Bug 2130497
| Summary: | [KMIP] Rook should use AES 256 for KEK encryption similar to Noobaa and Ceph-CSI | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Rachael <rgeorge> |
| Component: | rook | Assignee: | Rakshith <rar> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Rachael <rgeorge> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.12 | CC: | ocs-bugs, odf-bz-bot, rar, tnielsen |
| Target Milestone: | --- | | |
| Target Release: | ODF 4.12.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 4.12.0-70 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-02-08 14:06:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Created attachment 1914827
Keys in CipherTrust Manager

Description of problem (please be as detailed as possible and provide log snippets):

When clusterwide encryption is enabled using Thales CipherTrust Manager (using KMIP), the KEKs for OSDs stored in the CipherTrust Manager use the AES 128 algorithm. However, Noobaa and Ceph-CSI use AES 256 for the same.

| Key Name | Version | Owner | Modified | Type | Algorithm | Size |
|---|---|---|---|---|---|---|
| ks-26c16fc59b66470b97e7473fad9ce9873849599865914e14bd6ef41148eac6ac | 0 | No owner | 28 Sep 2022, 15:59 | Symmetric | AES | 256 |
| ks-73db5d9b975e435dbce288450120ea51f58473483e2f4acfb6208a03b15009e2 | 0 | No owner | 28 Sep 2022, 15:57 | Symmetric | AES | 128 |
| ks-08829f6b45d1452680fbbfafe7dad831e393b7913426423bbacaaf5869d03d06 | 0 | No owner | 28 Sep 2022, 15:57 | Symmetric | AES | 128 |
| ks-1023550b881e4460a41f13904e41d17dfc270119272f4eb3a040a89a230726ee | 0 | No owner | 28 Sep 2022, 15:57 | Symmetric | AES | 128 |
| rbd-test-key | 0 | local\|admin | 27 Sep 2022, 11:41 | Symmetric | AES | 256 |

The encryption algorithm used for all the KEKs in ODF should be the same, and since AES 256 is more secure than AES 128, rook should use AES 256 as well.

Version of all relevant components (if applicable):
---------------------------------------------------
OCP: 4.12.0-0.nightly-2022-09-26-111919
ODF: odf-operator.v4.12.0 full_version=4.12.0-66

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
No

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
-------------------
1. Deploy ODF with clusterwide encryption enabled using Thales CipherTrust Manager (using KMIP)
2. Check the CipherTrust Manager console for the keys created for OSDs and NooBaa (MCG)

Actual results:
---------------
AES 128 is used for OSD KEKs and AES 256 is used for NooBaa KEK

Expected results:
-----------------
All the KEKs should use the same encryption algorithm
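
The check in step 2 can also be run mechanically over a saved copy of the key listing. The script below is an added example, not part of the original report or of Rook's code. It assumes the column layout of the listing above, uses constructed key names, and takes AES with a 256-bit key as the expected profile stated in the report.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the listing above
# (Key Name, Version, Owner, Modified, Type, Algorithm, Size).
# Key names are placeholders, not values from a real key manager.
SAMPLE = """\
ks-example-noobaa 0 No owner 28 Sep 2022, 15:59 Symmetric AES 256
ks-example-osd-0 0 No owner 28 Sep 2022, 15:57 Symmetric AES 128
ks-example-osd-1 0 No owner 28 Sep 2022, 15:57 Symmetric AES 128
ks-example-osd-2 0 No owner 28 Sep 2022, 15:57 Symmetric AES 128
rbd-test-key 0 local|admin 27 Sep 2022, 11:41 Symmetric AES 256
"""

# Owner and Modified contain spaces, so anchor on both ends of the row:
# name and version on the left, type/algorithm/size on the right.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+)\s+(?P<middle>.+?)\s+"
    r"(?P<type>\S+)\s+(?P<alg>[A-Za-z0-9]+)\s+(?P<size>\d+)$"
)

def parse_keys(text):
    """Parse listing rows into dicts; reject rows that do not fit the layout."""
    keys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable key row: {line!r}")
        keys.append({"name": m["name"], "alg": m["alg"], "size": int(m["size"])})
    return keys

def audit(keys, required_alg="AES", required_size=256):
    """Return (weak, mixed): key names below the expected profile, and
    whether the inventory contains more than one (algorithm, size) pair."""
    weak = [k["name"] for k in keys
            if k["alg"] != required_alg or k["size"] < required_size]
    profiles = Counter((k["alg"], k["size"]) for k in keys)
    return weak, len(profiles) > 1

if __name__ == "__main__":
    weak, mixed = audit(parse_keys(SAMPLE))
    print("mixed key profiles:", mixed)
    for name in weak:
        print("below AES-256:", name)
```

Parsing fails closed: a row that does not match the layout raises an error instead of being skipped, so a changed export format cannot hide a 128-bit key.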