**Description:**
As an admin, you want to decrypt a volume that is attached to a compute node and check that your Barbican secret key is correct (for example, a customer says that the Barbican secret key doesn't work). This procedure describes a simple way to test it.
**Starting point:**
The volume is encrypted and attached to an instance (the instance has to be shut down for the qemu commands to work). Our volume ID is: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3
**Procedure:**
Log in to a compute node that is hosting your instance. List volumes attached to your instance:
```
[TEST]root@comp-09:/home/jwasilewski# virsh domblklist ec9081e4-e1e4-40a2-bf8c-c87c14b79d5a
Target Source
------------------------------------------------
vda /dev/dm-29
vdb /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
```
In our case the vdb volume is the encrypted one. We can check this with the qemu-img command:
```
[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
image: /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
file format: luks
virtual size: 20G (21472739328 bytes)
disk size: 0
encrypted: yes
Format specific information:
ivgen alg: plain64
hash alg: sha256
cipher alg: aes-256
uuid: 009f60f7-e871-4eac-88da-b274e80eb247
cipher mode: xts
slots:
[0]:
active: true
iters: 900838
key offset: 4096
stripes: 4000
[1]:
active: false
key offset: 262144
[2]:
active: false
key offset: 520192
[3]:
active: false
key offset: 778240
[4]:
active: false
key offset: 1036288
[5]:
active: false
key offset: 1294336
[6]:
active: false
key offset: 1552384
[7]:
active: false
key offset: 1810432
payload offset: 2097152
master key iters: 56302
```
We would like to decrypt the volume. To do that, we need to retrieve from Barbican the symmetric key that is allocated to this volume. First we need to find the secret store associated with our volume, so we log in to the OpenStack database and execute:
```
mysql> select * from volumes where id = 'ca8da832-a88d-4f91-ab2d-2bd3efbca4a3'\G
*************************** 1. row ***************************
created_at: 2021-02-12 13:41:40
updated_at: 2021-02-17 12:33:34
deleted_at: NULL
deleted: 0
id: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3
ec2_id: NULL
user_id: wfoij24f0sdfs0934nkl
project_id: 234sfds90klfgd093n
host: cinder-01@huawei_backend#StoragePool001
size: 20
availability_zone: nova
status: in-use
attach_status: attached
scheduled_at: 2021-02-12 13:41:40
launched_at: 2021-02-12 13:41:42
terminated_at: NULL
display_name: encrypted-volume
display_description:
provider_location: {"huawei_sn": "2102352VVA10L2000001", "huawei_lun_id": "14985", "huawei_lun_wwn": "6e00084100ee7e7e7fe79b5900003a89"}
provider_auth: NULL
snapshot_id: NULL
volume_type_id: 3129bdc2-6162-4729-9eab-d0c97db2335a
source_volid: NULL
bootable: 0
provider_geometry: NULL
_name_id: NULL
encryption_key_id: b13d2017-e3e5-4f5f-a836-918ec130dc0a
migration_status: NULL
replication_status: disabled
replication_extended_status: NULL
replication_driver_data: NULL
consistencygroup_id: NULL
provider_id: NULL
multiattach: 0
previous_status: NULL
cluster_name: NULL
group_id: NULL
service_uuid: 674de52f-1c9a-402f-88c9-6b79c91a4249
shared_targets: 1
1 row in set (0.00 sec)
```
So encryption_key_id is the value that we were looking for.
Then we can simply get our secret store:
```
[TEST]root@zabbix-1:~# openstack secret get http://controller.tc.tester-pl.pl:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a
+---------------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------------+----------------------------------------------------------------------------------------+
| Secret href | http://controller.tc.tester-pl.pl:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a |
| Name | None |
| Created | 2021-02-12T13:41:39+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 512 |
| Secret type | symmetric |
| Mode | None |
| Expiration | None |
+---------------+----------------------------------------------------------------------------------------+
```
And of course the encryption key itself, with the following command (we will save it to the file **my_symmetric_key.key**):
```
barbican secret get --payload_content_type application/octet-stream http://controller.tester-pl.pl:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a --file my_symmetric_key.key
```
We then need to convert the symmetric key into a passphrase:
```
[TEST]root@barbican-01:/var/log/barbican# hexdump -e '16/1 "%02x"' my_symmetric_key.key
```
The output is our LUKS passphrase. We can go to our compute node and decrypt the volume:
```
[TEST]root@comp-09:/home/jwasilewski# cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89 my-encrypted-volume-decrypted
Enter passphrase for /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89:
```
Then we can confirm that our volume is decrypted:
```
[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/mapper/my-encrypted-volume-decrypted
image: /dev/mapper/my-encrypted-volume-decrypted
file format: raw
virtual size: 20G (21472739328 bytes)
disk size: 0
```
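
The hexdump and cryptsetup steps above can be combined into a check that never maps the volume and never puts the passphrase on the command line. This is an added example, not part of the original procedure; the function names are hypothetical, and it assumes the key file is the raw binary payload saved by the barbican command.

```shell
#!/bin/sh
# Added example: turn a Barbican key file into the LUKS passphrase and
# test it against the LUKS header only. Function names are hypothetical.

# Print the key file as one lowercase hex string, the same string the
# hexdump step in the procedure produces. -v stops od from squeezing
# repeated 16-byte lines into "*". The size check catches a truncated
# or text-encoded download before cryptsetup is ever involved.
key_to_passphrase() {
    keyfile=$1
    expected_bits=${2:-512}   # "Bit length" shown by `openstack secret get`
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -ne $((expected_bits / 8)) ]; then
        echo "key is $size bytes, expected $((expected_bits / 8))" >&2
        return 1
    fi
    od -An -v -tx1 "$keyfile" | tr -d ' \n'
}

# Verify the passphrase without creating a /dev/mapper device.
# With --key-file=- cryptsetup reads stdin verbatim, so the passphrase
# is sent without a trailing newline and never appears in argv.
check_luks_passphrase() {
    device=$1
    keyfile=$2
    pass=$(key_to_passphrase "$keyfile") || return 2
    printf '%s' "$pass" |
        cryptsetup luksOpen --test-passphrase --key-file=- "$device"
}

# Demo on a constructed key (64 bytes of 0xab), not a real secret.
umask 077                     # temp key file readable by owner only
demo=$(mktemp)
i=0
while [ "$i" -lt 64 ]; do printf '\253'; i=$((i + 1)); done > "$demo"
key_to_passphrase "$demo"; echo
rm -f "$demo"
```

On the compute node, run `check_luks_passphrase <device> my_symmetric_key.key`; an exit status of 0 means the key unlocks a key slot. Remove the key file afterwards.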
Thanks again for sharing it, I believe it is a super-useful procedure.