Bug 1676622
| Summary: | [RFE] Add online reencryption feature | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ondrej Kozina <okozina> |
| Component: | cryptsetup | Assignee: | Ondrej Kozina <okozina> |
| Status: | CLOSED ERRATA | QA Contact: | Corey Marthaler <cmarthal> |
| Severity: | unspecified | Docs Contact: | Marek Suchánek <msuchane> |
| Priority: | unspecified | ||
| Version: | 8.1 | CC: | agk, cmarthal, jbrassow, jmagrini, lmanasko, mbroz, okozina, pasik, pkotvan, prajnoha, rhandlin |
| Target Milestone: | rc | Keywords: | Rebase |
| Target Release: | 8.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | cryptsetup-2.2.0-0.2.el8 | Doc Type: | Enhancement |
| Doc Text: |
.LUKS2 now supports online re-encryption
The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:
* Change the volume key
* Change the encryption algorithm
When encrypting a non-encrypted device, you must still unmount the file system, but the encryption is now significantly faster. You can remount the file system after a short initialization of the encryption.
Additionally, the LUKS2 re-encryption is now more resilient. You can select between several options that prioritize performance or data protection during the re-encryption process.
To perform the LUKS2 re-encryption, use the `cryptsetup reencrypt` subcommand. Red Hat no longer recommends using the `cryptsetup-reencrypt` utility for the LUKS2 format.
Note that the LUKS1 format does not support online re-encryption, and the `cryptsetup reencrypt` subcommand is not compatible with LUKS1. To encrypt or re-encrypt a LUKS1 device, use the `cryptsetup-reencrypt` utility.
For more information on disk encryption, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening[Encrypting block devices using LUKS].
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:17:14 UTC | Type: | Feature Request |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1682539 | ||
| Bug Blocks: | 1701002 | ||
|
Description
Ondrej Kozina
2019-02-12 17:04:59 UTC
Marking this feature verified in the latest rpms. 4.18.0-141.el8.x86_64 cryptsetup-2.2.0-2.el8 BUILT: Fri Aug 30 07:54:20 CDT 2019 cryptsetup-libs-2.2.0-2.el8 BUILT: Fri Aug 30 07:54:20 CDT 2019 Like mentioned in comment #2 we now have online encryption (as well as decryption) scenarios integrated with our lvm/fs regression tests with data verification during the following scenarios/suites: 1. online reencryption during raid replacement testing 2. online reencryption after raid fs extension testing 3. online reencryption during raid and mirror device failure testing 4. online reencryption after thin origin/snap fs extensions testing 5. online reencryption during raid split image testing 6. online reencryption in between cache origin and snapshot testing 7. online reencryption after cache pool rename and resize testing Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3569 |