LUKS encryption > Decryption
Author : Administrator   Date : 2023-06-08 (Thu) 16:47   Views : 710
                                
https://serverfault.com/questions/1052979/luks-encryption-for-mounted-disk-how-to-decrypt-cinder-volume

Thanks to Lee Yarwood, I was able to decrypt my volume. So I'm just posting a solution for how it can be done:

Description:

As an admin, you would like to decrypt a volume that is attached to a compute node and check that your Barbican secret key is correct (i.e. a customer is saying that the Barbican secret key doesn't work). This procedure describes how you can simply test it.

Starting point:

The volume is encrypted and attached to an instance (the instance has to be shut down to make the qemu commands operational). Our volume id is: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3

Procedure:

Log in to the compute node that is hosting your instance and list the volumes attached to your instance:

[TEST]root@comp-09:/home/jwasilewski# virsh domblklist ec9081e4-e1e4-40a2-bf8c-c87c14b79d5a
Target     Source
------------------------------------------------
vda        /dev/dm-29
vdb        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89

In our case the vdb volume is the encrypted one. We can check it with the qemu-img command:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
image: /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
file format: luks
virtual size: 20G (21472739328 bytes)
disk size: 0
encrypted: yes
Format specific information:
    ivgen alg: plain64
    hash alg: sha256
    cipher alg: aes-256
    uuid: 009f60f7-e871-4eac-88da-b274e80eb247
    cipher mode: xts
    slots:
        [0]:
            active: true
            iters: 900838
            key offset: 4096
            stripes: 4000
        [1]:
            active: false
            key offset: 262144
        [2]:
            active: false
            key offset: 520192
        [3]:
            active: false
            key offset: 778240
        [4]:
            active: false
            key offset: 1036288
        [5]:
            active: false
            key offset: 1294336
        [6]:
            active: false
            key offset: 1552384
        [7]:
            active: false
            key offset: 1810432
    payload offset: 2097152
    master key iters: 56302

We would like to decrypt the volume. We need to retrieve the symmetric key allocated to this volume from Barbican. We need to find the secret store associated with our volume, so we have to log in to the OpenStack database and execute:

mysql> select * from volumes where id = 'ca8da832-a88d-4f91-ab2d-2bd3efbca4a3'\G
*************************** 1. row ***************************
                 created_at: 2021-02-12 13:41:40
                 updated_at: 2021-02-17 12:33:34
                 deleted_at: NULL
                    deleted: 0
                         id: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3
                     ec2_id: NULL
                    user_id: 0d63c8861a124f4fbebe4170a9d59e61
                 project_id: 175e079b3aef47a38da16d125863fd9d
                       host: cinder-01@huawei_backend#StoragePool001
                       size: 20
          availability_zone: nova
                     status: in-use
              attach_status: attached
               scheduled_at: 2021-02-12 13:41:40
                launched_at: 2021-02-12 13:41:42
              terminated_at: NULL
               display_name: encrypted-volume
        display_description:
          provider_location: {"huawei_sn": "2102352VVA10L2000001", "huawei_lun_id": "14985", "huawei_lun_wwn": "6e00084100ee7e7e7fe79b5900003a89"}
              provider_auth: NULL
                snapshot_id: NULL
             volume_type_id: 3129bdc2-6162-4729-9eab-d0c97db2335a
               source_volid: NULL
                   bootable: 0
          provider_geometry: NULL
                   _name_id: NULL
          encryption_key_id: b13d2017-e3e5-4f5f-a836-918ec130dc0a
           migration_status: NULL
         replication_status: disabled
replication_extended_status: NULL
    replication_driver_data: NULL
        consistencygroup_id: NULL
                provider_id: NULL
                multiattach: 0
            previous_status: NULL
               cluster_name: NULL
                   group_id: NULL
               service_uuid: 674de52f-1c9a-402f-88c9-6b79c91a4249
             shared_targets: 1
1 row in set (0.00 sec)

So encryption_key_id is the value we were looking for. Then we can simply get our secret store:

[TEST]root@zabbix-1:~# openstack secret get http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a
+---------------+----------------------------------------------------------------------------------------+
| Field         | Value                                                                                  |
+---------------+----------------------------------------------------------------------------------------+
| Secret href   | http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a |
| Name          | None                                                                                   |
| Created       | 2021-02-12T13:41:39+00:00                                                              |
| Status        | ACTIVE                                                                                 |
| Content types | {u'default': u'application/octet-stream'}                                              |
| Algorithm     | aes                                                                                    |
| Bit length    | 512                                                                                    |
| Secret type   | symmetric                                                                              |
| Mode          | None                                                                                   |
| Expiration    | None                                                                                   |
+---------------+----------------------------------------------------------------------------------------+

And of course the encryption key, with this command (we will save it to the file my_symmetric_key.key):

barbican secret get --payload_content_type application/octet-stream http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a --file my_symmetric_key.key

Then we need to convert the symmetric key into a passphrase:

[TEST]root@barbican-01:/var/log/barbican# hexdump -e '16/1 "%02x"' my_symmetric_key.key

The output is our LUKS passphrase. We can go to our compute node and decrypt the volume:

[TEST]root@comp-09:/home/jwasilewski# cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89 my-encrypted-volume-decrypted
Enter passphrase for /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89:

Then we can confirm that our volume is decrypted:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/mapper/my-encrypted-volume-decrypted
image: /dev/mapper/my-encrypted-volume-decrypted
file format: raw
virtual size: 20G (21472739328 bytes)
disk size: 0

That's all.
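As an added example (not part of the original answer or of any OpenStack project), the Python script below does the same key-to-passphrase conversion as the hexdump command above and then checks that passphrase against the LUKS header with cryptsetup open --test-passphrase, which validates the key without mapping the decrypted device. The key file and device paths are command-line assumptions; SAMPLE_KEY is a constructed placeholder, not a real volume key.

```python
"""Check a Cinder volume's Barbican key against the volume's LUKS header.
Added example, not from the original answer: the raw secret bytes are
hex-encoded to form the LUKS passphrase, exactly as the page's hexdump does."""
import binascii
import shutil
import subprocess
import sys
from pathlib import Path

EXPECTED_KEY_BITS = 512  # aes-256 in XTS mode uses two 256-bit halves

# Constructed placeholder key for demonstration, not a real volume key.
SAMPLE_KEY = bytes(range(64))


def key_to_luks_passphrase(key: bytes) -> str:
    """Return the lowercase hex of the raw key; that string is the passphrase."""
    if len(key) * 8 != EXPECTED_KEY_BITS:
        raise ValueError(f"expected {EXPECTED_KEY_BITS}-bit key, got {len(key) * 8} bits")
    return binascii.hexlify(key).decode("ascii")


def check_passphrase(device: str, passphrase: str) -> bool:
    """Return True if the passphrase unlocks a key slot of the LUKS device.
    --test-passphrase validates without creating a /dev/mapper entry, so no
    plaintext is exposed. --key-file=- reads stdin verbatim, so no trailing
    newline may be sent (it would become part of the passphrase)."""
    if shutil.which("cryptsetup") is None:
        raise RuntimeError("cryptsetup is not installed")
    result = subprocess.run(
        ["cryptsetup", "open", "--test-passphrase", "--key-file=-", device],
        input=passphrase.encode("ascii"),
        capture_output=True,
        check=False,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Usage: check_luks_key.py my_symmetric_key.key /dev/disk/by-id/wwn-0x...
    key_file, device = sys.argv[1], sys.argv[2]
    passphrase = key_to_luks_passphrase(Path(key_file).read_bytes())
    ok = check_passphrase(device, passphrase)
    print("Barbican key opens the LUKS header" if ok else "passphrase rejected")
    sys.exit(0 if ok else 1)
```

Run it as root on the compute node; a zero exit status confirms the Barbican key is the right one without ever creating a decrypted mapping.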


Site name : Mojirine | Representative : Lee Kyung-hyun | Personal community : Rankey.com Operating Systems (OS) | Bundang-gu, Seongnam-si, Gyeonggi-do | E-mail : mojily[at]chonnom.com Copyright © www.chonnom.com www.kyunghyun.net www.mojily.net. All rights reserved.