WIP: logic to unlock veracrypt drives

freedomofpress · Oct 5, 2023 · 68f24bc · 68f24bc
1 parent 2882bb1
commit 68f24bc
Showing 1 changed file with 26 additions and 23 deletions.
diff --git a/securedrop_export/disk/service.py b/securedrop_export/disk/service.py
@@ -4,7 +4,7 @@
 
 from .cli import CLI
 from .status import Status
-from .volume import Volume, MountedVolume
+from .volume import Volume, MountedVolume, EncryptionScheme
 from securedrop_export.exceptions import ExportException
 
 
@@ -89,36 +89,39 @@ def scan_single_device(self, blkid: str) -> Status:
 
     def unlock_device(self, passphrase: str, volume: Volume) -> Status:
         """
-        Given provided passphrase, unlock target volume. Currently,
-        LUKS volumes are supported.
+        Given provided passphrase, unlock target volume.
         """
         if volume:
-            try:
-                if volume.encryption is EncryptionScheme.LUKS:
+            if volume.encryption is EncryptionScheme.LUKS:
+                try:
                     logger.info("Unlocking LUKS drive")
                     volume = self.cli.unlock_luks_volume(volume, passphrase)
-                elif volume.encryption is EncryptionScheme.VERACRYPT:
-                    logger.warning(
-                        "LUKS volume not detected. Attempt to unlock Veracrypt volume"
-                    )
-                    volume = self.cli.attempt_unlock_veracrypt_volume(
-                        volume, passphrase
-                    )
-                else:  # encryptionscheme.UNKNOWN
-                    raise NotImplementedError()
+                    if isinstance(volume, MountedVolume):
+                        return Status.DEVICE_WRITABLE
+                    else:
+                        return Status.ERROR_UNLOCK_LUKS
 
-                 if isinstance(volume, MountedVolume):
-                     return Status.DEVICE_WRITABLE
+                except ExportException as ex:
+                    logger.error(ex)
+                    return Status.ERROR_UNLOCK_LUKS
 
+            # Try to unlock another drive, opportunistically
+            # hoping it is VeraCrypt/TC.
+            else:
+                try:
+                    logger.info(
+                        "Encryption scheme is not LUKS. " "Attempt VeraCrypt unlock."
+                    )
+                    volume = self.cli.attempt_unlock_veracrypt(volume, passphrase)
 
-                if isinstance(volume, MountedVolume):
-                    return Status.DEVICE_WRITABLE
-                else:
-                    return Status.ERROR_UNLOCK_LUKS
+                    if isinstance(volume, MountedVolume):
+                        return Status.DEVICE_WRITABLE
+                    else:
+                        return Status.ERROR_UNLOCK_GENERIC
+                except ExportException as ex:
+                    logger.error(ex)
+                    return Status.ERROR_UNLOCK_GENERIC
 
-            except ExportException as ex:
-                logger.error(ex)
-                return Status.ERROR_UNLOCK_LUKS
         else:
             # Trying to unlock devices before having an active device
             logger.warning("Tried to unlock_device but no current volume detected.")