def test_backup_passphrase(self):
"""Verify that a backup passphrase can be created for a device"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD,
None, 0)
self.assertTrue(succ)
escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow')
self.addCleanup(shutil.rmtree, escrow_dir)
backup_passphrase = BlockDev.crypto_generate_backup_passphrase()
with open(self.public_cert, 'rb') as cert_file:
succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD,
cert_file.read(), escrow_dir,
backup_passphrase)
self.assertTrue(succ)
# Find the backup passphrase
escrow_backup_passphrase = "%s/%s-escrow-backup-passphrase" % (
escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev))
self.assertTrue(os.path.isfile(escrow_backup_passphrase))
# Check that the encrypted file contains what we put in
env = {k: v for k, v in os.environ.items()}
env.update({"LC_ALL": "C"})
passphrase = subprocess.check_output([
'volume_key', '--secrets', '-d', self.nss_dir,
escrow_backup_passphrase
],
env=env)
passphrase = passphrase.strip().split()[1].decode('ascii')
self.assertEqual(passphrase, backup_passphrase)
# Check that the backup passphrase works
succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS',
backup_passphrase, None)
self.assertTrue(succ)
def test_backup_passphrase(self):
"""Verify that a backup passphrase can be created for a device"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0)
self.assertTrue(succ)
escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow')
self.addCleanup(shutil.rmtree, escrow_dir)
backup_passphrase = BlockDev.crypto_generate_backup_passphrase()
with open(self.public_cert, 'rb') as cert_file:
succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(),
escrow_dir, backup_passphrase)
self.assertTrue(succ)
# Find the backup passphrase
escrow_backup_passphrase = "%s/%s-escrow-backup-passphrase" % (escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev))
self.assertTrue(os.path.isfile(escrow_backup_passphrase))
# Check that the encrypted file contains what we put in
env = os.environ
env.update({"LC_ALL": "C"})
passphrase = subprocess.check_output(
['volume_key', '--secrets', '-d', self.nss_dir, escrow_backup_passphrase],
env=env)
passphrase = passphrase.strip().split()[1].decode('ascii')
self.assertEqual(passphrase, backup_passphrase)
# Check that the backup passphrase works
succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', backup_passphrase, None)
self.assertTrue(succ)
def test_escrow_packet(self):
"""Verify that an escrow packet can be created for a device"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD,
None, 0)
self.assertTrue(succ)
escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow')
self.addCleanup(shutil.rmtree, escrow_dir)
with open(self.public_cert, 'rb') as cert_file:
succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD,
cert_file.read(), escrow_dir,
None)
self.assertTrue(succ)
# Find the escrow packet
escrow_packet_file = '%s/%s-escrow' % (
escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev))
self.assertTrue(os.path.isfile(escrow_packet_file))
# Use the volume_key utility (see note in setUp about why not python)
# to decrypt the escrow packet and restore access to the volume under
# a new passphrase
# Just use the existing temp directory to output the re-encrypted packet
# PASSWD2 is the passphrase of the new escrow packet
p = subprocess.Popen([
'volume_key', '--reencrypt', '-b', '-d', self.nss_dir,
escrow_packet_file, '-o',
'%s/escrow-out' % escrow_dir
],
stdin=subprocess.PIPE)
p.communicate(input=('%s\0%s\0' % (PASSWD2, PASSWD2)).encode('utf-8'))
if p.returncode != 0:
raise subprocess.CalledProcessError(p.returncode, 'volume_key')
# Restore access to the volume
# PASSWD3 is the new passphrase for the LUKS device
p = subprocess.Popen([
'volume_key', '--restore', '-b', self.loop_dev,
'%s/escrow-out' % escrow_dir
],
stdin=subprocess.PIPE)
p.communicate(input=('%s\0%s\0%s\0' %
(PASSWD2, PASSWD3, PASSWD3)).encode('utf-8'))
if p.returncode != 0:
raise subprocess.CalledProcessError(p.returncode, 'volume_key')
# Open the volume with the new passphrase
succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS',
PASSWD3, None)
self.assertTrue(succ)
def test_escrow_packet(self):
"""Verify that an escrow packet can be created for a device"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0)
self.assertTrue(succ)
escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow')
self.addCleanup(shutil.rmtree, escrow_dir)
with open(self.public_cert, 'rb') as cert_file:
succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(),
escrow_dir, None)
self.assertTrue(succ)
# Find the escrow packet
escrow_packet_file = '%s/%s-escrow' % (escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev))
self.assertTrue(os.path.isfile(escrow_packet_file))
# Use the volume_key utility (see note in setUp about why not python)
# to decrypt the escrow packet and restore access to the volume under
# a new passphrase
# Just use the existing temp directory to output the re-encrypted packet
# PASSWD2 is the passphrase of the new escrow packet
p = subprocess.Popen(['volume_key', '--reencrypt', '-b', '-d', self.nss_dir,
escrow_packet_file, '-o', '%s/escrow-out' % escrow_dir],
stdin=subprocess.PIPE)
p.communicate(input=('%s\0%s\0' % (PASSWD2, PASSWD2)).encode('utf-8'))
if p.returncode != 0:
raise subprocess.CalledProcessError(p.returncode, 'volume_key')
# Restore access to the volume
# PASSWD3 is the new passphrase for the LUKS device
p = subprocess.Popen(['volume_key', '--restore', '-b', self.loop_dev,
'%s/escrow-out' % escrow_dir], stdin=subprocess.PIPE)
p.communicate(input=('%s\0%s\0%s\0' % (PASSWD2, PASSWD3, PASSWD3)).encode('utf-8'))
if p.returncode != 0:
raise subprocess.CalledProcessError(p.returncode, 'volume_key')
# Open the volume with the new passphrase
succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', PASSWD3, None)
self.assertTrue(succ)
