Commit Graph

1194 Commits

Author SHA1 Message Date
Narrat
27707714d4 extras/tests: adjust 30_kdf for KDF related changes 2024-10-30 21:28:50 +01:00
Narrat
88e04b9177 remove commented code in KDF section
The check if the argument of --kdfiter is an integer is unnecessary.
Neither argon2 nor tomb-kdb-pbkdf2-getiter care about float input.
2024-10-30 21:28:50 +01:00
Narrat
7f323ef6ee update man page for recent KDF changes 2024-10-30 21:28:50 +01:00
Narrat
7456d4f4b7 Improve argon2 handling and KDF in general
Previously it wasn't possible to use argon2 as KDF function without the tomb tools from extras/kdf-keys being available.
To change that behaviour introduce checks on the ARGON2 variable. Additionally add a fallback function to create a salt that is compatible with tomb-kdb-pbkdf2-gensalt.

Options specific for the different supported KDF algorithm are reorganized. Some options align between the various KDF and some are unique to them.
The output of -h is enhanced with the various --kdf options and depends on the available optional tools. argon2 specific cli arguments won't be displayed if argon2 is not available.

Add a case for results besides argon2 and pbkdf2. Key creation won't be stopped, just a warning is issued that the resulting key won't be protected via KDF.

Regarding the cli options: the argument for the suboption --kdf is made optional. In that regard one needs to make sure that --kdf is the last option before an argument, or use - to separate. A third option would be to use -k to specify the keyname.
Example: tomb forge --kdf - testkey.tomb
Example: tomb forge --kdf -k testkey.tomb
Example: tomb forge -k testkey.tomb --kdf

Additionally the kdf options are reorganized, which is a possible breaking change for scripts or GUI helpers.
* --kdftype is changed to --kdf
* --kdfiter is introduced as replacement for the previous --kdf definition
* --kdfpar is introduced to support the parallelism option of argon2 (nice to have if someone wants to adjust memory or iteration costs without increasing the time that much)
Only --kdf is mandatory to get a key which is protected with KDF. For every other option safe defaults are set and can be optionally adjusted.
KDF related subcommand options are removed where they don't come into play. gen_key() is only called in forge and passwd.

Closes #526
2024-10-30 21:25:43 +01:00
Narrat
a6e6a9c677 mount_tomb: make use of ACL in a specific location
Namely /run/media/$USER, which was introduced as a replacement for the
classic /media. Main motivation being, that $USER_B shouldn't get
access to or information about mounted devices from $USER_A.
The mount point itself is owned by root, therefore one needs currently
to know the name of the mountpoint to change to the location.
Other tools for mounting media like udisksctl set ACL to allow the
owner to use it normally (autocompletion and such).

Fixes #461
2024-10-30 11:06:53 +01:00
gallegonovato
5409402196 Translated using Weblate (Spanish)
Currently translated at 87.1% (304 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
gallegonovato
c299f60b1c Translated using Weblate (Spanish)
Currently translated at 79.6% (278 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
Francisco Serrador
684049ef4a Translated using Weblate (Spanish)
Currently translated at 79.6% (278 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
gallegonovato
feed856ca5 Translated using Weblate (Spanish)
Currently translated at 79.6% (278 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
Francisco Serrador
e270cf9920 Translated using Weblate (Spanish)
Currently translated at 77.9% (272 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
gallegonovato
cd4fb29781 Translated using Weblate (Spanish)
Currently translated at 77.9% (272 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
Francisco Serrador
bca94c1190 Translated using Weblate (Spanish)
Currently translated at 76.2% (266 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-10-30 08:58:59 +01:00
Gianluca Montecchi
6ed15c93ad Translated using Weblate (Italian)
Currently translated at 70.6% (287 of 406 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/it/
2024-10-30 08:58:59 +01:00
Ricky Tigg
0f70744d54 Translated using Weblate (Finnish)
Currently translated at 99.4% (348 of 350 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-10-30 08:58:59 +01:00
BombFoolGranny
ae8f34567d Translated using Weblate (Russian)
Currently translated at 71.3% (249 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/ru/
2024-10-30 08:58:59 +01:00
Ricky Tigg
5e39b5eb40 Translated using Weblate (Finnish)
Currently translated at 99.4% (347 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-10-30 08:58:59 +01:00
Ricky Tigg
66baa58cd9 Translated using Weblate (Finnish)
Currently translated at 98.5% (344 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-10-30 08:58:59 +01:00
Ricky Tigg
60714f25db Translated using Weblate (Finnish)
Currently translated at 97.9% (342 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-10-30 08:58:59 +01:00
BombFoolGranny
94b135b711 Fix grammar mistake in tomb.1 2024-10-30 08:56:30 +01:00
Jaromil
ff692999de enable btrfs light zstd:1 compression by default at mount
this comes free and is handled gracefully by btrfs according to
pre-compression heuristics, making it an ideal filesystem choice for
tomb volumes that have compressible contents.

A `compress-force=zstd:1` custom option would deactivate the heuristic
test and compress everything.
2024-09-08 04:31:33 +02:00
Jaromil
4783456814 local definition of variables in mount function 2024-09-08 04:31:33 +02:00
Narrat
653609a4b9 slam_tomb: simplify and rename to _kill_processes
In general umount_tomb and slam_tomb shared a lot of similar code.
Main difference being, that the latter additionally searched for
processes and would still call umount_tomb if the processes could
be killed.
umount_tomb would then again search with the provided name for the
relevant tomb in list_tomb_mounts, which should be obsolete at this
point.
Therefore the decision to reduce slam_tomb in functionality. It would
only work on a supplied tombname and tombmount, look if there are
processes, and is called from within umount_tomb.
(Theoretically tombname could be removed)
Calling tomb with slam or close sets a flag, which will decide if
that part in umount_tomb will be executed.
2024-09-01 22:30:17 +02:00
Narrat
284fb4a3cd slam_tomb(): don't parse process output and rework
In #504 list_processes() got reworked in a way to avoid parsing process
output as this had interesting side-effects.
Back then I mentioned the same behaviour existing in slam_tomb() which
should probably be changed too. This PR addresses that.
Firstly it will use list_processes() from within slam_tomb(), as this is
in principle overlapping functionality. For this list_processes() needed
to be adjusted. It now has a return value which can indicate if there
were processes.
Secondly the order of execution was changed in slam_tomb(). Before it
would process one process and work through the signals until this
process was killed. Now it will take a signal and issue a kill for all
processes found.
2024-09-01 22:30:17 +02:00
Jaromil
0ef195dff0 small updates to readme 2024-08-31 22:46:39 +02:00
Jaromil
48c08c0086 fix: resize on btrfs formatted volumes
new minimum increase for resize is 120MiB

increase resize delta on all test to be above new minimum

skip resize test for btrfs mixedmode (always fails)
2024-08-31 22:46:39 +02:00
Jaromil
29098f356c correct error message typo in resize (and in all translations) 2024-08-31 22:46:39 +02:00
Jaromil
447817de6c test btrfs tomb resize 2024-08-31 22:46:39 +02:00
Jaromil
b7fa057e48 elevate minimum size permitted for btrfs filesystem 2024-08-31 22:46:39 +02:00
Jaromil
963a0cc321 test btrfs tomb 2024-08-31 22:46:39 +02:00
Jaromil
117bd9bd6e improve readability of code in some complex branching points
avoid usage of if...elif...elif...else in some points, substituted
with while true; do ... done loops and break statements on success.
2024-08-31 22:46:39 +02:00
Jaromil
c1b5e1b310 remove sphinx from tests and docs
leftover strings are in translations, maybe take them off later
2024-08-31 22:46:39 +02:00
Jaromil
afe0390d93 remove unused and old libsphinx support
steff seems to be moving towards new implementations and this was
never reported as used by anyone
2024-08-31 22:46:39 +02:00
Jaromil
32eab3beec kdf iterations need only to be specified when forging a key
the key header saves the key iteration set when forging
2024-08-31 22:46:39 +02:00
Jaromil
11a5776456 add argon2 kdf test 2024-08-31 22:46:39 +02:00
Jaromil
ef1541f7a2 enable tests on ubuntu 24, and add doas and argon2 to CI
also remove python2 from latest ubuntu as no more found

doas test is enabled only for latest
2024-08-31 22:46:39 +02:00
Narrat
73950fe3d8 tests: add outside bind mounts to 75_hooks
it may happen that someone bind mounts manually or via an immutable setup the tomb mountdir somewhere else.
Tomb should be able to discover such mounts and close them if the tomb itself is closed.
2024-08-31 19:07:09 +02:00
Narrat
41b899e4e1 slam_tomb: adjust for changes in list_tomb_mounts
As the argument for list_tomb_mounts uses the input directly, it needs to be uniform.
Therefore one must make sure that extraneous characters like parentheses are removed from the variable.
And those are in place in tombname for slam_tomb().
2024-08-31 19:07:09 +02:00
Narrat
33f7878a22 rework handling of bind mounts
Instead of only looking for bind mounts from within a tomb due to bind-hooks, also consider bind mounts that happen from the outside (example: open a tomb and manually issue a mount --bind /media/tomb some/other/location).
Such a mount wouldn't be filtered before (only looking for an additional [/path/] added to TARGET).
Instead look for every mount that is related to the respective /dev/mapper/ entry of a tomb and also close or list them.
This helps to avoid to loop again against mounted tombs inside the main loop which loops over mounted tombs.
2024-08-31 19:07:09 +02:00
Narrat
42e233d2b0 list_tomb_binds: simplify function
similar to list_tomb_mounts, rework the findmnt usage to usage of the
actual tomb mapper device.
Simplifies the awk usage, and only one argument is needed for the
mapper function.
2024-08-31 19:07:09 +02:00
Narrat
6df1cdeab9 list_tomb_mounts: simplify the function
previously it had dedicated cases for listing all tombs and a singular
one, which duplicated code.
The function got reworked, that it uses a different approach for
findmnt. Instead of filtering the general result, it now uses --source
on the tomb specific cryptsetup mapper. Those are searched via general
globbing of the devices in /dev/mapper. This allows to combine the
previous separate cases.
Additionally remove the usage of _sudo for findmnt, as it is not
necessary.
2024-08-31 19:07:09 +02:00
Narrat
0b25ba6d68 umount_tomb: avoid double execution of list_tomb_binds()
Especially directly after each other.
2024-08-31 19:07:09 +02:00
Narrat
89283a06b7 Avoid manual handling of loop devices
Cryptsetup is since 1.3.0 capable of setting up a loop device if the
device argument is a file.
This has the additional benefit that those loop devices will get the
AUTOCLEAR flag (available with Linux 2.6.25). This means those loop
devices will be closed as soon as they're unused (on luksClose).
2024-08-31 19:07:09 +02:00
Narrat
c83068c03a Man-Page: remove part about gpg-agent
No plans on making this necessary and information about setting it up may not be the right place for this man-page.
2024-08-31 15:50:50 +02:00
Narrat
be533b3995 Man: merge section on Password Input
Somehow this section existed two times in the man page with similar information.
Enhance it with notes regarding wayland and adjust the recommended pinentry programs.
GTK2 has long been EOL and is actively being phased out by distributions, which makes pinentry-gtk2 obsolete.
pinentry-tty will work on every headless system or from a textual interface. pinentry-curses may end up starting if the respective ncurses is available.
2024-08-31 15:50:50 +02:00
Narrat
75aafc0c8c CI optimization (#531)
* portable was moved into extras and is unmaintained
* the CI tests for the portable rewrite are archived
2024-08-05 15:32:54 +02:00
Ricky Tigg
45c4616110 Translated using Weblate (Finnish)
Currently translated at 79.0% (276 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-07-30 06:21:01 +02:00
gallegonovato
7016515ce6 Translated using Weblate (Spanish)
Currently translated at 71.3% (249 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-07-30 06:21:01 +02:00
Ricky Tigg
97c61dc513 Translated using Weblate (Finnish)
Currently translated at 61.0% (213 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/fi/
2024-07-30 06:21:01 +02:00
gallegonovato
4523823c48 Translated using Weblate (Spanish)
Currently translated at 70.7% (247 of 349 strings)

Translation: Tomb/tomb
Translate-URL: https://hosted.weblate.org/projects/tomb/tomb/es/
2024-07-30 06:21:01 +02:00
Narrat
cb997eec2c extras/tomber: restructure
move contents one folder up. Instead of extras/tomber/tomber it now resides in extras/tomber.
Move and rename extras/PYTHON.md into extras/tomber/README.md, as it is the README of the tool.
2024-07-30 06:19:10 +02:00