¿ù°£ Àα⠰Խù°

°Ô½Ã¹° 715°Ç
   
LUKS encryption > º¹È£È­
±Û¾´ÀÌ : ÃÖ°í°ü¸®ÀÚ ³¯Â¥ : 2023-06-08 (¸ñ) 16:47 Á¶È¸ : 712
                                
https://serverfault.com/questions/1052979/luks-encryption-for-mounted-disk-how-to-decrypt-cinder-volume



0

Thanks to Lee Yarwood, I was able to decrypt my volume. So I'm just posting a solution, how it can be done:

Description:

As an admin, you would like to decrypt volume, which is attached to compute node and check, that your barbican secret key is correct(i.e. customer is saying, that barbican secret key doesn't work). This procedure describes, how you can simply test it.

Starting point:

Volume is encrypted and attached to an instance(instance has to be shutdown to make qemu commands operational). Our volume id is: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3

Procedure:

Login to a compute node which is hosting your instance. List volumes attached to your instance:

[TEST]root@comp-09:/home/jwasilewski# virsh domblklist ec9081e4-e1e4-40a2-bf8c-c87c14b79d5a
Target     Source
------------------------------------------------
vda        /dev/dm-29
vdb        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89

In our case vdb volume is encrypted one. We can check it by qemu-img command:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
image: /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
file format: luks
virtual size: 20G (21472739328 bytes)
disk size: 0
encrypted: yes
Format specific information:
    ivgen alg: plain64
    hash alg: sha256
    cipher alg: aes-256
    uuid: 009f60f7-e871-4eac-88da-b274e80eb247
    cipher mode: xts
    slots:
        [0]:
            active: true
            iters: 900838
            key offset: 4096
            stripes: 4000
        [1]:
            active: false
            key offset: 262144
        [2]:
            active: false
            key offset: 520192
        [3]:
            active: false
            key offset: 778240
        [4]:
            active: false
            key offset: 1036288
        [5]:
            active: false
            key offset: 1294336
        [6]:
            active: false
            key offset: 1552384
        [7]:
            active: false
            key offset: 1810432
    payload offset: 2097152
    master key iters: 56302

We would like to decrypt the volume. We need to retrieve symmetric key which is allocated to this volume from barbican. We need to find a secret store associated with our volume, so we have to login to OpenStack database and execute:

mysql> select * from volumes where id = 'ca8da832-a88d-4f91-ab2d-2bd3efbca4a3'\G
*************************** 1. row ***************************
                 created_at: 2021-02-12 13:41:40
                 updated_at: 2021-02-17 12:33:34
                 deleted_at: NULL
                    deleted: 0
                         id: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3
                     ec2_id: NULL
                    user_id: 0d63c8861a124f4fbebe4170a9d59e61
                 project_id: 175e079b3aef47a38da16d125863fd9d
                       host: cinder-01@huawei_backend#StoragePool001
                       size: 20
          availability_zone: nova
                     status: in-use
              attach_status: attached
               scheduled_at: 2021-02-12 13:41:40
                launched_at: 2021-02-12 13:41:42
              terminated_at: NULL
               display_name: encrypted-volume
        display_description:
          provider_location: {"huawei_sn": "2102352VVA10L2000001", "huawei_lun_id": "14985", "huawei_lun_wwn": "6e00084100ee7e7e7fe79b5900003a89"}
              provider_auth: NULL
                snapshot_id: NULL
             volume_type_id: 3129bdc2-6162-4729-9eab-d0c97db2335a
               source_volid: NULL
                   bootable: 0
          provider_geometry: NULL
                   _name_id: NULL
          encryption_key_id: b13d2017-e3e5-4f5f-a836-918ec130dc0a
           migration_status: NULL
         replication_status: disabled
replication_extended_status: NULL
    replication_driver_data: NULL
        consistencygroup_id: NULL
                provider_id: NULL
                multiattach: 0
            previous_status: NULL
               cluster_name: NULL
                   group_id: NULL
               service_uuid: 674de52f-1c9a-402f-88c9-6b79c91a4249
             shared_targets: 1
1 row in set (0.00 sec)

So encryption_key_id is our value which we were looking for. Then we can simply get our secret store:

[TEST]root@zabbix-1:~# openstack secret get http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a
+---------------+----------------------------------------------------------------------------------------+
| Field         | Value                                                                                  |
+---------------+----------------------------------------------------------------------------------------+
| Secret href   | http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a |
| Name          | None                                                                                   |
| Created       | 2021-02-12T13:41:39+00:00                                                              |
| Status        | ACTIVE                                                                                 |
| Content types | {u'default': u'application/octet-stream'}                                              |
| Algorithm     | aes                                                                                    |
| Bit length    | 512                                                                                    |
| Secret type   | symmetric                                                                              |
| Mode          | None                                                                                   |
| Expiration    | None                                                                                   |
+---------------+----------------------------------------------------------------------------------------+

And of course encryption key, by command(we will save it to file my_symmetric_key.key):

barbican secret get --payload_content_type application/octet-stream http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a --file my_symmetric_key.key

We need to transfer symmetric key to passphrase then:

[TEST]root@barbican-01:/var/log/barbican# hexdump -e '16/1 "%02x"' my_symmetric_key.key

Output is our LUKS Passphrase. We can go to our compute node and decrypt a volume:

[TEST]root@comp-09:/home/jwasilewski# cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89 my-encrypted-volume-decrypted
Enter passphrase for /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89:

Then we can confirm, that our volume is decrypted:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/mapper/my-encrypted-volume-decrypted
image: /dev/mapper/my-encrypted-volume-decrypted
file format: raw
virtual size: 20G (21472739328 bytes)
disk size: 0

That's all


À̸§ Æнº¿öµå
ºñ¹Ð±Û (üũÇÏ¸é ±Û¾´À̸¸ ³»¿ëÀ» È®ÀÎÇÒ ¼ö ÀÖ½À´Ï´Ù.)
¿ÞÂÊÀÇ ±ÛÀÚ¸¦ ÀÔ·ÂÇϼ¼¿ä.
   

 



 
»çÀÌÆ®¸í : ¸ðÁö¸®³× | ´ëÇ¥ : ÀÌ°æÇö | °³ÀÎÄ¿¹Â´ÏƼ : ·©Å°´åÄÄ ¿î¿µÃ¼Á¦(OS) | °æ±âµµ ¼º³²½Ã ºÐ´ç±¸ | ÀüÀÚ¿ìÆí : mojily°ñ¹ðÀÌchonnom.com Copyright ¨Ï www.chonnom.com www.kyunghyun.net www.mojily.net. All rights reserved.