f046cc0923
fscrypt can automatically unlock directories with the user's login password. To do this it ships a PAM module which reads the user's password and loads the respective keys into the user's kernel keyring. Significant inspiration was taken from the ecryptfs implementation.
51 lines
1.6 KiB
Nix
51 lines
1.6 KiB
Nix
import ./make-test-python.nix ({ ... }:
|
|
{
|
|
name = "fscrypt";
|
|
|
|
nodes.machine = { pkgs, ... }: {
|
|
imports = [ ./common/user-account.nix ];
|
|
security.pam.enableFscrypt = true;
|
|
};
|
|
|
|
testScript = ''
|
|
def login_as_alice():
|
|
machine.wait_until_tty_matches("1", "login: ")
|
|
machine.send_chars("alice\n")
|
|
machine.wait_until_tty_matches("1", "Password: ")
|
|
machine.send_chars("foobar\n")
|
|
machine.wait_until_tty_matches("1", "alice\@machine")
|
|
|
|
|
|
def logout():
|
|
machine.send_chars("logout\n")
|
|
machine.wait_until_tty_matches("1", "login: ")
|
|
|
|
|
|
machine.wait_for_unit("default.target")
|
|
|
|
with subtest("Enable fscrypt on filesystem"):
|
|
machine.succeed("tune2fs -O encrypt /dev/vda")
|
|
machine.succeed("fscrypt setup --quiet --force --time=1ms")
|
|
|
|
with subtest("Set up alice with an fscrypt-enabled home directory"):
|
|
machine.succeed("(echo foobar; echo foobar) | passwd alice")
|
|
machine.succeed("chown -R alice.users ~alice")
|
|
machine.succeed("echo foobar | fscrypt encrypt --skip-unlock --source=pam_passphrase --user=alice /home/alice")
|
|
|
|
with subtest("Create file as alice"):
|
|
login_as_alice()
|
|
machine.succeed("echo hello > /home/alice/world")
|
|
logout()
|
|
# Wait for logout to be processed
|
|
machine.sleep(1)
|
|
|
|
with subtest("File should not be readable without being logged in as alice"):
|
|
machine.fail("cat /home/alice/world")
|
|
|
|
with subtest("File should be readable again as alice"):
|
|
login_as_alice()
|
|
machine.succeed("cat /home/alice/world")
|
|
logout()
|
|
'';
|
|
})
|