Bug 1676622 - [RFE] Add online reencryption feature
Summary: [RFE] Add online reencryption feature
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cryptsetup
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.1
Assignee: Ondrej Kozina
QA Contact: Corey Marthaler
Marek Suchánek
Depends On: 1682539
Blocks: 1701002
Reported: 2019-02-12 17:04 UTC by Ondrej Kozina
Modified: 2021-09-06 15:18 UTC

Fixed In Version: cryptsetup-2.2.0-0.2.el8
Doc Type: Enhancement
Doc Text:
.LUKS2 now supports online re-encryption

The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted devices while the devices are in use. For example, you do not have to unmount the file system on the device to perform the following tasks:

* Change the volume key
* Change the encryption algorithm

When encrypting a non-encrypted device, you must still unmount the file system, but the encryption is now significantly faster. You can remount the file system after a short initialization of the encryption.

Additionally, the LUKS2 re-encryption is now more resilient. You can select between several options that prioritize performance or data protection during the re-encryption process.

To perform the LUKS2 re-encryption, use the `cryptsetup reencrypt` subcommand. Red Hat no longer recommends using the `cryptsetup-reencrypt` utility for the LUKS2 format.

Note that the LUKS1 format does not support online re-encryption, and the `cryptsetup reencrypt` subcommand is not compatible with LUKS1. To encrypt or re-encrypt a LUKS1 device, use the `cryptsetup-reencrypt` utility.

For more information on disk encryption, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening[Encrypting block devices using LUKS].
Clone Of:
Last Closed: 2019-11-05 22:17:14 UTC
Type: Feature Request
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3569 0 None None None 2019-11-05 22:17:26 UTC

Description Ondrej Kozina 2019-02-12 17:04:59 UTC
Add online reencryption capability to cryptsetup (LUKS2 format only).

For reencryption (ciphertext->ciphertext transition) we aim to support:
- fully online process
- detached header supported (header put on device/file different from data device)
- embedded header supported (header put in head of data device)

For encryption (plaintext->ciphertext transition) we aim to support:
- offline embedded header introduction (data device size reduction)
- after activating the initial device-mapper device, the rest of the encryption process can be performed online
- detached header supported
- embedded header supported

For decryption (ciphertext->plaintext transition) we aim to support:
- fully online process (dm-linear mapping remains after decryption process completed)
- detached header supported
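
The modes listed above, mapped to command lines, as an added example that is not part of the original report or of the cryptsetup project. The function names `luks_format` and `plan`, the `_crypt` mapping-name suffix and the 32M size are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Device names, header paths and the 32M size are sample values.

# luks_format DEVICE [HEADER]: print luks2, luks1 or plain (no LUKS header found).
# Needs root and cryptsetup; with a detached header the metadata is read from it.
luks_format() (
    dev=$1
    [ -n "$2" ] && set -- --header "$2" "$dev" || set -- "$dev"
    if cryptsetup isLuks --type luks2 "$@"; then echo luks2
    elif cryptsetup isLuks --type luks1 "$@"; then echo luks1
    else echo plain; fi
)

# plan FORMAT MODE DEVICE [HEADER] [RESILIENCE]: print the command line(s) to run.
# Exits 2 for combinations the bug text does not list as supported.
plan() (
    format=$1 mode=$2 dev=$3 hdr=$4 res=${5:-checksum}
    case $res in none|checksum|journal) ;; *) echo "bad resilience: $res" >&2; exit 2 ;; esac
    hopt=${hdr:+"--header $hdr "}
    case $format:$mode in
        luks1:reencrypt)
            # LUKS1 has no online mode: legacy utility, device not in use.
            echo "cryptsetup-reencrypt $dev" ;;
        luks2:reencrypt)
            # Online; resilience trades performance against data protection.
            echo "cryptsetup reencrypt --resilience $res ${hopt}$dev" ;;
        plain:encrypt)
            # Offline step: write the header and activate the mapping. An
            # embedded header needs room, so the data area is reduced.
            [ -n "$hdr" ] && room=$hopt || room="--reduce-device-size 32M "
            echo "cryptsetup reencrypt --encrypt --init-only ${room}$dev ${dev##*/}_crypt"
            # Online step: run once the new mapping is mounted and in use.
            echo "cryptsetup reencrypt --resume-only ${hopt}$dev" ;;
        luks2:decrypt)
            # The description lists only a detached header for decryption.
            [ -n "$hdr" ] || { echo "decrypt needs a detached header" >&2; exit 2; }
            echo "cryptsetup reencrypt --decrypt ${hopt}$dev" ;;
        *)  echo "unsupported: $format $mode" >&2; exit 2 ;;
    esac
)

# Stand-alone use: sh plan.sh MODE DEVICE [HEADER] [RESILIENCE]
if [ "$#" -ge 2 ]; then plan "$(luks_format "$2" "$3")" "$@"; fi
```

`plan` only prints the commands, so its output can be reviewed before anything touches the device.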

Comment 14 Corey Marthaler 2019-09-05 19:11:33 UTC
Marking this feature verified in the latest rpms. 

cryptsetup-2.2.0-2.el8    BUILT: Fri Aug 30 07:54:20 CDT 2019
cryptsetup-libs-2.2.0-2.el8    BUILT: Fri Aug 30 07:54:20 CDT 2019

As mentioned in comment #2, we now have online encryption (as well as decryption) scenarios integrated with our lvm/fs regression tests with data verification during the following scenarios/suites:
1. online reencryption during raid replacement testing
2. online reencryption after raid fs extension testing
3. online reencryption during raid and mirror device failure testing
4. online reencryption after thin origin/snap fs extensions testing
5. online reencryption during raid split image testing
6. online reencryption in between cache origin and snapshot testing
7. online reencryption after cache pool rename and resize testing

Comment 22 errata-xmlrpc 2019-11-05 22:17:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
