After setting a new passphrase, the previous key is left untouched. This
revokes the old key, preventing future actions from using it in error.
Signed-off-by: Colin Gillespie <colin@cgillespie.xyz>
die("error encrypting key");
crypt->key = new_key;
+ bch2_revoke_key(c->disk_sb.sb);
bch2_write_super(c);
bch2_fs_stop(c);
return 0;
return ret;
}
+int bch2_revoke_key(struct bch_sb *sb)
+{
+ key_serial_t key_id;
+ struct printbuf key_description = PRINTBUF;
+
+ prt_printf(&key_description, "bcachefs:");
+ pr_uuid(&key_description, sb->user_uuid.b);
+
+ key_id = request_key("user", key_description.buf, NULL, KEY_SPEC_USER_KEYRING);
+ printbuf_exit(&key_description);
+ if (key_id < 0)
+ return errno;
+
+ keyctl_revoke(key_id);
+
+ return 0;
+}
+
int bch2_decrypt_sb_key(struct bch_fs *c,
struct bch_sb_field_crypt *crypt,
struct bch_key *key)
int bch2_chacha_encrypt_key(struct bch_key *, struct nonce, void *, size_t);
int bch2_request_key(struct bch_sb *, struct bch_key *);
+int bch2_revoke_key(struct bch_sb *);
int bch2_encrypt(struct bch_fs *, unsigned, struct nonce,
void *data, size_t);
projects / bcachefs-tools-debian / commitdiff