
Configuration encryption doesn’t work with no TPM present
Closed, Resolved | Public | BUG

Description

vyos-config-encrypt.py --enable prompts for a backup key when no TPM is present, but the call to encrypt_config(recovery_key) is not a valid call. Two arguments are required.

encrypt_config looks like it needs to be adjusted to accommodate a lack of TPM during setup.

Details

Version
1.5-2025-Q2
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority. Jul 15 2025, 8:03 AM
Viacheslav subscribed.

@giga1699, Can you add steps or a set/seq of commands to reproduce?

Sorry, wasn't on regular computer when I filed. Just wanted to get it put in.

Below is the output that one would see when they try to encrypt without a TPM present.

vyos@vyos:~$ encryption enable 
WARNING: VyOS will boot into a default config when encrypted without a TPM
You will need to manually login with default credentials and use "encryption load"
to mount the encrypted volume and use "load /config/config.boot"
Are you sure you want to proceed? [y/N] y
Enter key: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Failed to encrypt config: encrypt_config() missing 1 required positional argument: 'recovery_key'
vyos@vyos:~$

It's a valid check if you're trying to enable and either have a TPM or don't as seen below.

vyos-config-encrypt.py line 259-266

elif args.enable and tpm_exists:
    encrypt_config(key, recovery_key)

    print('Encrypted config volume has been enabled with TPM')
    print('Backup the recovery key in a safe place!')
    print('Recovery key: ' + recovery_key.decode())
elif args.enable:
    encrypt_config(recovery_key)

However, the actual encrypt_config function has two required arguments.

vyos-config-encrypt.py line 78:

def encrypt_config(key, recovery_key):

I'm happy to write a patch, but wanted to get any input from @sarthurdev first since they wrote the initial implementation in T4919: TPM-backed config encryption.

Possibly calling encrypt_config(False, recovery_key), and adding in a little logic in the function to skip TPM setup if the key argument is set to False?
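As an added illustration (not VyOS code) of the mismatch reported above and of the shape of the fix proposed: a stand-in `encrypt_config` with the real function's two-argument signature, a corrected dispatch that passes a falsy `key` on the no-TPM path, and a helper that reproduces the exact TypeError shown in the CLI output. The function bodies and the names `enable_encryption` and `reproduce_report_error` are assumptions; the real function's LUKS/TPM steps are not modelled.

```python
from typing import Optional


def encrypt_config(key: Optional[bytes], recovery_key: bytes) -> dict:
    """Stand-in with the same two-argument signature as the real
    encrypt_config(key, recovery_key) in vyos-config-encrypt.py.
    The real function creates the encrypted volume and enrols keys;
    this one (an assumption for illustration) only records which key
    slots would be enrolled so the dispatch can be exercised offline.
    A falsy `key` (None/False, as the task proposes) means: no TPM,
    enrol only the user-supplied recovery key."""
    if not recovery_key:
        raise ValueError("recovery key must not be empty")
    return {"recovery_key_slot": True, "tpm_slot": bool(key)}


def enable_encryption(tpm_exists: bool, key: Optional[bytes],
                      recovery_key: bytes) -> dict:
    """Corrected dispatch (assumed name): both branches pass both
    arguments, so the no-TPM branch no longer raises TypeError."""
    if tpm_exists:
        return encrypt_config(key, recovery_key)
    # No TPM: skip TPM enrolment; only the recovery key protects the volume.
    return encrypt_config(False, recovery_key)


def reproduce_report_error(recovery_key: bytes) -> str:
    """The one-argument call from the bug report, made against the
    two-argument signature; returns the TypeError text the CLI printed."""
    try:
        encrypt_config(recovery_key)  # type: ignore[call-arg]
    except TypeError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    rk = b"a" * 32  # constructed sample recovery key
    print(reproduce_report_error(rk))
    print(enable_encryption(False, None, rk))
```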

dmbaturin changed Is it a breaking change? from Stricter validation to Perfectly compatible.
dmbaturin moved this task from Need Triage to Backport Candidates on the VyOS Rolling board.
sarthurdev changed the task status from Open to Needs testing. Jul 31 2025, 10:41 AM
sarthurdev moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
sarthurdev moved this task from Backport Candidates to Completed on the VyOS Rolling board.