Bug 1755996

Summary: Anaconda uses LUKS v1 for encrypted PVs
Product: Red Hat Enterprise Linux 8 Reporter: Jan Stodola <jstodola>
Component: anacondaAssignee: Vendula Poncova <vponcova>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: medium Docs Contact: Alexandra Nikandrova <anikandr>
Priority: medium    
Version: 8.0CC: mhavrila, rmetrich, rvykydal, sbueno, sjalgaon, vponcova
Target Milestone: rc   
Target Release: 8.2   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: anaconda-33.16.3.1-2 Doc Type: Bug Fix
Doc Text:
.Anaconda now uses LUKS2 version as the default for an encrypted container Previously, anaconda did not use LUKS2 version by default to create an encrypted container on the `Manual Partitioning` screen. As a result, the container encryption had LUKS1 version. With this update, anaconda uses LUKS2 version as the default to create an encrypted container on the `Manual Partitioning` screen and now the container has encryption with LUKS2 version.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:22:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1689193    
Attachments:
Description Flags
program.log
none
storage.log none

Description Jan Stodola 2019-09-26 14:39:20 UTC 
Description of problem:
When PVs are manually checked to be encrypted during custom partitioning in GUI, anaconda creates LUKS v1 format on the PVs. There is also no choice to select LUKS v1/v2 as for other device types (raw partitions or encrypded LVs)

Version-Release number of selected component (if applicable):
RHEL-8.0 GA
anaconda-29.19.0.40-1.el8

How reproducible:
always

Steps to Reproduce:
1. start graphical installation
2. proceed to custom partitioning
3. remove existing partitions
4. let anaconda create the partitions (LVM layout)
5. modify the volume group with rootfs and swap (and home)
6. check "Encrypt" in the VG configuration dialog
7. continue with the installation
8. reboot to installed system
9. check the LUKS version:
# cryptsetup luksDump /dev/vda2 | grep -i version

Actual results:
LUKS v1 is used:
[root@localhost ~]# cryptsetup luksDump /dev/vda2 | grep -i version
Version:        1
[root@localhost ~]#

Expected results:
LUKS v2 is used by default:
[root@localhost ~]# cryptsetup luksDump /dev/vdb1 | grep -i version
Version:        2
[root@localhost ~]#

Since it's possible to select LUKSv1/v2 for other types of devices, it should be possible to select the version for PVs as well.

Additional info:
When using encrypted autopartitioning, PVs are formatted with LUKS v2 as expected.
Comment 3 Jan Stodola 2019-09-26 14:46:41 UTC 
Created attachment 1619623 [details]
program.log
Comment 4 Jan Stodola 2019-09-26 14:47:03 UTC 
Created attachment 1619624 [details]
storage.log
Comment 8 Chris Williams 2020-02-12 20:59:00 UTC 
*** Bug 1784360 has been marked as a duplicate of this bug. ***
Comment 16 Shweta Naresh 2020-07-08 13:03:47 UTC 
@Alexandra Nikandrova, I have updated the yaml file to include the BZ. You can skip the yaml file updates, and only work on the doc text.

Thanks
Shweta
Comment 19 Marek Havrila 2020-07-27 12:37:05 UTC 
Verified on RHEL-8.3.0-20200701.2 and anaconda-33.16.3.10-1.el8.x86_64.rpm
Comment 22 errata-xmlrpc 2020-11-04 03:22:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (anaconda bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4729