Bug 2130497 - [KMIP] Rook should use AES 256 for KEK encryption similar to Noobaa and Ceph-CSI
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: rook
Version: 4.12
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ODF 4.12.0
Assignee: Rakshith
QA Contact: Rachael
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-28 11:16 UTC by Rachael
Modified: 2023-08-09 17:03 UTC
CC: 4 users

Fixed In Version: 4.12.0-70
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-08 14:06:28 UTC
Embargoed:


Attachments
Keys in CipherTrust Manager (64.02 KB, image/png), 2022-09-28 11:16 UTC, Rachael


Links
Github red-hat-storage/rook pull 419 (status: open): Bug 2130497: osd: use 256 as cryptographicLength for keys using kmip kms (last updated 2022-10-03 07:04:09 UTC)
Github rook/rook pull 11079 (status: open): osd: use 256 as cryptographicLength for keys using kmip kms (last updated 2022-09-29 07:18:13 UTC)

Description Rachael 2022-09-28 11:16:45 UTC
Created attachment 1914827
Keys in CipherTrust Manager

Description of problem (please be as detailed as possible and provide log
snippets):

When clusterwide encryption is enabled using Thales CipherTrust Manager (using KMIP), the KEKs for OSDs stored in the CipherTrust Manager use the AES 128 algorithm. However, Noobaa and Ceph-CSI use AES 256 for the same.


Key Name                                                             Version  Owner        Modified            Type       Algorithm  Size
ks-26c16fc59b66470b97e7473fad9ce9873849599865914e14bd6ef41148eac6ac  0        No owner     28 Sep 2022, 15:59  Symmetric  AES        256
ks-73db5d9b975e435dbce288450120ea51f58473483e2f4acfb6208a03b15009e2  0        No owner     28 Sep 2022, 15:57  Symmetric  AES        128
ks-08829f6b45d1452680fbbfafe7dad831e393b7913426423bbacaaf5869d03d06  0        No owner     28 Sep 2022, 15:57  Symmetric  AES        128
ks-1023550b881e4460a41f13904e41d17dfc270119272f4eb3a040a89a230726ee  0        No owner     28 Sep 2022, 15:57  Symmetric  AES        128
rbd-test-key                                                         0        local|admin  27 Sep 2022, 11:41  Symmetric  AES        256

The encryption algorithm used for all the KEKs in ODF should be the same, and since AES 256 is more secure than AES 128, Rook should use AES 256 as well.


Version of all relevant components (if applicable):
---------------------------------------------------
OCP: 4.12.0-0.nightly-2022-09-26-111919
ODF: odf-operator.v4.12.0  full_version=4.12.0-66


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
No

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
-------------------
1. Deploy ODF with clusterwide encryption enabled using Thales CipherTrust Manager (using KMIP)
2. Check the CipherTrust Manager console for the keys created for OSDs and NooBaa(MCG)


Actual results:
---------------
AES 128 is used for OSD KEKs and AES 256 is used for NooBaa KEK


Expected results:
-----------------
All the KEKs should use the same encryption algorithm

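The check a QA or security reviewer would run against the key inventory shown in the report, as an added example that is not part of the bug report or of Rook/ODF code: it parses a tab-separated export of the CipherTrust Manager key listing (the rows below are transcribed from the table in the description), picks out the ODF-managed keys by the `ks-` name prefix (an assumption based on the names in the report), and flags any key whose algorithm or size falls below an AES-256 policy. On the report's data it returns the three AES-128 OSD KEKs and nothing else.

```python
"""Audit a KMIP key inventory for KEKs below the expected AES-256 size.

Added example, not code from the bug report or from Rook/ODF. The inventory
below is transcribed from the CipherTrust Manager table in the report, laid
out as tab-separated columns; the 'ks-' prefix is assumed to mark the keys
ODF created through KMIP.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Transcribed from the report's key listing (tab-separated columns).
KEY_INVENTORY_TSV = (
    "Key Name\tVersion\tOwner\tModified\tType\tAlgorithm\tSize\n"
    "ks-26c16fc59b66470b97e7473fad9ce9873849599865914e14bd6ef41148eac6ac\t0\tNo owner\t28 Sep 2022, 15:59\tSymmetric\tAES\t256\n"
    "ks-73db5d9b975e435dbce288450120ea51f58473483e2f4acfb6208a03b15009e2\t0\tNo owner\t28 Sep 2022, 15:57\tSymmetric\tAES\t128\n"
    "ks-08829f6b45d1452680fbbfafe7dad831e393b7913426423bbacaaf5869d03d06\t0\tNo owner\t28 Sep 2022, 15:57\tSymmetric\tAES\t128\n"
    "ks-1023550b881e4460a41f13904e41d17dfc270119272f4eb3a040a89a230726ee\t0\tNo owner\t28 Sep 2022, 15:57\tSymmetric\tAES\t128\n"
    "rbd-test-key\t0\tlocal|admin\t27 Sep 2022, 11:41\tSymmetric\tAES\t256\n"
)


@dataclass(frozen=True)
class KeyRecord:
    name: str
    owner: str
    key_type: str
    algorithm: str
    size_bits: int


def parse_inventory(tsv_text: str) -> list[KeyRecord]:
    """Parse a tab-separated key listing into KeyRecord rows.

    A tab delimiter is used deliberately: the Owner and Modified columns
    contain spaces and commas, so splitting on whitespace would break them.
    """
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [
        KeyRecord(
            name=row["Key Name"].strip(),
            owner=row["Owner"].strip(),
            key_type=row["Type"].strip(),
            algorithm=row["Algorithm"].strip(),
            size_bits=int(row["Size"].strip()),
        )
        for row in reader
    ]


def size_histogram(records: list[KeyRecord]) -> dict[tuple[str, int], int]:
    """Count keys per (algorithm, size) so a mixed inventory is visible at a glance."""
    return dict(Counter((r.algorithm, r.size_bits) for r in records))


def audit_kek_sizes(
    records: list[KeyRecord],
    managed_prefix: str = "ks-",      # assumed prefix of ODF-created keys
    expected_algorithm: str = "AES",
    min_bits: int = 256,
) -> list[str]:
    """Return one finding per managed key that is not AES with at least min_bits."""
    findings = []
    for r in records:
        if not r.name.startswith(managed_prefix):
            continue  # not one of the keys under the policy being checked
        if r.algorithm != expected_algorithm or r.size_bits < min_bits:
            findings.append(
                f"{r.name}: {r.algorithm}-{r.size_bits} "
                f"(expected {expected_algorithm}-{min_bits} or stronger)"
            )
    return findings


if __name__ == "__main__":
    records = parse_inventory(KEY_INVENTORY_TSV)
    print("inventory by algorithm/size:", size_histogram(records))
    for finding in audit_kek_sizes(records):
        print("NON-COMPLIANT", finding)
```

After the fix (Rook creating keys with a cryptographic length of 256), the same check over a fresh export should return an empty list, which makes it a simple regression test for the expected result stated above.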
