[Libguestfs] [PATCH common v2 3/3] options: Allow default --key parameters.

Richard W.M. Jones rjones at redhat.com
Tue Nov 26 22:15:18 UTC 2019


On Tue, Nov 26, 2019 at 11:09:01PM +0100, Fabien Dupont wrote:
> Hi Rich and Pino,
> 
> Commenting after a test. I've installed a RHEL 7 virtual machine with 2
> disks, using the graphical installer. During the installation, I selected
> the 2 disks as well as encryption checkbox. It asked me for only one
> password.
> After the installation, when the machine boots, it asks for the password
> (showing a device UUID) only once. When connected as root, I can see that
> there are indeed 2 encrypted partitions: /dev/sda2 and /dev/sdb1, which are
> used as LVM PVs.
> They both use the same encryption key, but the initramfs only prompts once,
> which is the behavior proposed by Rich.
> 
> So, I pushed the test a little more and added 2 disks to the virtual
> machine and manually configured LUKS (luksFormat, etc.), with the same
> passphrase, but different from the one provided during the installation.
> I added the disks to /etc/crypttab and at boot I'm asked to provide 3
> passphrases: 1 for the initial devices and 1 per additional disk. This is
> similar to Pino's fully deterministic approach.
> I then realized that I had encrypted the whole device, while the
> installation had created partitions. So, I added 2 other disks and
> partitioned them and encrypted them with the same passphrase, but a 3rd
> one. This time, I'm asked for 5 passphrases, confirming that it doesn't try
> the passphrase against more than one device.

You can change this behaviour by configuring a module called
decrypt_keyctl, at least on Debian hosts:

https://unix.stackexchange.com/questions/392284/using-a-single-passphrase-to-unlock-multiple-encrypted-disks-at-boot

> But that doesn't explain why it asks for only one passphrase for the
> initial devices. The LVM VG is configured with 2 PVs: /dev/sda2 and
> /dev/sdb1. Maybe it's considered as a single unit. I would need to dig
> deeper, but it's late.
> So, the conclusion is that in the real world, we find both cases: 1 key for
> multiple devices with a single prompt, and 1 identical key for multiple
> devices with N prompts.
> 
> @Richard W.M. Jones <rjones at redhat.com>, do you think it's possible to add
> the ability to provide the UUID instead of /dev/sdxN ? We could document
> that the list of devices and UUIDs can be retrieved from lsblk and blkid.

Pino & I discussed this already and that's why the other thread about
SSA.  It requires some deeper changes, but Pino is looking into it.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
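As an added example, not from the original thread and not part of libguestfs, this is what the decrypt_keyctl setup Rich points to looks like in /etc/crypttab on a Debian-family host, written for the two devices from Fabien's test. The mapping names, the shared key identifier `cryptkey` and the exact option set are assumptions; confirm them against the README.keyctl shipped with cryptsetup-initramfs on the release in question.

```text
# /etc/crypttab  (added example; mapping names and identifier are assumed)
#
# The third column is normally a key file. With keyscript=decrypt_keyctl it
# becomes the identifier under which the typed passphrase is cached in the
# kernel keyring, so every entry that uses the same identifier is unlocked
# after a single prompt. Entries with different identifiers still get their
# own prompt, which is the per-device behaviour Fabien saw with plain
# crypttab entries.
sda2_crypt  /dev/sda2  cryptkey  luks,keyscript=decrypt_keyctl,initramfs
sdb1_crypt  /dev/sdb1  cryptkey  luks,keyscript=decrypt_keyctl,initramfs
```

After editing the file, regenerate the initramfs (`update-initramfs -u`) so the keyscript and both entries are included in early boot. Devices that must not share a passphrase should be given a distinct identifier in the third column rather than left without a keyscript, so the prompting policy stays explicit in one place.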