fscrypt
Automate steps necessary to add extra protector
You can't run fscrypt encrypt on a directory that is already encrypted with pam_passphrase:
```
# mkdir test
# fscrypt encrypt test --user=redsandro
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
Enter login passphrase for redsandro:
"test" is now encrypted, unlocked, and ready for use.
# fscrypt encrypt test --user=redsandro
fscrypt encrypt: test: file or directory already encrypted
```
In order to add a protector in addition to an existing protector, we need to:
- Add protector using `fscrypt metadata create protector /home/`
- Look up policy id for pam_passphrase protector using `fscrypt status /home`
- `fscrypt metadata add-protector-to-policy --protector=/home:[protector id] --policy=/home:[policy id]`
(In this example /home is a separate device, so some protectors will be linked to /.)
Perhaps this can be done automatically; fscrypt can handle the technicalities when it's clear what the user is trying to do.
E.g. instead of:
```
# fscrypt encrypt test --user=redsandro
fscrypt encrypt: test: file or directory already encrypted
```
Do this instead:
```
# fscrypt encrypt test --user=redsandro
fscrypt encrypt: test: Directory already encrypted with these protectors:
[type:id]
[type:id]
Do you want to add an additional protector? [y/N]
```
When yes, calculate the partition root and the protector containing policy automatically. (And hide pam_passphrase if it's already used).
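The three manual steps above, chained into one script, as an added example that is not part of this issue or of fscrypt itself. It assumes the `fscrypt status` output layout shown in the constructed sample (a `Policy:` line followed by a PROTECTOR/LINKED/DESCRIPTION table) and that fscrypt describes pam_passphrase protectors as "login protector for <user>"; the function `add_extra_protector` is hypothetical.

```shell
#!/bin/sh
# Added example (not fscrypt's own code): the three manual steps from the issue,
# chained. ASSUMED output layout of `fscrypt status`: a "Policy:   <id>" line and a
# PROTECTOR/LINKED/DESCRIPTION table whose rows begin with a hex descriptor.
# Constructed sample of `fscrypt status test` output, used by the parsers below.
SAMPLE_STATUS='"test" is encrypted with fscrypt.

Policy:   16382f282d7b29ee
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED   DESCRIPTION
7626382168311a9d  Yes (/)  login protector for redsandro'

# Print the policy descriptor from status text on stdin (nothing if not encrypted).
parse_policy_id() { awk '$1 == "Policy:" { print $2; exit }'; }
# Hex first fields after the PROTECTOR header; stop at the POLICY table a mountpoint status prints.
parse_protector_ids() {
    awk '$1 == "PROTECTOR" { in_table = 1; next }
         $1 == "POLICY"    { in_table = 0 }
         in_table && length($1) >= 16 && $1 ~ /^[0-9a-f]+$/ { print $1 }'
}
# Succeed if a login (pam_passphrase) protector is already listed; assumes fscrypt
# describes them as "login protector for <user>".
has_login_protector() { grep -q 'login protector for'; }
# Print IDs present in newline-separated list $2 but absent from list $1.
new_protector_ids() {
    printf '%s\n' "$2" | while read -r id; do
        [ -n "$id" ] || continue
        case "$1" in *"$id"*) ;; *) echo "$id" ;; esac
    done
}
# add_extra_protector DIR MOUNTPOINT: the behaviour the issue asks of `fscrypt encrypt`.
add_extra_protector() {
    dir=$1; mnt=$2
    status=$(fscrypt status "$dir") || return 1
    policy=$(printf '%s\n' "$status" | parse_policy_id)
    [ -n "$policy" ] || { echo "$dir: no policy found" >&2; return 1; }
    echo "$dir is already encrypted with these protectors:"
    printf '%s\n' "$status" | parse_protector_ids
    printf '%s\n' "$status" | has_login_protector && echo "(login protector already in use)"
    before=$(fscrypt status "$mnt" | parse_protector_ids)
    fscrypt metadata create protector "$mnt" || return 1
    after=$(fscrypt status "$mnt" | parse_protector_ids)
    for id in $(new_protector_ids "$before" "$after"); do
        fscrypt metadata add-protector-to-policy --protector="$mnt:$id" --policy="$mnt:$policy"
    done
}
```

The new protector is identified by diffing the mountpoint's protector list before and after `create protector`, so no parsing of that command's own output is needed.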
@ebiggers commented:
Can you please file a new Github issue for this suggestion?