From d64720bbe7be422b42f41264db6d6f9fb878df71 Mon Sep 17 00:00:00 2001
From: Govind Venugopal
Date: Wed, 17 Sep 2025 16:49:26 -0700
Subject: [PATCH] Feature/homectl recovery key update (#38702)

Implements the ability to add recovery keys to existing user accounts via homectl update --recovery-key=yes. Previously, recovery keys could only be configured during initial user creation, requiring users to recreate their entire home directory to add recovery keys later.

Fixes: #23602
---
 NEWS | 6 ++++++
 man/homectl.xml | 7 +++++++
 src/home/homectl.c | 8 +++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 4b576e88d49..0d7c77835ae 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
 systemd System and Service Manager
+CHANGES WITH 259 in spe:
+
+ * homectl's --recovery-key= option may now be used with the "update" command to add recovery keys to existing user accounts. Previously, recovery keys could only be configured during initial user creation.
+
 CHANGES WITH 258:
 Incompatible changes:
diff --git a/man/homectl.xml b/man/homectl.xml
index cf5b878e7a3..36b3bbfe9c8 100644
--- a/man/homectl.xml
+++ b/man/homectl.xml
@@ -1584,6 +1584,13 @@ homectl update lafcadio --pkcs11-token-uri=auto
 # Allow a FIDO2 security token to unlock the account of user 'nihilbaxter'.
 homectl update nihilbaxter --fido2-device=auto
+
+
+ Add a recovery key to an existing user account:
+
+ # Generate and add a recovery key for user 'emily'.
+homectl update emily --recovery-key=yes
+
diff --git a/src/home/homectl.c b/src/home/homectl.c
index 329572fb345..c50302fb747 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -1829,9 +1829,15 @@ static int acquire_updated_home_record(
 return r;
 }
+ if (arg_recovery_key) {
+ r = identity_add_recovery_key(&json);
+ if (r < 0)
+ return r;
+ }
+
 /* If the user supplied a full record, then add in lastChange, but do not override. Otherwise always
 * override. */
- r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device, !arg_identity);
+ r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device || arg_recovery_key, !arg_identity);
 if (r < 0)
 return r;
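Review bot: The new `if (arg_recovery_key)` block only adds the generated key to the in-memory record (`identity_add_recovery_key(&json)`); nothing in this hunk shows how the corresponding plaintext reaches homed on the update path so that the key is enrolled as an unlock credential for a LUKS-backed home, which the create path presumably handles through the same helper and the record it submits. If the update request does not carry that secret, the record would advertise a recovery key, and bump the password-change timestamp through the modified `update_last_change` call, while the printed key cannot actually unlock the home, a failure a user only discovers at recovery time, so the change should be verified end-to-end by unlocking an updated home with the new key. A comment above the block would document the intent, e.g. `/* Generate a fresh recovery key and add it to the record, as on account creation. */`. The enclosing acquire_updated_home_record() begins and ends outside the hunk.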