[Openstack-security] [Bug 1372375] Re: Attaching LVM encrypted volumes (with LUKS) could cause data loss if LUKS headers get corrupted
Joel Coffman
1372375 at bugs.launchpad.net
Mon Apr 6 14:45:50 UTC 2015
> [...] how would we like to see the info passed to Cinder to indicate
that the Volume has been formatted to set the proposed flag?
Perhaps something could be added to the VolumeEncryptionMetadata API
extension to support toggling the flag when the volume is formatted. Not
sure how much would be gained from this approval since it potentially
would create a way to (maliciously) trigger reformatting the volume --
maybe it would be write-once so it can only be set (i.e., formatted =
True).
> It is crazy to luks format a volume because I am not able to mount it,
and it is crazy to suppose that if I am not able to mount a volume, then
it's the first time I am mounting it.
You could use the cryptsetup encryptor instead of LUKS, as raw
cryptsetup does not format the volume at all.
> Also, is anybody interested enough to work on this?
I'm willing to look into this issue since I'm responsible for the
original feature, but it's pretty much at the bottom of my priority
list.
I also stand by my original comment on this bug report. We're talking
about a situation where 1) the LUKS header is corrupted, 2) the
(encrypted) volume "data" is not corrupted, and 3) the user doesn't have
backups or snapshots of the volume. Perhaps someone from the Cinder core
team will correct me, but I'd guess that Cinder's backends try to avoid
data corruption, but it remains the user's responsibility to have
snapshots or backups of the volume in case corruption occurs. If so,
we're talking about a very specific situation where changing the
existing behavior would be beneficial.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372375
Title:
Attaching LVM encrypted volumes (with LUKS) could cause data loss if
LUKS headers get corrupted
Status in Cinder:
New
Status in OpenStack Compute (Nova):
Invalid
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
I have doubts about the flow of the volume attaching operation, as
defined in /usr/lib/python2.6/site-
packages/nova/volume/encryptors/luks.py.
If the device is not recognized to be a valid luks device, the script is luks formatting it! So if for some reason the luks header get corrupted, it erases the whole data.
To manage corrupted headers there are the
cryptsetup luksHeaderBackup
and
cryptsetup luksHeaderRestore
commands that respectively do the backup and the restore of the
headers.
I think that the process has to be reviewed, and the luksFormat
operation has to be performed during the volume creation.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372375/+subscriptions
More information about the Openstack-security
mailing list