From 7fed63a84963cbd790e86a0e59ff14724bcf33c4 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 14 Sep 2021 14:12:39 -0700 Subject: Adjust recovery passphrase generation As per the feedback at https://github.com/google/fscrypt/issues/115 where users didn't understand that the recovery passphrase is important, restore the original behavior where recovery passphrase generation happens automatically without a prompt. This applies to the case where 'fscrypt encrypt' is using a login protector on a non-root filesystem. However, leave the --no-recovery option so that the recovery passphrase can still be disabled if the user really wants to. Also, clarify the information provided about the recovery passphrase. Update https://github.com/google/fscrypt/issues/115 --- cli-tests/t_encrypt_login.out | 25 +++++++++++++++++++++---- cli-tests/t_encrypt_login.sh | 2 -- 2 files changed, 21 insertions(+), 6 deletions(-) (limited to 'cli-tests') diff --git a/cli-tests/t_encrypt_login.out b/cli-tests/t_encrypt_login.out index 0d77799..c531f73 100644 --- a/cli-tests/t_encrypt_login.out +++ b/cli-tests/t_encrypt_login.out @@ -1,6 +1,12 @@ # Encrypt with login protector -See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions! + +IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for + important recovery instructions. It is *strongly recommended* to + record the recovery passphrase in a secure location; otherwise you + will lose access to this directory if you reinstall the operating + system or move this filesystem to another system. + ext4 filesystem "MNT" has 2 protectors and 1 policy PROTECTOR LINKED DESCRIPTION 
@@ -43,8 +49,13 @@ IMPORTANT: Before continuing, ensure you have properly set up your system for https://github.com/google/fscrypt#setting-up-for-login-protectors Enter login passphrase for fscrypt-test-user: -Protector is on a different filesystem! Generate a recovery passphrase (recommended)? [Y/n] y -See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions! + +IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for + important recovery instructions. It is *strongly recommended* to + record the recovery passphrase in a secure location; otherwise you + will lose access to this directory if you reinstall the operating + system or move this filesystem to another system. + "MNT/dir" is now encrypted, unlocked, and ready for use. ext4 filesystem "MNT" has 2 protectors and 1 policy @@ -70,7 +81,13 @@ desc10 Yes (MNT_ROOT) login protector for fscrypt-test-user desc11 No custom protector "Recovery passphrase for dir" # Encrypt with login protector as root -See "MNT/dir/fscrypt_recovery_readme.txt" for important recovery instructions! + +IMPORTANT: See "MNT/dir/fscrypt_recovery_readme.txt" for + important recovery instructions. It is *strongly recommended* to + record the recovery passphrase in a secure location; otherwise you + will lose access to this directory if you reinstall the operating + system or move this filesystem to another system. + ext4 filesystem "MNT" has 2 protectors and 1 policy PROTECTOR LINKED DESCRIPTION diff --git a/cli-tests/t_encrypt_login.sh b/cli-tests/t_encrypt_login.sh index 11a62f1..652d860 100755 --- a/cli-tests/t_encrypt_login.sh +++ b/cli-tests/t_encrypt_login.sh @@ -50,8 +50,6 @@ expect "Enter the source number for the new protector" send "1\r" expect "Enter login passphrase" send "TEST_USER_PASS\r" -expect "Protector is on a different filesystem! Generate a recovery passphrase (recommended)?" -send "y\r" expect eof EOF show_status true -- cgit v1.2.3
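Review bot: The new IMPORTANT text in the three cli-tests/t_encrypt_login.out hunks tells the user to record the recovery passphrase, but the only pointer it gives is "MNT/dir/fscrypt_recovery_readme.txt", a path inside the directory that has just been encrypted. Suggest the message state that the passphrase must be copied somewhere outside this directory while it is still unlocked, since the scenarios the text warns about (reinstalling the operating system, moving the filesystem to another system) are the ones where that file can no longer be read.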
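Review bot: The cli-tests/t_encrypt_login.sh hunk at -50,8 drops the `expect "Protector is on a different filesystem! ..."` and `send "y\r"` lines, and none of the visible changes adds a test for --no-recovery, which the commit message keeps as the remaining way to opt out. Suggest adding a run of the login-protector-on-a-different-filesystem case with --no-recovery, with expected output that shows no recovery readme notice and no "Recovery passphrase for dir" protector, so the opt-out path stays covered now that the prompt can no longer be answered "n".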