'CryptsetupEncryptor' will silently enable corrupt data read if cryptsetup defaults change
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Confirmed
|
Medium
|
Unassigned | ||
| os-brick |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
The CryptsetupEncryptor impl for volume encryption uses the cryptsetup 'plain' mode for encrypting the volumes.
When opening a volume it treats cipher and key_size as optional parameters:
cipher = kwargs.
if cipher is not None:
key_size = kwargs.
if key_size is not None:
as a result if those are not provided by the cinder API user, then it will rely on the cryptsetup command's default settings. The cryptsetup defaults are subject to change at the time it is built. If these settings ever change, then Nova will be opening the volume with different settings those used when first encrypted. Because the 'plain' volume type has no metadata, you can't detect this change in settings - you'll just silently be reading garbage data.
At the very least Nova should hardcode the defaults in its source to guarantee that they can never silently change under its feet, causing this corrupt data volume.
More generally though I think this impl should just be deleted and everyone should use LUKS which is a better design wrt secure key management.
| Lee Yarwood (lyarwood) wrote | #1 |
| Changed in nova: | |
| status: | New → Confirmed |
| assignee: | nobody → Lee Yarwood (lyarwood) |
| importance: | Undecided → Medium |
| Changed in os-brick: | |
| assignee: | nobody → Lee Yarwood (lyarwood) |
| status: | New → Confirmed |
| Changed in nova: | |
| assignee: | Lee Yarwood (lyarwood) → nobody |
| Sean McGinnis (sean-mcginnis) wrote Bug Assignee Expired | #2 |
| Changed in os-brick: | |
| assignee: | Lee Yarwood (lyarwood) → nobody |
I've sent the following out to the operators list to quickly see who is using CryptsetupEncryptor and why....
http://