[Libguestfs] [PATCH common v2 3/3] options: Allow default --key parameters.
Richard W.M. Jones
rjones at redhat.com
Tue Nov 26 22:15:18 UTC 2019
On Tue, Nov 26, 2019 at 11:09:01PM +0100, Fabien Dupont wrote:
> Hi Rich and Pino,
>
> Commenting after a test. I've installed a RHEL 7 virtual machine with 2
> disks, using the graphical installer. During the installation, I selected
> the 2 disks as well as encryption checkbox. It asked me for only one
> password.
> After the installation, when the machine boots, it asks for the password
> (showing a device UUID) only once. When connected as root, I can see that
> there are indeed 2 encrypted partitions: /dev/sda2 and /dev/sdb1, which are
> used as LVM PVs.
> They both use the same encryption key, but the initramfs only prompts once,
> which is the behavior proposed by Rich.
>
> So, I pushed the test a little more and added 2 disks to the virtual
> machine and manually configured LUKS (luksFormat, etc...), with the same
> passphrase, but different from the one provided during the installation.
> I added the disks to /etc/crypttab and at boot I'm asked to provide 3
> passphrases: 1 for the initial devices and 1 per additional disk. This is
> similar to Pino's fully deterministic approach.
> I then realized that I had encrypted the whole device, while the
> installation had created partitions. So, I added 2 other disks and
> partitioned them and encrypted them with the same passphrase, but a 3rd
> one. This time, I'm asked for 5 passphrases, confirming that it doesn't try
> the passphrase against more than one device.

You can change this behaviour by configuring a module called
decrypt_keyctl, at least on Debian hosts:
https://unix.stackexchange.com/questions/392284/using-a-single-passphrase-to-unlock-multiple-encrypted-disks-at-boot

> But that doesn't explain why it asks for only one passphrase for the
> initial devices. The LVM VG is configured with 2 PVs: /dev/sda2 and
> /dev/sdb1. Maybe it's considered as a single unit. I would need to dig
> deeper, but it's late.
> So, the conclusion is that in the real world, we find both cases: 1 key for
> multiple devices with a single prompt, and 1 identical key for multiple
> devices with N prompts.
>
> @Richard W.M. Jones <rjones at redhat.com>, do you think it's possible to add
> the ability to provide the UUID instead of /dev/sdxN ? We could document
> that the list of devices and UUIDs can be retrieved from lsblk and blkid.

Pino & I discussed this already and that's why there's the other thread about
SSA. It requires some deeper changes, but Pino is looking into it.

Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
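The behaviour the thread is circling, one supplied key tried against every LUKS container rather than one prompt per container, written out as an added example using the libguestfs Python bindings. This is not code from the libguestfs project or from the patch under discussion. It assumes the `--key` selector forms `ID:key:KEY` and `ID:file:FILENAME`, an assumed device-less form `key:KEY` / `file:FILENAME` standing in for a default key, and an assumed match of the selector ID against the LUKS UUID (what Fabien asks for). The `guestfs` calls used (`list_devices`, `list_partitions`, `vfs_type`, `luks_uuid`, `luks_open`, `vg_activate_all`) are real API, but a guest image is needed to exercise them; the selector and key-ordering helpers are pure Python and run stand-alone.

```python
"""Try every supplied LUKS key against every encrypted device of a guest image.

Added example, not libguestfs project code.  Assumed selector grammar:
  ID:key:KEY, ID:file:FILENAME   (real --key forms; ID is a device name,
                                 and here, by assumption, also a LUKS UUID)
  key:KEY, file:FILENAME         (assumed spelling of a default key, tried
                                 on every LUKS device that has no match)
"""
import sys

try:
    import guestfs  # python3-libguestfs; only needed for the live run in main()
except ImportError:
    guestfs = None  # the pure helpers below still work without it


def parse_key_selector(selector):
    """Parse one --key selector into (device_id, secret); device_id None = default."""
    parts = selector.split(":", 2)
    if len(parts) < 2:
        raise ValueError("bad --key selector: %r" % selector)
    if parts[0] in ("key", "file"):
        # Assumed default form: no device id, everything after the first ':' is the value,
        # so a secret may itself contain ':' (device names are /dev/..., never "key").
        device_id, kind, value = None, parts[0], selector.split(":", 1)[1]
    elif len(parts) == 3:
        device_id, kind, value = parts  # only the first two ':' are separators
    else:
        raise ValueError("bad --key selector: %r" % selector)
    if kind == "key":
        return device_id, value
    if kind == "file":
        with open(value) as fh:
            # Assumption: a single trailing newline left by an editor is not part of the key.
            return device_id, fh.read().rstrip("\n")
    raise ValueError("bad --key selector: %r" % selector)


def keys_for_device(device, uuid, selectors):
    """Candidate secrets for one LUKS container, most specific first, no repeats.

    Keys bound to this device (by libguestfs device name or, by assumption,
    by LUKS UUID) come first, then every default key.
    """
    specific, defaults = [], []
    for device_id, secret in selectors:
        if device_id is None:
            defaults.append(secret)
        elif device_id in (device, uuid):
            specific.append(secret)
    seen, ordered = set(), []
    for secret in specific + defaults:
        if secret not in seen:
            seen.add(secret)
            ordered.append(secret)
    return ordered


def open_luks_devices(g, selectors, activate_lvm=True):
    """Open every LUKS container visible in the launched handle g.

    Whole disks and partitions are both checked, as Fabien's test used both.
    A key that fails on one container is simply tried on the next, which is
    the "one key, many devices, one prompt" behaviour discussed above.
    Returns {device: mapper path} for the containers that opened.
    """
    opened = {}
    for n, dev in enumerate(g.list_devices() + g.list_partitions()):
        if g.vfs_type(dev) != "crypto_LUKS":
            continue
        uuid = g.luks_uuid(dev)
        mapname = "luks%d" % n
        for secret in keys_for_device(dev, uuid, selectors):
            try:
                g.luks_open(dev, secret, mapname)
            except RuntimeError:
                continue  # wrong key for this container, try the next candidate
            opened[dev] = "/dev/mapper/" + mapname
            break
        else:
            print("no supplied key opened %s (UUID %s)" % (dev, uuid), file=sys.stderr)
    if opened and activate_lvm:
        g.vg_activate_all(True)  # the LVM PVs live inside the containers just opened
    return opened


def main(argv):
    if guestfs is None or len(argv) < 3:
        print("usage: %s DISK.img SELECTOR..." % argv[0], file=sys.stderr)
        return 2
    selectors = [parse_key_selector(s) for s in argv[2:]]
    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(argv[1], readonly=1)  # read-only: inspection only, guest is never modified
    g.launch()
    for dev, mapped in sorted(open_luks_devices(g, selectors).items()):
        print("%s -> %s" % (dev, mapped))
    g.shutdown()
    g.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 luks_keys.py guest.img /dev/sda2:key:SECRET key:SECRET` against a disk image with several containers; the per-device selector wins for `/dev/sda2`, and the default is offered to every other container, so a passphrase shared by five containers is supplied once on the command line rather than five times. A key that opens nothing is reported per device, which is also the quickest way to spot a container that is not actually using the passphrase you think it is.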