
if [ -z "$opt_keyfile" ]; then
    display_errorbox "Cannot add secondary key: lacking --keyfile option"
    exit 1
fi

dm_name=$(luks_dm_name_for_device "$opt_device")
if [ -z "$dm_name" ]; then
    display_errorbox "Cannot find the volume name for $opt_device (not a LUKS partition?)"
    exit 1
fi

luks_dev=$(luks_get_underlying_device "$dm_name")
if [ -z "$luks_dev" ]; then
    display_errorbox "Cannot find the underlying partition of volume $dm_name (not a LUKS partition?)"
    exit 1
fi

# FIXME: we should look at the output of luksDump to check how many keys
# there are. If the header contains more than a single key (which would be the
# recovery password), maybe we should refuse to add another key.

request_password "Please enter LUKS recovery password"
if [ -z "$result_password" ]; then
    display_errorbox "Unable to obtain recovery password; aborting."
    exit 1
fi

luks_keyfile=$(luks_write_password pass "${result_password}")
luks_new_keyfile="$opt_keyfile"

if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then
    display_errorbox "Failed to add secondary LUKS key"
    rm -f "$luks_keyfile" "$luks_new_keyfile"
    exit 1
fi

rm -f "$luks_keyfile"
echo "Leaving secondary key in $luks_new_keyfile"
