feat: provide additional clarity around key management (#2467)
* feat: add help text for key management

There's been a number of help requests lately that seem to stem from a
misunderstanding around key management.

All machines connected to sync must use the same encryption key. The key
is up to the user to manage, as if we had access to it then the
encryption wouldn't make sense.

In the future, we should verify that the key provided matches what has
been used to encrypt existing data.

* never generate a new key on login
ellie authored Dec 5, 2024
1 parent c5c5e9d commit 5dcccad
Showing 2 changed files with 11 additions and 3 deletions.
11 changes: 8 additions & 3 deletions crates/atuin/src/command/client/account/login.rs
Expand Up @@ -6,7 +6,7 @@ use tokio::{fs::File, io::AsyncWriteExt};

use atuin_client::{
api_client,
encryption::{decode_key, encode_key, load_key, new_key, Key},
encryption::{decode_key, encode_key, load_key, Key},
record::sqlite_store::SqliteStore,
record::store::Store,
settings::Settings,
Expand Down Expand Up @@ -55,6 +55,12 @@ impl Cmd {
let key_path = settings.key_path.as_str();
let key_path = PathBuf::from(key_path);

println!("IMPORTANT");
println!("If you are already logged in on another machine, you must ensure that the key you use here is the same as the key you used there.");
println!("You can find your key by running 'atuin key' on the other machine");
println!("Do not share this key with anyone");
println!("\nRead more here: https://docs.atuin.sh/guide/sync/#login \n");

let key = or_user_input(&self.key, "encryption key [blank to use existing key file]");

// if provided, the key may be EITHER base64, or a bip mnemonic
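Review bot: the five `println!` lines sit before `or_user_input(&self.key, ...)`, so the notice goes to stdout on every login, including runs where `self.key` is already set and the user is not being asked for anything. Consider emitting it only on the path that actually prompts, or switching to `eprintln!` so that scripted logins do not get the banner mixed into stdout. The wording itself is good; keeping "Do not share this key with anyone" next to the instruction to run 'atuin key' is the right place for it.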
Expand Down Expand Up @@ -97,8 +103,7 @@ impl Cmd {
bail!("the key in existing key file was invalid");
}
} else {
println!("No key file exists, creating a new");
let _key = new_key(settings)?;
panic!("No key provided. Please use 'atuin key' on your other machine, or recover your key from a backup.")
}
} else if !key_path.exists() {
if decode_key(key.clone()).is_err() {
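Review bot: the new `else` branch reports a missing key with `panic!`, while the branch directly above it uses `bail!("the key in existing key file was invalid")`. A blank answer with no key file is an expected user error, not a bug, so it should go through the same error path; suggest `bail!("No key provided. Please use 'atuin key' on your other machine, or recover your key from a backup.")`. Dropping the `new_key(settings)` call is the important part of this hunk and looks right: silently creating a second key on login is what leaves machines unable to decrypt each other's records.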
3 changes: 3 additions & 0 deletions crates/atuin/src/command/client/account/register.rs
Expand Up @@ -51,5 +51,8 @@ pub async fn run(

let _key = atuin_client::encryption::load_key(settings)?;

println!("Registration successful! Please make a note of your key (run 'atuin key') and keep it safe.");
println!("You will need it to log in on other devices, and we cannot help recover it if you lose it.");

Ok(())
}
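Review bot: the two `println!` lines after `load_key(settings)?` tell the user to record the key, but unlike the login banner they omit both the "Do not share this key with anyone" warning and the https://docs.atuin.sh/guide/sync/#login link. Registration is the first time the user is pointed at 'atuin key', so the same two lines belong here as well to keep the messages consistent.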
