LUKS encryption of an attached disk: how to decrypt a Cinder volume

I have a question about the possibility of decrypting a LUKS volume. I am currently testing barbican+cinder, but I just want to know whether there is some way to decrypt my LUKS volume using the payload generated by barbican. Is there any procedure for it? I tried it myself, but somehow it does not work and I get an error:

[TEST]root@barbican-01:/usr/lib/python3/dist-packages# barbican secret get --payload --payload_content_type application/octet-stream http://controller.test:9311/v1/secrets/76631940-9ab6-4b8c-9481-e54c3ffdbbfe
+---------+--------------------------------------------------------------------------------------------------------+
| Field   | Value                                                                                                  |
+---------+--------------------------------------------------------------------------------------------------------+
| Payload | b'\xbf!i\x97\xf4\x0c\x12\xa4\xfe4\xf3\x16C\xe8@\xdc\x0f\x9d+:\x0c7\xa9\xab[\x8d\xf2\xf1\xae\r\x89\xdc' |
+---------+--------------------------------------------------------------------------------------------------------+

cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f my-volume
Enter passphrase for /dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f: <passphrase from payload>
No key available with this passphrase.

I think the problem above may be encoding related, so I took the payload value directly from the vault and used it as a key file, but the problem is exactly the same (my encrypted volume is the last one in the list printed by the domblklist option):

vault kv get secret/data/e5baa518207e4f9db4810988d22087ce | grep value | awk -F'value:' '{print $2}'
4d4d35676c336567714850663477336d2b415475746b74774c56376b77324b4e73773879724c46704678513d]

[TEST]root@comp-02:~# cat bbb
4d4d35676c336567714850663477336d2b415475746b74774c56376b77324b4e73773879724c46704678513d
[TEST]root@comp-02:~# cat bbb | base64 -d > pass2
[TEST]root@comp-02:~# cat pass2
▒▒߻▒▒▒▒▒^<▒N▒▒▒▒~پ5▒▒▒▒▒▒▒z߾▒▒▒▒~▒▒▒▒▒n▒▒▒▒▒]▒[TEST]root@comp-02:~#
[TEST]root@comp-02:~# virsh domblklist instance-00000da8
Target     Source
------------------------------------------------
vda        /dev/dm-17
vdb        /dev/disk/by-id/wwn-0x6e00084100ee7e7e74623bd3000036bc
vdc        /dev/dm-16
vde        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7ab0b13c0000386f
vdf        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5
[TEST]root@comp-02:~# udisksctl unlock -b /dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5 --key-file pass2
Error unlocking /dev/dm-21: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Error unlocking /dev/dm-21: Failed to activate device: Operation not permitted
[TEST]root@comp-02:~# cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7bd45c1b000038b5 my-volume --master-key-file=pass2
Volume key does not match the volume.

I see that nova/cinder and barbican do this somehow, so I firmly believe there is a way to decrypt manually. Maybe I did something wrong in my test steps. Thanks in advance for any help! Unfortunately I have not found any material on how to do this.

Regards

Answer 1

Thanks to Lee Yarwood I was able to decrypt my volume, so I am just posting a solution describing how to do it:

Description:

As an administrator, you want to decrypt a volume attached to a compute node and check whether your barbican key is correct (e.g. a customer says the barbican key does not work). This procedure describes how to simply test it.

Starting point:

The volume is encrypted and attached to an instance (the instance must be shut off for the qemu command to work). Our volume ID is: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3

Procedure:

Log in to the compute node hosting your instance. List the volumes attached to your instance:

[TEST]root@comp-09:/home/jwasilewski# virsh domblklist ec9081e4-e1e4-40a2-bf8c-c87c14b79d5a
Target     Source
------------------------------------------------
vda        /dev/dm-29
vdb        /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89

In our case the vdb volume is the encrypted one. We can check that with the qemu-img command:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
image: /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89
file format: luks
virtual size: 20G (21472739328 bytes)
disk size: 0
encrypted: yes
Format specific information:
    ivgen alg: plain64
    hash alg: sha256
    cipher alg: aes-256
    uuid: 009f60f7-e871-4eac-88da-b274e80eb247
    cipher mode: xts
    slots:
        [0]:
            active: true
            iters: 900838
            key offset: 4096
            stripes: 4000
        [1]:
            active: false
            key offset: 262144
        [2]:
            active: false
            key offset: 520192
        [3]:
            active: false
            key offset: 778240
        [4]:
            active: false
            key offset: 1036288
        [5]:
            active: false
            key offset: 1294336
        [6]:
            active: false
            key offset: 1552384
        [7]:
            active: false
            key offset: 1810432
    payload offset: 2097152
    master key iters: 56302

We want to decrypt that volume. We need to retrieve from barbican the symmetric key assigned to this volume. First we have to find the secret associated with our volume, so we log in to the OpenStack database and run:

mysql> select * from volumes where id = 'ca8da832-a88d-4f91-ab2d-2bd3efbca4a3'\G
*************************** 1. row ***************************
                 created_at: 2021-02-12 13:41:40
                 updated_at: 2021-02-17 12:33:34
                 deleted_at: NULL
                    deleted: 0
                         id: ca8da832-a88d-4f91-ab2d-2bd3efbca4a3
                     ec2_id: NULL
                    user_id: 0d63c8861a124f4fbebe4170a9d59e61
                 project_id: 175e079b3aef47a38da16d125863fd9d
                       host: cinder-01@huawei_backend#StoragePool001
                       size: 20
          availability_zone: nova
                     status: in-use
              attach_status: attached
               scheduled_at: 2021-02-12 13:41:40
                launched_at: 2021-02-12 13:41:42
              terminated_at: NULL
               display_name: encrypted-volume
        display_description:
          provider_location: {"huawei_sn": "2102352VVA10L2000001", "huawei_lun_id": "14985", "huawei_lun_wwn": "6e00084100ee7e7e7fe79b5900003a89"}
              provider_auth: NULL
                snapshot_id: NULL
             volume_type_id: 3129bdc2-6162-4729-9eab-d0c97db2335a
               source_volid: NULL
                   bootable: 0
          provider_geometry: NULL
                   _name_id: NULL
          encryption_key_id: b13d2017-e3e5-4f5f-a836-918ec130dc0a
           migration_status: NULL
         replication_status: disabled
replication_extended_status: NULL
    replication_driver_data: NULL
        consistencygroup_id: NULL
                provider_id: NULL
                multiattach: 0
            previous_status: NULL
               cluster_name: NULL
                   group_id: NULL
               service_uuid: 674de52f-1c9a-402f-88c9-6b79c91a4249
             shared_targets: 1
1 row in set (0.00 sec)

So encryption_key_id is the value we are looking for. Then we can simply fetch our secret:

[TEST]root@zabbix-1:~# openstack secret get http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a
+---------------+----------------------------------------------------------------------------------------+
| Field         | Value                                                                                  |
+---------------+----------------------------------------------------------------------------------------+
| Secret href   | http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a |
| Name          | None                                                                                   |
| Created       | 2021-02-12T13:41:39+00:00                                                              |
| Status        | ACTIVE                                                                                 |
| Content types | {u'default': u'application/octet-stream'}                                              |
| Algorithm     | aes                                                                                    |
| Bit length    | 512                                                                                    |
| Secret type   | symmetric                                                                              |
| Mode          | None                                                                                   |
| Expiration    | None                                                                                   |
+---------------+----------------------------------------------------------------------------------------+

And of course the encryption key itself, via the following command (we save it to the file my_symmetric_key.key):

barbican secret get --payload_content_type application/octet-stream http://controller.test:9311/v1/secrets/b13d2017-e3e5-4f5f-a836-918ec130dc0a --file my_symmetric_key.key

Then we need to convert the symmetric key into a passphrase:

[TEST]root@barbican-01:/var/log/barbican# hexdump -e '16/1 "%02x"' my_symmetric_key.key

The output is our LUKS passphrase. We can go to the compute node and decrypt the volume:

[TEST]root@comp-09:/home/jwasilewski# cryptsetup luksOpen /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89 my-encrypted-volume-decrypted
Enter passphrase for /dev/disk/by-id/wwn-0x6e00084100ee7e7e7fe79b5900003a89:

Then we can confirm that our volume has been decrypted:

[TEST]root@comp-09:/home/jwasilewski# qemu-img info /dev/mapper/my-encrypted-volume-decrypted
image: /dev/mapper/my-encrypted-volume-decrypted
file format: raw
virtual size: 20G (21472739328 bytes)
disk size: 0

That's it.
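The following script is an added example, not code from the question, the answer, or any OpenStack project. It shows in Python the one transformation the answer performs with hexdump (raw key bytes to a lowercase hex string, which is the LUKS passphrase), and it also covers the step the question's first attempt was missing: the "Payload" cell printed by `barbican secret get --payload` is Python's repr() of the bytes, so it must be parsed back into bytes before hex-encoding. The hex-encoding matches what os-brick's LUKS encryptor does with binascii.hexlify, and `--key-file=-` is a real cryptsetup option that reads the passphrase from stdin. SAMPLE_KEY and SAMPLE_CLI_FIELD are constructed stand-ins, and the device path and mapper name in the demo are placeholders, not values from the page.

```python
#!/usr/bin/env python3
"""Turn a Barbican symmetric key into the LUKS passphrase of a Cinder volume.

Added example; not the answer's commands and not OpenStack code.
All sample values below are constructed.
"""
import ast
import binascii
import shlex
import string

# Constructed stand-in for the raw payload of an "aes / 512 bit" Barbican
# secret (64 bytes). Not a real key.
SAMPLE_KEY = bytes(range(64))

# Constructed stand-in for the "Payload" cell of `barbican secret get --payload`:
# it is repr() of the bytes, not the bytes themselves.
SAMPLE_CLI_FIELD = r"b'\x01!i\x97\xfe'"


def passphrase_from_key(key: bytes) -> str:
    """Lowercase hex of the raw key bytes: two characters per byte, no
    separators, no trailing newline. This string is the LUKS passphrase;
    the raw bytes are NOT the passphrase (hence 'Volume key does not match')."""
    return binascii.hexlify(key).decode("ascii")


def key_from_cli_repr(payload_field: str) -> bytes:
    """Recover raw bytes from the repr string shown in the CLI table.

    Typing that repr as a passphrase yields 'No key available with this
    passphrase'; parse it back to bytes first, then hex-encode it."""
    value = ast.literal_eval(payload_field.strip())
    if not isinstance(value, bytes):
        raise ValueError("payload field is not a bytes literal")
    return value


def looks_like_luks_passphrase(passphrase: str, bit_length: int) -> bool:
    """Cheap check before touching the block device: a key of `bit_length`
    bits (Barbican's 'Bit length' field) hex-encodes to bit_length/4 digits."""
    return (len(passphrase) == bit_length // 4
            and all(c in string.hexdigits for c in passphrase))


def luks_open_command(device: str, mapper_name: str) -> str:
    """cryptsetup invocation that reads the passphrase from stdin.

    With --key-file=- cryptsetup takes all of stdin as the passphrase, so
    the hex string must be fed without a trailing newline (printf '%s',
    not echo)."""
    return ("cryptsetup luksOpen --key-file=- "
            f"{shlex.quote(device)} {shlex.quote(mapper_name)}")


def shell_pipeline(key_path: str, device: str, mapper_name: str) -> str:
    """One-liner equivalent of the hexdump + luksOpen steps; hexdump with
    this format string prints no trailing newline, so piping is safe."""
    return (f"hexdump -e '16/1 \"%02x\"' {shlex.quote(key_path)} | "
            + luks_open_command(device, mapper_name))


if __name__ == "__main__":
    passphrase = passphrase_from_key(SAMPLE_KEY)
    print("passphrase:", passphrase)
    print("plausible for a 512-bit key:",
          looks_like_luks_passphrase(passphrase, 512))
    print("from CLI repr:",
          passphrase_from_key(key_from_cli_repr(SAMPLE_CLI_FIELD)))
    # Placeholder device path and mapper name, not the ones from the page.
    print(shell_pipeline("my_symmetric_key.key",
                         "/dev/disk/by-id/<wwn>", "my-volume"))
```

On a real compute node you would replace the placeholders with the key file saved from barbican and the device path from `virsh domblklist`; the length check is worth running first, because a passphrase that is not exactly bit_length/4 hex digits means the payload was decoded wrongly somewhere (repr text, base64, or an added newline) rather than the key being wrong.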
