1#!/bin/ksh -p 2# 3# CDDL HEADER START 4# 5# This file and its contents are supplied under the terms of the 6# Common Development and Distribution License ("CDDL"), version 1.0. 7# You may only use this file in accordance with the terms of version 8# 1.0 of the CDDL. 9# 10# A full copy of the text of the CDDL should have accompanied this 11# source. A copy of the CDDL is also available via the Internet at 12# http://www.illumos.org/license/CDDL. 13# 14# CDDL HEADER END 15# 16 17# 18# Copyright (c) 2017 Datto, Inc. All rights reserved. 19# 20 21. $STF_SUITE/include/libtest.shlib 22 23# 24# DESCRIPTION: 25# ZFS should receive to an encrypted child dataset. 26# 27# STRATEGY: 28# 1. Snapshot the default dataset 29# 2. Create an encrypted dataset 30# 3. Attempt to receive a stream to an encrypted child 31# 4. Unload the key 32# 5. Attempt to receive an incremental stream to an encrypted child (must fail) 33# 6. Attempt to receive a stream with properties to an unencrypted child 34# 7. Attempt to receive an incremental stream to an unencrypted child 35# 8. Attempt to receive with -o encryption=off to an unencrypted child 36# 9. Attempt to receive a replication stream to an unencrypted child 37# 10. Attempt to receive a snapshot stream to an encrypted child (must fail) 38# 39 40verify_runnable "both" 41 42function cleanup 43{ 44 datasetexists $TESTPOOL/encrypted && \ 45 destroy_dataset $TESTPOOL/encrypted -r 46 47 snapexists $snap && destroy_dataset $snap -f 48 snapexists $snap2 && destroy_dataset $snap2 -f 49 50 datasetexists $TESTPOOL/$TESTFS1 && \ 51 destroy_dataset $TESTPOOL/$TESTFS1 -r 52} 53 54log_onexit cleanup 55 56log_assert "ZFS should receive encrypted filesystems into child dataset" 57 58typeset passphrase="password" 59typeset snap="$TESTPOOL/$TESTFS@snap" 60typeset snap2="$TESTPOOL/$TESTFS@snap2" 61typeset testfile="testfile" 62 63log_must zfs snapshot $snap 64log_must zfs snapshot $snap2 65 66log_must eval "echo $passphrase | zfs create -o encryption=on" \ 67 "-o keyformat=passphrase $TESTPOOL/$TESTFS1" 68 69log_note "Verifying ZFS will receive to an encrypted child" 70log_must eval "zfs send $snap | zfs receive -u $TESTPOOL/$TESTFS1/c1" 71log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c1)" != "off" 72 73# Unload the key, the following tests won't require it and we will test 74# the receive checks as well. 75log_must zfs unmount $TESTPOOL/$TESTFS1 76log_must zfs unload-key $TESTPOOL/$TESTFS1 77 78log_note "Verifying ZFS will not receive an incremental into an encrypted" \ 79 "dataset when the key is unloaded" 80log_mustnot eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c1" 81 82log_note "Verifying 'send -p' will receive to an unencrypted child" 83log_must eval "zfs send -p $snap | zfs receive -u $TESTPOOL/$TESTFS1/c2" 84log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c2)" == "off" 85 86log_note "Verifying 'send -i' will receive to an unencrypted child" 87log_must eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c2" 88 89# For completeness add the property override case. 90log_note "Verifying recv -o encyption=off' will receive to an unencrypted child" 91log_must eval "zfs send $snap | \ 92 zfs receive -o encryption=off $TESTPOOL/$TESTFS1/c2o" 93log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c2o)" == "off" 94 95log_note "Verifying 'send -R' will receive to an unencrypted child" 96log_must eval "zfs send -R $snap | zfs receive $TESTPOOL/$TESTFS1/c3" 97log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c3)" == "off" 98 99log_note "Verifying ZFS will not receive to an encrypted child when the" \ 100 "parent key is unloaded" 101log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4" 102 103# Verify that replication can override encryption properties 104log_note "Verifying replication can override encryption properties for plain dataset" 105typeset key_location="/$TESTPOOL/pkey1" 106log_must eval "echo $passphrase > $key_location" 107log_must eval "zfs send -R $snap2 | zfs recv -s -F -o encryption=on" \ 108 "-o keyformat=passphrase -o keylocation=file://$key_location" \ 109 "-o mountpoint=none $TESTPOOL/encrypted" 110log_must test "$(get_prop 'encryption' $TESTPOOL/encrypted)" != "off" 111log_must test "$(get_prop 'keyformat' $TESTPOOL/encrypted)" == "passphrase" 112log_must test "$(get_prop 'keylocation' $TESTPOOL/encrypted)" == "file://$key_location" 113 114log_pass "ZFS can receive encrypted filesystems into child dataset" 115