//go:build linux && cgo /* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package cryptsetup // #include import "C" import ( "errors" "github.com/martinjungblut/go-cryptsetup" ) const ( // ReadWriteQueueBypass is a flag to disable the write and read workqueues for a crypt device. ReadWriteQueueBypass = C.CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE | C.CRYPT_ACTIVATE_NO_READ_WORKQUEUE wipeFlags = cryptsetup.CRYPT_ACTIVATE_PRIVATE | cryptsetup.CRYPT_ACTIVATE_NO_JOURNAL wipePattern = cryptsetup.CRYPT_WIPE_ZERO ) var errInvalidType = errors.New("device is not a *cryptsetup.Device") func format(device cryptDevice, integrity bool) error { switch d := device.(type) { case cgoFormatter: luks2Params := cryptsetup.LUKS2{ SectorSize: 4096, PBKDFType: &cryptsetup.PbkdfType{ // Use low memory recommendation from https://datatracker.ietf.org/doc/html/rfc9106#section-7 Type: "argon2id", TimeMs: 2000, Iterations: 3, ParallelThreads: 4, MaxMemoryKb: 65536, // ~64MiB }, } genericParams := cryptsetup.GenericParams{ Cipher: "aes", CipherMode: "xts-plain64", VolumeKeySize: 64, // 32*2 bytes for aes-xts-plain64 encryption } if integrity { luks2Params.Integrity = "hmac(sha256)" genericParams.VolumeKeySize += 32 // 32 bytes for hmac(sha256) integrity } return d.Format(luks2Params, genericParams) default: return errInvalidType } } func initByDevicePath(devicePath string) (cryptDevice, error) { return cryptsetup.Init(devicePath) } func initByName(name string) (cryptDevice, error) { return cryptsetup.InitByName(name) } func loadLUKS2(device cryptDevice) error { switch d := device.(type) { case cgoLoader: return d.Load(cryptsetup.LUKS2{}) default: return errInvalidType } } type cgoFormatter interface { Format(deviceType cryptsetup.DeviceType, genericParams cryptsetup.GenericParams) error } type cgoLoader interface { Load(deviceType cryptsetup.DeviceType) error }