Public bug reported:
The CryptsetupEncryptor impl for volume encryption uses the cryptsetup
'plain' mode for encrypting the volumes.
When opening a volume it treats cipher and key_size as optional
parameters:
    cipher = kwargs.get("cipher", None)
    if cipher is not None:
        cmd.extend(["--cipher", cipher])
    key_size = kwargs.get("key_size", None)
    if key_size is not None:
        cmd.extend(["--key-size", key_size])
as a result, if those are not provided by the cinder API user, then it will rely
on the cryptsetup command's default settings. The cryptsetup defaults are
subject to change at the time it is built. If these settings ever change, then
Nova will be opening the volume with different settings from those used when first
encrypted. Because the 'plain' volume type has no metadata, you can't detect
this change in settings - you'll just silently be reading garbage data.
At the very least Nova should hardcode the defaults in its source to
guarantee that they can never silently change under its feet, causing
this corrupt data volume.
More generally though I think this impl should just be deleted and
everyone should use LUKS which is a better design wrt secure key
management.
** Affects: nova
Importance: Undecided
Status: New
** Affects: os-brick
Importance: Undecided
Status: New
** Also affects: os-brick
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1639221
Title:
'CryptsetupEncryptor' will silently enable corrupt data read if
cryptsetup defaults change
Status in OpenStack Compute (nova):
New
Status in os-brick:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1639221/+subscriptions
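The bug above has two practical halves: the command builder must always emit --cipher and --key-size so the on-disk parameters never depend on how the local binary was compiled, and an operator needs a way to notice when a new cryptsetup build ships different compiled-in defaults. The following is an added example illustrating both; it is not code from nova or os-brick. PINNED_CIPHER and PINNED_KEY_SIZE are assumed values (cryptsetup's documented plain-mode defaults at the time of writing; confirm them against `cryptsetup --help`, which prints the compiled-in defaults on the current host), SAMPLE_HELP and SAMPLE_HELP_CHANGED are constructed text modelled on that output, and the `cryptsetup open --type plain` command shape is the upstream CLI syntax rather than whatever invocation os-brick itself uses.

```python
"""Pin cryptsetup 'plain' parameters instead of inheriting build-time defaults.

Added example, not nova/os-brick code.  Assumptions are marked inline.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Assumed values to freeze in source.  They match cryptsetup's documented
# plain-mode defaults at the time of writing, but the whole point is that
# they must not be read from the binary at runtime: verify once against
# `cryptsetup --help` and then treat them as part of the data format.
PINNED_CIPHER = "aes-cbc-essiv:sha256"
PINNED_KEY_SIZE = 256  # bits


def build_open_cmd(device: str, mapped_name: str, key_file: str,
                   cipher: Optional[str] = None,
                   key_size: Optional[int] = None) -> List[str]:
    """Return a `cryptsetup open --type plain` command line.

    Unlike a builder that adds --cipher/--key-size only when the caller
    supplies them, this one always emits both, so the parameters on the
    command line are identical on every host regardless of how the local
    cryptsetup binary was compiled.  A 'plain' device carries no header, so
    this command line is the only record of how the data was encrypted.
    """
    cipher = cipher or PINNED_CIPHER
    key_size = key_size or PINNED_KEY_SIZE
    return [
        "cryptsetup", "open", "--type", "plain",
        "--cipher", cipher,
        "--key-size", str(key_size),   # subprocess needs str, not int
        "--key-file", key_file,
        device, mapped_name,
    ]


# Constructed text modelled on the "Default compiled-in device cipher
# parameters" section that `cryptsetup --help` prints.  Not real output.
SAMPLE_HELP = """\
Usage: cryptsetup [OPTION...] <action> <action-specific>

Default compiled-in device cipher parameters:
\tplain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
\tLUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256
"""

# Constructed: what a rebuilt binary with different defaults might report.
SAMPLE_HELP_CHANGED = SAMPLE_HELP.replace(
    "plain: aes-cbc-essiv:sha256, Key: 256 bits",
    "plain: aes-xts-plain64, Key: 512 bits")

_PLAIN_DEFAULTS_RE = re.compile(
    r"^\s*plain:\s*(?P<cipher>\S+),\s*Key:\s*(?P<bits>\d+)\s*bits",
    re.MULTILINE)


def parse_compiled_defaults(help_text: str) -> Dict[str, object]:
    """Extract the compiled-in plain-mode cipher and key size from --help text."""
    m = _PLAIN_DEFAULTS_RE.search(help_text)
    if not m:
        raise ValueError("plain-mode defaults not found in cryptsetup --help output")
    return {"cipher": m.group("cipher"), "key_size": int(m.group("bits"))}


def defaults_match_pinned(help_text: str) -> bool:
    """True if the binary's compiled-in defaults equal the pinned values.

    A mismatch is not itself a data-corruption condition once the builder
    above is in use (the pinned values are always passed explicitly); it is
    a warning that volumes opened by an older, defaults-relying builder on
    this host would now decrypt to garbage.
    """
    d = parse_compiled_defaults(help_text)
    return d["cipher"] == PINNED_CIPHER and d["key_size"] == PINNED_KEY_SIZE


def check_local_binary() -> bool:
    """Run the real `cryptsetup --help` and compare against the pinned values."""
    out = subprocess.run(["cryptsetup", "--help"], capture_output=True,
                         text=True, check=False).stdout
    return defaults_match_pinned(out)


if __name__ == "__main__":
    print(" ".join(build_open_cmd("/dev/sdb", "vol-1", "/run/vol-1.key")))
    print("pinned defaults match sample:", defaults_match_pinned(SAMPLE_HELP))
    print("pinned defaults match rebuilt:", defaults_match_pinned(SAMPLE_HELP_CHANGED))
```

The check only covers --cipher and --key-size, the two parameters the bug names; cryptsetup's compiled-in passphrase hash is a third build-time default that matters whenever a passphrase rather than a raw key file is used, and a deployment that hashes passphrases should pin --hash the same way.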
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp