Bug 1566005

Summary: Support detached LUKS header in cryptsetup-reencrypt utility
Product: Red Hat Enterprise Linux 7 Reporter: Milan Broz <mbroz>
Component: cryptsetup Assignee: Ondrej Kozina <okozina>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5 CC: agk, aravindt, cmarthal, coughlan, dkinkead, ejarvi, jbrassow, jikortus, jjarvis, mbroz, mheslin, okozina, prajnoha, rhandlin, storage-qe, yizhan
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cryptsetup-2.0.3-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 11:29:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1468740    

Description Milan Broz 2018-04-11 10:22:35 UTC
Description of problem:

The cryptsetup-reencrypt utility in RHEL7.5 currently doesn't support a detached LUKS header, so there is currently no way to add/change encryption on LUKS devices with a detached header.
(Cryptsetup has contained support for the --header option since RHEL7 GA; cryptsetup-reencrypt is missing this option.)

Upstream patch to solve this problem (can be backported to 1.7 version):
https://gitlab.com/cryptsetup/cryptsetup/commit/a22a24bc986386e081bb366baabf2a3415d49d28

Version-Release number of selected component (if applicable):
cryptsetup-1.7.4-4.el7

Expected results:
Support for --header option in cryptsetup-reencrypt.

Comment 2 Ondrej Kozina 2018-06-05 08:56:30 UTC
Added in cryptsetup-2.0.3 (and could be backported to 1.7.x, if needed)

Comment 13 Corey Marthaler 2018-08-23 15:48:45 UTC
I believe this is sufficient. We (cluster-qe) also added some cursory checks for detached header encryption of thin origin volumes w/ io verification from their snapshot volumes using the header file.

Marking verified in the latest rpms.
3.10.0-937.el7.x86_64

lvm2-2.02.180-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
lvm2-libs-2.02.180-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-libs-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-event-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-event-libs-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-persistent-data-0.7.3-3.el7    BUILT: Tue Nov 14 05:07:18 CST 2017
cryptsetup-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018
cryptsetup-libs-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018
cryptsetup-reencrypt-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018





Making pool volume
lvcreate  --thinpool POOL -L 4G --profile thin-performance --zero n --poolmetadatasize 4M snapper_thinp

Making origin volume
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other1
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other2
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other3
lvcreate  -V 1G -T snapper_thinp/POOL -n other4
  WARNING: Sum of all thin volume sizes (5.00 GiB) exceeds the size of thin pool snapper_thinp/POOL (4.00 GiB).
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other5
  WARNING: Sum of all thin volume sizes (6.00 GiB) exceeds the size of thin pool snapper_thinp/POOL (4.00 GiB).

Placing an xfs filesystem on origin volume
Mounting origin volume

Writing files to /mnt/origin

Checking files on /mnt/origin

syncing before snap creation...
Making 1st snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap1
Mounting 1st snap volume
Checking files on /mnt/fs_snap1

Writing files to /mnt/origin

syncing before snap creation...
Making 2nd snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap2
Mounting 2nd snap volume
Checking files on /mnt/fs_snap2

Writing files to /mnt/origin

syncing before snap creation...
Encrypt existing filesystem using a detached header file (RFE 1566005)
cryptsetup-reencrypt --new --type luks2 /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.20119
cryptsetup luksOpen /dev/snapper_thinp/origin luks_origin --header /tmp/luks_detachedheader.20119

Writing files to /mnt/origin

Checking files on /mnt/origin

Making 3rd snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap3
cryptsetup luksOpen /dev/snapper_thinp/fs_snap3 fs_snap3 --header /tmp/luks_detachedheader.20119
Mounting 3rd snap volume
Checking files on /mnt/fs_snap1
Checking files on /mnt/fs_snap2
Checking files on /mnt/fs_snap2
Checking files on /mnt/fs_snap3
Checking files on /mnt/fs_snap3
Checking files on /mnt/fs_snap3

Removing snap volume snapper_thinp/fs_snap1
lvremove -f /dev/snapper_thinp/fs_snap1
Removing snap volume snapper_thinp/fs_snap2
lvremove -f /dev/snapper_thinp/fs_snap2
Removing snap volume snapper_thinp/fs_snap3
lvremove -f /dev/snapper_thinp/fs_snap3
Removing thin origin and other virtual thin volumes
Removing pool snapper_thinp/POOL
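
An added example, not part of the bug report or of cryptsetup: a read-only shell check that a file such as the `/tmp/luks_detachedheader.20119` used in the log above really is a LUKS header, is not accessible to other users, and that the data device carries no header of its own. The function names and return codes are this example's own, and the demo at the end runs on constructed stand-in files.

```shell
#!/bin/sh
# Added example, not from the bug report: read-only sanity check of a
# detached LUKS header file and the data device it belongs to.

# Print 1 or 2 if FILE starts with the LUKS magic ("LUKS" 0xBA 0xBE)
# followed by a big-endian 16-bit version; return 1 otherwise.
luks_header_version() {
    [ -r "$1" ] || return 1
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $hex in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Succeed only if FILE grants nothing to group/other; the header holds
# the keyslots, so read access allows offline passphrase guessing.
header_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# check_detached_luks HEADER DEVICE
# 0 = ok, 1 = HEADER is not LUKS, 2 = HEADER too permissive,
# 3 = DEVICE has its own on-disk LUKS header (ambiguous setup).
check_detached_luks() {
    hdr=$1 dev=$2
    ver=$(luks_header_version "$hdr") ||
        { echo "FAIL: $hdr has no LUKS magic" >&2; return 1; }
    header_is_private "$hdr" ||
        { echo "FAIL: $hdr is accessible to group/other" >&2; return 2; }
    if luks_header_version "$dev" >/dev/null; then
        echo "FAIL: $dev also carries a LUKS header" >&2; return 3
    fi
    echo "OK: LUKS$ver detached header $hdr, no header on $dev"
}

# Demo on constructed stand-ins: an 8-byte fake header, a zero-filled "device".
demo=$(mktemp -d)
( umask 077; printf 'LUKS\272\276\000\002' > "$demo/header.img" )
dd if=/dev/zero of="$demo/data.img" bs=512 count=8 2>/dev/null
check_detached_luks "$demo/header.img" "$demo/data.img"
rm -rf "$demo"
```

Against a real block device the check has to run as root, and it only inspects the first eight bytes; `cryptsetup luksDump` on the header file remains the authoritative view of its contents.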

Comment 15 errata-xmlrpc 2018-10-30 11:29:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3239