| author | Eric Biggers <ebiggers@google.com> | 2020-01-29 19:27:10 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-01-29 19:27:10 -0800 |
| commit | c4fa1f4ccb407f44dfabf91d1214f06c277a1b9f (patch) | |
| tree | 1711ccb6829abcf03a6874878d4fbd1709865e1e /cmd/fscrypt | |
| parent | 0f06c53388f8b020e1a0d48af2f5e334c4ec2aca (diff) | |
cmd/fscrypt/commands: allow disabling recovery passphrase (#193)
While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).
As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.
Update https://github.com/google/fscrypt/issues/186
Diffstat (limited to 'cmd/fscrypt')
| -rw-r--r-- | cmd/fscrypt/commands.go | 15 | ||||
| -rw-r--r-- | cmd/fscrypt/flags.go | 6 |
2 files changed, 14 insertions, 7 deletions
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go index e807d46..4a59d30 100644 --- a/cmd/fscrypt/commands.go +++ b/cmd/fscrypt/commands.go @@ -105,7 +105,7 @@ var Encrypt = cli.Command{ immediately be used.`, directoryArg, shortDisplay(policyFlag), shortDisplay(protectorFlag), mountpointArg), Flags: []cli.Flag{policyFlag, unlockWithFlag, protectorFlag, sourceFlag, - userFlag, nameFlag, keyFileFlag, skipUnlockFlag}, + userFlag, nameFlag, keyFileFlag, skipUnlockFlag, noRecoveryFlag}, Action: encryptAction, } @@ -239,13 +239,16 @@ func encryptPath(path string) (err error) { } }() - // Automatically generate a recovery passphrase if the protector - // is on a different filesystem from the policy. In practice, - // this happens for login passphrase-protected directories that + // Ask to generate a recovery passphrase if the protector is on + // a different filesystem from the policy. In practice, this + // happens for login passphrase-protected directories that // aren't on the root filesystem, since login protectors are // always stored on the root filesystem. - if ctx.Mount != protector.Context.Mount { - fmt.Printf("Generating recovery passphrase because protector is on a different filesystem.\n") + var needRecovery bool + if ctx.Mount != protector.Context.Mount && !noRecoveryFlag.Value { + needRecovery, err = askQuestion("Protector is on a different filesystem! Generate a recovery passphrase (recommended)?", true) + } + if needRecovery { var recoveryProtector *actions.Protector if recoveryPassphrase, recoveryProtector, err = actions.AddRecoveryPassphrase( policy, filepath.Base(path)); err != nil { diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go index b7933c9..ce2f30e 100644 --- a/cmd/fscrypt/flags.go +++ b/cmd/fscrypt/flags.go 
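Review bot: The error returned by `askQuestion` in the `encryptPath` hunk is assigned to `err` but never checked before `if needRecovery`. If the prompt fails, `needRecovery` presumably stays false, so the recovery passphrase is skipped without the user having declined it. Any later assignment to `err` would also hide the failure. Since `err` is the named result, adding `if err != nil { return }` directly after the `askQuestion` call, inside the same `if`, would stop before the rest of the function runs. `encryptPath` starts and ends outside the hunk, so how the following code treats a non-nil `err` is not visible here.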
@@ -116,7 +116,7 @@ var ( allFlags = []prettyFlag{helpFlag, versionFlag, verboseFlag, quietFlag, forceFlag, legacyFlag, skipUnlockFlag, timeTargetFlag, sourceFlag, nameFlag, keyFileFlag, protectorFlag, - unlockWithFlag, policyFlag, allUsersFlag} + unlockWithFlag, policyFlag, allUsersFlag, noRecoveryFlag} // universalFlags contains flags that should be on every command universalFlags = []cli.Flag{verboseFlag, quietFlag, helpFlag} ) @@ -178,6 +178,10 @@ var ( different from the one you're locking it as. This flag is only implemented for v2 encryption policies.`, } + noRecoveryFlag = &boolFlag{ + Name: "no-recovery", + Usage: `Don't ask to generate a recovery passphrase.`, + } ) // Option flags: used to specify options instead of being prompted for them |
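Review bot: The `Usage` text of `noRecoveryFlag` in the last flags.go hunk, "Don't ask to generate a recovery passphrase", can be read as "generate one without asking". In commands.go the flag actually suppresses generation altogether. The help text also omits when the prompt applies and what is given up, which the commit description states as avoiding data loss if the system is reinstalled. I would spell that out, for example `Don't generate (or ask to generate) a recovery passphrase when the protector is on a different filesystem from the directory. Without one, the data may become inaccessible if the system is reinstalled.` That way a noninteractive caller sees the trade-off in `--help`.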