-rw-r--r--README.md12
-rw-r--r--cmd/fscrypt/commands.go48
-rw-r--r--cmd/fscrypt/setup.go2
3 files changed, 34 insertions, 28 deletions
diff --git a/README.md b/README.md
index 0ec8127..a88b546 100644
--- a/README.md
+++ b/README.md
@@ -86,8 +86,8 @@ policy can also be changed. This allows a user to change how a directory is
protected without needing to reencrypt the directory's contents.
Concretely, fscrypt contains the following functionality:
-* `fscrypt setup` - Initializes the `fscrypt.conf` file
- * This is the only functionality which requires root privileges
+* `fscrypt setup` - Creates `/etc/fscrypt.conf` and the `/.fscrypt` directory
+ * This is the only functionality which always requires root privileges
* `fscrypt setup MOUNTPOINT` - Gets a filesystem ready for use with fscrypt
* `fscrypt encrypt DIRECTORY` - Encrypts an empty directory
* `fscrypt unlock DIRECTORY` - Unlocks an encrypted directory
@@ -241,16 +241,16 @@ MOUNTPOINT DEVICE FILESYSTEM STATUS
/ /dev/sda1 ext4 encryption not enabled
/mnt/disk /dev/sdb ext4 not setup with fscrypt
-# Create the global configuration file. Nothing else needs root.
+# Create the global configuration file. Nothing else necessarily needs root.
>>>>> sudo fscrypt setup
Create "/etc/fscrypt.conf"? [Y/n] y
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".
+Metadata directories created at "/.fscrypt".
# Start using fscrypt with our filesystem
>>>>> fscrypt setup /mnt/disk
Metadata directories created at "/mnt/disk/.fscrypt".
-Filesystem "/mnt/disk" (/dev/sdb) ready for use with ext4 encryption.
# Initialize encryption on a new empty directory
>>>>> mkdir /mnt/disk/dir1
@@ -359,10 +359,6 @@ login passphrase, you may have to do additional work when you change your system
passphrase.
```bash
-# Login passphrases also require that fscrypt is setup on the root directory
->>>>> sudo fscrypt setup /
-Filesystem "/" (/dev/dm-1) ready for use with ext4 encryption.
-
# Select your login passphrase as the desired source.
>>>>> mkdir /mnt/disk/dir2
>>>>> fscrypt encrypt /mnt/disk/dir2
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index f70ba46..d71b427 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -41,38 +41,50 @@ var Setup = cli.Command{
ArgsUsage: fmt.Sprintf("[%s]", mountpointArg),
Usage: "perform global setup or filesystem setup",
Description: fmt.Sprintf(`This command creates fscrypt's global config
- file or enables fscrypt on a filesystem.
-
- (1) When used without %[1]s, create the parameters in %[2]s.
- This is primarily used to configure the passphrase hashing
- parameters to the appropriate hardness (as determined by %[3]s).
- Being root is required to write the config file.
-
- (2) When used with %[1]s, enable fscrypt on %[1]s. This involves
- creating the necessary folders on the filesystem which will hold
- the metadata structures. Begin root may be required to create
- these folders.`, mountpointArg, actions.ConfigFileLocation,
+ file and/or prepares a filesystem for use with fscrypt.
+
+ (1) When used without %[1]s, this command creates the global
+ config file %[2]s and the fscrypt metadata directory for the
+ root filesystem (i.e. /.fscrypt). This requires root privileges.
+ The passphrase hashing parameters in %[2]s are automatically set
+ to an appropriate hardness, as determined by %[3]s. The root
+ filesystem's metadata directory is created even if the root
+ filesystem doesn't support encryption itself, since it's where
+ login passphrase protectors are stored.
+
+ (2) When used with %[1]s, this command creates the fscrypt
+ metadata directory for the filesystem mounted at %[1]s. This
+ allows fscrypt to be used on that filesystem, provided that any
+ kernel and filesystem-specific prerequisites are also met (see
+ the README). This may require root privileges.`,
+ mountpointArg, actions.ConfigFileLocation,
shortDisplay(timeTargetFlag)),
Flags: []cli.Flag{timeTargetFlag, legacyFlag, forceFlag},
Action: setupAction,
}
func setupAction(c *cli.Context) error {
- var err error
switch c.NArg() {
case 0:
// Case (1) - global setup
- err = createGlobalConfig(c.App.Writer, actions.ConfigFileLocation)
+ if err := createGlobalConfig(c.App.Writer, actions.ConfigFileLocation); err != nil {
+ return newExitError(c, err)
+ }
+ if err := setupFilesystem(c.App.Writer, "/"); err != nil {
+ if errors.Cause(err) != filesystem.ErrAlreadySetup {
+ return newExitError(c, err)
+ }
+ fmt.Fprintf(c.App.Writer,
+ "Skipping creating /.fscrypt because it already exists.\n")
+ }
case 1:
// Case (2) - filesystem setup
- err = setupFilesystem(c.App.Writer, c.Args().Get(0))
+ if err := setupFilesystem(c.App.Writer, c.Args().Get(0)); err != nil {
+ return newExitError(c, err)
+ }
default:
return expectedArgsErr(c, 1, true)
}
-
- if err != nil {
- return newExitError(c, err)
- }
return nil
}
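Review bot: The ErrAlreadySetup branch in case 0 accepts whatever already exists at /.fscrypt, and nothing in this function records whether that pre-existing directory was validated; setupFilesystem's body is outside this hunk, so I can't tell whether ownership and mode are checked before ErrAlreadySetup is returned, and the new Description says this directory is where login passphrase protectors are stored. If no such check exists in setupFilesystem, a comment above the skip message, e.g. `// An existing /.fscrypt is reused as-is; setupFilesystem is expected to have verified its ownership and mode.`, or an explicit check would make the trust assumption visible. Separately, if createGlobalConfig succeeds and the following setupFilesystem(c.App.Writer, "/") fails for a reason other than ErrAlreadySetup, the config file is left in place but the returned error says nothing about that partial state, so a user re-running setup sees a different path; wrapping it, e.g. `return newExitError(c, errors.Wrap(err, "global config was created, but root filesystem setup failed"))`, would help (errors.Wrap is assumed to come from the same package as errors.Cause — verify). setupAction is fully inside this hunk; the Setup declaration above it begins before the hunk.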
diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go
index f2fff96..2bb15ef 100644
--- a/cmd/fscrypt/setup.go
+++ b/cmd/fscrypt/setup.go
@@ -72,7 +72,5 @@ func setupFilesystem(w io.Writer, path string) error {
}
fmt.Fprintf(w, "Metadata directories created at %q.\n", ctx.Mount.BaseDir())
- fmt.Fprintf(w, "Filesystem %q (%s) ready for use with %s encryption.\n",
- ctx.Mount.Path, ctx.Mount.Device, ctx.Mount.Filesystem)
return nil
}