Age | Commit message (Collapse) | Author |
|
readpassword.Trezor() is not implemented yet and returns
a hardcoded dummy key.
|
|
Don't dump the help text on the unsuspecting user, but
give a short error message:
$ gocryptfs -foobar
flag provided but not defined: -foobar
Invalid command line: gocryptfs -foobar. Try 'gocryptfs -help'.
For comparison: This is what cp does:
$ cp --foo
cp: unrecognized option '--foo'
Try 'cp --help' for more information.
And this what we used to do:
$ gocryptfs -foobar
flag provided but not defined: -foobar
gocryptfs v1.4.4-45-gfb772da; go-fuse v20170619-35-gb16719c; 2018-06-08 go1.10.2
Usage: gocryptfs -init|-passwd|-info [OPTIONS] CIPHERDIR
or gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT
Common Options (use -hh to show all):
-aessiv Use AES-SIV encryption (with -init)
-allow_other Allow other users to access the mount
-config Custom path to config file
-ctlsock Create control socket at location
-extpass Call external program to prompt for the password
-fg Stay in the foreground
-fusedebug Debug FUSE calls
-h, -help This short help text
-hh Long help text with all options
-init Initialize encrypted directory
-info Display information about encrypted directory
-masterkey Mount with explicit master key instead of password
-nonempty Allow mounting over non-empty directory
-nosyslog Do not redirect log messages to syslog
-passfile Read password from file
-passwd Change password
-plaintextnames Do not encrypt file names (with -init)
-q, -quiet Silence informational messages
-reverse Enable reverse mode
-ro Mount read-only
-speed Run crypto speed test
-version Print version information
-- Stop option parsing
You passed: "-foobar"
flag provided but not defined: -foobar
|
|
When mounted via /etc/fstab like this,
/a /b fuse.gocryptfs default 0 0
we always get extra options passed. As reported by @mahkoh
at https://github.com/rfjakob/gocryptfs/pull/233 :
mount passes `-o noexec` if `-o user` is set and `-o exec` is not set.
If both `-o user` and `-o exec` are set, it passes `-o exec`.
Make these options work, and in addtion, also make -suid and -rw
work the same way.
Reported-by: @mahkoh
|
|
By returning an error instead of calling os.Exit,
error cases can be tested easily. Error cases
were not tested until now.
|
|
The fsck operation is not yet implemented, this commits
just adds the flag and improves cli flag handling.
|
|
Allows to use /dev/random for generating the master key instead of the
default Go implementation. When the kernel random generator has been
properly initialized both are considered equally secure, however:
* Versions of Go prior to 1.9 just fall back to /dev/urandom if the
getrandom() syscall would be blocking (Go Bug #19274)
* Kernel versions prior to 3.17 do not support getrandom(), and there
is no check if the random generator has been properly initialized
before reading from /dev/urandom
This is especially useful for embedded hardware with low-entroy. Please
note that generation of the master key might block indefinitely if the
kernel cannot harvest enough entropy.
|
|
At the moment, it does two things:
1. Disable stat() caching so changes to the backing storage show up
immediately.
2. Disable hard link tracking, as the inode numbers on the backing
storage are not stable when files are deleted and re-created behind
our back. This would otherwise produce strange "file does not exist"
and other errors.
Mitigates https://github.com/rfjakob/gocryptfs/issues/156
|
|
https://goreportcard.com/report/github.com/rfjakob/gocryptfs#misspell
|
|
Uses the runtime/trace functionality.
TODO: add to man page.
|
|
|
|
Pretty-prints the config while stripping out sensitive
(and uninteresting) data
https://github.com/rfjakob/gocryptfs/issues/111
|
|
We have accumulated so many options over time that they
no longer fit on the screen.
Display only a useful subset of options to the user unless
they pass "-hh".
|
|
This commit defines all exit codes in one place in the exitcodes
package.
Also, it adds a test to verify the exit code on incorrect
password, which is what SiriKali cares about the most.
Fixes https://github.com/rfjakob/gocryptfs/issues/77 .
|
|
Includes test cases.
|
|
...and fix a few golint issues and print a scary warning message on mount.
Also, force the fs to ro,noexec.
|
|
Force decode of encrypted files even if the integrity check fails, instead of
failing with an IO error. Warning messages are still printed to syslog if corrupted
files are encountered.
It can be useful to recover files from disks with bad sectors or other corrupted
media.
Closes https://github.com/rfjakob/gocryptfs/pull/102 .
|
|
* Further explain the use of 'scryptn' parameter
* Further explain the use of 'scryptn' parameter in MANPAGE
* Use 28 as reasonable upper limit
|
|
Due to kernel readahead, we usually get multiple read requests
at the same time. These get submitted to the backing storage in
random order, which is a problem if seeking is very expensive.
Details: https://github.com/rfjakob/gocryptfs/issues/92
|
|
This brings the CLI options back in sync with the default
feature flags.
|
|
This commit also enables actually passing the HKDF setting to
fusefrontend, this was missing till now.
|
|
A crypto benchmark mode like "openssl speed".
Example run:
$ ./gocryptfs -speed
AES-GCM-256-OpenSSL 180.89 MB/s (selected in auto mode)
AES-GCM-256-Go 48.19 MB/s
AES-SIV-512-Go 37.40 MB/s
|
|
...and while we are at it, also filenames starting with "-".
|
|
As requested in https://github.com/rfjakob/gocryptfs/issues/73 .
|
|
Both are achieved by opening the socket from main and passing
it to the ctlsock package instead of passing the path.
|
|
Preallocation is very slow on hdds that run btrfs. Give the
user the option to disable it. This greatly speeds up small file
operations but reduces the robustness against out-of-space errors.
Also add the option to the man page.
More info: https://github.com/rfjakob/gocryptfs/issues/63
|
|
At the moment, in forward mode you can only encrypt paths
and in reverse mode you can only decrypt paths.
|
|
"-f" looks too much like "--force". The old variant is still
accepted for compatability.
|
|
Through base64.RawURLEncoding.
New command-line parameter "-raw64".
|
|
Close https://github.com/rfjakob/gocryptfs/issues/54
|
|
"The options -extpass and -masterkey cannot be used at the same time"
|
|
Binds it to a dummy variable so it appears in the help text.
|
|
Moving "-o" to the end broke a third-party app, SiriKali.
Breaking your users is bad, so let's accept "-o" anywhere.
|
|
|
|
Make it easier to read the password from a file. Internally this
is equivalent to "-extpass /bin/cat FILE".
|
|
When called from mount, we always get either "suid" or "nosuid".
As "nosuid" is the default, just ignore the options. Same for
the other options.
|
|
For compatability with mount(1), options are also accepted as
"-o COMMA-SEPARATED-OPTIONS" at the end of the command line.
For example, "-o q,zerokey" is equivalent to "-q -zerokey".
|
|
This prevents confusion with the "-o" options that is passed
by mount(1) at the end of the command line.
|
|
Only in plaintextnames-mode AND with the config file at the
default location it will be mapped into the mountpoint.
Also adds a test for that.
|
|
|
|
|
|
GCM-SIV is not yet finalized, and the reference implemenation is
painfully slow at about 2 MB/s. Switch to AES-SIV.
|
|
|
|
|
|
The main function has gotten way too big.
|