[Openstack-security] [Bug 1372375] Re: Attaching LVM encrypted volumes (with LUKS) could cause data loss if LUKS headers get corrupted

Joel Coffman 1372375 at bugs.launchpad.net
Thu Sep 25 15:00:24 UTC 2014 

The question here is really what should happen if the LUKS header become
corrupted for some reason.

Implicit to that question is the assumption that the header could be
corrupted without also impacting the integrity of the data stored in the
volume. While it's probably possible, my inclination is that corrupting
the header would also likely corrupt other portions of the volume in
which case the user would probably want to restore the volume from a
backup. (See patch to support backups of encrypted volumes:
https://review.openstack.org/#/c/74532/)

Regarding the use of luksHeaderBackup and luksHeaderRestore, where do
you propose storing the backup header file? Would a backup of the whole
volume (see above) be sufficient in your opinion, or is there a specific
need to backup only the header?

Finally, the decision to format the device in Nova instead of Cinder was
intentional: because Cinder never has access to the encryption key (it
merely requests the creation of an encryption key), only the compute
host must be trusted. That is, the current flow limits trust among the
various services in OpenStack. (I do not argue that flow could be
different, but there are security trade-offs that should be considered
with such a change.)

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372375

Title:
  Attaching LVM encrypted volumes (with LUKS) could cause data loss if
  LUKS headers get corrupted

Status in Cinder:
  New
Status in OpenStack Compute (Nova):
  Incomplete
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  I have doubts about the flow of the volume attaching operation, as
  defined in /usr/lib/python2.6/site-
  packages/nova/volume/encryptors/luks.py.

  If the device is not recognized to be a valid luks device, the script is luks formatting it! So if for some reason the luks header get corrupted, it erases the whole data.
  To manage corrupted headers there are the 

      cryptsetup luksHeaderBackup

  and

      cryptsetup luksHeaderRestore

  commands that respectively do the backup and the restore of the
  headers.

  I think that the process has to be reviewed, and the luksFormat
  operation has to be performed during the volume creation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372375/+subscriptions

More information about the Openstack-security mailing list