From 7fed63a84963cbd790e86a0e59ff14724bcf33c4 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 14 Sep 2021 14:12:39 -0700 Subject: Adjust recovery passphrase generation As per the feedback at https://github.com/google/fscrypt/issues/115 where users didn't understand that the recovery passphrase is important, restore the original behavior where recovery passphrase generation happens automatically without a prompt. This applies to the case where 'fscrypt encrypt' is using a login protector on a non-root filesystem. However, leave the --no-recovery option so that the recovery passphrase can still be disabled if the user really wants to. Also, clarify the information provided about the recovery passphrase. Update https://github.com/google/fscrypt/issues/115 --- README.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index f581be9..d24cd03 100644 --- a/README.md +++ b/README.md 
@@ -474,14 +474,19 @@ via a login protector if the operating system is reinstalled or if the disk is connected to another system** -- even if the new system uses the same login passphrase for the user. -Because of this, `fscrypt encrypt` will offer to generate a recovery passphrase -when creating a login passphrase-protected directory on a non-root filesystem. -The recovery passphrase is simply a `custom_passphrase` protector with a -randomly generated high-entropy passphrase. It is strongly recommended to -accept the prompt to generate the recovery passphrase, then store the recovery -passphrase in a secure location. Then, if ever needed, you can use `fscrypt -unlock` to unlock the directory with the recovery passphrase (by choosing the -recovery protector instead of the login protector). +Because of this, `fscrypt encrypt` will automatically generate a recovery +passphrase when creating a login passphrase-protected directory on a non-root +filesystem. The recovery passphrase is simply a `custom_passphrase` protector +with a randomly generated high-entropy passphrase. Initially, the recovery +passphrase is stored in a file in the encrypted directory itself; therefore, to +use it you **must** record it in another secure location. It is strongly +recommended to do this. Then, if ever needed, you can use `fscrypt unlock` to +unlock the directory with the recovery passphrase (by choosing the recovery +protector instead of the login protector). + +If you really want to disable the generation of a recovery passphrase, use the +`--no-recovery` option. Only do this if you really know what you are doing and +are prepared for potential data loss. Alternative approaches to supporting recovery of login passphrase-protected directories include the following: 
@@ -493,7 +498,7 @@ directories include the following: Note that after restoring the `/.fscrypt` directory, unlocking the login protectors will require the passphrases they had at the time the backup was made **even if they were changed later**, so make sure to remember these - passphrase(s) or store them in a secure location. Also note that if the UUID + passphrase(s) or record them in a secure location. Also note that if the UUID of the root filesystem changed, you will need to manually fix the UUID in any `.fscrypt/protectors/*.link` files on other filesystems. -- cgit v1.2.3
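Review bot: in the first hunk (README.md @@ -474,14 +474,19 @@), the sentence "therefore, to use it you **must** record it in another secure location" is immediately followed by "It is strongly recommended to do this", which reads as a contradiction: a hard requirement is restated as a recommendation. Since the recovery passphrase is described as stored in a file inside the encrypted directory itself, it is only reachable while that directory is unlocked, so the requirement is real and the softer sentence should go; consider replacing the two sentences with "Since the recovery passphrase file lives inside the encrypted directory, it is only readable while the directory is unlocked; you **must** record the passphrase in another secure location before you rely on it." The hunk also never names the file or says whether it should be deleted after the passphrase has been recorded; if the tool has such a file name or cleanup step, this paragraph is where the reader would look for it. Finally, "If you really want to disable ... Only do this if you really know what you are doing" repeats "really" twice in consecutive sentences; "Only do this if you understand the consequences and are prepared for potential data loss" says the same thing more cleanly.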
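Review bot: the second hunk (README.md @@ -493,7 +498,7 @@) only swaps "store them" for "record them", which matches the "record it in another secure location" wording introduced in the first hunk, so the two sections now use the same verb; no objection. While touching this line, "passphrase(s)" could simply become "passphrases", since the sentence already speaks of login protectors in the plural.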