Add fill command to overwrite SD card

CHANGELOG.md

@@ -16,6 +16,9 @@ Unreleased
  - Added `--usb-path` option that restricts the USB path of the device to
  connect to
 - Bumped `structopt` dependency to `0.3.17`
+- Added the `fill` command that fills the SD card of a Nitrokey Storage device
+ with random data
+ - Added the `crossterm` dependency in version `0.17.8`
 
 
 0.3.4

Cargo.toml

@@ -38,6 +38,9 @@ version = "1.0"
 [dependencies.base32]
 version = "0.4.0"
 
+[dependencies.crossterm]
+version = "0.17.7"
+
 [dependencies.envy]
 version = "0.4.1"
 
@@ -53,6 +56,9 @@ version = "0.1"
 [dependencies.nitrokey]
 version = "0.7.1"
 
+[dependencies.progressing]
+version = "3.0.2"
+
 [dependencies.serde]
 version = "1.0"
 features = ["derive"]

doc/nitrocli.1

@@ -131,6 +131,16 @@ open.
 .TP
 \fBnitrocli hidden close
 Close a hidden volume.
+.TP
+\fBnitrocli fill\fR
+Fills the SD card with random data, overwriting all existing data.
+This operation takes about one hour to finish for a 16 GB SD card.
+It cannot be cancelled, even if the \fBnitrocli\fR process is terminated before
+it finishes.
+
+This command requires the admin PIN.
+To avoid accidental calls of this command, the user has to enter the PIN even
+if it has been cached.
 
 .SS One-time passwords
 The Nitrokey Pro and the Nitrokey Storage support the generation of one-time

src/args.rs

@@ -79,6 +79,8 @@ Command! {
  Config(ConfigArgs) => |ctx, args: ConfigArgs| args.subcmd.execute(ctx),
  /// Interacts with the device's encrypted volume
  Encrypted(EncryptedArgs) => |ctx, args: EncryptedArgs| args.subcmd.execute(ctx),
+ /// Fills the SD card with random data
+ Fill => crate::commands::fill,
  /// Interacts with the device's hidden volume
  Hidden(HiddenArgs) => |ctx, args: HiddenArgs| args.subcmd.execute(ctx),
  /// Lists the attached Nitrokey devices

src/commands.rs

@@ -22,6 +22,7 @@ use nitrokey::GetPasswordSafe;
 
 use crate::args;
 use crate::config;
+use crate::output;
 use crate::pinentry;
 use crate::Context;
 
@@ -461,6 +462,39 @@ pub fn list(ctx: &mut Context<'_>, no_connect: bool) -> anyhow::Result<()> {
  Ok(())
 }
 
+/// Fill the SD card with random data
+pub fn fill(ctx: &mut Context<'_>) -> anyhow::Result<()> {
+ with_storage_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(args::PinType::Admin, &device)?;
+
+ // Similar to reset, we want the user to re-enter the admin PIN even if is cached to avoid
+ // accidental data loss.
+ pinentry::clear(&pin_entry).context("Failed to clear cached secret")?;
+
+ try_with_pin(ctx, &pin_entry, |pin| {
+ device.fill_sd_card(&pin).context("Failed to fill SD card")
+ })?;
+
+ let mut progress_bar = output::ProgressBar::new();
+ progress_bar.draw(ctx)?;
+ while !progress_bar.is_finished() {
+ use nitrokey::OperationStatus;
+
+ thread::sleep(time::Duration::from_secs(1));
+ let status = device
+ .get_operation_status()
+ .context("Failed to query operation status")?;
+ match status {
+ OperationStatus::Ongoing(progress) => progress_bar.update(progress)?,
+ OperationStatus::Idle => progress_bar.finish(),
+ };
+ progress_bar.draw(ctx)?;
+ }
+
+ Ok(())
+ })
+}
+
 /// Perform a factory reset.
 pub fn reset(ctx: &mut Context<'_>) -> anyhow::Result<()> {
  with_device(ctx, |ctx, mut device| {