<varlistentry>
<term><option>header=</option></term>
- <listitem><para>Use a detached (separated) metadata device or
- file where the LUKS header is stored. This option is only
- relevant for LUKS devices. See
+ <listitem><para>Use a detached (separated) metadata device or file
+ where the header containing the master key(s) is stored. This
+ option is only relevant for LUKS and TrueCrypt/VeraCrypt devices. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for possible values and the default value of this
- option.</para>
+ for possible values and the default value of this option.</para>
<para>Optionally, the path may be followed by <literal>:</literal> and an
<filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or
option implies <option>tcrypt</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>veracrypt-pim=</option></term>
+
+ <listitem><para>Specifies a custom Personal Iteration Multiplier (PIM)
+ value, which can range from 0..2147468 for standard veracrypt volumes
+ and 0..65535 for veracrypt system volumes. A value of 0 will imply the
+ VeraCrypt default.
+
+ This option is only effective when <option>tcrypt-veracrypt</option> is
+ set.</para>
+
+ <para>Note that VeraCrypt enforces a minimal allowed PIM value depending on the
+ password strength and the hash algorithm used for key derivation, however
+ <option>veracrypt-pim=</option> is not checked against these bounds.
+ <ulink url="https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html">See
+ documentation</ulink> for more information.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>timeout=</option></term>
static bool arg_tcrypt_hidden = false;
static bool arg_tcrypt_system = false;
static bool arg_tcrypt_veracrypt = false;
+static uint32_t arg_tcrypt_veracrypt_pim = 0;
static char **arg_tcrypt_keyfiles = NULL;
static uint64_t arg_offset = 0;
static uint64_t arg_skip = 0;
return log_oom();
} else if ((val = startswith(option, "header="))) {
- arg_type = ANY_LUKS;
+ if (!STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT))
+ arg_type = ANY_LUKS;
if (!path_is_absolute(val))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
} else if (STR_IN_SET(option, "tcrypt-veracrypt", "veracrypt")) {
arg_type = CRYPT_TCRYPT;
arg_tcrypt_veracrypt = true;
+ } else if ((val = startswith(option, "veracrypt-pim="))) {
+
+ r = safe_atou32(val, &arg_tcrypt_veracrypt_pim);
+ if (r < 0) {
+ log_warning_errno(r, "Failed to parse %s, ignoring: %m", option);
+ return 0;
+ }
} else if (STR_IN_SET(option, "plain", "swap", "tmp") ||
startswith(option, "tmp="))
arg_type = CRYPT_PLAIN;
if (arg_tcrypt_veracrypt)
params.flags |= CRYPT_TCRYPT_VERA_MODES;
+
+ if (arg_tcrypt_veracrypt && arg_tcrypt_veracrypt_pim != 0)
+ params.veracrypt_pim = arg_tcrypt_veracrypt_pim;
if (key_data) {
params.passphrase = key_data;
destroy_key_file = key_file; /* let's get this baby erased when we leave */
if (arg_header) {
- log_debug("LUKS header: %s", arg_header);
- r = crypt_init(&cd, arg_header);
+ if (streq_ptr(arg_type, CRYPT_TCRYPT)){
+ log_debug("tcrypt header: %s", arg_header);
+ r = crypt_init_data_device(&cd, arg_header, source);
+ } else {
+ log_debug("LUKS header: %s", arg_header);
+ r = crypt_init(&cd, arg_header);
+ }
} else
r = crypt_init(&cd, source);
if (r < 0)