Bug 1743891
| Summary: | Attempting to use cryptsetup-reencrypt on new "cryptsetup reencrypt" formatted luks device fails due to "Online reencryption in progress. Aborting." | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Corey Marthaler <cmarthal> |
| Component: | cryptsetup | Assignee: | Ondrej Kozina <okozina> |
| Status: | CLOSED ERRATA | QA Contact: | guazhang <guazhang> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | agk, guazhang, jbrassow, mbroz, okozina, prajnoha, rhandlin |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.3 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | cryptsetup-2.3.3-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:59:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Corey Marthaler
2019-08-20 22:57:43 UTC
(In reply to Corey Marthaler from comment #0)
> # This should have a more appropriate error message if this utility can't
> perform this action. Online reencryption is *NOT* in progress
> [root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
> Online reencryption in progress. Aborting.

The reencryption indeed is not in progress in this case, but the device is marked with online reencryption in metadata. It's part of a safeguard preventing us from manipulating a LUKS2 device updated with newer tools (online reencryption extends the LUKS2 metadata format temporarily) that older utilities do not understand. I'll think about a more accurate message.

Fixed in upstream with https://gitlab.com/cryptsetup/cryptsetup/commit/83934bdcf3fc46280a38d48567b0adddf0233d5f

The new error message in this very case should look like:

"Operation incompatible with device marked for LUKS2 reencryption. Aborting."

Is the fact that the old utility "works" to actually decrypt the luks2 device a bug here? Should that also produce a warning?

[root@hayes-01 ~]# lvcreate --thinpool POOL -L 4G --profile thin-performance --zero n --poolmetadatasize 4M snapper_thinp
  Thin pool volume with chunk size 64.00 KiB can address at most 15.81 TiB of data.
  Logical volume "POOL" created.
[root@hayes-01 ~]# lvcreate --virtualsize 1G -T snapper_thinp/POOL -n origin
  Logical volume "origin" created.

[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --encrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
WARNING: Device /tmp/luks_detachedheader.29881 already contains a 'crypto_LUKS' superblock signature.
Finished, time 00:10.751, 1024 MiB written, speed 95.2 MiB/s

[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/snapper_thinp/origin luks_origin --header /tmp/luks_detachedheader.29881
[root@hayes-01 ~]# cryptsetup luksClose luks_origin

# Old utility
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
Finished, time 00:08.771, 1024 MiB written, speed 116.7 MiB/s

This was seen in bug 1809571.

(In reply to Corey Marthaler from comment #5)
> Is the fact that the old utility "works" to actually decrypt the luks2
> device a bug here? Should that also produce a warning?

I don't think it's a bug. Legacy reencryption code works atm even on LUKS2 devices. What would be a bug on the other hand is if you could somehow run legacy reencryption code on interrupted new reencryption or vice versa. Do we have a test like this in qa? I don't think we have one in the devel test suite, I'm afraid.

Hello

# echo Str0ngP455w0rd### | cryptsetup reencrypt --encrypt --init-only /dev/sda --header /tmp/luks_detachedheader.29881
# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/sda luks_origin --header /tmp/luks_detachedheader.29881
# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881
Cannot exclusively open /dev/sda, device in use.
# cryptsetup luksClose luks_origin
# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881
Operation incompatible with device marked for LUKS2 reencryption. Aborting.
# echo Str0ngP455w0rd### | cryptsetup reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881

move to verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: cryptsetup security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4542
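The safeguard discussed in this thread is a marker in the LUKS2 metadata, not a running operation, so a pre-flight check can read the header dump and pick the tool that understands it. The script below is an added example, not code from the bug report or from the cryptsetup project; it assumes `cryptsetup luksDump` prints a `Requirements:` line carrying `online-reencrypt` and lists the reencryption keyslot as type `reencrypt` with a `Mode:` field, and the two dumps it parses are constructed samples in that assumed shape.

```shell
#!/bin/sh
# Added example: decide which reencryption tool may touch a LUKS2 header.
# Assumed luksDump shape: "Requirements:" line and a keyslot of type
# "reencrypt" with a "Mode:" field (values below are constructed).

# Constructed dump resembling a header left by `cryptsetup reencrypt --init-only`.
SAMPLE_MARKED='LUKS header information
Version:        2
Epoch:          4
Requirements:   online-reencrypt

Keyslots:
  0: luks2
    Key:        512 bits
  1: reencrypt (unbound)
    Mode:       encrypt
    Direction:  forward'

# Constructed dump of a plain LUKS2 header with no reencryption pending.
SAMPLE_CLEAN='LUKS header information
Version:        2
Epoch:          3

Keyslots:
  0: luks2
    Key:        512 bits'

# marked_for_reencrypt DUMP: exit 0 when the dump carries the online-reencrypt
# requirement or a reencrypt keyslot (the state that makes cryptsetup-reencrypt abort).
marked_for_reencrypt() {
    printf '%s\n' "$1" | grep -Eq '^Requirements:.*online-reencrypt|^ *[0-9]+: reencrypt'
}

# pending_reencrypt_mode DUMP: print the Mode of the reencrypt keyslot
# (encrypt/decrypt/reencrypt), or nothing when no such keyslot exists.
pending_reencrypt_mode() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+: reencrypt/ { inslot = 1; next }
        /^ *[0-9]+: /          { inslot = 0 }
        inslot && /Mode:/      { print $2; exit }'
}

# pick_reencrypt_tool DUMP: only the new tool understands the extended metadata;
# the legacy tool is acceptable on an unmarked LUKS2 header.
pick_reencrypt_tool() {
    if marked_for_reencrypt "$1"; then
        printf '%s\n' "cryptsetup reencrypt"
    else
        printf '%s\n' "cryptsetup-reencrypt"
    fi
}
```

Against a real device the dump would come from `cryptsetup luksDump --header /path/to/header /dev/sdX`, substituted for the constructed samples.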