Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detecting that a LUKS volume uses clevis #314

Closed
somewhere-or-other opened this issue Jun 4, 2021 · 6 comments
Closed

Detecting that a LUKS volume uses clevis #314

somewhere-or-other opened this issue Jun 4, 2021 · 6 comments

Comments

@somewhere-or-other
Copy link
Contributor

somewhere-or-other commented Jun 4, 2021
edited
Loading

Is there an easy way to detect that a particular LUKS volume, is using Clevis, as opposed to just having a passphrase or similar?

I'm working on a patch to a Pacemaker/Corosync resource agent (ClusterLabs/resource-agents#1656), to support Clevis-unlocked crypt volumes. It seems to work as-is, but it relies on the admin to specify a "use_clevis=true" when setting it up. I'd much prefer to have an automatic detection mechanism, but I haven't found it yet.

I think that clevis luks list might do the job, but I'm still investigating that. I'm hoping there's a better tool to use.
@sergio-correia
Copy link
Collaborator

The easy way would be using clevis luks list, as you pointed out. You could read the metadata yourself with other tools, though, and figure it out from there, e.g. luksmeta for LUKSv1 devices and cryptsetup for LUKSv2 ones.

@somewhere-or-other
Copy link
Contributor Author

somewhere-or-other commented Jun 4, 2021
edited
Loading

I'd hoped that clevis luks list would have a different exit code when run on a non-Clevis LUKS volume, than on one that has Clevis info, but it seems that's not to be. But something like this seems to work so far; I'll have to see if I can re-work my patch around that principle:

clevis luks list -d  /dev/vg_einstein/einsteinlv | grep -q '^[[:digit:]]\+:' && echo "found clevis" || echo "didn't find clevis"

@sarroutbi
Copy link
Collaborator

sarroutbi commented Jun 7, 2021
edited
Loading

I find this last is weird. When asking for a clevis luks volume, it seems return error is different from a non clevis luks volume than for a clevis volume:

~# clevis luks list -d /dev/vda1
/dev/vda1 is not a supported LUKS device!
No used slots detected for device /dev/vda1!
~# echo $?
1
~# clevis luks list -d /dev/vdb1
1: tpm2 '{"hash":"sha256","key":"ecc"}'
~# echo $?
0

@somewhere-or-other : can you please clarify:

  1. Output to this scenario "lsblk --fs" command?
  2. Version of clevis-luks package installed and distro?

@somewhere-or-other
Copy link
Contributor Author

somewhere-or-other commented Jun 7, 2021
edited
Loading

I wondered if it might be an old version. In short, it's RHEL 8.3, running the RH-supplied clevis 13.3:

[root@sloth1a ~]# rpm -qi clevis
Name        : clevis
Version     : 13
Release     : 3.el8
Architecture: x86_64
Install Date: Thu 22 Apr 2021 12:55:09 PM MDT
Group       : Unspecified
Size        : 123491
License     : GPLv3+
Signature   : RSA/SHA256, Mon 25 May 2020 04:34:09 AM MDT, Key ID 199e2f91fd431d51
Source RPM  : clevis-13-3.el8.src.rpm
Build Date  : Sun 24 May 2020 10:52:11 PM MDT
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/latchset/clevis
Summary     : Automated decryption framework
Description :
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.

The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKS
volumes during early boot.
[root@sloth1a ~]#

As far as the specific output:

[root@sloth1a ~]# cryptsetup -v luksFormat --type luks2 /dev/vg_einstein/einsteinlv
...
[root@sloth1a ~]# clevis luks list -d /dev/vg_einstein/einsteinlv 
[root@sloth1a ~]# echo $?
0
[root@sloth1a ~]# clevis luks bind -d /dev/vg_einstein/einsteinlv sss "$cfg"
...
[root@sloth1a ~]# 
[root@sloth1a ~]# clevis luks list -d /dev/vg_einstein/einsteinlv 
1: sss '{"t":1,"pins":{"tang":[{"url":"http://HOSTNAME1"},{"url":"http://HOSTNAME2"}]}}'
[root@sloth1a ~]# echo $?
0
[root@sloth1a ~]#

I'm not completely sure what you're looking for in the lsblk --fs output, but here's the relevant excerpt:

NAME                                FSTYPE       LABEL UUID                                   MOUNTPOINT
...
sdm                                 mpath_member       SSSakr-SY3N-k3Zo-TntB-Dd4o-33lE-KaJqbJ 
└─mpathf                            LVM2_member        SSSakr-SY3N-k3Zo-TntB-Dd4o-33lE-KaJqbJ 
  └─vg_einstein-einsteinlv          crypto_LUKS        5c708716-fe8f-444f-aa34-ed2b66bdbf09

@sarroutbi
Copy link
Collaborator

I think that clevis luks list checks for a device having luks format, not being bound. That is why output is returning 0 in your case (not bound, but with luks format), and 1 in the case I posted.

@somewhere-or-other : As you found the way to parse if bound, can we close this issue?

@somewhere-or-other
Copy link
Contributor Author

Ah. So a non-LUKS volume would give the non-zero error code, vs a LUKS-but-not-using-clevis volume. I get it.

Thank you for your help with this. Closing now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sarroutbi @somewhere-or-other @sergio-correia