5b01cfd71b
Debian partman-crypto does not support preseed configuration for KDF type, defaulting to PBKDF2. PRD requires Argon2id for its superior resistance to GPU-based attacks. Solution: Post-install hook that creates: - /usr/local/bin/convert-luks-kdf.sh: User-runnable script to convert PBKDF2 to Argon2id with proper parameters (memory=1GB, parallelism=4) - /etc/profile.d/knel-kdf-reminder.sh: Login reminder until conversion - Updated /var/backups/keys/README.txt with conversion instructions Tests added (3 new): - Argon2id KDF configuration hook or script exists - KDF conversion helper script is created - User receives notification about KDF optimization Reference: docs/PRD.md encryption requirements Audit: FINDING-005 (2026-02-20) 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
79 lines
3.0 KiB
Bash
79 lines
3.0 KiB
Bash
#!/usr/bin/env bats
|
|
# Unit tests for encryption-setup.sh hook
|
|
# Reference: PRD.md FR-001 (Full Disk Encryption)
|
|
|
|
@test "encryption-setup.sh exists and is executable" {
|
|
[ -f "/workspace/config/hooks/installed/encryption-setup.sh" ]
|
|
[ -x "/workspace/config/hooks/installed/encryption-setup.sh" ]
|
|
}
|
|
|
|
@test "Encryption uses LUKS2 format" {
|
|
grep -q "luks2\|LUKS2" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption uses AES-XTS cipher" {
|
|
grep -q "aes-xts\|aes_xts\|AES-XTS" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption uses 512-bit key" {
|
|
grep -q "512" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup includes cryptsetup" {
|
|
grep -q "cryptsetup" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup configures initramfs" {
|
|
grep -q "initramfs" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup configures crypttab" {
|
|
grep -q "crypttab" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup includes dm-crypt module" {
|
|
grep -q "dm_crypt" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup creates check-encryption.sh" {
|
|
grep -q "check-encryption.sh" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup creates manage-encryption-keys.sh" {
|
|
grep -q "manage-encryption-keys.sh" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup creates systemd service" {
|
|
grep -q "knel-encryption-check.service" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup creates README with recovery info" {
|
|
grep -q "README" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "Encryption setup configures GRUB" {
|
|
grep -q "grub" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# Argon2id KDF Configuration (FINDING-005)
|
|
# =============================================================================
|
|
|
|
@test "Argon2id KDF configuration hook or script exists" {
|
|
# Either a dedicated KDF hook or configuration in encryption-setup.sh
|
|
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ] || \
|
|
grep -q "argon2id\|luksConvertKey" /workspace/config/hooks/installed/encryption-setup.sh
|
|
}
|
|
|
|
@test "KDF conversion helper script is created" {
|
|
# encryption-setup.sh should create a helper script for KDF conversion
|
|
grep -q "convert.*kdf\|kdf.*convert\|luksConvertKey" /workspace/config/hooks/installed/encryption-setup.sh || \
|
|
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ]
|
|
}
|
|
|
|
@test "User receives notification about KDF optimization" {
|
|
# A reminder should be created for the user to optimize KDF
|
|
grep -q "profile.d\|motd\|reminder" /workspace/config/hooks/installed/encryption-setup.sh || \
|
|
[ -f "/workspace/config/hooks/installed/luks-kdf-configure.sh" ]
|
|
}
|