BARBICAN - LUKS2

Steps to create a VM using an encrypted bootable volume built from a pre-encrypted image:

1. Create secret order key (LUKS passphrase)
2. Get the secret reference from the secret order key (this will be used as cinder_encryption_key_id)
3. Create the key for the encrypted image
4. Create encrypted image (in this step, we will be using luks1)
5. Store encrypted image
6. Define encrypted volume type
7. Create encrypted bootable volume
8. Create a VM using the encrypted bootable volume

Step 1. Create secret order key (LUKS passphrase)

[root@california ~]# openstack secret order create key --name 'passphraselukstwo' --algorithm aes --bit-length 256
+----------------+----------------------------------------------------------------------------------------------+
| Field          | Value                                                                                        |
+----------------+----------------------------------------------------------------------------------------------+
| Order href     | https://[2001:420:293:250b:172:29:86:91]:9311/v1/orders/33816998-f83a-4a88-a395-47e22682b92a |
| Type           | Key                                                                                          |
| Container href | N/A                                                                                          |
| Secret href    | None                                                                                         |
| Created        | None                                                                                         |
| Status         | None                                                                                         |
| Error code     | None                                                                                         |
| Error message  | None                                                                                         |
+----------------+----------------------------------------------------------------------------------------------+

Step 2. Get the secret reference from the secret order key (this will be used as cinder_encryption_key_id)

The order is asynchronous: the Secret href is only populated once the order status is ACTIVE.

[root@california ~]# openstack secret order get https://[2001:420:293:250b:172:29:86:91]:9311/v1/orders/33816998-f83a-4a88-a395-47e22682b92a
+----------------+-----------------------------------------------------------------------------------------------+
| Field          | Value                                                                                         |
+----------------+-----------------------------------------------------------------------------------------------+
| Order href     | https://[2001:420:293:250b:172:29:86:91]:9311/v1/orders/33816998-f83a-4a88-a395-47e22682b92a  |
| Type           | Key                                                                                           |
| Container href | N/A                                                                                           |
| Secret href    | https://[2001:420:293:250b:172:29:86:91]:9311/v1/secrets/c8af3cb4-40f4-4ca2-997d-4bacd58c96b2 |
| Created        | 2024-10-11T04:57:52+00:00                                                                     |
| Status         | ACTIVE                                                                                        |
| Error code     | None                                                                                          |
| Error message  | None                                                                                          |
+----------------+-----------------------------------------------------------------------------------------------+

Step 3. Create the key for the encrypted image

The secret payload is downloaded as raw bytes and written to luks2.key; this is the passphrase material used to format the container.

[root@california ~]# openstack secret get --payload_content_type 'application/octet-stream' --file luks2.key https://[2001:420:293:250b:172:29:86:91]:9311/v1/secrets/c8af3cb4-40f4-4ca2-997d-4bacd58c96b2
[root@california ~]# xxd -p -c 32 luks2.key
3313574841e4a73df385fed4838ae3661d93e432fb4572dd31dff50ef1134f44

Step 4. Create encrypted image (in this step, we will be using luks1)

A 2000 MiB zero-filled file is created, attached as /dev/loop1, formatted with LUKS2, opened, and the raw CirrOS disk is written into the mapped device.

[root@california ~]# dd if=/dev/zero of=cirros-luks2-container bs=1M count=2000
2000+0 records in
2000+0 records out
2097152000 bytes (2.1 GB, 2.0 GiB) copied, 1.41532 s, 1.5 GB/s

[root@california ~]# cryptsetup luksFormat --type luks2 /dev/loop1

WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /root/cirros-luks2-container:
Verify passphrase:

[root@california ~]# cryptsetup luksOpen /dev/loop1 byov1
Enter passphrase for /root/cirros-luks2-container:

[root@california ~]# ls -ltr /dev/mapper/byov1
lrwxrwxrwx. 1 root root 7 Oct 10 22:32 /dev/mapper/byov1 -> ../dm-8

[root@california ~]# cryptsetup -v status byov1
/dev/mapper/byov1 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/loop1
  loop:    /root/cirros-luks2-container
  sector size:  512
  offset:  32768 sectors
  size:    4063232 sectors
  mode:    read/write
Command successful.

[root@california ~]# sudo dd if=cirros-0.6.3.raw of=/dev/mapper/byov1
229376+0 records in
229376+0 records out
117440512 bytes (117 MB, 112 MiB) copied, 1.02727 s, 114 MB/s

[root@california ~]# cryptsetup luksClose byov1
[root@california ~]# losetup -d /dev/loop1
[root@california ~]# file cirros-luks2-container
cirros-luks2-container: LUKS encrypted file, ver 2 [, , sha256] UUID: 3e755796-53be-4a98-9bda-782ae79c7517

Step 5. Store encrypted image

The container is uploaded as a raw image, tagged with the Barbican secret ID from step 2 so that Cinder can fetch the passphrase, and with a deletion policy that removes the secret when the image is deleted.

[root@california ~]# openstack image create --disk-format raw --container-format bare --file cirros-luks2-container --private --property cinder_encryption_key_id=c8af3cb4-40f4-4ca2-997d-4bacd58c96b2 --property cinder_encryption_key_deletion_policy=on_image_deletion cirros-luks2-encrypted
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                                                                                                                                                                           |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare                                                                                                                                                                                                                                                                                                            |
| created_at       | 2024-10-11T05:42:45Z                                                                                                                                                                                                                                                                                            |
| disk_format      | raw                                                                                                                                                                                                                                                                                                             |
| file             | /v2/images/31698e2a-ec8a-4bc8-b3b6-e5787d277a34/file                                                                                                                                                                                                                                                            |
| id               | 31698e2a-ec8a-4bc8-b3b6-e5787d277a34                                                                                                                                                                                                                                                                            |
| min_disk         | 0                                                                                                                                                                                                                                                                                                               |
| min_ram          | 0                                                                                                                                                                                                                                                                                                               |
| name             | cirros-luks2-encrypted                                                                                                                                                                                                                                                                                          |
| owner            | 3084f860066e438d80f98aef03f86519                                                                                                                                                                                                                                                                                |
| properties       | cinder_encryption_key_deletion_policy='on_image_deletion', cinder_encryption_key_id='c8af3cb4-40f4-4ca2-997d-4bacd58c96b2', locations='[]', os_hidden='False', owner_specified.openstack.md5='', owner_specified.openstack.object='images/cirros-luks2-encrypted', owner_specified.openstack.sha256='' |
| protected        | False                                                                                                                                                                                                                                                                                                           |
| schema           | /v2/schemas/image                                                                                                                                                                                                                                                                                               |
| status           | queued                                                                                                                                                                                                                                                                                                          |
| tags             |                                                                                                                                                                                                                                                                                                                 |
| updated_at       | 2024-10-11T05:42:45Z                                                                                                                                                                                                                                                                                            |
| visibility       | private                                                                                                                                                                                                                                                                                                         |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[root@california ~]# openstack image list
+--------------------------------------+-----------------------------+--------+
| ID                                   | Name                        | Status |
+--------------------------------------+-----------------------------+--------+
| 39d9b3c1-775b-4468-90fa-d567f0a6c13b | Automation_ubuntu64         | active |
| a13d4902-dd4e-4aee-8de1-4f90d1546c62 | CentOS9-guest-image         | active |
| 9c22b0c0-0735-4405-a15e-cc4e5fb32e85 | ESC-6_0_0_36                | active |
| 3aeded37-5ad6-4764-926f-73aa128183b9 | ESC-6_0_0_36_1              | active |
| 19f2ad93-2ab7-40df-a3d1-cb8504a67255 | ESC-6_0_0_37                | active |
| 32366031-4879-4026-b0a3-b68585bc3543 | RHEL-guest-image            | active |
| bcf83579-2ce0-487b-8210-9719df5440ba | cirros-encrypted            | active |
| ab9a70e4-24fb-47a8-aa53-f7a53e169587 | cirros-image                | active |
| 31698e2a-ec8a-4bc8-b3b6-e5787d277a34 | cirros-luks2-encrypted      | active |
| 89105ad0-b7e6-4e1a-b6dc-4eeb0ff0359e | cryptodisk-test-image       | active |
| e465208a-f28f-4db8-98bc-6a0293fbf2b3 | qvpc-di-21.28.mh20.95098    | active |
| 1e2a31a7-5135-48e3-ab3b-9f26d564d490 | qvpc-di-cf-21.28.mh20.95098 | active |
+--------------------------------------+-----------------------------+--------+

Step 6. Define encrypted volume type

Using the same volume type already defined for LUKS, so it was not created again.

Step 7. Create encrypted bootable volume

[root@california ~]# openstack volume list
+--------------------------------------+---------------------------------+-----------+------+-----------------------------------------------------+
| ID                                   | Name                            | Status    | Size | Attached to                                         |
+--------------------------------------+---------------------------------+-----------+------+-----------------------------------------------------+
| 0a2c9471-b97c-4333-b2c1-babd461707fb | cirros-luks2-encrypted-bootable | available |    2 |                                                     |
| c03c8112-8b35-4e76-ad46-b1e5265e4e96 | cirros-encrypted-bootable       | in-use    |    2 | Attached to cirros-encryptedboot-luks1 on /dev/vda  |
+--------------------------------------+---------------------------------+-----------+------+-----------------------------------------------------+

[root@california ~]# openstack volume show 0a2c9471-b97c-4333-b2c1-babd461707fb
+--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                          | Value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| attachments                    | []                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| availability_zone              | nova                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| bootable                       | true                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| consistencygroup_id            | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| created_at                     | 2024-10-11T05:46:44.000000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| description                    | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| encrypted                      | True                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| id                             | 0a2c9471-b97c-4333-b2c1-babd461707fb                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| migration_status               | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| multiattach                    | False                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| name                           | cirros-luks2-encrypted-bootable                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| os-vol-host-attr:host          | ceph@ceph#ceph                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| os-vol-mig-status-attr:migstat | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| os-vol-mig-status-attr:name_id | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| os-vol-tenant-attr:tenant_id   | 3084f860066e438d80f98aef03f86519                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| properties                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| replication_status             | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| size                           | 2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| snapshot_id                    | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| source_volid                   | None                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| status                         | available                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| type                           | LUKS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| updated_at                     | 2024-10-11T05:47:23.000000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| user_id                        | 56ed2bdf9a3c46ae8307e26b978e8354                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| volume_image_metadata          | {'signature_verified': 'False', 'cinder_encryption_key_id': 'c8af3cb4-40f4-4ca2-997d-4bacd58c96b2', 'cinder_encryption_key_deletion_policy': 'on_image_deletion', 'owner_specified.openstack.md5': '', 'owner_specified.openstack.sha256': '', 'owner_specified.openstack.object': 'images/cirros-luks2-encrypted', 'image_id': '31698e2a-ec8a-4bc8-b3b6-e5787d277a34', 'image_name': 'cirros-luks2-encrypted', 'checksum': '7c38a74f3acaddacab8be68f6483731b', 'container_format': 'bare', 'disk_format': 'raw', 'min_disk': '0', 'min_ram': '0', 'size': '2097152000'} |
+--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Step 8. Create a VM using the encrypted bootable volume

This is where we got "LUKS2 not supported" from libvirt.

-----

Regarding "LUKS version 2 is not supported": it comes down to how the encrypted image is created, i.e.

cryptsetup luksFormat --type luks2 /dev/loop1

We also tried this, and we received the same message: "LUKS version 2 is not supported."

Conclusion: In RHOSP, volume encryption only supports LUKS1 and not LUKS2.

cryptsetup luksFormat --type luks1 /dev/loop1  -> works fine
cryptsetup luksFormat --type luks2 /dev/loop1  -> does NOT work
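Since the LUKS2 rejection only surfaces at step 8 when libvirt opens the volume, it is worth checking the container's header version before it is uploaded to Glance in step 5. The following Python is an added example and not part of the original notes: it parses the magic, big-endian version and UUID fields of the primary LUKS header using the cryptsetup on-disk layout (the UUID sits at byte 168 in both LUKS1 and LUKS2); the two sample headers are constructed, with the LUKS2 one carrying the UUID that `file` reported in step 4.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # primary header magic, shared by LUKS1 and LUKS2
UUID_OFFSET = 168                 # the 40-byte UUID field starts here in both layouts
HEADER_BYTES = UUID_OFFSET + 40   # enough of the header to read every field used below

def _cstr(buf: bytes, off: int, length: int) -> str:
    """Decode a NUL-padded ASCII field at buf[off:off+length]."""
    return buf[off:off + length].split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(hdr: bytes) -> dict:
    """Return version, UUID and the version-specific metadata of a LUKS primary header."""
    if len(hdr) < HEADER_BYTES or hdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS primary header")
    version = struct.unpack(">H", hdr[6:8])[0]   # uint16, big-endian in both formats
    info = {"version": version, "uuid": _cstr(hdr, UUID_OFFSET, 40)}
    if version == 1:
        # LUKS1: cipher name, cipher mode and hash spec follow the version field
        info.update(cipher=_cstr(hdr, 8, 32), mode=_cstr(hdr, 40, 32), hash=_cstr(hdr, 72, 32))
    elif version == 2:
        # LUKS2: label and checksum algorithm protecting the JSON metadata area
        info.update(label=_cstr(hdr, 24, 48), checksum_alg=_cstr(hdr, 72, 32))
    else:
        raise ValueError(f"unknown LUKS version {version}")
    return info

def usable_as_rhosp_encrypted_volume(info: dict) -> bool:
    """RHOSP volume encryption accepts LUKS1 images only (the finding in step 8)."""
    return info["version"] == 1

def check_image_file(path: str) -> dict:
    """Read the header of an on-disk container such as cirros-luks2-container."""
    with open(path, "rb") as f:
        return parse_luks_header(f.read(HEADER_BYTES))

def _field(s: bytes, width: int) -> bytes:
    return s.ljust(width, b"\0")

# Constructed sample headers (not dumps from the page's host); only the parsed fields are filled in.
SAMPLE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1) + _field(b"aes", 32) + _field(b"xts-plain64", 32)
                + _field(b"sha256", 32) + struct.pack(">II", 4096, 64) + b"\0" * 20 + b"\0" * 32
                + struct.pack(">I", 1000) + _field(b"00000000-1111-2222-3333-444444444444", 40))
SAMPLE_LUKS2 = (LUKS_MAGIC + struct.pack(">H", 2) + struct.pack(">QQ", 16384, 1) + _field(b"", 48)
                + _field(b"sha256", 32) + b"\0" * 64
                + _field(b"3e755796-53be-4a98-9bda-782ae79c7517", 40))  # UUID from step 4's `file` output
```

Run `check_image_file("cirros-luks2-container")` on the real container from step 4 and feed the result to `usable_as_rhosp_encrypted_volume` before `openstack image create`.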