Bug 2003748 - Is there an equivalent command to the deprecated 'cryptsetup-reencrypt --decrypt' in rhel9?
Summary: Is there an equivalent command to the deprecated 'cryptsetup-reencrypt --decr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: cryptsetup
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ondrej Kozina
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-13 15:18 UTC by Corey Marthaler
Modified: 2023-05-09 10:35 UTC
CC List: 5 users

Fixed In Version: cryptsetup-2.6.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 08:23:06 UTC
Type: Bug
Target Upstream Version: cryptsetup-2.5.0
Embargoed:




Links
System                  | ID              | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker   | RHELPLAN-97012  | 0       | None     | None   | None    | 2021-09-13 15:19:09 UTC
Red Hat Product Errata  | RHBA-2023:2534  | 0       | None     | None   | None    | 2023-05-09 08:23:18 UTC

Description Corey Marthaler 2021-09-13 15:18:02 UTC
Description of problem:
I'm looking for an equivalent to the no-header-needed 'cryptsetup-reencrypt --decrypt' command for rhel8 and rhel9 going forward, without the 'cryptsetup-reencrypt' tool. If there's not an equivalent, then these decryption scenarios will be removed from regression in rhel9.

[root@hayes-01 ~]# cryptsetup luksClose split_luks

# Attempt with "new" tool
[root@hayes-01 ~]# cryptsetup reencrypt --decrypt /dev/split_image/split_luks
Usage: cryptsetup [-?Vvyrq] [-?|--help] [--usage] [-V|--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT]
        [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT] [--align-payload=SECTORS]
        [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup]
        [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--deferred] [--serialize-memory-hard-pbkdf]
        [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING]
        [--integrity-no-journal] [--integrity-no-wipe] [--integrity-legacy-padding] [--token-only] [--token-id=INT] [--key-description=STRING] [--sector-size=INT] [--iv-large-sectors] [--persistent] [--label=STRING]
        [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes] [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt]
        [--init-only] [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING] [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: LUKS2 decryption requires option --header.


# Attempt with "old" tool
[root@hayes-01 ~]# cryptsetup-reencrypt --decrypt /dev/split_image/split_luks
Enter any existing passphrase:
Finished, time 00:06.464,  836 MiB written, speed 129.3 MiB/s

I'm seeing this same result in rhel9, but obviously without the option to use 'cryptsetup-reencrypt'.

Version-Release number of selected component (if applicable):
cryptsetup-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021
cryptsetup-libs-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021
cryptsetup-reencrypt-2.3.3-4.el8    BUILT: Thu Feb 18 10:25:50 CST 2021

Comment 1 Ondrej Kozina 2021-09-14 07:50:16 UTC
Yes, this scenario is not yet supported with the new LUKS2 reencryption code. There's an upstream tracker for the feature though: https://gitlab.com/cryptsetup/cryptsetup/-/issues/669

So I think you may drop this scenario until the feature above gets implemented.

Comment 3 Ondrej Kozina 2022-06-21 11:07:55 UTC
The command would be "cryptsetup reencrypt --decrypt /dev/split_image/split_luks --header future-exported-header-file-name". It also works for online devices.

Comment 6 guazhang@redhat.com 2022-12-01 04:07:27 UTC
Hi,

I don't quite understand the bug:
 cryptsetup-reencrypt --decrypt  without --header 
 cryptsetup reencrypt --decrypt needs --header 

All commands are as expected, so what's the fixed package updated for?

Comment 7 Ondrej Kozina 2022-12-01 10:26:40 UTC
Hi.

Previous releases did not allow decrypting a LUKS2 device with metadata placed at the head of the data device. It is now supported, but the user needs to specify a file location where the decryption process stores the interim LUKS2 metadata before the decryption process is finished.

Use the command from the examples in the cryptsetup-reencrypt man page: "cryptsetup reencrypt --decrypt --header /interim/header /dev/encrypted_device". The '/interim/header' file must not exist; it gets created in the decryption process.

Comment 8 guazhang@redhat.com 2022-12-02 07:16:07 UTC
Hi,

Could you help check whether my test steps cover this bug?
It looks like I am missing something here, as it gives an error.

cryptsetup-2.6.0-1.el9.x86_64
[root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --header  /dev/loop0  --type luks2  -q 
[root@hp-dl380g10-06 ~]# 
[root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --decrypt /dev/loop0  --header  test_header  --type luks2  -q 
No key available with this passphrase.
[root@hp-dl380g10-06 ~]#

Comment 9 Ondrej Kozina 2022-12-02 09:14:05 UTC
> [root@hp-dl380g10-06 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --header  /dev/loop0  --type luks2  -q

This is a bug. This command must not proceed further with the encrypt operation. Feel free to open a bug for it. The problem is that
performing the encrypt operation with the --header parameter and the device parameter pointing to the same device corrupts the data.

Use the following command instead to encrypt the data with the LUKS2 metadata placed at the head of the /dev/loop0 device. You need to have spare space at the end of the data device (32 MiB with the following example).

echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m

Comment 10 guazhang@redhat.com 2022-12-02 10:02:50 UTC
Hi,


[root@pnate-client-01 ~]# rpm -qa |grep cryptsetup
cryptsetup-libs-2.4.3-5.el9.x86_64
cryptsetup-2.4.3-5.el9.x86_64
[root@pnate-client-01 ~]# 
[root@pnate-client-01 ~]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m
Finished, time 00:00.098,   84 MiB written, speed 687.2 MiB/s
[root@pnate-client-01 ~]# cryptsetup reencrypt  --decrypt /dev/loop0  --header key6 
Device key6 does not exist or access denied.
[root@pnate-client-01 ~]# 



[root@hp-dl380g10-06 storage]# echo 'redhatredhat' |cryptsetup reencrypt  --encrypt /dev/loop0  --reduce-device-size 32m
Finished, time 00m00s,   84 MiB written, speed 576.2 MiB/s
[root@hp-dl380g10-06 storage]# 
[root@hp-dl380g10-06 storage]# cryptsetup reencrypt  --decrypt /dev/loop0  --header key6 

WARNING!
========
Header file key6 does not exist. Do you want to initialize LUKS2 decryption of device /dev/loop0 and export LUKS2 header to file key6?

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /root/1.tar: 
Finished, time 00m00s,   84 MiB written, speed 417.5 MiB/s
[root@hp-dl380g10-06 storage]#
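The two command shapes the thread settles on (comments 7, 9 and 10) can be exercised end to end. The script below is an added example, not code from the bug report or from the cryptsetup project: it builds a loop device from a scratch image, encrypts it in place with `--reduce-device-size 32m` so the LUKS2 header lands at the head of the device, decrypts it again with an exported interim header, and checks that the payload checksum survives the round trip. It also refuses the two misuses that surfaced in the thread: passing the data device itself as `--header` on encrypt (comment 9), and pointing `--decrypt --header` at a file that already exists (comment 7). The image size, passphrase and temp paths are assumptions for the demo; the destructive part needs root, cryptsetup >= 2.6.0 and util-linux `losetup`.

```shell
#!/bin/bash
# Added example (not from the bug report or the cryptsetup project): in-place
# LUKS2 encrypt/decrypt round trip on a loop device using only
# `cryptsetup reencrypt`, the cryptsetup >= 2.6 replacement for
# `cryptsetup-reencrypt --decrypt`. Assumptions: cryptsetup >= 2.6.0, losetup,
# coreutils, root for the destructive part. Sizes, passphrase and paths are
# made up for the demo.
set -eu

PASS='redhatredhat'   # passphrase from the thread; prefer --key-file in real use
REDUCE_MIB=32         # free space that must exist at the tail of the data device
IMG_MIB=128           # demo image size

# Comment 9 footgun: `reencrypt --encrypt --header DEV DEV` corrupts the data.
same_device() {       # same_device A B -> 0 if both paths are the same inode/device node
    [ "$1" -ef "$2" ]
}

# Build the encrypt command line. With a detached header the payload is not moved,
# so --reduce-device-size is not needed; without one the LUKS2 header goes to the
# head of DEV and the data must fit in DEV minus REDUCE_MIB. DEV is never accepted
# as its own header.
encrypt_cmd() {       # encrypt_cmd DEV [DETACHED_HEADER] -> command line on stdout
    if [ $# -gt 1 ]; then
        if same_device "$1" "$2"; then
            echo "refusing: header $2 is the data device $1 itself" >&2
            return 1
        fi
        printf 'cryptsetup reencrypt --encrypt -q --header %s %s\n' "$2" "$1"
    else
        printf 'cryptsetup reencrypt --encrypt -q --reduce-device-size %sm %s\n' "$REDUCE_MIB" "$1"
    fi
}

# Comment 7: for --decrypt of a header-in-place device the interim header file must
# not exist yet; cryptsetup creates it and parks the exported LUKS2 header there
# while the data is moved back to offset 0.
decrypt_cmd() {       # decrypt_cmd DEV INTERIM_HEADER -> command line on stdout
    if [ -e "$2" ] || [ ! -d "$(dirname "$2")" ]; then
        echo "refusing: interim header $2 must be a new file in an existing directory" >&2
        return 1
    fi
    printf 'cryptsetup reencrypt --decrypt -q --header %s %s\n' "$2" "$1"
}

# Size of the payload area: everything except the tail reserved for the header.
payload_bytes() { echo $(( (IMG_MIB - REDUCE_MIB) * 1024 * 1024 )); }

# SHA-256 of the payload area, used to prove decryption restored the plaintext.
payload_sum() {       # payload_sum DEV
    head -c "$(payload_bytes)" "$1" | sha256sum | cut -d' ' -f1
}

demo() {
    work=$(mktemp -d); img="$work/disk.img"; hdr="$work/interim.hdr"
    head -c "$(payload_bytes)" /dev/urandom > "$img"   # random payload ...
    truncate -s "${IMG_MIB}M" "$img"                   # ... plus a zeroed 32 MiB tail
    dev=$(losetup --find --show "$img")
    trap 'losetup -d "$dev"; rm -rf "$work"' EXIT

    before=$(payload_sum "$dev")

    cmd=$(encrypt_cmd "$dev")                          # header-in-place encrypt
    printf '%s\n' "$PASS" | $cmd
    cryptsetup isLuks "$dev"                           # aborts (set -e) if not LUKS now
    echo "encrypted: $dev carries a LUKS2 header"

    cmd=$(decrypt_cmd "$dev" "$hdr")                   # header exported to $hdr during the job
    printf '%s\n' "$PASS" | $cmd
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "decrypt left a LUKS header behind" >&2; exit 1
    fi
    [ "$(payload_sum "$dev")" = "$before" ]            # aborts on checksum mismatch
    echo "decrypted: payload checksum unchanged ($before)"
}

# Destructive part only on request:  sudo ./luks_roundtrip.sh --run
[ "${1:-}" = "--run" ] && demo || :
```

The helper functions run without root and are what make the pre-checks testable; `demo` is the part that actually drives `cryptsetup reencrypt` and should be run on a scratch loop device only.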

Comment 15 errata-xmlrpc 2023-05-09 08:23:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2534

