From d9b9bbd4a87531cde949e7e82ac7025fd7072caa Mon Sep 17 00:00:00 2001
From: Pauline Middelink <middelin@google.com>
Date: Mon, 24 Jul 2017 22:00:44 +0200
Subject: [PATCH] Force restic to ask the password when adding a key.

As `restic key add` uses the same `ReadPasswordTwice()` as the
rest of restic, it is sensitive to the environment variable
RESTIC_PASSWORD or --password-file= override.

When asking for the new key, temporary remove these 2 overrides, forcing
the password to be asked.
---
 cmd/restic/cmd_key.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/cmd/restic/cmd_key.go b/cmd/restic/cmd_key.go
index fe8272457..101346426 100644
--- a/cmd/restic/cmd_key.go
+++ b/cmd/restic/cmd_key.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"os"
 
 	"github.com/restic/restic/internal/errors"
 	"github.com/restic/restic/internal/repository"
@@ -59,7 +60,16 @@ func getNewPassword(gopts GlobalOptions) (string, error) {
 		return testKeyNewPassword, nil
 	}
 
-	return ReadPasswordTwice(gopts,
+	// Since we already have an open repository, temporary remove the overrides
+	// to prompt the user for their passwd
+	oldPasswd := os.Getenv("RESTIC_PASSWORD")
+	defer func() { os.Setenv("RESTIC_PASSWORD", oldPasswd) }()
+	os.Unsetenv("RESTIC_PASSWORD")
+	newopts := gopts
+	newopts.password = ""
+	newopts.PasswordFile = ""
+
+	return ReadPasswordTwice(newopts,
 		"enter password for new key: ",
 		"enter password again: ")
 }