
stenc 2.0.0 no longer supports -kd

Open maciozo opened this issue 8 months ago • 0 comments

When ./scripts/encrypt calls stenc, the -kd flag is not recognised:

time="2024-06-24T20:19:43+01:00" level=info msg="+ ./stenc -f /dev/tape/by-id/scsi-HUJ414057K -e on -k /tmp/2888885715.key -kd AAA000 -a 1 --ckod"
time="2024-06-24T20:19:43+01:00" level=info msg="Usage: stenc [OPTION...]"
time="2024-06-24T20:19:43+01:00" level=info
time="2024-06-24T20:19:43+01:00" level=info msg="Mandatory arguments to long options are mandatory for short options too."
time="2024-06-24T20:19:43+01:00" level=info msg="  -f, --file=DEVICE        use DEVICE as the tape drive to operate on"
time="2024-06-24T20:19:43+01:00" level=info msg="  -e, --encrypt=ENC-MODE   set encryption mode to ENC-MODE"
time="2024-06-24T20:19:43+01:00" level=info msg="  -d, --decrypt=DEC-MODE   set decryption mode to DEC-MODE"
time="2024-06-24T20:19:43+01:00" level=info msg="  -k, --key-file=FILE      read encryption key and key descriptor from FILE,"
time="2024-06-24T20:19:43+01:00" level=info msg="                           or standard input when FILE is -"
time="2024-06-24T20:19:43+01:00" level=info msg="  -a, --algorithm=INDEX    use encryption algorithm INDEX"
time="2024-06-24T20:19:43+01:00" level=info msg="      --allow-raw-read     mark written blocks to allow raw reads of"
time="2024-06-24T20:19:43+01:00" level=info msg="                           encrypted data"
time="2024-06-24T20:19:43+01:00" level=info msg="      --no-allow-raw-read  mark written blocks to disallow raw reads of"
time="2024-06-24T20:19:43+01:00" level=info msg="                           encrypted data"
time="2024-06-24T20:19:43+01:00" level=info msg="      --ckod               clear key on demount of tape media"
time="2024-06-24T20:19:43+01:00" level=info msg="  -h, --help               print this usage statement and exit"
time="2024-06-24T20:19:43+01:00" level=info msg="      --version            print version information and exit"

It now expects the key descriptor to appear on a new line in the key file:

KEY INPUT SYNTAX
       stenc requires that all keys are entered as text hexadecimal strings,
       with no delimiters in between bytes.  Do not precede your key input
       with 0x.  When using a key file, the second line in the file can
       contain an optional key descriptor that will be displayed with the
       device status (see KEY DESCRIPTORS).

       Keys can be generated using any cryptographically secure entropy
       source, such as the random(4) device or the openssl(1SSL) suite of
       commands.  A 256-bit key file can be created with the following
       command:

              openssl rand -hex 32

       Example 128 bit key:

              000102030405060708090a0b0c0d0e0f

       Example 256 bit key:

              000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f

       Example 256 key file with key descriptor:

              000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
              April backup key

This can probably be worked around by either appending the descriptor in newKey(), or in ./scripts/encrypt.

maciozo Jun 24 '24 19:06
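The key-file layout quoted from the man page above, produced by a small shell helper of the kind `./scripts/encrypt` could call. This is an added example, not code from yatm or stenc; the function name `write_stenc_keyfile` is hypothetical, and it assumes `mktemp` is available.

```shell
#!/bin/sh
# Added example: write a stenc 2.x key file with the descriptor on line 2.
# write_stenc_keyfile is a hypothetical helper name, not part of yatm or stenc.

# Usage: write_stenc_keyfile HEXKEY [DESCRIPTOR]   -> prints the key file path
write_stenc_keyfile() (
    key=$1
    desc=${2-}
    nl='
'
    cr=$(printf '\r')

    # stenc wants bare hex text: no 0x prefix, no delimiters between bytes.
    case $key in
        ''|*[!0-9a-fA-F]*) echo "key must be bare hexadecimal" >&2; exit 1 ;;
    esac
    # The man page shows 128-bit and 256-bit keys (32 or 64 hex digits).
    case ${#key} in
        32|64) ;;
        *) echo "key must be 32 or 64 hex digits" >&2; exit 1 ;;
    esac
    # The descriptor is exactly one line; a line break inside it would
    # truncate it or leave stray lines in the key file.
    case $desc in
        *"$nl"*|*"$cr"*) echo "descriptor must be a single line" >&2; exit 1 ;;
    esac

    # mktemp creates the file with mode 0600, so other users cannot read the key.
    path=$(mktemp "${TMPDIR:-/tmp}/stenc-key.XXXXXX") || exit 1
    if [ -n "$desc" ]; then
        printf '%s\n%s\n' "$key" "$desc" > "$path"
    else
        printf '%s\n' "$key" > "$path"
    fi
    printf '%s\n' "$path"
)

# Call shape, taken from the logged command with -kd dropped:
#   keyfile=$(write_stenc_keyfile "$hexkey" "AAA000")
#   ./stenc -f "$device" -e on -k "$keyfile" -a 1 --ckod
#   rm -f "$keyfile"
```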