2 files changed, 18 insertions, 3 deletions

diff --git a/cli-tests/t_encrypt_login.out b/cli-tests/t_encrypt_login.out
index e8e0e41..0d77799 100644
--- a/cli-tests/t_encrypt_login.out
+++ b/cli-tests/t_encrypt_login.out
@@ -37,6 +37,11 @@ The following protector sources are available:
 2 - A custom passphrase (custom_passphrase)

 3 - A raw 256-bit key (raw_key)

 Enter the source number for the new protector [2 - custom_passphrase]: 1

+

+IMPORTANT: Before continuing, ensure you have properly set up your system for

+           login protectors.  See

+           https://github.com/google/fscrypt#setting-up-for-login-protectors

+

 Enter login passphrase for fscrypt-test-user: 

 Protector is on a different filesystem! Generate a recovery passphrase (recommended)? [Y/n] y

 See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions!

diff --git a/cmd/fscrypt/protector.go b/cmd/fscrypt/protector.go
index 6d35d9e..ac864dd 100644
--- a/cmd/fscrypt/protector.go
+++ b/cmd/fscrypt/protector.go
@@ -21,6 +21,7 @@
 package main
 
 import (
+	"fmt"
 	"log"
 
 	"github.com/google/fscrypt/actions"
@@ -38,9 +39,18 @@ func createProtectorFromContext(ctx *actions.Context) (*actions.Protector, error
 	}
 	log.Printf("using source: %s", ctx.Config.Source.String())
 
-	if ctx.Config.Source == metadata.SourceType_pam_passphrase &&
-		userFlag.Value == "" && util.IsUserRoot() {
-		return nil, ErrSpecifyUser
+	if ctx.Config.Source == metadata.SourceType_pam_passphrase {
+		if userFlag.Value == "" && util.IsUserRoot() {
+			return nil, ErrSpecifyUser
+		}
+		if !quietFlag.Value {
+			fmt.Print(`
+IMPORTANT: Before continuing, ensure you have properly set up your system for
+           login protectors.  See
+           https://github.com/google/fscrypt#setting-up-for-login-protectors
+
+`)
+		}
 	}
 
 	name, err := promptForName(ctx)