From: Robert Nichols <rnicholsNOSPAM@comcast.net>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Detached headers, multiple drives and UUIDs
Date: Mon, 10 Apr 2017 13:28:14 -0500 [thread overview]
Message-ID: <ocgiro$cd4$1@blaine.gmane.org> (raw)
In-Reply-To: <f95aabe4-cf2b-f8aa-82ea-8c2ad3e303f1@gmail.com>
On 04/10/2017 08:25 AM, Milan Broz wrote:
> On 04/10/2017 03:07 PM, 7heo wrote:
>> Hello all,
>>
>> I have a question regarding the deported headers in LUKS, and how it
>> can be used to simplify the setup of RAID over LUKS:
>>
>> The current way to automatically unlock all the drives used in a Raid
>> array seems to be to add the same key to all the drives in the
>> array.
>>
>> However that doesn't work with detached headers for obvious reasons.
>> The detached headers can apparently be used on any number of
>> devices/files at the same time, with one problem: they all have the
>> same UUID. I tried using the --uuid flag with luksOpen without
>> success.
>
> You cannot change UUID for activated LUKS device, UUID must match the header
> (otherwise libcryptsetup cannot handle many functions).
No one is asking to change the UUID of an activated LUKS device. Let's approach this in a different way:
Is there any need for the detached header to remain available after the LUKS device has been activated? That is, could I have the detached header on a separate, removable device and, after activating the LUKS device via that header, unmount that separate device and lock it away in a safe? Would that interfere with access to the activated device or interfere with a subsequent luksClose operation? I don't see any reason why it should, since "--header" is not mentioned as an option for luksClose (and its aliases). Obviously, no _other_ LUKS operation would be possible without that header.
When I try this in CentOS 7 (cryptsetup-1.7.2-1.el7) it seems to work just fine. No, I didn't try any of the "not possible" operations.
Given that the above is possible, then why could one not modify the UUID in that detached header and use it for a different device, given that one accepts that luksClose is the only possible LUKS operation on that orphaned active device?
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
next prev parent reply other threads:[~2017-04-10 18:43 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-10 13:07 [dm-crypt] Detached headers, multiple drives and UUIDs 7heo
2017-04-10 13:25 ` Milan Broz
2017-04-10 13:45 ` 7heo
2017-04-10 14:09 ` Ondrej Kozina
2017-04-10 14:33 ` 7heo
2017-04-10 15:16 ` Ondrej Kozina
2017-04-10 15:22 ` Ondrej Kozina
2017-04-10 18:28 ` Robert Nichols [this message]
2017-04-10 19:10 ` Milan Broz
2017-04-10 20:53 ` 7heo
2017-04-10 21:29 ` Robert Nichols
2017-04-10 21:45 ` 7heo
2017-04-11 1:41 ` Robert Nichols
2017-04-11 7:38 ` Michael Kjörling
2017-04-11 4:02 ` Diagon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ocgiro$cd4$1@blaine.gmane.org' \
--to=rnicholsnospam@comcast.net \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.