yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1639221] [NEW] 'CryptsetupEncryptor' will silently enable corrupt data read if cryptsetup defaults change

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Daniel Berrange <1639221@xxxxxxxxxxxxxxxxxx>
Date: Fri, 04 Nov 2016 12:20:17 -0000
Reply-to: Bug 1639221 <1639221@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The CryptsetupEncryptor impl for volume encryption uses the cryptsetup
'plain' mode for encrypting the volumes.

When opening a volume it treats cipher and key_size as optional
parameters:

        cipher = kwargs.get("cipher", None)
        if cipher is not None:
            cmd.extend(["--cipher", cipher])

        key_size = kwargs.get("key_size", None)
        if key_size is not None:
            cmd.extend(["--key-size", key_size])


as a result if those are not provided by the cinder API user, then it will rely on the cryptsetup command's default settings.  The cryptsetup defaults are subject to change at the time it is built. If these settings ever change, then Nova will be opening the volume with different settings those used when first encrypted. Because the 'plain' volume type has no metadata, you can't detect this change in settings - you'll just silently be reading garbage data.

At the very least Nova should hardcode the defaults in its source to
guarantee that they can never silently change under its feet, causing
this corrupt data volume.

More generally though I think this impl should just be deleted and
everyone should use LUKS which is a better design wrt secure key
management.

** Affects: nova
     Importance: Undecided
         Status: New

** Affects: os-brick
     Importance: Undecided
         Status: New

** Also affects: os-brick
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1639221

Title:
  'CryptsetupEncryptor'  will silently enable corrupt data read if
  cryptsetup defaults change

Status in OpenStack Compute (nova):
  New
Status in os-brick:
  New

Bug description:
  The CryptsetupEncryptor impl for volume encryption uses the cryptsetup
  'plain' mode for encrypting the volumes.

  When opening a volume it treats cipher and key_size as optional
  parameters:

          cipher = kwargs.get("cipher", None)
          if cipher is not None:
              cmd.extend(["--cipher", cipher])

          key_size = kwargs.get("key_size", None)
          if key_size is not None:
              cmd.extend(["--key-size", key_size])

  
  as a result if those are not provided by the cinder API user, then it will rely on the cryptsetup command's default settings.  The cryptsetup defaults are subject to change at the time it is built. If these settings ever change, then Nova will be opening the volume with different settings those used when first encrypted. Because the 'plain' volume type has no metadata, you can't detect this change in settings - you'll just silently be reading garbage data.

  At the very least Nova should hardcode the defaults in its source to
  guarantee that they can never silently change under its feet, causing
  this corrupt data volume.

  More generally though I think this impl should just be deleted and
  everyone should use LUKS which is a better design wrt secure key
  management.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1639221/+subscriptions