Add "--masterkey=" parameter for recovery purposes

This commit is contained in:
Jakob Unterwurzacher 2015-10-06 21:16:39 +02:00
parent 5c6df49067
commit 45ea8aa546
2 changed files with 64 additions and 32 deletions


@ -1,7 +1,6 @@
package main package main
import ( import (
"encoding/hex"
"flag" "flag"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -64,12 +63,14 @@ func main() {
// Parse command line arguments // Parse command line arguments
var debug, init, zerokey, fusedebug, openssl bool var debug, init, zerokey, fusedebug, openssl bool
var masterkey string
flag.BoolVar(&debug, "debug", false, "Enable debug output") flag.BoolVar(&debug, "debug", false, "Enable debug output")
flag.BoolVar(&fusedebug, "fusedebug", false, "Enable fuse library debug output") flag.BoolVar(&fusedebug, "fusedebug", false, "Enable fuse library debug output")
flag.BoolVar(&init, "init", false, "Initialize encrypted directory") flag.BoolVar(&init, "init", false, "Initialize encrypted directory")
flag.BoolVar(&zerokey, "zerokey", false, "Use all-zero dummy master key") flag.BoolVar(&zerokey, "zerokey", false, "Use all-zero dummy master key")
flag.BoolVar(&openssl, "openssl", true, "Use OpenSSL instead of built-in Go crypto") flag.BoolVar(&openssl, "openssl", true, "Use OpenSSL instead of built-in Go crypto")
flag.StringVar(&masterkey, "masterkey", "", "Mount with explicit master key")
var cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file") var cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file")
flag.Parse() flag.Parse()
@ -114,7 +115,9 @@ func main() {
key := make([]byte, cryptfs.KEY_LEN) key := make([]byte, cryptfs.KEY_LEN)
if zerokey { if zerokey {
fmt.Printf("Zerokey mode active: using all-zero dummy master key.\n") fmt.Printf("Zerokey mode active: using all-zero dummy master key.\n")
fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n") } else if len(masterkey) > 0 {
key = parseMasterKey(masterkey)
fmt.Printf("Using explicit master key.\n")
} else { } else {
cfname := filepath.Join(cipherdir, cryptfs.ConfDefaultName) cfname := filepath.Join(cipherdir, cryptfs.ConfDefaultName)
_, err = os.Stat(cfname) _, err = os.Stat(cfname)
@ -137,8 +140,12 @@ func main() {
srv := pathfsFrontend(key, cipherdir, mountpoint, fusedebug, openssl) srv := pathfsFrontend(key, cipherdir, mountpoint, fusedebug, openssl)
fmt.Printf("Mounted.\n") fmt.Printf("Mounted.\n")
if zerokey == false { if zerokey == false && len(masterkey) == 0 {
printMasterKey(key) printMasterKey(key)
} else if zerokey == true {
fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n")
} else if len(masterkey) > 0 {
fmt.Printf("THE MASTER KEY IS VISIBLE VIA \"ps -auxwww\", ONLY USE THIS MODE FOR EMERGENCIES.\n")
} }
// Send notification to our parent // Send notification to our parent
@ -147,35 +154,6 @@ func main() {
srv.Serve() srv.Serve()
} }
// printMasterKey - remind the user that he should store the master key in
// a safe place
func printMasterKey(key []byte) {
h := hex.EncodeToString(key)
var hChunked string
// Try to make it less scary by splitting it up in chunks
for i := 0; i < len(h); i+=8 {
hChunked += h[i:i+8]
if i < 52 {
hChunked += "-"
}
if i == 24 {
hChunked += "\n "
}
}
fmt.Printf(`
ATTENTION:
Your master key is: %s
If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer.
`, hChunked)
}
func readPasswordTwice() string { func readPasswordTwice() string {
fmt.Printf("Password: ") fmt.Printf("Password: ")
p1 := readPassword() p1 := readPassword()
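Review bot: The two key-source flags are never checked for mutual exclusion, so `-zerokey -masterkey=…` silently takes the zerokey branch while the explicit key is ignored, and the warning block after "Mounted." then prints the ZEROKEY message even though a master key was supplied on the command line. A check right after `flag.Parse()` would make the conflict explicit: `if zerokey && masterkey != "" { fmt.Printf("-zerokey and -masterkey are mutually exclusive\n"); os.Exit(1) }`. As a style point, the new conditions `zerokey == false && len(masterkey) == 0` and `zerokey == true` read more idiomatically as `!zerokey && masterkey == ""` and `zerokey`, and the final `else if len(masterkey) > 0` is the only remaining case once the first two are excluded, so a plain `else` would do. main() starts and ends outside the shown hunks.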


@ -0,0 +1,54 @@
package main
import (
"os"
"fmt"
"encoding/hex"
"strings"
"github.com/rfjakob/gocryptfs/cryptfs"
)
// printMasterKey - remind the user that he should store the master key in
// a safe place
func printMasterKey(key []byte) {
h := hex.EncodeToString(key)
var hChunked string
// Try to make it less scary by splitting it up in chunks
for i := 0; i < len(h); i+=8 {
hChunked += h[i:i+8]
if i < 52 {
hChunked += "-"
}
if i == 24 {
hChunked += "\n "
}
}
fmt.Printf(`
ATTENTION:
Your master key is: %s
If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer.
`, hChunked)
}
// Parse a hex-encoded master key that was passed on the command line
func parseMasterKey(masterkey string) []byte {
masterkey = strings.Replace(masterkey, "-", "", -1)
key, err := hex.DecodeString(masterkey)
if err != nil {
fmt.Printf("Could not parse master key: %v\n", err)
os.Exit(1)
}
if len(key) != cryptfs.KEY_LEN {
fmt.Printf("Master key has length %d but we require length %d\n", len(key), cryptfs.KEY_LEN)
os.Exit(1)
}
return key
}
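Review bot: parseMasterKey only strips "-" but the format printMasterKey emits for the user also contains a line break and a leading space (`"\n "` after the fourth chunk), so a key pasted back exactly as it was printed fails hex decoding with a confusing error. Stripping all whitespace before the dash removal closes that gap: `masterkey = strings.Join(strings.Fields(masterkey), "")` followed by the existing `strings.Replace` call. The chunking constants `52` and `24` in printMasterKey implicitly assume a 64-character hex string, which is fine while `cryptfs.KEY_LEN` is 32 bytes but deserves a comment such as `// chunk layout assumes KEY_LEN == 32 (64 hex chars)`. The import block mixes stdlib and the project package in one unsorted group; goimports would put the four stdlib imports first, sorted, with the cryptfs import in a separate group.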