[Openstack-security] [Bug 1372375] Re: Attaching LVM encrypted volumes (with LUKS) could cause data loss if LUKS headers get corrupted

Joel Coffman 1372375 at bugs.launchpad.net
Mon Apr 6 14:45:50 UTC 2015 

> [...] how would we like to see the info passed to Cinder to indicate
that the Volume has been formatted to set the proposed flag?

Perhaps something could be added to the VolumeEncryptionMetadata API
extension to support toggling the flag when the volume is formatted. Not
sure how much would be gained from this approval since it potentially
would create a way to (maliciously) trigger reformatting the volume --
maybe it would be write-once so it can only be set (i.e., formatted =
True).

> It is crazy to luks format a volume because I am not able to mount it,
and it is crazy to suppose that if I am not able to mount a volume, then
it's the first time I am mounting it.

You could use the cryptsetup encryptor instead of LUKS, as raw
cryptsetup does not format the volume at all.

> Also, is anybody interested enough to work on this?

I'm willing to look into this issue since I'm responsible for the
original feature, but it's pretty much at the bottom of my priority
list.

I also stand by my original comment on this bug report. We're talking
about a situation where 1) the LUKS header is corrupted, 2) the
(encrypted) volume "data" is not corrupted, and 3) the user doesn't have
backups or snapshots of the volume. Perhaps someone from the Cinder core
team will correct me, but I'd guess that Cinder's backends try to avoid
data corruption, but it remains the user's responsibility to have
snapshots or backups of the volume in case corruption occurs. If so,
we're talking about a very specific situation where changing the
existing behavior would be beneficial.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372375

Title:
  Attaching LVM encrypted volumes (with LUKS) could cause data loss if
  LUKS headers get corrupted

Status in Cinder:
  New
Status in OpenStack Compute (Nova):
  Invalid
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  I have doubts about the flow of the volume attaching operation, as
  defined in /usr/lib/python2.6/site-
  packages/nova/volume/encryptors/luks.py.

  If the device is not recognized to be a valid luks device, the script is luks formatting it! So if for some reason the luks header get corrupted, it erases the whole data.
  To manage corrupted headers there are the 

      cryptsetup luksHeaderBackup

  and

      cryptsetup luksHeaderRestore

  commands that respectively do the backup and the restore of the
  headers.

  I think that the process has to be reviewed, and the luksFormat
  operation has to be performed during the volume creation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372375/+subscriptions

More information about the Openstack-security mailing list