Diffstat (limited to 'cli-tests')
 -rw-r--r--  cli-tests/t_encrypt.out                  | 45
 -rw-r--r--  cli-tests/t_encrypt_custom.out           |  6
 -rw-r--r--  cli-tests/t_encrypt_login.out            | 14
 -rw-r--r--  cli-tests/t_encrypt_raw_key.out          |  4
 -rw-r--r--  cli-tests/t_lock.out                     | 22
 -rw-r--r--  cli-tests/t_not_enabled.out              | 54
 -rwxr-xr-x  cli-tests/t_not_enabled.sh               |  5
 -rw-r--r--  cli-tests/t_not_supported.out            |  6
 -rw-r--r--  cli-tests/t_setup.out                    | 16
 -rw-r--r--  cli-tests/t_status.out                   | 28
 -rw-r--r--  cli-tests/t_unlock.out                   | 35
 -rwxr-xr-x  cli-tests/t_unlock.sh                    | 13
 -rw-r--r--  cli-tests/t_v1_policy.out                | 20
 -rw-r--r--  cli-tests/t_v1_policy_fs_keyring.out     |  4
14 files changed, 179 insertions, 93 deletions
diff --git a/cli-tests/t_encrypt.out b/cli-tests/t_encrypt.out index af38299..26cb451 100644 --- a/cli-tests/t_encrypt.out +++ b/cli-tests/t_encrypt.out @@ -3,19 +3,30 @@ [ERROR] fscrypt encrypt: no such file or directory ext4 filesystem "MNT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted # Try to encrypt a nonempty directory -[ERROR] fscrypt encrypt: MNT/dir: not an empty directory - -Encryption can only be setup on empty directories; files cannot be encrypted -in-place. Instead, encrypt an empty directory, copy the files into that -encrypted directory, and securely delete the originals with "shred". +[ERROR] fscrypt encrypt: Directory "MNT/dir" cannot be + encrypted because it is non-empty. + +Files cannot be encrypted in-place. Instead, encrypt a new directory, copy the +files into it, and securely delete the original directory. For example: + + mkdir MNT/dir.new + fscrypt encrypt MNT/dir.new + cp -a -T MNT/dir MNT/dir.new + find MNT/dir -type f -print0 | xargs -0 shred -n1 --remove=unlink + rm -rf MNT/dir + mv MNT/dir.new MNT/dir + +Caution: due to the nature of modern storage devices and filesystems, the +original data may still be recoverable from disk. It's much better to encrypt +your files from the start. ext4 filesystem "MNT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted # Encrypt a directory as non-root user ext4 filesystem "MNT" has 1 protector and 1 policy 
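Review bot: in the t_encrypt.out non-empty-directory hint, `find MNT/dir -type f -print0 | xargs -0 shred -n1 --remove=unlink` runs `shred` with no operands (and fails) when the tree holds no regular files, which is possible because subdirectories or symlinks alone already make the directory "non-empty"; pass `-r` to GNU xargs, i.e. `xargs -0r shred -n1 --remove=unlink`. The hint also only overwrites regular-file contents: the file and subdirectory names, which fscrypt would otherwise protect as encrypted filenames, are removed by the later `rm -rf` without being overwritten, so the closing caution could name that gap rather than only "the nature of modern storage devices and filesystems". Two style points in the same hunk: the paths in the command snippet are unquoted while every other path in the reworded messages is double-quoted, and the new message begins with a capital ("Directory "MNT/dir" cannot be encrypted …") where the rewritten status error right below it begins lowercase ("file or directory "MNT/dir" is not encrypted").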
@@ -52,16 +63,16 @@ PROTECTOR LINKED DESCRIPTION desc1 No custom protector "prot" # Try to encrypt an already-encrypted directory -[ERROR] fscrypt encrypt: MNT/dir: file or directory already - encrypted +[ERROR] fscrypt encrypt: file or directory "MNT/dir" is + already encrypted # Try to encrypt another user's directory as a non-root user -[ERROR] fscrypt encrypt: MNT/dir: you do not own this - directory +[ERROR] fscrypt encrypt: cannot encrypt "MNT/dir" because + it's owned by another user (root). -Encryption can only be setup on directories you own, even if you have write -permission for the directory. + Encryption can only be enabled on a directory you own, + even if you have write access to the directory. ext4 filesystem "MNT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted diff --git a/cli-tests/t_encrypt_custom.out b/cli-tests/t_encrypt_custom.out index 572529a..8dd15e3 100644 --- a/cli-tests/t_encrypt_custom.out +++ b/cli-tests/t_encrypt_custom.out @@ -46,10 +46,10 @@ PROTECTOR LINKED DESCRIPTION desc6 No custom protector "prot" # Try to use a custom protector without a name -[ERROR] fscrypt encrypt: custom protectors must have a name +[ERROR] fscrypt encrypt: custom_passphrase protectors must be named Use --name=PROTECTOR_NAME to specify a protector name. ext4 filesystem "MNT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted diff --git a/cli-tests/t_encrypt_login.out b/cli-tests/t_encrypt_login.out index c6eb463..e8e0e41 100644 --- a/cli-tests/t_encrypt_login.out +++ b/cli-tests/t_encrypt_login.out 
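Review bot: in the t_encrypt.out "owned by another user" hunk the explanatory paragraph carries one leading space on both of its lines (" Encryption can only be enabled on a directory you own, …"), whereas every other explanatory paragraph in these outputs is flush left; either the wrapper adds an unintended indent for this message or the expected output was pasted with extra whitespace, and it should match the rest. In the t_encrypt_custom.out hunk, "custom_passphrase protectors must be named" exposes the internal source-type identifier, while the status table in the same file prints `custom protector "prot"`; use the user-facing wording ("custom protectors must be named") so the error and `fscrypt status` agree.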
@@ -130,13 +130,17 @@ POLICY UNLOCKED PROTECTORS desc34 Yes desc35 # Try to give a login protector a name -[ERROR] fscrypt encrypt: login protectors do not need a name +[ERROR] fscrypt encrypt: cannot assign name "prot" to new login protector for + user "fscrypt-test-user" because login protectors are + identified by user, not by name. + +To fix this, don't specify the --name=PROTECTOR_NAME option. ext4 filesystem "MNT" has 0 protectors and 0 policies ext4 filesystem "MNT_ROOT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted # Try to use the wrong login passphrase [ERROR] fscrypt encrypt: incorrect login passphrase @@ -144,5 +148,5 @@ ext4 filesystem "MNT" has 0 protectors and 0 policies ext4 filesystem "MNT_ROOT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted diff --git a/cli-tests/t_encrypt_raw_key.out b/cli-tests/t_encrypt_raw_key.out index c7c46eb..8765ba2 100644 --- a/cli-tests/t_encrypt_raw_key.out +++ b/cli-tests/t_encrypt_raw_key.out @@ -21,5 +21,5 @@ desc1 No raw key protector "prot" [ERROR] fscrypt encrypt: TMPDIR/raw_key: key file must be 32 bytes ext4 filesystem "MNT" has 0 protectors and 0 policies -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted diff --git a/cli-tests/t_lock.out b/cli-tests/t_lock.out index c0f9279..b8c8dcb 100644 --- a/cli-tests/t_lock.out +++ b/cli-tests/t_lock.out 
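Review bot: t_encrypt_raw_key.out still expects `[ERROR] fscrypt encrypt: TMPDIR/raw_key: key file must be 32 bytes`, which keeps the old `path: reason` prefix form that the rest of this patch replaces with sentences quoting the path (`file or directory "MNT/dir" is not encrypted`); if the raw-key error was meant to be reworded the same way, the expected output here is stale, and if it was not, users will see both styles side by side. The t_encrypt_login.out change is fine as written: it names the user, gives the reason (login protectors are identified by user, not by name) and tells the user to drop --name=PROTECTOR_NAME.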
@@ -33,11 +33,16 @@ desc2 No custom protector "prot" contents # Try to lock directory while files busy -[ERROR] fscrypt lock: some files using the key are still open +[ERROR] fscrypt lock: Directory was incompletely locked because some files are + still open. These files remain accessible. -Directory was incompletely locked because some files are still open. These files -remain accessible. Try killing any processes using files in the directory, then -re-running 'fscrypt lock'. +Try killing any processes using files in the directory, for example using: + + find "MNT/dir" -print0 | xargs -0 fuser -k + +Then re-run: + + fscrypt lock "MNT/dir" # => status should be incompletely locked "MNT/dir" is encrypted with fscrypt. @@ -72,11 +77,12 @@ mkdir: cannot create directory 'MNT/dir/subdir': Required key not available # Try to lock directory while other user has unlocked Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use. -[ERROR] fscrypt lock: other users have added the key too +[ERROR] fscrypt lock: Directory "MNT/dir" couldn't be fully + locked because other user(s) have unlocked it. + +If you want to force the directory to be locked, use: -Directory couldn't be fully locked because other user(s) have unlocked it. If -you want to force the directory to be locked, use 'sudo fscrypt lock --all-users -DIR'. + sudo fscrypt lock --all-users "MNT/dir" contents "MNT/dir" is now locked. cat: MNT/dir/file: No such file or directory diff --git a/cli-tests/t_not_enabled.out b/cli-tests/t_not_enabled.out index 7d74bcf..4553891 100644 --- a/cli-tests/t_not_enabled.out +++ b/cli-tests/t_not_enabled.out 
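Review bot: the hint `find "MNT/dir" -print0 | xargs -0 fuser -k` in the incompletely-locked message is destructive: `fuser -k` sends SIGKILL to every process that has any of the listed paths open, mapped, or as its current directory, and because `find` also prints the directory itself, a user whose shell is cd'ed into "MNT/dir" will kill that shell. Suggest telling users to list first (`fuser -v`) and then kill interactively or with a catchable signal (`fuser -k -i` or `fuser -k -TERM`), or at least stating in the message that the matched processes are killed without confirmation. Also, when nothing matches, `fuser` exits non-zero and `xargs` reports status 123, which reads like a failure. The identical text is added again in the t_v1_policy.out hunk further down, so any change here must be mirrored there.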
@@ -2,28 +2,52 @@ # Disable encryption on DEV # Try to encrypt a directory when encryption is disabled -[ERROR] fscrypt encrypt: get encryption policy MNT/dir: - encryption not enabled +[ERROR] fscrypt encrypt: encryption not enabled on filesystem + MNT (DEV). -Encryption is either disabled in the kernel config, or needs to be enabled for -this filesystem. See the documentation on how to enable encryption on ext4 -systems (and the risks of doing so). +To enable encryption support on this filesystem, run: + + sudo tune2fs -O encrypt "DEV" + +Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation +for more details. # Try to unlock a directory when encryption is disabled -[ERROR] fscrypt unlock: get encryption policy MNT/dir: - encryption not enabled +[ERROR] fscrypt unlock: encryption not enabled on filesystem + MNT (DEV). + +To enable encryption support on this filesystem, run: -Encryption is either disabled in the kernel config, or needs to be enabled for -this filesystem. See the documentation on how to enable encryption on ext4 -systems (and the risks of doing so). + sudo tune2fs -O encrypt "DEV" + +Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation +for more details. # Try to lock a directory when encryption is disabled -[ERROR] fscrypt lock: get encryption policy MNT/dir: - encryption not enabled +[ERROR] fscrypt lock: encryption not enabled on filesystem + MNT (DEV). + +To enable encryption support on this filesystem, run: + + sudo tune2fs -O encrypt "DEV" + +Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation +for more details. + +# Check for additional message when GRUB appears to be installed +[ERROR] fscrypt encrypt: encryption not enabled on filesystem + MNT (DEV). + +To enable encryption support on this filesystem, run: + + sudo tune2fs -O encrypt "DEV" + +WARNING: you seem to have GRUB installed on this filesystem. 
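Review bot: all three hunks in t_not_enabled.out answer the generic error "encryption not enabled on filesystem MNT (DEV)" with the ext4-specific `sudo tune2fs -O encrypt "DEV"`, and because this test only exercises an ext4 mount the expected output cannot show what is printed for other filesystem types; please confirm the tune2fs line is emitted only when the filesystem is ext4 and that other types fall back to the plain "See the documentation" pointer, ideally with an expected output for that path. The removed text also pointed users at "the risks of doing so"; apart from the GRUB warning in the next hunk, the new text no longer says that enabling the feature has consequences, so the documentation pointer should say what to read before running tune2fs. The same three-line block is repeated verbatim for encrypt, unlock and lock; that is normal for .out files but means later wording changes must be applied in all three places.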
Before doing the +above, make sure you are using GRUB v2.04 or later; otherwise your system will +become unbootable. -Encryption is either disabled in the kernel config, or needs to be enabled for -this filesystem. See the documentation on how to enable encryption on ext4 -systems (and the risks of doing so). +Also ensure that your kernel has CONFIG_FS_ENCRYPTION=y. See the documentation +for more details. # Enable encryption on DEV diff --git a/cli-tests/t_not_enabled.sh b/cli-tests/t_not_enabled.sh index 3c7d22c..fae1094 100755 --- a/cli-tests/t_not_enabled.sh +++ b/cli-tests/t_not_enabled.sh @@ -26,6 +26,11 @@ _expect_failure "fscrypt unlock '$dir'" _print_header "Try to lock a directory when encryption is disabled" _expect_failure "fscrypt lock '$dir'" +_print_header "Check for additional message when GRUB appears to be installed" +mkdir -p "$MNT/boot/grub" +_expect_failure "fscrypt encrypt '$dir'" +rm -r "${MNT:?}/boot" + _print_header "Enable encryption on $DEV" _run_noisy_command "tune2fs -O encrypt '$DEV'" diff --git a/cli-tests/t_not_supported.out b/cli-tests/t_not_supported.out index 8af840c..ecee56a 100644 --- a/cli-tests/t_not_supported.out +++ b/cli-tests/t_not_supported.out @@ -5,7 +5,5 @@ Metadata directories created at "MNT/.fscrypt". # Try to encrypt a directory on tmpfs -[ERROR] fscrypt encrypt: get encryption policy MNT/dir: - encryption not supported - -Encryption for this type of filesystem is not supported on this kernel version. +[ERROR] fscrypt encrypt: This kernel doesn't support encryption on tmpfs + filesystems. diff --git a/cli-tests/t_setup.out b/cli-tests/t_setup.out index e1606ba..943a781 100644 --- a/cli-tests/t_setup.out +++ b/cli-tests/t_setup.out 
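Review bot: in the GRUB hunk the warning ("Before doing the above, make sure you are using GRUB v2.04 or later; otherwise your system will become unbootable") is printed after the `sudo tune2fs -O encrypt "DEV"` line it refers to, so a user reading top-down has already been handed the command before being told to check GRUB; print the warning before the command. The detection exercised by t_not_enabled.sh is `mkdir -p "$MNT/boot/grub"`, i.e. boot/grub relative to the mountpoint, which covers a root filesystem that contains /boot, but when the filesystem being enabled is a separate /boot partition GRUB's directory sits at `$MNT/grub` and the heuristic misses it; checking that path too (or whether the mountpoint is /boot) and adding a second test case would close the gap. Only `fscrypt encrypt` is run with the directory present; lock and unlock presumably share the code path, but the test does not demonstrate it. Minor: t_not_supported.out's "This kernel doesn't support encryption on tmpfs filesystems." starts with a capital after the `fscrypt encrypt:` prefix, unlike the lowercase errors elsewhere.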
@@ -26,7 +26,7 @@ Skipping creating MNT_ROOT/.fscrypt because it already exists. # fscrypt setup --quiet when fscrypt.conf already exists [ERROR] fscrypt setup: operation would be destructive -Use --force to automatically run destructive operations. +If desired, use --force to automatically run destructive operations. # fscrypt setup --quiet --force when fscrypt.conf already exists @@ -34,16 +34,16 @@ Use --force to automatically run destructive operations. Metadata directories created at "MNT/.fscrypt". # fscrypt setup filesystem (already set up) -[ERROR] fscrypt setup: filesystem MNT: already setup for use - with fscrypt +[ERROR] fscrypt setup: filesystem MNT is already setup for + use with fscrypt # no config file -[ERROR] fscrypt setup: global config file does not exist +[ERROR] fscrypt setup: "FSCRYPT_CONF" doesn't exist -Run "sudo fscrypt setup" to create the file. +Run "sudo fscrypt setup" to create this file. # bad config file -[ERROR] fscrypt setup: invalid character 'b' looking for beginning of value: - global config file has invalid data +[ERROR] fscrypt setup: "FSCRYPT_CONF" is invalid: invalid + character 'b' looking for beginning of value -Run "sudo fscrypt setup" to recreate the file. +Either fix this file manually, or run "sudo fscrypt setup" to recreate it. diff --git a/cli-tests/t_status.out b/cli-tests/t_status.out index b036712..0d478b5 100644 --- a/cli-tests/t_status.out +++ b/cli-tests/t_status.out @@ -10,10 +10,10 @@ ext4 filesystem "MNT" has 0 protectors and 0 policies # Get status of unencrypted directory on setup mountpoint -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted # Remove fscrypt metadata from MNT 
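Review bot: "filesystem MNT is already setup for use with fscrypt" in t_setup.out (and "is not setup for use" in the t_status.out hunks) uses the noun "setup" where the verb "set up" is meant; since these strings are being reworded anyway, make it "is already set up" / "is not set up". In the bad-config hunk the message embeds the decoder error ("invalid character 'b' looking for beginning of value") but no byte offset or line, so "Either fix this file manually" gives the user nothing to locate; encoding/json's SyntaxError carries an Offset, so include it. And `"FSCRYPT_CONF" doesn't exist` drops the words "global config file", so a user who does not recognise the path (/etc/fscrypt.conf) only sees a bare filename; "global config file "FSCRYPT_CONF" doesn't exist" keeps both.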
@@ -24,21 +24,25 @@ ext4 supported No ext4 supported No # Get status of not-setup mountpoint -[ERROR] fscrypt status: filesystem MNT: not setup for use +[ERROR] fscrypt status: filesystem MNT is not setup for use with fscrypt -Run "fscrypt setup MOUNTPOINT" to use fscrypt on this filesystem. -[ERROR] fscrypt status: filesystem MNT: not setup for use +Run "sudo fscrypt setup MNT" to use fscrypt on this +filesystem. +[ERROR] fscrypt status: filesystem MNT is not setup for use with fscrypt -Run "fscrypt setup MOUNTPOINT" to use fscrypt on this filesystem. +Run "sudo fscrypt setup MNT" to use fscrypt on this +filesystem. # Get status of unencrypted directory on not-setup mountpoint -[ERROR] fscrypt status: filesystem MNT: not setup for use +[ERROR] fscrypt status: filesystem MNT is not setup for use with fscrypt -Run "fscrypt setup MOUNTPOINT" to use fscrypt on this filesystem. -[ERROR] fscrypt status: filesystem MNT: not setup for use +Run "sudo fscrypt setup MNT" to use fscrypt on this +filesystem. +[ERROR] fscrypt status: filesystem MNT is not setup for use with fscrypt -Run "fscrypt setup MOUNTPOINT" to use fscrypt on this filesystem. +Run "sudo fscrypt setup MNT" to use fscrypt on this +filesystem. diff --git a/cli-tests/t_unlock.out b/cli-tests/t_unlock.out index 29a10dd..25430a0 100644 --- a/cli-tests/t_unlock.out +++ b/cli-tests/t_unlock.out 
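Review bot: in all four t_status.out occurrences the new hint wraps as `Run "sudo fscrypt setup MNT" to use fscrypt on this` / `filesystem.`, leaving a one-word second line; the break only makes sense for the real mount path that the MNT placeholder stands in for, which shows the wrapping is computed on the unsubstituted text. That is harmless today, but these .out files will reflow whenever the test mount path length changes, so either have the harness normalise wrapping or keep such hints short enough to stay on one line. Replacing the generic "fscrypt setup MOUNTPOINT" with the concrete path and "sudo" is an improvement.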
@@ -81,21 +81,36 @@ contents desc1 Yes desc2 # Try to unlock with corrupt policy metadata -[ERROR] fscrypt unlock: MNT/dir: system error: missing - policy metadata for encrypted directory - -This file or directory has either been encrypted with another tool (such as -e4crypt) or the corresponding filesystem metadata has been deleted. +[ERROR] fscrypt unlock: fscrypt metadata file at + "MNT/.fscrypt/policies/desc1" + is corrupt: unexpected EOF # Try to unlock with missing policy metadata -[ERROR] fscrypt unlock: MNT/dir: system error: missing - policy metadata for encrypted directory - -This file or directory has either been encrypted with another tool (such as -e4crypt) or the corresponding filesystem metadata has been deleted. +[ERROR] fscrypt unlock: filesystem "MNT" does not contain + the policy metadata for "MNT/dir". + This directory has either been encrypted with another + tool (such as e4crypt), or the file + "MNT/.fscrypt/policies/desc20" + has been deleted. # Try to unlock with missing protector metadata [ERROR] fscrypt unlock: could not load any protectors You may need to mount a linked filesystem. Run with --verbose for more information. + +# Try to unlock with wrong policy metadata +[ERROR] fscrypt unlock: inconsistent metadata between encrypted directory + "MNT/dir1" and its corresponding + metadata file + "MNT/.fscrypt/policies/desc21". + + Directory has + descriptor:desc21 padding:32 + contents:AES_256_XTS filenames:AES_256_CTS + policy_version:2 + + Metadata file has + descriptor:desc23 padding:32 + contents:AES_256_XTS filenames:AES_256_CTS + policy_version:2 diff --git a/cli-tests/t_unlock.sh b/cli-tests/t_unlock.sh index 3dfba41..e32b0f7 100755 --- a/cli-tests/t_unlock.sh +++ b/cli-tests/t_unlock.sh 
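Review bot: the corrupt-metadata case now prints only `fscrypt metadata file at "MNT/.fscrypt/policies/desc1" is corrupt: unexpected EOF` with no next step, while the missing-metadata and inconsistent-metadata messages in the same hunk explain what probably happened; add a sentence saying what the user can do (restore the file from backup, or check whether the directory was encrypted by another tool), since "unexpected EOF" alone does not tell them whether the directory is still recoverable. The "missing protector metadata" expected output is unchanged ("could not load any protectors / You may need to mount a linked filesystem."), yet the test that produces it deletes the protector files outright (`rm "$MNT"/.fscrypt/protectors/*` in t_unlock.sh), so the linked-filesystem hint is misleading for that case; the message should name the protector descriptor(s) it looked for, consistent with how the new inconsistent-metadata message names both descriptors. The side-by-side dump in that last message ("Directory has … / Metadata file has …") is exactly what is needed to diagnose a swap.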
@@ -67,3 +67,16 @@ mkdir "$dir" echo hunter2 | fscrypt encrypt --quiet --name=prot --skip-unlock "$dir" rm "$MNT"/.fscrypt/protectors/* _expect_failure "echo hunter2 | fscrypt unlock '$dir'" + +_print_header "Try to unlock with wrong policy metadata" +_reset_filesystems +mkdir "$MNT/dir1" +mkdir "$MNT/dir2" +echo hunter2 | fscrypt encrypt --quiet --name=dir1 --skip-unlock "$MNT/dir1" +echo hunter2 | fscrypt encrypt --quiet --name=dir2 --skip-unlock "$MNT/dir2" +policy1=$(find "$MNT/.fscrypt/policies/" -type f | head -1) +policy2=$(find "$MNT/.fscrypt/policies/" -type f | tail -1) +mv "$policy1" "$TMPDIR/policy" +mv "$policy2" "$policy1" +mv "$TMPDIR/policy" "$policy2" +_expect_failure "echo hunter2 | fscrypt unlock '$MNT/dir1'" diff --git a/cli-tests/t_v1_policy.out b/cli-tests/t_v1_policy.out index 0ff5219..b47bcca 100644 --- a/cli-tests/t_v1_policy.out +++ b/cli-tests/t_v1_policy.out @@ -11,14 +11,15 @@ can be done with --user=USERNAME. To use the root user's keyring or passphrase, use --user=root. # Try to use --user=root as user -[ERROR] fscrypt encrypt: setting uids: operation not permitted: could not access - user keyring +[ERROR] fscrypt encrypt: could not access user keyring for "root": setting uids: + operation not permitted You can only use --user=USERNAME to access the user keyring of another user if you are running as root. # Try to encrypt without user keyring in session keyring -[ERROR] fscrypt encrypt: user keyring not linked into session keyring +[ERROR] fscrypt encrypt: user keyring for "fscrypt-test-user" is not linked into + the session keyring This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable pam_keyinit.so, or run "keyctl link @u @s". 
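Review bot: the new "wrong policy metadata" test selects the two policy files with `find "$MNT/.fscrypt/policies/" -type f | head -1` and `tail -1`, which depends on find's directory order; with exactly two files the swap works either way, but the expected output in t_unlock.out pins specific placeholders (`descriptor:desc21` for the directory, `desc23` in the file), so please check that the placeholder numbering is independent of which file `head -1` returns, or pipe through `sort` so the order is fixed. It would also be worth asserting, after the swap, that `fscrypt unlock "$MNT/dir2"` fails with the mirrored descriptors, since the current test only exercises dir1. The t_v1_policy.out hunk reordering the keyring error into `could not access user keyring for "root": setting uids: operation not permitted` is an improvement over leading with the syscall detail.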
@@ -100,11 +101,16 @@ cat: MNT/dir/file: No such file or directory # Testing incompletely locking v1-encrypted directory Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use. Encrypted data removed from filesystem cache. -[ERROR] fscrypt lock: some files using the key are still open +[ERROR] fscrypt lock: Directory was incompletely locked because some files are + still open. These files remain accessible. -Directory was incompletely locked because some files are still open. These files -remain accessible. Try killing any processes using files in the directory, then -re-running 'fscrypt lock'. +Try killing any processes using files in the directory, for example using: + + find "MNT/dir" -print0 | xargs -0 fuser -k + +Then re-run: + + fscrypt lock "MNT/dir" "MNT/dir" is encrypted with fscrypt. Policy: desc1 diff --git a/cli-tests/t_v1_policy_fs_keyring.out b/cli-tests/t_v1_policy_fs_keyring.out index ca32ec1..cfc8f7c 100644 --- a/cli-tests/t_v1_policy_fs_keyring.out +++ b/cli-tests/t_v1_policy_fs_keyring.out @@ -10,8 +10,8 @@ Either this command should be run as root, or you should set re-create your encrypted directories using v2 encryption policies rather than v1 (this requires setting '"policy_version": "2"' in the "options" section of /etc/fscrypt.conf). -[ERROR] fscrypt status: get encryption policy MNT/dir: file - or directory not encrypted +[ERROR] fscrypt status: file or directory "MNT/dir" is not + encrypted # Encrypt directory as user with --skip-unlock "MNT/dir" is encrypted with fscrypt. |
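Review bot: in the t_v1_policy.out incompletely-locked hunk the output prints "Encrypted data removed from filesystem cache." immediately before the [ERROR] that says the directory was incompletely locked and "These files remain accessible", which reads as a success line followed by a failure; if the cache drop necessarily runs before the open-file check on v1 policies, the first line should be worded so it does not imply the lock succeeded, or be suppressed on the error path. This hunk also duplicates the `find "MNT/dir" -print0 | xargs -0 fuser -k` suggestion from t_lock.out verbatim, with the same SIGKILL-without-confirmation concern, so the two strings should come from one place in the code so they cannot drift. The t_v1_policy_fs_keyring.out change is just the reworded not-encrypted status error and needs nothing further.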