Vhk>ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl m Z ddlmZddlmZmZdZd Zd Ze j,d Ze j,d Zd ZdZgdZdZdZGddeZGddeZ GddeZ!dZ"dZ#e$dk(re#yy))absolute_importdivisionprint_functiona"3 module: luks_device short_description: Manage encrypted (LUKS) devices description: - Module manages L(LUKS,https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) on given device. Supports creating, destroying, opening and closing of LUKS container and adding or removing new keys and passphrases. extends_documentation_fragment: - community.crypto.attributes attributes: check_mode: support: full diff_mode: support: none idempotent: support: full options: device: description: - Device to work with (for example V(/dev/sda1)). Needed in most cases. Can be omitted only when O(state=closed) together with O(name) is provided. type: str state: description: - Desired state of the LUKS container. Based on its value creates, destroys, opens or closes the LUKS container on a given device. - V(present) will create LUKS container unless already present. Requires O(device) and either O(keyfile) or O(passphrase) options to be provided. - V(absent) will remove existing LUKS container if it exists. Requires O(device) or O(name) to be specified. - V(opened) will unlock the LUKS container. If it does not exist it will be created first. Requires O(device) and either O(keyfile) or O(passphrase) to be specified. Use the O(name) option to set the name of the opened container. Otherwise the name will be generated automatically and returned as a part of the result. - V(closed) will lock the LUKS container. However if the container does not exist it will be created. Requires O(device) and either O(keyfile) or O(passphrase) options to be provided. If container does already exist O(device) or O(name) will suffice. type: str default: present choices: [present, absent, opened, closed] name: description: - Sets container name when O(state=opened). Can be used instead of O(device) when closing the existing container (that is, when O(state=closed)). type: str keyfile: description: - Used to unlock the container. Either a O(keyfile) or a O(passphrase) is needed for most of the operations. Parameter value is the path to the keyfile with the passphrase. - BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. type: path passphrase: description: - Used to unlock the container. Either a O(passphrase) or a O(keyfile) is needed for most of the operations. Parameter value is a string with the passphrase. - B(Note) that the passphrase must be UTF-8 encoded text. If you want to use arbitrary binary data, or text using another encoding, use the O(passphrase_encoding) option and provide the passphrase Base64 encoded. type: str version_added: '1.0.0' passphrase_encoding: description: - Determine how passphrases are provided to parameters such as O(passphrase), O(new_passphrase), and O(remove_passphrase). type: str default: text choices: text: - The passphrase is provided as UTF-8 encoded text. base64: - The passphrase is provided as Base64 encoded bytes. - Use the P(ansible.builtin.b64encode#filter) filter to Base64-encode binary data. version_added: 2.23.0 keyslot: description: - Adds the O(keyfile) or O(passphrase) to a specific keyslot when creating a new container on O(device). Parameter value is the number of the keyslot. - B(Note) that a device of O(type=luks1) supports the keyslot numbers V(0)-V(7) and a device of O(type=luks2) supports the keyslot numbers V(0)-V(31). In order to use the keyslots V(8)-V(31) when creating a new container, setting O(type) to V(luks2) is required. type: int version_added: '2.16.0' keysize: description: - Sets the key size only if LUKS container does not exist. type: int version_added: '1.0.0' new_keyfile: description: - Adds additional key to given container on O(device). Needs O(keyfile) or O(passphrase) option for authorization. LUKS container supports up to 8 keyslots. Parameter value is the path to the keyfile with the passphrase. - NOTE that adding additional keys is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this keyfile. - BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. type: path new_passphrase: description: - Adds additional passphrase to given container on O(device). Needs O(keyfile) or O(passphrase) option for authorization. LUKS container supports up to 8 keyslots. Parameter value is a string with the new passphrase. - NOTE that adding additional passphrase is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this passphrase. - B(Note) that the passphrase must be UTF-8 encoded text. If you want to use arbitrary binary data, or text using another encoding, use the O(passphrase_encoding) option and provide the passphrase Base64 encoded. type: str version_added: '1.0.0' new_keyslot: description: - Adds the additional O(new_keyfile) or O(new_passphrase) to a specific keyslot on the given O(device). Parameter value is the number of the keyslot. - B(Note) that a device of O(type=luks1) supports the keyslot numbers V(0)-V(7) and a device of O(type=luks2) supports the keyslot numbers V(0)-V(31). type: int version_added: '2.16.0' remove_keyfile: description: - Removes given key from the container on O(device). Does not remove the keyfile from filesystem. Parameter value is the path to the keyfile with the passphrase. - NOTE that removing keys is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a key which no longer exists results in an error. - NOTE that to remove the last key from a LUKS container, the O(force_remove_last_key) option must be set to V(true). - BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. type: path remove_passphrase: description: - Removes given passphrase from the container on O(device). Parameter value is a string with the passphrase to remove. - NOTE that removing passphrases is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a passphrase which no longer exists results in an error. - NOTE that to remove the last keyslot from a LUKS container, the O(force_remove_last_key) option must be set to V(true). - B(Note) that the passphrase must be UTF-8 encoded text. If you want to use arbitrary binary data, or text using another encoding, use the O(passphrase_encoding) option and provide the passphrase Base64 encoded. type: str version_added: '1.0.0' remove_keyslot: description: - Removes the key in the given slot on O(device). Needs O(keyfile) or O(passphrase) for authorization. - B(Note) that a device of O(type=luks1) supports the keyslot numbers V(0)-V(7) and a device of O(type=luks2) supports the keyslot numbers V(0)-V(31). - B(Note) that the given O(keyfile) or O(passphrase) must not be in the slot to be removed. type: int version_added: '2.16.0' force_remove_last_key: description: - If set to V(true), allows removing the last key from a container. - BEWARE that when the last key has been removed from a container, the container can no longer be opened! type: bool default: false label: description: - This option allow the user to create a LUKS2 format container with label support, respectively to identify the container by label on later usages. - Will only be used on container creation, or when O(device) is not specified. - This cannot be specified if O(type) is set to V(luks1). type: str version_added: '1.0.0' uuid: description: - With this option user can identify the LUKS container by UUID. - Will only be used when O(device) and O(label) are not specified. type: str version_added: '1.0.0' type: description: - This option allow the user explicit define the format of LUKS container that wants to work with. Options are V(luks1) or V(luks2). type: str choices: [luks1, luks2] version_added: '1.0.0' cipher: description: - This option allows the user to define the cipher specification string for the LUKS container. - Will only be used on container creation. - For pre-2.6.10 kernels, use V(aes-plain) as they do not understand the new cipher spec strings. To use ESSIV, use V(aes-cbc-essiv:sha256). type: str version_added: '1.1.0' hash: description: - This option allows the user to specify the hash function used in LUKS key setup scheme and volume key digest. - Will only be used on container creation. type: str version_added: '1.1.0' pbkdf: description: - This option allows the user to configure the Password-Based Key Derivation Function (PBKDF) used. - Will only be used on container creation, and when adding keys to an existing container. type: dict version_added: '1.4.0' suboptions: iteration_time: description: - Specify the iteration time used for the PBKDF. - Note that this is in B(seconds), not in milliseconds as on the command line. - Mutually exclusive with O(pbkdf.iteration_count). type: float iteration_count: description: - Specify the iteration count used for the PBKDF. - Mutually exclusive with O(pbkdf.iteration_time). type: int algorithm: description: - The algorithm to use. - Only available for the LUKS 2 format. choices: - argon2i - argon2id - pbkdf2 type: str memory: description: - The memory cost limit in kilobytes for the PBKDF. - This is not used for PBKDF2, but only for the Argon PBKDFs. type: int parallel: description: - The parallel cost for the PBKDF. This is the number of threads that run in parallel. - This is not used for PBKDF2, but only for the Argon PBKDFs. type: int sector_size: description: - This option allows the user to specify the sector size (in bytes) used for LUKS2 containers. - Will only be used on container creation. type: int version_added: '1.5.0' perf_same_cpu_crypt: description: - Allows the user to perform encryption using the same CPU that IO was submitted on. - The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs. - Will only be used when opening containers. type: bool default: false version_added: '2.3.0' perf_submit_from_crypt_cpus: description: - Allows the user to disable offloading writes to a separate thread after encryption. - There are some situations where offloading block write IO operations from the encryption threads to a single thread degrades performance significantly. - The default is to offload block write IO operations to the same thread. - Will only be used when opening containers. type: bool default: false version_added: '2.3.0' perf_no_read_workqueue: description: - Allows the user to bypass dm-crypt internal workqueue and process read requests synchronously. - Will only be used when opening containers. type: bool default: false version_added: '2.3.0' perf_no_write_workqueue: description: - Allows the user to bypass dm-crypt internal workqueue and process write requests synchronously. - Will only be used when opening containers. type: bool default: false version_added: '2.3.0' persistent: description: - Allows the user to store options into container's metadata persistently and automatically use them next time. Only O(perf_same_cpu_crypt), O(perf_submit_from_crypt_cpus), O(perf_no_read_workqueue), O(perf_no_write_workqueue), and O(allow_discards) can be stored persistently. - Will only work with LUKS2 containers. - Will only be used when opening containers. type: bool default: false version_added: '2.3.0' allow_discards: description: - Allow discards (also known as TRIM) requests for device. - Will only be used when opening containers. type: bool default: false version_added: '2.17.0' requirements: - "cryptsetup" - "wipefs (when O(state) is V(absent))" - "lsblk" - "blkid (when O(label) or O(uuid) options are used)" author: Jan Pokorny (@japokorn) a --- - name: Create LUKS container (remains unchanged if it already exists) community.crypto.luks_device: device: "/dev/loop0" state: "present" keyfile: "/vault/keyfile" - name: Create LUKS container with a passphrase community.crypto.luks_device: device: "/dev/loop0" state: "present" passphrase: "foo" - name: Create LUKS container with specific encryption community.crypto.luks_device: device: "/dev/loop0" state: "present" cipher: "aes" hash: "sha256" - name: (Create and) open the LUKS container; name it "mycrypt" community.crypto.luks_device: device: "/dev/loop0" state: "opened" name: "mycrypt" keyfile: "/vault/keyfile" - name: Close the existing LUKS container "mycrypt" community.crypto.luks_device: state: "closed" name: "mycrypt" - name: Make sure LUKS container exists and is closed community.crypto.luks_device: device: "/dev/loop0" state: "closed" keyfile: "/vault/keyfile" - name: Create container if it does not exist and add new key to it community.crypto.luks_device: device: "/dev/loop0" state: "present" keyfile: "/vault/keyfile" new_keyfile: "/vault/keyfile2" - name: Add new key to the LUKS container (container has to exist) community.crypto.luks_device: device: "/dev/loop0" keyfile: "/vault/keyfile" new_keyfile: "/vault/keyfile2" - name: Add new passphrase to the LUKS container community.crypto.luks_device: device: "/dev/loop0" keyfile: "/vault/keyfile" new_passphrase: "foo" - name: Remove existing keyfile from the LUKS container community.crypto.luks_device: device: "/dev/loop0" remove_keyfile: "/vault/keyfile2" - name: Remove existing passphrase from the LUKS container community.crypto.luks_device: device: "/dev/loop0" remove_passphrase: "foo" - name: Completely remove the LUKS container and its contents community.crypto.luks_device: device: "/dev/loop0" state: "absent" - name: Create a container with label community.crypto.luks_device: device: "/dev/loop0" state: "present" keyfile: "/vault/keyfile" label: personalLabelName - name: Open the LUKS container based on label without device; name it "mycrypt" community.crypto.luks_device: label: "personalLabelName" state: "opened" name: "mycrypt" keyfile: "/vault/keyfile" - name: Close container based on UUID community.crypto.luks_device: uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340 state: "closed" name: "mycrypt" - name: Create a container using luks2 format community.crypto.luks_device: device: "/dev/loop0" state: "present" keyfile: "/vault/keyfile" type: luks2 - name: Create a container with key in slot 4 community.crypto.luks_device: device: "/dev/loop0" state: "present" keyfile: "/vault/keyfile" keyslot: 4 - name: Add a new key in slot 5 community.crypto.luks_device: device: "/dev/loop0" keyfile: "/vault/keyfile" new_keyfile: "/vault/keyfile" new_keyslot: 5 - name: Remove the key from slot 4 (given keyfile must not be slot 4) community.crypto.luks_device: device: "/dev/loop0" keyfile: "/vault/keyfile" remove_keyslot: 4 z name: description: When O(state=opened) returns (generated or given) name of LUKS container. Returns None if no name is supplied. returned: success type: str sample: "luks-c1da9a58-2fde-4256-9d9f-6ab008b4dd1b" N) b64decode) AnsibleModule)to_bytes to_nativez^crypt\s+([^\s]*)\s*$z\s*device:\s+([^\s]*)\s*sLUKS) i@iiiiiii i@sSKULcg}t|d5}|jt}|tk(r|j dt D]C}|j ||jt}|tk(s3|j |E ddd|r@t|d5}|D]$}|j ||jd& dddyy#1swYLxYw#1swYyxYw)Nrbrwbs) openread LUKS_HEADER_L LUKS_HEADERappendLUKS2_HEADER_OFFSETSseek LUKS2_HEADER2write)device wipe_offsetsfdataoffsets p/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/crypto/plugins/modules/luks_device.pywipe_luks_headersrsL fd  ,qvvm$ ;     "* ,F FF6N66-(D}$##F+  , , &$  51& 5v34 5 5 5 , , 5 5sA(C8C"*C#C #C,c2eZdZdZdZddZdZdZdZy) Handlerc|||_|jjdd|_|jd|_y)NlsblkTpassphrase_encoding)_module get_bin_path _lsblk_binparams_passphrase_encoding)selfmodules r__init__zHandler.__init__s3 ,,33GTB$*MM2G$H!c|jj|}|y|jdk(r t|S t t |S#t $r6}|jjdj||Yd}~yd}~wwxYw)Ntextz5Error while base64-decoding '{parameter_name}': {exc})parameter_nameexc) r%r(r)rrr Exception fail_jsonformat)r*r0 passphraser1s r!get_passphrase_from_module_paramsz)Handler.get_passphrase_from_module_paramss\\((8    $ $ .J' ' Yz23 3  LL " "GNN#1sO   sA B ,BB Nc>|jj||dS)NT)r binary_data)r% run_command)r*commandrs r _run_commandzHandler._run_commands||''d'MMr-c|jjdd|_|jjd}|y|j |jd|g}|t dk7ry|t jS)z1Returns the device that holds UUID passed by userblkidTuuidNz--uuidrr%r& _blkid_binr(r; RETURN_CODESTDOUTstrip)r*r>results rget_device_by_uuidzHandler.get_device_by_uuidst,,33GTB||""6* <""DOOXt#DE + ! #f~##%%r-c|jjdd|_|jjd}|y|j |jd|g}|t dk7ry|t jS)z2Returns the device that holds label passed by userr=TlabelN--labelrr?)r*rGrDs rget_device_by_labelzHandler.get_device_by_labelst,,33GTB ##G, =""DOOY#FG + ! #f~##%%r-c|j|jd|ddg}|tdk7rtd|d|t|t j }d|zS)z}Generate name for luks based on device UUID ('luks-'). Raises ValueError when obtaining of UUID fails. z-nz-oUUIDrz%Error while generating LUKS name for : zluks-%s)r;r'rA ValueErrorSTDERRrBrC)r*rrDdev_uuids rgenerate_luks_namezHandler.generate_luks_namesi""DOOT64#PQ + ! #AGPVX &>'')8##r-N) __name__ __module__ __qualname__r,r6r;rErIrPr-rr!r!s"I N & & $r-r!creZdZfdZdZdZdZdZdZdZ dZ d Z d Z d Z d Z dd ZddZxZS) CryptHandlercntt| ||jj dd|_y)N cryptsetupT)superrWr,r%r&_cryptsetup_bin)r*r+ __class__s rr,zCryptHandler.__init__!s+ lD*62#||88tLr-c|j|j|ddg}|tdk7rtd|d|t|t j dD],}tj|}|s|jdcSy) zobtain LUKS container name based on the device where it is located return None if not found raise ValueError if lsblk command fails z-nloz type,namerz$Error while obtaining LUKS name for rLFr N) r;r'rArMrNrB splitlinesLUKS_NAME_REGEXmatchgroup)r*rrDlinems rget_container_name_by_devicez)CryptHandler.get_container_name_by_device%s ""DOOVV[#QR + ! #@FvW 6N--e4 "D%%d+Awwqz! "r-c|j|jd|g}|tdk7rytj |t }|j d}|S)zobtain device name based on the LUKS container name return None if not found raise ValueError if lsblk command fails statusrNr )r;r[rALUKS_DEVICE_REGEXsearchrBra)r*namerDrcrs rget_container_device_by_namez)CryptHandler.get_container_device_by_name6sW ""D$8$8(D#IJ + ! #  $ $VF^ 4 r-cV|j|jd|g}|tdk(S)z&check if the LUKS container does existisLuksr)r;r[rA)r*rrDs ris_lukszCryptHandler.is_luksDs/""D$8$8(F#KLk"a''r-c|j|r[t|d5}tD];}|j||j t }|t k(s3dddy dddyy#1swYyxYw)zget the luks type of a devicerNluks2luks1)rmrrrrrr)r*rrrrs r get_luks_typezCryptHandler.get_luks_typeIs{ << fd# q2'FFF6N66-0D},&   '     s9A.A."A..A7c|j|jd|g}|tdk7rtd|d|z|tv}d|z|tv}|xs|S)zcheck if a keyslot is setluksDumpr%Error while dumping LUKS header from zKey Slot %d: ENABLEDz %d: luks2)r;r[rArMrB)r*rkeyslotrD result_luks1 result_luks2s ris_luks_slot_setzCryptHandler.is_luks_slot_setUsk""D$8$8*f#MN + ! #&RS S-9VF^K #w/6&>A +|+r-c t|d+|jdtt|ddzg|d|jdt|dg|d|jd|dg|d|jd t|dg|d  |jd t|d gyy) Niteration_timez --iter-timeiiteration_countz--pbkdf-force-iterations algorithmz--pbkdfmemoryz--pbkdf-memoryparallelz--pbkdf-parallel)extendstrint)r*optionspbkdfs r_add_pbkdf_optionszCryptHandler._add_pbkdf_options^s ! " . NNM3s59I3JT3Q/R+ST U " # / NN6EBS ?   NNL#g,7 8$$l3 G T6N#  KK KK ""4j"9 + ! #9?P  $r-c |jg} |r| jd|gn| jddg|r| jdg|r| jdg|r| jdg|r| jdg|r| jdg| r| jdg| jd d d || g|j| | } | td k7rt d|d| t y)N --key-filerz--perf-same_cpu_cryptz--perf-submit_from_crypt_cpusz--perf-no_read_workqueuez--perf-no_write_workqueuez --persistentz--allow-discardsrrluksrrz&Error while opening LUKS container on rL)r[rr;rArMrN) r*rrr5perf_same_cpu_cryptperf_submit_from_crypt_cpusperf_no_read_workqueueperf_no_write_workqueue persistentallow_discardsrirrDs r run_luks_openzCryptHandler.run_luks_opens$$%  KKw/ 0 KKs+ ,  KK01 2 & KK89 : ! KK34 5 " KK45 6  KK( )  KK+, - VXvvt<=""4j"9 + ! #6&>+  $r-ct|j|jd|g}|tdk7rtd|zy)Ncloserz%Error while closing LUKS container %s)r;r[rArM)r*rirDs rrun_luks_closezCryptHandler.run_luks_closesB""D$8$8'4#HI + ! #DMN N $r-cP|jjdd}|j|}||j||j |d|g}|t dk7rt d|d|t t|y#t$r}t d|d|d}~wwxYw)NwipefsTz--allrz1Error while wiping LUKS container signatures for rL) r%r&rdrr;rArMrNrr2)r*r wipefs_binrirDr1s rrun_luks_removezCryptHandler.run_luks_removes\\..x> 008      %""J#@A + ! #6&>+   f % 3   s: B B%B  B%c &g}|jd|g} ||j| ||| jdt|g|r| jd|gn8| jdddtt |g|j ||r| j |n"| j d|j ||j | dj|xsd} | td k7rtd |d | ty) zAdd new key from a keyfile or passphrase to given 'device'; authentication done using 'keyfile' or 'passphrase'. Raises ValueError when command fails. luksAddKeyNrrrz--keyfile-sizer-rrz'Error while adding new LUKS keyslot to rL) r[rrrlenrr;joinrArMrN) r*rrr5 new_keyfilenew_passphrase new_keyslotrrrrDs rrun_luks_add_keyzCryptHandler.run_luks_add_keys$$lF;    # #D% 0  " KKs;'78 9  KKw/ 0 KKs,RS T KK #  KK $ KK  KK '""4chhtn.D"E + ! #6&>+  $r-c|s|j|jd|g}|tdk7rtd|d}d}t j d} |t jD]c} | jdrd}| jdr|s+| d d vs3|d z }9| jd rK| j| r|d z }bd}e|d kr|jjd |z|<|jd|dg} |r| jd|gn2|0| jddgn|jd|dt|g} d}|j| |}|tdk7rtd|d|ty)zRRemove key from given device Raises ValueError when command fails rsrrtFz^Key Slot [0-9]+: ENABLEDz Keyslots:Tz r 0123456789r  z{LUKS device %s has less than two active keyslots. To be able to remove a key, please set `force_remove_last_key` to `true`.msgN luksRemoveKeyrrr luksKillSlotrz#Error while removing LUKS key from rL)r;r[rArMrecompilerBr^ startswithr`r%r3rrrN) r*rrr5ruforce_remove_last_keyrD keyslot_count keyslot_area keyslot_rerbrs rrun_luks_remove_keyz CryptHandler.run_luks_remove_keys %&&(<(ri)r%r(getrIrErrj)r*rrGr>ris rrz!ConditionsHandler.get_device_namems$$((2 ##''0||""&&v.||""&&v. >e/--e4F  ^ 0,,T2F ^ 0''DDTJF r-c|jduxr}|jjdduxs|jjdduxrC|jjddvxr&|jj |j S)Nrr5state)presentopenedclosedrr%r(rrmr*s r luks_createzConditionsHandler.luks_create|s KKt # < ##I.d:A<<&&|4D@ <  ##G,0OO  < &&..t{{;; r-c<|jjddk7ry|jj|j}|y|jjd|S||jjdk7r|jj d|z|S)zIf luks is already opened, return its name. If 'name' parameter is specified and differs from obtained value, fail. Return None otherwise rrNriz;LUKS container is already opened under different name '%s'.r)r%r(rrdrr3r*ris ropened_luks_namez"ConditionsHandler.opened_luks_names <<  w '8 3!!>>t{{K < <<  v & .K 4<<&&v. . LL " "-/34 #   r-c|jjd|jjd(|j|jjddk7ry|j}|yy)Nrr5rrFT)r%r(rrrs r luks_openzConditionsHandler.luks_opensm ##I.6LL'' 5={{"||""7+x7$$& <r-c|jjd |j|jjddk7ry|j)|jj |j}|du}|jjdE|jj |jjd|_|jdu}S)NrirrF)r%r(rrrdrj)r*ri luks_is_opens r luks_closezConditionsHandler.luks_closes LL   ' /DKK4G \\  )X 5 ;; "%%BB4;;ODt+L <<  v & 2,,II ##F+DK ;;d2Lr-c0|jd|jjd|jjd2|jjd|jjdy|jjddk(r|jjd |jj |j|jjd|j d}|jjd |jj |j|jjd|j d|jjd }|r|s|jjd | S) Nrr5rrFrabsentz;Contradiction in setup: Asking to add a key to absent LUKS.rrz9Trying to add key that is already present in another slot)rr%r(r3rrr6)r* key_presentkey_present_slots r luks_add_keyzConditionsHandler.luks_add_keysm KK  ##I.6LL'' 5= ##M2:LL''(89A <<  w '8 3 LL " "T # ((66 KK LL   .  2 23C D <<  } - 9#11??  ##M2667GH ##M2    #3 &&S'r-c |jK|jjd3|jjd|jjdy|jjddk(r|jjd|jjd|jj |j|jjdsy|jj |j|jjd |jd }|jj |j|jjd |jd |jjdr|jjd |S|jj |j|jjd|jdS) Nremove_keyfileremove_passphraseremove_keyslotFrrz@Contradiction in setup: Asking to remove a key from absent LUKS.rrr5z>Cannot remove keyslot with keyfile or passphrase in same slot.)rr%r(r3rrxrr6)r*rDs rluks_remove_keyz!ConditionsHandler.luks_remove_keys ;;  LL   0 1 9 ##$78@ ##$45= <<  w '8 3 LL " "1 #  <<  / 0 <%%66 T\\001AB''55  ##I.66|DF !!//  ##I.66|D ##$45   &&X'M!!// KK LL   0 1  2 23F G  r-c|jduxrC|jjddk(xr%|jj |jS)Nrrrrs r luks_removezConditionsHandler.luks_removesL KKt # 8 ##G,8 8""**4;;7 r-c|jj|K||dk(rd|jj|cxkrdkr nn|jjdn@d|jj|cxkrdksn|jjd|d k(r[d|jj|cxkrdks9n|jjd |jj|zy|d k(r\d|jj|cxkrdks9n|jjd |jj|zyyyy) NruzQYou must specify type=luks2 when creating a new LUKS device to use keyslots 8-31.rrz>When not specifying a type, only the keyslots 0-7 are allowed.rpz,%s must be between 0 and 7 when using LUKS1.roz-%s must be between 0 and 31 when using LUKS2.)r%r(r3)r*paramrs rvalidate_keyslotz"ConditionsHandler.validate_keyslot%sM <<  u % 1 Ui%7 ++E28b8LL**o+t||2259>Q>LL**\+G#A1D1DU1K,Pq,P &&Fll))%01'g%a4<<3F3Fu3M.SQS.S &&Gll))%01'/T%! 2r-)rRrSrTr,rrrrrrrrrrrs@rrrfs7-   >$*%N( T r-rctdCidtddgddtddtdd td d td d td d tdddtdddtdddtddddgddtdddtdddtdddtdddtddtdd tdd!tdd"d#g$d%tdd&tdd'td(ttd)tdtdgd*$tdtd+d,g-d.tdd/tddd0tddd1tddd2tddd3tddd4tdd}gd5}tdd6}t|d|7}td8d8d8d89|_|jd t j |jd}|j }t j|sD]D} |j| |jd #|jd 3|jd?;F|j%r|j&s |j)|j*|jd |j-d |jd|jd|jd%|jd&|jd.|jd' d|dA<|j&r|j0dCi||j3} | | |d<|j5r|jd} |  |j7|j*} |j&s |j9|j*|jd |j-d |jd/|jd0|jd1|jd2|jd3|jd4| | |d<d|dA<|j&r|j0dCi||j;r~|j* |j=|j*} n|jd} |j&s |j?| | |d<d|dA<|j&r|j0dCi||jAr|j&st |jC|j*|jd |j-d |jd |j-d|jd|jd'd|dA<|j&r|j0dCi||jEr|j&sY |jd} |jG|j*|jd |j-d|jd| Bd|dA<|j&r|j0dCi||jIrK|j&s |jK|j*d|dA<|j&r|j0dCi||j0dCi|y#t$r&}|jt|;Yd}~md}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~[d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw#t.$r }|jd@|z;Yd}~d}~wwxYw)DNrrr)rrrr)rdefaultchoicesr)rrirpathrrr5T)rno_logrrr$r/base64F)rrrrrurrrrbool)rrrrGr>rrpro)rrrhashrdictfloat)argon2iargon2idpbkdf2)rzr{r|r}r~)rzr{)rrmutually_exclusiverrrrrrr))rr5)rr)rrr)changedri) argument_specsupports_check_moderC)LANGLC_ALL LC_MESSAGESLC_CTYPEz{0} is not a devicerz4You cannot combine type luks1 with the label option.)rurr)rrzFRemoving a keyslot requires the passphrase or keyfile of another slot.zluks_device error: %sr)rrU)&rrrun_command_environ_updater(osstatst_modeS_ISBLKS_ISCHRr2r4r3rrWrrqrrr check_moderrr6rM exit_jsonrrrPrrrdrrrrrrr) module_argsrrDr+statinfomodeecrypt conditionsrrrilast_keys r run_moduler=s -= -  -u -&!-f%-(-U40-t4-E$7-!0B5 -"%.#-$eE2%-&u5'-(#>)-*% +-,--.u /-0uw&8 91-23-4u 5-6#1 $% 0E3TU'5) !FF  7-Le$M-N!feA3c(1Ad e ` #``  `5`00`58 a!aa!$ b -bb  b9b44b9< c%c  c%( d1d  d d=d88d= e) e$$e)ctyrQ)rrUr-rmainr&sLr-__main__)% __future__rrrr __metaclass__ DOCUMENTATIONEXAMPLESRETURNrrrrransible.module_utils.basicr+ansible.module_utils.common.text.convertersrr rArBrNrr_rgrrrrrobjectr!rWrrrrRrUr-rrs A@ X tw r  4K  "**56BJJ:;    5(:$f:$zD 7D N TTnfR zFr-