From 9003a0331a112e8901fae8279f4897a825ee8069 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 15 Dec 2019 19:31:39 -0800 Subject: cmd/fscrypt: add 'fscrypt lock' command Add support for 'fscrypt lock'. This command "locks" a directory, undoing 'fscrypt unlock'. When the filesystem keyring is used, 'fscrypt lock' also detects when a directory wasn't fully locked due to some files still being in-use. It can then be run again later to try to finish locking the files. --- cmd/fscrypt/errors.go | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'cmd/fscrypt/errors.go') diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go index ed57dbe..68135fe 100644 --- a/cmd/fscrypt/errors.go +++ b/cmd/fscrypt/errors.go @@ -56,6 +56,7 @@ var ( ErrAllLoadsFailed = errors.New("could not load any protectors") ErrMustBeRoot = errors.New("this command must be run as root") ErrPolicyUnlocked = errors.New("this file or directory is already unlocked") + ErrPolicyLocked = errors.New("this file or directory is already locked") ErrBadOwners = errors.New("you do not own this directory") ErrNotEmptyDir = errors.New("not an empty directory") ErrNotPassphrase = errors.New("protector does not use a passphrase") @@ -94,6 +95,11 @@ func getErrorSuggestions(err error) string { needs to be enabled for this filesystem. See the documentation on how to enable encryption on ext4 systems (and the risks of doing so).` + case keyring.ErrKeyFilesOpen: + return `Directory was incompletely locked because some files are + still open. These files remain accessible. Try killing + any processes using files in the directory, then + re-running 'fscrypt lock'.` case keyring.ErrSessionUserKeying: return `This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable -- cgit v1.2.3