Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1959055

Summary: virt-v2v fails to open BitLocker disk with: BITLK devices with type 'encrypt-on-write' cannot be activated. (0)
Product: Red Hat Enterprise Linux 9 Reporter: mxie <mxie>
Component: virt-v2vAssignee: Virtualization Maintenance <virt-maint>
Status: CLOSED CANTFIX QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: chhu, jsuchane, juzhou, kkiwi, mzhan, rjones, tyan, tzheng, xiaodwan
Target Milestone: betaFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1959739 (view as bug list) Environment:
Last Closed: 2021-08-16 20:48:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1959739    
Attachments:
Description Flags
virt-v2v-windows-bitlocker-rhel9.log none

Description mxie@redhat.com 2021-05-10 16:18:32 UTC 
Created attachment 1781760 [details]
virt-v2v-windows-bitlocker-rhel9.log

Description of problem:
Virt-v2v can't find key when convert windows BitLocker guest on rhel9

Version-Release number of selected component (if applicable):
virt-v2v-1.44.0-1.el9.x86_64
libguestfs-1.45.2-4.el9.x86_64
guestfs-tools-1.46.0-1.el9.x86_64
nbdkit-1.25.4-2.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Prepare a windows guest whose disk is encrypted by Bitblocker on VMware, then convert the guest from VMware to rhv4.4 by v2v
#  virt-v2v -ic vpx://root.198.169/data/10.73.199.217/?no_verify=1 -it vddk -io vddk-libdir=/home/vddk7.0 -io  vddk-thumbprint=B5:52:1F:B4:21:09:45:24:51:32:56:F6:63:6A:93:5D:54:08:2D:78 -ip /home/passwd -o rhv-upload -of qcow2 -oc https://dell-per740-22.lab.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -os nfs_data -b ovirtmgmt esx7.0-win2019-ntfs-3g-bitblocker --key "/dev/sda2":file:windows-key 
[   0.8] Opening the source -i libvirt -ic vpx://root.198.169/data/10.73.199.217/?no_verify=1 esx7.0-win2019-ntfs-3g-bitblocker -it vddk  -io vddk-libdir=/home/vddk7.0 -io vddk-thumbprint=B5:52:1F:B4:21:09:45:24:51:32:56:F6:63:6A:93:5D:54:08:2D:78
[   3.6] Creating an overlay to protect the source from being modified
[   5.2] Opening the overlay
virt-v2v: could not find key to open LUKS encrypted /dev/sda2.

Try using --key on the command line.

Original error: cryptsetup_open: cryptsetup exited with status 1: BITLK devices with type 'encrypt-on-write' cannot be activated. (0)



Actual results:
As above description

Expected results:
Virt-v2v should can convert windows BitLocker guest since bug1808977 has been fixed

Additional info:
Comment 1 Richard W.M. Jones 2021-05-10 16:40:46 UTC 
We correctly run:

  cryptsetup -d /tmp/cryptabc37c.key open /dev/sda2 cryptsda2 --type bitlk

which fails with:

  BITLK devices with type 'encrypt-on-write' cannot be activated. (0)

This seems to be a problem with support for this guest by cryptsetup.
I think when you created the guest or set up BitLocker in the guest,
you may have selected the "Encrypt on Write" option.  (There is another
option to encrypt the whole disk).  Apparently cryptsetup or the kernel
does not support Encrypt on Write.  This may not be something that we
are able to solve.

https://gitlab.com/cryptsetup/cryptsetup/-/blob/c40be6cc7a830f95cbea336693bbcabd101df135/lib/bitlk/bitlk.c#L1209
Comment 3 Xiaodai Wang 2021-07-23 04:21:41 UTC 
The error is different now. 

# rpm -q virt-v2v libguestfs kernel
virt-v2v-1.45.2-1.el9.x86_64
libguestfs-1.45.6-9.el9.x86_64
kernel-5.13.0-1.el9.x86_64

#
[   0.0] Opening the source -i libvirt -ic vpx://root.x.x/data/x.x.x.x/?no_verify=1 esx7.0-win2019-ntfs-3g-bitblocker
[   3.7] Creating an overlay to protect the source from being modified
[   5.8] Opening the overlay
Enter key or passphrase ("/dev/sda2"): 
[  61.1] Inspecting the overlay
[ 439.4] Checking for sufficient free disk space in the guest
[ 439.4] Converting Windows Server 2019 Standard to run on KVM
virt-v2v: warning: there is no QXL driver for this version of Windows (10.0 
x86_64).  virt-v2v looks for this driver in 
/usr/share/virtio-win/virtio-win.iso

The guest will be configured to use a basic VGA display driver.
virt-v2v: error: libguestfs error: blockdev_getsize64: 
blockdev_getsize64_stub: /dev/mapper/cryptsda: No such file or directory

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]
Comment 5 Klaus Heinrich Kiwi 2021-08-09 20:44:02 UTC 
(In reply to Xiaodai Wang from comment #3)
> The error is different now. 
> 
But are you using encrypt on write as indicated by comment #1?

If this is another bug, we should open a different bz

>
Comment 6 Xiaodai Wang 2021-08-10 02:21:14 UTC 
I think yes, because the guest is same.
Comment 7 Klaus Heinrich Kiwi 2021-08-16 20:48:33 UTC 
(In reply to Xiaodai Wang from comment #6)
> I think yes, because the guest is same.

I'm closing this one as we can't support encrypt on write right now. If you have issues with converting a windows guest that was configured with whole-disk encryption, please open a different BZ.

 -Klaus
Comment 9 Richard W.M. Jones 2021-08-17 06:31:21 UTC 
Comment 3 is a different bug - some problem with inspection.  Can you
open a new bug about that with the log from comment 4.

As for this bug, encrypt-on-write is not supported by cryptsetup and/or
the kernel.  The bug is valid but we cannot fix it, so adjusting the
status.
Comment 10 mxie@redhat.com 2021-08-17 06:52:40 UTC 
(In reply to Richard W.M. Jones from comment #9)
> Comment 3 is a different bug - some problem with inspection.  Can you
> open a new bug about that with the log from comment 4.
> 
> As for this bug, encrypt-on-write is not supported by cryptsetup and/or
> the kernel.  The bug is valid but we cannot fix it, so adjusting the
> status.

The guest used in comment1 and comment3 is same one, the error info is changed with the upgrade of virt-v2v/libguestfs version , I think we can change the bug description and component if you want to fix the error of comment3, thanks
Comment 11 Richard W.M. Jones 2021-08-17 07:13:10 UTC 
I looked at both logs now and what's strange here is that
in the second log (comment 4) the cryptsetup command is
successful.  If it's really the same guest that would indicate
that encrypt-on-write has become supported in the kernel.
However I also checked the kernel and cryptsetup code and
nothing obviously has changed that could make this supported.

Anyway despite that, comment 3 / comment 4 does indicate a
completely different bug, so it needs a new bug number.

If we try to reuse the same bug for a different issue then
we end up losing all the original information about
encrypt-on-write.