| Age | Commit message (Collapse) | Author |
|---|
|
Test using v1 encryption policies (deprecated) with
use_fs_keyring_for_v1_policies = true.
|
|
Test using v1 encryption policies (deprecated).
|
|
Test unlocking a directory.
|
|
Test getting global, filesystem, and unencrypted directory status when
the filesystem is or isn't set up for fscrypt.
|
|
Test 'fscrypt setup'.
|
|
Test that the passphrase hashing seems to take long enough.
|
|
Test that fscrypt fails when the filesystem doesn't support encryption.
|
|
Test that fscrypt fails when the filesystem doesn't have the encrypt
feature enabled. Then test enabling it.
|
|
Test locking a directory.
|
|
Test encrypting a directory using a raw_key protector.
|
|
Test encrypting a directory using a login (pam_passphrase) protector.
|
|
Test encrypting a directory using a custom_passphrase protector.
|
|
Add general tests for 'fscrypt encrypt'. For protector-specific tests,
see t_encrypt_custom, t_encrypt_login, and t_encrypt_raw_key.
|
|
Test changing the passphrase of a custom_passphrase protector.
|
|
Enforce that all the cli-test scripts pass 'shellcheck'.
|
|
Add a framework for writing automated tests of the fscrypt command-line
tool. See cli-tests/README.md for details.
|
|
Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time. The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.
|
|
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need
this to avoid touching the real "/".
|
|
Allow overriding the location of fscrypt.conf by setting the
FSCRYPT_CONF environmental variable. The CLI tests need this to avoid
touching the real /etc/fscrypt.conf.
|
|
There's no longer a need to override the Ubuntu version that the
Travis CI builds install e2fsprogs from, since we now use
"dist: bionic", and e2fsprogs in Bionic supports encryption.
|
|
Since v0.2.6, fscrypt only builds for 64-bit systems. E.g. trying to
build on Raspbian fails with the following error:
$ go get github.com/google/fscrypt/cmd/fscrypt
# github.com/google/fscrypt/keyring
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int
Fix it by making the 'ioc' variable have type uintptr.
[EB - removed the later cast to uintptr that became unnecessary, and
added explanation to commit message.]
|
|
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem. This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.
See findMainMount() for details about the algorithm used.
Resolves https://github.com/google/fscrypt/issues/211
|
|
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Passing -trimpath makes the build entirely reproducible.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
There's no need to include the build time, author, and copyright info
in the output of "fscrypt --version". This information is:
- Overly complex (the current string is hard to parse)
- Inaccurate (there are other authors than just me)
- Unnecessary (the Apache 2 license is for Source Code)
- Makes reproducible builds impossible
The default version string is just fine.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Automatically enable policy_version 2 when kernel support is detected
|
|
- Mention that a v5.4+ kernel is recommended.
- Mention that policy_version defaults to 1 when unset.
- Emphasize that v2 policies are the recommended solution to the key
visibility problems, and add some more information.
|
|
Since on new kernels v1 encryption policies are deprecated in favor of
v2, update the examples to show v2. This mostly just consists of
updating the output, as the commands are essentially the same with one
notable difference in 'fscrypt lock'.
|
|
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message. This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.
Detecting this case is difficult since all we have to go with is EACCES
when opening the directory. Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.
Before:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
After:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
This may be caused by the directory using a v2 encryption policy and
the current kernel not supporting it. If indeed the case, then this
directory can only be used on kernel v5.4 and later. You can create
directories accessible on older kernels by changing policy_version to
1 in /etc/fscrypt.conf.
|
|
If trying to encrypt a directory using a v2 policy fails due to the
kernel lacking support for v2 policies, show a better error message.
One way this can happen is if someone runs 'fscrypt setup' with a new
kernel and then downgrades to an old kernel.
Before:
# echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
[ERROR] fscrypt encrypt: inappropriate ioctl for device: system error: could not add key to the keyring
After:
# echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
[ERROR] fscrypt encrypt: kernel is too old to support v2 encryption policies
v2 encryption policies are only supported by kernel version 5.4 and
later. Either use a newer kernel, or change policy_version to 1 in
/etc/fscrypt.conf.
|
|
v2 encryption policies are now recommended, due to various security and
usability advantages over v1 policies. Many people have been running
into the usability problems with v1, so it's desirable to get people
onto v2 without having to manually opt-in.
Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable
policy_version 2 automatically if the kernel supports it.
I decided to go with this solution over the policy_version "auto" I
suggested originally because this way is simpler, it can still be
changed to "auto" later if desired, and "auto" might require changing
how we parse the config file (since currently the config file is mapped
directly to a protobuf where policy_version is an 'int' and is shared
with EncryptionOptions).
Resolves https://github.com/google/fscrypt/issues/182
|
|
There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt". So, let's do that.
Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.
Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones. The corresponding protobuf field
number and name are reserved. We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice. If
anyone does, they should just stop specifying the option.
Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.
|
|
|
|
Improve the documentation for the installation-related Makefile
variables, and update the commands to remove the forward slash after
$(DESTDIR) in order to remove a duplicate forward slash and match the
recommended usage.
|
|
DESTDIR has a well established purpose
https://www.gnu.org/prep/standards/html_node/DESTDIR.html
It is a suffix for all the files to be installed. And it is used by
package managers who installs the files into some $tmpdir before
creating a package.
Change the build commands to follow this convention.
Add BINDIR that does the same what previous did $DESTDIR.
|
|
* Release version v0.2.6
Fixes #195
Also, update the encrypted API key.
My person access token had expired, this one should work now.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).
As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.
Update https://github.com/google/fscrypt/issues/186
|
|
Clean up policies and protectors on error
|
|
Ensure that when an encryption policy is reverted (e.g. due to
encryptPath() failing after the policy was created), we also delete any
new protector links that were created for the policy, as this is not
handled by the logic that reverts new protectors.
|
|
When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist. Instead, if it already
exists and points to the mount, just use it. If it already exists and
points to the wrong place, return an error.
Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.
|
|
Move the deferred locking and deletion of the policy on failure to the
correct places, so that it's done in all failure cases, including in the
case where adding the recovery protector fails.
Also make the recovery protector be locked and deleted on failure.
Finally, put all the code to do deferred deprovisioning of the policy in
the same place: right after it's provisioned.
|
|
Ensure that a failed AddRecoveryPassphrase() doesn't leave around an
unneeded protector file.
|
|
When an fscrypt command fails and prints an error message, in some cases
it isn't clear that the message is actually an error, e.g.:
fscrypt encrypt: login protectors do not need a name
Make it clear by always prefixing the message with "[ERROR] ", e.g.
[ERROR] fscrypt encrypt: login protectors do not need a name
Update https://github.com/google/fscrypt/issues/186
|
|
When 'fscrypt setup' sees that /etc/fscrypt.conf doesn't exist, don't
ask for confirmation before creating it. Just do it. This is the
normal use, and there's not a good reason to ask the user to confirm it.
|
|
If the login protector was just created by the same 'fscrypt encrypt'
command, then policy.Context.Config.Source will be pam_passphrase. This
needs to be overridden to custom_passphrase when creating the protector
for the recovery passphrase.
This fixes the following error:
fscrypt encrypt: login protectors do not need a name
Resolves https://github.com/google/fscrypt/issues/187
Update https://github.com/google/fscrypt/issues/186
|
|
Resolves https://github.com/google/fscrypt/issues/181
|
|
The workaround for Go versions before 1.10 was already removed by
commit 3022c1603d96 ("Ensure setting user privileges is reversible").
|
|
canonicalizePath() is now only used by an error path in
getMountFromLink(), which we can make use getDeviceName() instead.
|
|
Automatically generate recovery passphrase when useful
|
|
If a user re-installs their system (or otherwise loses the /.fscrypt
directory on the root filesystem) they also lose access to any login
passphrase-protected directories on other filesystems, unless additional
protectors were manually added. This can be unexpected, as it may be
expected that the old login passphrase would still work.
We can't really fix this by storing a login protector on every
filesystem because:
- If a user were to have N login protectors, it would take them N times
longer to log in, as every login protector would need to be unlocked.
- If a user were to change their login passphrase while any external
volumes were unmounted, login protectors would get out of sync.
- It's preferable that an external volume isn't unlockable by itself
using only a login passphrase, as login passphrases are often weak.
Instead, generate a recovery passphrase when creating a login
passphrase-protected directory on a non-root filesystem.
The recovery passphrase is added as a custom_passphrase protector, thus
giving the policy two protectors: one pam_passphrase and one
custom_passphrase. Then this passphrase is written to a file in the new
encrypted directory. Writing the passphrase to a file here is okay
since it's encrypted, but it's obviously useless by itself; it's up to
the user to store this passphrase somewhere else if they need it.
Use a recovery passphrase instead of a "recovery code" that encodes the
policy key directly because a passphrase is more user-friendly: it can
safely be made much shorter than a key, and it works just like any other
fscrypt protector. Also, it's not as critical to allow recovery when
the .fscrypt directory on the *same* filesystem is deleted.
Resolves https://github.com/google/fscrypt/issues/164
|
