Bug 1566005 - Support detached LUKS header in cryptsetup-reencrypt utility
Summary: Support detached LUKS header in cryptsetup-reencrypt utility
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cryptsetup
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Ondrej Kozina
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks: 1468740
Reported: 2018-04-11 10:22 UTC by Milan Broz
Modified: 2021-09-06 15:04 UTC (History)

Fixed In Version: cryptsetup-2.0.3-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 11:29:13 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1468740 0 unspecified CLOSED [RFE] Support RHEL OS disk encryption on Azure 2022-03-13 14:20:47 UTC
Red Hat Product Errata RHBA-2018:3239 0 None None None 2018-10-30 11:30:54 UTC

Internal Links: 1468740

Description Milan Broz 2018-04-11 10:22:35 UTC
Description of problem:

Cryptsetup-reencrypt utility in RHEL7.5 currently doesn't support LUKS detached header, so there is currently no way to add/change encryption on LUKS devices with detached header.
(Cryptsetup contains support for --header option since RHEL7 GA; cryptsetup-reencrypt is missing this option.)

Upstream patch to solve this problem (can be backported to 1.7 version):
https://gitlab.com/cryptsetup/cryptsetup/commit/a22a24bc986386e081bb366baabf2a3415d49d28

Version-Release number of selected component (if applicable):
cryptsetup-1.7.4-4.el7

Expected results:
Support for --header option in cryptsetup-reencrypt.

Comment 2 Ondrej Kozina 2018-06-05 08:56:30 UTC
Added in cryptsetup-2.0.3 (and could be backported in 1.7.x, if needed)

Comment 13 Corey Marthaler 2018-08-23 15:48:45 UTC
I believe this is sufficient. We (cluster-qe) also added some cursory checks for detached header encryption of thin origin volumes w/ io verification from their snapshot volumes using the header file.

Marking verified in the latest rpms.
3.10.0-937.el7.x86_64

lvm2-2.02.180-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
lvm2-libs-2.02.180-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-libs-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-event-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-event-libs-1.02.149-5.el7    BUILT: Tue Aug 21 11:29:37 CDT 2018
device-mapper-persistent-data-0.7.3-3.el7    BUILT: Tue Nov 14 05:07:18 CST 2017
cryptsetup-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018
cryptsetup-libs-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018
cryptsetup-reencrypt-2.0.3-3.el7    BUILT: Tue Jul 31 09:34:18 CDT 2018





Making pool volume
lvcreate  --thinpool POOL -L 4G --profile thin-performance --zero n --poolmetadatasize 4M snapper_thinp

Making origin volume
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other1
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other2
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other3
lvcreate  -V 1G -T snapper_thinp/POOL -n other4
  WARNING: Sum of all thin volume sizes (5.00 GiB) exceeds the size of thin pool snapper_thinp/POOL (4.00 GiB).
lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n other5
  WARNING: Sum of all thin volume sizes (6.00 GiB) exceeds the size of thin pool snapper_thinp/POOL (4.00 GiB).

Placing an xfs filesystem on origin volume
Mounting origin volume

Writing files to /mnt/origin

Checking files on /mnt/origin

syncing before snap creation...
Making 1st snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap1
Mounting 1st snap volume
Checking files on /mnt/fs_snap1

Writing files to /mnt/origin

syncing before snap creation...
Making 2nd snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap2
Mounting 2nd snap volume
Checking files on /mnt/fs_snap2

Writing files to /mnt/origin

syncing before snap creation...
Encrypt existing filesystem using a detached header file (RFE 1566005)
cryptsetup-reencrypt --new --type luks2 /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.20119
cryptsetup luksOpen /dev/snapper_thinp/origin luks_origin --header /tmp/luks_detachedheader.20119

Writing files to /mnt/origin

Checking files on /mnt/origin

Making 3rd snapshot of origin volume
lvcreate  -y -k n -s /dev/snapper_thinp/origin -n fs_snap3
cryptsetup luksOpen /dev/snapper_thinp/fs_snap3 fs_snap3 --header /tmp/luks_detachedheader.20119
Mounting 3rd snap volume
Checking files on /mnt/fs_snap1
Checking files on /mnt/fs_snap2
Checking files on /mnt/fs_snap2
Checking files on /mnt/fs_snap3
Checking files on /mnt/fs_snap3
Checking files on /mnt/fs_snap3

Removing snap volume snapper_thinp/fs_snap1
lvremove -f /dev/snapper_thinp/fs_snap1
Removing snap volume snapper_thinp/fs_snap2
lvremove -f /dev/snapper_thinp/fs_snap2
Removing snap volume snapper_thinp/fs_snap3
lvremove -f /dev/snapper_thinp/fs_snap3
Removing thin origin and other virtual thin volumes
Removing pool snapper_thinp/POOL
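
A follow-up check for the encrypt step in the log above, as an added example that is not part of the original comment or of cryptsetup: it confirms that the detached header file starts with a LUKS2 header and that the data device carries no LUKS header of its own. It assumes the published LUKS on-disk layout (6-byte magic, big-endian 16-bit version, UUID string at byte offset 168); the function names and sample bytes are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"     # primary header magic (LUKS1 and LUKS2)
UUID_OFFSET, UUID_LEN = 168, 40  # UUID field position (assumed from the on-disk format)


def luks_info(head: bytes):
    """Return {'version', 'uuid'} if the bytes start a LUKS header, else None."""
    if len(head) < UUID_OFFSET + UUID_LEN or head[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", head[6:8])  # version is big-endian
    if version not in (1, 2):
        return None
    raw = head[UUID_OFFSET:UUID_OFFSET + UUID_LEN].split(b"\0", 1)[0]
    return {"version": version, "uuid": raw.decode("ascii", "replace")}


def check_detached(header_head: bytes, device_head: bytes, want_version: int = 2):
    """Return a list of problems; an empty list means the layout is as expected."""
    problems = []
    hdr = luks_info(header_head)
    if hdr is None:
        problems.append("header file is not a LUKS header")
    elif hdr["version"] != want_version:
        problems.append(f"header file is LUKS{hdr['version']}, expected LUKS{want_version}")
    if luks_info(device_head) is not None:
        problems.append("data device carries its own LUKS header")
    return problems


def read_head(path: str, n: int = 512) -> bytes:
    """Read the first n bytes of a header file or block device."""
    with open(path, "rb") as f:
        return f.read(n)


def constructed_header(version: int, uuid: str) -> bytes:
    """Constructed sample: magic + version + zero padding + UUID, 512 bytes."""
    head = (LUKS_MAGIC + struct.pack(">H", version)).ljust(UUID_OFFSET, b"\0")
    return (head + uuid.encode().ljust(UUID_LEN, b"\0")).ljust(512, b"\0")


SAMPLE_UUID = "00000000-0000-4000-8000-000000000001"  # constructed value
SAMPLE_HEADER = constructed_header(2, SAMPLE_UUID)    # stands in for the header file
SAMPLE_DEVICE = bytes(range(256)) * 2                 # stands in for ciphertext

if __name__ == "__main__":
    print(check_detached(SAMPLE_HEADER, SAMPLE_DEVICE))
```

Against the volumes in the log, the inputs would be `read_head("/tmp/luks_detachedheader.20119")` and `read_head("/dev/snapper_thinp/origin")`, run as a user allowed to read both.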

Comment 15 errata-xmlrpc 2018-10-30 11:29:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3239
