[openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)

Daniel P. Berrange berrange at redhat.com
Sun Oct 23 16:18:00 UTC 2016


On Fri, Oct 21, 2016 at 12:07:08PM +0100, Lee Yarwood wrote:
> Hello,
> 
> I documented bug#1633518 [1] last week in which volumes encrypted prior
> to Ib563b0ea [2] used a slightly mangled passphrase instead of the
> original passphrase provided by the configured key manager.
> 
> My first attempt at resolving this [3] prompted an alternative
> suggestion from mdbooth of adding the correct passphrase to the LUKS
> device when we detect the use of a mangled passphrase.
> 
> I'm slightly wary of this option given the changing of passphrases so
> I'd really appreciate input from the wider Nova and Cinder groups on
> your preference for resolving this:
> 
> 1. Keep the mangled passphrase in place and attempt to use it after
> getting a permission denied error during luksOpen. 

This is going to be painful when we switch to using QEMU for LUKS,
because it is going to amount to starting QEMU, watching it fail
to open disks and then trying to start QEMU again. IMHO we need to
fix the broken passphrases globally asap.

> 2. Add the correct passphrase and remove the mangled passphrase from the
> LUKS device with luksChangeKey when we detect the use of the mangled
> passphrase.

Yes, we should be doing this to fix up the broken devices.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
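
Added example, not part of the original message and not Nova, Cinder or os-brick code: a sketch of option 2, which tests the correct passphrase first, falls back to the mangled one only to confirm it is in use, swaps it with `luksChangeKey`, and verifies the end state. The function names, the injectable `run` parameter and the assumption that the caller can reproduce the mangled passphrase are all hypothetical.

```python
import os
import subprocess
import tempfile


def _run(argv, stdin_bytes):
    """Run a command with stdin_bytes on stdin and return its exit status."""
    return subprocess.run(argv, input=stdin_bytes, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def unlocks(device, passphrase, run=_run):
    """True if passphrase (bytes) opens a keyslot; the device is not mapped."""
    # --key-file=- reads the exact bytes from stdin, with no newline stripping.
    return run(["cryptsetup", "luksOpen", "--test-passphrase",
                "--key-file=-", device], passphrase) == 0


def repair_passphrase(device, correct, mangled, run=_run):
    """Return "ok" if already correct, "repaired" after a successful swap."""
    if unlocks(device, correct, run):
        return "ok"
    if not unlocks(device, mangled, run):
        raise PermissionError("neither passphrase opens " + device)
    # The new passphrase goes in a 0600 temp file (the mkstemp default) that
    # is removed right after use; the old passphrase is fed on stdin.
    fd, new_key_path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(correct)
        rc = run(["cryptsetup", "luksChangeKey", "--key-file=-",
                  device, new_key_path], mangled)
    finally:
        os.unlink(new_key_path)
    # Verify the end state instead of trusting the exit status alone.
    if rc != 0 or not unlocks(device, correct, run):
        raise RuntimeError("passphrase change failed on " + device)
    if unlocks(device, mangled, run):
        raise RuntimeError("mangled passphrase still opens " + device)
    return "repaired"
```

Running it against a real device requires root and a cryptsetup binary; passing a stub as `run` exercises the control flow without either.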


