Bug 1729600
| Summary: | cryptsetup-reencrypt utility fails to decrypt volume with active keyslot other than 0 (zero) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Corey Marthaler <cmarthal> |
| Component: | cryptsetup | Assignee: | Ondrej Kozina <okozina> |
| Status: | CLOSED ERRATA | QA Contact: | guazhang <guazhang> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.1 | CC: | agk, guazhang, jbrassow, mbroz, okozina, prajnoha |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | cryptsetup-2.2.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:17:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi Corey,

You have a small typo in the command. It should be "cryptsetup reencrypt --decrypt". But we do not support decryption with LUKS2 header put in the head of data device with the new code yet, see bug #676622, comment 8.

Also, I notice you've combined testing of the new reencryption code with testing of the old reencryption tool: cryptsetup-reencrypt. There's nothing wrong about it, it must work. I've just wanted to point out that the new code works in both offline and online mode. Command "cryptsetup reencrypt" decides the mode depending on whether the device is active (luksOpen) or not. So if you run "cryptsetup reencrypt" on an inactive device, it performs offline reencryption. If the device is active (luksOpened) it'll switch automatically to online mode.

Ehm, actually, please better see the bug #1676622, comment 8 :)

(In reply to Corey Marthaler from comment #0)
> ### Online reencrypt
> [root@hayes-02 ~]# echo foobarglarch | cryptsetup reencrypt --active-name raid_luksvolume
> Finished, time 00:46.387, 4080 MiB written, speed 88.0 MiB/s
>
> [root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
> [root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
> [root@hayes-02 ~]# echo $?
> 1

Ok, reproduced it. Actually, it's unrelated to the new reencryption code at all. It's a bug in the cryptsetup-reencrypt offline utility and very easily reproducible: format the device with first active keyslot number != 0:

1) echo "passs" | cryptsetup luksFormat /dev/sdx -S5
2) echo "passs" | cryptsetup-reencrypt --decrypt /dev/sdx (result retcode = 1)

(And fixed via commit https://gitlab.com/cryptsetup/cryptsetup/commit/4f8c6b7773a0f4f07a830575f482fb9ecf4c8819)

Verified the issue in Scenario 3 is now fixed (the issues in Scenario 4 and 5 were syntax errors due to missing "reencrypt").
cryptsetup-2.2.0-1.el8 BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-libs-2.2.0-1.el8 BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-reencrypt-2.2.0-1.el8 BUILT: Fri Aug 16 01:22:41 CDT 2019
### Scenario 3: Decrypt an offline luks device (which *had* been *online* re-encrypted) FAILS
[root@hayes-01 ~]# lvcreate --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
Wiping ext2 signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-01 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-01 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-01 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 53e91a40-4855-49a0-87e9-6771e138dc36
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
[root@hayes-01 ~]# echo foobarglarch | cryptsetup reencrypt --active-name raid_luksvolume
Finished, time 01:26.079, 4080 MiB written, speed 47.4 MiB/s
[root@hayes-01 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-01 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:41.574, 4080 MiB written, speed 98.1 MiB/s
[root@hayes-01 ~]# echo $?
0
[root@hayes-01 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
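Ondrej's reproducer above boils down to one header property: the lowest active keyslot is not slot 0. A quick way to find devices in that state before relying on the old cryptsetup-reencrypt tool, as an added example that is not code from the bug report or from the cryptsetup project: it parses cryptsetup luksDump output (constructed sample dumps are embedded; the device path passed to check_device is an assumption).

```python
"""Check for the precondition behind bug 1729600 (lowest active LUKS keyslot
is not 0). Added example, not from the bug report or cryptsetup itself."""
import re
import subprocess
from typing import List

def active_keyslots(dump: str) -> List[int]:
    """Active keyslot numbers, ascending. LUKS2 lists only active slots under
    a "Keyslots:" section ("  N: luks2"); LUKS1 prints "Key Slot N: ENABLED"."""
    slots, in_keyslots = [], False
    for line in dump.splitlines():
        m = re.match(r"Key Slot (\d+): ENABLED", line)       # LUKS1 style
        if m:
            slots.append(int(m.group(1)))
            continue
        if re.match(r"^Keyslots:\s*$", line):                # LUKS2 section
            in_keyslots = True
            continue
        if in_keyslots and line and not line[0].isspace():   # section ended
            in_keyslots = False
        if in_keyslots:
            m = re.match(r"^\s+(\d+): (\w+)", line)
            if m and m.group(2) != "reencrypt":  # reencrypt slot holds no volume key
                slots.append(int(m.group(1)))
    return sorted(slots)

def first_slot_not_zero(dump: str) -> bool:
    """True when slot 0 is not the lowest active slot (the `luksFormat -S5` state)."""
    slots = active_keyslots(dump)
    return bool(slots) and slots[0] != 0

def check_device(device: str) -> bool:
    """Apply the check to a real device (needs root; device path is an assumption)."""
    out = subprocess.run(["cryptsetup", "luksDump", device], check=True,
                         capture_output=True, text=True).stdout
    return first_slot_not_zero(out)

# Constructed samples, not real dumps: a LUKS2 header made with `luksFormat -S5`
# (note the "0: pbkdf2" digest entry must not be mistaken for a keyslot) and a
# LUKS1 header with slots 0 and 1 in use.
SAMPLE_LUKS2 = """LUKS header information
Data segments:
  0: crypt
Keyslots:
  5: luks2
Tokens:
Digests:
  0: pbkdf2
"""
SAMPLE_LUKS1 = "Version:        1\nKey Slot 0: ENABLED\nKey Slot 1: ENABLED\nKey Slot 2: DISABLED\n"
```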
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3569
Description of problem:
This appears to block the ability of "decryption support" listed in RFE 1676622.

### Scenario 1: Decrypt an offline luks device (which had *not* been re-encrypted) PASSES
[root@hayes-02 ~]# lvcreate --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
Wiping crypto_LUKS signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 860082b9-9ddf-4c6b-b14b-f9da26a9d82a
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

### Do not reencrypt
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:12.145, 4080 MiB written, speed 335.9 MiB/s
[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
[root@hayes-02 ~]# df -h
Filesystem                                     Size  Used Avail Use% Mounted on
/dev/mapper/raid_sanity-open_LUKS_fsadm_resize 4.0G  8.0M  3.8G   1% /mnt

### Scenario 2: Decrypt an offline luks device (which *had* been *offline* re-encrypted) PASSES
[root@hayes-02 ~]# lvcreate --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
Wiping crypto_LUKS signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 2ea1cd5f-4558-4bed-82b7-be85d908e2d3
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume

### Offline reencrypt
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:11.367, 4080 MiB written, speed 358.9 MiB/s
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:11.657, 4080 MiB written, speed 350.0 MiB/s
[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
[root@hayes-02 ~]# df -h
Filesystem                                     Size  Used Avail Use% Mounted on
/dev/mapper/raid_sanity-open_LUKS_fsadm_resize 4.0G  8.0M  3.8G   1% /mnt

### Scenario 3: Decrypt an offline luks device (which *had* been *online* re-encrypted) FAILS
[root@hayes-02 ~]# lvcreate --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
Wiping ext2 signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: e7d2f06a-d436-42e4-8414-9da6ec351c07
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

### Online reencrypt
[root@hayes-02 ~]# echo foobarglarch | cryptsetup reencrypt --active-name raid_luksvolume
Finished, time 00:46.387, 4080 MiB written, speed 88.0 MiB/s
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo $?
1

### There was no warning/error about what happened above
[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
mount: /mnt: unknown filesystem type 'crypto_LUKS'.

### Scenario 4-5: Decrypt an online|offline luks device (which *had* been *online* re-encrypted) but using cryptsetup --decrypt instead of cryptsetup-reencrypt FAILS
Same setup as above

[root@hayes-02 ~]# dmsetup ls
raid_sanity-open_LUKS_fsadm_resize         (253:4)
raid_sanity-open_LUKS_fsadm_resize_rimage_1 (253:3)
raid_sanity-open_LUKS_fsadm_resize_rimage_0 (253:1)
raid_luksvolume                            (253:5)
raid_sanity-open_LUKS_fsadm_resize_rmeta_1  (253:2)
raid_sanity-open_LUKS_fsadm_resize_rmeta_0  (253:0)

# Maybe my syntax is wrong, but the action is correct "--decrypt"
[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt raid_luksvolume
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json]
        [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes]
        [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT]
        [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly]
        [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT]
        [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared]
        [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden]
        [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim]
        [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
        [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING]
        [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG]
        [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING]
        [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING]
        [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only]
        [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.

[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json]
        [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes]
        [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT]
        [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly]
        [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT]
        [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared]
        [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden]
        [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim]
        [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
        [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING]
        [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG]
        [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING]
        [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING]
        [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only]
        [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.

### Attempt to close first
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json]
        [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes]
        [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT]
        [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly]
        [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT]
        [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared]
        [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden]
        [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim]
        [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
        [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING]
        [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG]
        [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING]
        [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING]
        [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only]
        [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.

Version-Release number of selected component (if applicable):
cryptsetup-2.2.0-0.2.el8 BUILT: Mon Jun 17 04:08:11 CDT 2019
cryptsetup-libs-2.2.0-0.2.el8 BUILT: Mon Jun 17 04:08:11 CDT 2019
cryptsetup-reencrypt-2.2.0-0.2.el8 BUILT: Mon Jun 17 04:08:11 CDT 2019
kernel-4.18.0-112.el8 BUILT: Fri Jul 5 06:51:26 CDT 2019
lvm2-2.03.05-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
lvm2-libs-2.03.05-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
lvm2-dbusd-2.03.05-1.el8 BUILT: Mon Jun 17 06:01:56 CDT 2019
cmirror-2.03.05-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-1.02.163-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-libs-1.02.163-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-event-1.02.163-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-event-libs-1.02.163-1.el8 BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-persistent-data-0.8.5-2.el8 BUILT: Wed Jun 5 10:28:04 CDT 2019

How reproducible:
Every time