Bug 1743891 - Attempting to use cryptsetup-reencrypt on new "cryptsetup reencrypt" formatted luks device fails due to "Online reencryption in progress. Aborting."
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cryptsetup
Version: 8.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 8.3
Assignee: Ondrej Kozina
QA Contact: guazhang@redhat.com
Reported: 2019-08-20 22:57 UTC by Corey Marthaler
Modified: 2021-09-06 15:19 UTC (History)

Fixed In Version: cryptsetup-2.3.3-1.el8
Last Closed: 2020-11-04 01:59:39 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4542 0 None None None 2020-11-04 01:59:54 UTC

Description Corey Marthaler 2019-08-20 22:57:43 UTC
Description of problem:
[root@hayes-02 ~]# lvcreate  --thinpool POOL -L 4G --profile thin-performance --zero n --poolmetadatasize 4M snapper_thinp
  Thin pool volume with chunk size 64.00 KiB can address at most 15.81 TiB of data.
  Logical volume "POOL" created.
[root@hayes-02 ~]# lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin
  Logical volume "origin" created.

[root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --encrypt --init-only /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
[root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/snapper_thinp/origin luks_origin --header /tmp/luks_detachedheader.29881

[root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
Cannot exclusively open /dev/snapper_thinp/origin, device in use.

[root@hayes-02 ~]# cryptsetup luksClose luks_origin

# This should have a more appropriate error message if this utility can't perform this action. Online reencryption is *NOT* in progress
[root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
Online reencryption in progress. Aborting.

# Works fine with the other utility
[root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
Finished, time 00:10.735, 1024 MiB written, speed  95.4 MiB/s   


Version-Release number of selected component (if applicable):
cryptsetup-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-libs-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-reencrypt-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019

Comment 1 Ondrej Kozina 2019-08-21 11:10:04 UTC
(In reply to Corey Marthaler from comment #0)
> 
> # This should have a more appropriate error message if this utility can't
> perform this action. Online reencryption is *NOT* in progress
> [root@hayes-02 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt
> /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
> Online reencryption in progress. Aborting.

The reencryption indeed is not in progress in this case, but the device is marked with online reencryption in metadata.
It's part of a safeguard preventing us from manipulating a LUKS2 device updated with newer tools (online reencryption extends the LUKS2 metadata format temporarily) that older utilities do not understand.

I'll think about a more accurate message.
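
The metadata marker described in comment 1 can be checked before running the legacy tool. The following is an added example, not part of the original thread and not cryptsetup's own code: it parses a LUKS2 header (binary header followed by the JSON area) and lists the mandatory requirement flags. The function names and the sample header are constructed for illustration, and the header checksum is not verified.

```python
import json
import struct

LUKS2_MAGICS = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # primary / secondary header
BIN_HDR_SIZE = 4096  # fixed-size binary header; the JSON area follows it


def luks2_requirements(header: bytes) -> list:
    """Return the mandatory requirement flags stored in a LUKS2 header."""
    if len(header) < BIN_HDR_SIZE:
        raise ValueError("too short for a LUKS2 header")
    # magic[6], version (u16), hdr_size (u64), all big-endian
    magic, version, hdr_size = struct.unpack_from(">6sHQ", header, 0)
    if magic not in LUKS2_MAGICS or version != 2:
        raise ValueError("not a LUKS2 header")
    if hdr_size <= BIN_HDR_SIZE or hdr_size > len(header):
        raise ValueError("header size field is inconsistent with the data")
    # The JSON text is NUL-padded up to the end of the header area.
    json_area = header[BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0]
    meta = json.loads(json_area)
    reqs = meta.get("config", {}).get("requirements", {})
    return list(reqs.get("mandatory", []))


def legacy_tool_allowed(header: bytes, understood=frozenset()) -> bool:
    """True only if every mandatory requirement is one the tool understands."""
    return set(luks2_requirements(header)) <= set(understood)


def build_sample_header(mandatory) -> bytes:
    """Constructed test input: minimal binary header plus a JSON area."""
    config = {"json_size": "12288", "keyslots_size": "16744448"}
    if mandatory:
        config["requirements"] = {"mandatory": list(mandatory)}
    meta = {"keyslots": {}, "tokens": {}, "segments": {}, "digests": {},
            "config": config}
    hdr_size = 16384
    binary = struct.pack(">6sHQ", LUKS2_MAGICS[0], 2, hdr_size)
    binary = binary.ljust(BIN_HDR_SIZE, b"\x00")
    return binary + json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\x00")


if __name__ == "__main__":
    marked = build_sample_header(["online-reencrypt"])
    plain = build_sample_header([])
    print(luks2_requirements(marked), legacy_tool_allowed(marked))
    print(luks2_requirements(plain), legacy_tool_allowed(plain))
```

For a real detached header, pass the leading bytes of the header file (at least the size given in its `hdr_size` field) to `luks2_requirements`.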

Comment 4 Ondrej Kozina 2020-02-03 12:57:47 UTC
The new error message in this very case should look like: "Operation incompatible with device marked for LUKS2 reencryption. Aborting."

Comment 5 Corey Marthaler 2020-05-14 02:35:03 UTC
Is the fact that the old utility "works" to actually decrypt the luks2 device a bug here? Should that also produce a warning?

[root@hayes-01 ~]# lvcreate  --thinpool POOL -L 4G --profile thin-performance --zero n --poolmetadatasize 4M snapper_thinp
  Thin pool volume with chunk size 64.00 KiB can address at most 15.81 TiB of data.
  Logical volume "POOL" created.
[root@hayes-01 ~]# lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin
  Logical volume "origin" created.
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --encrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
WARNING: Device /tmp/luks_detachedheader.29881 already contains a 'crypto_LUKS' superblock signature.
Finished, time 00:10.751, 1024 MiB written, speed  95.2 MiB/s   

[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/snapper_thinp/origin luks_origin --header /tmp/luks_detachedheader.29881
[root@hayes-01 ~]# cryptsetup luksClose luks_origin

# Old utility
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/snapper_thinp/origin --header /tmp/luks_detachedheader.29881
Finished, time 00:08.771, 1024 MiB written, speed 116.7 MiB/s   

This was seen in bug 1809571.

Comment 6 Ondrej Kozina 2020-05-28 14:26:53 UTC
(In reply to Corey Marthaler from comment #5)
> Is the fact that the old utility "works" to actually decrypt the luks2
> device a bug here? Should that also produce a warning?

I don't think it's a bug. Legacy reencryption code works atm even on LUKS2 devices. What would be a bug, on the other hand, is if you could somehow run legacy reencryption code on an interrupted new reencryption or vice versa. Do we have a test like this in QA? I don't think we have one in the devel test suite, I'm afraid.

Comment 9 guazhang@redhat.com 2020-06-18 04:52:04 UTC
Hello

# echo Str0ngP455w0rd### | cryptsetup reencrypt --encrypt --init-only /dev/sda --header /tmp/luks_detachedheader.29881
# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/sda luks_origin --header /tmp/luks_detachedheader.29881
# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881
Cannot exclusively open /dev/sda, device in use.
#  cryptsetup luksClose luks_origin
# echo Str0ngP455w0rd### | cryptsetup-reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881
Operation incompatible with device marked for LUKS2 reencryption. Aborting.
#  echo Str0ngP455w0rd### | cryptsetup reencrypt --decrypt /dev/sda --header /tmp/luks_detachedheader.29881


move to verified

Comment 12 errata-xmlrpc 2020-11-04 01:59:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: cryptsetup security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4542

