mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 11:00:25 +00:00
f8faffac89
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
132 lines
4.5 KiB
Go
132 lines
4.5 KiB
Go
/*
|
|
* recovery.go - support for generating recovery passphrases
|
|
*
|
|
* Copyright 2019 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
* use this file except in compliance with the License. You may obtain a copy of
|
|
* the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations under
|
|
* the License.
|
|
*/
|
|
|
|
package actions
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"strconv"
|
|
|
|
"github.com/google/fscrypt/crypto"
|
|
"github.com/google/fscrypt/metadata"
|
|
"github.com/google/fscrypt/util"
|
|
)
|
|
|
|
// modifiedContextWithSource returns a copy of ctx with the protector source
|
|
// replaced by source.
|
|
func modifiedContextWithSource(ctx *Context, source metadata.SourceType) *Context {
|
|
modifiedConfig := *ctx.Config
|
|
modifiedConfig.Source = source
|
|
modifiedCtx := *ctx
|
|
modifiedCtx.Config = &modifiedConfig
|
|
return &modifiedCtx
|
|
}
|
|
|
|
// AddRecoveryPassphrase randomly generates a recovery passphrase and adds it as
|
|
// a custom_passphrase protector for the given Policy.
|
|
func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protector, error) {
|
|
// 20 random characters in a-z is 94 bits of entropy, which is way more
|
|
// than enough for a passphrase which still goes through the usual
|
|
// passphrase hashing which makes it extremely costly to brute force.
|
|
passphrase, err := crypto.NewRandomPassphrase(20)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
defer func() {
|
|
if err != nil {
|
|
passphrase.Wipe()
|
|
}
|
|
}()
|
|
getPassphraseFn := func(info ProtectorInfo, retry bool) (*crypto.Key, error) {
|
|
// CreateProtector() wipes the passphrase, but in this case we
|
|
// still need it for later, so make a copy.
|
|
return passphrase.Clone()
|
|
}
|
|
var recoveryProtector *Protector
|
|
customCtx := modifiedContextWithSource(policy.Context, metadata.SourceType_custom_passphrase)
|
|
seq := 1
|
|
for {
|
|
// Automatically generate a name for the recovery protector.
|
|
name := "Recovery passphrase for " + dirname
|
|
if seq != 1 {
|
|
name += " (" + strconv.Itoa(seq) + ")"
|
|
}
|
|
recoveryProtector, err = CreateProtector(customCtx, name, getPassphraseFn, policy.ownerIfCreating)
|
|
if err == nil {
|
|
break
|
|
}
|
|
if _, ok := err.(*ErrProtectorNameExists); !ok {
|
|
return nil, nil, err
|
|
}
|
|
seq++
|
|
}
|
|
if err := policy.AddProtector(recoveryProtector); err != nil {
|
|
recoveryProtector.Revert()
|
|
return nil, nil, err
|
|
}
|
|
return passphrase, recoveryProtector, nil
|
|
}
|
|
|
|
// WriteRecoveryInstructions writes a recovery passphrase and instructions to a
|
|
// file. This file should initially be located in the encrypted directory
|
|
// protected by the passphrase itself. It's up to the user to store the
|
|
// passphrase in a different location if they actually need it.
|
|
func WriteRecoveryInstructions(recoveryPassphrase *crypto.Key, recoveryProtector *Protector,
|
|
policy *Policy, path string) error {
|
|
file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer file.Close()
|
|
str := fmt.Sprintf(
|
|
`fscrypt automatically generated a recovery passphrase for this directory:
|
|
|
|
%s
|
|
|
|
It did this because you chose to protect this directory with your login
|
|
passphrase, but this directory is not on the root filesystem.
|
|
|
|
Copy this passphrase to a safe place if you want to still be able to unlock this
|
|
directory if you re-install the operating system or connect this storage media
|
|
to a different system (which would result in your login protector being lost).
|
|
|
|
To unlock this directory using this recovery passphrase, run 'fscrypt unlock'
|
|
and select the protector named %q.
|
|
|
|
If you want to disable recovery passphrase generation (not recommended),
|
|
re-create this directory and pass the --no-recovery option to 'fscrypt encrypt'.
|
|
Alternatively, you can remove this recovery passphrase protector using:
|
|
|
|
fscrypt metadata remove-protector-from-policy --force --protector=%s:%s --policy=%s:%s
|
|
|
|
It is safe to keep it around though, as the recovery passphrase is high-entropy.
|
|
`, recoveryPassphrase.Data(), recoveryProtector.data.Name,
|
|
recoveryProtector.Context.Mount.Path, recoveryProtector.data.ProtectorDescriptor,
|
|
policy.Context.Mount.Path, policy.data.KeyDescriptor)
|
|
if _, err = file.WriteString(str); err != nil {
|
|
return err
|
|
}
|
|
if recoveryProtector.ownerIfCreating != nil {
|
|
if err = util.Chown(file, recoveryProtector.ownerIfCreating); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return file.Sync()
|
|
}
|