diff --git a/gocryptfs_main/main.go b/gocryptfs_main/main.go index d6ce064..600b6ab 100644 --- a/gocryptfs_main/main.go +++ b/gocryptfs_main/main.go @@ -1,7 +1,6 @@ package main import ( - "encoding/hex" "flag" "fmt" "io/ioutil" @@ -64,12 +63,14 @@ func main() { // Parse command line arguments var debug, init, zerokey, fusedebug, openssl bool + var masterkey string flag.BoolVar(&debug, "debug", false, "Enable debug output") flag.BoolVar(&fusedebug, "fusedebug", false, "Enable fuse library debug output") flag.BoolVar(&init, "init", false, "Initialize encrypted directory") flag.BoolVar(&zerokey, "zerokey", false, "Use all-zero dummy master key") flag.BoolVar(&openssl, "openssl", true, "Use OpenSSL instead of built-in Go crypto") + flag.StringVar(&masterkey, "masterkey", "", "Mount with explicit master key") var cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file") flag.Parse() @@ -114,7 +115,9 @@ func main() { key := make([]byte, cryptfs.KEY_LEN) if zerokey { fmt.Printf("Zerokey mode active: using all-zero dummy master key.\n") - fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n") + } else if len(masterkey) > 0 { + key = parseMasterKey(masterkey) + fmt.Printf("Using explicit master key.\n") } else { cfname := filepath.Join(cipherdir, cryptfs.ConfDefaultName) _, err = os.Stat(cfname) @@ -137,8 +140,12 @@ func main() { srv := pathfsFrontend(key, cipherdir, mountpoint, fusedebug, openssl) fmt.Printf("Mounted.\n") - if zerokey == false { + if zerokey == false && len(masterkey) == 0 { printMasterKey(key) + } else if zerokey == true { + fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n") + } else if len(masterkey) > 0 { + fmt.Printf("THE MASTER KEY IS VISIBLE VIA \"ps -auxwww\", ONLY USE THIS MODE FOR EMERGENCIES.\n") } // Send notification to our parent @@ -147,35 +154,6 @@ func main() { srv.Serve() } -// printMasterKey - remind the user that he should store the master key in -// a safe place -func printMasterKey(key []byte) { - h := hex.EncodeToString(key) - var hChunked string - - // Try to make it less scary by splitting it up in chunks - for i := 0; i < len(h); i+=8 { - hChunked += h[i:i+8] - if i < 52 { - hChunked += "-" - } - if i == 24 { - hChunked += "\n " - } - } - - fmt.Printf(` -ATTENTION: - - Your master key is: %s - -If the gocryptfs.conf file becomes corrupted or you ever forget your password, -there is only one hope for recovery: The master key. Print it to a piece of -paper and store it in a drawer. - -`, hChunked) -} - func readPasswordTwice() string { fmt.Printf("Password: ") p1 := readPassword() diff --git a/gocryptfs_main/masterkey.go b/gocryptfs_main/masterkey.go new file mode 100644 index 0000000..205f2ab --- /dev/null +++ b/gocryptfs_main/masterkey.go @@ -0,0 +1,54 @@ +package main + +import ( + "os" + "fmt" + "encoding/hex" + "strings" + "github.com/rfjakob/gocryptfs/cryptfs" +) + + +// printMasterKey - remind the user that he should store the master key in +// a safe place +func printMasterKey(key []byte) { + h := hex.EncodeToString(key) + var hChunked string + + // Try to make it less scary by splitting it up in chunks + for i := 0; i < len(h); i+=8 { + hChunked += h[i:i+8] + if i < 52 { + hChunked += "-" + } + if i == 24 { + hChunked += "\n " + } + } + + fmt.Printf(` +ATTENTION: + + Your master key is: %s + +If the gocryptfs.conf file becomes corrupted or you ever forget your password, +there is only one hope for recovery: The master key. Print it to a piece of +paper and store it in a drawer. + +`, hChunked) +} + +// Parse a hex-encoded master key that was passed on the command line +func parseMasterKey(masterkey string) []byte { + masterkey = strings.Replace(masterkey, "-", "", -1) + key, err := hex.DecodeString(masterkey) + if err != nil { + fmt.Printf("Could not parse master key: %v\n", err) + os.Exit(1) + } + if len(key) != cryptfs.KEY_LEN { + fmt.Printf("Master key has length %d but we require length %d\n", len(key), cryptfs.KEY_LEN) + os.Exit(1) + } + return key +}