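#!/bin/sh
# Integration test for cryptsetup-nuke-password.
#
# Flow: create a 20 MiB file-backed LUKS container with a known passphrase,
# register a second "nuke" passphrase through the package's crypt helper,
# verify the container opens and holds a flag file, then feed the nuke
# passphrase to /lib/cryptsetup/askpass via a diverted askpass helper and
# check that the container can no longer be opened with the original key.
#
# Requirements: root (dd/mkfs/mount/cryptsetup on /dev/mapper), cryptsetup,
# and the cryptsetup-nuke-password crypt helper installed.
# Environment: AUTOPKGTEST_TMP - working directory for test artifacts.
#   When unset, a private directory from mktemp(1) is used instead of the
#   shared /tmp, so the predictable file names below (cryptedfs, keyfile-*)
#   cannot be pre-planted or symlinked by another local user while we run
#   as root.
# Exit status: 0 when every check passes, 1 on the first failed check.
set -e

workdir=${AUTOPKGTEST_TMP:-$(mktemp -d)}
cd "$workdir"

#verbose="--verbose --debug --debug-json"
verbose="--verbose"

# Print an error message on stderr (test output is captured by the runner).
err() {
  printf 'ERROR: %s\n' "$*" >&2
}

echo ">> Setup the 'cryptedfs' file that will contain the luks container"
dd if=/dev/zero of=cryptedfs count=1 bs=20M
# printf instead of 'echo -n': the key files must not carry a trailing
# newline and echo's -n handling is implementation-defined under /bin/sh.
printf '%s' "this the passphrase" >keyfile-default
printf '%s' "nuke-it" >keyfile-nuke

echo ">> Format with cryptsetup"
# $verbose is deliberately unquoted: it may hold several space-separated flags.
cryptsetup --batch-mode $verbose --use-urandom luksFormat cryptedfs keyfile-default

echo ">> Add nuke passphrase"
mkdir -p /etc/cryptsetup-nuke-password
# The helper reads the nuke passphrase on stdin and emits its hash.
/usr/lib/cryptsetup-nuke-password/crypt --generate <keyfile-nuke \
  >/etc/cryptsetup-nuke-password/password_hash

echo ">> Open the luks container"
cryptsetup $verbose open cryptedfs testnuke --key-file keyfile-default
if [ ! -e /dev/mapper/testnuke ]; then
  err "/dev/mapper/testnuke has not been created"
  exit 1
fi

echo ">> Create the initial filesystem and put a flag file on it"
mkfs.ext4 /dev/mapper/testnuke
mount /dev/mapper/testnuke /mnt
echo "Debian rules!" >/mnt/my-secret-file
umount /mnt
cryptsetup $verbose close testnuke

echo ">> Backup the luks header"
# The backup is only taken here; nothing in this script restores it.
rm -f luks-header-backup
cryptsetup $verbose luksHeaderBackup cryptedfs --header-backup-file luks-header-backup

echo ">> Call askpass with the nuke password"
export CRYPTTAB_SOURCE="$PWD/cryptedfs"
export DIVERTED_ASKPASS="$PWD/askpass"
# Diverted askpass helper: just prints the nuke passphrase (relative path
# works because it runs from $workdir).
cat >"$DIVERTED_ASKPASS" <<'END'
#!/bin/sh
cat keyfile-nuke
END
chmod 755 "$DIVERTED_ASKPASS"
password=$(/lib/cryptsetup/askpass)
if [ "$password" != "nuke-it" ]; then
  err "askpass did not print the expected password on stdout (expected: 'nuke-it', was: '$password')"
  exit 1
fi

echo ">> Ensuring that we can no longer open the luks container"
# RESULT must be initialised: the '|| RESULT=$?' branch only runs when the
# open FAILS (the expected outcome). Without a default, a successful open
# left RESULT unset, so the check below became '[ = 0 ]' and the
# "nuke did not work" branch was silently skipped.
RESULT=0
cryptsetup $verbose open cryptedfs testnuke --key-file keyfile-default || RESULT=$?
if [ "$RESULT" = 0 ]; then
  err "open with nuke password worked!"
  # Best-effort inspection and cleanup; failures here must not mask exit 1.
  set +e
  mount /dev/mapper/testnuke /mnt
  if [ -e /mnt/my-secret-file ]; then
    err "and the flag file can be seen"
  fi
  umount /mnt
  cryptsetup $verbose close testnuke
  exit 1
fi
if [ -e /dev/mapper/testnuke ]; then
  err "/dev/mapper/testnuke should not exist"
  cryptsetup $verbose close testnuke
  exit 1
fi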