| author | Eric Biggers <ebiggers@google.com> | 2021-09-14 14:12:39 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers3@gmail.com> | 2021-10-05 15:30:30 -0700 |
| commit | 7fed63a84963cbd790e86a0e59ff14724bcf33c4 (patch) | |
| tree | 246e2f723ba3cd7ed3a76e4b8698b1913edabc11 /cli-tests | |
| parent | 4d20c7b6eda7f4e9f25442e0ec48bdf5f959853b (diff) | |
Adjust recovery passphrase generation

As per the feedback at https://github.com/google/fscrypt/issues/115
where users didn't understand that the recovery passphrase is important,
restore the original behavior where recovery passphrase generation
happens automatically without a prompt. This applies to the case where
'fscrypt encrypt' is using a login protector on a non-root filesystem.

However, leave the --no-recovery option so that the recovery passphrase
can still be disabled if the user really wants to. Also, clarify the
information provided about the recovery passphrase.

Update https://github.com/google/fscrypt/issues/115
Diffstat (limited to 'cli-tests')
| -rw-r--r-- | cli-tests/t_encrypt_login.out | 25 |
| -rwxr-xr-x | cli-tests/t_encrypt_login.sh | 2 |
2 files changed, 21 insertions, 6 deletions
diff --git a/cli-tests/t_encrypt_login.out b/cli-tests/t_encrypt_login.out index 0d77799..c531f73 100644 --- a/cli-tests/t_encrypt_login.out +++ b/cli-tests/t_encrypt_login.out @@ -1,6 +1,12 @@ # Encrypt with login protector -See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions! + +IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for + important recovery instructions. It is *strongly recommended* to + record the recovery passphrase in a secure location; otherwise you + will lose access to this directory if you reinstall the operating + system or move this filesystem to another system. + ext4 filesystem "MNT" has 2 protectors and 1 policy PROTECTOR LINKED DESCRIPTION @@ -43,8 +49,13 @@ IMPORTANT: Before continuing, ensure you have properly set up your system for https://github.com/google/fscrypt#setting-up-for-login-protectors
Enter login passphrase for fscrypt-test-user:
-Protector is on a different filesystem! Generate a recovery passphrase (recommended)? [Y/n] y
-See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions!
+
+IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for
+ important recovery instructions. It is *strongly recommended* to
+ record the recovery passphrase in a secure location; otherwise you
+ will lose access to this directory if you reinstall the operating
+ system or move this filesystem to another system.
+
"MNT/dir" is now encrypted, unlocked, and ready for use.
ext4 filesystem "MNT" has 2 protectors and 1 policy @@ -70,7 +81,13 @@ desc10 Yes (MNT_ROOT) login protector for fscrypt-test-user desc11 No custom protector "Recovery passphrase for dir" # Encrypt with login protector as root -See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions! + +IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for + important recovery instructions. It is *strongly recommended* to + record the recovery passphrase in a secure location; otherwise you + will lose access to this directory if you reinstall the operating + system or move this filesystem to another system. + ext4 filesystem "MNT" has 2 protectors and 1 policy PROTECTOR LINKED DESCRIPTION diff --git a/cli-tests/t_encrypt_login.sh b/cli-tests/t_encrypt_login.sh index 11a62f1..652d860 100755 --- a/cli-tests/t_encrypt_login.sh +++ b/cli-tests/t_encrypt_login.sh @@ -50,8 +50,6 @@ expect "Enter the source number for the new protector" send "1\r" expect "Enter login passphrase" send "TEST_USER_PASS\r" -expect "Protector is on a different filesystem! Generate a recovery passphrase (recommended)?" -send "y\r" expect eof EOF show_status true |
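Review bot: In the new IMPORTANT block in cli-tests/t_encrypt_login.out (the same six lines in all three hunks), the user is told to record the recovery passphrase "in a secure location", but the only location the message names is "MNT/dir/fscrypt_recovery_readme.txt", which sits inside the directory that was just encrypted. A reader can take the readme itself to be the record, and in the two cases the message lists (reinstalling the operating system, moving the filesystem to another system) that file is locked along with everything else in the directory. Suggest wording that says outright that the passphrase must be copied somewhere outside this directory and filesystem.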
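Review bot: In cli-tests/t_encrypt_login.sh at @@ -50,8 +50,6, once the prompt's expect/send pair is gone the interactive case only exercises the default path (send "TEST_USER_PASS\r" followed directly by expect eof), and neither file changed under cli-tests adds a run with --no-recovery, which the commit message says is deliberately kept. If no existing case already covers it, add one that passes --no-recovery and whose expected output has no recovery protector and no fscrypt_recovery_readme.txt notice, so that the opt-out cannot regress silently now that generation is automatic.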