[openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)
Lee Yarwood
lyarwood at redhat.com
Fri Oct 21 11:07:08 UTC 2016
Hello,
I documented bug#1633518 [1] last week in which volumes encrypted prior
to Ib563b0ea [2] used a slightly mangled passphrase instead of the
original passphrase provided by the configured key manager.
My first attempt at resolving this [3] prompted an alternative
suggestion from mdbooth of adding the correct passphrase to the LUKS
device when we detect the use of a mangled passphrase.
I'm slightly wary of this option given the changing of passphrases so
I'd really appreciate input from the wider Nova and Cinder groups on
your preference for resolving this :
1. Keep the mangled passphrase in place and attempt to use it after
getting a permission denied error during luksOpen.
2. Add the correct passphrase and remove the mangled passphrase from the
LUKS device with luksChangeKey when we detect the use of the mangled
passphrase.
3. An alternative suggestion.
FYI, as os-brick has now copied the encryptor classes from Nova into
their own tree any fix will be cherry-picked across shortly after
landing in Nova. I'm also looking into dropping these classes from Nova
for Ocata so we can avoid duplicating effort like this in future.
Thanks in advance,
Lee
[1] https://launchpad.net/bugs/1633518
[2] https://review.openstack.org/#/c/309614/
[3] https://review.openstack.org/#/c/386670/
--
Lee Yarwood
Senior Software Engineer
Red Hat
PGP : A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76
More information about the OpenStack-dev
mailing list