Support full disk LUKS

[schakrava]

No description provided.

[halemmerich]

I have done some experiments using LUKS and wanted to share my experiences:
My target was a RockStor instance running a pool on encrypted disks and I did not accomplish that so far.
After creating a couple of LUKS disks mapped at /dev/mapper RockStor had a problem because the device names seemingly can only be 10 characters long. As I was using the serial number as the device mapper name the webinterface complained. Using shorter names makes the mapped disks appear in the storage view, but all operations including creation of a pool fail, because in the btrfs commands the device mapper disks are also addressed as /dev/name and not found.
I then tried to create a btrfs over the disks manually but RockStor did not pick it up correctly. The encrypted disks in the storage view are shown as having a btrfs on them, but can not be imported, probably again because of path issues.

[phillxnet]

@schakrava Could we change the title of this issue from:-
"Support dmcrypt"
to
"Support full disk LUKS"
From our recent discussion I think this fits in better with our current capabilities and plans plus from: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
we have:- "plain dm-crypt (one passphrase, no management, no metadata on disk) and LUKS (multiple user keys with one master key, anti-forensic features, metadata block at start of device, ...)"
So we gain management and an easy way to identify the device as LUKS encrypted so that scan_disks can hopefully provide an on the spot truth during disks Rescan (I think anyway as yet to confirm). This can then inform the db updater to set the new role flag to identify the device as LUKS formatted and hence trigger looking up it's /dev/mapper/device-name for unencrypted access.
and:
"First, unless you happen to understand the cryptographic background well, you should use LUKS. It does protect the user from a lot of common mistakes. Plain dm-crypt is for experts."
and:
"Advantages [of LUKS ] are a higher usability, automatic configuration of non-default crypto parameters, defenses against low-entropy passphrases like salting and iterated PBKDF2 passphrase hashing, the ability to change passphrases, and others."
My addition in square brackets in the last quote.

• We could later, by way of a feature issue, add a LUKS header backup button, and perhaps some additional LUKS password management.

We will also need the "cryptsetup" program installed which is available in the current repos. Just noting so it doesn't get missed.

[phillxnet]

@halemmerich Thanks for your pointers / input / sharing on this and as you found there are a few mechanisms within Rockstor that will require modification to support LUKS encrypted disks. Some work has already been done towards this and my current task involves another by way of issue #1320 "Revise internal use and format of device names". Once that issue is resolved I was hoping to come back to his issue and work through the required changes.

Those elements that have been improved in order to more easily accommodate LUKS include longer device names (now 64 chars) and the addition of a generic 'role' field within the Disk's db model. I like the serial as mount point idea by the way, may have to use that.

[schakrava]

@phillxnet , I've assigned the issue to you. I am wondering if that will give you the permission to change the title. Could you please try?

[phillxnet]

@schakrava Thanks, but still no edit button by title.

[phillxnet]

@schakrava Cheers.

[phillxnet]

Note to consider the effect of the smartctl calls on LUKS mapped devices ie update smart get_base_device / get_base_device_byid / or get_dev_options to account for LUKS device names so that the base device is passed to smartctl if required.

Please update the following forum thread with significant development on this issue:
https://forum.rockstor.com/t/smart-log-issues/1653

[phillxnet]

Please update the following forum thread with significant development on this issue:
https://forum.rockstor.com/t/luks-dm-crypt/36/9

[ciroiriarte]

Hi!, will this support the following use case?:

• multiple disks encrypted with LUKS (no partitions)
• multidisk (raid6) BTRFS filesystems on top of the encrypted devices
• key requested at boot time

It's an usual layout and I'm currently running that on openSUSE Leap 42.1, looking forward to migrate the disks to Rockstor...

[phillxnet]

Please also update the following forum thread on significant development on this issue:
https://forum.rockstor.com/t/at-rest-encryption/1993/1

[phillxnet]

Please also update the following forum thread on significant development:
https://forum.rockstor.com/t/fail-to-initalize-disk-mounted-with-luks/2034

[phillxnet]

In revisiting this issue I think it best if we first tidy up the recently added disk role field which is the intended mechanism to signal the requirement to change the file system access point from that of the raw device to that of it's /dev/mapper LUKS mount point. Once this task is complete we will have a better basis on which to support LUKS mount / device name re-direction in a cleaner fashion. I intend to link the disk role subsystem improvements issue to this issue so that the enhancements in that area can be tracked and to establish the dependency.

[phillxnet]

I am again working on this issue given it's indicated core dependencies have now been merged.

[phillxnet]

Update on sub issues found:
If we are to enable unattended boot then we also need to store keyfiles to unlock our data drives' LUKS containers. For the keyfiles to be secure they in turn need to be on encrypted storage. So no unattended power on with LUKS is securely possible. Also a 'sister' feature here is encrypted swap and root which is attainable via the current installer. This in turn allows for us to more feasibly store keyfiles in for example /root.

When installing Rockstor and selecting anaconda's build in encrypt my data option we get the following with 3.8.16-1:

lsblk 
NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                                            11:0    1 1024M  0 rom   
sda                                             8:0    0    8G  0 disk  
├─sda2                                          8:2    0  820M  0 part  
│ └─luks-df30128a-2e94-428a-ad47-671602d3ce4c 253:1    0  818M  0 crypt [SWAP]
├─sda3                                          8:3    0  6.7G  0 part  
│ └─luks-b8f89d97-f135-450f-9620-80a9fb421403 253:0    0  6.7G  0 crypt /home
└─sda1                                          8:1    0  500M  0 part  /boot

which equates to our rockstor_rockstor pool existing in it's own LUKS drive:

Label: 'rockstor_rockstor'  uuid: 60100357-ad15-4727-aec5-0f5abd1cee31
	Total devices 1 FS bytes used 1.55GiB
	devid    1 size 6.71GiB used 2.72GiB path /dev/mapper/luks-b8f89d97-f135-450f-9620-80a9fb421403

But there are problems on our Disks page:
3.8.16-1:

However things improve some what with the recent changes to disk management in #1622 :
3.8.16-16:

So some attention is require here obviously as previous 'special case' treatment for the root partition/drive is now showing it's short comings. I intend to have a look at improving this behaviour as part of this issue. The root cause here is that the installer works by encrypting 2 partitions but we predominantly address disks bar prior special root disk assessment that in this case fails.

Given the above points it may be pertinent to initially address password during power on for all LUKS volumes as a stepping stone ie following the installer default /etc/crypttab format of:

luks-b8f89d97-f135-450f-9620-80a9fb421403 UUID=b8f89d97-f135-450f-9620-80a9fb421403 none 
luks-df30128a-2e94-428a-ad47-671602d3ce4c UUID=df30128a-2e94-428a-ad47-671602d3ce4c none 

Where none signifies manual password entry on power up. At a later date this could be enhanced to include keyfile generation and management. This may also fit in better with current btrfs development on partial disk count capabilities as each disk is individually unlocked in turn, however currently no default pool mount is achievable until all members are unlocked. But this 'unlock via Rockstor Web-UI' element would also require some attention on #1547 "insufficient use of btrfs device scan" as currently 'btrfs device scan' is only run on boot and until LUKS encrypted volumes are unlocked they are not visible to the btrfs subsystems as available pool members.

[phillxnet]

Noting a thread on the linux-btrfs mailing list re strange interplay between systemd and keyfile activated LUKS containers upon subsequent format:
https://mail-archive.com/[email protected]/msg63975.html
Ongoing: the symptoms are that of mapped devices disappearing during mkfs.btrfs on /dev/mapper/dev-name (both the /dev/mapper/dev-name and it's target /dev/dm-* go missing with 100% systemd cpu). I suspect this is only with much newer systemd but will investigate our behaviour. I have not noticed anything akin to this so far in my tests.
latest exposition of issue as of writing:
https://mail-archive.com/[email protected]/msg64025.html

[phillxnet]

Newly added Open LUKS Volume info table:

and the same page but in LUKS Container Config mode viewing the base backing device:

A little more user facing text to add (as detailed in tasks above) and some more testing and I hope to be at pull request prep / review stage.

Note the Open LUKS Volume info page added here also suffer from the same issue as indicated in #1130 for detached devices. Linking here as the two behaviours share the same cause which can be addressed in the referenced issue: ie that of missing name reference due to dynamic renaming of detached devices.

[phillxnet]

Last minute problem detected, suspect this is related to occasional device name change:
ie display of /dev/mapper type names in 'btrfs fi show' as opposed to the regular canonical names, ie /dev/dm-1 etc.
Will look into this on my next session with this issue.
Similar to reports in above referenced linux-btrfs mailing list re wandering name types.

[phillxnet]

Above mentioned issue tracked down to udev failing to recognise and report (via lsblk) fstype update on our newly formatted luks volume. This is akin to issue #1606 fixed via pr #1607, ie timely use of 'udevadm trigger' or a less heavy weight counterpart.

[phillxnet]

Prior to 'udev trigger' kick we have:
TYPE="crypt" FSTYPE="" LABEL="" UUID=""
and after we have:
TYPE="crypt" FSTYPE="btrfs" LABEL="luks-pool" UUID="9a51f7fb-d82b-496e-aa31-b11f8fe57d89"
So this is looking exactly like the previously reported issue re adding drives with no udev reaction.
I will attempt to produce a more reliable reproducer and apply the same fix used in #1607 only after our mkfs.btrfs. Unless of course we have an instance of drive disconnection during mkfs.btrfs as mentioned in the linux.btrfs mailing list.

[phillxnet]

Tasks related to Open LUKS volume format changes affecting block device mapping and udev reporting of both the LUKS container and the consequent open LUKS volume.

• wiping (wipefs -a) a whole disk btrfs/ext4 formatted open LUKS volume causes it's /dev/dm-* node and /dev/mapper/luks-* symlink to disappear.

May 17 14:41:52 rtest systemd[1]: Stopped /dev/disk/by-uuid/89542d8f-2569-4f81-8eb9-5a15cf358de7.
May 17 14:41:52 rtest systemd[1]: Stopped /dev/disk/by-label/luks-pool.
May 17 14:41:52 rtest systemd[1]: Stopped /dev/disk/by-id/dm-uuid-CRYPT-LUKS1-5037b32095d64c7494e74c673120d32a-luks-5037b320-95d6-4c74-94e7-
May 17 14:41:52 rtest systemd[1]: Stopped /dev/disk/by-id/dm-name-luks-5037b320-95d6-4c74-94e7-4c673120d32a.
May 17 14:41:52 rtest systemd[1]: Stopped /dev/dm-0.
May 17 14:41:52 rtest systemd[1]: Stopped /sys/devices/virtual/block/dm-0.
May 17 14:41:52 rtest systemd[1]: Stopped target Encrypted Volumes.
May 17 14:41:52 rtest systemd[1]: Stopping Encrypted Volumes.
May 17 14:41:52 rtest systemd[1]: Stopping Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a...
May 17 14:41:52 rtest systemd[1]: Stopped Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a.

After an extended period (ie around 24 minutes in given example) the /dev/dm-* and consequent /dev/mapper/luks- are restored:

May 17 15:05:43 rtest systemd[1]: Starting Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a...
...
May 17 15:05:43 rtest systemd-cryptsetup[19832]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/5037b320-95d6-4c74-94e7-4c673120d32a.
...
May 17 15:05:48 rtest systemd[1]: Started Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a.

• Intermittent failure of udev to update FSTYPE, LABEL, and UUID after successfully formatting and mounting a new btrfs pool. It is noteworthy that mount by label fails in this scenario; however our established fail-over of mount by dev succeeded. It is assumed that the necessary udev created by-label symlink is the reason for the mount by label failure. This scenario is, as previously recorded, very similar to issue work around failure of udev to observe btrfs device add #1606 pr= work around failure of udev to observe btrfs device add. Fixes #1606 #1607 where adding a device to a pool could, intermittently, result in the same udev failure to represent the new disk state: ie new fstype, label, and uuid.

[phillxnet]

It appears that the auto generated (by systemd-cryptsetup-generator) systemd service file for each crypto block device (based on it's /etc/crypttab entry if any) in:

/var/run/systemd/generator/systemd-cryptsetup

is what is being auto run whenever we 'wipefs -a' a btrfs formatted Open LUKS volume:
ie:

systemctl stop systemd-cryptsetup\@luks\\x2d5037b320\\x2d95d6\\x2d4c74\\x2d94e7\\x2d4c673120d32a.service

results in equivalent observed systemd logging:

May 17 17:32:50 rtest systemd[1]: Stopping Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a...
May 17 17:32:50 rtest systemd[1]: Stopped /dev/disk/by-uuid/900d8946-c7c8-4ca7-936a-485323246884.
May 17 17:32:50 rtest systemd[1]: Stopped /dev/disk/by-label/luks-pool.
May 17 17:32:50 rtest systemd[1]: Stopped /dev/disk/by-id/dm-uuid-CRYPT-LUKS1-5037b32095d64c7494e74c673120d32a-luks-5037b320-95d6-4c74-94e7-4c673120d32a.
May 17 17:32:50 rtest systemd[1]: Stopped /dev/disk/by-id/dm-name-luks-5037b320-95d6-4c74-94e7-4c673120d32a.
May 17 17:32:50 rtest systemd[1]: Stopped /dev/dm-0.
May 17 17:32:50 rtest systemd[1]: Stopped /sys/devices/virtual/block/dm-0.
May 17 17:32:50 rtest systemd[1]: Stopped /dev/mapper/luks-5037b320-95d6-4c74-94e7-4c673120d32a.
May 17 17:32:50 rtest systemd[1]: Stopped Cryptography Setup for luks-5037b320-95d6-4c74-94e7-4c673120d32a.

And we again now have missing /dev/dm-* and /dev/mapper/luks-* entries.
However the reverse "start" will, without a keyfile config, request a password via console to re-establish the associated devices.

[phillxnet]

• As it is a requirement to re-open automatically closed LUKS containers once their Open LUKS Volumes are wiped (if they originally had a full dev fs on), we must acknowledge to the user that a keyfile config is required as we have, as yet, no method to manually open / mount devices /pools so must, for the time being, accomplish this in an automated fashion. Hence the reliance on a keyfile for auto authentication where LUKS volumes are concerned. At least to avoid the confusing scenario of an Open LUKS Volume becoming detached directly after being wiped.

• Also confirm sane behaviour on Open LUKS Volume removal from existing multi disk pool re appropriately updated fstype, label, and uuid.