Bug 2003748

Summary: Is there an equivalent command to the deprecated 'cryptsetup-reencrypt --decrypt' in rhel9?
Product: Red Hat Enterprise Linux 9
Reporter: Corey Marthaler <cmarthal>
Component: cryptsetup
Assignee: Ondrej Kozina <okozina>
Status: CLOSED ERRATA
QA Contact: guazhang <guazhang>
Severity: medium
Priority: high
Version: 9.0
CC: agk, guazhang, jbrassow, okozina, prajnoha
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: cryptsetup-2.6.0-1.el9
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-05-09 08:23:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Target Upstream Version: cryptsetup-2.5.0

Description Corey Marthaler 2021-09-13 15:18:02 UTC
Description of problem:
I'm looking for an equivalent to the no-header-needed 'cryptsetup-reencrypt --decrypt' command for rhel8 and rhel9 going forward without the 'cryptsetup-reencrypt' tool. If there's no equivalent, then these decryption scenarios will be removed from regression in rhel9.

[root@hayes-01 ~]# cryptsetup luksClose split_luks

# Attempt with "new" tool
[root@hayes-01 ~]# cryptsetup reencrypt --decrypt /dev/split_image/split_luks
Usage: cryptsetup [-?Vvyrq] [-?|--help] [--usage] [-V|--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT]
        [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT] [--align-payload=SECTORS]
        [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup]
        [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--deferred] [--serialize-memory-hard-pbkdf]
        [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING]
        [--integrity-no-journal] [--integrity-no-wipe] [--integrity-legacy-padding] [--token-only] [--token-id=INT] [--key-description=STRING] [--sector-size=INT] [--iv-large-sectors] [--persistent] [--label=STRING]
        [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes] [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt]
        [--init-only] [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING] [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: LUKS2 decryption requires option --header.


# Attempt with "old" tool
[root@hayes-01 ~]# cryptsetup-reencrypt --decrypt /dev/split_image/split_luks
Enter any existing passphrase:
Finished, time 00:06.464,  836 MiB written, speed 129.3 MiB/s

I'm seeing this same result in rhel9, but obviously without the option to use 'cryptsetup-reencrypt'.

Version-Release number of selected component (if applicable):
cryptsetup-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021
cryptsetup-libs-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021
cryptsetup-reencrypt-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021

Comment 1 Ondrej Kozina 2021-09-14 07:50:16 UTC
Yes, this scenario is not yet supported with new LUKS2 reencryption code. There's an upstream tracker for the feature though: https://gitlab.com/cryptsetup/cryptsetup/-/issues/669

So I think you may drop this scenario until the feature above gets implemented.

Comment 3 Ondrej Kozina 2022-06-21 11:07:55 UTC
The command would be "cryptsetup reencrypt --decrypt /dev/split_image/split_luks --header future-exported-header-file-name". Also works for online devices.

Comment 6 guazhang@redhat.com 2022-12-01 04:07:27 UTC
Hi,

I don't quite understand the bug:
 cryptsetup-reencrypt --decrypt  works without --header
 cryptsetup reencrypt --decrypt  needs --header

All commands behave as expected, so what was the fixed package updated for?

Comment 7 Ondrej Kozina 2022-12-01 10:26:40 UTC
Hi.

Previous releases did not allow decrypting a LUKS2 device with metadata placed at the head of the data device. It is now supported, but the user needs to specify a file location where the decryption process stores interim LUKS2 metadata until the decryption process is finished.

Use the command from the examples in the cryptsetup-reencrypt man page: "cryptsetup reencrypt --decrypt --header /interim/header /dev/encrypted_device". The '/interim/header' file must not exist; it gets created during the decryption process.

Comment 8 guazhang@redhat.com 2022-12-02 07:16:07 UTC
Hi,

Could you help check whether my test steps cover this bug?
It looks like I'm missing something here, since it reports an error.

cryptsetup-2.6.0-1.el9.x86_64
[root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --header  /dev/loop0  --type luks2  -q 
[root@hp-dl380g10-06 ~]# 
[root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --decrypt /dev/loop0  --header  test_header  --type luks2  -q 
No key available with this passphrase.
[root@hp-dl380g10-06 ~]#

Comment 9 Ondrej Kozina 2022-12-02 09:14:05 UTC
> [root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --header  /dev/loop0  --type luks2  -q

This is a bug. This command must not proceed further with the encrypt operation. Feel free to open a bug for it. The problem is that
performing an encrypt operation where the --header parameter and the device parameter point to the same device corrupts the data.

Use the following command instead to encrypt the data with the LUKS2 metadata placed at the head of the /dev/loop0 device. You need to have spare space at the end of the data device (32MiB in the following example).

echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m
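
As an added example (not code from this bug report or from the cryptsetup project), the following POSIX shell functions wrap the workflow described in comments 7 and 9: encrypt a device with the LUKS2 header in its head using --reduce-device-size, and later decrypt it in place while exporting the header to an interim file. Before any cryptsetup call, check_decrypt_args refuses the two mistakes seen in this thread: an interim header file that already exists, and a --header argument that resolves to the data device itself (the data-corrupting case from comment 9). It assumes cryptsetup 2.6.0 or later and root privileges; the device paths and header file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report or the cryptsetup project.
# Assumes cryptsetup >= 2.6.0 and root. Device paths and header file
# names below are placeholders.

# Canonical path of $1, so two spellings of one device compare equal.
# Falls back to the raw string when readlink cannot resolve it.
canon() { readlink -f -- "$1" 2>/dev/null || printf '%s\n' "$1"; }

# Validate arguments for in-place LUKS2 decryption. Prints a reason and
# returns 1 when the call would fail or, worse, corrupt data.
check_decrypt_args() {
    dev="$1"; header="$2"
    if [ -z "$dev" ] || [ -z "$header" ]; then
        echo "usage: check_decrypt_args DEVICE INTERIM_HEADER_FILE" >&2; return 1
    fi
    if [ ! -e "$dev" ]; then
        echo "$dev does not exist" >&2; return 1
    fi
    # Comment 9: --header pointing at the data device itself corrupts the data.
    if [ "$(canon "$dev")" = "$(canon "$header")" ]; then
        echo "interim header file must not be the data device ($dev)" >&2; return 1
    fi
    # Comment 7: the interim header file must not exist; cryptsetup creates it.
    if [ -e "$header" ]; then
        echo "$header already exists; refusing to overwrite it" >&2; return 1
    fi
    return 0
}

# Encrypt DEVICE in place, reserving SIZE (default 32m) at the end of the
# device for the LUKS2 header that is placed at its head. This is the
# --reduce-device-size form from comment 9, instead of '--header DEVICE'.
luks2_inplace_encrypt() {
    dev="$1"; size="${2:-32m}"
    [ -e "$dev" ] || { echo "$dev does not exist" >&2; return 1; }
    cryptsetup reencrypt --encrypt --reduce-device-size "$size" "$dev"
}

# Decrypt DEVICE in place. The LUKS2 header is exported to the interim
# file for the duration of the operation; the file can be removed once
# cryptsetup reports it finished.
luks2_inplace_decrypt() {
    check_decrypt_args "$1" "$2" || return 1
    cryptsetup reencrypt --decrypt --header "$2" "$1"
}

# Usage (placeholder paths):
#   luks2_inplace_encrypt /dev/loop0 32m
#   luks2_inplace_decrypt /dev/loop0 /root/loop0-interim.hdr
```

The checks run before cryptsetup is invoked at all, so an operator who mistypes the header path as the device path gets an error instead of a destroyed volume; the interim header file is left in place after decryption only so the operator can confirm completion before deleting it.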

Comment 10 guazhang@redhat.com 2022-12-02 10:02:50 UTC
Hi,

[root@pnate-client-01 ~]# rpm -qa |grep cryptsetup
cryptsetup-libs-2.4.3-5.el9.x86_64
cryptsetup-2.4.3-5.el9.x86_64
[root@pnate-client-01 ~]# 
[root@pnate-client-01 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m
Finished, time 00:00.098,   84 MiB written, speed 687.2 MiB/s
[root@pnate-client-01 ~]# cryptsetup reencrypt  --decrypt /dev/loop0  --header key6 
Device key6 does not exist or access denied.
[root@pnate-client-01 ~]# 



[root@hp-dl380g10-06 storage]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m
Finished, time 00m00s,   84 MiB written, speed 576.2 MiB/s
[root@hp-dl380g10-06 storage]# 
[root@hp-dl380g10-06 storage]# cryptsetup reencrypt  --decrypt /dev/loop0  --header key6 

WARNING!
========
Header file key6 does not exist. Do you want to initialize LUKS2 decryption of device /dev/loop0 and export LUKS2 header to file key6?

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /root/1.tar: 
Finished, time 00m00s,   84 MiB written, speed 417.5 MiB/s
[root@hp-dl380g10-06 storage]#

Comment 15 errata-xmlrpc 2023-05-09 08:23:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2534