-
Epic
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
[RFE] Support using key file to decryption the luks device
-
Incidents & Support
-
False
-
-
False
-
Not Selected
-
To Do
-
There is no way to decrypt the LUKS device that was encrypted with the binary key file. So the migration will fail.
Reproduce step:
- Create the Luks device by binary key-file on a VM:
# pvcreate /dev/sdb
# vgcreate testvg /dev/sdb
# lvcreate -l100%FREE -n testlv testvg
# dd if=/dev/urandom of=/root/my.key bs=6400 count=1
# cryptsetup luksFormat /dev/mapper/testvg-testlv /root/my.key
# cryptsetup luksOpen /dev/mapper/testvg-testlv luks-testlv --key-file /root/my.key
# mkfs -t xfs /dev/mapper/luks-testlv
# mkdir /mnt/luks
# mount /dev/mapper/luks-testlv /mnt/luks
# vi /etc/crypttab
luks-testlv /dev/mapper/testvg-testlv /root/my.key luks
- No way to migrate this kind of VM, because no way to enter this binary key-file. Even if changing the secret, still not works:
# oc create secret generic my-luks-key-secret --from-file=0=my.key # oc get plan test -o yaml | yq '.spec.vms' - id: vm-11003 luks: name: my-luks-key-secret name: rhel8-mtv
