Re: cryptsetup-reencrypt fails after converting a LUKS1 volume to LUKS2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Ingo,
thanks for the report! Could you please provide me with more information here on the list or on gitlab issue tracker? We're very close to 2.0.4 release and I'd like to have this fixed if I could reproduce it. 

On 08/02/2018 10:16 AM, Ingo Franzki wrote:

Hi,

I have converted an existing LUKS1 volume to LUKS2 via 'cryptsetup convert --type luks2 <device>'.
That worked well.
How did you create original LUKS1 header? Please provide me with either exact command or debug output. 



After that I am trying to use cryptsetup-reencrypt ro reencrypt the volume using a different volume key.
This fails with 'Cannot format device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new.'

The debug output shows the following:

...
# keyslots_size is too large 4161536 (bytes). Data offset: 2097152, keyslots offset: 32768
Cannot format device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new.
# Releasing crypt device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new context.
# Releasing crypt device /dev/mapper/disk5 context.
# Releasing device-mapper backend.
Creation of LUKS backup headers failed.
...

So the reason certainly is that the header area is too small, because that volume was converted over from LUKS1 which uses a smaller header than LUKS2.
luksDump shows that the offset of the data segment is less on the converted volume than on a volume that was formatted as LUKS2 right away.
Ouch, this sounds like really ugly bug in conversion code. If we really changed data offset during it, it's basically data corruption we're speaking about. Could you reproduce it and provide me with full debug output of cryptsetup convert action? In the meantime I'll try to reproduce it myself... 


Nevertheless, 'cryptsetup convert' seems to be able to produce an (obviously smaller) LUKS2 header for that device. Other commands like luksAddKey are also able to work with that smaller LUKS2 header.

Is there a way to enlarge the header area of a (converted) LUKS2 volume to the standard header area size?
I guess not, but I thought I'll ask anyway....

Any other ideas?
Any way to enhance cryptsetup-reencrypt to be able to work with a smaller header area?

This would be a perfect solution for converting an existing LUKS1 volume to use a secure volume key with the PAES cipher that is supported by cryptsetup since version 2.0.3.

Kind regards, Ingo



Kind regards
Ondrej


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux