'CryptsetupEncryptor' will silently enable corrupt data read if cryptsetup defaults change

Bug #1639221 reported by Daniel Berrange on 2016-11-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Unassigned
os-brick
Undecided
Unassigned

Bug Description

The CryptsetupEncryptor impl for volume encryption uses the cryptsetup 'plain' mode for encrypting the volumes.

When opening a volume it treats cipher and key_size as optional parameters:

        cipher = kwargs.get("cipher", None)
        if cipher is not None:
            cmd.extend(["--cipher", cipher])

        key_size = kwargs.get("key_size", None)
        if key_size is not None:
            cmd.extend(["--key-size", key_size])

as a result if those are not provided by the cinder API user, then it will rely on the cryptsetup command's default settings. The cryptsetup defaults are subject to change at the time it is built. If these settings ever change, then Nova will be opening the volume with different settings those used when first encrypted. Because the 'plain' volume type has no metadata, you can't detect this change in settings - you'll just silently be reading garbage data.

At the very least Nova should hardcode the defaults in its source to guarantee that they can never silently change under its feet, causing this corrupt data volume.

More generally though I think this impl should just be deleted and everyone should use LUKS which is a better design wrt secure key management.

Lee Yarwood (lyarwood) wrote :

I've sent the following out to the operators list to quickly see who is using CryptsetupEncryptor and why....

http://lists.openstack.org/pipermail/openstack-operators/2016-November/011985.html

Changed in nova:
status: New → Confirmed
assignee: nobody → Lee Yarwood (lyarwood)
importance: Undecided → Medium
Lee Yarwood (lyarwood) on 2016-11-08
Changed in os-brick:
assignee: nobody → Lee Yarwood (lyarwood)
status: New → Confirmed
Sean Dague (sdague) on 2017-06-23
Changed in nova:
assignee: Lee Yarwood (lyarwood) → nobody

Unassigning due to no activity for > 6 months.

Changed in os-brick:
assignee: Lee Yarwood (lyarwood) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers