From c4fa1f4ccb407f44dfabf91d1214f06c277a1b9f Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Wed, 29 Jan 2020 19:27:10 -0800
Subject: cmd/fscrypt/commands: allow disabling recovery passphrase (#193) While it's important to generate a recovery passphrase in the linked protector case to avoid data loss if the system is reinstalled, some people really don't want it (even though it can be safely ignored as it almost certainly has far more entropy than the login passphrase). As a compromise, prompt for y/n before generating it, with default y. Also, to allow disabling the recovery passphrase during noninteractive use, add a --no-recovery command-line option. Update https://github.com/google/fscrypt/issues/186
---
 cmd/fscrypt/commands.go | 15 +++++++++------
 cmd/fscrypt/flags.go | 6 +++++-
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index e807d46..4a59d30 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -105,7 +105,7 @@ var Encrypt = cli.Command{
 immediately be used.`, directoryArg, shortDisplay(policyFlag), shortDisplay(protectorFlag), mountpointArg), Flags: []cli.Flag{policyFlag, unlockWithFlag, protectorFlag, sourceFlag,
- userFlag, nameFlag, keyFileFlag, skipUnlockFlag},
+ userFlag, nameFlag, keyFileFlag, skipUnlockFlag, noRecoveryFlag},
 Action: encryptAction, }
@@ -239,13 +239,16 @@ func encryptPath(path string) (err error) {
 } }()
- // Automatically generate a recovery passphrase if the protector
- // is on a different filesystem from the policy. In practice,
- // this happens for login passphrase-protected directories that
+ // Ask to generate a recovery passphrase if the protector is on
+ // a different filesystem from the policy. In practice, this
+ // happens for login passphrase-protected directories that
 // aren't on the root filesystem, since login protectors are // always stored on the root filesystem.
- if ctx.Mount != protector.Context.Mount {
- fmt.Printf("Generating recovery passphrase because protector is on a different filesystem.\n")
+ var needRecovery bool
+ if ctx.Mount != protector.Context.Mount && !noRecoveryFlag.Value {
+ needRecovery, err = askQuestion("Protector is on a different filesystem! Generate a recovery passphrase (recommended)?", true)
+ }
+ if needRecovery {
 var recoveryProtector *actions.Protector if recoveryPassphrase, recoveryProtector, err = actions.AddRecoveryPassphrase( policy, filepath.Base(path)); err != nil {
diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index b7933c9..ce2f30e 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -116,7 +116,7 @@ var (
 allFlags = []prettyFlag{helpFlag, versionFlag, verboseFlag, quietFlag, forceFlag, legacyFlag, skipUnlockFlag, timeTargetFlag, sourceFlag, nameFlag, keyFileFlag, protectorFlag,
- unlockWithFlag, policyFlag, allUsersFlag}
+ unlockWithFlag, policyFlag, allUsersFlag, noRecoveryFlag}
 // universalFlags contains flags that should be on every command universalFlags = []cli.Flag{verboseFlag, quietFlag, helpFlag} )
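Review bot: The error returned by `askQuestion` is assigned to `err` but never checked before `if needRecovery {`, so a failed prompt (for example, unreadable stdin) presumably leaves `needRecovery` false and skips recovery-passphrase generation without telling the user. Because the recovery passphrase is the data-loss safeguard for protectors stored on another filesystem, a prompt failure should stop the command rather than fall through: add `if err != nil { return }` directly after the `askQuestion` call (`err` is the named result). Whether later code overwrites or reports `err` cannot be seen here, since encryptPath starts before and continues past this hunk. It would also help to print a one-line notice when recovery is declined or `--no-recovery` is set, so the choice is visible in the output of noninteractive runs.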
@@ -178,6 +178,10 @@ var (
 different from the one you're locking it as. This flag is only implemented for v2 encryption policies.`, }
+ noRecoveryFlag = &boolFlag{
+ Name: "no-recovery",
+ Usage: `Don't ask to generate a recovery passphrase.`,
+ }
 ) // Option flags: used to specify options instead of being prompted for them
-- cgit v1.2.3
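Review bot: The `Usage` text of `noRecoveryFlag` says only that the prompt is skipped; it does not say that no recovery passphrase is generated, nor what that costs. The commit description states the passphrase exists to avoid data loss if the system is reinstalled, and the help output is where a user scripting `--no-recovery` will look. A wording such as `Don't generate a recovery passphrase (and don't ask). Without one, a directory whose protector is on another filesystem may become inaccessible if that filesystem is reinstalled.` would carry that. The enclosing `var (` block starts outside this hunk.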