From: Ondrej Kozina
Date: Thu, 2 Aug 2018 11:44:30 +0200
Subject: Re: [dm-crypt] cryptsetup-reencrypt fails after converting a LUKS1 volume to LUKS2
To: michael@kjorling.se
Cc: dm-crypt@saout.de

On 08/02/2018 11:28 AM, Michael Kjörling wrote:
> On 2 Aug 2018 11:20 +0200, from okozina@redhat.com (Ondrej Kozina):
>> Ok, I know what's wrong. The convert action works as expected and
>> there's nothing wrong with data offset. The issue is
>> cryptsetup-reencrypt utility currently can't handle setup where
>> existing LUKS2 header, on a device you're about to reencrypt is
>> different size from default LUKS2 header size which is 4MiBs
>> currently. The converted header is as you wrote 2MiBs.
>
> Sounds to me like that should be easy enough to add an early check and
> specific error message for. Even if the error is just something like
> "this container cannot be converted to LUKS2 because of header size
> mismatch, no changes made", it's far better than erroring out with a
> scary error message. cryptsetup-reencrypt is scary enough as it is.
>

In my reproducer, the data were not damaged and I think neither were in Ingo's case (but can't speak for him). In fact, the cryptsetup library behaved correctly and identified the mismatch. It's exactly just a missing error message in cryptsetup-reencrypt, as you pointed out. The reencryption stopped while creating header backups, so no harm done (in my case).

But let me think about it for some time yet.

O.
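
The early check suggested in the quoted text could look like the following. This is an added example, not cryptsetup code and not written by anyone in this thread. It assumes the LUKS2 primary header layout (magic, version and `hdr_size` big-endian at offset 0, JSON metadata starting at byte 4096, segment `offset` given in bytes) and that the header area ends where segment 0 begins; `preflight`, `build_sample_header` and the sample data are hypothetical.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096                  # binary header; JSON area follows (assumed layout)
DEFAULT_HDR_AREA = 4 * 1024 * 1024   # the 4 MiB default quoted in the thread


def build_sample_header(data_offset, hdr_size=16384):
    """Constructed sample: minimal LUKS2-style primary header plus JSON area."""
    meta = {"segments": {"0": {"type": "crypt", "offset": str(data_offset),
                               "size": "dynamic"}}}
    binary = struct.pack(">6sHQ", LUKS2_MAGIC, 2, hdr_size).ljust(BIN_HDR_SIZE, b"\0")
    return binary + json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")


def read_data_offset(blob):
    """Return the byte offset of the first data segment, validating as we go."""
    if len(blob) < BIN_HDR_SIZE:
        raise ValueError("truncated header")
    magic, version, hdr_size = struct.unpack_from(">6sHQ", blob, 0)
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_HDR_SIZE < hdr_size <= len(blob):
        raise ValueError("implausible hdr_size %d" % hdr_size)
    # The JSON text is NUL-padded to the end of the metadata area.
    raw = blob[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0]
    segments = json.loads(raw)["segments"]
    first = min(segments, key=int)
    return int(segments[first]["offset"])


def preflight(blob, expected=DEFAULT_HDR_AREA):
    """Hypothetical early check: returns (ok, message) before anything is written."""
    try:
        offset = read_data_offset(blob)
    except (ValueError, KeyError) as exc:
        return False, "cannot parse header (%s), no changes made" % exc
    if offset != expected:
        return False, ("header area is %d KiB, expected %d KiB: "
                       "size mismatch, no changes made"
                       % (offset // 1024, expected // 1024))
    return True, "header area matches the default size"
```
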