keyring_in_user_str_id), 0); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + FAIL_((linked_kid = request_key("logon", TEST_KEY_VK_USER, NULL, 0)), "VK was linked to custom keyring under wrong key type."); + FAIL_((linked_kid2 = request_key("logon", TEST_KEY_VK_USER2, NULL, 0)), "VK was linked to custom keyring under wrong key type."); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); + NOTFAIL_(_kernel_key_by_segment_and_type(cd, 1, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); + + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + NOTFAIL_(keyctl_unlink(linked_kid2, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); + // BUG: Reencryption code does not unlink the second VK + // FAIL_(_kernel_key_by_segment_and_type(cd, 1, "logon"), "dm-crypt VK remain linked in thread keyring."); + + // check that VKs are linked without calling crypt_activate_by_passphrase again, when activate is called on the same context + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + NOTFAIL_(keyctl_unlink(linked_kid2, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); + + // verify that the VK is no longer stored in a custom keyring + EQ_(crypt_set_keyring_to_link(cd, NULL, NULL, NULL, NULL), 0); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + FAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + // test that after reencryption finishes (and there is only one VK), only one VK name is used + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, TEST_KEY_VK_USER2, "user", keyring_in_user_str_id), 0); + rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY; + EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 1, 0, "aes", "xts-plain64", &rparams), 2); + OK_(crypt_reencrypt_run(cd, NULL, NULL)); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + CRYPT_FREE(cd); + + // Reenncryption: test reactivation using linked keys + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, ¶ms2)); + OK_(crypt_set_pbkdf_type(cd, &pbkdf)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1); + EQ_(crypt_keyslot_add_by_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 0); + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + + EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 1, 0, "aes", "xts-plain64", &rparams), 2); + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, TEST_KEY_VK_USER2, "user", keyring_in_user_str_id), 0); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME , &kc)); + OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER2_NAME, &kc2)); + + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), -ESRCH); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, NULL, 0), -ESRCH); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, NULL, CRYPT_ANY_SLOT, kc, 0), -EINVAL); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, NULL, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER2, keyring_in_user_id, "user")); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + NOTFAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0); + vk_buf[0] = ~vk_buf[0]; + OK_(keyctl_update(linked_kid, vk_buf, vk_len)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER2, keyring_in_user_id, "user")); + CRYPT_FREE(cd); + + // Decryption: test reactivation using linked keys + OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, ¶ms2)); + OK_(crypt_set_pbkdf_type(cd, &pbkdf)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1); + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + rparams.mode = CRYPT_REENCRYPT_DECRYPT; + EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 1, CRYPT_ANY_SLOT, NULL, NULL, &rparams), 0); + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, TEST_KEY_VK_USER2, "user", keyring_in_user_str_id), 0); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "second VK was linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0)); + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0)); + // lazy evaluation, if the first context supplies key and only one key is required, the second (invalid) context is not invoked + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0)); + // first context takes precedence, if t fails, the second is not tried + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, kc, 0), -EINVAL); + + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0); + vk_buf[0] = ~vk_buf[0]; + OK_(keyctl_update(linked_kid, vk_buf, vk_len)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + CRYPT_FREE(cd); + + // Encryption: test reactivation using linked keys + _cleanup_dmdevices(); + OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); + OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2)); + + OK_(crypt_init(&cd, DMDIR H_DEVICE)); + + memset(&rparams, 0, sizeof(rparams)); + params2.sector_size = 512; + params2.data_device = DMDIR L_DEVICE_OK; + rparams.mode = CRYPT_REENCRYPT_ENCRYPT; + rparams.luks2 = ¶ms2; + rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY; + rparams.resilience = "checksum"; + rparams.hash = "sha256"; + OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, ¶ms2)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1); + EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 1, "aes", "xts-plain64", &rparams), 0); + + EQ_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, TEST_KEY_VK_USER2, "user", keyring_in_user_str_id), 0); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "second VK was linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0)); + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0)); + // lazy evaluation, if the first context supplies key and only one key is required, the second (invalid) context is not invoked + OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0)); + // first context takes precedence, if t fails, the second is not tried + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, kc, 0), -EINVAL); + + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1); + NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring."); + FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring."); + OK_(crypt_deactivate(cd, CDEVICE_1)); + + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0); + OK_(crypt_deactivate(cd, CDEVICE_1)); + GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0); + vk_buf[0] = ~vk_buf[0]; + OK_(keyctl_update(linked_kid, vk_buf, vk_len)); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); + + OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user")); + CRYPT_FREE(cd); + + crypt_keyslot_context_free(kc); + crypt_keyslot_context_free(kc2); + + _cleanup_dmdevices(); +#else + printf("WARNING: cryptsetup compiled with kernel keyring service disabled, skipping test.\n"); +#endif +} + +static int _crypt_load_check(struct crypt_device *_cd) { #ifdef HAVE_BLKID - return crypt_load(cd, CRYPT_LUKS, NULL); + return crypt_load(_cd, CRYPT_LUKS, NULL); #else return -ENOTSUP; #endif @@ -5132,6 +5858,7 @@ int main(int argc, char *argv[]) #endif RUN_(LuksKeyslotAdd, "Adding keyslot via new API"); RUN_(VolumeKeyGet, "Getting volume key via keyslot context API"); + RUN_(KeyslotContextAndKeyringLink, "Activate via keyslot context API and linking VK to a keyring"); RUN_(Luks2Repair, "LUKS2 repair"); // test disables metadata locking. Run always last! _cleanup(); diff --git a/tests/api-test.c b/tests/api-test.c index aa430dd..71f1270 100644 --- a/tests/api-test.c +++ b/tests/api-test.c @@ -1,9 +1,9 @@ /* * cryptsetup library API check functions * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/api_test.h b/tests/api_test.h index 14efead..462c9aa 100644 --- a/tests/api_test.h +++ b/tests/api_test.h @@ -1,9 +1,9 @@ /* * cryptsetup library API check functions * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz - * Copyright (C) 2016-2023 Ondrej Kozina + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz + * Copyright (C) 2016-2024 Ondrej Kozina * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -45,6 +45,8 @@ int t_set_readahead(const char *device, unsigned value); int fips_mode(void); +int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset); + int create_dmdevice_over_loop(const char *dm_name, const uint64_t size); int get_key_dm(const char *name, char *buffer, unsigned int buffer_size); @@ -138,7 +140,7 @@ void xlog(const char *msg, const char *tst, const char *func, int line, const ch #define T_DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */ #define T_DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/ #define T_DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption */ -#define T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt suppot for bypassing workqueues */ +#define T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt support for bypassing workqueues */ #define T_DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */ #define T_DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */ #define T_DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */ diff --git a/tests/bitlk-compat-test b/tests/bitlk-compat-test index 8559e06..aa4a71f 100755 --- a/tests/bitlk-compat-test +++ b/tests/bitlk-compat-test @@ -8,8 +8,12 @@ TST_DIR=bitlk-images MAP=bitlktst DUMP_VK_FILE=bitlk-test-vk -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi [ -z "$srcdir" ] && srcdir="." @@ -93,7 +97,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -156,6 +163,9 @@ for file in $(ls $TST_DIR/bitlk-*) ; do echo $PASSPHRASE | $CRYPTSETUP bitlkDump -r $file --dump-volume-key --volume-key-file $DUMP_VK_FILE >/dev/null 2>&1 ret=$? [ $ret -eq 0 ] || fail " failed to dump volume key" + $CRYPTSETUP bitlkOpen -r $file $MAP --volume-key-file $DUMP_VK_FILE --test-passphrase >/dev/null 2>&1 + ret=$? + [ $ret -eq 1 ] || fail " test passphrase with volume key unexpectedly succeeded" $CRYPTSETUP bitlkOpen -r $file $MAP --volume-key-file $DUMP_VK_FILE >/dev/null 2>&1 ret=$? [ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue diff --git a/tests/blockwise-compat-test b/tests/blockwise-compat-test index 11db493..8db91c9 100755 --- a/tests/blockwise-compat-test +++ b/tests/blockwise-compat-test @@ -68,7 +68,7 @@ add_device() { if [ $? -ne 0 ] ; then skip "This kernel seems to not support proper scsi_debug module." fi - grep -q scsi_debug /sys/block/*/device/model || sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) DEV="/dev/$DEV" [ -b $DEV ] || fail "Cannot find $DEV." diff --git a/tests/compat-args-test b/tests/compat-args-test index c41e942..788cc7c 100755 --- a/tests/compat-args-test +++ b/tests/compat-args-test @@ -4,8 +4,12 @@ PS4='$LINENO:' [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi TEST_UUID="12345678-1234-1234-1234-123456789abc" @@ -37,7 +41,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/compat-test b/tests/compat-test index 6dc8004..433beb2 100755 --- a/tests/compat-test +++ b/tests/compat-test @@ -5,8 +5,12 @@ PS4='$LINENO:' CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup CRYPTSETUP_RAW=$CRYPTSETUP -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi DIFFER=./differ DEV_NAME=dummy @@ -28,6 +32,7 @@ PWDW="rUkL4RUryBom" VK_FILE="compattest_vkfile" FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" +PLAIN_OPT="--hash sha256 --cipher aes-cbc-essiv:sha256 --key-size 256" LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591" KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255" @@ -198,7 +203,10 @@ function valgrind_setup() [ -n "$VALG" ] || return command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi CRYPTSETUP=valgrind_run CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}" } @@ -538,8 +546,8 @@ $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail prepare "[19] create & status & resize" wipe -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx --cipher aes-cbc-essiv:sha256 --key-size 256 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV $PLAIN_OPT --offset 3 --skip 4 --readonly || fail $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail @@ -559,15 +567,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail $CRYPTSETUP -q remove $DEV_NAME || fail $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $PLAIN_OPT $LOOPDEV || fail $CRYPTSETUP -q remove $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME $PLAIN_OPT $LOOPDEV || fail $CRYPTSETUP -q remove $DEV_NAME || fail -echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME $PLAIN_OPT --size 100 $LOOPDEV || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail $CRYPTSETUP -q remove $DEV_NAME || fail # 4k sector resize (if kernel supports it) -echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 +echo $PWD1 | $CRYPTSETUP -q open --type plain $PLAIN_OPT $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 if [ $? -eq 0 ] ; then $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail @@ -580,7 +588,7 @@ if [ $? -eq 0 ] ; then fi # Resize not aligned to logical block size add_scsi_device dev_size_mb=32 sector_size=4096 -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $PLAIN_OPT $DEV || fail OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail dmsetup info $DEV_NAME | grep -q SUSPENDED && fail @@ -588,25 +596,25 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+ test $OLD_SIZE -eq $NEW_SIZE || fail $CRYPTSETUP close $DEV_NAME || fail # Add check for unaligned plain crypt activation -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $PLAIN_OPT $DEV -b 7 2>/dev/null && fail $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail # verify is ignored on non-tty input echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail $CRYPTSETUP -q remove $DEV_NAME || fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 || fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail $CRYPTSETUP -q remove $DEV_NAME || fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d /dev/urandom || fail $CRYPTSETUP -q remove $DEV_NAME || fail prepare "[20] Disallow open/create if already mapped." wipe -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail -$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail -$CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 || fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail +$CRYPTSETUP create --cipher aes-cbc-essiv:sha256 --key-size 256 $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV 2>/dev/null && fail $CRYPTSETUP remove $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV || fail @@ -708,15 +716,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \ dmsetup remove --retry $DEV_NAME2 prepare "[25] Create shared segments" wipe -echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV $PLAIN_OPT --offset 0 --size 256 || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV $PLAIN_OPT --offset 512 --size 256 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV $PLAIN_OPT --offset 512 --size 256 --shared || fail $CRYPTSETUP -q remove $DEV_NAME2 || fail $CRYPTSETUP -q remove $DEV_NAME || fail prepare "[26] Suspend/Resume" wipe # only LUKS is supported -echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP create $DEV_NAME $PLAIN_OPT $LOOPDEV || fail $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail $CRYPTSETUP -q remove $DEV_NAME || fail @@ -836,8 +844,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail prepare "[31] Deferred removal of device" wipe -echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 $LOOPDEV $DEV_NAME || fail -echo $PWD2 | $CRYPTSETUP open --type plain --hash sha256 /dev/mapper/$DEV_NAME $DEV_NAME2 || fail +echo $PWD1 | $CRYPTSETUP open --type plain $PLAIN_OPT $LOOPDEV $DEV_NAME || fail +echo $PWD2 | $CRYPTSETUP open --type plain $PLAIN_OPT /dev/mapper/$DEV_NAME $DEV_NAME2 || fail $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1 && fail $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail $CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1 diff --git a/tests/compat-test-opal b/tests/compat-test-opal new file mode 100755 index 0000000..3d5c07c --- /dev/null +++ b/tests/compat-test-opal @@ -0,0 +1,1329 @@ +#!/bin/bash + +PS4='$LINENO:' +[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." +CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup +CRYPTSETUP_RAW=$CRYPTSETUP + +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi + +DEV_NAME=dummy +DEV_NAME2=dummy2 +NO_HEADER_IMG=missing-header +HEADER_IMG=luks-header +HEADER_LUKS2_INV=luks2_invalid_cipher.img +KEY1=key1 +KEY2=key2 +KEY5=key5 +KEYE=keye +KEY_PWD1=key_pwd1 +OPAL2_ADMIN_PIN="adminPin01" +PWD1="93R4P4pIqAH8" +PWD2="mymJeD8ivEhE" +PWD3="ocMakf3fAcQO" +PWD4="Qx3qn46vq0v" +PWDW="rUkL4RUryBom" +TEST_KEYRING_NAME="compattest2_keyring" +TEST_TOKEN0="compattest2_desc0" +TEST_TOKEN1="compattest2_desc1" +VK_FILE="compattest2_vkfile" +IMPORT_TOKEN="{\"type\":\"some_type\",\"keyslots\":[],\"base64_data\":\"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ\"}" +TOKEN_FILE0=test-token-file0 +TOKEN_FILE1=test-token-file1 +KEY_FILE0=test-key-file0 +KEY_FILE1=test-key-file1 + +FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + +TEST_UUID="12345678-1234-1234-1234-123456789abc" + +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + +function remove_mapping() +{ + [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 + [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME + [ -b /dev/mapper/"$DEV_NAME"_dif ] && dmsetup remove --retry "$DEV_NAME"_dif + rm -f $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $VK_FILE \ + $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \ + $KEY_FILE0 $KEY_FILE1 $KEY_PWD1 $NO_HEADER_IMG >/dev/null 2>&1 + + # unlink whole test keyring + [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null + unset TEST_KEYRING +} + +function fail() +{ + [ -n "$1" ] && echo "$1" + remove_mapping + reset_device_psid_nofail + echo "FAILED backtrace:" + while caller $frame; do ((frame++)); done + exit 2 +} + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] +} + +function can_fail_fips() +{ + # Ignore this fail if running in FIPS mode + fips_mode || fail $1 +} + +function skip() +{ + [ -n "$1" ] && echo "$1" + remove_mapping + exit 77 +} + +function reset_device_psid() +{ + $CRYPTSETUP_RAW luksErase --hw-opal-factory-reset --key-file $OPAL2_PSID_FILE $OPAL2_DEV -q || \ + fail "PSID reset fail, wrong device used?" +} + +function reset_device_psid_nofail() +{ + $CRYPTSETUP_RAW luksErase --hw-opal-factory-reset --key-file $OPAL2_PSID_FILE $OPAL2_DEV -q 2>/dev/null +} + +function prepare() +{ + [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME + + case "$2" in + reset) + remove_mapping + reset_device_psid + ;; + wipe) + $CRYPTSETUP_RAW isLuks --type luks2 $HEADER_IMG -q 2>/dev/null + if [ $? -eq 0 ]; then + echo $OPAL2_ADMIN_PIN | $CRYPTSETUP_RAW luksErase $OPAL2_DEV -q --header $HEADER_IMG + else + echo $OPAL2_ADMIN_PIN | $CRYPTSETUP_RAW luksErase $OPAL2_DEV -q 2>/dev/null + fi + remove_mapping + ;; + new) + remove_mapping + ;; + reuse | *) + ;; + esac + + if [ ! -e $KEY1 ]; then + echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1 + echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1 + fi + + if [ ! -e $KEY2 ]; then + dd if=/dev/urandom of=$KEY2 count=1 bs=64 >/dev/null 2>&1 + fi + + if [ ! -e $KEY5 ]; then + dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1 + fi + + if [ ! -e $KEY_PWD1 ]; then + echo -n "$PWD1" > $KEY_PWD1 + fi + + if [ ! -e $KEYE ]; then + touch $KEYE + fi + + [ -n "$1" ] && echo "CASE: $1" +} + +function check_exists() +{ + [ -b /dev/mapper/$DEV_NAME ] || fail +} + +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + +function dm_crypt_keyring_support() +{ + VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) + [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." + + VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) + VER_MIN=$(echo $VER_STR | cut -f 2 -d.) + VER_PTC=$(echo $VER_STR | cut -f 3 -d.) + + test -d /proc/sys/kernel/keys || return 1 + + [ $VER_MAJ -gt 1 ] && return 0 + [ $VER_MAJ -eq 1 -a $VER_MIN -gt 18 ] && return 0 + [ $VER_MAJ -eq 1 -a $VER_MIN -eq 18 -a $VER_PTC -ge 1 ] && return 0 + return 1 +} + +function dm_crypt_keyring_new_kernel() +{ + KER_STR=$(uname -r) + [ -z "$KER_STR" ] && fail "Failed to parse kernel version." + KER_MAJ=$(echo $KER_STR | cut -f 1 -d.) + KER_MIN=$(echo $KER_STR | cut -f 2 -d.) + + [ $KER_MAJ -ge 5 ] && return 0 + [ $KER_MAJ -eq 4 -a $KER_MIN -ge 15 ] && return 0 + return 1 +} + +function test_and_prepare_keyring() { + command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped" + keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped" + TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null) + test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring" + keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1 + load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped." +} + +# $1 type +# $2 description +# $3 payload +# $4 keyring +function load_key() +{ + keyctl add $@ >/dev/null +} + +function setup_luks2_env() { + echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $OPAL2_DEV || fail + $CRYPTSETUP luksDump $OPAL2_DEV >/dev/null || fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME || fail + HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "keyring") + if [ -n "$HAVE_KEYRING" ]; then + HAVE_KEYRING=1 + else + HAVE_KEYRING=0 + fi + if $($CRYPTSETUP --version | grep -q "BLKID"); then + HAVE_BLKID=1 + else + HAVE_BLKID=0 + fi + $CRYPTSETUP close $DEV_NAME || fail +} + +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) +test_vk_link() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail +} + +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) +test_vk_link_and_reactivate() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --volume-key-keyring $KEY_DESC <&-|| fail "Failed to unlock volume via a VK in keyring." + $CRYPTSETUP luksSuspend $DEV_NAME || fail "Failed to suspend device." + $CRYPTSETUP luksResume $DEV_NAME --volume-key-keyring $KEY_DESC <&- || fail "Failed to resume via a VK in keyring." + + echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase 2>/dev/null || fail + echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase 2>/dev/null && fail + echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-keyring $KEY_DESC $OPAL2_DEV --new-key-slot 1 || fail "Failed to add passphrase by VK in keyring." + echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase 2>/dev/null || fail + $CRYPTSETUP luksKillSlot -q $OPAL2_DEV 1 2>/dev/null || fail + + $CRYPTSETUP close $DEV_NAME || fail + # zero-out the key in keyring + keyctl pipe $KEYCTL_KEY_NAME | tr -c '\0' '\0' | keyctl pupdate $KEYCTL_KEY_NAME + $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --volume-key-keyring $KEY_DESC <&- > /dev/null 2>&1 && fail "Unlocked volume via a bad VK in keyring." + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after bad activation." + keyctl unlink $KEYCTL_KEY_NAME "$2" || fail +} + +function test_reencryption_does_not_init() +{ + local _hdr="" + local _hdrdev=$NO_HEADER_IMG + if [ -n "$1" ]; then + _hdr="--header $1" + _hdrdev=$1 + fi + local _dumpdev=${1:-$OPAL2_DEV} + + # store sequence id to check if reencryption was aborted without metadata modifications + OLD_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$OLD_SEQID -gt 0 ] || fail + + echo $PWD1 | $CRYPTSETUP reencrypt $_hdr -q --init-only $OPAL2_DEV 2>/dev/null && fail + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 | $CRYPTSETUP reencrypt $_hdr -q $OPAL2_DEV 2>/dev/null && fail + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 |$CRYPTSETUP reencrypt -q --decrypt --header $_hdrdev --init-only $OPAL2_DEV 2>/dev/null && fail + if [ $_hdrdev = $NO_HEADER_IMG ]; then + test -e $_hdrdev && fail "Decryption header was created." + fi + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 |$CRYPTSETUP reencrypt -q --decrypt --header $_hdrdev $OPAL2_DEV 2>/dev/null && fail + if [ $_hdrdev = $NO_HEADER_IMG ]; then + test -e $_hdrdev && fail "Decryption header was created." + fi + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + # repeat the test with active device + echo $PWD1 | $CRYPTSETUP open $_hdr $OPAL2_DEV $DEV_NAME -q || fail + + echo $PWD1 | $CRYPTSETUP reencrypt $_hdr -q --init-only --active-name $DEV_NAME 2>/dev/null && fail + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 | $CRYPTSETUP reencrypt $_hdr -q --active-name $DEV_NAME 2>/dev/null && fail + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 |$CRYPTSETUP reencrypt -q --decrypt --header $_hdrdev --init-only --active-name $DEV_NAME 2>/dev/null && fail + if [ $_hdrdev = $NO_HEADER_IMG ]; then + test -e $_hdrdev && fail "Decryption header was created." + fi + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + echo $PWD1 |$CRYPTSETUP reencrypt -q --decrypt --header $_hdrdev --active-name $DEV_NAME 2>/dev/null && fail + if [ $_hdrdev = $NO_HEADER_IMG ]; then + test -e $_hdrdev && fail "Decryption header was created." + fi + NEW_SEQID=0"$($CRYPTSETUP luksDump $_dumpdev | grep "Epoch:" | cut -d: -f 2 | sed -e 's/[[:space:]]*//g')" + [ 0$NEW_SEQID -gt 0 ] || fail + test $OLD_SEQID -eq $NEW_SEQID || fail "LUKS2 metadata was modified." + + $CRYPTSETUP close $DEV_NAME || fail +} + +function test_device() #opal_mode, #format_params, #--integrity-no-wipe +{ + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 $1 $2 $3 -q $FAST_PBKDF_OPT $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME || fail + test -z "$3" || dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M count=1 oflag=direct >/dev/null 2>&1 || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail + dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 || fail + $CRYPTSETUP close $DEV_NAME || fail + dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail + echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail +} + +function test_device_detached_header() #hdr, #opal_mode, #format_params, #--integrity-no-wipe +{ + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 --header $1 $2 $3 $4 -q $FAST_PBKDF_OPT $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --header $1 || fail + test -z "$4" || dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M count=1 oflag=direct >/dev/null 2>&1 || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + dd if=$OPAL2_DEV of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail + echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $1 || fail + dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 || fail + $CRYPTSETUP close $DEV_NAME || fail + dd if=$OPAL2_DEV of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --header $1 || fail + $CRYPTSETUP close $DEV_NAME --header $1 || fail + dd if=$OPAL2_DEV of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 && fail + echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q --header $1 || fail + rm -f $1 +} + +export LANG=C + +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." + +# Do not run automatically. +[ -z "$OPAL2_DEV" ] && skip "WARNING: Variable OPAL2_DEV must be defined (partition or block dev), test skipped." +[ -z "$OPAL2_PSID_FILE" ] && skip "WARNING: Variable OPAL2_PSID_FILE must be defined, test skipped." +[ -f "$OPAL2_PSID_FILE" ] || skip "WARNING: $OPAL2_PSID_FILE is not reachable, test skipped." + +prepare "[0] Detect LUKS2 environment" reset +setup_luks2_env + +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run + +prepare "[1] Data offset" +echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --offset 1 2>/dev/null && fail + +prepare "[2] Sector size and old payload alignment" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 511 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 256 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 8192 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 512 || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 4096 >/dev/null || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q --sector-size 2048 >/dev/null || fail + +prepare "[3] format" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail +# FIXME: BUG (--hw-opal-only should reject --cipher, --key-size & co) +#echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT --hw-opal-only -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $OPAL2_DEV 2> /dev/null && fail +prepare "[4] format using hash sha512" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP -q luksDump $OPAL2_DEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail +# Check JSON dump for some mandatory section +$CRYPTSETUP -q luksDump $OPAL2_DEV --dump-json-metadata | grep -q '"tokens":' || fail + +prepare "[5] open" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME --test-passphrase || fail +echo $PWDW | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME --test-passphrase 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code" +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +check_exists + +prepare "" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME --test-passphrase || fail +echo $PWDW | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME --test-passphrase 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code" +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +check_exists + +# Key Slot 1 and key material section 1 must change, the rest must not. +prepare "[6] add key" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $OPAL2_DEV $FAST_PBKDF_OPT || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP close $DEV_NAME || fail + +# Unsuccessful Key Delete - nothing may change +prepare "[7] unsuccessful delete" new +echo $PWDW | $CRYPTSETUP luksKillSlot $OPAL2_DEV 1 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksKillSlot should return EPERM exit code" + +# Delete Key Test +# Key Slot 1 and key material section 1 must change, the rest must not +prepare "[8] successful delete" +$CRYPTSETUP -q luksKillSlot $OPAL2_DEV 1 || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME 2> /dev/null && fail +[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code" +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP close $DEV_NAME || fail + +# Key Slot 1 and key material section 1 must change, the rest must not +prepare "[9] add key test for key files" new +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $OPAL2_DEV $KEY1 || fail +$CRYPTSETUP -d $KEY1 luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP close $DEV_NAME || fail + +# Key Slot 1 and key material section 1 must change, the rest must not +prepare "[10] delete key test with key1 as remaining key" new +$CRYPTSETUP -d $KEY1 luksKillSlot $OPAL2_DEV 0 || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP luksOpen -d $KEY1 $OPAL2_DEV $DEV_NAME || fail + +# Delete last slot +prepare "[11] delete last key" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 --hw-opal $OPAL2_DEV $FAST_PBKDF_OPT || fail +echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 0 || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail + +prepare "[12] open/close - stacked devices" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal $OPAL2_DEV $FAST_PBKDF_OPT || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen $OPAL2_DEV $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 /dev/mapper/$DEV_NAME $FAST_PBKDF_OPT || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail +$CRYPTSETUP -q luksClose $DEV_NAME2 || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail + +prepare "[13] UUID - use and report provided UUID" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid blah --type luks2 --hw-opal $OPAL2_DEV 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 --hw-opal $OPAL2_DEV || fail +tst=$($CRYPTSETUP -q luksUUID $OPAL2_DEV) +[ "$tst"x = "$TEST_UUID"x ] || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $OPAL2_DEV || fail +tst=$($CRYPTSETUP -q luksUUID $OPAL2_DEV) +[ "$tst"x = "$TEST_UUID"x ] || fail + +prepare "[14] luksFormat" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 --hw-opal $OPAL2_DEV || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 512 --uuid $TEST_UUID --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP luksOpen -d $KEY_PWD1 $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail +# open by UUID +if [ -d /dev/disk/by-uuid ] ; then + $CRYPTSETUP luksOpen -d $KEY_PWD1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail + $CRYPTSETUP luksOpen -d $KEY_PWD1 UUID=$TEST_UUID $DEV_NAME || fail + $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi +# skip tests using empty passphrases +if [ ! fips_mode ]; then +# empty passphrase (OPAL admin pin cannot be empty) +echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail +fi + +# format hw-opal-only +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 512 --uuid $TEST_UUID --type luks2 --hw-opal-only $OPAL2_DEV || fail +$CRYPTSETUP luksOpen -d $KEY_PWD1 $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail +# open by UUID +if [ -d /dev/disk/by-uuid ] ; then + $CRYPTSETUP luksOpen -d $KEY_PWD1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail + $CRYPTSETUP luksOpen -d $KEY_PWD1 UUID=$TEST_UUID $DEV_NAME || fail + $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi +# skip tests using empty passphrases +if [ ! fips_mode ]; then +# empty passphrase (OPAL admin pin cannot be empty) +echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail +$CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail +fi + +# open by volume key +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY2 --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP luksOpen --volume-key-file $KEY2 $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail + +prepare "[15] AddKey volume key, passphrase and keyfile" wipe +# volumekey +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --volume-key-file /dev/zero --key-slot 3 || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2" || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV --volume-key-file /dev/zero --key-slot 4 || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase --key-slot 4 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "4: luks2" || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV --volume-key-file /dev/null --key-slot 5 2>/dev/null && fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV --volume-key-file /dev/zero --key-slot 5 $KEY1 || fail +$CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase --key-slot 5 -d $KEY1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "5: luks2" || fail + +# special "-" handling +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 3 || fail +echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $OPAL2_DEV -d $KEY_PWD1 - || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase 2>/dev/null && fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV -d - --test-passphrase || fail +echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $OPAL2_DEV -d - $KEY2 || fail +$CRYPTSETUP luksOpen $OPAL2_DEV -d $KEY2 --test-passphrase || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail + +# [0]PWD3 [1]PWD2 [3]PWD1 [4]KEY2 +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 3 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2" || fail +$CRYPTSETUP luksAddKey -q $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY_PWD1 $KEY2 --key-slot 3 2>/dev/null && fail +# keyfile/keyfile +$CRYPTSETUP luksAddKey -q $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY_PWD1 $KEY2 --key-slot 4 || fail +$CRYPTSETUP luksOpen $OPAL2_DEV -d $KEY2 --test-passphrase --key-slot 4 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "4: luks2" || fail +# passphrase/keyfile +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV -d $KEY_PWD1 --key-slot 0 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "0: luks2" || fail +echo $PWD3 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase --key-slot 0 || fail +# passphrase/passphrase +echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV --key-slot 1 || fail +echo $PWD2 | $CRYPTSETUP luksOpen $OPAL2_DEV --test-passphrase --key-slot 1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "1: luks2" || fail +# keyfile/passphrase +echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV $KEY_PWD1 --key-slot 2 --new-keyfile-size 8 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2" || fail + +prepare "[16] RemoveKey passphrase and keyfile" reuse +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2" || fail +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY_PWD1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2" && fail +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY_PWD1 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksRemoveKey should return EPERM exit code" +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY2 --keyfile-size 1 2>/dev/null && fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "4: luks2" || fail +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY2 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "4: luks2" && fail +# if password or keyfile is provided, batch mode must not suppress it +echo "badpw" | $CRYPTSETUP luksKillSlot $OPAL2_DEV 2 2>/dev/null && fail +echo "badpw" | $CRYPTSETUP luksKillSlot $OPAL2_DEV 2 -q 2>/dev/null && fail +echo "badpw" | $CRYPTSETUP luksKillSlot $OPAL2_DEV 2 --key-file=- 2>/dev/null && fail +echo "badpw" | $CRYPTSETUP luksKillSlot $OPAL2_DEV 2 --key-file=- -q 2>/dev/null && fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2" || fail +# kill slot using passphrase from 1 +echo $PWD2 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 2 2>/dev/null || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2" && fail +# remove key0 / slot 0 +echo $PWD3 | $CRYPTSETUP luksRemoveKey $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "0: luks2" && fail +# last keyslot, in batch mode no passphrase needed... +$CRYPTSETUP luksKillSlot -q $OPAL2_DEV 1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "1: luks2" && fail + +prepare "[17] create & resize" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +# OPAL2 devices cannot be resized +$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP -q resize --size 99 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP close $DEV_NAME || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT -q --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +# OPAL2 devices cannot be resized +$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP -q resize --size 99 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP close $DEV_NAME || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail + +prepare "[18] Disallow open/create if already mapped." wipe +$CRYPTSETUP create -q $DEV_NAME $OPAL2_DEV -d $KEY1 2>/dev/null || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV 2>/dev/null && fail +$CRYPTSETUP remove $DEV_NAME || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP luksOpen -q $OPAL2_DEV $DEV_NAME2 >/dev/null 2>&1 && fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 || fail "OPAL segment perhaps locked after failed activation over already active device." +$CRYPTSETUP luksClose $DEV_NAME || fail + +prepare "[19] luksDump" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $OPAL2_DEV -d $KEY_PWD1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "0: luks2" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q $TEST_UUID || fail +echo $PWDW | $CRYPTSETUP luksDump $OPAL2_DEV --dump-volume-key 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksDump $OPAL2_DEV --dump-volume-key | grep -q "MK dump:" || fail +$CRYPTSETUP luksDump -q $OPAL2_DEV --dump-volume-key -d $KEY_PWD1 | grep -q "MK dump:" || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $OPAL2_DEV --dump-master-key --master-key-file $VK_FILE >/dev/null || fail +rm -f $VK_FILE +echo $PWD1 | $CRYPTSETUP luksDump -q $OPAL2_DEV --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $OPAL2_DEV --dump-volume-key --volume-key-file $VK_FILE 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $OPAL2_DEV || fail +# Use volume key file without keyslots +echo $PWD1 | $CRYPTSETUP luksRemoveKey -q $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksRemoveKey -q $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksRemoveKey -q $OPAL2_DEV || fail +$CRYPTSETUP luksOpen --volume-key-file $VK_FILE --key-size 512 --test-passphrase $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE --key-size 512 $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $OPAL2_DEV || fail + +prepare "[20] ChangeKey passphrase and keyfile" wipe +# [0]PWD1 [1]PWD2 +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal $OPAL2_DEV $FAST_PBKDF_OPT --key-slot 0 --key-size 256 --luks2-keyslots-size 756k >/dev/null || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY_PWD1 --key-slot 1 || fail +# [0]KEY2 [1]PWD2 +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY_PWD1 $KEY2 --key-slot 0 || fail +# [0]KEY2 [1]PWD1 +echo -e "$PWD2\n$PWD1" | $CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT --key-slot 1 || fail +# [0]KEY1 [1]PWD1 - with LUKS2 it should stay +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "0: luks2" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2" && fail +# [0]KEY1 [1]PWD2 +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "1: luks2" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2" && fail +# test out of raw area, change in-place (space only for 2 keyslots) +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "0: luks2" || fail +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail +# make a free space in keyslot area +echo $PWD2 | $CRYPTSETUP luksKillSlot -q $OPAL2_DEV 0 || fail + +# assert LUKS2 does not overwrite existing area with specific keyslot id +AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $OPAL2_DEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_OLD -gt 0 ] || fail +echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey --key-slot 1 $OPAL2_DEV $FAST_PBKDF_OPT || fail +AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $OPAL2_DEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_NEW -gt 0 ] || fail +[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW" + +# assert LUKS2 does not overwrite existing area with any sklot +AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $OPAL2_DEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_OLD -gt 0 ] || fail +echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT || fail +AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $OPAL2_DEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_NEW -gt 0 ] || fail +[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW" + +prepare "[21] Keyfile limit" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 0 || fail +echo $PWD1 | $CRYPTSETUP luksChangeKey $OPAL2_DEV $KEY1 --new-keyfile-size 13 $FAST_PBKDF_OPT || fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV -q 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +$CRYPTSETUP luksAddKey $OPAL2_DEV -d $KEY1 $KEY2 2>/dev/null && fail +$CRYPTSETUP luksAddKey $OPAL2_DEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail +$CRYPTSETUP luksAddKey $OPAL2_DEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail +$CRYPTSETUP luksAddKey $OPAL2_DEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY2 2>/dev/null && fail +$CRYPTSETUP luksRemoveKey $OPAL2_DEV $KEY2 -l 12 || fail +$CRYPTSETUP luksChangeKey $OPAL2_DEV -d $KEY1 $KEY2 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code" +$CRYPTSETUP luksChangeKey $OPAL2_DEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail +$CRYPTSETUP luksChangeKey $OPAL2_DEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail +# -l is ignored for stdin if _only_ passphrase is used +echo $PWD1 | $CRYPTSETUP luksAddKey $OPAL2_DEV -d $KEY2 $FAST_PBKDF_OPT || fail +# this is stupid, but expected +echo $PWD1 | $CRYPTSETUP luksRemoveKey $OPAL2_DEV -l 11 2>/dev/null && fail +echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $OPAL2_DEV -l 12 2>/dev/null && fail +echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $OPAL2_DEV -d- -l 12 || fail +# offset +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 0 || fail +echo $PWD1 | $CRYPTSETUP luksChangeKey $OPAL2_DEV $KEY1 --new-keyfile-offset 16 --new-keyfile-size 13 $FAST_PBKDF_OPT || fail +$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +$CRYPTSETUP luksAddKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail +$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail +$CRYPTSETUP luksOpen -d $KEY2 $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksClose $DEV_NAME || fail + +prepare "[22] Suspend/Resume" wipe +# OPAL+dm-crypt +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksSuspend $DEV_NAME || fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail +$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail +echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksResume should return EPERM exit code" +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksSuspend $DEV_NAME || fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail + +# OPAL only +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP luksSuspend $DEV_NAME || fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail +$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail +echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail +[ $? -ne 2 ] && fail "luksResume should return EPERM exit code" +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP -q luksClose $DEV_NAME || fail + +prepare "[23] luksOpen/Resume with specified key slot number" wipe +# first, let's try passphrase option +echo -e "$PWD3\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 --hw-opal $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +[ -b /dev/mapper/$DEV_NAME ] && fail +echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $OPAL2_DEV $DEV_NAME || fail +check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +echo $PWD3 | $CRYPTSETUP luksResume -S 4 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail +echo $PWD3 | $CRYPTSETUP luksResume -S 5 $DEV_NAME || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 0 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +[ -b /dev/mapper/$DEV_NAME ] && fail +echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +[ -b /dev/mapper/$DEV_NAME ] && fail +# second, try it with keyfiles +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat -q -S 5 $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo "$PWD1" | $CRYPTSETUP luksChangeKey -q -S 5 $FAST_PBKDF_OPT $OPAL2_DEV $KEY5 || fail +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $OPAL2_DEV $KEY1 || fail +$CRYPTSETUP luksOpen -S 5 -d $KEY5 $OPAL2_DEV $DEV_NAME || fail +check_exists +$CRYPTSETUP luksSuspend $DEV_NAME || fail +dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail +$CRYPTSETUP luksResume -S 1 -d $KEY5 $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail +$CRYPTSETUP luksResume -S 5 -d $KEY5 $DEV_NAME || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +$CRYPTSETUP luksOpen -S 1 -d $KEY5 $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +[ -b /dev/mapper/$DEV_NAME ] && fail +$CRYPTSETUP luksOpen -S 5 -d $KEY1 $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +[ -b /dev/mapper/$DEV_NAME ] && fail + +prepare "[24] Detached LUKS header" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG --align-payload 8192 || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG --align-payload 4096 >/dev/null || fail +$CRYPTSETUP luksDump $HEADER_IMG | grep -e "0: hw-opal-crypt" -A1 | grep -qe $((4096*512)) || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG --align-payload 0 --sector-size 512 || fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksOpen $OPAL2_DEV --header $HEADER_IMG $DEV_NAME || fail +$CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail +$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail +dd if=$OPAL2_DEV of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 && fail +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP luksSuspend $DEV_NAME || fail +dd if=$OPAL2_DEV of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 && fail +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail +dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=4K count=1 iflag=direct >/dev/null 2>&1 || fail +$CRYPTSETUP luksClose $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail +$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail +$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail +$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail +echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail +rm $HEADER_IMG || fail +# create exactly 16 MiBs LUKS2 header +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG --luks2-keyslots-size 16352k --luks2-metadata-size 16k --offset 131072 >/dev/null || fail +SIZE=$(stat --printf=%s $HEADER_IMG) +test $SIZE -eq 16777216 || fail +$CRYPTSETUP -q luksDump $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[bytes\]" || fail + +prepare "[25] LUKS erase" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase -q $OPAL2_DEV || fail +$CRYPTSETUP isLuks -q $OPAL2_DEV && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase -q $OPAL2_DEV || fail +$CRYPTSETUP isLuks -q $OPAL2_DEV && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +# test psid reset once with valgrind +$CRYPTSETUP luksErase --hw-opal-factory-reset --key-file $OPAL2_PSID_FILE $OPAL2_DEV -q || fail + +prepare "[26] LUKS convert" wipe +# create almost compatible LUKS2 device except OPAL segment +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 -s256 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP -q convert --type luks1 $OPAL2_DEV >/dev/null 2>&1 && fail +$CRYPTSETUP isLuks --type luks2 $OPAL2_DEV || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 -s256 --hw-opal-only $OPAL2_DEV || fail +$CRYPTSETUP -q convert --type luks1 $OPAL2_DEV >/dev/null 2>&1 && fail +$CRYPTSETUP isLuks --type luks2 $OPAL2_DEV || fail + +if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then + prepare "[27] LUKS2 key in keyring" wipe + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --header $HEADER_IMG || fail + + # check keyring support detection works as expected + rmmod dm-crypt >/dev/null 2>&1 || true + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --header $HEADER_IMG $DEV_NAME || fail + $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail + $CRYPTSETUP close $DEV_NAME || fail + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail + $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail + $CRYPTSETUP close $DEV_NAME || fail + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail + $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail + $CRYPTSETUP close $DEV_NAME || fail + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --header $HEADER_IMG $DEV_NAME || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail + $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail + $CRYPTSETUP close $DEV_NAME || fail +fi + +prepare "[28] tokens" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then + + test_and_prepare_keyring + + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail + $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail + # keyslot 5 is inactive + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail + # key description is not reachable + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail + # wrong passphrase + load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail + load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail + $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail + $CRYPTSETUP status $DEV_NAME > /dev/null || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME <&- || fail + $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail + $CRYPTSETUP close $DEV_NAME || fail + + # check --token-type sort of works (TODO: extend tests when native systemd tokens are available) + echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail + # this excludes keyring tokens from unlocking device + $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail + $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail + $CRYPTSETUP status $DEV_NAME > /dev/null && fail + + $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail + $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail + + # test we can remove keyslot with token + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail + $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail + $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail + + # test we can add unassigned token + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail + $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail + + # test token unassign works + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail + $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail +fi +echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 10 || fail +echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 11 --json-file - || fail +echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0 +$CRYPTSETUP token import $OPAL2_DEV --token-id 12 --json-file $TOKEN_FILE0 || fail +$CRYPTSETUP token import $OPAL2_DEV --token-id 12 --json-file $TOKEN_FILE0 2>/dev/null && fail +$CRYPTSETUP token export $OPAL2_DEV --token-id 10 >$TOKEN_FILE1 || fail +diff $TOKEN_FILE0 $TOKEN_FILE1 || fail +$CRYPTSETUP token export $OPAL2_DEV --token-id 11 >$TOKEN_FILE1 || fail +diff $TOKEN_FILE0 $TOKEN_FILE1 || fail +$CRYPTSETUP token export $OPAL2_DEV --token-id 12 >$TOKEN_FILE1 || fail +diff $TOKEN_FILE0 $TOKEN_FILE1 || fail +$CRYPTSETUP token export $OPAL2_DEV --token-id 12 --json-file $TOKEN_FILE1 || fail +diff $TOKEN_FILE0 $TOKEN_FILE1 || fail +$CRYPTSETUP token export $OPAL2_DEV --token-id 12 > $TOKEN_FILE1 || fail +diff $TOKEN_FILE0 $TOKEN_FILE1 || fail + +prepare "[29] LUKS keyslot priority" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -S 1 || fail +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q $OPAL2_DEV $FAST_PBKDF_OPT -S 5 || fail +$CRYPTSETUP config $OPAL2_DEV -S 0 --priority prefer && fail +$CRYPTSETUP config $OPAL2_DEV -S 1 --priority bla >/dev/null 2>&1 && fail +$CRYPTSETUP config $OPAL2_DEV -S 1 --priority ignore || fail +echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --test-passphrase 2>/dev/null && fail +echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --test-passphrase -S 1 || fail +echo $PWD2 | $CRYPTSETUP open $OPAL2_DEV --test-passphrase || fail +$CRYPTSETUP config $OPAL2_DEV -S 1 --priority normal || fail +echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --test-passphrase || fail +$CRYPTSETUP config $OPAL2_DEV -S 1 --priority ignore || fail +echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV --test-passphrase 2>/dev/null && fail + +prepare "[30] LUKS label and subsystem" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Subsystem:" | grep -q "HW-OPAL" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Label:" | grep -q "(no label)" || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --subsystem SatelliteTwo --label TheLabel || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Subsystem:" | grep -q "SatelliteTwo" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Label:" | grep -q "TheLabel" || fail +$CRYPTSETUP config $OPAL2_DEV --subsystem SatelliteThree +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Label:" | grep -q "(no label)" || fail +$CRYPTSETUP config $OPAL2_DEV --subsystem SatelliteThree --label TheLabel +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Label:" | grep -q "TheLabel" || fail + +prepare "[31] LUKS PBKDF setting" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 --hw-opal --pbkdf bla $OPAL2_DEV >/dev/null 2>&1 && fail +# Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" |$CRYPTSETUP luksFormat --type luks2 --hw-opal --pbkdf pbkdf2 --pbkdf-force-iterations 999 $OPAL2_DEV 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Iterations:" | grep -q "1234" || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf argon2id --pbkdf-force-iterations 3 $OPAL2_DEV 2>/dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $OPAL2_DEV || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf argon2i --pbkdf-force-iterations 4 \ + --pbkdf-memory 1234 --pbkdf-parallel 1 $OPAL2_DEV || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep "PBKDF:" | grep -q "argon2i" || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Time cost:" | grep -q "4" || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Memory:" | grep -q "1234" || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Threads:" | grep -q "1" || can_fail_fips +# Benchmark +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $OPAL2_DEV || can_fail_fips +[ 0"$($CRYPTSETUP luksDump $OPAL2_DEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips +[ 0"$($CRYPTSETUP luksDump $OPAL2_DEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal --pbkdf pbkdf2 -i 500 $OPAL2_DEV || fail +[ 0"$($CRYPTSETUP luksDump $OPAL2_DEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail + +prepare "[32] LUKS Keyslot convert" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 0 || fail +echo "$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S0 --new-key-slot 5 $OPAL2_DEV $KEY5 || fail +$CRYPTSETUP -q luksKillSlot $OPAL2_DEV 0 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "5: luks2" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "PBKDF:" | grep -q "pbkdf2" || fail +$CRYPTSETUP -q luksConvertKey $OPAL2_DEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "5: luks2" || can_fail_fips +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV -S 1 --key-file $KEY5 || fail +$CRYPTSETUP -q luksKillSlot $OPAL2_DEV 5 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "1: luks2" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "PBKDF:" | grep -q "pbkdf2" || fail +echo $PWD1 | $CRYPTSETUP -q luksConvertKey $OPAL2_DEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "1: luks2" || can_fail_fips +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $OPAL2_DEV || fail + +prepare "[33] luksAddKey unbound tests" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-slot 5 || fail +# unbound key may have arbitrary size +echo $PWD1 | $CRYPTSETUP luksChangeKey -q $OPAL2_DEV $FAST_PBKDF_OPT -S5 $KEY5 || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $OPAL2_DEV || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2 (unbound)" || fail +dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $OPAL2_DEV || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2 (unbound)" || fail +# unbound key size is required +echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $OPAL2_DEV 2>/dev/null && fail +echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --volume-key-file /dev/urandom $OPAL2_DEV 2> /dev/null && fail +# do not allow one to replace keyslot by unbound slot +echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $OPAL2_DEV 2>/dev/null && fail +echo $PWD2 | $CRYPTSETUP -q open $OPAL2_DEV $DEV_NAME 2> /dev/null && fail +echo $PWD2 | $CRYPTSETUP -q open -S2 $OPAL2_DEV $DEV_NAME 2> /dev/null && fail +echo $PWD2 | $CRYPTSETUP -q open -S2 $OPAL2_DEV --test-passphrase || fail +echo $PWD1 | $CRYPTSETUP -q open $OPAL2_DEV $DEV_NAME 2> /dev/null && fail +# check we're able to change passphrase for unbound keyslot +echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP open --test-passphrase -S 2 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP -q open -S 2 $OPAL2_DEV $DEV_NAME 2> /dev/null && fail +# do not allow adding keyslot by unbound keyslot +echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $OPAL2_DEV 2> /dev/null && fail +# check adding keyslot works when there's unbound keyslot +echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $OPAL2_DEV --key-file $KEY5 -S8 || fail +echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME || fail +$CRYPTSETUP close $DEV_NAME || fail +$CRYPTSETUP luksKillSlot -q $OPAL2_DEV 2 +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "2: luks2 (unbound)" && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 $OPAL2_DEV 2> /dev/null && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound 2> /dev/null $OPAL2_DEV 2> /dev/null && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $OPAL2_DEV > /dev/null || fail +diff $KEY_FILE0 $KEY_FILE1 || fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $OPAL2_DEV 2> /dev/null && fail +diff $KEY_FILE0 $KEY_FILE1 || fail +rm $KEY_FILE1 || fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $OPAL2_DEV | grep -q "Unbound Key:" && fail +echo $PWD3 | $CRYPTSETUP luksDump --unbound -S3 $OPAL2_DEV | grep -q "Unbound Key:" || fail +$CRYPTSETUP luksKillSlot -q $OPAL2_DEV 3 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2 (unbound)" && fail + +prepare "[34] LUKS2 metadata areas" wipe +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV 2> /dev/null || fail +DEFAULT_OFFSET=$($CRYPTSETUP luksDump $OPAL2_DEV | grep "offset: " | cut -f 2 -d ' ') +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128M >/dev/null 2>&1 && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "$((DEFAULT_OFFSET-2*131072)) \[bytes\]" || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-keyslots-size=128k >/dev/null || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset 16384 || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail +$CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "8355840 \[bytes\]" || fail +echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail +# data offset vs area size +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset $((256+56)) >/dev/null 2>&1 && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset $((256+64)) >/dev/null || fail + +prepare "[35] Per-keyslot encryption parameters" wipe +KEYSLOT_CIPHER="aes-cbc-plain64" +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal-only $OPAL2_DEV $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail +echo $PWD1 | $CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $KEY1 || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "0: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "0: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail +$CRYPTSETUP luksAddKey -q $OPAL2_DEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "1: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "1: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail +$CRYPTSETUP luksAddKey -q $OPAL2_DEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail +$CRYPTSETUP luksChangeKey $OPAL2_DEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail +# unbound keyslot +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $OPAL2_DEV || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $OPAL2_DEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $OPAL2_DEV || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail +[ "$($CRYPTSETUP luksDump $OPAL2_DEV | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail + +prepare "[36] Some encryption compatibility mode tests" wipe +CIPHERS="aes-ecb aes-cbc-null aes-cbc-plain64 aes-cbc-essiv:sha256 aes-xts-plain64" +key_size=256 +for cipher in $CIPHERS ; do + echo -n "[$cipher/$key_size]" + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat --type luks2 --hw-opal $OPAL2_DEV $FAST_PBKDF_OPT --cipher $cipher --key-size $key_size || fail +done +echo + +prepare "[37] New luksAddKey options." wipe +rm -f $VK_FILE +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat -q --type luks2 --hw-opal-only $FAST_PBKDF_OPT $OPAL2_DEV || fail +echo $PWD1 | $CRYPTSETUP luksDump -q $OPAL2_DEV --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail + +# pass pass +echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT $OPAL2_DEV || fail +echo $PWD2 | $CRYPTSETUP open -q --test-passphrase -S1 $OPAL2_DEV || fail + +# pass file +echo "$PWD2" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 2 $OPAL2_DEV $KEY1 || fail +$CRYPTSETUP open --test-passphrase -q -S2 -d $KEY1 $OPAL2_DEV || fail + +# file pass +echo "$PWD3" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 -d $KEY1 --new-key-slot 3 $OPAL2_DEV || fail +echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S3 $OPAL2_DEV || fail + +# file file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 4 -d $KEY1 --new-keyfile $KEY2 $OPAL2_DEV || fail +$CRYPTSETUP open --test-passphrase -q -S4 -d $KEY2 $OPAL2_DEV || fail + +# vk pass +echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S5 --volume-key-file $VK_FILE $OPAL2_DEV || fail +echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S5 $OPAL2_DEV || fail + +# vk file +$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $OPAL2_DEV || fail +$CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $OPAL2_DEV || fail + +if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then + test_and_prepare_keyring + load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + load_key user $TEST_TOKEN1 $PWDW "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 0 -S0 || fail + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --token-id 1 --unbound || fail + + # pass token + echo -e "$PWD1" | $CRYPTSETUP luksAddKey -q -S7 --new-token-id 1 $FAST_PBKDF_OPT $OPAL2_DEV || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV && fail + + # file token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 7 --new-token-id 1 -d $KEY1 $OPAL2_DEV || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV && fail + + # vk token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --volume-key-file $VK_FILE --new-token-id 1 $OPAL2_DEV || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 7 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV && fail + + # token pass + echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --token-id 0 $OPAL2_DEV || fail + echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S7 $OPAL2_DEV || fail + + # token file + echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S8 --token-id 0 $OPAL2_DEV $KEY2 || fail + $CRYPTSETUP open -q --test-passphrase -S8 --key-file $KEY2 $OPAL2_DEV || fail + + # token token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S9 --token-id 0 --new-token-id 1 $OPAL2_DEV || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 9 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $OPAL2_DEV && fail + + # reuse same token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S0 --new-key-slot 9 --token-id 0 --new-token-id 0 $OPAL2_DEV || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 9 || fail + + # reuse same token + $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --token-id 0 --new-token-id 0 $OPAL2_DEV || fail + echo $PWD1 | $CRYPTSETUP luksKillSlot $OPAL2_DEV 9 || fail + $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $OPAL2_DEV || fail +fi + +if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then + prepare "[38] Link VK to a keyring and use custom VK type." wipe + + echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $OPAL2_DEV 2> /dev/null || fail + KEY_NAME="cryptsetup:test_volume_key_id" + test_and_prepare_keyring + KID=$(echo -n test | keyctl padd user my_token @s) + keyctl unlink $KID >/dev/null 2>&1 @s && SESSION_KEYRING_WORKS=1 + KID=$(echo -n test | keyctl padd user my_token @us) + keyctl unlink $KID >/dev/null 2>&1 @us && USER_SESSION_KEYRING_WORKS=1 + + test_vk_link $KEY_NAME "@u" + test_vk_link $KEY_NAME "@u" "user" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "logon" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "user" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "logon" + # explicitly specify keyring key type + test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + + test_vk_link_and_reactivate $KEY_NAME "@u" "user" + test_vk_link_and_reactivate $KEY_NAME "@u" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user" + test_vk_link_and_reactivate $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + # explicitly specify keyring key type + test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user" + test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + + # test numeric keyring name -5 is user session (@us) keyring + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail + keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME + keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl unlink "%logon:$KEY_NAME" @us || fail + + # test malformed keyring descriptions and key types + # missing key description + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "%$TEST_KEYRING_NAME::" > /dev/null 2>&1 && fail + # malformed keyring description + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring ":$TEST_KEYRING_NAME::$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "@uuu::$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "@usu::$KEY_NAME" > /dev/null 2>&1 && fail + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user:" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "%user:$KEY_NAME" > /dev/null 2>&1 && fail + + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "@t::%0:$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "@t::%blah:$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --link-vk-to-keyring "@t::%userlogon:$KEY_NAME" > /dev/null 2>&1 && fail + +fi + +if ! fips_mode; then +prepare "[39] LUKS2 reencryption/decryption blocked" wipe + +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV || fail +test_reencryption_does_not_init + +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV || fail +test_reencryption_does_not_init + +prepare "[40] LUKS2 reencryption/decryption blocked (detached header)" wipe + +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --header $HEADER_IMG --type luks2 -s256 --hw-opal $OPAL2_DEV || fail +test_reencryption_does_not_init $HEADER_IMG + +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --header $HEADER_IMG --type luks2 -s256 --hw-opal-only $OPAL2_DEV || fail +test_reencryption_does_not_init $HEADER_IMG + +prepare "[41] LUKS2 encryption blocked" wipe + +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +test -b $DEV_NAME && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV $DEV_NAME 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +test -b $DEV_NAME && fail +echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail +$CRYPTSETUP isLuks $OPAL2_DEV && fail +fi + +prepare "[42] OPAL2 HW only test." wipe +test_device --hw-opal-only + +prepare "[43] OPAL2 + dmcrypt test." wipe +test_device --hw-opal + +prepare "[44] OPAL2 + auth encryption" wipe +test_device --hw-opal "-c aes-gcm-random --integrity aead" --integrity-no-wipe +test_device --hw-opal "-s 280 -c aes-ccm-random --integrity aead" --integrity-no-wipe + +prepare "[45] OPAL2 HW only test (detached header)" wipe +test_device_detached_header $HEADER_IMG --hw-opal-only + +prepare "[46] OPAL2 + dmcrypt test (detached header)" wipe +test_device_detached_header $HEADER_IMG --hw-opal + +prepare "[47] OPAL2 + auth encryption test (detached header)" wipe +test_device_detached_header $HEADER_IMG --hw-opal "-c aes-gcm-random --integrity aead" --integrity-no-wipe +test_device_detached_header $HEADER_IMG --hw-opal "-s 280 -c aes-ccm-random --integrity aead" --integrity-no-wipe + +# FIXME: Add partition based tests + +remove_mapping +reset_device_psid_nofail +exit 0 diff --git a/tests/compat-test2 b/tests/compat-test2 index c54dc7e..bc86563 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -3,9 +3,14 @@ PS4='$LINENO:' [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup +CRYPTSETUP_RAW=$CRYPTSETUP -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi DEV_NAME=dummy DEV_NAME2=dummy2 @@ -16,6 +21,7 @@ IMG10=luks-test-v10 HEADER_IMG=luks-header HEADER_KEYU=luks2_keyslot_unassigned.img HEADER_LUKS2_PV=blkid-luks2-pv.img +HEADER_LUKS2_INV=luks2_invalid_cipher.img KEY1=key1 KEY2=key2 KEY5=key5 @@ -50,7 +56,9 @@ function remove_mapping() [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME losetup -d $LOOPDEV >/dev/null 2>&1 - rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 + rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \ + $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \ + $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 # unlink whole test keyring [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null @@ -154,7 +162,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -164,6 +175,8 @@ function valgrind_run() function dm_crypt_keyring_support() { + $CRYPTSETUP --version | grep -q KEYRING || return 1 + VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." @@ -284,6 +297,171 @@ function add_scsi_device() { [ -b $DEV ] || fail "Cannot find $DEV." } +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) +test_vk_link() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is linked to the specified keyring before resume with linking." + $CRYPTSETUP luksSuspend $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail +} + +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) +test_vk_link_and_reactivate() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&-|| fail "Failed to unlock volume via a VK in keyring." + $CRYPTSETUP luksSuspend $DEV_NAME || fail "Failed to suspend device." + $CRYPTSETUP luksResume $DEV_NAME --volume-key-keyring $KEY_DESC <&- || fail "Failed to resume via a VK in keyring." + + echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail + echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail + echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-keyring $KEY_DESC $LOOPDEV --new-key-slot 1 || fail "Failed to add passphrase by VK in keyring." + echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail + $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 2>/dev/null || fail + + $CRYPTSETUP close $DEV_NAME || fail + # zero-out the key in keyring + keyctl pipe $KEYCTL_KEY_NAME | tr -c '\0' '\0' | keyctl pupdate $KEYCTL_KEY_NAME + $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&- > /dev/null 2>&1 && fail "Unlocked volume via a bad VK in keyring." + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after bad activation." + keyctl unlink $KEYCTL_KEY_NAME "$2" || fail +} + +# $1 first key name +# $2 second key name +# $3 keyring to link VK to +# $4 key type (optional) +test_reencrypt_vk_link() { + KEY_TYPE=${4:-user} + if [ -z "$4" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$4:$1" + fi + if [ -z "$4" ]; then + KEY_DESC2=$2 + else + KEY_DESC2="%$4:$2" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + KEYCTL_KEY_NAME2="%$KEY_TYPE:$2" + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME || fail + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + + keyctl unlink $KEYCTL_KEY_NAME "$3" || fail + keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail +} + +# $1 first key name +# $2 second key name +# $3 keyring to link VK to +# $4 key type (optional) +test_reencrypt_vk_link_and_reactivate() { + KEY_TYPE=${4:-user} + if [ -z "$4" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$4:$1" + fi + if [ -z "$4" ]; then + KEY_DESC2=$2 + else + KEY_DESC2="%$4:$2" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + KEYCTL_KEY_NAME2="%$KEY_TYPE:$2" + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME || fail + keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" || fail + $CRYPTSETUP close $DEV_NAME || fail + + keyctl unlink $KEYCTL_KEY_NAME "$3" || fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail + keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail +} + +function expect_run() +{ + export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" + expect "$@" +} + +# expected unlocked keyslot id +# command arguments +function expect_unlocked_keyslot() +{ + command -v expect >/dev/null || { + echo "WARNING: expect tool missing, interactive test will be skipped." + return 0 + } + + EXPECT_TIMEOUT=60 + EXPECT_KEY=$1 + + expect_run - >/dev/null </dev/null && fail $CRYPTSETUP remove $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail @@ -626,6 +804,24 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail +# make a free space in keyslot area +echo $PWD1 | $CRYPTSETUP luksKillSlot -q $LOOPDEV 0 || fail + +# assert LUKS2 does not overwrite existing area with specific keyslot id +AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_OLD -gt 0 ] || fail +echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey --key-slot 1 $LOOPDEV $FAST_PBKDF_OPT +AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_NEW -gt 0 ] || fail +[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW" + +# assert LUKS2 does not overwrite existing area with any sklot +AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_OLD -gt 0 ] || fail +echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT +AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g') +[ 0$AREA_OFFSET_NEW -gt 0 ] || fail +[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW" prepare "[24] Keyfile limit" wipe $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail @@ -924,6 +1120,40 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then $CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail $CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail $CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail + + $CRYPTSETUP token remove $LOOPDEV --token-id 0 || fail + $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail + + # token 8 assigned to keyslot 0 and 5. Unlocks only 5 + echo "$PWD2" | $CRYPTSETUP luksAddKey -q -S5 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail + echo -n "{\"type\":\"luks2-keyring\",\"keyslots\":[\"0\",\"5\"],\"key_description\":\"$TEST_TOKEN1\"}" | $CRYPTSETUP token import $LOOPDEV --token-id 8 || fail + load_key user $TEST_TOKEN1 "$PWD2" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + + # token 3 assigned to keyslot 1 (wrong passphrase) + echo "$PWD3" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail + $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 -S1 --token-id 3 || fail + load_key user $TEST_TOKEN2 "$PWDW" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + + # specific token, specific keyslot + $CRYPTSETUP open --test-passphrase --token-id 0 -S0 $LOOPDEV --token-only <&- || fail + # specific keyslot unlocked by any token + $CRYPTSETUP open --test-passphrase -S0 $LOOPDEV --token-only <&- || fail + + # token 0 unusable for keyslot 5 + $CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV --token-only <&- >/dev/null && fail + # backup interactive prompt should work + echo $PWD2 | $CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV || fail + + $CRYPTSETUP open --test-passphrase -S5 --token-id 8 $LOOPDEV <&- || fail + $CRYPTSETUP open --test-passphrase -S5 $LOOPDEV <&- || fail + + expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 -S5 $LOOPDEV" || fail + expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 $LOOPDEV" || fail + + $CRYPTSETUP open --test-passphrase -S0 --token-id 8 $LOOPDEV --token-only >/dev/null && fail + [ $? -ne 2 ] && fail "open should return EPERM exit code." + $CRYPTSETUP open --test-passphrase -S1 $LOOPDEV --token-only && fail + [ $? -ne 2 ] && fail "open should return EPERM exit code." fi echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail @@ -1200,5 +1430,135 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail fi +prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe +xz -dk $HEADER_LUKS2_INV.xz +dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 +$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail +echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail +echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail +echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail +dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \ + "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" +$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail +$CRYPTSETUP close $DEV_NAME ||fail + +if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then + prepare "[45] Link VK to a keyring and use custom VK type." wipe + + echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail + KEY_NAME="cryptsetup:test_volume_key_id" + KEY_NAME2="cryptsetup:test_volume_key_id2" + KEY_NAME3="cryptsetup:test_volume_key_id3" + test_and_prepare_keyring + KID=$(echo -n test | keyctl padd user my_token @s) + keyctl unlink $KID >/dev/null 2>&1 @s && SESSION_KEYRING_WORKS=1 + KID=$(echo -n test | keyctl padd user my_token @us) + keyctl unlink $KID >/dev/null 2>&1 @us && USER_SESSION_KEYRING_WORKS=1 + + test_vk_link $KEY_NAME "@u" + test_vk_link $KEY_NAME "@u" "user" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "logon" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "user" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "logon" + # explicitly specify keyring key type + test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + + test_vk_link_and_reactivate $KEY_NAME "@u" "user" + test_vk_link_and_reactivate $KEY_NAME "@u" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user" + test_vk_link_and_reactivate $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + # explicitly specify keyring key type + test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user" + test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + + # test numeric keyring name -5 is user session (@us) keyring + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail + keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." + $CRYPTSETUP close $DEV_NAME + keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation." + keyctl unlink "%logon:$KEY_NAME" @us || fail + + # test malformed keyring descriptions and key types + # missing key description + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%$TEST_KEYRING_NAME::" > /dev/null 2>&1 && fail + # malformed keyring description + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring ":$TEST_KEYRING_NAME::$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@uuu::$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@usu::$KEY_NAME" > /dev/null 2>&1 && fail + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user:" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%user:$KEY_NAME" > /dev/null 2>&1 && fail + + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%0:$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%blah:$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%userlogon:$KEY_NAME" > /dev/null 2>&1 && fail + + # test that only one VK name is used, when the device is not in reencryption + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 || fail + keyctl unlink "%user:$KEY_NAME" @u || fail + keyctl unlink "%user:$KEY_NAME2" @u > /dev/null 2>&1 && fail + $CRYPTSETUP close $DEV_NAME || fail + + # test linkning multiple VKs during reencryption + echo $PWD1 | $CRYPTSETUP -q reencrypt $LOOPDEV --init-only + + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u" + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u" "user" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "logon" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "user" + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user" + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "logon" + # explicitly specify keyring key type + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME" + + test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u" + test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u" "user" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s" + [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s" "user" + test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" + test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user" + + # explicitly specify keyring key type + test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME" + + # the keyring and key type have to be the same for both keys + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail + + # supply one/three key name(s) when two names are required + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@s::%logon:$KEY_NAME2" --link-vk-to-keyring "@s::%logon:$KEY_NAME3" > /dev/null 2>&1 && fail +fi + +prepare "[45] Blkid disable check" wipe +if [ "$HAVE_BLKID" -gt 0 ]; then + xz -dkf $HEADER_LUKS2_PV.xz + # batch mode disables blkid print, use --debug to check it + echo $PWD1 | $CRYPTSETUP -q --debug luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" || fail + xz -dkf $HEADER_LUKS2_PV.xz + echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" && fail +fi + +prepare "[46] Init from suspended device" wipe +dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail +echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --header $HEADER_IMG /dev/mapper/$DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP -q luksOpen --header $HEADER_IMG /dev/mapper/$DEV_NAME $DEV_NAME2 || fail +# underlying device now returns error but node is still present +dmsetup load $DEV_NAME --table "0 40000 error" || fail +dmsetup resume $DEV_NAME || fail +dmsetup suspend $DEV_NAME || fail +# status must print data even if data device is suspended +$CRYPTSETUP -q status --debug --header $HEADER_IMG $DEV_NAME2 | grep "type:" | grep -q "LUKS2" || fail +dmsetup resume $DEV_NAME || fail +$CRYPTSETUP -q luksClose $DEV_NAME2 || fail +dmsetup remove --retry $DEV_NAME || fail + remove_mapping exit 0 diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c index ae8dd68..02e6be3 100644 --- a/tests/crypto-vectors.c +++ b/tests/crypto-vectors.c @@ -1,7 +1,7 @@ /* * cryptsetup crypto backend test vectors * - * Copyright (C) 2018-2023 Milan Broz + * Copyright (C) 2018-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -74,12 +74,9 @@ struct kdf_test_vector { unsigned int password_length; const char *salt; unsigned int salt_length; -// const char *key; -// unsigned int key_length; -// const char *ad; -// unsigned int ad_length; const char *output; unsigned int output_length; + bool can_fail_fips; /* violates minimal length check */ }; static struct kdf_test_vector kdf_test_vectors[] = { @@ -92,17 +89,11 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x01\x01\x01\x01\x01\x01\x01\x01", 32, "\x02\x02\x02\x02\x02\x02\x02\x02" "\x02\x02\x02\x02\x02\x02\x02\x02", 16, -// "\x03\x03\x03\x03\x03\x03\x03\x03", 8, -// "\x04\x04\x04\x04\x04\x04\x04\x04" -// "\x04\x04\x04\x04", 12, "\xa9\xa7\x51\x0e\x6d\xb4\xd5\x88" "\xba\x34\x14\xcd\x0e\x09\x4d\x48" "\x0d\x68\x3f\x97\xb9\xcc\xb6\x12" - "\xa5\x44\xfe\x8e\xf6\x5b\xa8\xe0", 32 -// "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa" -// "\x13\xf0\xd7\x7f\x24\x94\xbd\xa1" -// "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2" -// "\x99\x52\xa4\xc4\x67\x2b\x6c\xe8", 32 + "\xa5\x44\xfe\x8e\xf6\x5b\xa8\xe0", 32, + true }, { "argon2id", NULL, 0, 3, 32, 4, @@ -112,17 +103,11 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x01\x01\x01\x01\x01\x01\x01\x01", 32, "\x02\x02\x02\x02\x02\x02\x02\x02" "\x02\x02\x02\x02\x02\x02\x02\x02", 16, -// "\x03\x03\x03\x03\x03\x03\x03\x03", 8, -// "\x04\x04\x04\x04\x04\x04\x04\x04" -// "\x04\x04\x04\x04", 12, "\x03\xaa\xb9\x65\xc1\x20\x01\xc9" "\xd7\xd0\xd2\xde\x33\x19\x2c\x04" "\x94\xb6\x84\xbb\x14\x81\x96\xd7" - "\x3c\x1d\xf1\xac\xaf\x6d\x0c\x2e", 32 -// "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c" -// "\x08\xc0\x37\xa3\x4a\x8b\x53\xc9" -// "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e" -// "\xb5\x25\x20\xe9\x6b\x01\xe6\x59", 32 + "\x3c\x1d\xf1\xac\xaf\x6d\x0c\x2e", 32, + true }, /* empty password */ { @@ -133,7 +118,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9" "\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb" "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b" - "\x89\x09\xfe\xde\x57\xcc\x63\x86", 32 + "\x89\x09\xfe\xde\x57\xcc\x63\x86", 32, + true }, { "argon2id", NULL, 0, 3, 128, 1, @@ -143,7 +129,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x09\x2f\x38\x35\xac\xb2\x43\x92" "\x93\xeb\xcd\xe8\x04\x16\x6a\x31" "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6" - "\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb", 32 + "\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb", 32, + true }, /* RFC 3962 */ { @@ -153,7 +140,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\xcd\xed\xb5\x28\x1b\xb2\xf8\x01" "\x56\x5a\x11\x22\xb2\x56\x35\x15" "\x0a\xd1\xf7\xa0\x4b\xb9\xf3\xa3" - "\x33\xec\xc0\xe2\xe1\xf7\x08\x37", 32 + "\x33\xec\xc0\xe2\xe1\xf7\x08\x37", 32, + true }, { "pbkdf2", "sha1", 64, 2, 0, 0, "password", 8, @@ -161,7 +149,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e" "\x98\x8b\x62\xc7\x3c\xda\x93\x5d" "\xa0\x53\x78\xb9\x32\x44\xec\x8f" - "\x48\xa9\x9e\x61\xad\x79\x9d\x86", 32 + "\x48\xa9\x9e\x61\xad\x79\x9d\x86", 32, + true }, { "pbkdf2", "sha1", 64, 1200, 0, 0, "password", 8, @@ -169,7 +158,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e" "\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b" "\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f" - "\x70\x8a\x31\xe2\xe6\x2b\x1e\x13", 32 + "\x70\x8a\x31\xe2\xe6\x2b\x1e\x13", 32, + false }, { "pbkdf2", "sha1", 64, 5, 0, 0, "password", 8, @@ -177,7 +167,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\xd1\xda\xa7\x86\x15\xf2\x87\xe6" "\xa1\xc8\xb1\x20\xd7\x06\x2a\x49" "\x3f\x98\xd2\x03\xe6\xbe\x49\xa6" - "\xad\xf4\xfa\x57\x4b\x6e\x64\xee", 32 + "\xad\xf4\xfa\x57\x4b\x6e\x64\xee", 32, + true }, { "pbkdf2", "sha1", 64, 1200, 0, 0, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" @@ -186,7 +177,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b" "\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9" "\xc5\xec\x59\xf1\xa4\x52\xf5\xcc" - "\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1", 32 + "\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1", 32, + false }, { "pbkdf2", "sha1", 64, 1200, 0, 0, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" @@ -195,7 +187,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5" "\x1b\x10\xe6\xa6\x87\x21\xbe\x61" "\x1a\x8b\x4d\x28\x26\x01\xdb\x3b" - "\x36\xbe\x92\x46\x91\x5e\xc8\x2a", 32 + "\x36\xbe\x92\x46\x91\x5e\xc8\x2a", 32, + false }, { "pbkdf2", "sha1", 64, 50, 0, 0, "\360\235\204\236", 4, // g-clef ("\xf09d849e) @@ -203,52 +196,60 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43" "\xa5\xb8\xbb\x27\x6a\x40\x3b\x39" "\xe7\xfe\x37\xa0\xc4\x1e\x02\xc2" - "\x81\xff\x30\x69\xe1\xe9\x4f\x52", 32 + "\x81\xff\x30\x69\xe1\xe9\x4f\x52", 32, + true }, { /* RFC-6070 */ "pbkdf2", "sha1", 64, 1, 0, 0, "password", 8, "salt", 4, "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9" - "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6", 20 + "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6", 20, + true }, { "pbkdf2", "sha1", 64, 2, 0, 0, "password", 8, "salt", 4, "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e" - "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57", 20 + "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57", 20, + true }, { "pbkdf2", "sha1", 64, 4096, 0, 0, "password", 8, "salt", 4, "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad" - "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1", 20 + "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1", 20, + true }, { "pbkdf2", "sha1", 64, 16777216, 0, 0, "password", 8, "salt", 4, "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94" - "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", 20 + "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", 20, + true }, { "pbkdf2", "sha1", 64, 4096, 0, 0, "passwordPASSWORDpassword", 24, "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8" "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96" - "\x4c\xf2\xf0\x70\x38", 25 + "\x4c\xf2\xf0\x70\x38", 25, + false }, { "pbkdf2", "sha1", 64, 4096, 0, 0, "pass\0word", 9, "sa\0lt", 5, "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37" - "\xd7\xf0\x34\x25\xe0\xc3", 16 + "\xd7\xf0\x34\x25\xe0\xc3", 16, + true }, { /* empty password test */ "pbkdf2", "sha1", 64, 2, 0, 0, "", 0, "salt", 4, "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2" - "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97", 20 + "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97", 20, + true }, { /* Password exceeds block size test */ "pbkdf2", "sha256", 64, 1200, 0, 0, @@ -258,7 +259,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x22\x34\x4b\xc4\xb6\xe3\x26\x75" "\xa8\x09\x0f\x3e\xa8\x0b\xe0\x1d" "\x5f\x95\x12\x6a\x2c\xdd\xc3\xfa" - "\xcc\x4a\x5e\x6d\xca\x04\xec\x58", 32 + "\xcc\x4a\x5e\x6d\xca\x04\xec\x58", 32, + false }, { "pbkdf2", "sha512", 128, 1200, 0, 0, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" @@ -269,7 +271,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x0f\xb2\xed\x2c\x0e\x6e\xfb\x7d" "\x7d\x8e\xdd\x58\x01\xb4\x59\x72" "\x99\x92\x16\x30\x5e\xa4\x36\x8d" - "\x76\x14\x80\xf3\xe3\x7a\x22\xb9", 32 + "\x76\x14\x80\xf3\xe3\x7a\x22\xb9", 32, + false }, { "pbkdf2", "whirlpool", 64, 1200, 0, 0, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" @@ -278,7 +281,8 @@ static struct kdf_test_vector kdf_test_vectors[] = { "\x9c\x1c\x74\xf5\x88\x26\xe7\x6a" "\x53\x58\xf4\x0c\x39\xe7\x80\x89" "\x07\xc0\x31\x19\x9a\x50\xa2\x48" - "\xf1\xd9\xfe\x78\x64\xe5\x84\x50", 32 + "\xf1\xd9\xfe\x78\x64\xe5\x84\x50", 32, + true } }; @@ -1024,23 +1028,38 @@ static int pbkdf_test_vectors(void) { char result[256]; unsigned int i; + struct crypt_hash *h; const struct kdf_test_vector *vec; for (i = 0; i < ARRAY_SIZE(kdf_test_vectors); i++) { crypt_backend_memzero(result, sizeof(result)); vec = &kdf_test_vectors[i]; - printf("PBKDF vector %02d %s ", i, vec->type); + if (vec->hash) + printf("PBKDF vector %02d %s-%s ", i, vec->type, vec->hash); + else + printf("PBKDF vector %02d %s ", i, vec->type); if (vec->hash && crypt_hmac_size(vec->hash) < 0) { printf("[%s N/A]\n", vec->hash); continue; } + if (vec->hash) { + if (crypt_hash_init(&h, vec->hash) < 0) { + printf("[%s N/A (init)]\n", vec->hash); + continue; + } + crypt_hash_destroy(h); + } if (crypt_pbkdf(vec->type, vec->hash, vec->password, vec->password_length, vec->salt, vec->salt_length, result, vec->output_length, vec->iterations, vec->memory, vec->parallelism) < 0) { - printf("[%s-%s N/A]\n", vec->type, vec->hash); - continue; + if (vec->can_fail_fips && fips_mode()) { + printf("[API FAILED, IGNORED (FIPS mode)]\n"); + continue; + } + printf("[API FAILED]\n"); + return EXIT_FAILURE; } if (memcmp(result, vec->output, vec->output_length)) { printf("[FAILED]\n"); diff --git a/tests/device-test b/tests/device-test index c8b53bb..9aaf03c 100755 --- a/tests/device-test +++ b/tests/device-test @@ -8,10 +8,15 @@ DEV_NAME2="ymmud" PWD1="93R4P4pIqAH8" PWD2="mymJeD8ivEhE" FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" +PLAIN_OPT="--type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256" SKIP_COUNT=0 -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME @@ -43,7 +48,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -100,21 +108,6 @@ function dm_crypt_features() DM_PERF_NO_WORKQUEUE=1 } -function dm_crypt_keyring_support() -{ - VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) - [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." - - VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) - VER_MIN=$(echo $VER_STR | cut -f 2 -d.) - - # run the test with dm-crypt v1.15.0+ on purpose - # the fix is in dm-crypt v1.18.1+ - [ $VER_MAJ -gt 1 ] && return 0 - [ $VER_MAJ -lt 1 ] && return 1 - [ $VER_MIN -ge 15 ] -} - format() # format { add_image @@ -165,33 +158,33 @@ if [ -z "$DM_PERF_CPU" ]; then SKIP_COUNT=$((SKIP_COUNT+1)) else echo -n "PLAIN: same_cpu_crypt submit_from_cpus " - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail + echo -e "$PWD1" | $CRYPTSETUP open -q $PLAIN_OPT $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail check_io $CRYPTSETUP close $DEV_NAME || fail echo -n "allow_discards " - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP open -q $PLAIN_OPT $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail check_io $CRYPTSETUP close $DEV_NAME || fail - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME || fail - echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP open -q $PLAIN_OPT $DEV $DEV_NAME || fail + echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail # Hash affects volume key for plain device. Check we can detect it - echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --hash sha512 --perf-same_cpu_crypt --allow-discards 2>/dev/null && fail + echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha512 --perf-same_cpu_crypt --allow-discards 2>/dev/null && fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail - echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail - echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME || fail + echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME || fail $CRYPTSETUP status $DEV_NAME | grep -q discards && fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail - echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 $DEV $DEV_NAME2 2>/dev/null && fail + echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT $DEV $DEV_NAME2 2>/dev/null && fail if [ -n "$DM_PERF_NO_WORKQUEUE" ]; then echo -n "no_read_workqueue no_write_workqueue" - echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-no_read_workqueue --perf-no_write_workqueue || fail + echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME --perf-no_read_workqueue --perf-no_write_workqueue || fail $CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail $CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail check_io @@ -279,9 +272,12 @@ else echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --disable-keyring || fail $CRYPTSETUP status $DEV_NAME | grep -q keyring && fail if [ -n "$DM_KEYRING" ]; then - echo -n "keyring " - echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME || fail - $CRYPTSETUP status $DEV_NAME | grep -q keyring || fail + $CRYPTSETUP --version | grep -q KEYRING + if [ $? -eq 0 ]; then + echo -n "keyring " + echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME || fail + $CRYPTSETUP status $DEV_NAME | grep -q keyring || fail + fi fi if [ -n "$DM_PERF_NO_WORKQUEUE" ]; then echo -n "no_read_workqueue no_write_workqueue" @@ -299,7 +295,7 @@ else fi echo "[3] Kernel dmcrypt sector size options" -echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1 +echo -e "$PWD1" | $CRYPTSETUP open $PLAIN_OPT $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1 ret=$? [ -z "$DM_SECTOR_SIZE" -a $ret -eq 0 ] && fail "cryptsetup activated device with --sector-size option on incompatible kernel!" if [ $ret -ne 0 ] ; then @@ -312,18 +308,18 @@ else $CRYPTSETUP close $DEV_NAME || fail echo -n "PLAIN sector size:" - echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail + echo -e "$PWD1" | $CRYPTSETUP open $PLAIN_OPT $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail for S in 512 1024 2048 4096; do echo -n "[$S]" - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --sector-size $S || fail + echo -e "$PWD1" | $CRYPTSETUP open -q $PLAIN_OPT $DEV $DEV_NAME --sector-size $S || fail check_sector_size $S $CRYPTSETUP close $DEV_NAME || fail done - echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --iv-large-sectors >/dev/null 2>&1 && fail + echo -e "$PWD1" | $CRYPTSETUP open $PLAIN_OPT $DEV $DEV_NAME --iv-large-sectors >/dev/null 2>&1 && fail for S in 1024 2048 4096; do echo -n "[$S/IV]" - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --sector-size $S --iv-large-sectors || fail + echo -e "$PWD1" | $CRYPTSETUP open -q $PLAIN_OPT $DEV $DEV_NAME --sector-size $S --iv-large-sectors || fail check_sector_size $S dmsetup table $DEV_NAME | grep -q "iv_large_sectors" || fail $CRYPTSETUP close $DEV_NAME || fail diff --git a/tests/differ.c b/tests/differ.c index 95da8e5..0045b04 100644 --- a/tests/differ.c +++ b/tests/differ.c @@ -1,7 +1,7 @@ /* * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python) * - * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/discards-test b/tests/discards-test index 870f74d..27e5a5b 100755 --- a/tests/discards-test +++ b/tests/discards-test @@ -6,14 +6,18 @@ DEV_NAME="discard-t3st" DEV="" PWD1="93R4P4pIqAH8" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME udevadm settle >/dev/null 2>&1 rmmod scsi_debug >/dev/null 2>&1 - sleep 2 + sleep 1 } fail() @@ -34,7 +38,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -54,7 +61,7 @@ add_device() { exit 77 fi - sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) DEV="/dev/$DEV" @@ -103,7 +110,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail $CRYPTSETUP luksClose $DEV_NAME || fail echo "[2] Allowing discards for plain device" -echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail +echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail $CRYPTSETUP resize $DEV_NAME --size 100 || fail $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail diff --git a/tests/fake_systemd_tpm_path.c b/tests/fake_systemd_tpm_path.c index 6d82989..3dff718 100644 --- a/tests/fake_systemd_tpm_path.c +++ b/tests/fake_systemd_tpm_path.c @@ -2,9 +2,9 @@ #include /* systemd tpm2-util.h */ -int tpm2_find_device_auto(int log_level, char **ret); +int tpm2_find_device_auto(char **ret); -extern int tpm2_find_device_auto(int log_level __attribute__((unused)), char **ret) +extern int tpm2_find_device_auto(char **ret) { const char *path = getenv("TPM_PATH"); diff --git a/tests/fake_token_path.c b/tests/fake_token_path.c deleted file mode 100644 index 7b2bad3..0000000 --- a/tests/fake_token_path.c +++ /dev/null @@ -1,6 +0,0 @@ -#include - -const char *crypt_token_external_path(void) -{ - return BUILD_DIR; -} diff --git a/tests/fuzz/LUKS2.proto b/tests/fuzz/LUKS2.proto index 3a0f287..f54ed6b 100644 --- a/tests/fuzz/LUKS2.proto +++ b/tests/fuzz/LUKS2.proto @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -229,7 +229,7 @@ enum keyslot_af_type { KEYSLOT_AF_TYPE_LUKS1 = 1; } -// The af (anti-forensic splitter) object contains this madatory field: +// The af (anti-forensic splitter) object contains this mandatory field: // - type [string] the anti-forensic function type. // AF type luks1 (compatible with LUKS1 [1]) contains these additional fields: // - stripes [integer] the number of stripes, for historical reasons only the 4000 value is supported. diff --git a/tests/fuzz/LUKS2_plain_JSON.proto b/tests/fuzz/LUKS2_plain_JSON.proto index 59096b7..da8ea00 100644 --- a/tests/fuzz/LUKS2_plain_JSON.proto +++ b/tests/fuzz/LUKS2_plain_JSON.proto @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/crypt2_load_fuzz.cc b/tests/fuzz/crypt2_load_fuzz.cc index 1251d72..2195b40 100644 --- a/tests/fuzz/crypt2_load_fuzz.cc +++ b/tests/fuzz/crypt2_load_fuzz.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -22,91 +22,88 @@ extern "C" { #define FILESIZE (16777216) #include "src/cryptsetup.h" -#include #include "luks2/luks2.h" #include "crypto_backend/crypto_backend.h" #include "FuzzerInterface.h" -static int calculate_checksum(const uint8_t* data, size_t size) { - struct crypt_hash *hd = NULL; - struct luks2_hdr_disk *hdr = NULL; - int hash_size; - uint64_t hdr_size1, hdr_size2; - int r = 0; - - /* primary header */ - if (sizeof(struct luks2_hdr_disk) > size) - return 0; - hdr = CONST_CAST(struct luks2_hdr_disk *) data; - - hdr_size1 = be64_to_cpu(hdr->hdr_size); - if (hdr_size1 > size) - return 0; - memset(&hdr->csum, 0, LUKS2_CHECKSUM_L); - if ((r = crypt_hash_init(&hd, "sha256"))) - goto out; - if ((r = crypt_hash_write(hd, CONST_CAST(char*) data, hdr_size1))) - goto out; - hash_size = crypt_hash_size("sha256"); - if (hash_size <= 0) { - r = 1; - goto out; - } - if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size))) - goto out; - crypt_hash_destroy(hd); +#define CHKSUM_ALG "sha256" +#define CHKSUM_SIZE 32 - /* secondary header */ - if (hdr_size1 < sizeof(struct luks2_hdr_disk)) - hdr_size1 = sizeof(struct luks2_hdr_disk); +static bool fix_checksum_hdr(struct luks2_hdr_disk *hdr, const char *data, size_t len) +{ + char *csum = (char *)&hdr->csum; + struct crypt_hash *hd = NULL; + bool r = false; - if (hdr_size1 + sizeof(struct luks2_hdr_disk) > size) - return 0; - hdr = CONST_CAST(struct luks2_hdr_disk *) (data + hdr_size1); + if (crypt_hash_init(&hd, CHKSUM_ALG)) + return false; - hdr_size2 = be64_to_cpu(hdr->hdr_size); - if (hdr_size2 > size || (hdr_size1 + hdr_size2) > size) - return 0; + memset(csum, 0, LUKS2_CHECKSUM_L); - memset(&hdr->csum, 0, LUKS2_CHECKSUM_L); - if ((r = crypt_hash_init(&hd, "sha256"))) - goto out; - if ((r = crypt_hash_write(hd, (char*) hdr, hdr_size2))) - goto out; - if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size))) - goto out; + if (!crypt_hash_write(hd, data, len) && + !crypt_hash_final(hd, csum, CHKSUM_SIZE)) + r = true; -out: - if (hd) - crypt_hash_destroy(hd); + crypt_hash_destroy(hd); return r; } -int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - int fd; +static bool calculate_checksum(const char *data, size_t size, struct luks2_hdr_disk *hdr_rw) +{ + uint64_t hdr_size; + + /* Primary header cannot fit in data */ + if (sizeof(*hdr_rw) > size) + return false; + + hdr_size = be64_to_cpu(((struct luks2_hdr_disk *)data)->hdr_size); + if (hdr_size > size || hdr_size <= sizeof(*hdr_rw)) + return false; + + /* Calculate checksum for primary header */ + memcpy(hdr_rw, data, sizeof(*hdr_rw)); + return fix_checksum_hdr(hdr_rw, data, (size_t)hdr_size); +} + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + int fd, r = EXIT_FAILURE; struct crypt_device *cd = NULL; char name[] = "/tmp/test-script-fuzz.XXXXXX"; + struct luks2_hdr_disk hdr_rw; + size_t modified_data_size; - if (calculate_checksum(data, size)) - return 0; + /* if csum calculation fails, keep fuzzer running on original input */ + if (size >= sizeof(hdr_rw) && calculate_checksum((const char *)data, size, &hdr_rw)) + modified_data_size = sizeof(hdr_rw); + else + modified_data_size = 0; + /* create file with LUKS header for libcryptsetup */ fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC); if (fd == -1) - err(EXIT_FAILURE, "mkostemp() failed"); + return r; /* enlarge header */ if (ftruncate(fd, FILESIZE) == -1) goto out; - if (write_buffer(fd, data, size) != (ssize_t)size) + if (modified_data_size && + write_buffer(fd, &hdr_rw, modified_data_size) != (ssize_t)modified_data_size) + goto out; + + if (write_buffer(fd, data + modified_data_size, size - modified_data_size) != (ssize_t)size) goto out; + /* Actual fuzzing */ if (crypt_init(&cd, name) == 0) (void)crypt_load(cd, CRYPT_LUKS2, NULL); crypt_free(cd); + r = 0; out: close(fd); unlink(name); - return 0; + + return r; } } diff --git a/tests/fuzz/crypt2_load_proto_fuzz.cc b/tests/fuzz/crypt2_load_proto_fuzz.cc index 498c006..aaabfe8 100644 --- a/tests/fuzz/crypt2_load_proto_fuzz.cc +++ b/tests/fuzz/crypt2_load_proto_fuzz.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc index f3565ab..227c49a 100644 --- a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc +++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/meson.build b/tests/fuzz/meson.build new file mode 100644 index 0000000..95ea382 --- /dev/null +++ b/tests/fuzz/meson.build @@ -0,0 +1,127 @@ +if get_option('fuzz-targets') + crypt2_load_fuzz = executable('crypt2_load_fuzz', + [ + 'crypt2_load_fuzz.cc', + ], + dependencies: [ + devmapper, + fuzzing_engine, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) + + crypt2_load_ondisk_fuzz = executable('crypt2_load_ondisk_fuzz', + [ + 'crypt2_load_ondisk_fuzz.cc', + ], + dependencies: [ + devmapper, + fuzzing_engine, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) + + luks2_generated = protoc_generator.process('LUKS2.proto') + crypt2_load_proto_fuzz = executable('crypt2_load_proto_fuzz', + [ + 'crypt2_load_proto_fuzz.cc', + 'proto_to_luks2_converter.cc', + luks2_generated, + ], + dependencies: [ + devmapper, + protobuf, + libprotobuf_mutator, + fuzzing_engine, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) + + luks2_plain_json_generated = protoc_generator.process('LUKS2_plain_JSON.proto') + crypt2_load_proto_plain_fuzz = executable('crypt2_load_proto_plain_fuzz', + [ + 'crypt2_load_proto_plain_json_fuzz.cc', + 'json_proto_converter.cc', + 'plain_json_proto_to_luks2_converter.cc', + luks2_plain_json_generated, + ], + dependencies: [ + devmapper, + protobuf, + libprotobuf_mutator, + fuzzing_engine, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) + + proto_to_luks2 = executable('proto_to_luks2', + [ + 'proto_to_luks2.cc', + 'proto_to_luks2_converter.cc', + luks2_generated, + ], + dependencies: [ + devmapper, + protobuf, + libprotobuf_mutator, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) + + plain_json_proto_to_luks2 = executable('plain_json_proto_to_luks2', + [ + 'plain_json_proto_to_luks2.cc', + 'plain_json_proto_to_luks2_converter.cc', + 'json_proto_converter.cc', + luks2_plain_json_generated, + ], + dependencies: [ + devmapper, + protobuf, + libprotobuf_mutator, + ], + link_with: [ + libcryptsetup, + libcrypto_backend, + libutils_io, + ], + link_args: [ + link_args, + ], + include_directories: includes_tools) +endif diff --git a/tests/fuzz/oss-fuzz-build.sh b/tests/fuzz/oss-fuzz-build.sh index b2f643f..cf0cfde 100755 --- a/tests/fuzz/oss-fuzz-build.sh +++ b/tests/fuzz/oss-fuzz-build.sh @@ -42,14 +42,16 @@ in_oss_fuzz && LIBFUZZER_PATCH="$PWD/cryptsetup/tests/fuzz/unpoison-mutated-buff in_oss_fuzz && apt-get update && apt-get install -y \ make autoconf automake autopoint libtool pkg-config \ sharutils gettext expect keyutils ninja-build \ - bison + bison flex [ ! -d zlib ] && git clone --depth 1 https://github.com/madler/zlib.git [ ! -d xz ] && git clone https://git.tukaani.org/xz.git [ ! -d json-c ] && git clone --depth 1 https://github.com/json-c/json-c.git -[ ! -d lvm2 ] && git clone --depth 1 https://sourceware.org/git/lvm2.git +[ ! -d lvm2 ] && git clone --depth 1 https://gitlab.com/lvmteam/lvm2 [ ! -d popt ] && git clone --depth 1 https://github.com/rpm-software-management/popt.git -[ ! -d libprotobuf-mutator ] && git clone --depth 1 https://github.com/google/libprotobuf-mutator.git \ +# FIXME: temporary fix until libprotobuf stops shuffling C++ requirements +# [ ! -d libprotobuf-mutator ] && git clone --depth 1 https://github.com/google/libprotobuf-mutator.git \ +[ ! -d libprotobuf-mutator ] && git clone --depth 1 --branch v1.1 https://github.com/google/libprotobuf-mutator.git \ && [ "$SANITIZER" == "memory" ] && ( cd libprotobuf-mutator; patch -p1 < $LIBFUZZER_PATCH ) [ ! -d openssl ] && git clone --depth 1 https://github.com/openssl/openssl [ ! -d util-linux ] && git clone --depth 1 https://github.com/util-linux/util-linux @@ -76,8 +78,8 @@ make install cd .. cd xz -./autogen.sh --no-po4a -./configure --prefix="$DEPS_PATH" --enable-static --disable-shared +./autogen.sh --no-po4a --no-doxygen +./configure --prefix="$DEPS_PATH" --enable-static --disable-shared --disable-ifunc --disable-sandbox make -j make install cd .. @@ -94,16 +96,14 @@ cd ../.. cd lvm2 ./configure --prefix="$DEPS_PATH" --enable-static_link --disable-udev_sync --enable-pkgconfig --disable-selinux make -j libdm.device-mapper -# build of dmsetup.static is broken -# make install_device-mapper -cp ./libdm/ioctl/libdevmapper.a "$DEPS_PATH"/lib/ -cp ./libdm/libdevmapper.h "$DEPS_PATH"/include/ -cp ./libdm/libdevmapper.pc "$PKG_CONFIG_PATH" +make -C libdm install_static install_pkgconfig install_include cd .. cd popt # --no-undefined is incompatible with sanitizers sed -i -e 's/-Wl,--no-undefined //' src/CMakeLists.txt +# force static build of popt +sed -i 's/add_library(popt SHARED/add_library(popt STATIC/' src/CMakeLists.txt mkdir -p build rm -fr build/* cd build diff --git a/tests/fuzz/plain_json_proto_to_luks2.cc b/tests/fuzz/plain_json_proto_to_luks2.cc index 8c56c15..a0f02c5 100644 --- a/tests/fuzz/plain_json_proto_to_luks2.cc +++ b/tests/fuzz/plain_json_proto_to_luks2.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 protobuf to image converter * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.cc b/tests/fuzz/plain_json_proto_to_luks2_converter.cc index 823c0c5..6f756a9 100644 --- a/tests/fuzz/plain_json_proto_to_luks2_converter.cc +++ b/tests/fuzz/plain_json_proto_to_luks2_converter.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -32,6 +32,8 @@ namespace json_proto { void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid, const std::string &json_text) { struct luks2_hdr_disk hdr = {}; + size_t hdr_json_area_len, write_size; + uint8_t csum[LUKS2_CHECKSUM_L]; int r; if (hd) @@ -63,7 +65,6 @@ void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_pr strncpy(hdr.uuid, "af7f64ea-3233-4581-946b-6187d812841e", LUKS2_UUID_L); memset(hdr.salt, 1, LUKS2_SALT_L); - if (header_proto.has_selected_offset()) hdr.hdr_offset = cpu_to_be64(header_proto.selected_offset()); else @@ -74,10 +75,13 @@ void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_pr if (crypt_hash_write(hd, (char*)&hdr, LUKS2_HDR_BIN_LEN)) err(EXIT_FAILURE, "crypt_hash_write failed"); - size_t hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN; - uint8_t csum[LUKS2_CHECKSUM_L]; + if (header_proto.hdr_size() <= LUKS2_HDR_BIN_LEN || + header_proto.hdr_size() > LUKS2_DEFAULT_HDR_SIZE) + hdr_json_area_len = LUKS2_DEFAULT_HDR_SIZE - LUKS2_HDR_BIN_LEN; + else + hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN; - size_t write_size = json_text.length() > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text.length(); + write_size = json_text.length() > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text.length(); if (write_buffer(fd, json_text.c_str(), write_size) != (ssize_t)write_size) err(EXIT_FAILURE, "write_buffer failed"); if (crypt_hash_write(hd, json_text.c_str(), write_size)) @@ -113,6 +117,9 @@ void LUKS2ProtoConverter::convert(const LUKS2_both_headers &headers, int fd) { size_t out_size = headers.primary_header().hdr_size() + headers.secondary_header().hdr_size(); + if (out_size < 4096 || out_size > 2 * LUKS2_DEFAULT_HDR_SIZE) + out_size = LUKS2_DEFAULT_HDR_SIZE; + if (!write_headers_only) out_size += KEYSLOTS_SIZE + DATA_SIZE; diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.h b/tests/fuzz/plain_json_proto_to_luks2_converter.h index 7decf9f..aa1b594 100644 --- a/tests/fuzz/plain_json_proto_to_luks2_converter.h +++ b/tests/fuzz/plain_json_proto_to_luks2_converter.h @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/proto_to_luks2.cc b/tests/fuzz/proto_to_luks2.cc index 4a27cad..720d25b 100644 --- a/tests/fuzz/proto_to_luks2.cc +++ b/tests/fuzz/proto_to_luks2.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 protobuf to image converter * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/proto_to_luks2_converter.cc b/tests/fuzz/proto_to_luks2_converter.cc index 96a70b7..10f2b83 100644 --- a/tests/fuzz/proto_to_luks2_converter.cc +++ b/tests/fuzz/proto_to_luks2_converter.cc @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fuzz/proto_to_luks2_converter.h b/tests/fuzz/proto_to_luks2_converter.h index 9f926d0..5547ca7 100644 --- a/tests/fuzz/proto_to_luks2_converter.h +++ b/tests/fuzz/proto_to_luks2_converter.h @@ -1,8 +1,8 @@ /* * cryptsetup LUKS2 custom mutator fuzz target * - * Copyright (C) 2022-2023 Daniel Zatovic - * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2022-2024 Daniel Zatovic + * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/fvault2-compat-test b/tests/fvault2-compat-test index 45022d2..047798a 100755 --- a/tests/fvault2-compat-test +++ b/tests/fvault2-compat-test @@ -5,8 +5,12 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup MAP=fvault2test TST_DIR=fvault2-images -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi [ -z "$srcdir" ] && srcdir="." @@ -83,7 +87,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test index 208eafb..a2aae8d 100755 --- a/tests/integrity-compat-test +++ b/tests/integrity-compat-test @@ -5,8 +5,12 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." INTSETUP=$CRYPTSETUP_PATH/integritysetup -INTSETUP_VALGRIND=../.libs/integritysetup -INTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + INTSETUP_VALGRIND=$INTSETUP +else + INTSETUP_VALGRIND=../.libs/integritysetup + INTSETUP_LIB_VALGRIND=../.libs +fi DEV_NAME=dmc_test DEV_NAME2=dmc_fake @@ -115,7 +119,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test index ea88c21..dc4787d 100755 --- a/tests/keyring-compat-test +++ b/tests/keyring-compat-test @@ -26,8 +26,12 @@ PWD="aaablabl" [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) @@ -54,7 +58,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -123,7 +130,7 @@ add_device() { exit 77 fi - sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) DEV="/dev/$DEV" diff --git a/tests/loopaes-test b/tests/loopaes-test index fdb4cd3..62fe772 100755 --- a/tests/loopaes-test +++ b/tests/loopaes-test @@ -3,8 +3,12 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi # try to validate using loop-AES losetup/kernel if available LOSETUP_AES=/losetup-aes.old @@ -49,7 +53,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/luks1-compat-test b/tests/luks1-compat-test index 18afcd5..c0de983 100755 --- a/tests/luks1-compat-test +++ b/tests/luks1-compat-test @@ -6,8 +6,12 @@ TST_DIR=luks1-images MAP=luks1tst KEYFILE=keyfile1 -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi [ -z "$srcdir" ] && srcdir="." @@ -38,7 +42,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test index a8082f8..ff41ebf 100755 --- a/tests/luks2-integrity-test +++ b/tests/luks2-integrity-test @@ -11,8 +11,12 @@ PWD1=nHjJHjI23JK KEY_FILE=key.img FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi dmremove() { # device udevadm settle >/dev/null 2>&1 @@ -45,7 +49,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -60,6 +67,11 @@ add_device() { sync } +set_LO_DEV() { # file + # support both /dev/loopX and /dev/loop/X + LO_DEV=$(losetup -l -O NAME -n -j $1 2>/dev/null | sed -e 's/loop\//loop/') +} + status_check() # name value [detached] { if [ -n "$3" ]; then @@ -122,10 +134,12 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum dump_check "Key:" $(($4 + $5)) echo -n "[ACTIVATE]" $CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device." + set_LO_DEV $DEV status_check "cipher" $1 status_check "sector size" $6 status_check "integrity:" $3 status_check "keysize:" $(($4 + $5)) + [ -n "$LO_DEV" ] && status_check "device:" $LO_DEV [ $5 -gt 0 ] && status_check "integrity keysize:" $5 int_check_sum $1 $7 echo -n "[REMOVE]" @@ -137,12 +151,21 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum $CRYPTSETUP luksHeaderBackup -q --header-backup-file $HEADER_IMG $DEV || fail wipefs -a $DEV >/dev/null 2>&1 || fail $CRYPTSETUP open --header $HEADER_IMG -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device." + set_LO_DEV $DEV status_check "cipher" $1 1 status_check "sector size" $6 1 status_check "integrity:" $3 1 status_check "keysize:" $(($4 + $5)) 1 + [ -n "$LO_DEV" ] && status_check "device:" $LO_DEV 1 [ $5 -gt 0 ] && status_check "integrity keysize:" $5 1 int_check_sum $1 $7 + # check status returns values even if no --header is set + status_check "cipher" $1 + status_check "sector size" $6 + status_check "integrity:" $3 + status_check "keysize:" $(($4 + $5)) + [ -n "$LO_DEV" ] && status_check "device:" $LO_DEV + [ $5 -gt 0 ] && status_check "integrity keysize:" $5 $CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device." $CRYPTSETUP luksHeaderRestore -q --header-backup-file $HEADER_IMG $DEV || fail rm -f $HEADER_IMG @@ -169,6 +192,7 @@ intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 256 512 ee501705a intformat aes-xts-random hmac-sha256 hmac\(sha256\) 512 256 512 492c2d1cc9e222a850c399bfef4ed5a86bf5afc59e54f0f0c7ba8e2a64548323 intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 128 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b +intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b 1 intformat aes-xts-random hmac-sha256 hmac\(sha256\) 256 256 4096 8c0463f5ac09613674bdf40b0ff6f985edbc3de04e51fdc688873cb333ef3cda intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 256 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b diff --git a/tests/luks2-reencryption-mangle-test b/tests/luks2-reencryption-mangle-test index 5aa62e4..79b813d 100755 --- a/tests/luks2-reencryption-mangle-test +++ b/tests/luks2-reencryption-mangle-test @@ -5,8 +5,12 @@ PS4='$LINENO:' CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup CRYPTSETUP_RAW=$CRYPTSETUP -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi IMG=reenc-mangle-data IMG_HDR=$IMG.hdr IMG_HDR_BCP=$IMG_HDR.bcp @@ -210,7 +214,10 @@ function valgrind_setup() { bin_check valgrind [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi CRYPTSETUP=valgrind_run CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}" } diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test index a647a8c..57acae0 100755 --- a/tests/luks2-reencryption-test +++ b/tests/luks2-reencryption-test @@ -4,8 +4,12 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1" @@ -26,6 +30,13 @@ PWD1="93R4P4pIqAH8" PWD2="1cND4319812f" PWD3="1-9Qu5Ejfnqv" DEV_LINK="reenc-test-link" +KEYRING="luks2_reencryption_test_kr" +KEY_TYPE="user" +KEY_NAME1="luks2-reencryption-test1" +KEY_NAME2="luks2-reencryption-test2" +KEY_SPEC1="${KEYRING}::%${KEY_TYPE}:${KEY_NAME1}" +KEY_SPEC2="${KEYRING}::%${KEY_TYPE}:${KEY_NAME2}" +HAVE_KEYRING=0 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) @@ -105,6 +116,13 @@ function remove_mapping() scsi_debug_teardown $DEV } +function cleanup_keyring() +{ + if [ $HAVE_KEYRING -eq 1 ]; then + keyctl unlink %:$KEYRING "@s" >/dev/null 2>&1 || echo "Failed to unlink test keyring." + fi +} + function fail() { local frame=0 @@ -112,6 +130,7 @@ function fail() echo "FAILED backtrace:" while caller $frame; do ((frame++)); done remove_mapping + cleanup_keyring exit 2 } @@ -119,6 +138,7 @@ function skip() { [ -n "$1" ] && echo "$1" remove_mapping + cleanup_keyring exit 77 } @@ -362,6 +382,38 @@ function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest echo "[OK]" } +function reencrypt_recover_online_vk() { # $1 sector size, $2 resilience, $3 digest, [$4 header] + echo -n "resilience mode: $2 ..." + local _hdr="" + test -z "$4" || _hdr="--header $4" + + echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail + $CRYPTSETUP close $DEV_NAME || fail + + echo $PWD1 | $CRYPTSETUP open --link-vk-to-keyring $KEY_SPEC1 --link-vk-to-keyring $KEY_SPEC2 $DEV $_hdr $DEV_NAME || fail + + error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH + echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail + $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail + $CRYPTSETUP close $DEV_NAME || fail + fix_writes $OVRDEV $OLD_DEV + + # recovery during activation + $CRYPTSETUP open --volume-key-keyring $KEY_NAME1 --volume-key-keyring $KEY_NAME2 $DEV $_hdr $DEV_NAME || fail + check_hash_dev /dev/mapper/$DEV_NAME $3 + + $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt" + if [ $? -eq 0 ]; then + $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail + echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail + check_hash_dev /dev/mapper/$DEV_NAME $3 + fi + + $CRYPTSETUP close $DEV_NAME || fail + echo "[OK]" +} + function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest wipe_dev $DEV check_hash_dev $DEV $5 @@ -787,14 +839,27 @@ function reencrypt_online_fixed_size() { [ -n "$7" -a -f "$7" ] && rm -f $7 } +function prepare_vk_keyring() +{ + local s_desc=$(keyctl rdescribe @s | cut -d';' -f5) + local us_desc=$(keyctl rdescribe @us | cut -d';' -f5) + + if [ "$s_desc" = "$us_desc" -a -n "$s_desc" ]; then + echo "Session keyring is missing. Giving new one to parent process..." + keyctl new_session > /dev/null || fail + fi + + keyctl newring $KEYRING "@s" >/dev/null || fail "Failed to setup test keyring environment" + keyctl search "@s" keyring $KEYRING >/dev/null 2>&1 || fail "Could not find test keyring in a session keyring." +} + function setup_luks2_env() { echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail - HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring") - if [ -n "$HAVE_KEYRING" ]; then + local check_keyring=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring") + if [ -n "$check_keyring" ]; then HAVE_KEYRING=1 - else - HAVE_KEYRING=0 + prepare_vk_keyring fi DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/') [ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size." @@ -819,7 +884,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -1254,6 +1322,42 @@ if [ -n "$DM_SECTOR_SIZE" ]; then reencrypt_recover_online 4096 journal $HASH1 fi +if [ $HAVE_KEYRING -eq 1 ]; then + echo "sector size 512->512 (recovery by VK)" + + get_error_offsets 32 $OFFSET + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + reencrypt_recover_online_vk 512 checksum $HASH1 + reencrypt_recover_online_vk 512 journal $HASH1 + + if [ -n "$DM_SECTOR_SIZE" ]; then + echo "sector size 512->4096" + + get_error_offsets 32 $OFFSET 4096 + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + reencrypt_recover_online_vk 4096 checksum $HASH1 + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + reencrypt_recover_online_vk 4096 journal $HASH1 + + echo "sector size 4096->4096" + + get_error_offsets 32 $OFFSET 4096 + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail + wipe $PWD1 + + echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]" + reencrypt_recover_online_vk 4096 checksum $HASH1 + reencrypt_recover_online_vk 4096 journal $HASH1 + fi +fi + echo "[8] Reencryption with detached header recovery" prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP @@ -2204,4 +2308,5 @@ echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail check_hash_dev_head $DEV 2048 $HASH2 remove_mapping +cleanup_keyring exit 0 diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test index cd9f0a6..545c38e 100755 --- a/tests/luks2-validation-test +++ b/tests/luks2-validation-test @@ -6,8 +6,12 @@ PS4='$LINENO:' [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi START_DIR=$(pwd) @@ -106,7 +110,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/luks2_invalid_cipher.img.xz b/tests/luks2_invalid_cipher.img.xz new file mode 100644 index 0000000..52ce436 Binary files /dev/null and b/tests/luks2_invalid_cipher.img.xz differ diff --git a/tests/meson.build b/tests/meson.build new file mode 100644 index 0000000..43fff9a --- /dev/null +++ b/tests/meson.build @@ -0,0 +1,482 @@ +fs = import('fs') + +# copy images and generators to build directory from where tests run +test_files_to_copy = [ + 'bitlk-images.tar.xz', + 'blkid-luks2-pv.img.xz', + 'compatimage.img.xz', + 'compatimage2.img.xz', + 'compatv10image.img.xz', + 'conversion_imgs.tar.xz', + 'evil_hdr-keyslot_overlap.xz', + 'evil_hdr-luks_hdr_damage.xz', + 'evil_hdr-payload_overwrite.xz', + 'evil_hdr-small_luks_device.xz', + 'evil_hdr-stripes_payload_dmg.xz', + 'fvault2-images.tar.xz', + 'generators/generate-luks2-area-in-json-hdr-space-json0.img.sh', + 'img_fs_ext4.img.xz', + 'luks1-images.tar.xz', + 'luks2_header_requirements.tar.xz', + 'luks2_keyslot_unassigned.img.xz', + 'luks2_mda_images.tar.xz', + 'luks2_valid_hdr.img.xz', + 'luks2_invalid_cipher.img.xz', + 'tcrypt-images.tar.xz', + 'valid_header_file.xz', + 'xfs_512_block_size.img.xz', + 'valg.sh', + 'cryptsetup-valg-supps', +] + +foreach file : test_files_to_copy + fs.copyfile(file) +endforeach + +api_test = executable('api-test', + [ + 'api-test.c', + 'test_utils.c', + ], + dependencies: devmapper, + link_with: libcryptsetup, + c_args: ['-DNO_CRYPTSETUP_PATH'], + include_directories: includes_lib) + +api_test_2 = executable('api-test-2', + [ + 'api-test-2.c', + 'test_utils.c', + ], + dependencies: devmapper, + link_with: libcryptsetup, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +vectors_test = executable('vectors-test', + [ + 'crypto-vectors.c', + ], + link_with: libcrypto_backend, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +differ = executable('differ', + [ + 'differ.c', + ], + c_args: [ + '-Wall', + '-O2', + ]) + +unit_utils_io = executable('unit-utils-io', + [ + 'unit-utils-io.c', + ], + link_with: libutils_io, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +unit_utils_crypt_test = files('unit-utils-crypt.c',) + lib_utils_crypt_files +unit_utils_crypt_test = executable('unit-utils-crypt-test-test', + unit_utils_crypt_test, + link_with: libcryptsetup, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +unit_wipe = executable('unit-wipe', + [ + 'unit-wipe.c', + ], + link_with: libcryptsetup, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +generate_symbols_list = find_program('generate-symbols-list') +test_symbols_list_h = custom_target('test-symbols-list.h', + output: 'test-symbols-list.h', + input: [ + libcryptsetup_sym_path, + ], + # the scripts writes the output to stdout, capture and write to output file + capture: true, + command: [ + generate_symbols_list, + '@INPUT@', + ]) +all_symbols_test = executable('all-symbols-test', + [ + 'all-symbols-test.c', + test_symbols_list_h, + ], + dependencies: dl, + link_with: libcryptsetup, + c_args: [ + '-DNO_CRYPTSETUP_PATH', + ], + include_directories: includes_lib) + +fake_systemd_tpm_path = shared_library('fake_systemd_tpm_path', + [ + 'fake_systemd_tpm_path.c', + ], + name_prefix: '', + build_by_default: not enable_static) + +tests_env = environment() +tests_env.set('CRYPTSETUP_PATH', src_build_dir) +tests_env.set('LIBCRYPTSETUP_DIR', lib_build_dir) +tests_env.set('srcdir', meson.current_source_dir()) +tests_env.set('SSH_BUILD_DIR', tokens_ssh_build_dir) +tests_env.set('CRYPTSETUP_TESTS_RUN_IN_MESON', '1') + +valgrind_tests_env = tests_env +valgrind_tests_env.set('VALG', '1') + +add_test_setup('default', + is_default: true, + env: tests_env, + exclude_suites: [ 'valgrind-only' ] +) + +add_test_setup('valgrind', + env: valgrind_tests_env, + exclude_suites: [ 'not-in-valgrind' ] +) + +test('00modules-test', + find_program('./00modules-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind', + priority: 9999) +test('api-test', + api_test, + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind') +test('valg-api-test', + find_program('./valg-api.sh'), + args: [ './api-test'], + depends: [ api_test ], + workdir: meson.current_build_dir(), + env: 'INFOSTRING=api-test-000', + timeout: 14400, + is_parallel: false, + suite: 'valgrind-only') +test('api-test-2', + api_test_2, + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind') +test('valg-api-test-2', + find_program('./valg-api.sh'), + args: [ './api-test-2'], + depends: [ api_test_2 ], + workdir: meson.current_build_dir(), + env: 'INFOSTRING=api-test-002', + timeout: 14400, + is_parallel: false, + suite: 'valgrind-only') +test('blockwise-compat-test', + find_program('./blockwise-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind', + depends: [ + unit_utils_io, + ]) +test('keyring-test', + find_program('./keyring-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind') +test('vectors-test', + vectors_test, + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind') +test('valg-vectors-test', + find_program('./valg-api.sh'), + args: [ './vectors-test' ], + depends: [ vectors_test ], + workdir: meson.current_build_dir(), + env: 'INFOSTRING=vectors-test', + timeout: 14400, + is_parallel: false, + suite: 'valgrind-only') +test('unit-wipe-test', + find_program('./unit-wipe-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind', + depends: [ + unit_wipe, + ]) +test('unit-utils-crypt-test', + unit_utils_crypt_test, + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind') +test('valg-unit-utils-crypt-test', + find_program('./valg-api.sh'), + args: [ './unit-utils-crypt-test' ], + depends: [ unit_utils_crypt_test ], + workdir: meson.current_build_dir(), + env: 'INFOSTRING=unit-utils-crypt-test', + timeout: 14400, + is_parallel: false, + suite: 'valgrind-only') + +if not enable_static + test('run-all-symbols', + find_program('./run-all-symbols'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind', + depends: [ + all_symbols_test, + libcryptsetup, + ]) +endif + +if get_option('cryptsetup') + test('compat-args-test', + find_program('./compat-args-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + test_symbols_list_h, + ]) + test('compat-test', + find_program('./compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + differ, + ]) + test('compat-test2', + find_program('./compat-test2'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('compat-test-opal', + find_program('./compat-test-opal'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('loopaes-test', + find_program('./loopaes-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('align-test', + find_program('./align-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('align-test2', + find_program('./align-test2'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('discards-test', + find_program('./discards-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('mode-test', + find_program('./mode-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('password-hash-test', + find_program('./password-hash-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('tcrypt-compat-test', + find_program('./tcrypt-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('luks1-compat-test', + find_program('./luks1-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('device-test', + find_program('./device-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('keyring-compat-test', + find_program('./keyring-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('luks2-validation-test', + find_program('./luks2-validation-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('luks2-integrity-test', + find_program('./luks2-integrity-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('bitlk-compat-test', + find_program('./bitlk-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('fvault2-compat-test', + find_program('./fvault2-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('reencryption-compat-test', + find_program('./reencryption-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('luks2-reencryption-test', + find_program('./luks2-reencryption-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) + test('luks2-reencryption-mangle-test', + find_program('./luks2-reencryption-mangle-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup, + ]) +endif + +if get_option('veritysetup') + test('verity-compat-test', + find_program('verity-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + veritysetup, + ]) +endif + +if get_option('integritysetup') + test('integrity-compat-test', + find_program('integrity-compat-test'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + integritysetup, + ]) +endif + +if get_option('ssh-token') and not enable_static + test('ssh-test-plugin', + find_program('ssh-test-plugin'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + depends: [ + cryptsetup_ssh, + libcryptsetup_token_ssh, + ]) +endif + +if get_option('external-tokens') and not enable_static + test('systemd-test-plugin', + find_program('systemd-test-plugin'), + workdir: meson.current_build_dir(), + timeout: 14400, + is_parallel: false, + suite: 'not-in-valgrind', + depends: [ + fake_systemd_tpm_path, + ]) +endif + +subdir('fuzz') diff --git a/tests/mode-test b/tests/mode-test index 82171fb..81780cd 100755 --- a/tests/mode-test +++ b/tests/mode-test @@ -8,6 +8,7 @@ DEV_NAME=dmc_test HEADER_IMG=mode-test.img PASSWORD=3xrododenron PASSWORD1=$PASSWORD +KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540" FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" # cipher-chainmode-ivopts:ivmode @@ -17,8 +18,12 @@ IVMODES="null benbi plain plain64 essiv:sha256" LOOPDEV=$(losetup -f 2>/dev/null) -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi dmremove() { # device udevadm settle >/dev/null 2>&1 @@ -51,7 +56,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -184,4 +192,13 @@ done dmcrypt xchacha12,aes-adiantum-plain64 dmcrypt xchacha20,aes-adiantum-plain64 +echo -n "CAPI format:" +echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail +$CRYPTSETUP close "$DEV_NAME"_tstdev || fail +echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail +dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail +$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail +$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail +echo [OK] + cleanup diff --git a/tests/password-hash-test b/tests/password-hash-test index 6e3c78c..e777390 100755 --- a/tests/password-hash-test +++ b/tests/password-hash-test @@ -9,8 +9,12 @@ KEY_FILE=keyfile DEV2=$DEV_NAME"_x" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi dmremove() { # device udevadm settle >/dev/null 2>&1 @@ -42,7 +46,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test index 453831d..68a8c1f 100755 --- a/tests/reencryption-compat-test +++ b/tests/reencryption-compat-test @@ -6,8 +6,12 @@ REENC_BIN=$CRYPTSETUP REENC="$REENC_BIN reencrypt" FAST_PBKDF="--pbkdf-force-iterations 1000 --pbkdf pbkdf2" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi DEV_NAME=reenc9768 DEV_NAME2=reenc1273 @@ -33,7 +37,7 @@ function fips_mode() function del_scsi_device() { rmmod scsi_debug >/dev/null 2>&1 - sleep 2 + sleep 1 } function remove_mapping() @@ -68,7 +72,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -88,7 +95,7 @@ function add_scsi_device() { exit 77 fi - sleep 2 + sleep 1 SCSI_DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) [ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV." } diff --git a/tests/run-all-symbols b/tests/run-all-symbols index 775d5bb..58a1ba6 100755 --- a/tests/run-all-symbols +++ b/tests/run-all-symbols @@ -1,7 +1,7 @@ #!/bin/bash -DIR=../.libs -FILE=$DIR/libcryptsetup.so +[ -z "$LIBCRYPTSETUP_DIR" ] && LIBCRYPTSETUP_DIR=../.libs +FILE=$LIBCRYPTSETUP_DIR/libcryptsetup.so function fail() { @@ -15,7 +15,7 @@ function skip() exit 77 } -test -d $DIR || fail "Directory $DIR is missing." +test -d $LIBCRYPTSETUP_DIR || fail "Directory $LIBCRYPTSETUP_DIR is missing." test -f $FILE || skip "WARNING: Shared $FILE is missing, test skipped." ./all-symbols-test $FILE $@ diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin index 5b3966e..2475034 100755 --- a/tests/ssh-test-plugin +++ b/tests/ssh-test-plugin @@ -1,10 +1,10 @@ #!/bin/bash [ -z "$CRYPTSETUP_PATH" ] && { - TOKEN_PATH="./fake_token_path.so" - [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; } - export LD_PRELOAD=$TOKEN_PATH CRYPTSETUP_PATH=".." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + SSH_BUILD_DIR="$PWD/../.libs" + fi } CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh @@ -21,12 +21,24 @@ SSH_KEY_PATH="$HOME/sshtest-key" FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup + CRYPTSETUP_VALGRIND=$CRYPTSETUP + CRYPTSETUP_SSH=$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh + CRYPTSETUP_SSH_VALGRIND=$CRYPTSETUP_SSH +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh + CRYPTSETUP_LIB_VALGRIND=../.libs +fi [ -z "$srcdir" ] && srcdir="." +[ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] || { + # test runs on meson build + CRYPTSETUP_SSH="$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh" +} + function remove_mapping() { [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP @@ -104,7 +116,9 @@ function valgrind_setup() command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() @@ -152,6 +166,9 @@ check_dump() [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed." } +if [ -n "$SSH_BUILD_DIR" ]; then + CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR" +fi [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." @@ -174,17 +191,17 @@ ssh_check create_user ssh_setup -$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH +$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH $CUSTOM_TOKENS_PATH [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" -out=$($CRYPTSETUP luksDump $IMG) +out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG) check_dump "$out" 0 echo "[OK]" echo -n "Activating using SSH token: " $CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled" -$CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&- +$CRYPTSETUP luksOpen $CUSTOM_TOKENS_PATH -r $IMG $MAP -q >/dev/null 2>&1 <&- [ $? -ne 0 ] && fail "Failed to open $IMG using SSH token" echo "[OK]" @@ -193,10 +210,10 @@ $CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token" echo -n "Adding SSH token with --key-slot: " -$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 +$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 $CUSTOM_TOKENS_PATH [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" -out=$($CRYPTSETUP luksDump $IMG) +out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG) check_dump "$out" 1 echo "[OK]" diff --git a/tests/systemd-test-plugin b/tests/systemd-test-plugin index 5f37324..7515f76 100755 --- a/tests/systemd-test-plugin +++ b/tests/systemd-test-plugin @@ -61,14 +61,51 @@ CRYPTENROLL_LD_PRELOAD="" # if CRYPTSETUP_PATH is defined, we run against installed binaries, # otherwise we compile systemd tokens from source +[ ! -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] && { + bin_check git + bin_check meson + bin_check ninja + bin_check pkgconf + + INSTALL_PATH=$CRYPTSETUP_PATH/../external-tokens/install + mkdir -p $INSTALL_PATH + DESTDIR=$INSTALL_PATH meson install -C .. + PC_FILE="$(find $INSTALL_PATH -name 'libcryptsetup.pc')" + echo "INSTALL_PATH $INSTALL_PATH" + echo "PC_FILE $PC_FILE" + sed -i "s/^prefix=/prefix=${INSTALL_PATH//\//\\\/}/g" "$PC_FILE" + export PKG_CONFIG_PATH=$(dirname $PC_FILE) + + # systemd build system misses libcryptsetup.h if it is installed in non-default path + export CFLAGS="${CFLAGS:-} $(pkgconf --cflags libcryptsetup)" + + SYSTEMD_PATH=$CRYPTSETUP_PATH/../external-tokens/systemd + SYSTEMD_CRYPTENROLL=$SYSTEMD_PATH/build/systemd-cryptenroll + + mkdir -p $SYSTEMD_PATH + [ -d $SYSTEMD_PATH/.git ] || git clone --depth=1 https://github.com/systemd/systemd.git $SYSTEMD_PATH + cd $SYSTEMD_PATH + meson setup build/ -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true || skip "Failed to configure systemd via meson, some dependencies are probably missing." + ninja -C build/ systemd-cryptenroll libcryptsetup-token-systemd-tpm2.so || skip "Failed to build systemd." + + CRYPTSETUP_TOKENS_PATH=$CRYPTSETUP_PATH/../tokens/ssh + + cd $CRYPTSETUP_PATH/../tests + cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so $CRYPTSETUP_TOKENS_PATH + cp $SYSTEMD_PATH/build/src/shared/*.so $CRYPTSETUP_TOKENS_PATH + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$CRYPTSETUP_PATH/../tests" + + CRYPTENROLL_LD_PRELOAD="$CRYPTSETUP_PATH/../lib/libcryptsetup.so" + + echo "CRYPTENROLL_LD_PRELOAD $CRYPTENROLL_LD_PRELOAD" +} + [ -z "$CRYPTSETUP_PATH" ] && { bin_check git bin_check meson bin_check ninja bin_check pkgconf - TOKEN_PATH=fake_token_path.so - [ -f $TOKEN_PATH ] || skip "Please compile $TOKEN_PATH." INSTALL_PATH=$(pwd)/external-tokens/install make -C .. install DESTDIR=$INSTALL_PATH PC_FILE="$(find $INSTALL_PATH -name 'libcryptsetup.pc')" @@ -83,16 +120,17 @@ CRYPTENROLL_LD_PRELOAD="" SYSTEMD_CRYPTENROLL=$SYSTEMD_PATH/build/systemd-cryptenroll mkdir -p $SYSTEMD_PATH - [ "$(ls -A $SYSTEMD_PATH)" ] || git clone --depth=1 https://github.com/systemd/systemd.git $SYSTEMD_PATH + [ -d $SYSTEMD_PATH/.git ] || git clone --depth=1 https://github.com/systemd/systemd.git $SYSTEMD_PATH cd $SYSTEMD_PATH - meson -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true build/ || skip "Failed to configure systemd via meson, some dependencies are probably missing." + meson setup build/ -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true || skip "Failed to configure systemd via meson, some dependencies are probably missing." ninja -C build/ systemd-cryptenroll libcryptsetup-token-systemd-tpm2.so || skip "Failed to build systemd." + CRYPTSETUP_TOKENS_PATH=$CRYPTSETUP_PATH/.libs + cd $CRYPTSETUP_PATH/tests - cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so ../.libs/ - cp $SYSTEMD_PATH/build/src/shared/*.so ../.libs/ + cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so $CRYPTSETUP_TOKENS_PATH + cp $SYSTEMD_PATH/build/src/shared/*.so $CRYPTSETUP_TOKENS_PATH - export LD_PRELOAD="${LD_PRELOAD-}:$CRYPTSETUP_PATH/tests/$TOKEN_PATH" CRYPTENROLL_LD_PRELOAD="$CRYPTSETUP_PATH/.libs/libcryptsetup.so" } CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup @@ -115,7 +153,11 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup echo "Virtual TPM set up at $TPM_PATH" } +if [ -n "$SSH_BUILD_DIR" ]; then + CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR" +fi FAKE_TPM_PATH="$(pwd)/fake_systemd_tpm_path.so" +[ ! -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] && FAKE_TPM_PATH="$CRYPTSETUP_PATH/../tests/fake_systemd_tpm_path.so" [ -f $FAKE_TPM_PATH ] || skip "Please compile $FAKE_TPM_PATH." export LD_PRELOAD="$LD_PRELOAD:$FAKE_TPM_PATH" @@ -128,23 +170,23 @@ echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force- echo "Enrolling the device to TPM 2 using systemd-cryptenroll.." LD_PRELOAD="$LD_PRELOAD:$CRYPTENROLL_LD_PRELOAD" PASSWORD="$PASSWD" $SYSTEMD_CRYPTENROLL $IMG --tpm2-device=$TPM_PATH >/dev/null 2>&1 -$CRYPTSETUP luksDump $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)." +$CRYPTSETUP luksDump --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)." echo "Activating the device via TPM2 external token.." -$CRYPTSETUP open --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token." +$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token." $CRYPTSETUP close $MAP >/dev/null 2>&1 || fail "Failed to close $MAP." echo "Adding passphrase via TPM2 token.." -echo $PASSWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token." +echo $PASSWD2 | $CRYPTSETUP luksAddKey --external-tokens-path $CRYPTSETUP_TOKENS_PATH $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token." echo $PASSWD2 | $CRYPTSETUP open $IMG --test-passphrase --disable-external-tokens >/dev/null 2>&1 || fail "Failed to test passphrase added by tpm2 token." echo "Exporting and removing TPM2 token.." EXPORTED_TOKEN=$($CRYPTSETUP token export $IMG --token-id 0) $CRYPTSETUP token remove $IMG --token-id 0 -$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal." +$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal." echo "Re-importing TPM2 token.." echo $EXPORTED_TOKEN | $CRYPTSETUP token import $IMG --token-id 0 || fail "Failed to re-import deleted token." -$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token." +$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token." cleanup exit 0 diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test index c0fc50a..0708b32 100755 --- a/tests/tcrypt-compat-test +++ b/tests/tcrypt-compat-test @@ -11,8 +11,12 @@ PASSWORD_HIDDEN="bbbbbbbbbbbb" PASSWORD_72C="aaaaaaaaaaaabbbbbbbbbbbbccccccccccccddddddddddddeeeeeeeeeeeeffffffffffff" PIM=1234 -CRYPTSETUP_VALGRIND=../.libs/cryptsetup -CRYPTSETUP_LIB_VALGRIND=../.libs +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + CRYPTSETUP_VALGRIND=$CRYPTSETUP +else + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs +fi [ -z "$srcdir" ] && srcdir="." @@ -54,12 +58,12 @@ function test_one() # cipher mode keysize rm_pattern fi } -function test_kdf() # hash +function test_kdf() # hash img_hash { $CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "pbkdf2-$1 [N/A]" - IMGS=$(ls $TST_DIR/[tv]c* | grep "$1") + IMGS=$(ls $TST_DIR/[tv]c* | grep "$2") [ -n "$IMGS" ] && rm $IMGS else echo "pbkdf2-$1 [OK]" @@ -78,11 +82,12 @@ function test_required() command -v blkid >/dev/null || skip "blkid tool required, test skipped." echo "REQUIRED KDF TEST" - test_kdf sha256 - test_kdf sha512 - test_kdf ripemd160 - test_kdf whirlpool - test_kdf stribog512 + test_kdf sha256 sha256 + test_kdf sha512 sha512 + test_kdf blake2s-256 blake2 + test_kdf ripemd160 ripemd160 + test_kdf whirlpool whirlpool + test_kdf stribog512 stribog echo "REQUIRED CIPHERS TEST" test_one aes cbc 256 cbc-aes @@ -114,7 +119,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." - export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tests/tcrypt-images.tar.xz b/tests/tcrypt-images.tar.xz index 1841870..5ccef08 100644 Binary files a/tests/tcrypt-images.tar.xz and b/tests/tcrypt-images.tar.xz differ diff --git a/tests/test_utils.c b/tests/test_utils.c index 97c62a0..d06e738 100644 --- a/tests/test_utils.c +++ b/tests/test_utils.c @@ -1,8 +1,8 @@ /* * cryptsetup library API test utilities * - * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2023 Milan Broz + * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -200,26 +200,40 @@ int fips_mode(void) * size of the loop device or not */ int create_dmdevice_over_loop(const char *dm_name, const uint64_t size) +{ + int r; + + r = create_dmdevice_over_device(dm_name, THE_LOOP_DEV, size, t_dev_offset); + if (r != 0) + return r; + + t_dev_offset += size; + + return r; +} + +/* + * Creates dm-linear target over the desired block device. + */ +int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset) { char cmd[128]; int r; uint64_t r_size; - if (t_device_size(THE_LOOP_DEV, &r_size) < 0 || r_size <= t_dev_offset || !size) + if (!device || t_device_size(device, &r_size) < 0 || r_size <= offset || !size) return -1; - if ((r_size - t_dev_offset) < size) { - printf("No enough space on backing loop device\n."); + if ((r_size - offset) < size) { + printf("No enough space on device %s\n.", device); return -2; } r = snprintf(cmd, sizeof(cmd), "dmsetup create %s --table \"0 %" PRIu64 " linear %s %" PRIu64 "\"", - dm_name, size, THE_LOOP_DEV, t_dev_offset); + dm_name, size, device, offset); if (r < 0 || (size_t)r >= sizeof(cmd)) return -3; - if (!(r = _system(cmd, 1))) - t_dev_offset += size; - return r; + return _system(cmd, 1); } __attribute__((format(printf, 3, 4))) @@ -450,12 +464,12 @@ void global_log_callback(int level, const char *msg, void *usrptr __attribute__( len = strlen(global_log); - if (len + strlen(msg) > sizeof(global_log)) { + if (len + strlen(msg) >= sizeof(global_log)) { printf("Log buffer is too small, fix the test.\n"); return; } - strncat(global_log, msg, sizeof(global_log) - len); + strncat(global_log, msg, sizeof(global_log) - len - 1); global_lines++; if (level == CRYPT_LOG_ERROR) { len = strlen(msg); diff --git a/tests/unit-utils-crypt.c b/tests/unit-utils-crypt.c index 4ab3c96..22b8788 100644 --- a/tests/unit-utils-crypt.c +++ b/tests/unit-utils-crypt.c @@ -1,7 +1,7 @@ /* * cryptsetup crypto name and hex conversion helper test vectors * - * Copyright (C) 2022-2023 Milan Broz + * Copyright (C) 2022-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/unit-utils-io.c b/tests/unit-utils-io.c index 3bfc762..642f778 100644 --- a/tests/unit-utils-io.c +++ b/tests/unit-utils-io.c @@ -1,7 +1,7 @@ /* * simple unit test for utils_io.c (blockwise low level functions) * - * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/unit-wipe-test b/tests/unit-wipe-test index 4d0a078..a898354 100755 --- a/tests/unit-wipe-test +++ b/tests/unit-wipe-test @@ -41,7 +41,7 @@ function add_device() if [ $? -ne 0 ] ; then skip "This kernel seems to not support proper scsi_debug module." fi - grep -q scsi_debug /sys/block/*/device/model || sleep 2 + sleep 1 DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /) DEV="/dev/$DEV" [ -b $DEV ] || fail "Cannot find $DEV." diff --git a/tests/unit-wipe.c b/tests/unit-wipe.c index c3019c7..d381a83 100644 --- a/tests/unit-wipe.c +++ b/tests/unit-wipe.c @@ -1,7 +1,7 @@ /* * unit test helper for crypt_wipe API call * - * Copyright (C) 2022-2023 Milan Broz + * Copyright (C) 2022-2024 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License diff --git a/tests/verity-compat-test b/tests/verity-compat-test index 8a28a12..82c49d3 100755 --- a/tests/verity-compat-test +++ b/tests/verity-compat-test @@ -2,8 +2,13 @@ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." VERITYSETUP=$CRYPTSETUP_PATH/veritysetup -VERITYSETUP_VALGRIND=../.libs/veritysetup -VERITYSETUP_LIB_VALGRIND=../.libs + +if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + VERITYSETUP_VALGRIND=$VERITYSETUP +else + VERITYSETUP_VALGRIND=../.libs/veritysetup + VERITYSETUP_LIB_VALGRIND=../.libs +fi DEV_NAME=verity3273 DEV_NAME2=verity3273x @@ -304,7 +309,10 @@ function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $VERITYSETUP_VALGRIND ] && fail "Unable to get location of veritysetup executable." - export LD_LIBRARY_PATH="$VERITYSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." + if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then + export LD_LIBRARY_PATH="$VERITYSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" + fi } function valgrind_run() diff --git a/tokens/meson.build b/tokens/meson.build new file mode 100644 index 0000000..a772a11 --- /dev/null +++ b/tokens/meson.build @@ -0,0 +1,8 @@ +libcryptsetup_token_sym_path = join_paths(meson.current_source_dir(), 'libcryptsetup-token.sym') + +token_link_args = [ + '-Wl,--version-script=' + + libcryptsetup_token_sym_path, +] + +subdir('ssh') diff --git a/tokens/ssh/cryptsetup-ssh.c b/tokens/ssh/cryptsetup-ssh.c index 7c0bf02..68a414b 100644 --- a/tokens/ssh/cryptsetup-ssh.c +++ b/tokens/ssh/cryptsetup-ssh.c @@ -1,8 +1,8 @@ /* * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE) * - * Copyright (C) 2016-2023 Milan Broz - * Copyright (C) 2021-2023 Vojtech Trefny + * Copyright (C) 2016-2024 Milan Broz + * Copyright (C) 2021-2024 Vojtech Trefny * * Use: * - generate ssh example token @@ -47,6 +47,7 @@ #define OPT_DEBUG 5 #define OPT_DEBUG_JSON 6 #define OPT_KEY_SLOT 7 +#define OPT_TOKENS_PATH 8 void tools_cleanup(void) { @@ -59,6 +60,7 @@ static int token_add( const char *user, const char *path, const char *keypath, + const char *plugin_path, int keyslot) { @@ -68,6 +70,12 @@ static int token_add( const char *string_token; int r, token; + if (plugin_path) { + r = crypt_token_set_external_path(plugin_path); + if (r < 0) + return r; + } + r = crypt_init(&cd, device); if (r) return r; @@ -78,15 +86,20 @@ static int token_add( goto out; } - r = -EINVAL; jobj = json_object_new_object(); - if (!jobj) + if (!jobj) { + r = -ENOMEM; goto out; + } /* type is mandatory field in all tokens and must match handler name member */ json_object_object_add(jobj, "type", json_object_new_string(TOKEN_NAME)); jobj_keyslots = json_object_new_array(); + if (!jobj_keyslots) { + r = -ENOMEM; + goto out; + } /* mandatory array field (may be empty and assigned later */ json_object_object_add(jobj, "keyslots", jobj_keyslots); @@ -143,6 +156,8 @@ static struct argp_option options[] = { {"ssh-user", OPT_SSH_USER, "STRING", 0, N_("Username used for the remote server")}, {"ssh-path", OPT_SSH_PATH, "STRING", 0, N_("Path to the key file on the remote server")}, {"ssh-keypath", OPT_KEY_PATH, "STRING", 0, N_("Path to the SSH key for connecting to the remote server")}, + {"external-tokens-path", + OPT_TOKENS_PATH,"STRING", 0, N_("Path to directory containinig libcryptsetup external tokens")}, {"key-slot", OPT_KEY_SLOT, "NUM", 0, N_("Keyslot to assign the token to. If not specified, token will "\ "be assigned to the first keyslot matching provided passphrase.")}, {0, 0, 0, 0, N_("Generic options:")}, @@ -159,6 +174,7 @@ struct arguments { char *ssh_user; char *ssh_path; char *ssh_keypath; + char *ssh_plugin_path; int keyslot; int verbose; int debug; @@ -182,6 +198,9 @@ parse_opt (int key, char *arg, struct argp_state *state) { case OPT_KEY_PATH: arguments->ssh_keypath = arg; break; + case OPT_TOKENS_PATH: + arguments->ssh_plugin_path = arg; + break; case OPT_KEY_SLOT: arguments->keyslot = atoi(arg); break; @@ -408,6 +427,7 @@ int main(int argc, char *argv[]) arguments.ssh_user, arguments.ssh_path, arguments.ssh_keypath, + arguments.ssh_plugin_path, arguments.keyslot); if (ret < 0) return EXIT_FAILURE; diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c index 639b25d..ac85f89 100644 --- a/tokens/ssh/libcryptsetup-token-ssh.c +++ b/tokens/ssh/libcryptsetup-token-ssh.c @@ -1,8 +1,8 @@ /* * Example of LUKS2 ssh token handler (EXPERIMENTAL) * - * Copyright (C) 2016-2023 Milan Broz - * Copyright (C) 2020-2023 Vojtech Trefny + * Copyright (C) 2016-2024 Milan Broz + * Copyright (C) 2020-2024 Vojtech Trefny * * Use: * - generate LUKS device diff --git a/tokens/ssh/meson.build b/tokens/ssh/meson.build new file mode 100644 index 0000000..dba1d76 --- /dev/null +++ b/tokens/ssh/meson.build @@ -0,0 +1,39 @@ +tokens_ssh_build_dir = meson.current_build_dir() + +if get_option('ssh-token') + if not enable_static + libcryptsetup_token_ssh = shared_library( + 'cryptsetup-token-ssh', + [ + 'libcryptsetup-token-ssh.c', + 'ssh-utils.c', + ], + dependencies: [ + jsonc, + libssh, + ], + link_with: libcryptsetup, + link_args: token_link_args, + include_directories: includes_tools + ['..']) + endif + + cryptsetup_ssh_files = files( + 'cryptsetup-ssh.c', + 'ssh-utils.c', + ) + cryptsetup_ssh_files += lib_ssh_token_files + cryptsetup_ssh_files += src_ssh_token_files + + cryptsetup_ssh = executable('cryptsetup-ssh', + cryptsetup_ssh_files, + dependencies: [ + argp, + jsonc, + libssh, + passwdqc, + popt, + pwquality, + ], + link_with: libcryptsetup, + include_directories: includes_tools + ['..']) +endif diff --git a/tokens/ssh/ssh-utils.c b/tokens/ssh/ssh-utils.c index 564d858..07638ba 100644 --- a/tokens/ssh/ssh-utils.c +++ b/tokens/ssh/ssh-utils.c @@ -1,8 +1,8 @@ /* * ssh plugin utilities * - * Copyright (C) 2016-2023 Milan Broz - * Copyright (C) 2020-2023 Vojtech Trefny + * Copyright (C) 2016-2024 Milan Broz + * Copyright (C) 2020-2024 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public diff --git a/tokens/ssh/ssh-utils.h b/tokens/ssh/ssh-utils.h index a491275..19fe61e 100644 --- a/tokens/ssh/ssh-utils.h +++ b/tokens/ssh/ssh-utils.h @@ -1,8 +1,8 @@ /* * ssh plugin utilities * - * Copyright (C) 2016-2023 Milan Broz - * Copyright (C) 2020-2023 Vojtech Trefny + * Copyright (C) 2016-2024 Milan Broz + * Copyright (C) 2020-2024 Vojtech Trefny * * This file is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -19,6 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifndef SSH_UTILS_H +#define SSH_UTILS_H + #include #include #include @@ -27,3 +30,5 @@ int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh, const char *path, char **password, size_t *password_len); ssh_session sshplugin_session_init(struct crypt_device *cd, const char *host, const char *user); int sshplugin_public_key_auth(struct crypt_device *cd, ssh_session ssh, const ssh_key pkey); + +#endif /* SSH_UTILS_H */ -- cgit v1.2.3