© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
I followed the steps on an LPAR that has an active crypto domain with a master key set, using FCP multipath disk storage.
I did two installations (using Impish), one for each of the MPs, and the results are the same.
The LUKS installations complete and I can boot into the OS afterwards.
However, in both cases a normal (fallback) LUKS installation is done and 'aes-xts-plain64' is used instead of 'paes-xts-plain64'.
$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
cipher: aes-xts-plain64
Wanting to be sure I checked the master key using the commands from the CCA proprietary package:
/opt/IBM/
Preparing to QUERY master key verification pattern
Query of Key Verification Pattern for Master key [AES-MK ] [KEY-KM ] returned:
RND[00000000000
VER[E113AC74BB4
as well as using zkey:
# sudo zkey generate --xts --name key-for-
# sudo zkey list
Key : key-for-
-------
Description :
Secure key size : 128 bytes
Clear key size : 512 bits
XTS type key : Yes
Key type : CCA-AESDATA
Volumes : (none)
APQNs : (none)
Key file name : /etc/zkey/
Sector size : (system default)
Volume type : LUKS2
Created : 2021-08-03 06:38:28
Changed : (never)
and both looked fine.
To be sure I re-did the same installation using a single DASD with LVM instead and this worked and resulted in the use of 'paes-xts-plain64':
$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
cipher: paes-xts-plain64
This shows that an installation using zkey is generally possible, but that there seems to be another issue in the multipath code path that does not properly trigger the zkey usage (like with DASDs).
[I've attached a zip containing two files with the detailed steps that I followed.]