[cinder/barbican] LUKS encryption for mounted disk - how to decrypt cinder volume

Lee Yarwood lyarwood at redhat.com
Thu Feb 11 12:22:55 UTC 2021


On 10-02-21 17:43:03, Lee Yarwood wrote:
> On 10-02-21 11:29:06, Jan Wasilewski wrote:
>> Thank you for a nice description of how everything is organized. It is much
>> easier to understand the full workflow.
>> 
>>> I'll try to find some time to write these up again later in the week.
>> That would be great, I will try to do this by myself, but I'm wondering if
>> it's possible to do "all magic" directly from a payload that is visible
>> from barbican CLI.

My thanks to gcharot for writing the following up downstream a while ago
and highlighting some easy ways of achieving this.

The following assumes that the volume is already mapped and connected to
the localhost, in this case I'm just using the LVs used by the default
LVM/iSCSI c-vol backend in my devstack env.

It also assumes you have access to the secrets associated with the
encrypted volume, by default admins do not.

- Starting with an encrypted volume

$ sudo qemu-img info --output=json /dev/stack-volumes-lvmdriver-1/volume-d4cc53db-6add-4c29-9f96-42a5498f8bd0 | jq .format
"luks"

- Fetch and store the key locally

$ openstack secret get --payload_content_type 'application/octet-stream' http://192.168.122.208/key-manager/v1/secrets/6fd4f879-005d-4b7d-9e5f-2505f010be7c --file mysecret.key

- Use dmcrypt to decrypt the device using the key as a passphrase

$ yes $(hexdump -e '16/1 "%02x"' mysecret.key) | sudo cryptsetup luksOpen /dev/stack-volumes-lvmdriver-1/volume-d4cc53db-6add-4c29-9f96-42a5498f8bd0 volume-d4cc53db-6add-4c29-9f96-42a5498f8bd0

- This should leave you with the decrypted volume under /dev/mapper

$ sudo qemu-img info /dev/mapper/volume-d4cc53db-6add-4c29-9f96-42a5498f8bd0
image: /dev/mapper/volume-d4cc53db-6add-4c29-9f96-42a5498f8bd0
file format: raw
virtual size: 0.998 GiB (1071644672 bytes)
disk size: 0 B

Hope this helps!

-- 
Lee Yarwood                 A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210211/91d11f9a/attachment.sig>


More information about the openstack-discuss mailing list