diff options
| author | Eric Biggers <ebiggers@google.com> | 2020-03-17 21:10:58 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-03-23 13:20:27 -0700 |
| commit | ec85cc8f987647c2b264c1f95dadda0f71c3d991 (patch) | |
| tree | 5695c9a84004ec40a9cb3d774c6bb2aa9503e605 /cmd/fscrypt | |
| parent | ae886a89f541a74255c9a41f7fa504a82ee6413e (diff) | |
Create /etc/fscrypt.conf with policy_version 2 on kernel v5.4+
v2 encryption policies are now recommended, due to various security and
usability advantages over v1 policies. Many people have been running
into the usability problems with v1, so it's desirable to get people
onto v2 without having to manually opt-in.
Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable
policy_version 2 automatically if the kernel supports it.
I decided to go with this solution over the policy_version "auto" I
suggested originally because this way is simpler, it can still be
changed to "auto" later if desired, and "auto" might require changing
how we parse the config file (since currently the config file is mapped
directly to a protobuf where policy_version is an 'int' and is shared
with EncryptionOptions).
Resolves https://github.com/google/fscrypt/issues/182
Diffstat (limited to 'cmd/fscrypt')
| -rw-r--r-- | cmd/fscrypt/setup.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go index 328788a..7b9bebb 100644 --- a/cmd/fscrypt/setup.go +++ b/cmd/fscrypt/setup.go @@ -50,8 +50,22 @@ func createGlobalConfig(w io.Writer, path string) error { return err } + // v2 encryption policies are recommended, so set policy_version 2 when + // the kernel supports it. v2 policies are supported by upstream Linux + // v5.4 and later. For now we simply check the kernel version. Ideally + // we'd instead check whether setting a v2 policy actually works, in + // order to also detect backports of the kernel patches. However, that's + // hard because from this context (creating /etc/fscrypt.conf) we may + // not yet have access to a filesystem that supports encryption. + var policyVersion int64 + if util.IsKernelVersionAtLeast(5, 4) { + fmt.Fprintln(w, "Defaulting to policy_version 2 because kernel supports it.") + policyVersion = 2 + } else { + fmt.Fprintln(w, "Defaulting to policy_version 1 because kernel doesn't support v2.") + } fmt.Fprintln(w, "Customizing passphrase hashing difficulty for this system...") - err = actions.CreateConfigFile(timeTargetFlag.Value) + err = actions.CreateConfigFile(timeTargetFlag.Value, policyVersion) if err != nil { return err } |