diff --git a/src/api2/tape/drive.rs b/src/api2/tape/drive.rs index 016e3092..d7a87480 100644 --- a/src/api2/tape/drive.rs +++ b/src/api2/tape/drive.rs @@ -484,19 +484,7 @@ pub async fn restore_key( if let Some(key_config) = key_config { let password_fn = || { Ok(password.as_bytes().to_vec()) }; - let key = match key_config.decrypt(&password_fn) { - Ok((key, ..)) => key, - Err(_) => { - match key_config.hint { - Some(hint) => { - bail!("decrypt key failed (password hint: {})", hint); - } - None => { - bail!("decrypt key failed (wrong password)"); - } - } - } - }; + let (key, ..) = key_config.decrypt(&password_fn)?; config::tape_encryption_keys::insert_key(key, key_config)?; } else { bail!("media does not contain any encryption key configuration"); diff --git a/src/backup/key_derivation.rs b/src/backup/key_derivation.rs index 065a527e..0b561b07 100644 --- a/src/backup/key_derivation.rs +++ b/src/backup/key_derivation.rs @@ -216,7 +216,7 @@ impl KeyConfig { let derived_key = kdf.derive_key(&passphrase)?; if raw_data.len() < 32 { - bail!("Unable to encode key - short data"); + bail!("Unable to decrypt key - short data"); } let iv = &raw_data[0..16]; let tag = &raw_data[16..32]; @@ -231,7 +231,16 @@ impl KeyConfig { b"", &enc_data, &tag, - ).map_err(|err| format_err!("Unable to decrypt key (wrong password?) - {}", err))? + ).map_err(|err| { + match self.hint { + Some(ref hint) => { + format_err!("Unable to decrypt key (password hint: {})", hint) + } + None => { + format_err!("Unable to decrypt key (wrong password?) - {}", err) + } + } + })? } else { raw_data.clone()