# Functions
AddRecoveryPassphrase randomly generates a recovery passphrase and adds it as a custom_passphrase protector for the given Policy.
CreateConfigFile creates a new config file at the appropriate location with the appropriate hashing costs and encryption parameters.
CreatePolicy creates a Policy protected by the given Protector and stores the appropriate data on the filesystem.
CreateProtector creates an unlocked protector with a given name (name only needed for custom and raw protector types).
GetPolicy retrieves a locked policy with a specific descriptor.
GetPolicyFromPath returns the locked policy descriptor for a file on the filesystem.
GetProtector retrieves a Protector with a specific descriptor.
GetProtectorFromOption retrieves a protector based on a protector option.
NewContextFromMountpoint makes a context for the filesystem at the specified mountpoint and whose Config is loaded from the global config file.
NewContextFromPath makes a context for the filesystem containing the specified path and whose Config is loaded from the global config file.
PurgeAllPolicies removes all policy keys on the filesystem from the kernel keyring.
WriteRecoveryInstructions writes a recovery passphrase and instructions to a file.
# Variables
ConfigFileLocation is the location of fscrypt's global settings.
ErrLocked indicates that the key hasn't been unwrapped yet.
LoginProtectorMountpoint is the mountpoint where login protectors are stored.
# Structs
Context contains the necessary global state to perform most of fscrypt's actions.
ErrAccessDeniedPossiblyV2 indicates that a directory's encryption policy couldn't be retrieved due to "permission denied", and the likely cause is that the directory uses a v2 policy that the kernel does not support.
ErrAlreadyProtected indicates that a policy is already protected by the given protector.
ErrBadConfig is an internal error that indicates that the config struct is invalid.
ErrBadConfigFile indicates that the config file is invalid.
ErrConfigFileExists indicates that the config file already exists.
ErrDifferentFilesystem indicates that a policy can't be applied to a directory on a different filesystem.
ErrLoginProtectorExists indicates that a user already has a login protector.
ErrLoginProtectorName indicates that a name was given for a login protector.
ErrMissingPolicyMetadata indicates that a directory is encrypted but its policy metadata cannot be found.
ErrMissingProtectorName indicates that a protector name is needed.
ErrNoConfigFile indicates that the config file doesn't exist.
ErrNotProtected indicates that the given policy is not protected by the given protector.
ErrOnlyProtector indicates that the last protector can't be removed from a policy.
ErrPolicyMetadataMismatch indicates that the policy metadata for an encrypted directory is inconsistent with that directory.
ErrProtectorNameExists indicates that a protector name already exists.
Policy represents an unlocked policy, so it contains the PolicyData as well as the actual protector key.
Protector represents an unlocked protector, so it contains the ProtectorData as well as the actual protector key.
ProtectorInfo is the information a caller will receive about a Protector before they have to return the corresponding key.
ProtectorOption is information about a protector relative to a Policy.
# Type aliases
KeyFunc is passed to a function that will require some type of key.
OptionFunc is passed to a function that needs to unlock a Policy.