[openstack-dev] encrypted volume snapshot question

Nate Reller rellerreller at yahoo.com
Tue Mar 26 21:55:22 UTC 2013


I do not think decryption and re-encryption will be necessary. I will do my
best to describe why via email.

The image file is used to setup a loop device, which looks like a normal block
device. The loop device size is limited to the size of the file backing the
loop device. It maps its idea of sectors to locations in the file backing the
device. Hence sector 0 will be bytes (0, 511) in the file backing the device.
Where those bytes are on the physical disk are unknown.

Normal block device functions are used to read and write data from a loop 
device.  Hence in Linux this will be a request call. This will tell the block
device where to write the data. For example a call could be made to write data 
to the first sector. The first sector is relative to the loop device and not
the physical device.  Therefore data written to the first sector of the loop 
device will be to the first 512 bytes of the file backing the loop device.

Now when dm-crypt is used I believe it is setup as another block device that 
sits above the block device to be encrypted. It will simply encrypt the data 
before it is sends the request call down to the lower level driver. Consider
the example write above again. Now the dm-crypt block device will receive a
request to write to the first sector. It will encrypt the data using the sector
number as the IV, and then call the lower block device using the same 
parameters (i.e. send this data to the first sector). The bytes will then be
written to the first sector of the loop device, which is the first 512 bytes of
the file backing the device, and who knows where on the physical device.

Since the physical sector is not used in the encryption then I do not see why
the disk would need to be decrypted and then re-encrypted. You could test this 
by creating a file backed loop device, putting dm-crypt on top, writing data to
it, unmounting it all, copying the file, putting dm-crypt on top, and reading
the data from it.

I must point out that I am no Linux kernel guru. I only have a very limited
experience. Let me know if this makes sense or not. 

-Nate

> Greetings Nate, Caitlin!
> 
> With volume snapshots, if a second physical copy is to be made, and an
> algorithm such as
> AES-XTS is used, how can one escape "decryption followed by re-encryption" give 
> than AES-XTS
> uses the sector address to generate the tweaks for encrypting each sector.
> 
> Regards
> Malini
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130326/39bbd190/attachment.html>


More information about the OpenStack-dev mailing list