Master key in quiet/background mode

[phpony]

Right now I'm using cryptor as GUI for gocryptfs. I've created all my vaults manually and have my master keys in safe place. But when I've tried to create new vault with GUI app something was missing there: GUI apps don't have access and don't display master keys.

cryptor creates vaults by calling gocryptfs with -q option and does not display master key afterwards.

https://github.com/moson-mo/cryptor/blob/600330322f93e8e13297f978641f0254e39dfd03/src/Gocrypt.vala#L9-L14

                string cmd = "gocryptfs -init -q ";
                if (reverse) {
                    cmd += "-reverse ";
                }
                cmd += " -passfile " + pfile.get_path () + " -- " + path;
                Process.spawn_command_line_sync (cmd, null, out standard_error, out status);

And seems like it can't do it, because quiet mode suppresses the printing of master key:

https://github.com/rfjakob/gocryptfs/blob/9958b63931aee613d5f97a8e7137efa3fb118343/internal/tlog/log.go#L173C1-L182C3

func PrintMasterkeyReminder(key []byte) {
	if !Info.Enabled {
		// Quiet mode
		return
	}
	if !term.IsTerminal(int(os.Stdout.Fd())) {
		// We don't want the master key to end up in a log file
		Info.Printf("Not running on a terminal, suppressing master key display\n")
		return
	}

There's also additional check for proper terminal to make sure no master key leaks anywhere except to the proper terminal window.

There's 2 ways to solve this: GUI app should emulate a proper terminal and run gocryptfs in it (which breaks the whole GUI idea) or there should be additional option to provide the path to the file where to store the masterkey. Something like:

gocryptfs  -init -q -passfile=/tmp/pass -masterkey=/tmp/masterkey -- /mnt/crypt

With this option 3rd-party GUI apps will be able to read master key from this file, delete it and show the key once to the user with all proper instructions how to store it and what is it for.

Is it possible to implement something like this in next releases? Or there are other better ways to init vault and achieve Master key from 3rd-party GUI?

[phpony]

We can walk around this limitation using this method. But it's a bit stupid approach with a taste of resources wasting and as most "hacks" is a potential source of bugs and errors in future.

[rfjakob]

Hi, please use "gocryptfs-xray -dumpmasterkey"

…

On Fri, 26 Jan 2024, 10:43 Volkov Maksim, ***@***.***> wrote: We can walk around this limitation using this method <#774>. But it's a bit stupid approach with a taste of resources wasting and as most "hacks" is a potential source of bugs and errors in future. — Reply to this email directly, view it on GitHub <#821 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACGA757KVUTEDOZUIGIARTYQN3DDAVCNFSM6AAAAABCJRKPPKVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DENJUHAYDM> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[phpony]

Thanks for reply! Yep, it works, but seems like it does not support -passfile=/file parameter? There's only interactive prompt for password with this tool?

[rfjakob]

No -passfile unfortunately, but you can do this:

gocryptfs-xray -dumpmasterkey myfs/gocryptfs.conf < passfile.txt

[phpony]

Thanks! It's implemented in cryptor now)