git.apps.os.sepia.ceph.com Git - fscrypt.git/commit

author	Eric Biggers <ebiggers@google.com>
	Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)
committer	Eric Biggers <ebiggers@google.com>
	Mon, 23 Mar 2020 20:20:27 +0000 (13:20 -0700)
commit	ec85cc8f987647c2b264c1f95dadda0f71c3d991
tree	5695c9a84004ec40a9cb3d774c6bb2aa9503e605	tree \| snapshot
parent	ae886a89f541a74255c9a41f7fa504a82ee6413e	commit \| diff

Create /etc/fscrypt.conf with policy_version 2 on kernel v5.4+

v2 encryption policies are now recommended, due to various security and
usability advantages over v1 policies. Many people have been running
into the usability problems with v1, so it's desirable to get people
onto v2 without having to manually opt-in.

Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable
policy_version 2 automatically if the kernel supports it.

I decided to go with this solution over the policy_version "auto" I
suggested originally because this way is simpler, it can still be
changed to "auto" later if desired, and "auto" might require changing
how we parse the config file (since currently the config file is mapped
directly to a protobuf where policy_version is an 'int' and is shared
with EncryptionOptions).

Resolves https://github.com/google/fscrypt/issues/182

actions/config.go		diff \| blob \| history
actions/config_test.go		diff \| blob \| history
actions/context_test.go		diff \| blob \| history
cmd/fscrypt/setup.go		diff \| blob \| history
util/util.go		diff \| blob \| history
util/util_test.go		diff \| blob \| history