I followed the steps on an LPAR that has an active crypto domain with a master key set, using FCP multipath disk storage.
I did two installations (using Impish), one for each of the MPs, and the results are the same.
The LUKS installations complete and I can boot into the OS afterwards.
However, in both cases a normal (fallback) LUKS installation is done and 'aes-xts-plain64' is used instead of 'paes-xts-plain64'.
$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
cipher: aes-xts-plain64
Wanting to be sure, I checked the master key using the commands from the CCA proprietary package:
/opt/IBM/CCA/bin/panel.exe -mk-query --mktype=AES --mkregister=CURRENT
Preparing to QUERY master key verification pattern
Query of Key Verification Pattern for Master key [AES-MK ] [KEY-KM ] returned:
RND[0000000000000000]
VER[E113AC74BB40CCA1]
as well as using zkey:
# sudo zkey generate --xts --name key-for-verification
# sudo zkey list
Key : key-for-verification
-------------------------------------------------------------------------------------
Description :
Secure key size : 128 bytes
Clear key size : 512 bits
XTS type key : Yes
Key type : CCA-AESDATA
Volumes : (none)
APQNs : (none)
Key file name : /etc/zkey/repository/key-for-verification.skey
Sector size : (system default)
Volume type : LUKS2
Verification pattern : 1d6f7ea0dfebdd8b65f0970e573522fd
                       85ebee9ee93ca80cc87dc020aa1eb309
Created : 2021-08-03 06:38:28
Changed : (never)
Re-enciphered : (never)
and both looked fine.
To be sure, I re-did the same installation using a single DASD with LVM instead and this worked and resulted in the use of 'paes-xts-plain64':
$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
cipher: paes-xts-plain64
This shows that an installation using zkey is generally possible, but that there seems to be another issue in the multipath code path that does not properly trigger the zkey usage (like with DASDs).
[I've attached a zip containing two files with the detailed steps that I followed.]
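The cipher check used in the comment above, as an added example that is not part of the original report: a script that checks every /etc/crypttab mapping and flags any that fell back to 'aes-xts-plain64' instead of 'paes-xts-plain64'. The function names and the STATUS_CMD override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original report. Function names and the
# STATUS_CMD variable are hypothetical.

# Print the mapping names from a crypttab file, skipping comments and
# blank lines (a bare awk '{ print $1 }' would pass those on as names).
crypttab_names() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "${1:-/etc/crypttab}"
}

# Read `cryptsetup status` output on stdin and classify its cipher line.
# paes-* is the cipher the report expects from a zkey-based install;
# aes-* is the fallback the report observed on multipath.
classify_cipher() {
    cipher=$(awk '$1 == "cipher:" { print $2; exit }')
    case "$cipher" in
        paes-*) echo "protected-key $cipher" ;;
        aes-*)  echo "clear-key $cipher" ;;
        "")     echo "unknown -" ;;          # inactive mapping or no cipher line
        *)      echo "other $cipher" ;;
    esac
}

# Check every mapping in the crypttab; return non-zero if any mapping is
# not using a paes cipher. STATUS_CMD can be overridden so the logic can
# be exercised without root or a real dm-crypt device.
audit_crypttab() {
    rc=0
    for name in $(crypttab_names "$1"); do
        result=$(${STATUS_CMD:-cryptsetup status} "$name" 2>/dev/null | classify_cipher)
        echo "$name: $result"
        case "$result" in
            protected-key*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit only when asked to, e.g.: sudo sh check-paes.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_crypttab
    exit $?
fi
```

A non-zero exit status means at least one volume is not on a paes cipher, which makes the script usable as a post-install check.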