
Bug 2362686

Summary: [CephFS - FScrypt] Prompt a error/warning message during encrypt if unsupported encryption algorithm specified in fscrypt.conf file
Product: Red Hat Ceph Storage (Red Hat Storage)
Component: CephFS
Version: 8.1
Target Release: 9.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Type: Bug
Reporter: sumr
Assignee: Christopher Hoffman <choffman>
QA Contact: sumr
Docs Contact: Rivka Pollack <rpollack>
CC: ceph-eng-bugs, cephqe-warriors, choffman, gfarnum, mamohan, ngangadh, rpollack, vshankar
Fixed In Version: ceph-20.1.0-18
Doc Type: Bug Fix
Doc Text:
Unsupported encryption algorithms now return an error on CephFS
Previously, the CephFS userspace did not validate encryption algorithms when setting up `fscrypt`. Only `AES-256-XTS` and `AES-256-CTS` were supported, but if a different algorithm was requested, CephFS silently used the default supported algorithm without notifying the user. With this fix, a validation check ensures that only supported encryption algorithms are allowed when setting up `fscrypt` on CephFS. If an unsupported algorithm is supplied, the system returns an `EINVAL` error code.
Last Closed: 2026-01-29 06:55:34 UTC
Bug Blocks: 2388233

Description sumr 2025-04-28 11:15:09 UTC
Description of problem:
The supported encryption algorithms are AES_256_XTS for 'contents' and AES_256_CTS for 'filenames', which is the default setting of the fscrypt setup when https://github.com/ceph/fscrypt.git with branch wip-ceph-fuse is used.

But if the end-user tries to override the default algorithm with another supported algorithm like AES-256-HCTR2 for filenames, there is NO warning or error message during fscrypt encrypt.

This BZ is to provide an error message when an unsupported algorithm such as AES-256-HCTR2 is specified. It is unsupported for CephFS but not with fscrypt in general, so this algorithm could be used as it is the recommended pair (AES-256-XTS, AES-256-HCTR2).

Currently, since fscrypt encrypt prompts no error or warning message in this use case, after lock only the content is encrypted but not the filenames.

Version-Release number of selected component (if applicable): 19.2.1-161.el9cp

Additional info:

Logs:

[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# fscrypt status testdir2
"testdir2" is encrypted with fscrypt.

Policy:   43399fee26967bc347421fa2839ccf7b
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: No

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
3e429880957ffb16  No      custom protector "cephfs1"


[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# cat /etc/fscrypt.conf 
{
	"source": "custom_passphrase",
	"hash_costs": {
		"time": "75",
		"memory": "131072",
		"parallelism": "8",
		"truncation_fixed": true
	},
	"options": {
		"padding": "32",
		"contents": "AES_256_XTS",
		"filenames": "AES_256_HCTR2",
		"policy_version": "2"
	},
	"use_fs_keyring_for_v1_policies": false,
	"allow_cross_user_metadata": false
}

[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# mkdir testdir3
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# fscrypt encrypt testdir3
Should we create a new protector? [y/N] y
The following protector sources are available:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 2
Enter a name for the new protector: cephfs2
Enter custom passphrase for protector "cephfs2": 
Confirm passphrase: 
"testdir3" is now encrypted, unlocked, and ready for use.
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# fscrypt status testdir3
"testdir3" is encrypted with fscrypt.

Policy:   da8c7b27c062dbecb4606e8e5f41f184
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_HCTR2 policy_version:2
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
bc0a61431bd062ba  No      custom protector "cephfs2"
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# cp /var/log/messages testdir3/
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -l testdir3
total 30
-rw-------. 1 root root 30012 Apr 28 11:03 messages
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# fscrypt lock testdir3
"testdir3" is now locked.
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -l testdir3
total 30
-rw-------. 1 root root 30012 Apr 28 11:03 messages
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -l testdir3/
total 30
-rw-------. 1 root root 30012 Apr 28 11:03 messages
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# cd testdir3
[root@ceph-sumar-fscrypt-az0v8f-node6 testdir3]# ls -l
total 30
-rw-------. 1 root root 30012 Apr 28 11:03 messages
[root@ceph-sumar-fscrypt-az0v8f-node6 testdir3]# vi messages 
[root@ceph-sumar-fscrypt-az0v8f-node6 testdir3]# echo test >> messages 
-bash: messages: Input/output error
[root@ceph-sumar-fscrypt-az0v8f-node6 testdir3]#
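An added example, not Ceph's or fscrypt's own code: a Python pre-flight check that applies the rule the fix enforces (see Doc Text above) to an /etc/fscrypt.conf before running `fscrypt encrypt`, and an audit of `fscrypt status` output to find directories that were already encrypted through the old silent fallback, like testdir3 in the log. The supported algorithm set is taken from the Doc Text; the function names, the hyphen-to-underscore normalisation, and the embedded config and status samples (constructed from the ones in the description) are this example's own assumptions.

```python
"""Pre-flight validation and audit of fscrypt policies on CephFS.

Added example, not code from Ceph or fscrypt. It mirrors the check the fix
adds in the CephFS userspace: only AES_256_XTS (contents) and AES_256_CTS
(filenames) are honoured; any other mode must be rejected with EINVAL rather
than silently replaced by the default.
"""
import errno
import json
import re

# Modes the CephFS userspace honours, from the bug's Doc Text. fscrypt.conf and
# `fscrypt status` spell them with underscores.
CEPHFS_SUPPORTED = {
    "contents": {"AES_256_XTS"},
    "filenames": {"AES_256_CTS"},
}


def _normalise(algo):
    # Assumption of this example: accept the hyphenated spelling used in prose
    # (AES-256-XTS) as equivalent to the underscore spelling in fscrypt.conf.
    return algo.replace("-", "_")


def validate_options(options):
    """Return (0, "") if every mode is supported on CephFS, otherwise
    (errno.EINVAL, reason). Like the fix, the first unsupported mode fails the
    whole request instead of being replaced by the default."""
    for mode in ("contents", "filenames"):
        algo = options.get(mode)
        if algo is None:
            continue  # fscrypt fills in its own default for a missing key
        if _normalise(algo) not in CEPHFS_SUPPORTED[mode]:
            allowed = ", ".join(sorted(CEPHFS_SUPPORTED[mode]))
            return errno.EINVAL, (
                f"{mode}:{algo} is not supported on CephFS (supported: {allowed})"
            )
    return 0, ""


def check_fscrypt_conf(text):
    """Parse an /etc/fscrypt.conf document and validate its "options" block."""
    conf = json.loads(text)
    return validate_options(conf.get("options", {}))


_OPTIONS_RE = re.compile(r"^Options:\s+(.*)$", re.MULTILINE)


def parse_status_options(text):
    """Turn the Options line of `fscrypt status <dir>` into a dict, e.g.
    {"padding": "32", "contents": "AES_256_XTS", "filenames": "AES_256_CTS", ...}."""
    m = _OPTIONS_RE.search(text)
    if not m:
        raise ValueError("no Options: line in fscrypt status output")
    return dict(item.split(":", 1) for item in m.group(1).split())


def audit_status(text):
    """Validate the policy an existing directory reports via `fscrypt status`.
    A directory whose policy names an unsupported filenames mode was encrypted
    through the old silent fallback: its filenames are not actually encrypted."""
    return validate_options(parse_status_options(text))


# Constructed sample: the options block from the /etc/fscrypt.conf in the report.
SAMPLE_CONF = """{
  "source": "custom_passphrase",
  "options": {"padding": "32", "contents": "AES_256_XTS",
              "filenames": "AES_256_HCTR2", "policy_version": "2"}
}"""

# Constructed samples of `fscrypt status` output for the two directories.
SAMPLE_STATUS_OK = """"testdir2" is encrypted with fscrypt.

Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: No
"""
SAMPLE_STATUS_BAD = """"testdir3" is encrypted with fscrypt.

Options:  padding:32 contents:AES_256_XTS filenames:AES_256_HCTR2 policy_version:2
Unlocked: Yes
"""

if __name__ == "__main__":
    for label, result in (
        ("fscrypt.conf", check_fscrypt_conf(SAMPLE_CONF)),
        ("testdir2", audit_status(SAMPLE_STATUS_OK)),
        ("testdir3", audit_status(SAMPLE_STATUS_BAD)),
    ):
        code, reason = result
        print(f"{label}: {'ok' if code == 0 else f'EINVAL ({code}): {reason}'}")
```

Run the check before `fscrypt encrypt` on a ceph-fuse mount, and run the audit over `fscrypt status` for every encrypted directory created before ceph-20.1.0-18: a non-zero result means the directory was set up with a policy CephFS did not honour, so its filenames are stored in the clear even though `fscrypt status` reports AES_256_HCTR2.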

Comment 12 errata-xmlrpc 2026-01-29 06:55:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536