5 # This file and its contents are supplied under the terms of the
6 # Common Development and Distribution License ("CDDL"), version 1.0.
7 # You may only use this file in accordance with the terms of version
10 # A full copy of the text of the CDDL should have accompanied this
11 # source. A copy of the CDDL is also available via the Internet at
12 # http://www.illumos.org/license/CDDL.
18 # Copyright (c) 2017 Datto, Inc. All rights reserved.
21 . $STF_SUITE/include/libtest.shlib
22 . $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib
26 # Unencrypted datasets should only allow keylocation of 'none', encryption
27 # roots should only allow keylocation of 'prompt', a file URI, or an https
28 # URL, and encrypted child datasets should not be able to change their
28 # keylocation.
31 # 1. Verify the key location of the default dataset is 'none'
32 # 2. Attempt to change the key location of the default dataset
33 # 3. Create an encrypted dataset using a key file
34 # 4. Attempt to change the key location of the encrypted dataset to 'none',
35 # an invalid location, its current location, an https URL, and 'prompt'
36 # 5. Attempt to reload the encrypted dataset key using the new key location
37 # 6. Create an encrypted child dataset
38 # 7. Verify the key location of the child dataset is 'none'
39 # 8. Attempt to change the key location of the child dataset
40 # 9. Verify the key location of the child dataset has not changed
verify_runnable "both"

# Datasets and key file exercised below, spelled once so every check reads
# as "<expectation> <key location> <dataset>".
plain_ds=$TESTPOOL/$TESTFS
root_ds=$TESTPOOL/$TESTFS1
child_ds=$root_ds/child
pkey=/$TESTPOOL/pkey

# NOTE(review): the line numbers embedded in this listing jump from 43 to 47
# and from 48 to 53, so lines are missing around this statement. It reads
# like the body of a cleanup handler - confirm against the original file.
datasetexists $root_ds && \
	destroy_dataset $root_ds -r

log_assert "Key location can only be 'prompt', 'file://', or 'https://'" \
	"for encryption roots, and 'none' for unencrypted volumes"

# The key file stores the passphrase in clear text and is created with the
# shell's default umask. $PASSPHRASE is expanded before eval re-parses the
# string, so shell metacharacters in it would be interpreted; presumably it
# is a fixed test value from the sourced kshlib - verify.
log_must eval "echo $PASSPHRASE > $pkey"

# Unencrypted dataset: keylocation reports 'none', re-setting 'none' is
# accepted, and pointing it at key material (bare path or file URI) is
# refused.
log_must verify_keylocation $plain_ds "none"
log_must zfs set keylocation=none $plain_ds
for kl in $pkey file://$pkey; do
	log_mustnot zfs set keylocation=$kl $plain_ds
done
log_must verify_keylocation $plain_ds "none"

# Encryption root keyed from the file written above.
log_must zfs create -o encryption=on -o keyformat=passphrase \
	-o keylocation=file://$pkey $root_ds

# An encryption root must keep a usable key location: 'none' is refused,
# and so is a bare path that carries no URI scheme.
for kl in none $pkey; do
	log_mustnot zfs set keylocation=$kl $root_ds
done

# Re-setting the location the root already has is accepted.
log_must zfs set keylocation=file://$pkey $root_ds
log_must verify_keylocation $root_ds "file://$pkey"

# An https:// URL is accepted as a key location for an encryption root.
log_must zfs set keylocation=$(get_https_base_url)/PASSPHRASE $root_ds
log_must verify_keylocation $root_ds "$(get_https_base_url)/PASSPHRASE"

# Switch to 'prompt' and confirm the property reflects it.
log_must zfs set keylocation=prompt $root_ds
log_must verify_keylocation $root_ds "prompt"

# Drop the loaded key so the next load-key has to use the new location.
log_must zfs unmount $root_ds
log_must zfs unload-key $root_ds

# With the key file deleted, load-key can only succeed from the passphrase
# piped on stdin, which shows that 'prompt' is what is actually in effect.
log_must rm $pkey
log_must eval "echo $PASSPHRASE | zfs load-key $root_ds"
log_must zfs mount $root_ds

# A child created under the encryption root reports keylocation 'none'.
log_must zfs create $child_ds
log_must verify_keylocation $child_ds "none"

# Every attempt to set keylocation on the child is refused, whatever the
# value, so key handling stays with the encryption root.
for kl in none prompt file://$pkey $pkey; do
	log_mustnot zfs set keylocation=$kl $child_ds
done

# The refused attempts must have left the child's property untouched.
log_must verify_keylocation $child_ds "none"

log_pass "Key location can only be 'prompt', 'file://', or 'https://'" \
	"for encryption roots, and 'none' for unencrypted volumes"