google · ebiggers · Jan 30, 2020 · Jan 28, 2020
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
@@ -105,7 +105,7 @@ var Encrypt = cli.Command{
 		immediately be used.`, directoryArg, shortDisplay(policyFlag),
 		shortDisplay(protectorFlag), mountpointArg),
 	Flags: []cli.Flag{policyFlag, unlockWithFlag, protectorFlag, sourceFlag,
-		userFlag, nameFlag, keyFileFlag, skipUnlockFlag},
+		userFlag, nameFlag, keyFileFlag, skipUnlockFlag, noRecoveryFlag},
 	Action: encryptAction,
 }
 
@@ -239,13 +239,16 @@ func encryptPath(path string) (err error) {
 			}
 		}()
 
-		// Automatically generate a recovery passphrase if the protector
-		// is on a different filesystem from the policy.  In practice,
-		// this happens for login passphrase-protected directories that
+		// Ask to generate a recovery passphrase if the protector is on
+		// a different filesystem from the policy.  In practice, this
+		// happens for login passphrase-protected directories that
 		// aren't on the root filesystem, since login protectors are
 		// always stored on the root filesystem.
-		if ctx.Mount != protector.Context.Mount {
-			fmt.Printf("Generating recovery passphrase because protector is on a different filesystem.\n")
+		var needRecovery bool
+		if ctx.Mount != protector.Context.Mount && !noRecoveryFlag.Value {
+			needRecovery, err = askQuestion("Protector is on a different filesystem! Generate a recovery passphrase (recommended)?", true)
+		}
+		if needRecovery {
 			var recoveryProtector *actions.Protector
 			if recoveryPassphrase, recoveryProtector, err = actions.AddRecoveryPassphrase(
 				policy, filepath.Base(path)); err != nil {

diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
@@ -116,7 +116,7 @@ var (
 	allFlags = []prettyFlag{helpFlag, versionFlag, verboseFlag, quietFlag,
 		forceFlag, legacyFlag, skipUnlockFlag, timeTargetFlag,
 		sourceFlag, nameFlag, keyFileFlag, protectorFlag,
-		unlockWithFlag, policyFlag, allUsersFlag}
+		unlockWithFlag, policyFlag, allUsersFlag, noRecoveryFlag}
 	// universalFlags contains flags that should be on every command
 	universalFlags = []cli.Flag{verboseFlag, quietFlag, helpFlag}
 )
@@ -178,6 +178,10 @@ var (
 			different from the one you're locking it as. This flag
 			is only implemented for v2 encryption policies.`,
 	}
+	noRecoveryFlag = &boolFlag{
+		Name:  "no-recovery",
+		Usage: `Don't ask to generate a recovery passphrase.`,
+	}
 )
 
 // Option flags: used to specify options instead of being prompted for them