Bug 1598863 - NBDE doesn't work when Logical Volume is encrypted rather than underlying partition [NEEDINFO]
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: clevis
Version: 7.7-Alt
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nathaniel McCallum
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-06 16:23 UTC by Megan Towey
Modified: 2019-03-15 11:55 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-25 00:47:09 UTC
Target Upstream Version:
Flags: mzeleny: needinfo? (mtowey)



Description Megan Towey 2018-07-06 16:23:49 UTC
Description of problem:
NBDE doesn't work when Logical Volume is encrypted rather than underlying partition. You get prompted to enter a passphrase, but the Clevis LUKS systemd-ask-password Watcher doesn't start until the device is already decrypted. 

Version-Release number of selected component (if applicable):
clevis-7-4.el7.x86_64 
systemd-219-57.el7.x86_64
kernel-3.10.0-862.el7.x86_64

How reproducible:
Every time the LV is encrypted rather than the underlying partition.

Steps to Reproduce:
1. Install a RHEL 7.5 system with encrypted logical volumes
2. Follow steps listed to set up NBDE https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption
3.

Actual results:
You are prompted for a passphrase at boot and it does not continue until you input the passphrase. 

Expected results:
Clevis/tang should handle the passphrase input at boot time without manual intervention. 

Additional info:

Comment 1 Nathaniel McCallum 2018-07-10 07:55:36 UTC
Is root on the LVM volume?

Comment 3 Martin Zelený 2018-07-10 14:47:43 UTC
Tested on a logical volume created from a file. If the root volume is the case, more complicated testing will be necessary.

Comment 4 Megan Towey 2018-07-11 13:27:49 UTC
Hi Martin and Nathaniel,

Yes, the root volume is also part of LVM and should be set up for automated decryption with Clevis/Tang. 
Two of my customers have confirmed the behavior is different when the partition is LUKS formatted versus when the LV is LUKS formatted.

