luks_device: allow passphrases to contain newlines

This is useful when passing binary keyfiles from an ansible vault, as it removes the restriction that the binary data cannot contain newlines. The only exception is adding a new key to an existing container, as in that case the two passphrases are separated by a new line.
ansible-collections · Jan 29, 2025 · 8c6ef50 · 8c6ef50
1 parent cb6edf1
commit 8c6ef50
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/plugins/modules/luks_device.py b/plugins/modules/luks_device.py
@@ -70,9 +70,9 @@
   passphrase_encoding:
     description:
       - Determine how passphrases are provided to parameters such as O(passphrase), O(new_passphrase), and O(remove_passphrase).
-      - Please note that binary passphrases cannot contain all possible binary octets. For example, a newline (0x0A)
-        cannot be used since it indicates that the passphrase is over. If you want to use arbitrary binary data, you must
-        use keyfiles.
+      - Please note that binary passphrases cannot always contain all possible binary octets. When adding a new key to an existing
+        container, a newline (0x0A) cannot be used since it indicates that the passphrase is over. If you want to use arbitrary
+        binary data, you must use keyfiles.
     type: str
     default: text
     choices:
@@ -488,8 +488,6 @@ def get_passphrase_from_module_params(self, parameter_name):
             self._module.fail_json("Error while base64-decoding '{parameter_name}': {exc}".format(parameter_name=parameter_name, exc=exc))
 
     def _run_command(self, command, data=None):
-        if data is not None:
-            data += b'\n'
         return self._module.run_command(command, data=data, binary_data=True)
 
     def get_device_by_uuid(self, uuid):
@@ -635,6 +633,8 @@ def run_luks_create(self, device, keyfile, passphrase, keyslot, keysize, cipher,
         args.extend(['-q', device])
         if keyfile:
             args.append(keyfile)
+        else:
+            args.append('-')
 
         result = self._run_command(args, data=passphrase)
         if result[RETURN_CODE] != 0:
@@ -646,6 +646,8 @@ def run_luks_open(self, device, keyfile, passphrase, perf_same_cpu_crypt, perf_s
         args = [self._cryptsetup_bin]
         if keyfile:
             args.extend(['--key-file', keyfile])
+        else:
+            args.extend(['--key-file', '-'])
         if perf_same_cpu_crypt:
             args.extend(['--perf-same_cpu_crypt'])
         if perf_submit_from_crypt_cpus:
@@ -759,6 +761,8 @@ def run_luks_remove_key(self, device, keyfile, passphrase, keyslot,
             args = [self._cryptsetup_bin, 'luksKillSlot', device, '-q', str(keyslot)]
         if keyfile:
             args.extend(['--key-file', keyfile])
+        else:
+            args.extend(['--key-file', '-'])
         result = self._run_command(args, data=passphrase)
         if result[RETURN_CODE] != 0:
             raise ValueError('Error while removing LUKS key from %s: %s'
@@ -774,6 +778,7 @@ def luks_test_key(self, device, keyfile, passphrase, keyslot=None):
         if keyfile:
             args.extend(['--key-file', keyfile])
         else:
+            args.extend(['--key-file', '-'])
             data = passphrase
 
         if keyslot is not None: