Even after RHEL-83779, LUKS support for multiple keyslots is quite basic. If multiple keyslots are in use, only one of them is recreated, and even that one does not keep its properties. When the disk layout is being saved, ReaR prints "Warning: More than one luks2 keyslot found in 'cryptsetup luksDump /dev/vda3' output, will only consider the first keyslot during recovery". After recovery, the LUKS device looks like this:
    cryptsetup luksDump /dev/vda3
    LUKS header information
    Version:        2
    Epoch:          5
    Metadata area:  16384 [bytes]
    Keyslots area:  16744448 [bytes]
    UUID:           eef0808e-5f62-4560-a996-a5df9b7b9839
    Label:          (no label)
    Subsystem:      (no subsystem)
    Flags:          (no flags)

    Data segments:
      0: crypt
            offset: 16777216 [bytes]
            length: (whole device)
            cipher: aes-xts-plain64
            sector: 512 [bytes]

    Keyslots:
      1: luks2
            Key:        512 bits
            Priority:   normal
            Cipher:     aes-xts-plain64
            Cipher key: 512 bits
            PBKDF:      argon2id
            Time cost:  5
            Memory:     666144
            Threads:    2
            Salt:       d8 74 62 01 9a c6 d7 60 32 a5 8c cd 35 79 da 8a
                        89 89 b0 7a 55 ae 8d 4b df 20 6a 78 de 66 63 5f
            AF stripes: 4000
            AF hash:    sha256
            Area offset:290816 [bytes]
            Area length:258048 [bytes]
            Digest ID:  0
    Tokens:
    Digests:
      0: pbkdf2
            Hash:       sha256
            Iterations: 109409
            Salt:       c4 3d 6c 24 05 6e d2 a7 16 15 d6 0c f6 0a 94 d6
                        9e 9b dc cc aa e2 9e 7a 47 42 e1 4d 1a 2c ec 9c
            Digest:     94 b3 9a 9d 88 27 29 14 54 73 6d 86 08 5d 75 22
                        a1 fc 0b c3 21 d5 58 b7 2b 00 3f 0d 18 b2 c3 d4
while in the original system it looked like:
    cryptsetup luksDump /dev/vda3
    LUKS header information
    Version:        2
    Epoch:          5
    Metadata area:  16384 [bytes]
    Keyslots area:  16744448 [bytes]
    UUID:           eef0808e-5f62-4560-a996-a5df9b7b9839
    Label:          (no label)
    Subsystem:      (no subsystem)
    Flags:          allow-discards

    Data segments:
      0: crypt
            offset: 16777216 [bytes]
            length: (whole device)
            cipher: aes-xts-plain64
            sector: 512 [bytes]

    Keyslots:
      0: luks2
            Key:        512 bits
            Priority:   normal
            Cipher:     aes-xts-plain64
            Cipher key: 512 bits
            PBKDF:      argon2id
            Time cost:  4
            Memory:     480117
            Threads:    2
            Salt:       97 5d cb b4 2c 92 15 c4 4b 67 e6 70 1c e5 f6 d1
                        c1 03 14 1e f9 b1 c0 b5 f6 30 61 2b 0a 64 73 84
            AF stripes: 4000
            AF hash:    sha256
            Area offset:32768 [bytes]
            Area length:258048 [bytes]
            Digest ID:  0
      1: luks2
            Key:        512 bits
            Priority:   normal
            Cipher:     aes-xts-plain64
            Cipher key: 512 bits
            PBKDF:      pbkdf2
            Hash:       sha256
            Iterations: 1558062
            Salt:       c9 ce 68 c8 fc 17 71 7a 9f d6 e5 c4 0a 3a 24 29
                        3c b0 8b 43 31 d2 9f 90 a8 d6 2a 2e ec 37 c3 a7
            AF stripes: 4000
            AF hash:    sha256
            Area offset:290816 [bytes]
            Area length:258048 [bytes]
            Digest ID:  0
    Tokens:
    Digests:
      0: pbkdf2
            Hash:       sha256
            Iterations: 100207
            Salt:       03 c2 fa 5b 95 a1 2b 04 7f ba a8 cd d2 cc d8 fa
                        bc 5e 23 9c 44 3f 74 a4 91 4b e8 91 c6 28 2e 60
            Digest:     77 93 6c e5 c9 ed d1 ec 00 45 0e 74 c4 aa b4 5d
                        08 1b 61 61 f3 82 fc 13 86 e9 53 d9 98 79 b3 92
Note also that keyslot 1 used to use PBKDF: pbkdf2, but after recovery it has PBKDF: argon2id (with different time cost and memory parameters than slot 0 had), keyslot 0 is gone entirely, and the allow-discards flag of the original header is lost (Flags: (no flags)).
disklayout.conf (on a different system) looks like:
    crypt /dev/mapper/luks-639d20b4-f627-4665-912a-144a16cdcf04 /dev/vda3 type=luks2 cipher=aes-xts-plain64 key_size=512 hash=sha256 uuid=639d20b4-f627-4665-912a-144a16cdcf04 keyfile=/etc/luks-keys/root.key pbkdf=argon2id
Note that the keyfile is valid for slot 1 (the system was installed this way), but the pbkdf value is the one of slot 0, the first keyslot and the only one ReaR considers. The single crypt line therefore mixes properties of two different keyslots.
One might say that ReaR has no way to determine which key file belongs to which keyslot (/etc/crypttab looks like

    luks-639d20b4-f627-4665-912a-144a16cdcf04 UUID=639d20b4-f627-4665-912a-144a16cdcf04 /etc/luks-keys/root.key luks

), but even if I add key-slot=1, it has no effect.
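An added example, not ReaR or cryptsetup code, that covers both observations above. `parse_luks_dump` and `compare_headers` read `cryptsetup luksDump` output and diff the original and recovered headers, reporting lost keyslots, changed PBKDF parameters and lost header flags (the checks to run after a ReaR restore of a multi-keyslot device). `find_keyslot_for_keyfile` answers the question of which keyslot a keyfile belongs to by probing each slot with `cryptsetup open --test-passphrase --key-slot N`, which verifies a key without activating the device; it needs root and a real device, so the command runner is injectable. The function names are mine, and the embedded dumps are trimmed copies of the two outputs quoted above (salts, digests, cipher and data-segment lines dropped).

```python
"""Added example (not ReaR or cryptsetup code): diff two `cryptsetup luksDump`
outputs and find which keyslot a keyfile belongs to."""
import re
import subprocess

SECTION_RE = re.compile(r"^(Data segments|Keyslots|Tokens|Digests):\s*$")
ENTRY_RE = re.compile(r"^\s+(\d+):\s*(\S+)\s*$")        # "  1: luks2"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "PBKDF:      argon2id"


def parse_luks_dump(text):
    """Return (header, sections); sections["Keyslots"][n] holds slot n's fields."""
    header, sections, section, entry = {}, {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = sections.setdefault(m.group(1), {})
            entry = None
            continue
        m = ENTRY_RE.match(line) if section is not None else None
        if m:
            entry = section.setdefault(int(m.group(1)), {"type": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m:  # top-level fields go to the header, indented ones to the open entry
            (entry if entry is not None else header)[m.group(1).strip()] = m.group(2)
    return header, sections


def compare_headers(original, recovered):
    """List header flags and keyslot properties that changed across a restore."""
    hb, sb = parse_luks_dump(original)
    ha, sa = parse_luks_dump(recovered)
    out = []
    for key in ("Version", "UUID", "Flags"):
        if hb.get(key) != ha.get(key):
            out.append(f"header {key}: {hb.get(key)!r} -> {ha.get(key)!r}")
    kb, ka = sb.get("Keyslots", {}), sa.get("Keyslots", {})
    for slot in sorted(set(kb) | set(ka)):
        if slot not in ka:
            out.append(f"keyslot {slot}: missing after recovery")
        elif slot not in kb:
            out.append(f"keyslot {slot}: did not exist before recovery")
        else:  # salts are expected to differ; everything else should match
            for prop in sorted((set(kb[slot]) | set(ka[slot])) - {"Salt"}):
                if kb[slot].get(prop) != ka[slot].get(prop):
                    out.append(f"keyslot {slot} {prop}: "
                               f"{kb[slot].get(prop)!r} -> {ka[slot].get(prop)!r}")
    return out


def find_keyslot_for_keyfile(device, keyfile, slots,
                             run=lambda c: subprocess.call(c, stderr=subprocess.DEVNULL)):
    """Return the slot `keyfile` opens, or None.  --test-passphrase checks the key
    without activating the device; --key-slot limits the check to one slot.
    Needs root on a real device; `run` is injectable so it can be tested offline."""
    for slot in slots:
        cmd = ["cryptsetup", "open", "--test-passphrase", "--key-file", keyfile,
               "--key-slot", str(slot), device]
        if run(cmd) == 0:
            return slot
    return None


# Trimmed copies of the two luksDump outputs quoted in the report above.
ORIGINAL_DUMP = """\
LUKS header information
Version:        2
UUID:           eef0808e-5f62-4560-a996-a5df9b7b9839
Flags:          allow-discards

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     480117
        Threads:    2
        Area offset:32768 [bytes]
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1558062
        Area offset:290816 [bytes]
"""
RECOVERED_DUMP = """\
LUKS header information
Version:        2
UUID:           eef0808e-5f62-4560-a996-a5df9b7b9839
Flags:          (no flags)

Keyslots:
  1: luks2
        PBKDF:      argon2id
        Time cost:  5
        Memory:     666144
        Threads:    2
        Area offset:290816 [bytes]
"""

if __name__ == "__main__":
    for finding in compare_headers(ORIGINAL_DUMP, RECOVERED_DUMP):
        print(finding)
```

Run against the two dumps from the report, `compare_headers` reports the lost allow-discards flag, the missing keyslot 0, and the PBKDF change of keyslot 1 from pbkdf2 to argon2id (plus the parameter fields that appear or disappear with it). On a live system, `find_keyslot_for_keyfile("/dev/vda3", "/etc/luks-keys/root.key", sorted(parse_luks_dump(dump)[1]["Keyslots"]))` gives the slot the keyfile actually opens, which is the information the disklayout.conf crypt line would need to carry per slot.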
Is related to: RHEL-83779 ReaR doesn't recover LUKS encrypted systems properly when multiple keyslots are in use (Release Pending)