feat: expose more encryption options to the machine config

Fixes: #3606

Signed-off-by: Artem Chernyshev <artem.0xD2@gmail.com>

go.mod

@@ -71,7 +71,7 @@ require (
 	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
 	github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e
-	github.com/talos-systems/go-blockdevice v0.2.1
+	github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7
 	github.com/talos-systems/go-cmd v0.1.0
 	github.com/talos-systems/go-debug v0.2.1
 	github.com/talos-systems/go-kmsg v0.1.1

go.sum

@@ -1143,8 +1143,8 @@ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e h1:7mNVNvTTRA7mqflb/34iSJrimISfRErruMyptRAGWkg=
 github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e/go.mod h1:xaNCB2/Bxaj+qrkdeodhRv5eKQVvKOGBBMj58MrIPY8=
-github.com/talos-systems/go-blockdevice v0.2.1 h1:swoY5NcssuMgdCf/dlMngNDgEAasGp2jviPqAz9Epss=
-github.com/talos-systems/go-blockdevice v0.2.1/go.mod h1:qnn/zDc09I1DA2BUDDCOSA2D0P8pIDjN8pGiRoRaQig=
+github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7 h1:v9ReoqKCN1yGp+i8ZHwhUzeMXQ4OpV+F71Vpp/itdAQ=
+github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7/go.mod h1:qnn/zDc09I1DA2BUDDCOSA2D0P8pIDjN8pGiRoRaQig=
 github.com/talos-systems/go-cmd v0.0.0-20210216164758-68eb0067e0f0/go.mod h1:kf+rZzTEmlDiYQ6ulslvRONnKLQH8x83TowltGMhO+k=
 github.com/talos-systems/go-cmd v0.1.0 h1:bqPeL0ksproFyTOlvMisdUXc7uAf0aqJ5Q6waSGv32s=
 github.com/talos-systems/go-cmd v0.1.0/go.mod h1:kf+rZzTEmlDiYQ6ulslvRONnKLQH8x83TowltGMhO+k=

internal/pkg/encryption/encryption.go

@@ -36,8 +36,28 @@ func NewHandler(device *blockdevice.BlockDevice, partition *gpt.Partition, encry
 			return nil, err
 		}
 
+		opts := []luks.Option{}
+		if encryptionConfig.KeySize() != 0 {
+			opts = append(opts, luks.WithKeySize(encryptionConfig.KeySize()))
+		}
+
+		if encryptionConfig.BlockSize() != 0 {
+			opts = append(opts, luks.WithBlockSize(encryptionConfig.BlockSize()))
+		}
+
+		if encryptionConfig.Options() != nil {
+			for _, opt := range encryptionConfig.Options() {
+				if err = luks.ValidatePerfOption(opt); err != nil {
+					return nil, err
+				}
+			}
+
+			opts = append(opts, luks.WithPerfOptions(encryptionConfig.Options()...))
+		}
+
 		provider = luks.New(
 			cipher,
+			opts...,
 		)
 	default:
 		return nil, fmt.Errorf("unknown encryption kind %s", encryptionConfig.Kind())

pkg/machinery/config/provider.go

@@ -393,6 +393,9 @@ type EncryptionKeyNodeID interface{}
 type Encryption interface {
 	Kind() string
 	Cipher() string
+	KeySize() uint
+	BlockSize() uint64
+	Options() []string
 	Keys() []EncryptionKey
 }
 

pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go

@@ -1023,6 +1023,21 @@ func (e *EncryptionConfig) Cipher() string {
 	return e.EncryptionCipher
 }
 
+// KeySize implements the config.Provider interface.
+func (e *EncryptionConfig) KeySize() uint {
+	return e.EncryptionKeySize
+}
+
+// BlockSize implements the config.Provider interface.
+func (e *EncryptionConfig) BlockSize() uint64 {
+	return e.EncryptionBlockSize
+}
+
+// Options implements the config.Provider interface.
+func (e *EncryptionConfig) Options() []string {
+	return e.EncryptionPerfOptions
+}
+
 // Keys implements the config.Provider interface.
 func (e *EncryptionConfig) Keys() []config.EncryptionKey {
 	keys := make([]config.EncryptionKey, len(e.EncryptionKeys))

pkg/machinery/config/types/v1alpha1/v1alpha1_types.go

@@ -1401,6 +1401,15 @@ type EncryptionConfig struct {
 	//     Cipher kind to use for the encryption.
 	//     Depends on the encryption provider.
 	EncryptionCipher string `yaml:"cipher,omitempty"`
+	//   description: >
+	//     Defines the encryption key length.
+	EncryptionKeySize uint `yaml:"keySize,omitempty"`
+	//   description: >
+	//     Defines the encryption sector size.
+	EncryptionBlockSize uint64 `yaml:"blockSize,omitempty"`
+	//   description: >
+	//     Additional --perf parameters for the LUKS2 encryption.
+	EncryptionPerfOptions []string `yaml:"options,omitempty"`
 }
 
 // EncryptionKey represents configuration for disk encryption key.
@@ -1412,7 +1421,7 @@ type EncryptionKey struct {
 	//     Deterministically generated key from the node UUID and PartitionLabel.
 	KeyNodeID *EncryptionKeyNodeID `yaml:"nodeID,omitempty"`
 	//   description: >
-	//     Key slot number for luks2 encryption.
+	//     Key slot number for LUKS2 encryption.
 	KeySlot int `yaml:"slot"`
 }
 

pkg/machinery/go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e
-	github.com/talos-systems/go-blockdevice v0.2.1
+	github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7
 	github.com/talos-systems/net v0.3.0
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f

pkg/machinery/go.sum

@@ -155,8 +155,8 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e h1:7mNVNvTTRA7mqflb/34iSJrimISfRErruMyptRAGWkg=
 github.com/talos-systems/crypto v0.3.2-0.20210707205149-deec8d47700e/go.mod h1:xaNCB2/Bxaj+qrkdeodhRv5eKQVvKOGBBMj58MrIPY8=
-github.com/talos-systems/go-blockdevice v0.2.1 h1:swoY5NcssuMgdCf/dlMngNDgEAasGp2jviPqAz9Epss=
-github.com/talos-systems/go-blockdevice v0.2.1/go.mod h1:qnn/zDc09I1DA2BUDDCOSA2D0P8pIDjN8pGiRoRaQig=
+github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7 h1:v9ReoqKCN1yGp+i8ZHwhUzeMXQ4OpV+F71Vpp/itdAQ=
+github.com/talos-systems/go-blockdevice v0.2.2-0.20210726200452-c34b59fb33a7/go.mod h1:qnn/zDc09I1DA2BUDDCOSA2D0P8pIDjN8pGiRoRaQig=
 github.com/talos-systems/go-cmd v0.0.0-20210216164758-68eb0067e0f0/go.mod h1:kf+rZzTEmlDiYQ6ulslvRONnKLQH8x83TowltGMhO+k=
 github.com/talos-systems/go-retry v0.1.1-0.20201113203059-8c63d290a688/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=
 github.com/talos-systems/go-retry v0.3.1/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=

website/content/docs/v0.12/Reference/configuration.md

@@ -702,7 +702,7 @@ systemDiskEncryption:
         keys:
             - # Deterministically generated key from the node UUID and PartitionLabel.
               nodeID: {}
-              slot: 0 # Key slot number for luks2 encryption.
+              slot: 0 # Key slot number for LUKS2 encryption.
 ```
 
 
@@ -3294,6 +3294,45 @@ Cipher kind to use for the encryption. Depends on the encryption provider.
 
 <hr />
 
+<div class="dd">
+
+<code>keySize</code>  <i>uint</i>
+
+</div>
+<div class="dt">
+
+Defines the encryption key length.
+
+</div>
+
+<hr />
+
+<div class="dd">
+
+<code>blockSize</code>  <i>uint64</i>
+
+</div>
+<div class="dt">
+
+Defines the encryption sector size.
+
+</div>
+
+<hr />
+
+<div class="dd">
+
+<code>options</code>  <i>[]string</i>
+
+</div>
+<div class="dt">
+
+Additional --perf parameters for the LUKS2 encryption.
+
+</div>
+
+<hr />
+
 
 
 
@@ -3343,7 +3382,7 @@ Deterministically generated key from the node UUID and PartitionLabel.
 </div>
 <div class="dt">
 
-Key slot number for luks2 encryption.
+Key slot number for LUKS2 encryption.
 
 </div>
 
@@ -4980,7 +5019,7 @@ ephemeral:
     keys:
         - # Deterministically generated key from the node UUID and PartitionLabel.
           nodeID: {}
-          slot: 0 # Key slot number for luks2 encryption.
+          slot: 0 # Key slot number for LUKS2 encryption.
 ```
 
 <hr />