Comment 3 for bug 1633518

Lee Yarwood (lyarwood) wrote :

I've been asked to document a manual attempt at verifying the current workaround for LuksEncryptor :

- Using a fixed key of 010203040506 (123456 when mangled) :

$ grep fixed_key ../logs/n-cpu.log
2016-11-10 08:22:44.334 DEBUG oslo_service.service [req-09c9dd4c-ca17-48fb-99b7-21211241e84e None None] key_manager.fixed_key = 010203040506 from (pid=15466) log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2689

- Create a LUKS volume-type and create a single bootable volume :

$ cinder type-create LUKS
$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
$ cinder create --volume-type LUKS 1
$ cinder set-bootable c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 true

- Boot from the volume to ensure it is formatted by Nova :

$ nova boot --boot-volume c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 --flavor 1 test
$ nova delete test

- Remove the correct passphrase and replace it with the mangled version used prior to Newton to trigger the workaround :

$ sudo cryptsetup luksAddKey /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Enter any existing passphrase: 010203040506
Enter new passphrase for key slot: 123456
Verify passphrase: 123456
$ sudo cryptsetup luksRemoveKey /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Enter passphrase to be deleted: 010203040506
$ sudo cryptsetup luksDump /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
LUKS header information for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 04 09 bc a9 cb ab fc 3f 65 b2 dd e5 a8 2d 32 b4 37 ec b9 80
MK salt: 39 13 31 5a ab 1e ce 63 5e 96 bb d4 26 7d 19 a4
                8c 6a 39 79 1a c5 60 3c 2f 16 a2 a4 36 cb 23 64
MK iterations: 100500
UUID: a3b047cf-4a6a-46bb-bf2c-c38ea7c16fc3

Key Slot 0: DISABLED
Key Slot 1: ENABLED
        Iterations: 872230
        Salt: ea c6 19 21 ed 45 ce ce 96 51 08 90 a6 b0 e2 7e
                                dc 5a 94 f9 c6 f8 d8 90 d2 38 79 fa 21 f0 b7 e0
        Key material offset: 512
        AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

- Boot an instance again using the volume :

$ nova boot --boot-volume c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 --flavor 1 test
$ nova delete test

- Reviewing n-cpu.log we can see the WARNING marker highlighting that we are going to attempt to use a mangled passphrase :

n-cpu.log

5123 2016-11-10 08:36:10.666 WARNING nova.volume.encryptors.luks [req-ae0c9bce-54fd-4691-939d-d68808bc81bb admin admin] /dev/sdb is not usable with the current passphrase, attempting to use a mangled passphrase to open the volume.
[..]
5143 2016-11-10 08:36:28.919 DEBUG nova.volume.encryptors.luks [req-ae0c9bce-54fd-4691-939d-d68808bc81bb admin admin] /dev/sdb mangled passphrase successfully replaced from (pid=15466) _unmangle_volume

- Reviewing the volume there's still only one slot used and we are now able to open the device with the correct passphrase of 010203040506 :

$ sudo cryptsetup luksDump /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
LUKS header information for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 04 09 bc a9 cb ab fc 3f 65 b2 dd e5 a8 2d 32 b4 37 ec b9 80
MK salt: 39 13 31 5a ab 1e ce 63 5e 96 bb d4 26 7d 19 a4
                8c 6a 39 79 1a c5 60 3c 2f 16 a2 a4 36 cb 23 64
MK iterations: 100500
UUID: a3b047cf-4a6a-46bb-bf2c-c38ea7c16fc3

Key Slot 0: ENABLED
        Iterations: 876710
        Salt: e6 e5 9d 7f d3 71 6c 3a af cb 7e 4f 30 06 2a 5e
                                fd d2 17 69 eb a9 2a fe 25 ee a5 0e 1c 56 1a 2e
        Key material offset: 8
        AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
$ sudo cryptsetup luksOpen /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6 test
Enter passphrase for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6: 010203040506
$ lsblk /dev/mapper/test
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
test 253:6 0 1022M 0 crypt
$ sudo cryptsetup luksClose /dev/mapper/test
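
Added example, not part of the original comment and not Nova's code: a Python check of the two things the procedure above verifies by hand, namely which passphrase a mangled key turns into and that only one key slot is enabled before and after the workaround. The mangling rule (each key byte written as hex without zero padding) is an assumption that matches the 010203040506 / 123456 pair in the comment; the function names and the luksDump excerpts built by `dump()` are constructed for illustration.

```python
import re

def mangle(key_hex):
    # Assumed rule: every key byte is written as hex without zero padding,
    # so 0x01 becomes "1" instead of "01".
    return "".join(format(b, "x") for b in bytes.fromhex(key_hex))

def is_affected(key_hex):
    # Only keys containing a byte below 0x10 mangle to a different passphrase.
    return mangle(key_hex) != key_hex.lower()

SLOT_RE = re.compile(r"^Key Slot (\d): (ENABLED|DISABLED)[ \t]*$", re.M)

def enabled_slots(luks_dump):
    # Slot numbers that "cryptsetup luksDump" reports as ENABLED.
    return [int(n) for n, state in SLOT_RE.findall(luks_dump) if state == "ENABLED"]

def workaround_left_one_key(before, after):
    # One slot before (the mangled key) and one after (the replacement):
    # a second enabled slot afterwards would mean the mangled key was kept.
    return len(enabled_slots(before)) == 1 and len(enabled_slots(after)) == 1

def dump(enabled):
    # Constructed luksDump excerpt with the given slots enabled.
    lines = []
    for n in range(8):
        if n in enabled:
            lines += [f"Key Slot {n}: ENABLED", "\tIterations: 872230"]
        else:
            lines.append(f"Key Slot {n}: DISABLED")
    return "\n".join(lines)

BEFORE = dump({1})      # slot state in the first luksDump of the comment
AFTER = dump({0})       # slot state in the second luksDump
STALE = dump({0, 1})    # constructed failure case: mangled key still present

if __name__ == "__main__":
    print(mangle("010203040506"), is_affected("010203040506"))
    print(enabled_slots(BEFORE), enabled_slots(AFTER))
    print(workaround_left_one_key(BEFORE, AFTER), workaround_left_one_key(BEFORE, STALE))
```

The slot count only shows that no stale key was left behind; which passphrase opens the volume still has to be confirmed with luksOpen, as in the last step of the comment.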