I've been asked to document a manual attempt at verifying the current workaround for LuksEncryptor :
- Using a fixed key of 010203040506 (123456 when mangled) :
$ grep fixed_key ../logs/n-cpu.log
2016-11-10 08:22:44.334 DEBUG oslo_service.service [req-09c9dd4c-ca17-48fb-99b7-21211241e84e None None] key_manager.fixed_key = 010203040506 from (pid=15466) log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2689
- Create a LUKS volume-type and create a single bootable volume :
$ cinder type-create LUKS
$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
$ cinder create --volume-type LUKS 1
$ cinder set-bootable c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 true
- Boot from the volume to ensure it is formatted by Nova :
$ nova boot --boot-volume c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 --flavor 1 test
$ nova delete test
- Remove the correct passphrase and replace it with the mangled version used prior to Newton to trigger the workaround :
$ sudo cryptsetup luksAddKey /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Enter any existing passphrase: 010203040506
Enter new passphrase for key slot: 123456
Verify passphrase: 123456
$ sudo cryptsetup luksRemoveKey /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Enter passphrase to be deleted: 010203040506
$ sudo cryptsetup luksDump /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
LUKS header information for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 04 09 bc a9 cb ab fc 3f 65 b2 dd e5 a8 2d 32 b4 37 ec b9 80
MK salt: 39 13 31 5a ab 1e ce 63 5e 96 bb d4 26 7d 19 a4
8c 6a 39 79 1a c5 60 3c 2f 16 a2 a4 36 cb 23 64
MK iterations: 100500
UUID: a3b047cf-4a6a-46bb-bf2c-c38ea7c16fc3
Key Slot 0: DISABLED
Key Slot 1: ENABLED
Iterations: 872230
Salt: ea c6 19 21 ed 45 ce ce 96 51 08 90 a6 b0 e2 7e
dc 5a 94 f9 c6 f8 d8 90 d2 38 79 fa 21 f0 b7 e0
Key material offset: 512
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
- Boot an instance again using the volume :
$ nova boot --boot-volume c93a9d66-08d7-4ad0-babb-87a2c6fe5cf6 --flavor 1 test
$ nova delete test
- Reviewing n-cpu.log we can see the WARNING marker highlighting that we are going to attempt to use a mangled passphrase :
n-cpu.log
5123 2016-11-10 08:36:10.666 WARNING nova.volume.encryptors.luks [req-ae0c9bce-54fd-4691-939d-d68808bc81bb admin admin] /dev/sdb is not usable with the current passphrase, attempting to use a mangled passphrase to open the volume.
[..]
5143 2016-11-10 08:36:28.919 DEBUG nova.volume.encryptors.luks [req-ae0c9bce-54fd-4691-939d-d68808bc81bb admin admin] /dev/sdb mangled passphrase successfully replaced from (pid=15466) _unmangle_volume
- Reviewing the volume there's still only one slot used and we are now able to open the device with the correct passphrase of 010203040506 :
$ sudo cryptsetup luksDump /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
LUKS header information for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 04 09 bc a9 cb ab fc 3f 65 b2 dd e5 a8 2d 32 b4 37 ec b9 80
MK salt: 39 13 31 5a ab 1e ce 63 5e 96 bb d4 26 7d 19 a4
8c 6a 39 79 1a c5 60 3c 2f 16 a2 a4 36 cb 23 64
MK iterations: 100500
UUID: a3b047cf-4a6a-46bb-bf2c-c38ea7c16fc3
Key Slot 0: ENABLED
Iterations: 876710
Salt: e6 e5 9d 7f d3 71 6c 3a af cb 7e 4f 30 06 2a 5e
fd d2 17 69 eb a9 2a fe 25 ee a5 0e 1c 56 1a 2e
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
$ sudo cryptsetup luksOpen /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6 test
Enter passphrase for /dev/mapper/stack--volumes--lvmdriver--1-volume--c93a9d66--08d7--4ad0--babb--87a2c6fe5cf6: 010203040506
$ lsblk /dev/mapper/test
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
test 253:6 0 1022M 0 crypt
$ sudo cryptsetup luksClose /dev/mapper/test
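
The slot movement seen in the two luksDump outputs above (slot 1 enabled before the second boot, slot 0 enabled after it), modelled as an added Python example that is not part of the original comment and is not Nova's code. The per-byte hex() form of the mangled passphrase, the add-then-remove order and the ToyLuksHeader class are assumptions chosen to match the passphrases and slot numbers shown above.

```python
import binascii

def correct_passphrase(key: bytes) -> str:
    # Two hex digits per key byte.
    return binascii.hexlify(key).decode()

def mangled_passphrase(key: bytes) -> str:
    # Assumed pre-Newton form: hex() per byte, which drops the leading zero
    # of any byte below 0x10 (so 0x01 becomes "1", not "01").
    return "".join(hex(b).replace("0x", "") for b in key)

class ToyLuksHeader:
    """Hypothetical in-memory model of the eight LUKS1 key slots (no crypto)."""
    def __init__(self):
        self.slots = [None] * 8

    def add_key(self, passphrase: str) -> int:
        free = self.slots.index(None)  # luksAddKey takes the first free slot
        self.slots[free] = passphrase
        return free

    def remove_key(self, passphrase: str) -> None:
        self.slots[self.slots.index(passphrase)] = None

    def enabled(self) -> list:
        return [i for i, p in enumerate(self.slots) if p is not None]

def open_with_workaround(header: ToyLuksHeader, key: bytes) -> str:
    good, bad = correct_passphrase(key), mangled_passphrase(key)
    if good in header.slots:
        return "opened"
    if bad not in header.slots:
        raise ValueError("neither passphrase opens the volume")
    header.add_key(good)    # add the correct passphrase first ...
    header.remove_key(bad)  # ... then remove the mangled one
    return "unmangled"

def reproduce_page_state():
    key = binascii.unhexlify("010203040506")    # fixed_key from the page
    header = ToyLuksHeader()
    header.add_key(correct_passphrase(key))     # volume as formatted: slot 0
    header.add_key(mangled_passphrase(key))     # luksAddKey 123456: slot 1
    header.remove_key(correct_passphrase(key))  # luksRemoveKey: slot 0 freed
    before = header.enabled()
    return before, open_with_workaround(header, key), header.enabled()

if __name__ == "__main__":
    print(reproduce_page_state())  # slot 1 before, slot 0 after
    # Different keys can share one mangled passphrase:
    print(mangled_passphrase(b"\x01\x23"), mangled_passphrase(b"\x12\x03"))
```

Because the correct passphrase is added before the mangled one is removed, the volume never passes through a state with no usable key slot.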