
Bug 1598863

Summary: NBDE doesn't work when Logical Volume is encrypted rather than underlying partition
Product: Red Hat Enterprise Linux 7
Reporter: Megan Towey <mtowey>
Component: clevis
Assignee: Nathaniel McCallum <npmccallum>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.7-Alt
CC: dpal, mprashad, mtowey, mzeleny, toneata
Target Milestone: rc
Flags: mzeleny: needinfo? (mtowey)
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-08-25 00:47:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Megan Towey 2018-07-06 16:23:49 UTC
Description of problem:
NBDE doesn't work when Logical Volume is encrypted rather than underlying partition. You get prompted to enter a passphrase, but the Clevis LUKS systemd-ask-password Watcher doesn't start until the device is already decrypted. 

Version-Release number of selected component (if applicable):
clevis-7-4.el7.x86_64 
systemd-219-57.el7.x86_64
kernel-3.10.0-862.el7.x86_64

How reproducible:
Every time the LV is encrypted rather than underlying partition. 

Steps to Reproduce:
1. Install a RHEL 7.5 system with encrypted logical volumes
2. Follow steps listed to set up NBDE https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption
3.

Actual results:
You are prompted for a passphrase at boot and it does not continue until you input the passphrase. 

Expected results:
Clevis/tang should handle the passphrase input at boot time without manual intervention. 

Additional info:
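A quick check for the layout this report is about (a LUKS container sitting on a logical volume instead of directly on a partition), added here as an example and not part of the bug report or of clevis. It walks the JSON tree that `lsblk -J -o NAME,TYPE` prints; the sample JSON below is constructed, with one container on a partition and one on an LV.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE` output (not taken from a real host):
# luks-data sits on partition sda1; luks-root sits on logical volume rhel-root.
SAMPLE_LSBLK_JSON = """
{ "blockdevices": [
  {"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "children": [
      {"name": "luks-data", "type": "crypt"}]},
    {"name": "sda2", "type": "part", "children": [
      {"name": "rhel-root", "type": "lvm", "children": [
        {"name": "luks-root", "type": "crypt"}]},
      {"name": "rhel-swap", "type": "lvm"}]}]}
]}
"""


def classify_luks_devices(lsblk_json):
    """Map every 'crypt' node in the lsblk tree to the TYPE of its parent device."""
    tree = json.loads(lsblk_json)
    found = {}

    def walk(node, parent_type):
        if node.get("type") == "crypt":
            found[node["name"]] = parent_type
        for child in node.get("children", []):
            walk(child, node.get("type"))

    for dev in tree.get("blockdevices", []):
        walk(dev, None)
    return found


def luks_on_lvm(lsblk_json):
    """Names of LUKS containers whose parent is an LV: the layout where, per this
    report, the unlock is prompted before the Clevis askpass watcher is running."""
    return sorted(n for n, p in classify_luks_devices(lsblk_json).items() if p == "lvm")


if __name__ == "__main__":
    # On a live host, feed in the real output of: lsblk -J -o NAME,TYPE
    for name, parent in classify_luks_devices(SAMPLE_LSBLK_JSON).items():
        print(f"{name}: LUKS on {parent}")
    print("affected by this ordering issue:", luks_on_lvm(SAMPLE_LSBLK_JSON))
```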

Comment 1 Nathaniel McCallum 2018-07-10 07:55:36 UTC
Is root on the LVM volume?

Comment 3 Martin Zelený 2018-07-10 14:47:43 UTC
Tested on logical volume created from file. If the root volume is the case - complicated testing will be necessary.

Comment 4 Megan Towey 2018-07-11 13:27:49 UTC
Hi Martin and Nathaniel,

Yes, the root volume is also part of LVM and should be set up for automated decryption with Clevis/Tang. 
Two of my customers have confirmed the behavior is different when the partition is LUKS formatted versus when the LV is LUKS formatted.