From: Ondrej Kozina <okozina@redhat.com>
To: Ingo Franzki <ifranzki@linux.ibm.com>, dm-crypt@saout.de
Subject: Re: [dm-crypt] cryptsetup-reencrypt fails after converting a LUKS1 volume to LUKS2
Date: Thu, 2 Aug 2018 10:52:25 +0200
Message-ID: <eb68bc6b-f168-ea0f-8525-4ee525bf3a69@redhat.com>
In-Reply-To: <6df9d673-5392-1171-3cd7-ed8a244b565e@linux.ibm.com>

Hi Ingo,

thanks for the report! Could you please provide me with more information
here on the list or on the GitLab issue tracker? We're very close to the 2.0.4
release and I'd like to have this fixed if I could reproduce it.

On 08/02/2018 10:16 AM, Ingo Franzki wrote:
> Hi,
> 
> I have converted an existing LUKS1 volume to LUKS2 via 'cryptsetup convert --type luks2 <device>'.
> That worked well.

How did you create the original LUKS1 header? Please provide me with either
the exact command or debug output.

> 
> After that I am trying to use cryptsetup-reencrypt to reencrypt the volume using a different volume key.
> This fails with 'Cannot format device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new.'
> 
> The debug output shows the following:
> 
> ...
> # keyslots_size is too large 4161536 (bytes). Data offset: 2097152, keyslots offset: 32768
> Cannot format device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new.
> # Releasing crypt device LUKS-5d6495ba-b6f9-43c5-883f-dff56f10c72a.new context.
> # Releasing crypt device /dev/mapper/disk5 context.
> # Releasing device-mapper backend.
> Creation of LUKS backup headers failed.
> ...
> 
> So the reason certainly is that the header area is too small, because that volume was converted over from LUKS1 which uses a smaller header than LUKS2.
> luksDump shows that the offset of the data segment is less on the converted volume than on a volume that was formatted as LUKS2 right away.

Ouch, this sounds like a really ugly bug in the conversion code. If we really
changed the data offset during it, it's basically data corruption we're
speaking about. Could you reproduce it and provide me with the full debug
output of the cryptsetup convert action? In the meantime I'll try to
reproduce it myself...

> Nevertheless, 'cryptsetup convert' seems to be able to produce an (obviously smaller) LUKS2 header for that device. Other commands like luksAddKey are also able to work with that smaller LUKS2 header.
> 
> Is there a way to enlarge the header area of a (converted) LUKS2 volume to the standard header area size?
> I guess not, but I thought I'll ask anyway....
> 
> Any other ideas?
> Any way to enhance cryptsetup-reencrypt to be able to work with a smaller header area?
> 
> This would be a perfect solution for converting an existing LUKS1 volume to use a secure volume key with the PAES cipher that is supported by cryptsetup since version 2.0.3.
> 
> Kind regards, Ingo
> 

Kind regards
Ondrej
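
The numbers in the quoted debug line can be checked directly. This is an added example, not part of the original message and not cryptsetup code; it recomputes the overrun and applies the same test to LUKS2 JSON metadata. Assumptions: the fit rule (keyslots offset + keyslots_size must not exceed the data offset) is inferred from the debug line, the two JSON fragments are constructed samples, and all function names are hypothetical.

```python
import json
import re

# Debug line quoted in the report above.
DEBUG_LINE = ("# keyslots_size is too large 4161536 (bytes). "
              "Data offset: 2097152, keyslots offset: 32768")

# Constructed LUKS2 JSON metadata fragments (not taken from the reporter's volume).
CONVERTED = json.loads('{"config": {"json_size": "12288", "keyslots_size": "2064384"},'
                       ' "segments": {"0": {"type": "crypt", "offset": "2097152"}}}')
NATIVE = json.loads('{"config": {"json_size": "12288", "keyslots_size": "4161536"},'
                    ' "segments": {"0": {"type": "crypt", "offset": "4194304"}}}')

LUKS2_BIN_HDR = 4096  # binary header that precedes each JSON area


def parse_debug_line(line):
    """Return (keyslots_size, data_offset, keyslots_offset) from the debug line."""
    m = re.search(r"keyslots_size is too large (\d+) \(bytes\)\. "
                  r"Data offset: (\d+), keyslots offset: (\d+)", line)
    if not m:
        raise ValueError("not a keyslots_size debug line")
    return tuple(int(g) for g in m.groups())


def layout(meta):
    """Return (keyslots_offset, data_offset) for LUKS2 JSON metadata."""
    # Two header copies (binary header + JSON area) precede the keyslots area.
    keyslots_offset = 2 * (LUKS2_BIN_HDR + int(meta["config"]["json_size"]))
    data_offset = min(int(s["offset"]) for s in meta["segments"].values())
    return keyslots_offset, data_offset


def shortfall(keyslots_size, data_offset, keyslots_offset):
    """Bytes by which the keyslots area overruns the data offset (0 if it fits)."""
    return max(0, keyslots_offset + keyslots_size - data_offset)


def can_hold(meta, keyslots_size):
    """True if a keyslots area of this size fits in front of the data segment."""
    ks_off, data_off = layout(meta)
    return shortfall(keyslots_size, data_off, ks_off) == 0


if __name__ == "__main__":
    size, data_off, ks_off = parse_debug_line(DEBUG_LINE)
    print("overrun from debug line:", shortfall(size, data_off, ks_off), "bytes")
    print("converted volume holds requested size:", can_hold(CONVERTED, size))
    print("native LUKS2 volume holds requested size:", can_hold(NATIVE, size))
```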
