Cinder

Remove the 512 bit key option for aes-xts-plain64 encrypted volumes

Bug #1849196 reported by Keith Berger on 2019-10-21

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Cinder	New	Undecided	Keith Berger
	OpenStack Dashboard (Horizon)	Fix Released	Undecided	Unassigned

Bug Description

The Key size listed for Encrpyted volumes using aes-xts-plain64 is not correct. If you use 512, you will get an error about an unsupported key size. This has to do with how barbican receives the key information from cinder.

https://github.com/openstack/cinder/blob/master/cinder/volume/volume_utils.py#L919

does not pass a "mode" so this block

https://github.com/openstack/barbican/blob/stable/rocky/barbican/plugin/crypto/simple_crypto.py#L222

evaluates to 512 and this is not present in this list

https://github.com/openstack/barbican/blob/stable/rocky/barbican/plugin/crypto/base.py#L64

The following docs needs updated to only reflect a 256 bit key.

https://docs.openstack.org/horizon/train/admin/manage-volumes.html
https://docs.openstack.org/horizon/stein/admin/manage-volumes.html
https://docs.openstack.org/horizon/rocky/admin/manage-volumes.html
https://docs.openstack.org/horizon/queens/admin/manage-volumes.html

Also the text needs to be updated.

Key Size (bits)

512 (Recommended for aes-xts-plain64. 256 should be used for aes-cbc-essiv)
Using this selection for aes-xts, the underlying key size would only be 256-bits*

256 Using this selection for aes-xts, the underlying key size would only be 128-bits*

Tags:

Keith Berger (keith-berger) on 2019-10-21

Changed in cinder:
assignee:	nobody → Keith Berger (keith-berger)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-22: Fix merged to horizon (master)

Reviewed: https://review.opendev.org/689871
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=85a1dddf126691921924edcecaee5c054c7df6c2
Submitter: Zuul
Branch: master

commit 85a1dddf126691921924edcecaee5c054c7df6c2
Author: Keith Berger <email address hidden>
Date: Mon Oct 21 16:20:51 2019 -0400

Fix aes-xts key length in Horizon Admin Guide / Manage Volumes

    When using aes-xts-plain64, a 512 bit key produces an error as this
    is not a supported barbican key length for aes-xts-plain64. This patch
    updates the horzion admin doc to remove the reference of a 512 bit key.

    Change-Id: Ie36e05a1e59eb88b779c9f3249a714c20b5f5fe0
    Closes-Bug: #1708505
    Closes-Bug: #1849196

Changed in horizon:
status:	New → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-22: Fix proposed to horizon (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/690088

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-22: Fix proposed to horizon (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/690089

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-22: Fix proposed to horizon (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/690090

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-23: Fix merged to horizon (stable/train)

Reviewed: https://review.opendev.org/690088
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=524093e3e30cc8f64aecebedb51704584401087d
Submitter: Zuul
Branch: stable/train

commit 524093e3e30cc8f64aecebedb51704584401087d
Author: Keith Berger <email address hidden>
Date: Mon Oct 21 16:20:51 2019 -0400

Fix aes-xts key length in Horizon Admin Guide / Manage Volumes

    Change-Id: Ie36e05a1e59eb88b779c9f3249a714c20b5f5fe0
    Closes-Bug: #1708505
    Closes-Bug: #1849196
    (cherry picked from commit 85a1dddf126691921924edcecaee5c054c7df6c2)

tags:

added: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-24: Fix merged to horizon (stable/stein)

Reviewed: https://review.opendev.org/690089
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=123a9e73a29cd820c64b9214f6173c849228543e
Submitter: Zuul
Branch: stable/stein

commit 123a9e73a29cd820c64b9214f6173c849228543e
Author: Keith Berger <email address hidden>
Date: Mon Oct 21 16:20:51 2019 -0400

Fix aes-xts key length in Horizon Admin Guide / Manage Volumes

    Change-Id: Ie36e05a1e59eb88b779c9f3249a714c20b5f5fe0
    Closes-Bug: #1708505
    Closes-Bug: #1849196
    (cherry picked from commit 85a1dddf126691921924edcecaee5c054c7df6c2)

tags:

added: in-stable-stein

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-25: Fix merged to horizon (stable/rocky)

Reviewed: https://review.opendev.org/690090
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=8af8bc48a58fc9a2e45a89a24069f7cae0af8235
Submitter: Zuul
Branch: stable/rocky

commit 8af8bc48a58fc9a2e45a89a24069f7cae0af8235
Author: Keith Berger <email address hidden>
Date: Mon Oct 21 16:20:51 2019 -0400

Fix aes-xts key length in Horizon Admin Guide / Manage Volumes

    Change-Id: Ie36e05a1e59eb88b779c9f3249a714c20b5f5fe0
    Closes-Bug: #1708505
    Closes-Bug: #1849196
    (cherry picked from commit 85a1dddf126691921924edcecaee5c054c7df6c2)