Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-95729

[RHEL10] Incorrect key file in crypttab entry for volume encrypted_vol

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • rhel-system-roles
    • 0
    • Dev ack
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • None
    • Bug Fix
    • Hide
      .`encryption_key` is no longer masked

      Before this update, the `encryption_key` parameter was incorrectly marked as `no_log`. This caused the key file path to be replaced by a placeholder string, preventing disk encryption from working. With this update, the `encryption_key` parameter is no longer marked with the `no_log` flag, and you can now perform disk encryption using a key file successfully.
      Show
      .`encryption_key` is no longer masked Before this update, the `encryption_key` parameter was incorrectly marked as `no_log`. This caused the key file path to be replaced by a placeholder string, preventing disk encryption from working. With this update, the `encryption_key` parameter is no longer marked with the `no_log` flag, and you can now perform disk encryption using a key file successfully.
    • Done
    • Done
    • Done
    • Not Required
    • None 

      TASK [Check key file of crypttab entry] **************************************************************************************************
task path: /usr/share/ansible/roles/rhel-system-roles.storage/tests/test-verify-volume-encryption.yml:155
fatal: [localhost]: FAILED! => {
    "assertion": "_storage_test_crypttab_entries[0].split()[2] == _storage_test_expected_crypttab_key_file",
    "changed": false,
    "evaluated_to": false,
    "msg": "Incorrect key file in crypttab entry for volume encrypted_vol"
}PLAY RECAP *******************************************************************************************************************************
localhost                  : ok=502  changed=13   unreachable=0    failed=1    skipped=409  rescued=0    ignored=0   

       

      the var _storage_test_expected_crypttab_entries could not get right values if add two or more encryption volumes to /etc/crypttab   

      test-verify-volume-encryption.yml

      - name: Set test variables
  set_fact:
    _storage_test_expected_crypttab_entries: "{{
      (storage_test_volume.encryption and _storage_test_volume_present) |
      ternary(1, 0) }}"
    _storage_test_crypttab_entries: "{{ storage_test_crypttab.stdout_lines |
      map('regex_search', '^' + storage_test_volume._device |
          basename + ' .*$') |
      select('string') | list }}"
    _storage_test_expected_crypttab_key_file: "{{
      storage_test_volume.encryption_key or '-' }}"

       
       

      [root@storageqe-109 tests]# cat /etc/crypttab 
luks-086dd5ea-ea8a-4cf5-9b9b-ae7feb642f0a /dev/mapper/mixed_encryption_pool-encrypted_vol -
luks-b50ee7df-cd82-4ad1-be2d-e58614664c16 /dev/mapper/mixed_encryption_pool-unencrypted_vol -
[root@storageqe-109 tests]# 

       

          # Test pool with mixed encrypted/unencrypted volumes  
    - name: Create pool with mixed encryption  
      include_role:  
        name: linux-system-roles.storage  
      vars:  
        storage_safe_mode: false  
        storage_pools:  
          - name: mixed_encryption_pool  
            type: lvm  
            disks: "{{ unused_disks }}"  
            volumes:  
              - name: encrypted_vol  
                size: 1g  
                mount_point: "{{ mount_location }}_encrypted"  
                encryption: true  
                encryption_password: encryptedvolpassword  
              - name: unencrypted_vol  
                size: 1g  
                mount_point: "{{ mount_location }}_unencrypted"  
                encryption: false  
  
    - name: Verify mixed encryption pool results  
      include_tasks: verify-role-results.yml  

    # Test changing encryption on existing volume  
    - name: Change encryption settings on existing volume  
      include_role:  
        name: linux-system-roles.storage  
      vars:  
        storage_safe_mode: false  
        storage_pools:  
          - name: mixed_encryption_pool  
            type: lvm  
            disks: "{{ unused_disks }}"  
            volumes:  
              - name: encrypted_vol  
                size: 1g  
                mount_point: "{{ mount_location }}_encrypted"  
                encryption: true  
                encryption_password: newencryptedpassword  
                encryption_luks_version: luks2  # Changed from default  
              - name: unencrypted_vol  
                size: 1g  
                mount_point: "{{ mount_location }}_unencrypted"  
                encryption: true  # Changed from false to true  
                encryption_password: newlyencryptedpassword  

      [root@storageqe-109 tests]# rpm -qa |grep role
      rhel-system-roles-1.101.1-0.1.el10.noarch
      [root@storageqe-109 tests]# uname -a
      Linux storageqe-109.rhts.eng.pek2.redhat.com 6.12.0-89.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 27 00:52:07 EDT 2025 x86_64 GNU/Linux
      [root@storageqe-109 tests]

       

       

       

        1. RHEL_95729.tar
          1.65 MB

              rmeggins@redhat.com Richard Megginson
              guazhang@redhat.com Guangwu Zhang
              Krishnaswamy Krishna Kumar
              Richard Megginson Richard Megginson
              Guangwu Zhang Guangwu Zhang
              Valentina Ashirova Valentina Ashirova
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: