| author | Ben Boeckel <mathstuf@gmail.com> | 2015-09-25 01:37:54 -0400 |
|---|---|---|
| committer | Lars Wirzenius <liw@liw.fi> | 2015-10-11 11:42:02 +0300 |
| commit | 8cbd118637941e9d2621cb248ffd1ed3f7905413 (patch) | |
| tree | 7b2a0c4e51b0d6d10962afab656ac1f17281c26b /yarns | |
| parent | 88363ebc8e1f01c7179811da7a11b8ff2b5cd9bb (diff) | |
| download | obnam-8cbd118637941e9d2621cb248ffd1ed3f7905413.tar.gz | |
encryption_plugin: add a gnupghome configuration option
Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
Diffstat (limited to 'yarns')
-rw-r--r-- | yarns/0060-encryption.yarn | 16
-rw-r--r-- | yarns/9000-implements.yarn | 26
2 files changed, 42 insertions, 0 deletions
diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn index acbade88..6985f1ff 100644 --- a/yarns/0060-encryption.yarn +++ b/yarns/0060-encryption.yarn @@ -46,6 +46,22 @@ that encryption is done at the I/O abstraction level. AND user U restores their latest generation in repository R into X THEN L, restored to X, matches manifest M +Keys provided by a custom directory +----------------------------------- + +We'll make a simple backup and restore using encryption. If this +works, we can probably assume that any other normal repository +operations (those not part of encryption management) also work, given +that encryption is done at the I/O abstraction level. + + SCENARIO encrypted backup and restore with a separate keyring + GIVEN user U separately uses encryption key "Test Key One" from test-data/keyring-1 + AND 128kB of new data in directory L + AND a manifest of L in M + WHEN user U backs up directory L to repository R + AND user U restores their latest generation in repository R into X + THEN L, restored to X, matches manifest M + Adding and removing keys to clients ----------------------------------- diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn index 204611cf..4a03f3d8 100644 --- a/yarns/9000-implements.yarn +++ b/yarns/9000-implements.yarn 
@@ -231,6 +231,32 @@ use. We store that. add_to_config "$MATCH_1" encrypt-with "$MATCH_2" +Scenarios involving encryption may also use a private keyring directory. + + IMPLEMENTS GIVEN user (\S+) separately uses encryption key "(.*)" from (\S+) + if [ ! -e "$DATADIR/$MATCH_1.gnupg" ] + then + mkdir "$DATADIR/$MATCH_1.gnupg" + cp -a "$SRCDIR/$MATCH_3/." "$DATADIR/$MATCH_1.gnupg/." + add_to_config "$MATCH_1" gnupghome "$DATADIR/$MATCH_1.gnupg" + else + # Export public and secret keys from new keyring. + export GNUPGHOME="$SRCDIR/$MATCH_3" + gpg --export "$MATCH_2" > "$DATADIR/public.key" + gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key" + + # Import into the keyring uses for tests. + export GNUPGHOME="$DATADIR/$MATCH_1.gnupg" + gpg --import "$DATADIR/public.key" + gpg --import "$DATADIR/secret.key" + + # Use the configuration rather than the environment. + add_to_config "$MATCH_1" gnupghome "$GNUPGHOME" + unset GNUPGHOME + fi + + add_to_config "$MATCH_1" encrypt-with "$MATCH_2" + Encryption scenarions, at least, also need users that pretend to be someone else. |
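Review bot: the introductory paragraph of the new "Keys provided by a custom directory" scenario in yarns/0060-encryption.yarn is a word-for-word copy of the paragraph above it ("We'll make a simple backup and restore using encryption ...") and never says what this scenario actually exercises. State the difference explicitly, e.g. "This scenario is the same as the previous one, except that the key is taken from a separate keyring directory supplied through the new gnupghome option instead of the user's default GnuPG home", so a reader of the yarn knows why the second copy exists and which option a failure here points at.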
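Review bot: in the `else` branch of the new IMPLEMENTS step in yarns/9000-implements.yarn, `gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key"` leaves the exported secret key on disk after the import and nothing removes it; delete both `$DATADIR/public.key` and `$DATADIR/secret.key` once the two `gpg --import` calls succeed, or pipe the export straight into the import so no file is written at all. Two smaller points in the same hunk: the `mkdir "$DATADIR/$MATCH_1.gnupg"` in the `then` branch creates the directory with the default umask, and GnuPG warns about an unsafe homedir unless it is mode 0700, so use `mkdir -m 700` (or `chmod 700` after the `cp -a`); and the comment "Import into the keyring uses for tests." should read "used for tests".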