luks_device: add sector_size option (#193)

* Add sector_size option to luks_device.

* Trying to improve error handling.

* Improve error handling.

changelogs/fragments/193-luks_device-sector_size.yml

@@ -0,0 +1,2 @@
+minor_changes:
+- "luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size`` parameter (https://github.com/ansible-collections/community.crypto/pull/193)."

plugins/modules/luks_device.py

@@ -211,6 +211,12 @@ options:
                       run in parallel.
                     - This is not used for PBKDF2, but only for the Argon PBKDFs.
                 type: int
+    sector_size:
+        description:
+            - "This option allows the user to specify the sector size (in bytes) used for LUKS2 containers."
+            - "Will only be used on container creation."
+        type: int
+        version_added: '1.5.0'
 
 requirements:
     - "cryptsetup"
@@ -452,7 +458,7 @@ class CryptHandler(Handler):
         if pbkdf['parallel'] is not None:
             options.extend(['--pbkdf-parallel', str(pbkdf['parallel'])])
 
-    def run_luks_create(self, device, keyfile, passphrase, keysize, cipher, hash_, pbkdf):
+    def run_luks_create(self, device, keyfile, passphrase, keysize, cipher, hash_, sector_size, pbkdf):
         # create a new luks container; use batch mode to auto confirm
         luks_type = self._module.params['type']
         label = self._module.params['label']
@@ -471,6 +477,8 @@ class CryptHandler(Handler):
             options.extend(['--hash', hash_])
         if pbkdf is not None:
             self._add_pbkdf_options(options, pbkdf)
+        if sector_size is not None:
+            options.extend(['--sector-size', str(sector_size)])
 
         args = [self._cryptsetup_bin, 'luksFormat']
         args.extend(options)
@@ -759,6 +767,7 @@ def run_module():
             ),
             mutually_exclusive=[('iteration_time', 'iteration_count')],
         ),
+        sector_size=dict(type='int'),
     )
 
     mutually_exclusive = [
@@ -806,6 +815,7 @@ def run_module():
                                       module.params['keysize'],
                                       module.params['cipher'],
                                       module.params['hash'],
+                                      module.params['sector_size'],
                                       module.params['pbkdf'],
                                       )
             except ValueError as e:

tests/integration/targets/luks_device/tasks/tests/passphrase.yml

@@ -4,19 +4,22 @@
     device: "{{ cryptfile_device }}"
     state: closed
     passphrase: "{{ cryptfile_passphrase1 }}"
+    type: luks2
     pbkdf:
       iteration_time: 0.1
       algorithm: argon2i
       memory: 1000
       parallel: 1
+    sector_size: 1024
   become: yes
   ignore_errors: yes
   register: create_passphrase_1
 
-- name: Make sure that the previous task only fails because the LUKS version used cannot handle the PBKDF parameters
+- name: Make sure that the previous task only fails if LUKS2 is not supported
   assert:
     that:
-      - create_passphrase_1 is not failed or 'Failed to set pbkdf parameters' in create_passphrase_1.msg
+      - "'Unknown option --type' in create_passphrase_1.msg"
+  when: create_passphrase_1 is failed
 
 - name: Create with passphrase1 (without argon2i)
   luks_device:
@@ -26,7 +29,7 @@
     pbkdf:
       iteration_time: 0.1
   become: yes
-  when: create_passphrase_1 is failed and 'Failed to set pbkdf parameters' in create_passphrase_1.msg
+  when: create_passphrase_1 is failed
 
 - name: Open with passphrase1
   luks_device: