def test_backup_passphrase(self): """Verify that a backup passphrase can be created for a device""" succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0) self.assertTrue(succ) escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow') self.addCleanup(shutil.rmtree, escrow_dir) backup_passphrase = BlockDev.crypto_generate_backup_passphrase() with open(self.public_cert, 'rb') as cert_file: succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(), escrow_dir, backup_passphrase) self.assertTrue(succ) # Find the backup passphrase escrow_backup_passphrase = "%s/%s-escrow-backup-passphrase" % ( escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev)) self.assertTrue(os.path.isfile(escrow_backup_passphrase)) # Check that the encrypted file contains what we put in env = {k: v for k, v in os.environ.items()} env.update({"LC_ALL": "C"}) passphrase = subprocess.check_output([ 'volume_key', '--secrets', '-d', self.nss_dir, escrow_backup_passphrase ], env=env) passphrase = passphrase.strip().split()[1].decode('ascii') self.assertEqual(passphrase, backup_passphrase) # Check that the backup passphrase works succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', backup_passphrase, None) self.assertTrue(succ)
def test_backup_passphrase(self): """Verify that a backup passphrase can be created for a device""" succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0) self.assertTrue(succ) escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow') self.addCleanup(shutil.rmtree, escrow_dir) backup_passphrase = BlockDev.crypto_generate_backup_passphrase() with open(self.public_cert, 'rb') as cert_file: succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(), escrow_dir, backup_passphrase) self.assertTrue(succ) # Find the backup passphrase escrow_backup_passphrase = "%s/%s-escrow-backup-passphrase" % (escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev)) self.assertTrue(os.path.isfile(escrow_backup_passphrase)) # Check that the encrypted file contains what we put in env = os.environ env.update({"LC_ALL": "C"}) passphrase = subprocess.check_output( ['volume_key', '--secrets', '-d', self.nss_dir, escrow_backup_passphrase], env=env) passphrase = passphrase.strip().split()[1].decode('ascii') self.assertEqual(passphrase, backup_passphrase) # Check that the backup passphrase works succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', backup_passphrase, None) self.assertTrue(succ)
def test_escrow_packet(self): """Verify that an escrow packet can be created for a device""" succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0) self.assertTrue(succ) escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow') self.addCleanup(shutil.rmtree, escrow_dir) with open(self.public_cert, 'rb') as cert_file: succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(), escrow_dir, None) self.assertTrue(succ) # Find the escrow packet escrow_packet_file = '%s/%s-escrow' % ( escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev)) self.assertTrue(os.path.isfile(escrow_packet_file)) # Use the volume_key utility (see note in setUp about why not python) # to decrypt the escrow packet and restore access to the volume under # a new passphrase # Just use the existing temp directory to output the re-encrypted packet # PASSWD2 is the passphrase of the new escrow packet p = subprocess.Popen([ 'volume_key', '--reencrypt', '-b', '-d', self.nss_dir, escrow_packet_file, '-o', '%s/escrow-out' % escrow_dir ], stdin=subprocess.PIPE) p.communicate(input=('%s\0%s\0' % (PASSWD2, PASSWD2)).encode('utf-8')) if p.returncode != 0: raise subprocess.CalledProcessError(p.returncode, 'volume_key') # Restore access to the volume # PASSWD3 is the new passphrase for the LUKS device p = subprocess.Popen([ 'volume_key', '--restore', '-b', self.loop_dev, '%s/escrow-out' % escrow_dir ], stdin=subprocess.PIPE) p.communicate(input=('%s\0%s\0%s\0' % (PASSWD2, PASSWD3, PASSWD3)).encode('utf-8')) if p.returncode != 0: raise subprocess.CalledProcessError(p.returncode, 'volume_key') # Open the volume with the new passphrase succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', PASSWD3, None) self.assertTrue(succ)
def test_escrow_packet(self): """Verify that an escrow packet can be created for a device""" succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0) self.assertTrue(succ) escrow_dir = tempfile.mkdtemp(prefix='libblockdev_test_escrow') self.addCleanup(shutil.rmtree, escrow_dir) with open(self.public_cert, 'rb') as cert_file: succ = BlockDev.crypto_escrow_device(self.loop_dev, PASSWD, cert_file.read(), escrow_dir, None) self.assertTrue(succ) # Find the escrow packet escrow_packet_file = '%s/%s-escrow' % (escrow_dir, BlockDev.crypto_luks_uuid(self.loop_dev)) self.assertTrue(os.path.isfile(escrow_packet_file)) # Use the volume_key utility (see note in setUp about why not python) # to decrypt the escrow packet and restore access to the volume under # a new passphrase # Just use the existing temp directory to output the re-encrypted packet # PASSWD2 is the passphrase of the new escrow packet p = subprocess.Popen(['volume_key', '--reencrypt', '-b', '-d', self.nss_dir, escrow_packet_file, '-o', '%s/escrow-out' % escrow_dir], stdin=subprocess.PIPE) p.communicate(input=('%s\0%s\0' % (PASSWD2, PASSWD2)).encode('utf-8')) if p.returncode != 0: raise subprocess.CalledProcessError(p.returncode, 'volume_key') # Restore access to the volume # PASSWD3 is the new passphrase for the LUKS device p = subprocess.Popen(['volume_key', '--restore', '-b', self.loop_dev, '%s/escrow-out' % escrow_dir], stdin=subprocess.PIPE) p.communicate(input=('%s\0%s\0%s\0' % (PASSWD2, PASSWD3, PASSWD3)).encode('utf-8')) if p.returncode != 0: raise subprocess.CalledProcessError(p.returncode, 'volume_key') # Open the volume with the new passphrase succ = BlockDev.crypto_luks_open(self.loop_dev, 'libblockdevTestLUKS', PASSWD3, None) self.assertTrue(succ)