-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Poor scriptability due to --name not being easily checkable #376
Comments
Another scripting pain point:
So one has to resort to brittle stderr parsing for automatic unlocking: LANG=C fscrypt unlock mydir/ --key secret.key 2>&1 >/dev/null | grep "already unlocked" if one still wants other unlocking errors to manifest as exit codes. |
+1 for some form of lock/unlock check. Being able to determine if a folder is locked or unlocked would be essential for using fscrypt in more complex scripts. |
I'm scripting the creation of some encrypted ext4 folders by calling the
fscrypt
CLI.While most of the CLI seems designed for scriptability (prompts can be overridden by passing the information with CLI arguments), an unresolved pain point seems to be key names:
fscrypt metadata create protector
as described here, or usingfscrypt encrypt
, requires passing--name
.there is already a protector named "myname"
.The only workaround seems to be parsing the output of
fscrypt status /
, which does not look very stable at all.The bash completion currently does that in this ugly parsing hack:
fscrypt/cmd/fscrypt/fscrypt_bash_completion
Lines 86 to 94 in 9770081
Other parts of
fscrypt
provide programmatic queries of whether something already exists, e.g. to check whether a dir is already encrypted one can check the status code offscrypt status
, which as per--help
Some ideas to improve scriptability:
--json
flag that turns all output into JSON, similar to how Hashicorp tools likeconsul
provide it.There's the request for Stable library API #175 but things as simple as key creation should be possible also from the command line.
fscrypt metadata create protector
succeed instead of fail if the key name already exists AND the given--source raw_key --key
is the same as the one already stored (that is, make it idempotent), or add a flag to get that behaviour.The text was updated successfully, but these errors were encountered: