search for: crypto_luks

For links to the original patch series, see: https://bugzilla.redhat.com/show_bug.cgi?id=1808977#c8 The original feedback was that ignoring errors from guestfs_luks_uuid would ignore legitimate errors from non-BitLocker disks, so I have modified this series so that errors are only ignored in the BitLocker case. As noted in the 4th patch there is no actual error in the BitLocker case, cryptsetup

...e a luks encrypted partition after reboot (a partition that was not enabled while booting, because not in the crypttab). I can execute the necessary command stack [1] but just wondering if there is an "enterprise/easy" way to do that ... [1] cryptsetup luksOpen $(blkid -t TYPE="crypto_LUKS" -o device) \ luks-$(cryptsetup luksUUID $(blkid -t TYPE="crypto_LUKS" -o device)) -- LF

...sage: > [ 3094.394043] EXT4-fs (dm-0): ext4_check_descriptors: Inode bitmap for group 3328 not in group (block 1235654634)! > [ 3094.394056] EXT4-fs (dm-0): group descriptors corrupted! Further on, when i try to <fsck -N /dev/sdb> i get: > fsck from util-linux 2.19.1 > fsck: fsck.crypto_LUKS: not found > fsck: Error 2 while executing fsck.crypto_LUKS for /dev/sdb But cryptsetup is installed, only lvm2 is missing, but i dont have a LVM device and as i researched at "debian.org" there is no package which provides the command <fsck.crypto_LUKS>. Any hints/instructi...

Support transparent decryption/inspection of Windows guests encrypted with BitLocker encryption. This won't make much sense without the associated libguestfs patches which I will post momentarily. (Submodules, ho hum) Rich.

...k. 2) The --allow-discards is needed to be able to run fstrim on a decrypted partition. I *think* that it's safe to be added unconditionally, but I'm not sure. It might be better to just add another luks_open() variant that uses the option. 3) As it is right now, lsblk is called for every crypto_LUKS device to see if a corresponding mapping had been created. I *think* it's good enough, but keeping a list of (blkdev, mapname) in the daemon memory and adding an API call to retrieve it might be better. Comments and pointers on how to proceed further are appreciated. Jan Synacek (1): WIP: s...

...let ret = List.filter_map check_with_vfs_type devices in @@ -144,9 +146,20 @@ and check_with_vfs_type device = else if String.is_suffix vfs_type "_member" then None - (* Ignore LUKS-encrypted partitions. These are also containers, as above. *) - else if vfs_type = "crypto_LUKS" then - None + (* If a LUKS-encrypted partition had been opened, include the corresponding + * device mapper filesystem path. *) + else if vfs_type = "crypto_LUKS" then ( + let out = command "lsblk" ["-n"; "-l"; "-o"; "NAME"...

...nclude <string.h> > #include <libintl.h> > #include <error.h> >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); > if (type && > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { >+ bool is_bitlocker = STREQ (type, "BitLocker"); > char mapname[32]; > make_mapname (partitions[i], mapname, sizeof mapname); > > #ifdef GUESTFS_HAVE_LUKS_UUID >- CLEANUP_FREE char *uuid = guestfs_l...

...estfs -> string -> bool (** Checks if a filesystem is a btrfs subvolume. *) -val inspect_decrypt : Guestfs.guestfs -> key_store -> unit +val inspect_decrypt : Guestfs.guestfs -> ?allow_discards:bool -> key_store -> unit (** Simple implementation of decryption: look for any [crypto_LUKS] partitions and decrypt them, then rescan for VGs. This only works - for Fedora whole-disk encryption. *) + for Fedora whole-disk encryption. + + If [?allow_discards] is set, the underlying [crypto_LUKS] partitions + will be decrypted with the discard operation allowed, which allo...

...;libintl.h> >> >#include <error.h> >> >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) >> > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); >> > if (type && >> > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { >> >+ bool is_bitlocker = STREQ (type, "BitLocker"); >> > char mapname[32]; >> > make_mapname (partitions[i], mapname, sizeof mapname); >> > >> >#ifdef GUESTFS_HAVE_LUKS_UUID >...

...(device, "/dev/")) + i = 5; + + for (; device[i] != '\0' && len >= 1; ++i) { + if (c_isalnum (device[i])) { + *mapname++ = device[i]; + len--; + } + } + + *mapname = '\0'; +} + +/** + * Simple implementation of decryption: look for any C<crypto_LUKS> + * partitions and decrypt them, then rescan for VGs. This only works + * for Fedora whole-disk encryption. WIP to make this work for other + * encryption schemes. + */ +void +inspect_do_decrypt (guestfs_h *g) +{ + CLEANUP_FREE_STRING_LIST char **partitions = guestfs_list_partitions (g); +...

...let ret = List.filter_map check_with_vfs_type devices in @@ -144,9 +146,19 @@ and check_with_vfs_type device = else if String.is_suffix vfs_type "_member" then None - (* Ignore LUKS-encrypted partitions. These are also containers, as above. *) - else if vfs_type = "crypto_LUKS" then - None + (* If a LUKS-encrypted partition had been opened, include the corresponding + * device mapper filesystem path. *) + else if vfs_type = "crypto_LUKS" then ( + let out = command "lsblk" ["-n"; "-l"; "-o"; "NAME"...

..._with_vfs_type devices in > > @@ -144,9 +146,20 @@ and check_with_vfs_type device = > else if String.is_suffix vfs_type "_member" then > None > > - (* Ignore LUKS-encrypted partitions. These are also containers, as above. *) > - else if vfs_type = "crypto_LUKS" then > - None > + (* If a LUKS-encrypted partition had been opened, include the corresponding > + * device mapper filesystem path. *) > + else if vfs_type = "crypto_LUKS" then ( > + let out = command "lsblk" ["-n"; "-l"; "-...

...gt; >#include <libintl.h> > >#include <error.h> > >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) > > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); > > if (type && > > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { > >+ bool is_bitlocker = STREQ (type, "BitLocker"); > > char mapname[32]; > > make_mapname (partitions[i], mapname, sizeof mapname); > > > >#ifdef GUESTFS_HAVE_LUKS_UUID > >- CLEANUP_...

...like to have a smart cli tool, that shows a comprehensive list about the local storage structure: An output like: /srv /dev/mapper/luks-f85b7a2c-...: UUID="ca924fad-..." TYPE="ext4" /dev/mapper/vg_internal_e-lv_internal_srv: UUID="f85b7a2c-..." TYPE="crypto_LUKS" vg_internal_e /dev/md3: UUID="1Fi2Ex-..." TYPE="LVM2_member" /dev/sda4: UUID="00029bd4-..." UUID_SUB="d0024074-..." LABEL="e.ld:3" TYPE="linux_raid_member" /dev/sdb4: UUID="00029bd4-...&quot...

...gt;> >#include <error.h> >>> >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) >>> > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); >>> > if (type && >>> > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { >>> >+ bool is_bitlocker = STREQ (type, "BitLocker"); >>> > char mapname[32]; >>> > make_mapname (partitions[i], mapname, sizeof mapname); >>> > >>> >#ifdef GUESTFS...

...o check for filesystems on devices. Some block devices cannot @@ -144,9 +145,20 @@ and check_with_vfs_type device = else if String.is_suffix vfs_type "_member" then None - (* Ignore LUKS-encrypted partitions. These are also containers, as above. *) - else if vfs_type = "crypto_LUKS" then - None + (* If a LUKS-encrypted partition had been opened, include the corresponding + * device mapper filesystem path. *) + else if vfs_type = "crypto_LUKS" then ( + let out = command "lsblk" ["-n"; "-l"; "-o"; "NAME"...

Hi, this series refactors some guestfish code (not much), and exposes it via Common_utils, so it is possible to decrypt LUKS partitions when using virt-customize, virt-get-kernel, virt-sparsify, and virt-sysprep. This brings them closer in features with C tools. Most probably a couple more of other OCaml-based tools (virt-v2v to convert encrypted guests, and virt-builder to use encrypted

On Wed, Jan 22, 2020 at 10:14:38AM +0100, Jan Synacek wrote: > -val inspect_decrypt : Guestfs.guestfs -> key_store -> unit > +val inspect_decrypt : Guestfs.guestfs -> ?allow_discards:bool -> key_store -> unit > > (** Simple implementation of decryption: look for any [crypto_LUKS] > partitions and decrypt them, then rescan for VGs. This only works > for Fedora whole-disk encryption. *) Documentation here needs a short explanation of what the new allow_discards parameter does, and what the default is. > diff --git a/options/decrypt.c b/options/decrypt.c...

As discussed in the emails today, this is the third version addressing most points from the v1/v2 review. You will need to pair this with the changes in libguestfs-common from this series: https://www.redhat.com/archives/libguestfs/2020-September/msg00050.html Rich.

Original version linked from here: https://bugzilla.redhat.com/show_bug.cgi?id=1808977#c8 There is no change in the code in this series, but feedback from the original series was we shouldn't lose the error message in patch 7. When I tested this just now in fact we don't lose the error if debugging is enabled, but I have updated the commit message to note what the error message is in the