Description of problem: ----------------------- User input passphrase may be weak and may not fit in to password quality check. Instead of asking for passphrase from users, it should be good to generate the random content key-file and use it to encrypt the additional disks. Max supported key size in cryptsetup is 8192K, so generate the key file of that size and use it for encryption Following command generates the key for disk for example sdb: dd bs=1024 count=8192 if=/dev/urandom of=/root/sdb_key iflag=fullblock Also set proper perms on this file: # chmod 0400 /root/sdb_key Version-Release number of selected component (if applicable): ------------------------------------------------------------- gluster-ansible-infra-1.0.4-5.el8rhgs.noarch.rpm How reproducible: ----------------- Always Steps to Reproduce: ------------------- 1. Run the playbook to set up NBDE 2. Input weak password for additional disks as 'test' Actual results: --------------- No keyfile is used but the weak password is used Expected results: ----------------- User may expected to key-in weak password. Preferable to generate new keyfile of size 8192K and set proper permission on that key file
Verified with gluster-ansible-infra-1.0.4-6.el8rhgs 1. Initially passphrase keyfile is generated under /root/sdx_key 2. Later /etc/sdx_keyfile is generated random 3. Passphrase based keyfile is removed 4. /etc/sdx_keyfile is used for unlocking the additional disks
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:2575