tpm: T7726: Prompt before overwriting existing TPM key

sarthurdev · sarthurdev · commit 70629c7f84a3 · 2025-09-09T17:22:10.000+02:00
diff --git a/src/helpers/vyos-config-encrypt.py b/src/helpers/vyos-config-encrypt.py
@@ -245,13 +245,25 @@ def decrypt_config(key):
 
     if not is_opened():
         if tpm_exists:
+            existing_key = None
+
+            try:
+                existing_key = read_tpm_key()
+            except: pass
+
             if args.enable:
-                key = Fernet.generate_key()
+                if existing_key:
+                    print('WARNING: An encryption key already exists in the TPM.')
+                    print('If you choose not to use the existing key, any system image')
+                    print('using the old key will need the recovery key.')
+                if existing_key and ask_yes_no('Do you want to use the existing TPM key?'):
+                    key = existing_key
+                else:
+                    key = Fernet.generate_key()
             elif args.disable or args.load:
-                try:
-                    key = read_tpm_key()
+                if existing_key:
                     need_recovery = False
-                except:
+                else:
                     print('Failed to read key from TPM, recovery key required')
                     need_recovery = True
         else:
