| author | ebiggers <ebiggers@google.com> | 2019-09-24 04:04:02 -0700 |
|---|---|---|
| committer | Joseph Richey <joerichey@google.com> | 2019-09-24 04:04:02 -0700 |
| commit | 61464729e79d4b27a878718a92e4e3b70f7ad317 (patch) | |
| tree | 76f97a88a1ea561121435d256595faa13480a1b0 | |
| parent | 672cce613a8b3acf66e0f288206b1fcbff7d41cd (diff) | |
cmd/fscrypt: make 'fscrypt setup' create /.fscrypt (#149)
Make the global setup command also create the metadata directory at
/.fscrypt, since that's where login protectors are placed, even when the
actual encrypted directories are on a different filesystem.
Resolves https://github.com/google/fscrypt/issues/129
| -rw-r--r-- | README.md | 12 | ||||
| -rw-r--r-- | cmd/fscrypt/commands.go | 48 | ||||
| -rw-r--r-- | cmd/fscrypt/setup.go | 2 |
3 files changed, 34 insertions, 28 deletions
@@ -86,8 +86,8 @@ policy can also be changed. This allows a user to change how a directory is protected without needing to reencrypt the directory's contents. Concretely, fscrypt contains the following functionality: -* `fscrypt setup` - Initializes the `fscrypt.conf` file - * This is the only functionality which requires root privileges +* `fscrypt setup` - Creates `/etc/fscrypt.conf` and the `/.fscrypt` directory + * This is the only functionality which always requires root privileges * `fscrypt setup MOUNTPOINT` - Gets a filesystem ready for use with fscrypt * `fscrypt encrypt DIRECTORY` - Encrypts an empty directory * `fscrypt unlock DIRECTORY` - Unlocks an encrypted directory @@ -241,16 +241,16 @@ MOUNTPOINT DEVICE FILESYSTEM STATUS / /dev/sda1 ext4 encryption not enabled /mnt/disk /dev/sdb ext4 not setup with fscrypt -# Create the global configuration file. Nothing else needs root. +# Create the global configuration file. Nothing else necessarily needs root. >>>>> sudo fscrypt setup Create "/etc/fscrypt.conf"? [Y/n] y Customizing passphrase hashing difficulty for this system... Created global config file at "/etc/fscrypt.conf". +Metadata directories created at "/.fscrypt". # Start using fscrypt with our filesystem >>>>> fscrypt setup /mnt/disk Metadata directories created at "/mnt/disk/.fscrypt". -Filesystem "/mnt/disk" (/dev/sdb) ready for use with ext4 encryption. # Initialize encryption on a new empty directory >>>>> mkdir /mnt/disk/dir1 @@ -359,10 +359,6 @@ login passphrase, you may have to do additional work when you change your system passphrase. ```bash -# Login passphrases also require that fscrypt is setup on the root directory ->>>>> sudo fscrypt setup / -Filesystem "/" (/dev/dm-1) ready for use with ext4 encryption. - # Select your login passphrase as the desired source. >>>>> mkdir /mnt/disk/dir2 >>>>> fscrypt encrypt /mnt/disk/dir2 diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go index f70ba46..d71b427 100644 
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -41,38 +41,50 @@ var Setup = cli.Command{
 ArgsUsage: fmt.Sprintf("[%s]", mountpointArg),
 Usage: "perform global setup or filesystem setup",
 Description: fmt.Sprintf(`This command creates fscrypt's global config
- file or enables fscrypt on a filesystem.
-
- (1) When used without %[1]s, create the parameters in %[2]s.
- This is primarily used to configure the passphrase hashing
- parameters to the appropriate hardness (as determined by %[3]s).
- Being root is required to write the config file.
-
- (2) When used with %[1]s, enable fscrypt on %[1]s. This involves
- creating the necessary folders on the filesystem which will hold
- the metadata structures. Begin root may be required to create
- these folders.`, mountpointArg, actions.ConfigFileLocation,
+ file and/or prepares a filesystem for use with fscrypt.
+
+ (1) When used without %[1]s, this command creates the global
+ config file %[2]s and the fscrypt metadata directory for the
+ root filesystem (i.e. /.fscrypt). This requires root privileges.
+ The passphrase hashing parameters in %[2]s are automatically set
+ to an appropriate hardness, as determined by %[3]s. The root
+ filesystem's metadata directory is created even if the root
+ filesystem doesn't support encryption itself, since it's where
+ login passphrase protectors are stored.
+
+ (2) When used with %[1]s, this command creates the fscrypt
+ metadata directory for the filesystem mounted at %[1]s. This
+ allows fscrypt to be used on that filesystem, provided that any
+ kernel and filesystem-specific prerequisites are also met (see
+ the README). This may require root privileges.`,
+ mountpointArg, actions.ConfigFileLocation,
 shortDisplay(timeTargetFlag)),
 Flags: []cli.Flag{timeTargetFlag, legacyFlag, forceFlag},
 Action: setupAction,
 }
 func setupAction(c *cli.Context) error {
- var err error
 switch c.NArg() {
 case 0:
 // Case (1) - global setup
- err = createGlobalConfig(c.App.Writer, actions.ConfigFileLocation)
+ if err := createGlobalConfig(c.App.Writer, actions.ConfigFileLocation); err != nil {
+ return newExitError(c, err)
+ }
+ if err := setupFilesystem(c.App.Writer, "/"); err != nil {
+ if errors.Cause(err) != filesystem.ErrAlreadySetup {
+ return newExitError(c, err)
+ }
+ fmt.Fprintf(c.App.Writer,
+ "Skipping creating /.fscrypt because it already exists.\n")
+ }
 case 1:
 // Case (2) - filesystem setup
- err = setupFilesystem(c.App.Writer, c.Args().Get(0))
+ if err := setupFilesystem(c.App.Writer, c.Args().Get(0)); err != nil {
+ return newExitError(c, err)
+ }
 default:
 return expectedArgsErr(c, 1, true)
 }
-
- if err != nil {
- return newExitError(c, err)
- }
 return nil
 }
diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go
index f2fff96..2bb15ef 100644
--- a/cmd/fscrypt/setup.go
+++ b/cmd/fscrypt/setup.go
@@ -72,7 +72,5 @@ func setupFilesystem(w io.Writer, path string) error {
 }
 fmt.Fprintf(w, "Metadata directories created at %q.\n", ctx.Mount.BaseDir())
- fmt.Fprintf(w, "Filesystem %q (%s) ready for use with %s encryption.\n",
- ctx.Mount.Path, ctx.Mount.Device, ctx.Mount.Filesystem)
 return nil
 }
|
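Review bot: The `filesystem.ErrAlreadySetup` branch in case 0 of `setupAction` accepts whatever already exists at /.fscrypt and only prints the skip message; nothing visible in this hunk confirms that the existing directory has the ownership and mode a fresh setup would have given it. Since the commit message says login protectors are placed there, it would be worth verifying that before reporting success, or at least recording the assumption with a comment such as `// An existing /.fscrypt is reused as-is; its owner and permissions are not re-checked here.` Whether `setupFilesystem` already validates the directory before returning that error cannot be told from this page, because most of its body lies outside the diff. As a smaller style point, the skip message hard-codes `/.fscrypt` while the call passes `"/"`; deriving both from one value would keep them in sync.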