Bug 2003748
Field | Value
---|---
Summary | Is there an equivalent command to the deprecated 'cryptsetup-reencrypt --decrypt' in rhel9?
Product | Red Hat Enterprise Linux 9
Component | cryptsetup
Version | 9.0
Hardware | x86_64
OS | Linux
Reporter | Corey Marthaler <cmarthal>
Assignee | Ondrej Kozina <okozina>
QA Contact | guazhang <guazhang>
CC | agk, guazhang, jbrassow, okozina, prajnoha
Status | CLOSED ERRATA
Severity | medium
Priority | high
Keywords | Triaged
Target Milestone | rc
Fixed In Version | cryptsetup-2.6.0-1.el9
Target Upstream Version | cryptsetup-2.5.0
Type | Bug
Last Closed | 2023-05-09 08:23:06 UTC
Description
Corey Marthaler
2021-09-13 15:18:02 UTC
Yes, this scenario is not yet supported with the new LUKS2 reencryption code. There's an upstream tracker for the feature though: https://gitlab.com/cryptsetup/cryptsetup/-/issues/669 So I think you may drop this scenario until the feature above gets implemented. The command would be "cryptsetup reencrypt --decrypt /dev/split_image/split_luks --header future-exported-header-file-name". It also works for online devices.

Hi, I don't much understand the bug. `cryptsetup-reencrypt --decrypt` without --header, and `cryptsetup reencrypt --decrypt` needing --header: all commands behave as expected, so what was the fixed package updated for?

Hi. Previous releases did not allow decrypting a LUKS2 device with the metadata put in the head of the data device. It is now supported, but the user needs to specify a file location where the decryption process stores the interim LUKS2 metadata before the decryption process is finished. Use the command from the examples in the cryptsetup-reencrypt man page: "cryptsetup reencrypt --decrypt --header /interim/header /dev/encrypted_device". The '/interim/header' file must not exist; it gets created by the decryption process.

Hi, could you help check whether my test steps cover this bug? It looks like I'm missing something here, because I get an error.

cryptsetup-2.6.0-1.el9.x86_64

    [root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt --encrypt /dev/loop0 --header /dev/loop0 --type luks2 -q
    [root@hp-dl380g10-06 ~]#
    [root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt --decrypt /dev/loop0 --header test_header --type luks2 -q
    No key available with this passphrase.
    [root@hp-dl380g10-06 ~]#

> [root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt --encrypt /dev/loop0 --header /dev/loop0 --type luks2 -q

This is a bug. This command must not proceed further with the encrypt operation. Feel free to open a bug for it. The problem is that performing an encrypt operation where the --header parameter and the device parameter point to the same device corrupts the data.

Use the following command instead to encrypt the data with the LUKS2 metadata put in the head of the /dev/loop0 device. You need to have spare space at the end of the data device (32 MiB with the following example).

    echo 'redhatredhat' |cryptsetup reencrypt --encrypt /dev/loop0 --reduce-device-size 32m

Hi,

    [root@pnate-client-01 ~]# rpm -qa |grep cryptsetup
    cryptsetup-libs-2.4.3-5.el9.x86_64
    cryptsetup-2.4.3-5.el9.x86_64
    [root@pnate-client-01 ~]#
    [root@pnate-client-01 ~]# echo 'redhatredhat' |cryptsetup reencrypt --encrypt /dev/loop0 --reduce-device-size 32m
    Finished, time 00:00.098, 84 MiB written, speed 687.2 MiB/s
    [root@pnate-client-01 ~]# cryptsetup reencrypt --decrypt /dev/loop0 --header key6
    Device key6 does not exist or access denied.
    [root@pnate-client-01 ~]#

    [root@hp-dl380g10-06 storage]# echo 'redhatredhat' |cryptsetup reencrypt --encrypt /dev/loop0 --reduce-device-size 32m
    Finished, time 00m00s, 84 MiB written, speed 576.2 MiB/s
    [root@hp-dl380g10-06 storage]#
    [root@hp-dl380g10-06 storage]# cryptsetup reencrypt --decrypt /dev/loop0 --header key6

    WARNING!
    ========
    Header file key6 does not exist. Do you want to initialize LUKS2 decryption of device /dev/loop0 and export LUKS2 header to file key6?

    Are you sure? (Type 'yes' in capital letters): YES
    Enter passphrase for /root/1.tar:
    Finished, time 00m00s, 84 MiB written, speed 417.5 MiB/s
    [root@hp-dl380g10-06 storage]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2534
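The two mistakes in the thread above (passing the data device itself as `--header` during `--encrypt`, and pointing `--decrypt --header` at a file that must not pre-exist) are easy to catch before cryptsetup touches the block device. The following script is an added example written for this page; it is not part of the bug report or of cryptsetup. It reads the first 4096 bytes of a device and parses the LUKS2 binary header (field offsets follow the on-disk `struct luks2_hdr_disk`: 6-byte magic, big-endian u16 version, u64 hdr_size, u64 seqid, then label, csum_alg, salt, uuid, subsystem and u64 hdr_offset), reporting whether the metadata sits at the head of the data device, and it builds the `cryptsetup reencrypt` command lines from the thread with the argument checks applied. The `sample_header()` builder produces a constructed header (no checksum, no JSON area) purely so the parser can be exercised offline; the device path `/dev/loop0` and the interim header name are placeholders.

```python
# Added example (not from the bug report or from cryptsetup): inspect a LUKS2
# header at the head of a data device and build safe reencrypt command lines.
import os
import struct
from typing import Optional

LUKS2_HDR_DISK_SIZE = 4096
LUKS2_MAGIC_PRIMARY = b"LUKS\xba\xbe"    # first binary header, at offset 0
LUKS2_MAGIC_SECONDARY = b"SKUL\xba\xbe"  # second binary header, at offset hdr_size


def _cstr(raw: bytes) -> str:
    """NUL-terminated ASCII field to str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks2_binary_header(blob: bytes) -> dict:
    """Parse one 4096-byte LUKS2 binary header (struct luks2_hdr_disk layout)."""
    if len(blob) < LUKS2_HDR_DISK_SIZE:
        raise ValueError("need at least 4096 bytes")
    magic = blob[0:6]
    if magic not in (LUKS2_MAGIC_PRIMARY, LUKS2_MAGIC_SECONDARY):
        raise ValueError("no LUKS magic at offset 0")
    (version,) = struct.unpack(">H", blob[6:8])
    if version != 2:
        raise ValueError(f"LUKS version {version}, not LUKS2")
    hdr_size, seqid = struct.unpack(">QQ", blob[8:24])
    (hdr_offset,) = struct.unpack(">Q", blob[256:264])
    return {
        "secondary": magic == LUKS2_MAGIC_SECONDARY,
        "hdr_size": hdr_size,           # one binary header plus its JSON area
        "seqid": seqid,                 # bumped on every metadata update
        "label": _cstr(blob[24:72]),
        "csum_alg": _cstr(blob[72:104]),
        "uuid": _cstr(blob[168:208]),
        "hdr_offset": hdr_offset,       # 0 when the header lives on the data device
        "metadata_area": 2 * hdr_size,  # both header copies; keyslot area follows
    }


def header_at_head(device: str) -> Optional[dict]:
    """Parsed header if `device` begins with a LUKS2 header, else None."""
    with open(device, "rb") as f:
        blob = f.read(LUKS2_HDR_DISK_SIZE)
    try:
        return parse_luks2_binary_header(blob)
    except ValueError:
        return None


def build_encrypt_cmd(device: str, reduce_size: str = "32m",
                      header: Optional[str] = None) -> list:
    """In-place encrypt. Header at the head of the device needs spare space at the
    end (--reduce-device-size); --header pointing at the device itself corrupts data."""
    if header is not None and os.path.realpath(header) == os.path.realpath(device):
        raise ValueError("--header must not be the data device; use --reduce-device-size")
    cmd = ["cryptsetup", "reencrypt", "--encrypt", device]
    if header is None:
        cmd += ["--reduce-device-size", reduce_size]
    else:
        cmd += ["--header", header]          # detached header file, no data shift
    return cmd


def build_decrypt_cmd(device: str, interim_header: str) -> list:
    """Decrypt a device with its LUKS2 header at the head (cryptsetup >= 2.5).
    The interim header file must not exist yet: cryptsetup creates it and keeps
    the live metadata there until the decryption finishes."""
    if os.path.realpath(interim_header) == os.path.realpath(device):
        raise ValueError("interim header must be a separate file, not the data device")
    if os.path.exists(interim_header):
        raise FileExistsError(f"{interim_header} exists; refusing to reuse it")
    parent = os.path.dirname(os.path.abspath(interim_header))
    if not os.path.isdir(parent):
        raise FileNotFoundError(f"directory for interim header missing: {parent}")
    return ["cryptsetup", "reencrypt", "--decrypt", "--header", interim_header, device]


def sample_header(label: str = "demo", uuid: str = "0f6a2d9e-constructed-uuid",
                  hdr_size: int = 16384, seqid: int = 3) -> bytes:
    """Constructed test input: a primary binary header with the fields set,
    checksum and JSON area omitted (enough for parse_luks2_binary_header)."""
    buf = bytearray(LUKS2_HDR_DISK_SIZE)
    buf[0:6] = LUKS2_MAGIC_PRIMARY
    struct.pack_into(">H", buf, 6, 2)
    struct.pack_into(">QQ", buf, 8, hdr_size, seqid)
    buf[24:24 + len(label)] = label.encode()
    buf[72:72 + 6] = b"sha256"
    buf[168:168 + len(uuid)] = uuid.encode()
    return bytes(buf)


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /dev/loop0 (placeholder)
    hdr = header_at_head(dev) if dev else parse_luks2_binary_header(sample_header())
    print("LUKS2 header at head of device:", hdr)
    print(" ".join(build_encrypt_cmd(dev or "/dev/loop0")))
    print(" ".join(build_decrypt_cmd(dev or "/dev/loop0", "./interim-luks2-header")))
```

Run it as root against the real device to see whether a header is present at offset 0 before choosing between the detached-header and in-place decrypt paths; the command lists are meant to be handed to `subprocess.run` only after the checks pass.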