Module and package
Version: 0.0.0-20240723192418-397b19c8a77e
Repository: https://github.com/snapcore/secboot.git
Documentation: pkg.go.dev
# Packages
Package bootscope provides a way to bind keys to certain system properties for platforms that don't support measured boot.
Package hooks provides a way to protect keys using hooks supplied via a gadget and kernel snap for a device.
Package plainkey is a platform for recovering keys that are protected by a key which is itself protected by some other mechanism.
# Functions
ActivateVolumeWithKey attempts to activate the LUKS encrypted volume at sourceDevicePath and create a mapping with the name volumeName, using the provided key.
ActivateVolumeWithKeyData attempts to activate the LUKS encrypted container at sourceDevicePath and create a mapping with the name volumeName, using one of the KeyData objects stored in the container's metadata area to recover the disk unlock key from the platform's secure device.
ActivateVolumeWithRecoveryKey attempts to activate the LUKS encrypted volume at sourceDevicePath and create a mapping with the name volumeName, using the fallback recovery key.
AddLUKS2ContainerRecoveryKey creates a fallback recovery keyslot with the specified name on the LUKS2 container at the specified path and uses it to protect the LUKS master key with the supplied recovery key.
AddLUKS2ContainerUnlockKey creates a keyslot with the specified name on the LUKS2 container at the specified path, and uses it to protect the master key with the supplied key.
DeactivateVolume attempts to deactivate the LUKS encrypted volumeName.
DeleteLUKS2ContainerKey deletes the keyslot with the specified name from the LUKS2 container at the specified path.
GetDiskUnlockKeyFromKernel retrieves the key that was used to unlock the encrypted container at the specified path.
GetPrimaryKeyFromKernel retrieves the primary (auxiliary) key associated with the KeyData that was used to unlock the encrypted container at the specified path.
InitializeLUKS2Container will initialize the partition at the specified devicePath as a new LUKS2 container.
ListLUKS2ContainerRecoveryKeyNames lists the names of keyslots on the specified LUKS2 container configured as recovery slots.
ListLUKS2ContainerUnlockKeyNames lists the names of keyslots on the specified LUKS2 container configured as normal unlock slots (the keys associated with these should be protected by the platform's secure device).
MakeDiskUnlockKey derives a disk unlock key from a passed primary key and a random salt.
NewFileKeyDataReader is used to read a file containing key data at the specified path.
NewFileKeyDataWriter creates a new FileKeyDataWriter for atomically writing a KeyData to a file.
NewKeyData creates a new KeyData object using the supplied KeyParams, which should be created by a platform-specific package, containing a payload encrypted by the platform's secure device and the associated handle required for subsequent recovery of the keys.
NewKeyDataWithPassphrase is similar to NewKeyData but creates KeyData objects that additionally require a passphrase, which is passed as an extra argument.
NewLUKS2KeyDataReader is used to read a LUKS2 token containing key data with the specified name on the specified LUKS2 container.
NewLUKS2KeyDataWriter creates a new LUKS2KeyDataWriter for atomically writing a KeyData to a LUKS2 token with the specified name and priority on the specified LUKS2 container.
NewSystemdAuthRequestor creates an implementation of AuthRequestor that delegates to the systemd-ask-password binary.
ParseRecoveryKey interprets the supplied string and returns the corresponding RecoveryKey.
ReadKeyData reads the key data from the supplied KeyDataReader, returning a new KeyData object.
RegisterPlatformKeyDataHandler registers a handler for the specified platform name.
RenameLUKS2ContainerKey renames the keyslot with the specified oldName on the LUKS2 container at the specified path.
SetArgon2KDF sets the KDF implementation for Argon2.
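ParseRecoveryKey above turns a user-typed string back into the 16-byte binary RecoveryKey. The following is an added example, not the library's own code: it assumes a text form of eight hyphen-separated groups of five decimal digits, each group holding one little-endian 16-bit word, and shows the checks a parser for such a format needs (group count, group width, and the 16-bit range) together with the matching formatter. The RecoveryKey type and both functions are defined locally for the example; the sample key in main is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// RecoveryKey is a 16-byte recovery key in its binary form, named after the
// listing's type alias; this is an example definition, not the library's.
type RecoveryKey [16]byte

// Assumed text form: eight groups of five decimal digits separated by
// hyphens, each group holding one little-endian 16-bit word.
const (
	recoveryKeyGroups     = 8
	recoveryKeyGroupWidth = 5
)

// String renders the key as "ddddd-ddddd-ddddd-ddddd-ddddd-ddddd-ddddd-ddddd".
func (k RecoveryKey) String() string {
	groups := make([]string, recoveryKeyGroups)
	for i := range groups {
		groups[i] = fmt.Sprintf("%05d", binary.LittleEndian.Uint16(k[i*2:]))
	}
	return strings.Join(groups, "-")
}

// ParseRecoveryKey is the inverse of String. It rejects anything other than
// exactly eight five-digit groups, and any group whose value exceeds 65535:
// strconv.ParseUint with bitSize 16 refuses signs, non-digits and overflow.
func ParseRecoveryKey(s string) (RecoveryKey, error) {
	var out RecoveryKey
	groups := strings.Split(strings.TrimSpace(s), "-")
	if len(groups) != recoveryKeyGroups {
		return RecoveryKey{}, fmt.Errorf("incorrectly formatted recovery key: expected %d groups, got %d", recoveryKeyGroups, len(groups))
	}
	for i, g := range groups {
		if len(g) != recoveryKeyGroupWidth {
			return RecoveryKey{}, fmt.Errorf("group %d: expected %d digits, got %q", i+1, recoveryKeyGroupWidth, g)
		}
		v, err := strconv.ParseUint(g, 10, 16)
		if err != nil {
			return RecoveryKey{}, fmt.Errorf("group %d: %w", i+1, err)
		}
		binary.LittleEndian.PutUint16(out[i*2:], uint16(v))
	}
	return out, nil
}

func main() {
	// Constructed sample key: a round trip through the text form must be lossless.
	k := RecoveryKey{1, 0, 255, 255, 0, 1, 0x34, 0x12}
	text := k.String()
	back, err := ParseRecoveryKey(text)
	fmt.Println(text, back == k, err)
	_, err = ParseRecoveryKey("00001-65536-00256-04660-00000-00000-00000-00000")
	fmt.Println("out-of-range group rejected:", err != nil)
}
```

The width check matters as much as the range check: without it, "1-2-3-4-5-6-7-8" would parse as a valid key, and a user who mistypes one digit would silently get a different key rather than an error.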
# Constants
Argon2Default is used by Argon2Options to select the default Argon2 mode, which is currently Argon2id.
Argon2i is the data-independent mode of Argon2.
Argon2id is the hybrid mode of Argon2.
ClassicModelGradeMask is ORed with the model grade code when measuring a classic snap model.
PlatformHandlerErrorInvalidAuthKey indicates that an action could not be performed by PlatformKeyDataHandler because the supplied authorization key was incorrect.
PlatformHandlerErrorInvalidData indicates that an action could not be performed by PlatformKeyDataHandler because the supplied key data is invalid.
PlatformHandlerErrorUnavailable indicates that an action could not be performed by PlatformKeyDataHandler because the platform's secure device is unavailable.
PlatformHandlerErrorUninitialized indicates that an action could not be performed by PlatformKeyDataHandler because the platform's secure device is not properly initialized.
# Variables
ErrInvalidPassphrase is returned from KeyData methods that require knowledge of a passphrase if the supplied passphrase is incorrect.
ErrMissingCryptsetupFeature is returned from some functions that make use of the system's cryptsetup binary, if that binary is missing some required features.
ErrNoPlatformHandlerRegistered is returned from KeyData methods if no appropriate platform handler is registered using the RegisterPlatformKeyDataHandler API.
ErrRecoveryKeyUsed is returned from ActivateVolumeWithKeyData if the volume could not be activated with any platform protected keys but activation with the recovery key was successful.
InProcessArgon2KDF is the in-process implementation of the Argon2 KDF.
KeyDataGeneration describes the generation number of new keys created by NewKeyData.
SkipSnapModelCheck provides a mechanism to skip the snap device model check when calling ActivateVolumeWithKeyData.
# Structs
ActivateVolumeOptions provides options to the ActivateVolumeWith* family of functions.
Argon2CostParams defines the cost parameters for key derivation using Argon2.
Argon2Options specifies parameters for the Argon2 KDF used for passphrase support.
FileKeyDataReader provides a mechanism to read a KeyData from a file.
FileKeyDataWriter provides a mechanism to write a KeyData to a file.
InitializeLUKS2ContainerOptions carries options for initializing LUKS2 containers.
InvalidKeyDataError is returned from KeyData methods if the key data is invalid in some way.
KeyData represents a disk unlock key and auxiliary key protected by a platform's secure device.
KeyParams provides parameters required to create a new KeyData object.
KeyWithPassphraseParams provides parameters required to create a new KeyData object with a passphrase enabled.
LUKS2KeyDataReader provides a mechanism to read a KeyData from a LUKS2 token.
LUKS2KeyDataWriter provides a mechanism to write a KeyData to a LUKS2 token.
PlatformDeviceUnavailableError is returned from KeyData methods if the platform's secure device is currently unavailable.
PlatformHandlerError is returned from a PlatformKeyDataHandler implementation when the type of error can be categorized as one of the types supported by PlatformHandlerErrorType.
PlatformKeyData represents the data exchanged between this package and platform implementations via the PlatformKeyDataHandler.
PlatformUninitializedError is returned from KeyData methods if the platform's secure device has not been initialized properly.
# Interfaces
Argon2KDF is an interface to abstract use of the Argon2 KDF to make it possible to delegate execution to a short-lived utility process where required.
AuthRequestor is an interface for requesting credentials.
KeyDataReader is an interface used to read and decode a KeyData from persistent storage.
KeyDataWriter is an interface used by KeyData to write the data to persistent storage in an atomic way.
PlatformKeyDataHandler is the interface that this Go package uses to interact with a platform's secure device for the purpose of recovering keys.
SnapModel exposes the details of a snap device model that are bound to an encrypted container.
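The listing describes a layered contract: a PlatformKeyDataHandler reports categorised failures (PlatformHandlerErrorInvalidAuthKey, InvalidData, Unavailable, Uninitialized), ActivateVolumeWithKeyData walks the container's KeyData objects and obtains credentials through an AuthRequestor, and ErrRecoveryKeyUsed tells the caller that only the fallback recovery key worked. The example below is added here and is not the library's code; it shows the decision logic those categories imply. The types are local stand-ins named after the listing's identifiers, and the retry and fallback policy (re-prompt on a wrong passphrase, skip an object with invalid data, go straight to the recovery key when the secure device is unavailable or uninitialized) is an assumption made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins named after the listing's types (example definitions, not the library's).
type DiskUnlockKey []byte
type RecoveryKey [16]byte
type PlatformHandlerErrorType int
const (
	PlatformHandlerErrorInvalidData PlatformHandlerErrorType = iota + 1
	PlatformHandlerErrorUninitialized
	PlatformHandlerErrorUnavailable
	PlatformHandlerErrorInvalidAuthKey
)

// PlatformHandlerError is the categorised error a platform handler returns.
type PlatformHandlerError struct {
	Type PlatformHandlerErrorType
	Err  error
}
func (e *PlatformHandlerError) Error() string { return fmt.Sprintf("handler error %d: %v", e.Type, e.Err) }
// ErrRecoveryKeyUsed signals that only the recovery key opened the volume.
var ErrRecoveryKeyUsed = errors.New("activated with the recovery key, not a platform protected key")

// keyData stands in for one KeyData object; recover calls a hypothetical
// platform handler and passes its errors through unchanged.
type keyData struct {
	needsPassphrase bool
	recover         func(passphrase string) (DiskUnlockKey, error)
}

// volume stands in for the LUKS2 container; each func reports whether a key opens it.
type volume struct {
	name             string
	activate         func(DiskUnlockKey) bool
	activateRecovery func(RecoveryKey) bool
}

// authRequestor mirrors the AuthRequestor interface in the listing.
type authRequestor interface {
	RequestPassphrase(volumeName string) (string, error)
	RequestRecoveryKey(volumeName string) (RecoveryKey, error)
}
type activateOptions struct{ PassphraseTries, RecoveryKeyTries int }

// activateVolumeWithKeyData tries each KeyData in turn, then the recovery key.
// Assumed policy: InvalidAuthKey re-prompts up to PassphraseTries; InvalidData
// moves on to the next object; Unavailable or Uninitialized skips the rest and
// asks for the recovery key. Returns nil, ErrRecoveryKeyUsed, or the last error wrapped.
func activateVolumeWithKeyData(vol volume, keys []keyData, auth authRequestor, opts activateOptions) error {
	lastErr := errors.New("no key data objects available")
keys:
	for _, kd := range keys {
		tries := 1
		if kd.needsPassphrase {
			tries = opts.PassphraseTries
		}
		for i := 0; i < tries; i++ {
			var passphrase string
			if kd.needsPassphrase {
				var err error
				if passphrase, err = auth.RequestPassphrase(vol.name); err != nil {
					return err
				}
			}
			key, err := kd.recover(passphrase)
			if err == nil {
				if vol.activate(key) {
					return nil
				}
				lastErr = errors.New("recovered key does not unlock the volume")
				continue keys
			}
			lastErr = err
			var phe *PlatformHandlerError
			if errors.As(err, &phe) && phe.Type == PlatformHandlerErrorInvalidAuthKey {
				continue // wrong passphrase: re-prompt for this object
			}
			if phe != nil && (phe.Type == PlatformHandlerErrorUnavailable || phe.Type == PlatformHandlerErrorUninitialized) {
				break keys // the secure device cannot recover any key right now
			}
			continue keys // InvalidData or an uncategorised error: next object
		}
	}
	for i := 0; i < opts.RecoveryKeyTries; i++ {
		rk, err := auth.RequestRecoveryKey(vol.name)
		if err != nil {
			return err
		}
		if vol.activateRecovery(rk) {
			return ErrRecoveryKeyUsed
		}
	}
	return fmt.Errorf("cannot activate %s: %w", vol.name, lastErr)
}
```

Two points a caller should take from this shape: a wrong passphrase is the only category worth retrying against the same object, and an unavailable or uninitialized device is a property of the platform rather than of one KeyData, so trying further objects only adds prompts. ErrRecoveryKeyUsed is a success with a warning attached, and the last handler error is kept (wrapped) so that errors.As still reveals why the platform path failed.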
# Type aliases
Argon2Mode describes the Argon2 mode to use.
AuthMode corresponds to an authentication mechanism.
DiskUnlockKey is the key used to unlock a LUKS volume.
HashAlg provides an abstraction for crypto.Hash that can be serialized to JSON and DER.
KeyID is the unique ID for a KeyData object.
PlatformHandlerErrorType indicates the type of error that PlatformHandlerError is associated with.
PrimaryKey is an additional key used to modify properties of a KeyData object without having to create a new object.
RecoveryKey corresponds to a 16-byte recovery key in its binary form.