From 08f93d8551c63aeb26756263245bd3a781911240 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny
Date: Wed, 26 Feb 2025 14:34:50 +0100
Subject: [PATCH 1/2] luks/escrow: Only add backup passphrase when asked to

---
 blivet/formats/luks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/blivet/formats/luks.py b/blivet/formats/luks.py
index c8622bc80..ea17bab57 100644
--- a/blivet/formats/luks.py
+++ b/blivet/formats/luks.py
@@ -506,7 +506,8 @@ def escrow(self, directory, backup_passphrase):
 try:
 blockdev.crypto.escrow_device(self.device,
 self.__passphrase,
 self.escrow_cert,
- directory, backup_passphrase)
+ directory,
+ backup_passphrase if self.add_backup_passphrase else None)
 except blockdev.CryptoError as e:
 raise LUKSError(e)

From bdeb2ce41da13dc204899a8d103bd4d133e1fad7 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny
Date: Wed, 26 Feb 2025 15:35:59 +0100
Subject: [PATCH 2/2] tests: Add a simple test case for generating LUKS escrow packet

---
 tests/unit_tests/formats_tests/luks_test.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/unit_tests/formats_tests/luks_test.py b/tests/unit_tests/formats_tests/luks_test.py
index c8f8dcfec..6228a8b6b 100644
--- a/tests/unit_tests/formats_tests/luks_test.py
+++ b/tests/unit_tests/formats_tests/luks_test.py
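Review bot: In `escrow` (blivet/formats/luks.py, PATCH 1/2), a caller-supplied `backup_passphrase` is now discarded without any trace when `self.add_backup_passphrase` is false, so a caller that recorded that passphrase as a recovery credential gets no signal that it was never added to the device or escrowed. The docstring should state this, for example `backup_passphrase is used only when add_backup_passphrase is set; otherwise it is ignored and None is passed to escrow_device`. If a debug message is added for the ignored case, it should name the device only and never the passphrase value. The body of `escrow` starts above the hunk, so whether a docstring already exists is not visible here.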
@@ -164,3 +164,14 @@ def test_luks_opal(self):
 # cipher and key size are not valid for HW encryption only
 self.assertEqual(crypto.opal_format.call_args[1]["cipher"], None)
 self.assertEqual(crypto.opal_format.call_args[1]["key_size"], 0)
+
+ def test_escrow_packet(self):
+ fmt = LUKS(device="/dev/test", passphrase="passphrase", escrow_cert="/tmp/escrow.crt")
+ with patch("blivet.devices.lvm.blockdev.crypto") as crypto:
+ fmt.escrow(directory="/tmp", backup_passphrase="test")
+ crypto.escrow_device.assert_called_with("/dev/test", "passphrase", "/tmp/escrow.crt", "/tmp", None)
+
+ fmt.add_backup_passphrase = True
+ with patch("blivet.devices.lvm.blockdev.crypto") as crypto:
+ fmt.escrow(directory="/tmp", backup_passphrase="test")
+ crypto.escrow_device.assert_called_with("/dev/test", "passphrase", "/tmp/escrow.crt", "/tmp", "test")
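Review bot: Both checks in `test_escrow_packet` use `assert_called_with`, which inspects only the most recent call, so a regression that invokes `escrow_device` twice (once with the backup passphrase and once without) would still pass; `crypto.escrow_device.assert_called_once_with("/dev/test", "passphrase", "/tmp/escrow.crt", "/tmp", None)` and the matching line ending in `"test"` pin the behaviour more tightly. The first half also relies on `add_backup_passphrase` defaulting to a false value; setting `fmt.add_backup_passphrase = False` explicitly before the first call would keep the test meaningful if that default ever changes. The patch target `blivet.devices.lvm.blockdev.crypto` presumably resolves to the same module object that `blivet/formats/luks.py` uses, and a one-line comment saying so would spare the next reader the lookup.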