5 # This file and its contents are supplied under the terms of the
6 # Common Development and Distribution License ("CDDL"), version 1.0.
7 # You may only use this file in accordance with the terms of version
10 # A full copy of the text of the CDDL should have accompanied this
11 # source. A copy of the CDDL is also available via the Internet at
12 # http://www.illumos.org/license/CDDL.
18 # Copyright (c) 2017 Datto, Inc. All rights reserved.
21 . $STF_SUITE/include/libtest.shlib
22 . $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib
26 # Unencrypted datasets should only allow keylocation of 'none', encryption
27 # roots should only allow keylocation of 'prompt' and file URI, and encrypted
28 # child datasets should not be able to change their keylocation.
31 # 1. Verify the key location of the default dataset is 'none'
32 # 2. Attempt to change the key location of the default dataset
33 # 3. Create an encrypted dataset using a key file
34 # 4. Attempt to change the key location of the encrypted dataset to 'none',
35 # an invalid location, its current location, and 'prompt'
36 # 5. Attempt to reload the encrypted dataset key using the new key location
37 # 6. Create an encrypted child dataset
38 # 7. Verify the key location of the child dataset is 'none'
39 # 8. Attempt to change the key location of the child dataset
40 # 9. Verify the key location of the child dataset has not changed
# Gate the test on its run context. "both" presumably means global and
# non-global zones; verify_runnable comes from the sourced library, not shown here.
43 verify_runnable "both"
# Destroy the encrypted test dataset (recursively) if it exists.
# NOTE(review): the listing's own numbering jumps 43 -> 47 and 48 -> 52, so the
# lines around this statement are missing. It looks like the body of a cleanup
# handler; confirm against the full file.
47 datasetexists $TESTPOOL/$TESTFS1 && \
48 log_must zfs destroy -r $TESTPOOL/$TESTFS1
# Announce the property under test.
52 log_assert "Key location can only be 'prompt' or a file path for encryption" \
53 "roots, and 'none' for unencrypted volumes"
# Write the passphrase to a key file in the pool's root directory; the
# keylocation=file:// settings below point at this file.
# NOTE(review): $PASSPHRASE is expanded inside the double-quoted string before
# eval re-parses it, so shell metacharacters in the value would be interpreted.
# The file also gets whatever mode the current umask yields. Acceptable for a
# throwaway test passphrase; real key material should be written without eval
# and with owner-only permissions.
55 log_must eval "echo $PASSPHRASE > /$TESTPOOL/pkey"
# Steps 1-2: unencrypted dataset.
# keylocation starts as 'none', and setting it to 'none' again is accepted.
57 log_must verify_keylocation $TESTPOOL/$TESTFS "none"
58 log_must zfs set keylocation=none $TESTPOOL/$TESTFS
# Pointing an unencrypted dataset at a key file must be rejected, both as a
# bare path and as a file:// URI.
59 log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS
60 log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS
# The rejected attempts must not have changed the property.
61 log_must verify_keylocation $TESTPOOL/$TESTFS "none"
# Steps 3-4: encryption root.
# Create an encrypted dataset whose passphrase is read from the key file.
63 log_must zfs create -o encryption=on -o keyformat=passphrase \
64 -o keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
# An encryption root may not have its keylocation set to 'none'.
66 log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1
# NOTE(review): the next two `zfs set keylocation=/$TESTPOOL/pkey` statements
# expect opposite outcomes (log_mustnot, then log_must). The listing's numbering
# skips 67, 69-70 and 75-76, so the platform conditional that selects between
# them is presumably missing. Confirm against the full file before relying on
# either expectation.
68 log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
71 # file:///$TESTPOOL/pkey and /$TESTPOOL/pkey are equivalent on FreeBSD
72 # thanks to libfetch. Eventually we want to make the other platforms
73 # work this way as well, either by porting libfetch or by other means.
74 log_must zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
# Re-setting the current file:// URI is accepted and the property reads back
# unchanged.
77 log_must zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
78 log_must verify_keylocation $TESTPOOL/$TESTFS1 "file:///$TESTPOOL/pkey"
# Switching the encryption root to interactive 'prompt' is accepted.
80 log_must zfs set keylocation=prompt $TESTPOOL/$TESTFS1
81 log_must verify_keylocation $TESTPOOL/$TESTFS1 "prompt"
# Step 5: reload the key using the new 'prompt' key location.
# The dataset is unmounted before its key is unloaded.
83 log_must zfs unmount $TESTPOOL/$TESTFS1
84 log_must zfs unload-key $TESTPOOL/$TESTFS1
# Delete the key file first, so that a successful load-key below can only have
# taken the passphrase from stdin and not from the old file location.
86 log_must rm /$TESTPOOL/pkey
# NOTE(review): as with the key-file write, $PASSPHRASE is expanded before eval
# re-parses the command line.
87 log_must eval "echo $PASSPHRASE | zfs load-key $TESTPOOL/$TESTFS1"
88 log_must zfs mount $TESTPOOL/$TESTFS1
# Steps 6-7: create a child under the encryption root with no encryption
# options; its own keylocation is expected to read 'none'.
90 log_must zfs create $TESTPOOL/$TESTFS1/child
91 log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"
# Step 8: every attempt to set keylocation on the child must be rejected,
# including 'none', which is already its current value.
93 log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1/child
94 log_mustnot zfs set keylocation=prompt $TESTPOOL/$TESTFS1/child
95 log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
96 log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
# Step 9: the rejected attempts must not have changed the child's property.
98 log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"
# Report success with the same message used for log_assert above.
100 log_pass "Key location can only be 'prompt' or a file path for encryption" \
101 "roots, and 'none' for unencrypted volumes"