Add "--masterkey=" parameter for recovery purposes

gocryptfs_main/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"encoding/hex"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -64,12 +63,14 @@ func main() {
 
 	// Parse command line arguments
 	var debug, init, zerokey, fusedebug, openssl bool
+	var masterkey string
 
 	flag.BoolVar(&debug, "debug", false, "Enable debug output")
 	flag.BoolVar(&fusedebug, "fusedebug", false, "Enable fuse library debug output")
 	flag.BoolVar(&init, "init", false, "Initialize encrypted directory")
 	flag.BoolVar(&zerokey, "zerokey", false, "Use all-zero dummy master key")
 	flag.BoolVar(&openssl, "openssl", true, "Use OpenSSL instead of built-in Go crypto")
+	flag.StringVar(&masterkey, "masterkey", "", "Mount with explicit master key")
 	var cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file")
 
 	flag.Parse()
@@ -114,7 +115,9 @@ func main() {
 	key := make([]byte, cryptfs.KEY_LEN)
 	if zerokey {
 		fmt.Printf("Zerokey mode active: using all-zero dummy master key.\n")
-		fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n")
+	} else if len(masterkey) > 0 {
+		key = parseMasterKey(masterkey)
+		fmt.Printf("Using explicit master key.\n")
 	} else {
 		cfname := filepath.Join(cipherdir, cryptfs.ConfDefaultName)
 		_, err = os.Stat(cfname)
@@ -137,8 +140,12 @@ func main() {
 	srv := pathfsFrontend(key, cipherdir, mountpoint, fusedebug, openssl)
 	fmt.Printf("Mounted.\n")
 
-	if zerokey == false {
+	if zerokey == false && len(masterkey) == 0 {
 		printMasterKey(key)
+	} else if zerokey == true {
+		fmt.Printf("ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING.\n")
+	} else if len(masterkey) > 0 {
+		fmt.Printf("THE MASTER KEY IS VISIBLE VIA \"ps -auxwww\", ONLY USE THIS MODE FOR EMERGENCIES.\n")
 	}
 
 	// Send notification to our parent
@@ -147,35 +154,6 @@ func main() {
 	srv.Serve()
 }
 
-// printMasterKey - remind the user that he should store the master key in
-// a safe place
-func printMasterKey(key []byte) {
-	h := hex.EncodeToString(key)
-	var hChunked string
-
-	// Try to make it less scary by splitting it up in chunks
-	for i := 0; i < len(h); i+=8 {
-		hChunked += h[i:i+8]
-		if i < 52 {
-			hChunked += "-"
-		}
-		if i == 24 {
-			hChunked += "\n                      "
-		}
-	}
-
-	fmt.Printf(`
-ATTENTION:
-
-  Your master key is: %s
-
-If the gocryptfs.conf file becomes corrupted or you ever forget your password,
-there is only one hope for recovery: The master key. Print it to a piece of
-paper and store it in a drawer.
-
-`, hChunked)
-}
-
 func readPasswordTwice() string {
 	fmt.Printf("Password: ")
 	p1 := readPassword()

gocryptfs_main/masterkey.go

@@ -0,0 +1,54 @@
+package main
+
+import (
+	"os"
+	"fmt"
+	"encoding/hex"
+	"strings"
+	"github.com/rfjakob/gocryptfs/cryptfs"
+)
+
+
+// printMasterKey - remind the user that he should store the master key in
+// a safe place
+func printMasterKey(key []byte) {
+	h := hex.EncodeToString(key)
+	var hChunked string
+
+	// Try to make it less scary by splitting it up in chunks
+	for i := 0; i < len(h); i+=8 {
+		hChunked += h[i:i+8]
+		if i < 52 {
+			hChunked += "-"
+		}
+		if i == 24 {
+			hChunked += "\n                      "
+		}
+	}
+
+	fmt.Printf(`
+ATTENTION:
+
+  Your master key is: %s
+
+If the gocryptfs.conf file becomes corrupted or you ever forget your password,
+there is only one hope for recovery: The master key. Print it to a piece of
+paper and store it in a drawer.
+
+`, hChunked)
+}
+
+// Parse a hex-encoded master key that was passed on the command line
+func parseMasterKey(masterkey string) []byte {
+	masterkey = strings.Replace(masterkey, "-", "", -1)
+	key, err := hex.DecodeString(masterkey)
+	if err != nil {
+		fmt.Printf("Could not parse master key: %v\n", err)
+		os.Exit(1)
+	}
+	if len(key) != cryptfs.KEY_LEN {
+		fmt.Printf("Master key has length %d but we require length %d\n", len(key), cryptfs.KEY_LEN)
+		os.Exit(1)
+	}
+	return key
+}