nh2
commented
1 year ago Another scripting pain point:
fscrypt unlock fails if already unlocked, and provides no way to check if it is.
So one has to resort to brittle stderr parsing for automatic unlocking:
LANG=C fscrypt unlock mydir/ --key secret.key 2>&1 >/dev/null | grep "already unlocked"if one still wants other unlocking errors to manifest as exit codes.
jamesps-ebi
I'm scripting the creation of some encrypted ext4 folders by calling the
fscryptCLI.While most of the CLI seems designed for scriptability (prompts can be overridden by passing the information with CLI arguments), an unresolved pain point seems to be key names:
fscrypt metadata create protectoras described here, or usingfscrypt encrypt, requires passing--name.there is already a protector named "myname".The only workaround seems to be parsing the output of
fscrypt status /, which does not look very stable at all.The bash completion currently does that in this ugly parsing hack:
https://github.com/google/fscrypt/blob/97700817e737eabf45033cdb4a42fa5c6e74f877/cmd/fscrypt/fscrypt_bash_completion#L86-L94
Other parts of
fscryptprovide programmatic queries of whether something already exists, e.g. to check whether a dir is already encrypted one can check the status code offscrypt status, which as per--helpSome ideas to improve scriptability:
--jsonflag that turns all output into JSON, similar to how Hashicorp tools likeconsulprovide it. There's the request for #175 but things as simple as key creation should be possible also from the command line.fscrypt metadata create protectorsucceed instead of fail if the key name already exists AND the given--source raw_key --keyis the same as the one already stored (that is, make it idempotent), or add a flag to get that behaviour.