fscrypt.git/cmd, branch v0.2.7 Go tool for managing Linux filesystem encryption cmd: Simplify "fscrypt --version" output (#207) 2020-03-23T21:24:48+00:00 Joseph Richey joerichey@google.com 2020-03-23T21:24:48+00:00 f10aadb2675b26d351365c6c208c930b6d4c619c There's no need to include the build time, author, and copyright info in the output of "fscrypt --version". This information is: - Overly complex (the current string is hard to parse) - Inaccurate (there are other authors than just me) - Unnecessary (the Apache 2 license is for Source Code) - Makes reproducible builds impossible The default version string is just fine. Signed-off-by: Joe Richey <joerichey@google.com> 
There's no need to include the build time, author, and copyright info
in the output of "fscrypt --version". This information is:

  - Overly complex (the current string is hard to parse)
  - Inaccurate (there are other authors than just me)
  - Unnecessary (the Apache 2 license is for Source Code)
  - Makes reproducible builds impossible

The default version string is just fine.

Signed-off-by: Joe Richey <joerichey@google.com>
 Improve error message when unlocking v2 policy is unsupported 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 8d71383bc08478313c221c8ab20e8902de1bb28b If trying to unlock a v2-encrypted directory fails because the kernel lacks support for v2 policies, show a better error message. This can happen if someone downgrades their kernel or tries to access encrypted directories on removable storage from a computer with an older kernel. Detecting this case is difficult since all we have to go with is EACCES when opening the directory. Implement a heuristic where if get EACCES, we actually have read access to the directory, and the kernel doesn't support v2 policies, we show the improved error message. Before: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied After: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied This may be caused by the directory using a v2 encryption policy and the current kernel not supporting it. If indeed the case, then this directory can only be used on kernel v5.4 and later. You can create directories accessible on older kernels by changing policy_version to 1 in /etc/fscrypt.conf. 
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message.  This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.

Detecting this case is difficult since all we have to go with is EACCES
when opening the directory.  Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.

Before:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

After:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

  This may be caused by the directory using a v2 encryption policy and
  the current kernel not supporting it. If indeed the case, then this
  directory can only be used on kernel v5.4 and later. You can create
  directories accessible on older kernels by changing policy_version to
  1 in /etc/fscrypt.conf.
Improve error message when setting v2 policy is unsupported 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 c123f5a24de5a25185653de8e6f970184fde035d If trying to encrypt a directory using a v2 policy fails due to the kernel lacking support for v2 policies, show a better error message. One way this can happen is if someone runs 'fscrypt setup' with a new kernel and then downgrades to an old kernel. Before: # echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet [ERROR] fscrypt encrypt: inappropriate ioctl for device: system error: could not add key to the keyring After: # echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet [ERROR] fscrypt encrypt: kernel is too old to support v2 encryption policies v2 encryption policies are only supported by kernel version 5.4 and later. Either use a newer kernel, or change policy_version to 1 in /etc/fscrypt.conf. 
If trying to encrypt a directory using a v2 policy fails due to the
kernel lacking support for v2 policies, show a better error message.

One way this can happen is if someone runs 'fscrypt setup' with a new
kernel and then downgrades to an old kernel.

Before:

  # echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
  [ERROR] fscrypt encrypt: inappropriate ioctl for device: system error: could not add key to the keyring

After:

  # echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
  [ERROR] fscrypt encrypt: kernel is too old to support v2 encryption policies

  v2 encryption policies are only supported by kernel version 5.4 and
  later. Either use a newer kernel, or change policy_version to 1 in
  /etc/fscrypt.conf.
Create /etc/fscrypt.conf with policy_version 2 on kernel v5.4+ 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 ec85cc8f987647c2b264c1f95dadda0f71c3d991 v2 encryption policies are now recommended, due to various security and usability advantages over v1 policies. Many people have been running into the usability problems with v1, so it's desirable to get people onto v2 without having to manually opt-in. Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable policy_version 2 automatically if the kernel supports it. I decided to go with this solution over the policy_version "auto" I suggested originally because this way is simpler, it can still be changed to "auto" later if desired, and "auto" might require changing how we parse the config file (since currently the config file is mapped directly to a protobuf where policy_version is an 'int' and is shared with EncryptionOptions). Resolves https://github.com/google/fscrypt/issues/182 
v2 encryption policies are now recommended, due to various security and
usability advantages over v1 policies.  Many people have been running
into the usability problems with v1, so it's desirable to get people
onto v2 without having to manually opt-in.

Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable
policy_version 2 automatically if the kernel supports it.

I decided to go with this solution over the policy_version "auto" I
suggested originally because this way is simpler, it can still be
changed to "auto" later if desired, and "auto" might require changing
how we parse the config file (since currently the config file is mapped
directly to a protobuf where policy_version is an 'int' and is shared
with EncryptionOptions).

Resolves https://github.com/google/fscrypt/issues/182
Simplify choosing the key description prefix 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 ae886a89f541a74255c9a41f7fa504a82ee6413e There's no real need to allow users to choose the key description prefix (a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4" and "f2fs" for compatibility with all kernels both old and new, and on other filesystems we can just use "fscrypt". So, let's do that. Since this removes the point of the "--legacy" option to 'fscrypt setup' and the "compatibility" field in /etc/fscrypt.conf, remove those too. Specifically, we start ignoring the "compatibility" in existing config files and not writing it to new ones. The corresponding protobuf field number and name are reserved. We stop accepting the "--legacy" option at all, although since it was default true and there was no real reason for anyone to change it to false, probably no one will notice. If anyone does, they should just stop specifying the option. Note that this change only affects user keyrings and thus only affects v1 encryption policies, which are deprecated in favor of v2 anyway. 
There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt".  So, let's do that.

Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.

Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones.  The corresponding protobuf field
number and name are reserved.  We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice.  If
anyone does, they should just stop specifying the option.

Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.
cmd/fscrypt/commands: allow disabling recovery passphrase (#193) 2020-01-30T03:27:10+00:00 Eric Biggers ebiggers@google.com 2020-01-30T03:27:10+00:00 c4fa1f4ccb407f44dfabf91d1214f06c277a1b9f While it's important to generate a recovery passphrase in the linked protector case to avoid data loss if the system is reinstalled, some people really don't want it (even though it can be safely ignored as it almost certainly has far more entropy than the login passphrase). As a compromise, prompt for y/n before generating it, with default y. Also, to allow disabling the recovery passphrase during noninteractive use, add a --no-recovery command-line option. Update https://github.com/google/fscrypt/issues/186 
While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).

As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.

Update https://github.com/google/fscrypt/issues/186
 cmd/fscrypt/commands: clean up properly when encryptPath() fails 2020-01-28T18:45:52+00:00 Eric Biggers ebiggers@google.com 2020-01-28T04:16:35+00:00 5c08edd521deadd36bec36662d30681b01253d62 Move the deferred locking and deletion of the policy on failure to the correct places, so that it's done in all failure cases, including in the case where adding the recovery protector fails. Also make the recovery protector be locked and deleted on failure. Finally, put all the code to do deferred deprovisioning of the policy in the same place: right after it's provisioned. 
Move the deferred locking and deletion of the policy on failure to the
correct places, so that it's done in all failure cases, including in the
case where adding the recovery protector fails.

Also make the recovery protector be locked and deleted on failure.

Finally, put all the code to do deferred deprovisioning of the policy in
the same place: right after it's provisioned.
cmd/fscrypt/errors: explicitly mark error messages as errors (#191) 2020-01-28T09:58:51+00:00 Eric Biggers ebiggers@google.com 2020-01-28T09:58:51+00:00 9927ab8426e765db8de304e9f99ba5c520b5018c When an fscrypt command fails and prints an error message, in some cases it isn't clear that the message is actually an error, e.g.: fscrypt encrypt: login protectors do not need a name Make it clear by always prefixing the message with "[ERROR] ", e.g. [ERROR] fscrypt encrypt: login protectors do not need a name Update https://github.com/google/fscrypt/issues/186 
When an fscrypt command fails and prints an error message, in some cases
it isn't clear that the message is actually an error, e.g.:

    fscrypt encrypt: login protectors do not need a name

Make it clear by always prefixing the message with "[ERROR] ", e.g.

    [ERROR] fscrypt encrypt: login protectors do not need a name

Update https://github.com/google/fscrypt/issues/186
 cmd/fscrypt/setup: don't prompt to create /etc/fscrypt.conf (#190) 2020-01-28T09:57:46+00:00 Eric Biggers ebiggers@google.com 2020-01-28T09:57:46+00:00 2c57ab18375a8d0b4df9c4b6d9f3692d14edfee7 When 'fscrypt setup' sees that /etc/fscrypt.conf doesn't exist, don't ask for confirmation before creating it. Just do it. This is the normal use, and there's not a good reason to ask the user to confirm it. 
When 'fscrypt setup' sees that /etc/fscrypt.conf doesn't exist, don't
ask for confirmation before creating it.  Just do it.  This is the
normal use, and there's not a good reason to ask the user to confirm it.
 Automatically generate recovery passphrase when useful 2020-01-23T03:05:06+00:00 Eric Biggers ebiggers@google.com 2019-11-27T20:04:13+00:00 8cd1b3ba2e7a12cd68e2dfd0cbb5ec09ff92783b If a user re-installs their system (or otherwise loses the /.fscrypt directory on the root filesystem) they also lose access to any login passphrase-protected directories on other filesystems, unless additional protectors were manually added. This can be unexpected, as it may be expected that the old login passphrase would still work. We can't really fix this by storing a login protector on every filesystem because: - If a user were to have N login protectors, it would take them N times longer to log in, as every login protector would need to be unlocked. - If a user were to change their login passphrase while any external volumes were unmounted, login protectors would get out of sync. - It's preferable that an external volume isn't unlockable by itself using only a login passphrase, as login passphrases are often weak. Instead, generate a recovery passphrase when creating a login passphrase-protected directory on a non-root filesystem. The recovery passphrase is added as a custom_passphrase protector, thus giving the policy two protectors: one pam_passphrase and one custom_passphrase. Then this passphrase is written to a file in the new encrypted directory. Writing the passphrase to a file here is okay since it's encrypted, but it's obviously useless by itself; it's up to the user to store this passphrase somewhere else if they need it. Use a recovery passphrase instead of a "recovery code" that encodes the policy key directly because a passphrase is more user-friendly: it can safely be made much shorter than a key, and it works just like any other fscrypt protector. Also, it's not as critical to allow recovery when the .fscrypt directory on the *same* filesystem is deleted. Resolves https://github.com/google/fscrypt/issues/164 
If a user re-installs their system (or otherwise loses the /.fscrypt
directory on the root filesystem) they also lose access to any login
passphrase-protected directories on other filesystems, unless additional
protectors were manually added.  This can be unexpected, as it may be
expected that the old login passphrase would still work.

We can't really fix this by storing a login protector on every
filesystem because:

- If a user were to have N login protectors, it would take them N times
  longer to log in, as every login protector would need to be unlocked.

- If a user were to change their login passphrase while any external
  volumes were unmounted, login protectors would get out of sync.

- It's preferable that an external volume isn't unlockable by itself
  using only a login passphrase, as login passphrases are often weak.

Instead, generate a recovery passphrase when creating a login
passphrase-protected directory on a non-root filesystem.

The recovery passphrase is added as a custom_passphrase protector, thus
giving the policy two protectors: one pam_passphrase and one
custom_passphrase.  Then this passphrase is written to a file in the new
encrypted directory.  Writing the passphrase to a file here is okay
since it's encrypted, but it's obviously useless by itself; it's up to
the user to store this passphrase somewhere else if they need it.

Use a recovery passphrase instead of a "recovery code" that encodes the
policy key directly because a passphrase is more user-friendly: it can
safely be made much shorter than a key, and it works just like any other
fscrypt protector.  Also, it's not as critical to allow recovery when
the .fscrypt directory on the *same* filesystem is deleted.

Resolves https://github.com/google/fscrypt/issues/164