feat(python/trezorctl): support prompt configuration for encrypt/decrypt keyvalue

fixes #2608

python/.changelog.d/2608.added

@@ -0,0 +1 @@
+trezorctl: Support prompt configuration for `encrypt-keyvalue` / `decrypt-keyvalue`.

python/src/trezorlib/cli/crypto.py

@@ -14,17 +14,27 @@
 # You should have received a copy of the License along with this library.
 # If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
 
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Tuple
 
 import click
 
 from .. import misc, tools
-from . import with_client
+from . import ChoiceType, with_client
 
 if TYPE_CHECKING:
     from ..client import TrezorClient
 
 
+PROMPT_TYPE = ChoiceType(
+    {
+        "always": (True, True),
+        "never": (False, False),
+        "decrypt": (False, True),
+        "encrypt": (True, False),
+    }
+)
+
+
 @click.group(name="crypto")
 def cli() -> None:
     """Miscellaneous cryptography features."""
@@ -40,23 +50,72 @@ def get_entropy(client: "TrezorClient", size: int) -> str:
 
 @cli.command()
 @click.option("-n", "--address", required=True, help="BIP-32 path, e.g. m/10016'/0")
+@click.option(
+    "-p", "--prompt", type=PROMPT_TYPE, default="always", help="Prompt for passphrase"
+)
 @click.argument("key")
 @click.argument("value")
 @with_client
-def encrypt_keyvalue(client: "TrezorClient", address: str, key: str, value: str) -> str:
+def encrypt_keyvalue(
-    """Encrypt value by given key and path."""
+    client: "TrezorClient",
+    address: str,
+    key: str,
+    value: str,
+    prompt: Tuple[bool, bool],
+) -> str:
+    """Encrypt value by given key and path.
+
+    The `prompt` option controls whether the device will prompt for confirmation on
+    encrypting and decrypting the value. The default is to prompt for both encryption
+    and decryption.
+
+    You must provide the same `prompt` option to the `decrypt-keyvalue` command,
+    otherwise the decryption will fail.
+    """
+    ask_on_encrypt, ask_on_decrypt = prompt
     address_n = tools.parse_path(address)
-    return misc.encrypt_keyvalue(client, address_n, key, value.encode()).hex()
+    return misc.encrypt_keyvalue(
+        client,
+        address_n,
+        key,
+        value.encode(),
+        ask_on_encrypt=ask_on_encrypt,
+        ask_on_decrypt=ask_on_decrypt,
+    ).hex()
 
 
 @cli.command()
 @click.option("-n", "--address", required=True, help="BIP-32 path, e.g. m/10016'/0")
+@click.option(
+    "-p", "--prompt", type=PROMPT_TYPE, default="always", help="Prompt for passphrase"
+)
 @click.argument("key")
 @click.argument("value")
 @with_client
 def decrypt_keyvalue(
-    client: "TrezorClient", address: str, key: str, value: str
+    client: "TrezorClient",
+    address: str,
+    key: str,
+    value: str,
+    prompt: Tuple[bool, bool],
 ) -> bytes:
-    """Decrypt value by given key and path."""
+    """Decrypt value by given key and path.
+
+    The `prompt` option controls whether the device will prompt for confirmation on
+    encrypting and decrypting the value. The default is to prompt for both encryption
+    and decryption.
+
+    You must use the same `prompt` value that you used for encryption, otherwise the
+    decryption will fail. I.e., it is not possible to encrypt with "--prompt=decrypt"
+    and decrypt with "--prompt=never".
+    """
+    ask_on_encrypt, ask_on_decrypt = prompt
     address_n = tools.parse_path(address)
-    return misc.decrypt_keyvalue(client, address_n, key, bytes.fromhex(value))
+    return misc.decrypt_keyvalue(
+        client,
+        address_n,
+        key,
+        bytes.fromhex(value),
+        ask_on_encrypt=ask_on_encrypt,
+        ask_on_decrypt=ask_on_decrypt,
+    )