RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1676622 - [RFE] Add online reencryption feature
Summary: [RFE] Add online reencryption feature
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cryptsetup
Version: 8.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.1
Assignee: Ondrej Kozina
QA Contact: Corey Marthaler
Marek Suchánek
URL:
Whiteboard:
Depends On: 1682539
Blocks: 1701002
TreeView+ depends on / blocked
 
Reported: 2019-02-12 17:04 UTC by Ondrej Kozina
Modified: 2021-09-06 15:18 UTC (History)
11 users (show)

Fixed In Version: cryptsetup-2.2.0-0.2.el8
Doc Type: Enhancement
Doc Text:
.LUKS2 now supports online re-encryption The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks: * Change the volume key * Change the encryption algorithm When encrypting a non-encrypted device, you must still unmount the file system, but the encryption is now significantly faster. You can remount the file system after a short initialization of the encryption. Additionally, the LUKS2 re-encryption is now more resilient. You can select between several options that prioritize performance or data protection during the re-encryption process. To perform the LUKS2 re-encryption, use the `cryptsetup reencrypt` subcommand. Red Hat no longer recommends using the `cryptsetup-reencrypt` utility for the LUKS2 format. Note that the LUKS1 format does not support online re-encryption, and the `cryptsetup reencrypt` subcommand is not compatible with LUKS1. To encrypt or re-encrypt a LUKS1 device, use the `cryptsetup-reencrypt` utility. For more information on disk encryption, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening[Encrypting block devices using LUKS].
Clone Of:
Environment:
Last Closed: 2019-11-05 22:17:14 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3569 0 None None None 2019-11-05 22:17:26 UTC

Description Ondrej Kozina 2019-02-12 17:04:59 UTC 
Add online reencryption capability to cryptsetup (LUKS2 format only).

For reencryption (ciphertext->ciphertext transition) we aim to support:
- fully online process
- detached header supported (header put on device/file different from data device)
- embedded header supported (header put in head of data device)

For encryption (plaintext->ciphertext transition) we aim to support:
- offline embedded header introduction (data device size reduction)
- after activating initial device-mapper device the rest of encryption process can be peformed online
- detached header supported
- embedded header supported

For decryption (ciphertext->plaintext transition) we aim to support:
- fully online process (dm-linear mapping remains after decryption process completed)
- detached header supported
Comment 14 Corey Marthaler 2019-09-05 19:11:33 UTC 
Marking this feature verified in the latest rpms. 

4.18.0-141.el8.x86_64
cryptsetup-2.2.0-2.el8    BUILT: Fri Aug 30 07:54:20 CDT 2019
cryptsetup-libs-2.2.0-2.el8    BUILT: Fri Aug 30 07:54:20 CDT 2019

Like mentioned in comment #2 we now have online encryption (as well as decryption) scenarios integrated with our lvm/fs regression tests with data verification during the following scenarios/suites:
1. online reencryption during raid replacement testing
2. online reencryption after raid fs extension testing
3. online reencryption during raid and mirror device failure testing
4. online reencryption after thin origin/snap fs extensions testing
5. online reencryption during raid split image testing
6. online reencryption in between cache origin and snapshot testing
7. online reencryption after cache pool rename and resize testing
Comment 22 errata-xmlrpc 2019-11-05 22:17:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3569
Note You need to log in before you can comment on or make changes to this bug.