* [dm-crypt] Some Q&A about LUKS2 reencryption
@ 2020-04-27 8:39 Ondrej Kozina
From: Ondrej Kozina @ 2020-04-27 8:39 UTC (permalink / raw)
To: dm-crypt
Hi,
I'm just sharing some Q&A originally exchanged via private e-mails.
Thank you for letting me share it publicly! I've also added some
clarifications to my original answers.
---------
Q: I mean how are you re-encrypting a drive that is say 98% full, where
is all that data going? I know you create devices but you have to store
the data somewhere right?
A: All metadata necessary to perform recovery of said segment (in case
of a crash) is stored in the LUKS2 metadata area, no matter whether the
LUKS2 reencryption was run in online or offline mode.
Q: If a drive is interrupted during re-encryption, and I remove the
device mapping from the hotzone device to mounted filesystem and old
encrypted device. Then won't the system be un-bootable?
A: In case of a reencryption application crash, try to close the original
device via the following command first: "cryptsetup close my_crypt_device".
Cryptsetup assesses whether it's safe to tear down the reencryption device
stack or not. It also cuts off I/O (via a dm-error mapping) to the current
hotzone segment (to make later recovery possible). If it can't be torn
down, e.g. due to a mounted fs, you must unmount the filesystem first.
Never try to tear down reencryption dm devices manually using e.g. the
dmsetup tool, at least not unless cryptsetup says it's safe to do so. It
could damage data beyond repair.
Q: There is also resume support, how do you do these things? Also if I
reboot the system in such a state [the interrupted LUKS2 reencryption]
won't the system be un-bootable since there is no way to enter 2 keys at
start-up?
A: Cryptsetup (command line utility) expects the passphrase to be identical
for the keyslot containing the old volume key and for the keyslot containing
the new one. So recovery in such a case happens during the normal
"cryptsetup open" operation, or even during the systemd-cryptsetup attach
at boot.
Reencryption recovery can also be performed in offline mode (without the
need to activate the LUKS device) by the "cryptsetup repair" command.
O.
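The recovery order from the Q&A above, as an added shell example that is not part of the original message: it reads the LUKS2 header for an interrupted reencryption, lets `cryptsetup close` judge whether the stack can be torn down, asks for an unmount if it refuses, and only then runs `cryptsetup repair`. Device names and the luksDump excerpts are constructed, and the exact luksDump layout is an assumption (only the two keywords are relied upon).

```shell
#!/bin/sh
# Added example, not code from the original thread. Encodes the recovery
# order given in the Q&A: check the LUKS2 header for an interrupted
# reencryption, let `cryptsetup close` judge whether the device stack can
# be torn down, unmount if it refuses, then recover with `cryptsetup repair`.
# dmsetup is never used. Device names and dump excerpts are constructed;
# the luksDump layout is an assumption, only the two keywords matter.

# Return 0 when luksDump text on stdin carries the "online-reencrypt"
# requirement and a keyslot of type "reencrypt", i.e. recovery is pending.
reencrypt_in_progress() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -qiE '^Requirements:.*online-reencrypt' &&
        printf '%s\n' "$dump" | grep -qE '^[[:space:]]*[0-9]+: reencrypt'
}

# $1 = mapped name (e.g. my_crypt_device), $2 = backing device (e.g. /dev/sdb1)
recover_reencryption() {
    name=$1; dev=$2
    if ! cryptsetup luksDump "$dev" | reencrypt_in_progress; then
        echo "no interrupted reencryption recorded in header of $dev"
        return 0
    fi
    # cryptsetup decides whether teardown is safe and fences the hotzone.
    if ! cryptsetup close "$name"; then
        echo "close refused for $name: unmount /dev/mapper/$name first," \
             "then rerun. Do not tear down dm devices with dmsetup." >&2
        return 1
    fi
    # Offline recovery; the passphrase must unlock old and new keyslots.
    cryptsetup repair "$dev"
}

# Constructed luksDump excerpts for a dry run of the header check.
REENC_DUMP='LUKS header information
Version:        2
Requirements:   online-reencrypt

Keyslots:
  0: luks2
  1: luks2
  2: reencrypt (unbound)'
CLEAN_DUMP='LUKS header information
Version:        2
Flags:          (no flags)

Keyslots:
  0: luks2'
```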
* Re: [dm-crypt] Some Q&A about LUKS2 reencryption
From: Arno Wagner @ 2020-04-27 14:25 UTC (permalink / raw)
To: Ondrej Kozina; +Cc: dm-crypt
Hi Ondrej,
thanks. Added somewhat streamlined and edited to fit the format
of the FAQ better. Do you want to be listed under "Contributors"?
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] Some Q&A about LUKS2 reencryption
From: Ondrej Kozina @ 2020-04-27 15:27 UTC (permalink / raw)
To: dm-crypt; +Cc: arno
On 4/27/20 4:25 PM, Arno Wagner wrote:
> Hi Ondrej,
>
> thanks. Added somewhat streamlined and edited to fit the format
> of the FAQ better. Do you want to be listed under "Contributors"?
Thank you!
I do not insist on being added. At least not until I make myself write
up a reasonably good FAQ section for LUKS2 reencryption. Let's keep me
motivated!
O.
* Re: [dm-crypt] Some Q&A about LUKS2 reencryption
From: Arno Wagner @ 2020-04-27 17:05 UTC (permalink / raw)
To: dm-crypt
Excellent, we will do it that way!
Regards,
Arno