From afd82da968e5ea21b396a8ec321e31902c5f68c2 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Tue, 17 Mar 2020 21:10:58 -0700
Subject: README.md: update examples to use v2 policies

Since on new kernels v1 encryption policies are deprecated in favor of
v2, update the examples to show v2.  This mostly just consists of
updating the output, as the commands are essentially the same with one
notable difference in 'fscrypt lock'.
---
 README.md | 80 +++++++++++++++++++++++++++++++--------------------------------
 1 file changed, 40 insertions(+), 40 deletions(-)

diff --git a/README.md b/README.md
index 83a2154..0880216 100644
--- a/README.md
+++ b/README.md
@@ -199,7 +199,7 @@ that looks like the following:
 		"padding": "32",
 		"contents": "AES_256_XTS",
 		"filenames": "AES_256_CTS",
-		"policy_version": "1"
+		"policy_version": "2"
 	},
 	"use_fs_keyring_for_v1_policies": false
 }
@@ -362,6 +362,7 @@ MOUNTPOINT  DEVICE     FILESYSTEM  ENCRYPTION   FSCRYPT
 
 # Create the global configuration file. Nothing else necessarily needs root.
 >>>>> sudo fscrypt setup
+Defaulting to policy_version 2 because kernel supports it.
 Customizing passphrase hashing difficulty for this system...
 Created global config file at "/etc/fscrypt.conf".
 Metadata directories created at "/.fscrypt".
@@ -390,8 +391,8 @@ ext4 filesystem "/mnt/disk" has 1 protector and 1 policy
 PROTECTOR         LINKED  DESCRIPTION
 7626382168311a9d  No      custom protector "Super Secret"
 
-POLICY            UNLOCKED  PROTECTORS
-7626382168311a9d  Yes       7626382168311a9d
+POLICY                            UNLOCKED  PROTECTORS
+16382f282d7b29ee27e6460151d03382  Yes       7626382168311a9d
 ```
 
 #### Quiet Version
@@ -409,24 +410,23 @@ POLICY            UNLOCKED  PROTECTORS
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: Yes
 
 Protected with 1 protector:
 PROTECTOR         LINKED  DESCRIPTION
 7626382168311a9d  No      custom protector "Super Secret"
 
-# Lock the directory.  'sudo' and the '--user' argument are only
-# required if the directory uses a v1 encryption policy.
->>>>> sudo fscrypt lock /mnt/disk/dir1 --user=$USER
-Encrypted data removed from filesystem cache.
+# Lock the directory.  Note: if using a v1 encryption policy instead
+# of v2, you'll need 'sudo fscrypt lock /mnt/disk/dir1 --user=$USER'.
+>>>>> fscrypt lock /mnt/disk/dir1
 "/mnt/disk/dir1" is now locked.
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: No
 
 Protected with 1 protector:
@@ -446,8 +446,8 @@ Enter custom passphrase for protector "Super Secret":
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: Yes
 
 Protected with 1 protector:
@@ -459,7 +459,7 @@ Hello World
 
 #### Quiet Version
 ```bash
->>>>> sudo fscrypt lock /mnt/disk/dir1 --quiet --user=$USER
+>>>>> fscrypt lock /mnt/disk/dir1 --quiet
 >>>>> echo "hunter2" | fscrypt unlock /mnt/disk/dir1 --quiet
 ```
 
@@ -482,8 +482,8 @@ Enter login passphrase for joerichey:
 >>>>> fscrypt status /mnt/disk/dir2
 "/mnt/disk/dir2" is encrypted with fscrypt.
 
-Policy:   fe1c92009abc1cff
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   fe1c92009abc1cff4f3257c77e8134e3
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: Yes
 
 Protected with 1 protector:
@@ -496,9 +496,9 @@ PROTECTOR         LINKED   DESCRIPTION
 7626382168311a9d  No       custom protector "Super Secret"
 6891f0a901f0065e  Yes (/)  login protector for joerichey
 
-POLICY            UNLOCKED  PROTECTORS
-16382f282d7b29ee  Yes       7626382168311a9d
-fe1c92009abc1cff  Yes       6891f0a901f0065e
+POLICY                            UNLOCKED  PROTECTORS
+16382f282d7b29ee27e6460151d03382  Yes       7626382168311a9d
+fe1c92009abc1cff4f3257c77e8134e3  Yes       6891f0a901f0065e
 >>>>> fscrypt status /
 ext4 filesystem "/" has 1 protector(s) and 0 policy(ies)
 
@@ -518,8 +518,8 @@ PROTECTOR         LINKED  DESCRIPTION
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: Yes
 
 Protected with 1 protector:
@@ -573,9 +573,9 @@ PROTECTOR         LINKED   DESCRIPTION
 2c75f519b9c9959d  No       raw key protector "Skeleton"
 6891f0a901f0065e  Yes (/)  login protector for joerichey
 
-POLICY            UNLOCKED  PROTECTORS
-16382f282d7b29ee  Yes       7626382168311a9d
-fe1c92009abc1cff  Yes       6891f0a901f0065e
+POLICY                            UNLOCKED  PROTECTORS
+16382f282d7b29ee27e6460151d03382  Yes       7626382168311a9d
+fe1c92009abc1cff4f3257c77e8134e3  Yes       6891f0a901f0065e
 
 # Finally, we could apply this key to a directory
 >>>>> mkdir /mnt/disk/dir3
@@ -607,31 +607,31 @@ PROTECTOR         LINKED   DESCRIPTION
 2c75f519b9c9959d  No       raw key protector "Skeleton"
 6891f0a901f0065e  Yes (/)  login protector for joerichey
 
-POLICY            UNLOCKED  PROTECTORS
-d03fb894584a4318  No        2c75f519b9c9959d
-16382f282d7b29ee  No        7626382168311a9d
-fe1c92009abc1cff  No        6891f0a901f0065e
+POLICY                            UNLOCKED  PROTECTORS
+d03fb894584a4318d1780e9a7b0b47eb  No        2c75f519b9c9959d
+16382f282d7b29ee27e6460151d03382  No        7626382168311a9d
+fe1c92009abc1cff4f3257c77e8134e3  No        6891f0a901f0065e
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: No
 
 Protected with 1 protector:
 PROTECTOR         LINKED  DESCRIPTION
 7626382168311a9d  No      custom protector "Super Secret"
->>>>> fscrypt metadata add-protector-to-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee
+>>>>> fscrypt metadata add-protector-to-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee27e6460151d03382
 WARNING: All files using this policy will be accessible with this protector!!
-Protect policy 16382f282d7b29ee with protector 2c75f519b9c9959d? [Y/n]
+Protect policy 16382f282d7b29ee27e6460151d03382 with protector 2c75f519b9c9959d? [Y/n]
 Enter key file for protector "Skeleton": secret.key
 Enter custom passphrase for protector "Super Secret":
-Protector 2c75f519b9c9959d now protecting policy 16382f282d7b29ee.
+Protector 2c75f519b9c9959d now protecting policy 16382f282d7b29ee27e6460151d03382.
 >>>>> fscrypt status /mnt/disk/dir1
 "/mnt/disk/dir1" is encrypted with fscrypt.
 
-Policy:   16382f282d7b29ee
-Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
+Policy:   16382f282d7b29ee27e6460151d03382
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
 Unlocked: No
 
 Protected with 2 protectors:
@@ -649,16 +649,16 @@ Enter key file for protector "Skeleton": secret.key
 "/mnt/disk/dir1" is now unlocked and ready for use.
 
 # The protector can also be removed from the policy (if it is not the only one)
->>>>> fscrypt metadata remove-protector-from-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee
+>>>>> fscrypt metadata remove-protector-from-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee27e6460151d03382
 WARNING: All files using this policy will NO LONGER be accessible with this protector!!
-Stop protecting policy 16382f282d7b29ee with protector 2c75f519b9c9959d? [y/N] y
-Protector 2c75f519b9c9959d no longer protecting policy 16382f282d7b29ee.
+Stop protecting policy 16382f282d7b29ee27e6460151d03382 with protector 2c75f519b9c9959d? [y/N] y
+Protector 2c75f519b9c9959d no longer protecting policy 16382f282d7b29ee27e6460151d03382.
 ```
 
 #### Quiet Version
 ```bash
->>>>> echo "hunter2" | fscrypt metadata add-protector-to-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee --key=secret.key --quiet
->>>>> fscrypt metadata remove-protector-from-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee --quiet --force
+>>>>> echo "hunter2" | fscrypt metadata add-protector-to-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee27e6460151d03382 --key=secret.key --quiet
+>>>>> fscrypt metadata remove-protector-from-policy --protector=/mnt/disk:2c75f519b9c9959d --policy=/mnt/disk:16382f282d7b29ee27e6460151d03382 --quiet --force
 ```
 
 ## Contributing
-- 
cgit v1.2.3