[cinder/barbican] LUKS encryption for mounted disk - how to decrypt cinder volume

Jan Wasilewski finarffin at gmail.com
Tue Feb 9 11:48:38 UTC 2021

Hi All,

I have a question about the possible decryption of LUKS volume. I'm testing
currently barbican+cinder, but I'm just wondering if there is a way, to
somehow decrypt my LUKS volume with payload generated by a barbican. Is
there any procedure for that? I was doing it by myself, but somehow it
doesn't work and I got an error:

[TEST]root at barbican-01:/usr/lib/python3/dist-packages# barbican secret get
--payload --payload_content_type application/octet-stream
| Field   | Value
| Payload | b'\xbf!i\x97\xf4\x0c\x12\xa4\xfe4\xf3\x16C\xe8@\xdc\x0f\x9d+:\x0c7\xa9\xab[\x8d\xf2\xf1\xae\r\x89\xdc'

cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f
Enter passphrase for
/dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f: *<passphrase from
No key available with this passphrase.

I thought that above issue can be related to encoding, so I took payload
value directly from vault and use it as a key-file, but problem is exactly
the same(my encrypted volume is the last volume list by domblklist option):

vault kv get secret/data/e5baa518207e4f9db4810988d22087ce | grep value |
awk -F'value:' '{print $2}'

[TEST]root at comp-02:~# cat bbb
[TEST]root at comp-02:~# cat bbb | base64 -d > pass2
[TEST]root at comp-02:~# cat pass2
▒▒߻▒▒▒▒▒^<▒N▒▒▒▒~پ5▒▒▒▒▒▒▒z߾▒▒▒▒~▒▒▒▒▒n▒▒▒▒▒]▒[TEST]root at comp-02:~#
[TEST]root at comp-02:~# virsh domblklist instance-00000da8
Target     Source
vda        /dev/dm-17
vdb        /dev/disk/by-id/wwn-0x6e00084100ee7e7e74623bd3000036bc
vdc        /dev/dm-16
vde        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f
vdf        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5
[TEST]root at comp-02:~# udisksctl unlock -b
/dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5 --key-file pass2
Error unlocking /dev/dm-21:
GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Error unlocking
/dev/dm-21: Failed to activate device: Operation not permitted
[TEST]root at comp-02:~# cryptsetup luksOpen
/dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5 my-volume
Volume key does not match the volume.

I see that nova/cinder and barbican are doing this stuff somehow so I
strongly believe there is a way to decrypt this manually. Maybe I’m doing
something wrong in my testing-steps.
Thanks in advance for any help here! Unfortunately, I haven’t found any
materials on how to do this.

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210209/0704554c/attachment.html>

More information about the openstack-discuss mailing list