uplink: enc.encryption-key flag is only available for setup command (#2090)

* uplink: Mark encryption key config field for setup Set the "setup" property to the `EncryptionConfig.EncrptionKey` for avoiding to save it in the configuration file. This field is only meant for using in the command line parameters which need to use a different encryption key than the one present in the key file or use it when there is not set any encryption key file path. * cmd/uplink: Setup non-interactive accept enc key Change the uplink CLI setup command non-interactive to save the encryption key into a file when it's passed through the flag --enc.encryption-key Previous to this change it wasn't possible to create an key file despite of that the flag was provided, so it was useless on the setup command. * cmd/uplink: Reuse logic to read pwd from terminal Reuse the logic which is already implemented in the pkg/cfgstruct for reading a password from the terminal on interactive mode, rather than duplicating it in the setup command. * cmd/gateway: Use encryption key file flags The cmd/gateway was still using the `enc.key` configuration field which doesn't exist anymore and its setup command wasn't using the `enc.key-filepath` with combination of the `enc.encryption-key` for generating a file with the encryption key. This commit update the cmd/gateway appropriately and move to the uplink package the function used by cmd/uplink to save the encryption key for allowing to also be used by the cmd/gateway without duplicating the logic. * cmd/storj-sim: Adapt gateway config cmd changes Adapt the cmd/storj-sim to correctly pass the parameters to the cmd/gateway setup and run command. * scripts: Don't pass the --enc.encryption-key flag uplink configuration has changed to only support the `--enc.encryption-key` flag for setup commands and consequently the cmd/uplink and cmd/gateway don't accept this flag over other commands, hence the test for the uplink had to be updated for no passing the flag on the multiples calls that the test do to cmd/uplink. * uplink: Remove func which aren't useful anymore Remove the function which allows to user or load an encryption key because it isn't needed anymore since the `--enc.encryption-key` flag is only available for the setup command. Consequently remove its usage from cmd/uplink and cmd/gateway, because such flag will always be empty because in case that's passed Cobra will return an error due to a "unknown flag".
2019-06-07 18:14:40 +02:00 · 2019-06-07 18:14:40 +02:00 · f5227abd36
commit f5227abd36
parent 2919aa2f79
16 changed files with 192 additions and 255 deletions
--- a/cmd/gateway/main.go
+++ b/cmd/gateway/main.go
@ -81,17 +81,17 @@ func init() {
 func cmdSetup(cmd *cobra.Command, args []string) (err error) {
 	setupDir, err := filepath.Abs(confDir)
 	if err != nil {
-		return err
+		return Error.Wrap(err)
 	}

 	valid, _ := fpath.IsValidSetupDir(setupDir)
 	if !valid {
-		return fmt.Errorf("gateway configuration already exists (%v)", setupDir)
+		return Error.New("gateway configuration already exists (%v)", setupDir)
 	}

 	err = os.MkdirAll(setupDir, 0700)
 	if err != nil {
-		return err
+		return Error.Wrap(err)
 	}

 	overrides := map[string]interface{}{}
@ -102,22 +102,34 @@ func cmdSetup(cmd *cobra.Command, args []string) (err error) {
 		if err != nil {
 			return err
 		}
+
 		overrides[accessKeyFlag.Name] = accessKey
 	}
+
 	secretKeyFlag := cmd.Flag("minio.secret-key")
 	if !secretKeyFlag.Changed {
 		secretKey, err := generateKey()
 		if err != nil {
 			return err
 		}
+
 		overrides[secretKeyFlag.Name] = secretKey
 	}

-	if !setupCfg.NonInteractive {
-		return setupCfg.interactive(cmd, setupDir, overrides)
+	// override is required because the default value of Enc.KeyFilepath is ""
+	// and setting the value directly in setupCfg.Enc.KeyFiletpath will set the
+	// value in the config file but commented out.
+	encryptionKeyFilepath := setupCfg.Enc.KeyFilepath
+	if encryptionKeyFilepath == "" {
+		encryptionKeyFilepath = filepath.Join(setupDir, ".encryption.key")
+		overrides["enc.key-filepath"] = encryptionKeyFilepath
 	}

-	return process.SaveConfigWithAllDefaults(cmd.Flags(), filepath.Join(setupDir, "config.yaml"), overrides)
+	if setupCfg.NonInteractive {
+		return setupCfg.nonInteractive(cmd, setupDir, encryptionKeyFilepath, overrides)
+	}
+
+	return setupCfg.interactive(cmd, setupDir, encryptionKeyFilepath, overrides)
 }

 func cmdRun(cmd *cobra.Command, args []string) (err error) {
@ -154,7 +166,7 @@ func generateKey() (key string, err error) {
 	var buf [20]byte
 	_, err = rand.Read(buf[:])
 	if err != nil {
-		return "", err
+		return "", Error.Wrap(err)
 	}
 	return base58.Encode(buf[:]), nil
 }
@ -211,7 +223,7 @@ func (flags GatewayFlags) action(ctx context.Context, cliCtx *cli.Context) (err

 // NewGateway creates a new minio Gateway
 func (flags GatewayFlags) NewGateway(ctx context.Context) (gw minio.Gateway, err error) {
-	encKey, err := uplink.UseOrLoadEncryptionKey(flags.Enc.EncryptionKey, flags.Enc.KeyFilepath)
+	encKey, err := uplink.LoadEncryptionKey(flags.Enc.KeyFilepath)
 	if err != nil {
 		return nil, err
 	}
@ -248,7 +260,7 @@ func (flags GatewayFlags) openProject(ctx context.Context) (*libuplink.Project,
 		return nil, err
 	}

-	encKey, err := uplink.UseOrLoadEncryptionKey(flags.Enc.EncryptionKey, flags.Enc.KeyFilepath)
+	encKey, err := uplink.LoadEncryptionKey(flags.Enc.KeyFilepath)
 	if err != nil {
 		return nil, err
 	}
@ -264,7 +276,13 @@ func (flags GatewayFlags) openProject(ctx context.Context) (*libuplink.Project,
 	return uplk.OpenProject(ctx, flags.Client.SatelliteAddr, apiKey, &opts)
 }

-func (flags GatewayFlags) interactive(cmd *cobra.Command, setupDir string, overrides map[string]interface{}) error {
+// interactive creates the configuration of the gateway interactively.
+//
+// encryptionKeyFilepath should be set to the filepath indicated by the user or
+// or to a default path whose directory tree exists.
+func (flags GatewayFlags) interactive(
+	cmd *cobra.Command, setupDir string, encryptionKeyFilepath string, overrides map[string]interface{},
+) error {
 	satelliteAddress, err := cfgstruct.PromptForSatelitte(cmd)
 	if err != nil {
 		return Error.Wrap(err)
@ -275,21 +293,27 @@ func (flags GatewayFlags) interactive(cmd *cobra.Command, setupDir string, overr
 		return Error.Wrap(err)
 	}

-	encKey, err := cfgstruct.PromptForEncryptionKey()
+	humanReadableKey, err := cfgstruct.PromptForEncryptionKey()
+	if err != nil {
+		return Error.Wrap(err)
+	}
+
+	err = uplink.SaveEncryptionKey(humanReadableKey, encryptionKeyFilepath)
 	if err != nil {
 		return Error.Wrap(err)
 	}

 	overrides["satellite-addr"] = satelliteAddress
 	overrides["api-key"] = apiKey
-	overrides["enc.key"] = encKey

 	err = process.SaveConfigWithAllDefaults(cmd.Flags(), filepath.Join(setupDir, "config.yaml"), overrides)
 	if err != nil {
 		return nil
 	}

-	_, err = fmt.Println(`
+	_, err = fmt.Printf(`
+Your encryption key is saved to: %s
+
 Your S3 Gateway is configured and ready to use!

 Some things to try next:
@ -297,7 +321,7 @@ Some things to try next:
 * Run 'gateway --help' to see the operations that can be performed

 * See https://github.com/storj/docs/blob/master/S3-Gateway.md#using-the-aws-s3-commandline-interface for some example commands
-	`)
+	`, encryptionKeyFilepath)
 	if err != nil {
 		return nil
 	}
@ -306,6 +330,32 @@ Some things to try next:

 }

+// nonInteractive creates the configuration of the gateway non-interactively.
+//
+// encryptionKeyFilepath should be set to the filepath indicated by the user or
+// or to a default path whose directory tree exists.
+func (flags GatewayFlags) nonInteractive(
+	cmd *cobra.Command, setupDir string, encryptionKeyFilepath string, overrides map[string]interface{},
+) error {
+	if setupCfg.Enc.EncryptionKey != "" {
+		err := uplink.SaveEncryptionKey(setupCfg.Enc.EncryptionKey, encryptionKeyFilepath)
+		if err != nil {
+			return Error.Wrap(err)
+		}
+	}
+
+	err := process.SaveConfigWithAllDefaults(cmd.Flags(), filepath.Join(setupDir, "config.yaml"), overrides)
+	if err != nil {
+		return Error.Wrap(err)
+	}
+
+	if setupCfg.Enc.EncryptionKey != "" {
+		_, _ = fmt.Printf("Your encryption key is saved to: %s\n", encryptionKeyFilepath)
+	}
+
+	return nil
+}
+
 func main() {
 	process.Exec(rootCmd)
 }
--- a/cmd/storj-sim/network.go
+++ b/cmd/storj-sim/network.go
@ -313,7 +313,10 @@ func newNetwork(flags *Flags) (*Processes, error) {
 		process.WaitForStart(satellite)
 		process.Arguments = withCommon(process.Directory, Arguments{
 			"setup": {
-				"--non-interactive=true",
+				"--non-interactive",
+
+				"--enc.encryption-key=TestEncryptionKey",
+
 				"--identity-dir", process.Directory,
 				"--satellite-addr", satellite.Address,

@ -331,9 +334,7 @@ func newNetwork(flags *Flags) (*Processes, error) {

 				"--debug.addr", net.JoinHostPort(host, port(gatewayPeer, i, debugHTTP)),
 			},
-			"run": {
-				"--enc.encryption-key=TestEncryptionKey",
-			},
+			"run": {},
 		})

 		process.ExecBefore["run"] = func(process *Process) error {
--- a/cmd/uplink/cmd/common.go
+++ b/cmd/uplink/cmd/common.go
@ -5,7 +5,6 @@ package cmd

 import (
 	libuplink "storj.io/storj/lib/uplink"
-	"storj.io/storj/pkg/storj"
 	"storj.io/storj/uplink"
 )

@ -21,21 +20,3 @@ func loadEncryptionAccess(filepath string) (libuplink.EncryptionAccess, error) {
 		Key: *key,
 	}, nil
 }
-
-// useOrLoadEncryptionAccess creates an encryption key from humanReadableKey
-// when it isn't empty otherwise try to load the key from the file pointed by
-// filepath and creates an EnryptionAccess with it.
-func useOrLoadEncryptionAccess(humanReadableKey string, filepath string) (libuplink.EncryptionAccess, error) {
-	if humanReadableKey != "" {
-		key, err := storj.NewKey([]byte(humanReadableKey))
-		if err != nil {
-			return libuplink.EncryptionAccess{}, err
-		}
-
-		return libuplink.EncryptionAccess{
-			Key: *key,
-		}, nil
-	}
-
-	return loadEncryptionAccess(filepath)
-}
--- a/cmd/uplink/cmd/common_test.go
+++ b/cmd/uplink/cmd/common_test.go
@ -13,6 +13,7 @@ import (

 	"storj.io/storj/internal/testcontext"
 	"storj.io/storj/pkg/storj"
+	"storj.io/storj/uplink"
 )

 func TestLoadEncryptionKeyIntoEncryptionAccess(t *testing.T) {
@ -44,71 +45,28 @@ func TestLoadEncryptionKeyIntoEncryptionAccess(t *testing.T) {
 	})
 }

-func TestUseOrLoadEncryptionKeyIntoEncryptionAccess(t *testing.T) {
-	t.Run("ok: load", func(t *testing.T) {
-		passphrase := make([]byte, rand.Intn(100)+1)
-		_, err := rand.Read(passphrase)
-		require.NoError(t, err)
-
-		expectedKey, err := storj.NewKey(passphrase)
-		require.NoError(t, err)
-		ctx := testcontext.New(t)
-		filename := ctx.File("encryption.key")
-		err = ioutil.WriteFile(filename, expectedKey[:], os.FileMode(0400))
-		require.NoError(t, err)
-		defer ctx.Cleanup()
-
-		access, err := useOrLoadEncryptionAccess("", filename)
-		require.NoError(t, err)
-		require.Equal(t, *expectedKey, access.Key)
-	})
-
-	t.Run("ok: use", func(t *testing.T) {
-		rawKey := make([]byte, rand.Intn(100)+1)
-		_, err := rand.Read(rawKey)
-		require.NoError(t, err)
-
-		access, err := useOrLoadEncryptionAccess(string(rawKey), "")
-		require.NoError(t, err)
-
-		if len(rawKey) > storj.KeySize {
-			require.Equal(t, rawKey[:storj.KeySize], access.Key[:])
-		} else {
-			require.Equal(t, rawKey, access.Key[:len(rawKey)])
-		}
-	})
-
-	t.Run("error", func(t *testing.T) {
-		ctx := testcontext.New(t)
-		defer ctx.Cleanup()
-		filename := ctx.File("encryption.key")
-
-		_, err := useOrLoadEncryptionAccess("", filename)
-		require.Error(t, err)
-	})
-}
-
 func TestSaveLoadEncryptionKey(t *testing.T) {
-	var inputKey []byte
+	var inputKey string
 	{
-		inputKey = make([]byte, rand.Intn(storj.KeySize)*3+1)
-		_, err := rand.Read(inputKey)
+		randKey := make([]byte, rand.Intn(storj.KeySize)*3+1)
+		_, err := rand.Read(randKey)
 		require.NoError(t, err)
+		inputKey = string(randKey)
 	}

 	ctx := testcontext.New(t)
 	defer ctx.Cleanup()

 	filename := ctx.File("storj-test-cmd-uplink", "encryption.key")
-	err := saveEncryptionKey(inputKey, filename)
+	err := uplink.SaveEncryptionKey(inputKey, filename)
 	require.NoError(t, err)

-	access, err := useOrLoadEncryptionAccess("", filename)
+	access, err := loadEncryptionAccess(filename)
 	require.NoError(t, err)

 	if len(inputKey) > storj.KeySize {
-		require.Equal(t, inputKey[:storj.KeySize], access.Key[:])
+		require.Equal(t, []byte(inputKey[:storj.KeySize]), access.Key[:])
 	} else {
-		require.Equal(t, inputKey, access.Key[:len(inputKey)])
+		require.Equal(t, []byte(inputKey), access.Key[:len(inputKey)])
 	}
 }
--- a/cmd/uplink/cmd/cp.go
+++ b/cmd/uplink/cmd/cp.go
@ -82,7 +82,7 @@ func upload(ctx context.Context, src fpath.FPath, dst fpath.FPath, showProgress
 		return fmt.Errorf("source cannot be a directory: %s", src)
 	}

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
@ -134,7 +134,7 @@ func download(ctx context.Context, src fpath.FPath, dst fpath.FPath, showProgres
 		return fmt.Errorf("destination must be local path: %s", dst)
 	}

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
@ -212,7 +212,7 @@ func copyObject(ctx context.Context, src fpath.FPath, dst fpath.FPath) (err erro
 		return fmt.Errorf("destination must be Storj URL: %s", dst)
 	}

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
--- a/cmd/uplink/cmd/ls.go
+++ b/cmd/uplink/cmd/ls.go
@ -42,7 +42,7 @@ func list(cmd *cobra.Command, args []string) error {
 		}
 	}()

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
--- a/cmd/uplink/cmd/rb.go
+++ b/cmd/uplink/cmd/rb.go
@ -41,7 +41,7 @@ func deleteBucket(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("Nested buckets not supported, use format sj://bucket/")
 	}

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
--- a/cmd/uplink/cmd/rm.go
+++ b/cmd/uplink/cmd/rm.go
@ -36,7 +36,7 @@ func deleteObject(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("No bucket specified, use format sj://bucket/")
 	}

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
--- a/cmd/uplink/cmd/root.go
+++ b/cmd/uplink/cmd/root.go
@ -81,7 +81,7 @@ func (cliCfg *UplinkFlags) GetProject(ctx context.Context) (*libuplink.Project,
 		return nil, err
 	}

-	encKey, err := uplink.UseOrLoadEncryptionKey(cliCfg.Enc.EncryptionKey, cliCfg.Enc.KeyFilepath)
+	encKey, err := uplink.LoadEncryptionKey(cliCfg.Enc.KeyFilepath)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/uplink/cmd/setup.go
+++ b/cmd/uplink/cmd/setup.go
@ -4,7 +4,6 @@
 package cmd

 import (
-	"bytes"
 	"fmt"
 	"net"
 	"os"
@ -14,11 +13,11 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/zeebo/errs"
 	"go.uber.org/zap"
-	"golang.org/x/crypto/ssh/terminal"

 	"storj.io/storj/internal/fpath"
 	"storj.io/storj/pkg/cfgstruct"
 	"storj.io/storj/pkg/process"
+	"storj.io/storj/uplink"
 )

 var (
@ -76,14 +75,47 @@ func cmdSetup(cmd *cobra.Command, args []string) (err error) {
 	}

 	if setupCfg.NonInteractive {
-		override := map[string]interface{}{
-			"enc.key-filepath": usedEncryptionKeyFilepath,
-		}
-		return process.SaveConfigWithAllDefaults(
-			cmd.Flags(), filepath.Join(setupDir, process.DefaultCfgFilename), override)
+		return cmdSetupNonInteractive(cmd, setupDir, usedEncryptionKeyFilepath)
 	}

-	_, err = fmt.Print(`
+	return cmdSetupInteractive(cmd, setupDir, usedEncryptionKeyFilepath)
+}
+
+// cmdSetupNonInteractive sets up uplink non-interactively.
+//
+// encryptionKeyFilepath should be set to the filepath indicated by the user or
+// or to a default path whose directory tree exists.
+func cmdSetupNonInteractive(cmd *cobra.Command, setupDir string, encryptionKeyFilepath string) error {
+	if setupCfg.Enc.EncryptionKey != "" {
+		err := uplink.SaveEncryptionKey(setupCfg.Enc.EncryptionKey, encryptionKeyFilepath)
+		if err != nil {
+			return err
+		}
+	}
+
+	override := map[string]interface{}{
+		"enc.key-filepath": encryptionKeyFilepath,
+	}
+
+	err := process.SaveConfigWithAllDefaults(
+		cmd.Flags(), filepath.Join(setupDir, process.DefaultCfgFilename), override)
+	if err != nil {
+		return err
+	}
+
+	if setupCfg.Enc.EncryptionKey != "" {
+		_, _ = fmt.Printf("Your encryption key is saved to: %s\n", encryptionKeyFilepath)
+	}
+
+	return nil
+}
+
+// cmdSetupInteractive sets up uplink interactively.
+//
+// encryptionKeyFilepath should be set to the filepath indicated by the user or
+// or to a default path whose directory tree exists.
+func cmdSetupInteractive(cmd *cobra.Command, setupDir string, encryptionKeyFilepath string) error {
+	_, err := fmt.Print(`
 Pick satellite to use:
 	[1] mars.tardigrade.io
 	[2] jupiter.tardigrade.io
@ -140,42 +172,12 @@ Please enter numeric choice or enter satellite address manually [1]: `)
 		return errs.New("API key cannot be empty")
 	}

-	_, err = fmt.Print("Enter your encryption key: ")
-	if err != nil {
-		return err
-	}
-	humanReadableKey, err := terminal.ReadPassword(int(os.Stdin.Fd()))
+	humanReadableKey, err := cfgstruct.PromptForEncryptionKey()
 	if err != nil {
 		return err
 	}

-	_, err = fmt.Println()
-	if err != nil {
-		return err
-	}
-
-	if len(humanReadableKey) == 0 {
-		return errs.New("Encryption key cannot be empty")
-	}
-
-	_, err = fmt.Print("Enter your encryption key again: ")
-	if err != nil {
-		return err
-	}
-	repeatedHumanReadableKey, err := terminal.ReadPassword(int(os.Stdin.Fd()))
-	if err != nil {
-		return err
-	}
-	_, err = fmt.Println()
-	if err != nil {
-		return err
-	}
-
-	if !bytes.Equal(humanReadableKey, repeatedHumanReadableKey) {
-		return errs.New("encryption keys don't match")
-	}
-
-	err = saveEncryptionKey(humanReadableKey, usedEncryptionKeyFilepath)
+	err = uplink.SaveEncryptionKey(humanReadableKey, encryptionKeyFilepath)
 	if err != nil {
 		return err
 	}
@ -183,7 +185,7 @@ Please enter numeric choice or enter satellite address manually [1]: `)
 	var override = map[string]interface{}{
 		"api-key":          apiKey,
 		"satellite-addr":   satelliteAddress,
-		"enc.key-filepath": usedEncryptionKeyFilepath,
+		"enc.key-filepath": encryptionKeyFilepath,
 	}

 	err = process.SaveConfigWithAllDefaults(
@ -204,7 +206,7 @@ Some things to try next:
 * Run 'uplink --help' to see the operations that can be performed

 * See https://github.com/storj/docs/blob/master/Uplink-CLI.md#usage for some example commands
-	`, usedEncryptionKeyFilepath)
+	`, encryptionKeyFilepath)

 	return nil
 }
@ -266,34 +268,3 @@ func ApplyDefaultHostAndPortToAddr(address, defaultAddress string) (string, erro
 	// address is host:
 	return net.JoinHostPort(addressParts[0], defaultPort), nil
 }
-
-// saveEncryptionKey generates a Storj key from the inputKey and save it into a
-// new file created in filepath.
-func saveEncryptionKey(inputKey []byte, filepath string) error {
-	switch {
-	case len(inputKey) == 0:
-		return Error.New("inputKey is empty")
-	case filepath == "":
-		return Error.New("filepath is empty")
-	}
-
-	file, err := os.OpenFile(filepath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return Error.New("directory path doesn't exist. %+v", err)
-		}
-
-		if os.IsExist(err) {
-			return Error.New("file key already exists. %+v", err)
-		}
-
-		return Error.Wrap(err)
-	}
-
-	defer func() {
-		err = Error.Wrap(errs.Combine(err, file.Close()))
-	}()
-
-	_, err = file.Write(inputKey)
-	return err
-}
--- a/cmd/uplink/cmd/share.go
+++ b/cmd/uplink/cmd/share.go
@ -102,7 +102,7 @@ func shareMain(cmd *cobra.Command, args []string) (err error) {

 	var project *libuplink.Project

-	access, err := useOrLoadEncryptionAccess(cfg.Enc.EncryptionKey, cfg.Enc.KeyFilepath)
+	access, err := loadEncryptionAccess(cfg.Enc.KeyFilepath)
 	if err != nil {
 		return err
 	}
--- a/scripts/test-uplink.sh
+++ b/scripts/test-uplink.sh
@ -25,20 +25,20 @@ random_bytes_file () {
 random_bytes_file 2x1024      "$SRC_DIR/small-upload-testfile" # create 2kb file of random bytes (inline)
 random_bytes_file 5x1024x1024 "$SRC_DIR/big-upload-testfile"   # create 5mb file of random bytes (remote)

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink"  mb "sj://$BUCKET/"
+uplink --config-dir "$GATEWAY_0_DIR"  mb "sj://$BUCKET/"

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" cp "$SRC_DIR/small-upload-testfile" "sj://$BUCKET/"
-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" cp "$SRC_DIR/big-upload-testfile" "sj://$BUCKET/"
+uplink --config-dir "$GATEWAY_0_DIR" cp "$SRC_DIR/small-upload-testfile" "sj://$BUCKET/"
+uplink --config-dir "$GATEWAY_0_DIR" cp "$SRC_DIR/big-upload-testfile" "sj://$BUCKET/"

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" cp "sj://$BUCKET/small-upload-testfile" "$DST_DIR"
-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" cp "sj://$BUCKET/big-upload-testfile" "$DST_DIR"
+uplink --config-dir "$GATEWAY_0_DIR" cp "sj://$BUCKET/small-upload-testfile" "$DST_DIR"
+uplink --config-dir "$GATEWAY_0_DIR" cp "sj://$BUCKET/big-upload-testfile" "$DST_DIR"

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" rm "sj://$BUCKET/small-upload-testfile"
-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" rm "sj://$BUCKET/big-upload-testfile"
+uplink --config-dir "$GATEWAY_0_DIR" rm "sj://$BUCKET/small-upload-testfile"
+uplink --config-dir "$GATEWAY_0_DIR" rm "sj://$BUCKET/big-upload-testfile"

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" ls "sj://$BUCKET"
+uplink --config-dir "$GATEWAY_0_DIR" ls "sj://$BUCKET"

-uplink --config-dir "$GATEWAY_0_DIR" --enc.encryption-key "test-uplink" rb "sj://$BUCKET"
+uplink --config-dir "$GATEWAY_0_DIR" rb "sj://$BUCKET"

 if cmp "$SRC_DIR/small-upload-testfile" "$DST_DIR/small-upload-testfile"
 then
--- a/uplink/config.go
+++ b/uplink/config.go
@ -42,7 +42,7 @@ type RSConfig struct {
 // EncryptionConfig is a configuration struct that keeps details about
 // encrypting segments
 type EncryptionConfig struct {
-	EncryptionKey string `help:"the root key for encrypting the data; when set, it overrides the key stored in the file indicated by the key-filepath flag"`
+	EncryptionKey string `help:"the root key for encrypting the data which will be stored in KeyFilePath" setup:"true"`
 	KeyFilepath   string `help:"the path to the file which contains the root key for encrypting the data"`
 	DataType      int    `help:"Type of encryption to use for content and metadata (1=AES-GCM, 2=SecretBox)" default:"1"`
 	PathType      int    `help:"Type of encryption to use for paths (0=Unencrypted, 1=AES-GCM, 2=SecretBox)" default:"1"`
@ -121,7 +121,7 @@ func (c Config) GetMetainfo(ctx context.Context, identity *identity.FullIdentity
 		return nil, nil, err
 	}

-	key, err := UseOrLoadEncryptionKey(c.Enc.EncryptionKey, c.Enc.KeyFilepath)
+	key, err := LoadEncryptionKey(c.Enc.KeyFilepath)
 	if err != nil {
 		return nil, nil, Error.Wrap(err)
 	}
@ -182,19 +182,3 @@ func LoadEncryptionKey(filepath string) (key *storj.Key, error error) {

 	return storj.NewKey(rawKey)
 }
-
-// UseOrLoadEncryptionKey return an encryption key from humanReadableKey when
-// it isn't empty otherwise try to load the key from the file pointed by
-// filepath calling LoadEncryptionKey function.
-func UseOrLoadEncryptionKey(humanReadableKey string, filepath string) (*storj.Key, error) {
-	if humanReadableKey != "" {
-		key, err := storj.NewKey([]byte(humanReadableKey))
-		if err != nil {
-			return nil, err
-		}
-
-		return key, nil
-	}
-
-	return LoadEncryptionKey(filepath)
-}
--- a/uplink/config_test.go
+++ b/uplink/config_test.go
@ -58,50 +58,3 @@ func TestLoadEncryptionKey(t *testing.T) {
 		require.Error(t, err)
 	})
 }
-
-func TestUseOrLoadEncryptionKey(t *testing.T) {
-	saveRawKey := func(key []byte) (filepath string, clenaup func()) {
-		t.Helper()
-
-		ctx := testcontext.New(t)
-		filename := ctx.File("encryption.key")
-		err := ioutil.WriteFile(filename, key, os.FileMode(0400))
-		require.NoError(t, err)
-
-		return filename, ctx.Cleanup
-	}
-
-	t.Run("ok: load", func(t *testing.T) {
-		passphrase := make([]byte, rand.Intn(100)+1)
-		_, err := rand.Read(passphrase)
-		require.NoError(t, err)
-
-		expectedKey, err := storj.NewKey(passphrase)
-		require.NoError(t, err)
-		filename, cleanup := saveRawKey(expectedKey[:])
-		defer cleanup()
-
-		key, err := uplink.UseOrLoadEncryptionKey("", filename)
-		require.NoError(t, err)
-		require.Equal(t, expectedKey, key)
-	})
-
-	t.Run("ok: use", func(t *testing.T) {
-		rawKey := make([]byte, storj.KeySize+rand.Intn(50))
-		_, err := rand.Read(rawKey)
-		require.NoError(t, err)
-
-		key, err := uplink.UseOrLoadEncryptionKey(string(rawKey), "")
-		require.NoError(t, err)
-		require.Equal(t, rawKey[:storj.KeySize], key[:])
-	})
-
-	t.Run("error", func(t *testing.T) {
-		ctx := testcontext.New(t)
-		defer ctx.Cleanup()
-		filename := ctx.File("encryption.key")
-
-		_, err := uplink.UseOrLoadEncryptionKey("", filename)
-		require.Error(t, err)
-	})
-}
--- a/uplink/encryption_key.go
+++ b/uplink/encryption_key.go
@ -0,0 +1,41 @@
+// Copyright (C) 2019 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+package uplink
+
+import (
+	"os"
+
+	"github.com/zeebo/errs"
+)
+
+// SaveEncryptionKey generates a Storj key from the inputKey and save it into a
+// new file created in filepath.
+func SaveEncryptionKey(inputKey string, filepath string) error {
+	switch {
+	case len(inputKey) == 0:
+		return Error.New("inputKey is empty")
+	case filepath == "":
+		return Error.New("filepath is empty")
+	}
+
+	file, err := os.OpenFile(filepath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return Error.New("directory path doesn't exist. %+v", err)
+		}
+
+		if os.IsExist(err) {
+			return Error.New("file key already exists. %+v", err)
+		}
+
+		return Error.Wrap(err)
+	}
+
+	defer func() {
+		err = Error.Wrap(errs.Combine(err, file.Close()))
+	}()
+
+	_, err = file.Write([]byte(inputKey))
+	return err
+}
--- a/cmd/uplink/cmd/setup_unexported_test.go
+++ b/cmd/uplink/cmd/setup_unexported_test.go
@ -1,7 +1,7 @@
 // Copyright (C) 2019 Storj Labs, Inc.
 // See LICENSE for copying information.

-package cmd
+package uplink_test

 import (
 	"io/ioutil"
@ -14,15 +14,16 @@ import (
 	"github.com/stretchr/testify/require"
 	"storj.io/storj/internal/testcontext"
 	"storj.io/storj/pkg/storj"
+	"storj.io/storj/uplink"
 )

 func TestSaveEncryptionKey(t *testing.T) {
-	generateInputKey := func() []byte {
+	generateInputKey := func() string {
 		inputKey := make([]byte, rand.Intn(storj.KeySize*3)+1)
 		_, err := rand.Read(inputKey)
 		require.NoError(t, err)

-		return inputKey
+		return string(inputKey)
 	}

 	t.Run("ok", func(t *testing.T) {
@ -31,13 +32,13 @@ func TestSaveEncryptionKey(t *testing.T) {

 		inputKey := generateInputKey()
 		filename := ctx.File("storj-test-cmd-uplink", "encryption.key")
-		err := saveEncryptionKey(inputKey, filename)
+		err := uplink.SaveEncryptionKey(inputKey, filename)
 		require.NoError(t, err)

 		savedKey, err := ioutil.ReadFile(filename)
 		require.NoError(t, err)

-		assert.Equal(t, inputKey, savedKey)
+		assert.Equal(t, inputKey, string(savedKey))
 	})

 	t.Run("error: empty input key", func(t *testing.T) {
@ -46,17 +47,14 @@ func TestSaveEncryptionKey(t *testing.T) {

 		filename := ctx.File("storj-test-cmd-uplink", "encryption.key")

-		err := saveEncryptionKey(nil, filename)
-		require.Error(t, err)
-
-		err = saveEncryptionKey([]byte{}, filename)
+		err := uplink.SaveEncryptionKey("", filename)
 		require.Error(t, err)
 	})

 	t.Run("error: empty filepath", func(t *testing.T) {
 		inputKey := generateInputKey()

-		err := saveEncryptionKey(inputKey, "")
+		err := uplink.SaveEncryptionKey(inputKey, "")
 		require.Error(t, err)
 	})

@ -69,7 +67,7 @@ func TestSaveEncryptionKey(t *testing.T) {

 		inputKey := generateInputKey()
 		filename := filepath.Join(dir, "enc.key")
-		err := saveEncryptionKey(inputKey, filename)
+		err := uplink.SaveEncryptionKey(inputKey, filename)
 		require.Errorf(t, err, "directory path doesn't exist")
 	})

@ -81,7 +79,7 @@ func TestSaveEncryptionKey(t *testing.T) {
 		filename := ctx.File("encryption.key")
 		require.NoError(t, ioutil.WriteFile(filename, nil, os.FileMode(0600)))

-		err := saveEncryptionKey(inputKey, filename)
+		err := uplink.SaveEncryptionKey(inputKey, filename)
 		require.Errorf(t, err, "file key already exists")
 	})
 }