
luks_device: can't use binary data for passphrase #827

Closed
ilia-kats opened this issue Dec 28, 2024 · 3 comments · Fixed by #829
Labels
enhancement New feature or request

Comments

@ilia-kats
Contributor

SUMMARY

I have a partition that is encrypted using a randomly generated keyfile, which I store in a vault. I'm trying to write a playbook that opens the encrypted partition using the keyfile without uploading the keyfile to the managed node. Note that running

cat keyfile | ssh -p 2222 root@localhost cryptsetup open --key-file - /dev/vda3 data

works (where keyfile is the unencrypted keyfile).

Using ansible.builtin.command and ansible.builtin.shell also doesn't work (see ansible/ansible#84497).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

luks_device

ANSIBLE VERSION
ansible [core 2.18.1]
  config file = /home/ilia/[...]/ansible.cfg
  configured module search path = ['/home/ilia/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.13/site-packages/ansible
  ansible collection location = /home/ilia/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.13.1 (main, Dec  4 2024, 18:05:56) [GCC 14.2.1 20240910] (/usr/bin/python)
  jinja version = 3.1.5
  libyaml = True
COLLECTION VERSION
# /usr/lib/python3.13/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.22.3
CONFIGURATION
CONFIG_FILE() = /home/ilia/[...]/ansible.cfg
DEFAULT_HOST_LIST(/home/ilia/[...]/ansible.cfg) = ['/home/ilia/[...]/inventory.yml']
DEFAULT_VAULT_ID_MATCH(/home/ilia/[...]/ansible.cfg) = true
EDITOR(env: EDITOR) = vim

GALAXY_SERVERS:
OS / ENVIRONMENT

Control: Arch Linux
Managed node: Debian 12

STEPS TO REPRODUCE
- name: unlock encrypted data partitions
  hosts: all
  vars:
    keyfile: "{{ lookup('ansible.builtin.unvault', 'keyfiles/' ~ inventory_hostname) }}"
  tasks:
    - ansible.builtin.debug:
        msg: "{{ keyfile }}"
    - name: unlock data partitions
      community.crypto.luks_device:
        device: "{{ item.device }}"
        name: "{{ item.mountpoint | basename }}"
        passphrase: "{{ keyfile }}"
        state: opened
      # ansible.builtin.shell:
      #   cmd: "cryptsetup open --key-file - {{ item.device }} {{ item.mountpoint | basename }}"
      #   cmd: cat > test
      #   stdin: "{{ keyfile }}"
      #   stdin_add_newline: false
      loop: "{{ encrypted_mounts | dict2items(key_name='device', value_name='mountpoint') }}"
EXPECTED RESULTS

The encrypted partition is unlocked.

ACTUAL RESULTS
TASK [unlock data partitions] ******************************************
failed: [b260-pc000] (item={'device': '/dev/vda3', 'mountpoint': '/mnt/data'}) => {"ansible_loop_var": "item", "changed": false, "item": {"device": "/dev/vda3", "mountpoint": "/mnt/data"}, "msg": "luks_device error: Error while opening LUKS container on /dev/vda3: No key available with this passphrase.\n"}

I've also tried reverting ansible/ansible@d0fda3e with the same result.

@felixfontein
Contributor

Ansible does not allow binary data to be passed to or from modules. That's a limitation of Ansible, not of this module. Therefore this is not a bug.

What's possible is to add an option that tells the module that passphrases are provided in Base64 and have to be decoded before being used. That way you can pass Base64-encoded binary passphrases to the module.

felixfontein added the "enhancement" label on Dec 28, 2024
@ilia-kats
Contributor Author

What's possible is to add an option that tells the module that passphrases are provided in Base64 and have to be decoded before being used. That way you can pass Base64-encoded binary passphrases to the module.

That would be great.

@felixfontein
Contributor

#829 adds a new option passphrase_encoding, which can be set to base64.
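As an added illustration (not code from the collection or from either commenter) of why Ansible's text-only argument channel corrupts a binary keyfile and how a base64 option sidesteps it: the `passphrase_encoding` name and the `base64` value are taken from this thread, the sample keyfile and the decoding logic are assumptions.

```python
import base64

# Constructed sample keyfile (not from the issue): 32 bytes whose first values
# are not valid UTF-8, as a `dd if=/dev/urandom` keyfile almost always is.
SAMPLE_KEYFILE = bytes([0xFF, 0xFE, 0x00, 0x0A]) + bytes(range(28))


def through_text_channel(raw: bytes) -> bytes:
    """Model Ansible's text-only argument passing: raw bytes are decoded to a
    Unicode string on the control node and re-encoded on the managed node, so
    every undecodable byte is replaced and the key no longer matches."""
    return raw.decode("utf-8", errors="replace").encode("utf-8")


def encode_for_transport(raw: bytes) -> str:
    """Playbook side: turn the keyfile into pure ASCII that the text channel
    cannot damage."""
    return base64.b64encode(raw).decode("ascii")


def decode_passphrase(passphrase: str, encoding: str = "text") -> bytes:
    """Module side: turn the passphrase option into the exact bytes handed to
    cryptsetup. Assumption: this models the passphrase_encoding option added
    by #829 (name and value "base64" are from the thread; the logic is ours,
    not the collection's code)."""
    if encoding == "text":
        return passphrase.encode("utf-8")
    if encoding == "base64":
        # validate=True rejects characters outside the base64 alphabet rather
        # than skipping them, so a mangled value fails loudly.
        return base64.b64decode(passphrase, validate=True)
    raise ValueError(f"unsupported passphrase_encoding: {encoding!r}")


def cryptsetup_open_argv(device: str, name: str) -> list[str]:
    """Same form as the manual test in the issue: the key arrives on stdin via
    `--key-file -`, so it is never written to the managed node's disk. Run it
    with subprocess.run(argv, input=decode_passphrase(...), check=True)."""
    return ["cryptsetup", "open", "--key-file", "-", device, name]


if __name__ == "__main__":
    wire = encode_for_transport(SAMPLE_KEYFILE)
    print(through_text_channel(SAMPLE_KEYFILE) == SAMPLE_KEYFILE)  # False
    print(decode_passphrase(wire, "base64") == SAMPLE_KEYFILE)     # True
```

The playbook-side step corresponds to base64-encoding the vaulted keyfile on the control node before handing it to the module, which is exactly what the new option lets the module undo.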
