
yahoo-eng-team team mailing list archive

[Bug 1849196] Re: Remove the 512 bit key option for aes-xts-plain64 encrypted volumes

 

** Also affects: horizon
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1849196

Title:
  Remove the 512 bit key option for aes-xts-plain64 encrypted volumes

Status in Cinder:
  New
Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  The Key size listed for Encrypted volumes using aes-xts-plain64 is not
  correct. If you use 512, you will get an error about an unsupported
  key size. This has to do with how barbican receives the key
  information from cinder.

  https://github.com/openstack/cinder/blob/master/cinder/volume/volume_utils.py#L919

  does not pass a "mode" so this block

  https://github.com/openstack/barbican/blob/stable/rocky/barbican/plugin/crypto/simple_crypto.py#L222

  evaluates to 512 and this is not present in this list

  https://github.com/openstack/barbican/blob/stable/rocky/barbican/plugin/crypto/base.py#L64

  The following docs need to be updated to only reflect a 256 bit key.

  https://docs.openstack.org/horizon/train/admin/manage-volumes.html
  https://docs.openstack.org/horizon/stein/admin/manage-volumes.html
  https://docs.openstack.org/horizon/rocky/admin/manage-volumes.html
  https://docs.openstack.org/horizon/queens/admin/manage-volumes.html

  
  Also the text needs to be updated.

  
  Key Size (bits)

  512             (Recommended for aes-xts-plain64. 256 should be used for aes-cbc-essiv)
                  Using this selection for aes-xts, the underlying key size would only be 256-bits*

  256             Using this selection for aes-xts, the underlying key size would only be 128-bits*
