ceph-volume: honour osd_dmcrypt_key_size option
ceph-volume doesn't honour osd_dmcrypt_key_size.
It means the default size is always applied.

It also changes the default value in `get_key_size_from_conf()`

From cryptsetup manpage:

> For XTS mode you can optionally set a key size of 512 bits with the -s option.

Using more than 512 bits results in the following error message:

```
Key size in XTS mode must be 256 or 512 bits.
```

Fixes: https://tracker.ceph.com/issues/54006

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
guits committed Feb 10, 2022
1 parent f5b79d7 commit 47c3317
Showing 2 changed files with 51 additions and 24 deletions.
41 changes: 28 additions & 13 deletions src/ceph-volume/ceph_volume/tests/util/test_encryption.py
@@ -1,5 +1,31 @@
from ceph_volume.util import encryption
import base64

class TestGetKeySize(object):
def test_get_size_from_conf_default(self, conf_ceph_stub):
conf_ceph_stub('''
[global]
fsid=asdf
''')
assert encryption.get_key_size_from_conf() == '512'

def test_get_size_from_conf_custom(self, conf_ceph_stub):
conf_ceph_stub('''
[global]
fsid=asdf
[osd]
osd_dmcrypt_key_size=256
''')
assert encryption.get_key_size_from_conf() == '256'

def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
conf_ceph_stub('''
[global]
fsid=asdf
[osd]
osd_dmcrypt_key_size=1024
''')
assert encryption.get_key_size_from_conf() == '512'

class TestStatus(object):

Expand Down Expand Up @@ -37,17 +63,6 @@ def test_mapper_does_not_exist(self, fake_run):

class TestDmcryptKey(object):

def test_dmcrypt_with_default_size(self, conf_ceph_stub):
conf_ceph_stub('[global]\nfsid=asdf-lkjh')
result = encryption.create_dmcrypt_key()
assert len(result) == 172

def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
conf_ceph_stub('''
[global]
fsid=asdf
[osd]
osd_dmcrypt_size=8
''')
def test_dmcrypt(self):
result = encryption.create_dmcrypt_key()
assert len(result) == 172
assert len(base64.b64decode(result)) == 128
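Review bot: The new tests pin the value returned by get_key_size_from_conf(), but nothing in this section checks that the value actually reaches the cryptsetup command line, which is the behaviour the commit sets out to fix; unless such a test exists elsewhere in the file, a case that stubs run and asserts `'--key-size', '256'` is present in the argument list built by luks_format and luks_open would guard the fix against regression. The removed custom-size test used `osd_dmcrypt_size`, a name that never matched the option, which is presumably why the ignored setting went unnoticed. The invalid-value test in the first hunk only asserts the fallback value; asserting that a warning is logged (for example via the caplog fixture) would cover that branch fully.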
34 changes: 23 additions & 11 deletions src/ceph-volume/ceph_volume/util/encryption.py
Expand Up @@ -9,21 +9,29 @@

logger = logging.getLogger(__name__)


def create_dmcrypt_key():
def get_key_size_from_conf():
"""
Create the secret dm-crypt key used to decrypt a device.
Return the osd dmcrypt key size from config file.
Default is 512.
"""
# get the customizable dmcrypt key size (in bits) from ceph.conf fallback
# to the default of 1024
dmcrypt_key_size = conf.ceph.get_safe(
default_key_size = '512'
key_size = conf.ceph.get_safe(
'osd',
'osd_dmcrypt_key_size',
default=1024,
)
# The size of the key is defined in bits, so we must transform that
# value to bytes (dividing by 8) because we read in bytes, not bits
random_string = os.urandom(int(dmcrypt_key_size / 8))
default='512')

if key_size not in ['256', '512']:
logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
"Falling back to {}bits".format(key_size, default_key_size)))
return default_key_size

return key_size

def create_dmcrypt_key():
"""
Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
"""
random_string = os.urandom(128)
key = base64.b64encode(random_string).decode('utf-8')
return key

Expand All @@ -38,6 +46,8 @@ def luks_format(key, device):
command = [
'cryptsetup',
'--batch-mode', # do not prompt
'--key-size',
get_key_size_from_conf(),
'--key-file', # misnomer, should be key
'-', # because we indicate stdin for the key here
'luksFormat',
Expand Down Expand Up @@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
"""
command = [
'cryptsetup',
'--key-size',
get_key_size_from_conf(),
'--key-file',
'-',
'--allow-discards', # allow discards (aka TRIM) requests for device
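Review bot: get_key_size_from_conf validates the configured value with `key_size not in ['256', '512']`, a plain string comparison on whatever conf.ceph.get_safe returns, so a value written with surrounding whitespace (or returned as an int, should that parser ever do so) would be rejected and quietly replaced by the default with only a warning to show for it; normalising first, `key_size = str(key_size).strip()`, before the membership check would confine the fallback to genuinely unsupported sizes. The docstring could also say why only those two values are accepted: cryptsetup requires 256 or 512 bits for aes-xts (AES-128 and AES-256 respectively), so the fallback to 512 is the stronger of the two and that trade-off is worth stating for operators. luks_format and luks_open, which now pass the value to cryptsetup, start outside their hunks.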
